The DIY Twitter Botnet Creator
Chris Boyd talks about an automated Twitter bot creator that Sunbelt has discovered. Once installed,
…an executable file is created that will keep an eye on the named Twitter account for a series of commands used to infect, download, attack with DDoS and even kill the connection between Bot and Command channel…
…All in all, a very slick tool and no doubt script kiddies everywhere are salivating over the prospect of hitting a website with a DDoS from their mobile phones.
For the moment, this tool is not too worrying. Chris points out that
1. In theory it should be easy for Twitter to track / filter / block anyone issuing these commands…
2. It only takes a quick Twitter Search to reveal who is using this Bot method at the moment [a search on .REMOVEALL]
But this doesn’t mean we shouldn’t worry. Back in February I discussed a program called KreiosC2 that is available on the Net (it’s a proof of concept bot to demonstrate that we should be more than a bit worried):
KreiosC2 demonstrates very forcibly, and for real, that the new friend you have may not be a friend at all. It could be a bot controlled by someone who wants more than your friendship. If you visit this friend’s pages, you are, in the vernacular, pwned. This is not mere full disclosure, this is the actual exploit given out on a plate.
The full Monty: should we show it all or not?
The author of KreiosC2, security specialist Robin Wood, is aware of the tracking ‘weakness’:
My first idea was to have a protected Twitter account which only the bots could read. This would restrict who could see the commands but it would be easy for Twitter to block that user.
Robin Wood, DigiNinja
So he thought about it, and
I proposed these ideas to Tom Eston (from the Security Justice Podcast), who is currently doing work on social media botnets, and to Mubix (who everyone knows). Tom suggested using TinyURL to obfuscate commands or to use hash tags to represent certain things. You could also get the bots to follow certain accounts to mark themselves as bots. If they followed a specific bot master account then they would be easy to spot, but having them follow a general account, the BBC, say, again they could be lost in the masses unless you knew where to look. Tom is giving a talk at Notacon where he will be talking a bit more about this and other social media bots.
Mubix added the following ideas:
- Use a time-based code that is based on the time of the Twitter update, so bots check via the public timeline what the current time is, and based on the hour they are checking within (7 AM, 2 PM etc.) they have a specific minute to look for a command within (i.e. at 7 PM they are looking for a command at 7:13). This command would be a cipher text posted by one of over a hundred dummy Twitter accounts, and no matter how many accounts Twitter got rid of, you could always make more.
- Again going with the key. You could simply use Unix time as part of the post. So, the bot checks Twitter time based on the public stream, converts to Unix time, does a search on Twitter for the current Unix time and looks for the second part of the key; this would be an easy cipher. Once they found the key, it would be: “1239197528 How do I convert this to normal date time?” – And then the bot would take the first letter of each of the words, HDICTTNDT, look up that user, then take its latest post and issue the command in the post: “ping -t victim.com”.
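A defender-side heuristic for the Unix-time keyed posts Mubix describes, written in Python as an added example (not code from this post, from KreiosC2 or from Sunbelt): it scans a stream of posts for a leading ten-digit token that is a Unix time close to the post's own timestamp, and reports the first-letter acronym that the scheme would use as the controller handle. The sample records are constructed, and the 60-second skew window and the (handle, time, text) layout are assumptions.

```python
import re

# Constructed sample stream: (poster handle, post time as Unix seconds, text).
# These are made-up records, not real Twitter data.
SAMPLE_POSTS = [
    ("newsfan42", 1239197530, "1239197528 How do I convert this to normal date time?"),
    ("alice", 1239197531, "Lunch was great today, back to work now"),
    ("bob", 1239197540, "1239190000 was the epoch value used in that tutorial"),
    ("carol", 1239197545, "Epoch 1239197545 is right now, anyone know a converter?"),
]

# A post keyed in the scheme leads with the current Unix time, then a sentence.
LEADING_EPOCH = re.compile(r"^(\d{10})\s+(.+)$")

def acronym(words):
    """First letter of each word, upper-cased: the handle the scheme hides in the sentence."""
    return "".join(w[0].upper() for w in words if w and w[0].isalpha())

def flag_epoch_keyed_posts(posts, max_skew=60):
    """Return posts whose leading 10-digit token is a Unix time within max_skew seconds
    (assumed window) of the post's own timestamp. A stale epoch pasted from a tutorial
    is not flagged; an epoch that is not the first token is also not flagged, so this
    heuristic only covers the exact layout described in the post."""
    hits = []
    for handle, posted_at, text in posts:
        m = LEADING_EPOCH.match(text)
        if not m:
            continue
        epoch = int(m.group(1))
        if abs(epoch - posted_at) > max_skew:
            continue
        hits.append({
            "handle": handle,
            "epoch": epoch,
            "skew_seconds": epoch - posted_at,
            "candidate_handle": acronym(m.group(2).split()),
        })
    return hits

def distinct_posters(hits):
    """Number of different accounts producing keyed posts in one window: many accounts
    carrying the same pattern is the 'over a hundred dummy accounts' signal."""
    return len({h["handle"] for h in hits})

if __name__ == "__main__":
    for h in flag_epoch_keyed_posts(SAMPLE_POSTS):
        print(h)
```

The candidate handle is a triage lead for analysts, not proof: a flagged account needs its timing and follower pattern checked before anything is blocked.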
For the moment, then, the bot creator found by Sunbelt is not too worrying. But I think we can be pretty certain that new and more dangerous ones will appear in the coming months.