Twitter-based Botnet Command Channel

UPDATED TO ADD STATS AND JAIKU PROFILE AND A TUMBLR PROFILE

While digging around I found a botnet that uses Twitter as its command and control channel. The bot herder posts status messages that carry new links for the bots to contact; the content behind those links in turn holds new commands or executables to download and run. It’s an infostealer operation.

The account in question is under analysis by Twitter’s security team. I spotted it because the bot polls the account’s RSS feed to fetch the status updates.

[Image: upd4t3 Twitter profile]

As for the original bot that fetches the updates, here’s the VirusTotal analysis, where you can see it’s detected by 19/41 (46.34%) of the AV engines under evaluation. Following the status messages turns up more nefarious activity: the bot uses the Twitter channel to pull down new malcode that is far more poorly detected, and staging it this way keeps the second stage out of sight. The original link to the malcode came from a ShadowServer nightly link report, which they make available to folks. Many thanks to them.

Let’s look at one of the update messages; it’s pretty clearly base64 encoded (a run of alphanumerics ending in “=” padding). What does it say?

$ echo "aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw==" | openssl base64 -d
hxxp://bit.ly/R6STV hxxp://bit.ly/2KoHo

OK, a couple of bit.ly links (shown defanged above). The first is dead (it pointed at a pastebin); the second is live.

That second link yields a base64 encoded block of text. Decoding it gives a PKZIP archive (recognizable by the “PK” magic at the start), which we dumped as “out.qqq” since we can’t know what extension it originally had. We can then unpack it and see what we find:

$ unzip out.qqq
Archive: out.qqq
inflating: gbpm.dll
inflating: gbpm.exe
$ openssl md5 gbpm.*
MD5(gbpm.dll)= ceb8d7fd74da0a187cc39ced4550ddb4
MD5(gbpm.exe)= a5cc8140e783190efb69d38c2be4393f
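The chain above (base64 status message, URLs, base64 second stage, PKZIP archive, member hashes) is short enough to script. Below is an added example, not code from the post or from the malware, that walks the same steps offline: it triages a status message for base64, decodes it and extracts the URLs (the sample status text is the real one quoted above), then takes a base64 second-stage blob, checks for the PKZIP local-file-header magic before trusting it, and MD5s every member. The second-stage archive is constructed inside the example, with dummy gbpm.dll and gbpm.exe bodies, since the real archive is not reproduced on this page.

```python
"""Walk an upd4t3-style command chain offline: status text -> base64 ->
URLs -> base64 blob -> PKZIP archive -> member names and MD5s.
Added example, not part of the original post; the second stage is constructed."""
import base64
import binascii
import hashlib
import io
import re
import string
import zipfile

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def looks_like_base64(text: str) -> bool:
    """Cheap triage for a status message: base64 charset, padded length,
    and the decoded bytes are printable ASCII (a C&C line, not binary)."""
    s = text.strip()
    if len(s) < 16 or len(s) % 4 or not set(s) <= B64_ALPHABET:
        return False
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    return all(32 <= b < 127 for b in raw)


def urls_from_status(text: str) -> list[str]:
    """Decode a base64 status message and pull the URLs out of it."""
    if not looks_like_base64(text):
        return []
    decoded = base64.b64decode(text.strip()).decode("ascii")
    return URL_RE.findall(decoded)


def unwrap_payload(blob: str) -> dict[str, str]:
    """Second stage: base64 text -> bytes; refuse anything that is not a
    PKZIP archive (local file header magic), then MD5 each member."""
    raw = base64.b64decode(blob)
    if not raw.startswith(b"PK\x03\x04"):
        raise ValueError("decoded payload is not a PKZIP archive")
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        return {name: hashlib.md5(zf.read(name)).hexdigest() for name in zf.namelist()}


# The real status message quoted in the post.
TWEET = "aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw=="


def _make_stage2() -> str:
    """Constructed stand-in for the real second stage (dummy member bodies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("gbpm.dll", b"MZ fake dll body")
        zf.writestr("gbpm.exe", b"MZ fake exe body")
    return base64.b64encode(buf.getvalue()).decode()


STAGE2 = _make_stage2()

if __name__ == "__main__":
    for url in urls_from_status(TWEET):
        print("command URL:", url)
    for name, md5 in unwrap_payload(STAGE2).items():
        print(f"MD5({name})= {md5}")
```

The printable-ASCII check in the triage step is what separates a base64 command line from base64 carrying binary; the second stage on this account was base64 text whose decoded form was a zip, so it goes through unwrap_payload instead, which refuses to unpack anything without the PK magic.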

gbpm.dll is UPX packed, so we can unpack it with upx -d (the file was renamed to gbpm.dll.upx first):

$ upx2 -d gbpm.dll.upx
                       Ultimate Packer for eXecutables
          Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
UPX 2.02        Markus Oberhumer, Laszlo Molnar & John Reiser   Aug 13th 2006

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    263680 <-    103424   39.22%    win32/pe     gbpm.dll.upx

Unpacked 1 file.
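The post identifies gbpm.dll as UPX packed and unpacks it; the triage step before that, recognizing the packer, is the part an analyst does by eye. Here is an added example, not code from the post or the malware, that parses just enough of the PE headers to list section names and per-section Shannon entropy, then gives a verdict: packer-specific section names (UPX0/UPX1 and a few others, an illustrative starter list) are a direct tell, and a non-resource section near 8 bits per byte is the generic tell for an unknown packer. Since the real samples are not reproduced here, the example builds a minimal constructed PE in memory to run against; the 7.0-bit threshold is a rule of thumb, not a standard.

```python
"""PE packer triage: section names plus per-section entropy.
Added example with a constructed minimal PE; not the post's code."""
import math
import struct
from collections import Counter

# Section names commonly left behind by packers (assumption: illustrative list).
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite", b".nsp0"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 means compressed/encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(pe: bytes) -> list[tuple[str, float]]:
    """Parse MZ -> e_lfanew -> PE signature -> COFF header -> section table,
    returning (section name, entropy of its raw data) for each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", pe, coff + 2)     # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, coff + 16)     # SizeOfOptionalHeader
    table = coff + 20 + opt_size                            # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsections):
        entry = table + 40 * i
        name = pe[entry:entry + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, entry + 16)  # SizeOfRawData, PointerToRawData
        out.append((name, entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return out


def packer_verdict(pe: bytes) -> str:
    """Name match first (definitive), then an entropy heuristic (rule of thumb)."""
    secs = pe_sections(pe)
    hits = {n.encode("latin-1") for n, _ in secs} & PACKER_SECTIONS
    if hits:
        return "packed: " + ", ".join(sorted(h.decode() for h in hits))
    # .rsrc legitimately holds compressed images, so it is excluded from the heuristic.
    if any(e > 7.0 and n != ".rsrc" for n, e in secs):
        return "probably packed (high-entropy section)"
    return "not obviously packed"


def build_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Constructed stand-in for a real binary: MZ stub, PE signature, COFF header,
    all-zero PE32 optional header, section table, then the raw section data."""
    opt_size, e_lfanew = 224, 0x40
    table_off = e_lfanew + 4 + 20 + opt_size
    data_off = table_off + 40 * len(sections)
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    table, body = b"", b""
    for name, raw in sections:
        ptr = data_off + len(body)
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(raw), 0x1000, len(raw), ptr) + b"\0" * 16
        body += raw
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * opt_size + table + body


if __name__ == "__main__":
    high = bytes(range(256)) * 4          # maximal entropy, stands in for packed code
    upx_like = build_pe([(b"UPX0", b""), (b"UPX1", high), (b".rsrc", b"\0" * 512)])
    unknown = build_pe([(b".text", high), (b".data", b"\0" * 64)])
    clean = build_pe([(b".text", b"\x55\x8b\xec" * 300), (b".data", b"\0" * 64)])
    for label, sample in (("upx-like", upx_like), ("unknown packer", unknown), ("clean", clean)):
        print(label, "->", packer_verdict(sample), pe_sections(sample))
```

A real UPX0 section has zero raw size on disk (it is the runtime unpacking area), which is why the constructed sample gives it an empty body; gbpm.exe, packed with something that does not announce itself in section names, is the case the entropy fallback is for.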

The unpacked DLL looks like an infostealer. Here are some of the URLs embedded in it: the 64.79.197.110 paths are where it posts stolen data, and the Banco do Brasil URLs are the bank’s online banking login page that it targets:

hxxp://64.79.197.110/friends/alert/new.php
hxxps://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim
hxxp://64.79.197.110/friends/post.php
hxxps://www2.bancobrasil.com.br/aapf/
hxxps://www2.bancobrasil.com.br/aapf/

gbpm.exe is packed with a different packer.

That DLL is very poorly detected; the EXE has a VirusTotal result of 9/41 (21.95%), and one vendor identifies it as a Buzus sample.

The account is presently live but under review by Twitter, and is just one of what appear to be a handful of Twitter C&C accounts.

UPDATE 14 Aug 2009

Via bit.ly’s public click statistics for the links, some numbers that suggest the malcode has infected a couple hundred PCs, mostly in Brazil. (Click counts are a rough proxy for infected hosts, not an exact census.)

[Image: bit.ly click statistics for the upd4t3 links, by country]

Now that the Twitter account has been disabled: “upd4t3” also had a similar profile on Jaiku.com:

[Image: upd4t3 Jaiku profile]

Many thanks to the Jaiku team for reviewing and shutting this account down. Still looking for more services “upd4t3” is abusing; it looks like Tumblr has also been used:

[Image: upd4t3 Tumblr profile]

Still poking around various micro-blogging services. I wonder why he abandoned Tumblr. (There are more microblogging tools than I had anticipated …)

Comments (107)

  • securitybananas.com » Twitter based botnet

    […] /blog/asert/2009/08/twitter-based-botnet-command-channel/ Comments are off for this post Digg this […]

  • Guilherme Venere

    Nice post Jose!

    The URL hxxps://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim is from a Brazilian bank login page. This may be a banker and, oh, surprise, may have Brazilian hackers involved 🙂

  • Keith

    Nice find. I hate to admit but this is really an innovative control. BTW, account is now suspended

  • Robert Peaslee

    I wonder why he wasn’t using a symmetric encryption algorithm for encrypting the urls instead of just encoding them base64? He could have kept that pretty well secret with just a little thought.

  • Twitter-based Botnet Command Channel | Twittermazing

    […] Twitter-based Botnet Command Channel Raj’s shared items in Google Reader While digging around I found a botnet that uses Twitter as its command and control structure. Read More […]

  • Tom

    Ironically, PoC code was released several months ago which did just this. The code was updated for a talk at DEFCON 17 this year which does…base64 encoded commands. You can download the code and more information here: http://www.digininja.org/projects/kreiosc2.php

  • links for 2009-08-13 (Jarrett House North)

    […] Twitter-based Botnet Command Channel (Security to the Core | Arbor Networks Security) Nasty nasty nasty. Using base64 encoded tweets, that translate to tinyURLs, that download as zipped archives, that unpack with malicious payloads. (tags: twitter security) […]

  • Twitter used to manage botnet, says security expert | O24int

    […] on infected machines, wrote Jose Nazario, manager of security research at Arbor Networks, on in a blog posting on […]

  • John Reedaw

    Nice pick up, José!! It’s always very interesting to follow your posts.

  • Twitter used to control a botnet | تيدوز

    […] ARBOR – […]

  • meneame.net

    Controlling botnets via Twitter…

    [ENG] José Nazario of Arbor Networks has discovered Twitter being used to control botnets: "The user used the messages to send new links to his contacts, links that contained new commands or programs to download and execu…

  • New attack targets Twitter » SegBlog

    […] attack targets Twitter Yesterday Jose Nazario of Arbor Networks discovered the activity of a botnet that uses Twitter to send information about […]

  • Federico Ch. Tomasczik (ftomasczik) 's status on Friday, 14-Aug-09 17:24:13 UTC - Identi.ca

    […] The latest in nasty critters… Twitter-based Botnet Command Channel /blog/asert/2009/08/twitter-based-botnet-command-channel/ […]

  • Twitter botnet plunders bank accounts - BLOG PC Web plus -

    […] uploads. In Brazil most banks still use a username and password. The Twitter bot came to light because it uses the RSS feed to get status updates. The account in […]

  • Angelo Dell'Aera

    Nice post Jose. I was just thinking about how simple it could be to raise the bar through a photography fanatic blog and just a bit of steganography…

  • links for 2009-08-14 | Yostivanich.com

    […] » Twitter-based Botnet Command Channel · Security to the Core | Arbor Networks Security Makes it easy to avoid getting an IP Address block. (tags: twitter cracking security botnet) […]

  • Allan Rowntree

    Not to be confused with:

    #mmjChallenge[CqPSy8qqd7IW4POiaRAwbjyMmtYRrGdi]

    Tweets my new games uses as a way of passing challenges from player to player!

    Check out http://mmj.arowx.com for latest details, it’s coming soon!

  • Jesper Wallin

    Hehe, pretty smart if you ask me.. Thank god it’s easy for Twitter to kill these “channels” as well as see who’s requesting these tweets (finding what machines/networks are infected) .. 🙂

  • Twitter used by a botnet! «

    […] Nazario of Arbornetworks.com has discovered a botnet that reportedly uses Twitter, the social networking and […] site […]

  • Botnets discover Twitter | Techfreak

    […] Nazario, head of security research at Arbor Networks, got onto the trail of the botnet activity via Twitter because the bots, via the RSS feed of the […]

  • Security firms discover botnet on Twitter - Programming Blog

    […] be used as the command center for harnessing a “botnet” of virus-infected computers, security firms Arbor Networks and Symantec reported. In a blog post Friday, Symantec analyst Peter Coogan wrote that researchers […]

  • Botnet uses Twitter updates from upd4t3 | elexpress.de

    […] has certainly not only reached users who use the service as intended. According to Jose Nazario of Arbor, a botnet has [distributed] the new commands for the zombie machines via Twitter and other services […]

  • Botnet on Twitter Now! « TheTechJournal.com

    […] Security holes of Twitter has been exposed here again. An employee of Arbor Networks has recently discovered a botnet that uses Twitter as its command and control structure. The Twitter user “upd4t3″ has been operating an infostealer operation using his account. The user posts status updates with links which contains commands or executables to download and run. The process is described at Arbor Networks blog. […]

  • Twitter was Dwelling Botnets under the Hood - Home for DDoS | Taranfx: Technology Blog

    […] The traditional way of managing botnets was IRC or different honeypots.  But with changing times,  botnet owners are continuously working on finding new ways of keeping their networks up and running, and Twitter seems to be the latest trend among the tricks. Twitter came to know about this from an account that it recently suspended. What was it doing?  It was being used to post tweets that had links to “commands or executables” to download and run, which would then be used by the botnet code on infected machines. “I spotted it because a bot uses the RSS feed to get the status updates, the account, called “Upd4t3″, is under investigation by Twitter’s security team, according to Nazario. But the account is just one of what appear to be a handful of Twitter command and control accounts,” Nazario, a security researcher, wrote. […]

  • Twitter was used to direct a botnet | TechTips Blog - Technology News - News - Guides

    […] at network security company Arbor Networks, wrote on the company blog that Twitter was used to direct […]

  • Geek Montage » Botnet Using Twitter

    […] and that they’re only limited by the creator’s creativity. The article can be read here, but I’ll provide an excerpt for those who have only of the slighest interest and not enough […]

  • DarkKnightH20

    Very interesting. I’m posting an excerpt on http://www.geekmontage.com if you don’t mind (with a link back to here of course). Still, this isn’t too surprising considering that their niche, IRC servers, have been easily compromised time after time. Creativity is the only thing limiting communication between a botnet owner and his/her bots.

  • Faisal Khan

    Jose, great analysis…. how can Twitter play a role in this – to stop its network from being used as a Command center??? With 10,000s of signups a day and million of messages, surely, this new medium can be termed even more threatening.

  • Twitter now being used to direct botnets | Cool Stuff for the Mac Pro.

    […] Twitter? Twitter! TWITTER! Yes, the world’s most important Web site has been co-opted by evildoers, being used to control personal information-stealing […]

  • BelchSpeak » Post Topic » Twitter Bot Master

    […] zombies only had to follow the account using an RSS feed subscription. You can read all about it at Arbors blog here. I see no reason why this method wouldn’t with other public posting methods such as […]

  • Twitter becomes a control center for a botnet « 1security’s Blog

    […] the expert stated on the company blog that an account on the microblog was responsible for sending code to the computers, turning them […]

  • infinity's status on Sunday, 16-Aug-09 09:55:58 UTC - Identi.ca

    […] Botnet Command Channel: /blog/asert/2009/08/twitter-based-botnet-command-channel/ !infosec […]

  • Brazen Botnet Uses Twitter Comm Channel - Lets Be Secure | Lets Be Secure

    […] links to contact, then these contain new commands or executables to download and run," Nazario said in a blog post. "It’s an infostealer […]

  • Twitter can be used to steal you bank account details

    […] week, since Twitter was first attacked and it still seems to be reeling from it. Now a researcher, Jose Nazario, has discovered that an account in Twitter is being used as a Botnet, for its command and control […]

  • GeekDays » Hackers use Twitter to control botnets

    […] etc. Later they evolved to other control systems such as P2P networks, but now everything has changed and the use of social networks may be the next […]

  • Virus used a Twitter account to pass instructions to infected computers | Newsgeek

    […] over the weekend, information security company Arbor Networks announced that it had found a Twitter user account which is being used for […]

  • slacker2d (slacker2d) 's status on Sunday, 16-Aug-09 22:35:14 UTC - Identi.ca

    […] twitter based #botnet command channel /blog/asert/2009/08/twitter-based-botnet-command-channel/ […]

  • duritong's status on Sunday, 16-Aug-09 22:39:01 UTC - Identi.ca

    […] RT @slacker2d twitter based #botnet command channel /blog/asert/2009/08/twitter-based-botnet-command-channel/ […]

  • Botnet that uses twitter as command & control |

    […] from Uruguay’s CSIRT-Antel I learned that the Arbor Networks folks (Jose Nazario) found a botnet that uses twitter as command & control. It is an interesting change in the behavior of the […]

  • Links of the Week: Data Security Edition | EPC's Computer Recyling Blog

    […] Twitter used to control botnet It was a matter of time, but Jose Nazario of Arbor Networks discovered a botnet that used Twitter for its command and control infastructure. While the account in question is obviously not a person, how long before a botnet writer creates an account that looks legitimate at first glance? […]

  • Hilda Jones

    the base64 is the part that always makes me mad… great post

  • The wrongdoers of the 21st century « dreptungeek

    […] that there is a new way in which the idyll with 140-character messages can be brutally interrupted: an account used by a bot to infect other accounts. Between such cases and masked links, plenty of careless people will in future […]

    • Jose Nazario

      Thanks, Herb! I contacted Twitter and the account was disabled overnight.

  • Frequently Asked Questions » Blog Archive » twitter as a means of botnet control

    […] as a means of botnet control August 27th, 2009 by singu Arbor have identified a botnet whose herder uses twitter to […]

  • Trojan Hides Its Brain in Google Groups « Friendly Computers Virus Alerts

    […] in touch with hacked PCs and update their malicious software. Researchers have also seen criminals hide their messages in RSS feeds that are set up to broadcast Twitter messages, said Gerry Egan, a director with […]

  • Rhialto

    Interesting. But can you please separate the trackbacks from the real comments, since they are extremely irritating when you’re trying to read real comments from real people…

  • Botnets: hide and seek on Web 2.0 | ДайСлово!

    […] in the middle of Устя, Arbor Networks experts discovered a number of accounts in Twitter microblogs from which […]

  • Twitter as a botnet command center | Hack a Day Thailand

    […] folks over at Arbor Networks were browsing Twitter and discovered something very strange: a Twitter account seemingly posting […]

  • Social Networks being used by Banking Trojans | Helablog

    […] exploited as a command and control point belonging to a Trojan’s operation reportedly involves Twitter’s RSS feed option. The bot herder’s method of operation in this case is as […]

  • DNS Botnet Cyberwar

    […] Transfer Protocol) such as Twitter (for more information you can read the following link: /blog/asert/2009/08/twitter-based-botnet-command-channel/). Once machines are infected with malware and begin accessing the control channel, they remain […]

  • Uncrackable DIY Pencil-and-Paper Encryption

    […] cellphone create the modern day equivalent of a number station. In fact, there is at least one known bot net coordinated via an anonymous Twitter account (not encrypted, […]

  • On botnets, technological warfare, IRC and other nonsense. | Technology and information security from a different angle

    […] the bots will connect to a server (see "Botnet topology" below), from which they receive commands. The server can be another bot, or a "headquarters", a central base the bots connect to. Common places to set up a headquarters are IRC servers, which we have already discussed in the past, instant messaging programs (yes, really!) and even websites, like Twitter! […]

  • Antivirus

    This is very nice post about twitter botnet. I saw a video on youtube how people can command twitter using botnet to do something they want based on what they command it to do.

  • Botnets : Aeterna's World

    […] launch of twitter several have switched from the traditional IRC channels(Chat software) to using twitter to regulate themselves. Now I think it’s quite an interesting and cool way of controlling the […]

  • Who Do You Know? | Morpho Designs

    […] is, by and large, ethically neutral. The most benign tool becomes a weapon of mass destruction in the hands of a spammer or so-called black hat SEO operative. Conversations are neither […]

  • Snoep76239

    Why “steal” personal information when every FarcebookTweeter give it all away voluntarily?
    Social networking is a stalker’s or social engineer’s wet dream.
    So many peoples’ passwords are their dog’s name, backwards birthday, or can be gotten by using a dictionary based on their interests. Brute force, schmute force.

  • Hackers Use Twitter to Control Botnet « www.unixbox.org

    […] Network’s Jose Nazario, an expert on botnets, discovered the so-called command-and-control structure. Infected computers were following the Twitter feed […]

  • Dipl.-Inform. Carsten Eilers

    Botnets – zombie plagues on the Internet…

    Computers infected with a specific piece of malware are often grouped into so-called botnets. How the malware was spread, whether as a virus, worm, trojan, drive-by infection or otherwise, does not matter. The infec…
