Unless you've been completely living with your head in the sand (or too busy to read, like I've been) lately, you've undoubtedly seen this article in Wired Magazine titled "Hackers Use Twitter to Control Botnet". This type of communication is hardly a covert channel, as it's sitting out in the open and can be detected rather easily if one looks hard enough - the problem then becomes one of Twitter's servers reading your tweets to determine if you're a "bot" or "bot-master" or not... that poses some interesting privacy issues but in a social media platform where you're publishing your thoughts to the world... wouldn't it be OK to have some tool that reads all your tweets? ... well... actually... what about those people who protect their tweets? Personally I think it's sort of like standing on a street corner but only telling certain people to listen - isn't it going completely against the whole point of the social media micro-blogging thing? ... but I digress.
So anyway, I had this conversation with a Twitter colleague a while back much to this effect, and now of course I'm sitting here thinking... look, someone made it work! On that note - I think it's important to recognize that DigiNinja (twitter.com/digininja) has a brilliant Twitter bot (and oh, so much more) called Kreios C2, already in it's second release and is quite brilliant, you should really give it a read. So we know that a Twitter-bot is not only possible but it is actively out there... but there's more to this than meets the eye.
You ever wonder why some accounts just randomly follow you? I've dug into this, and have noticed something that may or may not be of consequence... but it's interesting nonetheless. Some of these obviously spam-laden or bot-laden accounts follow people randomly just to get follows... which will attempt to legitimize their existence, but others simply like to look for people to @ message. Think about this attack vector for a second, and think how you'd stop it.
Say you get infested with a drive-by trojan which happens to drop a bot on your machine, and communicates its presence back to the master... The Twitter control-channel is so much more practical than the old IRC channel approach simply because damn near everyone is on Twitter these days... right? I can notice something amiss in 3 seconds flat if machines inside of some corporate network begin to make connections to Efnet servers... but if 1,000 computers fire up a Twitter client... that's pretty much a Monday morning at the office. Even worse, I think DigiNinja's approach may even be sharpened by taking the spammer approach to getting your message across. Once you know which targets have been infected, and you want to send them individual messages simply send them an @message! Even if my Twitter client isn't following "@BigBotMaster" all that account has to do is simply @RafalLos
Imagine a control-structure like this:
- RT (fake re-tweet) of any message you've actually previously sent with a "control" bit inserted in the tweet; for example "RT @RafalLos #InfoSecBlogs :|: "New Blog Post on Twitter Bots" :|: http://no.url/aidli3 AQ3
- Suggested-reading/following: "@RafalLos - I think you would also enjoy http://no.url/EVIL_URL" with the EVIL_URL being a page where the bot would go to for instructions, updates... whatever
- Fake Replies: "@RafalLos You should get some sleep, ping me at 22.214.171.124 later!"
By the way, Paul Makowski has a brilliant write-up on his research into one of these botnets - and it's worth the time it'll take you to read it, I can promise you that. Check it out on his (hopefully patched?) WordPress page... just kidding Paul. Go read: "A Closer Look at the Twitter-Controlled Botnet (Part 1)". Quality stuff, kudos for the work.
The explosion of social media formats such as the micro-blogging Twitter platform are going to continue to pose a serious threat to Information Security measures by making botnet controls so much more sneaky ... I don't envy our position as the good guys.