Tuesday, August 18, 2009

Twitter as a Covert Channel?

Your tweeple [your Twitter followers, for the not-in-the-Twitter-lingo-know] may be out to get you. Seriously!

Unless you've been completely living with your head in the sand (or too busy to read, like I've been) lately, you've undoubtedly seen this article in Wired Magazine titled "Hackers Use Twitter to Control Botnet". This type of communication is hardly a covert channel, as it's sitting out in the open and can be detected rather easily if one looks hard enough - the problem then becomes one of Twitter's servers reading your tweets to determine if you're a "bot" or "bot-master" or not... that poses some interesting privacy issues but in a social media platform where you're publishing your thoughts to the world... wouldn't it be OK to have some tool that reads all your tweets? ... well... actually... what about those people who protect their tweets? Personally I think it's sort of like standing on a street corner but only telling certain people to listen - isn't it going completely against the whole point of the social media micro-blogging thing? ... but I digress.

So anyway, I had this conversation with a Twitter colleague a while back much to this effect, and now of course I'm sitting here thinking... look, someone made it work! On that note - I think it's important to recognize that DigiNinja (twitter.com/digininja) has a brilliant Twitter bot (and oh, so much more) called Kreios C2, already in it's second release and is quite brilliant, you should really give it a read. So we know that a Twitter-bot is not only possible but it is actively out there... but there's more to this than meets the eye.

You ever wonder why some accounts just randomly follow you? I've dug into this, and have noticed something that may or may not be of consequence... but it's interesting nonetheless. Some of these obviously spam-laden or bot-laden accounts follow people randomly just to get follows... which will attempt to legitimize their existence, but others simply like to look for people to @ message. Think about this attack vector for a second, and think how you'd stop it.

Say you get infested with a drive-by trojan which happens to drop a bot on your machine, and communicates its presence back to the master... The Twitter control-channel is so much more practical than the old IRC channel approach simply because damn near everyone is on Twitter these days... right? I can notice something amiss in 3 seconds flat if machines inside of some corporate network begin to make connections to Efnet servers... but if 1,000 computers fire up a Twitter client... that's pretty much a Monday morning at the office. Even worse, I think DigiNinja's approach may even be sharpened by taking the spammer approach to getting your message across. Once you know which targets have been infected, and you want to send them individual messages simply send them an @message! Even if my Twitter client isn't following "@BigBotMaster" all that account has to do is simply @RafalLos or what-ever DigiNinja and the Hak5 crew end up cooking up... and you're seriously in hot water. You can't simply look at who you're following to see if you're infected (because you aren't following them!), and since Twitter's clients will alert you (i.e. show it in your feed) when someone @ messages you... this is an indefensible position if you're compromised and you have a legitimate Twitter client. This type of "reflective" C2 (Command/Control) infrastructure could be incredibly sneaky at controlling millions of Twitter hosts, or just one.

Imagine a control-structure like this:
  • RT (fake re-tweet) of any message you've actually previously sent with a "control" bit inserted in the tweet; for example "RT @RafalLos #InfoSecBlogs :|: "New Blog Post on Twitter Bots" :|: http://no.url/aidli3 AQ3
  • Suggested-reading/following: "@RafalLos - I think you would also enjoy http://no.url/EVIL_URL" with the EVIL_URL being a page where the bot would go to for instructions, updates... whatever
  • Fake Replies: "@RafalLos You should get some sleep, ping me at later!"
The beauty of this is that only the BotMaster needs to know the accounts of compromised machines! The client doesn't have to follow anyone! Yes... there are thousands of possible approaches besides the 3 super-simple examples above... but this approach basically ensures that even if the master account is suspended another is spooled up in seconds and since it knows all the accounts it's responsible for - it simply announces itself to them! Ok, now even I'm worried.

By the way, Paul Makowski has a brilliant write-up on his research into one of these botnets - and it's worth the time it'll take you to read it, I can promise you that. Check it out on his (hopefully patched?) WordPress page... just kidding Paul. Go read: "A Closer Look at the Twitter-Controlled Botnet (Part 1)". Quality stuff, kudos for the work.

The explosion of social media formats such as the micro-blogging Twitter platform are going to continue to pose a serious threat to Information Security measures by making botnet controls so much more sneaky ... I don't envy our position as the good guys.

1 comment:

Anonymous said...

Some of us have private accounts because we do not want our tweets showing up in the timeline that is monitored by bots and spammers. We also do not want followers.

Using free blogging services such as livejournal, Blogger, and Twitter as a "CnC servers" isn't new, although newly public. RSS feeds are also handy considering instructions read as mangled web traffic.

This approach is only necessary when the chatter between host and server needs to look as legit as possible. Peer based botnets are still more secure and resilient.