Tag Archives: twitter

Two steps forward, one step back – controling botnets…

Just stumbled across this: http://www.symantec.com/connect/blogs/google-groups-trojan – basically, botnets are utilizing Google groups (could have been any other mailing list system for the sake of argument) to communicate between the bots (trojans) and their command and control centers.

Funny how technology sometimes is way simpler than you imagine it would be. As per the new twitter based botnet channels, and the fancy web2.0 communications that are available for usage (see older post at here), utilizing the age-old mechanism of anonymously posing messages on a newsgroup is humbling.

Nevertheless, it’s the same new story (Google groups were chosen because of the web interface and the uptime reputation), just dressed up in old clothes (pun intended…). The same advice that I gave 2 years ago, which I gave last year, and again 3 months ago, is still valid – forget about putting out fires (that’s your off-the-shelf AV). Focus on proper mitigation, a solution that shows you how the technology is an extension of the company’s research, and forward thinking attitude. Look for solutions that are more behavioral in nature in order to identify mal-intent communications, and act proactively based on the predictions and research done.

Basically – don’t settle for mediocracy!

Stay safe.

Botnet communications moving to Web2.0

A great find by Jose Nazario shows how botnets have moved on from relying on old-school communication schemes (usually IRC or direct HTTP connections) to utilizing the tools that Web2.0 provides.

I have been naming this development since it started being discussed in the back-channels, and predicted that these would be the next generation communication methods as they provide not only another layer of separation (anonymity) between the botnet manager and the controlled bots/trojans, but also a layer of scalability to the control scheme.

You can check out the last time I discussed this on my DefCon presentation slides which should be uploaded to the DefCon site soon. In the meantime here is an older presentation (at least 10 months old) where the same subject is being demonstrated (slides 31-32):
Behind the Scenes of E Crime July09

Basically, the Twitter messages are encrypted codes being sent between the command and control and the controlled bots, which is very close to the “homework” I mentioned at the end of my DefCon talk – encouraging researchers to look for “garbage” data on blogs and Web2.0 services which are actually encrypted data being passed over a public medium.

I guess that that’s one more issue to deal with when trying to deal with the growing threat of eCrime and cyberwarfare.

Twitter spam – Spitter? Tpam?

Unless you’ve been living under a rock in the past couple of years, you have been exposed to Twitter in some shape or form. Having adopted the means of socializing myself not too long ago (been researching it’s security since day-0, jumped on the bandwagon a few months ago), you have to live with the bad aspects of social networks again.

When you finally think that a social network platform would get immune from the perils of spam and malicious content, it’s funny to see how spammers – especially on the adult content side have been using Twitter to peddle their stuff… Instead of Tweeting it again (http://twitter.com/iiamit/status/2404011102), I decided to pay respects with a full blog post.

spitter

So here are my 2 new followers (the one mentioned on my older tweet has fled – probably didn’t get what they signed up for 😉 ), I’ll be sure to keep checking out these trends and make sure that nothing beyond the traditional and mostly harmless content (unless you consider NSFW dangerous – no malweb so far there).

See you all in Vegas (https://www.defcon.org/html/defcon-17/dc-17-speakers.html#Amit)!

Update: OK, this can go out in the open now (had to make sure that this went public already…) pushing malweb through Twitter has been going on for a while, a funny example below shows the usage of the same malicious URL being pushed by “foot soldiers” across multiple trending topics as they change over time:

maltweet1

And the Tweet of the day for me is an attempt to “whore” the trending topics in order to promote an adult site:

trendwhoring

Obviously all the keywords at the time this was published were on the trending top list…