Using Twitter as a botnet: KreiosC2
The media is paying a lot of attention to botnets. Traditional botnets make use of zombies and C&C servers, and the communication between them has ranged from simple IRC commands to P2P and HTTP. To stay in control of their botnets, botnet herders are looking for ever more advanced techniques. During a presentation held at Defcon 17, a new proof-of-concept bot was released. This bot makes use of Twitter.
During the presentation, Tom Eston and Kevin Johnson showed a demo of this bot, called KreiosC2. KreiosC2 is the updated version of Twitterbot. The bot works simply: you create an account that the bot will follow. When you want the bot to perform some action, you simply 'tweet' to the C&C Twitter account. An example of such a 'tweet' is 'cmd: look at 1.2.3.4', which makes the bot execute a ping to the address 1.2.3.4.
Since Twitter is capable of detecting and filtering text, the writer of the code (Robin of digininja.org) added some features to the new version:
- dynamically changing the control language
- sending the commands encoded (base64) and/or encrypted.
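From the defender's side, the command format above ('cmd: look at <target>') and the base64 option give a concrete thing to look for in the timeline of a suspected C&C account. The following detector is an added example, not code from KreiosC2 or its author; it assumes the single verb shown on the page ('look at') and a whitespace-separated tweet, and it cannot see inside encrypted commands.

```python
import base64
import binascii
import re

# Command grammar inferred from the one example on the page: "cmd: look at <target>".
# Only "look at" is known; a bot that changes its control language needs this list updated.
CMD_RE = re.compile(r"^cmd:\s*(?P<verb>look at)\s+(?P<target>\S+)\s*$", re.IGNORECASE)
# A whitespace token that could be a base64 blob (at least 8 chars, optional padding).
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_b64_tokens(text):
    """Yield the plaintext of every token in `text` that decodes as base64 ASCII."""
    for tok in text.split():
        if not B64_TOKEN_RE.match(tok):
            continue
        try:
            yield base64.b64decode(tok, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            # Ordinary words that happen to look like base64 land here and are skipped.
            continue


def classify_tweet(text):
    """Return ('plain'|'base64', verb, target) if the tweet carries a command, else None."""
    m = CMD_RE.match(text.strip())
    if m:
        return ("plain", m.group("verb").lower(), m.group("target"))
    for decoded in decode_b64_tokens(text):
        m = CMD_RE.match(decoded.strip())
        if m:
            return ("base64", m.group("verb").lower(), m.group("target"))
    return None


# Constructed sample timeline of a watched account (not real tweets).
SAMPLE_TWEETS = [
    "Having a coffee before the meeting",
    "cmd: look at 1.2.3.4",
    base64.b64encode(b"cmd: look at 10.0.0.7").decode(),  # the encoded variant
    "cmd: look at example.internal",
]


def scan_timeline(tweets):
    """Return [(tweet, classification)] for every tweet that looks like a bot command."""
    hits = []
    for tweet in tweets:
        result = classify_tweet(tweet)
        if result:
            hits.append((tweet, result))
    return hits
```

Running `scan_timeline(SAMPLE_TWEETS)` flags three of the four constructed tweets; the plain-text and base64 variants are both caught, which is exactly why the encrypted option matters to the bot author.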
Defending against this bot is easy: block Twitter. But honestly, is that a real option? You would only be defending your own network, and what about people using their smartphones to tweet?
For more background information about KreiosC2 go to:
http://www.digininja.org/projects/kreiosc2.php
Source code of KreiosC2:
http://www.digininja.org/files/kreiosc2_2.0.tar.bz2
KreiosC2 in action:
http://www.youtube.com/watch?v=2xLierFGOhQ