반응형
썬벨트(Sunbelt) 보안업체에서 트위터 봇넷 생성기를 발견했다고 블로그에 기재하였다.
아직 샘플은 수집되지 않아, 어떤 방식으로 동작하는지에 대해서는 모르겠지만 ㅋㅋ
블로그를 살펴보니 DDoS를 한다고 한다.
SNS가 대세이다 보니~ 이제 별걸 다 이용한다..ㅠㅠ
At the tail end of last year, Botnets controlled by Twitter accounts started to make the news. They’ve kind of faded from view a little since then, but one enterprising coder is hoping they’ll make a comeback with a tool designed to make botting simple for script kiddies the world over.
This is the builder we’ll be looking at today:
Firing the program up gives the most basic of interfaces – all you can do is enter a Twitter Username and hit the “Build” button:
Once done, an executable file is created that will keep an eye on the named Twitter account for a series of commands used to infect, download, attack with DDoS and even kill the connection between Bot and Command channel. This is the file that’s created:
Of course, the attacker will change the name and the icon before attempting to send it to a victim. Should an end-user infect themselves, the attacker simply posts one of the following commands to their Twitter feed and the Bot will happily oblige:
.VISIT*link.com* (The attacker can add a 0 at the end to repeatedly open a weblink in an “invisible” manner, or a 1 if they want to pop open a website for giggles on the infected PC. Above, you can see a Twitter account telling all bots to open up Google.com in a visible web browser).
.DDOS*IP*PORT (This is a UDP attack).
.SAY* (This one takes advantage of the text to speech feature on a Windows machine, babbling a phrase of choice at the confused victim).
.DOWNLOAD*link.com/file.exe* (The attacker can add a 0 at the end to download, or a 1 if they want to download and execute a file).
.STOP (This will tell the Bots to cease their activities, regardless of whether that’s a DDoS attack or a world record attempt for the amount of times they can open up a Rickroll).
.REMOVEALL (This cuts the connection between bot and Twitter account).
Here’s a screenshot of Youtube popped open on an infected PC courtesy of a .VISIT command – note the shot of the Wireshark traffic indicating the bot / Twitter connection just before the browser opens:
All in all, a very slick tool and no doubt script kiddies everywhere are salivating over the prospect of hitting a website with a DDoS from their mobile phones. However, something to keep in mind: anyone using this as an attack method is horribly exposed.
For one thing, this doesn’t work if the person controlling the bots attempts to hide their commands with a private Twitter page; the bots will just flail aimlessly as they wonder where their master has gone. There are two side effects of "being public" as a result:
1) In theory it should be easy for Twitter to track / filter / block anyone issuing these commands - and security researchers on Twitter who go hunting for these things will probably ensure offending accounts are reported and banned.
2) It only takes a quick Twitter Search to reveal who is using this Bot method at the moment:
Even better, things get extremely complicated if you’re apparently posting Bot commands from a Twitter feed that contains your full name, your geographic location and a link to your homepage that gives up your home address & phone number from a Whois search.
Whoops.
We’ve notified Twitter about this bot creation system, and they’re looking into it. I’d also like to point out that they took exactly thirteen minutes to respond to my email, which is rather impressive by any standards.
We detect the infection file as Hacktool.win32.Twebot.A.
Christopher Boyd
This is the builder we’ll be looking at today:
Firing the program up gives the most basic of interfaces – all you can do is enter a Twitter Username and hit the “Build” button:
Once done, an executable file is created that will keep an eye on the named Twitter account for a series of commands used to infect, download, attack with DDoS and even kill the connection between Bot and Command channel. This is the file that’s created:
Of course, the attacker will change the name and the icon before attempting to send it to a victim. Should an end-user infect themselves, the attacker simply posts one of the following commands to their Twitter feed and the Bot will happily oblige:
.VISIT*link.com* (The attacker can add a 0 at the end to repeatedly open a weblink in an “invisible” manner, or a 1 if they want to pop open a website for giggles on the infected PC. Above, you can see a Twitter account telling all bots to open up Google.com in a visible web browser).
.DDOS*IP*PORT (This is a UDP attack).
.SAY* (This one takes advantage of the text to speech feature on a Windows machine, babbling a phrase of choice at the confused victim).
.DOWNLOAD*link.com/file.exe* (The attacker can add a 0 at the end to download, or a 1 if they want to download and execute a file).
.STOP (This will tell the Bots to cease their activities, regardless of whether that’s a DDoS attack or a world record attempt for the amount of times they can open up a Rickroll).
.REMOVEALL (This cuts the connection between bot and Twitter account).
Here’s a screenshot of Youtube popped open on an infected PC courtesy of a .VISIT command – note the shot of the Wireshark traffic indicating the bot / Twitter connection just before the browser opens:
All in all, a very slick tool and no doubt script kiddies everywhere are salivating over the prospect of hitting a website with a DDoS from their mobile phones. However, something to keep in mind: anyone using this as an attack method is horribly exposed.
For one thing, this doesn’t work if the person controlling the bots attempts to hide their commands with a private Twitter page; the bots will just flail aimlessly as they wonder where their master has gone. There are two side effects of "being public" as a result:
1) In theory it should be easy for Twitter to track / filter / block anyone issuing these commands - and security researchers on Twitter who go hunting for these things will probably ensure offending accounts are reported and banned.
2) It only takes a quick Twitter Search to reveal who is using this Bot method at the moment:
Even better, things get extremely complicated if you’re apparently posting Bot commands from a Twitter feed that contains your full name, your geographic location and a link to your homepage that gives up your home address & phone number from a Whois search.
Whoops.
We’ve notified Twitter about this bot creation system, and they’re looking into it. I’d also like to point out that they took exactly thirteen minutes to respond to my email, which is rather impressive by any standards.
We detect the infection file as Hacktool.win32.Twebot.A.
Christopher Boyd
'IT 보안소식' 카테고리의 다른 글
7.7 DDoS, 제 3의 인터넷 대란 일어날까? (2) | 2010.05.17 |
---|---|
어도브(Adobe), "우리는 애플을 사랑합니다" 애플사에 대한 비판인가? 비굴인가? (0) | 2010.05.14 |
Sophos, Free Next Generation iPhone 4G (0) | 2010.05.13 |
이력서 검토를 가장한 스팸메일 주의!! (0) | 2010.05.12 |
Pc Security Labs, AV Comparative Against Chinese Malware (4) | 2010.05.11 |
댓글