Habr already has many posts devoted to the technical aspects of how botnets work. As you know, a standard botnet consists of infected computers (zombies) and command-and-control servers (C&C). They communicate over a variety of protocols, from IRC to P2P and HTTP. However, at the latest hacker conference, Defcon, another interesting way to manage a botnet was demonstrated: via Twitter.
The concept is brilliantly simple. An account is created on Twitter (new accounts can be created continually according to a predetermined algorithm to avoid blocking), along with a twitterbot that subscribes to it and treats every tweet as a command to execute. For example, the tweet “cmd: look at 1.2.3.4” could launch a DDoS attack against the address 1.2.3.4.
At Defcon, the KreiosC2 twitterbot was demonstrated in action; it can actually be used to manage a botnet. Its supported features include dynamically changing the control language (to avoid filtering on Twitter) and sending commands in encoded (base64) and/or encrypted form.
This is a great option, because attacks can now be launched easily and conveniently straight from a mobile phone, and providers will never block access to Twitter the way they block access to other kinds of control servers. Nor can a hosting provider shut it down.
A couple of days ago, on Twitter, we found and blocked the first account that was de facto used to manage a botnet. It's only the beginning.
The source code of the KreiosC2 program can be downloaded here. Below is a demonstration video from the Defcon conference.
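Because access to Twitter itself is not blocked and the command wording can change, a defender's more durable signal is the polling rhythm of the bot. The following is an added example, not code from KreiosC2 or from the original post: it flags hosts in web-proxy logs that fetch one account's page at machine-regular intervals. The log format, host names, account names and thresholds are all assumptions made for the illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: "<ISO timestamp> <client host> <requested URL>".
SAMPLE_LOG = """\
2009-08-17T10:00:00 ws-014 twitter.com/example_feed_a
2009-08-17T10:00:41 ws-022 twitter.com/example_news
2009-08-17T10:05:01 ws-014 twitter.com/example_feed_a
2009-08-17T10:10:00 ws-014 twitter.com/example_feed_a
2009-08-17T10:15:02 ws-014 twitter.com/example_feed_a
2009-08-17T10:19:30 ws-022 twitter.com/example_news
2009-08-17T10:20:01 ws-014 twitter.com/example_feed_a
2009-08-17T10:25:00 ws-014 twitter.com/example_feed_a
2009-08-17T10:48:09 ws-022 twitter.com/example_news
2009-08-17T11:02:44 ws-022 twitter.com/example_news
2009-08-17T11:03:10 ws-022 twitter.com/example_news
"""

def find_pollers(log_text, min_hits=5, max_cv=0.1):
    """Return (host, account, mean_gap_s) pairs that look machine-polled.

    Flags a host/account pair with at least min_hits requests whose gaps
    have a coefficient of variation (stdev / mean) of at most max_cv.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        stamp, host, url = parts
        domain, _, account = url.partition("/")
        if domain == "twitter.com" and account:
            seen[(host, account.lower())].append(datetime.fromisoformat(stamp))
    flagged = []
    for (host, account), times in sorted(seen.items()):
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            flagged.append((host, account, round(mean)))
    return flagged

print(find_pollers(SAMPLE_LOG))
```

Grouping by host and account assumes the bot keeps reading one account for a while; where accounts rotate as described above, the same interval test can be applied per host across all Twitter requests.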