
Mobile admin or twitter as a command center

Managing a botnet from a mobile phone has long been a reality: we have already seen botnets controlled over Jabber, and a few years ago the IRC protocol was very popular with attackers for the same purpose. Last week we came across a curious bot generator, MSIL/Twebot.A, which "binds" the bots it produces to a command center in the form of a Twitter account, through which all botnet management is conducted.


Update:
Added a description of MSIL/Twebot.B.


Managing a botnet via Twitter is not a new idea; last summer it was already demonstrated as a proof of concept, but in the current case the authors went further and developed it into something more. The set of control commands is quite diverse:
.VISIT (.VISIT * link.com *) - visits the specified URL. If the trailing value is 1, the browser window is visible; if it is 0, the window is hidden.
.DDOS (.DDOS * IP * PORT) - performs a UDP flood against the specified address and port.
.SAY (.SAY * any text) - makes the controlled computer speak the given phrase using the Microsoft Text-To-Speech engine.
.DOWNLOAD (.DOWNLOAD * link.com / malware.exe *) - downloads the file at the specified URL; if the trailing value is 1 the file is also executed, if it is 0 the file is only downloaded and not run.
.STOP - stops the bots' activity regardless of their current tasks.
.REMOVEALL - makes the bots stop all activity and not contact the command center until the next reboot.
The bot generator is implemented in Visual Basic .NET and requires the installed .NET Framework to run.

image

To hinder reverse engineering, both the bot generator and the bots it generates are obfuscated.

image
The resource section of the bot generator contains interesting information that reveals the author's alias, Korrupt.

image

Even more interesting is the fact that every generated bot contains a hard-coded @Korrupt account that can also control the bots, regardless of the other command centers specified during generation.
At the moment a bot can only bind to public Twitter accounts, which are discoverable through the standard search interface. Since the commands are not masked in any way, they are easy to detect.
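Because the commands are sent in the clear with the fixed syntax listed above, a defender can hunt for them directly in tweet text. The following is an added example (not code from the original post and not the Twebot author's code): a small Python scanner that recognizes the six commands, extracts their arguments, assigns a triage severity, and counts command-like tweets per account to surface suspected command-center accounts. It assumes that `*` separates arguments as the post's examples suggest, that keyword matching is case-insensitive, and it runs over a constructed list of sample tweets (account names, 192.0.2.10 and example.com are placeholders).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Command names and their positional arguments, taken from the write-up.
# Assumption: '*' separates arguments, as the examples in the post suggest.
COMMANDS: Dict[str, Tuple[str, ...]] = {
    "VISIT": ("url", "flag"),      # flag 1 = visible browser window, 0 = hidden
    "DDOS": ("ip", "port"),        # UDP flood target
    "SAY": ("text",),              # text-to-speech on the controlled machine
    "DOWNLOAD": ("url", "flag"),   # flag 1 = download and run, 0 = download only
    "STOP": (),
    "REMOVEALL": (),
}

# Assumption: the bot matches keywords case-insensitively; the post only shows
# upper-case commands, so we err on the side of catching variants.
COMMAND_RE = re.compile(
    r"\.(VISIT|DDOS|SAY|DOWNLOAD|STOP|REMOVEALL)\b(.*)", re.IGNORECASE | re.DOTALL
)


@dataclass
class Detection:
    command: str
    args: Dict[str, str]
    severity: str
    note: str
    raw: str


def _assess(name: str, args: Dict[str, str]) -> Tuple[str, str]:
    """Map a parsed command to a triage severity and a human-readable note."""
    if name == "DDOS":
        port = args.get("port", "")
        valid_port = port.isdigit() and 0 < int(port) < 65536
        note = f"UDP flood against {args.get('ip', '?')}:{port}"
        return "high", note if valid_port else note + " (malformed port)"
    if name == "DOWNLOAD":
        url = args.get("url", "?")
        if args.get("flag") == "1":
            return "high", f"download and execute {url}"
        return "medium", f"download only (no execution) of {url}"
    if name == "VISIT":
        mode = {"1": "visible", "0": "hidden"}.get(args.get("flag", ""), "unspecified")
        return "medium", f"open {args.get('url', '?')} in a {mode} browser window"
    if name == "SAY":
        return "low", "text-to-speech: " + args.get("text", "")
    return "info", f"bot control command ({name})"


def parse_command(text: str) -> Optional[Detection]:
    """Return a Detection if the text carries a Twebot-style command, else None."""
    m = COMMAND_RE.search(text)
    if m is None:
        return None
    name = m.group(1).upper()
    fields = [f.strip() for f in m.group(2).split("*")]
    fields = [f for f in fields if f]
    if name == "SAY":                      # free text may itself contain '*'
        args = {"text": " ".join(fields)} if fields else {}
    else:
        args = dict(zip(COMMANDS[name], fields))
    severity, note = _assess(name, args)
    return Detection(name, args, severity, note, text)


def scan_tweets(tweets: List[Tuple[str, str]]) -> List[Tuple[str, Detection]]:
    """Run the parser over (account, text) pairs and keep the hits."""
    hits = []
    for account, text in tweets:
        det = parse_command(text)
        if det is not None:
            hits.append((account, det))
    return hits


def suspected_c2_accounts(tweets: List[Tuple[str, str]], threshold: int = 2) -> Dict[str, int]:
    """Accounts that emitted at least `threshold` command-like tweets."""
    counts = Counter(account for account, _ in scan_tweets(tweets))
    return {account: n for account, n in counts.items() if n >= threshold}


# Constructed sample data; account names and addresses are placeholders.
SAMPLE_TWEETS: List[Tuple[str, str]] = [
    ("c2_account_example", ".VISIT *http://example.com/landing*1"),
    ("c2_account_example", ".DDOS *192.0.2.10*80"),
    ("c2_account_example", ".DOWNLOAD *http://example.com/update.exe*0"),
    ("c2_account_example", ".SAY *hello from the command center"),
    ("c2_account_example", ".STOP"),
    ("someone_else", "Having lunch. DDOS is not a word I know."),
    ("someone_else", "check out example.com"),
]

if __name__ == "__main__":
    for account, det in scan_tweets(SAMPLE_TWEETS):
        print(f"[{det.severity:6}] @{account}: {det.command} {det.args} -> {det.note}")
    print("suspected C2 accounts:", suspected_c2_accounts(SAMPLE_TWEETS))
```

The scanner only reads text; it never acts on a command. In practice the same logic would be pointed at a stream of tweets from the public search interface the post mentions, and `suspected_c2_accounts` gives the analyst a short list of accounts worth reporting or blocking at the proxy.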

image
For now this is still a proof of concept, but one with clearly malicious potential. This approach to managing a botnet is convenient for attackers for many reasons, the main ones being that the bot can pass for an ordinary Twitter client and that the operator can control it from a mobile device.

Update:
Yesterday evening we received a new modification of this Trojan, MSIL/Twebot.B. This time the author added a license agreement that must be accepted before the bot generator launches, in which he explicitly states that the user is receiving a proof of concept and that the developer is not responsible for its use.

image

The author has also substantially redesigned the graphical interface of the bot generator. Many more parameters governing the interaction between the command center and the bot can now be changed.

image

Source: https://habr.com/ru/post/93766/