A new report by McAfee chronicles the evolution of botnets, including the use of sites like Twitter and LinkedIn as command and control mechanisms.
Botnet operators are always on the lookout for ways to get around the
security community, a fact that has led some to turn to Web 2.0 to gain an
edge. In a new report (PDF), researchers at McAfee examine the evolution of
botnets as well as examples of attackers using sites like Twitter
and LinkedIn as command and control (C&C) mechanisms.
"I would expect social networks like Twitter to be used only as a
command and control last resort to allow a botmaster to re-home his botnet to a
new and more secure botnet C&C structure, after he has lost control of it
for some reason," said Adam Wosotowsky, principal engineer at McAfee Labs.
"Botmasters will continue to use whatever form of communication they can,
so I'd expect this to continue."
In 2009, Arbor Networks uncovered a botnet using Twitter as a command and
control mechanism. Since then, other evidence of attackers moving toward Web
2.0 sites has emerged. Researchers at Sunbelt Software, for example, found a
Trojan botnet creator tool called TwitterNet Builder
in May. The tool has a basic interface that prompts the user for the
Twitter username the Trojan should follow. Clicking the "Build"
button produces an executable that follows the named account and waits for
commands posted there.
In addition to highlighting TwitterNet Builder, McAfee researchers noted yet
another example of this trend in the form of KeriosC2, a proof-of-concept tool
for controlling a botnet through Twitter, LinkedIn and TinyURL.
"There is not much that Twitter or Facebook can do
to successfully prevent it because simple things like encryption can
be used on the commands, turning them into strings of random characters for all
intents and purposes," Wosotowsky said. "In many cases it might not
be the user who owns the site or Facebook page that is responsible for the
post. If I know that some LiveJournal page is going to exist, all I need
to do is go post a comment on the most recent post."
As the trend of botnets "riding on top of commonly used applications
and protocols" continues, botnet communications will be more challenging
to detect and prevent, McAfee researchers stated in the paper. Looking ahead,
the company predicts more multibrowser functionality beyond
Internet Explorer and Mozilla Firefox, as well as more built-in integration
with instant messaging, as in the JabberZeuS variant, which uses Jabber to
give the operator faster access to stolen banking and other data.
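The two mechanisms Wosotowsky describes, commands encrypted so they read as random strings and a bot that accepts them from any account as long as they land on a page it already watches, together with the report's point that such traffic is hard to pick out of ordinary web use, can be modelled in a few dozen lines. The block below is an added example written for this page, not code from the McAfee report, TwitterNet Builder or KeriosC2; the shared key, the toy HMAC-based stream cipher, the token format and the sample timeline are all constructed assumptions. It pairs the bot-side polling logic with the kind of entropy heuristic a defender might run over the same feed, and shows where that heuristic is weak.

```python
import base64
import hashlib
import hmac
import math
import os
import string
from typing import List, Optional, Tuple

# Constructed shared secret (assumption); a real bot would carry one compiled into its binary.
SHARED_KEY = b"example-shared-secret-not-from-the-report"
B64URL_CHARS = set(string.ascii_letters + string.digits + "-_")
NONCE_LEN = TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 run in counter mode. Illustrative only;
    real code would use an authenticated cipher such as AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encode_command(key: bytes, command: str, nonce: Optional[bytes] = None) -> str:
    """Botmaster side: encrypt-then-MAC a command into one base64url token that
    can be dropped into any public post or comment. Fresh random nonce per command."""
    nonce = nonce or os.urandom(NONCE_LEN)
    plaintext = command.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode().rstrip("=")


def decode_command(key: bytes, token: str) -> Optional[str]:
    """Bot side: return the command if the token carries a valid tag, else None.
    Who posted the token is irrelevant; only the tag is checked."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))).decode("utf-8", "replace")


def candidate_tokens(text: str, min_len: int = 40) -> List[str]:
    """Whitespace-separated tokens long enough to hold a command and made only of
    base64url characters. Shared by the bot and the detector; URLs and ordinary
    words fail the alphabet or length test and are never considered."""
    return [t for t in text.split() if len(t) >= min_len and all(c in B64URL_CHARS for c in t)]


def extract_commands(key: bytes, posts) -> List[Tuple[int, str]]:
    """Bot side: sweep a timeline, any author, and return (post id, command) pairs."""
    found = []
    for post in posts:
        for token in candidate_tokens(post["text"]):
            command = decode_command(key, token)
            if command is not None:
                found.append((post["id"], command))
    return found


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0


def flag_posts(posts, min_len: int = 40, min_entropy: float = 4.0) -> List[int]:
    """Defender side: ids of posts carrying a long, high-entropy base64-looking token.
    Encrypted command blobs trip it; so do pasted keys and hashes, and commands
    disguised as ordinary words or hashtags slip past it entirely."""
    return [post["id"] for post in posts
            if any(shannon_entropy(t) >= min_entropy for t in candidate_tokens(post["text"], min_len))]


# Constructed sample timeline (not from the report). Posts 2 and 4 carry commands;
# post 4 is a comment from an unrelated account, post 5 is a long but harmless token.
FEED = [
    {"id": 1, "author": "alice", "text": "Great talk on botnets, slides at https://example.org/slides"},
    {"id": 2, "author": "throwaway_account", "text": encode_command(SHARED_KEY, "sleep 3600")},
    {"id": 3, "author": "bob", "text": "anyone else seeing weird follower spikes today?"},
    {"id": 4, "author": "someone_else", "text": "nice post! " + encode_command(SHARED_KEY, "update 198.51.100.7:8080 /stage2.bin")},
    {"id": 5, "author": "mallory", "text": "placeholder token " + "A" * 44},
]

if __name__ == "__main__":
    print("bot sees:", extract_commands(SHARED_KEY, FEED))
    print("detector flags:", flag_posts(FEED))
    print("wrong key:", decode_command(b"wrong-key", FEED[1]["text"]))
```

Two things the run makes concrete. The bot recovers both commands even though neither was posted by a "botmaster" account, which is the LiveJournal-comment scenario in the quote: blocking or suspending the account that originally seeded the bots does nothing once the bot authenticates the tag rather than the author. The detector catches both blobs here only because they are long and uniformly random; lower the token length, map commands onto dictionary words or hashtags, or hide them in link shorteners as KeriosC2 does with TinyURL, and the entropy heuristic has nothing to key on, which is why the report expects this traffic to get harder to detect rather than easier.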
"While botnets like Twitbot are not widespread, they demonstrate how
easy it is to do it, and that any social network is vulnerable to [this]
kind of attack," said Pedro Bueno, malware research scientist at
McAfee Labs, adding, "All major social networks must be prepared to act
fast when receiving takedown requests and improve their monitoring methods."