McAfee Examines Botnet Use of Social Networks, Web 2.0

A new report by McAfee chronicles the evolution of botnets, including the use of sites like Twitter and LinkedIn as command and control mechanisms.

Botnet operators are always on the lookout for ways to get around the security community-a fact that has led some to turn to Web 2.0 to gain an edge.

In a new report (PDF), researchers at McAfee examine the evolution of botnets as well as examples of people using sites like Twitter and LinkedIn as command and control (C&C) mechanisms.

"I would expect social networks like Twitter to be used only as a command and control last resort to allow a botmaster to re-home his botnet to a new and more secure botnet C&C structure, after he has lost control of it for some reason," said Adam Wosotowsky, principal engineer at McAfee Labs. "Botmasters will continue to use whatever form of communication they can, so I'd expect for this to continue."

In 2009, Arbor Networks uncovered a botnet using Twitter as a command and control mechanism. Since then, other evidence of attackers moving toward Web 2.0 sites have emerged. Researchers at Sunbelt Software, for example, found a Trojan botnet creator tool called TwitterNet Builder in May. The tool has a basic interface, prompting users to enter a Twitter username for a Trojan to follow. When they hit the "Build" button, an executable will follow the named account and wait for commands.

In addition to highlighting TwitterNet Builder, McAfee researchers noted yet another example of this trend in the form of KeriosC2, a proof-of-concept tool for controlling a botnet through Twitter, LinkedIn and TinyURL.

"There is not much that Twitter or Facebook can do to successfully prevent it because simple things like encryption can be used on the commands, turning them into strings of random characters for all intents and purposes," Wosotowsky said. "In many cases it might not be the user who owns the site or Facebook page that is responsible for the post. If I know that some LiveJournal page is going to exist, all I need to do is go post a comment on the most recent post."

As the trend of botnets "riding on top of commonly used applications and protocols" continues, botnet communications will be more challenging to detect and prevent, McAfee researchers stated in the paper. Looking ahead, the company predicts there will be more multibrowser functionality beyond Internet Explorer and Mozilla Firefox, as well as more built-in integration with instant messaging technologies such as JabberZeuS to provide faster access to banking and other data.

"While botnets like Twitbot are not widespread, they demonstrate how easy it is to do it, and that any social network is vulnerable to [this] kind of attack," said Pedro Bueno, malware research scientist at McAfee Labs, adding, "All major social networks must be prepared to act fast when receiving takedown requests and improve their monitoring methods."