31 comments

[ 3.0 ms ] story [ 68.0 ms ] thread
Yes, this is something well known. Chat platforms have long since been used as botnet infrastructures. IRC is/was a big one for a long time because it's very lightweight and the protocol is well known (with a little know-how you can completely IRC over telnet). The only reason it's been ditched is because it's so heavily centralized -- loose the C&C server and you lose control, unless you have a way to push updates. That's why fast-flux DNS became popular.

In other news, water is wet, the sky is blue, etc. etc.

Agreed, but they created this paper because they actually found malware using Discord and Telegram. Apparently it can have alternative uses, such as being a direct interface to ransomware victims ("join this Slack channel to send me your bitcoin")
You know they're getting crafty when you can lend them your account for 72 hours to unlock your PC.

Legitimate History as a Service?

61 pages to conclude, yes you can indeed pass messages via chat APIs, shocking.

Also stupid if you actually do that since the chat API provider can simply cut you off and you don't have a C2 anymore and lost access to all the systems you infected.

This isn't really focused at developers and admins. The paper is for CEO's, managers, and purchasing to get new software and hardware for reasons. It also makes great presentation materials.
I don't think it's "stupid" to C2 via chat API. It would be "stupid" to have no fallback mechanisms
Chat API's are good because the traffic to "facebook.com" probably won't be detected as malicious by most firewalls.

Your fallback should be a peer2peer network in DHT style, scanning the entire IP address space on a well known port to find nodes to connect to.

When a node is found, addresses of other nodes are requested, and a cache of a few thousand infected nodes kept to use as seeds for future connections.

Imagine you have 1 million infected machines, then most new nodes will find and connect to the network within 4000 packets sent across the network. For good measure, build in a list of a few thousand addresses into the malware as bootstrap nodes.

Yeah, fair enough.
I think a Tor hidden service would probably be a really good way to run C&C infrastructure. I'm surprised it doesn't get used more often. Or maybe it does?
Actually not. TOR is easily blocked and doesn't play well on mobile (install, bandwidth, and battery hog.) Plus if you're sending a small commands say in Twitter like ones below, no one would even notice.

New Update http://somefile,com/command.json

Subscribe to @newJunkAccount and @AnotherJunkAccount

@newJunkAccount has CLOSED his account

Tor botnets are extremely common for ransomware and Bitcoin mining... however, Tor is readily blocked on some networks, so other considerations should be made - a variety of available approaches is generally the way to go.
They spent a year and a half on this fairly obvious thing only to conclude nothing new here and offer no useful advice beyond common best practices.

Are they going to waste the next year on how Twitter, Facebook, etc. can be used by criminals?

I have to admit, I've had a lot of fun in the past thinking of creative ways to control botnets. It's a fun thought exercise in developing in an area where everything is adversarial to your goal. And the fact that the amount of information you really need to transfer is so trivially small that you can get some really creative "solutions".

My favorite idea so far is to look for the existence of a specific username across several services for commands. Only the usernames are (in part) generated via a TOTP style rolling code. So to see if something should activate, it will look for the existence of a username of "imnotabot349556" on reddit, HN, and twitter. if it sees any of them, it can read a small command from any number of places on those sites that the user can post some kind of comment/profile/text.

This is super easy to control securely (could be done from anywhere, using any machine, over TOR or other networks), is hard to shut down (the rolling codes mean they would need to either have access to the "secret" and ban all future codes, or just ban "imnotabot*" which wouldn't be sustainable if multiple botnets started using this method, not to mention you could just switch to a hash of everything as the username), and is fairly fullproof (no reliance on any one network or channel). And with some forethought, an update mechanism can be built into it as well, so when someone gets close to your scheme, you could have all your bots update at a moment's notice to a new one.

At the end of the day, trying to stop a C&C server of a botnet is a futile exercise. Once the botnet is out there, there's no stopping it by shutting down a C&C server. There are just SO many ways to pass information, and when the information is on the size of hundreds of bytes in some cases, there's just no hope.

> the rolling codes mean they would need to either have access to the "secret" and ban all future codes, or just ban "imnotabot*" which wouldn't be sustainable if multiple botnets started using this method

They will have access to the secret, because they have access to the programs that run the TOTP algorithm.

But it relies on all services I would use to add custom code to block all future rolling codes. For a problem that they don't really have any financial reason to write that custom code to stop it.

And any fix that they introduce, can be trivially updated to change around by any of the other services. They'd have to coordinate across all services that are used to update at the same time in order to stop it.

No, you reverse engineer the "domain generation algorithm" and figure out what the secret seeds are as input, then every time you need to know the name of the rendezvous point you figure out what the current seed is (easy if it's static, a little harder if it's dynamic) and run the algorithm.

Anyone that does this can register the reddit/twitter handles or domain names as soon as they figure this out, if they aren't pre-registered. And if you're the provider, you are then given a list of accounts to kill. Now you're in a game of cat and mouse with the botnet operator, and each move you take kills off some of the operators bots, perhaps all of them if you get ahead of them by enough.

The commands could be cryptographically signed to prevent "malicious" control of the botnet.
True, but you can prevent the introduction of new commands.

In this setting, if there's a central point, it can be cut. It's different if there is no central point (i.e. conficker P2P).

(comment deleted)
> trying to stop a C&C server of a botnet is a futile exercise.

Laptop users who want broad Internet access (and will complain loudly if reddit/HN/Twitter is "down") aren't the same thing as the app server that only talks to a short whitelisted set of RFC1918 IPs, on specific ports only, and doesn't have Internet access - not even DNS. (WannaCry demonstrated why not.)

Reddit and the like needs to accept they are hosting botnet C&C servers due to hosting loads of user-generated content (I'd do an invite-only subreddit with a tracking pixel in the CSS), but that doesn't make it pointless for the rest of us to do something where possible.

(comment deleted)
> The app server that only talks to a short whitelisted set of RFC1918 IPs, on specific ports only, and doesn't have Internet access - not even DNS.

Problem is that this stops application level automated updating. Firewalls are all fine but unfortunately they operate at IP level, not DNS - which means good luck if the vendor's auto-update server uses stuff like Cloudflare, ELB or anything other that (more or less rapidly) changes IP addresses.

> (I'd do an invite-only subreddit with a tracking pixel in the CSS)

So that you could nuke it if a not-you IP accessed the subreddit? That's nice and could be very easily automated.

Except it doesn't work because reddit sanitizes their CSS and doesn't allow url() to external hosts. You need to upload the images you want to reference in the CSS to reddit.
Using a popular Blockchain seems to me to be the best C&C system. It's distributed and authenticated. The botnet could either talk directly to the network or fallback to http and look at the hundreds of websites that allow you to read the blockchain. It would be "impossible" for the C&C to be taken over without the collaboration of the Blockchain developers and miners...

It means "spending" to send a command, but you only lose the fee.

Eh, I dunno. Easy to corporate firewall off. Easy to detect once it starts. I'd rather just communicate through a google API of some kind. Or maybe a clever series of dropbox accounts.
I'll admit that I didn't even open this because of its size but I'm deeply confused by the the subject. I'm no cyber criminal but I know fundamentally how a bot net works, in fact I'm sure if you google it your first few results will describe how IRC / telnet is leveraged as conduit, through which the metroids commune with mother brain. How is it the least bit surprising that an enterprising troll would leverage newer chat clients as means to the same end. Bleh, now I just feel like the majority of reddit commenters, leaving an uninformed shit post after not reading the article. Is this actually worth reading? I guess is what I'm asking.