Step 0: C&C Language
Out of scope for this discussion.
Step 1: Have Persistent Data Returned in a Web App
A possible way to get persistent data returned within an arbitrary web application would be to find a SQLi vulnerability or persistent XSS issue with some random application on the web. The idea is to be able to enter a string such as the following:
[PREFIX][ENCODED COMMAND WITH SIGNATURE]
This string could be commented out or a JavaScript variable. It just has to be present. The "PREFIX" would be used by the botnet as a search variable. If/when found, the appended command (with some type of signature to ensure integrity) would then be validated, and if good, used. The PREFIX could be updated in the future, though.
Step 2: Shorten a URL and Do Math
Enter the prior web application's URL into a popular URL shortener, such as bit.ly, yfrog.com, etc. Save the resulting shortened URL path. For example, the bit.ly shortened URL for http://www.google.com is http://bit.ly/14d7yE. Save the 14d7yE and associate it to bit.ly somehow.
Understand the range of values the shortener provides. bit.ly seems to use [0-9][a-z][A-Z], which would be an alphabet of 62 characters. Map this alphabet to a numbering system. For example, the google.com bit.ly shortened URL could map to this number (with d, y and E standing for their positions in the alphabet):
1*62^5 + 4*62^4 + d*62^3 + 7*62^2 + y*62^1 + E*62^0, which is a number smaller than 990014512.
Call this number P.
Randomly pick a number and call it Q. Take P * Q to get N. N gets included with the botnet members. N should be a variable that can be updated on the botnet members.
Encode Q the same way that P was encoded by the shortener. Q now equals the PREFIX value from above.
Step 3: Inject PREFIX into App
Inject Q / PREFIX into the web app, along with the encoded commands.
Step 4: Create a Twitter Account (or Two, or 100)
Create a Twitter account and upload a custom picture. Do not protect the account.
Step 5: Abuse Twitter Public Timeline (or Search) and PROFIT!
The Twitter public timeline displays the tweets of 20 non-protected accounts with a custom picture, cached for a 60 second period. To request the current timeline in XML, GET http://twitter.com/statuses/public_timeline.xml.
With all of the available Twitter accounts, tweet about the shortened URL. These accounts can tweet about any other URL they want. The botnet monitors the public timeline. The goal is to get one of these Twitter accounts to be shown in the public timeline.
For whatever shorteners the botnet supports, it will have to follow each and every shortened URL. So, bit.ly may not be a good choice due to all of the false positives and traffic. All the same, a shortener that is rarely used may also stand out. Getting the tweets in the public timeline may be a numbers game.
Instead of using the timeline, the botnet could also search Twitter for a shortener. For example, searching for short.to's shortener yields a limited number of hits relative to bit.ly. One could use a list of shorteners to test this against and figure out a good one to use.
Once a shortener link is found, the botnet recreates the PREFIX / Q variable (called Q-prime) by taking the shortened URL, divided by the stored N variable. If the resultant Q-prime is an integer, then the botnet follows the link and searches for the Q-prime variable in the text of the site. If Q-prime is found, the botnet then attempts to decode the command, hopefully signed in some way.
Voilà!
Issues
- Since the botnet only follows specific shortened URLs, the secrecy of the C&C server is somewhat impacted. Now, if Q is chosen in a way where it has a lot of coprime factors, then it seems more probable that N can be divided by a larger set of shortened URLs (Ps). But, I'm not a mathematician, so don't trust me here (or anywhere in this post :-)
- If the Twitter accounts only tweet on the C&C shortened URL, the secrecy of the C&C system (and also the subversive nature of the Twitter accounts) is impacted. The accounts can send out random, harmless tweets to add noise.
- The public timeline method seems cumbersome. The search method seems a bit more robust.
- Systems that pound on twitter.com would probably reveal themselves to be bots.
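The last issue is the one a defender can act on directly: the public timeline is cached for 60 seconds, so a client that wants every refresh polls on that cadence, and that regularity is visible in proxy logs. The following is an added example (not the author's code) that flags such pollers; the proxy log format and the sample lines are constructed for illustration.

```python
"""Flag clients polling the Twitter public timeline on a fixed ~60 s cadence."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <client ip> <method> <url>".
# 10.0.0.5 polls the timeline every minute; 10.0.0.9 browses normally.
SAMPLE_LOG = """\
2009-08-01T10:00:00 10.0.0.5 GET http://twitter.com/statuses/public_timeline.xml
2009-08-01T10:01:00 10.0.0.5 GET http://twitter.com/statuses/public_timeline.xml
2009-08-01T10:02:01 10.0.0.5 GET http://twitter.com/statuses/public_timeline.xml
2009-08-01T10:03:00 10.0.0.5 GET http://twitter.com/statuses/public_timeline.xml
2009-08-01T10:04:00 10.0.0.5 GET http://twitter.com/statuses/public_timeline.xml
2009-08-01T10:00:12 10.0.0.9 GET http://twitter.com/statuses/public_timeline.xml
2009-08-01T10:07:45 10.0.0.9 GET http://twitter.com/home
2009-08-01T10:31:02 10.0.0.9 GET http://twitter.com/statuses/public_timeline.xml
"""

TIMELINE_PATH = "/statuses/public_timeline.xml"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Return {client: [timestamps]} for requests to the public timeline."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url = m.groups()
        if "twitter.com" in url and url.endswith(TIMELINE_PATH):
            hits[client].append(datetime.fromisoformat(ts))
    return hits


def flag_pollers(hits, min_hits=4, period=60.0, jitter=5.0):
    """Flag clients whose inter-request gaps cluster around the cache period.

    A bot that wants every 60 s refresh has no reason to poll faster or
    slower; a person browsing the site does not produce this regularity.
    """
    flagged = {}
    for client, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(mean(gaps) - period) <= jitter and pstdev(gaps) <= jitter:
            flagged[client] = {"requests": len(times), "mean_gap_s": round(mean(gaps), 1)}
    return flagged


if __name__ == "__main__":
    print(flag_pollers(parse_log(SAMPLE_LOG)))
```

The thresholds (four requests, 60 s period, 5 s jitter) are assumptions for the constructed sample; tune them against real baseline traffic before alerting on them.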