Shocking but true…today a researcher discovered that Twitter has been used for command and control of a botnet, which may have been used by Brazilian hackers to steal online banking login information. Kudos to the researcher, Jose Nazario, who found this. It was an interesting read to say the least. The bot would basically look for base64-encoded commands on a Twitter account to download malware via RSS feeds with obfuscated (shortened) URLs. Interesting…sounds a lot like Robin Wood’s tool KreiosC2, which was released at DEFCON 17. I even did this demo showing what else? Base64-encoded commands. Ironically, I showed off the first version of this code at Notacon 6 back in April of this year. Keep in mind, KreiosC2 can be used for legitimate tasks like controlling things at home remotely via Twitter. I highly recommend you read Robin’s detailed write-up on how KreiosC2 functions.
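As an added illustration (not code from this post, from Nazario's analysis, or from KreiosC2), here is a defender-side heuristic for the pattern described above: scan status text for base64 tokens that decode to readable text containing a URL, the shape a C2 "go fetch this" instruction takes when hidden in a feed. The sample posts and the `short.example` host are constructed for the example.

```python
import base64
import binascii
import re
from typing import List, Optional

# A run of base64-alphabet characters long enough to be unlikely in ordinary
# prose, with optional '=' padding, bounded so we don't match inside a URL.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def decode_if_base64(token: str) -> Optional[bytes]:
    """Strictly decode token as base64; None when it is not well-formed base64."""
    if len(token) % 4 != 0:
        return None
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None

def looks_like_text(data: bytes) -> bool:
    """True when the decoded bytes are mostly printable ASCII (a command string, not binary)."""
    if not data:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) > 0.9

def find_hidden_urls(post: str) -> List[str]:
    """Return URLs that only appear after base64-decoding tokens in a post.
    Long ordinary words may decode to junk; looks_like_text() filters most of those."""
    hits: List[str] = []
    for m in B64_TOKEN.finditer(post):
        decoded = decode_if_base64(m.group(1))
        if decoded is None or not looks_like_text(decoded):
            continue
        hits.extend(URL_RE.findall(decoded.decode("ascii", errors="ignore")))
    return hits

def flag_posts(posts: List[str]) -> List[tuple]:
    """Return (post, hidden_urls) for every post carrying an encoded URL."""
    return [(p, urls) for p in posts if (urls := find_hidden_urls(p))]

# Constructed sample feed: a normal status, a status with an encoded fetch
# instruction, an encoded binary blob, and a plain (unhidden) link.
ENCODED_CMD = base64.b64encode(b"fetch http://short.example/x9 ").decode()
SAMPLE_POSTS = [
    "Morning everyone, coffee first then the gym",
    "status: " + ENCODED_CMD,
    "status: " + base64.b64encode(bytes(range(32))).decode(),
    "http://short.example/plain is a plain link, not hidden",
]

if __name__ == "__main__":
    for post, urls in flag_posts(SAMPLE_POSTS):
        print("suspicious:", post, "->", urls)
```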
What I find fascinating (like most things in security) is that now that there has been a real confirmed case of using Twitter for botnet C2 (Command & Control), the media seems to be jumping on it and even trying to determine “why it took so long for hackers to take Twitter to the dark side”. Well, you can’t say we didn’t warn you.
The point that Robin, myself and others were trying to make way back in April was that this is a real threat, and the bad guys had probably started to use Twitter for C2 even before Robin put out the code! We were hoping that by releasing the code, Twitter (and others) would see it as an early warning of things to come and prepare some defense for it (yes, we know it’s hard to put a defense together for something like this). Now that we have a confirmed case of Twitter C2 being used for malicious purposes, we hope Twitter takes this seriously and can combat future C2 channels used for very bad things. It always takes something bad to happen to create change…where have you heard that before?