Continuing the zombie apocalypse from Defcon…Kevin Johnson and I will again be presenting “Social Zombies: Your Friends Want to Eat Your Brains” at this week’s OWASP AppSec DC conference. We will be speaking Thursday, November 12th at 2:10 in room 146c. We will have some new material and updates from the presentation we gave at Defcon 17 this year including the release of a new version of Robin Wood’s KreiosC2 (beyond Twitter for C&C). If you’re going to the conference we hope to see you there!
The video from the talk Kevin Johnson and I did at DEFCON 17 called “Social Zombies: Your Friends Want To Eat Your Brains” is now up on Vimeo. If you missed us at DEFCON, Kevin and I will be presenting an updated version at OWASP AppSec DC in November.
Shocking but true…today a researcher discovered that Twitter has been used for command and control of a botnet which may have been used by Brazilian hackers to steal online banking login information. Kudos to the researcher, Jose Nazario, who found this. It was an interesting read to say the least. The bot would basically look for base64-encoded commands on a Twitter account to download malware via RSS feeds with obfuscated (shortened) URLs. Interesting…sounds a lot like Robin Wood’s tool KreiosC2 which was released at DEFCON 17. I even did this demo showing, what else? Base64-encoded commands. Ironically, I showed off the first version of this code at Notacon 6 back in April of this year. Keep in mind, KreiosC2 can be used for legitimate tasks like controlling things at home remotely via Twitter. I highly recommend you read Robin’s detailed write-up on how KreiosC2 functions.
What I find fascinating (like most things in security) is that now that there has been a real confirmed case of using Twitter for botnet C2 (Command & Control) the media seems to be jumping on it and even trying to determine “why it took so long for hackers to take Twitter to the dark side”. Well, you can’t say we didn’t warn you.
The point that Robin, myself and others were trying to make way back in April was that this is a real threat and the bad guys have probably started to use Twitter for C2 even before Robin put out the code! We were hoping that by releasing the code Twitter (and others) would see this as perhaps an early warning of things to come and perhaps prepare some defense for it (yes, we know it’s hard to put a defense together for something like this). Now that we have a confirmed case used for malicious purposes we hope Twitter takes this seriously and can combat future C2 channels used for very bad things. It always takes something bad to happen to create change…where have you heard that before?
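As a defensive illustration of the pattern described in this post (base64-encoded text in feed items that decodes to shortened URLs), here is an added detection sketch; it is not code from the original post, from KreiosC2, or from the researcher's write-up. The shortener host list, the sample feed and the names `scan_feed` and `decode_candidate` are assumptions made for the example.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: a small local list of URL-shortener hosts; extend for your environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"https?://[^\s\"'<>]+")

def decode_candidate(token):
    """Return decoded text if token is strict base64 of printable ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="ignore")
    # Long ordinary words often parse as base64 but decode to binary junk: reject those.
    if len(text) != len(raw) or not text.isprintable():
        return None
    return text

def scan_feed(xml_text):
    """Flag RSS items whose text carries base64 that decodes to one or more URLs."""
    findings = []
    for item in ET.fromstring(xml_text).iter("item"):
        body = " ".join(item.itertext())
        for token in B64_TOKEN.findall(body):
            decoded = decode_candidate(token)
            urls = URL.findall(decoded) if decoded else []
            if urls:
                short = [u for u in urls if urlparse(u).hostname in SHORTENER_HOSTS]
                findings.append({"title": (item.findtext("title") or "").strip(),
                                 "urls": urls, "shortened": short})
    return findings

# Constructed sample feed (not captured traffic): one benign item, one with an encoded link.
_ENCODED = base64.b64encode(b"http://bit.ly/example1").decode()
SAMPLE_FEED = f"""<rss><channel>
<item><title>status 1</title><description>Time to internationalize the slides</description></item>
<item><title>status 2</title><description>{_ENCODED}</description></item>
</channel></rss>"""

if __name__ == "__main__":
    for finding in scan_feed(SAMPLE_FEED):
        print(finding)
```

The printable-ASCII check is what keeps ordinary long words from being flagged; a hit on the shortener list is a triage signal, not proof of C2.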
Kevin and I want to thank everyone that came out to our talk at DEFCON 17 this past weekend. We had a great time giving the talk and thanks for the feedback! Even the two Facebook developers that came to our Q&A enjoyed it! Having said that, Kevin and I will never, ever get a Facebook party invite while at Black Hat and/or DEFCON. Oh well! At least @dualcoremusic got to play live!
You can download the slide deck from SlideShare that was in the DEFCON 17 CD. We plan on giving the talk a few more times in the next few months so we don’t plan to release the full version of the slide deck yet. However, we will post the video as soon as we get it. The slides on the DEFCON CD are mostly text…no cool Zombie graphics (thanks to @JaneDelay for the Photoshop work BTW) but it should give you a good overview of the talk.
Robin Wood’s fantastic tool called KreiosC2 was also released during our talk. I did a demo which is posted here and talked a lot about how the PoC code functions. If you don’t know already…KreiosC2 is a tool written in Ruby which allows IRC-like command and control of systems over Twitter. Very cool! Also, check out the redesign of Robin’s website. Awesome. Make sure you follow Robin on Twitter! He is one you need to follow!
DEFCON was awesome as usual! Lots of people this year…perhaps an increase from last year and of course the usual hijinks. It was awesome catching up with everyone and meeting new people. I attended lots of great talks including the “DEFCON Security Jam 2: The Fails Keep on Coming”. This was one that you should see the video for…especially the presentations by @haxorthematrix and @myrcurial. Speaking of @myrcurial…you really need to see the awesome yet scary presentation that @myrcurial and @TiffanyRad did on Sunday titled “Your Mind: Legal Status, Rights and Securing Yourself”. I highly recommend this talk!
The podcasters meetup was also a success! Thanks to @pauldotcom for hosting and for throwing such an awesome party this year and a shout out to the guys over at I-Hacked.com! The audio will be posted soon, probably over at the Security Justice site.
Pictures will be posted soon! Still trying to recover from Vegas!