Update - The Twitter commander module no longer works as Twitter have turned off support for basic authentication and now only support OAuth. If anyone wants to update the script it should be fairly easy to do but I'm not intending to do the work myself unless someone gives me a very good reason to.
KreiosC2 is a proof of concept bot which uses various unusual systems as its Command and Control channel. Obviously this can be used for malicious purposes but also for good ones, for example you can set up a bot at home to listen to your Twitter feed and perform actions on it. I'll discuss the potentially malicious use of it here but it would be easy to take the concepts and use them for good.
They say a picture is worth a thousand words, so a video must be worth more. Here are two videos demonstrating KreiosC2: the first, showing KreiosC2 in action, was put together by Tom Eston for his Defcon talk, Social Zombies - Your friends want your brains, and the second was created by me for the sequel, Social Zombies II, Your friends need more brains.
Version 3 was released at Shmoocon 2010 as part of the "Social Zombies II, Your friends need more brains" talk given by Tom Eston, Kevin Johnson and myself. It adds support for channelling through LinkedIn and has been tested under Windows.
As soon as the videos are posted I'll add a link.
In this release I've separated the code which downloads the messages from the main body of the application in the same way as the languages are self contained files. This allowed me to add new command channels as well as the original Twitter.
With this version you can now pass messages encoded in TinyURL shortened URLs and through text hidden in JPEGs. Also, with the way the system is built, it is a simple process to add a new type of channel and roll it out to a live system. I've called these new channel types protocols and you can read more about them in the How it all works section.
What's new since version 1?
First the name change. Version 1 of this project was called TwitterBot. Unfortunately, I didn't do any research before using the name, and only after I launched it did I realise that there were already a lot of other projects out there with the same name. The name KreiosC2 was created by Tom and is made up from Kreios, a Greek Titan God, and C2, which is the name the military uses for command and control.
Second, and really more importantly, KreiosC2 now has the ability to dynamically update the control language used and add new features on the fly without any restarts or any manual intervention.
The reason I was thinking about Twitter is it has such a large community that it would be easy to hide random commands in the large amount of data that is generated each day. It also has a really good API that would make integration easy.
My first idea was to have a protected Twitter account which only the bots could read. This would restrict who could see the commands, but it would be easy for Twitter to block that user. My next thought was to send the commands to random accounts and have the bot use the search feature to find them. This would make it harder for Twitter to block the messages, as the commands could be posted from any account to any other account. For this to work the bot would need a way to spot the commands in the general mess of other tweets out there. The problem is that if the bot can spot the commands then Twitter could do the same matching and automatically drop those tweets, and that is a harder one to defend against. My plan to defeat this would be to use seemingly innocent commands, such as "check out this link ..." to, say, download a file, which would be hard for Twitter to block without upsetting legitimate users, but I don't know how hard it would be to create a command language based on this.
I proposed these ideas to Tom Eston (from the Security Justice Podcast), who is currently doing work on social media botnets, and to Mubix (who everyone knows). Tom suggested using TinyURL to obfuscate commands or using hash tags to represent certain things. You could also get the bots to follow certain accounts to mark themselves as bots. If they followed a specific bot master account they would be easy to spot, but having them follow a general account, the BBC say, means they could again be lost in the masses unless you knew where to look. Tom is giving a talk at Notacon where he will be talking a bit more about this and other social media bots.
Mubix added the following ideas:
- Use a time based code that is based on the time of the twitter update so, bots check via the public time line what the current time is, and based on the hour they are checking within ( 7AM, 2PM etc) they have a specific minute to look for a command within (i.e. at 7 PM they are looking for a command at 7:13). This command would be a cipher text posted by one of over a hundred dummy twitter accounts, and no matter how many accounts Twitter got rid of, you could always make more
- Again going with the key. You could simply use Unix time as part of the post. So, bot checks twitter time based on public stream, converts to Unix time, does a search on twitter for the current Unix time and looks for the second part of the key would be an easy cipher. Once they found the key, it would be: "1239197528 How do I convert this to normal date time?" - And then the bot would take the first letter of each of the words: HDICTTNDT and look up that user then take its latest post and issue the command in the post. "ping -t victim.com"
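As an added example (not part of KreiosC2 or of Mubix's write-up above), this Python snippet shows the kind of platform-side check the Unix-time scheme would have to get past: it flags posts whose leading token is a Unix timestamp close to the post's own posting time and records the acrostic handle for analyst review. The 300-second window, the Tweet structure and the sample posts are constructed assumptions.

```python
"""Flag posts keyed with a near-current Unix timestamp (detection side of the
scheme described above). Sample data is constructed for illustration."""
import re
from dataclasses import dataclass

# A post that opens with a ten-digit number is a candidate key.
TIMESTAMP_RE = re.compile(r"^(\d{10})\b")


@dataclass
class Tweet:
    author: str
    posted_at: int   # Unix time the post was made (constructed field)
    text: str


def acrostic(text: str) -> str:
    """First letter of every word after the leading key, upper-cased,
    i.e. the handle the scheme would have a bot look up."""
    words = text.split()[1:]
    return "".join(w[0] for w in words if w[0].isalpha()).upper()


def flag_keyed_posts(tweets, window=300):
    """Return (tweet, acrostic_handle) pairs for posts whose first token is a
    Unix time within `window` seconds of the post's own timestamp. A stale
    number in a post (e.g. quoting an old log line) is not flagged."""
    hits = []
    for t in tweets:
        m = TIMESTAMP_RE.match(t.text)
        if not m:
            continue
        key = int(m.group(1))
        if abs(key - t.posted_at) <= window:
            hits.append((t, acrostic(t.text)))
    return hits


# Constructed sample timeline: one keyed post, one normal post, one stale number.
SAMPLE_TWEETS = [
    Tweet("dummy_acct_17", 1239197530,
          "1239197528 How do I convert this to normal date time?"),
    Tweet("alice", 1239197600, "Just had the best coffee ever #monday"),
    Tweet("bob", 1239197650, "1239100000 was the timestamp in the log, any ideas?"),
]

if __name__ == "__main__":
    for tweet, handle in flag_keyed_posts(SAMPLE_TWEETS):
        print(f"review @{tweet.author}: acrostic points at @{handle}")
```

The acrostic is only surfaced for review; nothing is fetched or executed, and the window can be tightened to the minute-of-hour variant in the first bullet.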
Some interesting ideas on the packet structure have been suggested by Tcrweb at his blog. I'd personally expand the command byte to at least two bytes to allow for expansion but apart from that I like the ideas.
Hopefully this gives you an idea of the potential for using channels other than IRC to control a bot or botnet. Versions 1 and 2 both suffer from the problem that once someone reverse engineers a bot and works out the command syntax, Twitter could probably shut the system down fairly well. Version 3, however, allows you to switch channels, which makes shutting down the network much harder. If the reverse engineering job were made hard enough, and the methods of hiding the commands were made either very generic or just very numerous, maybe 50 different ways to say execute a command, then it would take admins a while to work out the fix and implement it, which may just give the bad guys the edge they need.
I was in two minds about releasing this idea, partly because I thought it was a bit mad, as Twitter could shut this kind of thing down a lot more easily than, say, the DNS registrars could stop the registration of the domain names Conficker uses to control its bots, and partly because if it did work and someone did use it for badness, it is quite scary that I may have triggered it. But after talking to Mubix and Tom we decided that disclosure is better than keeping things boxed up, so I've put it out. Please give me any feedback as I'm interested to know what others think.