twitbot.py searches Twitter for interesting posts; if it finds one, it decrypts and executes it, then sleeps n seconds.
twitcontrol.py takes a time offset (0 is fine) and a command line; it encodes these and posts them to the configured Twitter account.
Here's how it works:

Twitbot Main loop:
  Generate tag from tag key
  Search for Twitter posts containing tag
  For first matching post:
    Decrypt payload string with message key
    Execute payload string in shell
  Sleep

Twitcontrol Algorithm:
  Generate tag from tag key
  Encrypt message with message key
  Post message and tag to Twitter

Simple Tag Generation:
  MD5 hash the tag key
  Truncate hash to designated tag length – 1

Dynamic Tag Generation:
  Calculate seconds since 01/01/1970 0000 UTC
  Truncate value to 7 most significant digits
  MD5 hash value and tag key
  Truncate hash to designated tag length – 1

Message Encryption:
  MD5 hash message key to create cipher key
  Encrypt message with RC4 and cipher key
One of the nice things about twitbot is that you don't need to specify an account to post from. Instead, a tag is generated (from a key) and searched for using the Twitter search API. This is helpful for the hypothetical bad guy because a single banned account won't ruin his day. The other use of tags is to timestamp the command posts to prevent duplicate execution. I use Mike Verdon’s Python Twitter Tools module, which I found the best of the Python modules I looked at.
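From the defender's side, the dynamic tag scheme above means a tag key recovered from a sample is enough to list every tag that was valid during an incident window and match them against logs. The following is an added example, not code from twitbot; the tag length, the concatenation order of value and key, the use of the hex digest, the key and the log lines are all assumptions or constructed values.

```python
import hashlib

TAG_LEN = 8                  # assumed "designated tag length"; the page gives no value
KEY = "constructed-tag-key"  # constructed stand-in for a key recovered from a sample

def time_bucket(epoch: int) -> str:
    """7 most significant digits of a 10-digit epoch value (a 1000-second window)."""
    return str(int(epoch))[:7]

def dynamic_tag(tag_key: str, epoch: int, tag_len: int = TAG_LEN) -> str:
    # Assumptions: the time value is concatenated before the key,
    # and the hex digest is what gets truncated.
    digest = hashlib.md5((time_bucket(epoch) + tag_key).encode()).hexdigest()
    return digest[: tag_len - 1]

def candidate_tags(tag_key: str, start: int, end: int) -> list:
    """(bucket, tag) for every 1000-second bucket overlapping [start, end]."""
    first = start - start % 1000
    return [(time_bucket(t), dynamic_tag(tag_key, t))
            for t in range(first, end + 1, 1000)]

def hunt(lines, candidates) -> list:
    """Return (line_number, bucket) for each log line containing a candidate tag."""
    hits = []
    for n, line in enumerate(lines, 1):
        for bucket, tag in candidates:
            if tag in line:
                hits.append((n, bucket))
    return hits

# Constructed proxy-log lines; the second carries a tag from bucket 1262305.
SAMPLE_LOG = [
    "10.0.0.5 GET /search?q=weather",
    "10.0.0.7 GET /search?q=" + dynamic_tag(KEY, 1262305123),
    "10.0.0.5 GET /search?q=python",
]

if __name__ == "__main__":
    window = candidate_tags(KEY, 1262304000, 1262306500)
    for line_no, bucket in hunt(SAMPLE_LOG, window):
        print(f"line {line_no}: tag for window starting {bucket}000")
```

With 10-digit epoch values the tag rotates every 1000 seconds, so a one-day hunting window needs only about 87 candidate tags.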
A few months after I wrote twitbot, Jose Nazario from Arbor Networks discovered a botnet that was using Twitter as its command and control channel; the botnet would post base64-encoded URLs of executables and the bots would download and execute them. I was surprised that people haven't been doing this for longer.