Sunday, January 10, 2010

twitbot 0.1

Sometimes I end up in conversations with people that leave me with an undeniable urge to prove my point, generally only to myself. Last April I had a conversation along these lines that left me writing a piece of "malware" that communicated via Twitter and since by the time I'd finished the conversation was no longer relevant and so I just let it sit there. Later last year I wrote a paper about Web 2.0 and malware and so I dusted it off and decided to share it with you. Feel free to use the code for whatever, it's a nice basic example of programs passing information to each other via Twitter. Don't use it as is as the authentication/security model is plain bad and this would be perhaps the worst remote administration tool you could think of! searches twitter for interesting posts and if it finds one it will decrypt and execute it then sleep n seconds. takes a time offset (0 is fine) and a command line, it will encode these and post them to the configured twitter account.

Here's how it works:

Twitbot Main loop:
     Generate tag from tag key
     Search for Twitter posts containing tag
     For first matching post:
          Decrypt payload string with message key
          Execute payload string in shell

Twitcontrol Algorithm:
     Generate tag from tag key
     Encrypt message with message key
     Post message and tag to Twitter

Simple Tag Generation:
     MD5 hash the tag key
     Truncate hash to designated tag length – 1

Dynamic Tag Generation:
     Calculate seconds since 01/01/1970 0000 UTC
     Truncate value to 7 most significant digits
     MD5 hash value and tag key
     Truncate hash to designated tag length – 1

Message Encryption:
     MD5 hash message key to create cipher key
     Encrypt message with RC4 and cipher key

One of the nice things about twitbot is that you don't need to specify an account to post from. Instead a tag is generated (from a key) that is searched for using the twitter search API. This is helpful for the hypothetical bad guy because a single banned account won't ruin his day. The other use of tags is to time stamp the command posts to prevent duplicate execution. I use Mike Verdon’s Python Twitter Tools module which I found the best of the python modules I looked at.

A few months after I wrote twitbot Jose Nazario from Arbor Networks discovered a botnet that was using Twitter as its command and control channel, the botnet would post base64 encoded URLs of executables and the bots would download and execute them. I was surprised that people haven't been doing this for longer. 

No comments:

Post a Comment