Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

4/17/2009
05:08 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Botnets: Coming To A Social Network Near You

I've dealt with a lot of different types of bots. The communication channels among them have varied from unsophisticated IRC command and control (C&C) servers to advanced peer-to-peer (P2P) protocols. For botnet herders, the challenge is flying under the radar of network security professionals who are monitoring their networks and looking for anomalies. The infosec pros who know their networks inside and out are likely to pick up on strange protocols pretty quickly -- which is one of the reasons

I've dealt with a lot of different types of bots. The communication channels among them have varied from unsophisticated IRC command and control (C&C) servers to advanced peer-to-peer (P2P) protocols. For botnet herders, the challenge is flying under the radar of network security professionals who are monitoring their networks and looking for anomalies. The infosec pros who know their networks inside and out are likely to pick up on strange protocols pretty quickly -- which is one of the reasons HTTP bots have been so effective.Blocking HTTP is impractical for many organizations, opening up the opportunity for bots to reach out to their HTTP C&C servers. Zeus and Conficker are two examples of bots that have used HTTP. Malware researchers have published a list of known Zeus HTTP C&Cs, and that's where Conficker has upped the ante, making it much harder to track because it can check a huge list of domains generated daily and still communicate via P2P.

What about bots that use social networking sites? There have been a few discussions and examples of using Blogger in the past and, more recently, Twitter, but very few proof of concepts -- until this morning. Robin Wood, from digininja.org, posted an e-mail to the PaulDotCom mailing list about a Twitter-based bot, called TwitterBot, that he wrote in Ruby.

Robin's example is simple, but gives a glimpse of what could be done. In his example, you create an account that the bot follows. When you want the bot to do something, you post a "tweet" to the C&C Twitter account. The bot will then execute that command upon its next check-in. Very cool stuff. For more info, check out Robin's page.

Defense against bots using social networks is easy if you can simply block all social networks. But that might not be an option for companies that are increasingly using social networking to spread their marketing message. For example, it's not uncommon for the CEO of a tech company to blog, or for the marketing team to use Twitter to discuss new products.

Trying to defend against HTTP bots gets even trickier when you realize that social networking sites aren't the only public avenue to post commands. Consider sites, like Amazon, that let you post product reviews. It would very easy to post a seemingly innocuous comment about a product that turned out to have an embedded command in it.

Is it time to rethink letting your employees have Internet access? I know that seems drastic, but how many of your employees really and truly need Web access to do their jobs?

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.