Twitter-based Botnet Command Channel

by

Twitter-based Botnet Command Channel: “

UPDATED TO ADD STATS AND JAIKU PROFILE AND A TUMBLR PROFILE

While digging around I found a botnet that uses Twitter as its command and control structure. Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run. It’s an infostealer operation.

The account in question is under analysis by Twitter’s security team. I spotted it because a bot uses the RSS feed to get the status updates.

upd4t3 twitter profile.png

As for the original bot in question that fetches the updates, here’s the VirusTotal analysis, where you can see it’s detected by 19/41 (46.34%) AV tools under evaluation. We can look at the status messages and discover more nefarious activity; the bot’s hiding new malcode which is poorly detected this way. The original link from the malcode came from a ShadowServer nightly link report, which they make available to folks. Many thanks to them.

Let’s look at one of the update messages; it’s pretty clearly base64 encoded. What does it say?

$ echo 'aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw==' | openssl base64 -d
hxxp://bit.ly/R6STV hxxp://bit.ly/2KoHo

OK, a couple of links. One is dead (to a pastebin), one is live.

That second link yields a base64 encoded block of text. When we un-encode it using base64 we see a PKZIP archive (which we have dumped as ‘out.qqq’ since we don’t know what the extension would have been beforehand). We can then unpack this and see what we find:

$ unzip out.qqq
Archive: out.qqq
inflating: gbpm.dll
inflating: gbpm.exe
$ openssl md5 gbpm.*
MD5(gbpm.dll)= ceb8d7fd74da0a187cc39ced4550ddb4
MD5(gbpm.exe)= a5cc8140e783190efb69d38c2be4393f

gbpm.dll is UPX packed, so we can unpack this:

$ upx2 -d gbpm.dll.upx
Ultimate Packer for eXecutables
Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006
.
File size Ratio Format Name
-------------------- ------ ----------- -----------
263680 <- 103424 39.22% win32/pe gbpm.dll.upx
.
Unpacked 1 file.

This file looks like an infostealer. Here are some of the URLs it will send data to:

hxxp://64.79.197.110/friends/alert/new.php
hxxps://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim
hxxp://64.79.197.110/friends/post.php
hxxps://www2.bancobrasil.com.br/aapf/
hxxps://www2.bancobrasil.com.br/aapf/

gbpm.exe is packed with a different packer.

That DLL is very poorly detected, the EXE has a VTotal result of 9/41 (21.95%) and appears to be a Buzus sample according to one vendor.

The account is presently live but under review by Twitter, and is just one of what appear to be a handful of Twitter C&C accounts.

UPDATE 14 Aug 2009

Via bit.ly, some statistics that suggest the malcode has infected a couple hundred PCs, mostly in Brazil.

bitly twitter botnet geo.png

Now that it’s disabled, ‘upd4t3″ had a similar profile on Jaiku.com:

upd4t3 jaiku profile.png

Many thanks to the Jaiku team for reviewing and shutting this account down. Still looking for more services ‘upd4t3″ is abusing … looks like Tumblr has also been used by ‘upd4t3″:

upd4t3 tumblr profile.png

Still poking around various micro-blogging services. I wonder why he abandoned Tumblr. (There are more microblogging tools than I had anticipated …)

(Via Security to the Core | Arbor Networks Security.)

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: