Our colleagues in ESET Latin America have just blogged about an interesting botnet creation tool: the original blog is at http://blogs.eset-la.com/laboratorio/2010/05/14/botnet-a-traves-twitter/, by Jorge Mieres and Sebastián Bortnik, Security Analysts. (Mistakes in interpretation are, as usual, down to me!) In the last years we have seen many security incidents driven by botnets and exploiting the technologies
Our colleagues in ESET Latin America have just blogged about an interesting botnet creation tool: the original blog is at http://blogs.eset-la.com/laboratorio/2010/05/14/botnet-a-traves-twitter/, by Jorge Mieres and Sebastián Bortnik, Security Analysts. (Mistakes in interpretation are, as usual, down to me!)
In the last years we have seen many security incidents driven by botnets and exploiting the technologies currently most popular, in order to spread infection: social networks are an example we've often highlighted.
In the last few hours we have found an application that is currently in-the-wild. This application has been developed to automate the creation of botnets where communication between the botmaster and the zombie systems under his control is performed through Twitter, the best known microblogging network. (A zombie system is one that is controlled remotely through an agent that has been infectively installed on the system.) Here is an image of the builder program, detected by ESET NOD32 Antivirus as MSIL/Agent.NBW:
This is a very simple application designed to automate the creation of bot Trojans. The development of these programs pretend to be as intuitive as possible in a sort of "applications-for-dummies" way. In this case, it only requires the creation of a Twitter profile for use for launching commands to the infected computer.
To build the malware, the attacker needs only to type in the username that will send instructions to the zombie computers. The trojan generated through this builder is malicious code that, by infecting a system, will receive commands launched via social networking. In other words, the attacker can control infected computers via the content type in his Twitter profile.
The bot created has a basic command set that allows the botmaster to interact with infected computers. For example:
- The command DDOS * IP * PORT performs a Distributed Denial of Service Attack (DDoS)
- With DOWNLOAD * LINK / MALWARE.EXE can download other malicious code
- The command REMOVEALL automatically deletes information relating to the bot from the infected system
In order to illustrate this process better, we have developed an educational video where you can watch the entire process, from the creation of the malware by the attacker, to the infection of the system and finally, the execution of a Distributed Denial of Service Attack through the zombies that comprise the botnet. The video gives step-by-step explanations as the attack proceeds: video: http://www.youtube.com/watch?v=EoATrwF4DdM
It is worth mentioning that all users of ESET products are protected, since the malware is proactively detected through our ThreatSense engine.
David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Also blogging at: