Professional Documents
Culture Documents
Social Networking For Botnet Command and
Social Networking For Botnet Command and
Social Networking For Botnet Command and
Abstract — A botnet is a group of compromised covert channel for the botnet, that cannot be easily
computers—often a large group—under the command detected or shut down. We have more to say about these
and control of a malicious botmaster. Botnets can be used issues in the next section.
for a wide variety of malicious attacks, including At least since 2009, there have been reports of botnets
spamming, distributed denial of service, and identity theft. using Twitter and other social media for command and
Botnets are generally recognized as a serious threat on the control. For example, the botnet discussed in [15]
Internet. This paper discusses SocialNetworkingBot, a apparently uses Twitter status messages to instruct bots to
botnet we have developed that uses Twitter for command download executable files. This particular bot is
and control. In SocialNetworkingBot, the botmaster reportedly focused on stealing information.
tweets commands that are acted on by the individual bots. Another Twitter botnet is discussed in [11]. This
We discuss the functionality and implementation of particular botnet may have been very short lived—it went
SocialNetworkingBot, as well as a small-scale down the same day that it was detected. This botnet was
experiment that we have conducted. The botnet presented supposedly part of a larger group of botnets of Mexican
here is intended to serve as a proof of concept and a origin that were collectively used for a variety of illicit
platform to facilitate further research. activities, including spamming, phishing, and DDoS
attacks.
Index Terms — Botnet, Twitter, malware Yet another botnet that used Twitter is discussed in
[12]. This botnet was designed to attack an electronic
currency known as Bitcoin.
I. INTRODUCTION In addition to the specific Twitter-based botnets
mentioned above, there has recently been some general
A botnet is a collection of compromised computers
discussion about the increased activity of social media-
controlled by a botmaster. The compromised computers,
based botnets [17]. However, we can find no example of
or bots, can be used for attacks such as distributed denial
an existing Twitter-based botnet that is well documented
of service (DDoS), click fraud, identity theft, and
or readily available for analysis. Our goal here is to
spamming. Most botnets have a command and control
develop a Twitter-based botnet that clearly demonstrates
server that the botmaster uses to issue commands to the
individual bots [1]. Although it is difficult to determine the potential for such a botnet. This work provides
the size of a botnet, some have been estimated to have researchers with a tangible example that can be used to
millions of active bots [14]. study possible attacks by such botnets, as well as a tool
for testing defensive strategies against this relatively new
In this paper, we discuss a botnet that we have
malware threat.
developed. This botnet, which we refer to as
This paper is organized as follows. In Section II we
SocialNetworkingBot, uses Twitter for its command and
cover background information on botnets and other
control structure. SocialNetworkingBot is intended to
relevant topics, including covert channels and selected
demonstrate the potential for such a botnet, and to serve
communication protocols. Section III provides details
as a vehicle for further research on defenses against social
about our SocialNetworkingBot application, with
media-based botnets.
emphasis on its Twitter-based command and control
From the attacker’s point of view, there are several
structure. Then in Section IV, we discuss various attacks
potential benefits to using Twitter (or other social media)
that can be performed using our botnet. In Section V we
for botnet command and control. Unlike most traditional
mention some small-scale experimental results. Finally,
botnet architectures, in a Twitter-based botnet, there is no
Section VI contains our conclusions and suggestions for
need for the botmaster to install or access a server. In
future work.
addition, a Twitter-based botnet is very simple to create
and easy to maintain. But, the most obvious advantage to
using Twitter is that it is difficult to distinguish legitimate
activity from botnet-related activity. In effect, the botnet II. BACKGROUND
command and control messages can “hide in plain sight.” In this section we provide relevant background
Alternatively, we can view Twitter as acting as a type of information, with the emphasis on botnet command and
Copyright © 2013 MECS I.J. Computer Network and Information Security, 2013, 6, 11-17
12 Social Networking for Botnet Command and Control
Copyright © 2013 MECS I.J. Computer Network and Information Security, 2013, 6, 11-17
Social Networking for Botnet Command and Control 13
Copyright © 2013 MECS I.J. Computer Network and Information Security, 2013, 6, 11-17
14 Social Networking for Botnet Command and Control
to our web application within the botmaster application. Note that anyone who has access to the botmaster
Twitter account can act as botmaster. Consequently, there
could be multiple botmasters acting at various times.
C. Keywords
Each bot has a set of specified keywords that are used
to determine what, if any, action should be taken in
response to a given botmaster tweet. In our proof of
concept application, there are about 300 keywords. To
issue a command, the botmaster prepends the “#” symbol
to the current daily keyword so that it is in the form of a
hashtag. The botmaster appends the actual attack
command to the daily hashtag. A small sample of
keywords appears in Table 1.
Copyright © 2013 MECS I.J. Computer Network and Information Security, 2013, 6, 11-17
Social Networking for Botnet Command and Control 15
A. Overview of Attacks
SocialNetworkingBot includes all of the attacks listed
in Table 2. However, some of these “attacks” are used
only for communication purposes. For example, Fetch
User Information gets specific information relevant to the
botmaster's control of a bot.
Copyright © 2013 MECS I.J. Computer Network and Information Security, 2013, 6, 11-17
16 Social Networking for Botnet Command and Control
V. EXPERIMENTS
In this section, we briefly discuss some small-scale
tests performed with our SocialNetworkingBot Figure 8: Bots in Action.
application. These experiments were designed to provide
a proof of concept while testing the various features of For our experiments, the botmaster posted thousands
the botnet. of tweets, of which a few hundred required action by the
All of our tests were conducted using a network bots. All tweets were handled correctly by the bots, and
consisting of six bots and a botmaster. These seven the resulting activity was not detected by anti-virus
systems resided on two physical machines with an software on the hosts. In addition, Twitter did not detect
additional ve virtual machines installed. The two physical or prevent any of these activities.
systems had Windows XP and Ubuntu 12.04 (64 bit)
Debian Kernel 3.2.0+ installed. The virtual machines
included three Windows XP, one Windows 7, and one VI. CONCLUSIONS AND FUTURE WORK
Ubuntu 11.10 (64 bit) system. For virtualization, both
VMWare Player and Oracle Virtual Box were used. This In this paper we discussed SocialNetworkingBot, a
experimental setup is summarized in Table 3. proof of concept botnet that uses Twitter for command
and control of individual bots. A variety of attacks were
Table 3: Experimental Setup. implemented, including fetching information from a
user's system and denial of service attacks.
Role Operating System
The work presented here illustrates the potential for
Botmaster Windows XP social media-based botnets and highlights the difficulties
Bot 1 Ubuntu 12.04 associated with detecting such activity. Our work is
Bot 2 Windows 7 intended to serve as a tool for further research into this
challenging, and relatively new, malware problem. For
Bot 3 Windows XP example, our implementation could be used to test
Bot 4 Windows XP various detection strategies, such as those discussed in
Bot 5 Windows XP [10].
Bot 6 Ubuntu 12.04
REFERENCES
Fig. 7 shows the botmaster posting commands in the
form of tweets to its Twitter account. In this case, the [1] B. Lokesh, Covert Botnet implementation and
command instructs the bots to browse a specific webpage. defense against covert botnets, Utah State University,
Fig. 8 shows a victim's system running the bot code. 2009.
[2] P. Barford and V. Yegneswaran, An inside look at
botnets, Special Workshop on Malware Detection,
Advances in Information Security, Springer 2006
http://pages.cs.wisc.edu/~pb/botnets_final.pdf
Copyright © 2013 MECS I.J. Computer Network and Information Security, 2013, 6, 11-17
Social Networking for Botnet Command and Control 17
[3] D. Dittrich and S. Dittrich, P2P as botnet command [18] B. Schneier, Nugache and Storm
and control: A deeper insight, International http://www.schneier.com/blog/archives/2007/12/the_
Conference on Malicious and Unwanted Software, nugache_wor.html
2008 [19] M. Stamp, Information Security: Principles and
http://staff.washington.edu/dittrich/misc/malware08- Practice, 2nd edition, Wiley, May 2011
dd-final.pdf [20] Twitter Fan Wiki, Bots
[4] S. Gaudin, Storm worm erupts into worst virus attack http://twitter.pbworks.com/w/page/1779741/Bots/
in 2 years, Information Week, July 24, 2007 [21] P. Wang, S. Sparks, and C. Zou, An advanced
http://www.informationweek.com/news/201200849 hybrid peer-to-peer botnet, IEEE Transactions on
[5] J. Grizzard, et al, Peer-to-peer botnets: Overview and Dependable and Secure Computing, 7(2), 113-127,
case study, In Proceedings of Hot Topics in April-June 2010
Understanding Botnets (HotBots'07), 2007
http://static.usenix.org/event/hotbots07/tech/full_pap
ers/grizzard/grizzard.pdf
[6] G. Gu, J. Zhang, and W. Lee, BotSniffer: Detecting Ashutosh Singh received his MS degree in Computer
botnet command and control channels in network Science from San Jose State University in May 2012.
traffic, In Proceedings of the 15th Annual Network Currently, he works for Oracle in the NAS Protocol
and Distributed System Security Symposium Development team. Ashutosh’s interests include file
(NDSS'08), San Diego, California systems, storage virtualization, cryptography, and
[7] T. Holz, S. Marechal, and F. Raynal, New threats information security.
and attacks on the world wide web, IEEE Security &
Privacy, 4 (2), pp. 72-75, March/April 2006 Annie H. Toderici recently received her Master’s degree
[8] Java API in Computer Science from San Jose State University. She
http://www.oracle.com/technetwork/java/javamail/ja is currently working as a consultant at TCS. Annie’s
vamail143-243221.html interests include information security, web development,
[9] C. Kalt, Internet Relay Chat: Client Protocol, RFC and mobile phone development.
2812, 2000
[10] E. Kartaltepe, et al, Social-network based botnet Kevin Ross is currently a Master’s student in Computer
command-and-control: Emerging threats and Science at San Jose State University. Kevin also works as
countermeasures, Applied Cryptography and a System Administrator for the university.
Network Security 8th International Conference
(ACNS 2010), J. Zhou and M. Yung (editors), LNCS Mark Stamp is Professor of Computer Science at San
6123, pp. 511-528 Jose State University. His research interests include
[11] J. Leyden, Mexican Twitter-controlled botnet malware, cryptography, other aspects of information
unpicked, The Register, September 15, 2010 security, and applications of machine learning. Professor
http://www.theregister.co.uk/2010/09/15/mexican_t Stamp has authored (or co-authored) more than 80
witter_botnet/ research papers and 2 textbooks.
[12] J. Leyden, Twitter-control botnet mines Bitcoins,
The Register, August 3, 2011
http://www.theregister.co.uk/2011/08/03/twitter_cont
rolled_bitcoin_botnet/
[13] L. Liu, et al, Botnet: classi cation, attacks, detection,
tracing, and preventive measures, EURASIP Journal
on Wireless Communications and Networking,
Volume 2009, Article ID 692654
[14] E. Messmer, America's 10 most wanted botnets,
Network World, July 22, 2009
http://www.networkworld.com/news/2009/072209-
botnets.html
[15] J. Nazario, Twitter-based botnet command channel,
The Arbor Networks Security Blog, August 13, 2009
http://ddos.arbornetworks.com/2009/08/twitter-
based-botnet-command-channel/
[16] P. Porras, H. Saidi, and V. Yegneswaran, A multi-
perspective analysis of the Storm (Peacomm) worm,
CSL Technical Note, Computer Science Laboratory,
SRI International, October 2007
[17] P. Roberts, Sophisticated attackers now using social
net for command and control, ThreatPost, January 27,
2011
Copyright © 2013 MECS I.J. Computer Network and Information Security, 2013, 6, 11-17