KreiosC2: Use Twitter as a Command and Control channel

by Black on September 6, 2009

in Open Source, Security tools

We had previously blogged about TweetMyPC here. TweetMyPC is easier to detect and remove on the Twitter network. It is also open source, so it can be modified to your own liking. I personally found a few holes in the TweetMyPC bot: anyone could find things like screenshots simply by searching Twitter for 192.168, 172.16, etc. But now things change with KreiosC2.

KreiosC2 is a command and control bot which uses Twitter as its control channel. What is cool is that it aims to stay undetected by the ‘Twitter eye’. This means that your command and control (C2) channel remains unnoticeable to Twitter’s operators, so they cannot easily shut you down even if they want to. This ‘Proof of Concept’ bot was released at Defcon 17. It is written in Ruby and is available as an open source package.

The way this bot works is simple: create accounts for yourself and the bot on Twitter, and have the bot follow your channel. That is all! Whenever you want the bot to do something for you, just tweet commands to your channel, such as ping an IP. Another cool thing about this bot is that its C2 language is English, so innocent-looking tweets like ‘look at 222.221.220.150’ will seem legitimate to Twitter and might be passed on.

Though the communication language is plain English, the bot ships with four language types for your convenience: default, English, encoded and encrypted. The default language was used in version 1; its commands are identified by messages starting with :cmd followed by the command. The second type, English, is where commands are written using English phrases. These messages also carry an appended checksum so that they can be told apart from normal, real messages; the checksum is made up of the last 10 bytes of an MD5 of the message. The encoded language has commands that are Base64 encoded to add a level of obfuscation to the tweet. The encrypted language combines bits from the other three: the command format from default, the checksum from English and the Base64 encoding from encoded. The tweet is built from the command followed by the first 10 characters of a SHA1 of the message; this is then encrypted using AES and finally Base64 encoded so it can be tweeted as an ASCII message.
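As an added example (not part of the original post and not code from the KreiosC2 project), the following Ruby sketch shows how a defender could flag tweets that match the message framings described above: the :cmd prefix of the default language, an English-language message carrying the trailing MD5-derived checksum, and a bare Base64 body as produced by the encoded and encrypted languages. The exact framing (a single whitespace gap before a 10-hex-character checksum, hex digits rather than raw bytes), the length floor for Base64 bodies and the sample timeline are assumptions constructed for this example; without the AES key the encrypted language can only be recognised structurally.

```ruby
require 'digest'
require 'base64'

# Added example: heuristics that flag tweets shaped like the KreiosC2 message
# formats described in the post. Framing details (whitespace before the
# checksum, hex digits rather than raw bytes) are assumptions, not the
# project's own code.
module KreiosDetect
  # Default language: messages start with ":cmd" followed by the command.
  CMD_PREFIX = /\A:cmd\b/

  # English language: a body followed by a 10-hex-character token equal to the
  # last 10 hex characters of MD5(body). The separator is assumed to be whitespace.
  def self.english_checksum?(tweet)
    m = tweet.match(/\A(.*\S)\s+([0-9a-f]{10})\z/i)
    return false unless m
    body, sum = m[1], m[2].downcase
    Digest::MD5.hexdigest(body)[-10..-1] == sum
  end

  # Encoded/encrypted language: the whole tweet is a bare Base64 string.
  # Without the AES key the encrypted form can only be spotted structurally,
  # so a length floor keeps short ordinary words from matching.
  def self.base64_payload?(tweet)
    tweet.length >= 16 &&
      (tweet.length % 4).zero? &&
      tweet.match?(/\A[A-Za-z0-9+\/]+={0,2}\z/)
  end

  # Returns a symbol naming the matched format, or nil for an ordinary tweet.
  def self.classify(tweet)
    return :default_cmd if tweet.match?(CMD_PREFIX)
    return :english_checksum if english_checksum?(tweet)
    return :encoded_or_encrypted if base64_payload?(tweet)
    nil
  end

  # Returns [tweet, format] pairs for every tweet that matched a format.
  def self.scan(tweets)
    tweets.map { |t| [t, classify(t)] }.reject { |_, kind| kind.nil? }
  end

  # Constructed sample timeline (not real tweets); the addresses are from the
  # RFC 5737 documentation range. The second entry is built to carry the
  # trailing checksum the post describes so the detector has something to hit.
  ENGLISH_BODY = 'look at 192.0.2.7'
  SAMPLE_TWEETS = [
    ':cmd ping 192.0.2.1',
    "#{ENGLISH_BODY} #{Digest::MD5.hexdigest(ENGLISH_BODY)[-10..-1]}",
    Base64.strict_encode64('ping 192.0.2.9'),
    'look at the sunset tonight',
    'build id 0123456789'
  ].freeze
end

if __FILE__ == $PROGRAM_NAME
  KreiosDetect.scan(KreiosDetect::SAMPLE_TWEETS).each do |tweet, kind|
    puts "#{kind}: #{tweet}"
  end
end
```

The checksum test is the most useful of the three because it is exact: an ordinary tweet that happens to end in ten hex characters will not verify against MD5 of the rest of the message, whereas the :cmd prefix and the Base64 shape are only structural hints and will need tuning against real timeline noise.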

The commander can send these commands:

  • exec: Execute the given command
  • get: Download the specified file
  • language: Download and use a new language file
  • ping: Ping the specified IP address (not a domain name)

In addition to Ruby, you will need the following Gems installed:

  • crack (0.1.1)
  • echoe (3.1.1)
  • highline (1.5.0)
  • hoe (1.12.1)
  • hpricot (0.8.1)
  • http_configuration (1.0.2)
  • httparty (0.4.2)
  • nokogiri (1.2.3)
  • rake (0.8.4)
  • rcov (0.8.1.2.0)
  • rubyforge (1.0.3)
  • rubyzip (0.9.1)

You can view a video of this bot in action here, download the source code here and check out its home page here.
