
How Cybercriminals Can Abuse Chat Platform APIs as C&C Infrastructures [pdf] - lainon
https://documents.trendmicro.com/assets/wp/wp-how-cybercriminals-can-abuse-chat-platform-apis-as-cnc-infrastructures.pdf
======
Klathmon
I have to admit, I've had a lot of fun in the past thinking of creative ways
to control botnets. It's a fun thought exercise in developing in an area where
everything is adversarial to your goal. And the amount of information you
really need to transfer is so trivially small that you can get some really
creative "solutions".

My favorite idea so far is to look for the existence of a specific username
across several services for commands. Only the usernames are (in part)
generated via a TOTP-style rolling code. So to see if something should
activate, it will look for the existence of a username of "imnotabot349556" on
Reddit, HN, and Twitter. If it sees any of them, it can read a small command
from any number of places on those sites where the user can post some kind of
comment/profile/text.

This is super easy to control securely (could be done from anywhere, using any
machine, over Tor or other networks), is hard to shut down (the rolling codes
mean they would need to either have access to the "secret" and ban all future
codes, or just ban "imnotabot*", which wouldn't be sustainable if multiple
botnets started using this method, not to mention you could just switch to a
hash of everything as the username), and is fairly foolproof (no reliance on
any one network or channel). And with some forethought, an update mechanism
can be built into it as well, so when someone gets close to your scheme, you
could have all your bots update at a moment's notice to a new one.

At the end of the day, trying to stop a C&C server of a botnet is a futile
exercise. Once the botnet is out there, there's no stopping it by shutting
down a C&C server. There are just SO many ways to pass information, and when
the information is on the size of hundreds of bytes in some cases, there's
just no hope.

~~~
fragmede
_> trying to stop a C&C server of a botnet is a futile exercise._

Laptop users who want broad Internet access (and will complain loudly if
reddit/HN/Twitter is "down") aren't the same thing as the app server that only
talks to a short whitelisted set of RFC1918 IPs, on specific ports only, and
doesn't have Internet access - not even DNS. (WannaCry _demonstrated_ why
not.)

Reddit and the like need to accept they are hosting botnet C&C servers due to
hosting loads of user-generated content (I'd do an invite-only subreddit with
a tracking pixel in the CSS), but that doesn't make it pointless for the rest
of us to do something where possible.
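The kind of egress policy fragmede describes (an app server allowed to reach only a short allowlist of RFC1918 addresses on specific ports, with no Internet and no DNS) can be written down and audited. The following is an added example, not code from the thread or from the paper: it encodes such a policy and runs it over constructed connection records, so an attempt to reach a public endpoint such as a chat API, or to resolve a name at all, is flagged. The record format, the server address 10.20.2.10 and the allowlisted tiers are assumptions.

```python
"""Egress allowlist audit for a locked-down app server (added example).

The server may talk only to a few RFC1918 destinations on fixed ports and
must never do DNS. Anything else is denied by default, which is what turns
an outbound connection to a chat API into a visible policy violation.
Record format and addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Policy: (destination network, port) pairs the app server may reach.
# Every entry is RFC1918; there is deliberately no public destination.
ALLOWED_EGRESS = [
    (ipaddress.ip_network("10.20.0.0/24"), 5432),  # database tier (assumed)
    (ipaddress.ip_network("10.20.1.0/24"), 6379),  # cache tier (assumed)
    (ipaddress.ip_network("10.0.0.5/32"), 8443),   # internal metrics collector (assumed)
]

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Connection:
    src: str
    dst: str
    dport: int
    proto: str


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def evaluate(conn: Connection) -> str:
    """Return 'allow' or a short denial reason for one outbound connection."""
    if conn.dport == 53:
        # The server is not supposed to resolve names at all, so a DNS
        # query is a signal in itself, whatever the destination.
        return "deny: DNS not permitted"
    if not is_rfc1918(conn.dst):
        return "deny: non-RFC1918 destination"
    dst = ipaddress.ip_address(conn.dst)
    for net, port in ALLOWED_EGRESS:
        if dst in net and conn.dport == port:
            return "allow"
    return "deny: not in allowlist"


def parse_record(line: str) -> Connection:
    """Parse a constructed 'src dst dport proto' record."""
    src, dst, dport, proto = line.split()
    return Connection(src, dst, int(dport), proto)


def audit(lines):
    """Return (record, verdict) for every connection the policy denies."""
    findings = []
    for line in lines:
        verdict = evaluate(parse_record(line))
        if verdict != "allow":
            findings.append((line, verdict))
    return findings


# Constructed sample records from the app server 10.20.2.10.
SAMPLE_LOG = [
    "10.20.2.10 10.20.0.17 5432 tcp",    # database: allowed
    "10.20.2.10 10.20.1.4 6379 tcp",     # cache: allowed
    "10.20.2.10 10.0.0.5 8443 tcp",      # metrics: allowed
    "10.20.2.10 10.20.0.17 22 tcp",      # SSH to the DB host: not in allowlist
    "10.20.2.10 10.20.3.53 53 udp",      # DNS query: never permitted
    "10.20.2.10 203.0.113.40 443 tcp",   # public HTTPS, e.g. a chat API: denied
]

if __name__ == "__main__":
    for record, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:32} {record}")
```

The same policy table can be fed to whatever enforces egress on the host or network; the point of the audit is that the allowlist is short enough to review, and that every denial, not just the public one, deserves a look.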

~~~
__sha3d2
> (I'd do an invite-only subreddit with a tracking pixel in the CSS)

So that you could nuke it if a not-you IP accessed the subreddit? That's nice
and could be very easily automated.

~~~
lawl
Except it doesn't work because Reddit sanitizes its CSS and doesn't allow
url() to external hosts. You need to upload the images you want to reference
in the CSS to Reddit.

------
lawl
61 pages to conclude, yes you can indeed pass messages via chat APIs,
shocking.

Also stupid if you actually do that since the chat API provider can simply cut
you off and you don't have a C2 anymore and lost access to all the systems you
infected.

~~~
theEXTORTCIST
I don't think it's "stupid" to C2 via chat API. It would be "stupid" to have
no fallback mechanisms

~~~
londons_explore
Chat APIs are good because the traffic to "facebook.com" probably won't be
detected as malicious by most firewalls.

Your fallback should be a peer2peer network in DHT style, scanning the entire
IP address space on a well known port to find nodes to connect to.

When a node is found, addresses of other nodes are requested, and a cache of a
few thousand infected nodes kept to use as seeds for future connections.

Imagine you have 1 million infected machines, then most new nodes will find
and connect to the network within 4000 packets sent across the network. For
good measure, build in a list of a few thousand addresses into the malware as
bootstrap nodes.

------
DarronWyke
Yes, this is something well known. Chat platforms have long been used as
botnet infrastructures. IRC is/was a big one for a long time because it's very
lightweight and the protocol is well known (with a little know-how you can do
IRC entirely over telnet). The only reason it's been ditched is because it's
so heavily centralized -- lose the C&C server and you lose control, unless
you have a way to push updates. That's why fast-flux DNS became popular.

In other news, water is wet, the sky is blue, etc. etc.

~~~
peterwwillis
Agreed, but they created this paper because they actually found malware using
Discord and Telegram. Apparently it can have alternative uses, such as being a
direct interface to ransomware victims ("join this Slack channel to send me
your bitcoin")

~~~
SomeStupidPoint
You know they're getting crafty when you can lend them your account for 72
hours to unlock your PC.

Legitimate History as a Service?

------
jpfed
Leave Britney alone! Or at least her Instagram account.
[https://arstechnica.com/security/2017/06/russian-hackers-tur...](https://arstechnica.com/security/2017/06/russian-hackers-turn-to-britney-spears-for-help-concealing-espionage-malware/)

------
alpos
They spent a year and a half on this fairly obvious thing only to conclude
nothing new here and offer no useful advice beyond common best practices.

Are they going to waste the next year on how Twitter, Facebook, etc. can be
used by criminals?

------
jstanley
I think a Tor hidden service would probably be a really good way to run C&C
infrastructure. I'm surprised it doesn't get used more often. Or maybe it
does?

~~~
jowsie
I've always wanted to know what happened with the creator of this botnet.
[https://blog.rapid7.com/2012/12/06/skynet-a-tor-powered-botn...](https://blog.rapid7.com/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit/)

~~~
goatsi
Arrested by the German police: [https://thehackernews.com/2013/12/alleged-skynet-botnet-crea...](https://thehackernews.com/2013/12/alleged-skynet-botnet-creator-arrested.html)
