Back in 2006, I saw an article on SecurityFocus that briefly discussed how botnets were becoming more difficult to track because botnet operators had been switching from IRC to HTTP as their means of communicating with their bots (article link). When a botnet operator uses IRC, blocking the communication channel is easier for a network administrator because the traffic is easier to find. A net admin can set up the firewall to allow outbound communication from a given network only on specified ports, such as 80/443 for HTTP/HTTPS, 993/465 for IMAP/SMTP, etc. However, once botnets use HTTP as their method of communication, tracking a botnet zombie talking to its command-and-control host from within a given network becomes much more difficult, because the traffic is disguised as regular web browsing. Still, there are some cat-and-mouse games a net admin can play: block HTTP traffic to/from certain websites, use HTTP filters to detect and block botnet traffic, etc. But what happens when the botnet operator is able to issue commands to the zombies through a social networking site that your company needs to reach over HTTP or HTTPS?
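One of the "HTTP filter" style checks a net admin can still run against traffic to a permitted site is looking for timer-driven polling: a zombie that fetches the same status page at a fixed interval behaves very differently from a person browsing the same site. The following is an added example, not code from the original post or from Kreios C2; it assumes a simplified proxy log format of `<epoch> <client_ip> <host> <path>`, and the log lines, host names and addresses in it are constructed for illustration.

```python
"""Flag regular HTTP beaconing to a host in proxy logs.

Added example for this post (not the author's code). Assumes a
simplified proxy log line format: "<epoch> <client_ip> <host> <path>".
All log lines, hosts and addresses below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 polls a social-network page every 60 s
# with identical requests, while 10.0.0.7 browses the same site normally.
SAMPLE_LOG = """\
1700000000 10.0.0.5 social.example /profile/status
1700000060 10.0.0.5 social.example /profile/status
1700000120 10.0.0.5 social.example /profile/status
1700000180 10.0.0.5 social.example /profile/status
1700000240 10.0.0.5 social.example /profile/status
1700000300 10.0.0.5 social.example /profile/status
1700000010 10.0.0.7 social.example /home
1700000045 10.0.0.7 social.example /messages
1700000310 10.0.0.7 social.example /photos/123
1700000900 10.0.0.7 social.example /home
1700001700 10.0.0.7 social.example /profile/status
1700000020 10.0.0.7 news.example /
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, host, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = line.split(maxsplit=3)
        events.append((int(ts), client, host, path))
    return events


def beacon_candidates(events, min_requests=5, max_jitter=0.2):
    """Return (client, host, mean_gap, jitter) for suspiciously regular pairs.

    Jitter is the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests from one client to one host. A human
    browsing session produces a high value; a timer-driven poller a very
    low one. Pairs with fewer than min_requests requests are skipped.
    """
    by_pair = defaultdict(list)
    for ts, client, host, _path in events:
        by_pair[(client, host)].append(ts)

    hits = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append((client, host, round(avg, 1), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for client, host, period, jitter in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {host}: every ~{period}s (jitter {jitter})")
```

Run on the constructed sample, only the 10.0.0.5 -> social.example pair is flagged; the normal browsing session to the same host is not. Legitimate software also polls on timers (mail clients, update checkers, chat web apps), so a hit is a lead for the net admin to look at the request paths and client, not a block decision on its own; the thresholds are assumptions to tune against your own proxy logs.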
Robin Wood, aka DigiNinja, gave a talk at ShmooCon 2010 about botnet zombies communicating over social networks. With his proof-of-concept project, Kreios C2, Robin shows how a botnet operator could use social networking sites, such as LinkedIn, as a means of controlling a botnet. On a recent episode of Hak5, Robin Wood and Darren Kitchen discuss how a botnet operator can issue commands via Twitter, LinkedIn, or even TinyURL.
Here is the video from Hak5.
Here is a link to a demo video from Robin Wood’s website.