Twitter-based Botnet Command Channel
by Jose NazarioUPDATED TO ADD STATS AND JAIKU PROFILE AND A TUMBLR PROFILE
While digging around I found a botnet that uses Twitter as its command and control structure. Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run. It’s an infostealer operation.
The account in question is under analysis by Twitter’s security team. I spotted it because a bot uses the RSS feed to get the status updates.
As for the original bot in question that fetches the updates, here’s the VirusTotal analysis, where you can see it’s detected by 19/41 (46.34%) AV tools under evaluation. We can look at the status messages and discover more nefarious activity; the bot’s hiding new malcode which is poorly detected this way. The original link from the malcode came from a ShadowServer nightly link report, which they make available to folks. Many thanks to them.
Let’s look at one of the update messages; it’s pretty clearly base64 encoded. What does it say?
$ echo "aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw==" | openssl base64 -d
hxxp://bit.ly/R6STV hxxp://bit.ly/2KoHo
OK, a couple of links. One is dead (to a pastebin), one is live.
That second link yields a base64 encoded block of text. When we un-encode it using base64 we see a PKZIP archive (which we have dumped as “out.qqq” since we don’t know what the extension would have been beforehand). We can then unpack this and see what we find:
$ unzip out.qqq
Archive: out.qqq
inflating: gbpm.dll
inflating: gbpm.exe
$ openssl md5 gbpm.*
MD5(gbpm.dll)= ceb8d7fd74da0a187cc39ced4550ddb4
MD5(gbpm.exe)= a5cc8140e783190efb69d38c2be4393f
gbpm.dll is UPX packed, so we can unpack this:
$ upx2 -d gbpm.dll.upx
Ultimate Packer for eXecutables
Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006
.
File size Ratio Format Name
-------------------- ------ ----------- -----------
263680 <- 103424 39.22% win32/pe gbpm.dll.upx
.
Unpacked 1 file.
This file looks like an infostealer. Here are some of the URLs it will send data to:
hxxp://64.79.197.110/friends/alert/new.php hxxps://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim hxxp://64.79.197.110/friends/post.php hxxps://www2.bancobrasil.com.br/aapf/ hxxps://www2.bancobrasil.com.br/aapf/
gbpm.exe is packed with a different packer.
That DLL is very poorly detected, the EXE has a VTotal result of 9/41 (21.95%) and appears to be a Buzus sample according to one vendor.
The account is presently live but under review by Twitter, and is just one of what appear to be a handful of Twitter C&C accounts.
UPDATE 14 Aug 2009
Via bit.ly, some statistics that suggest the malcode has infected a couple hundred PCs, mostly in Brazil.
Now that it’s disabled, “upd4t3″ had a similar profile on Jaiku.com:
Many thanks to the Jaiku team for reviewing and shutting this account down. Still looking for more services “upd4t3″ is abusing … looks like Tumblr has also been used by “upd4t3″:
Still poking around various micro-blogging services. I wonder why he abandoned Tumblr. (There are more microblogging tools than I had anticipated …)
Nice post Jose!
the URL hxxps://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim is from a Brazilian bank login page. This may be a banker and oh, surprise, may have Brazilian hackers involved :)