How to Build a Botnet


Sound the alarms – bots are taking over.

A report from December 2013 found that 61.5% of website traffic was generated by bots [1]. Social media in particular has emerged as a hotbed of automation, with a striking share of accounts run by software. A recent report from Twitter stated that nearly 8% of its users interact with the network in an automated, bot-like fashion [2]; in Twitter’s SEC filing, that figure was updated to about 11% [3]. It is a common misconception, however, that automation on social networks is harmful to end users. Many bots are built for legitimate purposes, such as weather updates, sports scores, retweet bots and chatroom policing [4]. Because automation is useful and the networks expose open APIs, bots thrive on social networks. There is, of course, a dark side to automation.

Anatomy of a Social Botnet

Social networks were among the first organizations to build open APIs into their business model. Public access to those APIs is important for the best and most personalized user experience; however, cyber criminals exploit the same programmatic access to reach hundreds of millions of users [5]. These malicious actors build legions of interconnected bots, known as botnets, that can spread malware [7], collect intelligence on high-profile accounts for counterintelligence purposes, or spread influence on behalf of terrorist organizations [8].

Not only do these cyber criminals leverage social networks for their own malicious ends, they can do so from a single computer. Traditionally, a criminal had to infect each computer independently in order to build out a botnet [9]. A social media bot is not an infected computer but a social media account, which is far simpler to create and control. Herders also do not have to worry about maintaining a foothold on the target, because they “own” the account outright, whereas a traditional bot infection depends on an infection vector that can be patched or cleaned up. Given that social networks acquire thousands of new users daily, it can be very difficult for both the networks and their users to tell benign bots from malicious ones; it’s tough to tell the grass from the weeds.

For the hacker managing the botnet, or “herder”, obtaining enough accounts to build an army can be tricky. Social networks do a good job of limiting mass registration by IP address, request frequency and authentication requirements, and creating fake accounts violates their terms of service [10][11], so some effort must go into evading these controls. One work-around is to buy large batches of packaged accounts from any of a number of websites. Herders can also automate account creation with web scraping software [13] combined with an anonymizing network such as Tor to vary the source IP address [14]. Once the accounts exist, herders set up an infrastructure to control them.

Users buy and sell accounts online.

Social botnets fall into two categories. The first is an ad hoc, web-scraping approach. Herders load large numbers of username and password pairs into a “warez” application that parses HTML from the social network and submits requests as though each account were logged in through a real browser. The benefit of this approach is non-attribution: every post appears to come from the default web client. The downside is that social networks change their page layouts, CSS and source code frequently. If a change breaks a core part of the scraper, its users are out of luck until a new release ships.

Bot herder interface.

The second approach is built on the social network’s application platform. Well-known social networks only allow programmatic access to accounts via registered applications, much as an app on a smart phone must be authorized before it is installed. For most of the large networks, creating an app requires nothing more than an app name, an e-mail address and a domain name. A herder registers an app with a phony purpose and begins recruiting. Each bot authorizes the app to act on its behalf, and the resulting access credentials are stored. When the herder wants to issue a request, the app presents those credentials to say, in effect, “I am authorized to post this content for this user,” and the network processes the request. The benefit of this approach is that APIs rarely change; when they do, there is a long adoption period and old versions are deprecated very slowly. The downside is that the network has far more visibility into how its API is being used and has strong mechanisms in place to measure abuse and ban the offending accounts and applications.

Each application can be thought of as a bot “head” that controls hundreds to thousands of bots beneath it. The herder issues a command to the head, and the head picks a targeted or random profile to carry it out. Herders scale by registering many applications, each with its own bot head, until their empire reaches hundreds of thousands of automated profiles. The heads are controlled through conventional command-and-control infrastructure, which ranges from chatrooms to websites to the social networks themselves. Typical commands include following users, shortening attack URLs, and spamming a hashtag.

Bot herders automate commands for their botnets.

Botnet Attacks

ZeroFOX has observed and reported a myriad of attacks involving social botnets. One common tactic we monitor, hashtag hijacking, rides on a trending hashtag’s popularity by flooding it with malicious, phishing or spam links. Such was the case when attackers targeted a large media conglomerate: an innocuous hashtag, simply the name of an event, was repurposed to spread malware, phishing links and spam. Followers of the conglomerate were bombarded with dangerous tweets, much to the detriment of the organization itself.

In this case, and many others, the handles of the offending accounts were the first thing to raise eyebrows: users like @xybiXXXXdehub or @rijidXXXXojak. The handles are randomly generated and have high text entropy (entropy is a measure of how unpredictable a string of characters is). A scroll through any of their profiles shows scammy posts about free Viagra and pornography downloads. To throw off the social networks’ sensors, their “About Me” sections contain structured yet meaningless blobs of text, often random descriptions assembled from dictionaries.
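To make the entropy idea concrete, here is an added Python example (not ZeroFOX code and not from the original post) that scores a handle with Shannon entropy plus a few complementary heuristics. The sample handles, thresholds and the two-signal cutoff are constructed assumptions for illustration only. One practical caveat the example makes visible: a short handle whose characters are all distinct already saturates the entropy measure, so real names such as john_smith score almost as high as random strings, which is why the score also looks at consonant runs, vowel ratio and digit density.

```python
import math
from collections import Counter

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def normalized_entropy(s: str) -> float:
    """Entropy divided by its maximum for a string of this length (0..1).
    For a short handle, all-distinct characters already give 1.0, so this
    saturates quickly and is only one signal among several."""
    if len(s) < 2:
        return 0.0
    return shannon_entropy(s) / math.log2(len(s))


def longest_consonant_run(handle: str) -> int:
    """Longest run of consecutive consonants; vowels, digits and '_' break a run."""
    best = run = 0
    for ch in handle.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def handle_features(handle: str) -> dict:
    h = handle.lstrip("@").lower()
    letters = [c for c in h if c.isalpha()]
    digits = [c for c in h if c.isdigit()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return {
        "normalized_entropy": normalized_entropy(h),
        "consonant_run": longest_consonant_run(h),
        "vowel_ratio": vowel_ratio,
        "letter_count": len(letters),
        "digit_ratio": len(digits) / len(h) if h else 0.0,
    }


def suspicion_score(handle: str) -> int:
    """Number of heuristic signals that fire. The thresholds are assumptions
    chosen for this example and would need tuning against real account data."""
    f = handle_features(handle)
    score = 0
    if f["consonant_run"] >= 5:                       # unpronounceable cluster
        score += 1
    if f["letter_count"] >= 6 and f["vowel_ratio"] < 0.2:
        score += 1
    if f["digit_ratio"] > 0.3:                        # digit-heavy filler
        score += 1
    if len(handle.lstrip("@")) >= 8 and f["normalized_entropy"] >= 0.97:
        score += 1
    return score


def is_suspicious(handle: str, threshold: int = 2) -> bool:
    return suspicion_score(handle) >= threshold


if __name__ == "__main__":
    # Constructed sample handles, not real accounts.
    for h in ("john_smith", "weather_nyc", "@xq7vkzpdh3rtb", "a1b2c3d4e5f6"):
        print(f"{h:16} score={suspicion_score(h)} features={handle_features(h)}")
```

Run it and john_smith and weather_nyc score 0 while the two constructed junk handles score 3 and 2 respectively, even though john_smith’s normalized entropy is about 0.94. The entropy signal alone would not have separated them; the combination does.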

A typical randomly generated About Me section of a bot.

These bots use “spray and pray” tactics: they post a high volume of links expecting only one or two to be clicked. They are programmed to append trending hashtags, as in this case study, to amplify the audience and turn a scattershot campaign into a targeted one. The bots tweet malicious links in bursts, followed by a series of text-only tweets. By spacing the links out this way they produce a sinusoidal link frequency, high enough in each burst to be effective but with an average low enough to avoid being flagged. The text-only tweets are often canned book passages or algorithmically generated, semi-coherent strings of words, just enough to look normal.
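The cadence described above can be measured, and the measurement shows why a simple average is not enough. The following added Python example (not from the original post) builds two constructed timelines, one bursty and bot-like and one steady daytime poster, and compares them on three numbers: overall link ratio, the largest number of links in any one hour, and the Fano factor (variance-to-mean ratio) of hourly link counts. The timelines, the START date and the flagging thresholds are assumptions made for this example.

```python
from datetime import datetime, timedelta
from statistics import mean, pvariance

START = datetime(2014, 1, 6)  # constructed reference day for the sample timelines


def make_bot_timeline(start=START, cycles=6, cycle_hours=4):
    """Constructed bot-like timeline: each cycle opens with six link tweets one
    minute apart, followed by ten text-only tweets 20 minutes apart."""
    tweets = []
    for c in range(cycles):
        t0 = start + timedelta(hours=c * cycle_hours)
        tweets += [(t0 + timedelta(minutes=i), True) for i in range(6)]
        tweets += [(t0 + timedelta(minutes=15 + 20 * i), False) for i in range(10)]
    return tweets


def make_daytime_timeline(start=START, first_hour=8, last_hour=21):
    """Constructed baseline: one link and two text tweets every waking hour."""
    tweets = []
    for h in range(first_hour, last_hour + 1):
        t0 = start + timedelta(hours=h)
        tweets.append((t0 + timedelta(minutes=10), True))
        tweets.append((t0 + timedelta(minutes=30), False))
        tweets.append((t0 + timedelta(minutes=50), False))
    return tweets


def hourly_link_counts(tweets, start, hours=24):
    """Count link-bearing tweets per one-hour bucket from `start`."""
    counts = [0] * hours
    for ts, has_link in tweets:
        if not has_link:
            continue
        idx = int((ts - start).total_seconds() // 3600)
        if 0 <= idx < hours:
            counts[idx] += 1
    return counts


def fano_factor(counts):
    """Variance-to-mean ratio of the hourly counts: about 1 for Poisson-like
    posting, well above 1 when links arrive in bursts."""
    m = mean(counts)
    return pvariance(counts) / m if m > 0 else 0.0


def summarize(tweets, start=START, hours=24):
    counts = hourly_link_counts(tweets, start, hours)
    links = sum(1 for _, has_link in tweets if has_link)
    return {
        "link_ratio": links / len(tweets),
        "max_links_per_hour": max(counts),
        "fano": fano_factor(counts),
    }


def looks_bursty(summary, max_per_hour=5, fano_threshold=2.0):
    """Illustrative thresholds assumed for this example, not measured values."""
    return summary["max_links_per_hour"] >= max_per_hour or summary["fano"] > fano_threshold


def compare_timelines():
    return summarize(make_bot_timeline()), summarize(make_daytime_timeline())


if __name__ == "__main__":
    bot, base = compare_timelines()
    for name, s in (("bot", bot), ("baseline", base)):
        print(f"{name:9} link_ratio={s['link_ratio']:.2f} max/hour={s['max_links_per_hour']} "
              f"fano={s['fano']:.2f} bursty={looks_bursty(s)}")
```

Both timelines post links about a third of the time (0.375 versus 0.333), so a detector keyed only on average link frequency cannot tell them apart. The bursty timeline puts six links into a single hour and has a Fano factor of 4.5, while the steady poster never exceeds one link per hour and has a Fano factor below 1. Bucketing by hour is itself a tuning choice; shorter buckets catch tighter bursts, longer ones smooth them away.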

Another attack, the retweet storm, abuses the way a tweet rises in popularity with its number of retweets. It is especially useful for “pinning” a malicious message to a trend by making it look popular. If the tweet contains a malicious link, or Twitter judges it abusive, Twitter may ban the original poster but not every account that retweeted it, so the link remains on the profiles of all the retweeting accounts. The banned account, known as the “martyr bot”, sacrifices itself at the cost of a single account.

Retweet storms are also abused by people renting out their botnet armies for popularity. Popular websites let users pay for retweets, friends, followers or even shout-outs from botnets.

Online marketers pay bot herders to distribute their message.

Botnets range from “dumb” ones to ones that are much harder to find. Evasion techniques used to “look human” and avoid detection include:

  • Posting at the same times a human in the region would post, such as core working hours during the week and sometimes later at night on weekends
  • Posting statuses with benign text, usually passages from newspapers, books or even the timelines of other users
  • Keeping up the above posting pattern for months to build a smokescreen and accumulate clout with followers in the same neighborhood of the social network
  • Buying friends or followers via the methods described earlier
  • Automatically retweeting popular posts from the accounts they follow

I presented at BSidesROC about these issues, as well as issues surrounding the inherent trust exhibited by users on social networks. You can view the presentation and review the sample botnet we created. We also presented at Shmoocon, highlighting how these strategies were implemented by a college class to attack each other for a semester project.
