Pastebin Botnets?

I've always been interested in Botnet research, and a piece of code in circulation on forums at the moment seemed interesting enough to write about. The subject is "Pastebin Botnets", but first we'd better talk a little bit about Pastebins...

Pastebins - what are they?

From Wikipedia:

A pastebin, also known as a nopaste, is a web application which allows its users to upload snippets of text, usually samples of source code, for public viewing. It is very popular in IRC channels where pasting large amounts of text is considered bad etiquette. A vast number of pastebins exist on the Internet, suiting a number of different needs and provided features tailored towards the crowd they focus on most.

Pastebins have become very popular in certain hacking communities, where quick and easy sharing of a target's personal information ("Dox") is perfectly at home.

pbinbot1.jpg

That's for another writeup, but at least we now have a decent idea of Pastebins and how easy they make things where rapid sharing/storage of data is concerned.

What does this have to do with Botnets? Well, over the past week or two I've seen a piece of code floating around on various forums that (according to the author) has the potential to be used in conjunction with a Pastebin to issue commands to a Botnet. I'm not aware of pastebins being used for issuing Botnet commands (though of course that doesn't necessarily mean it's a new technique) and was curious to see if this is indeed something relatively new or a method that's been around for a while.

Why is a Pastebin Botnet a good idea for a Botnet owner?

In a nutshell, the Botnet owner can post Botnet drone commands quickly and without fuss to a Pastebin page (your "Botnet Hub"), and the drones will carry out those commands.

Web based Botnets have been all the rage for some time, as they're usually harder to detect than the rather obvious IRC traffic of old. There are some other advantages, too - Pastebins are plentiful and the main sites (such as Pastebin.com) are rarely offline.

In addition to this, you don't have to waste time setting up webpages & hosting accounts while hoping your host doesn't shut you down - it's simply a case of cutting and pasting text onto a Pastebin. If your page dies, it takes seconds to start again (as a side note, there's an interesting recent post here regarding the use of RSS feeds in conjunction with Pastebins to issue commands to Botnets from changing locations, which is pretty smart).

As you can see then, Pastebins appear to be a bit of a hot topic for people discussing Botnets at the moment and a clever spin on web based Botnets in general. So how does it work?

Ye Olde Disclaimer

Although the idea behind it is sound, it seems the code doing the rounds on various forums (written in Perl) is "proof of concept" and would need some work doing to it to unleash a fully formed Botnet. Despite this, according to the creator it can already read pastebin posts for text (which are then used to issue commands to the Bots), post in the previously mentioned "Botnet hub", post in its own individual private pastebin, and get the latest post by the botnet owner.

Here are a few screenshots of said code:

pbbnet2.jpg


pbbnet3.jpg

The idea of using Pastebins in this way is a clever one - I've seen people post Bot drone code (which needs compiling in an external application) to Pastebin pages for "storage" many times (in much the same way people post "dox" to pages for safe keeping), but this is the first time I can remember seeing someone thinking about using a Pastebin itself to act as a kind of Command & Control center for a Botnet.
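The defender's view of this, as an added example that is not part of the original post or of the code it discusses: assuming the drones check a fixed paste URL on a timer, that polling shows up in web proxy logs as one client fetching one paste again and again at an even interval. The log format, paste IDs, host list and thresholds below are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

PASTE_HOSTS = {"pastebin.com"}  # assumption: add the paste sites seen on your network
MIN_FETCHES = 4                 # assumption: fewer fetches than this is not a pattern
MAX_JITTER = 0.2                # assumption: stdev/mean of the gaps at or below this is "regular"

# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2009-06-15T10:00:00 10.0.0.5 GET http://pastebin.com/EXAMPLE1
2009-06-15T10:01:10 10.0.0.9 GET http://pastebin.com/EXAMPLE2
2009-06-15T10:05:02 10.0.0.5 GET http://pastebin.com/EXAMPLE1
2009-06-15T10:10:01 10.0.0.5 GET http://pastebin.com/EXAMPLE1
2009-06-15T10:12:00 10.0.0.5 GET http://example.org/index.html
2009-06-15T10:15:00 10.0.0.5 GET http://pastebin.com/EXAMPLE1
2009-06-15T10:20:03 10.0.0.5 GET http://pastebin.com/EXAMPLE1
2009-06-15T09:00:00 10.0.0.7 GET http://www.pastebin.com/EXAMPLE3
2009-06-15T09:00:20 10.0.0.7 GET http://www.pastebin.com/EXAMPLE3
2009-06-15T09:45:00 10.0.0.7 GET http://www.pastebin.com/EXAMPLE3
2009-06-15T14:30:00 10.0.0.7 GET http://www.pastebin.com/EXAMPLE3
"""

def find_pollers(log_text):
    """Return (client, url, fetch_count, mean_gap_seconds) for regular paste polling."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        ts, client, method, url = parts
        host = (urlsplit(url).hostname or "").lower()
        host = host[4:] if host.startswith("www.") else host
        if method == "GET" and host in PASTE_HOSTS:
            hits[(client, url)].append(datetime.fromisoformat(ts))
    findings = []
    for (client, url), times in hits.items():
        if len(times) < MIN_FETCHES:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # A person re-reading a paste produces uneven gaps; a timer does not.
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER:
            findings.append((client, url, len(times), round(avg)))
    return sorted(findings)
```

On the constructed log, only 10.0.0.5 is reported: 10.0.0.7 fetches a paste four times as well, but at uneven intervals.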

If you've seen this technique before, feel free to share your thoughts in the comments - it's certainly one of the more interesting Botnet ideas I've seen in a while.

1 Comment

Thanks for mentioning my article on changing Pastebin locations with RSS feeds. I have a strange feeling that someone read my article around the time I wrote it and produced some code around the idea. I hope I haven't started off a whole new wave of spam!


About this Entry

This page contains a single entry by Christopher Boyd published on June 15, 2009 10:03 AM.
