Botnet Controls “Twitch Installs Arch Linux”
Yup, this was pretty disappointing to us.
We were keeping it running as long as we felt comfortable to do so, but due to our lack of preparation for an actual attack, we decided to cut it when it was obvious that the majority was voting too perfectly on actions that were turning malicious.
At this point, we are not sure how we are going to be continuing with this project. The time investment required to make this secure is much larger than we initially anticipated and our current setup is not optimal to do so. Along with this, we are both currently students and do not have the time to invest in such an undertaking. However, we are currently talking with a group that is attempting to reboot this idea immediately in a more secure environment. We will be exploring our options on how to best keep this project going.
All of our code is available on github at https://github.com/twitchinstallsarchlinux
Well, I'll thank you for having this experiment, short as it was.
I was in the stream and while at least some of the feats accomplished (partitioning the disk, installing the right things, changing the password) seemed to have some authenticity to it, the chat started to try to install nmap, then it tried to investigate networking capabilities, tried to ping 8.8.8.8, to start dhcpcd, then tried to ping 8.8.8.8 again...all in rapid succession before anyone really discussed it at all. It certainly seemed fishy.
It's kind of upsetting. It was very exciting in the beginning--the internet installing a bootable arch linux system by voting for a single character at a time in under 3 hours...seemed unimaginable. But after the dhcpcd stuff started, it felt like that victory was taken from us.
EDIT: it WAS a botnet, see the reply from pdaddyo
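The symptom described above (many accounts casting the same vote in rapid succession) is something a stream operator can detect from the chat log. The following is an added example, not code from the Twitch Installs Arch Linux project: it scans a constructed log of (seconds since start, account, vote) tuples and flags any vote value cast by at least ten distinct accounts within a one-second window. The thresholds and the sample accounts are assumptions.

```python
"""Flag bursts of identical votes cast by many accounts almost at once.

Added example, not code from the Twitch Installs Arch Linux project.  The
log below is constructed: (seconds since stream start, account, vote).
"""
from collections import defaultdict

# Constructed sample: a handful of human votes spread over seconds, then
# twelve accounts all voting "n" inside roughly half a second.
SAMPLE_LOG = [
    (0.0, "alice", "p"),
    (0.4, "bob", "a"),
    (1.3, "carol", "c"),
    (2.1, "dave", "m"),
    (2.9, "alice", "n"),          # a genuine "n" well before the burst
] + [(5.0 + 0.05 * i, f"bot{i:02d}", "n") for i in range(12)]


def detect_bursts(log, window=1.0, min_accounts=10):
    """Return one record per vote value that was cast by at least
    `min_accounts` distinct accounts within some `window`-second span.

    Each record: {"vote", "accounts", "first", "last"}.  Accounts that
    only cast the value outside every flagged window are not included.
    """
    by_vote = defaultdict(list)
    for t, account, vote in log:
        by_vote[vote].append((t, account))

    bursts = []
    for vote, events in by_vote.items():
        events.sort()
        in_window = defaultdict(int)      # account -> events inside window
        flagged = {}                      # account -> time first flagged
        lo = 0
        for hi, (t_hi, acct_hi) in enumerate(events):
            in_window[acct_hi] += 1
            # slide the left edge until every kept event is within `window`
            while t_hi - events[lo][0] > window:
                _, acct_lo = events[lo]
                in_window[acct_lo] -= 1
                if in_window[acct_lo] == 0:
                    del in_window[acct_lo]
                lo += 1
            if len(in_window) >= min_accounts:
                for acct in in_window:
                    flagged.setdefault(acct, t_hi)
        if flagged:
            times = [t for t, a in events if a in flagged]
            bursts.append({"vote": vote,
                           "accounts": sorted(flagged),
                           "first": min(times),
                           "last": max(times)})
    return bursts


def suspicious_accounts(log, **kwargs):
    """Union of the accounts appearing in any burst."""
    return {a for b in detect_bursts(log, **kwargs) for a in b["accounts"]}


if __name__ == "__main__":
    for b in detect_bursts(SAMPLE_LOG):
        print(f"vote {b['vote']!r}: {len(b['accounts'])} accounts "
              f"between t={b['first']:.2f}s and t={b['last']:.2f}s")
```

The sliding window keeps a per-account count so an account that votes twice in quick succession is counted once; a human who cast the same character seconds earlier (alice's "n" above) is left out of the flagged set. Tune `window` and `min_accounts` against the normal vote rate of the stream before acting on the output.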
I thought nmap was just chat going along with random stuff, but now that you mention it could be a botnet.
I doubt the `ping 8.8.8.8` was botnet though, as it's standard to test out your internet to see if you enabled it or not. Chat was trying to pacman -S something. People were encouraging others to type "ping 8.8.8.8"
Creator JRWR confirmed botnet in irc channel: https://i.imgur.com/qaWFUEH.jpg
JRWR is not a creator, he is one of the irc members who are looking into rebooting the project for us.
What irc client is that? Could you share the config?
Latest news from irc:
JRWR: So, the creators of this project have left. they no longer want to be a part of this any more. they have their reasons and I will NOT be disclosing it. The creators have handed over the keys to JRWR and yamamushi
JRWR: This project WILL live on, give us 24/48 hours to make something nice, we have their code and will expand on it.
yamimushi: We are working to get everything back online asap
And yes the reasoning for shutdown was the botnet, not pings or Google complaints.
So, is there any way to stop this botnet? Seems to be that the only way to stop bots from abusing the twitch IRC api is to ban each of them.
I have programmed twitch spam bots before (repeats what people say, once on each account with eight accounts), it's surprisingly easy to do. Twitch does have some sort of system to detect if you are abusing the API I think, because I noticed that I get timed out pretty quickly.
A few ideas were thrown around with a third-party server and captcha necessary to validate your twitch account to send commands.
People working on it say it's being handled, but it definitely isn't a bad idea to brainstorm.
What about setting up a second site with a form: enter twitch name and answer a turing test question. Also ask for person to create a new turing question with answer. Person has ability to request a few new questions before deny.
Submitted questions are approved by admins via rapid fire Y/N buttons, with ability to fix typos, etc.
This authenticates that user for something like 5-15 minutes or however long to participate in voting.
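One way to implement the time-limited authorization this comment proposes, as an added example that is not the project's own code: a user who answers a bank question receives an HMAC-signed token carrying an expiry, and the vote gate drops any vote whose token does not authenticate the claimed user or has expired. The secret key, the question bank and the ten-minute TTL are constructed assumptions.

```python
"""Time-limited voting authorization after a challenge is passed.

Added example, not code from the Twitch Installs Arch Linux project.  The
secret key, the question bank and the TTL are constructed assumptions.
"""
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)   # per-deployment key; generated here
TTL_SECONDS = 10 * 60                  # within the "5-15 minutes" proposed

# Constructed question bank: question -> expected answer (case-insensitive).
QUESTION_BANK = {
    "Type the third word of: twitch installs arch linux": "arch",
    "What is the name of the package manager Arch uses?": "pacman",
}


def _mac(user, expires_at):
    msg = f"{user}:{expires_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(user, now):
    """Return a token valid for TTL_SECONDS from `now`.
    Twitch names contain no ':' so the delimiter is unambiguous."""
    expires_at = int(now) + TTL_SECONDS
    return f"{user}:{expires_at}:{_mac(user, expires_at)}"


def check_token(token, now):
    """Return the user name if the token is untampered and unexpired, else None."""
    try:
        user, expires_at, mac = token.split(":")
        expires_at = int(expires_at)
    except (AttributeError, ValueError):
        return None
    # constant-time comparison so a forger learns nothing from timing
    if not hmac.compare_digest(mac, _mac(user, expires_at)):
        return None
    if now >= expires_at:
        return None
    return user


def answer_challenge(user, question, answer, now):
    """Issue a token if the user answers a bank question correctly."""
    expected = QUESTION_BANK.get(question)
    if expected is None or answer.strip().lower() != expected:
        return None
    return issue_token(user, now)


def filter_votes(votes, now):
    """Keep only votes whose token authenticates the claimed user.
    `votes` is a list of (user, token, vote_char)."""
    accepted = []
    for user, token, vote in votes:
        if check_token(token, now) == user:
            accepted.append((user, vote))
    return accepted
```

Because the user name is bound into the MAC, a token issued to one account cannot be replayed under another name, and the expiry forces every account back through the challenge at the interval the operator chooses. The bank here is static; a real deployment would rotate questions and, as the comment suggests, let admins approve user-submitted ones.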
this kind of defeats the purpose of twitch chat
Evidence? https://imgur.com/WLEt2iz
I doubt it, I doubt people would just hand over their twitch accounts to some guy on 4chan.
Most likely the OP would have been nypa'd out of there.
I doubt that. The thread had only <10 replies and it has been dead.
I saw this on 4chan. I wonder what he would have done.
Don't restart this thing until you've had a professional harden your network. You are not gonna stop the botnet, so the best you can do is limit the impact of post-exploitation.
And this is hardening like a DMZ. I'd probably end up with an arch mirror VM on the same host, tell libvirt to isolate the traffic and tell the host to drop all traffic coming from these machines without looking at it after setting up the arch mirror.
And then cross my fingers that there are no KVM bugs.
Better yet, just run this on a t2.micro on a throwaway EC2 account. Doesn't matter if they own the box, they get literally nothing they couldn't get for free from Amazon anyways.
it also becomes quite easy to lock the machine down
yeah. basically, no network access, except to the arch mirrors and just enough to watch the twitch stream. should be hard to abuse.
put it in an aws vpc on a private subnet. create another subnet with a nat instance. Only allow access to the vpc over ssh or whatever from the secure control server. Lock all other incoming via security groups or network ACLs. Allow egress from this box only to route on ports 80 and 443 out through a route table to the NAT instance to the internet. Further you can allow the nat to only allow access to 80/443 outbound to whitelisted ip addresses, or if you want to get craftier, make the nat a squid box and whitelist / net nanny what it can hit possibly via an admin watching twitch plays stream and saying yea/nay
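To make the layered policy in this comment concrete, here is an added example (not the project's code) that evaluates sample flows against it and renders the same rules as an nftables ruleset for review. The addresses are constructed from RFC 5737 documentation ranges and RFC 1918 space; the layout assumed is a private subnet for the voting box, a NAT instance in front of it, one control host allowed in over SSH, and an allowlist of mirror addresses reachable on 80/443.

```python
"""Evaluate the egress-only network policy sketched above against sample flows.

Added example, not the project's code.  Addresses are constructed
(RFC 5737 documentation ranges and RFC 1918 space).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VOTING_SUBNET = ip_network("10.0.1.0/24")        # private subnet for the box
CONTROL_HOST = ip_address("203.0.113.5")         # the only permitted SSH source
MIRROR_ALLOWLIST = {ip_address("198.51.100.20"), ip_address("198.51.100.21")}
EGRESS_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # 0 for icmp


def evaluate(flow):
    """Return ("allow"|"deny", reason) for a new connection attempt.
    Rules are checked in order, first match wins, default deny."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst in VOTING_SUBNET:                       # inbound to the box
        if src == CONTROL_HOST and flow.proto == "tcp" and flow.dport == 22:
            return "allow", "ssh from control host"
        return "deny", "inbound not from control host"
    if src in VOTING_SUBNET:                       # outbound from the box
        if (flow.proto == "tcp" and flow.dport in EGRESS_PORTS
                and dst in MIRROR_ALLOWLIST):
            return "allow", "http(s) to allowlisted mirror"
        return "deny", "egress outside mirror allowlist"
    return "deny", "flow does not involve the voting subnet"


def render_nft():
    """Render the same policy as an nftables forward chain for the NAT box
    (text only; nothing is applied here)."""
    mirrors = ", ".join(str(m) for m in sorted(MIRROR_ALLOWLIST))
    ports = ", ".join(str(p) for p in sorted(EGRESS_PORTS))
    return "\n".join([
        "table inet voting {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr {CONTROL_HOST} ip daddr {VOTING_SUBNET} tcp dport 22 accept",
        f"    ip saddr {VOTING_SUBNET} ip daddr {{ {mirrors} }} "
        f"tcp dport {{ {ports} }} accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for f in (Flow("10.0.1.5", "198.51.100.20", "tcp", 443),
              Flow("10.0.1.5", "8.8.8.8", "icmp"),
              Flow("203.0.113.5", "10.0.1.5", "tcp", 22)):
        print(f, "->", evaluate(f))
    print(render_nft())
```

The evaluator reproduces the flows seen in the stream: an HTTPS fetch to an allowlisted mirror passes, while the ping to 8.8.8.8 and any connection to a host outside the allowlist are dropped before they leave the NAT. Note that DNS is deliberately not opened; if the mirror is referenced by name, resolve it on the control side and pin the address in the allowlist.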
A good twitch stress test. Hopefully this stuff gets cleaned up in the future!