Twitter Being Used As Botnet Command Channel

Ah, Twitter is in the news again; the bad guys sure do keep up with new trends. After being taken offline for a while by a Joejob DDoS attack, Twitter is making headlines once more – this time it’s being used as the command channel for a botnet.

The normal method for controlling botnets is via an IRC channel, usually a private keyed channel on some obscure network. A lot of people used to use EFnet due to its lack of network services, but nowadays there are so many networks to choose from that people can keep out of the limelight.

Sometimes they even use a private IRCd set up on a hacked server, or via Dynamic DNS on a home server.

For the past couple weeks, Twitter has come under attacks that besieged it with more traffic than it could handle. Now comes evidence that the microblogging website is being used to feed the very types of infected machines that took it out of commission.

That’s the conclusion of Jose Nazario, the manager of security research at Arbor Networks. On Thursday, he stumbled upon a Twitter account that was being used as part of an improvised update server for computers that are part of a botnet.

The account, which Twitter promptly suspended, issued tweets containing a single line of text that looked indecipherable to the naked eye. Using what’s known as a base64 decoder, however, the dispatches pointed to links where infected computers could receive malware updates.

OK, so one such channel was discovered; how many more accounts are there on Twitter being used for nefarious purposes?

It will be very hard for anyone to track them down, especially if they don’t use a standard syntax across all the accounts.

I’m sure Twitter will be thinking up some way to auto-discover these accounts.

Master command channels used to herd large numbers of infected machines have long been one of the weak links in the botnet trade. Not only do they cost money to maintain, but they can provide tell-tale clues that help law enforcement agents to track down the miscreants running the rogue networks. Bot herders have used ICQ, internet relay chat, and other chat mediums to get around this limitation, but this appears to be the first time Twitter is known to have been employed.

Nazario said he’s found at least two other Twitter accounts he suspects were being used in the same fashion, but needs to do additional analysis before he can be sure. The bots using the Twitter account connected using RSS feeds, a technique that allowed them to receive each tweet in real time without the need of an account. It was unclear how many bots connected to the account.

Up to now, the bot designers have done a good job keeping their enterprise under wraps. The original bot software is detected by just 46 percent of the major anti-virus tools, according to this VirusTotal analysis. The updates, which appear to be affiliated with the Buzus trojan, are even stealthier, with only 22 percent of AV engines detecting it.

The example discovered uses base64 encoding, so perhaps they can track down accounts with base64 strings in their feed.
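A minimal sketch of that idea, as an added example that is not code from this post, Arbor Networks, or Twitter: it decodes base64-looking tokens in feed entries and flags accounts whose entries mostly decode to URLs. The function names, the 16-character minimum, the 0.5 ratio, and the sample feed are all assumptions made for illustration, and it only catches the plain base64-encoded-URL pattern described above.

```python
import base64
import re

# Runs of base64 alphabet long enough to hold an encoded URL (assumed minimum: 16 chars).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"https?://[^\s\"'<>]+")


def decoded_urls(text):
    """Return URLs hidden inside base64 tokens of a single feed entry."""
    found = []
    for token in B64_TOKEN.findall(text):
        if len(token) % 4:  # padded base64 is always a multiple of 4 chars
            continue
        try:
            # binascii.Error and UnicodeDecodeError are both ValueError subclasses
            plain = base64.b64decode(token, validate=True).decode("ascii")
        except ValueError:
            continue  # not base64, or decodes to binary rather than text
        found.extend(URL.findall(plain))
    return found


def flag_accounts(feed, min_ratio=0.5):
    """feed maps account -> list of entries; flag accounts where at least
    min_ratio of the entries decode to one or more URLs."""
    flagged = {}
    for account, entries in feed.items():
        per_entry = [decoded_urls(e) for e in entries]
        hits = [urls for urls in per_entry if urls]
        if entries and len(hits) / len(entries) >= min_ratio:
            flagged[account] = [u for urls in hits for u in urls]
    return flagged


def encode_sample(s):
    """Helper used only to build the constructed sample data below."""
    return base64.b64encode(s.encode()).decode()


# Constructed sample feed (example.* domains only), not real account data.
SAMPLE_FEED = {
    "acct_a": [encode_sample("http://example.com/u1"),
               encode_sample("http://example.com/u2 http://example.org/u3")],
    "acct_b": ["Reading about botnets at http://example.net/post",
               "supercalifragilisticexpialidocious"],
}

if __name__ == "__main__":
    print(flag_accounts(SAMPLE_FEED))
```

Ordinary long words and plain-text links are not flagged because they either fail the length check or do not decode to ASCII text containing a URL; an account that switches to a different encoding would need a different rule.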

You can read more on the Arbor Networks blog here:

Twitter-based Botnet Command Channel

Source: The Register


6 Responses to Twitter Being Used As Botnet Command Channel

  1. NNM August 17, 2009 at 6:27 am #

    I’m not sure why anyone uses twitter at all…
    It’s childish, buggy, hacked, unsecured…
    I signed up a year ago to “see what it is”…
    I have never used it, and I have about 300 followers, all spammers or bots.

    I find it very amusing how they get abused…
    “Now comes evidence that the microblogging website is being used to feed the very types of infected machines that took it out of commission.”

  2. GZero August 17, 2009 at 8:09 am #

    Web Based C&Cs are (for me) the next natural step.

    Just like P2P networks made the switch from obscure custom protocols (Gnutella, Direct Connect) to HTTP based services (BitTorrent), so too will the bots.

  3. John August 17, 2009 at 4:23 pm #

    I like Twitter, but it is becoming more spammy.

  4. Paul August 17, 2009 at 4:45 pm #

    If anyone is interested in taking apart the malware that was being propagated in this botnet, I wrote up a post of my experiences, along with malware samples should you wish to follow along:

  5. sighK August 17, 2009 at 10:46 pm #

    Maybe they can use that to their advantage, twitter can see how it works, then block the person from logging on and then post something to make them all delete themselves

  6. Morgan Storey August 19, 2009 at 12:41 am #

    Didn’t Conficker get its command and control from websites and a long list of domains, also using p2p between bots? I am sure I even read about one that generated blogspot sub domains and visited them for their C&C. It is a natural progression.
    The bot programmers will obfuscate and disperse their C&C infrastructure so that it is both difficult to find and nice and distributed on free services, it seems common sense to me, like a story I heard a few years ago about a terrorist cell communicating via a public messaging board using keywords in their usually on topic posts, combined with images posted that contained steganographically encapsulated data. Or back in WW1 and WW2 ending news broadcasts with nonsensical messages as a way to communicate with the resistance.
    What is being done now has been done before.