Twitter Being Used As Botnet Command Channel

Ah Twitter in the news again, the bad guys sure do keep up with new trends. After being taken offline for a while by a Joejob DDoS attack Twitter is in the news again – this time it’s being used as the command channel for a Botnet.

The normal method for controlling Botnets is via an IRC channel, usually a private keyed channel on some obscure network. A lot of people used to use EFnet due to it’s lack of network services, but nowdays there are so many networks to choose from people can keep out of the limelight.

Sometimes even using a private IRCd setup on a hacked server or via Dynamic DNS on a home server.

For the past couple weeks, Twitter has come under attacks that besieged it with more traffic than it could handle. Now comes evidence that the microblogging website is being used to feed the very types of infected machines that took it out of commission.

That’s the conclusion of Jose Nazario, the manager of security research at Arbor Networks. On Thursday, he stumbled upon a Twitter account that was being used as part of an improvised update server for computers that are part of a botnet.

The account, which Twitter promptly suspended, issued tweets containing a single line of text that looked indecipherable to the naked eye. Using what’s known as a base64 decoder, however, the dispatches pointed to links where infected computers could receive malware updates.

Ok so one such channel was discovered, how many more accounts are there on Twitter being used for nefarious purposes?

Very hard for anyone to track them down, especially if they don’t use standard syntax across all the accounts.

I’m sure Twitter will be thinking up some way to auto-discover these accounts.

Master command channels used to herd large numbers of infected machines have long been one of the weak links in the botnet trade. Not only do they cost money to maintain, but they can provide tell-tale clues that help law enforcement agents to track down the miscreants running the rogue networks. Bot herders have used ICQ, internet relay chat, and other chat mediums to get around this limitation, but this appears to be the first time Twitter is known to have been employed.

Nazario said he’s found at least two other Twitter accounts he suspects were being used in the same fashion, but needs to do additional analysis before he can be sure. The bots using the Twitter account connected using RSS feeds, a technique that allowed them to receive each tweet in real time without the need of an account. It was unclear how many bots connected to the account.

Up to now, the bot designers have done a good job keeping their enterprise under wraps. The original bot software is detected by just 46 percent of the major anti-virus tools, according to this VirusTotal analysis. The updates, which appear to be affiliated with the Buzus trojan, are even stealthier, with only 22 percent of AV engines detecting it.

The example discovered uses base64 encoding, so perhaps they can track down accounts with base64 strings in their feed.

You can read more on the Arbor Networks blog here:

Twitter-based Botnet Command Channel

Source: The Register

Posted in: Malware, Networking Hacking Tools

, , , ,

Latest Posts:

GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc
GKE Auditor - Detect Google Kubernetes Engine Misconfigurations GKE Auditor – Detect Google Kubernetes Engine Misconfigurations
GKE Auditor is a Java-based tool to detect Google Kubernetes Engine misconfigurations, it aims to help security & dev teams streamline the configuration process
zANTI - Android Wireless Hacking Tool Free Download zANTI – Android Wireless Hacking Tool Free Download
zANTI is an Android Wireless Hacking Tool that functions as a mobile penetration testing toolkit that lets you assess the risk level of a network using mobile.
HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.
Fuzzilli - JavaScript Engine Fuzzing Library Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it's a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language.

6 Responses to Twitter Being Used As Botnet Command Channel

  1. NNM August 17, 2009 at 6:27 am #

    I’m not sure why anyone uses twitter at all…
    It’s childish, buggy, hacked, unsecured…
    I signed up a year ago to “see what it is”…
    I have never used it, and I have about 300 followers, all spammers or bots.

    I find it very amusing how they get abused…
    “Now comes evidence that the microblogging website is being used to feed the very types of infected machines that took it out of commission.”

  2. GZero August 17, 2009 at 8:09 am #

    Web Based C&Cs are (for me) the next natural step.

    Just like P2P networks made the switch from obscure custom protocols (Gnutella, Direct Connect) to HTTP based services (BitTorrent), so too will the bots.

  3. John August 17, 2009 at 4:23 pm #

    I like Twitter, but it is becoming more spammy.

  4. Paul August 17, 2009 at 4:45 pm #

    If anyone is interested in taking apart the malware that was being propagated in this botnet, I wrote up a post of my experiences, along with malware samples should you wish to follow along:

  5. sighK August 17, 2009 at 10:46 pm #

    Maybe they can use that to their advantage, twitter can see how it works, then block the person from logging on and then post something to make them all delete themselves

  6. Morgan Storey August 19, 2009 at 12:41 am #

    Didn’t conficker get its command and control from websites and a long list of domains, also using p2p between bots, I am sure I even read about one that generated blogspot sub domains and visited their for their C&C. It is a natural progression.
    The bot programmers will obfuscate and disperse their C&C infrastructure so that it is both difficult to find and nice and distributed on free services, it seems common sense to me, like a story I heard a few years ago about a terrorist cell comunicating via a public messaging board using keywords in their usually on topic posts, combined with images posted that contained stenographically encapsulated data. Or back in WW1 and WW2 ending news broadcasts with non-sensical messages as a way to communicate with the resistance.
    What is being done now has been done before.