Twitter Being Used As Botnet Command Channel

Use Netsparker

Ah Twitter in the news again, the bad guys sure do keep up with new trends. After being taken offline for a while by a Joejob DDoS attack Twitter is in the news again – this time it’s being used as the command channel for a Botnet.

The normal method for controlling Botnets is via an IRC channel, usually a private keyed channel on some obscure network. A lot of people used to use EFnet due to it’s lack of network services, but nowdays there are so many networks to choose from people can keep out of the limelight.

Sometimes even using a private IRCd setup on a hacked server or via Dynamic DNS on a home server.

For the past couple weeks, Twitter has come under attacks that besieged it with more traffic than it could handle. Now comes evidence that the microblogging website is being used to feed the very types of infected machines that took it out of commission.

That’s the conclusion of Jose Nazario, the manager of security research at Arbor Networks. On Thursday, he stumbled upon a Twitter account that was being used as part of an improvised update server for computers that are part of a botnet.

The account, which Twitter promptly suspended, issued tweets containing a single line of text that looked indecipherable to the naked eye. Using what’s known as a base64 decoder, however, the dispatches pointed to links where infected computers could receive malware updates.

Ok so one such channel was discovered, how many more accounts are there on Twitter being used for nefarious purposes?

Very hard for anyone to track them down, especially if they don’t use standard syntax across all the accounts.

I’m sure Twitter will be thinking up some way to auto-discover these accounts.

Master command channels used to herd large numbers of infected machines have long been one of the weak links in the botnet trade. Not only do they cost money to maintain, but they can provide tell-tale clues that help law enforcement agents to track down the miscreants running the rogue networks. Bot herders have used ICQ, internet relay chat, and other chat mediums to get around this limitation, but this appears to be the first time Twitter is known to have been employed.

Nazario said he’s found at least two other Twitter accounts he suspects were being used in the same fashion, but needs to do additional analysis before he can be sure. The bots using the Twitter account connected using RSS feeds, a technique that allowed them to receive each tweet in real time without the need of an account. It was unclear how many bots connected to the account.

Up to now, the bot designers have done a good job keeping their enterprise under wraps. The original bot software is detected by just 46 percent of the major anti-virus tools, according to this VirusTotal analysis. The updates, which appear to be affiliated with the Buzus trojan, are even stealthier, with only 22 percent of AV engines detecting it.

The example discovered uses base64 encoding, so perhaps they can track down accounts with base64 strings in their feed.

You can read more on the Arbor Networks blog here:

Twitter-based Botnet Command Channel

Source: The Register

Posted in: Malware, Networking Hacking

, , , ,

Latest Posts:

CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.
HTTrack - Website Downloader Copier & Site Ripper Download HTTrack – Website Downloader Copier & Site Ripper Download
HTTrack is a free and easy-to-use offline browser utility which acts as a website downloader and a site ripper for copying websites and downloading them for offline viewing.
sshLooter - Script To Steal SSH Passwords sshLooter – Script To Steal SSH Passwords
sshLooter is a Python script using a PAM module to steal SSH passwords by logging the password and notifying the admin of the script via Telegram when a user logs in.
Intercepter-NG - Android App For Hacking Intercepter-NG – Android App For Hacking
Intercepter-NG is a multi functional network toolkit including an Android app for hacking, the main purpose is to recover interesting data from the network stream and perform different kinds of MiTM attacks.
dcipher - Online Hash Cracking Using Rainbow & Lookup Tables dcipher – Online Hash Cracking Using Rainbow & Lookup Tables
dcipher is a JavaScript-based online hash cracking tool to decipher hashes using online rainbow & lookup table attack services.

6 Responses to Twitter Being Used As Botnet Command Channel

  1. NNM August 17, 2009 at 6:27 am #

    I’m not sure why anyone uses twitter at all…
    It’s childish, buggy, hacked, unsecured…
    I signed up a year ago to “see what it is”…
    I have never used it, and I have about 300 followers, all spammers or bots.

    I find it very amusing how they get abused…
    “Now comes evidence that the microblogging website is being used to feed the very types of infected machines that took it out of commission.”

  2. GZero August 17, 2009 at 8:09 am #

    Web Based C&Cs are (for me) the next natural step.

    Just like P2P networks made the switch from obscure custom protocols (Gnutella, Direct Connect) to HTTP based services (BitTorrent), so too will the bots.

  3. John August 17, 2009 at 4:23 pm #

    I like Twitter, but it is becoming more spammy.

  4. Paul August 17, 2009 at 4:45 pm #

    If anyone is interested in taking apart the malware that was being propagated in this botnet, I wrote up a post of my experiences, along with malware samples should you wish to follow along:

  5. sighK August 17, 2009 at 10:46 pm #

    Maybe they can use that to their advantage, twitter can see how it works, then block the person from logging on and then post something to make them all delete themselves

  6. Morgan Storey August 19, 2009 at 12:41 am #

    Didn’t conficker get its command and control from websites and a long list of domains, also using p2p between bots, I am sure I even read about one that generated blogspot sub domains and visited their for their C&C. It is a natural progression.
    The bot programmers will obfuscate and disperse their C&C infrastructure so that it is both difficult to find and nice and distributed on free services, it seems common sense to me, like a story I heard a few years ago about a terrorist cell comunicating via a public messaging board using keywords in their usually on topic posts, combined with images posted that contained stenographically encapsulated data. Or back in WW1 and WW2 ending news broadcasts with non-sensical messages as a way to communicate with the resistance.
    What is being done now has been done before.