Ah, Twitter is in the news again; the bad guys sure do keep up with new trends. After being taken offline for a while by a Joejob DDoS attack, Twitter is back in the headlines – this time it’s being used as the command channel for a botnet.
The normal method for controlling botnets is via an IRC channel, usually a private keyed channel on some obscure network. A lot of people used to use EFnet due to its lack of network services, but nowadays there are so many networks to choose from that people can keep out of the limelight.
Sometimes they even use a private IRCd set up on a hacked server, or on a home server reached via Dynamic DNS.
For the past couple weeks, Twitter has come under attacks that besieged it with more traffic than it could handle. Now comes evidence that the microblogging website is being used to feed the very types of infected machines that took it out of commission.
That’s the conclusion of Jose Nazario, the manager of security research at Arbor Networks. On Thursday, he stumbled upon a Twitter account that was being used as part of an improvised update server for computers that are part of a botnet.
The account, which Twitter promptly suspended, issued tweets containing a single line of text that looked indecipherable to the naked eye. Using what’s known as a base64 decoder, however, the dispatches pointed to links where infected computers could receive malware updates.
OK, so one such channel was discovered. How many more accounts are there on Twitter being used for nefarious purposes?
It’s very hard for anyone to track them down, especially if they don’t use a standard syntax across all the accounts.
I’m sure Twitter will be thinking up some way to auto-discover these accounts.
Master command channels used to herd large numbers of infected machines have long been one of the weak links in the botnet trade. Not only do they cost money to maintain, but they can provide tell-tale clues that help law enforcement agents to track down the miscreants running the rogue networks. Bot herders have used ICQ, internet relay chat, and other chat mediums to get around this limitation, but this appears to be the first time Twitter is known to have been employed.
Nazario said he’s found at least two other Twitter accounts he suspects were being used in the same fashion, but needs to do additional analysis before he can be sure. The bots using the Twitter account connected using RSS feeds, a technique that allowed them to receive each tweet in real time without the need of an account. It was unclear how many bots connected to the account.
Up to now, the bot designers have done a good job keeping their enterprise under wraps. The original bot software is detected by just 46 percent of the major anti-virus tools, according to this VirusTotal analysis. The updates, which appear to be affiliated with the Buzus trojan, are even stealthier, with only 22 percent of AV engines detecting it.
The example discovered uses base64 encoding, so perhaps they can track down accounts with base64 strings in their feed.
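The base64 heuristic suggested above, as an added example (not code from the original post, Arbor Networks or Twitter): it scans feed text for base64-looking tokens, decodes them, and flags only those that decode to printable text containing a URL. The account names, the sample feed and the 16-character minimum token length are constructed assumptions.

```python
import base64
import binascii
import re

# Runs of the base64 alphabet long enough to hold an encoded URL.
# The 16-character minimum is an assumption chosen for this example.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"https?://[^\s\"'<>]+")


def decode_candidate(token):
    """Return the decoded text if token is valid base64 yielding printable ASCII, else None."""
    if len(token) % 4:
        return None  # not a whole number of base64 quanta
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None  # bad padding/alphabet, or decoded bytes are not ASCII
    if not all(c.isprintable() or c.isspace() for c in text):
        return None  # decodes to control characters: binary data, not a text command
    return text


def scan_feed(items):
    """items: iterable of (account, text). Returns [(account, [decoded URLs])] for flagged items."""
    hits = []
    for account, text in items:
        urls = []
        for match in B64_TOKEN.finditer(text):
            decoded = decode_candidate(match.group(0))
            if decoded:
                urls.extend(URL.findall(decoded))
        if urls:
            hits.append((account, urls))
    return hits


# Constructed sample feed (not real accounts or real tweets).
SAMPLE_FEED = [
    ("acct_a", "Lunch was great today, back to work now"),
    ("acct_b", base64.b64encode(
        b"http://updates.example/a http://updates.example/b").decode()),
    ("acct_c", "Check out http://example.com/photos/summer/holiday/album1"),
    ("acct_d", "AAAAAAAAAAAAAAAAAAAAAAAA"),  # valid base64, decodes to NUL bytes
]

if __name__ == "__main__":
    for account, urls in scan_feed(SAMPLE_FEED):
        print(account, urls)
```

Requiring a URL in the decoded text keeps ordinary long links and random-looking strings from being flagged, but as noted above it only catches accounts that stick to plain base64.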
You can read more on the Arbor Networks blog here:
Twitter-based Botnet Command Channel
Source: The Register
NNM says
I’m not sure why anyone uses Twitter at all…
It’s childish, buggy, hacked, unsecured…
I signed up a year ago to “see what it is”…
I have never used it, and I have about 300 followers, all spammers or bots.
I find it very amusing how they get abused…
“Now comes evidence that the microblogging website is being used to feed the very types of infected machines that took it out of commission.”
GZero says
Web Based C&Cs are (for me) the next natural step.
Just like P2P networks made the switch from obscure custom protocols (Gnutella, Direct Connect) to HTTP based services (BitTorrent), so too will the bots.
John says
I like Twitter, but it is becoming more spammy.
Paul says
If anyone is interested in taking apart the malware that was being propagated in this botnet, I wrote up a post of my experiences, along with malware samples should you wish to follow along: http://wp.me/pBV1X-n
sighK says
Maybe they can use that to their advantage: Twitter can see how it works, then block the person from logging on and then post something to make them all delete themselves.
Morgan Storey says
Didn’t Conficker get its command and control from websites and a long list of domains, also using P2P between bots? I am sure I even read about one that generated Blogspot subdomains and visited them for their C&C. It is a natural progression.
The bot programmers will obfuscate and disperse their C&C infrastructure so that it is both difficult to find and nice and distributed on free services. It seems common sense to me, like a story I heard a few years ago about a terrorist cell communicating via a public messaging board using keywords in their usually on-topic posts, combined with images posted that contained steganographically encapsulated data. Or back in WW1 and WW2, ending news broadcasts with nonsensical messages as a way to communicate with the resistance.
What is being done now has been done before.