Darknet – Hacking Tools, Hacker News & Cyber Security

Twitter Being Used As Botnet Command Channel

August 17, 2009


Ah, Twitter in the news again; the bad guys sure do keep up with new trends. After being taken offline for a while by a Joejob DDoS attack, Twitter is in the news again – this time it’s being used as the command channel for a botnet.

The normal method for controlling botnets is via an IRC channel, usually a private keyed channel on some obscure network. A lot of people used to use EFnet due to its lack of network services, but nowadays there are so many networks to choose from that people can keep out of the limelight.

Sometimes they even use a private IRCd set up on a hacked server, or one on a home server reached via Dynamic DNS.

For the past couple weeks, Twitter has come under attacks that besieged it with more traffic than it could handle. Now comes evidence that the microblogging website is being used to feed the very types of infected machines that took it out of commission.

That’s the conclusion of Jose Nazario, the manager of security research at Arbor Networks. On Thursday, he stumbled upon a Twitter account that was being used as part of an improvised update server for computers that are part of a botnet.

The account, which Twitter promptly suspended, issued tweets containing a single line of text that looked indecipherable to the naked eye. Using what’s known as a base64 decoder, however, the dispatches pointed to links where infected computers could receive malware updates.

OK, so one such channel was discovered; how many more accounts on Twitter are being used for nefarious purposes?

It would be very hard for anyone to track them down, especially if the operators don’t use a consistent syntax across all the accounts.

I’m sure Twitter will be thinking up some way to auto-discover these accounts.

Master command channels used to herd large numbers of infected machines have long been one of the weak links in the botnet trade. Not only do they cost money to maintain, but they can provide tell-tale clues that help law enforcement agents to track down the miscreants running the rogue networks. Bot herders have used ICQ, internet relay chat, and other chat mediums to get around this limitation, but this appears to be the first time Twitter is known to have been employed.

Nazario said he’s found at least two other Twitter accounts he suspects were being used in the same fashion, but needs to do additional analysis before he can be sure. The bots using the Twitter account connected using RSS feeds, a technique that allowed them to receive each tweet in real time without the need of an account. It was unclear how many bots connected to the account.

Up to now, the bot designers have done a good job keeping their enterprise under wraps. The original bot software is detected by just 46 percent of the major anti-virus tools, according to this VirusTotal analysis. The updates, which appear to be affiliated with the Buzus trojan, are even stealthier, with only 22 percent of AV engines detecting it.

The example discovered uses base64 encoding, so perhaps they can track down accounts with base64 strings in their feed.
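The detection idea above, scanning an account’s feed for tweets that are really base64 payloads, can be prototyped in a few dozen lines. The following is an added example written for this page; it is not code from Darknet, Arbor Networks or Twitter. The tweets in it are constructed (the encoded one wraps a placeholder URL under the reserved `.invalid` domain), and the token length and the 0.5 “mostly encoded” threshold are assumptions, not values taken from the reported case.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample feed for this example (not real botnet traffic).
# Tweet 2 is base64 of a placeholder URL under the reserved .invalid TLD;
# tweet 4 is base64 of "hello world", which decodes cleanly but is not a URL.
SAMPLE_TWEETS = [
    "Just had the best coffee ever, what a morning!",
    "aHR0cDovL2V4YW1wbGUuaW52YWxpZC91cGRhdGUvYm90LmV4ZQ==",
    "Meeting moved to 3pm, see everyone there",
    "aGVsbG8gd29ybGQ=",
]

# A run of base64-alphabet characters (14+ so ordinary words are skipped), optional
# '=' padding, and lookarounds so we never grab a fragment of a longer token.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{14,}={0,2}(?![A-Za-z0-9+/=])")
URL_RE = re.compile(r"^(?:https?|ftp)://\S+$", re.IGNORECASE)


@dataclass
class Finding:
    token: str      # the base64 text as it appeared in the tweet
    decoded: str    # what it decodes to
    is_url: bool    # whether the decoded text is a bare URL (the pattern Arbor described)


def decode_base64(token: str) -> Optional[str]:
    """Strictly decode one token; None if it is not well-formed base64 or not printable ASCII.

    The printable check is what separates real encoded text from look-alikes such as
    hex digests or random API keys, which share the alphabet but decode to binary noise.
    """
    if len(token) % 4 != 0 or len(token) < 16:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def analyse_tweet(text: str) -> List[Finding]:
    """Return every base64 token in a tweet that decodes to readable text."""
    findings: List[Finding] = []
    for match in B64_TOKEN.finditer(text):
        token = match.group(0)
        decoded = decode_base64(token)
        if decoded is not None:
            findings.append(Finding(token, decoded, bool(URL_RE.match(decoded))))
    return findings


def triage_account(tweets: List[str], min_ratio: float = 0.5) -> Dict[str, object]:
    """Summarise a feed: how many tweets are base64 payloads and how many of those carry URLs.

    min_ratio is an assumed threshold for "mostly encoded" accounts; a single decoded
    URL is treated as enough on its own to flag the account for a human look.
    """
    decodable = 0
    url_payloads = 0
    for tweet in tweets:
        findings = analyse_tweet(tweet)
        if findings:
            decodable += 1
            if any(f.is_url for f in findings):
                url_payloads += 1
    ratio = decodable / len(tweets) if tweets else 0.0
    return {
        "tweets": len(tweets),
        "decodable": decodable,
        "url_payloads": url_payloads,
        "ratio": ratio,
        "suspicious": url_payloads > 0 or ratio >= min_ratio,
    }


if __name__ == "__main__":
    for tweet in SAMPLE_TWEETS:
        for f in analyse_tweet(tweet):
            print(f"{f.token[:24]}... -> {f.decoded!r} (url={f.is_url})")
    print(triage_account(SAMPLE_TWEETS))
```

Run on the constructed feed it flags the account because one tweet decodes to a bare URL, while the "hello world" tweet counts as encoded but not as a payload. The limits are the ones the post itself points out: this only catches operators who keep using plain base64, a different encoding or a bit of prefix text defeats the regex, and long hex or random tokens look like base64 until the printable check rejects them, so a signal like this belongs alongside account-age and follower heuristics rather than on its own.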

You can read more on the Arbor Networks blog here:

Twitter-based Botnet Command Channel

Source: The Register


Filed Under: Malware, Networking Hacking Tools Tagged With: botnet, botnets, malware, twitter, worms



Comments

  1. NNM says

    August 17, 2009 at 6:27 am

    I’m not sure why anyone uses twitter at all…
    It’s childish, buggy, hacked, unsecured…
    I signed up a year ago to “see what it is”…
    I have never used it, and I have about 300 followers, all spammers or bots.

    I find it very amusing how they get abused…
    “Now comes evidence that the microblogging website is being used to feed the very types of infected machines that took it out of commission.”

  2. GZero says

    August 17, 2009 at 8:09 am

    Web Based C&Cs are (for me) the next natural step.

    Just like P2P networks made the switch from obscure custom protocols (Gnutella, Direct Connect) to HTTP based services (BitTorrent), so too will the bots.

  3. John says

    August 17, 2009 at 4:23 pm

    I like Twitter, but it is becoming more spammy.

  4. Paul says

    August 17, 2009 at 4:45 pm

    If anyone is interested in taking apart the malware that was being propagated in this botnet, I wrote up a post of my experiences, along with malware samples should you wish to follow along: http://wp.me/pBV1X-n

  5. sighK says

    August 17, 2009 at 10:46 pm

    Maybe they can use that to their advantage: Twitter can see how it works, then block the person from logging on, and then post something to make them all delete themselves.

  6. Morgan Storey says

    August 19, 2009 at 12:41 am

    Didn’t Conficker get its command and control from websites and a long list of domains, also using P2P between bots? I am sure I even read about one that generated blogspot subdomains and visited them for their C&C. It is a natural progression.
    The bot programmers will obfuscate and disperse their C&C infrastructure so that it is both difficult to find and nice and distributed on free services. It seems common sense to me, like a story I heard a few years ago about a terrorist cell communicating via a public messaging board using keywords in their usually on-topic posts, combined with posted images that contained steganographically encapsulated data. Or, back in WW1 and WW2, ending news broadcasts with nonsensical messages as a way to communicate with the resistance.
    What is being done now has been done before.
