Twitter botnet command and control captured

Filed Under: Malware, Social networks, Twitter

Twitter-bot tweets

I came across this very interesting example of a Twitter controlled botnet this evening. There has been a lot of talk the last few weeks about a new toolkit for creating simple Twitter bot armies, but little evidence of it happening.

Fortunately 2 pieces of the puzzle came together in the last few hours. The first bit was a friend on twitter (@snowfl0w) who tipped me off to a botnet controller using Twitter seen in the image to the right. The second was an excellent blog article on malwarecity.com showing an example of how these botnets work.

I can't say I am surprised to see this in action, but it is an interesting new take. It solves many problems for the attacker. You maintain anonymity without expending any resource. Twitter provides you an enormously scalable infrastructure at no cost and you enjoy the flexibility of controlling your botnet via your mobile phone.

What is not new is that this is simply another way to send simple commands to a large number of bots without providing a target for a take down. Many botnets have had a centralized command and control hostname or IP that has proven to be a major weakness. We have seen IRC, Facebook and P2P protocols used in the past to achieve the same results. Using Twitter is merely an iteration.

The most amusing thing about this attack is that it contains the ability to use a text to speech engine. As you can see in the screenshot, one of the commands is SAY. This command allows the controller to have the victim's PC speak the text to them, in this case "Hello my infectants".

Whatever way we decide to communicate it will be used to facilitate fraud. The good news is that these protocols are not difficult to decipher and hopefully Twitter and their security team are paying close attention. Criminals using this style of command and control can easily be sorted out from legitimate Twitter users and shut down.

If you see something suspicious on Twitter, Facebook or other online haunts, don't hesitate to drop us a line. Threats are developing at an amazing rate and we could use the help. Together we can tackle this enormous problem.

, , ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.