Twitterbot kit activity continued

There has been quite a lot of talk recently about botnets controlled through Twitter accounts. The other day I came across an interesting blog post by our colleagues at Sunbelt, and Chet has also written about a captured Twitterbot command and control channel. Today I managed to find some time to dig into our sample set for the Twitter botnet kit itself, a builder that allows non-technical users to create their own botnets controlled by tweets.

The botnet creation kit consists of two components. Both were developed in Visual Basic.NET, and the coding style does not indicate a high level of technical proficiency. The first component is Twebot builder.exe, which allows the botnet owner to create new bot instances and to specify the Twitter account to use and follow. The second is stub.exe, a template file used to create each new instance. The user can specify their own set of commands, which appear to be encrypted with a simple XOR scheme and bundled with the generated .NET bot assembly. Since the bot has to decode that list at run time, the key must ship inside the assembly as well, so this is obfuscation rather than real protection: anyone holding a generated bot can recover the configured commands.
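To show what "simple XOR encryption" of a bundled command list is worth, here is an added example of how an analyst recovers it. This is illustration code written for this post, not the kit's own code: the key byte, the pipe-separated command names and the trailing newline are constructed assumptions, since the post does not document the real format. The brute-force ranking uses ordinary English letter frequencies, which is enough to pick the right key out of all 256 without any prior knowledge; the crib attack shows the even cheaper route when one expected keyword is known.

```python
"""
Added example (not the Twebot kit's own code): recovering a single-byte
XOR "encrypted" command list of the kind the post describes. The key,
the command names, the '|' delimiter and the trailing newline are all
constructed for illustration; the kit's real layout is not documented.
"""
from typing import Optional

# Relative letter frequencies of English text, used to rank candidate
# plaintexts. Uppercase letters, digits and punctuation score 0, so a key
# that merely shifts letters into another ASCII range does not compete.
ENGLISH_FREQ = {
    "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7, "s": 6.3,
    "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "c": 2.8, "u": 2.8, "m": 2.4,
    "w": 2.4, "f": 2.2, "g": 2.0, "y": 2.0, "p": 1.9, "b": 1.5, "v": 1.0,
    "k": 0.8, "j": 0.15, "x": 0.15, "q": 0.1, "z": 0.07,
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. XOR is its own inverse, so the
    same call both 'encrypts' and decrypts."""
    return bytes(b ^ key for b in data)


def english_score(data: bytes) -> float:
    """Higher is more text-like. Any byte outside printable ASCII (plus
    tab, LF, CR) costs -100, which outweighs any achievable letter score,
    so a key that produces even one control byte cannot win."""
    score = 0.0
    for b in data:
        if 32 <= b < 127 or b in (9, 10, 13):
            score += ENGLISH_FREQ.get(chr(b), 0.0)
        else:
            score -= 100.0
    return score


def recover_single_byte_key(blob: bytes) -> int:
    """Ciphertext-only attack: try all 256 keys and keep the most text-like
    result. 256 trials is the entire key space, which is why single-byte
    XOR offers no confidentiality at all."""
    return max(range(256), key=lambda k: english_score(xor_bytes(blob, k)))


def crib_key(blob: bytes, crib: bytes) -> Optional[int]:
    """Known-plaintext attack: if one command keyword (the crib) is expected
    somewhere in the plaintext, slide it over the blob and return the key
    that makes it appear. Use a crib of several bytes; a one- or two-byte
    crib is consistent with some key at almost every offset."""
    for offset in range(len(blob) - len(crib) + 1):
        keys = {c ^ p for c, p in zip(blob[offset:offset + len(crib)], crib)}
        if len(keys) == 1:
            return keys.pop()
    return None


def decode_commands(blob: bytes) -> list:
    """Recover the key with no prior knowledge and split the command list
    on the assumed '|' delimiter."""
    key = recover_single_byte_key(blob)
    return xor_bytes(blob, key).decode("ascii").rstrip("\n").split("|")


# Constructed sample of what a builder might bundle into the stub.
# Command names, delimiter and key byte are invented for this example.
SAMPLE_KEY = 0x5A
SAMPLE_COMMANDS = b"udpflood|download|update|remove\n"
SAMPLE_BLOB = xor_bytes(SAMPLE_COMMANDS, SAMPLE_KEY)

if __name__ == "__main__":
    print("blob:            ", SAMPLE_BLOB.hex())
    print("brute-force key:  0x%02x" % recover_single_byte_key(SAMPLE_BLOB))
    print("crib key:         0x%02x" % crib_key(SAMPLE_BLOB, b"download"))
    print("commands:        ", decode_commands(SAMPLE_BLOB))
```

In practice the analyst would not even need the brute force: the decryption routine and its key sit in the .NET assembly next to the blob, so a decompiler hands them over directly. The point of the example is that the "encryption" adds nothing beyond what a reversing tool or 256 guesses already defeat.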

When the user launches the bot generator they are greeted with an end user licence agreement.

One of the interesting facts stated in the EULA is the connection with Hackhound.org, a marketplace forum for malware trading and other underground operations. The forum is open to participants by invitation only, so I was not able to access the content. Once the user agrees to the EULA terms they are presented with the configuration screen, which allows them to specify the basic parameters for the botnet.

Looking at the functionality, which includes a simple UDP denial of service capability, one comes to the conclusion that the kit was created more for fun and fame than for profit. Of course, once a system is infected it is possible to cause damage by downloading additional modules, and it is possible to control the botnet through tweets, but I would not expect this approach to be very successful. Tweets are generally quite visible, and it is not difficult to find accounts attempting to control bots using the Twitter search engine. Once the controlling account is found, the whole botnet is cut off simply by taking that account offline.

That does not mean that controlling botnets through Twitter is always doomed to fail. I can think of several techniques already used by HTTP-controlled botnets and by successful malware families such as Conficker or Sinowal which could make Twitter-controlled botnets more resilient. However, I think that the fact that the C&C channel is ultimately controlled by a legitimate company like Twitter will act as a deterrent for malware writers once the novelty fades.

Sophos products detect the Twitter kit builder as Troj/Tbotcfg-A and the generated bots as Troj/Tbot-A.