Free tool uses Twitter Direct Messages to control hacked computers

Twitter Direct Messages

Direct Messages on Twitter are a way for users to send messages to individuals or a group of users privately, as opposed to regular tweets, which can be seen by everyone.

Twitter has expended a lot of effort to stamp out the predictable abuses of the Direct Message medium – namely spam and phishing attacks.

But now, self-styled security researcher Paul Amar has created a free Python-based tool called Twittor that uses Direct Messages on Twitter as a command-and-control server for botnets.

As you probably know, cybercriminals use botnets in a variety of ways to launch attacks.

For example, a cybercriminal could tell the computers in his botnet (called bots or zombies) to send out spam, or he could rent the botnet to other cybercriminals who might use it to generate fraudulent traffic that can cause a website to crash.

A crook could also drop malware on the bots he controls to steal data like passwords and banking credentials, or infect the bots with ransomware.

How botnets and bots work

For a botnet to do any of these things, the bots need to “call home” to a command-and-control (C&C) server for instructions. That server typically communicates over HTTP, or over HTTPS when the communications are encrypted.

Now, using Twittor, a cybercrook could send messages over Twitter Direct Message, which Amar says could help botnet masters hide their activities among legitimate Twitter traffic.

Amar got the idea for his Direct Message C&C server from a similar tool called Gcat, which does the same thing using a Gmail account, according to Amar’s post on the code-sharing site GitHub, where he provides the Twittor tool and instructions on how to use it.

Amar was looking for ways third-party services could hide malicious traffic, he told Dark Reading.

The opportunity to use Twitter opened up in August when Twitter announced that it was lifting the 140-character limit on Direct Messages, which Amar says “allows for more malicious activity.”

There are some limitations: Twitter does limit users to 1000 Direct Messages per day, so a bot master would be able to control only about 100 bots per account.

But a bot master might find the stealth of using Twitter Direct Messages appealing because those communications would be very hard to detect.

Amar told Dark Reading that his tool uses the Twitter API, so IP filtering won’t catch it; and because Direct Messages are private, “there’s no public malicious activity.”
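When the destination is Twitter's own API, a blocklist has nothing to match, but a proxy log still shows which internal machine is talking to the API and how. The sketch below is an added example, not code from Twittor or from the original article: it flags hosts whose requests to the API come from a non-browser client at near-constant intervals. The log format, host names, user agents and thresholds are all constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

API_HOST = "api.twitter.com"
BROWSER_PREFIX = "Mozilla/"  # assumption: interactive browsers send this prefix

# Constructed sample: timestamp, internal host, destination, User-Agent.
SAMPLE_LOG = """\
2015-10-20T09:00:00 ws-014 api.twitter.com python-requests/2.7.0
2015-10-20T09:01:00 ws-031 api.twitter.com FeedTool/1.0
2015-10-20T09:02:10 ws-022 api.twitter.com Mozilla/5.0 (Windows NT 6.1) Firefox/41.0
2015-10-20T09:03:30 ws-031 api.twitter.com FeedTool/1.0
2015-10-20T09:05:02 ws-014 api.twitter.com python-requests/2.7.0
2015-10-20T09:07:45 ws-014 intranet.example python-requests/2.7.0
2015-10-20T09:10:01 ws-014 api.twitter.com python-requests/2.7.0
2015-10-20T09:15:03 ws-014 api.twitter.com python-requests/2.7.0
2015-10-20T09:20:00 ws-014 api.twitter.com python-requests/2.7.0
2015-10-20T09:31:00 ws-031 api.twitter.com FeedTool/1.0
2015-10-20T10:40:00 ws-031 api.twitter.com FeedTool/1.0
2015-10-20T10:41:10 ws-031 api.twitter.com FeedTool/1.0
"""

def requests_by_client(log_text):
    """Group API request times by (source host, user agent); skip other lines."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(None, 3)  # the user agent may itself contain spaces
        if len(parts) == 4 and parts[2] == API_HOST:
            seen[(parts[1], parts[3])].append(datetime.fromisoformat(parts[0]))
    return seen

def find_pollers(log_text, min_hits=5, max_jitter=0.1):
    """Return (host, agent, mean gap in seconds) for evenly spaced scripted clients."""
    flagged = []
    for (src, agent), times in requests_by_client(log_text).items():
        if agent.startswith(BROWSER_PREFIX) or len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation near 0 means machine-like, evenly spaced requests.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged.append((src, agent, round(mean)))
    return sorted(flagged)

if __name__ == "__main__":
    print(find_pollers(SAMPLE_LOG))
```

A hit is a lead for host-level triage rather than a verdict, since legitimate scheduled social-media tools poll the same API.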

But the one thing we don’t quite get in all of this is, “Why?”

Many security tools, like Nmap and Metasploit, cut both ways, being useful for researchers and penetration testers but also handy for crooks.

But publishing a free tool that helps you operate a botnet via Twitter Direct Message seems a strange way to conduct security research, especially when Twitbots are nothing new.

Learn more about botnets

Listen to our Techknow podcast, Understanding Botnets. We explain, in plain English, the what, why and how of botnets – the money-making machinery of modern cybercrime.
