Twitter as a botnet command center

posted Aug 26th 2009 11:37am by
filed under: news, security hacks

twitter_botnet

The folks over at Arbor Networks were browsing Twitter and discovered something very strange: a Twitter account seemingly posting gibberish. At least, that’s how it appeared at first. Upon closer investigation, they discovered that the profile was posting base64 encoded links to PKZIP archives. When they extracted the contents and unpacked the contained DLL and EXE files, they discovered that the account was posing links to malware that would post user information back to certain URLs. The article was also updated to show that the scheme wasn’t limited to Twitter, but also affected users on Jaiku and Tumblr. It’s a bit scary to see that all malware isn’t as blatantly obvious as we usually would think it to be.



7 Responses to Twitter as a botnet command center

  • Skitchin says:
    August 26, 2009 at 12:06 pm

    I’ve found twitter and other blog accounts which were being used to push out the latest spam marketing emails. Guess I should be more vigilant in reporting them.

    Reply Report comment
  • sfcg says:
    August 26, 2009 at 12:41 pm

    Nice post. That’s a pretty clever way to get your commands out there. Any machine anywhere, any phone, just postup a twitter update.

    Reply Report comment
  • blake says:
    August 26, 2009 at 1:01 pm

    Looks like there is another one.

    http://twitter.com/botn3tcontrol

    Reply Report comment
  • pelrun says:
    August 26, 2009 at 2:55 pm

    The “aHR0″ is a dead giveaway here; it’s ‘http’ in base-64. You’ll see it in redirect links sometimes, in an attempt to prevent you stripping off the redirect.

    Reply Report comment
  • me says:
    August 26, 2009 at 6:55 pm

    Lame. Base64 for a ~18 character string? Twitter has 140 characters to work with and he couldn’t think of a less suspicious form of encoding? Could have even chopped off the ‘http://’ to get a ~11 characters. I’m really disappointed in this guy. There’s no ingenuity in this.

    Reply Report comment
  • vic says:
    August 26, 2009 at 9:57 pm

    It looks like a weak link, hijack the account and you can order the whole botnet to autodestruct (I guess twitter would have no problem giving access to these accounts if it can fight malware). Or is it just one of many update paths ?

    Reply Report comment
  • des$ says:
    September 9, 2009 at 6:06 am

    How do I Twitter my Flickr photos?

    Reply Report comment

    • Leave a Reply

    XHTML: You can use these tags: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <pre> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

    Hack a Day serves up fresh hacks each day, every day from around the web as well as hacking related news.

    Send us your hacks










         



    Hacks

    Resources