Twitter as a botnet command center


The folks over at Arbor Networks were browsing Twitter and discovered something very strange: a Twitter account seemingly posting gibberish. At least, that's how it appeared at first. On closer investigation, they found that the profile was posting base64-encoded links to PKZIP archives. When they fetched the archives and unpacked the DLL and EXE files inside, they discovered that the account was posting links to malware which, once running, sends information harvested from the victim's machine back to certain URLs. In other words, a public Twitter feed was serving as the command channel for a botnet. The article was also updated to show that the scheme wasn't limited to Twitter: the same operator had accounts on Jaiku and Tumblr. It's a useful reminder that not all malware traffic is as blatantly obvious as we tend to assume; here the commands were hiding in plain sight, on a site nobody would think to block.
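The write-up describes the tell rather than the tooling, so here is an added example (not code from Arbor Networks or from this post) of how you would sweep a feed for this kind of command channel: pick out base64-looking tokens from each status update, decode them, and keep only the ones that decode to something shaped like a URL. The sample "tweets" are constructed inline for the demo; the URLs in them are placeholder hostnames, not the ones Arbor reported. The example goes slightly beyond the case in the post by also catching a link with its scheme chopped off, which a plain "aHR0" prefix check (base64 of "http") would miss.

```python
import base64
import binascii
import re

# A run of base64 alphabet characters long enough to be worth decoding.
# The botnet statuses in the write-up were whole base64 strings, so 16+
# characters is a reasonable floor that skips ordinary words.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# What a decoded token has to look like before we call it a link. The
# scheme is optional so that "example.net/p.zip" style links are caught too.
URLISH = re.compile(
    r"^(?:https?://|ftp://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I
)


def decode_if_url(token: str):
    """Return the decoded URL if `token` is base64 of a link, else None."""
    # Re-pad: an operator may drop the trailing '=' to look less suspicious.
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        # Not valid base64 (e.g. 4n+1 characters long) or not text at all.
        return None
    return text if URLISH.match(text) else None


def find_encoded_links(statuses):
    """Scan a list of status updates; return (index, decoded_url) pairs."""
    hits = []
    for idx, status in enumerate(statuses):
        for token in B64_TOKEN.findall(status):
            url = decode_if_url(token)
            if url is not None:
                hits.append((idx, url))
    return hits


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample feed (hostnames are placeholders, not real C2).
SAMPLE_STATUSES = [
    _b64("http://example.com/upd.zip"),                          # whole status is a link
    "just had lunch, back to work",                               # benign chatter
    "status " + _b64("http://example.org/payload.zip").rstrip("="),  # padding dropped
    _b64("example.net/p.zip"),                                    # scheme chopped off
    "AAAAAAAAAAAAAAAAAAAAAAAA",                                   # base64-shaped, decodes to NULs
]

if __name__ == "__main__":
    for idx, url in find_encoded_links(SAMPLE_STATUSES):
        print(f"status {idx}: {url}")
```

Decoding and then pattern-matching the result is what keeps the false positives down: a long random-looking word either fails to decode or decodes to bytes that do not look like a link. Once a feed trips this, the next step is simply to pull the linked archives and look at what is inside, which is exactly what Arbor did.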

Comments

  1. Skitchin says:

    I've found Twitter and other blog accounts which were being used to push out the latest spam marketing emails. Guess I should be more vigilant in reporting them.

  2. sfcg says:

    Nice post. That's a pretty clever way to get your commands out there. Any machine anywhere, any phone, just post up a Twitter update.

  3. blake says:

    Looks like there is another one.

    http://twitter.com/botn3tcontrol

  4. pelrun says:

    The "aHR0" is a dead giveaway here; it's 'http' in base64. You'll see it in redirect links sometimes, in an attempt to prevent you stripping off the redirect.

  5. me says:

    Lame. Base64 for an ~18 character string? Twitter has 140 characters to work with and he couldn't think of a less suspicious form of encoding? Could have even chopped off the 'http://' to get it down to ~11 characters. I'm really disappointed in this guy. There's no ingenuity in this.

  6. vic says:

    It looks like a weak link: hijack the account and you can order the whole botnet to self-destruct (I guess Twitter would have no problem giving access to these accounts if it can fight malware). Or is it just one of many update paths?

  7. des$ says:

    How do I Twitter my Flickr photos?
