Twitter as a botnet command center


The folks over at Arbor Networks were browsing Twitter and discovered something very strange: a Twitter account seemingly posting gibberish. At least, that’s how it appeared at first. Upon closer investigation, they discovered that the profile was posting base64 encoded links to PKZIP archives. When they extracted the contents and unpacked the contained DLL and EXE files, they discovered that the account was posting links to malware that would post user information back to certain URLs. The article was also updated to show that the scheme wasn’t limited to Twitter, but also affected users on Jaiku and Tumblr. It’s a bit scary to see that not all malware is as blatantly obvious as we usually think it to be.
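A defender-side heuristic for the pattern described above, added here as an example and not code from the Arbor Networks write-up: it scans collected posts for base64 tokens that decode to http(s) URLs and flags those pointing at archives or executables. The sample posts and the `example.invalid` host are constructed placeholders.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Candidate base64 tokens: 16+ alphabet chars, optional padding, not glued to other alphabet chars.
_B64_TOKEN = re.compile(r'(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])')
# Extensions a decoded link would carry if it pointed at a packed payload, as in the report.
_SUSPECT_EXT = ('.zip', '.rar', '.7z', '.exe', '.dll', '.scr')

def decode_base64_token(token):
    """Return the decoded text if token is valid base64 yielding printable ASCII, else None."""
    stripped = token.rstrip('=')
    padded = stripped + '=' * (-len(stripped) % 4)   # repair missing/extra padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode('ascii')
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None

def find_encoded_links(post):
    """Return [(token, url)] for base64 tokens in a post that decode to http(s) URLs."""
    hits = []
    for token in _B64_TOKEN.findall(post):
        decoded = decode_base64_token(token)
        if decoded is None:
            continue
        parsed = urlparse(decoded)
        if parsed.scheme in ('http', 'https') and parsed.netloc:
            hits.append((token, decoded))
    return hits

def classify_post(post):
    """Return 'archive-link', 'encoded-link' or 'clean' for one post."""
    hits = find_encoded_links(post)
    if not hits:
        return 'clean'
    if any(urlparse(url).path.lower().endswith(_SUSPECT_EXT) for _, url in hits):
        return 'archive-link'
    return 'encoded-link'

# Constructed sample posts (not real tweets); the first mimics the bare encoded link seen in the report.
_PAYLOAD_URL = 'http://example.invalid/updates/pack1.zip'  # placeholder host, not a real location
SAMPLE_POSTS = [
    base64.b64encode(_PAYLOAD_URL.encode()).decode(),
    'aHR0cDovL2V4YW1wbGUuaW52YWxpZC9uZXdz',                  # decodes to http://example.invalid/news
    'Lunch at the new place downtown, highly recommend it',  # ordinary post
]
```

Run over a feed dump, the `archive-link` class is the one worth escalating; `encoded-link` alone is unusual but not conclusive.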

7 thoughts on “Twitter as a botnet command center”

  1. Lame. Base64 for a ~18 character string? Twitter has 140 characters to work with and he couldn’t think of a less suspicious form of encoding? Could have even chopped off the ‘http://’ to get ~11 characters. I’m really disappointed in this guy. There’s no ingenuity in this.

  2. It looks like a weak link; hijack the account and you can order the whole botnet to autodestruct (I guess Twitter would have no problem giving access to these accounts if it can fight malware). Or is it just one of many update paths?
