The folks over at Arbor Networks were browsing Twitter and discovered something very strange: an account that appeared to be posting gibberish. At least, that's how it looked at first. On closer investigation, they found that each update was a base64-encoded link to a PKZIP archive. When they fetched the archives and unpacked the DLL and EXE files inside, it became clear that the account was posting links to malware that would in turn post harvested user information back to a set of URLs. In other words, a public timeline was doing the job of a command and control channel, with nothing on the infected machine to block beyond ordinary HTTPS traffic to a well-known site. The article was later updated to note that the scheme wasn't limited to Twitter, but also used accounts on Jaiku and Tumblr. It's a bit unsettling to see that not all malware is as blatantly obvious as we tend to assume.
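The detection side of the scheme above boils down to "decode anything that looks like base64 and see whether a URL falls out". The following Python is an added example, not code from the Arbor Networks write-up or from this post; it runs over a constructed sample timeline (the tweets and the example.invalid URL are made up here) and reports every token that decodes to a link. Because base64 works on three-byte groups, any string beginning with "http" encodes to one beginning with "aHR0", but the scanner checks the decoded text rather than that prefix so it is not fooled by an operator who drops the scheme.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed sample timeline (not real tweets). The first and third entries
# carry the same base64-encoded URL, once bare and once buried among words;
# the last is base64 that decodes to ordinary text and must not be flagged.
SAMPLE_TWEETS = [
    "aHR0cDovL2V4YW1wbGUuaW52YWxpZC9wYXlsb2FkLnppcA==",
    "just checking in, nothing to see here",
    "update aHR0cDovL2V4YW1wbGUuaW52YWxpZC9wYXlsb2FkLnppcA== done",
    "SGVsbG8sIHdvcmxkIQ==",
]

# Base64 alphabet only, at least 12 characters so short ordinary words
# (which are also valid base64 symbols) are not even tried.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")
URL_SCHEMES = ("http://", "https://", "ftp://")


def decode_token(token: str) -> Optional[str]:
    """Decode a token if it is strict, well-padded base64 yielding printable ASCII."""
    if not B64_TOKEN.match(token):
        return None
    if len(token) % 4:          # strict mode: do not try to repair missing padding
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.isprintable():
        return None
    return text


def find_encoded_urls(tweet: str) -> List[Tuple[str, str]]:
    """Return (token, decoded_url) pairs for every base64 token in a tweet that decodes to a URL."""
    hits = []
    for token in tweet.split():
        decoded = decode_token(token)
        if decoded and decoded.lower().startswith(URL_SCHEMES):
            hits.append((token, decoded))
    return hits


def scan_timeline(tweets: List[str]) -> List[str]:
    """Unique decoded URLs across a whole timeline, in first-seen order."""
    seen: List[str] = []
    for tweet in tweets:
        for _, url in find_encoded_urls(tweet):
            if url not in seen:
                seen.append(url)
    return seen


if __name__ == "__main__":
    for url in scan_timeline(SAMPLE_TWEETS):
        print(url)
```

Run against a real timeline, the decoded URLs are the thing to feed into your blocklist or sandbox, not the tweets themselves; the account can be recreated cheaply, while the download hosts are what the bots actually need to reach.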
7 thoughts on “Twitter As A Botnet Command Center”
I’ve found twitter and other blog accounts which were being used to push out the latest spam marketing emails. Guess I should be more vigilant in reporting them.
Nice post. That's a pretty clever way to get your commands out there. Any machine anywhere, any phone, just post up a Twitter update.
Looks like there is another one.
http://twitter.com/botn3tcontrol
The “aHR0” is a dead giveaway here; it’s ‘http’ in base-64. You’ll see it in redirect links sometimes, in an attempt to prevent you stripping off the redirect.
Lame. Base64 for a ~18 character string? Twitter has 140 characters to work with and he couldn't think of a less suspicious form of encoding? Could have even chopped off the 'http://' to get it down to ~11 characters. I'm really disappointed in this guy. There's no ingenuity in this.
It looks like a weak link: hijack the account and you can order the whole botnet to self-destruct (I guess Twitter would have no problem giving access to these accounts if it can fight malware). Or is it just one of many update paths?
How do I Twitter my Flickr photos?