Twitter-based Botnet Command Channel

UPDATED TO ADD STATS AND JAIKU PROFILE AND A TUMBLR PROFILE

While digging around I found a botnet that uses Twitter as its command and control structure. It uses the account’s status messages to send out new links for the bots to contact; those links then serve new commands or executables to download and run. It’s an infostealer operation.

The account in question is under analysis by Twitter’s security team. I spotted it because a bot uses the RSS feed to get the status updates.

[Image: upd4t3 twitter profile.png]

As for the original bot in question that fetches the updates, here’s the VirusTotal analysis, where you can see it’s detected by 19/41 (46.34%) of the AV tools under evaluation. Looking at the status messages, we can discover more nefarious activity: the bot is using this channel to hide new malcode, which is poorly detected. The original link from the malcode came from a ShadowServer nightly link report, which they make available to folks. Many thanks to them.

Let’s look at one of the update messages; it’s pretty clearly base64 encoded. What does it say?

$ echo "aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw==" | openssl base64 -d
hxxp://bit.ly/R6STV hxxp://bit.ly/2KoHo

OK, a couple of links. One is dead (to a pastebin), one is live.

That second link yields a base64 encoded block of text. When we decode it we see a PKZIP archive (which we have dumped as “out.qqq” since we didn’t know beforehand what the extension would have been). We can then unpack this and see what we find:

$ unzip out.qqq
Archive: out.qqq
inflating: gbpm.dll
inflating: gbpm.exe
$ openssl md5 gbpm.*
MD5(gbpm.dll)= ceb8d7fd74da0a187cc39ced4550ddb4
MD5(gbpm.exe)= a5cc8140e783190efb69d38c2be4393f

gbpm.dll is UPX packed, so we can unpack this:

$ upx2 -d gbpm.dll.upx
Ultimate Packer for eXecutables
Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006
.
File size Ratio Format Name
-------------------- ------ ----------- -----------
263680 <- 103424 39.22% win32/pe gbpm.dll.upx
.
Unpacked 1 file.
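
The decode-and-inspect steps above, generalised into an analyst triage script: it flags status messages that are entirely base64 and decode to URLs, then inspects a second-stage base64 blob in memory without writing or running anything. This is an added example, not code from the original post; the function names, the 16 MiB member cap and the benign constructed ZIP are assumptions, the UPX test is only a section-name heuristic, and the encoded status string is the one quoted above.

```python
import base64
import binascii
import hashlib
import io
import re
import zipfile

B64_STATUS = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
URL = re.compile(r"https?://[^\s\"'<>]+")
MAX_MEMBER_BYTES = 16 * 1024 * 1024  # assumed cap against decompression bombs


def defang(url):
    """Rewrite http(s) as hxxp(s) so the indicator is not clickable."""
    return url.replace("http", "hxxp", 1)


def urls_in_encoded_status(status):
    """Return defanged URLs if the whole status is base64 that decodes to URLs."""
    candidate = status.strip()
    if len(candidate) % 4 or not B64_STATUS.match(candidate):
        return []
    try:
        decoded = base64.b64decode(candidate, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return []  # base64-looking word or binary data, not an encoded URL list
    return [defang(u) for u in URL.findall(decoded)]


def flag_statuses(statuses):
    """Map each suspicious status message to the URLs hidden inside it."""
    hits = {}
    for status in statuses:
        urls = urls_in_encoded_status(status)
        if urls:
            hits[status] = urls
    return hits


def triage_blob(b64_text):
    """Decode a base64 blob in memory and describe it; nothing touches disk."""
    raw = base64.b64decode("".join(b64_text.split()))
    report = {"type": "unknown",
              "sha256": hashlib.sha256(raw).hexdigest(),
              "members": []}
    if not raw.startswith(b"PK\x03\x04"):  # PKZIP local file header magic
        return report
    report["type"] = "zip"
    with zipfile.ZipFile(io.BytesIO(raw)) as archive:
        for info in archive.infolist():
            entry = {"name": info.filename, "size": info.file_size}
            if info.file_size <= MAX_MEMBER_BYTES:
                data = archive.read(info)
                entry["md5"] = hashlib.md5(data).hexdigest()
                entry["pe"] = data.startswith(b"MZ")
                # Heuristic: UPX names its first PE section "UPX0".
                entry["upx_hint"] = b"UPX0" in data[:4096]
            report["members"].append(entry)
    return report


def build_constructed_blob():
    """Constructed, benign stand-in for the second stage: a ZIP of two stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("sample.dll", b"MZ" + b"\x00" * 64 + b"UPX0" + b"\x00" * 64)
        archive.writestr("sample.exe", b"MZ" + b"\x00" * 128)
    return base64.b64encode(buf.getvalue()).decode("ascii")


SAMPLE_STATUSES = [
    "Heading to the conference, see everyone there!",  # constructed
    "internationalization",  # constructed: base64 alphabet but no URLs inside
    "aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw==",  # from the post
]

if __name__ == "__main__":
    for status, urls in flag_statuses(SAMPLE_STATUSES).items():
        print("encoded status:", status)
        for url in urls:
            print("  ", url)
    report = triage_blob(build_constructed_blob())
    print("blob type:", report["type"])
    for member in report["members"]:
        print("  ", member)
```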

This file looks like an infostealer. Here are some of the URLs it will send data to:

hxxp://64.79.197.110/friends/alert/new.php
hxxps://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim
hxxp://64.79.197.110/friends/post.php
hxxps://www2.bancobrasil.com.br/aapf/
hxxps://www2.bancobrasil.com.br/aapf/

gbpm.exe is packed with a different packer.

That DLL is very poorly detected; the EXE has a VirusTotal result of 9/41 (21.95%) and appears to be a Buzus sample according to one vendor.

The account is presently live but under review by Twitter, and is just one of what appear to be a handful of Twitter C&C accounts.

UPDATE 14 Aug 2009

Via bit.ly, some statistics that suggest the malcode has infected a couple hundred PCs, mostly in Brazil.

[Image: bitly twitter botnet geo.png]

Now that it’s disabled, “upd4t3” had a similar profile on Jaiku.com:

[Image: upd4t3 jaiku profile.png]

Many thanks to the Jaiku team for reviewing and shutting this account down. Still looking for more services “upd4t3” is abusing … looks like Tumblr has also been used by “upd4t3”:

[Image: upd4t3 tumblr profile.png]

Still poking around various micro-blogging services. I wonder why he abandoned Tumblr. (There are more microblogging tools than I had anticipated …)

107 Responses to “Twitter-based Botnet Command Channel”

August 13, 2009 at 3:26 pm, Guilherme Venere said:

Nice post Jose!

the URL hxxps://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim is from a Brazilian bank login page. This may be a banker and oh, surprise, may have Brazilian hackers involved 🙂

August 13, 2009 at 4:53 pm, Keith said:

Nice find. I hate to admit but this is really an innovative control. BTW, account is now suspended.

August 13, 2009 at 11:35 pm, Robert Peaslee said:

I wonder why he wasn’t using a symmetric encryption algorithm for encrypting the urls instead of just encoding them base64? He could have kept that pretty well secret with just a little thought.

August 13, 2009 at 8:57 pm, Tom said:

Ironically, PoC code was released several months ago which did just this. The code was updated for a talk at DEFCON 17 this year which does…base64 encoded commands. You can download the code and more information here: http://www.digininja.org/projects/kreiosc2.php

August 14, 2009 at 3:09 am, John Reedaw said:

Nice pick up, José!! It’s always very interesting to follow your posts.

August 14, 2009 at 9:47 am, Angelo Dell'Aera said:

Nice post Jose. I was just thinking about how simple it could be to raise the bar through a photography fanatic blog and just a bit of steganography…

August 14, 2009 at 10:33 am, Allan Rowntree said:

Not to be confused with:

#mmjChallenge[CqPSy8qqd7IW4POiaRAwbjyMmtYRrGdi]

Tweets my new games uses as a way of passing challenges from player to player!

Check out http://mmj.arowx.com for latest details, it’s coming soon!

August 14, 2009 at 4:32 pm, Jesper Wallin said:

Hehe, pretty smart if you ask me.. Thank god it’s easy for Twitter to kill these “channels” as well as see who’s requesting these tweets (finding what machines/networks are infected) .. 🙂

August 15, 2009 at 3:37 pm, DarkKnightH20 said:

Very interesting. I’m posting an excerpt on http://www.geekmontage.com if you don’t mind (with a link back to here of course). Still, this isn’t too surprising considering that their niche, IRC servers, have been easily compromised time after time. Creativity is the only thing limiting communication between a botnet owner and his/her bots.

August 15, 2009 at 6:28 pm, Faisal Khan said:

Jose, great analysis…. how can Twitter play a role in this – to stop its network from being used as a Command center??? With 10,000s of signups a day and millions of messages, surely, this new medium can be termed even more threatening.

August 19, 2009 at 9:05 pm, YJ said:

Do you know CipherTwitter ? http://www.security-projects.com/?CipherTwitter

August 20, 2009 at 2:13 pm, Hilda Jones said:

the base64 is the part that always makes me mad… great post

August 26, 2009 at 5:25 pm, Herb said:

Seems like there is another out there now.

http://twitter.com/botn3tcontrol

August 27, 2009 at 9:33 am, Jose Nazario said:

thanks, herb! i contacted twitter and the account was disabled overnight.

September 12, 2009 at 8:40 am, Rhialto said:

Interesting. But can you please separate the trackbacks from the real comments, since they are extremely irritating when you’re trying to read real comments from real people…

August 22, 2010 at 10:46 pm, Antivirus said:

This is very nice post about twitter botnet. I saw a video on youtube how people can command twitter using botnet to do something they want based on what they command it to do.

March 11, 2011 at 2:14 am, Snoep76239 said:

Why “steal” personal information when every FarcebookTweeter give it all away voluntarily?
Social networking is a stalker’s or social engineer’s wet dream.
So many peoples’ passwords are their dog’s name, backwards birthday, or can be gotten by using a dictionary based on their interests. Brute force, schmute force.
