
New tool enables botnet command and control via Twitter

Robert Westervelt, News Editor

Security researchers have discovered an automated toolkit that lets a user set up a botnet using the popular micro-blogging service Twitter as the botnet's command and control platform.

Called TwitterNET Builder, the automated tool removes the need for any coding knowledge to use the service for command and control.

"In order to create their custom bot, an attacker only has to launch the SDK, enter a Twitter username that would act as a command and control center and modify the resulting bot's name and icon to suit their distribution method," said BitDefender in a news release. The antimalware vendor said it issued updates to detect malware designed to get orders from Twitter. BitDefender called the tool experimental.

Attackers have used Twitter in the past to issue orders to botnets. Security researchers at Arbor Networks Inc. discovered a botnet using Twitter as a command and control server. Twitter's security team has shut down dozens of accounts with suspicious messages that could be traced to zombie computers.

Researchers say the new tool is the first of its kind. Symantec Corp. issued a video demonstrating TwitterNet Builder in action.

It's unlikely the experimental tool will gain widespread use because the method has a major disadvantage: once the controlling account is deleted for abuse, the entire botnet is cut off from its master. Still, BitDefender said an attacker can spread malware in seconds or order a distributed denial of service (DDoS) attack by tweeting a single line from a mobile phone or Twitter client.

"The creator didn't spend too much to protect the generated bots from reverse engineering or from detection and termination, but this flaw doesn't make them less dangerous for the average computer user," BitDefender said.

Chris Boyd, a senior threat researcher at security vendor Sunbelt Software Inc., called the new TwitterNET tool "slick," but said anyone attempting to use the Twitter botnet attack method is exposed.

"For one thing, this doesn't work if the person controlling the bots attempts to hide their commands with a private Twitter page; the bots will just flail aimlessly as they wonder where their master has gone," Boyd wrote in the Sunbelt blog.

Boyd said Twitter should be able to track and block anyone attempting to use the service to issue commands.
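The weaknesses described above (bots that keep polling a single public account, and that keep polling even when the account goes private or is deleted) are also what makes this kind of botnet easy to spot from the network side. The following detector is an added example written for this article, not code from BitDefender, Sunbelt or the TwitterNET Builder tool itself. It assumes the bots fetch a Twitter profile page over plain HTTP at a fixed interval, that a web proxy records each request as "timestamp client status url", and that a private or removed account answers with an HTTP 401, 403 or 404; the log lines, the account name "acmebotmaster" and the client addresses are all constructed for the example.

```python
"""Flag hosts that poll one Twitter account at a near-constant interval (beaconing).

Added example for illustration; the log format, the account name and the
assumption that a private/deleted account yields 401/403/404 are all
assumptions of this example, not facts reported in the article.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "timestamp client status url" (not real traffic).
# 10.0.0.5 polls one account every minute and gets 200s (live C&C).
# 10.0.0.7 is a person reading news feeds at irregular times (benign).
# 10.0.0.9 polls every minute but only gets 403s (account went private).
SAMPLE_LOG = """\
2010-05-14T10:00:00 10.0.0.5 200 http://twitter.com/acmebotmaster
2010-05-14T10:01:00 10.0.0.5 200 http://twitter.com/acmebotmaster
2010-05-14T10:02:01 10.0.0.5 200 http://twitter.com/acmebotmaster
2010-05-14T10:03:00 10.0.0.5 200 http://twitter.com/acmebotmaster
2010-05-14T10:04:00 10.0.0.5 200 http://twitter.com/acmebotmaster
2010-05-14T10:00:12 10.0.0.7 200 http://twitter.com/nytimes
2010-05-14T10:13:40 10.0.0.7 200 http://twitter.com/nytimes
2010-05-14T10:47:05 10.0.0.7 200 http://twitter.com/bbcnews
2010-05-14T11:00:00 10.0.0.9 403 http://twitter.com/acmebotmaster
2010-05-14T11:01:00 10.0.0.9 403 http://twitter.com/acmebotmaster
2010-05-14T11:02:00 10.0.0.9 403 http://twitter.com/acmebotmaster
2010-05-14T11:03:00 10.0.0.9 403 http://twitter.com/acmebotmaster
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{3})\s+(\S+)$")
# A bare profile URL: http(s)://[www.|mobile.]twitter.com/<username>
ACCOUNT_RE = re.compile(
    r"^https?://(?:www\.|mobile\.)?twitter\.com/([A-Za-z0-9_]{1,15})/?$")
BLOCKED_STATUSES = {401, 403, 404}  # assumed responses for private/deleted accounts


def parse_log(text):
    """Yield (timestamp, client, status, account) for requests to a Twitter profile."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, status, url = m.groups()
        acct = ACCOUNT_RE.match(url)
        if not acct:
            continue
        yield datetime.fromisoformat(ts), client, int(status), acct.group(1).lower()


def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return {(client, account): info} for pairs polled at a near-constant interval.

    min_hits:   minimum requests before a pair is judged at all
    max_jitter: allowed coefficient of variation (stdev/mean) of the gaps
    """
    series = defaultdict(list)
    for ts, client, status, account in parse_log(text):
        series[(client, account)].append((ts, status))

    found = {}
    for key, hits in series.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter > max_jitter:
            continue
        found[key] = {
            "hits": len(hits),
            "interval_s": round(mean),
            "jitter": round(jitter, 3),
            # All polls rejected: the account is gone or private, but the
            # bot is still phoning home, which is itself a useful indicator.
            "blocked": all(s in BLOCKED_STATUSES for _, s in hits),
        }
    return found


if __name__ == "__main__":
    for (client, account), info in sorted(find_beacons(SAMPLE_LOG).items()):
        print(f"{client} -> @{account}: {info}")
```

The benign host drops out because its three requests are spread across two accounts and have no regular cadence, while both infected hosts are flagged on timing alone. The `blocked` field separates the two failure states the article describes: a bot still receiving orders from a live account, and one "flailing" against an account that has been made private or deleted. In practice the interval, jitter threshold and minimum hit count need tuning against real proxy volumes, and the same logic applies to any other web-hosted command channel, not just Twitter.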

Bot herders turn to cloud-based methods
As cloud computing gains an increasing role at enterprises, cybercriminals are also turning to Web-based platforms rather than physical servers to send marching orders to hordes of bot-infected computers. Last summer, Arbor Networks' botnet expert, Jose Nazario, said Arbor is finding more cybercriminals attempting to use the free storage and bandwidth offered by cloud-based services. Nazario said bot herders who set up their system effectively gain resiliency as well as a certain level of anonymity.

At the time, Arbor was tracking a Google App Engine application used by bot herders to feed commands to their bots. The phenomenon has forced social networking sites including Twitter and Facebook to improve content filtering to detect executable files and links that lead to servers hosting malware.

Symantec Corp. also detected a similar method using Facebook as a command and control server. The Whitewell Trojan was detected last year and logged into the mobile version of Facebook to receive configuration data before forwarding to a Web server to download malware.