As I write this, Twitter has gone down again, hit by another DDoS attack like the one we saw earlier. Social networks are exposed to all kinds of threats. Why social sites? Almost everyone we know in real life exists on one social network or another, and with Twitter being number one, it is an obvious choice for a hacker looking for a place to hide a botnet's command traffic.
A security researcher has found that hackers are using Twitter as a means to distribute instructions to a network of compromised computers, a.k.a. a botnet.
The traditional way of managing botnets was through IRC channels. But with changing times, botnet owners are continuously working on new ways of keeping their networks up and running, and Twitter seems to be the latest trend among the tricks: command traffic that looks like ordinary web requests to a popular site is much harder to spot and block than connections to a dedicated IRC server.
Twitter came to know about this from an account that it recently suspended. What was it doing? It was being used to post tweets containing links to “commands or executables” for infected machines to download and run; the botnet code on those machines polled the account for new instructions.
“I spotted it because a bot uses the RSS feed to get the status updates. The account, called “Upd4t3”, is under investigation by Twitter’s security team, according to Nazario. But the account is just one of what appear to be a handful of Twitter command and control accounts,” Nazario, a security researcher, wrote.
As for the original bot in question that fetches the updates, here’s the VirusTotal analysis, where you can see it’s detected by 19/41 (46.34%) of the AV tools under evaluation. We can look at the status messages and discover more nefarious activity; the bot is hiding new malcode, which is poorly detected, this way. The original link from the malcode came from a ShadowServer nightly link report, which they make available to folks. Many thanks to them.
Botnets can be used for several things, such as sending spam or carrying out distributed denial-of-service attacks, which Twitter itself fell victim to last week. The botnet Nazario found is “an infostealer operation,” a type built to steal sensitive information such as login credentials from infected computers.