Hackers Using Twitter to Control Botnets
2009-08-17
Jose Nazario, Arbor Networks security researcher, recently blogged about a crimeware botnet using Twitter as its command and control operation.
A botnet is a collection of compromised computers that run autonomously and automatically, controlled remotely by the botnet's originator. A botnet can be exploited for different purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam, click fraud, spamdexing, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers.
Botnets are usually controlled via an IRC channel; however, Nazario discovered a Twitter account being used as the command and control structure, stating: "Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run. It's an infostealer operation."
The account, @upd4t3, had been tweeting out links to download a piece of malware called Downloader.Sninfs, also known as Infostealer.Bancos, a Trojan that uses the disguise of a Brazilian banking site to collect passwords and related personal information from infected computers. In his blog post Nazario states that statistics suggest the malcode has infected a couple of hundred PCs, mostly in Brazil.
While the discovered account has been suspended and is being investigated by the Twitter security team, Nazario suspects that this account is just one of a handful of Twitter C&C accounts.
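A bot that takes its orders from a public status feed has to poll that feed on a schedule, and every infected host polls the same one. The detector below, an added example that is not part of the article or of Arbor's analysis, runs over constructed proxy log lines and flags clients that fetch one feed at a near-constant interval, then reports feeds shared by several such clients. The feed URL shape and the client IPs are assumptions for illustration; only the @upd4t3 handle comes from the article.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed proxy log lines: timestamp, client IP, requested URL. The feed
# URL shape is an assumption for illustration, not taken from the article.
SAMPLE_LOG = """\
2009-08-17T09:00:02 10.0.0.15 http://twitter.com/statuses/user_timeline/upd4t3.rss
2009-08-17T09:10:01 10.0.0.15 http://twitter.com/statuses/user_timeline/upd4t3.rss
2009-08-17T09:20:03 10.0.0.15 http://twitter.com/statuses/user_timeline/upd4t3.rss
2009-08-17T09:30:02 10.0.0.15 http://twitter.com/statuses/user_timeline/upd4t3.rss
2009-08-17T09:00:40 10.0.0.22 http://twitter.com/statuses/user_timeline/upd4t3.rss
2009-08-17T09:10:39 10.0.0.22 http://twitter.com/statuses/user_timeline/upd4t3.rss
2009-08-17T09:20:41 10.0.0.22 http://twitter.com/statuses/user_timeline/upd4t3.rss
2009-08-17T09:30:40 10.0.0.22 http://twitter.com/statuses/user_timeline/upd4t3.rss
2009-08-17T09:01:00 10.0.0.31 http://twitter.com/statuses/user_timeline/someuser.rss
2009-08-17T09:47:12 10.0.0.31 http://twitter.com/statuses/user_timeline/someuser.rss
2009-08-17T11:02:30 10.0.0.31 http://twitter.com/statuses/user_timeline/someuser.rss
2009-08-17T12:55:00 10.0.0.31 http://twitter.com/statuses/user_timeline/someuser.rss
"""

def parse_log(text):
    """Yield (timestamp, client, feed); feed is host + path, query dropped."""
    for line in text.splitlines():
        ts, client, url = line.split()
        u = urlparse(url)
        yield datetime.fromisoformat(ts), client, u.netloc + u.path

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Map feed -> {client: mean gap in seconds} for clients fetching the same
    feed >= min_hits times with gap stddev/mean <= max_jitter (regular polling)."""
    hits = defaultdict(lambda: defaultdict(list))
    for ts, client, feed in parse_log(text):
        hits[feed][client].append(ts)
    result = {}
    for feed, clients in hits.items():
        for client, times in clients.items():
            if len(times) < min_hits:
                continue
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                result.setdefault(feed, {})[client] = round(avg)
    return result

def shared_feeds(beacons, min_clients=2):
    """Feeds polled on a schedule by several clients at once: the C2 signature."""
    return {f: c for f, c in beacons.items() if len(c) >= min_clients}
```

On the sample, the two hosts polling the @upd4t3 feed every ten minutes are reported while the host reading another feed at irregular times is not; a human reading the feed would have produced the latter pattern.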
To find out more about what a botnet is, check out the Wikipedia article here.