Security researchers have discovered an automated toolkit that enables the user to set up a botnet using the popular micro-blogging platform, Twitter as the botnet command and control
Attackers have used Twitter in the past to issue orders to botnets. Security researchers at Arbor Networks Inc. discovered a botnet using Twitter as a command and control server. Twitter's security team has shut down dozens of accounts with suspicious messages that could be traced orders to zombie computers. But the new toolkit, called TwitterNET Builder, takes the code writing knowledge out of using the service for command and control.
"In order to create their custom bot, an attacker only has to launch the SDK, enter a Twitter username that would act as a command and control center and modify the resulting bot's name and icon to suit their distribution method," BitDefender said in a news release.
The antimalware vendor said it issued updates to detect malware designed to get orders from Twitter. BitDefender called the tool experimental. Symantec Corp. issued a video demonstrating TwitterNet Builder in action.
"The creator didn't spend too much to protect the generated bots from reverse engineering or from detection and termination, but this flaw doesn't make them less dangerous for the average computer user."
It's unlikely the experimental tool will gain widespread use because the method has a major disadvantage. Once an account is deleted for abuse, the entire botnet would be taken down. Still, BitDefender said an attacker can spread malware in seconds or order a distributed denial of service (DDoS) attack by Tweeting a single line from a mobile phone or Twitter client.
Chris Boyd, a senior threat researcher at security vendor Sunbelt Software Inc. called the new TwitterNET tool "slick," but said anyone attempting to use the Twitter botnet attack method is exposed.
"For one thing, this doesn't work if the person controlling the bots attempts to hide their commands with a private Twitter page; the bots will just flail aimlessly as they wonder where their master has gone," Boyd wrote in the Sunbelt blog.
Boyd said Twitter should be able to track and block anyone attempting to use the service to issue commands.
Bot herders turn to cloud-based methods
As cloud computing gains an increasing role at enterprises, cybercriminals are also turning to Web-based platforms rather than physical servers to send marching orders to hoards of bot infected computers. Last summer, Arbor Networks' botnet expert, Jose Nazario, said Arbor is finding more cybercriminals attempting to use free storage and bandwidth offered by cloud-based services. Nazario said bot herders can also get resiliency if they set up their system effectively in addition to a certain level of anonymity.
At the time, Arbor was tracking the use of a Google AppEngine application used by bot herders to feed commands to their bots. The phenomena has forced social networking sites including Twitter and Facebook to improve content filtering to detect executable files and links that lead to servers hosting malware.
Symantec Corp. also detected a similar method using Facebook as a command and control server. The Whitewell Trojan was detected last year and logged into the mobile version of Facebook to receive configuration data before forwarding to a Web server to download malware.