Twitter-Based Botnet Command and Control


Filed under Research category.

Twitter is a social networking and microblogging service launched in late 2006. Once logged in, users post small updates to the site frequently throughout the day. These short update messages, known as “tweets,” may not exceed 140 UTF-8 encoded characters. A user’s tweets are displayed on his or her “timeline” for their “followers” to see, and are accessible anonymously via the Twitter web site, RSS, or the Twitter API.

A web service like Twitter that allows users to publish short update messages to a publicly accessible page is a prime candidate for botnet command and control. This is especially true of Twitter, since it is so widely used: the large amount of content generated every day makes it easier for an attacker to blend in without being noticed. A proof-of-concept tool named KreiosC2, released by Robin Wood, allows users to control machines via a central Twitter feed.

Jose Nazario of Arbor Networks recently uncovered a Brazilian infostealer trojan that uses Twitter for command and control and targets online banking credentials. Here we can see the malicious Twitter account (now cancelled by Twitter) and several encoded tweets:

[Figure: Encoded links on Twitter used for command and control. Source: Arbor Networks]

The messages shown are Base64-encoded URLs. Decoding the links and following them leads to an encoded .ZIP archive, which contains the infostealer trojan. In my opinion, using Twitter is an expected but novel addition to the list of previously used command & control protocols, including HTTP, IRC, P2P, et al. Here we can see a graph of infected machines, the majority of which are located in Brazil.

[Figure: Affected country graph. Source: Arbor Networks]

Twitter is not alone; it’s also important to note that other microblogging services such as Jaiku and Tumblr are being used in similar ways. In this case, the malicious tweets look suspicious and are easily decoded, revealing links to malicious sites hiding behind URL redirection services such as bit.ly. The complexity of these command & control mechanisms will continue to increase, with the end goal of operating in a completely undetectable manner.
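The detection angle of the two preceding paragraphs, as an added example (not SecureWorks or Arbor Networks code): a small scanner that pulls Base64-looking tokens out of tweet text, decodes them, keeps only those that decode to an http(s) URL, and marks hosts that belong to URL redirection services such as bit.ly. The tweets, the hostnames other than bit.ly and the shortener list are constructed for the illustration; in practice the input would be a feed of tweets collected via the Twitter API or RSS.

```python
"""Flag tweets carrying Base64-encoded URLs, the C2 pattern described above.

Added illustration, not SecureWorks or Arbor Networks code. SAMPLE_TWEETS are
constructed; hostnames other than bit.ly are placeholders, not real indicators.
"""
import base64
import re
from typing import Dict, List, Optional

# A run of Base64 alphabet characters long enough to plausibly encode a URL,
# not glued to other Base64 characters on either side.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
URL_RE = re.compile(r"^https?://([^/\s?#]+)", re.IGNORECASE)
# URL redirection services to flag; extend this set for your own environment.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "is.gd"}


def decode_b64_url(token: str) -> Optional[str]:
    """Return the decoded URL if `token` is Base64 text for an http(s) URL, else None."""
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped '=' padding
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if not text.isprintable() or not URL_RE.match(text):
        return None
    return text


def host_of(url: str) -> str:
    """Lower-cased hostname of an http(s) URL, port stripped."""
    return URL_RE.match(url).group(1).split(":")[0].lower()


def scan_tweets(tweets: List[str]) -> List[Dict]:
    """Return one finding per Base64-encoded URL found in `tweets`."""
    findings = []
    for idx, tweet in enumerate(tweets):
        for match in B64_TOKEN.finditer(tweet):
            url = decode_b64_url(match.group(0))
            if url is None:
                continue
            host = host_of(url)
            findings.append({
                "index": idx,
                "token": match.group(0),
                "url": url,
                "host": host,
                "shortener": host in KNOWN_SHORTENERS,
            })
    return findings


# Constructed sample feed: two bare encoded URLs, one ordinary tweet, and one
# tweet with an encoded URL embedded among normal words.
SAMPLE_TWEETS = [
    base64.b64encode(b"http://bit.ly/placeholder-shortlink").decode(),
    base64.b64encode(b"http://example.invalid/payload.zip").decode(),
    "Good morning everyone, coffee time!",
    "Check out " + base64.b64encode(b"http://example.invalid/a.zip").decode() + " for something",
]

if __name__ == "__main__":
    for finding in scan_tweets(SAMPLE_TWEETS):
        tag = "shortener" if finding["shortener"] else "direct"
        print(f"tweet {finding['index']}: {finding['url']} [{tag}]")
```

A hit on the shortener list is a reason to resolve the redirect in a sandbox before deciding anything; a decoded URL by itself only shows that the account is publishing machine-oriented content, which is the blending-in behaviour the post warns will get harder to spot.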
