Posts Tagged ‘botnets’

Twitter-Based Botnet Command and Control

Friday, September 4th, 2009

Twitter is a social networking and microblogging service launched in late 2006. Once logged in, users post small updates to the site frequently throughout the day. These short update messages, known as “tweets,” may not exceed 140 UTF-8 encoded characters. A user’s tweets are displayed on his or her “timeline” for their “followers” to see, and are accessible anonymously via the Twitter web site, RSS, or the Twitter API.

A web service like Twitter that allows users to publish short update messages to a publicly accessible page is a prime candidate for botnet command and control. This is especially true with regard to Twitter, since it is widely used. This large amount of content generated on a daily basis makes it easier for an attacker to blend in without being noticed. A proof-of-concept tool named KreiosC2 was released by Robin Wood that allows users to control machines via a central Twitter feed.

Jose Nazario of Arbor Networks recently uncovered a Brazilian infostealer trojan that uses Twitter for command and control and targets online banking credentials. Here we can see the malicious Twitter account (now cancelled by Twitter) and several encoded tweets:

Encoded links on Twitter used for command and control

Source: Arbor Networks

The messages shown are Base64 encoded URLs. Decoding the links and following them leads to an encoded .ZIP archive, which contains the infostealer trojan. In my opinion, using Twitter is an expected but novel addition to the list of previously used command & control protocols, including HTTP, IRC, P2P, et al. Here we can see a graph of infected machines, the majority of which are located in Brazil.

Affected country graph

Source: Arbor Networks

Twitter is not alone; it’s also important to note that other microblogging services such as Jaiku and Tumblr are being used in similar ways. In this case, the malicious tweets look suspicious and are easily decoded, revealing links to malicious sites hiding behind URL redirection services such as bit.ly. The complexity of these command & control mechanisms will continue to increase, with the end goal of operating in a completely undetectable manner.
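Detection logic for the encoded-URL tweets the post describes, added here as an example and not code from the post or from Arbor Networks: it scans a constructed sample timeline for Base64 tokens that decode to http(s) URLs and flags those that resolve to a URL redirection service such as bit.ly. The domains in the sample tweets are placeholders, not indicators from the original.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample timeline. The first two entries mimic the Base64-encoded
# URL tweets described in the post; the hosts are hypothetical placeholders.
SAMPLE_TWEETS = [
    base64.b64encode(b"http://bit.ly/EXAMPLE-C2-LINK").decode(),
    base64.b64encode(b"http://update.example.invalid/payload.zip").decode(),
    "Just had a great coffee this morning!",
    # Valid Base64 that decodes to plain text, not a URL: must not be flagged.
    base64.b64encode(b"just some ordinary text here").decode(),
]

# URL redirection services the post mentions as hiding the real link.
SHORTENER_HOSTS = {"bit.ly"}

# A token is a Base64 candidate if it is long enough to hold a URL and uses
# only the Base64 alphabet plus optional '=' padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_if_url(token):
    """Return the decoded URL if `token` is Base64 for an http(s) URL, else None."""
    if not B64_TOKEN.match(token) or len(token) % 4:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not Base64, or not text once decoded
    parsed = urlparse(decoded)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return decoded
    return None


def classify_tweet(text):
    """Classify one tweet as ('encoded_shortener' | 'encoded_url' | 'benign', url)."""
    for token in text.split():
        url = decode_if_url(token)
        if url is None:
            continue
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            return ("encoded_shortener", url)
        return ("encoded_url", url)
    return ("benign", None)


def scan_timeline(tweets):
    """Classify every tweet on a timeline; flagged entries merit analyst review."""
    return [classify_tweet(t) for t in tweets]
```

Extend `SHORTENER_HOSTS` with whatever redirection services your telemetry shows; the decode step is the same for Jaiku or Tumblr posts.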

First Atrivo, Now McColo

Tuesday, November 18th, 2008

Security researchers have had a number of victories to celebrate recently. First Atrivo and now McColo have been disconnected from the Internet. This was done not by law enforcement or other governmental action, but rather by the concerted efforts of the Internet community. The Internet is made up of privately owned networks that are voluntarily connected. The companies that were connected to Atrivo and McColo have severed those connections, removing the companies from the Internet.

Removing those two companies from the Internet has also removed large amounts of botnet and spam infrastructure. Several sources have reported seeing spam drop as much as 60-70% following McColo’s loss of connectivity. There was a similar, but smaller drop when Atrivo was taken offline. Of course, one of the reasons that the McColo disconnect reduced spam more than Atrivo, is that some of the spammers simply moved from Atrivo to McColo.

Back in October, my colleague Joe Stewart documented the Warezov botnet moving to McColo and also predicted (quite correctly as it turned out) that disconnecting McColo would reduce spam by one-half world wide. A number of other botnets, including Rustock, Srizbi, Pushdo and Ozdok had infrastructure hosted at McColo.

It’s clear that this infrastructure remains in place. Over the weekend McColo was able to temporarily find a new upstream provider. Thankfully, they were quickly shut down again. However, this did allow botnet C&C platforms in McColo to connect to their bots, updating software and rerouting the bots to new C&C servers located elsewhere. This has been seen to be happening with Srizbi, where researchers were able to register domains used as a fallback C&C mechanism.

Other botnets will also be relocating their C&C servers. While most, if not all, will just pop up in another datacenter, the growing trend of upstream providers disconnecting nefarious hosting companies is encouraging. So far these companies have been US based. We’re now seeing early evidence that bot-herders are moving their C&C servers overseas. The next question is: will the Internet community be able to put pressure on those companies and their upstream providers to prevent the bot-herders from finding a new safe haven?
