Skip to main content
0 Results Found
              Back To Results

                Twitter-Based Botnet Command and Control

                By: Dennis Dwyer

                Twitter is a social networking and microblogging service launched in late 2006. Once logged in, users post small updates to the site frequently throughout the day. These short update messages, known as tweets, may not exceed 140 UTF-8 encoded characters. Users tweets are displayed on his or her timeline for their followers to see, accessible anonymously via the Twitter web site, RSS, or the Twitter API.

                A web service like Twitter that allows users to publish short update messages to a publicly accessible page is a prime candidate for botnet command and control. This is especially true with regard to Twitter, since it is widely used. This large amount of content generated on a daily basis makes it easier for an attacker to blend in without being noticed. A proof-of-concept tool named KreiosC2 was released by Robin Wood that allows users to control machines via a central Twitter feed.

                Jose Nazario of Arbor Networks recently uncovered a Brazilian infostealer trojan that uses Twitter for command and control and targets online banking credentials. Here we can see the malicious Twitter account (now cancelled by Twitter) and several encoded tweets:

                Source: Arbor Networks

                The messages shown are Base64 encoded URLs. Decoding the links and following them leads to an encoded .ZIP archive, which contains the infostealer trojan. In my opinion, using Twitter is an expected but novel addition to the list of previously used command & control protocols, including HTTP, IRC, P2P, et. al. Here we can see a graph of infected machines, the majority of which are located in Brazil.

                Source: Arbor Networks

                Twitter is not alone; it's also important to note that other microblogging services such as Jaiku and Tumblr are being used in similar ways. In this case, the malicious tweets look suspicious and are easily decoded, revealing links to malicious sites hiding behind URL redirection services such as The complexity of these command & control mechanisms will continue to increase, with the end goal of operating in a completely undetectable manner.

                Close Modal
                Close Modal