For HomeFor BusinessFor Partners
Archive
3 min read

Twitter

Bogdan Botezatu

May 14, 2010

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Twitter

Huge armies of zombified computers unanimously executing the commands sent by their master – that’s what comes in the mind of a computer user at the sound of the word “botnet”. Fortunately enough, writing a bot is an extremely tedious task that takes a lot of in-depth programming knowledge, so not everyone can become a botmaster overnight, despite the obvious financial advantages.

BitDefender has released an emergency update to protect against a potential pandemic caused by the emergence of a botnet self-development kit controllable via the popular social media service Twitter®. In order to create their custom bot, an attacker only has to launch the SDK, enter a Twitter username that would act as a command & control center and modify the resulting bot’s name and icon to suit their distribution method.

Twitter Bot.

 

The newly-created bot will constantly interrogate the specified Twitter® profile (available at http://www.twitter.com/[userprofile-name] for posts resembling specially-crafted commands. In order to avoid confusion, all of the six supported commands have to start with a period:

Twitter Interface Bot

  1. The .VISIT command accepts two parameters separated by the * sign, as follows: .VISIT*URL*1 or .VISIT*URL*0. The command would make the bot visit a web page specified in the URL parameter. The latter parameter tells the bot whether to visit the URL in a visible (1) or an invisible (0) window.
  2. The .SAY command only takes one parameter and would initialize the Microsoft Text-To-Speech Engine to read the specific parameter. Example: .SAY*Something to say.

Up until here, the bot seems to be more of a hoax tool than of a dangerous piece of malware. However, things get complicated with the inclusion of the following two commands.

  1. The .DOWNLOAD command takes a URL as the first parameter and either 0 or 1 as the second one: .DOWNLOAD*URL/somefile.exe*0 or .DOWNLOAD*URL/somefile.exe*1. The URL tells the bot where to take the file from, while the numeric parameter tells is if the file should be executed or not when download completes.
  2. The .DDOS*IP*PORT command would trigger an UDP flood attack against the indicated IP on the specified port number (be it computer, router or server), thus taking the criminal game to a whole new level of aggression.

Terminating the tasks:

  1. .STOP ensures that the bots eventually stop the repetitive actions such as visiting web resources or hammering an IP to cause a DDOS condition, and return to a “listening” state.
  2. The .REMOVEALL command tells the bots to disconnect from the Twitter account and stay dormant until the next restart. This command practically eliminates all traffic between the bot and the Web, thus making it less “visible” to network packet monitoring tools such as Wireshark®.

This is, undoubtedly, one of the first attempts at creating an automated bot creation tool to be used in conjunction with a Twitter C&C. However, the overall mood of the TwitterNET Builder, as it is called, is experimental: the creator didn’t spend too much to protect the generated bots from reverse engineering or from detection and termination, but this flaw doesn’t make them less dangerous for the average computer user.

One thing to bear in mind though: a closer look into the file reveals that the wannabe botmaster is not the only one controlling the network. There is a secondary hardcoded Twitter account name called @Korrupt that may pass commands to any bot generated with the tool, regardless of the C & C account specified by the bot’s creator. However, at the moment, this account does not reveal any traces of criminal activity.

Fallback twitter

And even if coordinating a botnet via a Twitter profile has its specific drawbacks (this is a single point-of-failure C&C – once the Twitter account is deleted for abuse, the entire botnet would fall apart the next second), it also has its advantages – a botmaster can unleash a large-scale malware pandemic (by silently downloading and executing malware to all the zombie systems) or a DDOS attack by simply tweeting a single line of text from a mobile phone.

In order to protect customers, BitDefender has added detection for Trojan.TweetBot.A and released a free removal tool available here http://www.hotforsecurity.com/files/Anti-TweetBot-EN.rar

tags

Archive

Author

Right now Top posts

Torrents with Pirated TV Shows Used to Push Lumma Stealer Malware
Threats The Safe Nomad

Torrents with Pirated TV Shows Used to Push Lumma Stealer Malware

November 14, 2024

4 min read
How Scammers Stole $20 Million by Hacking Emails of Real Estate Agents – Here’s Why Small Firms Must Take Cybersecurity Seriously
Industry News Very Small Business Scam

How Scammers Stole $20 Million by Hacking Emails of Real Estate Agents – Here’s Why Small Firms Must Take Cybersecurity Seriously

November 11, 2024

3 min read
Is Your Digital Footprint Placing You in Scammers’ Crosshairs?
Scam

Is Your Digital Footprint Placing You in Scammers’ Crosshairs?

October 17, 2024

4 min read
What Key Cyberthreats Do Small Businesses Face?
Tips and Tricks How to Very Small Business

What Key Cyberthreats Do Small Businesses Face?

September 06, 2024

4 min read

FOLLOW US ON SOCIAL MEDIA

You might also like

How to keep your Android device immune to malicious vaccine themed apps
Archive

How to keep your Android device immune to malicious vaccine themed apps
Cristina POPOV

April 22, 2021

2 min read
Facebook Takes Down Two Hacking Groups Operating out of Palestine
Archive Industry News

Facebook Takes Down Two Hacking Groups Operating out of Palestine
Silviu STAHIE

April 22, 2021

2 min read
Ransomware attack causes supermarket cheese shortage in the Netherlands
Archive

Ransomware attack causes supermarket cheese shortage in the Netherlands
Graham CLULEY

April 13, 2021

2 min read

Bookmarks

loader