Proactive IT Security
 

Another way to use Twitter

2009-08-21 [Malware discussion]

Introduction

We have discussed Twitter in a few security articles this year. This time however, we shall focus on a new usage of this social network: Twitter as an element in a malicious setup.

The setup

Arbor Networks' Security and Response team has investigated and published detailed information about how Twitter was used by malicious actors as a command and control center for a botnet.

In short, the setup works as follows: messages are posted to a Twitter account. These messages look cryptic, as they are base64-encoded and appear to be random strings of characters.
When the messages are decoded, however, they reveal themselves as commands to computers that are part of a botnet. The messages instruct the bots to connect to certain web sites to receive further instructions and download files.
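As an added illustration of the detection side (not part of the original article or of Arbor's analysis): a small Python check that flags status messages which are pure base64 and decode to printable text containing a URL, run over constructed sample messages. The sample statuses, the hypothetical domain example.test and the thresholds are assumptions.

```python
import base64
import binascii
import re

def b64_status(text):
    """Build a constructed base64-encoded status the way the article describes."""
    return base64.b64encode(text.encode()).decode()

# Constructed sample status updates (not real tweets): two follow the
# base64 C2 pattern described above, one is ordinary text, one is valid
# base64 that decodes to binary noise, one decodes to text without a URL.
SAMPLE_STATUSES = [
    b64_status("http://example.test/drop/update.bin"),
    "having coffee with friends this morning",
    b64_status("update http://example.test/payload.exe"),
    "kJ3fA+/xQ2p9ZzLmNvB1Cw==",
    b64_status("ABCDEFGHIJKLMNOP"),
]

# A status that is nothing but base64 characters (assumed minimum 16) is the
# first hint; short tokens are ignored to limit false positives.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
URL_RE = re.compile(r"https?://[^\s]+")

def decode_if_base64(text):
    """Return the decoded text if the status is pure base64 that decodes to
    printable ASCII, else None. Alphabet or padding errors count as not base64."""
    stripped = text.strip()
    if not BASE64_RE.match(stripped):
        return None
    try:
        raw = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return decoded if decoded.isprintable() else None

def find_suspicious_statuses(statuses):
    """Flag statuses that decode from base64 to text containing a URL;
    returns (original, decoded, urls) tuples for analyst review."""
    hits = []
    for status in statuses:
        decoded = decode_if_base64(status)
        if decoded is None:
            continue
        urls = URL_RE.findall(decoded)
        if urls:
            hits.append((status, decoded, urls))
    return hits

if __name__ == "__main__":
    for original, decoded, urls in find_suspicious_statuses(SAMPLE_STATUSES):
        print(f"{original[:20]}... -> {decoded!r} urls={urls}")
```

The flagged messages are candidates for review, not verdicts: a legitimate account may post encoded text, so the decoded URLs should be checked against reputation data before any blocking.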

The Twitter account was disabled; subsequently other social networks were abused in a similar way, for example Jaiku and Tumblr.

Implications

This new technique has interesting implications. The traditional way to control a botnet has been through Internet Relay Chat (IRC), Peer-to-Peer (P2P) networks and web sites under the control of the person running the botnet. These techniques require setups and configurations of varying complexity to control the botnet clients.

The new technique does not require any such servers. The command and control center's commands are posted on a web page that the controlling person was never involved in setting up.

In principle, any web site that offers the ability to post messages that can be read by a computer could be used maliciously to control the zombies in a botnet.

One may expect this technique to become increasingly popular and refined in the near future.