Researchers from Sunbelt Software found a new Trojan botnet creator tool called TwitterNet Builder, which they reported on May 13.
In August 2009, Arbor Networks’ Jose Nazario reported finding numerous Twitter accounts being used to send commands to compromised machines. Here, researchers have found an account passing commands to Trojans created by the builder.
The tool has a basic interface, requiring users only to enter a Twitter user name for the Trojan to follow and hit the “Build” button. Afterwards, an executable file is created to keep an eye on the named Twitter account “for a series of commands used to infect, download, attack with DDoS [distributed denial of service] and even kill the connection between Bot and Command channel,” blogged Sunbelt’s Christopher Boyd.
“Should an end user infect themselves, the attacker simply posts … commands to their Twitter feed and the Bot will happily oblige,” Boyd wrote.
“All in all, a very slick tool and no doubt script kiddies everywhere are salivating over the prospect of hitting a Website with a DDoS from their mobile phones,” he continued. “However, something to keep in mind: Anyone using this as an attack method is horribly exposed.”
Boyd noted, “For one thing, this doesn’t work if the person controlling the bots attempts to hide their commands with a private Twitter page.” Since the attacker has to be public, “In theory it should be easy for Twitter to track/filter/block anyone issuing these commands,” and, “It only takes a quick Twitter Search to reveal who is using this Bot method at the moment.”
Symantec created a video to show how Twitter is being used as a command-and-control server for Trojan.Twebot and how attackers can control it using smartphones.