It’s been a tough week for Twitter. First DDoS attacks. Now Arbor Networks security researcher Jose Nazario has come across something more troublesome – a botnet using Twitter for its command-and-control.
According to Nazario, the botnet uses the micro-blogging service’s status messages to communicate with compromised machines. The tweets contain obfuscated links to sites with new commands and executables to download and run.
As Twitter has grown in popularity, it has become a source of increasing interest for attackers. Last month, for example, Koobface – the worm that made headlines for squiggling around Facebook and MySpace – made an appearance on Twitter.
But using the micro-blogging service as a means to control bots is an interesting twist. In a blog post, Nazario outlines how he unpacked one of the update messages and uncovered hidden links to which the bot will send data. Some of the links may be tied to Brazilian cyber-criminals known for banking Trojans.
Nazario wrote that he spotted the rogue account because a bot used the RSS feed to get the status updates.
“It’s an infostealer operation,” he blogged.
The account appears to be one of a handful of Twitter C&C accounts, he added.