Controlling bots from an IRCd is not fashionable anymore. That's my conclusion from Jose Nazario's analysis report on one of the Twitter accounts.
Nazario said he has found at least two other Twitter accounts he suspects were being used in the same fashion, but needs to do additional analysis before he can be sure. The bots using the Twitter account connected via RSS feeds, a technique that allowed them to receive each tweet in real time without needing an account. It was unclear how many bots connected to the account.
The account, which Twitter promptly suspended, issued tweets containing a single line of text that looked indecipherable to the naked eye. Run through what's known as a base64 decoder, however, the dispatches pointed to links where infected computers could receive malware updates.
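The detection side of the technique described above, as an added example that is not from the post, from Nazario or from Arbor Networks: a scanner that takes status updates pulled from a feed, picks out the ones that are a single run of base64 text, decodes them with Python's standard library and reports any URLs the decoded text contains. The sample statuses and the URLs inside them are constructed for this example (they use the reserved example.invalid domain); the thresholds and regular expressions are assumptions, not anything the post states.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Constructed sample "tweets": two innocuous status updates and two that carry
# a base64-encoded payload of the kind described in the post. These are made up
# for this example; the decoded URLs point at a reserved example domain.
SAMPLE_STATUSES = [
    "heading out for coffee, back in 20",
    base64.b64encode(b"http://update.example.invalid/bot/update.bin").decode(),
    "lol that was great",
    base64.b64encode(b"http://c2.example.invalid/cmd?id=7 http://c2.example.invalid/drop").decode(),
]

# A status that is one long run of base64 alphabet characters, padding allowed.
# The 16-character minimum is an assumed threshold to skip short ordinary words.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


@dataclass
class Finding:
    status: str      # the raw status text as seen in the feed
    decoded: str     # its base64 decoding
    urls: list       # defanged URLs found in the decoding


def decode_if_base64(text: str):
    """Return the decoded text if `text` is a valid base64 blob that decodes
    to printable ASCII, otherwise None."""
    token = text.strip()
    if not B64_TOKEN.match(token):
        return None
    # Valid base64 has a length that is a multiple of 4 once padded.
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not decoded.isprintable():
        return None
    return decoded


def defang(url: str) -> str:
    """Render a URL unclickable (http -> hxxp, '.' -> '[.]') for a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def scan_statuses(statuses):
    """Flag every status whose base64 decoding contains one or more URLs."""
    findings = []
    for s in statuses:
        decoded = decode_if_base64(s)
        if decoded is None:
            continue
        urls = URL_RE.findall(decoded)
        if urls:
            findings.append(Finding(s, decoded, [defang(u) for u in urls]))
    return findings


if __name__ == "__main__":
    for f in scan_statuses(SAMPLE_STATUSES):
        print("suspicious status:", f.status)
        for u in f.urls:
            print("  decodes to URL:", u)
```

In a monitoring pipeline the same `scan_statuses` function would be fed the entries of the RSS feed the bots poll; the point of the `isprintable` and URL checks is to keep the alert volume down, since plenty of legitimate statuses (hashes, shortened identifiers) also look like base64 but do not decode to a fetchable link.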
According to Nazario, one of the tweets pointed to a bank in Brazil. I'm not sure whether the bank is aware of this activity or whether it is completely invisible to their security monitoring.
This file looks like an infostealer. Here are some of the URLs it will send data to:
hxxp://220.127.116.11/friends/alert/new.php
hxxps://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim
hxxp://18.104.22.168/friends/post.php
hxxps://www2.bancobrasil.com.br/aapf/
hxxps://www2.bancobrasil.com.br/aapf/
I don't see this method as really accurate or efficient for launching or controlling any botnets.
Read more on the Arbor Networks blog:
Note: Security is not a fashion nor a business.