An Innovative Control and Lame – Twitter Being Used As Botnet Command Channel

Controlling bots from an IRC daemon is not in fashion anymore. That's my conclusion from Jose Nazario's analysis report on one Twitter account.

Nazario said he's found at least two other Twitter accounts he suspects were being used in the same fashion, but needs to do additional analysis before he can be sure. The bots using the Twitter account connected using RSS feeds, a technique that allowed them to receive each tweet in real time without the need for an account. It was unclear how many bots connected to the account.

The account, which Twitter promptly suspended, issued tweets containing a single line of text that looked indecipherable to the naked eye. Using what’s known as a base64 decoder, however, the dispatches pointed to links where infected computers could receive malware updates.
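The defender's side of what is described above: a small detector that polls an account's public RSS feed the way the bots did, and flags any item whose whole text is a base64 blob that decodes to a URL. This is an added example, not code from the original post or from Arbor's report; the feed and the URLs in it are constructed, and the "hxxp" defanging follows the page's own convention.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed RSS feed standing in for an account's public timeline (not the
# feed from the original report). One item carries a base64 blob that decodes
# to a URL, one is ordinary chatter, one is base64 that decodes to binary junk.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed</title>
<item><title>{b64url}</title></item>
<item><title>Just had lunch, back to the office</title></item>
<item><title>{b64bin}</title></item>
</channel></rss>""".format(
    b64url=base64.b64encode(b"hxxp://example.invalid/update/bot.bin").decode(),
    b64bin=base64.b64encode(b"\x01\x02\x03\xff" * 6).decode(),
)

# A tweet that is nothing but one long base64 token is the pattern in the report.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
URL_RE = re.compile(r"^(?:hxxps?|https?)://\S+$", re.IGNORECASE)


def decode_hidden_url(text):
    """Return the URL if the whole message is one base64 token decoding to a URL, else None."""
    token = text.strip()
    if not B64_TOKEN.match(token) or len(token) % 4:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return decoded if URL_RE.match(decoded) else None


def scan_feed(feed_xml):
    """Parse an RSS 2.0 feed and return (item title, decoded URL) for suspicious items."""
    root = ET.fromstring(feed_xml)
    hits = []
    for item in root.iter("item"):
        title = item.findtext("title") or ""
        url = decode_hidden_url(title)
        if url:
            hits.append((title, url))
    return hits


if __name__ == "__main__":
    for title, url in scan_feed(SAMPLE_FEED):
        print(f"{title} -> {url}")
```

Pointing `scan_feed` at a real feed only needs the fetched XML; the decoded URLs are what you would hand to proxy or DNS monitoring as blocklist candidates.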

According to Nazario, one of the tweets pointed to a bank in Brazil. I'm not sure whether the bank is aware of this activity or whether it is completely invisible to their security monitoring.

This file looks like an infostealer. Here are some of the URLs it will send data to:

hxxp://64.79.197.110/friends/alert/new.php
hxxps://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim
hxxp://64.79.197.110/friends/post.php
hxxps://www2.bancobrasil.com.br/aapf/
hxxps://www2.bancobrasil.com.br/aapf/

I don't see this method as really accurate or efficient for launching or controlling any botnet.

Read more on Arbor Network blog:

Twitter-based Botnet Command Channel

Note: Security is not a fashion nor a business.
