Miraculous Discovery: Twitter Used to Channel Botnet Activities
Lately Twitter has been buried under constant distributed denial-of-service (DDoS) attacks, suffering site-wide outages for several hours on end. No sooner had it recovered from those attacks than Twitter became the target of yet another kind of threat this week.
Jose Nazario, manager of security research at Arbor Networks and famed computer worm expert, discovered that a Twitter account was being used as part of a makeshift update server for compromised computers enrolled in a botnet.
Apparently, the tweets that the hacked account sends out look like complete rubbish. On a second look at the messages, it is apparent that they are encoded links. One of the links is dead, while the other leads to an encoded ZIP file containing an infostealer trojan that is very difficult to detect, according to Nazario's example.
According to Twitter, since this discovery, the account in question has been promptly suspended, "due to strange activity". Twitter has seen more than its fair share of "strange activity" lately, don't you think?
According to Nazario, though, this may not be the last of these types of attacks. He has stated that at least two other Twitter accounts suspected of being used in the same fashion have been discovered. The bots using the Twitter accounts connect via RSS feeds, a technique that allows them to receive each tweet in real time without the need for an account. As of yet, it remains unclear just how many bots are connected to these accounts. It could very well be a large number of botnets waiting to initiate an attack on a much larger scale.
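A defender-side sketch of the pattern described above (posts that look like rubbish but decode to links, read by bots over RSS), added here as an example and not taken from Nazario's analysis. It assumes the encoding is base64, which the article does not state, and it runs on a constructed feed with a placeholder example.com URL.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed sample feed, not data from the incident. Item 2 hides a
# placeholder URL; item 3 is base64 text that is not a link.
_LINK = base64.b64encode(b"http://example.com/update.zip").decode()
_TEXT = base64.b64encode(b"just some text, not a link").decode()
SAMPLE_RSS = f"""<rss version="2.0"><channel><title>constructed feed</title>
<item><title>someuser: heading to the office, coffee first</title></item>
<item><title>someuser: {_LINK}</title></item>
<item><title>someuser: {_TEXT}</title></item>
</channel></rss>"""

# Assumption: the encoded links are base64. Short tokens are ignored so that
# ordinary words are not treated as candidates.
TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"https?://\S+$")


def decoded_urls(text):
    """Return URLs recovered from base64-looking tokens in text."""
    found = []
    for token in TOKEN.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, ValueError):
            continue  # wrong length, bad padding, or not ASCII once decoded
        if URL.match(decoded):
            found.append(decoded)
    return found


def flag_items(rss_xml):
    """Return (item_text, urls) for each feed item carrying an encoded link."""
    hits = []
    # For feeds from untrusted sources, prefer a hardened parser (defusedxml).
    for item in ET.fromstring(rss_xml).iter("item"):
        parts = (item.findtext("title"), item.findtext("description"))
        text = " ".join(p for p in parts if p)
        urls = decoded_urls(text)
        if urls:
            hits.append((text, urls))
    return hits


if __name__ == "__main__":
    for text, urls in flag_items(SAMPLE_RSS):
        print("encoded link in feed item:", urls, "<-", text)
```

Run against proxy or feed-reader captures, a check like this surfaces accounts whose posts consist of decodable links rather than readable text.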
This is actually the first time the social networking giant has been used as part of a botnet's command and control structure, but is it the last? Nazario's findings suggest that in the world of Internet crime, large sites can unwittingly be cast as both the victim and the enabler, sometimes simultaneously.