First published: 14th August 2009
Jose Nazario, the manager of security research at Arbor Networks, reports finding a Twitter-based botnet command channel. The channel, since shut down by Twitter, uses base64-encoded posts to direct bots to download additional malware from various URLs... helpfully shortened using a URL shortening service. Nazario found that the downloaded malware looked like an information stealer.
A basic challenge for bot herders is how to stay in charge of their network of compromised machines without leaving a trail that law enforcement can use to locate them. Previous command-and-control channels have included chat protocols such as ICQ and IRC. In this case, the bots subscribed to the Twitter account by RSS.
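The pattern described above, a feed of posts that are nothing but a base64 blob decoding to a shortened URL, is easy to hunt for on the defender's side. The following detector is an added example, not code from Nazario or Arbor Networks; the shortener host list and the sample feed entries are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlparse

# Assumed list of URL-shortener hosts to treat as suspicious (constructed for this example).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd"}
# A whole-post base64 token: only base64 alphabet, at least 16 chars, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_if_base64(text):
    """Return the decoded text if the post is a single printable base64 token, else None."""
    token = text.strip()
    if not B64_RE.match(token) or len(token) % 4:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return decoded if decoded.isprintable() else None


def classify_post(text):
    """Label a feed entry: 'clean', 'encoded' (base64 text) or 'encoded_shortlink'."""
    decoded = decode_if_base64(text)
    if decoded is None:
        return "clean", None
    hosts = {urlparse(u).hostname for u in re.findall(r"https?://\S+", decoded)}
    if hosts & SHORTENER_HOSTS:
        return "encoded_shortlink", decoded
    return "encoded", decoded


def scan_feed(entries):
    """Run the classifier over every entry of an RSS/Twitter feed dump."""
    return [(entry, *classify_post(entry)) for entry in entries]


# Constructed sample feed: a normal tweet, an encoded short link, an encoded non-URL string.
SAMPLE_FEED = [
    "lunch was great, back to work now",
    base64.b64encode(b"http://bit.ly/abc123").decode(),
    base64.b64encode(b"just an encoded greeting here").decode(),
]

if __name__ == "__main__":
    for entry, label, decoded in scan_feed(SAMPLE_FEED):
        print(f"{label:18} {entry!r} -> {decoded!r}")
```

Running the scan against the account's RSS feed rather than the raw HTML matches how the bots themselves consumed the channel.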
Nazario also suspects two other Twitter accounts are being used in the same way, but further analysis is needed to confirm this.
To point out the obvious, any communications channel can be utilised for malicious purposes, and the more popular a method is, the easier it is for the bad guys to hide in the stream of messages.