Twitter is such a craze, even bot masters feel the need to jump on the social-networking service.

On Thursday, a researcher with network-security firm Arbor Networks revealed that some bot masters are using the microblogging service to communicate with collections of compromised computers.

Jose Nazario, manager of security research for Arbor Networks, began investigating the connection between botnets and Twitter after spotting a strange-looking feed on the social network. As it turns out, what appeared to be scrambled status updates were in fact a series of obfuscated links to malicious software updates for a relatively new botnet. Following the links, which redirected through the URL-shortening service Bit.ly, resulted in users downloading a compressed file.

"What we found was a base-64 encoded ZIP file," says Nazario. "When you unpack the file and try to do a detection on the two files inside, it had weak detection." In other words, only 44 percent of antivirus engines detected the original bot software and less than half of those detected the updates.

A study of over 1.1 million botnet submissions over a two-year period found that the use of IRC for communications was in decline. (Source: "A View on Current Malware Behaviors," Bayer et al.)

Bot operators moved away from public command-and-control channels because security researchers have had too much success analyzing the botnets that use such communications as Internet relay chat (IRC). In a recent paper, Ulrich Bayer, of the Technical University of Vienna, and his colleagues documented the drop in use of IRC for command and control between the start of 2007 and the end of 2008.

Yet, Nazario argues that it will be easy to hide in the noise of Twitter. Because shortened URLs are so common, and services such as Bit.ly have trouble scanning the destination of every link they handle, defending against botnets who abuse Twitter as a communications medium will be hard, he says.

"There are so many Twitter accounts, it would be pretty easy to hide in the fray," Nazario says.

The latest data point in the arms race between security firms and cybercriminals comes from Panda Security of Bilbao, Spain.

On Wednesday, the company announced that the quantity of malicious software seen by its customers has skyrocketed recently, with the firm now processing some 37,000 samples per day. In 2008, Panda saw 22,000 new samples every day, on average.

"Samples", as explained in a previous post to UnsafeBits, is an amorphous term that generally covers not only malicious software and variants that are different on a binary level, but also the same software that has been compressed--more commonly referred to as "packed"--in slightly different ways.

The dramatic increase in malicious software samples shows the success of cybercriminals' efforts to hide their programs from detection. As the number of samples increases, antivirus firms have to improve their automated analysis capabilities or hire more analysts.

"They decided to attack the antivirus labs," says Sean-Paul Correll, a threat researcher with Panda Labs. "It is a DDoS (distributed denial-of-service attack) is what it is. It is going to continue and it's only going to get worse."

Security-software firms have improved their ability to analyze threats, both through better automated analysis and through hiring more analysts. In Panda's case, the company launched its Collective Intelligence analysis system in 2007, which typically handles about 99 percent of all submissions to the company, Correll says. Collective Intelligence processes a sample in about six minutes.

Yet, antivirus firms also have to deal with the constant churn of threats. Cybercriminals often only have to pack their latest virus or Trojan horse in a slightly different way to escape detection. And if a particular criminal group does not have the technical chops to create new variants, other groups offer services to create obfuscated programs.

Panda documented the churn by noting that 52 percent of samples are only seen in a single 24-hour period. Another 19 percent do not last more than two days. Within three days, 80 percent of all malware disappears from the Internet.

For consumers, that means that updating their software on a daily basis is no longer enough. With more than half of all malicious software appearing and disappearing between updates, consumers are more than likely to miss a threat.

Panda plans to take the update out of the equation, launching a service, hosted in the cloud, that can automatically identify unfamiliar threats. By uploading specific characteristics of any program encountered by the client, its software can then make a judgment on whether a particular file is malicious or not.

"We upload the behavioral traits," Correll says. "There is so much valuable information in, say, API calls. You can extract so much data about how the program interacts with the operating system. So rather than upload the original file, ... by just using the behavioral traits, we can make a judgment using our past knowledge."

There has been speculation that the attack on Twitter consisted of a widely distributed e-mail containing links to the Twitter page of a blogger from Georgia (the former Soviet state).

Yet, based on available data, that theory doesn't seem to hold up. The attack may have been designed to silence the blogger, but it is unlikely that the spam traffic amounted to much of a denial-of-service attack, according to network-traffic patterns seen by Arbor Networks, a networking services vendor. According to the company, the attack resulted not from users clicking through a link in an e-mail, but from two common types of packet floods used in more common denial-of-service attacks.

"The attack traffic is not an e-mail click but SYN floods and UDP floods going to Twitter's space," says Craig Labovitz, chief scientist for Arbor. "It's stuff that does not look like it was directly tied to a click-through or e-mail attacks."

Early on Thursday, Arbor's network of Internet sensors could tell that traffic to Twitter had dropped by half. While the company collected a dozen or so examples of attack traffic, the company cannot tell from which sources the traffic came, Labovitz says.

Moreover, if the attack's origin had been widespread, such as when millions of people click on links in e-mail messages, then the firm should have seen an increase in traffic to Twitter, not a decrease. The drop in traffic witnessed by Arbor and other network monitoring services indicates that the attack came from a smaller number of computers that were, in general, not visible to the vendors.

Of course, there are caveats. The link in the e-mail could have exploited an application issue in Twitter's site to consumer an inordinate amount of resources per click-through. Alternatively, Arbor and other vendors could have failed to monitor the specific paths to Twitter through which the attacks were routed.

"Without more details, it is possible that it went along paths that we were not monitoring," acknowledges Labovitz.

Why wasn't Facebook as affected by the attacks as Twitter? The company has a much more robust infrastructure consisting of an Akamai-like distributed hosting service and crunches a lot more bandwidth than Twitter, says Labovitz. While Twitter typically maxes out at 300 gigabits per second, Facebook accounts for 0.5 percent of the bandwidth of the entire Internet, he says.