Twitter is such a craze, even bot masters feel the need to jump on the social-networking service.
On Thursday, a researcher with network-security firm Arbor Networks revealed that some bot masters are using the microblogging service to communicate with collections of compromised computers.
Jose Nazario, manager of security research for Arbor Networks, began investigating the connection between botnets and Twitter after spotting a strange-looking feed on the social network. As it turns out, what appeared to be scrambled status updates were in fact a series of obfuscated links to malicious software updates for a relatively new botnet. Following the links, which redirected through the URL-shortening service Bit.ly, resulted in users downloading a compressed file.
“What we found was a base-64 encoded ZIP file,” says Nazario. “When you unpack the file and try to do a detection on the two files inside, it had weak detection.” In other words, only 44 percent of antivirus engines detected the original bot software and less than half of those detected the updates.
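The two observations above, a feed whose "status updates" are really opaque encoded tokens and a fetched body that is a base64-wrapped ZIP, suggest a simple analyst triage. The following is an added example written for this article, not Arbor Networks' tooling; the feed entries, the ZIP contents and the function names are all constructed for illustration.

```python
import base64
import binascii
import io
import re
import zipfile

# Constructed sample feed (not from the article): ordinary posts plus one
# post that is a single opaque base64 token rather than words.
SAMPLE_FEED = [
    "Heading to the conference tomorrow, anyone else going?",
    "aHR0cDovL2V4YW1wbGUuY29tL3VwZGF0ZS5iaW4=",
    "lunch was great, back to work",
]

# One unbroken base64-shaped token of 16+ chars is not natural-language text.
BASE64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def looks_encoded(post: str) -> bool:
    """True when the whole post is one base64 token that decodes cleanly."""
    token = post.strip()
    if not BASE64_TOKEN.match(token):
        return False
    try:
        base64.b64decode(token, validate=True)
    except binascii.Error:
        return False
    return True

def flag_feed(posts):
    """Return the posts an analyst should look at first."""
    return [p for p in posts if looks_encoded(p)]

def zip_members_from_base64(body: str):
    """If body is base64 wrapping a ZIP archive, return its member names, else None."""
    try:
        raw = base64.b64decode(body, validate=True)
    except binascii.Error:
        return None
    if not raw.startswith(b"PK\x03\x04"):  # ZIP local file header magic
        return None
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        return zf.namelist()

def build_sample_payload() -> str:
    """Constructed stand-in for a fetched body: a two-file ZIP, base64-encoded."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("file1.bin", b"constructed placeholder, not a real program")
        zf.writestr("file2.dat", b"constructed placeholder")
    return base64.b64encode(buf.getvalue()).decode("ascii")
```

Member names are listed without extracting so the archive can be handed to a sandbox or scanner rather than run; a post that decodes to a plain URL (as the sample does) is still worth a look, since that is exactly the shape of a disguised link.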
Bot operators moved away from public command-and-control channels because security researchers have had too much success analyzing the botnets that use such communication channels as Internet relay chat (IRC). In a recent paper, Ulrich Bayer, of the Technical University of Vienna, and his colleagues documented the drop in use of IRC for command and control between the start of 2007 and the end of 2008.
Yet Nazario argues that it will be easy to hide in the noise of Twitter. Because shortened URLs are so common, and services such as Bit.ly have trouble scanning the destination of every link they handle, defending against botnets that abuse Twitter as a communications medium will be hard, he says.
“There are so many Twitter accounts, it would be pretty easy to hide in the fray,” Nazario says.