A View from Robert Lemos
Botnets Go Public by Tweeting on Twitter
Bot operators push their command-and-control channels back into the public eye by tweeting updates.
Twitter is such a craze, even bot masters feel the need to jump on the social-networking service.
On Thursday, a researcher with network-security firm Arbor Networks revealed that some bot masters are using the microblogging service to communicate with collections of compromised computers.
Jose Nazario, manager of security research for Arbor Networks, began investigating the connection between botnets and Twitter after spotting a strange-looking feed on the social network. As it turns out, what appeared to be scrambled status updates were in fact a series of obfuscated links to malicious software updates for a relatively new botnet. Following the links, which redirected through the URL-shortening service Bit.ly, resulted in users downloading a compressed file.
“What we found was a base-64 encoded ZIP file,” says Nazario. “When you unpack the file and try to do a detection on the two files inside, it had weak detection.” In other words, only 44 percent of antivirus engines detected the original bot software and less than half of those detected the updates.
Bot operators moved away from public command-and-control channels because security researchers have had too much success analyzing the botnets that use such communications as Internet relay chat (IRC). In a recent paper, Ulrich Bayer, of the Technical University of Vienna, and his colleagues documented the drop in use of IRC for command and control between the start of 2007 and the end of 2008.
Yet, Nazario argues that it will be easy to hide in the noise of Twitter. Because shortened URLs are so common, and services such as Bit.ly have trouble scanning the destination of every link they handle, defending against botnets who abuse Twitter as a communications medium will be hard, he says.
“There are so many Twitter accounts, it would be pretty easy to hide in the fray,” Nazario says.