In association with heise online

14 August 2009, 11:44

Bot network uses Twitter

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Apparently, the current hype about Twitter has not passed malware writers by. Jose Nazario of Arbor appears to have discovered a bot-net that users the Twitter micro-blogging service for its communication. In a blog entry, Nazario tells of a Twitter account "upd4t3" (leet-speak for "update") whose messages seem to be Base64 encoded. He suspects the account may be used to control a bot network through allowing its clients to pick up orders. The concept is not entirely new; in 2007, The H reported on a trojan using Web-2.0-sites like MySpace for communication.

We could not verify whether the, now suspended, Twitter account did control a bot network, but it definitely looks like something suspicious was afoot. The H's associates at heise Security decoded one message which used the URL shortening service to point to the paste zone of the Debian project. The paste zone service allows users to upload messages and text and that content is made available at a particular URL. The message in this case contained a Base64-encoded file which revealed itself to be a ZIP archive with two UPX compressed files.

Preliminary analysis indicates these are phishing trojans aimed at a Brazilian bank. The detection of these files by anti-virus programs is very poor; the packed binaries produced only heuristic warnings. Only Sophos gave the unpacked version a unique identifier of "Mal/Banc-A".


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit