A botnet that has infected a few hundred computers in Brazil has turned a Twitter feed into a channel for disseminating links to computer systems compromised by the bot program, a researcher with networking firm Arbor Networks said on Thursday.
The bot, which only 44 percent of the antivirus engines surveyed by VirusTotal detect, and then only as a generic downloader, uses a Twitter account as its command channel: the bot master posts base64-encoded Web links as status updates, and compromised computers poll the feed to fetch the latest instructions, said Jose Nazario, manager of security research at Arbor Networks.
"Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run," Nazario said in a blog post. "It's an infostealer operation."
The move marks a reversal in the evolution of command-and-control channels in the botnet universe. In the past, botnet operators used Internet relay chat (IRC) channels to communicate with systems compromised by their software, but because researchers could easily monitor those public channels, bot masters moved to more closed communications media, such as peer-to-peer or Web-based control channels. Twitter brings the control traffic back onto a public, widely used service, where it blends in with ordinary Web and API requests.
Yet Nazario argues that Twitter channels will be hard to stop, because the links are already obscured by base64 encoding (which hides them from a casual reader, though it is not encryption) and could be further obfuscated by, for example, embedding them in a news headline. Following the bit.ly shortened URLs that the posts decoded to, Nazario found the malicious code: two executables, compressed in a zip archive and poorly detected by antivirus scanners.
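The defender's side of the scheme described above (base64 status updates that decode to shortened links, possibly hidden inside headline-like text) is simple to check for once the feed is in hand. The following is an added example written for this article, not code from SecurityFocus or Arbor Networks: it scans a list of status updates, tries to base64-decode each whitespace-separated token, keeps only tokens that decode to a plausible URL, and reports what fraction of a feed carries such links. The sample statuses, the `bit.ly` paths and the `example.invalid` host are constructed placeholders, not links from the real feed.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed sample feed (not real data). Statuses 0 and 1 mimic the scheme
# in the article (a bare base64 blob that decodes to a URL); status 2 hides the
# blob inside headline-style text; statuses 3 and 4 are benign.
SAMPLE_STATUSES = [
    "aHR0cDovL2JpdC5seS9leGFtcGxlMQ==",                      # http://bit.ly/example1
    "aHR0cDovL2V4YW1wbGUuaW52YWxpZC9wYXlsb2FkLnppcA==",      # http://example.invalid/payload.zip
    "Breaking: markets rally aHR0cDovL2JpdC5seS9leGFtcGxlMg== details soon",
    "Having coffee and reading the news",
    "Check out http://example.invalid/blog",
]

# A token is worth decoding only if it looks like base64: long enough to hold a
# short URL, standard alphabet, at most two trailing '=' characters.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# What the decoded bytes must look like to count as a link the bot would follow.
URL_RE = re.compile(r"^(?:https?|ftp)://[\w.\-]+(?:/[\w.\-/%?=&+~]*)?$", re.I)


def decode_url_token(token: str) -> Optional[str]:
    """Return the URL a base64 token decodes to, or None if it is not one."""
    if not B64_TOKEN.match(token):
        return None
    # Re-pad defensively: operators sometimes drop the '=' characters.
    stripped = token.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if URL_RE.match(text) else None


def extract_c2_links(statuses: List[str]) -> List[Tuple[int, str]]:
    """Return (status index, decoded URL) for every link hidden in the feed."""
    hits = []
    for idx, status in enumerate(statuses):
        for token in status.split():
            url = decode_url_token(token)
            if url is not None:
                hits.append((idx, url))
    return hits


def feed_suspicion_ratio(statuses: List[str]) -> float:
    """Fraction of statuses carrying at least one decodable link.

    A human account rarely posts base64 blobs at all, so a feed where most
    updates decode to URLs stands out even among millions of accounts.
    """
    if not statuses:
        return 0.0
    flagged = {idx for idx, _ in extract_c2_links(statuses)}
    return len(flagged) / len(statuses)


if __name__ == "__main__":
    for idx, url in extract_c2_links(SAMPLE_STATUSES):
        print(f"status {idx}: {url}")
    print(f"suspicion ratio: {feed_suspicion_ratio(SAMPLE_STATUSES):.2f}")
```

The decoded links are only the first hop; each still has to be resolved through the URL shortener and the downloaded archive inspected, which is the part Nazario describes as hard to automate.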
"There are a number of unsolved disambiguation challenges that we have to solve here with the compressed links and whatever is on the other side of those links," Nazario told SecurityFocus.
In the end, the sheer number of accounts makes detecting malicious feeds on Twitter hard, he said. "There are so many Twitter accounts, it would be pretty easy to hide in the fray."
Posted by: Robert Lemos