The Last Watchdog

on Internet security by Byron Acohido

Hackers use Twitter accounts and Tweets as command & control for botnets

Posted on August 17, 2009

A cyber gang has begun experimenting with setting up free Twitter accounts, then sending out Tweets from the popular micro-blogging service that are really coded instructions to botted PCs to carry out criminal activities.

Anti-virus maker Symantec has isolated several samples of infected PCs carrying a unique new infection, dubbed “Sninfs.”

The PCs most likely got infected when their users unwittingly clicked through to a tainted web page or on a corrupted link carried in an email or social network message, says Marc Fossi, research and development manager at Symantec Security Response.

The first few stages of the Sninfs infection are routine. The virus searches for any unpatched security holes, and when it finds one it exploits the vulnerability to plant a Trojan downloader, a backdoor through which further code can be pulled onto the machine. The attacker now “owns” the PC; he can send whatever instructions his heart desires and install any malicious program of his choosing.

This is standard operating procedure for attackers, called botmasters, who specialize in assembling and deploying huge armies of botted PCs to distribute spam, steal data, conduct denial of service attacks and hijack online financial accounts.

What’s new about Sninfs is that unlike the headline-grabbing virus, Conficker, which used a peer-to-peer network to issue commands, Sninfs appears to be testing the concept of using Tweets to issue commands, says Fossi.

Each Sninfs-infected PC carries instructions to follow a Twitter account set up by the botmaster ahead of time. And every so often, the botmaster’s Twitter account Tweets out a link to a web page that installs a malicious program, called “Bancos,” which is designed to steal online banking account logins from a customized list of financial institutions.

The botted PCs following this account automatically click on the Tweeted link and thus install Bancos.

“We’re not sure if they’re tweeting manually or if they have a script set up that sends out a Tweet every so often,” says Fossi.

Twitter shut down the instruction-issuing account late last week. But on Sunday, Symantec spotted a new Twitter account — and this time also a Jaiku account — tweeting out the same instructions. This suggests fresh Sninfs infections are being distributed via tainted web sites and web links in email and social network messages, says Fossi.

For the moment, Symantec rates Sninfs as a low risk, because fewer than 50 infected PCs have been pinpointed. “It’s not very widespread,” says Fossi. “We’ve got it classified as a low rate of infection.”

But Jose Nazario, Manager of Security Research for Arbor Networks, says there is probably more afoot. The bad guys appear to be experimenting with a new command and control methodology that’s harder for the good guys to disrupt. Because micro-blogging posts appear briefly on the Internet and then vanish, issuing criminal commands via Tweets is like writing instructions in wet sand before high tide.
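The behaviour described above gives defenders something to look for even after the Tweets themselves have vanished: a bot that follows a micro-blogging account has to poll the same feed URL on a timer, and a successful command shows up as an executable download shortly after one of those polls. The script below is an added illustration of that detection logic, written for this article and not code from Symantec, Arbor Networks or the Sninfs sample; it runs over a small, constructed web proxy log (the IP addresses, the account name, the feed path and the payload host are all invented) and flags hosts that fetch one Twitter or Jaiku URL at near-regular intervals, then reports any executable fetched within a short window after a poll.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed proxy log excerpt, invented for this example (not from the article).
# One record per line: "<ISO timestamp> <client ip> <method> <url> <status>"
# 10.0.0.5 polls one feed roughly every 60 s and then pulls an .exe; 10.0.0.9 is
# a person browsing Twitter by hand, hitting different pages at irregular times.
SAMPLE_LOG = """\
2009-08-17T09:00:00 10.0.0.5 GET http://twitter.com/statuses/user_timeline/botacct.rss 200
2009-08-17T09:00:03 10.0.0.9 GET http://twitter.com/ 200
2009-08-17T09:01:01 10.0.0.5 GET http://twitter.com/statuses/user_timeline/botacct.rss 200
2009-08-17T09:01:58 10.0.0.5 GET http://twitter.com/statuses/user_timeline/botacct.rss 200
2009-08-17T09:03:00 10.0.0.5 GET http://twitter.com/statuses/user_timeline/botacct.rss 200
2009-08-17T09:03:20 10.0.0.9 GET http://twitter.com/someuser 200
2009-08-17T09:04:02 10.0.0.5 GET http://twitter.com/statuses/user_timeline/botacct.rss 200
2009-08-17T09:04:05 10.0.0.5 GET http://payload.example.invalid/stage2.exe 200
2009-08-17T09:11:40 10.0.0.9 GET http://twitter.com/search?q=news 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
MICROBLOG_DOMAINS = ("twitter.com", "jaiku.com")   # the two services named in the article
EXEC_SUFFIXES = (".exe", ".scr", ".dll")           # crude "payload" heuristic for the example


def parse_log(text):
    """Turn the proxy log text into a list of dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, method, url, status = m.groups()
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "method": method, "url": url, "status": int(status)})
    return records


def is_microblog_url(url):
    return urlparse(url).netloc.lower().endswith(MICROBLOG_DOMAINS)


def find_feed_beacons(records, min_polls=4, max_jitter=0.2):
    """Flag (host, url) pairs where the same micro-blog URL is fetched at regular intervals.

    Regularity is measured as population stdev of the gaps divided by the mean gap;
    a human reader produces large jitter and rarely hits one exact URL repeatedly.
    """
    by_key = defaultdict(list)
    for r in records:
        if is_microblog_url(r["url"]):
            by_key[(r["host"], r["url"])].append(r["ts"])
    beacons = {}
    for key, times in by_key.items():
        if len(times) < min_polls:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons[key] = {"polls": len(times), "mean_interval_s": avg,
                            "jitter": jitter, "poll_times": times}
    return beacons


def follow_on_downloads(records, beacons, window_s=120):
    """For each beaconing host, list executable URLs fetched within window_s after any poll."""
    found = {}
    for (host, _url), info in beacons.items():
        for r in records:
            if r["host"] != host or not r["url"].lower().endswith(EXEC_SUFFIXES):
                continue
            if any(0 <= (r["ts"] - t).total_seconds() <= window_s for t in info["poll_times"]):
                found.setdefault(host, []).append(r["url"])
    return found


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    beacons = find_feed_beacons(recs)
    for (host, url), info in beacons.items():
        print(f"{host} polls {url} {info['polls']}x, every ~{info['mean_interval_s']:.0f}s "
              f"(jitter {info['jitter']:.2f})")
    for host, urls in follow_on_downloads(recs, beacons).items():
        print(f"{host} fetched executable(s) after a poll: {urls}")
```

The thresholds (four polls, 20% jitter, a two-minute follow-on window) are tuning knobs, not constants from the article; on a real proxy log they would need adjusting, and the feed URL pattern would be whatever the bot actually requests. The useful property is the one Nazario's wet-sand analogy points at from the other side: the instruction may be gone from the service, but the client's polling rhythm and the download it triggered stay in the logs.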

“Without some more robust detection in place this can easily become a major issue for Twitter,” says Nazario. “Hackers love to strike out at the darlings of the media – and now that this is available in the wild – we can expect more of this.”


Photo: Marc Fossi

–Byron Acohido
