

Twitter-based Botnet Command Channel - rams
http://asert.arbornetworks.com/2009/08/twitter-based-botnet-command-channel/

======
tetha
Hm, it certainly is new to create a Twitter account to coordinate a botnet,
but on the other hand... why should communicating via a public, active (and
slow) site be better than communicating via some little-known (or even
private) IRC server?

~~~
brk
Using Twitter (or some other public messaging bus) allows the bots to connect
to a control channel that is already highly available and accessible (heh,
Twitter... yeah, I see the irony). This should make it somewhat easier to hide
the bots behind a couple of proxies (if you want to mask your identities).

The IP(s) of Twitter are also less likely to be blocked, and the protocol
itself (HTTP) is probably less restricted than IRC on sketchy networks, and
also less likely to be blocked by firewalls and/or routers around infected
PCs.

It seems like it is partially a "because I can" experiment, and partially an
attempt to adapt and change the way botnets operate (and are thus detected).

The thing, to me at least, is that this seemed too obvious. With all the noise
on Twitter and spam and marketeers, it would have seemed easier to set up a
bot-based Twitter account with a glossy marketeer profile that basically just
RT'd other garbage SEO/marketing spam junk. Then, randomly slip in these
encrypted commands. Maybe even break the command over a couple of tweets/RTs
to make it less obvious. You would have a sort of steganography kind of
encryption, with the data hidden in plain sight.

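The "hidden in plain sight" channel brk sketches above, worked through as an added example (written for this page, not code from the Arbor article, from the upd4t3 account or from KreiosC2). The shared key, the fixed nonce, the decoy tweets and the `example.com/p/` "short link" slot are all constructed for the demo; the cipher is a toy (HMAC-SHA256 counter keystream, encrypt-then-MAC with a truncated tag) so the file runs on the standard library alone, where a real bot would use an AEAD such as AES-GCM. The point it shows is why the scheme works against noise: the bot does not need to know which tweets are commands, it just reassembles every candidate set of fragments and keeps only what the MAC verifies. The last function is the defender's side, the statistical tell that encrypted fragments leave even when dressed up as marketing spam.

```python
"""Toy model of the "hidden in plain sight" Twitter C2 channel brk describes.

Added example for this page, not code from the article, from the upd4t3 bot
or from KreiosC2. The key, nonce, decoys and the example.com/p/ slot are
constructed for the demo. The cipher is a toy (HMAC-SHA256 keystream,
encrypt-then-MAC, truncated tag) so this runs on the standard library alone;
a real implementation would use an AEAD such as AES-GCM.
"""
import base64
import hashlib
import hmac
import math
import re
from typing import Dict, List, Optional

KEY = b"constructed-campaign-key"   # assumed shared secret between operator and bots
NONCE = bytes(range(8))             # fixed for determinism; must be unique per command
CHUNK = 16                          # base64 characters carried per tweet
TAG_LEN = 8

# A fake short link whose path is <index hex digit><total hex digit><base64 chunk>.
SLOT_RE = re.compile(r"https?://example\.com/p/([0-9a-f])([0-9a-f])([A-Za-z0-9_-]+)")

DECOYS = [  # constructed marketing noise the account normally RTs
    "10 growth hacks your competitors don't want you to know!",
    "Boost your SEO ranking overnight with this one weird trick",
    "Free webinar: monetize your social media presence today",
]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256 (toy cipher, see docstring)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, command: bytes, nonce: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || truncated HMAC tag."""
    ct = bytes(a ^ b for a, b in zip(command, _keystream(key, nonce, len(command))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the command, or None if the tag fails (noise, wrong key, tampering)."""
    if len(blob) < 8 + TAG_LEN:
        return None
    nonce, ct, tag = blob[:8], blob[8:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def operator_tweets(key: bytes, command: bytes, nonce: bytes) -> List[str]:
    """Operator side: split the sealed command over several spam-looking RTs."""
    b64 = base64.urlsafe_b64encode(seal(key, command, nonce)).rstrip(b"=").decode()
    chunks = [b64[i:i + CHUNK] for i in range(0, len(b64), CHUNK)]
    if len(chunks) > 15:
        raise ValueError("command too long for a single-hex-digit chunk count")
    return [
        f"RT @growthguru: {DECOYS[i % len(DECOYS)]} "
        f"http://example.com/p/{i:x}{len(chunks):x}{chunk}"
        for i, chunk in enumerate(chunks)
    ]


def bot_harvest(key: bytes, timeline: List[str]) -> Optional[bytes]:
    """Bot side: gather slots from a timeline in any order; accept only what the MAC verifies."""
    slots: Dict[int, Dict[int, str]] = {}
    for text in timeline:
        for m in SLOT_RE.finditer(text):
            index, total, chunk = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
            slots.setdefault(total, {})[index] = chunk
    for total, parts in slots.items():
        if all(i in parts for i in range(total)):
            b64 = "".join(parts[i] for i in range(total))
            blob = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
            command = unseal(key, blob)
            if command is not None:
                return command
    return None


def _entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def flag_suspicious(timeline: List[str], min_len: int = 14, min_entropy: float = 3.0) -> List[str]:
    """Defender heuristic: long, high-entropy URL path tokens inside low-value RTs.

    Genuine URL-shortener links also trip this, so treat it as a triage signal, not proof.
    """
    token_re = re.compile(r"https?://\S+/([A-Za-z0-9_-]{%d,})" % min_len)
    return [t for t in timeline
            if any(_entropy(m.group(1)) >= min_entropy for m in token_re.finditer(t))]


if __name__ == "__main__":
    cmd = b"ddos 203.0.113.5 80"   # constructed; TEST-NET-3 address
    tweets = operator_tweets(KEY, cmd, NONCE)
    noise = [f"RT @growthguru: {d}" for d in DECOYS]
    timeline = noise[:1] + tweets[::-1] + noise[1:]   # fragments reversed and buried in noise
    print(bot_harvest(KEY, timeline))
    print(flag_suspicious(timeline))
```

The MAC is what makes the "slip it in among the spam" idea robust: a stray link that matches the slot pattern just fails to verify and is dropped, and a defender who suspends the account or tampers with a fragment produces no command at all rather than a garbled one. The flip side, shown by `flag_suspicious`, is that ciphertext has higher per-character entropy than marketing copy or real shortener codes of the same length, so the steganography only holds up until someone measures the link paths on the account.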
------
tlrobinson
What exactly is the advantage of using Twitter for C&C? It's trivial for
Twitter to suspend accounts like this (which they already have done:
<http://twitter.com/upd4t3>), it just makes their job a little harder.

~~~
kvs
Malware just needs a C2 for a day or two and then it moves along to another.
The days of clinging on to one source are long gone. Please see
<http://www.pandasecurity.com/usa/homeusers/media/press-releases/viewnews?noticia=9805>

------
WOPR
This was demoed two weeks ago at DEF CON; it's probably using the same thing,
KreiosC2:

<http://www.digininja.org/projects/kreiosc2.php>

