

Twitter Bots Are Getting Stranger - gluejar
http://go-to-hellman.blogspot.com/2013/03/twitter-bots-are-getting-stranger.html

======
nwh
I'm with the commenter on the blog; looks like obfuscated domain names to me,
probably controlling a botnet of some sort.

Most of the tweets end in \\.[a-zA-Z]{3}, which to me says they mean .org,
.com and .net. The words could be representing characters in the name, or
references to a lookup table. That would explain the frequency of "unglue".

~~~
gluejar
Gotta be a code.

Two tweets from "BootmanRussel":

Ferruginous induce tavern other show business jean: .naL

5967 blogid tavern cialis inurl october phentermine griller viagra: .jcA
163069

~~~
switch33
.naL and .jCA are file formats I think.

.naL refers to a file that cannot be opened.

.jCA is a proprietary Oracle file:
<http://docs.oracle.com/cd/E14571_01/doc.1111/e15867/jca.htm>

My guess is this is a botnet that is shouting commands through twitter about
what it has retrieved.

Also, "inurL" could be used for Google hacking. Look it up if you don't
understand what I'm saying. This bot might look up sites using a search engine
and search for very select text based off the first part as well.

~~~
nwh
There's lots more than just those two extensions though. Hundreds, even.

~~~
switch33
You're right. It's more likely just a tag for the messages or an encrypted
command and not a file format.

But maybe my hunch for select google lookups and "next word or some other base
rules" is a good indication.

Actually the numbers are always 6 digits, just enough for a hex code color
number. Maybe this is a lot more complicated than it looks. And some don't
have this at all. So it must have a "default" color value if the number is a
hex color code at all.

~~~
switch33
<https://twitter.com/Rice18501444>

Probably the same type of bot if it helps anyone get ideas.

Gosh this is really such a freaky thing. I just can't imagine this being only
for blackhat SEO. It must be something else for so many bots to be posting 6
digits and random text. It can have so many ways of filtering all that
information though, and without having many clues it's hard to find what is
what.

I thought looking at the smaller ones might make more sense but haven't gotten
any luck. However one thing I did notice is that when you google parts of the
messages you can sometimes see that they are injected into other websites as
well.

If you consider that some of these may reference messages not on the same date
this gets even more complicated to decode, so unless anyone else has something
more to go on I don't really know what to say.

Edit: Actually if you look at it here from the stream from the article:
<https://twitter.com/search?q=unglue>

It's clearly blackhat SEO for "most" of the message with just some extra words
mixed in between as they are found on the page that it links from. As far as
the ".xxx" or 6 digits those are still up to question though.

~~~
nwh
I'm really curious too. I'd love for the whole thing to get some more
attention, at least then we might get some definite answers.

All the tweets are being posted by tweetfeed, which suggests it might just be
badly made spam rather than an encoded message like I thought. Seems to be a
stupid amount of energy going into making some very bad spam though.

Ed2: The site loads JS resources from <http://chitika.net/>. The username of
the advertiser is "artemkamen", which is something.

