Hacker News new | past | comments | ask | show | jobs | submit login
Twitter Bots Are Getting Stranger (go-to-hellman.blogspot.com)
8 points by gluejar on Mar 14, 2013 | hide | past | web | favorite | 7 comments

I'm with the commenter on the blog; looks like obfuscated domain names to me, probably controlling a botnet of some sort.

Most of the tweets end in \.[a-zA-Z]{3}, which to me says they mean .org, .com and .net. The words could be representing characters in the name, or references to a lookup table. That would explain the frequency of "unglue".

Gotta be a code.

Two tweets from "BootmanRussel":

Ferruginous induce tavern other show business jean: .naL

5967 blogid tavern cialis inurl october phentermine griller viagra: .jcA 163069

.naL and .jCA are file formats I think.

.naL refers to an file that cannot be opened.

.jCA is an propietary oracle file: http://docs.oracle.com/cd/E14571_01/doc.1111/e15867/jca.htm

My guess is this is a botnet that is shouting commands through twitter about what it has retrieved.

Also; "inurL" could be used for google hacking. Look it up if you don't understand what I'm saying. This bot might lookup sites using a search engine and search for very select text based off the first part as well.

There's lots more than just those two extensions though. Hundreds, even.

Your right. It's more likely just a tag for the messages or an encrypted command and not a file format.

But maybe my hunch for select google lookups and "next word or some other base rules" is a good indication.

Actually the numbers are always 6 digits just enough for a hex code color number. Maybe this is a lot more complicated than it looks. And some don't have this at all. So it must have a "default" color value if the number is a hex color code at all.


Probably the same type of bot if it helps anyone get ideas.

Gosh this is really such a freaky thing. I just can't imagine this being only for blackhat SEO. It must be something else for so many bots to be posting 6 digits and random text. It can have so many ways of filtering all that information though, and without having much clues it's hard to find what is what.

I thought looking at the smaller ones might make more sense but haven't gotten any luck. However one thing I did notice is that when you google parts of the messages you can sometimes see that they are injected into other websites as well.

If you consider that some of these may reference messages not on the same date this gets even more complicated to decode, so unless anyone else has something more to go on I don't really know what to say.

Edit: Actually if you look at it here from the stream from the article: https://twitter.com/search?q=unglue

It's clearly blackhat SEO for "most" of the message with just some extra words mixed in between as they are found on the page that it links from. As far as the ".xxx" or 6 digits those are still up to question though.

I'm really curious too. I'd love for the whole thing to get some more attention, at least then we might get some definiate answers.

All the tweets are being posted by tweetfeed, which suggests it might just be badly bade spam rather than an encoded message like I thought. Seems to be a stupid amount of energy going into making some very bad spam though.

Ed2: The site loads JS resources from http://chitika.net/. The username of the advertiser is "artemkamen", which is something.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact