August 13th, 2009
Brazilian ID thieves using Twitter as botnet command channel
Arbor Networks security researcher Jose Nazario has stumbled upon a crimeware botnet using Twitter as its command-and-control operation.
The botnet, which is linked to identity thieves in Brazil, uses Twitter status messages to communicate with bots — sending new links for the infected computers to contact and new commands and executables to download and run.
Here’s a look at the Twitter account in question (via Arbor Networks blog):
“It’s an infostealer operation,” Nazario explained.
He said the bots are sending data to URLs linked to Brazilian criminals that specialize in banker Trojans.
Banker Trojans are used to steal logins, passwords, PINs, check words and other information from bank websites.
The stolen information is usually uploaded to a hacker’s website using a webform. The most vulnerable are users of on-line banks and payment systems that have logins and passwords that do not change every time a user logs on. That is why many banks are now switching to one-time passwords that expire after being used once.
Nazario said there are quite a few Twitter accounts being used to control botnets. Twitter’s security team is aware of the issue. Some of the malicious accounts have already been deleted.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
