BotNet command and control finds new home on Twitter

Twitter is being used for a lot of things these days, but I bet one thing the Twitter team never expected to see is their creation being used for the command and control of botnets. According to an investigation by Jose Nazario at Arbor Networks, this is indeed the case. Jose also reports that the Twitter security team is already investigating the one known account being used for this purpose.

Luckily, the original bot in question (here’s the VirusTotal analysis) is detected by 19 out of 41 evaluated AV tools. Here is a short sample of what has been found so far:

That second link yields a base64-encoded block of text. When we un-encode it using base64 we see a PKZIP archive (which we have dumped as “out.qqq” since we don’t know what the extension would have been beforehand). We can then unpack this and see what we find:

$ unzip out.qqq
Archive: out.qqq
inflating: gbpm.dll
inflating: gbpm.exe
$ openssl md5 gbpm.*
MD5(gbpm.dll)= ceb8d7fd74da0a187cc39ced4550ddb4
MD5(gbpm.exe)= a5cc8140e783190efb69d38c2be4393f

Source: Arbor Networks :: Twitter-based Botnet Command Channel
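The decode-detect-unpack-hash steps quoted above can be scripted so an analyst never has to write the archive to disk. The following is an added example, not code from this post or from Arbor Networks: it strips whitespace from a tweeted blob, base64-decodes it, checks for the PKZIP local-file-header magic, and returns an MD5 per archive member. It also adds a cheap triage check the post does not mention: because base64 of the bytes "PK\x03\x04" always begins with the characters "UEsDB", a tweet carrying a zip can be spotted before decoding. The sample blob and the member contents are constructed placeholders (the member names reuse the ones from the post, but the bytes are not the real files), so the hashes will not match the ones quoted above.

```python
import base64
import hashlib
import io
import zipfile
from typing import Dict

# Local file header signature that opens every PKZIP archive.
ZIP_MAGIC = b"PK\x03\x04"
# base64 of ZIP_MAGIC's first bytes; lets us triage tweets without decoding.
ZIP_B64_PREFIX = "UEsDB"


def decode_payload(text: str) -> bytes:
    """Base64-decode a tweeted blob, tolerating line breaks and spaces."""
    cleaned = "".join(text.split())
    return base64.b64decode(cleaned, validate=True)


def looks_like_zip_b64(text: str) -> bool:
    """Cheap pre-decode check: a base64 PKZIP archive starts with 'UEsDB'."""
    return "".join(text.split()).startswith(ZIP_B64_PREFIX)


def is_pkzip(data: bytes) -> bool:
    """True if the decoded bytes carry the PKZIP magic."""
    return data[:4] == ZIP_MAGIC


def hash_archive_members(data: bytes) -> Dict[str, str]:
    """Return {member_name: md5_hex} for every file in the in-memory archive."""
    results: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # zf.read() inflates in memory; nothing is extracted to disk.
            results[info.filename] = hashlib.md5(zf.read(info)).hexdigest()
    return results


def analyze(text: str) -> Dict[str, str]:
    """Full pipeline: decode, verify it is a zip, hash the members."""
    data = decode_payload(text)
    if not is_pkzip(data):
        raise ValueError("decoded payload is not a PKZIP archive")
    return hash_archive_members(data)


def build_sample_blob() -> str:
    """Constructed stand-in for a tweeted blob: a zip holding two placeholder members.

    The member names mirror the post; the contents are harmless placeholder bytes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("gbpm.dll", b"placeholder dll bytes")
        zf.writestr("gbpm.exe", b"placeholder exe bytes")
    return base64.b64encode(buf.getvalue()).decode("ascii")


# Constructed negative sample: base64 of bytes that are not a zip archive.
SAMPLE_NON_ZIP_BLOB = base64.b64encode(b"MZ placeholder, not a zip").decode("ascii")


if __name__ == "__main__":
    blob = build_sample_blob()
    print("pre-decode triage says zip:", looks_like_zip_b64(blob))
    for name, digest in analyze(blob).items():
        print(f"MD5({name})= {digest}")
```

Hashing in memory rather than unzipping to a working directory keeps the member files from ever touching disk on the analysis box, and the "UEsDB" prefix check is useful when you are scanning a stream of tweets and only want to decode the ones worth a second look.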

Like I said earlier, this account is being examined and watched by Twitter, but it appears to be only one of more than a handful of botnet command and control accounts currently active on the service.