Twitter is being used for a lot of things these days, but one thing I bet the Twitter team never expected to see is their creation being used for the command and control of botnets. According to an investigation by Jose Nazario at Arbor Networks, this is indeed the case: the bot polls a Twitter account whose status updates carry links to base64-encoded payloads. Jose also reports that the Twitter security team is already investigating the one known account being used for this purpose.
Luckily the original bot in question (here's the VirusTotal analysis) is detected by 19 out of 41 evaluated AV tools. Here is a short sample of what has been found so far:
That second link yields a base64-encoded block of text. When we decode it using base64 we see a PKZIP archive (which we have dumped as "out.qqq" since we don't know what the extension would have been beforehand). We can then unpack this and see what we find:
$ unzip out.qqq          # extract the PKZIP archive recovered from the base64 block
$ openssl md5 gbpm.*     # hash the extracted gbpm.* files for AV / VirusTotal lookup
Source: Arbor Networks :: Twitter-based Botnet Command Channel
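The manual steps Arbor walks through above (base64-decode the fetched text, recognise a PKZIP archive by its magic bytes, unpack it, hash the contents) are easy to script so the next payload pulled from such a link can be triaged without touching the disk. The following is an added example written for this page; it is not Arbor's tooling or anything from the bot itself. The archive it analyses is constructed inline (the file names gbpm.dll and gbpm.exe are borrowed from the transcript above and their contents are fake), and a decoded blob that is not a ZIP is reported as such rather than fed to the unpacker.

```python
import base64
import binascii
import hashlib
import io
import zipfile

# Local-file-header signature that opens every PKZIP archive.
PKZIP_MAGIC = b"PK\x03\x04"


def decode_payload(text):
    """Base64-decode a block of text as pasted on a web page or tweet.

    Line breaks and other whitespace are stripped first, since the block
    is usually wrapped; validate=True rejects anything that is not base64.
    """
    compact = "".join(text.split())
    return base64.b64decode(compact, validate=True)


def looks_like_zip(blob):
    """True if the decoded bytes start with the ZIP local-file-header magic."""
    return blob.startswith(PKZIP_MAGIC)


def unpack_and_hash(blob):
    """Unpack an in-memory ZIP and return {name: {"md5", "sha256", "size"}}.

    Nothing is written to disk; the hashes are what you feed to VirusTotal
    or compare against the AV vendors' published indicators.
    """
    result = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            result[info.filename] = {
                "md5": hashlib.md5(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
            }
    return result


def analyse(text):
    """Run the full pipeline on a base64 block; None if it is not a ZIP."""
    try:
        blob = decode_payload(text)
    except (binascii.Error, ValueError):
        return None          # not base64 at all
    if not looks_like_zip(blob):
        return None          # decoded, but not a PKZIP archive
    return unpack_and_hash(blob)


def build_sample():
    """Constructed sample (not real malware): a ZIP holding two fake PE stubs,
    base64-encoded and wrapped at 76 columns the way a pasted block would be."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("gbpm.dll", b"MZ" + b"\x00" * 62 + b"fake dll body")
        zf.writestr("gbpm.exe", b"MZ" + b"\x00" * 62 + b"fake exe body")
    encoded = base64.b64encode(buf.getvalue()).decode()
    return "\n".join(encoded[i:i + 76] for i in range(0, len(encoded), 76))


if __name__ == "__main__":
    for name, meta in (analyse(build_sample()) or {}).items():
        print(f"{name}: size={meta['size']} md5={meta['md5']} sha256={meta['sha256']}")
```

Run it as-is to see the hashes of the constructed sample; to triage a real block, read the fetched text into analyse() instead of build_sample(). A None result means the link led somewhere other than a ZIP (plain base64 text, or a different container), which is worth recording rather than discarding, since the same account may switch formats between updates.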
As noted above, this account is being examined and watched by Twitter, but it appears to be only one of more than a handful of botnet command and control accounts currently active on the service.