Massive Twitter Botnet Dormant Since 2013

Researchers from the University College London have found a Twitter botnet of 350,000 bots that has been dormant since shortly after the accounts were registered.

A sizable and dormant Twitter botnet has been uncovered by two researchers from the University College London, who expressed concern about the possible risks should the botmaster decide to waken the accounts under his control.

Research student Juan Echeverria Guzman and his supervisor and senior lecturer at the college Shi Zhou told Threatpost that the 350,000 bots in the Star Wars botnet could be used to spread spam or malicious links, and also, more in line with today’s social media climate, start phony trending topics, attempt to influence public opinion, or start campaigns that purport a false sense of agreement among Twitter users.

Compounding the issue is a larger botnet of more than a half-million bots that the researchers have uncovered since their initial research. That research, the two academics said, will be shared in a future paper. In the meantime, the Star Wars botnet dataset is available for study; the researchers said the data is tens of times larger than any public collection on Twitter bots.

The researchers also said they have not shared their data with Twitter yet because they are waiting for their current research to be approved in a scientific journal.

“We would also like to give researchers a chance to get the dataset by themselves before they are gone, this is why we have not reported to Twitter directly, but we will as soon as the paper gets accepted,” Echeverria Guzman said.

A request to Twitter for comment was not returned in time for publication.

The researchers said the botnet was created in 2013 and has remained hidden since then with relatively little activity. The mundane pace at which the bots tweeted seemed automated and intentional, the researchers said. Most of the content are benign quotes from Star Wars novels and do not include URLs, giving the tweets the appearance of real human language as a means of side-stepping bot detection services. The user profiles behind the bots also used tactics that would not trigger alerts, such as having real profile pictures.

“All the accounts were created in a short window of time, less than two months. They all behave in exactly the same way, quoting Star Wars novels including the same hashtags (and adding random hashtags to the quote),” Echeverria Guzman said. “All of their tweets are marked as coming from ‘Windows Phone,’ which means that they are likely to be controlled by the API instead of the Twitter site. For reference, that source accounts for less than 0.1% of tweets normally.”

The clincher, however, connecting the hundreds of thousands of bots to the same network comes in the geographic distribution of the host accounts. Tweets were tagged with geographic locations which, when mapped, fall within neat rectangles plotted over North America and Europe. The tweets are distributed within the rectangles, even in uninhabited areas. The researchers describe the plotting in the paper:

“These rectangles have sharp corners and straight borders that are parallel to the latitude and longitude lines. We conjectured that the figure shows two overlapping distributions. One is the distribution of tweets by real users, which is coincident with population distribution. The other is the distribution of tweets with faked locations by Twitter bots, where the fake locations are randomly chosen in the two rectangles – perhaps as an effort to pretend that the tweets are created in the two continents where Twitter is most popular.”

Echeverria Guzman said the split between the two rectangles is exactly 50 percent and the tweets are uniform throughout the rectangle.

“All of this is almost impossible to have originated from normal users,” he said.

The researchers point out previous work demonstrating how Twitter bots have been able to abuse Twitter’s streaming API. Bots, the researchers said in their paper, are programmed to time tweets so that they are included in the streaming API as much as 82 percent of the time versus the expected 1 percent.

“If and when these bots are activated, they can do all of the threats as listed above—but on a large scale with a sudden effect,” Zhou said. “For example it is known that the Streaming API is susceptible to tampering by bots. The size of the Star Wars botnet is clearly enough to contaminate the Twitter API and the Twitter environment itself, particularly if focused on a single topic.

“In other words, it is scary to know there are bad guys and see the terrible things that they have been doing; yet it is much more scary to know there are a lot of bad guys around, but we have no idea what they are up to.”

The researchers said they hope others download and analyze the available data. They’ve also created a Twitter account, @thatisabot, and website, where bots can be reported.

Suggested articles