New, Simple Twitter Botnet Tool Debuts

There is a new point-and-click tool circulating online that enables virtually anyone to create a piece of malware that will connect a PC to a budding Twitter botnet.

There is a new point-and-click tool circulating online that enables virtually anyone to create a piece of malware that will connect a PC to a budding Twitter botnet.

The tool, known as TwitterNET Builder, is being used by attackers to build quick and easy botnets that are then controlled through commands sent via Twitter messages. There have been other examples of botnets that have used Twitter for command and control, but this particular one is making it easy for even the most clueless wanna-be hacker to compromise PCs and build a botnet.

The TwitterNET Builder client simply asks the user for a Twitter account name and then, after the user clicks “Build,” the program creates an executable. That version of the program then sits and watches the Twitter account for commands, which run the gamut from simply opening a specific Web page to starting a denial-of-service attack on a specified site.The commands used by this version are fairly easily identifiable as botnet commands.

A newer version uses less-obvious commands in its Twitter messages, making it somewhat more difficult for officials to identify the malicious accounts and disable them. David Jacoby, an analyst with Kaspersky Lab, analyzed the new TwitterNET Builder code and found that it doesn’t contain any automatic-download mechanism, so it needs help from users to be effective.

That’s usually not a problem.

“Since this tool does not have its own distribution
mechanisms it needs to be manually downloaded and executed – for
example, it might arrive as an attachment in an email, or as a file sent
via a instant messaging client. You need to be careful executing email
attachments or files sent to you in a chat conversation. You also need
to be careful that you do not get infected through a drive-by attack,
which may exploit vulnerability in for example your browser,” Jacoby wrote in his analysis.

While the new attack tool is simple to use, experts say it also leaves would-be DDoS attackers open to discovery.

“All in all, a very slick tool and no doubt script kiddies everywhere are
salivating over the prospect of hitting a website with a DDoS from
their mobile phones. However, something to keep in mind: anyone using
this as an attack method is horribly exposed. For one thing, this doesn’t work if the person controlling the bots
attempts to hide their commands with a private Twitter page; the bots
will just flail aimlessly as they wonder where their master has gone,” Christopher Boyd of Sunbelt Software wrote in an analysis of the TwitterNet Builder tool.

Suggested articles


  • Anonymous on

    With all of the open proxy servers out there, or the ability to pwn someones system and install a proxy that doesn't log, it doesn't really leave them that "open" to discovery.   Finding and terminating the twitter account would be obviously easy, but nailing who is sending commands is another story.

  • Anonymous on

    However, something to keep in mind: anyone who uses this as a method of attack is horribly exposed. On the one hand, that does not work if the person controlling the robots trying to hide their orders to a private Twitter bots, simply because they randomly flails are wondering where it went to his master,

    recession proof business

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.