Botnets Now On Twitter

Written by Paul Cunningham on August 19, 2009

The Sydney Morning Herald reports that security researchers investigating the recent Twitter spam and denial of service attacks found at least one account that was using Twitter to control a botnet.

“Jose Nazario with Arbor Networks said he found a Twitter account that was used to send out what looked like garbled messages. But they were actually commands for computers in a botnet to visit malicious websites, where they download programs that steal banking passwords.”

Social networking services such as Twitter have recently become associated with spam and phishing attacks due to the lack of inbuilt protection from malicious users. This new development of using Twitter messages to control botnets takes the issue another step forward.

Typically a botnet is made up of computers on broadband connections that have been compromised in some way, usually either by tricking the owner into installing malicious software (a browser toolbar, fake antivirus software, or a porn dialer) or by exploiting a vulnerability in the operating system or web browser they are using. A lot of these attacks arrived by email, which led to the email anti-spam protection software most of us use today (either on our own computers or on the email servers of our businesses and ISPs).

Botnets were often controlled using IRC channels, which were quick and easy for spammers to set up anywhere in the world and control remotely. Over time IRC traffic became almost synonymous with botnets, and despite its legitimate intended uses it is really only used by tech enthusiasts, so most businesses simply block IRC traffic at their firewall. Many consumer broadband modems and routers also block IRC traffic by default.

Twitter, on the other hand, simply works over HTTP, which is almost always allowed through business and consumer firewalls. Most Twitter clients will even work seamlessly through web proxies, so the command traffic blends in with ordinary web browsing. This makes the use of Twitter for controlling botnets a very serious problem.

There is no doubt that social networking such as Twitter can be a valuable tool for businesses to use to communicate with their customers. However, the lack of content filtering exposes the end user to attacks such as messages with URLs that lead to web pages designed to trick the user or exploit a software vulnerability. The URLs are often masked with URL shortening services, making malicious URLs more difficult to detect at a glance. Even a message from a known, trusted friend may be an attack, because of the tendency for people to willingly give away their Twitter password to third-party services.

The security challenge here is complex. Businesses would like to trust their users to engage in social networking for work and for pleasure, but even the best online security training for staff will still leave gaps as people’s awareness and attentiveness wane over time. Blocking the services entirely is undesirable, which leaves blocking URL shortening services in email and at the web proxy as the remaining counter-measure. This of course cripples one of Twitter’s more useful benefits, the ability to quickly share interesting and useful links.
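As an added example (not code from the original article), here are the two proxy-side checks the post points at, run over constructed proxy log lines: flagging requests to URL shortening services, and spotting a client that fetches the same Twitter account's timeline at a fixed interval, the way a bot polling for commands would. The log format, the shortener list and the twitter.com timeline path are assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import pstdev
from urllib.parse import urlparse

# Constructed sample proxy log: "<epoch> <client ip> <method> <url>" (assumed format)
SAMPLE_LOG = """\
1250640000 10.0.0.5 GET http://twitter.com/statuses/user_timeline/example_bot.rss
1250640300 10.0.0.5 GET http://twitter.com/statuses/user_timeline/example_bot.rss
1250640600 10.0.0.5 GET http://twitter.com/statuses/user_timeline/example_bot.rss
1250640900 10.0.0.5 GET http://twitter.com/statuses/user_timeline/example_bot.rss
1250640020 10.0.0.7 GET http://twitter.com/home
1250641234 10.0.0.7 GET http://bit.ly/abc123
1250642000 10.0.0.7 GET http://www.example.com/news
"""

# Assumed local blocklist of shortener domains; extend from your own proxy policy.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "is.gd", "tr.im"}

# Assumed 2009-era path for reading one account's public timeline.
TIMELINE_RE = re.compile(r"https?://(?:www\.)?twitter\.com/statuses/user_timeline/([^/?.]+)")


def parse_log(text):
    """Return (timestamp, client, url) tuples from the constructed log format."""
    entries = []
    for line in text.splitlines():
        ts, client, _method, url = line.split()
        entries.append((int(ts), client, url))
    return entries


def flag_shortener_urls(entries):
    """Return (client, url) for every request whose host is a known shortener."""
    return [(client, url) for _ts, client, url in entries
            if (urlparse(url).hostname or "") in SHORTENER_DOMAINS]


def find_periodic_polling(entries, min_requests=4, max_jitter=30):
    """Return (client, account, interval) for clients that re-read one account's
    timeline at near-constant intervals: gap spread (pstdev) <= max_jitter seconds."""
    groups = defaultdict(list)
    for ts, client, url in entries:
        match = TIMELINE_RE.match(url)
        if match:
            groups[(client, match.group(1))].append(ts)
    flagged = []
    for (client, account), times in groups.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            flagged.append((client, account, round(sum(gaps) / len(gaps))))
    return flagged
```

Human users read timelines at irregular intervals, so a tight, repeating gap on one account from one host is the signal worth reviewing alongside the shortener hits.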

Ultimately the best on-premises solution a business can implement will still be vulnerable without better inbuilt security measures for social networks.  But as long as these networks remain free and open for anyone to use they will often lack the resources to invest in security even as they continue to attract malicious users.

About Paul Cunningham

Paul lives in Brisbane, Australia and works as a technical consultant for a national IT services provider, specialising in Microsoft Exchange Server and related messaging systems.