Twitter used as a hacking tool

Mysterious accounts seem to be appearing all over the popular Twitter micro-blogging website. The suspicious accounts appear to be posting complete gibberish, when in reality they are posting encoded commands that direct already-infected machines to download malware onto victims' computers.

Hackers have always longed to find new ways to hide their tracks and make attacks harder to see coming, but now hackers have turned to Twitter to become the host of a series of attacks against users. Hackers have managed to form a botnet using Twitter as a way to control compromised PCs.

The compromised computers could potentially launch DoS (denial of service) attacks – something Twitter has been hit by multiple times over the last few months – or spread spam to other users, turning the victim into a botnet as well.

Twitter is now reviewing the suspected accounts and suspending suspicious activity from happening, but since the shutdowns, more command-line accounts are being registered, popping up all over the website. These accounts could possibly be the very same ones that turn computers into slaves, attacking the very site that affected them.


36 Comments


Just quickly, does Twitter use CAPTCHA (or anything similar) for new accounts signing up yet? I remember they didn't not long ago, and hopefully they've fixed that now.

starsky2 said,
This is nothing new actually...............

they even use flickr for this type of stuff!!!1oneone@11!1


That last bit opened up my porn folder and broadcast it across my workplace network, you scoundrel!

My computer knowledge definitely doesn't stretch this far... can someone explain in simple terms how text can act as commands?

The malicious software/virus goes to various twitter pages, decodes the Base64 text on the page (the random text ending with an equals sign '='), and acts upon the text it decodes. The actual text itself when decoded could be a link that the malicious software/virus would go to or keywords that the software/virus recognizes and uses to perform a specific task. A person would have to be infected with this software/virus for the text to affect them.

What is taking place here is nothing new. The best way to explain it is to give a very brief history on the subject.

Hackers would install trojans on a computer. These trojans would be programmed to connect to basic chat channels on the web, usually IRC. The hackers would be sitting in the same chat channel and be able to issue commands to the trojan.

The same basic principle is taking place here. The trojan is programmed to visit a Twitter page where it reads the most recent command. Just like normal programming code, the commands look like scrambled text to normal users but actually mean something to the program.

All of the trojans installed on millions of computers form a botnet when controlled by a few individuals. Otherwise they would just be considered a bunch of virus infected computers.

Twitter is a good vehicle to control botnets because it eliminates the hacker from needing to use a client to control the trojan. The hacker just needs to open a browser, post the command and they're done. Nothing new here, just the botnet controllers have evolved very slightly. The problem with using Twitter is that it's very noticeable.

The term 'hacker' in this case was used loosely.

You have to give credit to whoever this 'upd4t3' guy is, at least his 'tweets' are probably a lot more carefully thought out than most of the stuff you find on twitter...

Still though, if they had used something they run themselves, like an IRC channel, they wouldn't have left this much of a trail as when they used Twitter like that...

Twitter is apparently being used as the communication proxy between botnets. Those commands right there, they have to be interpreted by a malicious tool already installed in a PC. Basically, when in the past they used IRC or something else, now they use the twitter public feed. Convenient, considering that IT managers might block everything but the essential ports, and port 80 is the one everybody loves.

Those commands right there, are encoded in base64 and they are links. In those links, there's the malicious stuff.
More info here: http://asert.arbornetworks.com/2009/08/twi...ommand-channel/

So don't worry, regular, non-infected users. You're all fine (unless that by any chance you use your free time to decode tweets in base64, and execute the contents of the links they point you to).

I wonder if Twitter will become the first popular web site to become "uncool" and "unsafe" because too many companies use it, making it uncool to teenagers and just becomes too unreliable and unsecured for people to visit anymore with all of these hackers attacking it.

Andrew Lyle said,
I wonder if Twitter will become the first popular web site to become "uncool" and "unsafe" because too many companies use it, making it uncool to teenagers and just becomes too unreliable and unsecured for people to visit anymore with all of these hackers attacking it.

MySpace comes to mind.

Andrew Lyle said,
I wonder if Twitter will become the first popular web site to become "uncool" and "unsafe" because too many companies use it, making it uncool to teenagers

I don't think twitter was ever of any interest to teenagers, was it? Maybe for some new york/silicon valley rich kids, but it was never a craze to be compared with facebook or myspace among the younger generations.

And if it was, I think that time is already past. Even the local library where I live (Leeds, UK) has a "keep up to date with us on twitter!" slogan outside, and if there's ever a sure sign that the hype has passed it's a library catching on.

Andrew Lyle said,
I wonder if Twitter will become the first popular web site to become "uncool" and "unsafe" because too many companies use it, making it uncool to teenagers and just becomes too unreliable and unsecured for people to visit anymore with all of these hackers attacking it.
You mean ANY of these social networking sites were cool at one time?

That in itself is news to me!!

I'm not sure this is really a reflection on Twitter's security. You could hide some bot commands in a Neowin thread if you really wanted to and it would have the same effect. Twitter's response to this trend, if it indeed becomes a trend, will be telling though.

lordcanti86 said,
But....they use Linux servers and Google Apps...

How can their security possibly be bad?

Just because they use Linux servers and Google Apps does not make them completely secure. Nothing is unbreakable.

mindscape said,

Just because they use Linux servers and Google Apps does not make them completely secure. Nothing is unbreakable.


Just because you failed to notice his post was ironic does not make it less so.

There would be no difference if the same things came through AIM or MSN or YIM or any other means of internet protocols and communications.

This issue still requires that you have a malicious program installed beforehand to read and interpret those harmless letters of text and convert them into malicious commands.

If I could attach a device to a telephone line and send signals through that line that could be interpreted as malicious commands, then that would be the same issue here. The problem isn't that you are able to send signals through a telephone line, but rather that you would be able to install a program that converts those signals into something malicious. And here we are back to square one. Keep your computer secure: use malware protection and keep your computer applications up-to-date.

If you read the article you would know that Twitter is only serving as a way for "the hackers" to communicate instructions to already compromised computers.