Security researchers from antivirus vendor ESET have uncovered a simple tool automating the creation of botnets that can be controlled from Twitter. The botnet clients can be commanded to launch Distributed Denial of Service (DDoS) attacks or install additional malware on the compromised computers.The do-it-yourself botnet kit, which ESET detects as MSIL/Agent.NBW, has been discovered by the company's malware investigation laboratory in Latin America, suggesting that it might have originated in the area. "In the last few hours we have found an application that is currently in-the-wild. This application has been developed to automate the creation of botnets where communication between the botmaster and the zombie systems under his control is performed through Twitter," Jorge Mieres and Sebastián Bortnik, both security analysts at ESET, announced in a blog post [in Spanish].
The application, who's title bar reads "TwitterNET Builder," has an extremely simple interface with only a text input field for specifying the Twitter account used to rely commands to the bots and a "Build" button. Amongst the commands accepted by the botnet clients generated with this tool are ".DDOS*IP ADDRESS*PORT NUMBER" for launching DDoS attacks, ".DOWNLOAD*LINK/MALWARE.EXE" for downloading more malware or ".VISIT*LINK" for opening a link in the default browser. There is also a .REMOVEALL instruction for the bots to uninstall themselves.
According to the ESET researchers, the first version of the builder they analyzed was buggy and sometimes generated corrupted executables. However, they note that its creator has since fixed many of the bugs and released an improved variant. Additionally, they warn that botnets generated with this tool have already been spotted in the wild.
The practice of using Twitter channels to control botnets is not new. In August last year, researchers from Arbor Networks found an account relaying base64-encoded commands to a botnet of Brazilian origin. Other services like pastebin, Google Groups or Google's App Engine have been abused in a similar fashion in the past.
Link Removed - Invalid URL
