A new strain of malware has been discovered that changes the rules of how most people think about botnets.  The aptly named Twitoor is a Trojan that infects Android phones and uses the Twitter social network to coordinate the botnet.  Twitoor is believed to be the first instance of a botnet controlled through a social media service instead of traditional command-and-control servers.

The Twitoor malware is spread primarily through SMS and malicious links.  Once downloaded, it activates immediately and typically impersonates video players and messenger applications.  The malware periodically checks in with a designated Twitter account to receive instructions for downloading additional malicious payloads.  These payloads have been shown to include banking malware and other Trojans used to spy on user activity and steal personal information.

Using Twitter instead of a traditional command-and-control server offers many benefits for cybercriminals, and it’s surprising it has taken this long for someone to exploit them.  Botnets are traditionally controlled from a single server farm.  Given enough time and resources, such a server farm can be traced and shut down.  A Twitter-based botnet is more resilient.  Twitter accounts are free to anyone and anonymous; a new throwaway account can be created in seconds.  The cybercriminal in charge of the botnet can easily create a new account every week, day or even hour if they feel the need.  All devices connected to the botnet can receive updates of the new account seconds before the changeover occurs.  In this way, any security or law enforcement agencies end up chasing a ghost trail.  Even if law enforcement does manage to shut down a host account before it switches, it is unlikely that the account can be linked back to an owner.

Botnets are nothing new, but Twitoor represents an evolution on the part of traditional malware and an innovation in the way malware gets distributed and controlled.  The takeaway from this is that malware is not limited to personal computers anymore; your phone and other mobile devices can become infected just as easily.  When it comes to mobile devices, monitor your data usage for suspicious activity and be cautious when downloading new software.  Online security is everyone’s concern.
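For readers who manage devices and want to turn "monitor for suspicious activity" into a concrete check, here is an added example (not part of the original article and not taken from any Twitoor analysis) that looks for the periodic check-in behaviour described above.  It assumes a per-app connection log in a made-up `<epoch seconds> <package> <host>` format; the package names, host suffixes and thresholds are illustrative assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed for this example: Twitter host suffixes and the official client's package.
TWITTER_HOSTS = ("twitter.com", "twimg.com")
OFFICIAL_CLIENTS = {"com.twitter.android"}
# Constructed sample log: "<epoch seconds> <app package> <remote host>"
SAMPLE_LOG = """\
1000 com.example.videoplayer mobile.twitter.com
1010 com.twitter.android api.twitter.com
1200 com.example.news api.twitter.com
1230 com.example.news pbs.twimg.com
4600 com.example.videoplayer mobile.twitter.com
8205 com.example.videoplayer mobile.twitter.com
9000 com.example.news api.twitter.com
garbled line
11800 com.example.videoplayer mobile.twitter.com
15402 com.example.videoplayer mobile.twitter.com
30000 com.example.news api.twitter.com
"""

def parse(log):
    """Yield (timestamp, package, host) from well-formed lines; skip the rest."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2].lower()

def is_twitter(host):
    return any(host == h or host.endswith("." + h) for h in TWITTER_HOSTS)

def find_beacons(log, min_events=4, max_cv=0.1):
    """Return {package: mean gap in seconds} for non-client apps polling Twitter on a schedule."""
    seen = defaultdict(list)
    for ts, pkg, host in parse(log):
        if is_twitter(host) and pkg not in OFFICIAL_CLIENTS:
            seen[pkg].append(ts)
    flagged = {}
    for pkg, stamps in seen.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) < max(min_events, 2) or mean(gaps) == 0:
            continue
        # Coefficient of variation near zero means machine-like regularity.
        if pstdev(gaps) / mean(gaps) <= max_cv:
            flagged[pkg] = mean(gaps)
    return flagged

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

A flagged app is a lead for closer inspection, not proof of infection, since legitimate apps that embed Twitter content can also contact it on a timer.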

– Richard Keene
IT Computer Support of New York
Webmaster and Lead Designer