A recent blog from our colleagues at Sunbelt highlighted a new Trojan botnet creator tool called "TwitterNet Builder." Symantec has detection in place for this threat as Trojan.Twebot. As the name suggests, the builder is closely linked to Twitter, using a Twitter account to issue command-and-control instructions to the Trojans created by the builder. When building Trojan.Twebot, the user is able to supply a public Twitter account for Trojan.Twebot to follow. Because Trojan.Twebot does not try to obfuscate commands on Twitter, it will not be difficult for Twitter security staff to find and close accounts abusing their service in this way. It’s worth noting that issuing commands via Twitter accounts is nothing new and Symantec has blogged about this in the past.
Trojan.Twebot has a number of the usual commands you would expect to see, such as “.DOWNLOAD” to download additional files and “.DDOS” to perform a distributed denial-of-service attack. However, it also has the interesting command “.SAY”. This command allows an attacker to get a compromised computer to use the operating system's Text-to-Speech function to read aloud any messages sent by the attacker. The exact reason for the addition of this command is unknown, but it could be used to taunt victims.
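Because these commands are posted unobfuscated, a feed of public posts can be triaged for them per account. The following is an added detection example, not code from the original post or from Symantec; the sample posts are constructed, and it assumes (the post does not say) that a command token opens the message and that case does not matter.

```python
import re
from collections import defaultdict

# Command tokens named in the post. Their argument syntax is not documented
# there, so only the leading token is matched.
TWEBOT_COMMANDS = (".DOWNLOAD", ".DDOS", ".SAY")

# Assumption: the token starts the message and is followed by whitespace or
# end of text, so ordinary words such as ".SAYING" do not match.
_CMD_RE = re.compile(
    r"^\s*(" + "|".join(re.escape(c) for c in TWEBOT_COMMANDS) + r")(?=\s|$)",
    re.IGNORECASE,
)


def match_command(text):
    """Return the normalized command token that opens `text`, or None."""
    m = _CMD_RE.match(text)
    return m.group(1).upper() if m else None


def flag_accounts(posts, min_hits=2):
    """Count command-like posts per account.

    posts: iterable of (account, text) pairs.
    Returns {account: {command: count}} for accounts with at least
    `min_hits` matching posts, which keeps one-off coincidences out.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for account, text in posts:
        cmd = match_command(text)
        if cmd:
            hits[account][cmd] += 1
    return {a: dict(c) for a, c in hits.items() if sum(c.values()) >= min_hits}


# Constructed sample feed (hypothetical account names, placeholder argument).
SAMPLE_POSTS = [
    ("acct_a", ".SAY hello from the lab"),
    ("acct_a", ".download <url-placeholder>"),
    ("acct_b", "I have nothing to .SAY about this"),
    ("acct_b", ".SAYING goodbye"),
    ("acct_c", ".DDOS"),
]

if __name__ == "__main__":
    for account, counts in flag_accounts(SAMPLE_POSTS).items():
        print(account, counts)
```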
We have created the following video in a controlled environment (in our lab) to show how Twitter is used as a command-and-control server for Trojan.Twebot and how, by using smartphones, attackers can easily issue commands to their botnet:
As always, Symantec recommends that you keep your definitions up to date in order to ensure protection against new threats.