Video Screencast Help
Scheduled Maintenance: Symantec Connect is scheduled to be down Saturday, April 19 from 10am to 2pm Pacific Standard Time (GMT: 5pm to 9pm) for server migration and upgrades.
Please accept our apologies in advance for any inconvenience this might cause.

Twittering Botnets

Created: 14 Aug 2009 15:57:46 GMT • Updated: 23 Jan 2014 18:33:26 GMT
Peter Coogan's picture
+1 1 Vote
Login to vote

Twitter.com is once again in the media spotlight. This time security researchers at Arbor Networks have found what is thought to be a botnet using Twitter for its command-and-control operations. Obfuscated Twitter status messages (like the ones in the image below) are being used to send out new download links to malware that Symantec calls Downloader.Sninfs.

imagebrowser image

Although Twitter.com has been used in this instance, there are plenty of alternative sites on the Internet that could also be used as a similar medium of communication. Twitter.com has already taken the appropriate action against accounts being used in this way, including suspending the account used in the example above. Our investigation and analysis of Downloader.Sninfs is ongoing but has so far shown that it reads a specific Twitter.com RSS feed only once. The RSS feed is simply a text file similar to other RSS feeds found on other Internet sites. The RSS text file contains information as to where Downloader.Sninfs can find additional threats to download onto the compromised system. In this way the RSS file acts like a config file for the malware.

The malware currently being downloaded by Downloader.Sninfs is known to Symantec as Infostealer.Bancos. Infostealer.Bancos is a password-stealing Trojan. It mimics the interface of certain Brazilian banks in an attempt to collect passwords and other sensitive information from users of a compromised computer. This malware has been around since 2003 and is still prevalent. The image below shows a heatmap for Infostealer.Bancos infections over the last 60 days.

imagebrowser image

Infostealer.Bancos heatmap