Twitter.com is once again in the media spotlight. This time security researchers at Arbor Networks have found what is thought to be a botnet using Twitter for its command-and-control operations. Obfuscated Twitter status messages (like the ones in the image below) are being used to send out new download links to malware that Symantec calls Downloader.Sninfs.
Although Twitter.com has been used in this instance, there are plenty of alternative sites on the Internet that could also be used as a similar medium of communication. Twitter.com has already taken the appropriate action against accounts being used in this way, including suspending the account used in the example above. Our investigation and analysis of Downloader.Sninfs is ongoing but has so far shown that it reads a specific Twitter.com RSS feed only once. The RSS feed is simply a text file similar to other RSS feeds found on other Internet sites. The RSS text file contains information as to where Downloader.Sninfs can find additional threats to download onto the compromised system. In this way the RSS file acts like a config file for the malware.
The malware currently being downloaded by Downloader.Sninfs is known to Symantec as Infostealer.Bancos. Infostealer.Bancos is a password-stealing Trojan. It mimics the interface of certain Brazilian banks in an attempt to collect passwords and other sensitive information from users of a compromised computer. This malware has been around since 2003 and is still prevalent. The image below shows a heatmap for Infostealer.Bancos infections over the last 60 days.