New tools enable Twitter controlled botnets

by CXOtoday Staff    May 18, 2010

BitDefender has released an emergency update to protect against a potential pandemic caused by the emergence of a botnet self-development kit controllable via the popular social media service Twitter. In order to create their custom bot, an attacker only has to launch the SDK, enter a Twitter username that would act as a command & control center and modify the resulting bot’s name and icon to suit their distribution method.


The newly-created bot will constantly interrogate the specified Twitter profile (available at http://www. for posts resembling specially-crafted commands. In order to avoid confusion, all of the six supported commands have to start with a period:

1. The .VISIT command accepts two parameters separated by the * sign, as follows: .VISIT*URL*1 or .VISIT*URL*0. The command would make the bot visit a web page specified in the URL parameter. The latter parameter tells the bot whether to visit the URL in a visible (1) or an invisible (0) window.

2. The .SAY command only takes one parameter and would initialize the Microsoft Text-To-Speech Engine to read the specific parameter (as demonstrated in the video). Example: .SAY*Something to say.

Up until here, the bot seems to be more of a hoax tool than of a dangerous piece of malware. However, things get complicated with the inclusion of the following two commands.

3. The .DOWNLOAD command takes a URL as the first parameter and either 0 or 1 as the second one: .DOWNLOAD*URL/somefile.exe*0 or .DOWNLOAD*URL/somefile.exe*1. The URL tells the bot where to take the file from, while the numeric parameter tells is if the file should be executed or not when download completes.

4. The .DDOS*IP*PORT command would trigger an UDP flood attack against the indicated IP on the specified port number (be it computer, router or server), thus taking the criminal game to a whole new level of aggression.

Terminating the tasks:
5. .STOP ensures that the bots eventually stop the repetitive actions such as visiting web resources or hammering an IP to cause a DDOS condition, and return to a "listening" state.

6. The .REMOVEALL command tells the bots to disconnect from the Twitter account and stay dormant until the next restart. This command practically eliminates all traffic between the bot and the Web, thus making it less "visible" to network packet monitoring tools such as Wireshark.

This is, undoubtedly, one of the first attempts at creating an automated bot creation tool to be used in conjunction with a Twitter C&C. However, the overall mood of the TwitterNET Builder, as it is called, is experimental: the creator didn’t spend too much to protect the generated bots from reverse engineering or from detection and termination, but this flaw doesn’t make them less dangerous for the average computer user.

One thing to bear in mind though: a closer look into the file reveals that the wannabe botmaster is not the only one controlling the network. There is a secondary hardcoded Twitter account name called @Korrupt that may pass commands to any bot generated with the tool, regardless of the C & C account specified by the bot’s creator. However, at the moment, this account does not reveal any traces of criminal activity.


And even if coordinating a botnet via a Twitter profile has its specific drawbacks (this is a single point-of-failure C&C - once the Twitter account is deleted for abuse, the entire botnet would fall apart the next second), it also has its advantages - a botmaster can unleash a large-scale malware pandemic (by silently downloading and executing malware to all the zombie systems) or a DDOS attack by simply tweeting a single line of text from a mobile phone.
In order to protect customers, BitDefender has added detection for Trojan.TweetBot.A and released a free removal tool available at