Friday, August 14, 2009
Jose Nazario, manager of security research at Arbor Networks, discovered a botnet that uses Twitter updates from a specific Twitter account as its command-and-control (C&C) channel. The updates are base64-encoded strings that decode to malicious short URLs.
The idea of using Twitter updates as a C&C channel was presented at Defcon a few months ago, and a Twitter-based botnet proof of concept has been publicly available since then.
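The encoding described above (a base64 token in an update that decodes to a short URL) is simple to spot in feed data. The following detector is an added example, not code from the original post or from Arbor Networks; the sample updates and the short-URL host list are constructed for illustration.

```python
import base64
import binascii
import re

# Tokens that look like base64 (alphabet plus optional padding).
B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')
URL_RE = re.compile(r'https?://\S+', re.IGNORECASE)
# Constructed watch list of URL shorteners; a real deployment would use its own.
SHORT_URL_HOSTS = {"bit.ly", "tinyurl.com", "is.gd"}

def decode_b64_token(token):
    """Return decoded text if token is valid base64 yielding printable ASCII, else None."""
    if len(token) < 8 or not B64_RE.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)   # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None   # drops binary garbage

def find_hidden_urls(update):
    """Return every URL found inside base64-encoded tokens of one update."""
    found = []
    for token in update.split():
        decoded = decode_b64_token(token)
        if decoded is not None:
            found.extend(URL_RE.findall(decoded))
    return found

def host_of(url):
    """Extract the lowercase host part of a URL."""
    return url.split("//", 1)[1].split("/", 1)[0].lower()

def flag_updates(updates):
    """Return (update, urls, uses_shortener) for updates carrying hidden URLs."""
    hits = []
    for update in updates:
        urls = find_hidden_urls(update)
        if urls:
            shortener = any(host_of(u) in SHORT_URL_HOSTS for u in urls)
            hits.append((update, urls, shortener))
    return hits

# Constructed sample feed: one C&C-style update among ordinary chatter.
SAMPLE_UPDATES = [
    "status " + base64.b64encode(b"http://bit.ly/example").decode(),
    "lunch was great, wordwordword everyone",   # base64-shaped but not ASCII
    "meeting at noon",
]

if __name__ == "__main__":
    for update, urls, shortener in flag_updates(SAMPLE_UPDATES):
        print(update, "->", urls, "shortener" if shortener else "")
```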
Now we can imagine the next step for the bad guys:
- Use asymmetric or symmetric keys to encrypt and sign the C&C updates.
- Use the same technique as the domain flux used by Conficker: generate hundreds of thousands of Twitter account names and have the bots randomly check a subset of them.
- Use more than one microblogging service; Jaiku, for example, has already been seen in use.
- Use blogs, or even public social-media profiles, to distribute commands.
I guess this will take us to the next level of botnets... hold your breath...