Social networking giant used as bot command channel

Aug 14, 2009 14:11 GMT

Dr. Jose Nazario, manager of security research at Arbor Networks, recently discovered that the Twitter account “upd4t3” has been relaying base64-encoded command messages to a botnet through its tweets. Unnoticed by Twitter, the account has been broadcasting messages carrying encoded instructions to a network of bots.

After the recent DDoS attacks on Twitter, company security officials have been on a rampage and have quarantined or deleted hundreds of suspicious accounts. The site went down last week and was hit again at the beginning of this week by numerous attacks that crippled its services for hours at a time.

The upd4t3 account has been placed under observation by Twitter admins, who will later decide what to do with it and its owner. According to Dr. Nazario's investigation, the account has been broadcasting several base64-encoded messages, each carrying different orders, which the bots fetch through Twitter's RSS status update service.

In a blog post, Dr. Nazario analyzed one message picked at random from the account; once decoded, it contained two URLs. The first link was dead; the second pointed to an archive.
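As an added defensive illustration, not code from Arbor Networks or Twitter, the following Python scans status-update text (for instance, the item text pulled from an account's RSS feed) for base64 tokens that decode to URLs, which is the pattern described above. The sample statuses are constructed, and the `example.invalid` hosts are placeholders rather than real indicators.

```python
"""Flag microblog status updates that hide URLs inside base64 tokens (defensive example)."""
import base64
import binascii
import re
from typing import List, Tuple

# A base64 "word": 16+ characters of the standard alphabet with optional padding,
# not glued to other base64 characters. URL-safe base64 ('-', '_') is not handled here.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def decode_candidates(text: str) -> List[Tuple[str, str]]:
    """Return (token, decoded_text) for each base64-looking token that decodes to printable ASCII."""
    found = []
    for match in B64_TOKEN.finditer(text):
        token = match.group(0)
        padded = token + "=" * (-len(token) % 4)  # restore padding the poster may have stripped
        try:
            raw = base64.b64decode(padded, validate=True)
            decoded = raw.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # ordinary long words decode to garbage and are dropped here
        if decoded.isprintable():
            found.append((token, decoded))
    return found

def extract_hidden_urls(status_text: str) -> List[str]:
    """URLs that appear only after base64-decoding part of a status update."""
    urls: List[str] = []
    for _token, decoded in decode_candidates(status_text):
        urls.extend(URL_PATTERN.findall(decoded))
    return urls

def scan_feed(statuses: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (status, hidden_urls) for every status that carries base64-wrapped URLs."""
    flagged = []
    for status in statuses:
        urls = extract_hidden_urls(status)
        if urls:
            flagged.append((status, urls))
    return flagged

# Constructed sample feed: one benign tweet and one encoded "command" whose two URLs
# use the reserved placeholder host example.invalid (no real indicators).
SAMPLE_STATUSES = [
    "Just setting up my twttr",
    base64.b64encode(b"http://example.invalid/a.php http://example.invalid/b.zip").decode("ascii"),
]
```

Running `scan_feed` over a feed's item texts on a schedule turns the manual decoding step in the article into a repeatable check; tokens that decode to printable text without URLs are still worth a look but are not flagged by this filter.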

After unzipping, two files were found inside the archive: a .DLL and an .EXE. Using a UPX unpacker, Dr. Nazario found an infostealer inside the DLL, which pointed to several Brazilian-assigned IP addresses and Brazilian websites.

A scan with the VirusTotal online service did not flag the DLL as malware, while 9 of the 41 anti-virus engines flagged the EXE, some of them labeling it a Buzus trojan.

Most probably, the Twitter account was used to control a network of banker Trojans, which spied on victims and stole the information needed to access online banking and financial websites. How successful this kind of attack has been, using that account or any other account on Twitter, is not known.

A similar RSS client-server botnet command channel was identified on MySpace two years ago, performing iframe injection on victims’ blogs and profiles.