The tool allows botnet operators to manage their infrastructure without exposing their activities on their Twitter page

Nov 12, 2015 08:27 GMT  ·  By

British security researcher Paul Amar has created a tool that uses Twitter private messages (DMs) to power botnets. His tool, named Twittor, is a simple Python script that leverages the Twitter API and the service's option to let anyone message users.

Twittor allows hackers to create a Twitter account, set up a Twitter app, and obtain API credentials that they can feed into a Python script. This script can then be deployed to allow bots to send DMs to a main Twitter account, or to send out instructions to the bots.

Since Twitter removed the 140-character limit on DMs in August, complex instructions can be sent out without having to send multiple DMs to the same bot.

Twitter's API limit is 1,000 DMs per day per account, so with only a few Twittor-powered master accounts, criminals can control botnets with thousands of clients.
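A command channel built on DMs has to poll the Twitter API on a timer, and that regularity shows up in web-proxy logs even though the message content does not. The following script is an added example, not part of the article or the Twittor project: it parses constructed proxy log lines (the log format, client addresses and API paths are assumptions made for illustration), computes the gap between successive requests each client makes to the Twitter API host, and flags clients whose polling is both sustained and machine-regular (low coefficient of variation), while a user reading their timeline at irregular intervals is left alone.

```python
"""Flag clients that poll the Twitter API at machine-regular intervals.

Added example (not from the original article or the Twittor project).
The log format and all addresses/paths below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client_ip> <host> <path>"
SAMPLE_LOG = """\
2015-11-12T08:00:00 10.0.0.5 api.twitter.com /1.1/direct_messages.json
2015-11-12T08:01:00 10.0.0.5 api.twitter.com /1.1/direct_messages.json
2015-11-12T08:02:00 10.0.0.5 api.twitter.com /1.1/direct_messages.json
2015-11-12T08:03:00 10.0.0.5 api.twitter.com /1.1/direct_messages.json
2015-11-12T08:04:00 10.0.0.5 api.twitter.com /1.1/direct_messages.json
2015-11-12T08:05:00 10.0.0.5 api.twitter.com /1.1/direct_messages.json
2015-11-12T08:00:10 10.0.0.7 api.twitter.com /1.1/statuses/home_timeline.json
2015-11-12T08:00:25 10.0.0.7 api.twitter.com /1.1/direct_messages.json
2015-11-12T08:03:45 10.0.0.7 api.twitter.com /1.1/statuses/home_timeline.json
2015-11-12T08:04:15 10.0.0.7 api.twitter.com /1.1/direct_messages.json
2015-11-12T08:19:15 10.0.0.7 api.twitter.com /1.1/statuses/home_timeline.json
2015-11-12T08:19:20 10.0.0.7 www.example.com /index.html
2015-11-12T08:02:30 10.0.0.9 www.example.com /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client, host, path) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, host, path = m.groups()
        yield datetime.fromisoformat(ts), client, host, path


def polling_stats(text, watched_host="api.twitter.com"):
    """Per client, return (request_count, mean_gap_seconds, coefficient_of_variation)
    for requests to watched_host. Clients with fewer than three requests are omitted
    because two samples give no spread to measure."""
    times = defaultdict(list)
    for ts, client, host, _path in parse_log(text):
        if host == watched_host:
            times[client].append(ts)

    stats = {}
    for client, ts_list in times.items():
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        if len(gaps) < 2:
            continue
        avg = mean(gaps)
        # CV = stddev / mean; near zero means the client fires on a fixed timer.
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        stats[client] = (len(ts_list), avg, cv)
    return stats


def flag_beacons(text, min_requests=5, max_cv=0.1, watched_host="api.twitter.com"):
    """Return clients whose polling of watched_host is sustained (>= min_requests)
    and regular (CV <= max_cv). Thresholds are tuning knobs, not universal constants."""
    return sorted(
        client
        for client, (count, _avg, cv) in polling_stats(text, watched_host).items()
        if count >= min_requests and cv <= max_cv
    )


if __name__ == "__main__":
    for client, (count, avg, cv) in sorted(polling_stats(SAMPLE_LOG).items()):
        print(f"{client}: {count} requests, mean gap {avg:.1f}s, CV {cv:.2f}")
    print("flagged:", flag_beacons(SAMPLE_LOG))
```

In the constructed data, 10.0.0.5 contacts the API exactly once a minute (CV 0.0) and is flagged, while 10.0.0.7 mixes DM and timeline fetches at human-looking gaps of 15 to 900 seconds and is not. Real deployments should baseline per-client behaviour over a longer window and pair this with TLS SNI or proxy host data, since the DM content itself is not visible to the defender.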

This is not the first time we have seen Twitter being abused to manage botnets. In July, we reported on the activities of APT29, a group that used Twitter accounts to control a botnet set up using the HAMMERTOSS malware. In that particular case, the hackers were using public tweets.

If Twittor had been available at that time, the group's activities would have been harder to detect, since the commands would not have been public.