Twitter botnet creation made simple


A new tool designed to make botnet-based attacks over Twitter simpler has been created, according to a security expert.

Named the TwitterNet Builder, it can create botnets to carry out a variety of actions, including installation of software or a distributed denial-of-service attack, explained Sunbelt Software researcher Christopher Boyd, in a blog post.

Once the end user is infected, the attacker can post commands telling the botnet what action they want it to take from a specified Twitter account.

Twitter has now been notified of the problem and is looking into it, Boyd noted.

"All in all, a very slick tool and no doubt script kiddies everywhere are salivating over the prospect of hitting a website with a DDoS from their mobile phones," Boyd said.

Fortunately for Twitter users, there are drawbacks to the system. "This doesn't work if the person controlling the bots attempts to hide their commands with a private Twitter page," Boyd added.

Being public means that Twitter should be able to block anyone issuing such commands and it only takes a search on the micro-blogging service to identify those using the attack method.

Graham Cluley, senior technology consultant at Sophos, had seen Boyd's blog and also pointed to the flaws of the botnet creator.

"If a botnet is reliant upon Twitter accounts to give it its commands then it's relatively easy to cut off the head and disable accounts. The guys at Twitter are shutting down accounts all the time because of spam, or porn, or phishing, or faking identities," he told IT PRO.

He did have a warning, however, about other threats on Twitter, such as spam and malicious links being placed on the service.

"We see lots of automated accounts being created with fake profiles which then lure you in with sexy pictures and sexy chat and then ultimately you are given a malicious link," he said.

He also pointed to the recent bug that let some users force others to follow them, which "could have been very nasty".

"One wonders how many other flaws might there be on Twitter which we simply don't know about at the moment," Cluley added.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.