The owners of at least one botnet are now using Twitter to control it, according to a report from traffic management specialist Arbor Networks.
Because the control messages come from a trusted site, this sort of traffic could pierce the enterprise security firewall, the firm warned.
“This appears as legitimate traffic to a legitimate Web site. It is conceivable that this traffic could evade enterprise-level security,” Jose Nazario, a senior security researcher with Arbor Networks, told InternetNews.com.
The news is the latest in a string of cases where legitimate sites have proven more dangerous than the Web’s known seamy areas.
Another security expert agreed that the danger is growing.
“As Twitter gains an increasingly large audience, it becomes an increasingly desirable target for attack and exploitation,” Don Gray, the chief security strategist with security firm Solutionary, said in an e-mail to InternetNews.com. “And because organizations may be viewing Twitter traffic as acceptable use, an attack like this one can often come in under the radar.”
The tweets in question consisted of encoded links shortened with the URL service bit.ly. Those links led to Web sites hosting the malware payload and instructions for the bots.
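As an added defender-side example (not part of the original report or Arbor's own tooling), the Python heuristic below flags tweets that consist of a base64 blob concealing a link-shortener URL, the pattern described above. The use of base64 specifically, the shortener hosts other than bit.ly, and the sample timeline are assumptions constructed for this example.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Shorteners an operator might hide behind encoding. bit.ly is named in
# the article; the other hosts are an assumption for this example.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)/\S*")
B64_RE = re.compile(r"[A-Za-z0-9+/=]{8,}")


def decode_base64_text(text: str) -> Optional[str]:
    """Treat a whole tweet as base64; return decoded ASCII text or None."""
    candidate = text.strip()
    if not B64_RE.fullmatch(candidate):
        return None
    candidate += "=" * (-len(candidate) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(candidate, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def hidden_shortener_url(tweet: str) -> Optional[str]:
    """Return the shortener URL hidden in an encoded tweet, else None."""
    decoded = decode_base64_text(tweet)
    if decoded is None:
        return None
    m = URL_RE.search(decoded)
    if m and m.group(1).lower() in SHORTENER_HOSTS:
        return m.group(0)
    return None


def flag_suspicious(tweets: List[str]) -> List[Tuple[str, str]]:
    """Return (tweet, decoded_url) pairs that merit analyst review."""
    return [(t, u) for t in tweets if (u := hidden_shortener_url(t))]


# Constructed sample timeline; the encoded entry hides a placeholder bit.ly link.
SAMPLE_TIMELINE = [
    "Heading to lunch, back in an hour",
    base64.b64encode(b"http://bit.ly/exampleC2").decode("ascii"),
    "aGVsbG8gd29ybGQ=",  # base64 of "hello world": decodes, but no URL inside
    "http://bit.ly/abc123 check this out",  # plain link, not encoded
]

if __name__ == "__main__":
    for tweet, url in flag_suspicious(SAMPLE_TIMELINE):
        print(f"FLAG: {tweet!r} -> {url}")
```

Plain-text links are deliberately not flagged: the heuristic targets the encoding step, so a shortener URL posted in the clear would need a separate URL-reputation check.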
Symantec identified the infection as a new malware sample that it called Downloader.snifs. The downloader is using Twitter links to find a payload called Infostealer.Bancos that dates back to 2003, Symantec security analyst Peter Coogan wrote in a blog post. Infostealer.Bancos installs software that searches for credentials for bank accounts at Banco de Brasil.
Criminals after money find it in bank account and credit card credentials, experts say.
“We have seen bank account information stealers for years now,” Nazario said. “They either attack global banks or banks in Latin America. Many go back in one form or another to Brazil.”
He added, “We often see the use of a language-specific or cultural-specific lure to download malware, such as photos of a TV starlet or a song from a band.”
Because the attackers used bit.ly, Nazario was able to estimate the botnet’s size at around 200 infected PCs using the clickthrough statistics that bit.ly generates automatically.
Botnets are very bad
The theft of personal accounts places a real burden on victims. On average, victims of identity theft spend $789 and spend 58 hours repairing the damage, according to a report from the Identity Theft Resource Center.
The crime can be even more harmful when it involves the theft of a person’s medical identity, resulting in the denial of medical care or a loss of health insurance.
It also places a burden on businesses. Business victims of identity theft reported average damages of $90,107 in 2008, according to the Identity Theft Resource Center.
Botnets are the root cause of much Internet pain. Security researchers have attributed recent high-profile denial-of-service attacks to botnet operations, and blamed them for a significant portion of the
Twitter still has a place in the enterprise
Despite the recent attacks, Nazario said that IT managers should not abandon the use of social media in the enterprise.
“Any social media has tremendous power to make employees more productive,” he said. “Most employees couldn’t live without e-mail and now IM too.”
He gave the services involved in the recent attack credit for their professional management and speedy response to security concerns.
Both bit.ly and Twitter contacted Nazario after the botnet operation was discovered and reacted quickly, he said.
“Once they confirmed this was a malicious account, our security contact at Twitter disabled it in minutes,” Nazario said. “We are also in contact with bit.ly. Twitter and bit.ly are victims of their own success, and they take security seriously. They have been quick in their response and they have done what they need to do.”
He acknowledged, however, that some managers have legitimate misgivings about social media. “There are security concerns,” he said. “From a managerial perspective, some worry that people are wasting time.”
He added that managers should be able to tell the difference between the productive use of social media and a waste of time. “I encourage managers to identify whether social media are being used and if they are being used, to make sure they are used safely and appropriately,” he said.
Solutionary’s Gray agreed that this is no time for IT managers to let their guard down, because the next bot herders that crop up on Twitter could be better hidden.
“Luckily, in this case, the attacker chose to use weak encoding to conceal the attack — the next such attack will likely be harder to track down and defend against,” he warned.
Update fixes spelling of the name of Don Gray, the chief security strategist with security firm Solutionary.