Twitter-based Botnet Command Channel


Twitter-based Botnet Command Channel: “


While digging around I found a botnet that uses Twitter as its command and control structure. Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run. It’s an infostealer operation.

The account in question is under analysis by Twitter’s security team. I spotted it because a bot uses the RSS feed to get the status updates.

upd4t3 twitter profile.png

As for the original bot in question that fetches the updates, here’s the VirusTotal analysis, where you can see it’s detected by 19/41 (46.34%) AV tools under evaluation. We can look at the status messages and discover more nefarious activity; the bot’s hiding new malcode which is poorly detected this way. The original link from the malcode came from a ShadowServer nightly link report, which they make available to folks. Many thanks to them.

Let’s look at one of the update messages; it’s pretty clearly base64 encoded. What does it say?

$ echo 'aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw==' | openssl base64 -d
hxxp:// hxxp://

OK, a couple of links. One is dead (to a pastebin), one is live.

That second link yields a base64 encoded block of text. When we un-encode it using base64 we see a PKZIP archive (which we have dumped as ‘out.qqq’ since we don’t know what the extension would have been beforehand). We can then unpack this and see what we find:

$ unzip out.qqq
Archive: out.qqq
inflating: gbpm.dll
inflating: gbpm.exe
$ openssl md5 gbpm.*
MD5(gbpm.dll)= ceb8d7fd74da0a187cc39ced4550ddb4
MD5(gbpm.exe)= a5cc8140e783190efb69d38c2be4393f

gbpm.dll is UPX packed, so we can unpack this:

$ upx2 -d gbpm.dll.upx
Ultimate Packer for eXecutables
Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006
File size Ratio Format Name
-------------------- ------ ----------- -----------
263680 <- 103424 39.22% win32/pe gbpm.dll.upx
Unpacked 1 file.

This file looks like an infostealer. Here are some of the URLs it will send data to:


gbpm.exe is packed with a different packer.

That DLL is very poorly detected, the EXE has a VTotal result of 9/41 (21.95%) and appears to be a Buzus sample according to one vendor.

The account is presently live but under review by Twitter, and is just one of what appear to be a handful of Twitter C&C accounts.

UPDATE 14 Aug 2009

Via, some statistics that suggest the malcode has infected a couple hundred PCs, mostly in Brazil.

bitly twitter botnet geo.png

Now that it’s disabled, ‘upd4t3″ had a similar profile on

upd4t3 jaiku profile.png

Many thanks to the Jaiku team for reviewing and shutting this account down. Still looking for more services ‘upd4t3″ is abusing … looks like Tumblr has also been used by ‘upd4t3″:

upd4t3 tumblr profile.png

Still poking around various micro-blogging services. I wonder why he abandoned Tumblr. (There are more microblogging tools than I had anticipated …)

(Via Security to the Core | Arbor Networks Security.)


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: