Direct Messages on Twitter are a way for users to send messages to individuals or a group of users privately, as opposed to regular tweets, which can be seen by everyone.
But now, self-styled security researcher Paul Amar has created a free Python-based tool called Twittor that uses Direct Messages on Twitter as a command-and-control server for botnets.
As you probably know, cybercriminals use botnets in a variety of ways to launch attacks.
For example, a cybercriminal could tell the computers in his botnet (called bots or zombies) to send out spam, or he could rent the botnet to other cybercriminals who might use it to generate fraudulent traffic that can cause a website to crash.
For a botnet to do any of these things, the bots need to “call home” for instructions to a command and control (C&C) server, which typically uses HTTP to send messages over the web, or HTTPS for encrypted communications.
Now, using Twittor, a cybercrook could send messages over Twitter Direct Message, which Amar says could help botnet masters hide their activities among legitimate Twitter traffic.
Amar got the idea for his Direct Message C&C server from a similar tool called Gcat, which does the same thing using a Gmail account, according to Amar’s post on the code-sharing site GitHub, where he provides the Twittor tool and instructions on how to use it.
Amar was looking for ways third-party services could hide malicious traffic, he told Dark Reading.
The opportunity to use Twitter opened up in August when Twitter announced that it was lifting the 140-character limit on Direct Messages, which Amar says “allows for more malicious activity.”
There are some limitations: Twitter does limit users to 1000 Direct Messages per day, so a bot master would be able to control only about 100 bots per account.
But a bot master might find the stealth of using Twitter Direct Messages appealing because those communications would be very hard to detect.
Amar told Dark Reading that his tool uses the Twitter API, so IP filtering won’t catch it; and because Direct Messages are private, “there’s no public malicious activity.”
But the one thing we don’t quite get in all of this is, “Why?”
Publishing a free tool that helps you operate a botnet via Twitter Direct Message seems a strange way to conduct security research, especially when Twitbots are nothing new.