Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Karl Dominguez (Threat Response Engineer)

    A Twitter bot builder is currently being freely distributed on the Internet with the capability to attack users’ systems and to have some fun at the same time. It may, however, act as a threat when an attacker uses the tool to start a distributed denial-of-service attack (DDoS) on critical systems and to download malicious files.

    The program is used to build an executable file that connects to and to execute commands based on a user’s Tweets. The attacker can send emails with file attachments or send instant messages with links to copy and trick victims to download and execute the file.

    The bot builder comprises two files—TwitterNet Builder.exe and Stub.exe. TwitterNet Builder.exe is the interface for the builder, which requires a user to input a Twitter user name to follow and click the “Build” button. Stub.exe is the base file to which the builder will integrate the Twitter user name entered.

    Click for larger view

    The builder will generate the bot server TwitterNet Builder.exe from Stub.exe, which the user may send to a target victim:

    Click for larger view

    Once the server runs on a system, it will regularly connect to the target Twitter page to read the Tweets the attacker posted. The executable file is capable of downloading and executing a file from the Internet. It can start a DDoS attack via User Datagram protocol (UDP). It also opens a Web page, uses the Windows Text-to-Speech Application, stops all bot-related activities, and removes connecting bots.

    However, for the botnet to work, the attacking profile should be a public one so that bot server can read its Tweets. By being listed as a public profile, attackers can easily be tracked by security staff and administrators by simply searching any of the commands it used.

    Though it does not have any propagation capability nor autostart technique, it is also possible for an attacker to manually install the bot server onto a system or to trick a user into executing the file. Users should then be careful when opening attachments and when executing files from unknown sources.

    The bot builder TwitterNet Builder.exe is detected by Trend Micro as TROJ_TWEBOT.BLD while Stub.exe and the generated bot servers TwitterNet.exe are detected as TROJ_TWEBOT.STB.

    Trend Micro™ Smart Protection Network™ already protects product users from this threat by preventing the download and execution of all the related malicious files—TROJ_TWEBOT.BLD and TROJ_TWEBOT.STB—onto affected systems via the file reputation service.

    Hat tip to Chris Boyd for first writing about this Twitter botnet creator here.


    TrendLabsSM engineers recently spotted a new worm leveraging peer-to-peer (P2P) applications similar to the threat that displays copyright violation warnings. The new worm detected by Trend Micro as WORM_PITUPI.K solves the typical problem that P2P worms face, that is, hard-coded file names used to trick users by pretending to be cracks, key generators, or actual software.

    Click for larger view

    However, the problem with using the hard-coded technique is that the malware becomes obsolete once the software becomes outdated. WORM_PITUPI.K goes about this by using the names of recently released software by connecting to The Pirate Bay website every time the worm executes. It then drops copies of itself into P2P shared folders using the names of the top 100 software and top 100 games as file names.

    The worm is also capable of dropping 200 copies into the P2P shared folders with every execution. At 254,604 bytes per copy, the worm can easily occupy a substantial portion of a user’s system over time. It propagates via removable drives and over the Bearshare, BitComet, eMule, FrostWire, Kazaa, Limewire, Lphant, and Shareaza P2P networks.

    Unfortunately, copies of the malware’s source code have also been found to be freely available in underground forums. As such, malicious programmers can enhance it to include other payloads such as downloading routines or even backdoor capabilities.

    Because of this threat and similar ones we have encountered in the past, users are advised to stop downloading illegal software and media content. As this worm also spreads via removable drives, it is also advisable to disable their AutoRun feature and make them malware proof.

    Trend Micro™ Smart Protection Network™ protects users from this kind of threat by blocking access to all related malicious URLs via the Web reputation service and by preventing the download and execution of WORM_PITUPI.K via the file reputation service.


    The ZeuS/ZBOT malware continues to uphold its notorious reputation. As we have seen in the past, ZBOT variants steal account credentials when users visit various social networking, online shopping, and bank-related websites.

    Another social engineering tactic that has been employed by ZeuS/ZBOT perpetrators is the use of .PDF files. Specially crafted .PDF files have been used as a vehicle for malware propagation by exploiting different vulnerabilities discovered in Adobe Reader and Acrobat.

    Recently, however, we spotted a specially crafted .PDF file that drops a ZBOT variant without exploiting a vulnerability. Instead, this malicious file exploits a legitimate Adobe Reader feature. The said feature is the /launch function in the PDF specification, as security researcher Dieder Stevens demonstrated in his blog. This function allows a portable document author to attach an executable file and, via social engineering, trick users to save and run the embedded file.

    Trend Micro currently detects the specially crafted .PDF file as TROJ_PIDIEF.UTA. The said file arrives as an attachment to a spammed message supposedly from “Royal Mail.” The email body states that a mail it tried to deliver was not received and that the attached Royal_Mail_Delivery_Invoice_1092817.pdf is a notification for the delivery invoice.

    Upon opening the malicious .PDF file, however, Adobe Reader and Acrobat will prompt the user that the file contains a potential security risk and that he/she must only allow the program to execute if it came from a trusted source. The said prompt is a legitimate feature of  Adobe Reader and Acrobat, which triggers the dropping of the ZBOT variant. Clicking the Open button executes the malicious embedded file. This dropped file is detected by Trend Micro as TSPY_ZBOT.NCT. To further trick the user into thinking the file is legitimate, the .PDF file contains a calendar that helps hide its routines from the user.

    Click for larger view Click for larger view

    Adobe is currently conducting research on how to mitigate this security hazard. As a precaution, however, users of Adobe Reader and Acrobat can change the program settings to disable the execution of attachments in portable documents. This can be done by the following these steps:

    1. In Adobe Reader and Acrobat, click Edit menu then click Preferences.
    2. In the Trust Manager Category, uncheck Allow opening of non-PDF file attachment with external applications box.

    Trend Micro protects users from this attack via the Smart Protection Network™, which blocks user access to all malicious URLs via the Web reputation service and detects all related malware via the file reputation service.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice