
    A Twitter bot builder that can be used both to attack users’ systems and to have some fun is currently being freely distributed on the Internet. It becomes a threat when an attacker uses the tool to start a distributed denial-of-service (DDoS) attack on critical systems and to download malicious files.

    The program is used to build an executable file that connects to Twitter and executes commands based on a user’s Tweets. The attacker can send emails with file attachments or send instant messages with links to a copy of the file to trick victims into downloading and executing it.

    The bot builder comprises two files—TwitterNet Builder.exe and Stub.exe. TwitterNet Builder.exe is the interface for the builder, which requires a user to input a Twitter user name to follow and click the “Build” button. Stub.exe is the base file to which the builder will integrate the Twitter user name entered.


    The builder will generate the bot server TwitterNet Builder.exe from Stub.exe, which the user may send to a target victim:


    Once the server runs on a system, it will regularly connect to the target Twitter page to read the Tweets the attacker posted. The executable file is capable of downloading and executing a file from the Internet. It can start a DDoS attack via User Datagram Protocol (UDP). It also opens a Web page, uses the Windows Text-to-Speech Application, stops all bot-related activities, and removes connecting bots.

    However, for the botnet to work, the attacking profile should be a public one so that the bot server can read its Tweets. Because the profile is public, security staff and administrators can easily track attackers by simply searching for any of the commands it used.

    Though it has neither propagation capability nor an autostart technique, an attacker can still manually install the bot server onto a system or trick a user into executing the file. Users should therefore be careful when opening attachments and when executing files from unknown sources.
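Because the bot server regularly connects to a single Twitter page, that polling can also be looked for in web proxy logs. The following is an added example, not code from the original post or from Trend Micro: it flags clients that fetch the same Twitter URL at near-constant intervals. The log format, host names, profile name and thresholds are all assumptions made for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log lines: "<ISO timestamp> <client host> <URL>" (assumed format).
SAMPLE_LOG = """\
2010-05-14T09:00:00 ws-017 http://twitter.com/example_profile
2010-05-14T09:00:10 ws-042 http://twitter.com/home
2010-05-14T09:00:45 ws-042 http://twitter.com/home
2010-05-14T09:01:00 ws-017 http://twitter.com/example_profile
2010-05-14T09:02:01 ws-017 http://twitter.com/example_profile
2010-05-14T09:03:00 ws-017 http://twitter.com/example_profile
2010-05-14T09:04:00 ws-017 http://twitter.com/example_profile
2010-05-14T09:05:01 ws-017 http://twitter.com/example_profile
2010-05-14T09:07:30 ws-042 http://twitter.com/home
2010-05-14T09:08:02 ws-042 http://twitter.com/home
2010-05-14T09:31:15 ws-042 http://twitter.com/home
2010-05-14T09:55:40 ws-042 http://twitter.com/home
"""

def is_twitter(url):
    """True when the URL's host is twitter.com or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return host == "twitter.com" or host.endswith(".twitter.com")

def find_pollers(log_text, min_hits=5, max_jitter=0.1):
    """Return {(client, url): mean interval in seconds} for machine-like polling.

    A (client, url) pair is flagged when it has at least min_hits requests and
    the gaps between them vary by no more than max_jitter (std dev / mean).
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not is_twitter(parts[2]):
            continue  # skip malformed lines and non-Twitter traffic
        hits[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
    flagged = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged[key] = mean
    return flagged
```

A flagged pair is only a lead: legitimate Twitter clients and widgets also poll on a timer, so check which process on the host is making the requests.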

    The bot builder TwitterNet Builder.exe is detected by Trend Micro as TROJ_TWEBOT.BLD while Stub.exe and the generated bot servers TwitterNet.exe are detected as TROJ_TWEBOT.STB.

    Trend Micro™ Smart Protection Network™ already protects product users from this threat by preventing the download and execution of all the related malicious files—TROJ_TWEBOT.BLD and TROJ_TWEBOT.STB—onto affected systems via the file reputation service.

    Hat tip to Chris Boyd for first writing about this Twitter botnet creator here.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice