A Twitter bot builder is currently being freely distributed on the Internet with the stated purpose of attacking users’ systems and having some fun at the same time. It becomes a real threat, however, when an attacker uses the tool to launch a distributed denial-of-service (DDoS) attack on critical systems or to download malicious files.
The program is used to build an executable file that connects to Twitter.com and executes commands based on a user’s Tweets. The attacker can distribute that file as an email attachment or as a link in an instant message and trick victims into downloading and executing it.
The bot builder comprises two files—TwitterNet Builder.exe and Stub.exe. TwitterNet Builder.exe is the builder’s interface: the user enters a Twitter user name to follow and clicks the “Build” button. Stub.exe is the base file into which the builder embeds the Twitter user name entered.
The builder will generate the bot server TwitterNet Builder.exe from Stub.exe, which the user may then send to a target victim.
Once the server runs on a system, it regularly connects to the target Twitter page to read the Tweets the attacker posted. The executable file is capable of downloading and executing a file from the Internet. It can start a DDoS attack via the User Datagram Protocol (UDP). It can also open a Web page, invoke the Windows text-to-speech application, stop all bot-related activities, and remove connected bots.
For the botnet to work, however, the attacker’s profile must be public so that the bot server can read its Tweets. Because the profile is public, security staff and administrators can easily track the attacker simply by searching for any of the commands it has used.
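The bot server described above polls one public Twitter page on a fixed schedule, which leaves a regular beacon in proxy logs. The following detector is an added example, not code from the original post or from the bot builder: it reads a constructed proxy log in an assumed "timestamp client host path" format and flags a client that requests the same Twitter page at near-constant intervals.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the original post); the profile path is a placeholder.
SAMPLE_LOG = """\
2010-05-11T10:00:00 10.0.0.5 twitter.com /attackerprofile
2010-05-11T10:00:04 10.0.0.7 twitter.com /home
2010-05-11T10:01:00 10.0.0.5 twitter.com /attackerprofile
2010-05-11T10:02:00 10.0.0.5 twitter.com /attackerprofile
2010-05-11T10:03:01 10.0.0.5 twitter.com /attackerprofile
2010-05-11T10:04:00 10.0.0.5 twitter.com /attackerprofile
2010-05-11T10:17:43 10.0.0.7 twitter.com /home
2010-05-11T10:45:12 10.0.0.7 twitter.com /home
2010-05-11T10:46:00 10.0.0.7 twitter.com /home
"""

def parse_log(text):
    """Yield (timestamp, client, host, path) from the assumed whitespace-separated log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = line.split()
        yield datetime.fromisoformat(ts), client, host, path

def find_beacons(text, min_hits=4, max_cv=0.2):
    """Return {(client, host, path): mean_gap_seconds} for request series that look like
    fixed-interval polling: at least min_hits requests whose inter-request gaps have a
    coefficient of variation (stdev / mean) no greater than max_cv.
    A human browsing the same page produces irregular gaps and is not flagged."""
    series = defaultdict(list)
    for ts, client, host, path in parse_log(text):
        series[(client, host, path)].append(ts)
    suspects = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            suspects[key] = avg
    return suspects

if __name__ == "__main__":
    for (client, host, path), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {host}{path} every ~{gap:.0f}s")
```

The thresholds are assumptions; tune min_hits and max_cv against your own proxy volume before alerting on them.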
Although the bot has no propagation capability and no autostart technique, an attacker can still install the bot server on a system manually or trick a user into executing the file. Users should therefore be careful when opening attachments and when executing files from unknown sources.
Trend Micro™ Smart Protection Network™ already protects product users from this threat by preventing the download and execution of all the related malicious files—TROJ_TWEBOT.BLD and TROJ_TWEBOT.STB—onto affected systems via the file reputation service.
Hat tip to Chris Boyd for first writing about this Twitter botnet creator here.