Twittor tool uses Twitter direct messages to control botnets
16.11.2015

Twittor is a tool open source that was designed by the London-based researchers Paul Amar to control botnets via Direct Messages.

The expert has developed the Twittor tool to make life easier for botnet masters, allowing them to control their malicious architectute by sending out commands via Twitter accounts.

“I mostly wanted to create a PoC after Twitter decided to remove the 140 characters limit for Direct Messages,” wrote the security researcher.
The use of Twitter as a communication channel to control a botnet is not a novelty, any botmasters use social networks such as Facebook and Twitter as C&C. This is a winner’s choice because the technique makes it hard to detect botnet activities.

The interactions with social networking sites can be easily automated and “malicious” traffic directed to social media platforms is hard to identify due to large volumes. Attackers can set up a network of fake profiles on a social network and use them to post a specific set of encrypted commands to the malware. The infected machine queries the “bootmaster” profile for new commands, summarizing a botnet a using C&C in social media is extremely resilient and allows malware to run for long periods of time.

The attackers have improved their control techniques over time. Some malicious agents, in fact, don’t limit their activity to just interpreting messages from social networking but also receive commands hidden inside a picture posted by a profile related to the bootmaster.

Twittor tool twitter CeC server

The Twittor tool is open source and it is available on GitHub, and the researcher Amar is inviting developers to contribute to the project.

“A stealthy Python based backdoor that uses Twitter (Direct Messages) as a command and control server This project has been inspired by Gcat which does the same but using a Gmail account.” Amar wrote.

“fork the project, contribute, submit pull requests, and have fun.”

The Twittor tool is a Python-based backdoor, the attacker just needs a Twitter account, set up a Twitter app, and get Twitter API credentials.

Among the features already implemented by the twitter tool there is the listing of active boys, execution of commands on it, refreshing of the C&C control. All via features rely on the Direct Messages.

Amar explained that Twittor tool has been inspired by gcat, another open source backdoor that exploits Gmail as a command and control server.