ID thieves use Twitter to control evil zombies @upd4t3
- TAGS:bot, botnet, security, Twitter, zombies
- IT TOPICS:Cybercrime & Hacking, Desktop Apps, Government & Regulation, Internet, Networking
Brazilian identity thieves are now using Twitter for command and control duties in their botnets. In IT Blogwatch, bloggers tell tales of the shady Twitter user @upd4t3.
By Richi Jennings. August 14, 2009.
Your humble blogwatcher has selected these bloggy morsels for your enjoyment. Not to mention French alien babies...
Dan Goodin reports:
Twitter has come under attacks that besieged it with more traffic than it could handle. Now comes evidence that the microblogging website is being used to feed the very types of infected machines that took it out of commission. That's the conclusion of Jose Nazario, the manager of security research at Arbor Networks. On Thursday, he stumbled upon a Twitter account that was being used as part of an improvised update server for computers that are part of a botnet.
...
Master command channels used to herd large numbers of infected machines have long been one of the weak links in the botnet trade. Not only do they cost money to maintain, but they can provide tell-tale clues that help law enforcement. ... Bot herders have used ICQ, internet relay chat, and other chat mediums to get around this limitation, but this appears to be the first time Twitter is known to have been employed.
Joseph Menn adds:
Besides denial-of-service attacks, botnets are used for stealing financial data from the true owners of the computers and sending spam email.
Jose Nazario is the horse's mouth:
While digging around I found a botnet that uses Twitter as its command and control structure. Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run. It’s an infostealer operation.
...
The account ... is just one of what appear to be a handful of Twitter C&C accounts.
Ryan Naraine goes deeper:
The bots are sending data to URLs linked to Brazilian criminals that specialize in banker Trojans. ... used to steal logins, passwords, PINs, check words and other information from bank websites.
The stolen information is usually uploaded to a hacker’s website using a webform. The most vulnerable are users of on-line banks and payment systems that have logins and passwords that do not change every time a user logs on. That is why many banks are now switching to one-time passwords that expire after being used once.
Doesn't Michael R. Farnum mean "bot-herders"?:
If botherders are using Twitter for command and control of their botnets, then it stands to reason that they won't take Twitter down for fear of losing control of the very botnet they are using to attack Twitter, right? RIGHT?? Ugh...
Ryan Singel is surprised:
Infected computers were following the Twitter feed “Upd4t3” (now suspended) through its RSS feed.
...
Perhaps what’s surprising then is that it’s taken so long for hackers to take Twitter to the dark side.
Rasputin offers snappy patter:
Twitter is very useful! You can use it to stay up to date with friends and family; or to broadcast your witty bon mots to your millions of followers; or to remotely control thousands of zombified, virus-laden computers, forcing them to do your bidding.
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and spam. A 24 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him as @richi on Twitter or richij on FriendFeed, pretend to be Richi's friend on Facebook, or just use good old email: itblogwatch@richij.com.