First Ever Twitter-Controlled Android Botnet Discovered

Security researchers have uncovered the first ever Twitter-controlled Android botnet, which acts as a backdoor to download malware onto infected devices. Dubbed Twitoor, the malicious app is not available on any official Android app stores. Researchers believe that the botnet is possibly distributed via SMS or malicious URLs. IT security experts from Imperva and AlienVault commented below.

Ben Herzberg, Security Research Group Manager at Imperva:

“Attackers keep looking for novel ways to extract information and receive commands and by using Twitter or other social media, the traffic seems less suspicious or prone to blocking.

We see attacks emanating from mobile devices on a daily basis. It’s really simply a continuation of a trend we’ve seen for some time now – botnet herders will try to compromise as many machines as they can, and mobile phones are an easy target.

Mobile devices are similar to IoT devices in that they are proliferating faster than desktops or servers, and are used by people with limited security training, and with no endpoint security like on personal computers. Like other IoT devices, mobile devices have plenty of bandwidth to mount attacks. To minimize the chance of your mobile phone being part of a botnet, only install applications from the Apple AppStore or Google Play.”

Javvad Malik, Security Advocate at AlienVault:

“There’s nothing particularly new about this. Twitter, and other social media channels have long been touted by researchers as potential C&C avenues http://www.darkreading.com/endpoint/tool-controls-botnet-with-twitter-direct-messages/d/d-id/1323110.

Command and Control structures are constantly evolving, and this is an example of that. Typically, C&C malware activity will take a hidden form as:

Tor network traffic.  The Tor browser utilizes a special network of worldwide servers to deliver exceptionally private browsing that’s very hard to trace to its original source. Unfortunately, that same design makes botnet commands hard to trace.

Peer to peer (P2P) services.  Thanks to the distributed nature of P2P, commands are distributed globally, in unpredictable ways, by an ever-changing network.

Social media. A public Facebook page or Twitter feed can be used to issue botnet commands — and that kind of traffic can be very hard to distinguish from genuine traffic.

Domain generation algorithms.  Today, herders use specialized algorithms to distribute botnet traffic so that it’s coming from random domains, effectively disguising the source.

Multi-level command and control servers.  Sometimes herders issue commands to server A, which issues them to server B, which issues them to the botnet. Even if server B is somehow blocked, A will keep working and can send them to a new server, C – mimicking the way scalable, highly stable enterprise software is architected.

As many techniques are designed to be stealthy, enterprises need to implement a multi-layered approach to detect c&c control server detection. Some ideas would be to:

Track suspicious network activity.  Beyond simply blocking IRC, admins can look for dubious outbound connection attempts in a much broader sense, and create/update service blacklists to deal with suspicious cases. Example: If a thousand users are all suddenly following a particular Twitter feed, and that feed’s content obviously isn’t meant for a human audience, that’s a clear sign of botnet activity.

Tweak firewalls and intrusion prevention/detection (IPS/IDS) systems in context-specific ways.  Many times, it’s possible to mitigate the problem for a given class of endpoint by limiting network access to the tasks/ports that are directly relevant to that endpoint. For instance, given a DNS server, you might consider blocking everything except UDP and TCP port 53. Also, for certain freeware IDS solutions such as Snort, there are downloadable rules that can help you automatically detect and block dubious activity on IRC and other ports, no matter where it originates on the network.

Harden workstations against the initial malware infection that creates a bot.  In addition to maintaining and upgrading basic antivirus solutions, administrators can run system integrity checks, minimize root privileges, and install client-side firewalls (especially effective if they support outbound packet rules, not just inbound). The fewer compromised machines you have, the less you need to worry about command and control server detection itself.

Try to break down the malware code to see how it works. Not all IT professionals can do this, but even knowing and applying the basics can yield good results. For instance, it’s sometimes possible to find command and control server detection information by disassembling the compiled code or even just by using a sector analysis tool that converts hexadecimal to ASCII.  (However, since herders are increasingly turning to integrated encryption, don’t expect this to work in every case.)

Taking down a C&C server is another matter. It often involves collaborating with law enforcement to take action on a case-by-case basis.

For the typical security professional, taking down a command and control server infrastructure is nearly impossible, and your time is honestly better spent elsewhere. Rely on trusted security solution providers to assist you in blacklisting known command and control networks with frequent updates to their command and control server list, and automating detection of suspicious activity inside your firewall. This frees you up to focus on preventing command & control malware infections and ensuring your endpoints are not being used in an attack on your infrastructure or on someone else’s.”