Twitter Bot Builder in the Wild

Written by: Valerie Rivera

Background of the Attack

A Twitter bot builder, primarily created as a joke program, is currently being freely distributed on the Internet. While the tool is designed for harmless fun, it may used by malicious users to attack user systems.


How does this threat get into users' systems?

This threat may arrive bundled with malware packages as a malware component or may be unknowingly downloaded by users from the Internet. Malicious users may also deliberately install the executable file onto user systems or trick them into installing and executing the file.


What happens in this attack?

Malicious users can build the Twitter botnet using files detected by Trend Micro as TROJ_TWEBOLD.BLD and TROJ_TWEBOLD.STB. The bot builder comprises two files—TwitterNet Builder.exe and Stub.exe. TwitterNet Builder.exe is the interface for the builder, which requires a user to input a Twitter user name to follow and to click the "Build" button. Stub.exe acts as the base file to which the builder will integrate the Twitter user name entered.

Once the executable file Twitternet.exe is executed on the affected system, the bot server will regularly connect to the target Twitter page to read and execute the commands posted by the attacker via Tweets. The bot server is capable of downloading and executing a file from the Internet. It can start a distributed denial-of-service (DDoS) attack via User Datagram Protocol (UDP). It can also open a Web page, use the Windows Text-to-Speech Application, stop all bot-related activities, and remove connecting bots.


Why is this attack noteworthy?

Because the bot builder is freely available online, practically anyone can create the bot server and can execute commands on affected systems. The tool may specifically pose a threat to users when an attacker uses the tool to start a DDoS attack on critical systems. The download command may also be abused to download malicious files.

It is also important to note that Twitter remains one of the top social networking sites, which has at least 105,779,710 registered users. In the event that the bot builder becomes widespread, millions of users may fall prey to the attack.


How can users protect themselves from this attack?

Though it does not have any propagation capability nor autostart technique, it is also possible for an attacker to manually install the bot server onto a system or to trick a user into executing the file. Users should then be careful when opening attachments and when executing files from unknown sources. It is also advisable to be wary of running unknown executable files on users systems since the Twitter bot server will not function unless Twitternet.exe is properly installed.

Trend Micro™ Smart Protection Network™ already protects product users from this threat by preventing the download and execution of all the related malicious files—TROJ_TWEBOT.BLD and TROJ_TWEBOT.STB—onto affected systems via the file reputation service.

Non-Trend Micro product users can also stay protected via HouseCall, a free tool that identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems.