By: Brian Prince, SecurityWeek
This is not the first time Twitter or other social networks have been utilized as command and control systems. In fact, in 2010, researchers at Sunbelt Software uncovered a botnet creation tool called TwitterNet Builder that used the micro-blogging site for this very purpose. In the case of Flashback, Twitter appears to be a secondary means of communication for attackers if the normal command and control server is not available.
“If the control server does not return a correct reply, the Trojan uses the current date to generate a string that serves as a hash tag in a search using http://mobile.twitter.com/searches?q=,” according to Dr. Web, the Russian security firm that first reported the mammoth size of the Flashback botnet earlier this month. “For example, some Trojan versions generate a string of the "rgdgkpshxeoa" format for the date 04.13.2012 (other bot versions can generate a different string). If the Trojan manages to find a Twitter message containing bumpbegin and endbump tags enclosing a control server address, it will be used as a domain name.”
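The fallback lookup described above can be hunted for on the defender's side. The following is an added example, not code from the article or from Dr. Web: it triages web proxy log lines for searches against the quoted endpoint and extracts whatever sits between the bumpbegin and endbump tags in a message. The log line format, the 10-to-16 lowercase-letter heuristic (modelled on the single "rgdgkpshxeoa" sample) and all sample data are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint quoted in the Dr. Web description.
SEARCH_HOST = "mobile.twitter.com"
SEARCH_PATH = "/searches"
# Assumption: the date-derived query is a bare run of lowercase letters, like
# the 12-character sample "rgdgkpshxeoa"; other bot versions may differ.
GENERATED_TAG = re.compile(r"^[a-z]{10,16}$")
# Marker tags from the description; the enclosed text is the control server address.
BUMP = re.compile(r"bumpbegin(.*?)endbump", re.S)

def is_suspicious_search(url):
    """True if url is a search on the quoted endpoint with a machine-looking query."""
    parts = urlsplit(url)
    if parts.hostname != SEARCH_HOST or parts.path.rstrip("/") != SEARCH_PATH:
        return False
    queries = parse_qs(parts.query).get("q", [])
    # Accept the query with or without a leading '#' (page does not say which is sent).
    return any(GENERATED_TAG.match(q.lstrip("#")) for q in queries)

def extract_bump_addresses(message):
    """Return every non-empty string enclosed by bumpbegin/endbump in message."""
    return [m.strip() for m in BUMP.findall(message) if m.strip()]

def scan_proxy_log(lines):
    """Yield (client, url) for log lines of the assumed form '<client> <method> <url>'."""
    for line in lines:
        fields = line.split()
        if len(fields) >= 3 and is_suspicious_search(fields[2]):
            yield fields[0], fields[2]

# Constructed sample data (not from real traffic).
SAMPLE_LOG = [
    "10.0.0.21 GET http://mobile.twitter.com/searches?q=%23rgdgkpshxeoa",
    "10.0.0.34 GET http://mobile.twitter.com/searches?q=olympics+2012",
    "10.0.0.21 GET http://example.com/searches?q=rgdgkpshxeoa",
]
SAMPLE_MESSAGE = "bumpbegin c2.example.invalid endbump"

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print("review host", client, "->", url)
    print("indicators:", extract_bump_addresses(SAMPLE_MESSAGE))
```

A single-word human search of similar length will also match, so treat hits as leads to correlate with failed connections to a known control server rather than as confirmed infections.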