Jose Nazario, writing on the Arbor Network Security blog “Security to the Core,” has described a botnet that uses Twitter as a command-and-control channel. The bot owner posts update information in a tweet, and RSS feeds deliver it to the botnet.

The tweeted update information is in the form of a shortened URL, which leads to one of several malicious web sites. Nazario found that, before they were taken down, the sites downloaded a packed .exe file that was an information stealer (Buzus) and a packed .dll file loaded with URLs where the .exe could phone home the stolen information.

The mechanism seems to be the work of Brazilian ID thieves, he said.

Tom Kelchner