There are currently two known TwitterNET Builder variants. The first variant uses malicious commands with static names. The second variant, detected by Kaspersky Lab, allows users to change the names of the command making it harder to identify which Twitter accounts are being used to control the botnets.
It takes just a couple of mouse clicks to create malicious code capable of turning infected computers into zombies, which when joined together form a botnet. The botnets are then controlled via an account set up with the popular microblogging service Twitter. Such botnets are subsequently used for the usual practices of distributing spam, carrying out DDoS attacks, etc.
TwitterNET Builder is freely available and is likely to appeal to hackers of every type, especially novices.
"This malicious code does not contain any distribution mechanism and must be manually run on the victim computer, but these tools can be executed when combined with a drive-by attack or a worm that spreads via a new-found vulnerability," David Jacoby at Kaspersky Lab states in his blog.
Recently, the Twitter microblogging service has been attracting more and more attention from malware writers and hackers.
"The theft of Twitter credentials and the publication of malicious links on Twitter have jumped noticeably since mid-March and we are seeing more and more schemes designed to make money from this data," says Costin Raiu, Director of Kaspersky Lab's Global Research & Analysis Team.
Russian-language hacker forums are currently doing a roaring trade in compromised Twitter accounts. A thousand compromised accounts are selling for anything from $100 to $200. The price depends on the number of users – the more 'followers' the account has, the higher the price. The accounts were presumably compromised using two basic methods: Trojans that steal users' Twitter credentials directly, and phishing scams that use fake authorisation requests on bogus websites designed to resemble the original. Once the cybercriminals have access to an account they can initiate a malicious mailing that appears to come from the legitimate account holder, or just sell the account on to others for similar purposes.
Kaspersky Lab recommends that users be particularly vigilant with messages received from social networking sites and ensure that their antivirus solution is always kept up to date.