There’s something fishy about this botnet. Social media and advertising fraud investigations firm Sadbottrue has discovered a botnet of three million Twitter accounts, along with two smaller botnets of 100,000 bots each, which they suspect to be behind online services that sell or rent Twitter followers.
Selling Twitter followers is a lucrative business, even if Twitter forbids it. People crave attention, and companies don’t want to embarrass themselves by having only 100 followers.
Usually, services that do sell Twitter followers, leverage botnets of a few thousand bots, which at the push of a button will become your followers.
Somebody registered three million accounts in just one day
Registering millions of Twitter accounts is out of the question since Twitter’s staff might very easily detect a huge spike in new user account registration and investigate, exposing the botnet.
But that’s exactly what happened, according to Sadbottrue, who discovered a huge botnet that was registered on the same day, on April 17, 2014. That’s about 35.4 registrations per second.
The crooks behind this botnet also managed to synchronize their Twitter usernames with the Twitter ID. The Twitter account ID is usually assigned to a user after he registers, so a few tests were probably carried out in advance.
Sadbottrue says that something is rotten in the state of Denmark. Taking a look at the Twitter IDs before and after these bots, they identified a huge gap. The company claims someone “reserved” over 168 million IDs on October 22, 2013.
SAF, CAS, and WT botnets location based on Twitter IDs
The botnet can be found at @sfa_200xxxxxxx, where xxxxxxx is a number that increments from 0 000 000 to 2 999 999. Any of these Twitter usernames are identical with their Twitter IDs. @sfa_2001234567 will have the Twitter ID 2001234567.
All accounts have a similar structure. They have “name” instead of the Twitter profile handle, display the same registration date, and feature the text “some kinda description” in the profile bio field.
All are private accounts, and nobody can view their tweets, or who they’re following.
Botnet has sent out 2.6 billion tweets
One account (@sfa_2002997030) has 476,990 tweets and just one follower. Another account (@sfa_2000000004) is following 1,268,501 accounts. The first account (@sfa_2000000000) has 2,999,959 followers. If Twitter had a ranking of the most popular accounts, this would surely make it in the Top 1,000.
There are three million Twitter bots in total, and all have blurted out 2.6 billion tweets, of God knows what. The fact that these bots have tweeted so much may hint that crooks may be using this botnet as a C&C control infrastructure, with commands sent via tweets.
C&C server hosted on Twitter have been pioneered before by the HAMMERTOSS malware, where each tweet contained instructions and an image that relayed even more commands via steganography (hiding text in images).
There are also two smaller botnets, each of 100,000 profiles
Additionally, there are also two smaller botnets available as well. One can be found between @cas_2050000000 and @cas_2050099999. Sadbottrue says it was registered between March 3 and March 5, 2015.
The second is between @wt_2050100000 and @wt_2050199999, and was registered between October 23 and November 22, 2014.
Sadbottrue was not the first to notice the presence of this botnet, someone asking about it on Quora as well.
No clues on the botnets’ creator
Besides being a possible source of fake Twitter followers, these three botnets may be very well a source of Twitter spam, but also just a test from Twitter’s devs. Softpedia has reached out to Twitter for clarification.
According to the latest statistics, Twitter was bragging about having over 310 MAUs (Monthly Active Users). If the botnet’s bots are logging on and interacting with the service once per month, and they are part of this statistic, then the @SAF botnet would represent nearly 1 percent of Twitter’s entire userbase.