Last-minute presentation: Twarfing: malicious tweets

Costin Raiu Kaspersky Lab

Morton Swimmer Trend Micro

Rainer Link Trend Micro

David Sancho Trend Micro

  download slides (PDF)

Twitter is a web and mobile phone service that has become a major player in the social networking world over the last few years. Being so close to other services, it is hard to describe. It is not quite Instant Messaging, nor Tumblelogs, nor RSS feeds. It is not entirely a social network either, though it augments these. It normally provides 140 characters of unstructured space to broadcast a message to anyone who decides to listen. The listening can happen via Twitter's own website, via one of their APIs, or via SMS (mobile phones). In some ways, Twitter is replacing RSS feeds, while providing an RSS feed API to its streams. While Twitter does not impose any structure on those few characters, some order has been established by the users over time by using special syntax to denote things like other users, tags, or retransmissions (retweets).

Increasingly, Twitter interacts with other services. First and foremost, the lack of message space, has made URL shorteners much more important than they were before. But other add-on services have been important, such as search, grouping, and tagging. The brilliance of Twitter was to resist closing off access by these add-ons and even embrace (or buy) them as they saw fit. However, Twitter's openness is also a problem.

There is nothing particularly evil about Twitter itself, but like any medium, it can be used for good as well as for bad. Society still has to sort out how a medium like Twitter should be used. However, we are more concerned with more direct attacks on the user or other malicious use of Twitter. We have seen the obvious CSRF and XSS attacks. Links in Twitter messages have pointed to malware or malicious sites. Malware has used Twitter as a command and control medium. All of this should not be surprising to security experts.

In a project we call Twarf, we are exploring more generic patterns of abuse. For instance, some attacks utilize the social nature of Twitter: someone posts a link he liked, someone else also likes it, so she retweets it, and so on. A recently observed attack piggybacks on this template and retweets a malicious link instead of the original. In our system, one component called WhiteTwarf collects and datamines for possible attacks, while another components called RedTwarf uses the generated patterns to detect attacks based on the templates that were found.

In this paper, we shall explore Twitter as a social networking medium and as a set of technical APIs. We shall see how WhiteTwarf and RedTwarf work and what results we have had so far in this young project.

The paper will also describe the design and implementation of an automated system which scans the Twitter public timeline, extracts all URLs and analyses them in various ways for malicious content. The system enables us to track what malware is being distributed over Twitter, as well as identifying infected users and malicious profiles which have been specifically crafted by the bad guys in order to spread malware.

The presentation will describe the system's technical details; the implementation; provide statistics on which malware is most common on Twitter and look at how the bad guys have adapted their tactics in order to evade newly implemented security features.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.