46 — Discovery of the Twitter Bursty Botnet
Read on 06 October 2017The authors of this paper polled the Twitter live streaming API to detect botnet-like behavior: Earlier, they had characterized the Star Wars botnet, a network of Twitter bots spanning more than 350,000 accounts, whole sole behavior was to tweet random Star Wars quotes. The authors were able to characterize these bots as such because their geolocation information suggested that they were all uniformly spatially distributed across two rectangular coordinate ranges that included uninhabitable regions (ocean, mountains, or desert). These coordinate ranges perfectly covered the continental United States and the European continent, including much of northern Africa.
This paper documents a newly discovered botnet dubbed the Bursty botnet, so named because its more than 500,000 accounts followed a simple pattern of Tweet posting: After account creation (in Feb–Mar 2012), the accounts tweeted around three times, and then never again.
Interestingly, while a great percentage of the accounts created during this timeframe have been removed by Twitter, the majority (well over 500,000) still exist online, suggesting that Twitter has not found all of the botnet accounts in this network yet. Of the millions of URLs posted by these bots, 1.2MM pointed to a now-blocked page (hiding behind a tinyurl shortlink); 2MM pointed to single-use “burner-domain” URLs under the Russian .ru
TLD.