Botnets have historically often been controlled via IRC. A bot-herder would use specially designed scripts in IRC channels from which the infected systems could retrieve their commands. IRC served as the control platform.
Over the last couple of years Twitter has also become such a platform because of its wide accessibility. Accounts on Twitter can easily be set up anonymously. Using a Twitter client, an attacker may now control botnet systems from a smartphone. While he’s standing in the frozen food section of his local grocery store, he’s launching a DDoS attack against a network. The appeal of this is easy to understand.
A new tool called TwitterNET Builder has recently made the news, as it provides script kiddies an easy way to achieve botnet control using Twitter. The software creates an executable used to infect the target systems, causing them to watch specific Twitter accounts for specific commands.
Twitter’s response has been swift. It seems that accounts where these commands are showing up are, understandably, being suspended. The same thing happened back in the IRC days when accounts were found to be automatically posting such things in chat channels. Attackers at this point would need to find a way to encode these commands so as to fly under the radar of Twitter’s administrators. TwitterNET Builder seems to provide a fixed list of commands, which could be easily detected. The ability to customize the commands to use more common keywords, or even to encode the command text, would provide more cover for the attacker.
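To make the detection point concrete, here is an added example (my own code, not TwitterNET Builder output or anything Twitter runs) of the kind of check an account moderator or a SOC watching a public feed could apply: it matches posts against a fixed command vocabulary, the easy case the post describes, and then also looks for base64-looking tokens that decode to that same vocabulary, the "encode the command text" case. The command keywords and the sample posts are constructed for the example; the real builder's command list is not on this page and is not reproduced here.

```python
import base64
import binascii
import re

# Hypothetical fixed command vocabulary, standing in for any bot builder's keyword list.
# These are constructed for the example, not the real TwitterNET Builder commands.
COMMAND_KEYWORDS = {".DDOS", ".DOWNLOAD", ".STOP", ".REMOVEALL"}

# A base64-looking token: long run of base64 alphabet, optional padding.
BASE64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
MIN_OPAQUE_LEN = 24  # shorter blobs are too often ordinary hashtags/ids to be worth a flag

# Constructed sample posts from a monitored account (the encoded one is built here so
# it is guaranteed to round-trip; 203.0.113.7 is a documentation address).
ENCODED_COMMAND = base64.b64encode(b".DDOS 203.0.113.7 80 60").decode("ascii")
SAMPLE_POSTS = [
    "good morning everyone, coffee time",
    ".DDOS 203.0.113.7 80 60",                      # plain command keyword
    ".DOWNLOAD http://example.invalid/update.exe",  # plain command keyword
    f"check this out: {ENCODED_COMMAND}",           # base64-wrapped command
    "gBtZ/9kq3XpQw2LmN7vRsT1aUcE4hYiK",             # opaque blob that decodes to non-text
    "lunch was great today!!!",
]


def decode_base64_token(token):
    """Decode a base64 token to ASCII text, or return None if it is not valid/printable."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return None


def classify_post(text):
    """Return the reasons this post looks like bot command traffic (empty list if clean)."""
    reasons = []
    tokens = text.split()

    # 1. Fixed vocabulary: the case a platform moderator can catch with a plain keyword match.
    for tok in tokens:
        if tok.upper() in COMMAND_KEYWORDS:
            reasons.append(f"command keyword {tok!r}")

    # 2. Encoded text: base64-shaped tokens are decoded and re-checked against the vocabulary.
    #    Blobs that do not decode to text at all are surfaced for review rather than ignored.
    for tok in tokens:
        if not BASE64_TOKEN.match(tok):
            continue
        decoded = decode_base64_token(tok)
        if decoded is not None:
            if any(word.upper() in COMMAND_KEYWORDS for word in decoded.split()):
                reasons.append(f"base64-encoded command {decoded!r}")
        elif len(tok) >= MIN_OPAQUE_LEN:
            reasons.append(f"opaque encoded token {tok!r}")

    return reasons


def scan_posts(posts):
    """Map each suspicious post to its list of reasons; clean posts are omitted."""
    findings = {}
    for text in posts:
        reasons = classify_post(text)
        if reasons:
            findings[text] = reasons
    return findings


if __name__ == "__main__":
    for post, reasons in scan_posts(SAMPLE_POSTS).items():
        print(f"{post!r}: {', '.join(reasons)}")
```

The keyword pass is exactly what makes a fixed command list easy to suspend; the decode pass closes the obvious base64 trick. What neither pass catches is the other evasion the post mentions, commands customized to look like ordinary words, which is why a production detector would pair content matching with behavioral signals such as many unrelated hosts polling the same low-activity account.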
Social networking has always provided a stealthy platform from which attackers may control their victims. I wonder if, somewhere out there, someone’s writing “FacebookNET Builder.” Maybe it’s already being used. Setting up accounts on Facebook is a bit more involved than on Twitter, so that might be an impediment for an attacker.
The best solution from the standpoint of a network administrator who wants to protect his people from these attacks would be to block Twitter and other social networking sites altogether. IRC is blocked for this very reason, and doing the same here would effectively remove the ability of an infected system to receive instructions from its botnet master.
The scenarios for doing evil are many, and they become more numerous as more platforms for social networking are unveiled. Today it’s Facebook and Twitter. Tomorrow, who knows? The question is, as these new social networking platforms are being created, are their creators thinking about how their applications could be used for evil? Probably not. But it’s such a nice thought.
David H.
