‘Star Wars’ Botnet Has 350,000 Twitter Bots

A newly discovered Twitter botnet has been lying dormant for over three years, although it includes more than 350,000 bot accounts, researchers at University College London have discovered.

Discovered by Juan Echeverria and Shi Zhou, the botnet stands out because all of the bots forming it present several specific characteristics, including the fact that all of them tweeted quotes from Star Wars. In a recently published paper (PDF) called The `Star Wars’ botnet with >350k Twitter bots, the researchers also explain that all of the bots used Twitter for Windows Phone to post the messages.

Focused mainly on discussing the manner in which Twitter botnets can be discovered, the paper reveals other characteristics of these bots as well: they all used fake locations within a specific set of geographical coordinates (in Europe and North America), none had more than 11 tweets, more than 10 followers or more than 31 friends, none retweeted or mentioned another user, and all of their IDs were confined to a narrow range.

The researchers also discovered that the bots’ tweets included only the Star Wars quotations, along with either hashtags that are usually associated with earning followers, or the hash symbol # inserted in front of a randomly chosen word. After manually identifying 3,244 such bots, the researchers used machine learning to automatically detect all of the bots featuring the above characteristics (thus part of the Star Wars botnet).

For that, they looked into the content of the tweets created by these bots and a data set of 9,000 real users, and came up with a set of 80,000 words, including 30,000 most frequent words tweeted by the bots, and 50,000 words tweeted by the real users. By creating word count vectors and training the classifier (a machine learning technique) with the vectors, the researchers achieved over 99% precision in the detection of the bots.
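The word-count approach described above, as an added example that is not the researchers' code: per-class word-count vectors feed a multinomial Naive Bayes classifier with add-one smoothing. The choice of Naive Bayes is an assumption (the article does not name the classifier), and the tweets are constructed samples at a far smaller scale than the 80,000-word vocabulary.

```python
import math
import re
from collections import Counter

# Constructed training data (not from the paper): bot-style tweets are
# novel-like sentences with a '#' before a random word; user tweets are casual.
BOT_TWEETS = [
    "the #pilot turned the ship toward the distant moon",
    "she drew her blade as the #droid rolled into the hangar",
    "the fleet waited in silence beyond the #asteroid field",
    "he felt the engines #shudder as the cruiser left orbit",
]
USER_TWEETS = [
    "lol stuck in traffic again, so late for work",
    "anyone watching the game tonight? need pizza recs",
    "can't believe it's monday already, coffee please",
    "new phone arrived today!! so happy with the camera",
]

def tokenize(text):
    """Lowercase words; the '#' is dropped so the tagged word still counts."""
    return re.findall(r"[a-z']+", text.lower())

def train(docs_by_label):
    """Build per-class word-count vectors and log class priors."""
    counts = {lbl: Counter(w for d in docs for w in tokenize(d))
              for lbl, docs in docs_by_label.items()}
    vocab = set().union(*counts.values())
    total_docs = sum(len(d) for d in docs_by_label.values())
    priors = {lbl: math.log(len(d) / total_docs)
              for lbl, d in docs_by_label.items()}
    return counts, vocab, priors

def classify(text, model):
    """Multinomial Naive Bayes (assumed classifier) with add-one smoothing."""
    counts, vocab, priors = model
    scores = {}
    for lbl, wc in counts.items():
        denom = sum(wc.values()) + len(vocab)
        # Words never seen in training carry no evidence and are skipped.
        scores[lbl] = priors[lbl] + sum(
            math.log((wc[w] + 1) / denom) for w in tokenize(text) if w in vocab)
    return max(scores, key=scores.get)

MODEL = train({"bot": BOT_TWEETS, "user": USER_TWEETS})

if __name__ == "__main__":
    for t in ["the cruiser drifted past the #moon in silence",
              "so late again, need coffee and pizza"]:
        print(classify(t, MODEL), "<-", t)
```

Because the classifier keys on vocabulary alone, it inherits the limitation the paper itself raises: bots quoting from a different source would need a fresh labelled seed set.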

The method revealed a total of 356,957 bots that were created between June 20 and July 14, 2013, all of which started tweeting immediately after creation, for a total of 150,000 tweets per day. However, all bots went silent on July 14, 2013, and the creation of new bots also stopped that day, suggesting that they were controlled by a botmaster, the researchers say.

Discussing the manner in which the botnet remained undetected for so long, the paper notes that “the Star Wars bots were deliberately designed to keep a low profile.” The bots tweeted only a few times, did nothing special, tweeted only random quotations from novels so that their text read as real human language, used normal profiles (some even had pictures), and included no URLs in their tweets (in addition to never replying to or mentioning users and to following only a small number of friends).

The paper notes that the botnet was discovered because tweets were location-tagged, and the locations used created an anomaly that only a human eye could see. While the discovery of the Star Wars bots was “real luck,” the researchers say that it inspired them to look for other similar botnets, and that an even larger one, with over 500,000 bots, was spotted.

“However, the process of discovering these botnets is unique. It is unlikely that we can repeat our luck, because future botnets could easily be programmed to avoid the design `mistakes’ of the Star Wars bots. For example bots do not need to tag their locations at all, because most users do not; and bots can quote from all sorts of sources, including other series of books, magazines, web pages, or even social media postings,” the paper reads.

Although the Star Wars bots stayed inactive for more than three years, they shouldn’t be considered harmless, because the botmaster likely still has control over them, the researchers say. Thus, these bots can be easily used for spam, promotion of fake topics, opinion manipulation, astroturfing attacks, fake followers and sample contamination.

What’s more, because these bots are so old and managed to avoid detection for so long, they are believed to be more valuable to cybercriminals. Pre-aged bots are likely to be sold at premium rates on black markets, and “the Star Wars bots are perfectly suited to be sold,” the researchers say. In fact, because 15,000 Star Wars bots have been following a small number of Twitter users outside the botnet, it’s possible they were already sold as fake followers.

“One of the major challenges of research on Twitter bots is the lack of ground truth data,” the security researchers note, calling for new detection methods to find other hidden bots, as well as future bots that are likely to look more and more like normal users. “We argue that more research is needed to fully understand the potential security risks that a large, hidden botnet can pose to the Twitter environment, and research in general,” the researchers say.

Related: Botnet of 3 Million Twitter Accounts Remains Undetected for Years

Related: 32 Million Twitter Credentials Emerge on Dark Web

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
