Insidious Twitter Botnet is Streaming in Stealth Mode

Recently, I became aware of a prodigious stealth-mode Twitter botnet that contain upwards of 3 million user accounts, alongside two other botnets that total 100,000 bots. Kudos goes to SadBotTrue security researchers who first disclosed botnet findings at their blog earlier this week.

Twitter botnet streaming in stealth mode

Stealth Twitter botnet

According to SadBotTrue, this particular botnet is the most active and most undetectable botnet in existence on Twitter today.

SadBotTrue states at their blog:

All the accounts are protected and excluded from twitter search. There is no connections with the other accounts. All the likes, retweets, hashtags are counted in stats, but the accounts are invisible in the lists. It is impossible to detect this botnet without special requests and analysis of big data.

Manually checking @sfa_2000000000 through @sfa_2002999999 with random account numbers such as:

Name: Protected Tweets @sfa_2000111599  Bio: some kinda description  Joined April 2014. Tweets: 4,247, Following: 457,  Followers: 78,  Likes: 55.
Name: Protected Tweets @sfa_2000000009 Bio: some kinda description  Joined April 2014. Tweets: 101K, Following: 243, Followers: 75M,  Likes: 5K—produce drastic variations in tweet, follower, and like count.

Followers also (as would be expected) decrease the further you move away from the initial startup account:
Name: Protected Tweets @sfa_2000000000 Bio: some kinda description  Joined March 2014. Tweets: 182K, Following: 249, Followers: 3M, Likes 1. All accounts in the SFA botnet include “name” with a bio description of “some kinda description,” while the join dates fluctuate between March to April 2014.

Curious Twitter botnet findings

I am not sure how SadBotTrue correlated the @benjarobledo9 alongside the first account as @Umrade—Or, how they figured that all 3,000,000 accounts among secret IDs range, with the same number in ID and the name, was registered just in single day—with 35,4 average registrations per second. I will have to contact them regarding these accounts (and update at the bottom of this blog post).

SadBotTrue Twitter bot findings include:

  1. There are 3 million protected accounts with 2,6 billion tweets.
  2. Someone has enough power for reservation 168 millions of ID in the Twitter’s database.
  3. The 3,000,000 accounts have been registered on the same day.
  4. The 3,000,000 accounts have ID’s from the 168 millions reserve.
  5. The 3,000,000 accounts have used the uninterrupted sequence of ID from the reserve.
  6. Every account has the name, containing 10 digits of the account’s ID.
  7. There is no way to know the ID before the registration will complete.
  8. The most active account @sfa_2002997030 has 476,990 tweets with one follower.
  9. The most active follower is @sfa_2000000004following 1,268,501 accounts.
  10. Likes and retweets of protected accounts are included in the counted twitter stats.
  11. Hashtags of protected account are included in the counted Top Trending stats.
  12. 0-day 3 million stealth twitter botnet with 2,6 billion tweets was exploited for 2 years.
  13. The botnet can’t be registered without the consent of Twitter officials, but without its approval.

Moving on to more intriguing questions

SadBotTrue asks the following questions:

  1. What was the reason to reserve 168 millions twitter IDs?
  2. Why did stealth twitter botnet have been created with reserved ID?
  3. Why was it done precisely in October 2013?
  4. What were used 3 million accounts with 2.6 billion tweets for?
  5. Why were 3 million accounts from 168 million reserved IDs enough?
  6. How is botnet size related to the purpose for which it was created?

I’ve been a part of the Twitter community since early February 2009. Over time, I’ve been closely watching how dark affiliates operate—mainly in the area of selling Twitter followers . . . My curiosity factor is entirely intrigued with SadBotTrue’s research alongside many unanswered questions. Who would have enough “power” to reserve 168 million ID’s in the Twitter database with 3 million accounts registered on the same day? How could this go unnoticed for two years? Too many questions with too few answers . . .

More SadBotTrue Findings

Since its creation the protected botnet made 2.6 billion tweets (including retweets). Current Daily Twitter activity is about 500 million tweets. That is, this botnet has made the same number of tweets as all Twitter users combined for 5 days. Or this amount of tweets is enough to handle on world top any hashtag for 8 years permanently.

Internal meanderings

There is little doubt (in my mind) that this botnet (and it’s brother-sister botnets) could have fallen beneath the radar of Twitter security. What is actually going down here?

Sensors TechForum asks: Why Are Botnets a Threat to Security?

This particular attack is very suspicious, because of the large amount of fake accounts that were registered at once. Sellers of fake Twitter followers avoid making that many accounts at once as to avert suspicion. It’s likely that the creators of the botnet want something more than mere shell account to sell, the entire breach poses a serious security threat. Another troubling question in the whole the story is how Twitter didn’t notice such a huge amount of new accounts in that small a time frame.

So, it looks like Twitter administration might have some fessing up to do—or, are they truly oblivious to  the 168 million ID’s in the Twitter database with 3 million accounts registered on the same day? Will Twitter ignore SadBotTrue research findings? Seriously people—something this “obvious” deserves far more scrutiny by the infose community. Do you agree or disagree?


Twitter Bots, not up my skirt!
Is inflating your Twitter follower count really worth it?
Twitter Bots: the scourge of the low-end spam bots


Leave a reply