Monday, December 14, 2009

Filled Under: ,

Torpig Domain Generator : Hackers Using Twitter Trending Topics

Torpig botnet uses Twitter API (trends) to generate new pseudo-random domain names of attack sites where infected websites silently redirect visitors to. Active domain names change at least twice a day.

This real-time tool generates a domain name of the currently active attack site and two domain names that hackers should activate in upcoming 24 hours.

 twitter bot

This tool is a initiative by a hacker Denis or you can say a security guy. The tool uses JavaScript and Twitters API to find a domain for attacking using the twitters Trending topics.

Well its big hole in the whole twitter’s API and the way this tool have predicted the domain names are right one so far. Its now the all up to the twitter API developers hand…


What is Torpig Botnet

Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security threats on the Internet.


A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims.


At the beginning of 2009, we took control of the Torpig botnet for ten days. Over this period, we observed more than 180 thousand infections and recorded more than 70 GB of data that the bots collected.


Torpig relies on domain flux not only for its main C&C servers, but also to generate the names of the drive-by-download servers that it uses to spread. In traditional drive-by-download attacks, the iframe or script tags reference a hard-coded domain to redirect the victim browser to a malicious webpage to start the attack.


However, Torpig redirects victims to a malicious webpage by computing a pseudo-random domain name on-the-fly (seeded by the current date) using JavaScript code.


Two Twitter API Botnet Uses


However, this time they use two consecutive calls to Twitter (was one).

The first request goes to



The response contains a timestamp (current time) and hackers use it to calculate a date (2 or 3 days before the current date) for the next API request.


where yyyy-dd-mm is the calculated date. This request returns the top 20 trending topics for each hour in a given day.

as per the author..



Well you can also view the hackers blog post on Here . Overall its a good news for some malicious hackers who work on some twitter stuff and try to get victims. But it has some hole in this botnet too..




Happy Hacking @hackerthedude

blog comments powered by Disqus