Showing posts with label TwiGUARD. Show all posts

Monday, February 01, 2010

More on Twitter.


Special events like the football playoffs, awards shows, and politics can be seen in the Twitter post statistics Twiguard collects. We normally see some sort of spike, and the Grammys were no exception. We recorded 3.2 million tweets in a single hour, which is far above the average of around 1.4 million tweets per hour. To the left is a chart from 3am on Feb 1 showing the last 24 hours of tweet data we collected.

Malware authors often take this as a chance to spread new malware advertised as a link to something about the event. Normally we flag about 8% of Twitter traffic as spam or malware. Last night during the highest hour of tweets that number skyrocketed to almost 22%.

Just thought the stat was interesting.

Twiguard update week 4 and final week.


Although this update is a little late, the analysis ran at the correct time and produced its results: 1239 bad URLs in the list, with 876 of them being new. That is almost 70%. The chart to the left shows the progression from week one, with the total flagged URLs in red and the URLs newly flagged that week in blue. After 4 weeks they almost intersect, and at this rate I am guessing they will intersect in the next few weeks. This goes a long way to showing that URL blacklisting alone is not fast enough to stop the spread of malware on a social network like Twitter.

There are a lot of reasons that can explain the numbers, one being that although we captured the URL weeks ago it didn't start hosting malware until recently. Keep in mind, though, that the purpose of this experiment is to judge how quickly traditional blacklists can respond to malware spread via Twitter. Although Safe Browse may have flagged a URL as bad this week, that doesn't mean it was serving malicious content when it was first captured by Twiguard. In this experiment the majority of bad URLs captured (58.6%) are hosted in Brazil. On Sunday the 7th Twiguard will capture another 24 hours' worth of URLs and make them available to anybody who wishes to duplicate this experiment.

Tuesday, January 12, 2010

Twiguard update week 3

Let's recap: the first week of our test we got 1250 hits, the second week netted 1741, and the third week total is 1427. At first this seems like the number is dipping, until you factor in sites being removed from the blocked list. Of the 1427, more than half are URLs that were not flagged last week: 784 URLs were flagged this week that were not flagged last week, while several URLs are no longer flagged as malicious. Next week is the last week for this exercise. After that we will start over with a set of URLs that are publicly available so anybody can duplicate my effort.

The point of the exercise is to judge how well a traditional "bad site list" can keep up with the way threats from social networks like Twitter can spread.

Wednesday, January 06, 2010

It's awesome how accurate TwiGUARD is at picking out spammers; here is an example. Below are the TwiGUARD stats we collected on this account:

| ID | Username | First Seen Date | Last Seen Date | Folscore |
| 174597 | BTLife7 | 2010-01-06 19:24:00 -0500 | 2010-01-06 19:24:00 -0500 | 100 |

Keep in mind a folscore of greater than 75 is considered bad.

Tuesday, December 29, 2009

TwiGUARD update



Several months ago we announced TwiGUARD, a project researching how hackers spread malware/spam via Twitter. We believe that defenses like SafeBrowse (a Google feature that tells you when URLs are malicious) react too slowly. We are starting an experiment today that shows this, whose results we'll post in two months.

Social networking sites are the new front in the computer virus war. Previously, users would check a webpage (such as CNN or Slashdot) only once a day. Now, users check Twitter or Facebook several times an hour. (I am a good example of this, checking Twitter every ten minutes throughout the day). This means a piece of malware can spread quickly among Twitter users, faster than a security mechanism (like SafeBrowse, or updates to virus signatures) can respond.

Google's SafeBrowse is based on its search engine spider. When the spider comes across a site distributing malware, Google adds that site to its black-list. Browsers like Firefox download black-list updates every 30 minutes. When a user innocently clicks on a link to one of the bad sites in the black-list, Firefox displays a warning instead of the page.

There is a race between how fast hackers can distribute malware on Twitter, and how fast Google's spider can find them, update the list, and distribute that list to browsers.

We have devised an experiment to test this speed. We downloaded all the tweets from yesterday (December 28, 2009) that contained URLs, and saved them to a file. This file contains half a million (504,489) URLs.

After downloading the list, we ran it through Google's SafeBrowse. It told us that about a thousand (1,250) of those URLs were bad.

Next we are going to wait a week and run the same list of URLs again through SafeBrowse. We expect that Google will have found more of them to be bad. We expect the number of bad URLs found in that file will double or triple. We will run the December 28 list through SafeBrowse every week for the next two months. We should see a steady rise in SafeBrowse claiming URLs are bad.

While we have done this informally in the past, this is the first time we are tracking the results. We'll post them in two months.
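The experiment described in this post, and the weekly tallies in the week 3 and week 4 updates above (total flagged, newly flagged, no longer flagged), can be reproduced with a small script. The following is an added example, not code from the TwiGUARD project: it extracts URLs from a constructed handful of tweet texts standing in for the December 28 capture, and replays constructed weekly verdicts standing in for the SafeBrowse results, since no blacklist is queried here.

```python
import re
from collections import OrderedDict

# Constructed sample tweets standing in for the 504,489-URL capture.
SAMPLE_TWEETS = [
    "Grammys recap here http://news.example/recap",
    "free money!!! http://cash.example/win",
    "watch this http://vids.example/clip",
    "check http://news.example/recap again",   # duplicate URL, counted once
    "wow http://cash.example/win",
]

URL_RE = re.compile(r"https?://[^\s]+")


def extract_urls(tweets):
    """Return the set of distinct URLs found in a list of tweet texts.
    This is the fixed list that gets re-checked every week."""
    urls = set()
    for text in tweets:
        urls.update(URL_RE.findall(text))
    return urls


# Constructed weekly verdicts: which captured URLs the blacklist flagged each
# week. In the real experiment these came from running the same unchanged
# list through SafeBrowse once a week.
WEEKLY_FLAGGED = OrderedDict([
    ("week1", {"http://cash.example/win"}),
    ("week2", {"http://cash.example/win", "http://vids.example/clip"}),
    ("week3", {"http://vids.example/clip", "http://news.example/recap"}),
])


def weekly_report(captured, weekly_flagged):
    """For each week compute: total flagged, newly flagged (not flagged the
    previous week), dropped (flagged last week but not this week), the
    share of this week's flags that are new, and the cumulative count of
    URLs flagged at any point so far (the red line on the post's chart)."""
    report = []
    prev = set()
    ever = set()
    for week, flagged in weekly_flagged.items():
        flagged = flagged & captured      # only URLs in the fixed capture count
        new = flagged - prev
        dropped = prev - flagged
        ever |= flagged
        report.append({
            "week": week,
            "total": len(flagged),
            "new": len(new),
            "dropped": len(dropped),
            "new_pct": round(100.0 * len(new) / len(flagged), 1) if flagged else 0.0,
            "cumulative": len(ever),
        })
        prev = flagged
    return report


if __name__ == "__main__":
    captured = extract_urls(SAMPLE_TWEETS)
    for row in weekly_report(captured, WEEKLY_FLAGGED):
        print(row)
```

A rising "cumulative" count while "new" stays a large share of "total" is exactly the pattern the updates above describe: the blacklist keeps discovering URLs that were already circulating weeks earlier.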

Friday, September 11, 2009

TwiGUARD tracked the HowToHack incident

I have updated the TwiGUARD analysts log with a followup on the HowToHack incident. You can find it here.

We cover the accounts that were spreading the malware links, how long the incident went on for, the number of possible tweets, and some information about the malware. Check it out!

Tuesday, September 08, 2009

Tweet Theft Spam

I’ve been playing around with tracking spam and malware on Twitter, a project we call TwiGUARD, and have been learning new things.

Last night I was testing my TwiGUARD analysis tool and it marked a user as spam, but when I manually checked the profile, it looked legitimate. The user had some timely quotes and seemed to be a real person. Sure, it’s a real person who likes to retweet offers for free money, but who am I to judge?

Then a lightbulb went off in my head. I copied the non-spam looking posts into the Twitter search engine and found a young lady in Iowa had tweeted the exact quote an hour before. The spambot had simply stolen her tweet and copied it in order to appear as a legitimate person.

I found many other spambots that did the same thing. They simply track the top 10 "Trending Topics", find people who replied to those topics, then steal other tweets those people have made.

Anyway, I feel like a parent who has been surpassed by his kid. I was fooled by the spambot, but my tool wasn’t.
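The check that exposed the spambot (searching for the same text posted earlier by someone else) can be automated over a timeline. The following is an added example, not the TwiGUARD tool itself: it runs over a constructed list of (timestamp, user, text) posts, records the first account to post each normalized text, and reports any later post of identical text by a different account as tweet theft, along with the share of each flagged account's posts that are copies.

```python
# Constructed sample timeline; usernames and the spam URL are made up.
SAMPLE_TIMELINE = [
    ("2009-09-08 10:00", "iowa_girl", "#wheniwaslittle I thought the moon followed our car"),
    ("2009-09-08 10:05", "dave", "#wheniwaslittle I ate crayons"),
    ("2009-09-08 11:00", "freecash99", "#wheniwaslittle I thought the moon followed our car"),
    ("2009-09-08 11:01", "freecash99", "free money today http://spam.example/x"),
    ("2009-09-08 11:30", "freecash99", "#WhenIWasLittle  I ate crayons"),   # case/space changed
    ("2009-09-08 12:00", "dave", "lunch"),
]


def normalize(text):
    """Fold case and whitespace so trivially altered copies still match."""
    return " ".join(text.lower().split())


def find_tweet_theft(timeline):
    """Return {copier: [(original_user, original_time, text), ...]} for posts
    whose normalized text exactly matches an earlier post by another user.
    Posts are processed in time order so the earliest poster is the owner."""
    first_seen = {}   # normalized text -> (time, user)
    thefts = {}
    for ts, user, text in sorted(timeline, key=lambda t: t[0]):
        key = normalize(text)
        if key in first_seen:
            orig_ts, orig_user = first_seen[key]
            if orig_user != user:
                thefts.setdefault(user, []).append((orig_user, orig_ts, text))
        else:
            first_seen[key] = (ts, user)
    return thefts


def theft_ratio(timeline):
    """Fraction of each flagged user's posts that are copies of someone
    else's earlier post; a high ratio is the spambot signature."""
    thefts = find_tweet_theft(timeline)
    counts = {}
    for _, user, _ in timeline:
        counts[user] = counts.get(user, 0) + 1
    return {user: round(len(copies) / counts[user], 2) for user, copies in thefts.items()}


if __name__ == "__main__":
    for user, copies in find_tweet_theft(SAMPLE_TIMELINE).items():
        for orig_user, orig_ts, text in copies:
            print(f"{user} copied {orig_user} ({orig_ts}): {text!r}")
    print(theft_ratio(SAMPLE_TIMELINE))
```

Exact-match lookup is deliberately strict: it produces no false positives on ordinary retweets of the same link text only if those are excluded upstream, so in practice the ratio should be combined with other account signals (like the folscore used above) rather than used alone.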

Below are two screen shots of tweet theft I found while writing this post. They come from parsing "#wheniwaslittle I", which is currently the #1 "trending topic". The first screen shot is the spammer (you can tell by the pleas to watch her dirty videos), followed by a screen shot of the lass who made the original comment.

[Screen shot 1] This is the spam!

[Screen shot 2] This is the original comment.