Hacker Controlling Botnets by Sending Direct Messages from Twitter


Twitter is a social networking site famous for its short tweets, which are limited to 140 characters in length. It is used as a source of news and information related to your interests. Direct message is a Twitter feature that lets you send personal messages to the users following you.

When Twitter first started sending Direct Messages, they had a limit of 140 characters, but the character limit was deprecated and users could send messages of any length. That is when London-based security researcher Paul Amar built a backdoor tool that could control botnets (compromised machines) using Twitter's direct message feature. The researcher used his tool as botnet command-and-control infrastructure to direct his botnet to carry out a DDoS attack without the knowledge of the PC owner.


Source: Security Affairs

According to Amar, an attacker can use Tor to create new Twitter accounts and use those multiple accounts to bypass the limitation of 1,000 direct messages per day per user, which will be enough to control hundreds of machines. “With DMs longer than 140 characters, it leaves plenty of headroom for controlling the bots and allows for more malicious activity,” says Amar.

Since the bots communicate via Twitter's APIs, they don't need their own Twitter accounts to be controlled. And since the messages sent are personal and not public, the attacker has less reason to worry about IP filtering.
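For defenders, this design means bot traffic shows up as outbound requests to Twitter's API rather than to an attacker-owned server, so destination blocklists do not help, but machine-regular polling still stands out in proxy logs. The sketch below is an added example, not Amar's tool or code from the original article; the log format, the `/1.1/direct_messages` path prefix and the thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

API_HOST = "api.twitter.com"
DM_PATH_PREFIX = "/1.1/direct_messages"  # assumption: DM endpoint path prefix

# Constructed proxy log: timestamp, client IP, host, path, user agent
SAMPLE_LOG = """\
2015-08-20T10:00:00 10.0.0.5 api.twitter.com /1.1/direct_messages.json python-requests/2.7.0
2015-08-20T10:00:07 10.0.0.8 twitter.com /home Mozilla/5.0 (Windows NT 6.1) Firefox/40.0
2015-08-20T10:01:01 10.0.0.5 api.twitter.com /1.1/direct_messages.json python-requests/2.7.0
2015-08-20T10:01:30 10.0.0.9 api.twitter.com /1.1/direct_messages.json TwitterAndroid/5.70
2015-08-20T10:02:00 10.0.0.5 api.twitter.com /1.1/direct_messages.json python-requests/2.7.0
2015-08-20T10:03:02 10.0.0.5 api.twitter.com /1.1/direct_messages.json python-requests/2.7.0
2015-08-20T10:04:00 10.0.0.5 api.twitter.com /1.1/direct_messages.json python-requests/2.7.0
2015-08-20T10:09:12 10.0.0.9 api.twitter.com /1.1/direct_messages.json TwitterAndroid/5.70
2015-08-20T10:11:00 10.0.0.9 api.twitter.com /1.1/direct_messages.json TwitterAndroid/5.70
2015-08-20T10:30:45 10.0.0.9 api.twitter.com /1.1/direct_messages.json TwitterAndroid/5.70
"""

def find_dm_beacons(log_text, min_hits=4, max_jitter=5.0):
    """Return (client, hits, mean_interval_s) for clients that poll the DM
    API at near-constant intervals, as an automated bot would."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(None, 4)  # the user agent may contain spaces
        if len(parts) < 4:
            continue  # skip malformed lines
        ts, client, host, path = parts[:4]
        if host != API_HOST or not path.startswith(DM_PATH_PREFIX):
            continue
        try:
            seen[client].append(datetime.fromisoformat(ts))
        except ValueError:
            continue  # unparseable timestamp
    flagged = []
    for client, times in sorted(seen.items()):
        if len(times) < max(min_hits, 2):
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A small spread between gaps indicates scheduled polling, not a person
        if statistics.pstdev(gaps) <= max_jitter:
            flagged.append((client, len(times), round(statistics.mean(gaps))))
    return flagged

if __name__ == "__main__":
    for client, hits, interval in find_dm_beacons(SAMPLE_LOG):
        print(f"{client}: {hits} DM API requests, about every {interval}s")
```

A bot that randomizes its polling interval would evade this fixed-jitter check, so treat it as one signal alongside the requesting process and user agent.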

Manish Dangol

