#BotSpot: Obituary of a Botnet
Accounts are created, post thousands of times, and disappear
The life of a Twitter bot is an increasingly precarious one. @DFRLab has been privileged to track the creation, and destruction, of one network of bots over just five days.
“Bots,” short for “robots,” are social media accounts which have been automated to retweet, follow or like other accounts without human intervention. They have become such a troublesome part of life on Twitter that, on February 21, the platform announced a series of reforms to its Terms of Service (ToS), aimed at cracking down on large-scale automation.
The reform seems to be working. On March 29, @DFRLab identified a network of 50 apparently Japanese bots which had been created a few days before. While we were still studying the botnet, its accounts were suspended.
We describe them here as a case study in the life, and death, of bots on Twitter, in the wake of the platform’s reform.
This was a relatively primitive botnet, and readily visible to the human eye. Each account had a handle beginning with @kurikairiku, plus a final number running from 51 to 100. We classified them as bots because of their behavior. All posted the same four or (in the older accounts) five tweets; all followed 21 accounts; all posted hundreds or thousands of “likes” in just five days.
The account handles demonstrated that these accounts were part of a network. Their profile pictures confirmed it: between them, the fifty accounts had just three different images.
As background images, they had four variations: the Eiffel Tower, two mugs, a minion from the movie “Despicable Me,” and a beach scene.
The accounts were created in two short bursts. Numbers 51 through 56 were created in a seven-minute span, from 10:48 to 10:55 pm (UK time) on March 24.
Numbers 57 through 100 were created in 57 minutes, between 1:16 and 2:13 am, UK time, on March 25.
In each case, this gives an average speed of roughly one new account every minute, or slightly slower. This is such a high speed, and sustained over a sufficiently intense period, that it is extraordinarily unlikely to have been the work of one user: the overwhelming likelihood is that they were created by an automated system, or by a group of human users working on industrial lines.
All the accounts were hyperactive likers. By the time we archived number 60, it had posted 2,574 likes, for an average rate of roughly 588 every 24 hours; other bots had been similarly prolific.
The great majority of likes were from Japanese accounts, especially business-oriented ones. A few were English-language posts concerning movies and entertainment.
Each account followed 21 others. Of these, the great majority were verified Japanese accounts, such as the Nikkei index, NHK news, and the Tokyo Metro and fire service. The likelihood is that these were suggested by Twitter at the moment of account creation, and accepted en masse as a way of giving the accounts a more human look.
Based on the similarity of these accounts, we examined the handles @kurikairiku1 through @kurikairiku50. All had already been suspended. @kurikairiku101, and higher numbers, did not exist. We therefore conclude this to be the full extent of the network.
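The three signals described above (numbered handles sharing one stem, creation in tight bursts, and an extreme like rate) can be checked mechanically. The following is an added example, not @DFRLab's own tooling: the per-account timestamps are constructed by spacing accounts evenly inside the two creation windows reported above, the year and the observation time for number 60 are assumptions, and all function names and thresholds are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

HANDLE_RE = re.compile(r"^@?(.+?)(\d+)$")  # stem + trailing number

def numbered_families(handles, min_size=5):
    """Group handles by stem; keep stems shared by at least min_size accounts."""
    fams = defaultdict(list)
    for h in handles:
        m = HANDLE_RE.match(h)
        if m:
            fams[m.group(1).lower()].append(int(m.group(2)))
    return {s: sorted(n) for s, n in fams.items() if len(n) >= min_size}

def creation_bursts(times, max_gap=timedelta(minutes=10)):
    """Split creation times into bursts wherever the gap exceeds max_gap."""
    bursts, current = [], []
    for t in sorted(times):
        if current and t - current[-1] > max_gap:
            bursts.append(current)
            current = []
        current.append(t)
    if current:
        bursts.append(current)
    return [(b[0], b[-1], len(b)) for b in bursts]

def likes_per_day(likes, created, observed):
    """Average likes per 24 hours of account lifetime."""
    return likes / ((observed - created).total_seconds() / 86400)

def sample_accounts():
    """Constructed data: handle -> creation time, evenly spaced in each window."""
    first = datetime(2018, 3, 24, 22, 48)   # year is an assumption
    second = datetime(2018, 3, 25, 1, 16)
    acct = {f"@kurikairiku{51 + i}": first + timedelta(seconds=84 * i)
            for i in range(6)}               # 51-56 over seven minutes
    acct.update({f"@kurikairiku{57 + i}": second + timedelta(seconds=3420 * i / 43)
                 for i in range(44)})        # 57-100 over 57 minutes
    return acct

if __name__ == "__main__":
    accounts = sample_accounts()
    for stem, nums in numbered_families(accounts).items():
        print(stem, nums[0], "to", nums[-1], f"({len(nums)} accounts)")
    for start, end, n in creation_bursts(accounts.values()):
        minutes = (end - start).total_seconds() / 60
        print(f"{start} to {end}: {n} accounts, {minutes / n:.2f} min per account")
    observed = datetime(2018, 3, 29, 10, 20)  # constructed archive time
    print(round(likes_per_day(2574, accounts["@kurikairiku60"], observed)))
```
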
The life and untimely demise of this botnet illustrates both the strength, and an apparent loophole, of Twitter’s reinforced ToS.
The botnet was small, and its activity was limited to large-scale liking, rather than retweeting or following accounts; its overall impact was thus minimal. Nevertheless, Twitter identified and suspended it within a few days.
That said, the botnet creator, whether an algorithm or a team, did manage to create the network, and to register on the order of 100,000 likes over a five-day period, before being caught. By its own account, Twitter has systems in place which detect and block over half a million suspicious logins per day, as being generated by automation; a group of fifty new accounts created in that period may well have been lost in the noise.
The likelihood is that this botnet was too small to trigger Twitter’s automated gatekeepers, but too active to escape detection for long. That suggests that there is still a window in which bot makers can operate, but that it has become much narrower.
Here follows the complete list of bots, and the archive links:
Ben Nimmo is Senior Fellow for Information Defense at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).