#BotSpot: Obituary of a Botnet

Accounts are created, post thousands of times, and disappear

Some of the accounts in the series. (Source: Twitter / @kurikairiku52 through 57.)

The life of a Twitter bot is an increasingly precarious one. @DFRLab has been privileged to track the creation, and destruction, of one network of bots over just five days.

“Bots,” short for “robots,” are social media accounts which have been automated to retweet, follow or like other accounts without human intervention. They have become such a troublesome part of life on Twitter that, on February 21, the platform announced a series of reforms to its Terms of Service (ToS), aimed at cracking down on large-scale automation.

The reform seems to be working. On March 29, @DFRLab identified a network of 50 apparently Japanese bots which had been created a few days before. While we were still studying the botnet, its accounts were suspended.

The dear deleted: twelve of the botnet’s accounts, serial numbers 70 through 81, created within a few minutes on March 25, and suspended within a few minutes on March 29. All accounts in the series archived on March 29, 2018. (Source: Twitter)

We describe them here as a case study in the life, and death, of bots on Twitter, in the wake of the platform’s reform.

This was a relatively primitive botnet, and readily visible to the human eye. Each account had a handle beginning with @kurikairiku, plus a final number running from 51 to 100. We classified them as bots because of their behavior. All posted the same four or (in the older accounts) five tweets; all followed 21 accounts; all posted hundreds or thousands of “likes” in just five days.

Comparison of the profile pages of @kurikairiku53 and @kurikairiku54, both created on March 25. Note the identical tweets, the identical number of tweets and accounts followed, the high number of “likes,” and the identical profile and background pictures. Archived on March 29, 2018. (Source: Twitter / @kurikairiku53 / @kurikairiku54)

The account handles demonstrated that these accounts were part of a network. Their profile pictures confirmed it: between them, the fifty accounts had just three different images.

Profiles of bots 71, 72, 74, 78, 80 and 81, showing the three profile pictures. All accounts archived on March 29, 2018. (Source: Twitter.)

As background images, they had four variations: the Eiffel Tower, two mugs, a minion from the movie “Despicable Me,” and a beach scene.

Background images of bots 52 (with minion), 72 (with beach), 76 (with Eiffel Tower) and 80 (with mugs). All posts archived on March 29, 2018. (Source: Twitter)

The accounts were created in two short bursts. Numbers 51 through 56 were created in a seven-minute span, from 10:48 to 10:55 pm (UK time) on March 24.

Profile pictures of bots 51–56. Note the time of creation of each account, in black. All accounts archived on March 29, 2018. (Source: Twitter)

Numbers 57 through 100 were created in 57 minutes, between 1:16 and 2:13 am, UK time, on March 25.

Profile pictures of bots 57 and 100. Note the creation times for each account; the intervening bots were all created within the same timespan. Archived on March 29, 2018. (Source: Twitter)

In each case, this gives an average speed of roughly one new account every minute, or slightly slower. This is such a high speed, and sustained over a sufficiently intense period, that it is extraordinarily unlikely to have been the work of one user: the overwhelming likelihood is that they were created by an automated system, or by a group of human users working on industrial lines.

All the accounts were hyperactive likers. By the time we archived number 60, it had posted 2,574 likes, for an average rate of roughly 588 every 24 hours; other bots had been similarly prolific.

Profile of bot 60. Archived on March 29, 2018. (Source: Twitter)
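The checks described above (serial-numbered handles, creation bursts, and like rate) can be expressed as a short triage script. This is an added example, not code from the original article or from @DFRLab; the record fields, the 10-minute gap and five-account thresholds, and the per-account timestamps in `sample()` are assumptions constructed to match the burst sizes and times the article reports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

HANDLE = re.compile(r"^(.*?)(\d+)$")  # handle stem + trailing serial number

def group_by_stem(accounts):
    """Group accounts whose handles differ only in a trailing number."""
    groups = defaultdict(list)
    for acct in accounts:
        m = HANDLE.match(acct["handle"])
        if m:
            groups[m.group(1).lower()].append(acct)
    return groups

def creation_bursts(accounts, max_gap=timedelta(minutes=10)):
    """Split accounts into runs whose consecutive creation times are <= max_gap apart."""
    ordered = sorted(accounts, key=lambda a: a["created"])
    bursts = [[ordered[0]]] if ordered else []
    for acct in ordered[1:]:
        if acct["created"] - bursts[-1][-1]["created"] <= max_gap:
            bursts[-1].append(acct)
        else:
            bursts.append([acct])
    return bursts

def summarize(accounts, min_size=5):
    """Return (stem, size, span_minutes, minutes_per_account) for each suspicious burst."""
    out = []
    for stem, members in group_by_stem(accounts).items():
        for burst in creation_bursts(members):
            if len(burst) >= min_size:
                span = (burst[-1]["created"] - burst[0]["created"]).total_seconds() / 60
                out.append((stem, len(burst), span, span / len(burst)))
    return out

def likes_per_day(acct, observed):
    """Average likes per 24 hours between account creation and observation."""
    return acct["likes"] / ((observed - acct["created"]).total_seconds() / 86400)

def sample():
    """Constructed records: burst sizes and start/end times follow the article;
    per-account timestamps are evenly spread and like counts are placeholders."""
    runs = [(51, datetime(2018, 3, 24, 22, 48), 6, 7), (57, datetime(2018, 3, 25, 1, 16), 44, 57)]
    accts = [{"handle": f"@kurikairiku{n0 + i}", "likes": 2574,
              "created": t0 + timedelta(minutes=span * i / (n - 1))}
             for n0, t0, n, span in runs for i in range(n)]
    # Constructed unrelated account: numbered handle, but no siblings, so never flagged.
    accts.append({"handle": "@example_user7", "likes": 12, "created": datetime(2018, 3, 25, 1, 30)})
    return accts
```

`summarize(sample())` reports the two bursts of 6 and 44 accounts at roughly 1.2 and 1.3 minutes per account, and `likes_per_day` reproduces the figure of roughly 588 for bot 60 when given a constructed observation time on the morning of March 29.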

The great majority of likes were from Japanese accounts, especially business-oriented ones. A few were English-language posts concerning movies and entertainment.

Each account followed 21 others. Of these, the great majority were verified Japanese accounts, such as the Nikkei index, NHK news, and the Tokyo Metro and fire service. The likelihood is that these were suggested by Twitter at the moment of account creation, and accepted en masse as a way of giving the accounts a more human look.

Based on the similarity of these accounts, we examined the handles @kurikairiku1 through @kurikairiku50. All had already been suspended. @kurikairiku101, and higher numbers, did not exist. We therefore conclude this to be the full extent of the network.

Twitter returns for @kurikairiku49 (upper image) and @kurikairiku101 (lower image). (Source: Twitter)

We managed to archive each account from 51 to 81, plus numbers 90 and 100, before the suspension. We publish the full list below, for bot source researchers who may be interested.

Conclusion

The life and untimely demise of this botnet illustrates both the strength, and an apparent loophole, of Twitter’s reinforced ToS.

The botnet was small, and its activity was limited to large-scale liking, rather than retweeting or following accounts; its overall impact was thus minimal. Nevertheless, Twitter identified and suspended it within a few days.

That said, the botnet creator, whether an algorithm or a team, did manage to create the network, and to register on the order of 100,000 likes over a five-day period, before being caught. By its own account, Twitter has systems in place which detect and block over half a million suspicious logins per day, as being generated by automation; a group of fifty new accounts created in that period may well have been lost in the noise.

The likelihood is that this botnet was too small to trigger Twitter’s automated gatekeepers, but too active to escape detection for long. That suggests that there is still a window in which bot makers can operate, but that it has become much narrower.


Here follows the complete list of bots, and the archive links:

@kurikairiku51 — http://archive.is/Cr6yj

Accounts followed by @kurikairiku51 — http://archive.is/qbmx9

@kurikairiku52 — http://archive.is/B9ntX

@kurikairiku53 — http://archive.is/MzZAT

@kurikairiku54 — http://archive.is/hqC3I

@kurikairiku55 — http://archive.is/ith4p

@kurikairiku56 — http://archive.is/LYxsb

@kurikairiku57 — http://archive.is/i2YJ1

@kurikairiku58 — http://archive.is/wUiXo

@kurikairiku59 — http://archive.is/8jDyJ

@kurikairiku60 — http://archive.is/yZCYM

@kurikairiku61 — http://archive.is/5VAsZ

@kurikairiku62 — http://archive.is/vyUSl

@kurikairiku63 — http://archive.is/WeUio

@kurikairiku64 — http://archive.is/Myd7N

@kurikairiku65 — http://archive.is/egSyx

@kurikairiku66 — http://archive.is/r8cLU

@kurikairiku67 — http://archive.is/gmczV

@kurikairiku68 — http://archive.is/SOcbX

@kurikairiku69 — http://archive.is/jubB0

@kurikairiku70 — http://archive.is/lLwnd

@kurikairiku71 — http://archive.is/xxwzc

@kurikairiku72 — http://archive.is/U5wXa

@kurikairiku73 — http://archive.is/T2RWt

@kurikairiku74 — http://archive.is/S0cVM

@kurikairiku75 — http://archive.is/RXxU5

@kurikairiku76 — http://archive.is/fvyi3

@kurikairiku77 — http://archive.is/1Ed5G

@kurikairiku78 — http://archive.is/bkUgh

@kurikairiku79 — http://archive.is/AYeFD

@kurikairiku80 — http://archive.is/KXDUA

@kurikairiku81 — http://archive.is/5nFgt

Accounts followed by @kurikairiku81 — http://archive.is/4IGbz

@kurikairiku90 — http://archive.is/1lu1k

Accounts followed by @kurikairiku91 — http://archive.is/aYEfJ

@kurikairiku100 — http://archive.is/EP9D3


Ben Nimmo is Senior Fellow for Information Defense at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).
