Security

350,000 Twitter bot sleeper cell betrayed by love of Star Wars and Windows Phone

Computer researchers uncover yuuuge dormant army


Computer boffins Juan Echeverria and Shi Zhou at University College London have chanced across a dormant Twitter botnet made up of more than 350,000 accounts with a fondness for quoting Star Wars novels.

Twitter bots have been accused of warping the tone of the 2016 election. They also can be used for entertainment, marketing, spamming, manipulating Twitter's trending topics list and public opinion, trolling, fake followers, malware distribution, and data set pollution, among other things.

In a recently published research paper, the two computer scientists recount how a random sampling of 1 per cent of English-speaking Twitter accounts – about 6 million accounts – led to their discovery.

Pursuing an unrelated inquiry, the researchers were examining the geographic distribution of 20 million tweets with location tags in the dataset of 843 million tweets from the account sample, and they noticed an unusual distribution pattern.

Some accounts followed the expected distribution pattern, which coincides with population centers in America and Europe. But another set of accounts showed random distribution within those areas, often resulting in tweets from unlikely places such as seas, deserts, and the Arctic.

Blue dots at edge of box over Europe, barely visible after image compression, show Star Wars bots

When the researchers manually examined the text of these tweets, they found the majority of them consisted of random excerpts from Star Wars novels, and that many of them started or ended with an incomplete word or included a randomly placed hashtag.

For example:

Luke's answer was to put on an extra burst of speed. There were only ten meters #separating them now. If he could cover t

"This quote was from the book Star Wars: Choices of One, where Luke Skywalker is an important character," the paper explains. "We have found quotations from at least 11 Star Wars novels."

The manual examination of data associated with 4,942 accounts resulted in the identification of 3,244 bots with consistent characteristics:

Given that set of bots, the researchers created a machine learning classifier to hunt for other accounts with similar characteristics. The algorithm identified 356,957 Star Wars bots.

The researchers say they were lucky to have spotted the bots, which appear to have been designed to thwart automated detection methods. They note that being human helped make the discovery possible.

"The fact that the bots tagged their tweets with random locations in North America and Europe was a [deliberate] effort to make their tweets look more real," the paper explains. "But this camouflage trick backfired – the faked locations when plotted on a map seemed completely abnormal. It's important to note that this anomaly could only be noticed by a human looking at the map, whereas a computer algorithm would have a hard time to realize the anomaly."

Curiously, the Star Wars bots have been silent since 2013. The researchers observe that pre-aged bots can be sold for more than newly created bots on the black market, presumably because bot detection methods consider older accounts more likely to be reputable.

Twitter declined to comment on the findings, which may be because the company was unaware of them until now.

"We have not reported the accounts directly to Twitter (yet)," said Echeverria in an email to The Register. "We are waiting for the paper to be approved by the scientific journal to which it was submitted. We would also like to give researchers a chance to get the dataset by themselves before they are gone, this is why we have not reported to Twitter directly, but we will as soon as the paper gets accepted."

Inspired by their success identifying the Star Wars botnet, Echeverria, a research student, and his faculty advisor, senior lecturer Shi Zhou, claim to have identified an even larger botnet numbering half a million accounts.

"The larger botnet is part of a subsequent research paper, which is also under review," Echeverria said. "As soon as it gets approved, I will be able to disclose more information about it."

Echeverria added that there's now a Twitter account named "@thatisabot" to make it easier for people to report bots to researchers.

"Think of it as @spam but for researchers instead of Twitter," he said. "Furthermore, we have a webpage, www.thatisabot.com, which will (soon) also allow people to report bots to researchers."

"Commander, tear this ship apart until you've found those plans and bring me the Ambassador. I want her alive!" ®
Send us news
33 Comments

Google reportedly in talks to buy infosec outfit Wiz for $23 billion

The security industry has never had a clear leader – could it be the Chocolate Factory?

Twitter grew an incredible '1.6%' since Musk's $44B takeover. Amazing. Wow

No doubt thanks to Vladi5555, KremLinda1776, RealAmericanPat22, etc etc

FBI, cyber-cops zap ~1K Russian AI disinfo Twitter bots

RT News snarks back after it's accused of building social nyet-work for Kremlin

DarkGate, the Swiss Army knife of malware, sees boom after rival Qbot crushed

Meet the new boss, same as the old boss

Big Tech's eventual response to my LLM-crasher bug report was dire

Fixes have been made, it appears, but disclosure or discussion is invisible

Kaspersky gives US customers six months of free updates as a parting gift

So long, farewell, do svidaniya, goodbye

Merged Exabeam and LogRhythm cut jobs, face lawsuit

Unconfirmed reports suggest 30 percent reduction in headcount

Three words to send a chill down your spine: Snowflake. Intrusion. Alert

And can AI save us from the scourge of malware? In theory, why not, but in practice ... Color us skeptical

China's APT41 crew adds a stealthy malware loader and fresh backdoor to its toolbox

Meet DodgeBox, son of StealthVector

Critical Windows licensing bugs – plus two others under attack – top Patch Tuesday

Citrix, SAP also deserve your attention – because miscreants are already thinking about Exploit Wednesday

Kaspersky culls staff, closes doors in US amid Biden's ban

After all we've done for you, America, sniffs antivirus lab

ZDI shames Microsoft for – yet another – coordinated vulnerability disclosure snafu

'It seems like they really don't have a full grasp of what's going on with this patch'
BREAKING NEWS: CrowdStrike code update bricking Windows machines around the world