Chapter 32. The stealth botnet

The true story


We guess, that we found the most active undetectable botnet in Twitter. In this article you will get the answers to the questions: Why are it bots and why is it a botnet? Who created this botnet?


Bots means accounts which have no signs of human activity. Botnet means a centralized automatic control of millions accounts. Bots and botnet in fact, are special software for imitation an audience for social networks or websites. The most common use case is the advertising fraud.


Why is this 3,000,000 botnet undetectable? All the accounts are protected and excluded from twitter search. There is no connections with the other accounts. All the likes, retweets, hashtags are counted in stats, but the accounts are invisible in the lists. It is impossible to detect this botnet without special requests and analysis of big data.Investigative team Sadbottrue has own technologies for data gathering and for meta-analysis of big data. We focused on findings and explanation of anomalies that influence on the tech companies.


But let's go back to the researched botnet. Why are those accounts bots?

Name: name

Screen name:@sfa_2000000000

Description: some kinda description

Tweets: 182,000

Followers: 2,999,961

Account status: protected

It is difficult to find at least one reason to admit this account a human.






This is probably the most popular Twitter account, which nobody has ever seen. How can you find a protected account with this name and some kinda description? Is there a next number account? Do you also have a desire to check out@sfa_2000000001?





This is an exact copy of the previous account, though with less impressive stats. Going through the sequence numbers, we see exactly the same accounts, differing only in ordinal number in the screen name, up to account @sfa_2002999999. The following numbers was not registered. You can manually check any number between@sfa_2000000000and@sfa_2002999999and make sure it exist,missing just 13 accounts, chances are that you may come across them are negligible.



Most amazing facts about this botnet. All of 3 million accounts have been registered on the same day, April 17, 2014. This is an absolute record, in any other day it was not even half of this amount. It is incredibly abnormal activity.Since its creation protected botnet made 2.6 billion tweets (including retweets). Current Daily Twitter activity is about 500 million tweets. That is, this botnet has made the same number of tweets as all Twitter users combined for 5 days. Or this amount of tweets is enough to handle on world top any hashtag for 8 years permanently.


And finally, the most impressive fact. The key to the mysteries of this botnet is in the name of each account. What does the acronym SFA? We have already seen that the botnet creators have some kinda sense of humor. Maybe it means “Serial Fake Account”? But most interesting is the account number in the name. This is not a random ten-digit number, which starts counting.


The part of the account's name coincides with the account's ID.


One more time. All of three million accounts have the same number as its ID. A little explanation for you to understand how much it's unbelievable. ID is a unique number, in contrast to all other parameters can not be changed. There can’t be two accounts with the same ID. Find out your ID can only be through a special service, for exampletweeterid.com. Check the ID before the registration is not possible: before the inception of the account ID is not assigned, just reserved.


Botnet creators knew what ID must be received by each account before it joined. How is this possible We found prearranged gap in which they were registered. All these ID were reserved October 22, 2013, its total amount is 168 million.The recent account prior to the gap is@benjarobledo9, ID 1,979,689,039. This is followed a gap in over 20 million ID. Then, there is the described 3M botnet. A regular registration continued after 144 million blank ID. The first account was@Umrade, its ID is 2,147,483,653.




That is two other two hundreds of accounts in a row with the ID in the name.


@cas_2050000000 - @cas_2050099999


@wt_2050100000 - @wt_2050199999


CAS group was registered from 3 to 5 March 2015, WT group was registered from 23 October to 22 November 2014.





How was it created?


Someone reserved the 168,000,000 of IDs in the one range. It should be not just “admin” of the main database, it should be “superadmin”. The rights to reserve and to change the order of the ID assignment can only СTO or CIO.


Reserved ID means, that new twitter users can’t get this ID for the new the registration. The system able use just unreserved IDs.


And the final, all 3,000,000 accounts among secret IDs range, with the same number in ID and the name, was registered just in single day. There was 35,4 average registrations per second.




The bot facts


1. There are 3 million protected accounts with 2,6 billion tweets.


2. Someone has enough power for reservation 168 millions of ID in the Twitter’s database.


3. The 3,000,000 accounts have been registered on the same day.


4. The 3,000,000 accounts have ID’s from the 168 millions reserve.


5. The 3,000,000 accounts have used the uninterrupted sequence of ID from the reserve.


6. Every account has the name, containing 10 digits of the account’s ID.


7. There is no ways to know the ID before the registration will complete.


8. The most active account @sfa_2002997030 has 476,990 tweets. And the only follower.




9. The most active follower is @sfa_2000000004. It is following 1,268,501 accounts.





10. Likes and retweets of protected accounts are included in the counted twitter stats.


11. Hashtags of protected account are included in the counted Top Trending stats.


12. 0-day 3 million stealth twitter botnet with 2,6 billion tweets was exploited for 2 years.


13. The botnet can’t be registered without the consent of Twitter officials, but without its approval.







The sad questions


1. What was the reason to reserve 168 millions twitter IDs?


2. Why did stealth twitter botnet have been created with reserved ID?


3. Why was it done precisely in October 2013?


4. What were used 3 million accounts with 2.6 billion tweets for?


5. Why were 3 million accounts from 168 million reserved IDs enough?


6. How is botnet size related to the purpose for which it was created?