Discovery of the Twitter Bursty Botnet

TL;DR

This paper uncovers a new large-scale Twitter botnet characterized by bursty creation and activity patterns, which evade traditional detection methods and were linked to a significant spam attack.

Contribution

It introduces the discovery of the Bursty botnet and highlights a novel detection approach based on unusual tweeting behaviors rather than common bot features.

Findings

Discovered a large Twitter botnet with over 500,000 bots.

Identified bursty creation and activity patterns as key indicators.

Linked the botnet to a major spam attack in 2012.

Abstract

Many Twitter users are bots. They can be used for spamming, opinion manipulation and online fraud. Recently we discovered the Star Wars botnet, consisting of more than 350,000 bots tweeting random quotations exclusively from Star Wars novels. The bots were exposed because they tweeted uniformly from any location within two rectangle-shaped geographic zones covering Europe and the USA, including sea and desert areas in the zones. In this paper, we report another unusual behaviour of the Star Wars bots, that the bots were created in bursts or batches, and they only tweeted in their first few minutes since creation. Inspired by this observation, we discovered an even larger Twitter botnet, the Bursty botnet with more than 500,000 bots. Our preliminary study showed that the Bursty botnet was directly responsible for a large-scale online spamming attack in 2012. Most bot detection algorithms have been based on assumptions of `common' features that were supposedly shared by all bots. Our discovered botnets, however, do not show many of those features; instead, they were detected by their distinct, unusual tweeting behaviours that were unknown until now.