
Abstract

Costin Raiu, Kaspersky Lab
Morton Swimmer, Trend Micro
Rainer Link, Trend Micro
David Sancho, Trend Micro

Twitter is a web and mobile phone service that has become a major player in the social networking world over the last few years. Being so close to other services, it is hard to describe. It is not quite Instant Messaging, nor Tumblelogs, nor RSS feeds. It is not entirely a social network either, though it augments these. It normally provides 140 characters of unstructured space to broadcast a message to anyone who decides to listen. The listening can happen via Twitter's own website, via one of their APIs, or via SMS (mobile phones). In some ways, Twitter is replacing RSS feeds, while providing an RSS feed API to its streams. While Twitter does not impose any structure on those few characters, some order has been established by the users over time by using special syntax to denote things like other users, tags, or retransmissions (retweets).

Increasingly, Twitter interacts with other services. First and foremost, the lack of message space has made URL shorteners much more important than they were before. But other add-on services have been important, such as search, grouping, and tagging. The brilliance of Twitter was to resist closing off access by these add-ons and even embrace (or buy) them as they saw fit. However, Twitter's openness is also a problem.

There is nothing particularly evil about Twitter itself, but like any medium, it can be used for good as well as for bad. Society still has to sort out how a medium like Twitter should be used. However, we are more concerned with more direct attacks on the user or other malicious use of Twitter. We have seen the obvious CSRF and XSS attacks. Links in Twitter messages have pointed to malware or malicious sites. Malware has used Twitter as a command and control medium. All of this should not be surprising to security experts.

In a project we call Twarf, we are exploring more generic patterns of abuse. For instance, some attacks utilize the social nature of Twitter: someone posts a link he liked, someone else also likes it, so she retweets it, and so on. A recently observed attack piggybacks on this template and retweets a malicious link instead of the original. In our system, one component called WhiteTwarf collects and datamines for possible attacks, while another component called RedTwarf uses the generated patterns to detect attacks based on the templates that were found.
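The abstract describes two things in passing: the user-established syntax for mentions, tags and retweets, and a retweet-template attack in which the forwarded message keeps the original text but carries a different link. The following is an added illustration, not code from the Twarf project or its authors, of how a detector could check for that one pattern: it parses the old-style "RT @user:" syntax, indexes the links seen in original tweets, and flags retweets whose body matches an original but whose links do not. The sample tweets, the `Tweet` record layout and the matching heuristic (body text compared with URLs stripped and whitespace normalised) are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Twitter's user-established conventions, as described in the abstract.
MENTION_RE = re.compile(r'@(\w{1,15})')
HASHTAG_RE = re.compile(r'#(\w+)')
# Greedy "anything non-space" is good enough for the example; it will
# also swallow trailing punctuation in real data.
URL_RE = re.compile(r'https?://\S+')
# Old-style manual retweet: "RT @original_author: text".
RETWEET_RE = re.compile(r'^RT\s+@(\w{1,15}):?\s*(.*)$', re.S)


@dataclass
class Tweet:            # assumed record layout, not Twitter's API schema
    tweet_id: int
    author: str
    text: str


@dataclass
class Parsed:
    mentions: List[str]
    hashtags: List[str]
    urls: List[str]
    retweet_of: Optional[str]   # original author if this is an "RT @user" retweet
    body: str                   # text after the RT prefix, or the whole text


def parse_tweet(text: str) -> Parsed:
    """Extract mentions, tags, links and the retweet prefix from one message."""
    m = RETWEET_RE.match(text)
    retweet_of, body = (m.group(1), m.group(2)) if m else (None, text)
    return Parsed(MENTION_RE.findall(text), HASHTAG_RE.findall(text),
                  URL_RE.findall(text), retweet_of, body)


def normalise(body: str) -> str:
    """Drop links and collapse whitespace/case so bodies can be compared."""
    return ' '.join(URL_RE.sub('', body).split()).lower()


def find_link_swapped_retweets(tweets: List[Tweet]) -> List[Tuple[int, str, List[str]]]:
    """Return (tweet_id, original_author, unexpected_urls) for retweets whose
    text matches an original we have seen but whose links differ from it."""
    originals: Dict[Tuple[str, str], Set[str]] = {}
    for t in tweets:
        p = parse_tweet(t.text)
        if p.retweet_of is None:
            key = (t.author.lower(), normalise(p.body))
            originals.setdefault(key, set()).update(p.urls)

    findings = []
    for t in tweets:
        p = parse_tweet(t.text)
        if p.retweet_of is None:
            continue
        orig_urls = originals.get((p.retweet_of.lower(), normalise(p.body)))
        if orig_urls is None:
            continue            # original never seen: nothing to compare against
        swapped = set(p.urls) - orig_urls
        if swapped:
            findings.append((t.tweet_id, p.retweet_of, sorted(swapped)))
    return findings


# Constructed sample stream: one original, one faithful retweet, one retweet
# with the link replaced, and one retweet whose original we never saw.
SAMPLE_TWEETS = [
    Tweet(1, "alice", "Great writeup on sandbox escapes http://example.org/post #infosec"),
    Tweet(2, "bob", "RT @alice: Great writeup on sandbox escapes http://example.org/post #infosec"),
    Tweet(3, "mallory", "RT @alice: Great writeup on sandbox escapes http://evil.example/x #infosec"),
    Tweet(4, "carol", "RT @dave: check this out http://example.net/other"),
]


def run_sample() -> List[Tuple[int, str, List[str]]]:
    return find_link_swapped_retweets(SAMPLE_TWEETS)


if __name__ == "__main__":
    for tweet_id, original_author, urls in run_sample():
        print(f"tweet {tweet_id}: retweet of @{original_author} carries unexpected link(s) {urls}")
```

Only tweet 3 is reported: its body matches alice's original but its link does not. Tweet 4 is silently skipped because the detector has no original to compare against; a real deployment would have to decide whether unseen originals should be fetched or simply logged.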
