In an analysis of current variants of the malware, Dr. Web’s team found that the Trojan initially configured with a list of servers through which it can receive additional commands and configuration updates. If the malware doesn’t get a correct response from one of the control servers in its own internal generated list, it will search Twitter for posts containing a string of text generated from the current date, and look for a control server address embedded in the posts. “For example, some Trojan versions generate a string of the ‘rgdgkpshxeoa’ format for the date 04.13.2012,” the Dr. Web team wrote in their blog post. “If the Trojan manages to find aTwitter message containing bumpbegin and endbump tags enclosing a control server address, it will be used as a domain name.”"
Link to Original Source