Author Topic: Kaspersky Warns: New Twitter worm spreads fake anti-virus "Security Shield"  (Read 12109 times)


Samker


Security software vendor Kaspersky today is warning Twitter users to be on the lookout for a new worm that's distributing malicious links that eventually redirect victims to a fake anti-virus software website.

Kaspersky Lab analyst Nicolas Brulez writes in an advisory posting that the fast-moving worm uses the "goo.gl" URL shortening service to distribute the offending links: http://www.securelist.com/en/blog/11136/New_Twitter_worm_redirects_to_Fake_AV

Shortened URLs, commonly embedded in the body of 140-character tweets, have become a favorite target of hackers who know that many people using the microblogging service are far more likely to click on a link in a tweet before thoroughly vetting the link.

"The redirection chain may push Twitter users to a fake anti-virus serving the 'Security Shield' rogue AV," Brulez said. "The webpage is using exactly the same obfuscation techniques as a previous version which is an implementation of RSA cryptography in JavaScript to obfuscate the page code."

Malicious links to scareware sites have become more and more common as hackers aggressively mine social networking platforms for personal information they can then use to create more authentic-looking malware lures.

Once the worm has redirected Twitter users to the scareware site, the scam really takes flight. It informs the intended victim that his or her "machine is running suspicious applications" and prompts users to run a scan. The subsequent scan identifies alleged threats and advises users to click to remove the threats.

Of course, this move results in the download of the fake "Security Shield" application.

In September, a similar malware campaign derived from the "onMouseOver" Twitter worm infiltrated thousands of Twitter accounts, redirecting followers to malware-laden pornographic sites and spreading more malicious content throughout the Twitter community.

Kaspersky and other leading security software vendors continue to warn Twitter and Facebook users to exercise some judgment and caution while surfing around their favorite social networking sites.

"Bear in mind that clicking on random links may lead to severe infection of your machine," Brulez said.

(eS)

Samker's Computer Forum - SCforum.info


bartblaze

I've also made a blog post about this. You can find it at:
http://bartblaze.blogspot.com/2011/01/twitter-worm-spreading-virally.html

Cheers ;)
Feel free to follow me on Twitter: bartblaze

My weblog: http://bartblaze.blogspot.com/

Samker

> I've also made a blog post about this. You can find it at:
> http://bartblaze.blogspot.com/2011/01/twitter-worm-spreading-virally.html
> Cheers ;)

You provide even more info and screenshots...  :thumbsup:

cya BB

bartblaze

Thanks Samker :) !

krrjhn

Thanks for your info. It's amazing with screenshots!!



bartblaze

Seems to be back in business. Be on the lookout people.

"m28sx" worm: back in business ?
http://bartblaze.blogspot.com/2011/02/m28sx-worm-back-in-business.html

testuser

Ahhh...that's a worm I posted about ages ago....nice to see that they have updated the graphics a bit.

testuser

If you want to see how the original attack looked go to the following video I made.

http://www.xyplex.org/attacksample/attack1-LargeFile.html

The video shows how a normal site, found via Google, is hijacked and your browser is redirected to a different site.

I downloaded and saved the file the site was attempting to install and checked it with www.virustotal.com and it came back clean. It was definitely a Trojan as the file made some system changes to my VM test system and removed the executable to leave little physical trace.

The second video shows the fake site and the results from www.virustotal.com

http://www.xyplex.org/attacksample2/VirusSite.html

If anyone has an active link to a hijacked site please let me know as I would like to study and document the attack in more detail. The attackers are clever enough to record your IP and block you from accessing the site if you come back a second time within a short period.

bartblaze

Hi testuser, these kinds of attacks are still active as we speak.

The video demonstrates how the attack works, but I have 2 suggestions:
- obfuscate/hide the URL, users might unwillingly visit it
- show how you can easily end this type of attack (by killing your browser's process)

Attackers are also checking where you got redirected from, your browser agent, etc....

Nice videos!
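An added example for this thread (not code from Kaspersky, bartblaze, testuser or the forum) that covers two points raised above: expanding the goo.gl-style shortened links from the first post one hop at a time instead of letting a browser follow them, and replaying the Referer and User-Agent that bartblaze says the attackers check, so a redirector that hands a bare request a harmless page can still be mapped to the rogue AV landing page. The HTTP layer is injected so the script runs offline; `demo_fetch`, the hosts in it (`redirector.example`, `fakeav.example`), the sample tweet and the browser User-Agent string are all constructed, and the shortener list is an assumption.

```python
"""Map a shortened-link redirect chain hop by hop, replaying the headers a
victim's browser would send, and compare it with what a bare request gets.

Added example for this thread; not code from Kaspersky, bartblaze, testuser
or the forum. demo_fetch and every host in it are constructed stand-ins.
"""
import re
from urllib.parse import urljoin, urlparse

# Assumption: links on these hosts are "expand before trusting".
SHORTENERS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
# Constructed browser User-Agent used when replaying a victim's request.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_shortener(url):
    return urlparse(url).hostname in SHORTENERS


def shortened_links(tweet_text):
    """Return the shortened URLs embedded in a tweet's text."""
    return [u for u in URL_RE.findall(tweet_text) if is_shortener(u)]


def follow_chain(url, fetch, referer=None, user_agent=None, max_hops=10):
    """Walk redirects manually. fetch(url, headers) -> (status, headers, body)
    and must NOT follow redirects on its own. Returns (hops, status, body).

    Browsers keep the original Referer across HTTP redirects, so it is set
    once here and not replaced by the intermediate hops."""
    headers = {}
    if referer:
        headers["Referer"] = referer
    if user_agent:
        headers["User-Agent"] = user_agent
    hops = [url]
    for _ in range(max_hops):
        status, resp_headers, body = fetch(hops[-1], dict(headers))
        location = resp_headers.get("Location")
        if status in REDIRECT_CODES and location:
            nxt = urljoin(hops[-1], location)  # Location may be relative
            if nxt in hops:
                raise RuntimeError("redirect loop at " + nxt)
            hops.append(nxt)
            continue
        return hops, status, body
    raise RuntimeError("more than %d hops; giving up" % max_hops)


def detect_cloaking(url, fetch, referer="http://twitter.com/"):
    """Resolve the chain twice: bare (what a curious analyst sends) and as a
    Twitter-referred browser (what a victim sends). Different landing pages
    mean the redirector is gating on Referer / User-Agent."""
    plain_hops, _, _ = follow_chain(url, fetch)
    victim_hops, _, _ = follow_chain(url, fetch, referer=referer,
                                     user_agent=BROWSER_UA)
    return {
        "plain_final": plain_hops[-1],
        "victim_final": victim_hops[-1],
        "victim_hops": victim_hops,
        "cloaked": plain_hops[-1] != victim_hops[-1],
    }


def demo_fetch(url, headers):
    """Constructed offline stand-in for a cloaked redirect chain."""
    parsed = urlparse(url)
    if parsed.hostname == "goo.gl":
        return 301, {"Location": "http://redirector.example/go"}, b""
    if parsed.hostname == "redirector.example":
        # Gate modelled on the thread: only Twitter referrals from a browser
        # are sent on to the rogue AV page; everyone else gets a blank page.
        if ("twitter.com" in headers.get("Referer", "")
                and headers.get("User-Agent", "").startswith("Mozilla/")):
            return 302, {"Location": "http://fakeav.example/"}, b""
        return 200, {}, b"<html><body>nothing here</body></html>"
    if parsed.hostname == "fakeav.example":
        if parsed.path == "/scan.html":
            return 200, {}, b"<html>Your machine is running suspicious applications</html>"
        return 302, {"Location": "/scan.html"}, b""  # relative Location
    return 404, {}, b""


if __name__ == "__main__":
    tweet = "lol look at this http://goo.gl/abc123"  # constructed tweet
    for link in shortened_links(tweet):
        verdict = detect_cloaking(link, demo_fetch)
        print(link, "->", " -> ".join(verdict["victim_hops"]))
        print("bare request lands on:", verdict["plain_final"])
        print("cloaked:", verdict["cloaked"])
```

To use it live, pass a fetcher that does not follow redirects itself (for example one built on `requests.get(url, headers=headers, allow_redirects=False)`) and run it from a disposable VM: as testuser notes, the redirector may record your IP and refuse a second visit within a short period, so each replay may cost a source address.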
