Topic: Kaspersky Warns: New Twitter worm spreads fake anti-virus "Security Shield"

[Samker]

Security software vendor Kaspersky today is warning Twitter users to be on the lookout for a new worm that's distributing malicious links that eventually redirects victims to a fake anti-virus software website.

Kaspersky Lab analyst Nicolas Brulez writes in an advisory posting that the fast-moving worm uses the "goo.gl" URL shortening service to distribute the offending links: http://www.securelist.com/en/blog/11136/New_Twitter_worm_redirects_to_Fake_AV

Shortened URLs, commonly embedded in the body of 140-character tweets, have become a favorite target of hackers who know that many people using the microblogging service are far more likely to click on a link in a tweet before thoroughly vetting the link.

"The redirection chain may push Twitter users to a fake anti-virus serving the 'Security Shield' rogue AV," Brulez said. "The webpage is using exactly the same obfuscation techniques as a previous version which is an implementation of RSA cryptography in JavaScript to obfuscate the page code."

Malicious links to scareware sites have become more and more common as hackers aggressively mine social networking platforms for personal information they can then use to create more authenticate-looking malware lures.

Once the worm has redirected Twitter users to the scareware site, the scam really takes flight. It informs the intended victim that his or her "machine is running suspicious applications" and prompts users to run a scan. The subsequent scan identifies alleged threats and advises users to click to remove the threats.

Of course, this move results in the download of the fake "Security Shield" application.

In September, a similar malware campaign derived from the "onMouseOver" Twitter worm infiltrated thousands of Twitter accounts, redirecting followers to malware-laden pornographic sites and spreading more malicious content throughout the Twitter community.

Kaspersky and other leading security software vendors continue to warn Twitter and Facebook users to exercise some judgment and caution while surfing around their favorite social networking sites.

"Bear in mind that clicking on random links may lead to severe infection of your machine," Brulez said.

(eS)

[bartblaze]

I've also made a blog post about this. You can find it at:
http://bartblaze.blogspot.com/2011/01/twitter-worm-spreading-virally.html

Cheers

[Samker]

I've also made a blog post about this. You can find it at:

http://bartblaze.blogspot.com/2011/01/twitter-worm-spreading-virally.html

Cheers

You provide even more info's and screenshoots... 

cya BB

[bartblaze]

Thanks Samker !

[krrjhn]

Thanks for you info. its amazing with screen shoots !!

[bartblaze]

Seems to be back in business. Be on the lookout people.

"m28sx" worm: back in business ?
http://bartblaze.blogspot.com/2011/02/m28sx-worm-back-in-business.html

[testuser]

Ahhh...that's a worm I posted about ages ago....nice to see that they have updated the graphics a bit.

[testuser]

If you want to see how the original attack looked go to the following video I made.

http://www.xyplex.org/attacksample/attack1-LargeFile.html

The video shows how a normal site, found via google, is hijacked and your browser is redirected to a different site.

I downloaded and saved the file the site was attempting to install and checked it with www.virustotal.com and it came back clean. It was definitely a Trojan as the file made some system changes to my VM test system and removed the executable to leave little physical trace.

The second video shows the fake site and the results from www.virustotal.com

http://www.xyplex.org/attacksample2/VirusSite.html

If anyone has an active link to a hijacked site please let me know as I would like to study and document the attack in more detail. The attackers are clever enough to record your IP and block you from accessing the site if you come back a second time within a short period.

[bartblaze]

Hi testuser, these kinds of attacks are still active as we speak.

The video demonstrates how the attack works, but I have 2 suggestions:
- obfuscate/hide the URL, users might unwillingly visit it
- show how you can easily end this type of attack (by killing your browser's process)

Attackers are also checking where you got redirected from, your browser agent, etc....

Nice video's !