
In what appears to be a lone-gunman malware campaign -- where the malware spreader even left his email address within the binary -- the now-defunct Twitter malware campaign managed to attract only 69 followers before it was shut down, using a trivial approach for launching an XSS worm: cross-site request forgery (CSRF). More info:
"This week it's Twitter's turn to host an attack - one that is targeting both Twitter users and the Internet community at large. In this case it's a malicious Twitter profile twitter.com/[skip]/ with a name that is Portuguese for 'pretty rabbit' which has a photo advertising a video with girls posted. This profile has obviously been created especially for infecting users, as there is no other data except the photo, which contains the link to the video. If you click on the link, you get a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. You end up with a file labeled Adobe Flash (it's a fake) on your machine; a technique that is currently very popular."

Let's analyze the campaign before it was shut down. The original Twitter account, twitter.com/video_kelly_key, basically included a link to player-video-youtube.sytes.net (204.16.252.98), which used the URL shortening service fly2.ws/NilOMN3 to redirect to the banker malware located at freewebtown.com/construimagens/ Play-video-youtube.kelly-key.com. Its detection rate is as follows:
Scanners result: 14/36 (38.89%)
Detection: Trojan-Spy.Win32.Banker.caw
File size: 88064 bytes
MD5: 25600af502758ca992b9e7fff3739def
SHA1: 9262ca501ef388e0fe42c50a3d002ddbd6e254f2
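To show the redirect chain above from the analyst's side, here is an added Python example (not code from the original post) that walks a constructed hop table standing in for the live HTTP responses and flags the indicators seen in this campaign: a dynamic-DNS host, a URL-shortener hop, a free-hosting payload and an executable dressed up as Adobe Flash. The hostnames come from the post; the redirect status codes and the payload file name are assumptions.

```python
from urllib.parse import urlparse

# Constructed hop table: url -> (HTTP status, Location header or None).
# Hosts mirror the chain in the post; statuses and the file name are assumed.
HOPS = {
    "http://player-video-youtube.sytes.net/": (302, "http://fly2.ws/NilOMN3"),
    "http://fly2.ws/NilOMN3": (301, "http://freewebtown.com/construimagens/AdobeFlash.exe"),
    "http://freewebtown.com/construimagens/AdobeFlash.exe": (200, None),
}

DYNAMIC_DNS = {"sytes.net", "no-ip.org", "dyndns.org"}  # sytes.net is a No-IP dynamic-DNS zone
SHORTENERS = {"fly2.ws", "tinyurl.com", "bit.ly"}
FREE_HOSTING = {"freewebtown.com"}
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif")
REDIRECTS = {301, 302, 303, 307, 308}

def parent_domain(host):
    """Registered-domain approximation: last two labels of the host name."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def follow_chain(start, hops=HOPS, max_hops=10):
    """Follow Location headers in the hop table without ever fetching a payload."""
    chain, url = [start], start
    for _ in range(max_hops):
        status, location = hops.get(url, (200, None))
        if status not in REDIRECTS or not location:
            return chain
        url = location
        chain.append(url)
    raise ValueError("redirect loop or chain too long")

def analyze(start, hops=HOPS):
    """Return the resolved chain plus (indicator, value) findings and a simple score."""
    chain = follow_chain(start, hops)
    findings = []
    for url in chain:
        host = (urlparse(url).hostname or "").lower()
        if parent_domain(host) in DYNAMIC_DNS:
            findings.append(("dynamic_dns", host))
        if host in SHORTENERS:
            findings.append(("shortener", host))
        if host in FREE_HOSTING:
            findings.append(("free_hosting", host))
    path = urlparse(chain[-1]).path.lower()
    filename = path.rsplit("/", 1)[-1]
    if path.endswith(EXECUTABLE_EXT):
        findings.append(("executable_payload", filename))
        if "flash" in filename:  # the "new Adobe Flash" lure from the campaign
            findings.append(("fake_flash_lure", filename))
    return {"chain": chain, "findings": findings, "score": len(findings)}
```

Each hop is resolved from the table only, so the same logic can be fed recorded Location headers from a sandbox or proxy log rather than live requests.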

Twitter isn't an exception to the realistic potential for XSS worms through CSRF, which could affect each and every Web 2.0 service. As a matter of fact, they have all suffered such attempts: Orkut, MySpace (as well as the QuickTime XSS flaw), GaiaOnline, Hi5, and most recently the XSS worm at Justin.tv. These demonstrate that trivial vulnerabilities come in handy for what can turn into a major security incident if not taken care of promptly.