Wednesday, August 6, 2008

Serious Spam

We've all seen the Twitter spammers, those people with weird Twitter names like Stella613 or MikeGravel832 who follow thousands and broadcast a single message multiple times. In fact, I've written about the spammers before and Twitter's efforts to control them. Unfortunately, Twitter spam and malware are turning a lot more sinister.

Adam Cohen told me about a site, Twitpwn, that is focused on logging all past and current vulnerabilities in Twitter. The guys at Twitpwn write about the potential for distributing malware via Twitter. Security experts at Kaspersky Labs have identified a malicious Twitter profile twitter.com/[skip]/ with a name that is Portuguese for ‘pretty rabbit’ which has a photo advertising a video with girls posted.
This profile has obviously been created especially for infecting users, as there is no other data except the photo, which contains the link to the video.
If you click on the link, you get a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. You end up with a file labeled Adobe Flash (it’s a fake) on your machine; a technique that is currently very popular.
In reality, this is a Trojan downloader that proceeds to download 10 banker Trojans onto the infected machine, all of which are disguised as MP3 files. We first detected the downloader proactively as Heur.Downloader and then added a signature to detect it also as Trojan-Downloader.Win32.Banload.sco.

News of the malware/virus profile has been spreading fast as it has been written about on Ars Technica, TechCrunch and The Register, but of course good Twitermaven readers don't go to those minor sites and only depend on the maven for news. :)