Twitter patches script injection exploit

Published on 22 September 2010 in Patches, Social Networks


Twitter has moved quickly to patch an exploit in its new URL wrapping service which allowed users to inject executable JavaScript code into their tweets.

Basically, when you place a URL in a Tweet, Twitter takes the link and automatically formats it, but the link submitted by the user was not sanitised for security purposes – in particular, any included quotes were not removed.

Before the patch, users were able to add onmouseover events which triggered JavaScript to be executed when a mouse hovered over a user's Tweet – and do things like pop up annoying messages on the screen or automatically fill out the status field and post a Tweet.

Luckily Twitter has patched this exploit before it was discovered by cyber criminals and used as a means to mass distribute malware.
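The flaw described above, shown as a vulnerable link formatter beside a hardened one. This is an added example, not Twitter's code; the function names and the sample tweet are constructed for illustration.

```javascript
// Constructed sample: a "URL" that carries a double quote and an event handler.
const SAMPLE = 'look http://example.test/"onmouseover="demo()"/ ok';
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable: the matched text is placed inside href="..." verbatim, so a
// quote in it closes the attribute and the remainder becomes new attributes.
function linkifyUnsafe(text) {
  return text.replace(URL_RE, (u) => `<a href="${u}">${u}</a>`);
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Render one candidate URL: parse it, allow only http(s), and HTML-escape
// both the attribute value and the visible link text.
function renderLink(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return escapeHtml(candidate); // not a valid URL: show as plain text
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return escapeHtml(candidate);
  }
  // parsed.href is the re-serialised URL; quotes in the path become %22.
  return `<a href="${escapeHtml(parsed.href)}" rel="nofollow noopener">` +
         `${escapeHtml(candidate)}</a>`;
}

// Hardened: everything that is not a link is escaped as text, and every
// link goes through renderLink.
function linkifySafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index)) + renderLink(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}
```

Escaping at output time is what closes the hole; parsing the URL first also rejects non-http(s) schemes.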


Due to Twitter’s announcement regarding outbound links, third party developers were forced to notify their users of how the changes would affect their own software. Naturally, cyber criminals wasted no time trying to exploit this activity, sending out their own tweets with the exact same content, only their URLs contained links to malicious software disguised as a TweetDeck installer named tweetdeck-08302010.exe.

TweetDeck was quick to warn their users of the threat, and the irony is of course that this is the type of behaviour Twitter is trying to combat with the announced changes.

[Source: Trend Labs]


Twitter URL wrapping

Published on 03 September 2010 in Blog, Industry News, Social Networks


Twitter has announced it will be rolling out its URL wrapping service, first outlined back in June. The new service, called t.co, will not be used as a URL shortening service; rather, it will wrap all outbound links with a new simplified t.co link.

According to Twitter, the new links will be easier to read with part of the actual domain showing in the tweet so that users know what they are clicking on.

Wrapped links are displayed in a way that is easier to read, with the actual domain and part of the URL showing, so that you know what you are clicking on. When you click on a wrapped link, your request will pass through the Twitter service to check if the destination site is known to contain malware, and we then will forward you on to the destination URL. All of that should happen in an instant.

The new service will be available immediately in accounts that have opted in and is expected to be live on all accounts by year's end.


Advanced threats researcher Jonell Baltazar recently spotted an instant message that contains a link to a malicious page.

The use of instant messages to spread malware is no longer new; neither is the use of URL shorteners. What is somewhat unusual is how these URL shorteners were used.

The URL shortener used in this attack, ow.ly, shortens long URLs using the format http://ow.ly/(5 alphanumeric characters). Note that the spammed URL was padded with the query string ?=www.facebook.com/photo.php. This can lead users to believe that they are going to a Facebook page to see a picture, as the instant message says. Unwitting users, failing to see the entire URL, are led to believe that they will land on a Facebook page instead of a malicious page.

Users should always exercise caution in clicking strange links, regardless of source—social media, email messages, or instant messages.

The malicious link downloads a worm detected by Trend Micro as WORM_YIMBOT.A. Smart Protection Network™ already protects Trend Micro product users from this attack. In addition, the site the shortened link targets has also been blocked.


The infamous KOOBFACE botnet is sending direct messages (DMs) on Facebook. If this sounds familiar… it should be, as this tactic was previously discussed here in the Malware Blog back in March.

The hook is somewhat similar to a ZBOT attack also spotted in March. That attack claimed that someone posted pictures of the user; this one uses a video instead. The text and link in the message are:

Someobdy uplaod a vdieo wtih you on utbue. you shuold see.

http://www.facebook.com/l/ae2d7CYBUtLFPs-LAKPMtRXKpBA;www.{BLOCKED}rotherz.ca./19mai/”

As is frequently the case in these kinds of attack, the English used in the message is comically bad. The URL, however, is somewhat disguised—the first domain name the user sees belongs to Facebook. This is because the link does legitimately go to Facebook first. Any URL with the format http://www.facebook.com/l/{random character};{redirected URL} brings up the Facebook preview page for external links. Apparently, cybercriminals are betting that users will ignore the warnings and proceed to their site anyway.

If users do go on to visit the malicious site, this is what they see:


This malicious site is actually hosted on multiple IP addresses (from Facebook, users go to a redirection script that points them to different IP addresses). They all have a common payload though—a new KOOBFACE variant detected as WORM_KOOBFACE.IC. (The script that redirects users to the various KOOBFACE hosting pages is detected as JS_REDIR.EB.)

Like many previous KOOBFACE variants, this is used to download malware onto the user’s system. At least one of these—TROJ_JORIK.D—installs what appears to be a webserver, possibly restarting the KOOBFACE infection chain.

Trend Micro™ product users should not worry, however, as Smart Protection Network™ protects them from this attack by blocking access to the malicious sites through Web reputation service and by preventing the download of the related malicious files through file reputation service.
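Both link disguises described on this page, the ow.ly link padded with a Facebook-looking query string and the Facebook `/l/{random character};{redirected URL}` preview link, can be unmasked by reporting the host a link really resolves to. The check below is an added example, not Trend Micro's or Facebook's code; the watch list, function names and sample links are assumptions constructed for illustration.

```javascript
// Assumed watch list of brand domains that lures like to imitate.
const WATCHLIST = new Set(['facebook.com', 'twitter.com', 'youtube.com']);
const HOSTLIKE = /(?:[a-z0-9-]+\.)+[a-z]{2,}/gi;

// Naive "last two labels" reduction; production code should use the
// Public Suffix List instead.
function baseDomain(host) {
  return host.toLowerCase().replace(/\.$/, '').split('.').slice(-2).join('.');
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

function inspectLink(raw) {
  const url = new URL(raw);
  const host = baseDomain(url.hostname);
  const report = { host, redirectTarget: null, decoys: [] };

  // Facebook external-link preview format: /l/{token};{redirected URL}
  const m = /^\/l\/[^;\/]+;(.+)$/.exec(safeDecode(url.pathname));
  if (host === 'facebook.com' && m) {
    const target = m[1].replace(/^[a-z]+:\/\//i, '').split(/[\/?#]/)[0];
    report.redirectTarget = baseDomain(target);
  }

  // Watch-listed names that appear after the host but are not the host.
  const tail = safeDecode(url.pathname + url.search + url.hash);
  for (const token of tail.match(HOSTLIKE) || []) {
    const d = baseDomain(token);
    if (WATCHLIST.has(d) && d !== host && !report.decoys.includes(d)) {
      report.decoys.push(d);
    }
  }
  return report;
}

// One-line summary suitable for showing next to a link before it is clicked.
function verdict(raw) {
  const r = inspectLink(raw);
  if (r.redirectTarget && r.redirectTarget !== r.host) {
    return `redirects to ${r.redirectTarget}`;
  }
  if (r.decoys.length) return `host is ${r.host}, not ${r.decoys.join(', ')}`;
  return `host is ${r.host}`;
}
```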
