Archive for June 24th, 2009


Jun24
by Jonathan Leopando (Technical Communications)

Earlier today Rik Ferguson at the Countermeasures blog posted about a new malware threat that came from Twitter. The details are at his post but the short version is as follows:

Somehow, the Twitter account of noted venture capitalist and writer/columnist Guy Kawasaki was hacked into posting a malicious tweet/update (see Figure 1). It came with a link that claimed to lead to a free download of the latest Hollywood sex tape, one belonging to Leighton Meester, an actress from the TV series Gossip Girl. While the tape may be real and quite timely, the link was not: after making the user jump through a few hoops, it ends with the user being asked to download not the sex tape but malware.

Figure 1: the malicious tweet posted from Guy Kawasaki's account (screenshot not reproduced)

If this all sounds a little familiar, it should be. It has been said that sex sells, and, in this case, it does so particularly well. In addition, because it was seen on the Twitter feed of a fairly reputable person—Guy Kawasaki—people would think it wasn’t necessarily malicious.

Somewhat uniquely, both Mac and Windows users are affected by this threat. Mac users automatically download OSX_JAHLAV.B while visiting the malicious sites. This arrives as ActiveXsetup.dmg, a disk image file that contains an INSTALL.PKG file, which in turn contains the preinstall and preupgrade scripts, both detected as UNIX_JAHLAV.B. Executing the INSTALL.PKG file displays a message prompting the user to click Continue to finish installing the "software" (in fact the malware); meanwhile it connects to a certain IP address to download and execute an additional Perl script in the background. This script changes the DNS settings of the system; as a result, users may be redirected to malicious websites when they think they are going to perfectly innocent ones.
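The two mechanisms described above, installer scripts that run during package installation and a script that silently rewrites the system's DNS resolvers, are both things an administrator can check for. The following Python example is added here and is not Trend Micro's code or part of the original post. It assumes the standard Apple Installer script names (preflight, preinstall, preupgrade, postflight, postinstall, postupgrade), the layout of an unpacked bundle package or `pkgutil --expand-full` output, the line format of `scutil --dns` output, and an invented site policy for which resolver networks are expected; the package tree and the `scutil --dns` text it operates on are constructed samples using TEST-NET addresses, not the real malware.

```python
import os
import re
import tempfile
from ipaddress import ip_address, ip_network

# Installer script names that Apple's Installer runs with elevated privileges
# (assumption: the standard names; bundle packages keep them under Contents/Resources).
INSTALLER_SCRIPT_NAMES = {
    "preflight", "preinstall", "preupgrade",
    "postflight", "postinstall", "postupgrade",
}


def list_installer_scripts(package_dir):
    """Walk an unpacked .pkg (bundle package, or `pkgutil --expand-full` output)
    and return the relative paths of any installer scripts it carries."""
    found = []
    for root, _dirs, files in os.walk(package_dir):
        for name in files:
            if name in INSTALLER_SCRIPT_NAMES:
                found.append(os.path.relpath(os.path.join(root, name), package_dir))
    return sorted(found)


def build_sample_package():
    """Constructed stand-in for the INSTALL.PKG layout described in the post
    (a bundle package carrying preinstall and preupgrade). Not the real sample."""
    base = tempfile.mkdtemp(prefix="install_pkg_")
    resources = os.path.join(base, "Contents", "Resources")
    os.makedirs(resources)
    for script in ("preinstall", "preupgrade"):
        with open(os.path.join(resources, script), "w") as fh:
            fh.write("#!/bin/sh\n# constructed placeholder, does nothing\n")
    with open(os.path.join(base, "Contents", "Info.plist"), "w") as fh:
        fh.write("<plist/>\n")
    return base


# Matches lines such as "  nameserver[0] : 192.168.1.1" in `scutil --dns` output.
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)\s*$")


def parse_scutil_dns(output):
    """Return the unique nameserver addresses in `scutil --dns` output, in order."""
    seen = []
    for line in output.splitlines():
        match = NAMESERVER_RE.match(line)
        if match and match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def unexpected_resolvers(output, allowed_networks):
    """Resolvers outside the networks an administrator expects (LAN router,
    the organisation's own DNS). A DNS-changing trojan shows up here."""
    nets = [ip_network(n) for n in allowed_networks]
    flagged = []
    for addr in parse_scutil_dns(output):
        try:
            ip = ip_address(addr)
        except ValueError:
            flagged.append(addr)  # not even a valid address: flag it
            continue
        if not any(ip in net for net in nets):
            flagged.append(addr)
    return flagged


# Constructed sample `scutil --dns` output: one legitimate LAN resolver plus two
# resolvers inserted behind the user's back. 203.0.113.0/24 is TEST-NET-3.
SAMPLE_SCUTIL_OUTPUT = """DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.10
  nameserver[2] : 203.0.113.11
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.10
  if_index : 4 (en0)
"""

ALLOWED_DNS_NETWORKS = ["192.168.1.0/24", "10.0.0.0/8"]  # assumed site policy


if __name__ == "__main__":
    # On a real Mac: output = subprocess.check_output(["scutil", "--dns"], text=True)
    print("installer scripts:", list_installer_scripts(build_sample_package()))
    print("unexpected resolvers:",
          unexpected_resolvers(SAMPLE_SCUTIL_OUTPUT, ALLOWED_DNS_NETWORKS))
```

Listing the installer scripts before clicking Continue tells you what the package will run as root; comparing the live resolver list against a known-good allowlist catches the post-installation DNS change, which is the part of this infection that keeps doing damage after the installer window is long gone.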

Windows users, on the other hand, download TROJ_JAHLAV.B. As with its OS X counterpart, this can be unknowingly downloaded by users while visiting the malicious sites. And like the former, it displays a graphical user interface (GUI) to hide its execution, which is triggered by clicking any button. It then connects to a site from which it downloads TROJ_ALUREON.AME, which carries out the malicious routines on the affected system.

Fortunately, through the Trend Micro Smart Protection Network, all the malicious sites are blocked and all related malware is detected.

Users should always be careful about the sites they visit, even if the link comes from a "safe" source, lest they suffer the same fate as the proverbial curious cat.

Updates as of 24 June 2009, 9:00 PM

Mr. Kawasaki denies that his Twitter account was hacked, and instead says that the page or feed he pointed to was the one hacked. He stated this in a later Twitter post.

Hacked or not, the fact still remains that malicious files are being distributed through the link in the post. Below is a screenshot of the obfuscated bash script from OSX_JAHLAV.B which contains the malicious code:

Screenshot: the obfuscated bash script from OSX_JAHLAV.B (image not reproduced)

Here are screenshots which show how Trend Micro Smart Surfing for Mac blocks the website, and how it detects the malware in real time if "Web Reputation" is disabled:

Screenshots: Trend Micro Smart Surfing for Mac blocking the website, and detecting the malware (images not reproduced)



Jun24
by Ryan Flores (Advanced Threats Researcher)

While testing some Google searches, I came across an interesting result searching for Cialis, a popular anti-erectile dysfunction drug commonly sold by dubious online resellers. The fourth Google result returned a forum for Silverlight, a programmable web browser plugin by Microsoft (Figure 1). Interested, I clicked on the link and found an interesting post.

Figure 1: the Google search results for Cialis, and the Silverlight forum post (screenshots not reproduced)

This doesn't really look like med spam, since everything is just a plain text advertisement with no "Buy Now" or "Click this link", but it is close to being med spam, probably a failed attempt to create one on the Silverlight forum website. So I kept on looking and found other Silverlight forum members peddling Cialis and other drugs, and this time, successfully creating a med spam site on the Silverlight site.

Screenshots: med spam profile pages hosted on the Silverlight forum (images not reproduced)

I found around fifty of these med spam pages hosted for free by Silverlight, all of which are supposed to be profile pages of Silverlight Community members, but were crafted by the "member" to advertise med spam.

More troubling is that this doesn't end with med spam. Some spam profiles lead to fake anti-virus programs. Several "RedTube" profiles (supposedly porn video streaming) link to a site which tells you to "download the Tube Video player to play this video".

Screenshots: the "RedTube" spam profiles and the "Tube Video player" download prompt (images not reproduced)

The downloaded file install.exe is actually a fake AV detected as TROJ_FAKEAV.ODN.

We've alerted Microsoft to this abuse. We are hoping that the spam posts will be deleted as soon as possible. Meanwhile, the Trend Micro Smart Protection Network provides users complete protection against this threat.



© Copyright 2009 Trend Micro Inc. All rights reserved.