Trend Micro Malware Blog

Archive for June, 2009

Earlier today Rik Ferguson at the Countermeasures blog posted about a new malware threat spreading via Twitter. The details are in his post, but the short version is as follows:

Somehow, the Twitter account of noted venture capitalist and writer/columnist Guy Kawasaki was hacked into posting a malicious tweet (see Figure 1). The tweet carried a link that claimed to lead to a free download of the latest Hollywood sex tape, this one belonging to Gossip Girl actress Leighton Meester. While the tape may be real and quite timely, the link was not: after making the user jump through a few hoops, it ends up asking him or her to download not the sex tape but malware.


If this all sounds a little familiar, it should. It has been said that sex sells, and in this case it does so particularly well. In addition, because the link appeared on the Twitter feed of a fairly reputable person, Guy Kawasaki, people would assume it was not malicious.

Somewhat uniquely, both Mac and Windows users are affected by this threat. Mac users visiting the malicious sites automatically download OSX_JAHLAV.B, which arrives as ActiveXsetup.dmg, a disk image containing an INSTALL.PKG package. The package carries preinstall and preupgrade scripts, both detected as UNIX_JAHLAV.B. Opening INSTALL.PKG displays a message prompting the user to click Continue to finish installing the "software" (malware, rather); in the background the package scripts connect to a certain IP address to download and execute an additional Perl script. This script changes the system's DNS settings, so users may be redirected to malicious websites when they think they are going to perfectly innocent ones.
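A DNS changer leaves a very visible trace: resolver addresses that nobody configured. The following check, an added example that is not part of the original post or Trend Micro's tooling, parses resolv.conf-style text or the one-address-per-line output of `networksetup -getdnsservers <service>` / `scutil --dns` on a Mac and reports any resolver outside an allow-list. The sample file and the allow-list are constructed; 203.0.113.0/24 is a documentation range standing in for whatever server the malware points the system at.

```python
"""Check a host's configured DNS resolvers against an allow-list.

Added example, not from the original post or Trend Micro. Feed it the text of
/etc/resolv.conf, or the output of `networksetup -getdnsservers <service>` or
`scutil --dns` on a Mac; the sample text and allow-list below are constructed.
"""
import ipaddress
import re

# Runs of characters that could form an IPv4 or IPv6 literal; anything that is
# not a valid address (words, counters, hex flags) is discarded below.
_CANDIDATE = re.compile(r"[0-9a-fA-F:.]+")


def parse_resolvers(text):
    """Return the distinct IP addresses named as resolvers in resolv.conf-style
    text or in one-address-per-line tool output (e.g. 'nameserver[0] : 1.2.3.4')."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        for token in _CANDIDATE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue
            if addr not in found:
                found.append(addr)
    return found


def unexpected_resolvers(text, allowed):
    """Return, as strings, every resolver in `text` that falls outside the
    allowed addresses/networks (strings such as '192.168.1.1' or '10.0.0.0/8')."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    return [str(a) for a in parse_resolvers(text)
            if not any(a in n for n in nets)]


# Constructed sample: a home LAN whose DHCP-supplied resolver has been joined by
# two rogue servers (203.0.113.0/24 is a documentation range, not a real attacker).
SAMPLE_RESOLV_CONF = """\
domain home.lan
nameserver 203.0.113.7
nameserver 203.0.113.8
nameserver 192.168.1.1
"""

# Constructed allow-list: the only resolvers this network should ever use.
EXPECTED = ["192.168.0.0/16", "10.0.0.0/8"]

if __name__ == "__main__":
    rogue = unexpected_resolvers(SAMPLE_RESOLV_CONF, EXPECTED)
    print("rogue resolvers:", rogue or "none")
```

On a real host the allow-list should be the resolvers your DHCP server or configuration management actually hands out; a public resolver that nobody chose is the tell-tale sign, whether the malware wrote it into resolv.conf or into the network service's DNS settings.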

Windows users, on the other hand, download TROJ_JAHLAV.B. As with its OS X counterpart, this can be unknowingly downloaded while visiting the malicious sites, and like the former it displays a graphical user interface (GUI) to hide its execution; clicking any button triggers it. It then connects to a site from which it downloads TROJ_ALUREON.AME, which carries out the malicious routines on the affected system.

Fortunately, the Trend Micro Smart Protection Network blocks all the malicious sites and detects all related malware.

Users should always be careful about the sites they visit, even when the link comes from a "safe" source, lest they suffer the same fate as the proverbial curious cat.

    Updates as of 24 June 2009, 9:00 PM

Mr. Kawasaki denies that his Twitter account was hacked and says instead that the page or feed he pointed to was the one hacked, as stated in a later post on Twitter.

Hacked or not, the fact remains that malicious files are being distributed through the link in the post. Below is a screenshot of the obfuscated bash script from OSX_JAHLAV.B that contains the malicious code:


    Here are screenshots which show how Trend Micro Smart Surfing for Mac blocks the website and detects the malware in real-time, if “Web Reputation” is disabled:




While testing some Google searches, I came across an interesting result when searching for Cialis, a popular erectile dysfunction drug commonly sold by dubious online resellers. The fourth Google result was a forum for Silverlight, Microsoft's programmable web browser plug-in (Figure 1). Curious, I clicked the link and found an interesting post.


This doesn't really look like med spam, since it is just a plain-text advertisement with no Buy Now or Click this link, but it comes close, and is probably a failed attempt to create med spam on the Silverlight forum website. So I kept looking and found other Silverlight forum members peddling Cialis and other drugs, this time successfully creating med spam pages on the Silverlight site.


I found around fifty of these med spam pages hosted for free by Silverlight, all supposedly profile pages of Silverlight Community members but crafted by the "member" to advertise med spam.

More troubling is that this doesn't end with med spam. Some spam profiles lead to fake antivirus programs. Several "RedTube" profiles (supposedly porn video streaming) link to a site that asks you to "download the Tube Video player to play this video".


The downloaded file, install.exe, is actually a fake AV, detected as TROJ_FAKEAV.ODN.

We have alerted Microsoft to this abuse and hope the spam posts will be deleted as soon as possible. Meanwhile, the Trend Micro Smart Protection Network protects users against this threat.



All Feedback Is Good Feedback

In our recently published white paper on Pushdo we noted that the malware used a certain string as part of its encryption routine:

    Poshel-ka ti na hui drug aver

This string roughly translates to "Screw you, my friend Aver" (it is actually a lot less polite than that, but you get the idea). We theorized that Aver could refer to a certain computer hardware reseller based in Moscow, but one of our peers at Kaspersky pointed out that the word could mean "AVer", slang used mainly on English-language virus-writing forums for an AV researcher.

    Doh!

This is not the first time malware writers have left hidden messages that are only revealed during reverse engineering. My personal favorite is from a sample of the WORM_RINBOT family, which included a message for a fellow AV researcher after he assigned the name RINBOT to the malware family instead of the criminal gang's preferred name:

    Dear Symantec:
    For years I have longed for just one thing,
    to make malware with just the right sting,
    you detected my creation and got my domains killed,
    but I will not stop,
    I can rebuild.

    P.S. F*** you a**holes, especially Stephen Doherty who is the biggest f****t I know of.

The Rinbot authors were particularly well known for getting frustrated at antivirus companies for detecting their creations (ironically, detection was made easier by all those nice messages they included, which we could use in malware signatures). They were fairly generous in distributing their pent-up annoyance to everyone from SANS to CNN. In particular, they really disliked people refusing to name their malware as they had intended.
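The irony in the paragraph above is easy to show in code. The following is an added example, not Trend Micro's detection logic: it pulls printable strings out of a binary the way `strings` does and matches them against a signature table built only from the messages quoted in this post (the family labels are the post's own detection names). The sample blob is constructed.

```python
"""Pull printable strings out of a binary and match them against known taunt
strings, the way the post describes using such messages in signatures.

Added example, not Trend Micro's detection logic; the signature table is built
only from the messages quoted in the post, and the sample blob is constructed.
"""
import re

SIGNATURES = {
    "PUSHDO":      [b"Poshel-ka ti na hui drug aver"],
    "WORM_RINBOT": [b"Dear Symantec:", b"I can rebuild"],
    "WORM_MYDOOM": [b"The 11th of march is the skynet day"],
}


def extract_strings(blob, min_len=4):
    """Like `strings -n MIN_LEN`: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0) for m in re.finditer(pattern, blob)]


def match_signatures(blob, signatures=SIGNATURES):
    """Return {family: matched strings} for every family whose strings all occur in blob.

    Requiring every string of a family to be present keeps a single common
    phrase from producing a false positive."""
    found = extract_strings(blob)
    hits = {}
    for family, needles in signatures.items():
        matched = [n for n in needles if any(n in s for s in found)]
        if matched and len(matched) == len(needles):
            hits[family] = matched
    return hits


# Constructed blob: junk bytes around the Pushdo string, plus a lone
# "Dear Symantec:" that must not be enough to claim a Rinbot match.
SAMPLE_BLOB = (b"MZ\x90\x00\x03\x00" + b"\x00" * 16
               + b"Poshel-ka ti na hui drug aver\x00"
               + b"\xde\xad\xbe\xef" + b"Dear Symantec:\x00")

if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BLOB):
        print(s.decode("ascii"))
    print(match_signatures(SAMPLE_BLOB))
```

Plain-string signatures like these are brittle by design: the moment the authors encrypt or drop the message, the match is gone, which is exactly why they are only one signal among many. The Pushdo string is a special case, since the post says it is part of the encryption routine; a string that the code needs at runtime is harder for the author to remove than a mere insult.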

Rinbot is not the only malware to include such strings; recently the TSPY_ZBOT family also started carrying messages complaining about blog articles by Avira and Microsoft. In fact, these messages have been going on for years; another, from a WORM_MYDOOM variant back in 2004, read:

    we will attack f-secure,symantec,trendmicro,mcafee , etc.
    The 11th of march is the skynet day lol .

It's always nice to get feedback on your work, even more so when it's the bad guys complaining that we are doing too good a job.



The hype over recent mass compromises has not even died down yet, and already another massive attack has been launched. Trend Micro was alerted to the emergence of another mass compromise, dubbed Nine Ball after one of the domains involved, for the same reason Gumblar was named Gumblar. This time, however, the Nine Ball domain was only one of hundreds of landing pages users could be redirected to.

As reported by Ivan Macalintal, Trend Micro Threat Research Manager, the infection starts when a user accesses a compromised site that automatically redirects him or her to several other sites. These are actually a trio of malicious domains (specific .KZ and .TW sites) that the attackers constantly use to redirect users to a malicious IP address registered in Ukraine.

The chain ends when the user's browser lands on a page containing exploits for vulnerabilities in various software, including Adobe Acrobat and Shockwave. Advanced Threat Researcher Joey Costoya also pointed out that a previously reported PoC for the Office OCX Word Viewer is among the exploits used in this attack.

    Compromised websites were injected with blocks of obfuscated script, detected as JS_DLOADR.ALP (see Figure 1):

    • hdOruVsHnKBXZuvtsRmw
    • eMCeGjolMPJFNuucZWLk
    • vIkytowORShQVZqTBFox


There can be as many as seven or eight such blocks, as in the snapshot below of a compromised site belonging to a Web hosting provider in Hong Kong. A hosting provider? Yikes!


The user is then redirected through a series of websites that check the HTTP Referer, serving the next hop only to visitors arriving from the previous one, in order to avoid detection and subsequent removal. The infection chain ends when the user is finally redirected to an exploit-laden landing page.
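Referer gating is why a researcher who requests a redirector URL directly sees nothing interesting. The following model, an added example that is not from the original post, replays such a chain with and without the Referer that a browser would send. The hop URLs are invented placeholders standing in for the compromised site, the .KZ/.TW redirectors and the landing page; `fake_server` is a constructed stand-in for the real servers, and the first hop is modelled as a plain redirect even though on a real compromised page the injected script block does that work.

```python
"""Model of a referrer-gated redirect chain and a fetcher that follows it.

Added example, not from the original post: every hostname below is an invented
placeholder and `fake_server` is a constructed stand-in for the real servers.
Pass a real HTTP fetcher as `fetch` to replay a chain you have captured.
"""

# Each hop answers with its redirect only when the Referer is the previous hop;
# anyone arriving directly (a researcher, a crawler) gets a harmless page.
CHAIN = {
    "http://compromised.example/":
        {"referer": None, "next": "http://redir1.kz.example/in.php"},
    "http://redir1.kz.example/in.php":
        {"referer": "http://compromised.example/", "next": "http://redir2.tw.example/in.php"},
    "http://redir2.tw.example/in.php":
        {"referer": "http://redir1.kz.example/in.php", "next": "http://landing.example/index.php"},
    "http://landing.example/index.php":
        {"referer": "http://redir2.tw.example/in.php", "next": None},
}

BENIGN = "<html>Under construction</html>"
LANDING = "<html>exploit-laden landing page (placeholder)</html>"


def fake_server(url, referer):
    """Constructed server: returns (status, Location-or-body) like the gated redirectors."""
    hop = CHAIN.get(url)
    if hop is None:
        return 404, ""
    if hop["referer"] is not None and referer != hop["referer"]:
        return 200, BENIGN            # wrong or missing Referer: hide the chain
    if hop["next"] is None:
        return 200, LANDING
    return 302, hop["next"]


def follow_chain(start, fetch=fake_server, send_referer=True, max_hops=10):
    """Follow 302s the way a browser does (Referer = previous URL).

    Returns (visited_urls, final_body). With send_referer=False it behaves like a
    naive scanner that requests each hop directly, which is exactly what the
    gating is designed to defeat."""
    visited, referer, url = [start], None, start
    for _ in range(max_hops):
        status, payload = fetch(url, referer if send_referer else None)
        if status != 302:
            return visited, payload
        referer, url = url, payload
        visited.append(url)
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    for flag in (True, False):
        visited, body = follow_chain("http://compromised.example/", send_referer=flag)
        print(f"send_referer={flag}: {len(visited)} hop(s), final body: {body}")
```

The practical lesson for anyone reproducing a chain from a proxy log is to replay it from the top with the recorded Referer values (and User-Agent) rather than fetching the landing page on its own; the landing page, like the redirectors, is free to serve a blank page to anyone who arrives without the expected referrer.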

The final pages in the infection chain, Costoya also reported, are part of a Web exploit toolkit called Yes Exploit System, which includes .PDF and .SWF exploits, detected as TROJ_PDFEX.J and TROJ_SWFLDR.AB respectively.


Both the .PDF and the .SWF file lead to a binary payload that looks like a new kind of information stealer, detected as TSPY_SILENTBAN.U. It installs itself as a Browser Helper Object (BHO) on the affected system and monitors Internet activity; the gathered information is then sent to a remote user via HTTP POST.

Note that as of this writing, the binary payload retrieved from the attack is this spyware. In future attacks other payloads may well be used.

Fortunately, the Trend Micro Smart Protection Network blocks all the malicious sites and detects all related malware, so protected users need not worry about being infected.

    Information on the vulnerabilities exploited in this attack can be found on the following pages:

Users are also strongly advised to keep their software up to date in order to avoid being affected by this attack.



Microsoft regularly issues updates to fix bugs and security vulnerabilities in its software products. These updates are meant to protect users from the many attacks that depend on exploiting these documented bugs.

Close to the weekend, we identified spam (Figure 1) claiming to be a Microsoft Outlook and Outlook Express critical update that "offers the highest levels of stability and security."


A tricky difference here is that all the links in the email (Contact Us, Privacy Statement, Trademarks and Terms of Use) are legitimate except one. The URL from which the "critical update" may be downloaded looks legitimate, but hovering over the hyperlink (or checking the message source) reveals a totally different destination.

For content security experts this already bears the marks of an email-based cybercriminal attack. True enough, the URL leads to the download of a file (detected as TROJ_ZBOT.BTS) which, on execution, accesses a website to download a .bin file containing information on where the Trojan can download an updated copy of itself and where to send stolen data. The file also lists the websites targeted for information theft. Our engineers confirm that the list contains several banking institutions, along with social networking sites such as Facebook and MySpace and media sites such as YouTube and Flickr. The list can be viewed here. Note that the list may be changed at any time.

How does the scam work? Whenever the user visits any of the monitored sites, the Trojan starts logging keystrokes. It saves the gathered information (which presumably includes sensitive data such as user names and passwords and credit card details) to a file and sends that file to a dedicated server via HTTP POST.
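The hover check described above, anchor text that names one site while the href points at another, is easy to automate for a mail gateway or a triage script. The following is an added example, not Trend Micro's code: it collects every link in an HTML message and flags those whose visible text shows a host on a different registered domain than the href. The message below is a constructed imitation of the spam; update.example.net stands in for the real download host, and no URL from the actual campaign is reproduced.

```python
"""Flag links in an HTML e-mail whose visible text names a site other than the
one the href actually points to, the check the post suggests doing by hovering.

Added example, not Trend Micro's code; the message below is a constructed
imitation of the spam (update.example.net stands in for the real download host).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A hostname-looking token inside the anchor's visible text, e.g. "www.microsoft.com".
_SHOWN_HOST = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); fine for .com hosts, too coarse for e.g. .co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def deceptive_links(html):
    """Return (href, text) pairs where the text shows a host on a different
    registered domain than the href. Plain-word link text ("Contact Us") is skipped."""
    parser = _Links()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname
        shown = _SHOWN_HOST.search(text)
        if not real_host or not shown:
            continue
        if registered_domain(shown.group(1)) != registered_domain(real_host):
            out.append((href, text))
    return out


# Constructed sample: three legitimate links and one whose text lies about its target.
SAMPLE_MAIL = """<html><body>
<p>Install the Outlook / Outlook Express critical update:</p>
<p><a href="http://update.example.net/install.exe">http://www.microsoft.com/downloads/KB-update.exe</a></p>
<p><a href="http://www.microsoft.com/contactus/">Contact Us</a> |
<a href="http://www.microsoft.com/privacy/">Privacy Statement</a> |
<a href="http://www.microsoft.com/">www.microsoft.com</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, text in deceptive_links(SAMPLE_MAIL):
        print(f"shows {text!r} but goes to {href}")
```

The comparison is deliberately made on the href's host, not on what the text claims, so a lookalike such as `microsoft.com.evil.example` in the href is still caught. What this does not catch is a link whose visible text is a plain phrase ("Download update"), which is why the hover check, or a gateway that rewrites and scans every URL, remains necessary.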

Earlier posts on spam posing as Microsoft updates:

      Bogus ‘MS Update’ Comes with Malicious Attachment
      Bogus Microsoft Update Delivers Nasty File Infector

The Trend Micro Smart Protection Network blocks the related spam and the malicious URL, and detects TROJ_ZBOT.BTS.

© Copyright 2011 Trend Micro Inc. All rights reserved.