Jun 25
6:23 pm (UTC-7)   |   by Jonell Baltazar (Advanced Threats Researcher)

Twitter is a very popular platform for expressing whatever is on a user’s mind, making it a favorite target of malware authors. Trend Micro has published several blog entries that discussed attacks on Twitter. Now, the creators of Koobface included a new component in the malware to target the vast number of Twitter users. They’ve come up with the latest update to the Koobface loader binary and other known Koobface components that target social networking sites like Facebook, MySpace, Hi5, Bebo, Tagged, and Netlog.

The new component posts tweets from a victim’s Twitter account, using the browser’s stored Internet-browsing cookies to log in to that account. Tweets are more likely to be posted successfully when the victim is logged on to his/her Twitter account while the ‘evil’ Koobface binary runs in the background.


Figure 1. Twitter account of an infected PC

The supposed tweets are retrieved from a Koobface C&C domain and use Tinyurl.com to shorten, and to some extent obfuscate, the URL included in the message.


Figure 2. Network stream of an affected PC

Visiting the posted URL leads to a Koobface redirector page, which opens the same old ‘fake’ YouTube page. That page hosts the Koobface loader, which poses as an Adobe Flash Player update and is also known as the infamous setup.exe.


Figure 3. Fake YouTube page that installs setup.exe
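
The chain described above (shortened link in a tweet, redirector page, then an executable download posing as a Flash Player update) can be hunted for in web proxy logs. The following is an added example, not part of the original post or any Trend Micro code; the log format, the hosts and addresses in the sample, the adobe.com allowlist and the 60-second window are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log: "timestamp client method url". Hosts are placeholders.
SAMPLE_LOG = """\
2009-06-25T18:01:10 10.0.0.5 GET http://tinyurl.com/example1
2009-06-25T18:01:11 10.0.0.5 GET http://redirector.example/go/
2009-06-25T18:01:13 10.0.0.5 GET http://video.example/youtube/
2009-06-25T18:01:20 10.0.0.5 GET http://video.example/youtube/setup.exe
2009-06-25T18:05:00 10.0.0.7 GET http://tinyurl.com/example2
2009-06-25T18:05:02 10.0.0.7 GET http://news.example/story.html
2009-06-25T18:30:00 10.0.0.9 GET http://downloads.example/tools/setup.exe
"""

SHORTENERS = {"tinyurl.com"}    # shortener named in the post
TRUSTED = ("adobe.com",)        # assumption: where a genuine Flash update comes from
WINDOW = timedelta(seconds=60)  # assumption: click-to-download time budget


def in_domain(host, domain):
    """True for the domain itself or a real subdomain (not 'evil-adobe.com')."""
    return host == domain or host.endswith("." + domain)


def find_chains(log_text):
    """Return .exe downloads that follow a shortener visit by the same client."""
    last_short = {}  # client -> (time, shortened URL) of most recent shortener hit
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        when = datetime.fromisoformat(ts)
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if any(in_domain(host, s) for s in SHORTENERS):
            last_short[client] = (when, url)
        elif parts.path.lower().endswith(".exe") and client in last_short:
            seen, short_url = last_short[client]
            trusted = any(in_domain(host, d) for d in TRUSTED)
            if when - seen <= WINDOW and not trusted:
                hits.append({"client": client, "short_url": short_url,
                             "download": url,
                             "delay_s": (when - seen).total_seconds()})
    return hits


if __name__ == "__main__":
    for hit in find_chains(SAMPLE_LOG):
        print(hit)
```

Only the first client in the sample is reported: the second followed a shortened link but downloaded nothing, and the third fetched a setup.exe without a preceding shortener visit.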

As with earlier Koobface-related attacks, however, Trend Micro product users need not worry about being infected as Smart Protection Network already blocks malicious sites and files from running on their systems. They should, however, still keep in mind that an ounce of prevention is always better than a pound of cure.

Update on June 28:

Setup.exe is now detected as WORM_KOOBFACE.DC. It has the ability to fetch information from the affected PC and to send said info to URLs via HTTP POST.

Moreover, Koobface writers immediately updated their mal-tweets, cleverly using current events related to Michael Jackson’s death. Luckily, the URL included in the message did not change and is still being blocked by Smart Protection Network.

Along with the updated tweets is an update of a Koobface binary (TROJ_KOOBFACE.AJ) targeting Facebook. This binary is already being processed. More details will be provided as analysis progresses.

© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice