Earlier today Rik Ferguson at the Countermeasures blog posted about a new malware threat that came from Twitter. The details are at his post but the short version is as follows:
Somehow, the Twitter account of noted venture capitalist and writer/columnist Guy Kawasaki was hacked into posting a malicious tweet/update (see Figure 1). It came with a link that claimed to lead to a free download of the latest Hollywood sex tape, one belonging to Leighton Meester, an actress from the TV series Gossip Girl. While the tape may be real and quite timely, the link was not: after making the user jump through a few hoops, it ends with the user being asked to download not the sex tape but malware.
If this all sounds a little familiar, it should be. It has been said that sex sells, and, in this case, it does so particularly well. In addition, because it was seen on the Twitter feed of a fairly reputable person—Guy Kawasaki—people would not necessarily think it was malicious.
Somewhat unusually, both Mac and Windows users are affected by this threat. Mac users automatically download OSX_JAHLAV.B while visiting the malicious sites. It arrives as ActiveXsetup.dmg, a disk image file containing an INSTALL.PKG file, which in turn contains the preinstall and preupgrade files, both detected as UNIX_JAHLAV.B. Executing INSTALL.PKG displays a message prompting the user to click Continue to finish installing the “software”, or rather the malware; meanwhile it connects to a certain IP address to download and execute an additional Perl script in the background. This script changes the DNS settings of the system, so users may be redirected to malicious websites when they think they are going to perfectly innocent ones.
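A defender-side check for the DNS tampering described above, added here as an example and not part of the original post or of any Trend Micro tool: it parses the output of the macOS `networksetup` command (the sample output below is constructed, and the resolver addresses are documentation-range placeholders, not JAHLAV indicators) and reports any resolver that is not on an allow-list.

```python
import ipaddress
import subprocess

# Constructed sample of `networksetup -listallnetworkservices` output.
SAMPLE_SERVICES = """An asterisk (*) denotes that a network service is disabled.
Wi-Fi
Ethernet
*Bluetooth PAN
"""
# Constructed per-service output of `networksetup -getdnsservers <service>`.
# The addresses are documentation-range placeholders, not JAHLAV indicators.
SAMPLE_DNS = {
    "Wi-Fi": "192.0.2.10\n192.0.2.11\n",
    "Ethernet": "There aren't any DNS Servers set on Ethernet.\n",
}

def parse_services(listing):
    """Return enabled service names; the legend line and '*' (disabled) entries are skipped."""
    return [ln.strip() for ln in listing.splitlines()
            if ln.strip() and not ln.startswith(("An asterisk", "*"))]

def parse_dns(output):
    """Return resolver IPs from -getdnsservers output ([] when none are set manually)."""
    servers = []
    for line in output.splitlines():
        try:
            servers.append(str(ipaddress.ip_address(line.strip())))
        except ValueError:
            continue  # "There aren't any DNS Servers set on ..." or a blank line
    return servers

def audit_dns(services, dns_by_service, allowed):
    """Map each service to the resolver IPs that are NOT on the allow-list."""
    allowed = {str(ipaddress.ip_address(a)) for a in allowed}
    findings = {}
    for svc in services:
        rogue = [ip for ip in parse_dns(dns_by_service.get(svc, "")) if ip not in allowed]
        if rogue:
            findings[svc] = rogue
    return findings

def live_audit(allowed):
    """Run the real networksetup commands (macOS only) and audit their output."""
    def run(*args):
        return subprocess.run(["networksetup", *args], capture_output=True, text=True).stdout
    services = parse_services(run("-listallnetworkservices"))
    return audit_dns(services, {s: run("-getdnsservers", s) for s in services}, allowed)
```

An empty result from `audit_dns` means every manually set resolver is on the allow-list; a service that shows up with unexpected addresses is worth comparing against what the DHCP server or your own configuration should have set.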
Windows users, on the other hand, download TROJ_JAHLAV.B. As with its OS X counterpart, this can be unknowingly downloaded by users while visiting the malicious sites. Like the former, it also displays a graphical user interface (GUI) to disguise its execution, which clicking any button triggers. It then connects to a site from which it downloads TROJ_ALUREON.AME, which exhibits malicious routines on the affected system.
Fortunately, through the Trend Micro Smart Protection Network, all malicious sites are blocked and all related malware is detected.
Users should always be careful about the sites they visit, even if the link comes from a “safe” source, lest they suffer the same fate as the proverbial curious cat.
Updates as of 24 June 2009, 9:00 PM
Mr. Kawasaki denies that his Twitter account was hacked and instead says that the page or feed he pointed to was the one hacked. He stated this in a later Twitter post.
Hacked or not, the fact still remains that malicious files are being distributed through the link in the post. Below is a screenshot of the obfuscated bash script from OSX_JAHLAV.B which contains the malicious code: