TrendLabs Malware Blog - Trend Micro
Web Reputation Services (WRS) encountered spammed malicious shortened URLs on Twitter that appear to point to a .JPEG file on a Facebook domain. The said .JPEG file is, in fact, not a picture but an executable file, already detected by Trend Micro as WORM_KOLAB.SMQX. Searching for the image file name with Twitter's search function reveals a continually updated list of users who Tweeted the same malicious link.

Clicking the link redirects through a shortened Twitter URL (http://t.co). Most of these Twitter users are from Indonesia. To lure users into clicking, the cybercriminals incorporated facebook.com into the host name of the site where the malicious file is hosted: the unwitting user is led to facebook.com.{BLOCKED}e-505.tk, a page whose frame set loads the downloadable file http://{BLOCKED}f.by/images/news/Photo-G05971.jpeg.exe. Since September 2, 2011, approximately 600 Tweets using the same link have been posted.


When an infected user posts a Tweet, it is followed by the malicious link, http://www.facebook.com.{BLOCKED}e-505.tk/Photo-G05971.jpeg, and the text “hahaha!!!” The same link is also injected into the user's re-Tweets and replies.
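As an added example (not code from the TrendLabs post), a small Python checker for the two lure tricks described above: a brand name such as facebook.com buried as a subdomain of an unrelated .tk domain, and an image file name that really ends in .exe. The sample URLs are constructed with placeholder labels in place of the {BLOCKED} parts, and TRUSTED_DOMAINS and the two-label registrable-domain rule are assumptions.

```python
from typing import List, Optional
from urllib.parse import urlparse

# Assumed: brands worth protecting; extend for your own environment.
TRUSTED_DOMAINS = {"facebook.com", "twitter.com"}
# Executable extensions that should never hide behind an image extension.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd"}
IMAGE_EXT = {"jpg", "jpeg", "png", "gif", "bmp"}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .tk/.by as in the post;
    use a public-suffix list for .co.uk-style TLDs (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(host: str) -> Optional[str]:
    """Return the trusted brand a host impersonates (facebook.com.evil.tk),
    or None when the host really belongs to a trusted domain."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return None
    dotted = "." + host + "."          # match whole labels only
    for brand in sorted(TRUSTED_DOMAINS):
        if "." + brand + "." in dotted:
            return brand
    return None


def hidden_executable(path: str) -> bool:
    """True for names like Photo-G05971.jpeg.exe: image ext, then exec ext."""
    parts = path.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in IMAGE_EXT


def assess_url(url: str) -> List[str]:
    """Return the reasons a URL resembles this campaign's lure (empty = clean)."""
    p = urlparse(url)
    reasons = []
    brand = lookalike_brand(p.hostname or "")
    if brand:
        reasons.append(f"host impersonates {brand}")
    if hidden_executable(p.path):
        reasons.append("image name ends in executable extension")
    return reasons


# Constructed samples modelled on the post's URLs; not the real indicators.
SAMPLES = [
    "http://www.facebook.com.example-505.tk/Photo-G05971.jpeg",
    "http://example-f.by/images/news/Photo-G05971.jpeg.exe",
    "https://www.facebook.com/photo.php?fbid=1",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", assess_url(u) or ["clean"])
```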


What happens after running the malicious file? Upon checking Local Settings, we found that the file creates a directory named aaa containing the following files:

• 3kal.cmd: A batch file that contains the command for executing mamatije2.exe.
• hsbca.exe: A normal, non-malicious file (Hidden Start v3.2).
• mamatije2.exe: Already detected as HKTL_BITCOINMINE.

The file mamatije2.exe is a Bitcoin miner that connects to the malicious URL http://y.{BLOCKED}ame:8332/ using the user name mrdd_ludacha and the password mama1. These login credentials no longer work; the server responds with a bad request (HTTP 400). Bitcoin is a virtual currency that can be sent over the Internet through a peer-to-peer (P2P) network, and new bitcoins are generated by running a freely available Bitcoin miner application.

Besides posting Tweets, the worm also connects to other malicious sites, which host the following malicious files:

• http://robertpattinson.{BLOCKED}ion.org/pictures/Calc-3-9-2011.jpeg: Detected by Trend Micro as HKTL_BITCOINMINE.
• http://{BLOCKED}alokab.go.id/images/news/JohnLennon-Imagine.exe: Detected as WORM_KOLAB.SMQX.

Notice that the URLs borrow the names of famous personalities such as Robert Pattinson and John Lennon.

All related URLs are already blocked and all related files are already detected as WORM_KOLAB.SMQX by the Trend Micro Smart Protection Network.

© Copyright 2013 Trend Micro Inc. All rights reserved.