Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    One recent report by Rik Ferguson said that malicious Twitter posts are getting dangerously more customized, increasing the possibility of users getting hooked into malicious schemes.

    A Twitter spambot is said to have been used in launching this recent attack. The spambot creates Twitter accounts and fashions them to appear as legitimate accounts by posting seemingly harmless posts like those sharing certain music they listen to, or websites they visit. The spambot accounts then post tweets directed to unknowing users, sharing a link to a PC repair tool they allegedly came across and used.

    As Rik Ferguson mentioned, the spambot posting tweets directed to specific users is a noteworthy social engineering technique that was clearly not seen as suspicious by Twitter admins. The spambot accounts were apparently created prior to a spam cleanup recently conducted by Twitter.

    Additionally, the spambot uses the URL shortener to mask the original URL in the posts, and for a not so good reason. The URL directs to a URL that triggers a couple of redirections that ultimately lead to the download of the file RegistryEasy.exe, which is detected as TROJ_FAKEAV.DAP. TROJ_FAKEAV.DAP comes off as an application that repairs registry problems. However, in true FAKEAV style, it merely displays false results to convince the user into purchasing the product.

    Click Click Click

    What’s also interesting is that in the root of one of the URLs the user is redirected to, an advertisement for an application dubbed as Bot Lite is posted. Bot Lite is, as the post describes, a light Twitter bot that virtually anyone can use.

    Rik confirmed that Bot Lite does function as a spambot for Twitter. Its file name is bot_lite_100.exe. Its detection name is HKTL_FAKEBOT. HTKL_ is the detection prefix used by Trend Micro for hacker-tools which are considered to be grayware. Grayware refers to applications that have annoying, undesirable, or undisclosed behavior but do not fall into any of the major threat (ie. Virus or Trojan horse) categories.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice