Scores of Twitter posts, related to World of Warcraft, Naruto, Beyonce, and Ron Paul, were discovered earlier this week, and in each case the shortened URL used in the tweets pointed to Malware or Rogue anti-Virus installations.
Account compromises on Twitter suspected in recent Malware rush.
Researcher Andrew Brandt of Webroot explained the drive-by attack, which started when another researcher looking for Ron Paul-related news, perhaps plans for a 2012 bid, discovered a clever little campaign spoiling search results using Twitter.
The researcher Brandt mentions noted that there were several tweets, coming from fake, or more likely compromised, accounts, pushing “YouTube” videos for Ron Paul, as well as Naruto, World of Warcraft, and Beyonce. Each of the links used a shortened URL from bit.ly, or in some cases TinyURL, and pointed to Stage Time Magazine. (Stage Time was a victim in this case, as were the other hijacked sites. Most have been cleaned up.)
If a user visited the links, several payloads were attempted, including older PDF Reader exploits and Flash exploits, which, if successful, delivered various types of Malware, including Rogue anti-Virus.
“Drive-by downloads such as these serve to illustrate a point I can’t emphasize enough: No matter how careful you might think you are, one wrong click can lead to an infection. In the case of this drive-by, the malicious website attempted to load first an Adobe Flash video, then a PDF file, which tricked the browser into downloading more Malware. Now more than ever, browser plug-ins like Flash and Adobe Reader need to be kept up to date. For additional protection, you can disable Javascript in Adobe Reader; in this case, it would have stopped the initial infection in its tracks,” Brandt said.
Using Twitter allowed the malicious links to spread faster, both because services such as Tweetmeme picked them up and ran them and because other Twitter users saw them.
A search on Twitter for some of the terms used in the attacks, such as "BEST NEW VIDEO" or "Stage Time Magazine", shows several malicious tweets from seemingly legit users. There are also more keywords aside from Ron Paul and Naruto, such as “Make Money Online” and mentions of Paris Hilton.
Examples:
YOUTUBE DOWNLOADS | BEST NEW VIDEO | WATCH NOW - Stage Time Magazine
YOUTUBE-BEYONCE | BEST NEW VIDEO | WATCH NOW - Stage Time Magazine
YOUTUBE TO IPOD CONVERTER | BEST NEW VIDEO | WATCH NOW - Stage Time Magazine
MAKE MONEY ONLINE WITH YOUTUBE | BEST NEW VIDEO | WATCH NOW
YOUTUBE BRITNEY SPEARS | BEST NEW VIDEO | WATCH NOW - Stage Time Magazine
“A lot of Twitter feeds posted links like these, all within a short amount of time. It’s not clear exactly how the malware distributors accomplished this, but most of the Twitter user accounts appear to have been compromised,” added Brandt.
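The two signals described above (the fixed lure phrase next to a bit.ly or TinyURL link, and many accounts posting it within a short time) can be combined into a simple feed check. This is an added example, not code from Webroot or from the article; the 10-minute window, the three-account threshold, the tweet layout (title followed by link) and all account names, times and link paths are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com"}  # shorteners named in the article
LURE = re.compile(r"\|\s*BEST NEW VIDEO\s*\|\s*WATCH NOW", re.I)  # phrase from the examples
URL = re.compile(r"https?://\S+", re.I)

def link_hosts(text):
    """Lower-cased hostnames of every URL in a tweet, without a leading 'www.'."""
    hosts = set()
    for url in URL.findall(text):
        host = (urlparse(url).hostname or "").lower()
        hosts.add(host[4:] if host.startswith("www.") else host)
    return hosts

def is_lure(text):
    """True when a tweet has both the lure phrase and a shortened link."""
    return bool(LURE.search(text)) and bool(link_hosts(text) & SHORTENERS)

def flagged_accounts(tweets, window=timedelta(minutes=10), min_accounts=3):
    """Accounts whose lure tweets fall in a window shared by min_accounts accounts."""
    hits = sorted((ts, acct) for acct, ts, text in tweets if is_lure(text))
    flagged, start = set(), 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:  # slide the window forward
            start += 1
        accounts = {acct for _, acct in hits[start:end + 1]}
        if len(accounts) >= min_accounts:
            flagged |= accounts
    return sorted(flagged)

def at(hhmm):  # constructed timestamps, all on one made-up day
    return datetime.strptime("2000-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample feed: account names, times and link paths are placeholders.
SAMPLE = [
    ("user_a", at("12:00"), "YOUTUBE-BEYONCE | BEST NEW VIDEO | WATCH NOW - Stage Time Magazine http://bit.ly/EXAMPLE1"),
    ("user_b", at("12:03"), "YOUTUBE DOWNLOADS | BEST NEW VIDEO | WATCH NOW - Stage Time Magazine http://tinyurl.com/EXAMPLE2"),
    ("user_c", at("12:07"), "MAKE MONEY ONLINE WITH YOUTUBE | BEST NEW VIDEO | WATCH NOW http://bit.ly/EXAMPLE3"),
    ("user_d", at("12:05"), "Great talk today, slides at http://bit.ly/EXAMPLE4"),  # shortener, no lure
    ("user_e", at("18:30"), "YOUTUBE BRITNEY SPEARS | BEST NEW VIDEO | WATCH NOW - Stage Time Magazine http://bit.ly/EXAMPLE5"),  # lure, but isolated
]

if __name__ == "__main__":
    print(flagged_accounts(SAMPLE))
```

A single lure tweet (user_e) or an ordinary shortened link (user_d) is not flagged on its own; only the cluster of distinct accounts is, which matches the pattern of many feeds posting within a short time.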
On one of the sites, the one that was linked to Paris’ video, they were using an old redirect trick that was previously exploitable in Google News. Google prevents the redirect, but it shows how serious some of these criminals are when it comes to infecting the masses.
“The best thing you can do to protect yourself is follow our common sense guidelines: Keep your operating system, programs, and antivirus definitions up to date; Disable Javascript in Adobe Reader and in your browser (the NoScript add-on to Firefox makes this easy),” Brandt concluded.
The Webroot post is here, which contains images and more examples.