Twitter worm hits goo.gl, redirects to fake anti-virus

Summary: A fast-moving Twitter worm is in circulation, using Google's goo.gl redirection service to push unsuspecting users to a notorious scareware (fake anti-virus) malware campaign.

At 8:45 a.m. EST today, a Twitter search for the worm's messages showed thousands of tweets still spreading it.

According to malware hunters tracking the threat, the worm's redirection chain pushes users to a Web page serving up the "Security Shield" Rogue AV. The page hides its code behind several obfuscation techniques, including an implementation of RSA cryptography in JavaScript.

Kaspersky Lab malware researcher Nicolas Brulez (see important disclosure) said the original goo.gl links in the Twitter messages redirect users to several different domains, each serving an "m28sx.html" page. That page then redirects to a static domain under the Ukrainian top-level domain.

As if that were not enough, that domain redirects the user to yet another IP address, one that has been linked in the past to fake anti-virus distribution. "This IP address will then do the final redirection job, which leads to the actual Fake AV site," Brulez explained.

Once a user's browser session lands on the malicious site, a warning message claims the computer is running suspicious applications and urges the user to run a scan. As usual, the bogus scan reports the machine as infected with malicious threats, and the scam is to trick the user into downloading a fake disinfection tool.
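The redirect chain described above (shortener, then an m28sx.html page, then a static domain, then a bare IP, then the fake AV page) is something a defender can reconstruct from web proxy logs. The following is an added example, not code from the article or from Kaspersky: it follows referer links per client starting at a URL shortener hit and flags chains that show the worm's pattern. The log format, the shortener list and every hostname are constructed assumptions (.example placeholders stand in for the real hops, including the Ukrainian-TLD domain, and 203.0.113.10 is a documentation-range address).

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log excerpt (not from the article): time client url referer status.
# Hosts are .example placeholders; 203.0.113.10 is a documentation-range address.
SAMPLE_LOG = """\
2011-01-20T08:45:01 10.0.0.5 http://goo.gl/Ab12Cd - 301
2011-01-20T08:45:02 10.0.0.5 http://hop-one.example/m28sx.html http://goo.gl/Ab12Cd 302
2011-01-20T08:45:03 10.0.0.5 http://static-hop.example/ http://hop-one.example/m28sx.html 302
2011-01-20T08:45:04 10.0.0.5 http://203.0.113.10/in.php http://static-hop.example/ 302
2011-01-20T08:45:05 10.0.0.5 http://scan-now.example/index.php http://203.0.113.10/in.php 200
2011-01-20T08:46:00 10.0.0.7 http://goo.gl/Zz99Yy - 301
2011-01-20T08:46:01 10.0.0.7 http://news.example/story http://goo.gl/Zz99Yy 200
"""
SHORTENERS = {"goo.gl", "bit.ly", "t.co"}  # assumption: shorteners treated as chain starts

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def chains_from_shorteners(text):
    """Start a chain at every direct shortener hit and follow referer links forward."""
    nxt = defaultdict(dict)  # client -> {referer url: url fetched next}
    starts = []
    for line in text.splitlines():
        _ts, client, url, referer, _status = line.split()
        if referer != "-":
            nxt[client][referer] = url
        elif urlparse(url).hostname in SHORTENERS:
            starts.append((client, url))
    chains = []
    for client, url in starts:
        chain = [url]
        while chain[-1] in nxt[client] and len(chain) < 20:  # cap guards against loops
            chain.append(nxt[client][chain[-1]])
        chains.append((client, chain))
    return chains

def assess_chain(chain):
    """Reasons the chain matches the worm's pattern; an empty list means nothing notable."""
    reasons = []
    if any(urlparse(u).path.endswith("/m28sx.html") for u in chain):
        reasons.append("passes through an m28sx.html landing page")
    if any(is_ip_literal(urlparse(u).hostname or "") for u in chain):
        reasons.append("hops to a bare IP address")
    return reasons
```

Running `assess_chain` over each chain from `chains_from_shorteners(SAMPLE_LOG)` flags only client 10.0.0.5, whose five-hop chain matches both indicators; the second client's single redirect to a news site comes back clean.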

Topics: Social Enterprise, Security

Talkback

51 comments
  • all a twitter

    Why didn't you just tweet this?
    cwallen19803@...
  • Message has been deleted.

    james347
    • RE: Twitter worm hits goo.gl, redirects to fake anti-virus

      @james347 If you look at the US Cyber Security website, you will see that Linux and Mac OS are more affected by these kinds of attacks than Windows boxes are.
      Like this one
      http://blogs.computerworld.com/mac_os_x_vulnerable_to_new_trojans
      rparker009
      • RE: Twitter worm hits goo.gl, redirects to fake anti-virus

        @rparker009 Can you give Linux-specific links? All I found is Mac OS and no Linux.
        ankitsingh
      • RE: Twitter worm hits goo.gl, redirects to fake anti-virus

        @rparker009 Anything that can affect Mac OS could very likely affect Linux, too.
        fairportfan
      • RE: Twitter worm hits goo.gl, redirects to fake anti-virus

        @rparker009

        No they're not.

        Since the vast majority of trojans are geared towards Windows, even if there was an even split between Mac and Windows users who choose to download these things, more Windows users would be affected.

        Happy to clear that up for you.
        windypops
      • RE: Twitter worm hits goo.gl, redirects to fake anti-virus

        "Anything that can affect Mac OS could very likely affect Linux, too."

        @fairportfan - but you have no proof of this, so your statement is nothing but greenish brown FUD.
        ahh so
    • RE: Twitter worm hits goo.gl, redirects to fake anti-virus

      @james347 No argument with that. On the other hand, Google has long seemed fairly oblivious to spammers and scammers using their free services, making it far more difficult than it should be to report their activities in such a way as to lead to their investigation. The same goes for all the numerous free URL shortening/redirection services - or as I prefer to call them, "misdirection" services. These types of services are ultimately of far more harm than good IMO and I'd be glad to see them all disappear.
      spectre0
    • You must still be using XP

      @james347

      In that case, you should hop onto Vista or 7 and see how much better security has come in the 10 years since XP was released. ;)
      The one and only, Cylon Centurion
      • RE: Twitter worm hits goo.gl, redirects to fake anti-virus

        @Cylon Centurion 0005
        Windows Vista and 7 are vulnerable to this very same attack. I've had to clean both OSes from this. Fortunately it is easier to recover from with both Vista and 7, but they both get hit by it just as easily as XP did.
        rdawson@...
      • That would take an independent thought

        @Cylon Centurion 0005, and james347 only does what he is instructed to do, and nothing more.
        John Zern
      • Sounds like james347 is a free thinker

        Not ruled by the proprietary tools of Redmond.
        ahh so
      • RE: Twitter worm hits goo.gl, redirects to fake anti-virus

        @Cylon Centurion 0005

        Has it? Or is that the opinion of MSFT and their fanboys? I don't recall any genuine and genuinely objective security experts going public with a statement to the effect that Vista or 7 has "much better security".

        Your statement is also suspicious for another reason: you say "in the 10 years since XP". Well, guess what: XP's security has got a lot better over these 10 years too.
        mejohnsn
    • RE: Twitter worm hits goo.gl, redirects to fake anti-virus

      @james347 James, if there was no Microsoft OS in the world, do you think that would stop the people who make all this malicious stuff? The BIG ANSWER IS NO. Apple OS is also infected with viruses and everything. If not, why do companies like Symantec, Kaspersky and McAfee make their programs for both MS OS and MAC??? If people would keep their computers updated and use a little common sense, which few people have on the internet, they would not have as many problems. The next thing: people believe too much what is said on the internet. They think it is gospel truth. All these people who use Facebook, Myspace, Twitter and all this don't know that what they say on these social networking sites can keep them from ever getting a job, even after they are told.
      wcosales@...
      • RE: Twitter worm hits goo.gl, redirects to fake anti-virus

        @wcosales@...

        Yeah, because when I'm surfing the web I always put my administrator password in when a pop up asking whether I want to install xyz software pops up.

        That's the only way OSX can get a "virus" which then isn't a "virus" as it's not self replicating, requiring user intervention to be installed.

        There are no OSX viruses.
        alsobannedfromzdnet
    • re: Thanks MS...

      @james347 The last malware I picked up was a couple weeks ago when I plugged a flash drive into a Mac 10.6. LOL. Happily, my MS Security Essentials caught it and squashed it when I brought it back to my PC. The virus is still in the Mac, of course, because the owner doesn't believe that Macs can be infected.
      XXP
      • RE: Twitter worm hits goo.gl, redirects to fake anti-virus

        @XXP The "virus" is on the stick, if it's an .exe file it won't run on a Mac.

        Nice try but a total fail nonetheless.
        alsobannedfromzdnet
    • Thanks james347

      there I said it, everyone was already thinking it, I had the guts to place blame where it belongs. If not for james347's idiotic posts, there would be no trolls and no fake-users.
      John Zern
      • We know the truth hurts, @John Zern

        Care for a tissue?

        ;)
        ahh so
      • ahh so, how many screen names do you

        post under?
        Interesting that when particular users are "chastised", you appear.

        As I said, Interesting.
        Tim Cook