Twitter worm hits goo.gl, redirects to fake anti-virus

A fast-moving Twitter worm is in circulation, using Google's goo.gl redirection service to push unsuspecting users to a notorious scareware (fake anti-virus) malware campaign.

At 8:45 a.m EST today, this Twitter search shows thousands of Twitter messages continuing to spread the worm.

According to malware hunters tracking the threat, the worm's redirection chain pushes users to a Web page serving up the “Security Shield” Rogue AV.   The page is using obfuscation techniques that include an implementation of RSA cryptography in JavaScript to obfuscate the page code.

Kaspersky Lab malware researcher Nicolas Brulez (see important disclosure) said the original "goo.gl" links in the Twitter messages are redirecting users to different domains with a “m28sx.html” page.  That page then redirects to a static domain with a Ukrainian top level address.

As if it was not enough, this domain redirects the user to another IP address which has been linked in the past to fake anti-virus distributions.  "This IP address will then do the final redirection job, which leads to the actual Fake AV site," Brulez explained.

Once a user's browser session is redirected to the malicious site, a warning message claims the computer is running suspicious applications and the user is encouraged to run a scan.  As usual, the result is that the machine is infected with malicious threats and the scam is to trick the user into downloading a fake disinfection tool.