
Zero Day

Ryan Naraine and Dancho Danchev

Twitter worm hits goo.gl, redirects to fake anti-virus

By Ryan Naraine and Dancho Danchev | January 20, 2011, 5:55am PST

Summary: A fast-moving Twitter worm is in circulation, using Google’s goo.gl redirection service to push unsuspecting users to a notorious scareware (fake anti-virus) malware campaign.


At 8:45 a.m. EST today, a Twitter search for the worm's messages still showed thousands of tweets spreading it.

According to malware hunters tracking the threat, the worm’s redirection chain pushes users to a Web page serving up the “Security Shield” rogue anti-virus. The page hides its code behind obfuscation techniques, including an implementation of RSA cryptography in JavaScript.

Kaspersky Lab malware researcher Nicolas Brulez (see important disclosure) said the original goo.gl links in the Twitter messages redirect users to a variety of domains, each serving an “m28sx.html” page. That page in turn redirects to a static domain under the Ukrainian top-level domain (.ua).

As if that were not enough, this domain redirects the user to another IP address that has been linked in the past to fake anti-virus distribution. “This IP address will then do the final redirection job, which leads to the actual Fake AV site,” Brulez explained.

Once a user’s browser session lands on the malicious site, a warning message claims the computer is running suspicious applications and urges the user to run a scan. As usual, the bogus scan “finds” malicious threats, and the scam is to frighten the user into downloading a fake disinfection tool.
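The chain Brulez describes (goo.gl link, a domain serving m28sx.html, a static .ua domain, a bare IP, then the Fake AV site) is exactly the kind of thing an analyst wants to walk one hop at a time rather than in a browser. The following tracer is an added example, not code from the original post or from Kaspersky Lab: it resolves one HTTP redirect per step (3xx Location headers and meta refresh), tags each hop with the indicators named in the article, caps the hop count and detects loops. The hostnames in the constructed sample chain are placeholders; the goo.gl slug is made up. Because it never runs JavaScript, a script-driven hop (and the page's JavaScript obfuscation is a hint that there may be one) simply ends the trace, which is itself useful information.

```python
import ipaddress
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10

# Indicators taken from the article's description of the chain.
SHORTENER_HOSTS = {"goo.gl"}
LANDING_PAGE_RE = re.compile(r"/m28sx\.html$", re.IGNORECASE)
# Minimal matcher for <meta http-equiv="refresh" content="0;url=...">.
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)


def is_ip_host(host: str) -> bool:
    """True when the URL host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def classify_hop(url: str) -> List[str]:
    """Tag one URL with the indicators seen in the article's chain."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    tags = []
    if host in SHORTENER_HOSTS:
        tags.append("shortener")       # goo.gl entry point
    if LANDING_PAGE_RE.search(parsed.path):
        tags.append("m28sx-landing")   # first-stage page name
    if host.endswith(".ua"):
        tags.append("ua-tld")          # static Ukrainian domain
    if is_ip_host(host):
        tags.append("raw-ip")          # the IP hop before the Fake AV site
    return tags


# A fetcher takes a URL and returns the raw next-hop value, or None at the end.
Fetcher = Callable[[str], Optional[str]]


def http_fetcher(url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch one hop with automatic redirects disabled (no JavaScript)."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError for every 3xx

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(64 * 1024).decode("utf-8", "replace")
            match = META_REFRESH_RE.search(body)
            return match.group(1) if match else None
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        return None


def trace(url: str, fetch: Fetcher = http_fetcher, max_hops: int = MAX_HOPS) -> Dict:
    """Follow the chain from `url`, recording every hop and its tags."""
    chain = [url]
    seen = {url}
    status = "terminal"          # ended at a page that redirects no further
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            break
        nxt = urljoin(chain[-1], nxt.strip())   # Location may be relative
        if nxt in seen:
            status = "loop"
            break
        chain.append(nxt)
        seen.add(nxt)
    else:
        status = "max-hops"      # refuse to chase an unbounded chain
    hops = [{"url": u, "tags": classify_hop(u)} for u in chain]
    found = {t for h in hops for t in h["tags"]}
    return {"hops": hops, "status": status,
            "suspicious": bool(found & {"m28sx-landing", "ua-tld", "raw-ip"})}


# Constructed stand-in for the chain the article describes (placeholder hosts).
CONSTRUCTED_CHAIN = {
    "http://goo.gl/XXXXXX": "http://first-hop.invalid/m28sx.html",
    "http://first-hop.invalid/m28sx.html": "http://static-hop-placeholder.ua/",
    "http://static-hop-placeholder.ua/": "http://192.0.2.10/in.php",
    "http://192.0.2.10/in.php": "http://fake-av.invalid/scan.php",
}


def offline_fetcher(url: str) -> Optional[str]:
    """Replays the constructed chain instead of touching the network."""
    return CONSTRUCTED_CHAIN.get(url)


if __name__ == "__main__":
    result = trace("http://goo.gl/XXXXXX", offline_fetcher)
    for i, hop in enumerate(result["hops"]):
        print(f"{i}: {hop['url']}  {hop['tags']}")
    print(result["status"], "suspicious" if result["suspicious"] else "clean")
```

Against a live link you would call `trace(short_url)` with the default `http_fetcher`, ideally from an isolated host and behind a logging proxy, since even a HEAD-less GET of each hop is a request to attacker infrastructure. The indicator tags are deliberately narrow (the exact page name and hop pattern from this campaign); a loop or max-hops status, or a trace that stops dead at a page with heavy inline JavaScript, is the cue to move to a sandboxed browser.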


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback (most recent of 51)

  • all a twitter
    Why didn't you just tweet this?
    ZDNet Gravatar
    cwallen19803@...
    20th Jan 2011
  • ZDNet Gravatar
    james347
    24th Jun
  • RE: Twitter worm hits goo.gl, redirects to fake anti-virus
    @james347
    If you look at the US Cyber Security website, you will see that Linux and Mac OS are more affected by these kinds of attacks than Windows boxes are.
    Like this one
    http://blogs.computerworld.com/mac_os_x_vulnerable_to_new_trojans
    ZDNet Gravatar
    rparker009
    20th Jan 2011
  • RE: Twitter worm hits goo.gl, redirects to fake anti-virus
    @rparker009
    Can you give Linux-specific links? All I found is Mac OS and no Linux.
    ZDNet Gravatar
    ankitsingh
    20th Jan 2011
  • RE: Twitter worm hits goo.gl, redirects to fake anti-virus
    @rparker009 Anything that can affect Mac OS could very likely affect Linux, too.
    ZDNet Gravatar
    fairportfan
    20th Jan 2011
  • RE: Twitter worm hits goo.gl, redirects to fake anti-virus
    @rparker009

    No they're not.

    Since the vast majority of trojans are geared towards Windows, even if there was an even split between Mac and Windows users who choose to download these things, more Windows users would be affected.

    Happy to clear that up for you.
    ZDNet Gravatar
    windypops
    20th Jan 2011
  • RE: Twitter worm hits goo.gl, redirects to fake anti-virus
    Anything that can affect Mac OS could very likely affect Linux, too.

    @fairportfan - but you have no proof of this, so your statement is nothing but greenish brown FUD.
    ZDNet Gravatar
    ahh so
    20th Jan 2011
  • RE: Twitter worm hits goo.gl, redirects to fake anti-virus
    @james347
    No argument with that. On the other hand, Google has long seemed fairly oblivious to spammers and scammers using their free services, making it far more difficult than it should be to report their activities in such a way as to lead to their investigation. The same goes for all the numerous free URL shortening/redirection services - or as I prefer to call them, "misdirection" services. These types of services are ultimately of far more harm than good IMO and I'd be glad to see them all disappear.
    ZDNet Gravatar
    spectre0
    20th Jan 2011
  • You must still be using XP
    @james347

    In that case, you should hop onto Vista or 7 and see how much better security has come in the 10 years since XP was released. wink
    ZDNet Gravatar
    Cylon Centurion
    20th Jan 2011
  • RE: Twitter worm hits goo.gl, redirects to fake anti-virus
    @Cylon Centurion 0005
    Windows Vista and 7 are vulnerable to this very same attack. I've had to clean both OSes of this. Fortunately it is easier to recover from with both Vista and 7, but they both get hit by it just as easily as XP did.
    ZDNet Gravatar
    rdawson@...
    20th Jan 2011
  • That would take an independent thought
    @Cylon Centurion 0005, and james347 only does what he is instructed to do, and nothing more.
    ZDNet Gravatar
    John Zern
    20th Jan 2011
  • Sounds like james347 is a free thinker
    Not ruled by the proprietary tools of Redmond.
    ZDNet Gravatar
    ahh so
    20th Jan 2011
  • RE: Twitter worm hits goo.gl, redirects to fake anti-virus
    @Cylon Centurion 0005

    Has it? Or is that the opinion of MSFT and their fanboys? I don't recall any genuine and genuinely objective security experts going public with a statement to the effect that Vista or 7 has "much better security".

    Your statement is also suspicious for another reason: you say "in the 10 years since XP". Well, guess what: XP's security has got a lot better over these 10 years too.
    ZDNet Gravatar
    mejohnsn
    21st Jan 2011
  • RE: Twitter worm hits goo.gl, redirects to fake anti-virus
    @james347 James, if there was no Microsoft OS in the world, do you think that would stop the people who make all this malicious stuff? The BIG ANSWER IS NO. Apple OS is also infected with viruses and everything. If not, why do companies like Symantec, Kaspersky and McAfee make their programs for both MS OS and MAC??? If people would keep their computers updated and use a little common sense, which few people have on the internet, they would not have as many problems. The next thing: people believe too much of what is said on the internet. They think it is gospel truth. All these people who use Facebook, Myspace, Twitter and all this don't know that what they say on these social networking sites can keep them from ever getting a job, even after they are told.
    ZDNet Gravatar
    wcosales@...
    20th Jan 2011
  • RE: Twitter worm hits goo.gl, redirects to fake anti-virus
    @wcosales@...

    Yeah, because when I'm surfing the web I always put my administrator password in when a pop up asking whether I want to install xyz software pops up.

    That's the only way OSX can get a "virus" which then isn't a "virus" as it's not self replicating, requiring user intervention to be installed.

    There are no OSX viruses.
    ZDNet Gravatar
    alsobannedfromzdnet
    20th Jan 2011
