Thursday, January 20, 2011

Twitter worm spreading virally

Since today a Twitter worm named "m28sx" has been spreading virally. Tweets from people and bots that contain links ending in m28sx.html, or that consist of nothing but a URL, are common on the social network platform today.

At the time of writing this threat still persists, although Google has already disabled many of the URLs. (The URLs used in this attack are mainly t.co and goo.gl shortened links.)


The link goes through several redirects, starting at:

to

and eventually landing on

The landing page presents you with a message claiming that you are infected:

Immediately afterwards you are shown the well-known fake scan page:


Trending search terms on Twitter abused by the worm as bait also include:
50th anniversary of JFK's inauguration
John F. Kennedy inaugural address
Love the new homepage

Check out these search results for m28sx on Twitter (be careful with the links on these pages, some of them might still be active!):
https://twitter.com/#!/search/links/m28sx.html or
https://search.twitter.com/search?q=m28sx.html

Dropped files:

pack.exe
Result: 3/43 (7.0 %)
MD5: bae499fc5844d814f942e870900c9d57

pack(2).exe
Result: 3/43 (7.0 %)
MD5: 921b903e2ff6ae23833301aa2961be95
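The three analysis steps above (spotting the tweet pattern, following the shortener redirect chain, and checking a sample against the listed hashes) can be scripted. The following is an added example, not code from the original post: the tweet signals and the two MD5s come from the post, while the shortener paths, the intermediate host `redirector.example` and the `FAKE_CHAIN` mapping are constructed stand-ins so the script runs offline. The chain is walked with HEAD requests only and never fetches the landing page body, so the fake-scan page's script is never loaded.

```python
import hashlib
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Signals taken from the post: links ending in m28sx.html, tweets that are
# nothing but a URL, and the t.co / goo.gl shorteners hiding the destination.
URL_RE = re.compile(r"https?://\S+")
SHORTENERS = {"t.co", "goo.gl"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

# MD5s of the two dropped files listed in the post.
KNOWN_MD5 = {
    "bae499fc5844d814f942e870900c9d57": "pack.exe",
    "921b903e2ff6ae23833301aa2961be95": "pack(2).exe",
}


def triage_tweet(text):
    """Return the reasons (possibly none) a tweet matches the worm's pattern."""
    urls = URL_RE.findall(text)
    reasons = []
    for u in urls:
        if urlparse(u).path.lower().endswith("m28sx.html"):
            reasons.append("url ends with m28sx.html: " + u)
    if len(urls) == 1 and text.strip() == urls[0]:
        reasons.append("tweet consists only of a URL")
    return reasons


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(url, timeout=5):
    """One HEAD request; returns (status, Location) without following it.
    Only headers are fetched, so the landing page's script never runs."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def resolve_chain(url, head=live_head, max_hops=10):
    """Walk a redirect chain hop by hop and return every URL visited.

    `head` is any callable url -> (status, location); the default does live
    HEAD requests. Stops at a non-redirect, a missing Location, a loop, or
    max_hops, so a misbehaving server cannot keep us redirecting forever."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(chain[-1], location)
        if nxt in seen:  # redirect loop
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain


def shortener_hops(chain):
    """Count how many hops in the chain sit on a known URL shortener."""
    return sum(1 for u in chain if urlparse(u).netloc.lower() in SHORTENERS)


def match_sample(data):
    """Return the post's filename if the MD5 of `data` matches a dropped file."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())


# Constructed stand-in for the redirect chain described in the post: the
# shortener paths and the intermediate host are made up for this example.
FAKE_CHAIN = {
    "http://t.co/abc123": (301, "http://goo.gl/xyz789"),
    "http://goo.gl/xyz789": (301, "http://redirector.example/m28sx.html"),
    "http://redirector.example/m28sx.html": (302, "/scan/"),
    "http://redirector.example/scan/": (200, None),
}


def fake_head(url):
    """Offline replacement for live_head backed by FAKE_CHAIN."""
    return FAKE_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    for tweet in ("http://t.co/abc123", "Love the new homepage http://t.co/abc123"):
        print(repr(tweet), "->", triage_tweet(tweet) or "no signal")
    chain = resolve_chain("http://t.co/abc123", head=fake_head)
    print(" -> ".join(chain), f"({shortener_hops(chain)} shortener hops)")
    print("sample match:", match_sample(b"constructed, not a real sample"))
```

To run it against real shortened links, call `resolve_chain(url)` with the default `live_head`; the hop limit and loop check matter there because an attacker-controlled redirector can loop indefinitely, and HEAD-only fetching keeps the fake scanner's JavaScript out of your analysis machine.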

The payload is a rogueware called 'Security Shield'.

When executing either of the dropped files:

A warning that Security Shield was installed successfully.



Security Shield rogueware finding (non-existent) infections.



Conclusion

Pretty straightforward: do not click on any of the links! (You might also want to use a third-party application to browse Twitter, such as Echofon or Twhirl.)

Always be careful when clicking on a URL that you do not recognize, or that is shortened so you cannot see the real destination.

If you do happen to land on one of these rogueware pages presenting you with a fake scan of your disks, open Task Manager and end your browser's process.

3 comments:

  1. What was the FakeAV? Was it Security Shield or something else?
    All the goo.gl links seem to have been disabled, and the website appears to be shut down. Do let me know if you managed to get a sample of the installer.

  2. Hi sunilkjoseph, I have fully updated my post. The Fake AV loaded was indeed Security Shield.

  3. Thanks.. I already have the installer for that.
