New Twitter worm sends users to virus-ridden websites

21 Jan 2011

Users should beware of a new worm on Twitter that posts links on Twitter users’ accounts that redirects them to a fake anti-virus website.

Kaspersky Lab warns users about a new, fast-moving Twitter worm which exploits Google’s service of truncated links.

The truncated URLs are lightweight and popularly used in microblogging systems, limiting the length of messages for users of services such as Twitter.

However, shortened links can seriously threaten computer security, because the text of a truncated URL is relatively obscure and a user does not know what it contains prior to ending up on an infected site. Hackers are managing to successfully lure the unwary into using their malicious truncated links.

Worm redirection chain

A recently discovered Twitter worm’s redirection chain pushes users to a webpage that delivers a rogue AV called ’Security Shield’.

After several redirections, a user is transferred to the page related to the rogue AV distributive. The page uses obfuscation code techniques that include an implementation of RSA cryptography in JavaScript. Kaspersky Lab experts have found thousands of Twitter messages continuing to spread the worm.

Kaspersky Lab malware researcher Nicolas Brulez discovered that once you are on this website, you will receive a warning that your machine is running suspicious applications.

“The warning invites users to remove all the threats from their computer, and download the ‘Security Shield’ rogue AV application. As usual, the result of downloading the program is that the user’s machine is infected with malicious programs,” Brulez said.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years