
SANS ISC: Possible new Twitter worm - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Possible new Twitter worm

It looks like there is a new Twitter worm out there. An increasing number of messages like the following are appearing:

[Image: scam tweet]

Those short URLs point to the servers hosting the malware. The following are some of the malicious URLs I could gather (CAREFUL: THEY ARE STILL ACTIVE):


After clicking the URL, you are sent to a fake AV web page:

The downloaded malware is named pack.exe (MD5 264ebccca76bdb89f4ae9519c4cd267e, SHA1 d16573ce7ce7710865b34bc1abeef699c20549ed). As of January 20 2011 16:19:58 UTC, 2 of 43 AV engines on VirusTotal detect it, as SecurityShieldFraud.

When the malware infects the machine, it copies itself to C:\Documents and Settings\<your username>\Local Settings\Application Data\mbcjmhny.exe, ensures that cmd.exe exists, kills the original malware process, deletes the downloaded file and starts itself again from the location it copied itself to, using the following command:

"C:\WINDOWS\system32\cmd.exe" /c taskkill /f /pid 1576 & ping -n 3 127.1 & del /f /q "C:\pack.exe" & start C:\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\mbcjmhny.exe -f

We will keep analyzing the malware and post an update with more information.

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

Manuel Humberto Santander Peláez

185 Posts
ISC Handler
I did some investigation and found some useful info for possibly detecting a post-compromise. After being installed, the fake AV makes the following requests:

GET /cb_soft.php?q=***&uu=0
Host: 91.193.195.19

GET /buy.php?q=***
Host: 194.28.113.25

GET /js/jquery=1.3.2.js
Host: 194.28.113.25
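A detection pass over proxy logs for the requests listed above, added here as an example (it is not code from the diary or its comments); the single-line log layout, the benign lines and the client addresses are constructed assumptions, and because the q= value is redacted in the comment the rules key on host and path only:

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the comment above; the q= value was redacted there, so rules key on host and path only.
C2_HOSTS = {"91.193.195.19", "194.28.113.25"}
PATH_RULES = {
    "securityshield_checkin": re.compile(r"^/cb_soft\.php$"),
    "securityshield_buy": re.compile(r"^/buy\.php$"),
    # the rogue AV fetches "jquery=1.3.2.js"; genuine jQuery builds are named "jquery-1.3.2.js"
    "securityshield_fake_jquery": re.compile(r"^/js/jquery=[\d.]+\.js$"),
    "twitter_worm_landing": re.compile(r"^/m28sx\.html$"),
}
# Assumed proxy log layout (constructed for this example): "<timestamp> <client-ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

def classify(url):
    """Return the names of every rule the URL matches (empty list if none)."""
    parts = urlsplit(url)
    hits = [name for name, rx in PATH_RULES.items() if rx.match(parts.path)]
    if parts.hostname in C2_HOSTS:
        hits.append("securityshield_c2_host")  # any other path to these hosts is still suspicious
    return hits

def scan(lines):
    """Return (client-ip, rule, url) for every matching request; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings.extend((m["src"], rule, m["url"]) for rule in classify(m["url"]))
    return findings

def compromised_clients(lines):
    """Clients that talked to the rogue AV infrastructure, not merely those that hit the lure page."""
    return sorted({src for src, rule, _ in scan(lines) if rule.startswith("securityshield_")})

# Constructed sample traffic, not taken from the diary.
SAMPLE_LOG = """\
2011-01-20T16:20:01Z 10.0.0.5 GET http://91.193.195.19/cb_soft.php?q=abc123&uu=0
2011-01-20T16:20:03Z 10.0.0.5 GET http://194.28.113.25/buy.php?q=abc123
2011-01-20T16:20:04Z 10.0.0.5 GET http://194.28.113.25/js/jquery=1.3.2.js
2011-01-20T16:21:10Z 10.0.0.7 GET http://cdn.example.test/js/jquery-1.3.2.js
2011-01-20T16:22:00Z 10.0.0.9 GET http://lure.example.test/m28sx.html
not a log line""".splitlines()

if __name__ == "__main__":
    for src, rule, url in scan(SAMPLE_LOG):
        print(f"{src} {rule} {url}")
    print("compromised:", compromised_clients(SAMPLE_LOG))
```

A client that only fetched m28sx.html saw the lure but is not reported as compromised; only the check-in, purchase page, fake jQuery fetch or any other request to the two IPs counts.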
Anonymous
... a bit late:
- http://www.pcworld.com/article/217308/twitter_targeted_with_fake_antivirus_software_scam.html
Jan 21, 2011 "... Del Harvey, head of Twitter's Trust and Safety Team, wrote on her Twitter account that 'we're working to remove the malware links and reset passwords on compromised accounts.' 'Did you follow a goo.gl link that led to a page telling you to install 'Security Shield' Rogue AV?' she wrote. 'That's malware. Don't install'..."
Jack

160 Posts