Twitter and MSN: Driving Malcode Distribution
by Jose Nazario

We recently came across a bot that merged MSN Messenger link spam with Twitter to get users to download malcode. Twitter malcode is nothing new, but this one adds a twist for those who monitor IM link spam bots: you have to do an extra level or two of link analysis to figure out where the spammed link actually leads.
Once activated, the malcode fetches a file “/config.txt” from a server in Brazil which yields a configuration file for the malcode:
[GERAL]
modulo=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBtTpOsvqPdWkQd1d
ne=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBsrpRcKkQd1d
plugin=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBt1oRsDbStCkQd1d
autork=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBsrpSsXbR6mkQd1d
automsn=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBsrpRNDkBcfmPm
mensagemorkut=Oi, vc sumil o que foi?hoje escutei a musica da cantora internacional Colbie Caillat em um blog e lembrei de vc o nome da musica é Bubbly se quizer escutar to deixando o endereço do blog ( twitter.com/ColbieCaillat/statuses/894897063 ) Tudo de bom saudades e se cuida.
AssuntoHotmail=ta ai as fotos da festa tinha esquecido.
MensagemHotmail=Q7HqS3elBtTtTovsQMHXRczsOMrXQMmkQsbqBcvbT2zjSsTeRtGkQ7HjR0
AutenticacaoHotmail=Q7HqS3elBtTtTovsQMHXRczsOMrXQMmkQsbqBcvbT2zpRNHmBdHuT0
idmaquina=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBsbaRM5nCp8kQd1d
php=Q7HqS3elBtTtTovhR68mCIvkPNGuD2vkPNGlQMvaPNWkS6Xm
That message loosely translates to:
Hi, you sumil what? Today heard the music of singer international Colbie Caillat
on a blog and you remembered the name of the song Bubbly is if you want to hear the address of leaving
blog (twitter.com/ColbieCaillat/statuses/894897063) All the best and miss it handles.
That Twitter profile has one message that reads (translated): "Clik on the link below w / listen but the new success of the music singer Colbie Caillat Bubbly." That link, however, is the malcode itself. Users who think they’re getting the next big song from the band actually get malcode.
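Reading a configuration like the one above by hand means scanning past the opaque fields to find the one readable value that carries a link. The following is an added example written for this post, not code from the original or from the bot: it parses the [GERAL] block (the sample is the block quoted above, one key=value per line), labels values that look like encoded blobs with a simple length/character heuristic (the post does not say how those fields are encoded, so the heuristic only marks them as opaque), and pulls any URL and its host out of the readable message fields so an analyst can follow the link chain or check the host against proxy and DNS logs.

```python
import re
from typing import Dict, List

# Constructed sample: the [GERAL] block quoted in the post, one key=value per
# line as the bot's /config.txt delivers it (values copied from the post).
SAMPLE_CONFIG = """[GERAL]
modulo=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBtTpOsvqPdWkQd1d
ne=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBsrpRcKkQd1d
plugin=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBt1oRsDbStCkQd1d
autork=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBsrpSsXbR6mkQd1d
automsn=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBsrpRNDkBcfmPm
mensagemorkut=Oi, vc sumil o que foi?hoje escutei a musica da cantora internacional Colbie Caillat em um blog e lembrei de vc o nome da musica é Bubbly se quizer escutar to deixando o endereço do blog ( twitter.com/ColbieCaillat/statuses/894897063 ) Tudo de bom saudades e se cuida.
AssuntoHotmail=ta ai as fotos da festa tinha esquecido.
MensagemHotmail=Q7HqS3elBtTtTovsQMHXRczsOMrXQMmkQsbqBcvbT2zjSsTeRtGkQ7HjR0
AutenticacaoHotmail=Q7HqS3elBtTtTovsQMHXRczsOMrXQMmkQsbqBcvbT2zpRNHmBdHuT0
idmaquina=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBsbaRM5nCp8kQd1d
php=Q7HqS3elBtTtTovhR68mCIvkPNGuD2vkPNGlQMvaPNWkS6Xm
"""

# Bare or schemed URLs such as twitter.com/ColbieCaillat/statuses/894897063;
# the path stops at whitespace or a closing parenthesis.
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/[^\s)]*)?", re.IGNORECASE)


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: [section] headers and key=value lines, split on the
    first '='. Key case and order are preserved (configparser would lowercase)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def looks_opaque(value: str) -> bool:
    """Heuristic (assumption, not the bot's encoding): a long run of letters and
    digits with no spaces or punctuation is treated as an encoded blob."""
    return len(value) >= 24 and value.isalnum() and any(c.isdigit() for c in value)


def extract_urls(value: str) -> List[str]:
    return URL_RE.findall(value)


def triage(text: str) -> dict:
    """Split keys into opaque vs readable and collect URLs/hosts from the readable ones."""
    result = {"urls": [], "hosts": [], "opaque_keys": [], "plaintext_keys": []}
    for section in parse_ini(text).values():
        for key, value in section.items():
            if looks_opaque(value):
                result["opaque_keys"].append(key)
                continue
            result["plaintext_keys"].append(key)
            for url in extract_urls(value):
                result["urls"].append(url)
                host = url.split("://", 1)[-1].split("/", 1)[0]
                if host not in result["hosts"]:
                    result["hosts"].append(host)
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_CONFIG), indent=2, ensure_ascii=False))
```

On the sample the only link surfaces from the mensagemorkut field; the remaining nine fields are flagged opaque, which is where a follow-up decoding step (not attempted here) would start.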
This account is now suspended, hurray. VirusTotal shows a mixed bag for detection with some ambiguous names at times:
[ scan result ]
AhnLab-V3 2008.10.18.0/20081017 found [Win-Trojan/Xema.variant]
AntiVir 7.9.0.5/20081017 found [TR/Dldr.Delphi.Gen]
Authentium 5.1.0.4/20081017 found [W32/Trojan2.DIXN]
Avast 4.8.1248.0/20081015 found [Win32:Banload-FZK]
AVG 8.0.0.161/20081017 found [Generic11.NVP]
BitDefender 7.2/20081017 found nothing
CAT-QuickHeal 9.50/20081017 found [Trojan.Delf.ehi]
ClamAV 0.93.1/20081017 found nothing
DrWeb 4.44.0.09170/20081017 found [Trojan.DownLoad.4951]
eSafe 7.0.17.0/20081016 found nothing
eTrust-Vet 31.6.6154/20081017 found nothing
Ewido 4.0/20081017 found [Downloader.Banload.usk]
F-Prot 4.4.4.56/20081017 found [W32/Trojan2.DIXN]
F-Secure 8.0.14332.0/20081017 found [Trojan.Win32.Delf.ehi]
Fortinet 3.113.0.0/20081017 found [W32/DelpDldr.D!tr]
GData 19/20081017 found [Win32:Banload-FZK]
Ikarus T3.1.1.44.0/20081017 found [Virus.Win32.Gamania.DG]
K7AntiVirus 7.10.498/20081017 found [Trojan.Win32.Delf.ehi]
Kaspersky 7.0.0.125/20081017 found [Trojan.Win32.Delf.ehi]
McAfee 5407/20081016 found [PWS-Banker]
Microsoft 1.4005/20081017 found [TrojanDownloader:Win32/Banload.gen!H]
NOD32 3532/20081017 found [probably a variant of Win32/Delf]
Norman 5.80.02/20081017 found [W32/Malware.DQAC]
Panda 9.0.0.4/20081017 found [Trj/Downloader.MDW]
PCTools 4.4.2.0/20081017 found nothing
Prevx1 V2/20081017 found [Banking Info Stealer]
Rising 20.66.42.00/20081017 found nothing
SecureWeb-Gateway 6.7.6/20081017 found [Trojan.Dldr.Delphi.Gen]
Sophos 4.34.0/20081017 found [Mal/DelpDldr-D]
Sunbelt 3.1.1730.1/20081017 found [BehavesLike.Win32.Malware (v)]
Symantec 10/20081017 found nothing
TheHacker 6.3.1.0.117/20081017 found nothing
TrendMicro 8.700.0.1004/20081017 found nothing
VBA32 3.12.8.7/20081017 found [Trojan.Win32.Delf.ehi]
ViRobot 2008.10.17.1425/20081017 found nothing
VirusBuster 4.5.11.0/20081017 found nothing
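A "mixed bag" of detection names is easier to reason about once it is reduced to a ratio, a count per family keyword, and a list of the engines whose verdict is only generic or heuristic. The following is an added example for this post, not code from the original or from VirusTotal: it parses the scan output above (the sample is that output, reflowed one engine per line, which the parser does not depend on), computes the detection ratio, tallies family keywords such as Banload and Delf across engines, and separates generic verdicts (for example "probably a variant of" or a ".Gen" suffix) from named families. The keyword list and the generic markers are assumptions chosen for this output.

```python
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample: the VirusTotal output quoted in the post, one engine per line.
SCAN_TEXT = """[ scan result ]
AhnLab-V3 2008.10.18.0/20081017 found [Win-Trojan/Xema.variant]
AntiVir 7.9.0.5/20081017 found [TR/Dldr.Delphi.Gen]
Authentium 5.1.0.4/20081017 found [W32/Trojan2.DIXN]
Avast 4.8.1248.0/20081015 found [Win32:Banload-FZK]
AVG 8.0.0.161/20081017 found [Generic11.NVP]
BitDefender 7.2/20081017 found nothing
CAT-QuickHeal 9.50/20081017 found [Trojan.Delf.ehi]
ClamAV 0.93.1/20081017 found nothing
DrWeb 4.44.0.09170/20081017 found [Trojan.DownLoad.4951]
eSafe 7.0.17.0/20081016 found nothing
eTrust-Vet 31.6.6154/20081017 found nothing
Ewido 4.0/20081017 found [Downloader.Banload.usk]
F-Prot 4.4.4.56/20081017 found [W32/Trojan2.DIXN]
F-Secure 8.0.14332.0/20081017 found [Trojan.Win32.Delf.ehi]
Fortinet 3.113.0.0/20081017 found [W32/DelpDldr.D!tr]
GData 19/20081017 found [Win32:Banload-FZK ]
Ikarus T3.1.1.44.0/20081017 found [Virus.Win32.Gamania.DG]
K7AntiVirus 7.10.498/20081017 found [Trojan.Win32.Delf.ehi]
Kaspersky 7.0.0.125/20081017 found [Trojan.Win32.Delf.ehi]
McAfee 5407/20081016 found [PWS-Banker]
Microsoft 1.4005/20081017 found [TrojanDownloader:Win32/Banload.gen!H]
NOD32 3532/20081017 found [probably a variant of Win32/Delf]
Norman 5.80.02/20081017 found [W32/Malware.DQAC]
Panda 9.0.0.4/20081017 found [Trj/Downloader.MDW]
PCTools 4.4.2.0/20081017 found nothing
Prevx1 V2/20081017 found [Banking Info Stealer]
Rising 20.66.42.00/20081017 found nothing
SecureWeb-Gateway 6.7.6/20081017 found [Trojan.Dldr.Delphi.Gen]
Sophos 4.34.0/20081017 found [Mal/DelpDldr-D]
Sunbelt 3.1.1730.1/20081017 found [BehavesLike.Win32.Malware (v)]
Symantec 10/20081017 found nothing
TheHacker 6.3.1.0.117/20081017 found nothing
TrendMicro 8.700.0.1004/20081017 found nothing
VBA32 3.12.8.7/20081017 found [Trojan.Win32.Delf.ehi]
ViRobot 2008.10.17.1425/20081017 found nothing
VirusBuster 4.5.11.0/20081017 found nothing
"""

# One entry: "<engine> <version>/<yyyymmdd> found nothing" or "... found [<name>]".
ENTRY_RE = re.compile(
    r"(?P<engine>\S+)\s+(?P<version>\S+)/(?P<date>\d{8})\s+found\s+"
    r"(?:nothing|\[(?P<name>[^\]]*)\])"
)

# Substrings (assumed markers) that signal a generic or heuristic verdict.
GENERIC_MARKERS = ("generic", "probably", "behaveslike", "variant", ".gen")

DEFAULT_FAMILIES = ("Banload", "Banker", "Delf", "Delphi", "Dldr", "Download")


def parse_scan(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (engine, detection name) pairs; None means the engine found nothing."""
    results = []
    for m in ENTRY_RE.finditer(text):
        name = m.group("name")
        results.append((m.group("engine"), name.strip() if name else None))
    return results


def detection_ratio(results: Sequence[Tuple[str, Optional[str]]]) -> Tuple[int, int]:
    detected = sum(1 for _, name in results if name)
    return detected, len(results)


def family_counts(results, keywords: Sequence[str]) -> Dict[str, int]:
    """Count engines whose name contains each keyword (case-insensitive)."""
    counts = {k: 0 for k in keywords}
    for _, name in results:
        if not name:
            continue
        lname = name.lower()
        for k in keywords:
            if k.lower() in lname:
                counts[k] += 1
    return counts


def generic_verdicts(results) -> List[str]:
    """Engines whose verdict is generic/heuristic rather than a named family."""
    return [engine for engine, name in results
            if name and any(mk in name.lower() for mk in GENERIC_MARKERS)]


def summarize(text: str, keywords: Sequence[str] = DEFAULT_FAMILIES) -> dict:
    results = parse_scan(text)
    detected, total = detection_ratio(results)
    return {
        "detected": detected,
        "total": total,
        "families": family_counts(results, keywords),
        "generic": generic_verdicts(results),
        "missed_by": [engine for engine, name in results if not name],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SCAN_TEXT), indent=2))
```

The family tally is what turns thirty-odd vendor strings into a working hypothesis (here a Delphi-written banking downloader of the Banload/Delf variety), and the missed_by list is what an operations team needs when deciding whether its own endpoint product would have caught the sample on that date.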
And so it goes. Any new communications medium, once it has enough eyeballs, is fair ground for malcode attacks. This marriage – MSN and Twitter – means that attackers can now use IM spam to drive visitors to the malicious profiles.
No idea how many more profiles like this exist. We’ve contacted Twitter about this one and encouraged them to do some digging to find more.
