koob-Face or ter-Twit?

The ongoing abuse of Twitter feeds by malware distributors continues to net more social networking victims. As always, be wary of any executable you are prompted to download and execute. Currently, evil tweets for “My home video” or “cool video! WOW!” redirect to a set of spoofed social network pages. The malicious pages present visiting users with a prompt for a plugin install, “Flash player upgrade required”. An example here:
The malicious Koobface worm that ThreatFire has been preventing on desktops is served up and named “setup.exe” from this site. Interestingly, a number of these IP addresses serving up Koobface have been in use by Waledac distributors.
The ThreatFire community has been reporting the Koobface nastiness being served from multiple web servers today, with fairly heavy Koobface volume from web servers hosted on these IP addresses:
// KROTEG
var abc1 = 'hxxp://kukuruku-290709. com/go/';
var abc2 = 'hxxp://kukuruku-290709. com/go/';
var ss = '' + location.search;
if ((location.search).length>0) abc = abc1; else abc = abc2;
var redirects = [
  ['facebook. com', abc+'fb.php'],
  ['tagged. com', abc+'tg.php'],
  ['friendster. com', abc+'fr.php'],
  ['myspace. com', abc+'ms.php'],
  ['msplinks. com', abc+'ms.php'],
  ['myyearbook. com', abc+'yb.php'],
  ['fubar. com', abc+'fu.php'],
  ['twitter. com', abc+'tw.php'],
  ['hi5. com', abc+'hi5.php'],
  ['bebo. com', abc+'be.php']
];
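The redirector script above maps each social network the victim is expected to arrive from to a spoofed landing page under one host. For triage, what a responder wants out of such a script is that table and the set of landing hosts to block. The following is an added example, not code from the original post or from ThreatFire: it pulls the string variables, the `abc = abc1` / `abc = abc2` aliases and the `['site', var+'path']` pairs out of the script text with regular expressions and resolves them into indicator pairs. The sample input is the script quoted in the post, kept in its defanged form (`hxxp`, `site. com`); the function and variable names are the example's own.

```javascript
// Added example (not part of the original post): extract the spoofed-site -> landing-page
// map from a Koobface-style redirector script so the pairs can be fed to a blocklist.
// SAMPLE_SCRIPT is the script quoted in the post, kept defanged exactly as printed there.
const SAMPLE_SCRIPT = `// KROTEG
var abc1 = 'hxxp://kukuruku-290709. com/go/';
var abc2 = 'hxxp://kukuruku-290709. com/go/';
var ss = '' + location.search;
if ((location.search).length>0) abc = abc1; else abc = abc2;
var redirects = [
  ['facebook. com', abc+'fb.php'],
  ['tagged. com', abc+'tg.php'],
  ['friendster. com',abc+'fr.php'],
  ['myspace. com', abc+'ms.php'],
  ['msplinks. com', abc+'ms.php'],
  ['myyearbook. com',abc+'yb.php'],
  ['fubar. com', abc+'fu.php'],
  ['twitter. com', abc+'tw.php'],
  ['hi5. com', abc+'hi5.php'],
  ['bebo. com', abc+'be.php']];`;

// Collect literal string assignments of the form: var name = '...';
function extractStringVars(script) {
  const vars = {};
  const re = /var\s+(\w+)\s*=\s*'([^']*)'/g;
  let m;
  while ((m = re.exec(script)) !== null) vars[m[1]] = m[2];
  return vars;
}

// Collect runtime aliases of the form: name = otherName;  (e.g. abc = abc1; else abc = abc2;)
// Each alias maps to every literal it may take, so a branch-dependent base is fully covered.
function resolveAliases(script, vars) {
  const aliases = {};
  const re = /\b(\w+)\s*=\s*(\w+)\s*;/g;
  let m;
  while ((m = re.exec(script)) !== null) {
    const [, lhs, rhs] = m;
    if (rhs in vars) (aliases[lhs] = aliases[lhs] || []).push(vars[rhs]);
  }
  return aliases;
}

// Pull every ['spoofed site', base+'path'] pair and resolve the base variable to its
// possible string values. Returns [{ spoofedSite, targets: [...] }, ...].
function extractRedirects(script) {
  const vars = extractStringVars(script);
  const aliases = resolveAliases(script, vars);
  const pairs = [];
  const re = /\[\s*'([^']+)'\s*,\s*(\w+)\s*\+\s*'([^']+)'\s*\]/g;
  let m;
  while ((m = re.exec(script)) !== null) {
    const [, spoofedSite, baseVar, path] = m;
    const bases = aliases[baseVar] || (baseVar in vars ? [vars[baseVar]] : []);
    // Deduplicate: in the sample abc1 and abc2 hold the same prefix.
    const targets = [...new Set(bases.map(b => b + path))];
    pairs.push({ spoofedSite, targets });
  }
  return pairs;
}

// Unique landing hosts across all targets, for a blocklist (defanged form is preserved).
function landingHosts(pairs) {
  const hosts = new Set();
  for (const p of pairs) {
    for (const t of p.targets) {
      const m = /^hxxps?:\/\/([^/]+)/.exec(t);
      if (m) hosts.add(m[1]);
    }
  }
  return [...hosts];
}

// Stand-alone run: print the map and the hosts to block.
const found = extractRedirects(SAMPLE_SCRIPT);
for (const p of found) console.log(`${p.spoofedSite} -> ${p.targets.join(', ')}`);
console.log('landing hosts:', landingHosts(found));
```

Because the script's `abc` is chosen at runtime from `abc1` or `abc2`, the extractor records both candidates rather than guessing which branch ran; when the two prefixes differ, both landing paths end up in the output. Refang the hosts only inside your blocklist tooling, never in a shared report.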
Again, if you are a user of these sites and receive a tweet from someone you don’t know that redirects you to a page that serves up an executable download, be very suspicious. And of course, run a behavior-based solution like ThreatFire as a layer on your system.