New Twitter Worm Redirects Users to Rogue AV

21 Jan 2011
Virus News

Kaspersky Lab, a leading developer of secure content and threat management solutions, warns users about a new, fast-moving Twitter worm which exploits Google's goo.gl service of truncated links.

The truncated URLs are lightweight and popularly used in micro-blogging systems, limiting the length of messages for users of services such as Twitter. However, shortened links can seriously threaten computer security, because the text of a truncated URL is relatively obscure and a user does not know what it contains prior to ending up on an infected site. Hackers are managing to successfully lure the unwary into using their malicious truncated links.

A recently discovered Twitter worm's redirection chain pushes users to a webpage that delivers a rogue AV called ’Security Shield’. After several redirections, a user is transferred to the page related to the rogue AV distributive. The page uses obfuscation code techniques that include an implementation of RSA cryptography in JavaScript. Kaspersky Lab experts have found thousands of Twitter messages continuing to spread the worm.

Kaspersky Lab malware researcher Nicolas Brulez discovered that once you are on this website, you will receive a warning that your machine is running suspicious applications. The warning invites users to remove all the threats from their computer, and download the ‘Security Shield’ rogue AV application. As usual, the result of downloading the program is that the user’s machine is infected with malicious programs.

All Kaspersky Lab products are capable of detecting this threat via their inbuilt heuristic analyzer. However, users should always bear in mind that clicking on random links may lead to severe infection of their machine.