Downloader, Micro-blogging, and Prophecy
We posted a blog "Twittering Botnets" a few days ago that gave details of malware that receives obfuscated URLs from Twitter messages. This malware is detected as Downloader.Sninfs. This blog also made a prophecy that alternative sites could be used in the same fashion, and unfortunately this one has come true.
A new variant of this threat has emerged that uses not only Twitter, but also another social networking and micro-blogging site Jaiku.com. Symantec detects this Trojan as Downloader.Sninfs.B.
Like the previous variant, Downloader.Sninfs.B also attempts to get URLs from obfuscated Twitter status messages. However, if that attempt fails, the Trojan will use the RSS feed from an account registered on Jaiku.com to obtain the location of remote files.
It is likely that we will see more threats adopt this approach in the coming months. In the meantime, Symantec customers can ensure they are fully protected by keeping their product definitions up to date.