The Sina microblog is the biggest microblogging platform in China and is very similar to Twitter. It has more than 140 million users, which is almost 10% of the population of China. On June 28 this year, it was attacked by a cross-site scripting (XSS) worm and more than 30,000 users were affected. The worm aggressively sends out messages, containing enticing hot topics and a shortened link, to the affected member's follower list. This is not the first time that threats have used shortened links; on this occasion, they served the attackers as a very simple but powerful tool to hide the actual malicious URL.
The following is a screenshot of some of the spam messages sent out by the threat:
Once the link is clicked, the user's computer is infected, and the threat starts sending private messages containing the same shortened link to the user's followers and posting these messages on the user's microblog. Compromised computers also automatically add a new follower called "@hellosamy", who is suspected of being the attacker, to their follower list.
Not long after the worm first appeared, Sina posted a message stating that the vulnerability had been fixed. Sina has since removed the malicious links and locked the attacker's account. It has also reported the attack to the Chinese authorities.
This worm only sends messages to followers of the infected user and does not steal passwords or other sensitive information. Symantec detects this threat as JS.Weisamy.