Large scale malware attack using URL shortening services
We've seen spammers abusing URL shortening services on a huge scale for quite some time, which was also reported in depth as part of the May 2011 MessageLabs Intelligence Report [http://www.symanteccloud.com/mlireport/MLI_2011_05_May_FINAL-en.pdf]. The explosion in popularity of micro-blogging services and social networking status updates has seen a huge increase in the number of URL shortening sites. The simple and semi-anonymous nature of these sites allows spammers to easily create thousands of links, which they then include in their spam in an attempt to evade URL-based spam blocking.
Recently we saw a large malware attack using URL shortening services.
The attack abused at least five different URL shortening sites. The message claimed to be from an inter-bank funds transfer service, claiming that a funds transfer had been cancelled. To find out why the transfer was cancelled, recipients were encouraged to click on a link supposedly pointing to a PDF file, but actually pointing to a shortened URL. This shortened URL then redirects to a site with several drive-by exploits.
The malware site is heavily obfuscated. Almost its entire content is obfuscated and contained inside a single huge HTML "DIV" element, hidden with inline CSS. When a web browser renders the page, JavaScript is used to de-obfuscate the content and run more JavaScript to carry out exploits. The page attempts several exploits including exploits targeting PDF and Java, and also uses a Windows Help Center exploit to download more malware.
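The page structure described above (one large DIV hidden by inline CSS, decoded and executed by JavaScript) can be flagged offline with a simple heuristic. This is an added example, not code from the original post or from Symantec; the sample HTML, the threshold and the list of decoder APIs are constructed assumptions, not taken from the real attack page.

```python
import re
from html.parser import HTMLParser

# Inline CSS values that hide an element from the rendered page.
HIDDEN_CSS = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
# JavaScript calls commonly used to decode and run hidden content (assumed list).
DECODER_APIS = ("unescape(", "eval(", "fromCharCode(", "document.write(")


class HiddenBlockScanner(HTMLParser):
    """Counts text inside CSS-hidden DIVs and collects all inline script text."""

    def __init__(self):
        super().__init__()
        self._hidden_depth = 0      # >0 while inside a hidden DIV (nesting aware)
        self._in_script = False
        self.hidden_chars = 0       # characters of content inside hidden DIVs
        self.script_text = []

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        if tag == "div" and (self._hidden_depth or HIDDEN_CSS.search(style)):
            self._hidden_depth += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "div" and self._hidden_depth:
            self._hidden_depth -= 1
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)
        elif self._hidden_depth:
            self.hidden_chars += len(data.strip())


def scan_page(html, min_hidden_chars=512):
    """Flag pages with a large hidden DIV plus scripts that decode and execute."""
    parser = HiddenBlockScanner()
    parser.feed(html)
    parser.close()
    script = "\n".join(parser.script_text)
    decoders = [api for api in DECODER_APIS if api in script]
    suspicious = parser.hidden_chars >= min_hidden_chars and len(decoders) >= 2
    return {"hidden_chars": parser.hidden_chars, "decoders": decoders, "suspicious": suspicious}


# Constructed stand-in for the attack page: an encoded blob in a hidden DIV,
# decoded with unescape() and run with eval(). Not the real malware content.
ENCODED_BLOB = "%41%42%43" * 200
SAMPLE_HTML = ('<html><body><p>Your transfer was cancelled.</p>'
               '<div id="c" style="display:none">' + ENCODED_BLOB + '</div>'
               "<script>var d=document.getElementById('c').innerHTML;"
               "eval(unescape(d));</script></body></html>")
# Constructed benign page: a small hidden menu and an ordinary script call.
BENIGN_HTML = '<html><body><div style="display:none">menu</div><script>init();</script></body></html>'
```

A real hidden DIV on the page described here would be far larger than the sample; tune `min_hidden_chars` to the page sizes seen in practice and treat the result as a triage signal, not a verdict.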
We saw hundreds of unique shortened URLs being used to link to this malware, and expect to see malware authors using this technique in future.
The Symantec Intelligence Blog published by Symantec.cloud serves as a conduit for communicating Intelligence data, trends and statistics based on analysis of cyber security threats, trends and insights from the Symantec Intelligence team comprised of many world-renowned malware and spam experts. Sitting on the front lines of defense, they have a global view of threats across multiple communication protocols drawn from the billions of web pages, email and IM messages they monitor each day.