We have become familiar enough with malware creators poisoning popular search engine terms through SEO techniques in order to deliver their malicious files to a greater pool of unsuspecting users. Other popular services such as Twitter have not escaped the watchful eyes of the miscreants. This attack involves pumping out many copies of the same tweets from different accounts to push them into the Twitter trending list. That way more people are likely to see them, even if the individual accounts used to send the tweets don't have many followers. Incidentally, many of the accounts used in this attack don't have many followers and are quite fresh, meaning they are probably fake accounts set up specifically for the purpose of spamming tweets.
To carry out this kind of attack, the miscreants are clearly following a tried-and-tested recipe, borrowed from SEO-based attacks and tweaked for Twitter.
The recipe goes something like this:
- See what's in fashion
- Find a suitable host
- Mask the URLs
- Start spreading the news
- Repeat until cooked
1. See what's in fashion
The miscreants are a pretty smart bunch when it comes to Web marketing. They do the research to know what people are interested in. They typically watch for latest newsworthy events or occasions and then zero in on them as the hook for their campaign. Attackers can watch the latest trending topics on Twitter to see what people are currently most interested in.
On December 2nd, one of the hooks used was the Jewish holiday, Hanukkah. As you can imagine, this step is quite fluid and most likely to change daily, making it hard to recognize and defend against. Once they know what hooks to use, they can then set about creating messages that use social engineering techniques to trick users into clicking on them.
Here are some example messages (note the trending Twitter terms planted randomly into the message):
- Nobody cares about :) Hanukkah
- Get me sex, woman, por fa vor! (((((( Advent Calendar
- Check this link and change your mind 'bout :)) Sundance
- Get through this viagra store and read a shocking article about F*****k!!!
- What's in this trend OMG World AIDS
- Damned, I didn't know THAT about :( Morgan Freeman
2. Find a suitable host
Like any good parasite, the miscreants need to find a suitable host for their attack. Attackers these days typically choose from a number of ways to host malware. They can use their own hosting, with a bulletproof hosting service. Alternatively they could use a bot under their control, rent a bot, or hack into a third-party website. The latter choice is a low-cost and quite effective option, especially when you consider the shelf life of these attacks: there is little point in investing money in something that will be terminated in a few days.
Once a suitable host server is found, the choice is whether to attach the malcode to existing pages using a redirect or iframe or to create brand new pages specifically to host the malcode. The first option has the bonus of catching unsuspecting visitors to the site, as well as any traffic driven to the site by the attackers themselves. The second option limits the victims to those that the attackers direct to the page, but the advantage here is that the page can stay below the radar (i.e. if the page is not linked into any part of the real web site, nobody is likely to find it unless they went looking for it).
3. Mask the URL
Masking URLs is clearly of great benefit to malware creators. Some URL-shortening services are used by mainstream publications and services like Twitter in order to conserve space. The downside is that the final destination of the link is hidden. Because of this obfuscation, it is more difficult for users to recognize risky domains, let alone block them. Some URL-shortening services are better than others insofar as they offer previewing capabilities. In the case of tiny.cc, it even offers a stats page where anybody can see how many hits were made as well as the destination of the shortened URL. Some services, such as bit.ly, have also integrated link blacklisting services, automatically filtering out attempts to create shortened links to known malware sites.
Based on the click stats of the shortened URLs (tiny.cc) used in this attack, we can see that a very large number of users may have potentially been compromised in this attack:
- tiny.cc/swkw4 — 42340 clicks
- tiny.cc/3cxal — 42527 clicks
- tiny.cc/v123p — 42564 clicks
- tiny.cc/isuny — 43678 clicks
As far as we can tell, the shortened URLs were only created on December 1st.
At this time, we have noted that the masked URLs end up at either mybuger.info or ljivore.info (through several levels of redirection). Mybuger.info uses a social engineering trick, asking the user to download a file to view a video (activex.exe - detected as Trojan.Bamital). Note that the URL in the browser says bestvideo.has.it but the content is actually from mybuger.info.
The ljivore.info site hosts several exploits including:
- Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities
- Adobe Reader 'CoolType.dll' TTF Font Remote Code Execution Vulnerability
- Oracle Java SE and Java for Business Unspecified Vulnerabilities
- Oracle Java SE and Java for Business JRE Trusted Method Chaining Remote Code Execution Vulnerability
- Apple QuickTime '_Marshaled_pUnk' Remote Code Execution Vulnerability
Successful exploitation will result in the download and installation of the same executable file as found on mybuger.info.
4. Start spreading the news
Once the initial groundwork is done, the attackers need to get their malicious content to as wide a pool of people as possible. It is likely that the attackers have at their disposal a large collection of accounts from which they can automate the sending of messages. Automation of tweets can be done quite easily by creating bots that periodically and randomly send tweets from a predefined selection of messages created in step one, adding a shortened URL from step three. As the number of accounts used is likely to be quite large and the tweets frequent, the likely overall effect is to push these tweets into the live Twitter feeds when users go to check the trending topics. In addition, the tweets also make use of features such as hashtags to help them reach an even wider audience.
While many of the accounts used appear to be created for the purpose of the attack, there may be some accounts used that are legitimate accounts that have been hacked. The advantage of tweeting through hacked accounts is that the account may already have a built-in network of followers. By tweeting through such an account you tweet to all its followers. This is indeed a powerful way to spread the news.
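As an added illustration, not part of the original post, here is a small Python heuristic a defender could run over a feed of tweets to spot the pattern described in steps 1 and 4: the same message template sent by several freshly created, low-follower accounts, with only the trending term and the shortened URL swapped in. The tweet records, account creation dates and follower counts below are constructed for the example; the trend list and the example tweet wording are taken from the post.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample data: trending terms seen in the post, plus invented
# accounts whose age and follower counts mimic the campaign's fake accounts.
TRENDS = {"hanukkah", "sundance", "advent calendar", "morgan freeman", "world aids"}
TODAY = date(2010, 12, 2)
SAMPLE_TWEETS = [
    {"user": "u1", "created": date(2010, 11, 30), "followers": 3,
     "text": "Nobody cares about :) Hanukkah http://tiny.cc/swkw4"},
    {"user": "u2", "created": date(2010, 12, 1), "followers": 1,
     "text": "Nobody cares about :) Sundance http://tiny.cc/3cxal"},
    {"user": "u3", "created": date(2010, 12, 1), "followers": 0,
     "text": "Nobody cares about :) Morgan Freeman http://tiny.cc/v123p"},
    {"user": "u4", "created": date(2010, 11, 29), "followers": 5,
     "text": "Damned, I didn't know THAT about :( Hanukkah http://tiny.cc/isuny"},
    {"user": "u5", "created": date(2010, 12, 1), "followers": 2,
     "text": "Damned, I didn't know THAT about :( World AIDS http://tiny.cc/swkw4"},
    {"user": "journo", "created": date(2008, 3, 4), "followers": 12000,
     "text": "Happy Hanukkah everyone! http://example.org/story"},
]

URL_RE = re.compile(r"https?://\S+")

def template(text):
    """Collapse a tweet to its template: URLs and trending terms become placeholders."""
    t = URL_RE.sub("<url>", text.lower())
    for trend in TRENDS:
        t = t.replace(trend, "<trend>")
    return " ".join(t.split())

def find_trend_abuse(tweets, today=TODAY, min_accounts=2, max_age_days=7, max_followers=10):
    """Group tweets by template and report templates pushed by several fresh,
    low-follower accounts, together with the shortened URLs they carry."""
    groups = defaultdict(list)
    for tw in tweets:
        groups[template(tw["text"])].append(tw)
    flagged = {}
    for key, members in groups.items():
        fresh = {tw["user"] for tw in members
                 if (today - tw["created"]).days <= max_age_days
                 and tw["followers"] <= max_followers}
        if len(fresh) >= min_accounts:
            urls = sorted({u for tw in members for u in URL_RE.findall(tw["text"])})
            flagged[key] = {"accounts": sorted(fresh), "urls": urls}
    return flagged
```

The thresholds are illustrative; on a real feed the flagged URLs are the values worth expanding through the shortener's preview page and checking against a URL reputation service.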
5. Repeat until cooked
The last step of the process is to repeat the previous step as necessary until the goal is achieved. It is likely that the goal here is to make money (e.g. affiliate schemes). The final payload downloaded is Trojan.Bamital, which is used for manipulating search results to include links to adverts and so forth. Because this is a profit-driven exercise, the attacker is likely to have an operational process that continually monitors and adjusts each step to keep it working in an optimal manner, maintaining the flow of money. Despite the section title, this metaphorical goose is never going to be cooked, so the process will continue indefinitely until either the money-making avenues are closed or these guys are put out of business, neither of which is likely to happen anytime soon.
In the meantime, our best advice is to be wary of bizarre-looking messages on Twitter, particularly those found in the trending feeds, and to avoid following the links. To their credit, Twitter has put in place processes to stem the flow of malicious tweets coming from trend abusers.
Using a URL filtering/rating service such as Norton Safe Web can help to keep you away from malicious sites. As this attack makes extensive use of software vulnerabilities, it is important to keep any installed software up to date, applying relevant security patches as they are made available. Finally, keeping your antivirus and firewall software active and up to date is always a good idea.
The various files used in this attack are detected by Symantec with the following signatures:
- Trojan Horse
IPS-enabled products are also capable of blocking the redirections and do so with this signature:
HTTP Malicious Toolkit IFrame Injection
For more information on social networking based attacks and how to avoid them, please see Candid Wueest's excellent paper.
Thanks to Piotr Krysiuk for his technical contributions.