Here Come (more of) The Ghouls

[Update: it's likely that the attacks described below will also take advantage of the more recent bombings in Dagestan, as described by the BBC here. Isn't it bad enough that horrors like this take place at all, let alone provide revenue for cybercriminals?]

Late last night (30th March) I added a pointer to my earlier blog on criminal exploitation of the Moscow Metro bombings to a post on ESET Latin America's blog page. The post was written in Spanish by Jorge Mieres, and is at http://blogs.eset-la.com/laboratorio/2010/03/30/campana-infeccion-bomba-moscu/. My first job today was going to be to put a translation up here, but Sebastián Bortnik has beaten me to it.

Infection campaign using the bomb in Moscow as a strategy

Latin America's ESET Research Laboratory has detected a major malware infection campaign, carried out through the Twitter microblogging social network and through major web search engines such as Google: these attacks are attempts to spread malicious code by tricking end users into running it.

In the first case, the strategy is to use Twitter profiles to publish malicious web addresses that claim to be about the bomb attacks on trains in Moscow. Each URL (the gangs are using shortened URLs such as bit.ly) links to a web site that allegedly displays a streaming video. However, within seconds of trying to access it, a popup tells the victims that they need a codec in order to view it, and offers them the option to download it. Of course, the codec is (as is usually the case) really a malicious program.

[Image: Twitter malware]

All the malicious pages that carry this malware are hosted at the same IP address: a server in Israel, identified as serving spam and malware.

We have already detected more than 1,000 malicious links in Twitter profiles that are being used and we are committed to having these profiles removed.
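The pattern described above, many shortened links that all land on one hosting server, is something a defender can check for automatically when triaging tweets on a trending topic. The script below is an added example and is not ESET's tooling or anything from Jorge Mieres' post: it extracts URLs from a handful of constructed sample tweets, expands the shortened ones, resolves the landing hostnames, and flags any IP address that serves several distinct lure domains. The short-URL expansion table, the DNS table, the hostnames and the 203.0.113.x / 198.51.100.x addresses are all constructed stand-ins (documentation ranges); in a live pipeline the two tables would be replaced by following HTTP redirects and by real DNS resolution.

```python
"""Triage helper (added example, not ESET code): cluster shortened-URL
lures by the IP address that the landing page resolves to."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Assumption: a small illustrative list of URL-shortener hostnames.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd"}

# Constructed sample tweets, as a defender might collect them from a keyword search.
SAMPLE_TWEETS = [
    "Shocking video of the Moscow metro attack http://bit.ly/aaa111",
    "Moscow blast footage here!! http://bit.ly/bbb222",
    "metro bombing live stream http://tinyurl.com/ccc333",
    "BBC coverage of the Moscow attack http://news.example.org/moscow",
    "another angle http://bit.ly/ddd444",
]

# Constructed stand-in for redirect expansion (short URL -> final landing URL).
# In practice: requests.head(url, allow_redirects=True).url or similar.
EXPANSIONS = {
    "http://bit.ly/aaa111": "http://video-lure-1.example/watch.php",
    "http://bit.ly/bbb222": "http://video-lure-2.example/watch.php",
    "http://tinyurl.com/ccc333": "http://video-lure-3.example/stream.php",
    "http://bit.ly/ddd444": "http://video-lure-1.example/watch.php?id=2",
}

# Constructed stand-in for DNS resolution (hostname -> IPv4, documentation ranges).
# In practice: socket.gethostbyname(hostname).
DNS = {
    "video-lure-1.example": "203.0.113.10",
    "video-lure-2.example": "203.0.113.10",
    "video-lure-3.example": "203.0.113.10",
    "news.example.org": "198.51.100.7",
}

URL_RE = re.compile(r"https?://\S+")


def extract_urls(text: str) -> List[str]:
    """Return every http(s) URL in a tweet, with trailing punctuation stripped."""
    return [u.rstrip(".,!?)") for u in URL_RE.findall(text)]


def is_shortened(url: str) -> bool:
    """True if the URL's host is a known shortener."""
    return urlparse(url).hostname in SHORTENER_HOSTS


def expand(url: str) -> str:
    """Follow a shortener to its landing URL (table lookup stands in for HTTP)."""
    return EXPANSIONS.get(url, url)


def resolve(hostname: str) -> Optional[str]:
    """Resolve a hostname to an address (table lookup stands in for DNS)."""
    return DNS.get(hostname)


def cluster_by_ip(tweets: List[str]) -> Dict[str, Set[str]]:
    """Map each landing IP to the set of distinct landing hostnames reached."""
    clusters: Dict[str, Set[str]] = defaultdict(set)
    for text in tweets:
        for url in extract_urls(text):
            landing = expand(url) if is_shortened(url) else url
            host = urlparse(landing).hostname
            ip = resolve(host) if host else None
            if ip:
                clusters[ip].add(host)
    return clusters


def suspicious_ips(tweets: List[str], min_hosts: int = 2) -> List[str]:
    """IPs serving several distinct lure hostnames for one trending topic.
    One shared server behind many short links is the pattern from the post,
    and is worth blocking or escalating as a single unit."""
    return sorted(ip for ip, hosts in cluster_by_ip(tweets).items()
                  if len(hosts) >= min_hosts)


if __name__ == "__main__":
    for ip, hosts in cluster_by_ip(SAMPLE_TWEETS).items():
        print(ip, sorted(hosts))
    print("flag:", suspicious_ips(SAMPLE_TWEETS))
```

Clustering on the resolved address rather than on the visible short link is the point: the shorteners and lure domains rotate cheaply, while the hosting server is the expensive part for the attacker and the useful pivot for a block list or a takedown request.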

This campaign is directly related to the other attack, which is conducted using BlackHat SEO (Search Engine Optimization) techniques (search engine index hijacking). Below you can see a search related to the incident in Moscow, which links to harmful sites:

[Image: malicious search results]

This shows the range of attack vectors that can be used to propagate malware and unfortunately, the techniques mentioned are regularly seen.

Files downloaded in both cases are detected by advanced ESET NOD32 heuristics as variants of the threat family Win32/Kryptik.

Therefore, we warn users to avoid clicking on suspicious messages spread through social networks or in search engine results and, above all, keep your antivirus software updated.

Jorge Mieres
Security Analyst

As I commented in my previous blog: "It makes sense to be cautious about following links on the topic, especially the ones that appear around the top. The gangs have become expert at manipulating search engine ranking so that malicious URLs are among the first links you see in a search." Search terms on Twitter and on Google relating to the Moscow bombings have, in recent days, been very highly ranked.

David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch; http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/