New Twitter worm redirects to Fake AV
A new Twitter worm is spreading fast, using the “goo.gl” URL shortening service to distribute malicious links.
The malicious links go through a number of redirections, described below. The redirection chain may push Twitter users to a fake anti-virus (scareware) site serving the “Security Shield” rogue AV. The page uses exactly the same obfuscation technique as a previous version (Security Tool): an implementation of RSA cryptography in JavaScript that obfuscates the page code.
Our users are protected from this worm and all the URLs are being blacklisted in our products.
Here are some of the technical details:
- Redirection Chains
These “goo.gl” links redirect users to different domains with an “m28sx.html” page:
This HTML page then redirects users to a static domain with a Ukrainian top-level domain:
As if that was not enough, this domain redirects the user to another IP address which is related to Fake Anti Virus distribution:
This IP address will then do its final redirection job, which leads to the Fake AV website:
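As an added example (not part of the original post), the sketch below shows how a defender could hunt for this chain shape in web proxy data: it rebuilds each client's redirect chain from a goo.gl link and flags chains that pass, in order, through an “m28sx.html” page, a .ua host and a bare IP address. The record layout, host names and addresses are constructed assumptions, not indicators from this campaign.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy records (not from the post): (client, url, prev), where prev
# is the URL that led here (redirect source or Referer). Reserved example hosts.
SAMPLE = [
    ("10.0.0.5", "http://goo.gl/EXAMPLE1", "http://twitter.com/"),
    ("10.0.0.5", "http://landing.example/m28sx.html", "http://goo.gl/EXAMPLE1"),
    ("10.0.0.5", "http://static.example.ua/", "http://landing.example/m28sx.html"),
    ("10.0.0.5", "http://192.0.2.10/", "http://static.example.ua/"),
    ("10.0.0.5", "http://fakeav.example/scan", "http://192.0.2.10/"),
    ("10.0.0.9", "http://goo.gl/EXAMPLE2", "http://twitter.com/"),
    ("10.0.0.9", "http://news.example/story.html", "http://goo.gl/EXAMPLE2"),
]
STAGES = ["shortener", "landing", "ua", "ip"]  # order described in the post

def hop_kind(url):
    """Label a hop with the chain stage it resembles, or None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host == "goo.gl":
        return "shortener"
    if parts.path.endswith("/m28sx.html"):
        return "landing"
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "ua" if host.endswith(".ua") else None

def chains(records):
    """Rebuild each client's chain from a goo.gl link by following prev -> url."""
    nxt = {(c, p): u for c, u, p in records}  # last record wins per (client, prev)
    out = []
    for client, start, _ in records:
        if hop_kind(start) == "shortener":
            chain = [start]
            while (hop := nxt.get((client, chain[-1]))) and hop not in chain:
                chain.append(hop)
            out.append((client, chain))
    return out

def flagged(records):
    """Chains whose hops contain all four stages, in order (gaps allowed)."""
    def in_order(chain):
        kinds = iter(hop_kind(u) for u in chain)
        return all(stage in kinds for stage in STAGES)
    return [(c, ch) for c, ch in chains(records) if in_order(ch)]
```

A .ua host or a bare-IP hop on its own is not a signal; the match is on the ordered combination, so the second sample client (shortener to an ordinary page) is not flagged.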