New Twitter worm redirects to Fake AV

January 20th, 2011 Nicolas Brulez Posted in Industry News, Kaspersky

A new Twitter worm is spreading fast, using the “goo.gl” URL shortening service to distribute malicious links.

The malicious links go through a number of redirections, which are described below. The redirection chain may push Twitter users to a fake anti-virus (scareware) site serving the “Security Shield” rogue AV. The webpage uses exactly the same obfuscation technique as a previous version (Security Tool): an implementation of RSA cryptography in JavaScript that obfuscates the page code.

Our users are protected from this worm and all the URLs are being blacklisted in our products.

Here are some of the technical details:

  1. Redirection Chains

    Those “goo.gl” links are redirecting users to different domains with a “m28sx.html” page:

    This HTML page then redirects users to a static domain with a Ukrainian top-level domain:

    As if that was not enough, this domain redirects the user to another IP address which is related to Fake Anti Virus distribution:

    This IP address will then do its final redirection job, which leads to the Fake AV website:
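
The chain described above (shortener, intermediate page, static domain, bare IP address, final site) can be reconstructed from recorded redirects and checked for those traits. The following is an added example, not code from the original post; the hostnames, the IP address and the three trait names are constructed placeholders, and only "goo.gl" and "m28sx.html" come from the post.

```python
import ipaddress
from urllib.parse import urlsplit

# Entry-point shorteners; goo.gl is the one named in the post.
SHORTENERS = {"goo.gl"}

def host_of(url):
    """Lowercase hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def is_ip_literal(host):
    """True when the host is a bare IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def build_chain(start_url, hops):
    """Follow recorded url -> next_url redirects from start_url, stopping on a loop."""
    chain, seen = [start_url], {start_url}
    while chain[-1] in hops and hops[chain[-1]] not in seen:
        chain.append(hops[chain[-1]])
        seen.add(chain[-1])
    return chain

def assess_chain(chain):
    """Return which traits of the chain described in the post are present."""
    hosts = [host_of(u) for u in chain]
    findings = []
    if hosts[0] in SHORTENERS:
        findings.append("starts-at-shortener")
    if len(set(hosts)) >= 4:
        findings.append("four-or-more-hosts")
    if any(is_ip_literal(h) for h in hosts[1:]):
        findings.append("bare-ip-hop")
    return findings

# Constructed sample (reserved .example/.test names and a TEST-NET address);
# only the m28sx.html page name comes from the post.
SAMPLE_HOPS = {
    "http://goo.gl/PLACEHOLDER": "http://hop1.example/m28sx.html",
    "http://hop1.example/m28sx.html": "http://hop2.example/",
    "http://hop2.example/": "http://203.0.113.10/",
    "http://203.0.113.10/": "http://fake-av.test/scan",
}

if __name__ == "__main__":
    chain = build_chain("http://goo.gl/PLACEHOLDER", SAMPLE_HOPS)
    print(" -> ".join(chain), assess_chain(chain))
```

A chain that shows only one trait, such as a shortener resolving directly to its destination, is ordinary traffic; the combination of all three is what matches the pattern in the post.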


Internal needs on the black market

January 17th, 2011 Dmitry Bestuzhev Posted in Industry News, Kaspersky

At the end of 2010 I noticed a big wave of recruitment spam for money mule work. Initially, the criminals used spam sent from hacked email accounts. I even got some messages like this from people I know personally:

Right after that, to speed up the recruitment process, the messages came via Windows Live Messenger (aka MSN):

And of course, the criminals also used legitimate accounts that had been hacked to spread their messages. Finally, right before the end of the year I saw a big campaign on Facebook, especially targeting Spanish speaking communities.

But yesterday I was completely surprised when I found an advertising banner on a legitimate IT site leading to the same page – money mule recruitment.

All these developments make me think there is a huge demand on the black market for money mule workers. The criminals seem to have enough stolen information like credit card PINs, as well as details for online banking accounts and payment systems. Their problem now is how to launder the money they have made. Our statistics confirm there is a clear growth in Trojan-Spy malware able to steal any kind of personal information. This includes well-known Trojans like Zbot (Zeus) or SpyEye.

It’s worth remembering that money mule activity is considered illegal. Basically, if nobody wanted to launder their money, cybercriminals would find it much harder to make money from stolen account details. Everyone can contribute in their own way to global security, not just AV and other security companies.


A keygen with a twist

January 14th, 2011 Vyacheslav Zakorzhevsky Posted in Industry News, Kaspersky

Programs for cracking commercial software are, sadly, not unpopular. They have also caught the attention of malware writers, who prepared a couple of surprises for those who don’t mind a free ride every now and then.

A short time ago, we detected a Trojan dropper which passes itself off as a key generator for Kaspersky Lab products. The file’s name is kaspersky.exe.

Once launched, the file displays a key generator window prompting the user to select a product. After one of the options is selected, the program proceeds to generate a key.

Keygen window

While the freebie lover is waiting for the result, two pieces of malware that were stealthily installed and launched by the dropper make themselves at home on the PC.

One of these is detected by Kaspersky Lab as Trojan.MSIL.Agent.aor. It steals registration data for other programs, as well as passwords, mostly for online games. It rather considerately stores all the stolen data in one file. A fragment of the file is shown in the screenshot below.


Mistyping leads to infections!

January 13th, 2011 Tim Posted in Industry News, Kaspersky

Cybercriminals like to register domain names that are very similar to actual, well-known domain names but with one or more letters changed. In many cases a potential victim will mistype a letter and in this way arrive at a fake Web site instead of the original one.

Here is just one example of this: a copy of the official Russian Web page of Kaspersky. The criminals added just one small line inside of the ‘downloads’ tab promoting a fake download for a free, one year copy of Kaspersky Internet Security 2011.

Instead of KIS 2011 the victim gets malware. This is ransomware which, after installation, forces a reboot of your PC. Upon completing the reboot, the malware shows a fake message that you’ve won a prize of a Samsung Galaxy S cellphone for just 1200 rubles (40 USD)! To claim this prize, you should pay via SMS text or, optionally, through one of the popular online payment systems in Russia.

Kaspersky Anti-Virus detects this threat as Trojan-Ransom.MSIL.FakeInstaller.e. At the time of writing this blog post, the malicious site was still online and was also detected by Kaspersky Internet Security Web Anti-Virus as a fraudulent one.
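
Names with "one or more letters changed", as described at the start of this post, can be caught by comparing observed domains against the names you want to protect using an edit distance that counts adjacent swaps. The following is an added example, not code from the original post; the protected name and the observed domains are constructed under reserved TLDs, and treating the last label as the TLD is a simplifying assumption.

```python
def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[-1][-1]

def split_domain(domain):
    """Split a registrable domain into (name, tld); assumes no subdomain labels."""
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    return name, tld

def find_lookalikes(observed, protected, max_distance=2):
    """Return (observed, protected, distance) for near misses; exact matches are skipped."""
    hits = []
    for dom in observed:
        name, tld = split_domain(dom)
        for good in protected:
            good_name, good_tld = split_domain(good)
            # A different TLD on the same name counts as one change.
            dist = osa_distance(name, good_name) + (0 if tld == good_tld else 1)
            if 0 < dist <= max_distance:
                hits.append((dom, good, dist))
    return hits

# Constructed sample data: a hypothetical protected name and domains seen in DNS logs.
PROTECTED = ["acme-security.example"]
SAMPLE_OBSERVED = [
    "acme-security.example",   # the real site: distance 0, not reported
    "acme-secuirty.example",   # two letters swapped
    "acme-securty.example",    # one letter dropped
    "acme-security.test",      # same name, different TLD
    "unrelated-shop.example",  # not a lookalike
]

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_OBSERVED, PROTECTED):
        print(hit)
```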