Twitter link malware:
There are at least two variations of the tweets. One is formatted as @(your username) followed by the question "It's you on photo?" and a link. The second is very similar and just as grammatically challenged: "It's about you?", also with the link. What they have in common is that it is not about you.
The tweet looks similar to these:
The wording of the tweets can change at any time. The accounts spreading the messages have either been compromised by hackers or been created by hackers for the purpose of spreading the malicious links.
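As an added example (not code from the original post), a small Python check that flags tweets with the lure shape described above. The sample tweets, account names and links are constructed; the check goes beyond the two quoted phrases by also treating "mention + short question + link" as suspicious, since the wording changes.

```python
import re
from dataclasses import dataclass

# Lure phrases quoted in the post. The wording changes, so these are only the
# high-confidence signal; the structural checks below catch reworded variants.
KNOWN_LURES = ("it's you on photo?", "it's about you?")
MENTION_RE = re.compile(r"^@\w{1,15}\b")
URL_RE = re.compile(r"https?://\S+|\b[\w-]+(?:\.[\w-]+)+/\S*", re.I)

@dataclass
class Verdict:
    suspicious: bool
    reasons: list

def assess_tweet(text: str) -> Verdict:
    """Flag a tweet shaped like '@victim <short question> <link>'.

    A known lure phrase alone is enough; otherwise the tweet must open with a
    mention, carry a link, and leave only a short question once both are gone.
    """
    mention = MENTION_RE.match(text)
    urls = URL_RE.findall(text)
    body = text[mention.end():] if mention else text
    for url in urls:
        body = body.replace(url, "")
    body = body.strip()
    known = any(p in body.lower() for p in KNOWN_LURES)
    short_question = body.endswith("?") and len(body.split()) <= 6
    reasons = [label for flag, label in (
        (known, "known lure phrase"),
        (mention, "opens with @mention"),
        (urls, "contains link"),
        (short_question, "short question-only text"),
    ) if flag]
    suspicious = known or (bool(mention) and bool(urls) and short_question)
    return Verdict(suspicious, reasons)

def suspicious_tweets(tweets):
    """Return the subset of tweets the check flags."""
    return [t for t in tweets if assess_tweet(t).suspicious]

# Constructed sample tweets (not real accounts or links).
SAMPLE_TWEETS = [
    "@alice It's you on photo? http://t.co/abc123",
    "@alice It's about you? http://t.co/abc123",
    "@alice is this you? http://t.co/abc123",  # reworded variant
    "@alice thanks for the talk, slides are at http://example.com/slides",
    "Great day at the park, no links here",
]
```

Running `suspicious_tweets(SAMPLE_TWEETS)` returns the first three tweets; the two legitimate ones fall through because neither leaves a short question once the mention and link are stripped.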
- The hacker licenses (rents) the Blackhole exploit kit and specifies various options to customize the kit.
- The victim loads a compromised web page or opens a malicious link in a spammed email, or in this case the link received through Twitter.
- The compromised web page or malicious link sends the user to a Blackhole exploit kit server's landing page.
- At this point the Blackhole landing page is loaded and the kit scans the victim's browser and plugins for vulnerabilities.
Some vulnerabilities that have been used with the Blackhole exploit kit include:
- CVE-2010-1423: Java argument injection vulnerability in the URI handler in the Java NPAPI plugin
- CVE-2010-0886: unspecified vulnerability in the Java Deployment Toolkit component of Oracle Java SE
- CVE-2010-0842: Java JRE MixerSequencer invalid array index remote code execution vulnerability
- CVE-2010-0840: Java trusted methods chaining remote code execution vulnerability
- CVE-2009-1671: Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
- CVE-2009-0927: Adobe Reader Collab.getIcon
- CVE-2008-2992: Adobe Reader util.printf
- CVE-2007-5659: Adobe Reader Collab.collectEmailInfo
- CVE-2006-0003: Internet Explorer MDAC
Defenses against the Blackhole exploit kit:
- The most obvious defense is not to click on links anywhere online (including emails, Twitter, Facebook, etc.).
- Make sure your browser, browser plugins, and operating system are up to date, since many of the exploits target vulnerabilities in old versions of browsers and plugins such as Adobe Flash, Adobe Reader, Firefox, Google Chrome, Internet Explorer, Java, and Safari.
- Run a security utility with a quality antivirus and perhaps also a host-based intrusion prevention system (HIPS). Since the exploit code is polymorphic, anti-virus software (which relies on malware signatures) will lag behind new versions of the Blackhole exploit kit, while changing the algorithm used to load malware onto victims' computers takes more effort from the criminal or criminals who develop the kit.