Twitter link malware:
By AVM Technology, LLC a computer security and computer forensics company based in Richmond, VA

Hackers are now spreading malware through Twitter. It makes perfect sense: many Twitter users are "click happy," and links on the platform seem somewhat more "trustworthy" than links in emails, which many now recognize as spam.

There are at least two variations of the tweets. One is formatted as @(your username) followed by the question "It's you on photo?" paired with a link. The second is very similar and just as grammatically challenged: "It's about you?", also with a link. What they have in common is that it is not about you.

The tweet looks similar to these:

The wording of the tweets can change at any time. The accounts that are spreading the messages have either been compromised by hackers or have been created by hackers with the purpose of spreading the infected links.

The script that is executed when the link is clicked redirects to various IP addresses that in turn redirect to .CU (Cuba top-level domain), .CC, .SU (Soviet Union top-level domain, even though the Soviet Union no longer exists), or .RU (Russian top-level domain). After all the redirects, you are treated to the Blackhole exploit kit.
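The redirect pattern described above can be hunted for in web proxy logs. The following is an added example, not code from the original post: it rebuilds redirect chains from (URL, Location header) pairs and flags chains that pass through a bare IP address and end on one of the four TLDs named above. The log format, function names, and every host in the sample are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# TLDs the article names as final redirect destinations.
WATCHED_TLDS = {"cu", "cc", "su", "ru"}

# Constructed sample: (requested URL, Location header of the 30x reply, or None).
# Hosts use documentation IP ranges and made-up names; none come from the article.
SAMPLE_LOG = [
    ("http://t.co/constructed1", "http://192.0.2.10/r.php"),
    ("http://192.0.2.10/r.php", "http://198.51.100.7/go"),
    ("http://198.51.100.7/go", "http://constructed-sample-landing.su/index.php"),
    ("http://constructed-sample-landing.su/index.php", None),
    ("http://t.co/constructed2", "http://news.example.com/story"),
    ("http://news.example.com/story", None),
]

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def build_chains(log):
    """Follow Location headers from every URL that is not itself a redirect target."""
    nxt = {url: loc for url, loc in log}
    targets = {loc for _, loc in log if loc}
    chains = []
    for start in [u for u in nxt if u not in targets]:
        chain = [start]
        # Stop at the end of the chain, at an unlogged hop, or on a redirect loop.
        while nxt.get(chain[-1]) and nxt[chain[-1]] not in chain:
            chain.append(nxt[chain[-1]])
        chains.append(chain)
    return chains

def suspicious(chain):
    """True when a chain passes through a bare-IP hop and ends on a watched TLD."""
    hosts = [host_of(u) for u in chain]
    via_ip = any(is_ip_literal(h) for h in hosts[1:-1])
    on_tld = not is_ip_literal(hosts[-1]) and hosts[-1].rsplit(".", 1)[-1] in WATCHED_TLDS
    return via_ip and on_tld

def flag_chains(log):
    return [c for c in build_chains(log) if suspicious(c)]
```

A watched TLD on its own is a noisy signal, which is why the check also requires an intermediate hop addressed by raw IP; treat hits as leads for triage rather than verdicts.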

The Blackhole Exploit Kit:

Exploit kits are an important part of malware, as they provide the tools for hackers to create and distribute malware as well as the systems used to manage the networks of infected machines. The operation of the Blackhole Exploit Kit can be summarized as follows:
  1. The hacker licenses (rents) the Blackhole exploit kit and specifies various options to customize the kit.  
  2. The victim loads a compromised web page or opens a malicious link in a spammed email, or in this case the link received through Twitter.
  3. The compromised web page or malicious link sends the user to a Blackhole exploit kit server's landing page.
  4. At this point, the Blackhole exploit kit is installed and ready to scan the victim's machine for vulnerabilities.
The Blackhole Exploit Kit's settings allow hackers to choose a language for the interface (Russian or English). The interface also allows the hacker to change the name of the malicious payload file and its parameters to make it undetectable by anti-virus software. The exploits can also be encrypted with custom algorithms, making them even more difficult to analyze with anti-virus software.

The Blackhole exploit kit uses the Java OBE (Open Business Engine) toolkit to spread exploits and load the malicious executable onto the victim's machine. Once a victim clicks on the link, the victim's machine will download a Java file with a URL parameter. The URL will be concatenated with an HTTP GET parameter, which will be used in downloading other malicious files, also known as the payload.

The ultimate landing page contains obfuscated JavaScript that determines what is on the victim's computer and loads all exploits that the computer is vulnerable to, and sometimes a Java applet tag that loads a Java Trojan horse. If there is an exploit that is usable, the exploit loads and executes a payload on the victim's computer and informs the Blackhole exploit kit server which exploit was used to load the payload.
A screenshot of the kit is as follows:

Here is a screen shot of the statistics page:

Some vulnerabilities that have been used with the Black Hole exploit kit include:

CVE-2010-1885 HCP
CVE-2010-1423 Java argument injection vulnerability in the URI handler in Java NPAPI plugin
CVE-2010-0886 Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
CVE-2010-0840 Java trusted Methods Chaining Remote Code Execution Vulnerability
CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
CVE-2009-0927 Adobe Reader Collab GetIcon
CVE-2008-2992 Adobe Reader util.printf
CVE-2007-5659 Adobe Reader CollectEmailInfo
CVE-2006-0003 IE MDAC

Recently, Blackhole's authors added the XML Core Services vulnerability and also changed the JavaScript code that initiates the exploitation sequence so that it can dynamically generate new domains.

Defenses against the Blackhole exploit kit:
  1. The most obvious defense is not to click on links anywhere online (including emails, Twitter, Facebook, etc.).  
  2. Make sure your browser, browser plugins, and operating system are up to date, since many of the exploits target vulnerabilities in old versions of browsers and plugins, such as Adobe Flash, Adobe Reader, Firefox, Google Chrome, Internet Explorer, Java, and Safari.
  3. Run a security utility with a quality antivirus and perhaps even a host-based intrusion prevention system (HIPS). Since the exploit code is polymorphic, anti-virus software (which is based on malware signatures) will lag behind new versions of the Blackhole exploit kit, while changing the algorithm used to load malware onto victims' computers takes more effort from the criminal or criminals who are developing this exploit kit.
We recently discussed this with Gray Hall, a reporter with NBC 12 in Richmond, VA.

This Information Security post has been presented by AVM Technology, LLC, a leading Computer Forensics, E-Discovery, and Computer Security consulting company with offices in Richmond, VA and San Francisco, CA and serving clients throughout the United States. AVM Technology can be reached at (804) 332-5752.
