Twitter Worm Spreads Antivirus Malware Via Goo.gl URLs

A Twitter worm is using the widely popular micro-blogging site to spread antivirus malware.

The social networking powerhouse said it is working to thwart the spread of the malware, which is permeating through malicious links using the goo.gl URL shortening service. Twitter and security watchers said those malicious links are directing users to domains with an "m28sx.html" page. From there, that page redirects users to another domain that eventually points clickers to an IP address that is pushing fake antivirus software. According to a Kaspersky Lab researcher, the series of redirects is similar to a prior Twitter worm that spread antivirus malware.

"The redirection chain may push Twitter users to a fake anti-virus (scareware) serving the 'Security Shield' Rogue AV. The Web page is using exactly the same obfuscation techniques as a previous version (Security Tool), which is an implementation of RSA cryptography in JavaScript to obfuscate the page code," Kaspersky Labe Expert Nicolas Brulez wrote in a blog post highlighting the Twitter worm.

Del Harvey, Twitter's Trust and Safety lead Tweeted: "Did you follow a goo.gl link that led to a page telling you to install "Security Shield" Rogue AV? That's malware. Don't install." Later, Harvey added: "We're working to remove the malware links and reset passwords on compromised accounts."

Kaspersky's Brulez said the new Twitter worm works like this: "Those 'goo.gl' links are redirecting users to different domains with a "m28sx.html" page. This html page will then redirects users to a static domain with a Ukrainian top level domain. As if that was not enough, this domain redirects the user to another IP address which is related to fake antivirus distribution. This IP address will then do its final redirection job, which leads to the fake AV Web site. Once you are on this Web site, you will get warning that your machine is running suspicious applications and you are encouraged to scan it. After approval, the scanning begins. The user is invited to remove all the threats from their computer, and will download a fake antivirus application called 'Security Shield.'"

Sophos Senior Technology Consultant Graham Cluley wrote in a blog post that the Twitter worm is affecting thousands of users and that affected accounts are Tweeting out the goo.gl links that lead to the antivirus malware without user permission. Cluley said that most affected Twitter users are "oblivious" to being infected by the worm.

Cluley added that it's uncertain how users discovered they were infected by the Twitter worm, but said it serves as a reminder to change passwords frequently.

"What isn't yet clear is how the Twitter users found their accounts compromised in this way," Cluley wrote. "The natural suspicion would be that their usernames and passwords have been stolen. It certainly would be a sensible precaution for users who have found their Twitter accounts unexpectedly posting goo.gl links to change their passwords immediately."

The new Twitter worm comes on the heels of a recent Sophos Security Threat Report highlighting the security threats posed by social networking sites like Twitter and Facebook.

According to data gathered for the Sophos Security Threat Report, about 40 percent of the 1,200 social networking users polled have been sent malware, such as worms, via the social networking sites they frequent. That's an increase of about 90 percent since the summer of 2009. Additionally, two thirds of users queried, said they have been spammed via a social networking site, which is more than double the proportion of social networking users just two years earlier. And, Sophos found, 43 percent of respondents said they have been on the receiving end of phishing attacks, which is more than double the number from 2009.