A new Twitter worm is spreading fast, using the “goo.gl” URL shortening service to distribute malicious links.
Our users are protected from this worm, and all the URLs are being blacklisted in our products.
Here are some of the technical details:
These “goo.gl” links redirect users to various domains hosting an “m28sx.html” page:
This IP address then performs the final redirect, which leads to the Fake AV website:
Once you are on this website, you get a warning that your machine is running suspicious applications, and you are encouraged to scan it:
Obfuscation techniques are very common for malicious web sites. Here is a quick look into the one used by the Rogue AV web site.
While looking at the obfuscation, I found that it consists of two steps:
Both the class and the method use random names. The “camunqjr” method takes a BASE64-decoded parameter.
If we investigate the class, we end up right inside the RSA algorithm:
Anyone familiar with cryptography will recognize the RSA algorithm here: a function taking three parameters, C, D and N, and applying the “powmod” operator to them.
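To reproduce the two decoding steps an analyst would otherwise do by hand (BASE64 first, then powmod per block), here is an added Python example; it is not code from the original post or from the Rogue AV page. The modulus, exponents, block sizes and the sample payload are constructed stand-ins, since the real values are not reproduced here.

```python
import base64

# Constructed toy RSA parameters (assumption: the real script's D and N are not
# reproduced here; a small modulus keeps the arithmetic easy to follow).
P, Q = 1009, 1013
N = P * Q                            # the "N" carried in the script
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # the "D" carried in the script, in the clear

PLAIN_BLOCK = (N.bit_length() - 1) // 8    # plaintext bytes per block (block value stays < N)
CIPHER_BLOCK = (N.bit_length() + 7) // 8   # bytes needed to hold one residue mod N


def deobfuscate(b64_param: str, d: int, n: int) -> bytes:
    """Step 1: BASE64-decode the method's parameter.
    Step 2: run each block through powmod(C, D, N), as the 'camunqjr'-style method does."""
    blob = base64.b64decode(b64_param)
    out = bytearray()
    for i in range(0, len(blob), CIPHER_BLOCK):
        c = int.from_bytes(blob[i:i + CIPHER_BLOCK], "big")
        m = pow(c, d, n)                           # the powmod step
        out += m.to_bytes(PLAIN_BLOCK, "big")
    return bytes(out).rstrip(b"\0")                # drop the zero padding added below


def obfuscate(payload: bytes, e: int, n: int) -> str:
    """Constructed fixture only: builds the kind of parameter the decoder expects."""
    payload += b"\0" * ((-len(payload)) % PLAIN_BLOCK)
    blob = bytearray()
    for i in range(0, len(payload), PLAIN_BLOCK):
        m = int.from_bytes(payload[i:i + PLAIN_BLOCK], "big")
        blob += pow(m, e, n).to_bytes(CIPHER_BLOCK, "big")
    return base64.b64encode(bytes(blob)).decode("ascii")


# Constructed sample standing in for the page's hidden script.
SAMPLE = b"alert('Suspicious applications found. Scan now.');"
SAMPLE_PARAM = obfuscate(SAMPLE, E, N)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_PARAM, D, N).decode())
```

With the real script's D and N substituted in, the same decoder recovers the page content that the obfuscation layer hides from a plain view of the source.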
Bear in mind that clicking on random links may lead to severe infection of your machine.