New Twitter worm redirects to Fake AV

A new Twitter worm is spreading fast, using the “goo.gl” URL shortening service to distribute malicious links.

The malicious links go through a number of redirections which are described below. The redirection chain may push Twitter users to a fake anti-virus (scareware) serving the “Security Shield” Rogue AV. The webpage is using exactly the same obfuscation techniques as a previous version (Security Tool), which is an implementation of RSA cryptography in JavaScript to obfuscate the page code.

Our users are protected from this worm and all the URLS are being blacklisted in our products.

Here are some of the technical details:

1. Redirection Chains

   Those “goo.gl” links are redirecting users to different domains with a “m28sx.html” page:

   

   This html page will then redirects users to a static domain with a Ukrainian top level domain:
   

   

   As if that was not enough, this domain redirects the user to another IP address which is related to Fake Anti Virus distribution:

   

   This IP address will then do its final redirection job, which leads to the Fake AV website:

   

2. The Rogue AV site

   Once you are on this website, you will get warning that your machine is running suspicious applications and you are encouraged to scan it:

   

   After approval, the scanning begins:

   

   The user is invited to remove all the threats from their computer, and will download a fake Anti Virus application called “Security Shield”:

   

   The graphical user interface gets translated to the language of the OS the Rogue AV is running on. During my test, a French version of Windows XP was used, hence the French translation of the interface.
3. Rogue AV web site uses RSA for code obfuscation

   Obfuscation techniques are very common for malicious web sites. Here is a quick look into the one used by the Rogue AV web site.

   While looking at the obfuscation, I found out that it is comprised of two steps:

   • Base64 Decode (trivial)
   • RSA with a very small Modulus
   Here is chunk of code from the obfuscated page:

   

   Both the Class and the Method used are using random names. The “camunqjr” method is taking a BASE64 decoded parameter.

   If we investigate the class, we end up right inside the RSA algorithm:

   

   Anyone familiar with cryptography will recognize the RSA algorithm here. We have a function taking 3 parameters: C, D and N which is using the “powmod” operator.

They are using RSA to decrypt the JavaScript locally

• ‘c’ is known as the cyphertext
• ‘d’ is known as the secret exponent or decryption exponent.
• ‘n’ is known as the modulus

In order to get ‘m’ (Message) , the decryption goes like this: m = c^d mod n

RSA is used as an obfuscation technique more frequently than any other, since the private key is available in the JavaScript page. The modulus “N” seems to be 26 bits in length most of the time, which is ridiculously small.

Here is a screenshot of the parameters taken from the JavaScript:

Bear in mind that clicking on random links may lead to severe infection of your machine.