07 Sep Twitter XSS in the wild
Over the weekend, a lot of Facebook users started receiving malicious chat messages from their friends that looked like this:
“Father crashes and dies because of THIS message posted on his daughters profile wall!” - followed by a shortened URL (using the bit.ly URL shortening service). The missing apostrophe in "daughters" (it should read "daughter's profile wall") could be a clue that the message is not genuine, or at least that the author is not a native English speaker, but let's take a look at what would happen to a user who falls for this social engineering trick.
A new Twitter XSS exploit was identified in the wild as it started to be used by cybercriminals overnight.
But how many people clicked the link? The bit.ly statistics for one of the malicious links are more than worrying, showing an alarming number: more than 100,000 clicks.
All clues point to Brazil as the originating country for this attack. First, the two domain names used to collect the stolen cookies are registered under Brazilian names. More than that, one of them is actually also hosted in Brazil. Last, but not least, just take a look at the tweet used to distribute this malicious payload:
"Pe Lanza da banda Restart sofre acidente tragico" - it's a short tweet in Portuguese saying that Pe Lanza of the Brazilian pop band Restart has suffered a "tragic accident". I'd say there's not much doubt about the origins of this attack.
We've added detection for the malicious scripts as Exploit.JS.Twetti.a and also made sure the URLs used in this attack are blacklisted. We are currently working on taking down the malicious URLs and minimizing the damage as much as possible. Twitter along with other significant industry peers have of course been notified.
UPDATE: Twitter has confirmed the vulnerability is fixed now.
While I was reading the Wired article on how Albert Gonzalez, the TJX hacker who caused $171.5 million in losses, was sentenced to 20 years in prison, I came across an interesting black SEO campaign that distributes fake AVs through Google.
Here's what the Google SERP looked like after my innocent search for this hot topic:
As you can see, some odd-looking links are among the first results. And those links appeared in the Google results page very recently - within the last hour, to be more specific. In fact, the link that showed up just "9 minutes ago" is the second result in the Google ranking, right after the Wired article. Makes you think how hard the cybercriminals are working to bypass Google's algorithms, eh?
As I was saying in yesterday's blog post, we were expecting the number of Koobface C&C servers to start growing sometime this week:
"Cybercriminals don't want the number of C&C servers to drop too much, as that would mean losing their control over the botnet. So, if the earlier strategy of the Koobface gang is anything to go by, we should be seeing new servers being added to control the botnet soon, most probably this week."
And, guess what? Yesterday evening the Koobface gang started adding new
The total number of active Koobface C&C servers went from a low of 65 yesterday to over 200 at the time of writing – 225, to be precise. This is the most Koobface C&C servers we've ever seen in a 24-hour period, and we keep discovering new ones.
We've already started contacting the owners of the compromised websites to get the C&C servers taken down and cleaned up as quickly as possible.
Two weeks ago we recorded a surge in Koobface, the highly prolific worm infecting social networking sites. It targets sites such as Facebook and Twitter and uses compromised legitimate websites as proxies for its main command and control server.
From the beginning of March the live Koobface C&C servers, which are used to send out commands and updates to all the computers infected by the worm, were shut down or cleaned on average three times per day.
The number of C&C servers dropped steadily from 107 on February 25, to as low as 71 on March 8. Then, in just 48 hours, the number doubled. As you can see in the graph, 10 March was the peak, with 142 active Koobface C&C servers. After that, the number started to drop constantly. We witnessed an average of 5 servers being taken down every day.
Right now, the number is just below 70, the lowest it has been in over a month.
Cybercriminals don't want the number of C&C servers to drop too much, as that would mean losing their control over the botnet. So, if the earlier strategy of the Koobface gang is anything to go by, we should be seeing new servers being added to control the botnet soon, most probably this week.
We will continue to monitor the situation and let you know if there are any important developments.
Kaspersky Lab would like to provide a few tips for users:
Kaspersky Lab users running any of the Company’s current anti-malware products are fully protected from all known variants of Koobface.
Greetings from Geneva, Switzerland! I am here this week for the Virus Bulletin 2009 conference.
Virus Bulletin started out in 1989 as a simple magazine dedicated to preventing computer viruses. It quickly became the leading specialist publication in the field of viruses and related malware. The inaugural VB conference took place in 1991, and its objectives are to present factual information about computer viruses, to demonstrate defensive procedures, to discuss probable future virus developments and countermeasures, and to attempt to harmonize research efforts. Virus Bulletin is the main event where the whole anti-virus industry gets together.
Kaspersky Lab is represented very well here at VB2009, with 25 of my colleagues from around the world joining the conference. We have 5 presentations here, on topics ranging from Web 2.0 threats and scanning Twitter for malicious URLs to Brazilian banking Trojans and Russian SMS fraud.
You can find the exact abstracts for our papers and the full conference programme here on the VB website.
My colleagues from Threatpost are covering the whole event live on the VB Conference dedicated blog. And, if you are a Twitter addict, the hashtag for this conference is #vb2009. Enjoy!
The URL which Koobface was spreading from (see this post for an overview) has now been brought down so attacks are blocked.
As the attack described above was reaching peak activity, Twitter went offline.
The guys at Twitter are as yet unsure of the cause of the problem (http://status.twitter.com/post/157160617/site-is-down).
Most likely the Koobface attack and Twitter going down at the same time is just a coincidence - but hey, there's a good part to this story too: at least we're not seeing new malicious tweets anymore.
UPDATE: It seems Twitter has changed its IP address during the downtime we're currently seeing. The server responds to pings, but not to HTTP requests. Signs of a DDoS attack?
UPDATE 2: Twitter has confirmed it is "fighting against" a denial-of-service attack.
Once again, there's a new wave of Koobface.
But this time, the tactics have changed. There's a new twist to the social engineering, with links from infected messages leading to a very well designed Facebook lookalike page (far more convincing than the previous YouTube page).
And Koobface is now sending unique tweets. Messages sent in previous attacks were all the same:
"My home video :) [URL]"
Now there's a random component being added, with strings like "HA-HA-HA!!", "W.O.W.", "WOW", "L.O.L.", "LOL", ";)" or "OMFG!!!" at the end of each tweet, so the malicious tweets look like this:
They are also adding a random component to the Koobface landing page URL, so it gets shortened to a different bit.ly URL each time (see my post about the dangers of short URLs), making it harder for Twitter to filter and delete infected messages.
e.g. http://u*******.se/pub1icm0vies/?[RANDOM] -> http://bit.ly/[RANDOM]
This week everyone's been talking about how Twitter started to use the Google Safe Browsing API to block tweets containing malicious URLs. It is definitely going to stop some attacks, but as we're seeing with the current attack, it won't eradicate the problem completely. It's clearly a step forward, but one swallow doesn't make a summer.
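The two evasion tricks above (a random trailer on the lure text and a fresh bit.ly link for every tweet) defeat any filter that matches whole tweets or whole short URLs. The added example below, which is not code from the original post or from Kaspersky Lab, shows the shape of a filter that survives both: it expands the short link, canonicalizes the landing page to host + path so the random query component drops out, and matches the lure text with the trailer treated as optional. The short links, the hosts in the expansion table and the blocklist entry are all constructed for the example; a real filter would follow the shortener's redirect over HTTP (or use the shortener's expand API) instead of a dictionary lookup.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for following the shortener's redirect. In a real filter this is
# an HTTP request to the short link, reading the Location header. Hypothetical values.
SHORT_TO_LONG = {
    "http://bit.ly/a1b2c3": "http://u-example.se/pub1icm0vies/?9f3a1c",
    "http://bit.ly/d4e5f6": "http://u-example.se/pub1icm0vies/?27bb0e",
    "http://bit.ly/g7h8i9": "http://www.example.org/news/2009/07/",
}

# Blocklist keyed on host + path only. Because the random component lives in the query
# string, one entry covers every shortened URL generated for this landing page.
BLOCKLIST = {"u-example.se/pub1icm0vies/"}

# Known lure text, followed by one of the observed random trailers (optional).
TRAILERS = ["HA-HA-HA!!", "W.O.W.", "WOW", "L.O.L.", "LOL", ";)", "OMFG!!!"]
LURE_RE = re.compile(
    r"^My home video :\)\s+(https?://\S+)"
    r"(?:\s+(?:" + "|".join(map(re.escape, TRAILERS)) + r"))?\s*$"
)
URL_RE = re.compile(r"https?://\S+")


def expand(url: str) -> str:
    """Follow the shortener; links not in the table are treated as already expanded."""
    return SHORT_TO_LONG.get(url, url)


def canonical(url: str) -> str:
    """Reduce a landing URL to lowercase host + path, dropping query and fragment."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    return host + (parts.path or "/")


def classify(tweet: str) -> dict:
    """Return what the filter learns about one tweet: lure match, landing page, verdict."""
    m = URL_RE.search(tweet)
    short = m.group(0) if m else None
    landing = canonical(expand(short)) if short else None
    return {
        "lure_text": bool(LURE_RE.match(tweet)),
        "short_url": short,
        "landing": landing,
        "blocked": landing is not None and any(landing.startswith(b) for b in BLOCKLIST),
    }


if __name__ == "__main__":
    # Constructed sample tweets: two Koobface-style lures with different short links and
    # trailers, and one harmless tweet.
    for t in [
        "My home video :) http://bit.ly/a1b2c3 LOL",
        "My home video :) http://bit.ly/d4e5f6 W.O.W.",
        "Conference programme is up: http://bit.ly/g7h8i9",
    ]:
        print(classify(t))
```

Both lure tweets resolve to the same canonical landing page and are blocked even though their short URLs and trailers differ; the harmless tweet is neither a lure match nor blocked. Matching on the expanded, canonicalized landing page rather than on the short link is also what makes a Safe Browsing style lookup useful here, since the blocklist entry stays stable while the attacker's short links do not.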
We detect the malicious binary as Net-Worm.Win32.Koobface.d and the script that is doing the redirect on the landing page as Trojan-Clicker.HTML.IFrame.ob.
Currently we’ve identified almost 100 unique IP addresses hosting Koobface. We'll keep you posted!
UPDATE: We're working on getting the main Koobface page taken down.
In June, we saw an explosive rise in the number of Koobface modifications - the number of variants we detected jumped from 324 at the end of May to nearly 1000 by the end of June. And this weekend brought another flood, bringing us up to 1049 at the time of writing.
As we've said before, Koobface spreads via major social networking sites like Facebook and MySpace. It's now spreading via Twitter as well.
Normally the increase in the number of malicious programs slows a bit over the summer with lots of people (virus writers, cybercriminals etc.) taking a bit of time off. But in the case of Koobface, the opposite has happened. This is probably because cybercriminals have realized that spreading malware via social networking sites is very effective.
June 2009 is an important milestone in the history of social network malware; the activity we've seen this month far exceeds anything we've previously seen. With everyone who's anyone now having a Facebook page, Twitter account or similar, the pool of potential victims is growing day by day - just take a look at the Alexa stats for Facebook. So naturally, cybercriminals are going to be targeting these sites more and more often.