A new Twitter worm is spreading fast, using the “goo.gl” URL shortening service to distribute malicious links.
The malicious links go through a number of redirections which are described below. The redirection chain may push Twitter users to a fake anti-virus (scareware) serving the “Security Shield” Rogue AV.
Our users are protected from this worm and all the URLS are being blacklisted in our products.
Here are some of the technical details:
- Redirection Chains
Those “goo.gl” links are redirecting users to different domains with a “m28sx.html” page:
This html page will then redirects users to a static domain with a Ukrainian top level domain:
As if that was not enough, this domain redirects the user to another IP address which is related to Fake Anti Virus distribution:
This IP address will then do its final redirection job, which leads to the Fake AV website:
- The Rogue AV site
Once you are on this website, you will get warning that your machine is running suspicious applications and you are encouraged to scan it:
After approval, the scanning begins:
The user is invited to remove all the threats from their computer, and will download a fake Anti Virus application called “Security Shield”:
The graphical user interface gets translated to the language of the OS the Rogue AV is running on. During my test, a French version of Windows XP was used, hence the French translation of the interface.
- Rogue AV web site uses RSA for code obfuscation
Obfuscation techniques are very common for malicious web sites. Here is a quick look into the one used by the Rogue AV web site.
While looking at the obfuscation, I found out that it is comprised of two steps:
- Base64 Decode (trivial)
- RSA with a very small Modulus
Here is chunk of code from the obfuscated page:
Both the Class and the Method used are using random names. The “camunqjr” method is taking a BASE64 decoded parameter.
If we investigate the class, we end up right inside the RSA algorithm:
Anyone familiar with cryptography will recognize the RSA algorithm here. We have a function taking 3 parameters: C, D and N which is using the “powmod” operator.
- ‘c’ is known as the cyphertext
- ‘d’ is known as the secret exponent or decryption exponent.
- ‘n’ is known as the modulus
In order to get ‘m’ (Message) , the decryption goes like this: m = cd mod n
Bear in mind that clicking on random links may lead to severe infection of your machine.