Malware Developers say Tweet This

Wednesday, March 14, 2012 @ 02:03 PM gHale

Use of social media continues to grow in the manufacturing automation arena along with the use of mobile devices.

That combination has malware developers salivating as security researchers from Symantec are seeing cyber criminals increasingly using Twitter as a way of luring mobile device users to their malware.


Tweets are becoming a popular way for cyber-criminals to bring people to the Android.Opfake malware, said Symantec’s Joji Hamada.

“Users can potentially end up infecting their mobile devices with Android.Opfake by searching for tweets on subjects such as software, mobile devices, pornography or even dieting topics, to name a few,” Hamada wrote on the Symantec blog. “Android.Opfake is not hosted on the Android Market (Play Store) and these tweets lead to malicious Websites developed for the Opfake application.”

These tweets usually carry short URLs and are primarily in Russian, with some English mixed in, Hamada said. Once users reach the site, they are prompted to install the malicious code. While those traits are common to most cyber criminals using Twitter, their individual tactics vary, making it difficult to tell which tweets are malicious short of actually clicking on the link.

In the blog post, Hamada gives several examples of malicious tweets.

He also outlines other characteristics of malicious tweets, though he cautions that they vary widely. Some are easy to spot because similar tweets go out constantly from accounts with no followers, Hamada said. Others tweet less often and do have followers. Some profiles carry content while others are empty; some account names look strange while others are quite ordinary.

Symantec is finding malicious tweeting operations running continuously, some of them in parallel. Hamada pointed to one operation that ran for eight hours and included more than 130,000 tweets from about 100 accounts before it stopped. Another ran at the same time and sent out more than 1,500 tweets from more than 50 accounts in about an hour.
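A defender-side triage of the traits Hamada lists (bursts of near-identical tweets carrying short URLs from accounts with no followers), written as an added example that is not part of the Symantec post or this article; the thresholds, the shortener list and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shortener hosts are an assumption for this example; a real deployment would maintain its own list.
SHORT_URL = re.compile(r"https?://(?:bit\.ly|goo\.gl|tinyurl\.com)/\S+")
# Thresholds are assumptions chosen for the example, not figures from Symantec.
RATE_PER_HOUR = 20   # tweets per account per hour that count as a burst
DUP_RATIO = 0.8      # share of an account's tweets that repeat one identical text


def account_features(tweets):
    """Aggregate per-account tweet rate, duplicate-text ratio, short-URL share and follower count."""
    by_acct = defaultdict(list)
    for t in tweets:
        by_acct[t["account"]].append(t)
    feats = {}
    for acct, rows in by_acct.items():
        times = sorted(datetime.fromisoformat(r["ts"]) for r in rows)
        hours = max((times[-1] - times[0]).total_seconds() / 3600, 1 / 60)  # floor the window at one minute
        texts = [r["text"] for r in rows]
        most_common = max(texts.count(x) for x in set(texts))
        feats[acct] = {
            "rate": len(rows) / hours,
            "dup_ratio": most_common / len(rows),
            "short_url_share": sum(bool(SHORT_URL.search(x)) for x in texts) / len(rows),
            "followers": rows[0]["followers"],
        }
    return feats


def flag_accounts(tweets):
    """Return accounts showing at least three of the four traits the article describes, with the reasons."""
    flagged = {}
    for acct, f in account_features(tweets).items():
        reasons = []
        if f["rate"] >= RATE_PER_HOUR:
            reasons.append("burst")
        if f["dup_ratio"] >= DUP_RATIO:
            reasons.append("repeated text")
        if f["short_url_share"] == 1.0:
            reasons.append("all short URLs")
        if f["followers"] == 0:
            reasons.append("no followers")
        if len(reasons) >= 3:
            flagged[acct] = reasons
    return flagged


def constructed_sample():
    """Constructed sample records (not real tweets): one bursting account and one ordinary account."""
    burst = [{"account": "burst01", "followers": 0, "ts": f"2012-03-14T10:{m:02d}:00",
              "text": "скачать программу бесплатно http://bit.ly/example1"} for m in range(0, 60, 2)]
    normal = [{"account": "alice", "followers": 240, "ts": "2012-03-14T10:05:00", "text": "Reading the plant report today"},
              {"account": "alice", "followers": 240, "ts": "2012-03-14T14:30:00", "text": "Lunch was good http://bit.ly/example2"}]
    return burst + normal
```

The article itself notes that these traits vary between campaigns, so a result like this is a signal for review rather than a verdict.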

Hamada said those cyber-criminals running malicious tweeting operations are now following a similar “cat-and-mouse game” that occurs with traditional malware. That is, security vendors update detections for malware, and the malware developers then update their malware.

“Cyber-criminals mix their game around, thereby making it difficult to recognize all bad tweets and most of all: they are persistent,” he wrote.

“Smartphones have allowed users to access the Internet anytime, anywhere and perform tasks that were only possible using computers,” Hamada said. “While the convenience provides so many great advantages, cyber criminals are also taking this opportunity to accomplish their bad deeds. So be wary when using mobile devices. For tweets in particular, be selective when deciding which links in the tweets to click on. You may want to only trust tweets you are familiar with. Tweets are similar to email. You wouldn’t open an email from an unknown sender and then click on the included link, would you? This usually means bad news and the same goes for tweets.”