Infection Links target Orkut Users On Twitter

| | Comments (2)
Orkut has long been a popular target for hackers, and we've come across evidence of Orkut users being targeted via Twitter pages carrying infection links. Here is the page in question, the profile carrying three links that have been sent out to the 17 people following the profile (and also fired into the "all-users" timeline):

orktwit1.jpg
Click to Enlarge

As you can see, we've already clicked one of the links which requests one of the three executables linked to from the page (the messages themselves say things like "To download the album with photos from the profile directly from orkut click on the link below" and "Take a look at the pictures" in Portuguese, according to Google Translator!)

The pages linked to either try and get you to download an infection file straight away, or pretend you're installing a Flash update:

orktwit2.jpg
Click to Enlarge
orktwit3.jpg
Click to Enlarge

Once the files are run on the end-users PC, a variety of malicious files will be installed and various types of data theft may be attempted. For example, one of the EXEs will pop open the Orkut website in what is obviously an attempt to get you to fill in your user details:

orktwit5.jpg
Click to Enlarge

Of course, you need to sign into Orkut with your Google Account, so if you happen to see the Orkut website magically appear on your desktop prompting you to login, think twice about entering your login until you can ensure your PC is free of infection. "Luckily", you'll have a very large clue in the form of the following error messages constantly cycling on your desktop:

orktwit6.jpg
Click to Enlarge

Similarly, run one of the other files and you'll end up with this rather happy looking person appearing in your web browser:

orktwit4.jpg

Apparently "Malandro" means "trickster" in Portuguese -I don't know about you, but I would tend to suspect all is not well with my PC when something like that shows up unannounced! As with many Orkut themed / targeted attacks, the files being used are a collection of older attacks, with some pieces clearly being reused from this infection.

What's particularly interesting to me is the use of Twitter to push these Orkut attacks, and also the fact that the attackers have seemingly created the majority of the profiles 17 followers - presumably to make the infection link carrying profile seem more legitimate and part of a small group or community of friends.

orktwit7.jpg
Click to Enlarge

Most of them have no user image, random sounding names and (the dead giveaway) most of them are following each other, despite none of them seemingly sending out any messages since joining that would make people want to follow them in the first place. The small amount of messages sent from the profile would tend to suggest a trial run, perhaps - or maybe they have many accounts and are sending out only a few tweets at a time from each one to keep themselves under the radar.

In some ways, then, this is a refinement of the attack noted by Kaspersky here because they're targeting a specific group of users instead of taking the "Come and get it, everybody" approach. Obviously, just because you don't use Orkut doesn't mean you're safe from this - the URLs are entirely indescriminate with regards who clicks them and becomes infected, so if you see any profiles on Twitter that mention Orkut with hyperlinks that reference "Photo albums" or "galleries" (the oldest Orkut-targeted infection tactic in the book), steer well clear. For now, we've notified Twitter of this particular profile.

We detect this as Orkontron.

(Thanks to Senior Threat Researcher Chis Mannon for additional research).

2 Comments

This is rather old news - see story from Kaspersky Lab in August:

http://viruslist.com/en/weblog?weblogid=208187551

I'm confused, did you read all of the blog entry?

Because I link to the same article you mention in your comment...

"In some ways, then, this is a refinement of the attack noted by Kaspersky here:

http://viruslist.com/en/weblog?weblogid=208187551

because they're targeting a specific group of users instead of taking the "Come and get it, everybody" approach."

The attack Kaspersky found didn't target a specific group of people using a particular service, this one did - which was why we wrote about it.

Leave a comment

About this Entry

This page contains a single entry by Christopher Boyd published on September 8, 2008 5:03 PM.

VBulletin Spam Tool In Circulation was the previous entry in this blog.

Twitter Malware Profile D.O.A. is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.