Now, in China, twitter is the hottest stuff, sharing information, finding something interesting newly happened. In China the most popular twitter is weibo.com belongs to sina, and has nearly 150 millions of registered users. This is a huge number even in China and increasing day to day, so the malware writer will never miss this chance. And now we found one.
Everyday, we need to check twitter time to time, it’s a really boring if the twitter client ask us to input the name and password every time, so many twitter will remember your password automatically, at least, weibo.com will do this for you without any reminding or user’s permission. So if you ever logon weibo.com on this computer, next time, even if you only input weibo.com in your browser, it will redirect to your main account page automatically. Definitely, this is so convenience, but it also give some chance to malware to do some bad stuff with your account.
Back to this malware, if your computer is infected by this kind of malware, you will be the fan of the user malware specified. The following snapshot shows that my test twitter (weibo.com) account add fans automatically. Maybe this guy has some relationship with this malware.
Please forgive me weibo.com has only Chinese version. The above snapshot shows the friends followed by me. We can see that, this bad guy have more then 3 thousand fans. May be many of them already infected by this kind malware.
The malware is using the following method to achieve its goal:
It will send the above http request to “http://t.sina.com.cn/attention/aj_addfollow.php”, uid means the friend you want to follow, and the fromuid stands for your id. Until now, this way still works well.
The way malware used is not complicated. But this trick can do so many bad things. Every twitter user follow so many friends. Sometimes, they even don’t know who are their actual friends, and they think friends they followed are trustful, so if this guy send a fake information, they can easily be cheated. Bad guys use this tool to increase their fans to a large number and they can get so many benefits.
This malware will also connect to the weibo.com/atme, using InternetReadFile to get the information of this page. And then parsing the page to find following tags:”attention” and “myfans”
The tag “attention” related to the users you followed on your twitter. And “myfans” related to the friends focus on you. So via these two tags, the malware can get a list of friends related to you. On the other hand, because twitter wants to share information quickly and find the people you interested in more easily, you can see you friends’ fans and the people your friends follow. So the malware can easily get the same list from your friend. It seems like a recursion and a disaster if the malware continue do this. But fortunately, this malware doesn’t finish this part, but we will see. And I also read sdk about weibo, many operations can be successfully implemented without user’s logon authority. It’s really dangerous.
This kind of malware is newly found in China. Comparing to other long history malware, it is still in its childhood period, But as the time goes by, we can expect more of this kind of malware.
Frank Zheng
Leave a reply
