There have been a couple of rather nasty spam runs taking place on Twitter over the last few days. Here’s an example of a rogue URL being spread at the weekend:
The link in question, fuuut(dot)tk, was being sent by both compromised accounts and spambots. Anybody visiting the link would find themselves redirected to detectoptimizersupervision(dot)info where a piece of Fake AV was just dying to introduce itself:
The file above had a detection rate on VirusTotal of 3/42, and we caught it as Trojan.Win32.Fakeav.tri (v). It is a member of the FakeVimes family, and the sites involved in this one would be replaced every three to six hours.
Today things continue to take a turn for the worse, with all-new spam links spreading on Twitter, which we have of course reported. Example:
The links being spread at the moment are particularly nasty, using the Blackhole exploit kit to drop Winwebsec (example here) on the target PC, then redirect the end-user to another Fake AV site where a “24 hour rogue” (so called because the files are changed every 24 hours or so) lies in wait – Windows Antivirus Patch being the malicious file in question.
Hopefully Twitter will have these rogue links taken down quickly – at time of writing, they’re still in circulation so please be careful of any messages that look out of place on a Twitter feed linking to (dot)tk URLs.
Christopher Boyd (thanks to Matthew, Patrick and Jovi for additional research)