Almost a full year has passed since we discovered the first trending topic attack on Twitter. This time the attack came back in the same fashion, but it was much less aggressive than the prior one thanks to swift action by the Twitter security team.
In this latest attack, the tweets were paired with trending topics such as Justin Bieber, Oil Spill, and Official Twitter App. The tweets all contained the text “haha this is the funniest video ive EVER SEEN!” followed by a link to the malware campaign.
In the following image, you can see the results of a search taken shortly after the attack started. As you can see, the accounts were communicating via the Twitter API, so it’s safe to assume that the cyber criminals behind the attack used some sort of script to make it all happen.
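The pattern described above (the same message posted through the API by several accounts, each paired with a different trending topic and a link) can be surfaced with simple template clustering. This is an added example, not code from the original post; the `user`/`source`/`text` fields, the `"API"` source label, the thresholds and the sample tweets are constructed assumptions.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"(?:https?|hxxps?)://\S+", re.I)

def template(text, trending):
    """Reduce a tweet to its reusable core: drop URLs, trending topics, punctuation."""
    t = URL_RE.sub(" ", text.lower())
    for topic in trending:
        t = t.replace(topic.lower(), " ")
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", t).split())

def find_campaigns(tweets, trending, min_accounts=3, min_topics=2):
    """Flag templates reused by several API-posting accounts across several topics."""
    groups = defaultdict(list)
    for tw in tweets:
        # Only link-bearing tweets posted by a script (assumed source label "API").
        if tw["source"] == "API" and URL_RE.search(tw["text"]):
            groups[template(tw["text"], trending)].append(tw)
    hits = []
    for tpl, members in groups.items():
        accounts = {m["user"] for m in members}
        topics = {t for m in members for t in trending
                  if t.lower() in m["text"].lower()}
        if tpl and len(accounts) >= min_accounts and len(topics) >= min_topics:
            hits.append({"template": tpl,
                         "accounts": sorted(accounts),
                         "topics": sorted(topics),
                         "urls": sorted(u for m in members
                                        for u in URL_RE.findall(m["text"]))})
    return hits

# Constructed sample data; the .example hosts are placeholders.
TRENDING = ["Justin Bieber", "Oil Spill", "Official Twitter App"]
MSG = "haha this is the funniest video ive EVER SEEN!"
SAMPLE = [
    {"user": "acct_a", "source": "API", "text": f"Justin Bieber {MSG} http://short.example/a1"},
    {"user": "acct_b", "source": "API", "text": f"Oil Spill {MSG} http://short.example/b2"},
    {"user": "acct_c", "source": "API", "text": f"Official Twitter App {MSG} http://short.example/c3"},
    {"user": "fan_1", "source": "web", "text": "Justin Bieber tickets on sale http://tickets.example/jb"},
    {"user": "news_1", "source": "API", "text": "Oil Spill update: cleanup continues http://news.example/os"},
]

if __name__ == "__main__":
    for hit in find_campaigns(SAMPLE, TRENDING):
        print(hit)
```

The extracted `urls` list gives responders the set of links to block or submit for analysis once a template is flagged.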

Clicking any of the URLs starts a redirection process to a website where a malicious file is downloaded using the technique known as a “drive-by download”, which runs the file automatically on the affected computer without the user’s awareness.
The malware site used for the attack is hxxp://pc-tv.tv/stickam/index2.html
In the following image, you can see that the page appears to be loading a Java plug-in that is supposedly necessary to view the video:

However, if we look at the source code of this website, we can see that it is actually calling an EXE file, which belongs to the malware. It has been detected as W32/Lolbot.B.worm.
The code is the following:

