Tuesday, July 21, 2009

Twitter search leads to Naked Newscaster malware (Erin Andrews)

Some folks saw this ABC News story yesterday, and sent me surprised questions that I hadn't blogged about it, so, here is the after-the-fact blog about a situation that is still continuing.



(click for ABC News story)

The story actually goes much bigger than that. Sure there are lots of people who have "erin andrews peephole photos" links on Twitter, and almost all of them are pointing to a virus, as we mentioned in the ABC News story.

As we've discussed several times in the past, this is another case of shortened URLs taking you to unknown pages, and Twitter training us all to blindly follow the link. Many of the links we've checked out all go to the same place. So, for example:

http://bit.ly/uUplf
http://bit.ly/zgkG1
http://bit.ly/31YLP9
http://bit.ly/105NfM
http://bit.ly/Wjtxe

all point to the same place . . .



Attempting to play the video there actually redirects you to a malware page where you will grab a link to the website lyy-exe.com and download a piece of malware called onlinemovies.40014.exe.

When we first scanned the malware yesterday morning, VirusTotal indicated that it was detected by four of 41 anti-virus products. By last night that was up to 10 of 41, and this morning when we rescanned (July 21st) the detection rate was XXXXXXXXXX

The rest of the story comes out as we look at the other posts made by some of the people who were posting links to the malware. We decided to grab a few that have posted in the past two hours, and see what else they were posting. Here's our sample group:

estefanikime, corinnenamlo, kaylahjofa, haydenluyan, sandynifa, stacilaqu, margaritloomm, beverlykineo, jazminekayam, stasianika, patsykasex, giselleheni, nadinebeeca, sidneydame, margaretfaxe, marniexuqu, unanilu, shanicebibee, trudypoohm.

It looks like the malware may actually be creating its own Twitter accounts, as these accounts for the most part have no followers, and are following no one. They seem to be depending on the fact that people actually "search" twitter, and their results will be found among the other results. This really points out the fact that Twitter needs to do something more than just their current LIFO (Last In First Out) search. If you search for a term, and I am the last person to post something with that term, you will see MY post, even if nobody follows me at all, even if I am an account that was created thirty minutes ago. Wouldn't it make more sense to see what the people are saying who are at least being followed by SOMEONE?

estefanikime has 0 followers and follows no one. Her recent news stories point to the sites:
legalmusic4all.com (an illegal music site hosted on NetDirekt in Germany)
fusionstories.com (an entertainment blog hosted on NetDirekt in Germany)

and several shortened URLs which use the subject lines:
watch erin andrews video => thecooltube.com
spinnerette => thecooltube.com
2009 espy award winners => thecooltube.com
tour de france stage 16 => thecooltube.com
t.o. show => thecooltube.com
blue spark => thecooltube.com
bachelorette men tell all => thecooltube.com

corinnenamlo has 4 followers but is following no one.
Her shortened URLs use the subject lines:
andrea mcnulty
tokyo rose => thecooltube.com
charleston high school mississippi => thecooltube.com
chuck yeager => thecooltube.com
throw it in the bag remix lyrics => thecooltube.com
jesse holley => thecooltube.com
inhaling duster => thecooltube.com
neil armstrong death => thecooltube.com
chris brown apology => thecooltube.com

Wait! I believe I'm detecting a pattern!

Other links being used included:
arturo gatti funeral
mullah krekar
aaron brink wife vanessa
tna victory road 2009 results
nomura s jellyfish
verizon wireless amphitheater irvine
lee westwood golfer
hgsi stock
labor pains lindsay lohan

All point to the malware site, "thecooltube.com".

When ABC News called yesterday, I was on my way to teach a class for the University of Alabama at Birmingham (UAB)'s Computer Forensics program. The course is called "Investigating Online Crime", and is a mix of Computer & Information Science and Criminal Justice students who are interested in careers in cybercrime investigations. I had been looking for an example for them to work on digging into a case using a variety of online tools, and Maltego from Paterva. I did a quick change-out on the case we would look at, and asked them to follow their leads on this one instead. They certainly found some interesting things!

With ten minutes to go before class, I also asked one of my graduate students, Malware Analyst Brian Tanner, to run a quick dynamic analysis of the malware in the lab. He pulled out some IP addresses of interest for the malware and some of the students included those IP addresses and domain names in their Maltego charts as well. Here are some of the sites that the malware connects to immediately after launching:

myart-gallery.com - 64.27.5.202
isyouimageshere.com - 66.197.155.150
imgesinstudioonline.com - 69.10.35.251
yourimagesstudio.com - 200.35.151.36
imagesrepository.com - 216.240.157.91
delphiner.com - 94.75.207.219
searchzoeken.com - 216.240.149.156

After this basic setup, the malware infected box goes nuts doing advertisement clickfraud, jumping back and forth between a variety of search sites, and following the resulting links, such as "homesearchnova.com" and "top100search.com" and "www-news-today.com" and "ad.reduxmedia.com" and "ad.yieldmanager.com" and "abcsearch.com" and "lucky5forme.com"

In our particular case, we were for some reason doing a lot of "Bollywood" related traffic, doing searches such as "hindi film actor photo" and ending up following links to places like "bollywoodhungama.com"

Someone interested in Advertising Click-Fraud may want to dig into this particular malware much more deeply.

Some of the other interesting clusters the students found were based on nameserver - for instance the nameserver "ns1.alvobs.com" is used by many domains which seem to be involved in tricking people into infecting themselves. Here are some of the domain names that they found were being actively visited:

agro-files-archive.com
allshemes.com
all-tube-world.com
analiticstat.com
best-light-search.com
besttubetech.com
chamitron.com
circuitsradio.com
datasheetcatalog.biz
dipexe.com
dirtydogaudio.com
downloadnativeexe.com
exedownloadfull.com
exe-paste.com
exe-soft-development.com
exe-xxx-file.com
eyeexe.com
getdatasheet.com
go-exe-go.com
greattubeamp.com
green-tube-site.com
holidayhomesearch.com
hotexedownload.com
humorbestimages.com
imagescopybetween.com
isyouimageshere.com
kazus.info
labsmedcom.com
last-exe-portal.com
lost-exe-site.com
luxartpics.com
lyy-exe.com
main-exe-home.com
my-exe-load.com
protectionimage.com
robo-exe.com
sk1project.org
softportal-extrafiles.com
softportal-files.com
sphericalart.com
storeyourimagehere.com
super0tube.com
super-exe-home.com
supertubetop.com
sysreport1.com
sysreport2.com
techdatasheets.com
testtubefilms.com
texasimages2009.com
the-blue-tube.com
thecooltube.com
thetubeamps.com
thetubesmovie.com
tiaexe.com
tube-best-4free.com
tube-collection.com
tubefaster.com
tvtesttube.com
yourtubetop.com

Many of these sites have already been shut down due to malware complaints. Hopefully Directi will look into the others as well.

One of the students ran the WHOIS on many of these domains and noticed that in addition to having invalid phone numbers (such as Tasha Chambers in Kearns Utah, who has the telephone: Tel. +001.98985647689) the pattern was to make either a gmail or a yahoo address using the first portion of the first and last names, so we had whois name/email pairs such as:

Chuck Jackson / chucjack@gmail.com
Colette Milton / colemilto@yahoo.com
Dion Choiniere / noelwollenberg@ymail.com (ok, breaks that pattern!)
Jamie Sires / jamisires@gmail.com
Leota Allison / leotallison@gmail.com
Malcolm Cromer / malccrome@gmail.com
Michael Barnes / michabarn@gmail.com
Norman Troup / normtroup@yahoo.com
Queenie Ziegler / queeziegl@gmail.com
Robyn Hamilton / robrhamil@gmail.com
Tasha Chambers / tashcham@gmail.com

Almost all of the domains that were owned by the people above had been terminated. Almost all of the domains registered to "PrivacyProtect.org" had NOT been terminated - which is probably because PrivacyProtect makes it hard to lodge a complaint based on the fact that the domain has false WHOIS information.

Domains that are still live are:

holidayhomesearch.com
protectionimage.com
imagescopybetween.com
greattubeamp.com
luxartpics.com
analiticstat.com
lyy-exe.com
chamitron.com
exe-soft-development.com
sk1project.org
dirtydogaudio.com
texasimages2009.com
allshemes.com
circuitsradio.com
datasheetcatalog.biz
kazus.info
techdatasheets.com
tubefaster.com
humorbestimages.com
labsmedcom.com
storeyourimagehere.com

After class, Brian got back into the lab to prove to me why he was better than the "automatic unpacker" I had used in class. As usual, he was amazing. He stepped through the malware with a debugger until it had unpacked itself fully into memory, and then dropped the image from memory to reveal even more hard-coded website names, including:

superarthome.com
and
robert-art.com

which seem to be "backup" command & controls. When we launched we sent a string "/senm.php?data=" to "myart-gallery.com", but apparently if that domain is unavailable, the code will try "robert-art.com" or "superarthome.com" instead.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.