The malicious tweets have continued over the weekend. I found some evidence that these attacks had appeared for a short time on Facebook as well. Facebook has added most of the malicious URLs to its blacklist to prevent the attacks from circulating among its users.
The newest tweets I have seen attempt to leverage interest in Barack Obama. I still can’t tell whether these bots are politically motivated or just taking advantage of popular topics. Unlike previous Twitter bots, which followed many hundreds of users in the hope that those users would follow back, these bots @-reply people based on the topics those people are already tweeting about. If you tweet about Obama, they @-reply you with a message about Obama and a malicious link.
As I mentioned yesterday, some of the messages target the conflict in the Middle East, and there may be a serious component to this. Beyond rival hacking groups defacing each other’s websites, these attacks could be, for example, assembling a botnet for DDoS attacks.
I investigated six different malware variants this afternoon (Sophos detects them as Mal/Refroso-A), and five of them had their command-and-control operations in Muslim countries: three were based in Morocco and two in Saudi Arabia, in both cases on ADSL connections. All of the threats call home to domain names associated with dynamic DNS services, in this case no-ip.biz.
Additional free file hosts were involved, such as 4shared.com and RGhost.net. None of them showed a tremendous number of downloads, although not all of them display statistics. The attacks are quite crude and I don’t expect most users would fall victim to the tactic.
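One way to hunt for the behaviour described above in web proxy logs: executables fetched from the free file hosts named in the post, and repeated callbacks to a dynamic-DNS host such as a no-ip.biz name. This is an added example, not code from the original post or from Sophos; the log format, client addresses, hostnames and paths are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample proxy log lines: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2009-01-11T14:02:01 10.0.0.5 GET http://www.example.org/index.html
2009-01-11T14:03:00 10.0.0.9 GET http://www.4shared.com/file/123/obama.exe
2009-01-11T14:03:30 10.0.0.9 GET http://host1.no-ip.biz/check.php
2009-01-11T14:03:45 10.0.0.9 GET http://rghost.net/456/obama.exe
2009-01-11T14:04:30 10.0.0.9 GET http://host1.no-ip.biz/check.php
2009-01-11T14:05:30 10.0.0.9 GET http://host1.no-ip.biz/check.php
"""

# Hosts named in the post; a real deployment would use a maintained list.
DYNDNS_SUFFIXES = ("no-ip.biz",)
FREE_FILE_HOSTS = ("4shared.com", "rghost.net")
LINE_RE = re.compile(r"^\S+\s+(\S+)\s+\S+\s+https?://([^/\s]+)(/\S*)?")

def host_matches(host, suffixes):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)

def classify_host(host):
    """Return 'dyndns', 'filehost' or None for a request hostname."""
    if host_matches(host, DYNDNS_SUFFIXES):
        return "dyndns"
    if host_matches(host, FREE_FILE_HOSTS):
        return "filehost"
    return None

def parse_log(text):
    """Yield (client, host, path) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) or "/"

def find_suspicious_clients(text, min_beacons=3):
    """Flag .exe downloads from file hosts and repeated dynamic-DNS contacts."""
    beacons = defaultdict(int)      # (client, host) -> request count
    report = defaultdict(lambda: {"beacon_hosts": set(), "exe_downloads": []})
    for client, host, path in parse_log(text):
        kind = classify_host(host)
        if kind == "dyndns":
            beacons[(client, host)] += 1
        elif kind == "filehost" and path.lower().endswith(".exe"):
            report[client]["exe_downloads"].append(host + path)
    for (client, host), n in beacons.items():
        if n >= min_beacons:   # crude beacon heuristic: same host, repeated
            report[client]["beacon_hosts"].add(host)
    return dict(report)
```

Suffix matching is anchored on a label boundary, so a lookalike such as fakeno-ip.biz is not matched; the beacon threshold is deliberately simple and should be tuned to the log volume.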
I hope Twitter will take action to remove these accounts and take actions similar to those taken by Facebook. While I do not have knowledge of Twitter’s internal systems, I expect they are able to blacklist URLs just like Facebook.
Sophos Anti-Virus users are protected against these threats through a variety of identities, including Mal/Refroso-A, HIPS/ProcInj and HIPS/Filemod. Additionally, many of the domains hosting the content are blocked by the Sophos Web Appliance.
Strangely, these attackers are not using URL-shortening services, but you should still proceed with caution. Whether or not you think you know where a link leads, don’t trust links from unknown sources. A name is just that, a name: often misleading, but always just a label.