Searching for Malware 3: Trending Topics Exploiting

Read previous: Searching for Malware 2: Prevalent Patterns of Malware Distribution

Barracuda Labs’ representatives focus here on how attackers exploit trending topics, and provide preliminary facts about Twitter misuse.

Top domains hosting malware

Paul Judge: From there, let’s do a transition a little bit over to something more specific, looking at the domains, looking at some actual examples of malware that we saw on the other side of these links (see image).

David Maynor: So, these are not big surprises, except for the Poland thing. I mean, most of the malware we found seems to be hosted in Poland, or technically somewhere around that Eastern Europe place that everybody close to the media knows the malware comes from.

So it’s normal stuff: kazaa.com, fiveouncesofpain.com, mchawking.com – you know, it might sound like you’ve never looked at these before, but every time we look at these it’s just shocking. And what is this – hopedworaczyk.com? We don’t know, but this was one of the top domains that we found. Like Paul said, we used three different methods to do this: Google Safe Browsing, our internal database, and a tool called MJD, and we would cross-verify the results with each one of those tools and actually figure out whether we had really got malware or whether it was a false positive.

Malware from fake Flash Player update download

So, here is an example of a guy named Lebron James. I don’t personally know who he is, I think he is a golfer, I don’t know. But if you had looked a couple of weeks ago on Google, you would have found there is a link with Lebron James’ name that would take you to a website that would ask you to install a Flash Player update, and we all know how great Flash Player updates are. You see it in the news all the time, so you want to get the latest and greatest. So when you download that – bam! (See screenshot.)

What’s funny as we are looking at examples of malware is that I don’t really think there is any other profession where you spend a lot of time looking at, like, the worst-case scenarios of things, except for maybe doctors. I would think that looking at malware like this is a classic example of that.

So, let’s go with Darryl Stingley. Does anybody know who Darryl is? I felt bad because, you know, like we’ve said several times, most of the stuff that’s used for this malware search poisoning is pop culture stuff. And we looked at the list of these, and I don’t know who any of these people are. One of them appeared to be an LPGA player, and this guy apparently took the hardest hit ever in the NFL. And, you know, being a computer hacker type, I don’t really know what the NFL is.

This actually happened on Tuesday, and I wanted to show you a more recent example. So if you put his name into Google, you’d get a site that redirects you, that sells malware that does this. And it’s pretty well documented, it’s malware; and if you noticed – this is for the free open source advocates – ClamAV does not catch this. So you take that same term and go over to Twitter; you know there will be a whole lot of people, there are a whole lot of links and discussions about him. And there are a lot of different URLs that all take you to the same kind of site – YouTube; and if you look at the right-hand side, they used this video of Darryl to promote Lindsay Lohan porn, which, although I am not happy with it, is better than the Justin Bieber stuff we find. They even show you a message not to embed these videos, and they put overlays over the videos, like this one about copyright, like in the YouTube Terms of Service, saying that they cannot play the whole video, so you are told to go to this website instead. And apparently people follow this stuff. And, you know, you’ll get pwned.

Malware from malicious Twitter accounts

So, the last example: we have 3 different accounts, talking about 3 different trending topics, with 3 different URLs, but when you follow them all, they all lead you to a .cn site, and as everybody knows you should not click on anything in .cn, and if you do, bad things happen (see screenshot).

Paul Judge: So, a couple of the other examples that David was just showing – some of them were on Google, some on Twitter. What’s interesting is the relationship between the different ones. You know, you saw an attack going from Google to YouTube, or from Twitter to YouTube, and really the interrelations that are happening – I mean people using these terms to take you to a malicious site, people using these terms to take you to a spam site, or also using them to poison YouTube clips, whether they be porn or otherwise.

So as we saw earlier, you know, over the snapshot that we examined, only 1% of results were to Twitter. But we talked about why that was – because of the lack of actual ranking, right; we were really kind of coming at it from the eyeballs of a user. If you come online and you search for a term, you get top search results. So that’s all we examined. We looked at the top search results. And Twitter, from the point of view of an attacker trying to reach eyeballs, is actually a little inefficient for you because you don’t have an opportunity to make your stuff go higher in the ranking.

So when it comes to Twitter, you want to take a little closer look at what actually is going on – even though from the viewpoint of a random user clicking, you know, your chances are a little bit lower – and what else is taking place in that network. And so we spent some time looking at the different characteristics and types of Twitter accounts. We spent some time looking at what we see if we connect to the Twitter stream (and we did this from two standpoints: one was through the streaming API, getting a view of an almost real-time sample of all the tweets that were happening; the other was through whitelisted API key access, being able to come back and query accounts to ask for particular information).

And so, what we were able to see is, for any particular account, how many times they’ve tweeted, how many people were following them, how many people they were following. I mean, if you think about Twitter, there are really only three things that you can do, and so this is really your feature space; I mean you can also look at someone’s profile, you can also look at, as we just did, the actual URLs that are in the tweets. But we wanted to really kind of understand what the behavior is: how legitimate users are using this network, and then kind of how illegitimate users are using it, and whether there is an opportunity to build out a reputation, an opportunity, based on that behavior, to actually separate out this set and build out user reputation. So there is certainly a fair amount of work on doing kind of content-based classification. But think about what was happening in the email world: everybody was doing kind of content-based classification, everybody was doing regexes and so forth. And then the world looked up and realized, wait a second, there is a small set of good senders, and then there is a big set of bad guys. So we can actually use the reputation, or the behavior, of this particular IP address to classify them and make a decision.

And so, our goal here is to understand whether there is a potential for the same type of classification for social networks, to be able to take those users and, without looking at their profile, without waiting to look at the content that they posted, build some user reputation and classify them.

Read next: Searching for Malware 4: Exploring Twitter Accounts
