Kaspersky system analyzes malicious URLs on Twitter for malware

By Robert Westervelt, News Editor 29 Oct 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Extensive analysis of links posted on the popular Twitter microblogging service has found that Twitter users are contributing to the spread of malicious URLs posted on the site.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Nearly half of the URLs analyzed by security vendor Kaspersky Lab are links posted by Twitter users to websites that attackers are using to spread malware, or marketing sites, which could be considered spam.

The security vendor's analysis system, called Krab Krawler, pulls in thousands of URLs every hour and feeds them into a central database for analysis. The goal is to better understand the intent of the cybercriminals using social networks to spread malware and conduct phishing attacks, said Costin Raiu, chief security expert at Moscow, Russia-based Kaspersky Lab.

"It seems that most of the malicious traffic is generated by users themselves who are unsuspectingly posting links to websites which they think are clean that actually turn out to be infected," Raiu said. "The malware keeps changing every week."

Twitter security problems: Twitter, Facebook hit by denial-of-service attacks: Twitter was shut down for more than two hours and Facebook service slowed as the ubiquitous social networking websites were hit by denial-of-service attacks. Should enterprises be concerned with Twitter in the workplace? Expert Michael Cobb explains how concerned you should be with Twitter use inside the company.  Twitter vulnerability project highlights Bit.ly flaws: Link shortening service Bit.ly had several cross-site scripting flaws that could be used to view a user's browsing history, tamper with bit.ly settings and abuse Twitter accounts.

Kaspersky Lab said Thursday that it is using its extensive analysis of shortened URLs posted to Twitter to help protect its customers in the wake of a rising number of attacks targeting social network users. Twitter was targeted by a cross-site scripting worm in April, and the Koobface Facebook worm spread to the microblogging service in June. Over the summer, a denial-of-service attack knocked the service offline for hours.

Krab Krawler runs on Linux; it fetches and extracts URLs that appear in Twitter's public timeline and feeds them into a database for analysis. A set of modules scan each website being linked to by the URL, looking for malware. Raiu said the tool currently analyzes about 500,000 unique URLs per day for malicious content and as many as 1,000 are malware attacks.

About 26% of all Twitter posts contain URLs. The analysis has found some shortened URLs leading users to websites injected with code that deliver a standard iFrame attack. Raiu said much of the malicious malware can be attributed to the Gumblar Trojan, which used an automated method earlier this year to infect vulnerable websites and set up drive-by attacks.

Automated bots are driving much of the malicious traffic by using malicious accounts. The most popular URL leads to an online dating website that has hosted malware in the past.

"It indicates the fact that most of the URLs posted on Twitter seem to be generated by spammers or by people with malicious intent," Raiu said.

SearchSecurity radio:

Most of the malware spreading on Twitter can be detected by antivirus programs. Raiu said Kaspersky is using its analysis to help bolster its protection. It takes two to 12 hours from the time a link is posted to Twitter for the Krab Krawler analysis to take place and for signatures to be deployed to Kaspersky customers, Raiu said.

Other security vendors offer browser plug-in tools that scan URLs and block them before they can be clicked. AVG Technologies offers LinkScanner, a tool that checks out URLs and blocks the user from going to a suspicious site. The tool uses a blacklist of known harmful sites to filter the URL. Security vendor Finjan Inc. has a SecureTwitter tool that issues a warning message when a malicious URL is detected.

Twitter announced a service last summer that internally filters URLS using the Google Safe Browsing API. A number of browser add-on tools enable users to check suspicious URLs before clicking them.

Tags: Malware, Viruses, Trojans and Spyware,  Web Application and Web 2.0 Threats,  Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Malware, Viruses, Trojans and Spyware Increase in Gumblar backdoors poses FTP credential problems Hackers to sharpen malware, malicious software in 2010 iPhone worm Rickrolls jailbroken phones Israeli Mossad add Trojan Horse to Syrian laptop Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Silon malware intercepts Internet Explorer sessions, steals credentials Web Application and Web 2.0 Threats Web security firm ranks Firefox, Safari browsers as flaw prone Web application vulnerability assessment shows patching progress Layoffs prompt insider threat fears, cybersecurity survey finds Botnet masters turn to Google, social networks to avoid detection Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Pushdo botnet uses Facebook to spread malicious email attachment Do Facebook URL security concerns justify blocking social networks? Gumblar Trojan drive-by exploits spike following Adobe update Some Facebook applications lead to Russian attack sites Web Browser Security InZero Systems launches hardware-based security gateway Web security firm ranks Firefox, Safari browsers as flaw prone Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Silon malware intercepts Internet Explorer sessions, steals credentials Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology New Bahama botnet evades search engines, fuels click fraud SANS: Application threats, website flaws pose biggest security threats Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary