Thu, 01/08/2009 - 17:34 — Igor Donchenko
The Fortinet Global Security Research Team has investigated a series of malicious Twitter "Direct Messages" (aka DMs) that push unsuspecting users, via redirection, to a site offering potentially unwanted software in the form of free games.
The malicious messages "spamvertise" iPhone-related websites:
Wanna win the new iPhone?
It's so easy and cool, I love this thing!
Clicking on that link leads, via redirection, to a site known for its adware/spyware history - Freeze.com.
Freeze.com gained a controversial reputation due to the disputed morality of its business model, which consists of bundling several potentially unwanted components (thus generating money via the affiliate programs of those components) with games or applications such as screensavers.
Upon clicking anywhere on the ad, users are prompted to download and install a file named "games.exe". In addition to a game, running this file launches the installation of various applications (Yahoo Toolbar, Smartshopper, Seekeen, Relevant Knowledge, Registry Power Cleaner, etc.), depending on the user's hardware and software configuration. Needless to say, each of these applications rewards Freeze upon each successful installation, via their own affiliate programs. While not malware, "games.exe" is a potentially unwanted application; Fortinet offers its customers grayware detection for it under the name "Adware/Freeze." Since redirects are used, it is important to remember that such attacks can quickly change shape and lead a victim to alternative sites at any given time.
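Because the DM carries a short link whose redirect chain can be repointed at any time, a defender triaging these messages wants the whole chain and the final landing host, not just the first URL. The following is an added example (not Fortinet's code, and not a description of the actual redirect hops seen in this campaign): it extracts links from DM text, follows redirects hop by hop with loop and hop-count protection, and checks the landing domain against an analyst-maintained flag list. The network is replaced by a constructed table of fake HTTP responses, and all hostnames and the flag list are hypothetical.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the network: URL -> (status, headers) that an HTTP
# HEAD request would return. Hostnames are hypothetical; nothing is contacted.
FAKE_RESPONSES = {
    "http://short.example/abc": (302, {"Location": "http://tracker.example/go?id=7"}),
    "http://tracker.example/go?id=7": (301, {"Location": "/landing"}),  # relative Location
    "http://tracker.example/landing": (302, {"Location": "http://bundle-site.invalid/games"}),
    "http://bundle-site.invalid/games": (200, {"Content-Type": "text/html"}),
    "http://loop.example/a": (302, {"Location": "http://loop.example/b"}),
    "http://loop.example/b": (302, {"Location": "http://loop.example/a"}),
}

# Hypothetical analyst-maintained list of landing domains to flag.
FLAGGED_DOMAINS = {"bundle-site.invalid"}

REDIRECT_CODES = {301, 302, 303, 307, 308}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def fetch_head(url):
    """Fake HEAD request: look the URL up in the constructed table."""
    return FAKE_RESPONSES.get(url, (404, {}))


def extract_urls(text):
    """Pull every http(s) link out of a message body."""
    return URL_RE.findall(text)


def resolve_chain(url, fetch=fetch_head, max_hops=10):
    """Follow redirects from `url`, returning (hops, verdict).

    verdict is one of: 'landed' (final 200), 'dead' (non-redirect, non-200,
    or redirect without Location), 'loop' (a hop repeats), 'too_many_hops'.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_CODES:
            return chain, ("landed" if status == 200 else "dead")
        location = headers.get("Location")
        if not location:
            return chain, "dead"
        nxt = urljoin(chain[-1], location)  # resolves relative Location headers
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def triage_link(url, fetch=fetch_head):
    """Resolve one link and decide whether its landing host is flagged."""
    chain, verdict = resolve_chain(url, fetch=fetch)
    final_host = urlsplit(chain[-1]).hostname or ""
    return {
        "chain": chain,
        "verdict": verdict,
        "final_host": final_host,
        "flagged": verdict == "landed" and final_host in FLAGGED_DOMAINS,
    }


def triage_message(text, fetch=fetch_head):
    """Triage every link in a DM; returns one result per link."""
    return [triage_link(u, fetch=fetch) for u in extract_urls(text)]


if __name__ == "__main__":
    # Constructed DM in the style of the spam quoted above.
    dm = "Wanna win the new iPhone? http://short.example/abc"
    for result in triage_message(dm):
        print(" -> ".join(result["chain"]), result["verdict"], result["flagged"])
```

In real use, `fetch` would be swapped for a function issuing a HEAD (or small GET) with automatic redirect following disabled, run from an isolated analysis host, so that every hop is logged before anything is fetched. Logging the full chain rather than the first URL is what lets a detection rule keep working when the operator repoints an intermediate hop.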
Twitter's direct messages carrying these links are emitted by Twitter accounts that have been compromised - most likely in the recent phishing operation targeting Twitter. This two-stage operation (phishing, then spamvertising) is a well documented trend of Spam 2.0 that has hit all the major Web 2.0 sites (MySpace, Facebook, YouTube, etc.) over the past two years. It leverages the trust that "Friends" on social networking sites have in each other: people are more likely to click on a link if it comes from a friend. The scheme's efficiency ensures significant revenues in short time-frames. It is rare, however, that compromised accounts are used to push adware/spyware installation, or malware (although it recently happened to Facebook with the infamous Koobface worm).
Twitter has been notified, and freeze.com has been informed that one of their affiliates is using compromised Twitter accounts to seed their bundles and increase his/her installation bonus.