A new Twitter virus that hijacks users’ tweets has been discovered by cyber-crime prevention firm Trusteer.
In research revealed at Infosecurity Europe in London yesterday, the firm reported that they had found a repurposed version of the financial malware TorRAT, normally used to target online banking transactions, spreading through Twitter.
The malware steals Twitter authentication codes, which allow it to publish tweets on the victim’s behalf that include a link to a malicious website, according to Dana Tamir, director of enterprise security at Trusteer.
“It’s basically a new way of spearphishing users who trust the Twitter users they follow,” she says. “The shortened URL masks the real URL so there’s no way to know this is a suspicious link.”
The malware was found very recently, and because the link is now disabled the firm is not sure what the malicious website is designed to do, but it believes the site hosts an exploit that allows the attacker to download malware to the user’s PC.
“We don’t know what the purpose of this attack is in the end, but we know what this malware is capable of,” says Tamir. “Right now it’s targeting the Dutch market. All the tweets we’ve found have been in Dutch so we are assuming some kind of Dutch target here.
“But the same type of attack can be used against all users all around the world. There’s no reason the same method won’t be used in other places.”
The firm has informed Twitter, though it has yet to receive a response. Tamir says the best way of stopping this type of attack is with an exploit prevention system.
The firm is using the discovery to promote its latest product, Trusteer Apex, unveiled at Infosecurity Europe yesterday, which uses what it calls Stateful Application Control to prevent exploits.
Trusteer Apex monitors the execution of endpoint applications that process external content and is capable of associating operations (what the application is doing) with the application state (why it is doing that).
“This is a new technology that really changes the game when it comes to exploit protection,” says Tamir.
“If we don’t recognise what’s going on and we see an operation with no legitimate state, we can block it, saying this is abnormal user behaviour and an exploit is taking place.
“So this allows us to stop any exploit of a vulnerability even if it’s a zero-day or an unpatched vulnerability, if it’s known malware or unknown malware. We don’t care about the source of the malware.”
The firm claims the software can prevent exploitation of zero-day or unpatched application vulnerabilities in widely deployed endpoint applications, such as web browsers, Adobe Acrobat, Flash, Java and Microsoft Office.