You’ve got Twit…err Problems!

There is a new spam going around dropping malicious binaries and variants of rogue security softwares. We got this specific email few hours ago

Fake Email

There have been few alterations of the same email, ( More can be seen here ), and if looked closely all hyperlinked texts point to a non-twitter related url. We went to the specific link, and here is what we were looking at

Suspicious enough, and though currently the link seems to be not working we were able to get the sample. As of currently the detection rate is reasonably good, with most major vendors detecting the malware. Emsisoft Anti-Malware (EAM) was one of the first few vendors detecting the sample , and EAM users are completely safe from this specific malware dropper. We have already started analyzing the sample and related dropped samples , and we will keep you updated.

Few observations

1. Attachment comes with the name Twitter_security_model_setup.zip

2. Subject of the email varies like

  • 481-58
  • 291-58
  • New Service for Sports Twitter …. etc

3. Normally the start of the email has something similar to

  • From: Twitter [mailto:twitter-discover-user email address@postmaster.twitter.com]

The malware drops some random named files,like topwesitjh. A search made on the word brings out references of rogue security softwares and we encountered something similar in our lab. On execution, the malware finally leaves behind another rogue security software in the user’s system. Here are some screenshots of the malware’s payload.

1. Creates following files on the desktop

2. Fake warnings through balloon like popups starts appearing

3. Replaces Security Center with a fake resemblance

4. Another rogue security software on it’s way

We are currently carrying out a detailed analysis, and we plan to make another post very soon with our findings. Till then, happy twitting but make sure you click safe. Keep your Emsisoft Anti-Malware updated with latest definitions and also make sure Anti-Malware Guard is enabled.