Part 2: Twitter malicious spam, or the Threat Cocktail
Websense® Security Labs™ ThreatSeeker™ Network has detected another wave of spam posing as a Twitter password reset notification. So far we have seen over 170,000 emails, all with subjects like Twitter 281-01, Twitter 137-40, and Twitter 260-96. The numbers in the subject vary.
The spam emails contain a link to a Google Groups page hidden behind what looks like a Twitter URL. Once the link is clicked, the user is prompted to download a malicious executable packaged as Twitter_security_model_setup.zip.
The file is malicious (SHA1: 6c9e6494045dd450d3598f46f7dc78b5b2a3f1fc) and is currently detected by 14 of the 41 engines on VirusTotal.
The malicious file downloads a rogue AV onto the computer; it belongs to the "Protection Center" family we saw on 3 June. When run, it silently installs itself into the "Program Files\Protection Center" folder. It also adds itself to the Start menu and drops several files into the Temp folder, such as kernel64xp.dll, mscdexnt.exe, and wscsvc32.exe.
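The indicators above (the subject pattern, the dropper file name and SHA1, the install folder, the Temp-folder file names and the Start menu entry) are enough for a first-pass host and mail triage. The script below is an added example written for this post, not Websense code or any detection the post itself ships. Everything marked as an assumption is ours: that the subject pattern generalizes to "Twitter NNN-NN", that the dropped files sit directly under %TEMP%, that the Start menu shortcut carries "Protection Center" in its name, and that the dropper may also be found in the user's Downloads folder.

```powershell
# Added example (not from the Websense post): triage for the indicators the post names.
# Run in an elevated PowerShell session (PowerShell 4 or later, for Get-FileHash).

# --- Indicators taken from the post --------------------------------------------
$KnownSha1    = '6C9E6494045DD450D3598F46F7DC78B5B2A3F1FC'
$DroppedNames = @('kernel64xp.dll', 'mscdexnt.exe', 'wscsvc32.exe')
$DropperName  = 'Twitter_security_model_setup.zip'

# Install folder from the post; checking the x86 Program Files too is an assumption
$InstallFolders = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Protection Center' }

# --- Mail-side check -------------------------------------------------------------
# Assumption: the observed subjects ("Twitter 281-01", "Twitter 137-40", "Twitter 260-96")
# generalize to "Twitter <3 digits>-<2 digits>".
function Test-LureSubject {
    param([Parameter(Mandatory)][string]$Subject)
    return $Subject -match '^\s*Twitter \d{3}-\d{2}\s*$'
}

# --- Host-side checks ------------------------------------------------------------
function Test-ProtectionCenterArtifacts {
    $hits = @()

    foreach ($folder in $InstallFolders) {
        if (Test-Path -LiteralPath $folder) { $hits += "Install folder present: $folder" }
    }

    # Assumption: the post's Temp-folder files are dropped directly under %TEMP%
    foreach ($name in $DroppedNames) {
        $p = Join-Path $env:TEMP $name
        if (Test-Path -LiteralPath $p) { $hits += "Dropped file present: $p" }
    }

    # The post says the rogue AV adds itself to the Start menu; the shortcut
    # name containing "Protection Center" is an assumption.
    $startMenus = @([Environment]::GetFolderPath('StartMenu'),
                    [Environment]::GetFolderPath('CommonStartMenu'))
    foreach ($sm in $startMenus) {
        if ($sm -and (Test-Path -LiteralPath $sm)) {
            Get-ChildItem -LiteralPath $sm -Recurse -Filter '*.lnk' -ErrorAction SilentlyContinue |
                Where-Object { $_.BaseName -like '*Protection Center*' } |
                ForEach-Object { $hits += "Start menu shortcut: $($_.FullName)" }
        }
    }
    return $hits
}

function Find-KnownDropper {
    # Assumption: the dropper lands in %TEMP% or the user's Downloads folder
    param([string[]]$SearchRoots = @($env:TEMP, (Join-Path $env:USERPROFILE 'Downloads')))
    $found = @()
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq $DropperName -or $_.Extension -in '.zip', '.exe' } |
            ForEach-Object {
                $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash
                if ($h -eq $KnownSha1) {
                    $found += "Known sample by SHA1: $($_.FullName)"
                } elseif ($_.Name -eq $DropperName) {
                    $found += "Dropper file name match, hash differs (possible new build): $($_.FullName)"
                }
            }
    }
    return $found
}

# --- Usage --------------------------------------------------------------------------
# Constructed sample subjects: the three from the post plus a benign one.
foreach ($s in 'Twitter 281-01', 'Twitter 137-40', 'Twitter 260-96', 'Twitter weekly digest') {
    '{0,-25} lure: {1}' -f $s, (Test-LureSubject -Subject $s)
}

$results = @(Test-ProtectionCenterArtifacts) + @(Find-KnownDropper)
if ($results.Count -eq 0) { 'No Protection Center indicators found on this host.' } else { $results }
```

The file-name match with a differing hash is reported separately on purpose: the post counts 14 of 41 engines detecting this sample, so a rebuilt dropper with the same name is the case most likely to slip past hash-only matching.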
The threat pops up different warnings like this:
If the user clicks on the icon, it then installs the rogue AV:
After this it keeps displaying a warning about serious security threats on the computer even though there is no threat.
It also creates several icons on the desktop, several of which are links to porn sites:
Once the computer is infected, there is a blended threat cocktail on the computer. The ingredients: rogue AV, porn site links, and spam and trojan agents.
Websense® Messaging and Websense Web Security customers are protected against this attack.