Targeted Attack Designed to Infect Both Macs and PCs.

UPDATE (25th June): Guy Kawasaki has stated that his Twitter account was not compromised; the malicious tweet came from a feed that Guy’s account is subscribed to and automatically posts from. The feed comes from NowPublic, a user-generated news service. According to the Wall Street Journal, Michael Tippett, co-founder of NowPublic, responded by pointing out that Mr. Kawasaki’s auto-published tweets were from an unmoderated feed, not one of the moderated ones that the startup also operates.


That’s fine for Mr. Kawasaki’s personal peace of mind, but you have to ask yourself: with that many followers, is it sensible to auto-post unmoderated feed content? Is this going to happen again, with a more believable tweet?


Guy Kawasaki, the well-known venture capitalist and columnist, was the victim of what appears to be a very targeted attack on Twitter today.


A single malicious tweet was inserted into Mr. Kawasaki’s profile without his knowledge.




The obfuscated link seemed incongruous on Mr. Kawasaki’s profile only because it used a different URL shortening service from the one he normally uses. Other than that, he is a person who regularly posts many links, so his 139,000 followers would be very tempted to follow it, and that is exactly the kind of thing that makes this sort of attack attractive to cybercriminals.



In this case, following the link would be a Very Bad Idea, because it leads to a malicious website designed to infect both Macs and PCs with a DNS-changing Trojan which, at the time of writing, has low to non-existent detection rates among security vendors (although Trend Micro customers would already have been protected from visiting the known malicious site by our Smart Protection Network).



The first site you land at is shown below.





The image with the blue text shows how many people have followed this link. It would normally display an image designed to look like a media player window, but the site has been hit so hard that the bandwidth limit for the image server has been reached (note the text is in Russian and English).


If you click the media player to view the video, you are redirected here:






Again, the image server bandwidth has been used up, indicating how many other people have passed this way, but it should look like that media player again… You click it and hit paydirt!





There it is, the video you have been waiting for, but wait, you need to download an updated Codec… (sound familiar yet?)



Check out the TrendLabs malware blog for an in-depth analysis of the code involved in this interesting dual-platform attack.