Erin Andrews Used to Propagate Malware via Twitter


Posted by: Barracuda Labs

Earlier today, malicious links that claimed to offer videos and pictures of Erin Andrews began appearing on Twitter. Search terms leading to these malicious tweets include the following:

erin andrews peephole video link rapidshare
espn reporter erin andrews
erin andrews peephole pictures
erin andrews video torrent
erin andrews hot pics

The malicious tweets were created automatically from numerous accounts through the Twitter API, and the links were shortened with bit.ly.


If the user clicks on one of the links, the following series of redirections occurs:

hxxp://bit.ly/1bkUV9
-> hxxp://xombag.com/video/go.php?sid=2&name=erin+andrews+hot+pics&theme=trends&hostingtype=twitter
-> hxxp://sunny-tube-world.com/xplays.php?id=40014&name=erin+andrews+hot+pics&theme=trends&hostingtype=twitter

The name parameter in these URLs carries the text of the tweet that started the chain, which lets the operators of the campaign measure which combinations of search terms (listed at the beginning of this post) make the best lures. The series of redirects ends at the page shown in the screenshot below, which offers a fake video that the user will likely assume is of Erin Andrews.


The fake video, served from hxxp://newfileexe.com/onlinemovies.40014.exe, is a trojan downloader: a small piece of malware that, when executed, downloads and runs other malicious programs. AV detection of this instance is practically non-existent.

One of the most interesting parts of this campaign is how the trojan downloader retrieves additional malware. Instead of downloading executables directly, the downloader fetches the following image files:

hxxp://isyouimageshere.com/item/b6bc3e14a0639460413e87d5c4d82e8267c6a661217f2f1530b599dd6f76ee1d23103cd88fd83fc10/b4a0d091c46/titem.gif

hxxp://imgesinstudioonline.com/perce/861c5e6420337400215e97e5c4d81e42b7462631f1af8f65702579fdbff64e4d03a0ac38ef284f117/d40040b1148/qwerce.gif

hxxp://yourimagesstudio.com/werber/d4300051f41/217.gif

Each of these GIF files still displays as a valid image, but hidden inside it, in comment blocks, is an encrypted malware executable. After retrieving the files, the downloader extracts the comment data, decrypts it back into an executable, and runs it. Because image decoders ignore comment blocks, a fetch that returns a well-formed, viewable GIF looks like ordinary picture traffic to anything that does not inspect the file's block structure.
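As an added example (not code from the post, nor from Barracuda Labs), the following Python walks a GIF's block structure, pulls out every Comment Extension payload, and flags comments that look like carried executables rather than metadata. The post does not describe the campaign's encryption scheme, so the carrier sample here uses constructed pseudo-random bytes in place of an encrypted PE; the size and entropy thresholds are my own choices, and build_gif exists only to produce an in-memory test fixture.

```python
import hashlib
import math
import struct

# GIF89a block walker that extracts Comment Extension (0x21 0xFE) payloads,
# the place this campaign's downloader hid its encrypted executables.
# Assumptions (not from the post): the encryption scheme is unknown, so the
# carrier sample is constructed pseudo-random data standing in for an
# encrypted PE; the triage thresholds below are illustrative.


def _read_subblocks(data, pos):
    """Read a chain of GIF data sub-blocks starting at pos; return (bytes, new_pos)."""
    out = bytearray()
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:                          # block terminator
            return bytes(out), pos
        out += data[pos:pos + n]
        pos += n


def extract_comments(data):
    """Return a list of (offset, payload) for every Comment Extension in a GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]                       # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    comments = []
    while pos < len(data):
        tag = data[pos]
        if tag == 0x3B:                     # trailer
            break
        if tag == 0x21:                     # extension block: label + sub-blocks
            label = data[pos + 1]
            start = pos
            payload, pos = _read_subblocks(data, pos + 2)
            if label == 0xFE:
                comments.append((start, payload))
        elif tag == 0x2C:                   # image descriptor
            lpacked = data[pos + 9]
            pos += 10
            if lpacked & 0x80:              # local colour table
                pos += 3 * (2 << (lpacked & 0x07))
            pos += 1                        # LZW minimum code size
            _, pos = _read_subblocks(data, pos)
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (tag, pos))
    return comments


def shannon_entropy(b):
    """Bits of entropy per byte; encrypted or packed data sits near 8.0."""
    if not b:
        return 0.0
    counts = [0] * 256
    for x in b:
        counts[x] += 1
    return -sum(c / len(b) * math.log2(c / len(b)) for c in counts if c)


def triage_comments(data, max_benign=512, entropy_threshold=6.5):
    """Flag comment blocks that look like carried payloads rather than metadata."""
    findings = []
    for offset, payload in extract_comments(data):
        ent = shannon_entropy(payload)
        reasons = []
        if payload[:2] == b"MZ":
            reasons.append("plaintext PE header")
        if len(payload) > max_benign:
            reasons.append("oversized comment (%d bytes)" % len(payload))
        if ent > entropy_threshold:
            reasons.append("high entropy (%.2f bits/byte)" % ent)
        findings.append({"offset": offset, "size": len(payload), "entropy": ent,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


# --- test fixture: build a valid 1x1 GIF that carries arbitrary comments ---

def _subblocks(payload):
    out = bytearray()
    for i in range(0, len(payload), 255):
        chunk = payload[i:i + 255]
        out += bytes([len(chunk)]) + chunk
    return bytes(out) + b"\x00"


def build_gif(comments):
    """Construct a viewable GIF89a (1x1 pixel) with the given comment payloads."""
    gif = bytearray(b"GIF89a")
    gif += struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # 1x1, 2-colour global table
    gif += b"\x00\x00\x00\xff\xff\xff"               # black, white
    for c in comments:
        gif += b"\x21\xfe" + _subblocks(c)
    gif += b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    gif += b"\x02" + b"\x02\x44\x01" + b"\x00"       # minimal LZW stream: one pixel
    gif += b"\x3b"
    return bytes(gif)


def _pseudo_random(n, seed=b"constructed sample payload"):
    """Deterministic high-entropy bytes standing in for an encrypted executable."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


BENIGN_GIF = build_gif([b"Created with GIMP"])                         # constructed
CARRIER_GIF = build_gif([b"Created with GIMP", _pseudo_random(4096)])  # constructed

if __name__ == "__main__":
    for name, gif in (("benign", BENIGN_GIF), ("carrier", CARRIER_GIF)):
        for f in triage_comments(gif):
            print(name, f)
```

A scanner that only checks that an image decodes cleanly passes these files, because decoders skip comment blocks; walking the block structure is what exposes the payload. The entropy check is the durable signal here, since a comment that holds an encrypted executable will not start with MZ.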

Users of the PWSS are protected from this threat.
