Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 17 June 2009

Malware: Your friend invited you to Twitter!

I don't use Twitter myself and don't have a need for it, so I was surprised to see the following arrive in my inbox, as it instantly aroused my suspicion - Twitter have no need to e-mail me, and certainly have no need to send me any files.

Alas, as you've probably guessed, and I already knew, it wasn't from Twitter. This one is from some jackass (12.96.196.234 - maha.matisp.net) that obviously doesn't know enough about trying to infect people to either change icons, use a packer, or even try a bit harder to hide the real file type - they just tried disguising it using "document.chm{lots of spaces}.exe" - child's play stuff (little note, my dear malware guy: this doesn't really work when you've sent it in a zip file - the zip shows the real extension without my having to look for it).

Exported by: Outlook Export v0.1.6


From: invitations@twitter.com
E-mail:invitations@twitter.com [ 168.143.162.100 - Resolution failed ]
Date: 17/06/2009 16:49:09
Subject: Your friend invited you to twitter!
**************************************************************************
Links
**************************************************************************

Link: http://m.twitter.com/
Domain: m.twitter.com
IP: 128.121.146.100 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Unknown

Link: http://twitter.com/home
Domain: twitter.com
IP: 128.121.146.228 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Listed
PhishTank Status: Unknown

Link: http://assets1.twitter.com/images/tour_1.gif
Domain: assets1.twitter.com
IP: 128.121.146.229 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Unknown

Link: http://dotsub.com/api/smallplayer.php?filmid=3066&filminstance=3068&language=none
Domain: dotsub.com
IP: 8.17.173.15 [ Resolution failed ]
hpHosts Status: Listed
MDL Status: Not Listed
PhishTank Status: Unknown

Link: http://twitter.com/account/resend_password
Domain: twitter.com
IP: 168.143.162.100 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Listed
PhishTank Status: Unknown

Link: http://twitter.com/account/complete
Domain: twitter.com
IP: 168.143.162.100 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Listed
PhishTank Status: Unknown

Link: http://twitter.com/about#about
Domain: twitter.com
IP: 168.143.162.100 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Listed
PhishTank Status: Unknown

Link: http://twitter.com/about#contact
Domain: twitter.com
IP: 128.121.146.228 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Listed
PhishTank Status: Unknown

Link: http://blog.twitter.com/
Domain: blog.twitter.com
IP: 74.125.77.121 [ ew-in-f121.google.com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Unknown

Link: http://status.twitter.com/
Domain: status.twitter.com
IP: 72.32.231.8 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Unknown

Link: http://twitter.com/downloads
Domain: twitter.com
IP: 128.121.146.228 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Listed
PhishTank Status: Unknown

Link: http://apiwiki.twitter.com/
Domain: apiwiki.twitter.com
IP: 208.96.32.2 [ pbwiki.com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Unknown

Link: http://search.twitter.com/
Domain: search.twitter.com
IP: 128.121.146.107 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Unknown

Link: http://help.twitter.com/
Domain: help.twitter.com
IP: 65.74.185.41 [ zendesk.com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Unknown

Link: http://twitter.com/jobs
Domain: twitter.com
IP: 128.121.146.100 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Listed
PhishTank Status: Unknown

Link: http://twitter.com/tos
Domain: twitter.com
IP: 168.143.162.100 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Listed
PhishTank Status: Unknown

Link: http://twitter.com/privacy
Domain: twitter.com
IP: 168.143.162.100 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Listed
PhishTank Status: Unknown


**************************************************************************
Text Version
**************************************************************************
* Skip past navigation
* On a mobile phone? Check out m.twitter.com <http://m.twitter.com/> !
* Skip to navigation
* Skip to sign in form


Select Language ... English Japanese
Twitter.com <http://twitter.com/home>

Your friend invited you to twitter!

Your friend invited you to twitter!<http://assets1.twitter.com/images/tour_1.gif>

Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?

To join or to see who invited you, check the attachment.

________________________________

Arrow_on_red Watch a video! <http://dotsub.com/api/smallplayer.php?filmid=3066&filminstance=3068&language=none>

Please sign in

user name or email address:

password:

Remember me



Forgot password? Click here <http://twitter.com/account/resend_password> .

Already using Twitter from your phone? Click here. <http://twitter.com/account/complete>

________________________________

*

Twitter is the first thing on the web that I've been excited about in ages.

Jason Kottke, Blogger
*

I really like Twitter.

Jeff Barr, Amazon.com, Senior Manager
*

Incredibly useful

Wired

________________________________


Footer


* 2009 Twitter
* About Us <http://twitter.com/about#about>
* Contact <http://twitter.com/about#contact>
* Blog <http://blog.twitter.com/>
* Status <http://status.twitter.com/>
* Apps <http://twitter.com/downloads>
* API <http://apiwiki.twitter.com/>
* Search <http://search.twitter.com/>
* Help <http://help.twitter.com/>
* Jobs <http://twitter.com/jobs>
* Terms <http://twitter.com/tos>
* Privacy <http://twitter.com/privacy>


**************************************************************************
Headers
**************************************************************************
Return-Path: invitations@twitter.com
Delivered-To: {REMOVED}
X-FDA: 62358624678
X-Panda: scanned!
X-Filterd-Recvd-Size: 428259
Received: from twitter.com (maha.matisp.net [12.96.196.234])
by imf12.hostedemail.com (Postfix) with ESMTP
for <{REMOVED}>; Wed, 17 Jun 2009 15:51:05 +0000 (UTC)
From: invitations@twitter.com
To: {REMOVED}
Subject: Your friend invited you to twitter!
Date: Wed, 17 Jun 2009 09:49:09 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0006_DFD94041.4B307F70"
X-Priority: 3
X-MSMail-Priority: Normal
X-EsetId: 81896726F0AC3330DBCF
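Two things in this sample give the game away before anything is executed: the Received header says the sender HELO'd as twitter.com while the connecting host resolves to maha.matisp.net, and the attachment name pads a decoy extension with spaces before the real .exe. The following is an added example (not from the original post) showing how a mail filter could check for both; the header text and the zip are constructed here to mirror the sample, and the recipient address is a placeholder.

```python
import io
import re
import zipfile
from email import message_from_string

# Constructed headers in the shape seen in this post: HELO name twitter.com,
# connecting host maha.matisp.net [12.96.196.234]; recipient is a placeholder.
SAMPLE_HEADERS = """Return-Path: invitations@twitter.com
Received: from twitter.com (maha.matisp.net [12.96.196.234])
\tby imf12.hostedemail.com (Postfix) with ESMTP
\tfor <{REMOVED}>; Wed, 17 Jun 2009 15:51:05 +0000 (UTC)
From: invitations@twitter.com
Subject: Your friend invited you to twitter!

"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)")

def helo_mismatch(raw_message):
    """Return (helo, rdns, ip) for the first Received hop whose HELO name is not
    under the same registered domain as its reverse DNS name, else None."""
    msg = message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hop.split()))  # unfold the header
        if not m:
            continue
        helo, rdns, ip = m.groups()
        if helo.lower().split(".")[-2:] != rdns.lower().split(".")[-2:]:
            return helo, rdns, ip
    return None

EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def disguised_name(filename):
    """True for 'document.chm<many spaces>.exe' style names: an executable
    extension preceded by whitespace padding or by a second, decoy extension."""
    name = filename.rsplit("/", 1)[-1]
    if not name.lower().endswith(EXEC_EXT):
        return False
    stem = name[: name.rfind(".")]
    return bool(re.search(r"\s{2,}$", stem)) or "." in stem.strip()

def suspicious_zip_entries(zip_bytes):
    """Entry names inside a zip attachment that look like disguised executables."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if disguised_name(n)]

def build_sample_zip():
    """Constructed zip mimicking the post's attachment; contents are plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.chm" + " " * 60 + ".exe", "not a real binary")
        zf.writestr("readme.txt", "benign")
    return buf.getvalue()
```

A HELO/rDNS mismatch on its own is common for legitimate mail on shared hosting, so treat it as a scoring signal alongside the attachment check rather than a verdict.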




Oh and yep, detection for it is rubbish;

http://www.virustotal.com/analisis/1bd8f69e0cb0bf9dbb030017b443a1a29b621ace505a4e7511af60e07e71e447-1245256337

http://anubis.iseclab.org/?action=result&task_id=1c37c92a7e9740054a572a01b5f330b23&format=html

/edit

I've not looked at this yet as it's only just arrived, but here's the TE report for you (JoeBox couldn't analyze it, and my test machine isn't back up yet - still in pieces);

http://www.threatexpert.com/report.aspx?md5=ead830f63ee1e868bcca769e86fbbdd4
