The Twitter Malware Campaign Wants to Bank With You

In what appears to be a lone gunman malware campaign, where the malware spreader even left his email address within the binary, the now-down Twitter malware campaign managed to attract only 69 followers before it was shut down, using a trivial approach for launching an XSS worm: cross-site request forgery (CSRF). More info:

This week it’s Twitter’s turn to host an attack – one that is targeting both Twitter users and the Internet community at large. In this case it’s a malicious Twitter profile[skip]/ with a name that is Portuguese for ‘pretty rabbit’ which has a photo advertising a video with girls posted. 

This profile has obviously been created especially for infecting users, as there is no other data except the photo, which contains the link to the video. If you click on the link, you get a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. You end up with a file labeled Adobe Flash (it’s a fake) on your machine; a technique that is currently very popular.

Let’s analyze the campaign as it stood before it was shut down. The original Twitter account included a link to ( which was using a URL shortening service in order to redirect to the banker malware located at Its detection rate is as follows:

Scanners Result: 14/36 (38.89%)

File size: 88064 bytes

MD5...: 25600af502758ca992b9e7fff3739def

SHA1..: 9262ca501ef388e0fe42c50a3d002ddbd6e254f2

Twitter isn’t an exception to the realistic potential for XSS worms through CSRF that could affect each and every Web 2.0 service. As a matter of fact, the services that have already suffered such attempts, namely Orkut, MySpace (as well as the QuickTime XSS flaw), GaiaOnline, Hi5, and most recently the XSS worm at, demonstrate that trivial vulnerabilities come in handy for what can turn into a major security incident if not taken care of promptly.

Related posts:

XSS The Planet

XSS Vulnerabilities in E-banking Sites

The Current State of Web Application Worms

g0t XSSed?

Web Application Email Harvesting Worm

Author: Dancho Danchev
