Twitter Gets More Malicious Ways to Hurt You – Watch Out for Rabbits
by
on August 05, 2008,
It was bound to happen, obviously. We have already seen spammers invading Twitter with one or two updates linking to the same webpage, trying to sell you something. We have already seen manuals explaining how to sell on Twitter efficiently. But this is not the worst that could have happened: after all, Twitter has great potential to distribute anything, legitimate links and opinions as well as spam and viruses. So now we see someone using Twitter maliciously in a way that goes beyond hurting your budget if you choose to buy something from those tricky marketers: this time, as reported by the Kaspersky Lab blog, you could also have your computer infected by a virus and lose much more money to the intruders.
Beware of an almost empty profile in Portuguese (screenshot below courtesy of Kaspersky Lab blog) advertising porn videos (as far as I can read Portuguese - which is not much) in its two updates. The profile has only a name, which reportedly translates into English as "pretty rabbit".

I have to admit, my curiosity made me actually try to find the profile myself, so I did a quick search in Google Translate for "pretty rabbit", which provided two results in Portuguese: "bonita coelho" (English - Portuguese) and "linda coelho" (Russian - Portuguese). A search for both versions on Twitter produced no results, but since I was certain that "coelho" stands for "rabbit", I repeated the search on Twitter for "coelho" only. This time I received 3 pages of results, but none of the rabbits hiding under those users in the results pages resembled any content of the profile in the screenshot, so I believe the profile has already been banned or removed from Twitter - which is a good reaction, obviously.
So now that we seem to be safe already, let me share with you how this profile worked. First of all, there's no real need to be scared of the profile itself - it won't damage you in any way unless you are tempted to watch the porn video advertised in the updates. It looks like the rules with Twitter viruses are the same as with infected emails: in the majority of cases you are safe unless you click anything.
But if you do choose to click the link, a file will start to download, masquerading as the latest Adobe Flash version that you supposedly need to watch the video. This is exactly how you get a Trojan downloader on your computer, which in turn will download 10 bankers. So instead of watching the porn video he expected, the user ends up handing his online banking information to the attackers.
The engineers at Kaspersky Lab determined that the malware originates in Brazil, as proven by the Portuguese language, the servers hosting the malware, and the email address embedded in the malware that is intended to receive all the information from the infected computers.
But what I find particularly interesting is that the company promises it will be watching for malicious Twitter profiles looking to infect your computer. It looks to me that we will soon be offered new anti-virus software releases that protect not only our emails and web surfing but Twitter desktop clients as well. It will be interesting to watch another industry profiting off Twitter while it still seems to have no idea how to monetize its own service. But anyway, don't click suspicious links on Twitter; it may be dangerous.
And don't blame Twitter for viruses - only you can protect yourself by approaching unknown Twitter users with the same caution that you handle suspicious emails and websites with.
UPDATE: The commenter mpsilva (presumably from the Brazilian office of Kaspersky Lab judging by the URL provided) explained that the profile name should be "coelhinhas". Apparently both my experiments with machine translation failed again. It was not difficult to find the Twitter account in question using this word but it currently shows as "have not updated yet" with both posts containing malicious links deleted. I don't know why the account itself is still there but I at least hope that some investigation has been initiated.

Hi - Isn't it annoying - any new service, within a few months of it becoming popular there are always people that want to make a quick illegal buck from it.
It is annoying but this is exactly how it is everywhere - when there is a potential for a quick buck (legal as with all those marketers or illegal as in this example), someone will invariably jump in on the opportunity. This is how life is everywhere - online or offline.
Profile name in Portuguese is “coelhinhas”, that means “bunnies” like for Playboy (Playboy bunnies would be “Coelhinhas da Playboy”).
@mpsilva: Thanks a lot for the information. I guess I should finally stop relying on machine translation for anything at all (I am constantly arguing machine translation is terrible but had no choice today). The search for “coelhinhas” has found the profile in question easily but it shows “has not updated yet” so it looks like both tweets with malicious links were removed. I’ll update the post accordingly, thank you.