Bitcoin virtual money malware spreading via Twitter
Now even virtual currency is no longer safe from malware. A computer security firm has warned that malicious links spreading over the micro-blogging site Twitter lead to malware that uses the victim's computer to mine Bitcoins, a decentralised digital currency exchanged over a peer-to-peer network, on the attacker's behalf.

In a blog post, Trend Micro said the spammed, shortened malicious URLs on Twitter appear to point to a JPG image file hosted on a Facebook domain.

"Clicking the links redirects to a shortened Twitter URL (http://t.co). Most of these Twitter users are from Indonesia. To lure users to click on the URL, cybercriminals incorporated Facebook.com into the link where the malicious file is hosted. Upon clicking the said link, the unwitting user is led to (a link on facebook.com) ... Since September 2, 2011, approximately 600 tweets of the same link have been posted," Trend Micro fraud analyst Paul Pajares said.

Pajares pointed out that the "JPG image file" is not a picture at all but an executable, which Trend Micro detects as WORM_KOLAB.SMQX. He noted that searching for the picture file's name with Twitter's search function reveals a continually updated list of users who have tweeted the same malicious link.

Trend Micro said that when a user posts a tweet, it is followed by the malicious link and the text "hahaha!!!"; the same link also appears in retweets and replies. Investigation showed the malicious file creates a directory named "aaa" containing the following files:
- 3kal.cmd: a batch file containing the command that executes mamatije2.exe
- hsbca.exe: a legitimate utility (Hidden Start v3.2), used here to launch programs without a visible window
- mamatije2.exe: detected as HKTL_BITCOINMINE; a Bitcoin mining tool that connects to a remote server (described in the report as a malicious link) using the username mrdd_ludacha and the password mama1
The components were hosted at the following URLs (domains partially masked in the original report):
- http://robertpattinson.{BLOCKED}ion.org/pictures/Calc-3-9-2011.jpeg (HKTL_BITCOINMINE)
- http://{BLOCKED}alokab.go.id/images/news/JohnLennon-Imagine.exe (WORM_KOLAB.SMQX)
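The three observable details in the report (the "hahaha!!!" plus short-link lure in tweets, an executable served under an image filename, and a dropped directory named "aaa" holding three known filenames) translate directly into simple checks. The script below is an added example written for this page; it is not code from Trend Micro or from the malware. The tweet texts, the t.co link, and the file contents it uses are constructed for the demonstration; only the filenames and the lure text come from the report, and the JPEG and PE magic bytes are the real format signatures.

```python
"""Added example for this article; not code from Trend Micro or the malware.
Three checks a responder could build from the details reported above:
  1. a tweet-text filter for the "hahaha!!!" + t.co short-link lure,
  2. a content check that flags a download whose name claims an image
     but whose bytes begin with a Windows PE ("MZ") header, and
  3. a filesystem sweep for a directory named "aaa" holding the reported files.
All sample tweets and file contents below are constructed for the demo."""
import os
import re
import tempfile

# Real format signatures: JPEG starts with FF D8 FF, a Windows PE file with "MZ".
JPEG_MAGIC = b"\xff\xd8\xff"
PE_MAGIC = b"MZ"

# Lure pattern taken from the report: the text "hahaha!!!" together with a t.co link.
LURE_RE = re.compile(
    r"hahaha!!!.*https?://t\.co/\S+|https?://t\.co/\S+.*hahaha!!!", re.I | re.S
)

# Filenames reported inside the dropped "aaa" directory.
DROPPED_FILES = {"3kal.cmd", "hsbca.exe", "mamatije2.exe"}


def is_lure_tweet(text):
    """True when a tweet carries both the lure text and a t.co short link."""
    return LURE_RE.search(text) is not None


def classify(data):
    """Classify a file by its leading bytes only; the filename is never trusted."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def image_name_hides_pe(name, data):
    """True when the name claims an image but the content is a PE executable."""
    ext = os.path.splitext(name.lower())[1]
    return ext in {".jpg", ".jpeg", ".png", ".gif"} and classify(data) == "pe"


def find_drop_dirs(root):
    """Map each directory named 'aaa' under root to the reported files it contains."""
    hits = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() != "aaa":
                continue
            full = os.path.join(dirpath, d)
            found = sorted(DROPPED_FILES & set(os.listdir(full)))
            if found:
                hits[full] = found
    return hits


def demo():
    """Run all three checks on constructed inputs and return their results."""
    tweets = [
        "hahaha!!! http://t.co/xxxxxxx",   # constructed: matches the lure pattern
        "lunch was great, photos later",    # constructed: benign
    ]
    lure_hits = [t for t in tweets if is_lure_tweet(t)]

    fake_image = PE_MAGIC + b"\x90\x00" * 32       # constructed PE stub
    real_image = JPEG_MAGIC + b"\xe0\x00\x10JFIF"  # constructed JPEG header
    disguised = image_name_hides_pe("Calc-3-9-2011.jpeg", fake_image)
    genuine = image_name_hides_pe("photo.jpg", real_image)

    # Constructed drop directory: names match the report, contents are placeholders.
    with tempfile.TemporaryDirectory() as tmp:
        drop = os.path.join(tmp, "aaa")
        os.mkdir(drop)
        for fn in DROPPED_FILES:
            with open(os.path.join(drop, fn), "wb") as fh:
                fh.write(b"placeholder")
        drop_hits = {os.path.basename(k): v for k, v in find_drop_dirs(tmp).items()}

    return len(lure_hits), disguised, genuine, drop_hits


if __name__ == "__main__":
    print(demo())
```

The content check is the one worth keeping: the lure depends entirely on a user trusting a ".jpeg" name in a facebook.com-looking URL, and a server can send any bytes under any name, so the only reliable test is the file header, not the extension or the Content-Type the server claims.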