Micro-blogging websites used for controlling botnet
Published August 17 2009, 05:56 AM by Zarestel Ferrer
Last Friday we received reports of a malware sample that operates as a botnet client and uses micro-blogging websites such as Twitter, Jaiku and Tumblr as its command-and-control channel.
CA detects this malware as Win32/Kuwiter.A. Unlike a typical trojan-downloader, which contacts a server run by its operators, this one reads the public posts of an account on these micro-blogging websites to obtain both its commands and the location of updates from its masters. Because the requests go to well-known, legitimate sites, the traffic blends in with ordinary web browsing and is easy to overlook.

[Figure 1 – Win32/Kuwiter.A using twitter.com to receive commands]
[Figure 2 – Win32/Kuwiter.A using jaiku.com to receive commands]
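A bot that reads its orders from a public account has to fetch that account's posts again and again, and that rhythm is visible in web proxy logs even though the destination is a legitimate site. The following script is an added example written for this post, not CA's detection logic or any code from the malware: it parses a constructed proxy log, keeps only requests to the micro-blogging hosts named above, and flags any client that fetches the same account path at a steady interval. The log format, the account-path layout (the username appears in the URL path) and the thresholds are assumptions for the demonstration; the username upd4t3 is the one from this report.

```python
"""Flag hosts that poll a micro-blogging account at a steady rhythm (beaconing)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Micro-blogging sites named in the report.
WATCHED_HOSTS = {"twitter.com", "jaiku.com", "tumblr.com"}
MIN_HITS = 4        # assumed threshold: fewer requests cannot show a rhythm
MAX_JITTER = 0.15   # assumed threshold: std-dev / mean of the gaps between requests

# Assumed log format: <ISO timestamp> <client ip> <method> <url> "<user agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample log. 10.0.0.5 fetches the upd4t3 account on two sites every
# 10 minutes (bot-like); 10.0.0.9 browses Twitter at irregular, human intervals.
SAMPLE_LOG = """\
2009-08-14T09:00:00 10.0.0.5 GET http://twitter.com/upd4t3 "Mozilla/4.0 (compatible; MSIE 6.0)"
2009-08-14T09:02:13 10.0.0.9 GET http://twitter.com/home "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"
2009-08-14T09:03:40 10.0.0.9 GET http://twitter.com/home "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"
2009-08-14T09:05:00 10.0.0.5 GET http://jaiku.com/upd4t3 "Mozilla/4.0 (compatible; MSIE 6.0)"
2009-08-14T09:10:00 10.0.0.5 GET http://twitter.com/upd4t3 "Mozilla/4.0 (compatible; MSIE 6.0)"
2009-08-14T09:15:00 10.0.0.5 GET http://jaiku.com/upd4t3 "Mozilla/4.0 (compatible; MSIE 6.0)"
2009-08-14T09:20:00 10.0.0.5 GET http://twitter.com/upd4t3 "Mozilla/4.0 (compatible; MSIE 6.0)"
2009-08-14T09:25:00 10.0.0.5 GET http://jaiku.com/upd4t3 "Mozilla/4.0 (compatible; MSIE 6.0)"
2009-08-14T09:30:00 10.0.0.5 GET http://twitter.com/upd4t3 "Mozilla/4.0 (compatible; MSIE 6.0)"
2009-08-14T09:31:05 10.0.0.9 GET http://twitter.com/home "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"
2009-08-14T09:35:00 10.0.0.5 GET http://jaiku.com/upd4t3 "Mozilla/4.0 (compatible; MSIE 6.0)"
2009-08-14T09:40:00 10.0.0.5 GET http://twitter.com/upd4t3 "Mozilla/4.0 (compatible; MSIE 6.0)"
2009-08-14T09:41:00 10.0.0.9 GET http://www.google.com/ "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"
2009-08-14T11:12:50 10.0.0.9 GET http://twitter.com/home "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    host = (urlparse(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "host": host, "path": urlparse(url).path, "ua": ua}


def find_feed_pollers(log_text):
    """Return {(client, host, path): stats} for clients that re-fetch the same
    account path on a watched host at least MIN_HITS times with low timing jitter."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] not in WATCHED_HOSTS:
            continue
        hits[(rec["client"], rec["host"], rec["path"])].append(rec["ts"])

    findings = {}
    for key, stamps in hits.items():
        if len(stamps) < MIN_HITS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg   # 0.0 means perfectly regular polling
        if jitter <= MAX_JITTER:
            findings[key] = {"hits": len(stamps), "mean_gap_s": avg, "jitter": jitter}
    return findings


if __name__ == "__main__":
    for (client, host, path), stats in sorted(find_feed_pollers(SAMPLE_LOG).items()):
        print(f"{client} polls {host}{path}: {stats['hits']} hits, "
              f"every {stats['mean_gap_s']:.0f}s, jitter {stats['jitter']:.2f}")
```

Run against the sample, the script reports 10.0.0.5 for both twitter.com/upd4t3 and jaiku.com/upd4t3 and stays quiet about the human browser on 10.0.0.9. In a real deployment the watch list would include the hosts your users legitimately visit, so treat a hit as a lead to inspect the client rather than proof of infection; a dashboard widget or an auto-refreshing tab produces the same rhythm.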
At the time of writing, the account upd4t3, from which the malware fetched its commands, has already been removed from the micro-blogging websites.

[Figure 3 – User name giving malware commands was removed]
Win32/Kuwiter.A is capable of downloading additional malware onto the infected system. It also collects information about the system and sends it to a remote site.

[Figure 4 – Information gathered and sent by the malware]
Please be aware of this kind of behavior. If you notice unusual, encoded or otherwise meaningless-looking messages on a micro-blogging website, please report them to the site's administrator so that the account can be monitored closely.
Also, make sure you keep your CA security products up to date with the latest signatures.