
August 6th, 2009

Twitter knocked offline by DDoS attack; Koobface returns with a twist

Posted by Ryan Naraine @ 9:46 am

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Data theft, Denial of Service (DoS), Exploit code, Facebook, Flash, Malware, Punditocracy, Responsible disclosure, Social Networking Applications, Spam and Phishing, Viruses and Worms, Vulnerability research, Web 2.0

Tags: Kaspersky Lab, DOS, Twitter, Attack, Koobface, Security, Spyware, Adware & Malware, Cyberthreats, Ryan Naraine

Popular microblogging service Twitter was knocked offline for an extended period this morning by what appears to be a massive distributed denial-of-service attack.

Twitter confirmed the outage was linked to malicious attackers in a brief status message posted around 11:00 a.m. EST.

We are defending against a denial-of-service attack, and will update status again shortly.

Update: the site is back up, but we are continuing to defend and recover from this attack.

Here’s a chart from Arbor Networks showing how the DDoS attack affected Twitter:

The denial-of-service attack coincides with the launch of a new Koobface malware run using Twitter messages as a distribution vector for fake security software (scareware).

According to Kaspersky Lab’s Stefan Tanase (see important disclosure), the new wave of Koobface attacks includes a change in tactics.  The hackers are now using a well-designed Facebook lookalike page and unique Twitter messages to trick Windows users into downloading scareware programs.

This Twitter Search shows examples of the attacks underway.

A user clicking on a malicious link in Twitter is presented with a fake Facebook page with what purports to be an embedded video file.

The target is presented with an Adobe Flash Player upgrade message but this too is fake and dangerous. If the user attempts to apply the Flash Player update, the machine is infected with rogue security software that badgers the user into paying for a disinfection tool.

The latest wave of Koobface links is bypassing the Google Safe Browsing API that’s now being used by Twitter to filter out malicious links.

This week everyone’s been talking about how Twitter started to use the Google Safebrowsing API to block tweets containing malicious URLs. It is definitely going to stop some attacks, but as we’re seeing with the current attack, it won’t eradicate the problem completely. It’s clearly a step forward, but a single swallow doesn’t make a summer.

Kaspersky’s Tanase has identified about 100 unique IP addresses hosting Koobface malware executables.

Facebook and FriendFeed were also suffering through minor outages this morning.  It is not yet clear if this is related to Twitter’s problems.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.



Most recent of 14 Talkback(s):
Does the same logic apply to MS?
Because when I patched Windows, and Conficker took advantage of the already patched vulnerability (on unpatched systems), I was told that Windows is insecure and MS was to blame. So I am just wondering whether your logic also applies to that case.

Thanks!...
Posted by: Qbt Posted on: 08/14/09 (Edited: 08/14/09 @ 09:29)