Analyzing Twitter short URLs

A short URL is a shortened form of a long, non-human-friendly URL. This is especially useful on microblogging sites like Twitter.
Twitter limits a tweet to only 140 characters, so posting a long URL together with a descriptive message is difficult. Twitter's own link shortening service reduces the URL to 19 characters so that it fits in the tweet. According to Twitter, this shortening service checks the URL being posted against a list of potentially dangerous sites, and when a match is found a message like the one below is displayed.

Twitter warning message

Yesterday, I stumbled upon a similar short URL from Twitter: http://t.co/637ov58H.

Social engineering Tweet

This URL was redirecting to hxxp://rcbraziltrading.com/ups/uploads/1327600787.exe, and that's when I realized how much security work Twitter performs on short URLs ;) The rest of this post shows you the capabilities of the so-called video on President Obama's sex life.

I pulled the binary and saw the file below, with a nice media player icon.

For a quick analysis, I ran it in a sandbox to check its capabilities. The highlights of the analysis are as follows:

File System changes:

Obama Pic

  • As soon as the binary was executed in the sandbox, it dropped a file named OBAMA DO SEX.exe under the C:\Documents and Settings\Administrator\Local Settings\Temp\ folder and later executed it to display the adjacent image.
  • Downloaded the file 1327370303.exe from rcbraziltrading.com and saved it as a1.exe in %WINDIR%.
  • The dropped binary a1.exe then injected a thread into explorer.exe and copied itself as server.exe under the C:\Program Files\Bifrost\ folder.
  • Changed the timestamp of server.exe to 14th April 2008 6:12 AM and also set the file attributes to Read-Only and Hidden.

Registry changes:

  • Set itself as the path of multiple special folders, so that whenever one of those special folders is expanded, the malware gets executed.
  • These special folders included:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache

Network Activity:

  • The malware tried to resolve the following two domain names:
    • rcbraziltrading.com (184.173.103.226)
    • 88tamazight.zapto.org (41.92.24.226)
  • Connected over HTTP and issued GET 84.173.103.226/ups/uploads/1327370303.exe

Detection:

Potential infections by this malware can easily be detected by searching proxy or DNS logs for the specific requests listed above. As the detection rate on VirusTotal is not that great, you can also blackhole these IP addresses and block the domains at your proxy servers to neutralize the threat unless your antivirus catches it.
Microsoft, however, does detect this threat (SHA1: 61ad5ea5d8a2a27f889c04877d4e4971b4e2e14e) as TrojanDownloader:Win32/Small.AIN. Cool.
The SNORT rules below can also help detect this specific threat on your network.

alert udp any any -> any 53 (msg:"DNS request to malicious domain Detected"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|rcbraziltrading|03|com|00 00 01|"; fast_pattern:only; sid:1000006; rev:1;)

alert udp any any -> any 53 (msg:"DNS request to malicious domain Detected"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|88tamazight|05|zapto|03|org|00 00 01|"; fast_pattern:only; sid:1000007; rev:1;)
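As an added illustration (my own code, not part of the original post), the following Python shows how the content bytes in the two rules above are derived from the domain names, and reproduces the rules' logic (the byte_test on the DNS flags byte plus the encoded-name match) over a constructed DNS query. The function names are my own.

```python
import struct

# The two domains the sample resolved, taken from the analysis above.
MALICIOUS_DOMAINS = ["rcbraziltrading.com", "88tamazight.zapto.org"]


def encode_qname(domain: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ended by a zero byte."""
    out = b""
    for label in domain.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length out of range: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def snort_content(domain: str) -> str:
    """Render the encoded name plus QTYPE A (00 01) as a Snort content string,
    e.g. '|0F|rcbraziltrading|03|com|00 00 01|' as used in the rules above."""
    parts = ["|%02X|%s" % (len(label), label)
             for label in domain.rstrip(".").split(".")]
    return "".join(parts) + "|00 00 01|"


def build_query(domain: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed standard DNS query (RD set, one question) used as sample input."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(domain) + struct.pack(">HH", qtype, 1)


def matches_rule(payload: bytes, domain: str) -> bool:
    """Same two checks the Snort rules make:
    byte_test:1,!&,0xF8,2 -> byte at offset 2 has QR=0 and opcode=0 (a standard
    query, so answers coming back from the resolver are ignored);
    content -> the encoded name followed by QTYPE A appears in the payload."""
    if len(payload) < 12 or payload[2] & 0xF8:
        return False
    return (encode_qname(domain) + b"\x00\x01") in payload


def scan_dns_payload(payload: bytes) -> list:
    """Return the listed domains whose rule would fire on this UDP payload."""
    return [d for d in MALICIOUS_DOMAINS if matches_rule(payload, d)]


if __name__ == "__main__":
    for d in MALICIOUS_DOMAINS:
        print(d, "->", snort_content(d), scan_dns_payload(build_query(d)))
```

Note that the rules match the name bytes case-sensitively; a resolver that randomizes query-name case would need nocase added to the content option.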

Conclusion:

Don't click on a short link, no matter who shares it, unless you expand it to see the actual long URL. You can use http://longurl.org/ to expand short URLs.

Stay safe!


This entry was posted on Thursday, January 26th, 2012 at 1:47 pm and is filed under Malware analysis, Snort Signature.