Evil Twitter… Finding malware amongst the maelstrom..
Would it surprise you to know that yesterday, more than 5000 tweets were posted with URLs which would have dropped you on sites which distribute malware?
It was only a small portion of the total number of tweets containing URLs, around 2.5 million or so, and there were an additional ~200,000 that went to sites whose status McAfee was not too sure about (we are busy scanning them, as we do all sites which come to our attention where we don’t have a “reputation”). Still – there were 5000 tweets, guaranteed to get you in trouble.
You can guess, perhaps, that for a while now McAfee, or rather my Innovation Team, has been working on a project to generate some deep analytic evidence from the Twitter fire hose – we’re trying to answer the question “how do you apply the concept of reputation to a social media system?” Knowing how cyber-criminals use Twitter to entice people to visit their sites is just the first step in the process.
Our project lets us probe the Twitter stream for malware-related concepts. One interesting thing you can see from the charts below, for example, is that there’s a pretty consistent trend of tweets containing URLs to malware, which follows the general Twitter tweet rate.
When you compare to the known good, and currently unflagged sites (a small portion of which may turn into bad sites over the next few days)
If this was not bad enough, the vast majority of the tweets are shortened links, either by Twitter’s built-in engine, t.co, or one of the hundreds of other link shortening engines like http://mcafe.ee and http://bit.ly.
Yes, you read that right – people try to propagate malware over Twitter, using McAfee’s GTI protected short link service – what are they thinking?
Looking at the average user experience, not only are they unaware that tweets may contain links to malware, but the links are “obscured” by short URL services, making it even easier for you to be tempted to…
“Click here to see pictures of cute puppies - http://mcaf.ee/09db36“
Digging a little deeper, it’s interesting to look at the domains these links are coming from – for example, in the last 24 hours looking at all tweets with URLs, and taking the top offenders of known bad URLs (ones guaranteed to get you in trouble)…
Curious, don’t you think, that there’s not one safe, suspicious or unknown tweet to these domains? That every single tweet in the last 24 hours containing a URL to these domains would have dropped you on a known malware site?
In a future blog, I hope to be able to tell you more about the engine we’re using to generate this data – it’s not as simple as it may seem on the surface (try absorbing hundreds of tweets a second and expanding all the URLs to work out the final destination, then working out the GTI reputation of that destination etc), but I thought this result interesting enough to share.
Next for us is looking at user behavior – we can already pick out known “bad actors” – accounts which only ever propagate malware, but we are thinking about the problem of users whose tweets are mostly good, with the occasional bad one – how do they fit into the equation?
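The steps described above (expand each short link to its final destination, rate that destination, then group by domain and by account), as an added Python example that is not McAfee's engine. The redirect table, reputation table, tweets and every name in it are constructed stand-ins for live HTTP redirects and a reputation lookup.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed data: REDIRECTS stands in for live HTTP redirects from shorteners,
# REPUTATION for a reputation-service lookup (hypothetical names and hosts).
REDIRECTS = {
    "http://short.example/a1": "http://t.example/x9",
    "http://t.example/x9": "http://bad-site.example/puppies",
    "http://short.example/b2": "http://news.example/story",
    "http://short.example/loop": "http://short.example/loop",
}
REPUTATION = {"bad-site.example": "bad", "news.example": "good"}
TWEETS = [  # constructed (user, url) pairs
    ("spam_bot", "http://short.example/a1"),
    ("spam_bot", "http://bad-site.example/puppies"),
    ("alice", "http://short.example/b2"),
    ("alice", "http://news.example/story"),
    ("alice", "http://short.example/a1"),
    ("bob", "http://short.example/loop"),
    ("bob", "http://new-site.example/"),
]

def expand(url, max_hops=5):
    """Follow redirects to the final URL; None on a loop or too many hops."""
    seen = set()
    while url in REDIRECTS:
        if url in seen or len(seen) >= max_hops:
            return None
        seen.add(url)
        url = REDIRECTS[url]
    return url

def summarize(tweets):
    """Count ratings per final-destination host and per posting user."""
    by_domain, by_user = defaultdict(Counter), defaultdict(Counter)
    for user, url in tweets:
        final = expand(url)
        host = urlsplit(final).hostname if final else None
        rating = REPUTATION.get(host, "unknown")  # unresolved or unrated
        by_user[user][rating] += 1
        if host:
            by_domain[host][rating] += 1
    return by_domain, by_user

def profile(counts):
    """Label each host or user: 'all_bad', 'mixed' (some bad) or 'no_bad'."""
    return {k: "all_bad" if c["bad"] == sum(c.values()) else "mixed" if c["bad"] else "no_bad"
            for k, c in counts.items()}
```

Rating the final destination rather than the short link is what lets a two-hop chain and a direct link count against the same domain; a redirect loop is recorded as unknown for the user and attributed to no domain.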
And of course, on the horizon for 2012 are products using this data – would you like these bad tweets stripped out of your feed, or flagged in your Tweet reader? Would you like to have these known “bad users” and domains automatically ignored?
Simon Hunt is the VP and Chief Technology Officer for McAfee Endpoint Protection, and formerly the CTO for SafeBoot International. Simon has been designing, implementing and speaking about data security since 1996. You can read my full Bio.