This article was published on December 7, 2010

New Twitter Worm on the loose, don’t click suspicious links. Details here.


New Twitter Worm on the loose, don’t click suspicious links. Details here.

Updates at the foot of the post.

There’s a worm spreading rapidly across twitter. It appears to be a tweet with no text but just a URL. A twitter search highlights the extent of the problem.

The URL appears to be identical: http://goo.gl/R7f68 on every tweet but it’s highly likely that it will alter itself at some point.

What we’ve been able to learn is that the worm seems to be either creating or using a number of spam/newer accounts – that said a few influentials have also tweeted the URL. The results of the search only go back about 6 hours, so it hasn’t been around that long and appears to stem from mobile.twitter.com.

More interesting is this screenshot from a tool that lets you check the full URLs behind short ones. It apparently redirects to http://artcan-developpmement.fr/tw.html. Very odd.

Update: Nils Geylen posted the following in the comments section, highlighting that attackers look to have compromised a legitimate French furniture website and then loaded forwarding scripts to take users to a number of different malicious domains which look to serve malware:

http://artcan-developpement.fr (without the extra m: oppement instead of oppmement) is a regular French site selling design furniture of some sort. The bit after the slash of course redirects to various exe or php files on several other domains (e.g. detecproforyou.us/twit.php or robsearch.info/tre/sena.exe) then results in a 404 for that file. But at the source for that page and it’s empty. Tried this on a secondary Linux machine. Not sure what was supposed to happen.

Update 2: There are a number of tweets showing up in many users’ streams that are advertising the service Fllwrs, all links are cloaked using the Goo.gl domain shortener. The tweet read as follows:

Just found the easiest way to track who follows and unfollows you – http://goo.gl/kLE5M

We have spoken with the developers at Fllwrs and have been assured that the tweet was a by-product of code used for testing purposes and has now been resolved. The service is not malicious, it just sent out a lot of automated messages recommending people to use the service.

Remember, if you have think your Twitter account may have been compromised by a service, you should head to Twitter.com and revoke its access.

To do this, head into: Settings -> Connections -> Find the app and REVOKE ACCESS!

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with