Kaspersky: Truncated URLs May Lead To Botnet Hell

Shortened tweeted URLs can often lead to malicious websites, warns Kaspersky

The use of shortened URLs is becoming more popular for malware attacks, according to Kaspersky Lab’s latest Monthly Malware Statistics report. As anti-malware software continues to improve its traps for infected sites, the attackers are finding other ways to attract the unsuspecting browser.

Shortened URLs, provided by services such as TinyURL, Bit.ly and Goo.gl, turn long and cumbersome URLs into short substitute URLs of less than a dozen characters – which is particularly useful for character-constrained Twitter messages.

Pointers To Infected Destinations

The shortened URL can be placed in tweets, on websites or in emails to avoid the problems that occur when a long URL is broken by line breaks. When the substitute URL is clicked, the browser first contacts the shortening service, which looks the short code up in its table and redirects the request to the original site.

The real address is hidden from the user and an attacker may use the disguised URL to lead the unwary user to a malicious site or straight into a malware download.

The problem has been prevalent for over a year. In December 2009, Bit.ly partnered with VeriSign and Websense to check each registered URL target for malicious content. In reaction, the attackers have found ways to create complex chains of redirections across the Internet, ultimately leading to an infected site.
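The two mechanisms described above, a shortener's look-up table and a multi-hop redirect chain, can be inspected from the defender's side by expanding a short URL without ever loading the final page. The following is an added example written for this article; it is not code from Kaspersky, Bit.ly or any shortening service. The HTTP layer is injectable: `http_head` issues real HEAD requests with urllib and refuses to auto-follow redirects, while `constructed_fetch` is a made-up in-memory table (all `*.example` hosts are constructed) that imitates a shortener and a two-hop redirect chain so the example runs offline. The `is_risky` heuristic (flagging chains that cross more than two domains, loop, or exceed a hop budget) is an assumption of this example, not a rule from the report.

```python
"""Expand a shortened URL by walking its HTTP redirect chain hop by hop.

Added example, not from the article or any shortening service.  Each hop
is requested with HEAD and redirects are resolved manually, so the final
destination is recorded without its content ever being downloaded.
"""
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Expansion:
    hops: list = field(default_factory=list)     # every URL visited, in order
    domains: list = field(default_factory=list)  # distinct hostnames, in order
    final: str = ""                              # last URL reached
    status: str = "ok"                           # ok | loop | too_many_hops | error


def http_head(url, timeout=5):
    """Real fetcher: one HEAD request, returning (status_code, Location header).

    The redirect handler returns None so urllib does not follow 3xx itself;
    the 3xx then surfaces as HTTPError, from which we read the Location.
    """
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def expand(url, fetch=http_head, max_hops=10):
    """Follow redirects from `url`, recording each hop; stop on loops or budget."""
    result = Expansion()
    seen = set()
    current = url
    while True:
        if current in seen:                # same URL twice: redirect loop
            result.status = "loop"
            break
        if len(result.hops) >= max_hops:   # attacker-style long chain
            result.status = "too_many_hops"
            break
        seen.add(current)
        result.hops.append(current)
        try:
            code, location = fetch(current)
        except Exception:                  # DNS failure, timeout, refused
            result.status = "error"
            break
        if code in REDIRECT_CODES and location:
            # Location may be relative; resolve it against the current URL.
            current = urljoin(current, location)
            continue
        break                              # a non-redirect answer ends the chain
    result.final = result.hops[-1]
    result.domains = list(dict.fromkeys(urlsplit(h).hostname for h in result.hops))
    return result


def is_risky(expansion, max_domains=2):
    """Heuristic (an assumption of this example): anything other than a clean
    shortener -> destination hop, or a chain bouncing across several domains,
    deserves a closer look before the link is trusted."""
    return expansion.status != "ok" or len(expansion.domains) > max_domains


# Constructed offline stand-in for the shortener's look-up table plus the
# redirect chain behind it.  Hostnames are made up for this example.
CONSTRUCTED_TABLE = {
    "http://short.example/abc": (301, "http://hop1.example/r?x=1"),
    "http://hop1.example/r?x=1": (302, "/r2"),                 # relative Location
    "http://hop1.example/r2": (302, "http://bad.example/download.exe"),
    "http://bad.example/download.exe": (200, None),
    "http://short.example/loop": (302, "http://hop1.example/back"),
    "http://hop1.example/back": (302, "http://short.example/loop"),
}


def constructed_fetch(url):
    """Offline fetcher that answers from CONSTRUCTED_TABLE (404 if unknown)."""
    return CONSTRUCTED_TABLE.get(url, (404, None))


if __name__ == "__main__":
    for short in ("http://short.example/abc", "http://short.example/loop"):
        exp = expand(short, fetch=constructed_fetch)
        print(short, "->", exp.final, exp.status, "risky" if is_risky(exp) else "clean")
```

With the real `http_head` fetcher the same `expand` call resolves live short links; the only difference is which function is passed as `fetch`, which keeps the chain-walking and loop-detection logic testable without network access.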

In July last year, Symantec warned that spam containing shortened hyperlinks led to botnet downloads, naming Storm as a popular infection. And now Kaspersky has added that December 2010 saw a high level of malevolent uses of shortened URLs, especially in Twitter messages.

Fake AV still rife

Another trend mentioned by the Russia-based lab is the use of fake antivirus scans. These notify users that their computer is infected and offer to clean it up, or suggest downloading a scam antivirus package. Kaspersky said that these methods have now entered its Top 20 malicious programs list.

Topping the list is AdWare.Win32.HotBar.dh, a program that is installed alongside a legitimate program, which serves as its Trojan-horse cover. Once installed, it plagues the user with unwanted advertising and can be very difficult to track down and remove.

In its home country, Kaspersky Lab has seen the rise of the .рф (Cyrillic abbreviation for the Russian Federation) domain name. Online scammers have grabbed the new domain with glee to make enticing offers of software downloads, unbelievable bargains and fake music and film archives. Almost all are designed to infect visitors with botnet software. Fortunately for Western Europe, few people there use Cyrillic alphabets on their computers, but since a shortened URL hides the Cyrillic domain completely, users still have to be wary.