Guy Kawasaki’s Twitter Feed Used to Spread Porno Trojan

Guy Kawasaki's hugely popular Twitter feed was used to spread a rare Mac Trojan.

Ex-Apple evangelist Guy Kawasaki’s Twitter feed has been used to spread a Mac Trojan.

Kawasaki’s popular feed, which has 140,000 subscribers, included a link on Tuesday night to what purported to be a sex tape featuring Gossip Girl actress Leighton Meester. However, the link pointed to the OSX/Jahlav-C Trojan, a rare Mac Trojan that has popped up recently on a couple of porno websites.

Kawasaki said the link was the result of leaving his feed open to “user generated” stories.

“Here’s the scoop,” Kawasaki said by email to CoM. “I used Twitterfeed to insert the Truemors feed into my tweets (Here’s the feed). I thought that was a 100% safe, moderated feed, but I now know it isn’t. ‘User generated’ stories can get inserted into that feed. The bottom line is that my Twitter account wasn’t hacked; Twitter-Twitterfeed was all working right. It’s just that a bad story got into the feed that was refed by me.

“My short career as a pornographer lasted 45 minutes. :-)”

Graham Cluley, a spokesman for Sophos, a British security firm which first publicised the malware tweet, said it was the first time he’d heard of Twitter being used to spread the Mac malware.

“Guy is the only person we’ve discovered by this attack, but it may just be that he’s the most high profile,” said Cluley.

However, Twitter has been used before to spread malware on Windows. In August, security firm Kaspersky Lab warned of banking Trojans posing as porno tapes of Brazilian pop star Kelly Key.

The malware affects Windows as well as Mac users, but on the Mac it is a fairly pathetic Trojan. It poses as an ActiveX Video Object, a technology associated with Windows, and Mac users have to type their username and password during the install procedure. On Windows it installs automatically.

“Of course, there is much more malware for Windows than Mac, and users have to give permission to install the code,” said Cluley. “Nevertheless a high profile Twitterer like Guy publishing the link could mean a higher number of victims.”

The OSX/Jahlav-C Trojan is what Sophos calls a “DNS changing Trojan,” and may attempt to download further malware from the net. What the malware might be, no one seems to have discovered yet. If anyone’s been infected on the Mac, they are not rushing forward to report what the payload does.
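One check that follows from the “DNS changing Trojan” description is to compare the resolvers a Mac is actually using against the ones you expect. The script below is an added example, not code from the article, Sophos or Cult of Mac: it parses the output format of the macOS `scutil --dns` command (the sample text is constructed for this example and the addresses are made up) and flags any nameserver outside an allowlist of addresses or networks. The expected-resolver list is an assumption you would replace with your own network’s values.

```python
import ipaddress
import re
import subprocess
import sys

# Constructed sample modeled on `scutil --dns` output on macOS.
# 192.168.1.1 stands for the expected home router; 203.0.113.7 is a
# documentation-range address standing in for an unexpected resolver.
SAMPLE_SCUTIL_OUTPUT = """\
DNS configuration

resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.7
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
"""

# Matches lines such as "  nameserver[0] : 192.168.1.1" and captures the address.
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.M)


def parse_nameservers(scutil_output: str) -> list[str]:
    """Return every nameserver address listed in scutil --dns style output."""
    return NAMESERVER_RE.findall(scutil_output)


def unexpected_nameservers(scutil_output: str, expected: list[str]) -> list[str]:
    """Return configured nameservers that fall outside the expected set.

    `expected` holds IP addresses or CIDR networks; a bare address is treated
    as a /32 (or /128) network. Anything unparseable is flagged as well, since a
    resolver entry that is not an address deserves a look.
    """
    allowed = [ipaddress.ip_network(e, strict=False) for e in expected]
    flagged = []
    for ns in parse_nameservers(scutil_output):
        # Drop an IPv6 scope suffix such as "%en0" before parsing.
        try:
            addr = ipaddress.ip_address(ns.split("%")[0])
        except ValueError:
            flagged.append(ns)
            continue
        if not any(addr in net for net in allowed):
            flagged.append(ns)
    return flagged


if __name__ == "__main__":
    # On a Mac, read the live configuration; elsewhere fall back to the sample.
    if sys.platform == "darwin":
        output = subprocess.run(["scutil", "--dns"], capture_output=True,
                                text=True, check=True).stdout
    else:
        output = SAMPLE_SCUTIL_OUTPUT
    expected = ["192.168.1.0/24"]  # assumed allowlist; replace with your own
    bad = unexpected_nameservers(output, expected)
    print("unexpected nameservers:", bad if bad else "none")
```

Run on the sample it reports `203.0.113.7`; a DNS-changing infection of the kind the article describes would show up the same way, as a resolver you did not configure. Checking the system resolver list on a schedule, and alerting on any change, is the general form of this control.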

Screenshot from Sophos' webpage detailing the OSX/Jahlav-C Trojan.