Using independently developed tools that scan tweets for threats, security researchers from Kaspersky and Trend Micro concluded that the micro-blogging platform has become a popular attack vector. The number of malicious URLs identified on Twitter suggest that the problem is slowly, but surely getting worse.

Because the results of their independent research into the Twitter attacks problem were almost identical, Costin Raiu, chief security expert with Kaspersky Lab's Global Research & Analysis Team, and Mortom Swimmer, advanced threat researcher at Trend Micro, have decided to give a joint presentation of their findings during the Virus Bulletin 2009 conference being held this week in Geneva.

The Kaspersky team led by Mr. Raiu built a service to analyze URLs posted in tweets, which they dubbed “Krab Krawler.” The tool watches the public Twitter timeline, which currently averages to 300 tweets per second, and extracts the URLs from them. In order to process most, if not all, of the tweets, the researchers had to get their tool added to a special Twitter whitelist, which allows them to perform 20,000 queries per hour, with a query being able to return multiple results.

All the identified URLs are saved in a database, but because most of them are shortened, a common practice on Twitter, the Kaspersky team also built a module to expand them into their original form. In an interview for threatpost, Mr. Raiu notes that more than 99% of URLs found on Twitter are obscured using a URL shortener service, and of those, over 75% are using bit.ly.

After the URLs have been expanded, another module processes them and downloads the content, which is then scanned for malware. According to Costin Raiu, Krab Krawler is processing around half-a-million URLs per day and judging on a scale from one to ten, he estimates that the threat level of malicious links on Twitter is currently seven.

The statistics revealed that the most frequently posted URL during the month of August was pointing to a dating website, which has been linked to malware in the past. Raiu notes that, based on the data gathered for the past four months, the situation is slowly deteriorating.

In terms of identified threats, the researchers found that many of the malicious URLs apparently point to regular spam, but a decent percentage of them are also linking to legit websites that have been compromised in mass injection attacks and are now attempting to infect visitors. Then there's the URLs generated by social networking worms such as Koobface, the ones used to distribute scareware and of course the ones pointing to phishing websites.

Watch Costin Raiu's interview for threatpost at the Virus Bulletin 2009 Conference:



View the slides of Costin Raiu and Mortom Swimmer's joint presentation at the Virus Bulletin 2009 Conference: