Hackers step up game, spread malware using Bin Laden bait
Facebook scams also ramp up as criminals exploit major news event
Hackers today stepped up their use of Osama Bin Laden's death by shoving malware into PCs when users fall for phony claims of photographs and video, security researchers said today.
"It's not really surprising," said Mikko Hypponen, the chief research officer of Helsinki-based F-Secure. "We were expecting to see related malware."
The shift to direct attacks follows Monday's campaigns to push fake security software, dubbed "rogueware," to both Windows and Mac users.
Earlier today, F-Secure warned users to steer clear of spam that included the "Fotos_Osama_Bin_Laden.zip" archive attachment. The messages claim the file contains photos of Bin Laden after he was shot and killed by U.S. special forces during a 40-minute firefight in his compound in the northern Pakistani city of Abbottabad.
Running the resulting Windows executable file doesn't display photographs, but instead launches a new banking Trojan horse belonging to the three-year-old "Banload" line, said Hypponen. The malware sniffs out online banking sessions and then tries to redirect payments to other accounts.
Other security companies have also snared malware packaged with Bin Laden spam.
Today, Symantec said it had found email messages touting photos and video of the U.S. attack's aftermath. The messages, which so far have been written in French, Portuguese and Spanish, lead users to a fake CNN Web site where they're told to download video.
As in the F-Secure instance, the download is, in fact, a "dropper" that in turn downloads malicious code to the Windows PC.
Bin Laden scams are also spreading quickly on Facebook, Hypponen and others said.
The latest scam plays on the reputation of Wikileaks, the organization that has leaked thousands of U.S. military and diplomatic messages during the last year.
"Osama is dead, watch this exclusive CNN video which was censored by Obama Administration due to level of violence, a must watch," claims the Facebook spam. "Leaked by Wikileaks."
The criminals make money, said security firm Commtouch, by eventually shunting to users a marketing page that generates pay-per-click revenues.
Hackers and scammers are able to rapidly ramp up attacks whenever a major news story breaks because they're simply tweaking existing malware or schemes, said Hypponen. And some of their processes are even automated.
"The [search engine poisoning] is fully automated," Hypponen said, referring to the tactic where hackers and other cyber criminals pollute search engine results with pages containing links to malicious sites.
"They automatically generate pages with worthless content, or sometimes with no content at all," said Hypponen. "This works especially well when the news hasn't yet been covered by a normal site. It's possible for anybody to get their page within the top 10 [results] by being fast enough."
Hypponen expected that cyber criminals will continue to exploit Bin Laden's death for some time to come. "They usually keep trying longer than it actually works," he said. "Most people won't be falling for [such scams] for very long, but the video might work for a while, because I wouldn't expect the U.S. to release a real video."
Also part of the Bin Laden campaigns, experts said yesterday, was the first attempt by online crooks to push Mac-specific rogueware to Apple's customers.
This exploit is already covered by McAfee. It was included in DAT 6335, which went out on May 3rd.
Threat Identifier(s): Generic.dx!zcy
Threat Type: Malware
Risk Assessment: Low
Main Threat Vectors: Web; LAN; WAN; Peer-to-Peer Networks; E-Mail
User Interaction Required: Yes
Description: The Generic.dx!zcy Trojan lures victims with bogus links to photos of Osama Bin Laden. Similar malware attacks have occurred across various social media sites and image repositories and other vectors (Google image searches, Facebook, email-spam campaigns). This Trojan downloads additional malware (fake-alert variants, Generic Downloader.x) and disables specific components (Windows Task Manager) of the compromised operating system. Common filenames are "Fotos_Osama_Bin_Laden.exe," "fotos-do-osama-morto.exe," and similar variations.
Importance: Low. This threat has gained media attention.
McAfee Product Coverage *
DAT files: Coverage is provided as "Generic.dx!zcy" in the 6335 DATs, released May 3.