Malicious Google Spam Alleging News Video from Bin Laden
We're seeing a new Google Spam run with a malware component making the rounds where the subject line of the message alleges that some of the more popular news agencies have released a Special Report with respect to a new video having been released from Osama bin Laden. Volume is currently only less than 1% of total inbound virus traffic, so it is pretty low, but is yet another abuse of the Google PageRank system in an attempt to deliver malware.
Some of the subject lines that we have seen include:
Special issue of news from CNN! Urgent Fresh News Usama Ben Laden!
Special issue of news from CNBC! Urgent Fresh News Usama Ben Laden!
Special issue of news from Financial Times! Urgent Shocking News Usama Ben Laden!
Special issue of news from CNN! Urgent Apocalyptic News Usama Ben Laden!
Special issue of news from Bloomberg! Urgent Fresh News Usama Ben Laden!
You can see a fairly common theme here.
The email itself is somewhat lengthy and mostly discusses the tragedies that bin Laden has orchestrated against targets around the world. The most pertinent parts of the message appear at the top (as usual, many grammatical errors exist throughout the message):
Special issue of news from Reuters! Urgent Dangerous News!
hxxp://www.google.com/pagead/iclk?sa=l&ai=PBXCNHM&num=03311&adurl=
Usama bin Laden(Osama bin Laden) one of the largest organizers of terrorist
activity, and similarly the largest leaders of terrorist organization of Al
Kaeda, detained American soldiery force in
Also, as of the time of this posting the link to hxxp://cavelldemar.org/news_usa.php (domain registered in Spain) is still active and AV identification is spotty:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.4.22.0 | 2008.04.21 | Win-Trojan/Agent.77824.DX |
| AntiVir | 7.8.0.8 | 2008.04.21 | TR/Crypt.XPACK.Gen |
| Authentium | 4.93.8 | 2008.04.20 | - |
| Avast | 4.8.1169.0 | 2008.04.21 | - |
| AVG | 7.5.0.516 | 2008.04.21 | Downloader.Zlob.12.AH |
| BitDefender | 7.2 | 2008.04.21 | - |
| CAT-QuickHeal | 9.50 | 2008.04.19 | (Suspicious) - DNAScan |
| ClamAV | 0.92.1 | 2008.04.21 | - |
| DrWeb | 4.44.0.09170 | 2008.04.21 | - |
| eSafe | 7.0.15.0 | 2008.04.17 | Suspicious File |
| eTrust-Vet | 31.3.5720 | 2008.04.21 | - |
| Ewido | 4.0 | 2008.04.21 | Backdoor.Agent.gxg |
| F-Prot | 4.4.2.54 | 2008.04.20 | - |
| F-Secure | 6.70.13260.0 | 2008.04.21 | Backdoor.Win32.Agent.gxg |
| FileAdvisor | 1 | 2008.04.21 | - |
| Fortinet | 3.14.0.0 | 2008.04.21 | - |
| Ikarus | T3.1.1.26 | 2008.04.21 | Trojan.Win32.Revelation |
| Kaspersky | 7.0.0.125 | 2008.04.21 | Backdoor.Win32.Agent.gxg |
| McAfee | 5277 | 2008.04.18 | - |
| Microsoft | 1.3408 | 2008.04.21 | TrojanDropper:Win32/Nuwar.gen!lds |
| NOD32v2 | 3043 | 2008.04.21 | - |
| Norman | 5.80.02 | 2008.04.18 | - |
| Panda | 9.0.0.4 | 2008.04.20 | - |
| Prevx1 | V2 | 2008.04.21 | - |
| Rising | 20.41.02.00 | 2008.04.21 | - |
| Sophos | 4.28.0 | 2008.04.21 | Mal/Generic-A |
| Sunbelt | 3.0.1056.0 | 2008.04.17 | - |
| Symantec | 10 | 2008.04.21 | - |
| TheHacker | 6.2.92.285 | 2008.04.19 | - |
| VBA32 | 3.12.6.4 | 2008.04.16 | Trojan.Win32.Revelation |
| VirusBuster | 4.3.26:9 | 2008.04.21 | - |
| Webwasher-Gateway | 6.6.2 | 2008.04.21 | Trojan.Crypt.XPACK.Gen |
Fake video downloads and updates have been a pretty common theme for the Storm Worm folks for quite some time now. This "news story" social engineering tactic is what Storm originally used to get most people infected back in January, 2007, so many people have already "been there, done that" which is likely why infection rates are staying pretty low.
Posted by smasiello at 11:32 AM | Link | 0 comments
Comments
No comments found.
