Malware scammers exploiting Boston bomb tragedy by email
April 17, 2013
Tonight, I discovered a new malware attack tactic in the MailWasher Pro Recycle Bin. It was automatically deleted because it matched the conditions I created in a filter I call Exploit Link. In this case, the filter was matched by a numeric IP in the URL, instead of a domain name. Numeric URLs, especially those ending with a .htm or .html file are hostile 99.999999999% of the time. This one sure was.
The email arrived very late, at about 1 AM, Eastern time. Its sender was nobody I know, but it contained this enticing subject:
Explosion at the Boston Marathon
The total content in the message body was only a link, in this (deactivated) form:
h**p://220.127.116.11/news.html (Don't go there!)
UPDATE; April 17, 2013, at 2:55 PM EDT:
I have now discovered some new numeric links containing the file name "/boston.html" - leading to exploit pages.
This is what is known as a numeric URL or hyperlink. It does not point to any known or registered domain name, just to an IP address. Spammers have set up a malicious web page on some compromised computer or hand held smart device that has been assigned a static IP address (usually by their broadband Internet service provider). In this case, the IP 18.104.22.168 is assigned to a "Kyivstar" GSM mobile broadband customer in Kiev, Ukraine. That IP address is already listed on my Russian Blocklist, under the CIDR 22.214.171.124/16.
All of the links I have found in these email scams are leading to computers or devices located in Russia, Bulgaria, Latvia, or The Ukraine. This is an attack hosted by criminals based in the Former Soviet Union.
What awaits you at this numeric URL, ending in the file named: news.html?
The destination web page, news.html, contained
four multiple iframes, three all but one of which have embedded YouTube videos of the Boston bombing scene. However, the 4th last iframe contains a link to a hostile Java Applet, located on a compromised web site. This Java Applet will attempt to jump out of the Java"Sandbox" and infect your operating system. This can only happen if you have Java installed and if it is a vulnerable version that they have specifically targeted for its vulnerabilities.
NOTE: Java was just updated on April 16, 2013. This was to fix 42 exploitable vulnerabilities! Go to www.java.com to see if you have Java installed and if so, what version. Then update to the newest version and make sure all older versions are uninstalled. Better yet and safer, uninstall all instances of Java from your computer and eliminate the number one attack vector used in all the major malware exploit kits.
But wait, there's more! What if you don't have Java installed, or it is unplugged from your browser, or if you operate with reduced user privileges?
In addition to the hostile iframe at the bottom of the page, there is also an HTML Meta Refresh after 60 seconds to begin downloading a malicious executable file, named: "boston.avi_______.exe." Those 7 connected underscores are there to move the .exe extension out of your line of focus, to make you think it is a harmless .avi movie. This all happens automatically. That downloaded file then attempts to install a backdoor into your computer and download other Trojans to it. It may cause a User Account Control box to appear, asking for permission to run that program. Some people may think it is just part of the video displays about the Boston tragedy and be tricked into allowing the installation to continue; by typing in their Administrator password, or just giving it an Okay. Do that and your machine becomes infected by the Trojan inside that fake .avi movie file that is really a .exe (executable program) file.
The latest incarnation of the Boston Bombing Exploits (BBE), on 4/17/2013, in the mid-afternoon, does not contain the 60 second timeout for a forced Trojan download. All of the exploiting comes via the included Java Applet and its .jar file. However, some of the exploit pages still contain the Meta Refresh timed download.
I wrote this to warn others about this new and present danger to your online security. Please stay alert to the tricks used by cyber criminals who want to steal your data, identity, bank accounts, extort money from you, or use your computer as part of a spam and/or attack botnet. Emails of this nature are very dangerous. If you must watch news articles about disasters and terrorist attacks, go to CNN, or Fox, or ABC, or CBC, or the BBC, or your preferred online authentic news web site and watch them there. All legitimate news web sites have video feed sections for breaking news.
God Bless the victims of the Boston Terror attack of April 15, 2013 and their families. God Damn the cyber criminals who exploit terrible events like this for their own unlawful benefit and our loss.
Trend Micro Internet Security products, for home and office users, use in-the-cloud malware definitions that are updated every day, all day, as soon as new or altered strains of viruses and other malware are detected in the wild and analyzed. By offloading the bulk of these ever changing virus definitions to cloud servers, the load on your computers is greatly reduced. All users of Trend security programs are instantly protected from hostile web pages laden with malware exploits and hostile email, by the Trend Micro Smart Protection Network.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Movable Type 4.38