The Latest in IT Security

KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast

17 Apr 2013

Within less than 24 hours, cybercriminals had already taken advantage of Monday’s explosion at the Boston Marathon as a newsworthy lure. My colleague Mary Ermitano-Aquino noted a spam outbreak of more than 9,000 Blackhole Exploit Kit spammed messages, all related to the tragedy that killed at least three people and injured many more. Some of the spammed messages used subjects such as “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video,” and “Video of Explosion at the Boston Marathon 2013,” to name a few. Below is a spam sample she found:

Figure 1. Sample spam email related to the Boston Marathon blast

The spammed message contains only the URL http://{BLOCKED}/boston.html, but once clicked, it displays a web page with an embedded video, supposedly from YouTube. By this point, users who clicked the link may already have downloaded malware without knowing it, a so-called drive-by download attack. Here’s a screenshot of the web page with the embedded video:

Figure 2. Malicious web page with the embedded video

Simply clicking the link in the email triggers an automatic download from the URL http://{BLOCKED}.boston.avi_______.exe. In the lower left-hand corner of the download bar, the file name boston.avi_____.exe is shown as a downloaded file. This is actually a malicious file, a new variant of the WORM_KELIHOS malware family.
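The file name above relies on a decoy media extension (.avi) followed by a run of filler characters so that the real .exe extension is pushed out of view in a narrow download bar. As an added example that is not part of the original post, the following Python check is the kind of heuristic a mail gateway or proxy could apply to attachment and download names. It generalizes the page's single case to other decoy and executable extensions and other filler characters; the extension lists are my assumptions, not values from the page.

```python
import re

# Extensions Windows will execute directly (assumed list, not from the page).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}

# Extensions commonly used as decoys to make a file look like media or a document
# (assumed list, not from the page).
DECOY_EXTS = {
    "avi", "mp4", "mpg", "wmv", "mov", "mkv",
    "jpg", "jpeg", "png", "gif",
    "pdf", "doc", "docx", "xls", "xlsx", "txt",
}

# <name>.<decoy><filler>.<real> where filler is spaces, underscores or dashes.
# The filler group is what hides the real extension in a narrow UI element.
_DISGUISE_RE = re.compile(
    r"\.(?P<decoy>[a-z0-9]{2,5})(?P<filler>[ _\-]*)\.(?P<real>[a-z0-9]{2,4})$",
    re.IGNORECASE,
)


def classify_filename(name: str):
    """Return a dict describing the disguise if `name` looks like an executable
    hiding behind a decoy extension, otherwise None."""
    match = _DISGUISE_RE.search(name.strip())
    if match is None:
        return None
    decoy = match.group("decoy").lower()
    real = match.group("real").lower()
    if real not in EXECUTABLE_EXTS or decoy not in DECOY_EXTS:
        return None
    return {
        "decoy_ext": decoy,
        "real_ext": real,
        # Length of the padding; zero means a plain double extension like photo.jpg.exe.
        "filler_len": len(match.group("filler")),
    }


def is_disguised_executable(name: str) -> bool:
    return classify_filename(name) is not None


if __name__ == "__main__":
    # Constructed sample names; the first mirrors the one seen in the download bar.
    for sample in ["boston.avi_______.exe", "boston.avi", "setup.exe",
                   "report.pdf                .scr", "photo.jpg.exe", "archive.tar.gz"]:
        print(f"{sample!r:40} -> {classify_filename(sample)}")
```

Filtering on file names is only a first tripwire: a defender should still verify the actual content type (for example, the MZ header) rather than trust either extension.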

WORM_KELIHOS.NB routines

Throughout the course of my investigation, I noticed that the IP address behind the download link varies every time it is accessed. As of this writing, we have confirmed that these IP addresses are located in several countries, including Argentina, Taiwan, the Netherlands, Japan, Ukraine, Russia, and Australia. The URL also downloads other similar malware from different links, as seen in the URL log below:

Figure 3. Malicious URL log

The downloaded samples have the same behavior and the same file size, differing only in the icons and file names used.

Our analysis also shows that WORM_KELIHOS.NB hides all the directories on the removable drive and replaces each with a .LNK file that uses a folder icon. Opening the shortcut executes the malware before it opens the original folder. In addition, it creates .LNK files on infected removable drives with the command C:\WINDOWS\system32\cmd.exe F/c “start %cd%\game.exe. Below is a screenshot of an infected removable drive:

Figure 4. Removable drive infected by WORM_KELIHOS.NB
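The folder-icon shortcut trick described above leaves a recognizable footprint on the drive: a .LNK file whose name collides with a (now hidden) sibling directory, and whose link data launches cmd.exe to start a payload. As an added example, not from the original post or from Trend Micro, here is a Python scan of a removable drive's root that looks for that pair of signs. The Shell Link header bytes are the documented .LNK magic; the constructed sample layout built by build_sample_drive() is mine and contains no real malware, only a shortcut whose string data mimics the command line quoted in the post.

```python
import os
import shutil
import tempfile

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_HEADER = bytes.fromhex("4c000000011402000000000000c000000000000046")
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit exposed by os.stat().st_file_attributes


def is_shell_link(data: bytes) -> bool:
    """True if the bytes begin with a valid Shell Link header."""
    return data[:len(LNK_HEADER)] == LNK_HEADER


def is_hidden(path: str):
    """Windows hidden attribute; None where the platform does not expose it."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def lnk_launches_cmd(data: bytes) -> bool:
    """Heuristic: the link's string data names cmd.exe. Strings inside .lnk
    files are usually UTF-16LE, so check that encoding as well as ASCII."""
    lowered = data.lower()
    return any(needle in lowered for needle in (b"cmd.exe", "cmd.exe".encode("utf-16-le")))


def scan_removable_root(root: str) -> list:
    """Flag .lnk files in `root` whose stem collides with a sibling directory
    (the folder-icon shortcut trick) and note whether they invoke cmd.exe."""
    entries = os.listdir(root)
    dirs = {e for e in entries if os.path.isdir(os.path.join(root, e))}
    findings = []
    for entry in sorted(entries):
        if not entry.lower().endswith(".lnk"):
            continue
        stem = entry[:-4]
        with open(os.path.join(root, entry), "rb") as f:
            data = f.read()
        if not is_shell_link(data):
            continue  # not a real shortcut; out of scope for this check
        collides = stem in dirs
        launches_cmd = lnk_launches_cmd(data)
        if collides and launches_cmd:
            verdict = "folder-hijack-likely"
        elif collides or launches_cmd:
            verdict = "review"
        else:
            continue
        findings.append({
            "lnk": entry,
            "shadowed_dir": stem if collides else None,
            "dir_hidden": is_hidden(os.path.join(root, stem)) if collides else None,
            "launches_cmd": launches_cmd,
            "verdict": verdict,
        })
    return findings


def build_sample_drive(root: str) -> None:
    """Constructed sample layout (no real malware): one hijacked folder,
    one untouched folder, one benign shortcut and one plain file."""
    os.makedirs(os.path.join(root, "photos"))
    os.makedirs(os.path.join(root, "work"))
    # Mimics the command line quoted in the post, stored as UTF-16LE string data.
    hijack = 'cmd.exe /c "start %cd%\\game.exe"'.encode("utf-16-le")
    with open(os.path.join(root, "photos.lnk"), "wb") as f:
        f.write(LNK_HEADER + hijack)
    with open(os.path.join(root, "notes.lnk"), "wb") as f:
        f.write(LNK_HEADER + "C:\\Windows\\notepad.exe".encode("utf-16-le"))
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("benign file\n")


def demo() -> list:
    """Build the constructed sample drive in a temp dir, scan it, clean up."""
    root = tempfile.mkdtemp(prefix="usb_scan_")
    try:
        build_sample_drive(root)
        return scan_removable_root(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real drive, call scan_removable_root() with the mount point (for example E:\ on Windows); dir_hidden is populated there and is strong supporting evidence, while on other platforms it stays None and the verdict rests on the name collision and the cmd.exe reference alone. The scan deliberately covers only the drive root, which is where the post shows the shortcuts being planted; extending it to subdirectories is a one-line change with os.walk.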

This worm has the capability to steal credentials from various File Transfer Protocol (FTP) clients such as LeapFTP, P32bit FTP, FTP Control, SecureFX, BitKinex, FileZilla, and many more. One noteworthy routine is that it harvests email addresses from the affected computer’s local drive.

Spreading like wildfire

As of today, we have noted a significant number of malicious URLs related to the Boston Marathon explosions gathered via the Trend Micro™ Smart Protection Network™, with the United States leading the pack among the countries we monitored.

Figure 5. Trend Micro™ Smart Protection Network™ data for malicious URLs related to the Boston Marathon bombings

Aside from the spam sample discussed earlier, we also found that other platforms are being abused to spread similar threats. Malicious Tweets and links on free blogging platforms were also crafted just hours after the blast took place.

Figure 6. Malicious Tweets and blog posts

This goes to show that a cybercriminal’s work is never done. Taking advantage of newsworthy events is a cybercrime staple; each new scheme varies slightly from the last, producing a never-ending cycle of malicious mischief.
