The Latest in IT Security

Boston Marathon – malicious emails

25 Apr 2013

What virus writers do is always unwelcome, but sometimes it is also disgusting. Exploiting tragic events such as wars or terror attacks is what makes the difference. People already spend time getting rid of unwanted email, and now virus writers are using the Boston Marathon tragedy as bait for their “social engineering tricks”.

The subjects of these malicious emails vary.
Here are a few examples we have seen:

    “Marathon Explosion 2013”
    “Runner captures. Marathon Explosion”
    “Boston Explosion Caught on Video”
    “Boston Marathon 2013”
    “Explosion at Boston Marathon”
    “Explosions at Boston Marathon”
    “Explosions at the Boston Marathon”
    “Aftermath to explosion at Boston Marathon”
    “BREAKING – Boston Marathon Explosion”
    “BREAKING NEWS- Boston Marathon Explosion”
    “Video of Explosion at the Boston Marathon 2013”
    “2 Explosions at Boston Marathon”

Sometimes the string CNN.com is appended to the subject to make the message look even more like a legitimate news alert.

The body of these malicious emails is very small and contains only one malicious URL.
The first part of the URL is always:
“http://”

The second part is the host, which varies from sample to sample; in the samples we have seen it is a bare IP address, for example:
“118.141.37.122”

The last part is one of:
“/boston.html”, “/news.html”, “/bostoncnn.html”, “/cnn_boston.html” or “/boston_cnn.html”
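The subject wording and the URL shape described above are enough to write a first-pass mail filter. The script below is an added example, not code from the original post or from Total Defense; it turns those indicators into a triage function and runs it over three constructed messages (the sample addresses and the two example.org links are invented; the IP address and page name in the first message are the ones quoted in the post). It generalizes the post slightly: any link whose host is a bare IPv4 literal and whose path is one of the listed page names is treated as malicious, not only the one IP quoted.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Indicators lifted from the post: the subject wording, the IP-literal
# host style of the links and the page names used at the end of the URL.
SUBJECT_TERMS = ("marathon", "explosion")
SUSPECT_PATHS = {
    "/boston.html", "/news.html", "/bostoncnn.html",
    "/cnn_boston.html", "/boston_cnn.html",
}
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def extract_urls(text):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def suspicious_urls(urls):
    """Keep links whose host is a bare IPv4 literal and whose path is
    one of the page names the campaign used."""
    hits = []
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if IPV4_RE.match(host) and parsed.path.lower() in SUSPECT_PATHS:
            hits.append(url)
    return hits


def subject_matches(subject):
    """True for subjects built like the ones listed in the post."""
    s = subject.lower()
    return "boston" in s and any(term in s for term in SUBJECT_TERMS)


def triage(raw_message):
    """Classify one RFC 822 message as 'block', 'review' or 'ok'."""
    msg = message_from_string(raw_message, policy=default)
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    urls = extract_urls(body)
    bad = suspicious_urls(urls)
    # The post notes that the bodies are tiny and carry exactly one link;
    # surface that shape to the analyst as corroborating evidence.
    single_link_body = len(body.strip()) < 200 and len(urls) == 1
    if bad:
        verdict = "block"
    elif subject_matches(subject):
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "subject": subject,
        "urls": urls,
        "bad_urls": bad,
        "single_link_body": single_link_body,
        "verdict": verdict,
    }


# Constructed sample messages (not real captures). The IP and the page
# name in the first one are the ones quoted in the post.
SAMPLE_MALICIOUS = """\
From: news@example.net
To: victim@example.org
Subject: BREAKING - Boston Marathon Explosion CNN.com

http://118.141.37.122/boston.html
"""

SAMPLE_TOPICAL = """\
From: alice@example.org
To: bob@example.org
Subject: Boston Marathon 2013 photos

Here are the pictures from Monday: https://photos.example.org/marathon
Regards, Alice
"""

SAMPLE_BENIGN = """\
From: alice@example.org
To: bob@example.org
Subject: Friday lunch menu

Menu is at http://intranet.example.org/news.html
"""

if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS, SAMPLE_TOPICAL, SAMPLE_BENIGN):
        result = triage(sample)
        print(result["verdict"], result["subject"], result["bad_urls"])
```

A subject match alone only earns "review", because legitimate mail about the marathon used exactly these words that week; the IP-literal host plus one of the campaign's page names is what justifies an outright block.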

It is possible that nothing will happen when a careless user clicks the link, because most of the hosting sites have already been removed, blocked or suspended.

Otherwise, the following happens on the affected machine:
Most likely the site shows one or more YouTube videos, which may contain footage of the Boston tragedy.

Meanwhile a Java exploit attempts to run, and on success downloads and executes a hidden malicious executable. This executable can be modified or replaced with a different threat at any time.

Most likely it is a mass-mailing Trojan designed to send malicious messages to every address in the victim's address book.

It moves itself to the Windows %TEMP% folder and creates registry keys so that it runs each time Windows starts.
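The persistence described above (an executable living in %TEMP% that is launched from a Run key) is cheap to hunt for. The script below is an added example, not code from the original post or from Total Defense: it parses a registry export in the text format produced by `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and flags autorun values whose target lives in a temp directory. The export text is constructed for the example, the parser handles only string values (hex:/dword: entries are skipped), and the temp-path markers and the assumption that an unquoted command line ends at its first space are mine.

```python
# Registry key suffixes and path fragments used by the check. Matching is
# case-insensitive; the markers are an assumption about where "temp" lives.
RUN_KEY_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
TEMP_MARKERS = (
    "%temp%", "%tmp%", "\\appdata\\local\\temp\\", "\\windows\\temp\\",
)


def unescape_reg_string(s):
    """Undo .reg escaping (doubled backslashes and escaped quotes)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Minimal parser for 'Windows Registry Editor Version 5.00' text.
    Returns {key_path: {value_name: string_value}}; only REG_SZ values
    are kept, hex:/dword: values are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, sep, value = line.partition('"=')
            if sep and value.startswith('"') and value.endswith('"'):
                keys[current][name[1:]] = unescape_reg_string(value[1:-1])
    return keys


def command_path(value):
    """Return the executable part of an autorun command line."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    # Unquoted: assume the first whitespace ends the path (good enough
    # for the %TEMP%-style paths this check cares about).
    return value.split()[0] if value else ""


def suspicious_autoruns(keys):
    """Autorun values whose target executable lives in a temp directory."""
    findings = []
    for key_path, values in keys.items():
        if not key_path.lower().endswith(RUN_KEY_SUFFIXES):
            continue
        for name, command in values.items():
            exe = command_path(command).lower()
            if any(marker in exe for marker in TEMP_MARKERS):
                findings.append({"key": key_path, "name": name, "command": command})
    return findings


# Constructed registry export (not from a real machine). Two of the
# entries point into a temp directory; the other two are ordinary.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\bob\\AppData\\Local\\Temp\\winupdate.exe"
"Helper"="%TEMP%\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"""

if __name__ == "__main__":
    for finding in suspicious_autoruns(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{finding['key']} :: {finding['name']} -> {finding['command']}")
```

On a live host the same logic can be pointed at the real hives by exporting both the HKCU and HKLM Run and RunOnce keys; a legitimate installer rarely leaves its autorun target under %TEMP%, so each hit deserves a look even when the file name imitates a system binary.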

If this executable is updated, modified or replaced with a different threat, detection by AV vendors is not guaranteed. Total Defense AV detects this threat heuristically and generically.

Anyway, the virus writers' face has once again been revealed as an ugly one. I wish all the people of the world to be safe and to live in peace, always.
