Tuesday, June 30, 2009

Michael Jackson headline used in Password Stealing scheme

Last week we reported that a Fake Microsoft Critical Update was one of the top sources of active computer exploitation being delivered in the emails we were watching in the UAB Spam Data Mine. That campaign took the weekend off and emerged Monday morning with a new feature that we shared with you yesterday. The same campaign has mutated yet again, but now is pretending to be a conspiracy email about Michael Jackson!

The new campaign uses email like this one:



which redirects visitors to more than 40 different websites which all look like this:



The list of websites we've seen so far in our spam include all of these:

MJackson.1ffli.com.mx
MJackson.hhili.com.mx
MJackson.hilli.com.mx
MJackson.ijjik1.com
MJackson.ijjik1.net
MJackson.ijjil1.com
MJackson.ijjil1.net
MJackson.ijjilk.com
MJackson.ijjilk.net
MJackson.ijjill.com
MJackson.ijjill.net
MJackson.ijjkl1.net
MJackson.ijkil1.com
MJackson.ijkil1.net
MJackson.ikikij.com
MJackson.ikilfk.com
MJackson.ikilij.com
MJackson.ikilij.net
MJackson.ikilik.net
MJackson.ikilkj.com
MJackson.ikilkj.net
MJackson.ikjil1.com
MJackson.ikjil1.net
MJackson.ikklij.com
MJackson.ilifi.com.mx
MJackson.iljihli.com.mx
MJackson.kiffil.com.mx
MJackson.kjjil1.com
MJackson.kkilij.com

Analysis of the malware performed by UAB Malware Analyst, Brian Tanner, a Computer Forensics student, reveals that just visiting the website is enough to infect your computer. Especially if the visitor doesn't have the current version of Adobe Acrobat Reader.

Older versions of Adobe Acrobat have a vulnerability that allows JavaScript to run when a PDF file is viewed. Visitors to the Michael Jackson X-Files website are asked to download and run a program called:

x-file-MJacksonsKiller.exe

But even if the visitor is wise enough not to open the file, a secret IFRAME embedded on the site will cause an infected PDF file to be downloaded and opened in a background window. If the Adobe Reader is an old version, the Javascript in the PDF will cause the .exe file to download and execute anyway.

VirusTotal reveals that only 10 of 41 anti-virus products currently detect this malware. Here's a VirusTotal Report.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.