We have reported numerous times about the dangers that lure around as soon as any kind of special holiday is around or a hot topic floods the news. And, as expected: Recently, there has been various malware connected to Osama Bin Laden. Let's have a look at two examples:
The whole world wanted to see a proof of his death, and the spammers are willingly providing it:
The file linked to is a downloader - In this particular case it downloaded several files (one DLL-file and two exe-files), executed the exe-files to install an IE "Add-On" and sends back a message to the server, including the computer's name, to report the infection.
The files are detected as follows:
IE "Add-On": Gen:Variant.Kazy.20476
The installed browser plug-in, a BHO, has full access to the data a users enters and can therefore harvest and steal information - in this case, especially online banking details.
The MS Word document spreading malware:
This text document was designed to execute remote code in Microsoft Word and Microsoft Outlook by using a vulnerability described in CVE-2010-3333) to drop and execute an embedded malicious exe-file.
In this particular case the prepred RTF document unpacks a backdoor/bot (Trojan.Generic.KDV.211541). The bot tries to connect to some C&C-Server to report some general information about the infected computer (hostname, etc.). Furthermore, it enables the botmaster to send commands to the victim's computer, e.g. to download and execute even more arbitrary files to execute. So, additional malware can be installed on the victim's computer at any time.
The following screenshot shows the dedicated code areas for the RTF document, the exploit/shellcode and the payload:
Besides the fact that both examples are connected to one of the hot topics of the past days, the methods to infect the computers are nothing new. Moreover the attack seems to be a quick reaction of the malware authors to 'go with the flow'. Unfortunately, there will have been many unwary users who clicked the links and fell for the sensation scam.
G Data's advice: