Sunday, May 1, 2011

Malware sites already capitalizing on announcement of Osama Bin Laden's Death

Update (05/02/11 9:40am EST): A before/after comparison of the photoshopped image used in the malicious post can be found here.

Within hours of the announcement of Osama Bin Laden's death, we are already seeing malicious sites emerge to capitalize on the news. One Spanish-language site displays a purported photo of a murdered Osama Bin Laden and includes a story about the US-led operation. Farther down the page, the reader is presented with a Flash Player window with a message indicating that the user must first update a plugin for VLC, a popular media player, in order to view the video. When the user clicks on the link, they download a file titled XvidSetup.exe. This file is actually a popular adware tool known as Hotbar. At present, 19 of 41 antivirus engines are blocking the file.

Sadly, there will be no shortage of scams taking advantage of this historic global news. Users should use caution any time a site claims to be offering video or photos related to this news.

- michael

8 comments:

SpamLoco said...

Is the capture of the Spanish site this one? (http://bit.ly/l66iso+) Because it is the same, but I do not see the fake player.

www.segu-info.com.ar said...

Hi ;)
It seems similar but without the links and fakes.

Zscaler, is that capture real? From where?

Cristian

Michael Sutton said...

@SpamLoco The fake VLC warning was below the narrative of the story, which is now displaying rotating ads. It isn't clear if the malicious content was replaced by the ads or if the news site itself was the victim of malicious advertising taking advantage of the story.

Michael

Michael Sutton said...

Cristian - Take a look at the response to SpamLoco and also see the live blog that we're maintaining to post Osama Bin Laden related malware as we see it: http://research.zscaler.com/2011/05/osama-bin-laden-related-malware.html

Anonymous said...

Any word on whether or not this is affecting mobile devices (Apple &/or Android)? It reposted on my facebook page, but how can I tell if my iPad has been compromised?

Anonymous said...

Any word on whether or not this is affecting mobile devices (Apple &/or Android)? It reposted on my facebook page, but how can I tell if my iPad has been compromised?

SpamLoco said...

Thanks for the reply. The ads on the site are very suspicious; also, because of the IPs, we probably saw different things.

(sorry for my bad English writing)

Michael Sutton said...

@Anonymous We haven't yet seen mobile-specific attacks, but many of the scams leverage social engineering and would therefore also affect users accessing them via mobile devices.