Monday, May 2, 2011

Osama Bin Laden Related Malware

We'll continue to update this blog post with new malware we're seeing related to Osama bin Laden's death, as we expect to see plenty.

---

hxxp://www.pharmafutar.hu/images/home/fotos.php

leads to low A/V detection malware:

hxxp://www.pharmafutar.hu/images/home/urgentes.dyndns.tv.fotos-osama-bin-laden-morto.com

VirusTotal Report (3/41): Trojan / Koobface

---

More Facebook scams that attempt to trick the end user into pasting JavaScript into the URL bar in order to further propagate the scam.

hxxp://www.facebook.com/pages/Heavenly-father-Help-Us-all/209589715729272
hxxp://www.facebook.com/pages/Osama-Death-Live/213631485333118



---

Interesting statistic: Zscaler went from seeing fewer than 1,000 URLs containing the terms 'osama', 'usama' or 'laden' on Sunday afternoon, to a peak of over 4 million by 10am PST on Monday morning.
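One way to hunt proxy logs for this wave, added here as an example and not Zscaler's own code: it flags logged URLs that contain the three terms above and whose path ends in an executable file name, as several URLs in this post do. The function names, the media-hint pattern and the sample hosts are assumptions.

```python
import re
from urllib.parse import urlsplit

# Terms from the statistic above.
TERMS = re.compile(r"osama|usama|laden", re.IGNORECASE)
# File-name endings Windows runs as programs; both appear in this post's URLs.
EXEC_EXT = (".exe", ".com")
# Assumed hints that a file name poses as a video or photo.
MEDIA_HINT = re.compile(r"\.(avi|mpg|mp4|wmv|jpg)[._]|video|foto", re.IGNORECASE)
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def refang(url):
    """Make a defanged hxxp:// indicator parseable again."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return url if "://" in url else "http://" + url

def triage(url):
    """Return the reasons (possibly none) a logged URL deserves a closer look."""
    parts = urlsplit(refang(url))
    filename = parts.path.rsplit("/", 1)[-1]
    reasons = set()
    if TERMS.search(parts.netloc + parts.path):
        reasons.add("keyword")
    # Only the path is checked, so an ordinary .com domain is not flagged.
    if filename.lower().endswith(EXEC_EXT):
        reasons.add("executable")
        if MEDIA_HINT.search(filename):
            reasons.add("media-lure")
        if IPV4_HOST.match(parts.hostname or ""):
            reasons.add("ip-host")
    return reasons

# Constructed sample: hosts are placeholders, file names are modelled on the post's.
SAMPLE = [
    "hxxp://files.example.test/ans/TELEVISA.NOTICIAS.Video-Bin.Laden.AVI.exe",
    "hxxp://192.0.2.10/images/OSAMA-BIN-Laden-aparece.exe",
    "hxxp://shop.example.test/BinLadenMorto.avi_de_msn-videos.com",
    "hxxp://news.example.test/2011/05/cae-osama-bin-laden.html",
    "hxxp://www.example.com/index.html",
]

def hunt(urls):
    """Map each URL with a keyword and an executable file name to its reasons."""
    return {u: r for u in urls if {"keyword", "executable"} <= (r := triage(u))}

if __name__ == "__main__":
    for url, reasons in hunt(SAMPLE).items():
        print(sorted(reasons), url)
```

Keyword-only hits, such as the news-story URL in the sample, are left out of `hunt` because the terms alone also match legitimate coverage.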



---

There are a handful of sites cropping up that advertise that Osama is alive. When visited, the page appears as follows:

The go.php script redirects to an Osama is Alive Facebook profile, such as:
hxxp://www.facebook.com/pages/Osama-is-Alive/127361454008017


This particular profile is down; however, there do appear to be a number of other related Facebook profile pages recently created:


I have not witnessed anything malicious at the moment in this campaign, but because of the spammy nature and the number of sites / profiles, it makes our list.

---

hxxp://www.limitsmodelos.com.br/ans/TELEVISA.NOTICIAS.Video-Bin.Laden.AVI.exe

V/T Report (32/42): Trojan Rinecud / Pincav

---

hxxp://www.facebook.com/pages/Exclusive-Osama-Bin-Laden-Death-Video/201412819897862?sk=app_4949752878

Asks Facebook users to 'like' the scam and then copy/paste JavaScript into their URL bar, in order to generate Facebook content promoting the scam. The page alleges that once 25,000 Facebook users have promoted the scam, they will reveal the Osama Bin Laden death video.



---

hxxp://www.binladensdeathvideo.info/

Let's just call this 'poor man's Likejacking', with a dash of malvertising. The site walks a user through manually 'liking' content and then posting it to their Facebook page, which is allegedly required before the video can be viewed. Upon clicking on the 'WATCH THE VIDEO NOW' link, a fake 'age verification' screen is displayed, requiring the user to click on advertising links.





---

Osama Bin Laden Death Video Facebook Scams:

For example,

hxxp://www.facebook.com/pages/Exclusive-Osama-Bin-Laden-Death-Video/201412819897862?sk=app_4949752878

--> spyingonyou.info/osama/a.js


Many other Facebook profiles as well:

---

hxxp://www.blogdelnarco.com/2011/05/cae-osama-bin-laden.html


News story which includes links to video with fake VLC warnings. The page may be infected with malvertising. The malware is not consistently displayed on the page.

V/T report (19/41): Hotbar Adware

---

hxxp://osamabinladenfotosineditas.blogspot.com/

Fake codec warning that leads to Hotbar Adware

A variety of attacks are included on the page, including Likejacking and Adware.

V/T Report (20/41): Hotbar Adware

---

hxxp://terrorismo.myhotting.com/videos/paquistao/terrorismo/osama/02/05/2011/video-em-que-OSAMA-BIN-Laden-aparece-segurando-jornal-com-a-data-de-hoje.php

302 redirects to:

hxxp://130.237.197.211/images/OSAMA-BIN-Laden-aparece-segurando-jornal-com-a-data-de-hoje-obama-se-passa-por-mentiroso.exe

V/T Report (24/41): Trojan Banload

Seen spread primarily through spamvertised messages to mail.live.com

Others seen:
68.7.242.6/images/OSAMA-BIN-Laden-aparece-segurando-jornal-com-a-data-de-hoje-obama-se-passa-por-mentiroso.exe
33.225.237.6/images/OSAMA-BIN-Laden-aparece-segurando-jornal-com-a-data-de-hoje-obama-se-passa-por-mentiroso.exe
148.227.118.6/images/OSAMA-BIN-Laden-aparece-segurando-jornal-com-a-data-de-hoje-obama-se-passa-por-mentiroso.exe
131.128.109.6/images/OSAMA-BIN-Laden-aparece-segurando-jornal-com-a-data-de-hoje-obama-se-passa-por-mentiroso.exe
100.166.108.6/images/OSAMA-BIN-Laden-aparece-segurando-jornal-com-a-data-de-hoje-obama-se-passa-por-mentiroso.exe

Other Banload:
noticias.terra.woonet.co.kr/videos/paquistao/terrorismo/osama/05/05/2011/video-proibido-mostra-momento-da-execucao-de-obama-por-agentes-na-operacao.exe

V/T Report (19/41)

---

hxxp://shop.akod.se/BinLadenMorto.avi_de_msn-videos.com

V/T Report (7/41): Password Stealing Trojan

---
