Cybercriminals wasted no time riding on the tragic and shocking news of former Pakistan Prime Minister Benazir Bhutto’s assassination, as Websense discovered a number of malicious Web sites that came up on Google search results using the simple search term “benazir.” These sites attempt to infect users who want to know more about the unfortunate incident.
TrendLabs researchers found that one of the sites in question indeed has an embedded malicious JavaScript redirect, which Trend Micro detects as JS_AGENT.AEVE.
The malicious script downloads a Trojan (already detected TROJ_SMALL.LDZ), which in turn downloads more malicious files, namely WORM_HITAPOP.O and TROJ_AGENT.AFFR.
A graphical representation of this routine is as follows:
Upon further investigation, however, TrendLabs found that there is a host of other news sites and blogs taking advantage of this news.
Moreover, the malicious JavaScript is apparently not exclusive to news sites — it is also present in other Web sites with a broad scope of topics and interests. There are many other sites that have been possibly compromised (or that include the malicious JavaScript), including Autoworld, Vino, Dogpile, MSN, BlogSpot (yes, again), etc.
According to Trend Micro Advanced Threats Researcher Paul Ferguson, searching for this same malicious JavaScript code URL (the malicious script) yields 4,240 results. If the search is narrowed down to also include “benazir,” there would be only 103 results.
All related malicious URLs are already blocked by the Content Security Team and are thus inaccessible to Trend Micro customers.
December 29th, 2007 at 2:05 pm
[...] to Trend Micro researchers, certain sites purporting to contain information on the assassination have malicious Javascript [...]
December 29th, 2007 at 2:51 pm
[...] According to Trend Micro, certain sites that say to contain more information on the assassination have malicious Javascript embedded within them. End users wanting more information on the event can conceivably be directed to one of these infected sites, where the script (identified by Trend Micro as JS_AGENT.AEVE) runs and downloads a Trojan (TROJ_SMALL.LDZ). This new Trojan then downloads and installs WORM_HITAPOP.O and TROJ_AGENT.AFFR. [...]
January 1st, 2008 at 2:56 am
[...] makers are targeting people hungry for news about the Bhutto assassination (as well as a lot of other topics). This happened after the tsunami as well. Want to get every episode of WebbAlert automatically [...]
January 3rd, 2008 at 6:57 am
[...] compañia de seguridad y software antivirus Trend Micro, ha lanzado un aviso de seguridad en el que advierten de la creación de diversos sites que se aprovechan de la noticia del asesinato [...]
January 3rd, 2008 at 7:22 am
[...] detalles en blogantivirus o en la nota de prensa oficial de Trend [...]
January 3rd, 2008 at 8:30 am
[...] Información adicional: Trendmicro [...]
January 3rd, 2008 at 10:26 am
El asesinato de Benazir Bhutto se convierte en motivo para propagar malware…
Trend Micro alerta de la existencia de webs que contienen código malicioso aprovechando el asesinato de la ex primera ministra de Pakistán, Benazir Bhutto….
January 3rd, 2008 at 2:28 pm
[...] el blog de Trend Micro nos advierten de la propagacion de un Malware en mas de 4.240 sites, este codigo [...]
January 5th, 2008 at 7:04 pm
[...] Publicado el Enero 6, 2008 por Lestat La compañia de seguridad y software antivirus Trend Micro, ha lanzado un aviso de seguridad en el que advierten de la creación de diversos sites que se aprovechan de la noticia del asesinato [...]
March 31st, 2008 at 4:51 pm
[...] makers are targeting people hungry for news about the Bhutto assassination (as well as a lot of other topics). This happened after the tsunami as [...]