AusCERT today reported the proliferation of malicious email messages purporting to give information about how the Australian Prime Minister narrowly escaped death.
Among the subject lines that the said email messages use are the following:
- “Current Australia’s Prime Minister survived a hear attack”
- “The life of the Prime Minister is in grave danger”
- “Prime Minister survived a heard attack”
Security companies are on the alert because a similar wave of email messages spread a Trojan spyware in August 2006. While this appears to be a focused attack against the Australian computing community, it is interesting to note that there have been reports of similar email messages about other heads of state.
Furthermore, it will be remembered that another malware family found some “success” last year by using email messages announcing the supposed death of the US and Russian presidents. The NUWAR family’s eventual huge attack started with email messages that read “President Bush DEAD!” or “President Putin dead!”, among others.
The email messages contain links to malicious URLs. Trend Micro is working to monitor and analyze the said URLs. Updates will be posted as more information is gathered.
Once Trend Micro verifies the malicious nature of the said URLs, they shall be blocked by the URL Filtering Service. Meanwhile, users are advised to refrain from clicking links on email messages with the mentioned subject lines (or all email messages of dubious nature, for that matter).
The malicious URL in the email messages points to a site that contains two iFrames, one of which displays the legitimate theaustraliannews.com.au Web site, clearly an attempt to keep users from noticing that something’s amiss. The other iFrame is hidden and loads another site hosting an obfuscated script that downloads the file update.exe by exploiting the ADODB.Stream vulnerability.
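The two-iFrame layout described above (a visible frame showing the legitimate site, a hidden frame pulling the exploit page) is something mail and web filters can look for directly. The following is an added triage example, not Trend Micro’s own tooling: it matches incoming subject lines against the lure subjects quoted in this post and flags hidden iFrames that point away from the expected host. The sample page is constructed to mimic the described layout, and the hostname evil.example is a placeholder, not an indicator from this incident.

```python
"""Defender-side triage for the lure and the hidden-iFrame landing page.

Added example; the subject lines are quoted from the post (typos kept as
published), the sample HTML and the host evil.example are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject lines quoted in the post, kept verbatim.
LURE_SUBJECTS = [
    "Current Australia's Prime Minister survived a hear attack",
    "The life of the Prime Minister is in grave danger",
    "Prime Minister survived a heard attack",
]

# Legitimate site named in the post; frames to it are expected.
LEGIT_DOMAIN = "theaustraliannews.com.au"


def _normalise(subject):
    # Fold curly apostrophes, surrounding whitespace and case so that trivial
    # variations of the same lure still match.
    return (subject.replace("\u2019", "'").replace("\u2018", "'")
            .strip().lower())


_LURE_SET = {_normalise(s) for s in LURE_SUBJECTS}


def is_lure_subject(subject):
    """True if the subject is one of the quoted lure subjects."""
    return _normalise(subject) in _LURE_SET


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # HTMLParser already lowercases attribute names.
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Heuristic: display:none / visibility:hidden or a 0-1 pixel frame."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def find_hidden_iframes(html, legit_domain=LEGIT_DOMAIN):
    """Return the src of each hidden iFrame not pointing at legit_domain."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        on_legit = host == legit_domain or host.endswith("." + legit_domain)
        if _is_hidden(frame) and not on_legit:
            hits.append(src)
    return hits


# Constructed page mimicking the layout described in the post.
SAMPLE_PAGE = """<html><body>
<iframe src="http://www.theaustraliannews.com.au/" width="100%" height="800"></iframe>
<iframe src="http://evil.example/load.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""


def triage(subject, html):
    """Combine both checks into one verdict for a message and its landing page."""
    hidden = find_hidden_iframes(html)
    return {
        "lure_subject": is_lure_subject(subject),
        "hidden_iframes": hidden,
        "block": is_lure_subject(subject) or bool(hidden),
    }


if __name__ == "__main__":
    print(triage("Prime Minister survived a heard attack", SAMPLE_PAGE))
```

The iFrame heuristic is deliberately narrow (explicit hiding styles and zero-size frames); attackers can hide frames in other ways, so treat a hit as a reason to detonate or block the URL rather than as the only signal.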
The file update.exe is detected by Trend Micro as TROJ_SMALL.GHI. On execution, it downloads four files: 1.exe, 2.exe, 3.exe, and 4.exe. The downloaded file 1.exe, detected as TROJ_VB.BLV, has been found to install numerous other malicious files. Trend Micro is currently analyzing all files. More information will be posted as it is gathered.
All related URLs are now blocked by the URL Filtering Service.