We’ve been seeing a particular social engineering lure in spam runs in the past, where spammers leverage the death of a known celebrity or political figure. Recent examples of this include the death of Steve Jobs, and Amy Winehouse. In this spam run using Gadhafi’s death, however, a more compelling lure is being used to trick users into downloading malicious files.
We found several spammed messages that claim to lead to videos of Gadhafi’s death. It is important to note that videos of Gadhafi’s death do exist, and legitimate news sites like Reuters and The Washington Post tell of the graphic content in the video and even host the said videos on their websites. This existence of real videos of Gadhafi’s death relatively makes it a more compelling lure.
The first sample disguises itself as a CNN newsletter in Spanish. It tells the user to download the video footage of Gadhafi’s death through the link provided. However, the supposed video file, Video-Gadhafi.mpeg.exe, that the user is led to turns out to be malware which we detect as BKDR_IRCBOT.DAM.
BKDR_IRCBOT.DAM connects to a certain IRC server and waits for commands from a remote user. So far, the only command we’ve seen being triggered by this connection is the downloading and execution of a file from a certain IP address. The said file is another copy of BKDR_IRCBOT.DAM. We believe that this routine is this malware’s way of updating itself.
Another spam sample we found comes in plain text format and has a .RAR attachment. The mail says the attachment only contains the “late Muammar Gadhafi’s dead body pics”, but little does the user know that what he/she is extracting the malware.
The file Gadhafi.exe is verified as malicious and is already detected as BKDR_EXDEPH.A.. Upon execution, this backdoor drops and opens a .JPG file to trick users into thinking that the executed file is legitimate and to hide its execution in the background. Similar to BKDR_IRCBOT.DAM, what BKDR_EXDEPH.A does is connect to a certain URL to receive commands from a remote user. The said URL, however, is inaccessible as of this writing.
The third sample we received is in Portuguese. It has a screenshot of video footage of the bloody Gadhafi as well as a link supposedly pointing to the said video. However, the said link is currently unavailable.
The malicious files, URLs, and spammed messages are already detected and blocked accordingly through the Trend Micro Smart Protection Network. Nonetheless, users are still strongly advised to avoid clicking links found in emails sent by suspicious or unknown senders.