Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    July 2014
    S M T W T F S
    « Jun    
     12345
    6789101112
    13141516171819
    20212223242526
    2728293031  
  • About Us

    We’ve been seeing a particular social engineering lure in spam runs in the past, where spammers leverage the death of a known celebrity or political figure. Recent examples of this include the death of Steve Jobs, and Amy Winehouse. In this spam run using Gadhafi’s death, however, a more compelling lure is being used to trick users into downloading malicious files.

    We found several spammed messages that claim to lead to videos of Gadhafi’s death. It is important to note that videos of Gadhafi’s death do exist, and legitimate news sites like Reuters and The Washington Post tell of the graphic content in the video and even host the said videos on their websites. This existence of real videos of Gadhafi’s death relatively makes it a more compelling lure.

    The first sample disguises itself as a CNN newsletter in Spanish. It tells the user to download the video footage of Gadhafi’s death through the link provided. However, the supposed video file, Video-Gadhafi.mpeg.exe, that the user is led to turns out to be malware which we detect as BKDR_IRCBOT.DAM.

    BKDR_IRCBOT.DAM connects to a certain IRC server and waits for commands from a remote user. So far, the only command we’ve seen being triggered by this connection is the downloading and execution of a file from a certain IP address. The said file is another copy of BKDR_IRCBOT.DAM. We believe that this routine is this malware’s way of updating itself.

     

    Click for larger view Click for larger view

    Click for larger viewAnother spam sample we found comes in plain text format and has a .RAR attachment. The mail says the attachment only contains the “late Muammar Gadhafi’s dead body pics”, but little does the user know that what he/she is extracting the malware.

    The file Gadhafi.exe is verified as malicious and is already detected as BKDR_EXDEPH.A.. Upon execution, this backdoor drops and opens a .JPG file to trick users into thinking that the executed file is legitimate and to hide its execution in the background. Similar to BKDR_IRCBOT.DAM, what BKDR_EXDEPH.A does is connect to a certain URL to receive commands from a remote user. The said URL, however, is inaccessible as of this writing.

    The third sample we received is in Portuguese. It has a screenshot of video footage of the bloody Gadhafi as well as a link supposedly pointing to the said video. However, the said link is currently unavailable.

    The malicious files, URLs, and spammed messages are already detected and blocked accordingly through the Trend Micro Smart Protection Network. Nonetheless, users are still strongly advised to avoid clicking links found in emails sent by suspicious or unknown senders.





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon






     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice