Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro

    In less than 24 hours, cybercriminals had already taken advantage of Monday’s explosion at the Boston Marathon as a newsworthy item. My colleague Mary Ermitano-Aquino noted a spam outbreak of more than 9,000 Blackhole Exploit Kit (clarification below) spammed messages, all related to the tragedy that killed at least three people and injured many more. Some of the spammed messages used subjects such as “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video,” and “Video of Explosion at the Boston Marathon 2013,” to name a few. Below is a spam sample she found:

    Figure 1. Sample spam email related to the Boston Marathon blast

    The spammed message contains only the URL http://{BLOCKED}/boston.html, but clicking it displays a web page with an embedded video, supposedly from YouTube. By this point, users who clicked the link may already have downloaded malware without knowing it, which is known as a drive-by download attack. Here’s a screenshot of the web page with the embedded video:

    Figure 2. Malicious web page with the embedded video

    Simply clicking the link in the email triggers an automatic download from the URL http://{BLOCKED}.boston.avi_______.exe. In the lower left-hand corner of the download bar, the file name boston.avi_____.exe appears as a downloaded file. This is actually a malicious file, a new variant of the WORM_KELIHOS malware.

    WORM_KELIHOS.NB routines

    During my investigation, I noticed that the IP address behind the download link varies every time it is accessed. As of this writing, we confirmed that the IP addresses are located in several countries, including Argentina, Taiwan, the Netherlands, Japan, Ukraine, Russia, and Australia. The URL also downloads other similar malware from different links, as seen in the URL log below:

    Figure 3. Malicious URL log

    The downloaded samples have the same behavior and the same file size; they differ only in the icons used and the file names.

    Our analysis also shows that WORM_KELIHOS.NB hides all the directories on the removable drive and replaces each with a .LNK file that uses a folder icon. Opening the shortcut executes the malware before it opens the original folder. In addition, it creates .LNK files on infected removable drives with the command C:\WINDOWS\system32\cmd.exe F/c “start %cd%\game.exe”. Below is a screenshot of an infected removable drive:

    Figure 4. Removable drive infected by WORM_KELIHOS.NB
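A defender-side check for the removable-drive trick described above, added here as an example and not Trend Micro's own tooling: it parses the StringData of a Windows shortcut and flags any X.lnk that sits beside a directory X and launches cmd.exe to "start" an executable. The sample shortcut is constructed, modelled on the cmd.exe command quoted above; the function names and the detection heuristic are my own assumptions.

```python
import struct
from pathlib import Path

HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80   # MS-SHLLINK LinkFlags bits
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]  # StringData order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (target path, arguments, icon) of a .LNK."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:                    # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # skip LinkInfo (size-prefixed)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:            # each: 2-byte char count + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def is_folder_masquerade(data: bytes) -> bool:
    """Heuristic from the post: target is cmd.exe and the arguments 'start' an .exe."""
    f = parse_lnk(data)
    target, args = f.get("relative_path", "").lower(), f.get("arguments", "").lower()
    return target.endswith("cmd.exe") and "start" in args and ".exe" in args

def scan_drive(root: str) -> list:
    """Flag every 'X.lnk' that sits beside a directory 'X' and launches an executable."""
    return sorted(p.name for p in Path(root).iterdir()
                  if p.suffix.lower() == ".lnk" and p.with_suffix("").is_dir()
                  and is_folder_masquerade(p.read_bytes()))

def build_sample_lnk(target: str, args: str) -> bytes:
    """Constructed sample (not a real Kelihos file): minimal Unicode LNK, no IDList/LinkInfo."""
    flags = 0x08 | 0x20 | 0x40 | IS_UNICODE   # RelativePath, Arguments, IconLocation
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID,
                         flags, 0, 0, 0, 0, 0, 3, 1, 0, 0, 0, 0)  # icon index 3 = folder
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (target, args, "%SystemRoot%\\system32\\shell32.dll"))
    return header + body
```

On a real drive the hidden attribute on the original directory is a second signal worth checking; the parser above only looks at the shortcut itself.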

    This worm is capable of stealing credentials from various File Transfer Protocol (FTP) clients, such as LeapFTP, P32bit FTP, FTP Control, SecureFX, BitKinex, FileZilla, and many more. One noteworthy routine is that it harvests email addresses from the affected computer’s local drive.

    Spreading like wildfire
    As of today, we have noted a significant number of malicious URLs gathered via the Trend Micro™ Smart Protection Network™ related to the Boston Marathon explosions, with the United States leading the pack among the other countries we monitored.

    Figure 5. Trend Micro™ Smart Protection Network™ data for malicious URLs related to the Boston Marathon bombings

    Aside from the spam sample discussed earlier, we found that other platforms have also been exploited to spread similar threats. Malicious Tweets and links on free blogging platforms were crafted just hours after the blast took place.

    Figure 6. Malicious Tweets and blog posts

    This goes to show that a cybercriminal’s work is never complete. Taking advantage of newsworthy events is indeed a cybercrime staple; each new scheme always seems to vary, which results in a never-ending cycle of malicious mischief.

    Update as of April 17, 10:34 AM PST

    We analyzed WORM_KELIHOS.NB further and found that the malware also attempts to steal the user’s Bitcoin wallet, if one is stored on the infected system. Bitcoin is a well-known digital currency that is making waves in today’s IT and threat landscape. To learn more about Bitcoin, you may read our recent post Keep Your Eye on the Bitcoin.

    Update as of April 17, 3:47 PM PST

    We also found certain links that lead to a page hosting the exploit JAVA_EXPLOIT.BB, which targets the Oracle Java 7 Security Manager Bypass Vulnerability (CVE-2013-0422). Once exploited, it attempts to download malware onto the system. However, during our testing, the site from which the exploit downloads its payload was no longer available.

    Update as of April 18, 2:18 AM PST

    We found another BHEK spam campaign that leverages this tragic incident. This particular spammed mail purports to be sent from the US-based news agency CNN, with the body of the mail styled to resemble an urgent news notification from that agency. The text of the spammed mail offers the reader a hyperlink that promises controversial details about the bombing.

    The link, in fact, leads to BKDR_CRIDEX.CHX. This backdoor monitors the Internet Explorer (IE) activity of the affected system, specifically the address bar and title bar. If the user visits banking sites with certain strings in the address bar or title bar, it recreates the legitimate website with a spoofed login page.

    Update as of April 18, 10:04 AM

    Unfortunately, we saw certain URLs that are now taking advantage of the recent Texas fertilizer plant explosion. Based on our analysis, these URLs have the same characteristics as the Boston ones that lead to the Java exploit JAVA_EXPLOIT.BB. We encourage users to refer to credible news pages for any updates or information regarding these tragic events.

    Update as of April 18, 9:30 PM

    Further analysis of the first spam campaign mentioned in this blog post has indicated that while it uses exploits, it does not specifically use the Blackhole Exploit Kit.


    • Andrew

      Anyone know how to remove? I use Trend Micro Worry-Free Business Advanced and some of my users got affected by this and it has caused chaos.

    • Chetty

      Do you think this kind of URL and file could potentially be dangerous on MacOS 10.6.8?

      Usually I never click on unknown URLs in spam. But I cannot explain why, this time, I did… Shame on myself…

      • TrendLabs

        Hi Chetty,

        We haven’t found an instance of this threat that can affect Macs, as the downloaded files only run on Windows platforms. We recommend you scan your system to be sure.

        • Chetty

          Thank you very much for your answer. I will scan my system anyway…

    • Rosy

      Everyone should be well informed about these criminal acts on the web. Thanks.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice