Following the sudden and shocking death of The King of Pop, Senior Threat Researcher Loucif Kharouni reports that a slew of malicious links related to Michael Jackson's last moments in the hospital before his death is now being spread in the wild via the instant messaging (IM) application MSN. Below is a sample screenshot of an MSN IM window containing various templates of the said malicious links:
When recipients of such messages click on any of these links, they are prompted to save a file named PIC-IMG029-www.hi5.com.exe (with an MD5 checksum of 031429fc14151f94c8651a3fb110c19b) instead of being led to an image site or gallery; the name is chosen to look like a photo hosted on a social networking site. Initial analysis shows that the said file is a variant of the SDBOT family.
More updates shortly. Stay tuned.
Update as of 27 June 2009
The botnet is said to push the templated messages through an IRC channel to the infected client, which then spams them to its contacts. Below is a sample screenshot of the botnet's activity:
The malware responsible for this is detected as WORM_IRCBOT.GAT. It opens a certain port on the affected system and then listens for remote commands. Kharouni reports that commands to download certain files are received and executed by the affected system, ultimately leading to the download of a PUSHDO variant. PUSHDO is a botnet responsible for a huge amount of spam activity. More information on PUSHDO can be found here:
- Pushdo/Cutwail – The Art of Spamming (Part 1 of 5)
- Pushdo/Cutwail – From Russia with Love (Part 2 of 5)
- Pushdo/Cutwail – Can’t Touch This (Part 3 of 5)
- Pushdo/Cutwail – Sniffing for the Win (Part 4 of 5)
- Pushdo/Cutwail – Traditional AV is Useless (Part 5 of 5)
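For defenders watching for this lure at the web proxy, the following added example (not code from the original post) scans constructed proxy-log lines for the two signs described above: an executable whose name imitates a photo from a social site, and the MD5 quoted for PIC-IMG029-www.hi5.com.exe. The log format, hostnames and sample lines are assumptions made for the example.

```python
import re
from typing import Dict, List

# Indicator quoted in the post: MD5 of PIC-IMG029-www.hi5.com.exe (SDBOT variant).
KNOWN_BAD_MD5 = {"031429fc14151f94c8651a3fb110c19b"}

# Lure pattern: an image-looking name (PIC/IMG/DSC + digits) that actually ends in
# an executable extension, optionally embedding a site name such as www.hi5.com.
LURE_NAME = re.compile(
    r"^(?:PIC|IMG|DSC)[-_]?(?:IMG)?\d+.*\.(?:exe|scr|com|pif)$", re.IGNORECASE
)

# Hypothetical proxy-log layout (assumption, not from the post):
# <timestamp> <client_ip> <url> <content_type> <md5-or-dash>
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) ([0-9a-f]{32}|-)$")


def analyse_line(line: str) -> Dict[str, object]:
    """Return the alerts raised by one log line (empty list = benign)."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return {"line": line, "alerts": ["unparsable"]}
    _ts, client, url, ctype, md5 = m.groups()
    filename = url.rsplit("/", 1)[-1]
    alerts: List[str] = []
    if md5 in KNOWN_BAD_MD5:
        alerts.append("known_sdbot_hash")          # exact IoC match
    if LURE_NAME.match(filename):
        alerts.append("image_lure_executable")     # photo-style name, .exe payload
    if filename.lower().endswith(".exe") and ctype.startswith("image/"):
        alerts.append("content_type_mismatch")     # server lies about the type
    return {"client": client, "filename": filename, "alerts": alerts}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only the lines that raised at least one alert."""
    return [r for r in (analyse_line(ln) for ln in lines) if r["alerts"]]


# Constructed sample log (not real traffic); example.invalid is a reserved TLD.
SAMPLE_LOG = [
    "2009-06-26T10:01:02 10.0.0.5 http://example.invalid/pics/PIC-IMG029-www.hi5.com.exe"
    " application/octet-stream 031429fc14151f94c8651a3fb110c19b",
    "2009-06-26T10:02:15 10.0.0.7 http://example.invalid/gallery/DSC00123.jpg image/jpeg -",
    "2009-06-26T10:03:40 10.0.0.9 http://example.invalid/img/IMG_4521.exe image/jpeg"
    " aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "2009-06-26T10:04:00 10.0.0.11 http://example.invalid/dl/setup.exe application/octet-stream"
    " bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["filename"], ", ".join(hit["alerts"]))
```

The hash check catches only this exact sample, while the name and content-type checks also flag renamed copies of the same lure.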
A whitepaper presenting the findings of Trend Micro analysts' research on PUSHDO/CUTWAIL is also available and can be downloaded here.
Trend Micro customers can rest assured that all related URLs are already blocked by the Smart Protection Network.