About Me

Rahul Mohandas

Rahul Mohandas

Read More

Feeds & Podcasts

Blogs

Meet the Bloggers

Archive

Tags

#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

McAfee Labs :

Benazir Bhutto Assassination: New Avenue for Spreading Malware

Friday, December 28, 2007 at 5:32am by Rahul Mohandas
Rahul Mohandas

A few weeks back we blogged about malware-laced codecs embedded in various Blogspot domains. Today within hours after the assassination of former Pakistani Prime Minister Benazir Bhutto, malware authors have started capitalizing on this news to spread a new fake codec. This time it is purported to be an assassination video of the former PM.

Claiming to be a New HD Codec, these malware authors attempt to social engineer users into believing they are downloading a legitimate codec for playing the video. At least 10 Blogger websites are observed to be hosting this fake video (at the time of writing this blog) which redirects the users to the typo-squatted domain containing fake codec:

http://video.googl.[removed]

Malicious code hosted on the 3322 domain is not something novel. One of the recent high profile attacks which pointed to a malicious script from the 3322 domain was the Indiatimes Mail hack.

There are a plethora of websites which attempt drive-by installations when unsuspecting users visit websites returning search engine results for “Benazir Bhutto”. Many of these compromised webpages have malicious scripts injected into the webpage which points to the 3322 domain. These webpages contain obfuscated variants of the MS06-014 exploit which is perhaps one of the most popular of all the exploits we see on a daily basis.

This fake Trojan Codec is detected by the current DATS as Puper. The downloaded exploit is detected as VBS/Psyme and the executable is detected as Generic Downloader.c

(Credits to Pradeep Govindaraju for the great malware analysis)

Bookmark and Share

Submit your own comments / message for this post

Your email is never published nor shared. Required fields are marked *

 

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comments (3)

  • SMB Antivirus December 31, 2007 8:55AM

    It is so crazy how much social engineering plays into a lot of today’s attacks. That is one thing that software cannot overcome, human curiosity…like an email with the subject “I Love You”. How simple that sounds now, but genius at the time it came out.

    Maybe, some day, software can help fend off curiosity!

    All the best,
    Michael Rowles
    CopiaTECH
    SMB Security

    Reply
  • pat December 30, 2007 11:25PM

    i was infected by this when i was on a softball message board serioussoftball.com …message board illinois message stated britney did it again and like a fool i enterd the link and now i can not find a way to get rid of this.i dont know much about computers so im having a hard time

    Reply
  • marquita December 29, 2007 7:50PM

    i just got that puper on my computer when my sister went to look at one of her friends profiles on myspace. i dont think it just on websites that have videos about the PM being assassinated. i think it’s going to all kinds of websites. i been tryin to take it off, by following the instructions at McAfee but its not working. i think this is one trojan that can’t be removed.

    Reply