Breaking News: Waledac Terror Attack in a City Near You

Users should always take care while surfing the Internet and reading mail, and today maybe more than usual: Another spam run from the Waledac botnet is on the loose, this time misusing the good reputation of the news agency Reuters. After the “President Inauguration,” “Valentine Scam,” and the “Economic Crisis,” this time the social-engineering trick is a “Terror Attack” in your city. Mails with subjects such as “Why did they explode bomb there?” or “Why did it happen in your city?” are being sent out by the botnet right now.

Again the bad guys are using geolocation services to better target their audience. As described in my earlier blog, they are using the city name of the user visiting the fake website and inserting this name into the website itself. So the “breaking news” gets even more attention, because when an attack happens in your home town, everyone would be anxious and curious, right? The screenshot below is an example what a user from New York would see; other users would see the same message but with their local city being “attacked”:

The website claims that a “dirty bomb” exploded in the user’s city and that at least 12 people have been killed. A video from Reuters is presented but “You need the latest Flash player to view video content. Click here to download.” It’s another example of the time-worn missing-codec trick. The needed “update” named main.exe or save.exe is in fact the real malware.

The fast-fluxing website also includes a malicious IFRAME that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection.

The Waledac/Storm authors try to keep their botnet running and always craft new social-engineering tricks to fool unsuspicious users to follow their lure. As always, the best advice is to not click links in spam mails. And the malicious IFRAME pointing to a drive-by infection is another good reminder that “curiosity killed the cat.”