Websense Alert Update - Fake Celebrity News
September 2008 by Websense
Threat Type: Malicious Web Site / Malicious Code
Websense® Security Labs™ ThreatSeeker™ Network has discovered a new copycat wave of fake celebrity news being sent out via spam emails. Similar to previous attacks related to ‘MSNBC.com Breaking News’ and ‘Bogus CNN Custom Alerts’, these emails contain links to a malicious Web page on a compromised site that is designed to encourage users to download a malicious application posing as a video codec. This malicious Web page also holds iframes leading to an exploit site.
Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN and MSNBC themed templates. Recently, email alerts listing different popular events and news articles also encouraged users to download a video codec, which was actually a malicious file.
Here is a screenshot of a sample spam email:
The malicious payload is only accessed when the user clicks on the ‘READ FULL STORY’ link. The link takes them to a Web page named index97.html on a compromised site, and that page issues a pop-up encouraging users to download a ‘missing’ video codec, a file called video98.exe.
Here is the screenshot of index97.html page showing the popup and download window:
The obfuscated source code from index97.html:
The source code from index97.html, deobfuscated by ThreatSeeker:
Here are a few examples of the varied subjects we have seen in this campaign:
Sensational news. Check the message.
Breaking news! Be the first to know.
Very important news.
Astonishing Please take a look.
Sensational information inside.
Check this out. This is a bomb
This is really great news. Please check.
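
A mail-triage check for the pattern described above, added here as an illustration and not taken from Websense: it flags a message whose subject is on the campaign list, or whose CNN/MSNBC-themed body sends the 'READ FULL STORY' link to a host the brand does not own. The brand-to-domain map, the single-part HTML layout and the sample message are assumptions.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (not from the alert): domains each news brand really links to.
BRAND_DOMAINS = {"cnn": ("cnn.com",), "msnbc": ("msnbc.com", "msn.com")}
# Some of the subject lines quoted in the alert, lower-cased for comparison.
CAMPAIGN_SUBJECTS = {"very important news.", "sensational information inside.",
                     "breaking news! be the first to know."}

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def triage(raw):
    # Assumes a single-part HTML message, so get_payload() is the body string.
    msg = message_from_string(raw)
    body = msg.get_payload()
    collector = LinkCollector()
    collector.feed(body)
    findings = []
    if msg.get("Subject", "").strip().lower() in CAMPAIGN_SUBJECTS:
        findings.append("subject matches campaign list")
    claimed = (msg.get("From", "") + " " + body).lower()
    for brand, domains in BRAND_DOMAINS.items():
        if not re.search(rf"\b{brand}\b", claimed):
            continue  # message does not present itself as this brand
        for label, href in collector.links:
            host = (urlparse(href).hostname or "").lower()
            owned = any(host == d or host.endswith("." + d) for d in domains)
            if "read full story" in label.lower() and not owned:
                findings.append(f"{brand} template links to {host}")
    return findings

# Constructed sample; hosts and addresses are placeholders.
SPAM = ("From: CNN Alerts <alerts@mail.example>\nSubject: Breaking news! Be the first to know.\n"
        "Content-Type: text/html\n\n<a href='http://compromised.example/index97.html'>READ FULL STORY</a>")
```

The brand-mismatch finding does not depend on the subject list, so it still fires when the campaign rotates to subjects not seen before.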