Sick Trojan spam attack poses as news about American marine deaths in Iraq, Sophos reports

August 04, 2005 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a widespread spam campaign that poses as a breaking news report about the death of American marines in Iraq, but is really an attempt to lure innocent computer users into being infected by a Trojan horse and attacked by hackers.

[Image: An example of the email. The email pretends to be a breaking news report.]

Subject lines used in the malicious emails include, but are not limited to, the following:

140 died
140 US marines kiiIled
14 US Marines Killed in Iraq Bombbing
Iraq Bommbing
140 lives was taken
Bomging takkes 140 lives
Deadly strike - 140 US marines kiilled
death in Irraq

Sophos experts believe that the people behind the email attack are using software to deliberately obfuscate and misspell the subject lines in an attempt to avoid rudimentary anti-spam filters.
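To illustrate the evasion described above, the following added Python example (not from Sophos or the original release) runs an exact-match term filter and a normalizing fuzzy matcher over the subject lines quoted above. The term list `TERMS` and all function names are assumptions made for this illustration.

```python
import re

# Hypothetical term list for illustration; not taken from any real filter.
TERMS = ("killed", "bombing", "iraq")

# Subject lines quoted in the press release above.
SUBJECTS = [
    "140 died", "140 US marines kiiIled",
    "14 US Marines Killed in Iraq Bombbing", "Iraq Bommbing",
    "140 lives was taken", "Bomging takkes 140 lives",
    "Deadly strike - 140 US marines kiilled", "death in Irraq",
]

def tokens(subject):
    """Lowercase alphabetic words of a subject line."""
    return re.findall(r"[a-z]+", subject.lower())

def collapse(word):
    """Squeeze runs of a repeated letter: 'kiilled' -> 'kiled'."""
    return re.sub(r"(.)\1+", r"\1", word)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def exact_hit(subject):
    """Rudimentary filter: a token must equal a listed term."""
    return any(t in TERMS for t in tokens(subject))

def fuzzy_hit(subject):
    """Compare collapsed tokens to collapsed terms with a small edit budget."""
    for tok in map(collapse, tokens(subject)):
        for term in map(collapse, TERMS):
            # Short terms must match exactly; longer ones may differ by one edit.
            limit = 1 if len(term) >= 5 else 0
            if edit_distance(tok, term) <= limit:
                return True
    return False

def compare():
    """Return (subjects caught by exact match, subjects caught by fuzzy match)."""
    return ([s for s in SUBJECTS if exact_hit(s)], [s for s in SUBJECTS if fuzzy_hit(s)])

if __name__ == "__main__":
    exact, fuzzy = compare()
    print(f"exact: {len(exact)}/{len(SUBJECTS)}  fuzzy: {len(fuzzy)}/{len(SUBJECTS)}")
```

Two of the eight subjects contain none of the listed terms and pass both checks, so subject-term matching is only one signal among those a gateway filter would use.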

Although the message pretends to be sent from a variety of different email addresses, it poses as a breaking news report from Associated Press. Unlike the changing subject lines, the body of the emails appears to always be the same:

14 US Marines Killed in Iraq Bombing
Guardian Unlimited

By ROBERT H. REID. BAGHDAD, Iraq (AP) - 40 minutes ago.

14 US Marines were killed when a huge bomb destroyed their lightly armored vehicle, urling it into the air in a giant fireball in the deadliest roadside bombing suffered by American forces in the Iraq war

Read more...

"Receiving or reading the emails themselves does not mean you are infected," explained Graham Cluley, senior technology consultant for Sophos. "However, users must be very careful not to click on the link contained inside the mails as that will take them to a malicious website. In an ideal world everyone would be running industrial-strength anti-spam software at their email gateways which would help reduce the chances of computers being put in this kind of peril."

Windows users who follow the web link visit a website which pretends to be a fuller version of the news story, but exploits vulnerabilities in Microsoft's Internet Explorer software to install the Cgab-A and Borodr-Fam Trojan horses. The malicious attack is designed to allow remote hackers to gain unauthorized access to the victim's computer.

[Image: Clicking on the link in the email takes users to a website which claims to contain a news story about the conflict in Iraq, but is really designed to secretly install malicious code onto the computers of unsuspecting users.]

"The deaths of American marines in Iraq is a tragedy, and it's sickening to think that hackers are prepared to exploit the troubles in that country in an attempt to break into computers for the purposes of spamming, extortion and theft," continued Cluley. "Everyone should ensure they have defenses in place to properly protect against the very latest malware attacks."

Sophos recommends companies automatically update their corporate virus protection, and run a consolidated solution at the email gateway to defend against viruses and spam.