Press Releases

Browse our press release archive

09 Aug 2005

Iranian nuclear crisis report disguises malicious Trojan horse attack, Sophos reports

"And here is the news... you're about to be hit by a Trojan horse"

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a widespread spam campaign that poses as a breaking news report, but really leads computer users to an infected website. The spam pretends to be a link to news about Iran's controversial decision to continue work at its Ishafan nuclear plant, but is really an attempt to lure innocent computer users into being infected by a Trojan horse and attacked by hackers.

An example of the email
The email pretends to be a breaking news report.

The Isfahan nuclear plant is the main uranium conversion facility in Iran. Conversion is part of the process used to produce nuclear fuel, and when enriched to a low level makes it suitable for use in atomic weapons. The United States and European Union had warned that resumption of work at the plant could lead to Iran being taken to the UN Security Council for sanctions.

"Hackers are spamming out messages claiming to be breaking news stories, in the hope that unwary internet surfers will visit the malicious websites for further information," said Graham Cluley, senior technology consultant at Sophos. "We saw the same gang of hackers use a near-identical trick about the tragic story of US marine deaths in Iraq last week."

Subject lines used in the malicious emails include, but are not limited to, the following:

Iran snubs pleas, resumes uranium shift
TThe PPhantom Menace
Iran to restart U productionn
What will they do with the refined uraniuum?
Where doees Iran get its uranium ores?
How easily ccould U-238 be used to makke a bomb?

Sophos experts believe that the people behind the email attack are using software to deliberately obfuscate and misspell the subject lines in an attempt to avoid rudimentary anti-spam filters.

Windows users who make the mistake of following the web link visit a malicious website which pretends to be a fuller version of the news story:


The website pretends to be a news story about the Iranian nuclear crisis.

In reality, the website exploits vulnerabilities in Microsoft's Internet Explorer software to install the Cgab-A and Borodr-Fam Trojan horses. The trojan horses are designed to allow remote hackers to gain unauthorized access to the victim's computer.

"Simply reading the spam email doesn't infect you. As long as you don't click on the link you have nothing to fear," continued Cluley. "But if you click on the link and visit the infected website then you are putting the safety of your data and computer at risk. Everyone should ensure they keep their anti-virus protection up-to-date and never follow links in unsolicited email messages."

Sophos recommends companies automatically update their corporate virus protection, and run a consolidated solution at the email gateway to defend against viruses and spam.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at