Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a spam campaign that poses as a breaking news report about the death of Russian President Vladimir Putin, but is really an attempt by hackers to infect computer users with a Trojan horse.
The email claims that Vladimir Putin, president of the Russian Federation, has died.
However, embedded in the HTML email is a hidden script that exploits the ADODB.Stream vulnerability to secretly download the malicious Troj/Dloadr-ZP Trojan horse from a Russian website. The Trojan horse is designed to download further malicious code which could allow remote hackers to gain unauthorized access to the victim's computer.
Although the link in the email pretends to be that of a BBC News report, it really directs the user to another Russian website, which purports to be the home of a construction firm focused on providing heating systems for apartments and advertising training seminars.
"It appears whoever sent this spam is trying to discredit the Russian firm in what we call a 'joe job'. Users may think that the spam was purely an attempt to drive traffic to the construction company's products and seminars, whereas in fact hackers are also using the opportunity to try and infect unprotected PCs," explained Graham Cluley, senior technology consultant for Sophos. "Everyone should protect their computers with security patches, up-to-date anti-virus software, firewalls and a solid defense against spam. Hackers have used bogus stories about breaking news stories in the past to encourage people to open emails, and they're likely to do so again."
Sophos's anti-malware products were automatically updated to protect against the Troj/Dloadr-ZP Trojan horse at 05:22 GMT on 12 July 2006.
"Normally, a joe job is a spam campaign forged to appear as though it came from an innocent party, with the intention of incriminating or pinning blame onto them," continued Cluley. "In this case, users wanting to read the news report may think that the emails came from the Russian website they are directed to selling seminars and heating systems. In truth, the spam emails came from a zombie network of compromised computers around the world, being exploited by the hackers. If users aren't careful they could find their PCs part of the zombie network as well."
Sophos recommends that companies automatically update their corporate virus protection and run a consolidated solution at the email gateway to defend against viruses and spam.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.