Home of the World Famous VIRUS BUSTERS

Beware of Vague "Bomb Attack" Warnings

The same gang that brought us the W32/Nuwar virus variants (a.k.a. "The Storm Worm") and multiple variants in the W32/Waledac family has come out with a particularly pernicious new attack. In brief, one gets an email with a vaguely worrisome subject line, body text that sounds concerned about the recipient's well-being, and a link to a somewhat familiar-sounding URL.

In general, this has been the strategy of this criminal gang:

  1. Using a botnet, send email that uses social engineering to convince the recipient to open an attachment or, more recently, click on a link embedded in the email. The gang's first use of this was about a large storm disaster, in January 2007; subsequently they have used other hooks -- nuclear war, pornography, various electronic greeting cards (in general, and for notable days like Valentine's Day, Halloween, etc.), political campaigns -- whatever might be likely to induce the recipient to click on the link.

  2. The link points to another machine on the botnet; this one contains malicious software that, usually, masquerades as video footage of whatever the hook was in the first step -- sometimes this masquerades as an update to the video player software (Flash, QuickTime, Real, etc.). If you click on the link, software will be downloaded to your machine that, if launched, will turn YOUR machine into a node of the botnet. [If there is an attachment instead of a link, launching the attachment does much the same thing, without having to visit a URL. But an attachment is easier to block at the mail gateway, so the preferred method is to host the malicious software at a remote location instead of attaching it to the email itself.]

  3. The nodes of the botnet are used for various nefarious purposes -- sending spam, stock and advance fee scams, identity theft, money laundering, and probably a lot of other nasty things.

  4. Repeat: to generate new victims (and increase the size of the botnet), go to Step 1.

Anyway, back to the case at hand: they have upped the ante....

If you have the misfortune of clicking on the URL in the email (Don't!), it will take you to a web page that claims there was a bomb attack near your location.

Unfortunately, the email is bogus, the URL is fraudulent, the familiar-sounding web site is actually unrelated to anything you actually know and trust, and the web server looks at your IP address ... and serves you text related to your location. So if you view that URL from U-M, it will refer to a bomb blast in Ann Arbor; visit the same URL at the same time from London, however, and it will refer to a bomb blast in England. More details on this at McAfee's Computer Security weblog.

Moreover, the URL actually points to a machine that is part of a botnet and, worse yet, that botnet is fast-flux: the hostname's DNS records carry very short TTLs and are rotated constantly, so when your computer looks up the hostname now it gets one IP address, but a lookup a moment later returns a different address (a different infected machine). That makes the thing a lot more difficult to shut down, because there is no single server to take offline. And since the hosting is part of a botnet, it is particularly easy for the Bad Guys to put out new, repacked variants of the malware that are not yet detected by VirusScan or other anti-malware products.
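The fast-flux behavior described above leaves a measurable footprint: resolve the same name repeatedly and the answers churn across many unrelated networks. The following heuristic check is an added example, not code from the Virus Busters page or from any anti-malware product. The lookup data is constructed (RFC 1918 and RFC 5737 addresses), the /16 bucketing is a stand-in for the ASN lookup real tooling would use, and the thresholds are illustrative rather than tuned.

```python
"""Heuristic fast-flux check over repeated DNS lookups of one hostname.

Added example; it is not code from the Virus Busters page. The lookup
data below is constructed (RFC 1918 and RFC 5737 addresses) to stand in
for what you would record by resolving the same name every minute.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import FrozenSet, List


@dataclass(frozen=True)
class Observation:
    t: int                   # seconds since the first lookup
    ttl: int                 # TTL returned on the A records
    addrs: FrozenSet[str]    # the A records returned by this lookup


def prefix16(ip: str) -> IPv4Network:
    """Collapse an address to its /16 as a crude 'same network' bucket.

    Real tooling would map each address to its ASN; that lookup needs
    external data, so the /16 stands in for it here (an assumption)."""
    return IPv4Network(f"{ip}/16", strict=False)


def fast_flux_features(obs: List[Observation]) -> dict:
    """Summarize how much the answer set moves around across lookups."""
    if not obs:
        raise ValueError("need at least one lookup")
    all_ips = set().union(*(o.addrs for o in obs))
    changes = sum(1 for a, b in zip(obs, obs[1:]) if a.addrs != b.addrs)
    return {
        "unique_ips": len(all_ips),
        "unique_prefixes": len({prefix16(ip) for ip in all_ips}),
        "min_ttl": min(o.ttl for o in obs),
        # fraction of consecutive lookups whose answer set differs
        "change_rate": changes / max(1, len(obs) - 1),
    }


def is_fast_flux(obs, max_ttl=300, min_ips=8, min_prefixes=4, min_change_rate=0.5) -> bool:
    """Flag names whose answers rotate quickly across many unrelated networks.

    A CDN also uses short TTLs and several addresses, but its addresses
    cluster in a few networks it owns; a fast-flux name resolves to
    infected consumer machines scattered across many ISPs. Thresholds
    are illustrative, not tuned against real traffic."""
    f = fast_flux_features(obs)
    return (f["min_ttl"] <= max_ttl
            and f["unique_ips"] >= min_ips
            and f["unique_prefixes"] >= min_prefixes
            and f["change_rate"] >= min_change_rate)


# --- constructed lookup series ---------------------------------------------

# Fast-flux: every lookup returns three fresh addresses, each in a different /16.
FLUX_LOOKUPS = [
    Observation(t=60 * i, ttl=60,
                addrs=frozenset(f"10.{3 * i + k}.{17 + i}.{200 + k}" for k in range(3)))
    for i in range(6)
]

# CDN-like: short TTL and rotating answers, but all within one network.
CDN_LOOKUPS = [
    Observation(t=20 * i, ttl=20,
                addrs=frozenset({"203.0.113.10", "203.0.113.11"}) if i % 2 == 0
                else frozenset({"203.0.113.12", "203.0.113.13"}))
    for i in range(6)
]

# Ordinary single server with a day-long TTL.
STATIC_LOOKUPS = [
    Observation(t=3600 * i, ttl=86400, addrs=frozenset({"192.0.2.1"})) for i in range(6)
]


if __name__ == "__main__":
    for name, series in [("flux", FLUX_LOOKUPS), ("cdn", CDN_LOOKUPS), ("static", STATIC_LOOKUPS)]:
        print(name, is_fast_flux(series), fast_flux_features(series))
```

The CDN series is the important negative case: low TTL and rotating answers alone would flag half the legitimate web, so the check also requires that the addresses span many unrelated networks.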

So, what are the take-home lessons here?

  1. Never open attachments or click on links in unsolicited email -- not even when they appear to be from those you know and trust.

  2. If the email comes from someone you don't know, best just to delete it.

  3. If it does appear to come from someone you know, do not continue -- instead, contact that person by a means other than email (phone, in person) to see if s/he actually sent it (email is trivial to forge) and, if so, what it contains.

  4. If you feel you must look at the email, be particularly suspicious of vagueness.

  5. If there is a URL in the email and you feel that you must view it, type it in by hand instead of clicking on it ... and if the URL isn't quite what you remember (e.g., cnnnews.com instead of the actual cnn.com), type in the URL you trust.

  6. If you should happen to get to the actual URL owned by the Bad Guys, don't click on anything! In particular, if it says you need to upgrade software to view a video, you're almost certain to shoot yourself in the foot if you try to "upgrade" -- instead, you'll be installing malware on your system. In this case, another W32/Waledac variant.

For this particular case, here are some of those vague subjects used:

  Are you in the city now
  Are you Ok
  Bomb explosion
  Bomb killed 18 citizens
  Bomb was blasted in your town
  Damn it!!
  Did it really happen in your city
  Damned terrorists!!!
  Did you see it
  Have you heard about it
  Have you seen it
  Haven't you been there at that time
  Haven't you seen this
  How do you feel
  I hope everything ok with you
  I hope that you are fine
  I hope you are in good health
  I hope you are not in the city now
  I hope you are ok
  I worry about you
  Is it everything fine
  Is it really happened near you
  Is it truth
  It's awful!!
  It's terrible!
  Look at this!!
  Oh God, did it really happen
  Oh s**t!!! [censored by bpb]
  Oh, my God!
  Take care about yourself!
  Take care!
  We hope that you are ok
  What a hell
  What a tragedy!
  Who did that
  Why did it happen in your city
  Why did they do that
  Why did they explode bomb there 

The body text of the email might be (there probably are more variants):

  Are you and your friends fine?  URL
  Are you in the city now?  URL
  Bombing killed 18 citizens  URL
  Is it everything okay?  URL
  Oh, my God!  URL

where the URL might be designed to look like something reminiscent of cnn.com, tnt.com, breakingnews.com, worldnews.com, or something local (e.g., michigan.com),
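The three traits just listed (a subject from the known list, a body that is little more than a short phrase plus a link, and a link whose host merely resembles a trusted news site, which is also the point of lesson 5 above) can be scored mechanically. The following triage routine is an added example, not code from the Virus Busters page or from any mail filter. The trusted-domain list, the two sample messages and the ".example" host are constructed; the subject list is a subset of the one on this page; the "last two labels" notion of a domain and the score threshold are simplifying assumptions.

```python
"""Triage heuristics for the bomb-scare emails described on this page.

Added example, not code from the Virus Busters page. It combines three
signals the text describes: a subject drawn from the known list, a body
that is just a short phrase plus a link, and a link whose host name only
resembles a trusted news site. Sample emails and the trusted-domain list
are constructed for the demonstration.
"""
import re
import string
from urllib.parse import urlsplit

# Subset of the subject lines listed on the page (normalized form).
KNOWN_SUBJECTS = {
    "are you in the city now", "are you ok", "bomb explosion",
    "bomb killed 18 citizens", "bomb was blasted in your town",
    "did it really happen in your city", "have you heard about it",
    "i hope you are ok", "is it everything fine", "oh my god",
    "take care", "why did it happen in your city",
}

# Constructed list of the sites the lures imitate (brands named on the page).
TRUSTED_DOMAINS = {"cnn.com", "tnt.com", "breakingnews.com", "worldnews.com", "michigan.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
_PUNCT = str.maketrans("", "", string.punctuation)


def normalize_subject(subject: str) -> str:
    """Lower-case, drop punctuation, squeeze whitespace: 'Are you Ok?!' -> 'are you ok'."""
    return " ".join(subject.lower().translate(_PUNCT).split())


def registrable_domain(host: str) -> str:
    """Last two labels of the host; an assumption standing in for the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain a host imitates, or None if it IS that domain or is unrelated.

    'cnnnews.com' and 'cnn-news.example' contain the brand 'cnn' without being
    cnn.com; 'www.cnn.com' is the real site and is not flagged."""
    domain = registrable_domain(host)
    if domain in trusted:
        return None
    best = None
    for t in trusted:
        brand = t.split(".")[0]
        dist = 0 if brand in domain.replace("-", "") else levenshtein(domain, t)
        if dist <= 2 and (best is None or dist < best[0]):
            best = (dist, t)
    return best[1] if best else None


def classify_email(subject: str, body: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Score one message; two or more independent signals mark it suspicious (threshold is an assumption)."""
    reasons = []
    if normalize_subject(subject) in KNOWN_SUBJECTS:
        reasons.append("subject matches known lure list")
    urls = URL_RE.findall(body)
    text_only = URL_RE.sub("", body).strip()
    if urls and len(text_only) <= 60:
        reasons.append("body is a short phrase plus a link")
    for u in urls:
        host = urlsplit(u).hostname or ""
        target = lookalike_of(host, trusted)
        if target:
            reasons.append(f"{host} looks like {target} but is not")
    return {"score": len(reasons), "suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed samples: one lure in the style shown on the page, one ordinary message.
LURE = ("Are you Ok", "Is it everything okay?  http://cnnnews.com/watch")
ORDINARY = ("Agenda for Thursday",
            "Hi Bruce, here is the agenda we discussed for Thursday's meeting, "
            "plus the story I mentioned: http://www.cnn.com/WORLD/")

if __name__ == "__main__":
    print(classify_email(*LURE))
    print(classify_email(*ORDINARY))
```

The brand-substring test is deliberately aggressive (short brands such as "tnt" will occasionally hit unrelated names), which is why no single signal is enough on its own: the lure scores on all three, the ordinary message on none.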

and the text at the URL looks like this:

   Powerful explosion burst in [Location_near_you] this morning.

   At least 12 people have been killed and more than 40 wounded in a bomb 
   blast near market in [Location_near_you]. Authorities suggested that 
   explosion was caused by "dirty" bomb. Police said the bomb was 
   detonated from close by using electric cables. "It was awful" said the 
   eyewitness about blast that he heard from his shop. "It made the floor 
   shake. So many people were running" Until now there has been no claim 
   of responsibility.

   You need the latest Flash player to view video content. Click here to 
   download.


   Related Links:
   http://en.wikipedia.org/wiki/Dirty_bomb
   http://www.google.com/search?q=[Location_near_you]+terror+attack

I don't need to reiterate that the link to the "Flash upgrade" is actually the virus, do I?? I hope not!

   -BPB

If you'd like to pass this information along to others, I suggest that you provide a pointer to this URL (http://virusbusters.itcs.umich.edu/waledac.html)

For virus or hoax info, please see our main page (http://virusbusters.itcs.umich.edu/) or go to another reputable site, like The Urban Legends Reference Pages.


by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)


ITS | University of Michigan
Copyright © 1996-2008 The Regents of The University of Michigan


This page last updated March 18, 2009