Trojan capitalizes on Bhutto assassination

Status
Not open for further replies.

sourav123

Thinking Different
Whatever else malware creators might be, they're quick to take advantage of any event that might enable a new attack vector. The Storm Worm has already morphed twice in the past week, attacking with both a Christmas and a New Year's theme. Now, less than two days after the assassination of Benazir Bhutto, former Prime Minister of Pakistan and leader of the Pakistan People's Party, there's a new malicious Javascript in town. The script in question isn't brand-new, but its creators have quickly adapted it to prey on surfers interested in additional details regarding Bhutto's death.

According to Trend Micro researchers, certain sites purporting to contain information on the assassination have malicious Javascript embedded within them. End users wanting more information on the event can conceivably be directed to one of these infected sites, where the script (identified by Trend Micro as JS_AGENT.AEVE) runs and downloads a Trojan (TROJ_SMALL.LDZ). This new Trojan then downloads and installs WORM_HITAPOP.O and TROJ_AGENT.AFFR.

While the authors of this particular gem are obviously trying to exploit Bhutto's murder, Trend Micro found evidence that the malicious Javascript is actually present on a number of sites, including Autoworld, Vino, MSN, and BlogSpot. The number of infected sites that specifically discuss the assassination is small compared to the total number of sites that appear to be infected—103 vs. 4,240—but the ratio will undoubtedly shift if the topic proves to be an effective attack vector. Trend Micro has stated that its customers are already protected from the exploit; other vendors will probably be quick to follow with patches as they are needed.

Source: *arstechnica.com/news.ars/post/20071228-malware-authors-capitalizing-on-bhuttos-assassination.html
 

shadow2get

In the zone
You can check this link for more visual info:

*www.avertlabs.com/research/blog/in...sassination-new-avenue-for-spreading-malware/

Seems like McAfee have updated their AV database to counter this one.
 