Hackers using Trojan to exploit Benazir Bhutto's assassination

Within 24 hours of the assassination of former Pakistani Prime Minister Benazir Bhutto, malware makers exploited the breaking news to dupe users into downloading attack code, security researchers said Friday.

Searches for news about Bhutto's killing (1, 2, 3) and the ensuing chaos in Pakistan listed sites pimping a bogus video coder/decoder (codec), said analysts at McAfee Inc., Symantec Corp. and WebSense Inc.

For instance, WebSense found such a site simply by using "benazir" to search on Google. Meanwhile, McAfee quickly located 10 sites hosted on Blogger.com, Google Inc.'s blog service, that were spreading the fake codec.

According to Trend Micro researchers, certain sites purporting to contain information on the assassination have malicious JavaScript embedded within them. End users wanting more information on the event can conceivably be directed to one of these infected sites, where the script (identified by Trend Micro as JS_AGENT.AEVE) runs and downloads a Trojan (TROJ_SMALL.LDZ). This new Trojan then downloads and installs WORM_HITAPOP.O and TROJ_AGENT.AFFR.

While the authors of this particular gem are obviously trying to exploit Bhutto's murder, Trend Micro found evidence that the malicious JavaScript is actually present on a number of sites, including Autoworld, Vino, MSN, and BlogSpot. The number of infected sites that specifically discuss the assassination is small compared to the total number of sites that appear to be infected (103 vs. 4,240), but the ratio will undoubtedly shift if the topic proves to be an effective attack vector. Trend Micro has stated that its customers are already protected from the exploit; other vendors will probably be quick to follow with patches as they are needed.

The sites use the well-worn tactic of promising a video -- in this case one of Bhutto's assassination -- but telling Windows users that they need to install a new high-definition video codec, the program that decodes the digital data stream, to view the clip. Naturally, the so-called codec is no such thing, but is instead rigged code that downloads a variant of the Zlob Trojan horse, a back door that can infect the compromised PC with a wide range of other malware.

"Even death isn't sacred to some," said Symantec researcher Vikram Thakur in a post to the company's security response blog.

Other hackers are relying on the news of Bhutto's assassination to draw users to sites that forgo the codec angle and instead conduct drive-by attacks, said Rahul Mohandas, a security analyst at McAfee's Avert Labs unit. "There are a plethora of sites which attempt drive-by installations when unsuspecting users visit search-engine results for 'Benazir Bhutto,'" said Mohandas in a post to the Avert Labs blog this morning. "Many of these compromised pages have malicious scripts, which point to the 3322 domain. These pages contain obfuscated variants of the MS06-014 exploit, which is perhaps one of the most popular of all the exploits we see on a daily basis." [Computerworld]
