If you follow the news that arrives in your inbox, then you already know that the U.S. military has started World War III by attacking Iran. Like other news that comes in e-mail form, this outbreak of war in Iran is not the result of U.S. troops crossing a border; it comes courtesy of the Storm (Dorf) botnet.
According to recent e-mails, WW3 is in full swing. (Image: Graf/sxc)
Widely spammed-out e-mails with subject lines such as "Third World War has begun", "20,000 US Soldiers in Iran" and "US Army crossed Iran's borders" have been intercepted by Sophos, McAfee, Trend Micro and other security labs. The e-mails all contain links to malicious web pages that display what appears to be a video player showing the mushroom cloud of a nuclear explosion.
According to Sophos: "The 'Ad banner' for 'Veteran Accredited Program' is at the top of the site, which is not seen in all Dorf sites. Clicking on the banner will try to download the executable form.exe. The video player and the 'click on the video' links will attempt to download iran_occupation.exe. Both executables are detected as Troj/Tibs-UO. Like the Independence Day campaign, the Dorf site also contains a 1×1 iframe to ind.php, which we detect as Mal/ObfJS-AY."
Thanks to fast flux, the domains hosting the malware are too many to list and ever changing. Virus Bulletin explains: "Fast flux is a technique where many computers in a botnet act as proxies to a domain serving malicious and/or illegal content. In fast flux hosting, many nodes on a botnet frequently register and de-register their addresses for a single DNS entry. A URL on that domain will therefore point to a continuously changing IP address."
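The Virus Bulletin description above is also the basis of the usual way defenders spot fast-flux hosting from passive DNS: one name resolving to an unusually large, constantly changing set of addresses, spread across unrelated networks, with very short TTLs so that the rotation actually takes effect. The script below is an added example written for this page, not code from Sophos, Virus Bulletin or the Storm analysis; the hostnames, IP addresses and TTLs are constructed sample observations, and the thresholds are illustrative assumptions rather than published cut-offs.

```python
"""Fast-flux heuristic over a set of DNS observations (added example).

Every name, address and TTL below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsObservation:
    ts: int      # seconds since the start of the capture window
    name: str    # queried hostname
    ip: str      # one A record from the answer section
    ttl: int     # TTL advertised for that record


# Constructed sample: the "video player" name rotates through a fresh address
# (in a different /16 each time) every minute with tiny TTLs, which is what the
# botnet's register/de-register cycle looks like from the outside. The second
# name behaves like a small, stable hosting pool with long TTLs.
SAMPLE = [
    DnsObservation(0,   "video-player.test", "10.17.4.21",   60),
    DnsObservation(60,  "video-player.test", "10.88.200.3",  60),
    DnsObservation(120, "video-player.test", "10.41.9.77",   30),
    DnsObservation(180, "video-player.test", "10.203.55.8",  60),
    DnsObservation(240, "video-player.test", "10.5.66.130",  60),
    DnsObservation(300, "video-player.test", "10.150.12.9",  60),
    DnsObservation(360, "video-player.test", "10.99.1.45",   60),
    DnsObservation(420, "video-player.test", "10.64.80.2",   60),
    DnsObservation(0,    "static-cdn.test", "10.1.0.10", 3600),
    DnsObservation(600,  "static-cdn.test", "10.1.0.11", 3600),
    DnsObservation(1200, "static-cdn.test", "10.1.0.12", 3600),
    DnsObservation(1800, "static-cdn.test", "10.1.0.10", 3600),
    DnsObservation(2400, "static-cdn.test", "10.1.0.11", 3600),
    DnsObservation(3000, "static-cdn.test", "10.1.0.12", 3600),
]


def _prefix16(ip: str) -> str:
    """Crude stand-in for 'different network': the first two octets of an IPv4 address."""
    return ".".join(ip.split(".")[:2])


def summarize(observations):
    """Per-name statistics that a fast-flux rotation distorts: address count,
    network diversity, the shortest TTL seen and the observation window."""
    by_name = defaultdict(list)
    for obs in observations:
        by_name[obs.name].append(obs)

    stats = {}
    for name, records in by_name.items():
        ips = {r.ip for r in records}
        timestamps = [r.ts for r in records]
        stats[name] = {
            "unique_ips": len(ips),
            "distinct_prefixes": len({_prefix16(ip) for ip in ips}),
            "min_ttl": min(r.ttl for r in records),
            "window_seconds": max(timestamps) - min(timestamps),
        }
    return stats


def is_fast_flux(name_stats, max_ttl=300, min_unique_ips=5, min_prefixes=3):
    """Illustrative thresholds (assumptions, not a published rule): short TTL,
    many addresses and those addresses scattered across unrelated /16s.
    Requiring all three keeps ordinary round-robin or CDN names out."""
    return (
        name_stats["min_ttl"] <= max_ttl
        and name_stats["unique_ips"] >= min_unique_ips
        and name_stats["distinct_prefixes"] >= min_prefixes
    )


def classify(observations):
    """Map each observed hostname to True when it looks fast-fluxed."""
    return {name: is_fast_flux(s) for name, s in summarize(observations).items()}


if __name__ == "__main__":
    for name, stats in summarize(SAMPLE).items():
        verdict = "FAST-FLUX" if is_fast_flux(stats) else "normal"
        print(f"{name:20} {verdict:10} {stats}")
```

On real data the observations would come from a passive DNS feed or repeated resolutions of the URLs seen in the spam; the point of checking TTL, address count and network diversity together is that a single low TTL or a handful of addresses is ordinary load balancing, while all three at once is the signature of proxies registering and de-registering against one name.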
"Receiving or reading the emails themselves does not mean you are infected - but visiting the link contained in them, or trying to watch the video, is definitely a bad idea," said Graham Cluley, senior technology consultant at Sophos.
Fake news is not the only news that Storm spreads. Real news events, such as the earthquake in China, are also used as lures, as are holidays and events like the Olympic Games. In 2005, a widespread spam campaign pretended to link to news about Iran's controversial decision to continue work at a nuclear plant, but was really an attempt to infect users with a Trojan. The year before, the Cycle worm (an earlier, unrelated worm; Storm itself did not appear until 2007) dropped a message complaining that European governments were supporting the regime in Tehran because of the war in neighbouring Iraq.