
MA-171.072009: MyCERT Alert - Michael Jackson's Death: Beware of Michael Jackson Spam/Malware

Date: 3 July 2009

1. Introduction

Cyber criminals once again exploited the passing of Michael Jackson, the 'King of Pop', a few days ago as an opportunity to carry out malicious activities against unsuspecting users. We identified several malicious spam links, videos and emails about Michael Jackson's death. The modus operandi of this campaign relies heavily on social engineering techniques aimed at Michael Jackson's fans.

2. Method Of Abuse

MyCERT observed several methods of malware delivery to end users. The attacker starts by sending spam emails containing malicious URLs or malicious file attachments. Below is a detailed explanation of the modus operandi used by the attackers.

a. Spam Emails

The spam message claims that the icon was murdered, and that information on who killed him can be found at the given URL. As Figure 1.0 shows, the attacker tries to lure users into browsing to or opening the link provided. For the video variant, see the method of abuse using video below. Figure 2.0 shows the attacker-controlled malicious website reached through the link in the email. The malicious link points (no longer accessible at the time of writing) to hxxp://mjackson.1ffli.com.mx/x-files/x-file-MJacksonsKiller.exe

Figure 1.0 Michael Jackson Spam Email with malicious file

Figure 2.0 Malicious Website Hosted EXE File Related to MJ's death

Our analysis of the sample retrieved from the website (MD5: 1288b2311431d9e23a6675f51fb8068e) found that it is a variant of zbot. Please refer to Appendix I for a more detailed analysis of the sample.

b. MSN

Besides using email spam as a medium to spread the malware, attackers also distribute malicious links, purportedly about Michael Jackson's last moments in the hospital before his death, via the instant messaging (IM) application MSN. Below is a sample screenshot (Figure 3.0) of an MSN IM window containing several variants of the said malicious links:

Figure 3.0 Malicious Link Related to Michael Jackson's Death Propagated Via MSN

c. Video

In addition to the two methods described above, cyber criminals are also using video as a lure to spread malware. The video is purportedly related to Michael Jackson's top songs and music videos. The said email also contained a suspicious-looking link to an 'exclusive CNN video' about the event. Most of the other links in the spammed message were inaccessible and did not display a working website.

As shown in Figure 3.0, the attackers send spam emails to lure users into browsing to the attacker's website.

Figure 3.0 Spam Email with Video Link Related to MJ's death

Figure 4.0 Fake Flash Player Detection to force users to download malicious program

As Figure 4.0 shows, the attacker tries to trick users by claiming that their Flash Player version is outdated and that a new version must be downloaded before the video can be played. Figure 5.0 shows the fake Flash Player being downloaded, after which the user is expected to execute it. The user actually downloads and runs the malicious software instead of the real Flash Player.

Figure 5.0 User will need to download and execute malicious program to continue watching MJ's video
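The delivery pattern described in sections 2a to 2c (an event-themed lure, a link to a directly downloadable executable, a known malicious host, and a known sample hash) can be turned into a simple mail-filter check. The script below is an added example written for this advisory, not MyCERT's own tooling; the only indicators it carries from the advisory are the MD5 and the defanged download URL, and every sample message, host name and threshold in it is constructed for illustration.

```python
import hashlib
import re

# Indicators quoted from the advisory body. Everything else in this file is
# constructed sample data, not captured campaign material.
KNOWN_BAD_MD5 = {"1288b2311431d9e23a6675f51fb8068e"}
KNOWN_BAD_HOSTS = {"mjackson.1ffli.com.mx"}

# Direct-download executable extensions worth flagging in a mail link.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")
# Lure phrases from this campaign (assumed list, lower-cased for matching).
LURE_TERMS = ("michael jackson", "exclusive video", "who killed", "flash player")

# Matches both live (http/https) and defanged (hxxp/hxxps) URLs so the same
# rule runs over advisory text and over real mail bodies.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"')]+", re.IGNORECASE)


def extract_urls(text):
    """Return every http/hxxp URL found in a block of text."""
    return URL_RE.findall(text)


def url_host(url):
    """Lower-cased host part of a URL (scheme, path and query removed)."""
    rest = url.split("://", 1)[1]
    return rest.split("/", 1)[0].split("?", 1)[0].lower()


def url_path(url):
    """Path part of a URL, without the leading slash ('' if none)."""
    rest = url.split("://", 1)[1]
    return rest.split("/", 1)[1] if "/" in rest else ""


def score_message(subject, body):
    """Return the list of reasons a message resembles this campaign.

    A message is flagged only on a link indicator (known-bad host or an
    executable download); the event lure is recorded as supporting evidence,
    so ordinary news mail about the same event is not flagged on its own.
    """
    text = (subject + "\n" + body).lower()
    reasons = []
    lures = [term for term in LURE_TERMS if term in text]
    for url in extract_urls(body):
        host = url_host(url)
        path = url_path(url).split("?", 1)[0].lower()
        if host in KNOWN_BAD_HOSTS:
            reasons.append("link to known-bad host %s" % host)
        if path.endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("link to executable download: %s" % url)
    if lures and reasons:
        reasons.append("event lure present: " + ", ".join(lures))
    return reasons


def attachment_is_known_sample(data):
    """True when an attachment's MD5 matches a hash published in the advisory."""
    return hashlib.md5(data).hexdigest() in KNOWN_BAD_MD5


# Constructed sample messages (not real captured mail).
SAMPLE_SPAM = (
    "Michael Jackson was killed! See who his killer is here: "
    "hxxp://mjackson.1ffli.com.mx/x-files/x-file-MJacksonsKiller.exe"
)
SAMPLE_FLASH = (
    "Your Flash Player is outdated. Download the update at "
    "http://video-host.example/flash_update.exe to watch the exclusive video."
)
SAMPLE_BENIGN = "Quarterly report attached; the summary is at http://example.com/reports/q2"

if __name__ == "__main__":
    for subject, body in (("Who killed Michael Jackson", SAMPLE_SPAM),
                          ("MJ exclusive video", SAMPLE_FLASH),
                          ("Q2 report", SAMPLE_BENIGN)):
        print(subject, "->", score_message(subject, body) or "clean")
```

The hash check only catches the exact file MyCERT analysed; the URL rules are what give coverage when the binary is repacked, which is why the link indicators, not the hash, drive the verdict.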

3. Recommendations

Generally, MyCERT advises users not to click on or open any pictures or videos claiming to be secret or exclusive footage surrounding the death of Michael Jackson. MyCERT also advises users to keep their systems current with the latest security updates and virus definitions. Users who receive suspicious emails, videos or URLs can forward them to MyCERT for further analysis.

MyCERT can be reached through the following channels:

E-mail: mycert@mycert.org.my
Phone: +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Handphone: +60 19 2665850 (24x7 call incident reporting)
SMS: +60 19 2813801 (24x7 SMS reporting)
Business Hours: Mon - Fri 08:30 - 17:30 MYT
Web: http://www.mycert.org.my

4. Reference

   

Copyright © 2009 - CyberSecurity Malaysia