SANS ISC: InfoSec Handlers Diary Blog
Update on Osama Bin Laden themed Malware

Published: 2011-05-03
Last Updated: 2011-05-03 12:20:44 UTC
by Johannes Ullrich (Version: 1)

So far, we have seen very little Osama Bin Laden themed malware. The most prominent case, discussed by a number of sites, took advantage of Facebook.

The page asks the user to copy and paste JavaScript into the browser's address bar, so the code runs in the user's own, already logged-in Facebook session. This technique isn't new, and it is still amazing what people will do to watch a video. The JavaScript will... you guessed it... load more JavaScript.

Here is a quick rundown of what the JavaScript does:

- Send a message "See the Osama Bin Laden EXECUTION Video! http://clickily.ws/...." (full URL omitted)
- Add a message to your status pointing to the "video"

Some of the domain names and IP addresses involved in this scam:

- 208.110.85.172 (see code below)
- ow.ly and clickily.ws (URL shorteners used by the scam; not all URLs at these domains are malicious)
- cooldadssz.co.cc (tries to download a file called "laden.png". However, this file no longer appears to be available)
- www.hindustantimes.com (a non-malicious newspaper site, only used to download a "Loading" indicator)
- spprf.info (hosting an HTML page shown after the script runs)
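The indicator list above is only useful if it is applied with the caveats the diary gives: the shortener domains and the newspaper site should not be blocked outright. The following script, an added example and not code from the diary or from SANS ISC, shows one way to run the indicators over proxy logs with that tiering. The squid-style log format (timestamp, client IP, status, method, URL) and the sample log lines are constructed for illustration; the hosts and IP are the ones listed above, and the block/review/ignore tiers are this example's own judgement.

```python
"""Scan proxy log lines for the hosts and IP named in the diary.

Added example; the log format and SAMPLE_LOG are constructed, not real.
Indicators are tiered so that URL shorteners are flagged for review
rather than blocked, and the legitimate newspaper site is ignored.
"""
import re
from urllib.parse import urlparse

# Indicators from the diary, tiered (tiering is an assumption of this example):
#   block  - hosts/IP the diary ties directly to the scam
#   review - URL shorteners the scam used; not every link there is malicious
#   ignore - legitimate site, only used to fetch a "Loading" image
IOC_HOSTS = {
    "cooldadssz.co.cc": "block",
    "spprf.info": "block",
    "208.110.85.172": "block",
    "ow.ly": "review",
    "clickily.ws": "review",
    "www.hindustantimes.com": "ignore",
}

# Assumed log format: "<timestamp> <client ip> <status> <method> <url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\d{3})\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed sample log: one client walks the whole chain, others hit shorteners or the IP.
SAMPLE_LOG = """\
1304424000.123 10.0.0.5 200 GET http://www.facebook.com/home.php
1304424001.456 10.0.0.5 302 GET http://clickily.ws/abc123
1304424002.789 10.0.0.5 404 GET http://cooldadssz.co.cc/laden.png
1304424003.012 10.0.0.5 200 GET http://www.hindustantimes.com/images/loading.gif
1304424004.345 10.0.0.5 200 GET http://spprf.info/index.html
1304424005.678 10.0.0.7 200 GET http://ow.ly/xyz789
1304424006.901 10.0.0.9 200 GET http://208.110.85.172/js/load.js
"""


def classify_url(url):
    """Return (verdict, matched_host); verdict is clean/block/review/ignore.

    Matches the exact host or IP, and any subdomain of a listed domain.
    """
    host = (urlparse(url).hostname or "").lower()
    verdict = IOC_HOSTS.get(host)
    if verdict is None:
        for ioc, tier in IOC_HOSTS.items():
            if host.endswith("." + ioc):
                verdict = tier
                break
    if verdict is None:
        return "clean", None
    return verdict, host


def scan(log_text):
    """Parse log lines and return the entries worth acting on (block or review)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        verdict, host = classify_url(m["url"])
        if verdict in ("block", "review"):
            hits.append({
                "client": m["client"],
                "verdict": verdict,
                "host": host,
                "url": m["url"],
                "status": m["status"],
            })
    return hits


def clients_to_triage(hits):
    """Clients that touched a 'block' indicator; these sessions likely ran the script."""
    return sorted({h["client"] for h in hits if h["verdict"] == "block"})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['verdict']:6} {h['client']:10} {h['status']} {h['url']}")
    print("triage:", ", ".join(clients_to_triage(found)))
```

A 404 on laden.png (as in the constructed sample) is consistent with the diary's note that the file is no longer available; the client still pasted the script, so the request itself is the signal, not the response code.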

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
