Whatever else malware creators might be, they're quick to take advantage of any event that might enable a new attack vector. The Storm Worm has already morphed twice in the past week, attacking with both a Christmas and a New Year's theme. Now, less than two days after the assassination of Benazir Bhutto, former Prime Minister of Pakistan and leader of the Pakistan People's Party, there's a new malicious Javascript in town. The script in question isn't brand-new, but its creators have quickly adapted it to prey on surfers interested in additional details regarding Bhutto's death.
According to Trend Micro researchers, certain sites purporting to contain information on the assassination have malicious Javascript embedded within them. End users wanting more information on the event can conceivably be directed to one of these infected sites, where the script (identified by Trend Micro as JS_AGENT.AEVE) runs and downloads a Trojan (TROJ_SMALL.LDZ). This new Trojan then downloads and installs WORM_HITAPOP.O and TROJ_AGENT.AFFR.
While the authors of this particular gem are obviously trying to exploit Bhutto's murder, Trend Micro found evidence that the malicious Javascript is actually present on a number of sites, including Autoworld, Vino, MSN, and BlogSpot. The number of infected sites that specifically discuss the assassination is small compared to the total number of sites that appear to be infected—103 vs. 4,240—but the ratio will undoubtedly shift if the topic proves to be an effective attack vector. Trend Micro has stated that its customers are already protected from the exploit; other vendors will probably be quick to follow with patches as they are needed.
Source:
http://arstechnica.com/news.ars/post...ssination.html
Trojan capitalizes on Bhutto assassination
Re: Trojan capitalizes on Bhutto assassination
Linear Mode
