The new campaign uses email like this one:
which redirects visitors to more than 40 different websites which all look like this:
The list of websites we've seen so far in our spam include all of these:
MJackson.1ffli.com.mx
MJackson.hhili.com.mx
MJackson.hilli.com.mx
MJackson.ijjik1.com
MJackson.ijjik1.net
MJackson.ijjil1.com
MJackson.ijjil1.net
MJackson.ijjilk.com
MJackson.ijjilk.net
MJackson.ijjill.com
MJackson.ijjill.net
MJackson.ijjkl1.net
MJackson.ijkil1.com
MJackson.ijkil1.net
MJackson.ikikij.com
MJackson.ikilfk.com
MJackson.ikilij.com
MJackson.ikilij.net
MJackson.ikilik.net
MJackson.ikilkj.com
MJackson.ikilkj.net
MJackson.ikjil1.com
MJackson.ikjil1.net
MJackson.ikklij.com
MJackson.ilifi.com.mx
MJackson.iljihli.com.mx
MJackson.kiffil.com.mx
MJackson.kjjil1.com
MJackson.kkilij.com
Analysis of the malware performed by UAB Malware Analyst, Brian Tanner, a Computer Forensics student, reveals that just visiting the website is enough to infect your computer. Especially if the visitor doesn't have the current version of Adobe Acrobat Reader.
Older versions of Adobe Acrobat have a vulnerability that allows JavaScript to run when a PDF file is viewed. Visitors to the Michael Jackson X-Files website are asked to download and run a program called:
x-file-MJacksonsKiller.exe
But even if the visitor is wise enough not to open the file, a secret IFRAME embedded on the site will cause an infected PDF file to be downloaded and opened in a background window. If the Adobe Reader is an old version, the Javascript in the PDF will cause the .exe file to download and execute anyway.
VirusTotal reveals that only 10 of 41 anti-virus products currently detect this malware. Here's a VirusTotal Report.
0 comments:
Post a Comment