Avatar

Summary

On April 16th at 11:00pm GMT, the first of two botnets began a massive spam campaign to take advantage of the recent Boston tragedy. The spam messages claim to contain news concerning the Boston Marathon bombing. The spam messages contain a link to a site that claims to have videos of explosions from the attack. Simultaneously, links to these sites were posted as comments to various blogs.

The link directs users to a webpage that includes iframes that load content from several YouTube videos plus content from an attacker-controlled site. Reports indicate the attacker-controlled sites host malicious .jar files that can compromise vulnerable machines.

On April 17th, a second botnet began using a similar spam campaign. Instead of simply providing a link, the spam messages contained graphical HTML content claiming to be breaking news alerts from CNN.

Cisco Intrusion Prevention System devices, Cloud Web Security, Email Security Appliances, and Web Security Appliances have blocked this campaign from the start.

Threat Detection and Defense

Cisco became aware of a range of threats forming on April 15th when hundreds of domains related to the Boston tragedy were quickly registered with DNS providers. Regarding the botnet spam-specific threat, from a volume perspective we’ve seen peaks approaching 40% of all spam being sent as demonstrated in the graphic below:

Spam Volume

Cisco’s Email Security Appliances (ESA) have been blocking these threats since the campaigns began. Cisco’s Web Security Appliances (WSA) and Context Aware Firewalls (ASA CX) have been blocking websites that host the iframes with the malicious content based on poor reputation scores. Cisco’s Web Security Appliances (WSA) and Cloud Web Security products have blocked the malicious executable, as well as exploitation of CVE-2012-1723. Cisco Intrusion Prevention System products detect exploitation of CVE-2012-1723 with signature 2083-0.

Activity related to this campaign is also available via IntelliShield Security Activity Bulletin 29020.

Technical Details

Some of the malicious links were posted to blogs as evidenced by the screen captures below:

link

comment

The initial spam assault also contained these same links. The link in the spam referenced a malicious site that appears to be a collection of YouTube videos in a column. In the source HTML, the final iframe (obfuscated here) is for a malicious website:

attack_source

Upon loading the content from the last iframe, the user would be prompted to download a malicious jar file that is detected as an attempt to exploit CVE-2012-1723. The user may also be prompted to download a suspicious Windows executable masquerading as a movie file.

The second botnet’s spam campaign is masquerading as a message from CNN. These spam messages entice the user with a link claiming: “You have received the following link from BreakingNews@mail.cnn.com”.

cnn_spam

 

In reality, the link takes users to a compromised website that contains an instant HTTP meta-refresh redirect to an attacker controlled site that we believe is attempting to install the Blackhole Exploit Kit (BHEK).

Conclusion

It is not uncommon for spam to take advantage of high profile events that capture worldwide attention such as the Boston tragedy. Often such attempts aim to persuade the victim into launching malware, providing sensitive information, advanced-fee fraud, fake pharmaceutical websites, or purchasing spamming services.

Every time an event attracts worldwide attention it is often used as a target of opportunity. In this particular instance, one of the botnets is spreading via a well-known Java vulnerability. It appears that many of the infected links have been removed or remediated, so it is possible the life of these specific campaigns will be relatively short. Cisco believes that it is very likely that additional threats will make use of the recent tragedy for malicious means.



Authors

Craig Williams

Director

Talos Outreach