Emails with malicious URLs use the tragedy in Boston to exploit vulnerable Java installations (updated)

Yesterday the USA suffered a bomb attack during the marathon held in Boston. The US President characterized it as a "terrorist attack" since it targeted civilians.

Not even 24 hours later, we started to see massive amounts of spam with subjects like "Explosion at Boston Marathon" and "Boston Explosion caught on Video". This social engineering technique is not new: we see it every time something happens in the world (a war, a natural catastrophe, a social event) that is potentially interesting to a lot of people. It is an old technique, but every time it finds new victims.


On Facebook there were also posts with links to various websites which are still being categorized. It is to be assumed that a large part of them point to websites hosting such malware.

The emails contain only a single line: a URL consisting of an IP address and an HTML page called "news.html" or "boston.html".

Once visited, the page redirects to three other URLs which try to drop a JAR file on your system if they detect that the computer has a vulnerable Java installation.
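A mail-filter check for the indicators described above, written here as an added example for this post and not Avira's own detection code: the page names and subject keywords come from the post, the sample messages are constructed, and the 192.0.2.10 address is a documentation placeholder rather than a real indicator.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators from the post: one-line body, IP-address host, these page names,
# subjects built around the Boston explosion. All filter names are hypothetical.
CAMPAIGN_PAGES = {"news.html", "boston.html"}
SUBJECT_KEYWORDS = ("boston", "explosion")


def bare_ip_url(body: str):
    """Return (host, page) when the body is a single line that is only a URL
    whose host is an IP literal; otherwise return None."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if len(lines) != 1 or " " in lines[0]:
        return None
    url = lines[0] if "://" in lines[0] else "http://" + lines[0]
    parts = urlsplit(url)
    try:
        ipaddress.ip_address(parts.hostname)
    except (ValueError, TypeError):
        return None  # hostname missing or not an IP literal
    page = parts.path.rsplit("/", 1)[-1].lower()
    return parts.hostname, page


def classify(subject: str, body: str):
    """Return the list of campaign indicators found; an empty list means clean."""
    reasons = []
    hit = bare_ip_url(body)
    if hit:
        host, page = hit
        reasons.append(f"body is only an IP-literal URL ({host})")
        if page in CAMPAIGN_PAGES:
            reasons.append(f"landing page name matches campaign ({page})")
    if all(k in subject.lower() for k in SUBJECT_KEYWORDS):
        reasons.append("subject uses the Boston explosion lure")
    return reasons


# Constructed sample messages; 192.0.2.10 is a documentation address, not a real IoC.
LURE = ("Explosion at Boston Marathon", "http://192.0.2.10/news.html\n")
BENIGN = ("Boston Marathon: how to help",
          "Dear reader,\nDonate at https://example.org/boston/help\nThanks")

if __name__ == "__main__":
    for subject, body in (LURE, BENIGN):
        print(subject, "->", classify(subject, body) or "clean")
```

A message that triggers two or more indicators is a good candidate for quarantine; a bare IP-literal URL alone is rarer in legitimate mail but can still occur, so it is better scored than blocked outright.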

(Screenshot: Boston Marathon Malware 2)

Update: we also have a screenshot of one of these websites. It shows a short video while trying to execute the JAR file that exploits the Java vulnerability.

We have written many times that Java is dangerous because of its many exploits, and most probably you don't need it on your system. Learn here how to disable or uninstall it.

The file is downloaded from a randomly generated URL which is different for each visitor:

(Screenshot: randomly generated download URLs)

The malicious file is saved in the TEMP directory of the logged-on account and named "alifna.exe". Furthermore, the file itself also seems to be randomly generated, because each visitor gets a slightly different version of it. Fortunately, the files do not change much (they are not polymorphic), so our products already detect them generically as "TR/Crypt.ZPACK.Gen".

So, nothing to worry about: all Avira users are already safe.


Many thanks to Eric Burk from the VLAB in Germany for the analysis.


Sorin Mustaca

IT Security Expert