Spammers taking advantage of the attention garnered by the Boston Marathon bombing and the fertilizer plant explosion in Texas have reconfigured two major botnets to inundate Internet users with messages that purport to link to videos of the tragedies, according to security firms.
On April 16, the Kelihos and Cutwail botnets began sending out spam with subject lines such as “Aftermath to explosion at Boston Marathon” and “Boston Explosion Caught on Video,” managed security provider Dell SecureWorks stated in an email advisory.
Users who follow the link in the email land at a site that compromises their systems via the Redkit exploit kit and installs several pieces of malware, including bot software and the ZeroAccess trojan, which makes money for its controller through click fraud and by mining the bitcoin digital currency, the company stated on April 19 in an analysis of the spam campaign.
“The volume of these spam campaigns was quite large, since the Boston Marathon attack theme was used by two different spam botnets at the same time, and two of the largest spam botnets,” Brett Stone-Gross, senior security researcher with Dell SecureWorks, told eWEEK in an email interview.
The attackers registered a series of domains on April 15, immediately after the Boston Marathon bombing occurred, according to networking giant Cisco. By April 17, the spam campaign had peaked, accounting for 40 percent of all spam seen by Cisco, the company said in an advisory.
“Cisco believes that it is very likely that additional threats will make use of the recent tragedy for malicious means,” the company stated.
The emails contain a simple link to a Web page—“boston.html”—at a specific IP address, stated managed security provider Trustwave in its own advisory.
“This style of campaign is a blast from the past,” the company said in the analysis. “Kelihos’s ancestor, Storm, got its name for exploiting storm-related news in early 2007, and the payload was more Storm bots.”
When users click on the link, they are taken to a page with videos, but invisible iframes on the page load one of two Java exploits. If the exploits succeed, a variety of malware is installed on the system, suggesting that the spammers may be collecting affiliate fees for spreading malware.
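A defender-side check for the two indicators the article describes (a mail link to a bare IP address ending in boston.html, and a landing page whose iframes are zero-sized or hidden with CSS), written as an added example that is not from the article or from any of the vendors it quotes; the sample message and page are constructed, and the 192.0.2.x addresses are documentation placeholders, not the campaign's real hosts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject lines the article reports for the April 2013 campaign.
CAMPAIGN_SUBJECTS = (
    "aftermath to explosion at boston marathon",
    "boston explosion caught on video",
)
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

def email_indicators(subject, body):
    """Return why a message matches the campaign pattern (empty list = no match)."""
    reasons = []
    if subject.strip().lower() in CAMPAIGN_SUBJECTS:
        reasons.append("known campaign subject")
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        if IP_LITERAL.match(parsed.hostname or ""):  # link to a bare IP, as in the campaign
            reasons.append("link to bare IP address: " + url)
        if parsed.path.lower().endswith("/boston.html"):
            reasons.append("link to boston.html: " + url)
    return reasons

class HiddenIframeFinder(HTMLParser):
    """Collect the src of every iframe sized to zero or hidden with CSS."""
    def __init__(self):
        super().__init__()
        self.hidden = []
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # valueless attributes become ""
        style = a.get("style", "").replace(" ", "").lower()
        zero_size = a.get("width", "").strip() in ("0", "0px") or a.get("height", "").strip() in ("0", "0px")
        css_hidden = "display:none" in style or "visibility:hidden" in style
        if zero_size or css_hidden:
            self.hidden.append(a.get("src", ""))

def hidden_iframe_sources(html):
    finder = HiddenIframeFinder()
    finder.feed(html)
    return finder.hidden

# Constructed samples (TEST-NET addresses, not the campaign's real infrastructure).
SAMPLE_SUBJECT = "Boston Explosion Caught on Video"
SAMPLE_BODY = "Watch here: http://192.0.2.10/boston.html"
SAMPLE_PAGE = ('<video src="clip1.mp4"></video>'
               '<iframe src="http://192.0.2.20/p.html" width="0" height="0"></iframe>'
               '<iframe src="http://192.0.2.21/x" style="display: none"></iframe>')
```

Running `email_indicators(SAMPLE_SUBJECT, SAMPLE_BODY)` flags all three indicators, and `hidden_iframe_sources(SAMPLE_PAGE)` returns the two hidden iframe sources while ignoring the visible video element.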
The malicious software installed on the system following infection communicates with a server based in Russia, security firm Invincea stated in an analysis. Russia and Eastern Europe are common havens for cyber-criminals.
“The Boston Marathon tragedy is simply another opportunity for cyber-miscreants to exploit people’s curiosity in order to compromise their machines and the networks they run on,” Invincea security consultant Eddie Mitchell wrote in an analysis of the attack. “Based on the location of the command-and-control server we may conclude this is cyber-crime driven, but further examination of the command-and-control network is necessary to be definitive.”
Both botnets have been previously taken down by Microsoft—in the case of the Kelihos botnet, twice. On March 6, managed security firm Trustwave discovered that Kelihos, also known as Hlux, had started up once again and was sending spam related to stock pump-and-dump schemes.
“Despite such efforts, Kelihos and its code persists—each time it merely morphs into something else,” Trustwave said in its analysis. “It goes to show that botnet takedowns may be flashy, but unless you arrest the people running it, or otherwise hamstring them somehow, the chances of a long-term effect are minimal.”