
WSLabs, Malicious Websites / Malicious Code: New fake patch malicious code run

Posted on 09 July 2007
Websense Security Lab

Websense® Security Labs(TM) has received reports of a new email campaign that attempts to lure users into downloading malicious code. It appears that the same group behind the widespread July 4th attacks, which used greeting card lures to spread, is behind this run as well. The July 4th greeting card run used more than 250 sites hosting a variety of malicious code. The new websites use exactly the same JavaScript obfuscation technique and exploit code as the greeting card run.

All of the emails contain URLs that send users to an IP address, where a page attempts to exploit the visitor's browser if it is vulnerable. If the browser is not vulnerable the exploit code fails, but the page still tries to get the user to download a file called patch.exe by displaying the message "If your download does not start in approximately 15 seconds click here to download".

The theme of the new email campaign is a new patch, supposedly available for users who may have been infected by a recent worm.

Subject lines we have seen so far are:

* Virus Detected!
* Trojan Alert!
* Worm Alert!
* Worm Activity Detected!

If users are running vulnerable browsers, several files are downloaded and run on their machines and Trojan horses are installed. As in the July 4th greeting card attacks, there are several versions of the code being uploaded by the attackers in order to thwart detection.
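The lure described above can be screened at the mail gateway with a few simple heuristics taken straight from this alert: a subject line from the list above, links whose host is a bare IP address rather than a domain name, and links that end in patch.exe. The following Python script is an added example written for this page; it is not Websense code and does not reproduce the attackers' pages. The two messages it scans are constructed here (192.0.2.10 is a documentation address), and the message parsing uses only the Python standard library.

```python
import re
from email import message_from_string
from email.policy import default
from ipaddress import ip_address
from urllib.parse import urlparse

# Subject lines reported in the alert (compared case-insensitively).
SUSPICIOUS_SUBJECTS = {
    "virus detected!",
    "trojan alert!",
    "worm alert!",
    "worm activity detected!",
}

# Filename offered by the fallback download prompt described in the alert.
SUSPICIOUS_FILENAMES = {"patch.exe"}

# Rough URL matcher: enough for plain-text mail bodies in this example.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def host_is_ip(url):
    """True when the URL's host is a literal IPv4/IPv6 address, not a name."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def extract_urls(text):
    """Return URLs found in the text, with trailing sentence punctuation removed."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def score_message(raw):
    """Parse one RFC 822 message and return the list of lure indicators hit."""
    msg = message_from_string(raw, policy=default)
    reasons = []

    subject = str(msg["Subject"] or "").strip().lower()
    if subject in SUSPICIOUS_SUBJECTS:
        reasons.append(f"subject matches lure: {subject!r}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in extract_urls(text):
        if host_is_ip(url):
            reasons.append(f"link to bare IP address: {url}")
        filename = urlparse(url).path.rsplit("/", 1)[-1].lower()
        if filename in SUSPICIOUS_FILENAMES:
            reasons.append(f"link to executable: {url}")
    return reasons


def is_lure(raw):
    """Flag a message when any indicator from the alert is present."""
    return bool(score_message(raw))


# Constructed sample messages (not real captures).
SAMPLE_LURE = """\
From: alerts@example.com
To: user@example.net
Subject: Worm Alert!

Your computer may be infected. Download the patch from
http://192.0.2.10/patch.exe to remove the worm.
"""

SAMPLE_BENIGN = """\
From: colleague@example.com
To: user@example.net
Subject: Meeting notes

See https://www.example.com/minutes for the notes.
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, "->", score_message(raw) or "clean")
```

A single indicator is enough to flag a message here because each one is unusual on its own in legitimate mail; in production you would tune the thresholds, decode HTML bodies before extracting links, and feed the bare-IP and filename checks with the URLs seen in the actual campaign rather than the single placeholder address used above.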

Websense security customers are protected from connecting to the websites hosting the malicious code.


For additional details and information on how to detect and prevent this type of attack:
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=786
