Malware, Threat Management

Boston Marathon blasts breed malware ruses, surge in dubious websites

To no surprise, online malefactors are leveraging the huge public interest in the Boston bombings to take advantage of the curious and the compassionate. 

Researchers said they have identified a malicious executable, which is being served on web pages hosting actual YouTube clips of the blasts and the response.

According to security company Kaspersky Lab, the attack works like this: First, users receive an email – with a subject heading such as "2 Explosions at Boston Marathon" – that contains a link, ending with "news.html," to a rogue site.

Once on that page, users are greeted with URLs of "non-malicious" YouTube clips, but after about a minute, an executable, carrying the name "Boston.avi._.exe," automatically activates. A trojan known as Tepfer then is installe and attempts to connect to IP addresses in Argentina, Taiwan and the Ukraine.

Researchers at security firm Sophos have identified the same malware. In a blog post, Graham Cluley, the company's senior technology consultant, said Tepfer makes registry changes and installs additional files, which enables its controllers to gain remote access of the victim computer.

Other researchers have suggested the campaign is related to the BlackHole exploit toolkit.

"Clearly, there are no depths to which cyber criminals are not prepared to stoop in their hunt for victims," he wrote. "The sick truth is that malware authors and malicious hackers lose no sleep about exploiting the deaths of innocent people in their attempt to infect computers for the purpose of stealing money, resources and identities."

In addition, the incident in Boston already has given rise to a number of domains that reference the attack.

"By my current count, I see 234," wrote John Bambenek, an IT security consultant, on the blog of the SANS Internet Storm Center, where he is an incident handler. Bambenek is using an automated script to monitor the sites.

"Some of these are just parked domains, some are squatters who are keeping the domains from bad people," he wrote. "A couple are soliciting donations (one is soliciting Bitcoins, oddly enough)."

The Better Business Bureau warned Tuesday of an expected increase in bogus charities. This is a predictable ploy among fraudsters. Counterfeit relief sites have popped up in recent years after natural disasters like the Japan tsunami and the Newtown and Virginia Tech shootings.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.