
Bhutto assassination video, websites faked to spread malware

December 28, 2007
Cyberattackers are exploiting the assassination of former Pakistani Prime Minister Benazir Bhutto to spread malware, according to researchers at numerous anti-virus vendors.

Symantec Security Response researchers found that a search for “Pakistan prime minister assassination” led to a number of pages claiming to have video of the killing of Bhutto, who had returned from exile to again seek power.

The fake video displays what purports to be an ActiveX object error message, which infects PCs with a trojan, Vikram Thakur, a Symantec Security Response researcher, said on a company blog.

“Following the link in the [pictured] image downloads a malicious file hosted on a server in Denmark. The malicious downloaded file is detected by Symantec products as Trojan.Emcodec,” Thakur said. “It just goes to show, even death isn't sacred to some.”

Bhutto was assassinated by a suicide bomber early Thursday morning after campaigning in Rawalpindi for parliamentary elections scheduled for Jan. 8. The former prime minister had returned to Pakistan in October, surviving an earlier attempt on her life upon her arrival.

Researchers at anti-virus vendor Trend Micro found a number of malicious websites taking advantage of PC users seeking news on the assassination via search engines.

One site uses a JavaScript redirect called JS_Agent.AEVE, which downloads a malware-seeking trojan, according to TrendLabs researcher Mayee Corpin.

“The malicious JavaScript is apparently not exclusive to new sites – it is also presently embedded on other websites with a broad scope of topics and interests,” said Corpin on the TrendLabs blog. “There are many other sites that have been possibly compromised, including Autoworld, Vino, Dogpile, MSN, BlogSpot, etc.”

Researchers at Websense also reported that malicious sites seeking to take advantage of the event had achieved high positions on prominent search engines.

The first site Websense researchers found was the second result in a Google search using “a generic and simple keyword,” according to a Websense alert, which added that the link did not prompt a warning from Google that the site may be malicious.