Security Labs

Alerts


Orkut "Account Usage Notification" Malicious Spam

Date: 11.13.2008

Threat Type: Malicious Web Site / Malicious Code

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new malicious social-engineering spam campaign masquerading as official emails sent by Google's Web 2.0 social networking site, Orkut. Orkut is one of the most popular social networking sites in Latin America and the second most visited site in India. The email is spoofed to appear to come from the domain google.com. The fake notification advises the user that their account has been subject to investigation and will be terminated within 72 hours unless they click through the hyperlink and follow the necessary instructions.

Websense's statements in the 2008 Threat Predictions report have been accurate. In our previous alerts, we have seen spammers and malware authors switching tactics to sustain their attacks over a longer time, with an increased success rate through defeating antivirus vendors and content learning technologies. This attack is another instance of such tactics, part of an ongoing trend of increasingly targeting Web 2.0 sites to carry out a wide range of attacks.

Screenshot of the message:

From the above screenshot, it can be seen that the links in the message actually lead to a malicious executable, a Trojan Downloader named "regulamento_orkut.exe" (SHA1: 8eb1366d580aeab38d00a5c32835006c3648b8f3).

This malicious executable has a very low AV detection rate.
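The mismatch described above, a sender shown as google.com with a link that leads to an executable, can be checked mechanically at the mail gateway. The following is an added example, not code from the Websense alert; the brand-domain list, the extension list, the placeholder download host and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions of this sketch, not values from the alert.
BRAND_DOMAINS = ("google.com", "orkut.com")
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".bat", ".cmd")
# Constructed sample message; the download host is a placeholder.
SAMPLE = """\
From: Orkut <noreply@google.com>
Subject: Account Usage Notification
Content-Type: text/html; charset="utf-8"

<a href="http://files.example.invalid/regulamento_orkut.exe">Instructions</a>
<a href="http://www.orkut.com/Home.aspx">Orkut</a>
"""

class HrefCollector(HTMLParser):
    """Collects the href of every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def under(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def audit_message(raw):
    """Return (reason, href) findings for mail claiming a brand sender."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    findings = []
    if not under(sender_domain, BRAND_DOMAINS):
        return findings
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector = HrefCollector()
            collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
            for href in collector.hrefs:
                url = urlparse(href)
                if url.scheme in ("http", "https"):
                    if url.path.lower().endswith(EXECUTABLE_EXTS):
                        findings.append(("executable-link", href))
                    elif not under(url.hostname, BRAND_DOMAINS):
                        findings.append(("off-brand-link", href))
    return findings
```

Calling `audit_message(SAMPLE)` flags only the first link; the link that stays on orkut.com produces no finding.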

When run, the malicious executable downloads another malicious file, "fox.exe" (SHA1: 8e1df3d55a778550affea7c5216e58a55beaf979), from the same site. The file copies itself to multiple locations on the infected machine with different names. It also adds itself to startup, and monitors browser activities with the intent to steal user information.

While the malicious code is being downloaded, a browser window also pops up displaying objectionable material.


Screenshot showing "fox.exe" downloaded onto infected machine:

Screenshot showing user's machine infected:

Websense Messaging and Websense Web Security customers are protected against these threats.