Orkut "Message Notification" Malicious Spam
Threat Type: Malicious Web Site / Malicious Code
Websense® Security Labs™ ThreatSeeker™ Network has discovered a new, malicious social-engineering spam campaign that is disguised as an official email sent from Google's Web 2.0 social networking site, Orkut.
This campaign is another attempt by spammers to profit from popular Web 2.0 services. A spoofed personal message, in Portuguese, is sent from a user allegedly on the Orkut network seeking love. This campaign continues a previous attempt to target Orkut. We issued an alert about the previous attempt last week.
Screenshot of the new message:
The message contains several links that appear to lead to the official Orkut Web site. Clicking on a link actually leads to a malicious executable file, which is a Trojan Downloader named "imagem.exe" (SHA1: 6862b862877e5cb9f2180cc53ee4338977bc0efb).
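The deception described above is that the visible link text names the legitimate Orkut site while the underlying href points at an executable on another host. The following added example (not Websense code) shows how a mail filter can flag such links: it collects every anchor in an HTML body and reports any whose text mentions orkut.com while the href host differs, and any whose target is a Windows executable. The message body and the hostname `example.invalid` are constructed placeholders, not the campaign's real content.

```python
"""Flag deceptive links in an HTML e-mail body (added example, not Websense code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOST = "orkut.com"  # the brand the spoofed message impersonates
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".pif")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host):
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)


def find_deceptive_links(html):
    """Return [(href, text, [reasons])] for links worth blocking."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        # 1. Visible text claims the trusted brand but the href goes elsewhere.
        if TRUSTED_HOST in text.lower() and not is_trusted_host(host_of(href)):
            reasons.append("text/href host mismatch")
        # 2. The target is an executable download rather than a web page.
        if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("link to executable")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample resembling the alert's message: the first link shows
# an orkut.com URL as text but downloads an .exe from a placeholder host.
SAMPLE_BODY = """
<p>Voce recebeu um recado no Orkut.</p>
<a href="http://example.invalid/imagem.exe">http://www.orkut.com/Scrapbook.aspx</a>
<a href="http://www.orkut.com/Home.aspx">www.orkut.com</a>
<a href="http://example.invalid/download/imagem.exe">Ver recado</a>
"""

if __name__ == "__main__":
    for href, text, reasons in find_deceptive_links(SAMPLE_BODY):
        print(f"{href!r} shown as {text!r}: {', '.join(reasons)}")
```

The second link in the sample is genuine (text and host both on orkut.com) and is not reported; the first trips both checks, the third only the executable check.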
The malicious file opens the legitimate Orkut login page and, in the background, downloads a password-stealing Trojan named "msn.exe" (SHA1: eee7ea71e6ce023fb9000ed75854a8cfd1fafe63). "msn.exe" is copied to various system locations under different names, such as "plugin.exe" and "kss.exe", and these copies are configured to run at system startup.
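The two SHA1 values and the filenames above are the indicators a responder has to work with. The following added example (not Websense code) scans a directory tree and reports files whose SHA1 matches either published hash or whose name matches one of the dropped copies. The files it creates in `demo()` are constructed samples, so their hashes cannot equal the real ones; the demo registers one constructed digest as an extra indicator only to exercise the hash path. It does not inspect the startup entries the copies are bound to; that check is platform-specific and is left to the reader's tooling.

```python
"""Scan a directory tree for the alert's file indicators (added example, not Websense code)."""
import hashlib
import os
import tempfile

# SHA1 values and filenames taken from the alert text.
IOC_SHA1 = {
    "6862b862877e5cb9f2180cc53ee4338977bc0efb": "imagem.exe (Trojan downloader)",
    "eee7ea71e6ce023fb9000ed75854a8cfd1fafe63": "msn.exe (password stealer)",
}
IOC_NAMES = {"imagem.exe", "msn.exe", "plugin.exe", "kss.exe"}


def sha1_of_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, extra_sha1=None):
    """Return sorted [(path, reason)] for files matching a hash or a name indicator.

    extra_sha1 is an optional {digest: label} mapping merged with IOC_SHA1.
    """
    hashes = dict(IOC_SHA1)
    hashes.update(extra_sha1 or {})
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in IOC_NAMES:
                reasons.append("filename matches dropper artifact")
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the scan
            if digest in hashes:
                reasons.append("SHA1 matches " + hashes[digest])
            if reasons:
                findings.append((path, "; ".join(reasons)))
    return sorted(findings)


def demo():
    """Build a constructed tree with one name hit and one hash hit; return the reasons."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "system32")
        os.makedirs(sub)
        with open(os.path.join(sub, "kss.exe"), "wb") as f:
            f.write(b"constructed sample, not the real binary")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"benign text")
        # The real hashes cannot be reproduced here, so register the benign
        # file's digest as an extra indicator to exercise the hash path.
        extra = {sha1_of_file(os.path.join(root, "readme.txt")): "demo hash"}
        return [reason for _, reason in scan_tree(root, extra)]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

In use, point `scan_tree` at the Windows system directories the alert says the copies land in and drop the `extra_sha1` argument; hash matching is exact, so a repacked variant will only be caught by the filename check.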
The Trojans in this attack are hosted on a compromised labor union Web site from southern Brazil. This continues the trend of malcode hosted on compromised Web sites.
Screenshot of the Brazilian labor union Web site's main page:
Websense Messaging and Websense Web Security customers are protected against this attack.