
Large-Scale Spam Campaign Continues

Updated: 29 Jun 2009
Silas Barnes

As expected, the arrival of the 2008 Olympics in Beijing was accompanied by an increase in Olympics-related spam. From fake news to performance-enhancing medication, spammers are taking full advantage of the Games to entice us to click their links and open their attachments.

The majority of the malicious links lead to one of a number of variants of Downloader, Backdoor.Trojan, Infostealer, Trojan.Erotpics, and, more recently, Trojan.Pandex. These threats, which use filenames such as get_flash_update.exe, get_flash_codec.exe and install.exe, are only the first stage: the real payload they fetch is a fake antivirus product.

The tried-and-true method of malicious file delivery for this round is the use of false news stories relating to the Olympics:

[image: spam email carrying a fake Olympics news story, with the malicious link circled in red]

This particular link (circled in red in the above image) points to one of a range of fraudulent pages hosting the file install.exe (detected as Trojan.Pandex) which, once executed, gets down to work.

After an encrypted check-in with one of the control servers, several DNS lookups are performed for the malicious domain, which points to a range of fluxing IP addresses under the control of the attackers. The install.exe "stub" then retrieves a copy of the file 14scan1.exe (detected as Trojan.DesktopHijack), which changes the victim's desktop:

[image: the victim's desktop after Trojan.DesktopHijack has replaced the wallpaper]

Then, fake security software known as "Antivirus XP 2008" (detected as AntivirusXP2008) is downloaded and installed on the victim's machine:

[image: the fake "Antivirus XP 2008" scan results]

The results of this supposed scan are, of course, fraudulent and rely on unsuspecting victims paying the activation fee to "remove" non-existent threats. To add to the confusion, a fake "Blue Screen of Death" screensaver is silently installed and activated, and some of the controls in the Display Properties tab are disabled so the user cannot easily change the screensaver back to the original one.

As mentioned above, Symantec has a number of detections for the malicious files. In addition, Symantec Browser Protection triggers on malicious pages as HTTP Fake Codecs WebPage.
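The fluxing IP addresses behind the malicious domain described above are something a defender can look for in their own DNS telemetry. The script below is an added example, not Symantec's code or tooling and not an indicator from this campaign: it parses constructed passive-DNS style log lines (placeholder domain names and RFC 5737 documentation addresses) and flags domains whose A records churn through many addresses in unrelated /16 networks with short TTLs. The thresholds are assumptions for illustration.

```python
"""Fast-flux heuristic over passive-DNS style log lines (added example)."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log, one record per line: "<timestamp> <qname> <rtype> <ttl> <answer>".
# Domain names and IP addresses are placeholders, not indicators from the campaign.
SAMPLE_DNS_LOG = """\
2008-08-14T10:00:01 flash-codec-update.example A 180 198.51.100.17
2008-08-14T10:03:05 flash-codec-update.example A 180 203.0.113.44
2008-08-14T10:06:09 flash-codec-update.example A 180 192.0.2.91
2008-08-14T10:09:13 flash-codec-update.example A 180 198.51.100.203
2008-08-14T10:12:17 flash-codec-update.example A 180 203.0.113.9
2008-08-14T10:15:21 flash-codec-update.example A 180 192.0.2.150
2008-08-14T10:00:30 www.example.com A 86400 192.0.2.1
2008-08-14T10:30:30 www.example.com A 86400 192.0.2.1
2008-08-14T11:00:30 www.example.com A 86400 192.0.2.1
2008-08-14T11:05:00 www.example.com MX 86400 mail.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")


@dataclass
class FluxStats:
    """Per-domain aggregate of the A records observed."""
    ips: set = field(default_factory=set)
    prefixes: set = field(default_factory=set)  # distinct /16 networks seen
    max_ttl: int = 0

    @property
    def distinct_ips(self) -> int:
        return len(self.ips)


def parse_a_records(log_text):
    """Yield (qname, ttl, ip) for well-formed A-record lines; skip everything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, qname, rtype, ttl, answer = m.groups()
        if rtype != "A":
            continue
        try:
            ip = ipaddress.IPv4Address(answer)
        except ipaddress.AddressValueError:
            continue
        yield qname.lower().rstrip("."), int(ttl), ip


def summarize(log_text):
    """Aggregate address diversity and TTL per queried domain."""
    stats = defaultdict(FluxStats)
    for qname, ttl, ip in parse_a_records(log_text):
        s = stats[qname]
        s.ips.add(ip)
        # Crude network-diversity proxy: the /16 containing the answer.
        s.prefixes.add(ipaddress.ip_network(f"{ip}/16", strict=False))
        s.max_ttl = max(s.max_ttl, ttl)
    return dict(stats)


def flag_fast_flux(log_text, min_ips=5, min_prefixes=3, max_ttl=300):
    """Return domains whose A records look like fast-flux hosting.

    Thresholds are assumptions for this example. A low TTL on its own is
    normal for CDNs; it is the combination with many answers spread across
    unrelated networks that separates flux from ordinary load balancing.
    """
    return sorted(
        d for d, s in summarize(log_text).items()
        if s.distinct_ips >= min_ips
        and len(s.prefixes) >= min_prefixes
        and s.max_ttl <= max_ttl
    )


if __name__ == "__main__":
    for d, s in summarize(SAMPLE_DNS_LOG).items():
        print(f"{d}: {s.distinct_ips} IPs, {len(s.prefixes)} /16s, max TTL {s.max_ttl}")
    print("flagged:", flag_fast_flux(SAMPLE_DNS_LOG))
```

Run against a real resolver log, the same aggregation works on any feed that records answer and TTL; the /16 bucket is deliberately crude, and replacing it with an ASN lookup gives a better diversity measure.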

You may also have seen reports of malicious spam doing the rounds posing as updates to Microsoft products, including the Malicious Software Removal Tool and Internet Explorer 7, as videos with adult material, and as news alerts from CNN and MSNBC. The links contained within these spam emails also end up downloading and installing the fake Antivirus XP 2008 software.

Whether the group behind Antivirus XP 2008 is controlling this entire campaign or has employed additional malicious parties to enhance the success of its spam delivery, over 500,000 spam emails with links to Antivirus XP 2008 have been recorded via our probe network in the past 14 days, a large spike in activity for a single threat. As always, make sure you update your security products regularly to ensure you are protected against the latest threats.

Message Edited by SR Blog Moderator on 08-19-2008 08:31 AM