Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Spammers Use Kenya Terrorist Attack to Spread Malware

Created: 03 Oct 2013 14:11:54 GMT • Updated: 23 Jan 2014 18:03:57 GMT • Translations available: 日本語
Ashish Diwakar's picture
+2 2 Votes
Login to vote

Spammers are now leveraging news around the Kenya terror attack by targeting users through an email message that claims to contain news on the attack but in fact contains malware. The spam email includes a malicious URL in the body of the message that redirects users to a compromised Web page that downloads W32.Extrat.

When the malware is executed, it may create the following file:

  • %Windir%\installdir\server.exe

This allows the attacker to steal passwords and gain access to sensitive files and information belonging to the user.

Kenya.png

Figure. Screenshot of spam email asking user to download .exe file

The email displays a message to “Click HERE to view & watch” videos and images of the terror attack at the Westgate mall. Clicking the link opens up a compromised Web page. After loading the Web page, the user is presented with a popup asking them to download the file “Kenya terror Video.exe.” This executable binary file is a generic form of malware named W32.extrat that, if downloaded, could exploit vulnerabilities on the user’s computer. Spammers use the promise of video and pictures as a trap to lure large number of users seeking information about the terror attack.

The spam email message may have the following subject line:

  • Official: Kenya mall attackers Video

The following is a sample of a malicious URL included in the spam email:

  • http://[REMOVED].[REMOVED].com/u/210772057/Kenya terror Video.rar

Symantec endpoint protection technology allows preventative detection and identification of this kind of malicious site, even in cases where the site has not yet been reported to Symantec as malicious. Symantec protects customers from this type of attack with products that include antivirus and antispam technology such as Norton AntiVirus and Norton Internet Security.

The malware used in this attack is detected by Symantec as W32.Extrat.

Users are advised to adhere to the following best practices in order to avoid malicious attacks:

  • Do not open attachments or click on links in suspicious email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • Keep security software up-to-date.