Swine Flu-Inspired Threats 

May 08, 2009 02:47 PM

News becomes valuable once it has attracted a large amount of public attention. Such news can be used for mass agitprop campaigns, marketing, and so on, but it can also be used for malicious purposes. The recent swine flu news has motivated malware authors to create a virus and distribute it through swine flu-related spam emails.

A malicious swine flu-related PDF file that exploits an already known PDF vulnerability was mentioned in a previous post. In China, Symantec has discovered another attack utilizing this widely publicized topic: compromised news and informational websites that talk about swine flu.

 

 

 

 

As shown in the above screenshot, the website has been injected with a script that will redirect users to another encrypted, malicious Web page (23ff[REMOVED]22.org/a/cnzz.htm). Part of the encrypted code is shown below:

 

 

 

 

Here is the code after decryption:

 

 

 

 

The script could redirect users to different malicious websites based on their browser information. Those malicious websites may target any number of vulnerabilities in third-party software installed on the computers, such as games or media players.
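For site operators, one way to catch this kind of injection is to audit published pages for tags that load content from hosts the site never approved. The following is an added example, not code from Symantec or from the analyzed site; the hosts `news.example`, `partner.example` and `injected.example`, the file `loader.js` and the form of the injected tags are constructed assumptions, and only the `/a/cnzz.htm` path comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch or navigate to a URL.
LOADING_ATTRS = {"script": "src", "iframe": "src", "frame": "src",
                 "embed": "src", "object": "data"}

class ExternalRefAuditor(HTMLParser):
    """Collect resource references that leave the site's approved hosts."""

    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        self.allowed = {h.lower() for h in allowed_hosts}
        self.allowed.add(urlsplit(page_url).hostname)  # the site itself
        self.findings = []  # (line, tag, absolute_url)

    def _check(self, tag, raw_url):
        # Resolve relative and protocol-relative URLs before comparing hosts.
        url = urljoin(self.page_url, raw_url.strip())
        host = urlsplit(url).hostname
        if host and not any(host == a or host.endswith("." + a) for a in self.allowed):
            self.findings.append((self.getpos()[0], tag, url))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in LOADING_ATTRS and attrs.get(LOADING_ATTRS[tag]):
            self._check(tag, attrs[LOADING_ATTRS[tag]])
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=http://host/path"
            content = attrs.get("content") or ""
            idx = content.lower().find("url=")
            if idx != -1:
                self._check("meta-refresh", content[idx + 4:].strip("'\" "))

def audit(html, page_url, allowed_hosts=()):
    auditor = ExternalRefAuditor(page_url, allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample: a news page with two legitimate scripts and two injected tags.
SAMPLE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://stats.partner.example/counter.js"></script>
</head><body><h1>Swine flu update</h1>
<script src="//injected.example/a/loader.js"></script>
<iframe src="http://injected.example/a/cnzz.htm" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in audit(SAMPLE, "http://news.example/flu.html", ["partner.example"]):
        print(f"line {line}: <{tag}> loads {url}")
```

Run against each deployed page and compared with the previous run, a new finding points to the line where the template or content store was modified.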


Below is an example of an exploit against a popular game, the Lian Zhong Cyber Game. The code is from the malicious site 23ff[REMOVED]22.org/a/lz.htm, which attempts to exploit a vulnerability in the game.

 

 

 

 

If it successfully exploits the vulnerability in the Lian Zhong software, users may unwittingly download and run the following malicious files:

 

 

Symantec detects the above files as the following threats:

 

Infostealer.Gampass
Infostealer.Onlinegame
Infostealer
Trojan Horse

We advise users to patch all multimedia software in a timely manner. Meanwhile, be cautious with emails from unknown third parties, and don’t open suspicious attachments in emails such as these, to avoid threats that could be downloaded onto your computer.

Note: Special thanks to Dennis Tan for the virus analysis.
