By Gregg Keizer, Computerworld, 12/28/07
Within hours of yesterday's assassination of former Pakistani Prime
Minister Benazir Bhutto, malware makers exploited the breaking news to
dupe users into downloading attack code, security researchers said
Searches for news about Bhutto's killing and the ensuing chaos in
Pakistan listed sites pimping a bogus video coder/decoder (codec),
said analysts at McAfee Inc., Symantec Corp. and WebSense Inc.
For instance, WebSense found such a site simply by using "benazir" to
search on Google. Meanwhile, McAfee quickly located 10 sites hosted on
Blogger.com, Google Inc.'s blog service, that were spreading the fake
The sites use the well-worn tactic of promising a video -- in this
case one of Bhutto's assassination -- but telling Windows users that
they need to install a new high-definition video codec, the program
that decodes the digital data stream, to view the clip. Naturally, the
so-called codec is no such thing, but is instead rigged code that
downloads a variant of the Zlob Trojan horse, a back door that can
infect the compromised PC with a wide range of other malware.
"Even death isn't sacred to some," said Symantec researcher Vikram
Thakur in a post to the company's security response blog.
Other hackers are relying on the news of Bhutto's assassination to
draw users to sites that forgo the codec angle and instead conduct
drive-by attacks, said Rahul Mohandas, a security analyst at McAfee's
Avert Labs unit. "There are a plethora of sites which attempt drive-by
installations when unsuspecting users visit search-engine results for
'Benazir Bhutto,'" said Mohandas in a post to the Avert Labs blog this
morning. "Many of these compromised pages have malicious scripts,
which point to the 3322 domain. These pages contain obfuscated
variants of the MS06-014 exploit, which is perhaps one of the most
popular of all the exploits we see on a daily basis."
MS06-014, issued in April 2006, patched a critical vulnerability in an
ActiveX control that is part of Microsoft Data Access Components
(MDAC), which are packaged with Windows XP and Server 2003.
Shilling bogus codecs is a popular pastime of attackers. The technique
has been used to plant malware on PCs from singer Alicia Keys' MySpace
page, for example, and was the vector used by hackers who went after
Macs last month.