IT security firm Sophos has warned of a spam campaign that poses as a breaking news report about the death of Russian President, Vladimir Putin, but is actually an attempt by hackers to infect computer users with a Trojan horse.
The spammed emails have the subject line ‘ATTENTION !!! President of Russia has dead’ and encourage users to click on a link for more information.
Embedded in these spammed emails is a hidden script that exploits the ADODB.Stream vulnerability in Internet Explorer to secretly download the malicious Dloadr-ZP Trojan horse from a Russian website. The Trojan horse is designed to download further malicious code which could allow remote hackers to gain unauthorised access to the victim’s computer.
The HTML emails also contain a URL, which pretends to link to a BBC News report. However the user is really directed to another Russian website purporting to be the home of a construction firm which provides heating systems for apartments and advertising training seminars.
“It appears whoever sent this spam is trying to discredit the Russian firm in what we call a ‘joe job’. Users may think that the spam was purely an attempt to drive traffic to the construction company’s products and seminars, whereas in fact hackers are also using the opportunity to try and infect unprotected PCs,” explained Graham Cluley, senior technology consultant for Sophos. “Everyone should protect their computers with security patches, as well as up-to-date and integrated security software which protects against viruses, spyware and spam. Hackers have used bogus breaking news stories in the past to encourage people to open emails, and they’re likely to do so again.”
Sophos’s anti-malware products were automatically updated to protect against the Dloadr-ZP Trojan horse at 05:22 GMT on 12 July 2006.
“Normally, a ‘joe job’ is a spam campaign forged to appear as though it came from an innocent party, with the intention of incriminating or pinning blame onto them,” continued Cluley. “In this case, users wanting to read the news report may think that the emails came from the Russian website that sells seminars and heating systems. In truth, they came from a zombie network of compromised computers around the world, being exploited by the hackers. If users aren’t careful they could find their PCs part of the zombie network as well.”