Fake shooting scam used in Trojan attack

Earlier this morning SophosLabs noticed a new scam designed to fool users into viewing a web site where they would be hit with a malicious script that installs a spy Trojan. We saw several spam messages alerting users to the supposed shooting of the e-Gold founder, for example:


A variety of domains have been used in the scam. Browsing to each of the domains redirects to a malicious page on another server. This page contains a malicious Javascript which attempts to install a Trojan on the victim’s computer. Fortunately, the malicious script is pro-actively detected as Mal/ObfJS-B. The script attempts to exploit several client-side vulnerabilities in order to download and install a Trojan (click image to enlarge).


The Trojan is detected by runtime HIPs protection as HIPS/FileMod-005:


Specific detection for the Trojan and the files it installs has been added as Troj/Agent-GUJ.

This is yet another example of the attackers using a blend of spam and malicious web sites to infect victims. Such cases provide perfect illustrations of the need for quality security solutions, encompassing anti-spam, web content inspection, URL filtering and runtime protection technologies in addition to ‘plain old’ file scanning.