Sophos Cloud Optix
With the Olympic games in Beijing a little over a month away, spammers and malware authors are coming up with new campaigns to take advantage of this highly anticipated event. Today, we received a new spam campaign that reports a “new powerful disaster” in China, which threatened to derail the upcoming Olympic games.
A message sample is shown below:
The message claims that an earthquake has just occurred in China, and provides a link to a .cn domain for users to obtain extra information. When a user visits the site, they’re shown the following page:
The message on the site claims that a 9.0 Richter scale earthquake has hit Beijing and caused millions in casualties. To see additional details, a user may open or run the video. With the recent China Earthquake in Szchuen still fresh in people’s memory, many would open the file without a second thought. Unfortunately, instead of an online video as it appears to be, opening the link will actually execute the .exe file beijing.exe. Needless to say, the file contains malware and delivers a malicious payload.
Looking into this campaign, the .cn domains linked by the spam messages are likely part of a botnet. Each query to the nameservers for these domains returns a different IP address, indicating fast-flux behavior. The domains also serve webpages using the same web server seen in a number of botnet campaigns.
The spam messages for this campaign was blocked automatically as soon as they started to appear. The malware .exe is detected as W32/Nuwar-E.