It would appear the folks behind the previous related attacks we have blogged about [1,2] are not bored yet. As Brett highlighted in a previous post [3], these spam runs are accounting for a high volume of email traffic at the moment.

The latest ‘theme’ [4] is only marginally changed from previous. Many of the spam messages masquerade as news alerts (from CNN, Bloomberg, Financial Times and the like).



Clicking on the link in the spam message redirects victims to a compromised web site that hosts the malware, using a variety of filenames (including get_flash_update.exe and news_usama_video.exe). As for previous spam runs, a large number of compromised web sites are being used in this attack. When the victim views the compromised site, the following image is displayed:


The filename may be changing but thankfully the protection is not – messages are being proactively blocked as spam, and the malware itself continues to be proactively detected by Sophos as Mal/EncPk-DA.