Sick malware authors exploit Boston Marathon bombing with Trojan attack


With sick inevitability, cybercriminals have exploited interest in the breaking news story of the explosions at the Boston Marathon by spreading malware.

Messages spammed out by attackers claim to contain a link to video footage of Monday's terrorist activity in Boston, with subject lines such as "2 Explosions at Boston Marathon".

Malicious email about Boston Marathon bombing

Other subject lines used in the campaign include:

  • Aftermath to explosion at Boston Marathon
  • Boston Explosion Caught on Video
  • Video of Explosion at the Boston Marathon 2013

It's no surprise to see that the links used in the malicious email can vary - no doubt in an attempt to avoid rudimentary email filtering - but they all appear to be based in Ukraine and Latvia.
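Because the links vary, a mail filter for this campaign has to key on the subject lines listed above rather than on any one URL. The following is an added example, not code from Sophos or from the original article: it normalises the subject header, matches it against the quoted subject lines, and separately flags links whose host is a bare IP address (a trait a reader reports in the comments on this page). The verdict names, function names and sample messages are assumptions made for illustration.

```python
import email
import ipaddress
import re
from email.header import decode_header, make_header
from urllib.parse import urlsplit

# Subject lines quoted in the article, stored lower-cased for comparison.
CAMPAIGN_SUBJECTS = {
    "2 explosions at boston marathon",
    "aftermath to explosion at boston marathon",
    "boston explosion caught on video",
    "video of explosion at the boston marathon 2013",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def normalise_subject(raw):
    """Decode RFC 2047 encoded words, drop Re:/Fw: prefixes, fold case and spaces."""
    text = str(make_header(decode_header(raw or "")))
    text = re.sub(r"^\s*((re|fwd?)\s*:\s*)+", "", text, flags=re.IGNORECASE)
    return " ".join(text.lower().split())

def ip_literal_links(msg):
    """Return links found in text parts whose host is an IP address, not a name."""
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            # latin-1 never fails to decode and leaves ASCII URLs intact
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            for url in URL_RE.findall(body):
                try:
                    ipaddress.ip_address(urlsplit(url).hostname or "")
                except ValueError:
                    continue  # host is a domain name or the URL is malformed
                hits.append(url)
    return hits

def triage(raw_message):
    """Return (verdict, ip_links); verdict is 'quarantine', 'review' or 'pass'."""
    msg = email.message_from_string(raw_message)
    subject_hit = normalise_subject(msg["Subject"]) in CAMPAIGN_SUBJECTS
    links = ip_literal_links(msg)
    if subject_hit and links:
        return "quarantine", links
    return ("review" if subject_hit else "pass"), links

# Constructed sample messages; 192.0.2.0/24 is a reserved documentation range.
LURE = ("From: sender@example.test\nSubject: =?utf-8?q?Boston_Explosion_"
        "Caught_on_Video?=\n\nhttp://192.0.2.10/clip\n")
NEWS = "Subject: Marathon road closures\n\nhttps://news.example.test/boston\n"

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("news", NEWS)):
        print(name, triage(raw))
```

A subject match on its own is only marked for review, since legitimate news mail may reuse the same wording.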

If you make the mistake of clicking on the link, however, you are taken to a website which - while showing you genuine YouTube videos of the horrific incident - attempts to infect your computer with a Windows Trojan horse that Sophos products detect as Troj/Tepfer-Q.

Malicious website

If installed, the malware makes changes to the Registry and installs the following files, allowing hackers to gain remote access to infected computers:


The file NPF.sys is registered as a new service named "NPF", with a display name of "WinPcap Packet Driver (NPF)".

Clearly, there are no depths to which cybercriminals are not prepared to stoop in their hunt for victims.

The sick truth is that malware authors and malicious hackers lose no sleep about exploiting the deaths of innocent people in their attempt to infect computers for the purposes of stealing money, resources and identities.

Remember to be on your guard against such tactics. Maybe it's time to get your news from legitimate news websites rather than an unsolicited email which arrives in your inbox?

Thanks to Julie Yeates and Hajnalka Kópé of SophosLabs for their assistance with this article.


10 Responses to Sick malware authors exploit Boston Marathon bombing with Trojan attack

  1. sick · 905 days ago

    OK, so these ways of spreading malware are more than obnoxious. But when reading this article I get the feeling that the author is more interested in demonstrating how horrible he feels the method used to spread malware is than actually reporting on the issue that a security blog should focus on.

    Any info on percentages of infected machines, domains to be blacklisted, e-mail address used to spread malware on so on? I mean, this is a Sophos blog, how about a few pointers on how to remove the malware if infected? Now THAT would be helpful!

    If the point of this article is to conclude that the method used to spread the malware is 'sick', then it almost has no point does it? At least not here...

    And this is not the first (and probably not the last) time that these methods have been described here. Which is fine, I think that people should be aware when cybercriminals exploit major events in this fashion. But it would be nice if you put more effort into reporting the cybercrime aspect of the matter, and less time distancing yourself from the lacking ethics of the people behind the spreading method...

    • The point of the article is to warn you about the malware campaign. It tells you a subject line that is being used (the email addresses that it is sent from can vary) and shows you what a typical example of a malicious email looks like.

      Sophos products have been updated to detect the malware, as described in the article. We haven't had any reports of customers who have had their computers infected - but if there are any, I would recommend contacting our support department for assistance.

      Hope that helps

    • Informative · 905 days ago

      How to remove the malware? Install Sophos and run AV scan. Pretty obvious. Don't you think if they've put an article out on this campaign that they've made detections for it first?

      The article also gave you multiple possible subject lines. That's more than enough to create an alert/block/signature. Also, file names for the malware were also given. You can use that too. Mitigation right there. I guess you were looking for something more? If so? What else do you need?

      I felt the article was very informative and support Sophos in their efforts to remain updated and publish articles on the latest threats.

      • What? · 905 days ago

        Ummm what? There are plenty of virus scanners available. Don't suggest one option over another, just say virus scan generically.

    • Nigel · 905 days ago

      You're complaining that a blog article that reports the method used in the attack happens to express the opinion that it's unethical.


      Perhaps you might be better served by finding a different security blog that is more to your liking...maybe one that you pay to read, or one that doesn't consistently win top honors.

  2. Wiz Feinberg · 905 days ago

    I wrote a related blog article about this last night. While I remained impassionate and technical throughout the body of the article, I did express my strong indignation at the very end. Are normal human beings supposed to act like machines when reporting on terrible events and their aftermath?

    BTW: All of the links I have intercepted are numeric IPs, not domain names. This may change in the near future. In addition to the iframes with videos on the exploit page, there is one more iframe with a Java Applet exploit attack and a 60 second timeout that begins a Trojan file download. These guys really mean business.

  3. marclouis64 · 905 days ago

    I have also seen the virus links posted as comments on Facebook.
    The text included something similar to “SCUM ARAB SAUDI … WATCH THE VIDEO BEFORE IT GETS REMOVED!!”

    I agree with the author, it's worth noting the social engineering used here

    #OpUSA is only a couple of weeks away, wouldn't be surprised if we saw a lot more of this.

  4. James · 905 days ago

    The files listed in this post are in fact WinPcap components that the malware installs on the machine - for instance, on my test machine, I already had WinPcap installed, so it didn't drop those files as they were already present. I don't think they are malicious. The primary component can be found by looking for the autorun registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SonyAgent", which points to the location of the executable (which will be hidden). I ran it from my desktop, so that is where the key pointed.

  5. Nicholas · 905 days ago

    All kinds of sick people try to exploit such attacks, i.e. politicians, hackers and news outlets. Who profits from the fear caused? Those who already have power, like governments, security companies/military & radical groups.


About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley