A bomb went off in your city

Mar 16, 2009 11:47 GMT  ·  By

Security researchers from anti-virus vendor Sophos warn that the creator of the Waled family of malware has released a new spam campaign that lures users with claims of local breaking news. The scheme is particularly interesting because the lure adapts itself to the geographic location of the recipient's IP address.

The subjects of the spam e-mails vary, but go along the lines of "Take Care!", "Are you and your friends in good health?", "At least 18 killed in your city," "I hope you are not in the city now," etc. The messages contain a malicious link masquerading as a Reuters news page.

"Powerful explosion burst in [city] this morning," the article title reads, where [city] is filled in from a lookup of the visitor's IP address. The page displays a fake embedded video that, when clicked, prompts the download of the malware installer, identified as Mal/WaledPak-E by Sophos. The executable is passed off as a video codec required to play the clip.

"At least 12 people have been killed and more than 40 wounded in a bomb blast near market in [city]. Authorities suggested that explosion was caused by 'dirty' bomb. Police said that bomb was detonated from close by using electric cables. 'It was awful' said the eyewitness about blast that he heard from his shop," continues the accompanying text, which has clearly not been written by a Reuters reporter.

"Just like it did in the past, the campaign exploits the 'breaking news' theme in order to make you follow the malicious link," Dmitry Samosseiko, malware analyst at SophosLabs Canada, warns. The Waled creators have always been good at inventing attractive news stories regarding popular events.

In January, we reported on a Waled spam campaign claiming that Barack Obama had decided not to go forward with being sworn in as President of the United States. With Inauguration Day approaching, the story was bound to attract attention at the time. To make the scheme more believable, the cybercrooks also built a fairly convincing replica of Obama's official blog.

Worms from the Waled family send copies of themselves by e-mail directly from infected computers, using their own built-in SMTP engine rather than the victim's mail client. They also contact remote servers over HTTP in order to receive updated instructions from their creators.
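Two defender-side checks follow from the description above: the lure can be spotted in mail by its subject lines and by a link whose visible text claims to be Reuters while pointing elsewhere, and a worm that ships its own SMTP engine can be spotted on the network as a workstation talking to TCP port 25 directly instead of through the sanctioned mail relay. The script below is an added example, not code from the article or from Sophos; the message samples, flow records, hostnames (`.invalid` domains) and addresses in it are constructed for illustration, and the registrable-domain helper is a deliberate two-label simplification rather than a public-suffix lookup.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject lines quoted in the article, lower-cased for exact matching.
LURE_SUBJECTS = (
    "take care!",
    "are you and your friends in good health?",
    "at least 18 killed in your city",
    "i hope you are not in the city now",
)
# The campaign dresses its link up as a Reuters page.
IMPERSONATED_DOMAINS = ("reuters.com",)
# The fake page pushes the installer as a "codec"; flag direct executable links.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif")


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Simplified 'last two labels' approximation of the registrable domain (assumption: no PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_message(subject, html_body):
    """Return the campaign indicators found in one e-mail, in the order detected."""
    findings = []
    if subject.strip().lower() in LURE_SUBJECTS:
        findings.append("lure-subject")
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        parsed = urlparse(href)
        target = registered_domain(parsed.hostname or "")
        text_l = text.lower()
        # Anchor text name-drops a news brand but the real target is another domain.
        for brand in IMPERSONATED_DOMAINS:
            if brand.split(".")[0] in text_l and target != brand:
                findings.append("brand-impersonation:" + target)
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append("executable-download:" + parsed.path.rsplit("/", 1)[-1])
    return findings


def rogue_smtp_sources(flow_records, mail_relays):
    """Internal hosts sending to TCP/25 that are not the sanctioned relays (own SMTP engine)."""
    rogue = set()
    for rec in flow_records:
        src = rec["src"]
        if rec["dport"] == 25 and ipaddress.ip_address(src).is_private and src not in mail_relays:
            rogue.add(src)
    return sorted(rogue)


# Constructed samples: not real campaign captures.
SAMPLE_MESSAGES = [
    {"subject": "At least 18 killed in your city",
     "body": '<p>Read more: <a href="http://example-news-mirror.invalid/reuters/breaking.html">'
             'www.reuters.com/article/breaking</a></p>'},
    {"subject": "Quarterly figures attached",
     "body": '<p>See <a href="https://www.reuters.com/markets">Reuters markets</a></p>'},
    {"subject": "I hope you are not in the city now",
     "body": '<p><a href="http://video-host.invalid/flash_codec.exe">Watch the video</a></p>'},
]
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 25},   # workstation, direct SMTP
    {"src": "10.0.0.25", "dst": "203.0.113.10", "dport": 25},  # sanctioned mail relay
    {"src": "10.0.0.5", "dst": "203.0.113.20", "dport": 80},   # ordinary web traffic
    {"src": "10.0.0.7", "dst": "198.51.100.9", "dport": 25},   # second workstation
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", analyze_message(msg["subject"], msg["body"]))
    print("rogue SMTP sources:", rogue_smtp_sources(SAMPLE_FLOWS, {"10.0.0.25"}))
```

Neither check is decisive on its own: a legitimate newsletter can mention Reuters while linking to a tracking domain, and a misconfigured host can speak SMTP directly. Together with the Sophos detection name (Mal/WaledPak-E) they give a mail team and a network team one concrete artefact each to hunt for.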

[Photo gallery, 2 images: "Waled worm launches bomb-themed spam campaign"; "Sample of the fake Reuters news page"]