Softpedia
 

May 9th, 2011, 09:50 GMT · By

Osama Home Videos Used to Distribute Scareware

Results for Osama bin Laden home videos poisoned
Security researchers from Kaspersky Lab warn that the recently released Osama home videos are being used as a lure in drive-by download attacks that distribute scareware and trojans.

The attacks are launched from legitimate websites that have been compromised by exploiting a vulnerability in the nginx Web server.

The buffer underflow vulnerability, identified as CVE-2009-2629, dates back to 2009 and has been patched in versions 0.6.39, 0.7.62 and 0.8.15.

It allows attackers to execute arbitrary code by sending maliciously crafted HTTPS requests to the vulnerable server.
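For administrators checking their own servers, the following added example (not part of the original article or of Kaspersky Lab's research) classifies nginx version banners against the fixed releases listed above. The host names and banners are constructed sample data, and the function names are illustrative.

```python
import re

# Fixed releases per branch, as listed in the article for CVE-2009-2629.
FIXED = {(0, 6): 39, (0, 7): 62, (0, 8): 15}

# Matches both a "Server:" response header and the output of `nginx -v`.
_VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")


def classify(banner):
    """Return 'vulnerable', 'patched', 'unlisted' or 'unknown' for a banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        return "unknown"      # version hidden (server_tokens off) or not nginx
    major, minor, patch = map(int, m.groups())
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if patch >= FIXED[branch] else "vulnerable"
    if branch > max(FIXED):
        return "patched"      # branches newer than 0.8 were released after the fix
    return "unlisted"         # older branch: the article names no fixed release


def audit(inventory):
    """Map each host to its classification, given a dict of host -> banner."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hosts and banners are made up for illustration).
SAMPLE = {
    "web1.example": "Server: nginx/0.7.61",
    "web2.example": "Server: nginx/0.7.62",
    "web3.example": "nginx version: nginx/0.8.15",
    "web4.example": "Server: nginx/0.6.38",
    "web5.example": "Server: nginx/0.5.37",
    "web6.example": "Server: nginx",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host:15} {status}")
```

A banner only reports the upstream version number: distribution packages may carry a backported fix under an older version string, so a "vulnerable" result should be confirmed against the package changelog.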

The compromised websites are injected with code advertising Osama bin Laden's home videos that were released by US officials.

The pages are then used to poison search results related to this topic on Google Images in what is known as a black hat SEO campaign.

Visitors landing on these infected pages are redirected to a malicious website hosted on a .cc domain that launches an exploit for the Windows XP Help and Support Center vulnerability (CVE-2010-1885).

The exploit payload includes a fake antivirus program from the XP Anti-Spyware family, which tries to convince users to buy a license, and also a trojan.

Known as Trojan-Downloader.Win32.CodecPack, the second piece of malware is part of an advertising botnet called Artro.

In light of such attacks capitalizing on people's interest in Osama bin Laden-related topics, security researchers warn users to only obtain their news and related footage from trusted sources.

Keeping all of their software, as well as the antivirus program and operating system, up to date is critical in preventing drive-by downloads.

According to Kaspersky Lab expert Dmitry Bestuzhev, despite this attack serving Windows malware, the people responsible also try to monetize traffic from other operating systems. For example, Mac users are being redirected to an adult website.
