May 5th, 2011, 18:38 GMT

US Government Departments Targeted in bin Laden Death-Themed Attack

Government employees targeted via exploit-rigged DOC files
Security researchers warn that many departments in the US government were targeted in an email attack using a bin Laden death theme and distributing malicious .doc files.

The rogue emails bear a subject of "Courier who led U.S. to Osama bin Laden's hideout identified" and carry a simple message reading "to whom it may concern."

The emails have a "Laden's Death.doc" document attached, which, according to researchers from F-Secure, is rigged with an RTF exploit that targets a stack buffer overflow vulnerability (CVE-2010-333) patched by Microsoft last November.

This is not the first time this vulnerability has been targeted. Microsoft warned about similar attacks at the end of December.

In this case, a clean document is also opened in order to avoid raising suspicion. It contains information about Abu Ahmad al-Kuwaiti, the man believed to have led US intelligence agents to Osama bin Laden's location.
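The attachment described above carries a .doc extension but is actually an RTF file, since the exploit lives in the RTF parser. A mail gateway or triage script can catch that mismatch before the file reaches Word by comparing the extension with the container's magic bytes. The following is an added example written for this article, not code from F-Secure or the researchers cited; the sample headers it tests are constructed.

```python
import os

# Magic bytes for the containers a Word attachment may legitimately use.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc (OLE2 compound file)
OOXML_MAGIC = b"PK\x03\x04"                         # .docx/.docm (ZIP container)
RTF_MAGIC = b"{\\rtf"                               # RTF is plain text starting with {\rtf

# Which real container each extension is expected to hold.
EXPECTED_BY_EXT = {
    ".doc": {"ole2"},
    ".docx": {"ooxml"},
    ".docm": {"ooxml"},
    ".rtf": {"rtf"},
}


def classify_document(header: bytes) -> str:
    """Return the actual container type ('ole2', 'ooxml', 'rtf' or 'unknown')
    from the first bytes of a file, regardless of its file name."""
    if header.startswith(OLE2_MAGIC):
        return "ole2"
    if header.startswith(OOXML_MAGIC):
        return "ooxml"
    # RTF readers tolerate a UTF-8 BOM and leading whitespace, so tolerate them too;
    # otherwise a trivially padded file would slip past the check.
    stripped = header.lstrip(b"\xEF\xBB\xBF \t\r\n").lower()
    if stripped.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def attachment_is_suspicious(filename: str, header: bytes) -> bool:
    """True when a Word-type attachment's bytes do not match the container its
    extension claims (e.g. an RTF exploit document renamed to .doc).
    Non-Word extensions are out of scope and return False."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXPECTED_BY_EXT:
        return False
    return classify_document(header) not in EXPECTED_BY_EXT[ext]


def scan_file(path: str) -> bool:
    """Read just enough of a file on disk to run attachment_is_suspicious()."""
    with open(path, "rb") as fh:
        header = fh.read(64)
    return attachment_is_suspicious(os.path.basename(path), header)


if __name__ == "__main__":
    # Constructed sample headers, not bytes from the real attachment.
    samples = {
        "Laden's Death.doc": b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}",  # RTF posing as .doc
        "quarterly.doc": OLE2_MAGIC + b"\x00" * 8,                              # genuine legacy .doc
        "memo.docx": OOXML_MAGIC + b"\x14\x00\x06\x00",                          # genuine OOXML
    }
    for name, header in samples.items():
        verdict = "SUSPICIOUS" if attachment_is_suspicious(name, header) else "ok"
        print(f"{name:20s} {classify_document(header):8s} {verdict}")
```

The check is deliberately narrow: it does not try to decide whether an RTF file is malicious, only whether the attachment is lying about what it is, which is a cheap and low-false-positive signal for the attack pattern this article describes.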

According to independent security researcher Mila Parkour, the rogue email messages were sent to many targets in the US Government on Wednesday.

If exploitation is successful, the shellcode installs a variant of the Protux trojan. Microsoft describes Protux as a trojan backdoor which allows remote access and control.

The F-Secure researchers say the malware installs itself as dhcpsrv.dll under c:\windows\system32\ and attempts to hijack the DHCP service by making registry modifications.
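The persistence described here, a DLL planted in System32 and the DHCP service repointed at it through the registry, is something a defender can audit directly. The script below is an added example for this article, not F-Secure's or Microsoft's code. The article does not name the registry value the malware changed; the check assumes the standard `ServiceDll` value under the Dhcp service's `Parameters` key, and assumes `dhcpcore.dll` (Vista and later) or `dhcpcsvc.dll` (XP/2003) as the legitimate host DLL. The verdict logic is kept separate from the registry read so it can be exercised offline with constructed values.

```python
import ntpath
import os
import sys
from typing import Optional

# Assumption: standard ServiceDll location for the DHCP client service.
# The article does not state which key the backdoor modified.
SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\Dhcp\Parameters"

# Assumption: the DLLs Windows itself uses to host the DHCP client service.
EXPECTED_DLLS = {"dhcpcore.dll", "dhcpcsvc.dll"}

# File name the article attributes to the Protux variant.
SUSPECT_DLL = "dhcpsrv.dll"


def evaluate_servicedll(value: Optional[str]) -> str:
    """Classify a ServiceDll value as 'ok', 'hijacked' or 'unexpected'.

    'hijacked'   - points at the DLL name named in the article
    'ok'         - a known host DLL living under a system32 directory
    'unexpected' - anything else (missing value, unknown DLL, odd location)
    """
    if not value:
        return "unexpected"
    # ntpath is used explicitly so %SystemRoot% and backslashes are handled
    # the same way whether this runs on Windows or is tested elsewhere.
    expanded = ntpath.expandvars(value)
    name = ntpath.basename(expanded).lower()
    directory = ntpath.dirname(expanded).lower()
    if name == SUSPECT_DLL:
        return "hijacked"
    if name in EXPECTED_DLLS and directory.endswith("system32"):
        return "ok"
    return "unexpected"


def read_servicedll() -> Optional[str]:
    """Read the live ServiceDll value on Windows; None elsewhere or if absent."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICE_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "ServiceDll")
            return value
    except OSError:
        return None


def suspect_file_present() -> bool:
    """Check for the planted DLL in System32 (False on non-Windows hosts)."""
    system_root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.isfile(os.path.join(system_root, "System32", SUSPECT_DLL))


if __name__ == "__main__":
    live = read_servicedll()
    print(f"ServiceDll = {live!r} -> {evaluate_servicedll(live)}")
    print(f"{SUSPECT_DLL} in System32: {suspect_file_present()}")
```

On a clean host the first line should report `ok`; `hijacked` or `unexpected` is a prompt to pull the referenced DLL for analysis and to compare the key against a known-good baseline, since a backdoor installed this way is loaded by a trusted service host rather than as its own process.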

DNS hijacking is a technique that can be used by attackers to easily redirect legitimate traffic and information to a server under their own control.

In addition, the backdoor can download and install other malware, send data back to remote servers, and act as a proxy server through which attackers can connect.

The decoded and unpacked version of the trojan has a 42% AV detection rate according to Virus Total at the time of writing this article.

Users are strongly advised not to open unsolicited files, such as documents, archives or executables, sent to them via email. However, if opening such a file cannot be avoided, scanning it on Virus Total first can give an indication of whether or not it is infected.
