September 17, 2010

Daniel Covington death spam leading to Rogue AV and Phoenix exploit kit

Ran Qiong

Websense Security Labs™ ThreatSeeker™ Network has detected a new virus spam outbreak following Daniel Covington's death. Websense customers were proactively protected against the malicious code by our Advanced Classification Engine (ACE).

Most popular sports Web sites have reported this news: Daniel Covington, a former Louisville football player, was shot and killed after an altercation in downtown Louisville in the early hours of the morning on Sep 16, 2010. Of course, hackers never miss a chance to extend their criminal activities, and this time Daniel Covington has been their victim.

Let's track their vicious trail. First, they send thousands of spam messages with the subject "Daniel Covington die" to attract people's attention on the Internet.

Screenshot of the email: 


Be careful with the HTML attachment: don't click it, as it hides malicious obfuscated JavaScript code. The obfuscation technique was covered in our previous blog post.


Let's see how evil they are. If a recipient opens the HTML file, they are redirected to two malicious sites. One site hosts rogue AV, and the other one serves a Phoenix exploit kit, a well-known kit used by web attackers.
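The attack chain above (spam message, HTML attachment, obfuscated script, redirect) is a good fit for a simple mail-gateway check. The script below is an added example, not Websense/ACE code or a signature from the original post: it walks an RFC 822 message, pulls out every HTML attachment and scores its `<script>` blocks for the indicators that obfuscated droppers commonly show (decoder APIs such as `unescape`/`eval`, long runs of `%XX`/`\xXX` escapes, high-entropy string literals). The indicator list, thresholds, and the sample message with its hex-escaped harmless string are all constructed for the example.

```python
import email
import email.policy
import math
import re
from collections import Counter
from email.message import EmailMessage

# Indicator list and thresholds are assumptions for this example,
# not Websense/ACE signatures.
OBFUSCATION_APIS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(")
MIN_ESCAPED_RUN = 40   # consecutive %XX or \xXX escapes that look machine-made
HIGH_ENTROPY = 4.5     # bits per character; packed literals tend to sit above this

_SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
_ESCAPED_RUN_RE = re.compile(
    r"(?:%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}){" + str(MIN_ESCAPED_RUN) + ",}")
_LONG_LITERAL_RE = re.compile(r"""["']([^"']{64,})["']""")


def shannon_entropy(data: str) -> float:
    """Bits per character of a string (0.0 for an empty string)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def script_blocks(html: str) -> list[str]:
    """Return the body of every <script>...</script> block, case-insensitively."""
    return _SCRIPT_RE.findall(html)


def score_html(html: str) -> dict:
    """Score one HTML document for obfuscated-script indicators."""
    hits = {"scripts": 0, "apis": set(), "escaped_runs": 0, "max_entropy": 0.0}
    for body in script_blocks(html):
        hits["scripts"] += 1
        hits["apis"].update(api for api in OBFUSCATION_APIS if api in body)
        hits["escaped_runs"] += len(_ESCAPED_RUN_RE.findall(body))
        for literal in _LONG_LITERAL_RE.findall(body):
            hits["max_entropy"] = max(hits["max_entropy"], shannon_entropy(literal))
    hits["apis"] = sorted(hits["apis"])
    # A decoder API alone is common in legitimate pages; require packed data too.
    hits["suspicious"] = bool(hits["apis"]) and (
        hits["escaped_runs"] > 0 or hits["max_entropy"] >= HIGH_ENTROPY)
    return hits


def scan_eml(raw: bytes) -> list[dict]:
    """Parse a raw message and score every text/html attachment it carries."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        if part.get_content_disposition() != "attachment":
            continue
        result = score_html(part.get_content())
        result["filename"] = part.get_filename()
        findings.append(result)
    return findings


# --- constructed sample message (not a real payload) -----------------------
_HARMLESS = "<p>constructed sample text, not a payload</p>"
_ESCAPED = "".join("%%%02X" % b for b in _HARMLESS.encode())   # 45 %XX escapes
CONSTRUCTED_HTML = (
    "<html><body>loading...<script>"
    "document.write(unescape('" + _ESCAPED + "'));"
    "</script></body></html>"
)


def build_constructed_eml() -> bytes:
    """Build a multipart message with a plain body and an HTML attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"       # placeholder addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Daniel Covington die"      # subject line from the campaign
    msg.set_content("See attached.")
    msg.add_attachment(CONSTRUCTED_HTML, subtype="html",
                       filename="Daniel_Covington.html")   # constructed name
    return msg.as_bytes()


CONSTRUCTED_EML = build_constructed_eml()

if __name__ == "__main__":
    for finding in scan_eml(CONSTRUCTED_EML):
        print(finding)
```

The heuristic deliberately requires both a decoder API and packed data before flagging a part, because `document.write` and `unescape` on their own appear in plenty of legitimate HTML; on a real gateway the flagged parts would go to sandbox detonation or quarantine rather than straight to a block.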


"Daniel Covington die" is not the only theme in this campaign. We have also found the virus spam in emails with these subjects:

    * America's Got Talent
    * Cops kill active shooter at Johns Hopkins Hospital
    * Church of Body Modification
    * failure notice
    * Jackie Evancho and Sarah Brightman
    * NFL Picks Week 2
