Websense Security Labs ThreatSeeker Network has discovered a new, malicious social-engineering
November 2008 by Websense
Websense Security Labs ThreatSeeker Network has discovered a new, malicious social-engineering spam campaign that is disguised as an official email sent from Google’s Web 2.0 social networking site, Orkut. This campaign is another attempt by spammers to profit from popular Web 2.0 services. A spoofed personal message, in Portuguese, is sent from a user allegedly on the Orkut network seeking love. This campaign continues a previous attempt to target Orkut. We issued an alert about the previous attempt last week.
The message contains several links that appear to lead to the official Orkut Web site. Clicking on a link actually leads to a malicious executable file, which is a Trojan Downloader named "imagem.exe" (SHA1: 6862b862877e5cb9f2180cc53ee4338977bc0efb). The malicious file opens the legitimate Orkut network login page, and in the background downloads a password stealing Trojan named "msn.exe" (SHA1: eee7ea71e6ce023fb9000ed75854a8cfd1fafe63). "msn.exe" is copied to various system locations, using different names: "plugin.exe","kss.exe." These copies are bound to the system’s start up.
The Trojans in this attack are hosted on a compromised labor union Web site from southern Brazil. This continues the trend of malcode hosted on compromised Web sites.
Websense Messaging and Websense Web Security customers are protected against this attack.