While most people are enjoying a long weekend off, others are busy hacking websites, writing malware, sending spam and monitoring the progress of their growing Botnet(s).
Microsoft has hardly announced Windows 8 and the first cyber-criminals are already on top of it. Below a copy of a curious email that is being spammed over the “Ascension holiday/weekend”:
From: Microsoft.com [mailto:firstname.lastname@example.org]
Send on: Wednesday 1 June 2011 21:40
Subject: Windows 8 released.
Microsoft R Corporation is proud to announce the latest and the best
operating system available yet. For more details, click here
When clicking on the link, a file called “8final.gif.exe” is downloaded from a hacked website.
File length: 1136678 bytes.
MD5 hash: b3babe1040d10ab4cbbc62ee2d986f85.
SHA1 hash: 096d5248144240097bc4eb398301a4d355713a09
Depending on your view settings you might not be able to see the second file extension (.exe)
The website (http://ed???ormer.com) which hosts the malware is an educational interest organization, which has unfortunately been compromised by criminals.
This malware is not installed by itself. You have to click on the download link AND double click the downloaded file to be able to infect yourself. One picture is shown you while in the background the malware is installed and started.
The currently downloaded malware is a Trojan which installs an IRC Backdoor which can be used to flood IRC channels. It talks to hxxp://irc.darkbit.info and sets up a connection to 18.104.22.168 and 22.214.171.124 on port 6667.
By adding itself to the Run section of HKLM\Software\Microsoft\Windows\CurrentVersion the malware will automatically load itself when restarted.
This malware was first reported on June the 1st around 10:50 (UTC) and was still available while writing this. More spam and malware will be using the upcoming Windows 8 to lure you into their net.
Don’t fall for this type of spam. Do not open suspicious emails and/or links. Keep your computer up-to-date and use common sense.
For more technical details see the Threat Expert Report: b3babe1040d10ab4cbbc62ee2d986f85
- Lucky H