Boston Marathon Bombing Used in Malicious Spam Campaign

Contributor: Christopher Mendes

On the afternoon of April 15, 2013, just when many people were on the cusp of conquering another personal milestone by completing the Boston Marathon, they were hit hard by an act of cowardice. Two bombs struck near the finish line of the Marathon on Monday. Within hours of the bomb blast, large malware-laden spam emails started doing the rounds.

Symantec customers are protected from this attack. Symantec blocks the attack by multi-level detection using Antispam, Intrusion Prevention System technology (IPS), and antivirus (AV). The AV detects the downloaded file as Packed.Generic.402. IPS detects the attack as Web Attack: Red Exploit Kit Website.

The spam email is very simple. The message body contains either a link to [REMOVED]/news.html or [REMOVED]/boston.html.

BostonFig1.png

Figure 1. Examples of spam emails

Clicking the link opens up a compromised Web page as shown in Figure 2. The Web page shows a series of videos of the attack site. There is an unloaded video at the bottom of the Web page that leads to the Red Exploit Kit which exploits various vulnerabilities on the user’s computer. Once an exploit has been successful, the user sees a popup asking them to download the file boston.avi_______.exe.

BostonFig2.png

Figure 2. Compromised Web page

The spam email messages may have the following subject lines:

  • Subject: 2 Explosions at Boston Marathon
  • Subject: Explosion at Boston Marathon
  • Subject: Explosion at the Boston Marathon
  • Subject: Boston Explosion Caught on Video
  • Subject: Boston attack Aftermath
  • Subject: Boston Aftermath

BostonFig3_0.png

Figure 3. Boston marathon spam email volume

The spammers’ intention is not to share videos or information regarding the bomb blast but to exploit a terrible tragedy to spread malware.

Don’t fall prey to such despicable acts! Symantec recommends users not to click on suspicious links in email messages and to update security software frequently.