Date: 17 March 2009

...well maybe not, but it can seem that way for the latest runs of the Waledac trojan. The spam messages seeding the trojan start out very generic, neither geographically nor otherwise specific, e.g.:
Subject: What a tragedy!
From: "Sammy" <xsshiba@futterhaus.de>
Date: Mon, 16 Mar 2009 01:46:59 +0200
To: <matthew@auscert.org.au>

Are you fine? http://vwgyrd [dot] yourbreakingnew [dot] com/news.php
and
Subject: I hope everything ok with you
From: "Martin" <bilgi@wnco.com>
Date: Sun, 15 Mar 2009 17:22:17 -0500 (Mon 08:22 EST)
To: matthew@auscert.org.au

It's awful!! http://grf [dot] breakingfreemichigan [dot] com/main.php
This returned a page with a title of "Reuters-Australia: Terror attack in Brisbane" and content of:
Powerful explosion burst in Brisbane this morning.
At least 12 people have been killed and more than 40 wounded in a bomb blast near market in Brisbane. Authorities suggested that explosion was caused by "dirty" bomb. Police said the bomb was detonated from close by using electric cables.
"It was awful" said the eyewitness about blast that he heard from his shop. "It made the floor shake. So many people were running" Until now there has been no claim of responsibility.
I thought this was a little unusual in that the authors of the site seemed to take the time to personalise the content to where I was browsing from and yet the original spam message made no reference to Brisbane.
A quick check from some accounts in the Netherlands and the USA returned slightly different content as per the images shown.
Trojan writers have been using GeoIP tools for a while to track infections. Using GeoIP as an enhanced social engineering trick, and coupling it with a good hook about a "dirty bomb", is an interesting step. It also means that fetching a lure URL once from an analysis box only shows you the version served to that box's location. Mind you, this approach isn't new for the Waledac trojan: it was used in the coupon campaign.
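To make the mechanism concrete, the following is an added example (not code from the Waledac authors, from AusCERT, or from this post) that simulates a GeoIP-keyed lure page and the check used above, fetching the same URL from several vantage points and comparing what comes back. The GeoIP table uses RFC 5737 documentation prefixes and an assumed city mapping, and the templates are modelled on the page content quoted above; none of it is real Waledac infrastructure.

```python
"""Simulate a GeoIP-localised lure page and the vantage-point check that
exposes it. All data below is constructed for illustration."""
import ipaddress
from typing import Callable, Dict, Tuple

Location = Tuple[str, str]  # (city, country)

# Constructed GeoIP table keyed on RFC 5737 documentation prefixes.
# These are NOT real allocations; a lure site would consult a commercial
# GeoIP database with the visitor's real source address.
GEOIP_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), ("Brisbane", "Australia")),
    (ipaddress.ip_network("198.51.100.0/24"), ("Amsterdam", "Netherlands")),
    (ipaddress.ip_network("203.0.113.0/24"), ("New York", "USA")),
]
# Assumed fallback when no prefix matches the visitor.
FALLBACK: Location = ("your city", "World")

# Headline and body templates modelled on the lure page quoted above.
TITLE_TEMPLATE = "Reuters-{country}: Terror attack in {city}"
BODY_TEMPLATE = (
    "Powerful explosion burst in {city} this morning. At least 12 people "
    "have been killed and more than 40 wounded in a bomb blast near market "
    "in {city}."
)


def geoip_lookup(client_ip: str) -> Location:
    """Return (city, country) for the first table prefix containing client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for network, location in GEOIP_TABLE:
        if addr in network:
            return location
    return FALLBACK


def render_lure(client_ip: str) -> Dict[str, str]:
    """What the lure server does: fill the templates for the visitor's location,
    so the same URL reads as local news wherever it is opened from."""
    city, country = geoip_lookup(client_ip)
    return {
        "title": TITLE_TEMPLATE.format(city=city, country=country),
        "body": BODY_TEMPLATE.format(city=city),
    }


def probe_vantage_points(fetch: Callable[[str], Dict[str, str]],
                         vantage_ips: Dict[str, str]) -> Dict[str, str]:
    """Analyst check: request the same page from several source addresses and
    record the title seen from each. `fetch` stands in for an HTTP GET issued
    from that source address; here it is the simulator itself."""
    return {label: fetch(ip)["title"] for label, ip in vantage_ips.items()}


def is_geo_targeted(titles_by_vantage: Dict[str, str]) -> bool:
    """A static news page returns the same title everywhere. More than one
    distinct title for identical requests means the content is being keyed
    on the client's location."""
    return len(set(titles_by_vantage.values())) > 1


if __name__ == "__main__":
    vantage = {"AU": "192.0.2.10", "NL": "198.51.100.7", "US": "203.0.113.42"}
    seen = probe_vantage_points(render_lure, vantage)
    for label, title in seen.items():
        print(f"{label}: {title}")
    print("geo-targeted:", is_geo_targeted(seen))
```

In practice `fetch` is a real HTTP request made through hosts or proxies in different countries, as the post did with accounts in the Netherlands and the USA; a title that changes with the source country, while the request itself is identical, is the tell that the page is localising its lure.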
Matthew