Hackers are attempting to infect computers by disguising their attack as a news report claiming that the US has invaded Iran, says Brett Myroff, CEO of regional Sophos distributor, Sophos South Africa.
"Widely spammed out e-mails with subject lines including 'Third World War has begun', '20 000 US Soldiers in Iran', and 'US Army crossed Iran's borders' have been intercepted by Sophos," says Myroff. "The e-mails contain links to a malicious Web page that displays what appears to be a video player showing the mushroom cloud of a nuclear explosion."
Myroff says the following text appears beneath the video player: "Just now US Army's Delta Force and US Air Force have invaded Iran. Approximately 20 000 soldiers crossed the border into Iran and broke down the Iran's Army resistance. The video made by US soldier was made today morning. Click on the video to see the first minutes of the beginning of World War III. God save us."
The Web site pretends to contain a video showing US soldiers fighting in Iran, explains Myroff.
"However, users visiting the Web page and clicking on the 'video player' run the risk of being infected by a Trojan horse, designed to compromise their computer," he says. "Sophos detects the malware hiding behind the fake video as Troj/Tibs-UO and a malicious JavaScript hidden on the Web site as Mal/ObfJS-AY."
Don't go there
"Receiving or reading the e-mails themselves does not mean you are infected - but visiting the link contained in them, or trying to watch the video, is definitely a bad idea. Once your computer is under the control of hackers, they could steal your personal information to commit identity theft, or use your PC to spam out junk mail to millions of people around the world," says Myroff.
"Hackers are taking advantage of the fact that many people today get their fix for breaking news via the Internet. People, especially those with loved ones in the Middle East, may rush to watch the video without engaging their common sense. Everyone should ensure they keep their anti-virus protection up-to-date and never follow links in unsolicited e-mail messages."
Sophos experts note this is not the first time hackers have exploited news about rising tensions between Iran and the West, says Myroff. "In 2005, a widespread spam campaign pretended to be a link to news about the controversial decision by Iran to continue work at a nuclear plant, but was really an attempt to infect users with a Trojan horse."
The year before, he says, the Cycle worm dropped a message complaining that European governments were supporting the regime in Tehran, because of the war in neighbouring Iraq.
According to Myroff, this week's line-up of low to medium prevalence Trojans affecting Windows users includes:
Troj/Agent-HFH
Troj/Agent-HFI
Troj/BHO-GC
Troj/Bckdr-QOG
Troj/Dwnldr-HFE
Troj/Mdrop-BTU
Troj/Zlob-AMF
Troj/Agent-HFF
Troj/Agent-HFG
Troj/Bckdr-QOF