
KELIHOS Worm Capitalizes On The Boston Bombing Incident


The Boston bombing was truly a sad day for the capital of Massachusetts, and it showed how inhuman some people can be. What is even more disgusting is that others try to capitalize on the event. Among them are the makers of the KELIHOS worm, which, according to TrendLabs, began circulating online in the wake of the Boston incident.

Originally, the KELIHOS worm was thought to be an attack that used the Blackhole Exploit Kit, a program that delivers a malicious payload to an unsuspecting user's computer. However, the Trend Micro blog later reported that, on analysis of the malicious program, it does not actually employ the Blackhole Exploit Kit. The blog added that it does make use of a series of exploits numbering more than 9,000.

According to TrendLabs, the campaign spams you with messages that appear to be related to the Boston blast. In reality, the messages contain links to sites packed with various malware. Some of the subject lines the attackers use to pique the attention of unsuspecting victims, as mentioned by the news source, are "Video of Explosion at the Boston Marathon 2013", "2 Explosions at Boston Marathon", "Boston Explosion Caught on Video", "Aftermath to Explosion at Boston Marathon" and many other variants.

First, you receive a message with a link promising exclusive scoops on the event. Once you click it, a video that appears to be from YouTube is shown. However, if you look at your download bar, the page is actually downloading an executable file containing the WORM_KELIHOS malware.

The investigation conducted by Aisa Escober, Threat Response Engineer at Trend Micro, led her to IP addresses in several countries, including Russia, Japan, Ukraine, Australia, Argentina, Taiwan and the Netherlands. The investigator noticed several links with the same characteristics; the only differences between the files were the filename, the icon and the subject line.

Escober's analysis revealed that the worm can effectively hide itself in your removable drive's directories. It then replaces the folders with files bearing the .LNK (shortcut) extension, so the malware is activated whenever you try to open one of the folders on the drive.
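A defensive check for the folder-to-shortcut behaviour described above, added here as an example and not taken from the Trend Micro analysis: it flags folders on a drive that have been hidden and shadowed by a same-named .LNK file, plus any hidden executables sitting beside them. The `Entry` record, the `SAMPLE_DRIVE` listing and the filenames in it are constructed for illustration.

```python
"""Audit a (removable) drive listing for the hidden-folder / .LNK masquerade pattern."""
import os
import stat
from dataclasses import dataclass

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


@dataclass(frozen=True)
class Entry:
    """Minimal view of a directory entry: name, whether it is a folder, and its hidden flag."""
    name: str
    is_dir: bool
    hidden: bool


def scan_directory(path: str) -> list[Entry]:
    """Build Entry records from a real directory (uses the Windows hidden attribute when present)."""
    hidden_flag = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    entries = []
    for e in os.scandir(path):
        st = e.stat(follow_symlinks=False)
        attrs = getattr(st, "st_file_attributes", 0)  # only populated on Windows
        hidden = bool(attrs & hidden_flag) or e.name.startswith(".")
        entries.append(Entry(e.name, e.is_dir(follow_symlinks=False), hidden))
    return entries


def find_lnk_masquerade(entries: list[Entry]) -> list[str]:
    """Return .LNK files whose base name matches a hidden folder in the same listing."""
    hidden_dirs = {e.name.lower() for e in entries if e.is_dir and e.hidden}
    hits = []
    for e in entries:
        base, ext = os.path.splitext(e.name)
        if not e.is_dir and ext.lower() == ".lnk" and base.lower() in hidden_dirs:
            hits.append(e.name)
    return sorted(hits)


def hidden_executables(entries: list[Entry]) -> list[str]:
    """Return hidden files with an executable extension; these are the likely worm payload."""
    return sorted(e.name for e in entries
                  if not e.is_dir and e.hidden and os.path.splitext(e.name)[1].lower() in EXECUTABLE_EXTS)


def audit(entries: list[Entry]) -> dict[str, list[str]]:
    """Combine both checks into one report suitable for logging or alerting."""
    return {"shadowed_folders": find_lnk_masquerade(entries),
            "hidden_executables": hidden_executables(entries)}


# Constructed sample listing of an infected drive root (names are illustrative only).
SAMPLE_DRIVE = [
    Entry("Photos", True, True), Entry("Photos.lnk", False, False),
    Entry("Work", True, True), Entry("Work.lnk", False, False),
    Entry("Music", True, False), Entry("Music.lnk", False, False),  # visible folder: benign shortcut
    Entry("report.docx", False, False), Entry("marathon_video.exe", False, True),
]
```

Run `audit(scan_directory("E:\\"))` on a mounted drive to apply the same checks to real contents.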

Based on the number of hits on the malicious URLs, the U.S. accounts for the largest share, probably because the incident was a matter of national interest there.

So, what happens once you are infected? Trend Micro said that the Boston bombing worm can steal all the credentials for the file transfer protocol (FTP) services you use. Next, it collects the details of your email contacts from your local drive. On top of these, the worm has the capability to drain your Bitcoin wallet, if you are a user of the virtual currency.

Cybercriminals usually take advantage of trending or newsworthy issues to spread their work. One example was the election of Jorge Mario Bergoglio, better known as Pope Francis, to the highest position in the Roman Catholic Church. They also use the names of famous celebrities, such as Emma Watson (which we featured in an earlier post), to drive fans to websites rigged with malicious programs.

Source: Trend Micro blog