Trojans use Bin Laden's Death, Royal Wedding To Dupe The Unsuspecting
According to Fabio Assolini, a lab expert with Kaspersky, poisoned search results purporting to show bin Laden's corpse began appearing in Google Image results within hours of the formal announcement. Clicking on such an image sends the user to a hostile domain where the much-loved "Antivirus XP" (currently billing itself as Best Antivirus 2011) pops up and attempts to convince users that they've contracted a virus. The other major vector is Flash-based and a bit more subtle. Instead of attempting to lure the user into an anti-virus scan, it shows a broken video window and claims that a necessary plugin must be updated or installed. Users who then click are handed XvidSetup.exe, a seemingly legitimate file that installs an adware trojan known as hotbar.
Google Image search. The lower-left-hand result isn't just Photoshopped--it's infected.
Kaspersky Labs also reports that bin Laden-themed trojans are spreading on Facebook via the 'Like' button, with promises of free food, plane tickets, or a donkey. Multiple users spam pages with a URL redirect claiming such goodies are a click away, but provide a TinyURL address that bounces users from page to page until they register an email address and eventually pay money.
These unsophisticated social attacks work because they take advantage of a user's sense of security. This is doubly true on Facebook, where people are used to seeing short messages from their friends that link to all manner of games, photos, or random statements. Under such circumstances it's not surprising that a number of otherwise-savvy computer users are willing to click on malicious links and follow the trail. These abuses are effective precisely because they exploit our curiosity regarding the macabre and our willingness to trust people we consider friends--even by minimal Facebook standards.
On a positive note, it doesn't seem as though the malware programs are anything new. The trojans in question are hotbar (an adware tool) and Trojan.Win32.FakeAV.cvoo. Both of these are already detectable (though hotbar is only picked up on 19 of the 41 engines available at VirusTotal.com). We recommend readers steer well clear of Google Image and Facebook groups on either topic, and pass the word to friends/relatives to do the same.