Pop King Suicide E-Mail Hoax Hides Trojan Horse

A spam campaign that claims that Michael Jackson has attempted suicide is seeking to infect e-mail users with a Trojan horse, SophosLabs said yesterday.

The message text claims, "Last night, while in his Neverland Ranch, Michael Jackson has made a suicidal attempt." When users click on the link they are taken to a Web site which secretly installs malicious code onto their PCs.

Sophos said it has identified hundreds of the spam messages being sent, preying on intense media interest in the trial of the controversial pop star.

"If you click on the link, the Web site displays a message saying it is too busy, which may not surprise people who think it might contain genuine breaking news about Michael Jackson," said Sophos security consultant Carole Theriault. "However, this is a diversionary tactic because behind the scenes, the Web site is downloading malware onto the user's computer without their knowledge."

Playing on Social Interests

Sophos experts have analyzed the downloadable code by clicking on the link, and determined that it then attempts to download another Trojan horse which Sophos detects as Troj/Borobt-Gen.

Ken Dunham, the director of malicious code research at iDefense, a Reston, Va.-based threat intelligence firm, told TechNewsWorld that this is another example of social engineering-based attacks. This strategy plays on the recipient's interest around religion, politics, pornography, sports or some other popular current topic.

"This is a downloader Trojan horse event. That is a technique that we've seen increasingly utilized in the past year. These e-mails are sent out containing a very small code. It is easy to package it so it's initially undetected by anti-virus companies," Dunham said. "That in turn starts a downloader event which installs more malware, which may then install even more code as well."

Tapping Star Power

Sophos notes that this is not the first time that virus writers and hackers have exploited the troubled pop star in attempts to spread their malware. Last October messages were posted on the Internet claiming that incriminating home videos belonging to Jackson had been discovered. But clicking on the link infected Web surfers with the Hackarmy Trojan horse.

"The sick minds behind viruses and other malware often exploit celebrity names and news stories in an attempt to infect as many people as possible," Theriault said. "All computer users should be very careful about clicking on Weblinks in unsolicited e-mail or launching unknown attachments."

Protecting the Network

Experts recommend companies automatically update their corporate virus protection, and filter attachments which may contain malicious code at the e-mail gateway with a consolidated solution to defend against viruses and spam.

"Network administrators should be looking for questionable outbound traffic," Dunham said. "They should have firewalls in place to either block or at least monitor this outbound traffic to identify if there are any suspicious requests being made on certain ports or certain known hostile URL addresses.