Spam Mails Using Japan Tragedy to Push Malevolent Excel Attachments

The multitude of tragic events in Japan seemingly is the latest cause of enormous types of Internet frauds. One such fraud involves spam mails that have .XLS files attached while carrying malicious Flash components. Help Net Security published this on March 24, 2011.

Using the caption, "Japan Nuclear Radiation Leakage and Vulnerability Analysis," the spam mails reportedly purport to be from the Nuclear Security and Incident Response Office attached to the United States Nuclear Regulatory Commission.

Unfortunately, recipients who open the Excel file find a blank Excel document, which triggers an attack code through a Flash component. This Flash component runs active via performing a buffer overflow having a few shell-codes.

One of these shell-codes merely installs as well as transfers execution onto another, implanted on the .XLS file. This other shell-code takes care of decoding as well as running an .exe file that too is implanted on the .XLS file. Meanwhile, the Flash component creates another Flash component, which it installs.

This 2nd Flash component acts as the primary attack code within the malware that abuses the CVE-2011-0609 vulnerability for running the shell-code within the buffer overflow. End-users normally identify this Flash component as Exploit.CVE-2011-0609.A.

Significantly, the primary attack code is pushed like this so that detection can be avoided. Since it's uploaded to the computer's memory, there isn't any file that an anti-virus program can scan. Implanting the Flash component, which installs the primary attack code within an .XLS file, is possibly an effort for camouflaging the assault further.

In the meantime, considering that the Fukushima reactor's diffusion is a cause of anxiety for the general public, it indeed works effectively to entice un-savvy Internet users.

Stated security researchers at F-Secure, the spammers thought that the attack code should be so pushed that it would bypass detection, adding that since the exploit was installed in memory, there wasn't any file that an anti-virus product could scan. Help Net Security reported this on March 24, 2011.

Nevertheless, Adobe, on March 21, 2011, released a patch for the security flaw; therefore, it's recommended that users should make their Flash Player up-to-date.

Related article: Spam Scam Bags a Scottish Connection

» SPAMfighter News - 4/4/2011