The Northern Territory is the focus of a new e-mail causing havoc throughout Australia. According to Sophos, Australian organizations need to be aware of malicious spam circulating in Australia which pretends to be from the Bill and Melinda Gates Foundation.
Sophos Asia-Pacific head of technology, Paul Ducklin, said the news quoted in the spam is real, current, and topical.
It has the subject line ‘Life for Life’ and leads with the recent news that the Northern Territory Library has received the 2007 Access to Learning Award from the Bill and Melinda Gates Foundation.
This is true. However, Ducklin said the link inviting you to read more about the award takes you off to an infected Web site in Korea.
Sophos detects the malware downloaded from Korea as Mal/ObfJS-H. ObfJS, which stands for “obfuscated JavaScript”, and is the second most prevalent Web-borne malware in Sophos’s latest monthly roundup of online nasties.
This JavaScript page unscrambles itself to create a Web page which Sophos detects as Mal/JSShell-B, which in turn tries to exploit a Windows XML vulnerability (patched in 2006) to download a malicious Windows program hidden on the same compromised server in Korea. Sophos blocks this file as Mal/Basine-C.
Ducklin said SophosLabs analyses millions of spam messages, and uncovers more than 30,000 new infected Web pages, every day.
“Many of these make little attempt to hide what they are, coming straight out and offering you porn, or pills, or other dubious products. In this case, however, the spammers have cynically exploited the likely Australian interest in the Northern Territory Library’s success story.”
Ducklin advises users to remain vigilant when reacting to what look like innocent news releases. In this case, the e-mail claims to come from the genuine Internet domain “gatesfoundation.org,” yet the news stories link to a completely different site.
Sophos also advises businesses to aim for defense in depth through a consolidated solution. Scanning incoming e-mail provides a chance to block the initial inbound spam while filtering Web traffic provides a second chance to block access to any malicious links, and a third chance to identify any malicious content coming back from links which aren’t known yet.
