Update: On 2013-04-18 Kelihos stopped leveraging the Boston tragedy for a fresher one: the massive explosion at a fertilizer plant north of Waco, Texas. The subjects found in spam are:

CAUGHT ON CAMERA
Fertilizer Plant Explosion Near Waco
Plant Explosion Near Waco
Texas Explosion Injures Dozens
Texas Plant Explosion
Video footage of Texas explosion
Waco Explosion HD
West Tx Explosion

On April 16, ESET warned Internet users about possible scams related to the Boston Marathon bombing. What we feared would happen was confirmed the next day: a wave of spam shamelessly exploiting this horrific event to lure victims into clicking on a malicious link. Many others have reported this, with Trend Micro's Aisa Escober publishing one of the most complete reports on this malware attack.

It is clear that the spam campaign is being used to install the Win32/Kelihos malware. By digging into our botnet monitoring data, we were also able to confirm not only that the spam aims to spread Win32/Kelihos, but that the spam messages themselves are being sent by the botnet itself. Less than 24 hours ago, Win32/Kelihos abandoned its pump and dump spam campaign – which has been running for many weeks – to switch to this new campaign: These messages, which then arrive in the inboxes of unsuspecting users, look something like this:

When clicking on the link, the potential victim does see real videos from Youtube but these are seasoned with a malicious iframe pointing to a Redkit exploit page:

The last iframe points to the exploit pack page, which triggers the chain of infection that ends with the installation of Win32/Kelihos:

We are closely monitoring the botnet, blocking every new malicious URL as they appear and making sure that the binaries are properly detected by our engine.

A bit of Kelihos history

Let's take a step back in time and look at the history of Win32/Kelihos. ESET's Kelihos expert Pierre-Marc Bureau has previously asserted that the botnet operators are the same as those operating the ancient Win32/Nuwar (aka Storm) botnet. His investigation is well explained in the 2011 Virus Bulletin presentation entitled "Same botnet, same guys, new code". You can download a PDF of the paper here.

This information prompts us to look back at the techniques used by Win32/Nuwar to spread itself. The malware was first seen in 2007 and named after a spam campaign exploiting a climate of extreme political tension between the USA and Iran, at a time when Iran was threatening to take military action against Israel. The spam campaign announced an imminent NUclear WAR and generously offered more ‘information’ in an attached file. The subject lines used were eye-catching enough to trick victims into infecting thousands of computers:

From then on, Win32/Nuwar operators consistently employed the technique of misusing popular events to spread malware:

2007/10/31 Halloween /2007/10/31/safe-halloween/
2007/12/24 Christmas /2007/12/24/new-nuwar-for-christmas/
2007/12/31 New Year /2007/12/31/more-nuwar-for-the-new-year/
2008/01/31 Valentine's day /2008/01/15/nuwar-for-valentines-day/
2008/04/01 April Fool /2008/04/01/april-storm/

It comes as no surprise to discover that the gang is once again using the same old technique, this time exploiting the shock and tragedy of the Boston Marathon bombing. Why? Simply because it is still very effective.

Files analyzed:

fjnlj.exe  cea7f31873f9019b9de251de129cc796
Win32/TrojanDownloader.Bredolab.AN trojan (dropper for Win32/Kelihos)
~!#91.tmp.exe  0e84b9bc2f1d6f1e1729c3890495bfa3
Win32/PSW.Fareit.A trojan