Hackers bait Zeus botnet trap with dead celeb tales

Massive 'die-off' of celebrities in plane and car crashes tries to trick users into infecting themselves with malware

Hackers are using tales of dead celebrities to build out Zeus botnets by duping users into compromising their own PCs, security experts said today.

The list of celebrities -- actors and singers for the most part, with an occasional sports star tossed in -- range from Anniston (Jennifer) and Cruise (Tom) to West (Kayne) and Z (Jay), said Symantec.

According to the spam that carries the malware, the personalities perished along with 34 others when their aircraft crashed into a mountainside during a landing. Later, the hackers changed the campaign to claim that the celebs were killed in car accidents.

The messages are accompanied by a .zip file attachment. If the recipient opened the archive file and then launched the resulting executable, her machine was hijacked by the Zeus Trojan and added to the growing botnet.

Using stars as bait is an old trick for malware makers, admitted Marc Fossi, the director of Symantec's security response team. "[But] this is a fairly heavy run. We've seen the .zip attachment rate double over the last couple weeks," Fossi said in an instant message interview.

Earlier this month, Symantec said the percentage of spam sporting .zip file attachments soared to 13%, a seven-fold jump over the rate just three weeks before.

Rival McAfee, the security firm that just agreed to be acquired for nearly $8 billion by Intel, also reported on the spike in Zeus attacks using celebrity fatalities as a draw. McAfee noted that the accounts of the demise of Beyonce or Bon Jovi, Johnny Depp or Justin Timberlake, were identical to the real-life airplane crash that claimed the life of then-U.S. Commerce Secretary Ron Brown in 1996.

In that crash, Brown and 34 others died when their U.S. Air Force aircraft hit a mountain while on approach to a Croatian airport.

Fossi said it was likely that a single group or even person was responsible for the campaign, citing the rapid rise in attacks as evidence. He also speculated that the increase in Zeus-based malware campaigns may be due to the recent release of a new version of the popular do-it-yourself crimeware kit.

"A newer version of the kit was released in the last while, [and] that could mean the price of the original dropped, allowing more people to get into the scene," Fossi said.

Last March, Zeus' makers added Microsoft-like anti-piracy technology to lock the software to a single machine, much like Windows' product activation fixes a copy of the operating system to a specific PC. At the time, researchers saw the move as a way for Zeus' creators to stablize the kit's price tag, estimated at between $3,000 and $4,000 for the basic edition.

Zeus was first uncovered in late 2007 by SecureWorks researcher Don Jackson, and has been tagged as the malware most-used by criminals specializing in financial fraud.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com.

A look inside the Microsoft Local Administrator Password Solution
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies