The Hindu Business Line : Websense spots malicious code

Pune, July 15 “Dear Customer, Our Robot has detected an abnormal activity from your IP address on sending e-mails. Probably it is connected with the last epidemic of a worm which does not have official patches at the moment. We recommend you to install this patch to remove worm files and stop e-mail sending, otherwise your account will be blocked. Customer support.”

This is the latest in the downloads of malicious code that has been found by Websense Security Labs. According to Websense, it appears as though the same group was behind the widespread attacks on July 4, which used greeting card lures to spread. The July 4 greeting card had more than 250 sites that were hosting a variety of malicious code.

The Web sites use the same JavaScript obfuscation technique and exploit code just like the greeting card.

“All e-mails use URLs that send users to an IP address that will attempt to exploit the users if their browsers are vulnerable. If the browser is not vulnerable the exploit code will not work. However, the page will attempt to download a file called patch.exe by displaying a message “If your download does not start in approximately15 seconds click here to download”.

The theme of the new e-mail campaigns are based around a new patch that is available for users who may have been infected with a recent worm, Websense pointed out.