Local Terror Attacks
Attacks on our inboxes are constant. Some tend to stand out, much like one that came through yesterday on St. Patrick's Day. Yes, whilst most people were daydreaming of green beer, the Waledac authors decided it was a good time to strike. The techniques used in this attack were very similar to their last run, and included a new "feature", if you will, that was first introduced in the last wave: the use of GeoIP location. By using visitors' IP addresses when they arrive at Waledac's target sites, the attackers can customize the information to appear local to the victim. In this case they wanted victims to believe that a terror attack had just occurred in their own home town. This included a brief, fake news story, supposedly from Reuters, that claims "At least 12 people have been killed and more than 40 wounded in a bomb blast near market in [insert your town here]". Click on the picture above to read the rest of the "story".
Below the story is where video of the devastation is supposed to be, but of course, you need to download the latest version of Flash to view it. Instead you'll be downloading a file by the name of Run.exe, which is the malicious payload. However, as has also become a staple of these Waledac attacks, they're not going to wait for you to download the malicious executable on your own: through the use of a hidden iframe, they're already downloading it for you once you arrive at the site. This domain is on the same fast flux type network that this group has been using since Waledac was known as The Storm Worm.
Finally, at the bottom of the fake page are two links to help make it all look believable. The first is to a Wikipedia entry for the topic "dirty bomb", which, according to the story, is what was used. The second link uses the IP geolocation again to combine your town's name with the words "terror attack" to perform a Google search.
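For defenders inspecting a saved copy of a page like this, the two delivery tricks described above (the fake Flash link to Run.exe and the hidden iframe that fetches it automatically) can be flagged with a short scanner. This is an added example, not code from the original post; the sample HTML, the `example.invalid` hosts and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
import re

# Constructed sample page modelled on the lure described above (not captured content).
SAMPLE_PAGE = """
<html><body>
<h1>Breaking news</h1>
<a href="http://news.example.invalid/Run.exe">Download the latest Flash Player</a>
<iframe src="http://news.example.invalid/Run.exe" width="0" height="0"></iframe>
<iframe src="http://video.example.invalid/player" width="640" height="360"></iframe>
<iframe src="/ads" style="display: none"></iframe>
</body></html>
"""

# URL path ends in a Windows executable extension (query string or fragment allowed).
EXECUTABLE = re.compile(r"\.(exe|scr|pif|bat)(?:[?#]|$)", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = re.compile(r"^\s*[01](px)?\s*$", re.I)  # width/height of 0 or 1 pixel


class LureScanner(HTMLParser):
    """Collects (kind, url) findings for hidden iframes and executable links."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            hidden = (TINY.match(a.get("width", "")) or TINY.match(a.get("height", ""))
                      or HIDDEN_STYLE.search(a.get("style", "")) or "hidden" in a)
            if hidden:
                src = a.get("src", "")
                kind = "hidden-iframe-executable" if EXECUTABLE.search(src) else "hidden-iframe"
                self.findings.append((kind, src))
        elif tag == "a" and EXECUTABLE.search(a.get("href", "")):
            self.findings.append(("executable-link", a["href"]))


def scan(html):
    scanner = LureScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, url in scan(SAMPLE_PAGE):
        print(f"{kind}: {url}")
```

A hidden iframe on its own is common on legitimate pages, so the `hidden-iframe-executable` finding is the one worth alerting on; the plain `hidden-iframe` finding is context for triage.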
