Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Osama bin Laden's death, Twitter fame and malware

View all posts > 

Osama bin Laden's death, Twitter fame and malware

Posted: 02 May 2011 09:33 AM | Patrik Runald | 1 comment(s)

Cyber criminals will jump at any chance and use any news to spread malware, and news doesn't get much bigger right now (sorry William and Kate) than the death of Osama bin Laden. It was obvious that we would see SEO poisoning leading to malware, image search poisoning, spam campaigns, and so on. But at the same time, cyber criminals also like to get lucky, which happened here.


Twitter is a great source of information, and in the aftermath of the news of bin Laden's death, people started noticing that a Twitter account called @ReallyVirtual based in Abbottabad, Pakistan had tweeted about hearing helicopters and explosions in the area six hours before the news became public. Essentially he live tweeted during the attack.



As can be seen from the screenshot, Mr. Athar links to his blog, and I'm sure a lot of users who saw his tweets went there. Unfortunately for them, the site was compromised and was serving a poorly detected malware through the Blackhole Exploit Kit. Websense customers were proactively protected against this thanks to our real-time analytics in ACE. Below is a screenshot of what the site looks like:



And here's the exploit code on the page.


Anyone going to this page would also load content from the malicious URL above, and the Blackhole Exploit Kit would then try to use several exploits to automatically install malware on the PC.


The malware that the drive-by-download attempts to install is a fake system tool named 'WindowsRecovery' that claims to have found problems on the victim's computer:

To convince the user that something really is wrong with the system, the malware hides all files and folders in the hard drives and on the desktop:

But of course the scammers offer the user a quick solution to this problems with a purchase of the premium version of 'WindowsRecovery':


joel said on Wednesday, May 4, 2011 2:39 AM


Does people visit the site (without an AV) is as good as death, right?

I still don't understand how the fake AV work. When I see the WindowsRecovery screen, does it mean the virus is already installed in the computer or it is just a popup from the browser? Because if it is just a browser popup, I can just hit Alt + F4 to quit.

Leave a Comment


Email address: (required)