Paris Hilton spam

06 Feb 2008

minute read

Authors

Roel Schouwenberg

Last week there was a lot of speculation going round that Paris Hilton has changed her sexual orientation. A couple of years ago when she was making the news, IM-Worm authors played on this. With these latest rumours – I am an AV researcher after all – I immediately thought that the bad guys would find some way to use these rumours. Unsurprisingly, this prediction turned out to be true. Over the last couple of days we’ve seen spam being sent out which contains a link in it claiming to be a Paris Hilton video.

The social engineering is obvious – although it’s amusing that the video title mentions men rather than women. Putting this aside, it’s rather an odd case from a technical point of view.

The URL leads to a simple Trojan-Downloader which is packed using FSG. It doesn’t have any anti-AV functionality. In turn the Downloader downloads two files, one for harvesting email addresses from the victim machine and one for sending out spam. One of those is stuffed with anti-AV techniques.

Of course, using Trojan-Downloaders is extremely common these days. What’s strange is the combination of such a simple Trojan-Downloader which downloads highly sophisticated malware.

And given that the Trojan-Downloader will be heuristically detected by quite a number of virus scanners, including ours, the chances of actually getting infected are slim. This leaves me wondering if this unusual combination was created by the authors by accident, or by some strange design.

Authors

Roel Schouwenberg

Paris Hilton spam

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Latest Posts

Latest Webinars

Reports

Kaspersky GReAT experts dive deep into the BlueNoroff APT’s GhostCall and GhostHire campaigns. Extensive research detailing multiple malware chains targeting macOS, including a stealer suite, fake Zoom and Microsoft Teams clients and ChatGPT-enhanced images.

Kaspersky researchers discovered previously unidentified commercial Dante spyware developed by Memento Labs (formerly Hacking Team) and linked it to the ForumTroll APT attacks.

Kaspersky GReAT experts describe the latest Mysterious Elephant APT activity. The threat actor exfiltrates data related to WhatsApp and employs tools such as BabShell and MemLoader HidenDesk.

According to Kaspersky, Librarian Ghouls APT continues its series of attacks on Russian entities. A detailed analysis of a malicious campaign utilizing RAR archives and BAT scripts.

Paris Hilton spam

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

ZeroLocker won’t come to your rescue

A Post-PC BlackHat?

Adobe Updates April 2014

Trust. Trust. Trust

Adobe’s First Patch Tuesday of 2014

Deep analysis of the flaw in BetterBank reward logic

Post-exploitation framework now also delivered via npm

Massive npm infection: the Shai-Hulud worm and patient zero

The SOC files: Rumble in the jungle or APT41’s new target in Africa

XZ backdoor: Hook analysis

Latest Posts

The evolving landscape of email phishing attacks: how threat actors are reusing and refining established techniques

PassiveNeuron: a sophisticated campaign targeting servers of high-profile organizations

Post-exploitation framework now also delivered via npm

SEO spam and hidden links: how to protect your website and your reputation

Latest Webinars

Fortify your mobile protection: Building customer trust with advanced security

Unmasking email dangers: Detecting and defending against mail threats

Kaspersky Scan Engine: Built to integrate, engineered to protect

Kaspersky’s way of cloud workload protection

Reports

Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs

Mem3nt0 mori – The Hacking Team is back!

Mysterious Elephant: a growing threat

Sleep with one eye open: how Librarian Ghouls steal data by night

Subscribe to our weekly e-mails