KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast

 Within a short time period of less than 24 hours, cybercriminals have already taken advantage of Monday’s explosion at the Boston Marathon as a newsworthy item. My colleague Mary Ermitano-Aquino noted a spam outbreak of more than 9,000 Blackhole Exploit Kit spammed messages, all related to the said tragedy that killed at least three people and injured many more. Some of the spammed messages used the subjects “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video,” and “Video of Explosion at the Boston Marathon 2013″ to name a few. Below is a spam sample she found:

The spammed message only contains the URL http://{BLOCKED}/boston.html , but once you click it, it displays a web page with an embedded video, supposedly from YouTube. At this point, users who click the link may have already downloaded malware unknowingly, aka drive-by-download attacks. Here’s a screenshot of the web page with the embedded video:

Simply clicking the link in the email triggers an automatic download from the URL http://{BLOCKED}.boston.avi_______.exe. If you’ll notice the lower left-hand corner of the download bar, the file name boston.avi_____.exe is seen as a downloaded file. This is actually a malicious file which happens to be a new variant of WORM_KELIHOS malware.

WORM_KELIHOS.NB  routines

Throughout the course of my investigation, I noticed that the IP of the download link varies every time it is accessed. As of this writing, we confirmed that the locations of the IP addresses are found in several countries such as Argentina, Taiwan, Netherlands, Japan, Ukraine, Russia, and Australia. The URL also downloads other similar malware from different links, as seen in the URL log below:

The downloaded samples have the same behavior and same file size, except that it changes the icons used and the file names.

Our analysis also shows that WORM_KELIHOS.NB  hides all the directories on the removable drive and replaces them with a .LNK file that uses a folder icon. This executes the malware before it opens that original folder. In addition, it creates .LNK files on infected removable drives with the command C:\WINDOWS\system32\cmd.exe F/c “start %cd%\game.exe. Below is a screenshot of an infected removable drive:

This worm has the capability to steal credentials from the different File Transfer Protocol (FTP) such as LeapFTP, P32bit FTP, FTP Control, SecureFX, BitKinex, FileZilla, and many more. One noteworthy routine about it is that it harvests email addresses from the affected computer’s local drive.

Spreading like wildfire

As of today, we have noted a significant number of malicious URLs gathered via the Trend Micro™ Smart Protection Network™ related to the Boston Marathon explosions, with the United States leading the pack among the other countries we monitored.

Aside from the spam sample discussed earlier, we also found that other platforms have also been exploited to spread similar threats. Malicious Tweets and links on free blogging platforms were also crafted just hours after the blast took place.

This goes to show that a cybercriminal’s work is never complete. Taking advantage of newsworthy events is indeed a cybercrime staple; each new scheme always seems to vary, which results in a never-ending cycle of malicious mischief.

We analyzed WORM_KELIHOS.NB further and uncovered that the malware also attempts to steal user’s bitcoin wallet, if stored in the vulnerable system. Bitcoins are known digital currency and are making a wave in today’s IT and threat landscape.

Here is a list of subjects I've seen hit spam traps:

1. Subject: 2 Explosions at Boston Marathon
2. Subject: Aftermath to explosion at Boston Marathon
3. Subject: Arbitron. Dial Global. Boston Bombings
4. Subject: Boston Explosion Caught on Video
5. Subject: BREAKING - Boston Marathon Explosion
6. Subject: Explosion at Boston Marathon
7. Subject: Explosion at the Boston Marathon
8. Subject: Explosions at Boston Marathon
9. Subject: Explosions at the Boston Marathon
10. Subject: Opinion: Boston Marathon Explosions made by radical Gays? Really? - CNN.com
11. Subject: Opinion: Boston Marathon Explosions - Romney Benefits? - CNN.com
12. Subject: Opinion: Boston Marathon Worse Sensation - Osama bin Laden still alive!? - CNN.com
13. Subject: Opinion: FBI knew about bombs 3 days before Boston Marathon - Why and Who Benefits? - CNN.com
14. Subject: Opinion: Osama Bin Laden video about Boston Marathon Explosions - bad news for all the world. - CNN.com
15. Subject:[SPAM] 2 Explosions at Boston Marathon
16. Subject:[SPAM] Boston Explosion Caught on Video
17. Subject:[SPAM] Explosions at the Boston Marathon
18. Subject:[SPAM] Video of Explosion at the Boston Marathon 2013
19. Subject: Stiri:EXPLOZIILE de la maratonul din Boston/Spaga este negociata la granita Romaniei/A inventat bautura care INLOCUIESTE MANCAREA/TUNELUL cu mecanisme de NEINTELES al lui STALIN/70 % din infrastructura RCS-RDS este amplasata ILEGAL/BOMBA ANULUI IN SHOWBIZ
20. Subject: Video of Explosion at the Boston Marathon 2013
21. Here is a list of malicious URLs in those messages (use at your own risk):
23. hxxp://109.87.205.222/boston.html
24. hxxp://109.87.205.222/news.html
25. hxxp://110.92.80.47/boston.html
26. hxxp://110.92.80.47/news.html
27. hxxp://118.141.37.122/boston.html
28. hxxp://118.141.37.122/news.html
29. hxxp://176.241.148.169/boston.html
30. hxxp://176.241.148.169/news.html
31. hxxp://178.137.100.12/boston.html
32. hxxp://178.137.100.12/news.html
33. hxxp://178.137.120.224/boston.html
34. hxxp://178.137.120.224/news.html
35. hxxp://188.2.164.112/boston.html
36. hxxp://188.2.164.112/news.html
37. hxxp://190.245.177.248/boston.html
38. hxxp://190.245.177.248/news.html
39. hxxp://212.75.18.190/boston.html
40. hxxp://212.75.18.190/news.html
41. hxxp://213.34.205.27/boston.html
42. hxxp://213.34.205.27/news.html
43. hxxp://217.145.222.14/boston.html
44. hxxp://217.145.222.14/news.html
45. hxxp://219.198.196.116/boston.html
46. hxxp://219.198.196.116/news.html
47. hxxp://24.180.60.184/boston.html
48. hxxp://24.180.60.184/news.html
49. hxxp://24.214.242.227/boston.html
50. hxxp://24.214.242.227/news.html
51. hxxp://31.133.84.65/boston.html
52. hxxp://31.133.84.65/news.html
53. hxxp://37.229.215.183/boston.html
54. hxxp://37.229.215.183/news.html
55. hxxp://37.229.92.116/boston.html
56. hxxp://37.229.92.116/news.html
57. hxxp://46.233.4.113/boston.html
58. hxxp://46.233.4.113/news.html
59. hxxp://46.233.4.113/xxxxx.html
60. hxxp://50.136.163.28/boston.html
61. hxxp://50.136.163.28/news.html
62. hxxp://61.63.123.44/boston.html
63. hxxp://61.63.123.44/news.html
64. hxxp://62.45.148.76/boston.html
65. hxxp://62.45.148.76/news.html
66. hxxp://62.45.148.76/xxxxx.html
67. hxxp://78.90.133.133/boston.html
68. hxxp://78.90.133.133/news.html
69. hxxp://83.170.192.154/boston.html
70. hxxp://83.170.192.154/news.html
71. hxxp://85.198.81.26/boston.html
72. hxxp://85.198.81.26/news.html
73. hxxp://85.204.15.40/boston.html
74. hxxp://85.204.15.40/news.html
75. hxxp://85.217.234.98/boston.html
76. hxxp://85.217.234.98/news.html
77. hxxp://91.241.177.162/boston.html
78. hxxp://91.241.177.162/news.html
79. hxxp://91.241.177.162/xxxxx.html
80. hxxp://94.153.15.249/boston.html
81. hxxp://94.153.15.249/news.html
82. hxxp://94.28.49.130/boston.html
83. hxxp://94.28.49.130/news.html
84. hxxp://95.69.141.121/boston.html
85. hxxp://95.69.141.121/news.html
86. hxxp://95.87.6.156/boston.html
87. hxxp://95.87.6.156/news.html