Shock Waves from Texas and Boston Blasts Hit Internet in Form of Spam Waves

The blasts that killed 15 people and injured 160 at a Texas fertilizer plant yesterday triggered a global wave of “malicious” spam today, even as the internet is still infested with spam messages that exploit the Boston Marathon bombings to spread password-stealing malware.

Only hours after the blasts in Texas, spammers injected keywords and subject headers related to the explosion into about 5 per cent of all spam that hit the internet, according to the Bitdefender anti-spam labs. The Texas-related spam, which is expected to intensify in coming hours, comes as 20 percent of spam hitting the internet exploits the Boston bombings.

The Bitdefender research, based on a sample pool of 2 million unsolicited e-mails, turned up hundreds of thousands of spam messages that had been altered at the last minute to promise breaking news, graphic videos and more related to the Boston Marathon attacks.

In the spam wave, Bitdefender found spam harboring a component of the infamous Red Kit exploit pack. Threats downloaded by RedKit include Trojan.GenericKDZ.14575, a password stealer that grabs users’ account passwords. It also watches the network traffic of the infected machine by dropping three legitimate WinPcap components, some of which were reported to also steal bitcoin wallets and send e-mails.

The same criminal group that launched the Boston spam has apparently changed the subject tag line to read: Fertilizer Plant Explosion Near Waco, Texas, Texas Explosion Injures Dozens, West Tx Explosion, Raw: Texas Explosion Injures Dozens, Caught on Camera: fertilizer Plant Explosion Near Waco, Texas. They replaced the ending of the malicious URL with “texas.html” but kept the e-mail format, the compromised domains, the modus operandi, and the RedKit.

As with the Boston Marathon situation, attackers promise breaking news, videos of the blast, and images caught on camera. They also push malicious e-mails with links to malicious websites corresponding to domains registered across the globe, some of which coinciding with the ones used in the Boston attack – including the US, Japan, Ukraine, Russia, China, Taiwan, and Argentina. IPs from other countries, however, could easily have been used in the spam attacks.

Users who click the URLs land on a website displaying YouTube videos on the Texas plant blast while, in the background, a component of RedKit downloads malicious software.

Please be cautious and avoid opening e-mails promising exclusive videos about the blast – and never click on the included links.

This article is based on the spam samples provided courtesy of Ionut-Daniel RAILEANU, Bitdefender Anti-spam Analyst and the technical details offered by Doina COSOVAN, Bitdefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.