Symantec Connect: WikiLeaks.org is in the news after their recent publications linked to leaked government documents. Spammers are now leveraging the current level of interest with social engineering techniques to infect users’ computers. Symantec is observing a wave of spam spoofing WikiLeaks to lure users into becoming infected with a new threat.

The spam email has subject line “IRAN Nuclear BOMB!” and spoofed headers. The “From” header purports to originate from WikiLeaks.org, although this is not in fact the case, and the message body contains a URL. This URL downloads and runs WikiLeaks.jar which has a downloader ‘WikiLeaks.class’ file. The downloader pulls the threat from http://ugo.file[removed].com/226.exe. Symantec detects this threat as W32.Spyrat.

Below is screenshot of the email and website that downloads the threat:

WikiLeaks

W32.Spyrat opens a backdoor using a predetermined port and IP address, allowing an attacker to perform the following actions on the compromised computer:

  • Read, write, and execute files
  • Steal stored passwords
  • Issue commands
  • Activate and view a webcam, if present
  • Log keystrokes
  • Create an HTTP proxy to route traffic through the compromised computer

We caution users not to open or click on the links or attachments of emails such as these. Symantec recommends having anti-spam and antivirus solutions installed and up to date to prevent the compromise of personal machines or networks. We are closely monitoring this threat and update our readers.