Yesterday, amid the heavy Michael Jackson news coverage and tabloid autopsy speculations, another round of email was spammed out with the following text:
Michael Jackson Was Killed…
But Who Killed Michael Jackson?
Visit X-Files to see the answer:
(hxxp://xfiles link here)
The link redirected to a site hosted at 87.97.116. 131 in an x-file-esque directory “x-files/x-file-mjacksonkiller.exe”, which is currently down. The site hosted a malformed pdf and Zbot banking password stealing variant. The ThreatFire community prevented the file in very low prevalence, so very few users are falling for this sort of shameless scam. But we remind you to always think twice before running an unknown executable or visit an untrusted site (the url for this one is most likely not a domain one would recognize: jillih. com), regardless of the news. And update third party plugins on your system like pdf readers.
Update (7/8/09): hooks added to the Zbot code described here.