Zenith Live 2019 Keynotes Watch Now
Zenith Live 2019 Keynotes Watch Now
Blogs > Security Research

Osama Bin Laden Related Malware


By: ThreatLabz


Osama Bin Laden Related Malware

We'll continue to update this blog post with new malware we're seeing related to Osama bin Laden's death, as we expect to see plenty.

leads to low A/V detection malware:
VirusTotal Report (3/41): Trojan / Koobface

More Facebook scams, attempting to trick the end user into pasting Javascript into the URL bar in order to further propagate the scam.



Interesting statistic: Zscaler went from seeing fewer than 1,000 URLs containing the terms 'osama', 'usama' or 'laden' on Sunday afternoon, to a peak of over 4 million by 10am PST on Monday morning.
There are a handful of sites cropping up that are advertising that Osama is alive. When visited the page appears as follows:

The go.php script redirects to an Osama is Alive Facebook profile, such as:

This particular profile is down, however there do appear to be a number of other related Facebook profile pages recently created:
I have not witnessed anything malicious at the moment in this campaign. But because the spammy nature and number of sites / profiles it makes our list.
V/T Report (32/42): Trojan Rinecud / Pincav


Asks Facebook users to 'like' the scam and then copy/paste Javascript into their URL bar, in order to generate Facebook content promoting the scam. The page alleges that once 25,000 Facebook users have promoted the scam, they will reveal the Osama Bin Laden death video.


Let's just call this 'poor man's Likejacking', with a dash of malvertising. The site manually walks a user through manually 'liking' content and then posting it to their Facebook page, which is allegedly required, before the video can be viewed. Upon clicking on the 'WATCH THE VIDEO NOW' link a fake 'age verification' screen is displayed, requiring the user to click on advertising links.
Osama Bin Laden Death Video Facebook Scams:
For example,
--> spyingonyou.info/osama/a.js
Many other Facebook profiles as well:



News story which includes links to video with fake VLC warnings. The page may be infected with malvertising. The malware is not consistently displayed on the page.

V/T report (19/41): Hotbar Adware



A variety of attacks are included on the page, including Likejacking and Adware.

V/T Report (20/41): Hotbar Adware
302 redirects to:

V/T Report (24/41): Trojan Banload
Seen spread primarily through spamvertised messages to mail.live.com
Others seen:
Other Banload:
V/T Report (19/41)
V/T Report (7/41): Password Stealing Trojan

Suggested Blogs