Angelina Jolie Guest Stars in Malware Scheme

July 2008


BitDefender researchers have identified a new wave of spam messages that use fake events related to actor Angelina Jolie in order to trick users into downloading and installing Trojan malware onto their computers.

This new campaign of spreading malware is mostly carried via spam messages based around an alleged adult video footage with the movie star. In order to watch the movie, users have to download binary file, video-nude-anjelina.avi.exe, which is infected with Trojan.Agent.AGGZ.

The spam message is comprised of an explicit image of Angelina Jolie, along with some text claiming that the mail has been sent as part of the MSN Featured Offers program. The text message plays a double role by it trying to trick the user into thinking that this is a legitimate news message and by preventing spam filters from labelling the entire mail as spam message.

⌠The spam wave is part of a larger category of unsolicited mail messages that rely on social engineering techniques in order to lure unwary users into installing Trojans,■ said Vlad Valceanu, Head Of Antispam Research. ⌠This type of attack seems to be extremely successful, as the number of messages has quickly escalated over the last couple months. In order to achieve their goals, spammers usually rely on international celebrities and their pictures, along with catchy, yet fake news leads.■

This is not the only incident involving Angelina Jolie. Recently, the actor has given birth to two children, and spammers took advantage of the event in order to infect more computers. The spam campaign following the event wrongfully announced the fact that Jolie gave birth to no less than five children, and even offered users a link to a website allegedly hosting a small video with the event. The announcement, combined with Angelina Jolie▓s fame was meant to take advantage of users▓ hunger for sensational events.

Once on the respective page, users were shown an image impersonating a flash video player. When the user landed on the compromised webpage, the download started immediately, without any user intervention (a procedure also refered to as drive-by download). The binary file was infected with Trojan.Downloader.Exchanger.Gen.1, a piece of malware that has been widely used in another spam campaign promoting an alleged antivirus utility, called Antivirus XP 2008.

Although the approach is relatively new, the underlying technique has been widely used in the past. This campaign mostly targets computer users who are not educated in computer security - as they are not aware about free online scanners offered by major security providers.


The spam message directs the user to a legitimate webpage who▓s index page has been doubled to facilitate the attack. For instance, while the normal home page is index.php, the compromised URL would always end in index1.php. This secondary index page is neatly crafted using the Windows Vista look-and-feel (the Aero wallpaper and icon buttons). The professional look dramatically contributes to gaining users▓ confidence, but there are a few details that should tip off the visitor about the scam.

For instance, the virus top on the upper right side of the screen displays the most aggressive viruses that were active during May - meaning the page has not been updated. Secondly, the other text elements are written in plain English, with ambiguous explanations (such as ■Trojan attacks damage more than $3 million/hour.■) The spam message itself is written using poor grammar, with multiple obfuscations to trick spam filters.

■This spam wave built on an older recipe, making heavy use of text obfuscation in order to prevent spam filters from identifying and marking the message as junk,■ said Vlad Valceanu. ⌠The message itself should be enough of a warning for the user that the advertised piece of software is not legitimate and might come from ▓unorthodox▓ sources. More than that, users should pay extra attention to webpages that automatically try to download a file on the computer.■

Once installed on the computer, the rogue antivirus utility would stealthily start installing other high security risks such as adware, spyware or other malware from multiple servers or sources on the internet. Also, when run, the antivirus would display that it found multiple fake or false security threats on the host computer. This is a common tactic for rogue security applications, as they try to mislead unaware computer users and make them pay for the ⌠full■ version of a bogus utility.



Share This ON: