- Hacking LinkedIn's password (and possibly user-) database.
- Sending an email to all obtained email addresses, which is urging you to check your LinkedIn inbox as soon as possible.
- A user unknowingly clicks on the link.
- An exploit gets loaded. Malware gets dropped. Malware gets executed.
- User's computer is now a zombie (part of a botnet).
You can find that post back here:
LinkedIn spam, exploits and Zeus: a deadly combination ?
It seems this scheme is still being successfully employed, now combined with the latest Java exploit (CVE-2012-4681).
Let's clearly divide this clever trick into its 3 parts.
Part 1 - the spam email:
[Figure: the so-called reminder from LinkedIn]
Example subjects of this email:
- Communication LinkedIn Mail
- Connection LinkedIn Mail
- Contact LinkedIn Mail
- Immediate LinkedIn Mail
- Invitation reminders LinkedIn
- Link LinkedIn Mail
- PENDING MESSAGES - LinkedIn Mail
- Relation LinkedIn Mail
- Relationship LinkedIn Mail
- Rush LinkedIn Mail
- Signaling LinkedIn Mail
- Urgent LinkedIn Mail
The first part of the whole set-up or scheme is of course getting the user to click on a malicious link.
This is your typical social engineering trick: it seems you have pending messages from LinkedIn and you can check your inbox by clicking on the link.
Note that the other links also trigger the exploit.
Part 2 - the exploit (in this case, Java)
[Figure: location of the actual exploit]
[Figure: small part of the code; you can see a file called Leh.jar and 2 of its classes]
[Figure: Leh.jar classes, which contain the CVE-2012-4681 exploit code]
There's an excellent article over at the Immunity blog which takes a closer look at the classes used in this exploit. Remember that the class names are just names; they don't indicate anything in particular (as far as I know):
Java 0day analysis (CVE-2012-4681)
...and here's the same file, deobfuscated:
Part 3 - the Trojan - Zeus/Zbot
[Figure: a file called 3Wcg.exe will be downloaded and executed]
When executing this file...:
[Figure: ...it crashed. Badly coded, or sandbox/VM aware]
As you can see from the figure above, the sample crashed upon execution... Not much to do here.
Most probably your banking credentials and/or passwords would have been stolen, or you would be sending spam.
Some more information on the associated files:
Same advice as in one of my previous posts regarding exploits:
- Patch your third-party applications. In the case of Java and Adobe, remove them if unneeded.
- Use an antivirus which has or uses behavioural technologies and/or exploit prevention.
- Always check the URL of a link. You can verify this by 'hovering' over the link to check what is really behind it.
- If you really have messages waiting for you on LinkedIn, and you're curious, just go directly to the site by typing the address manually in your browser. Delete emails from unknown senders and never open any attachments from them!
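The "hover over the link" check above, and the subject wording listed in Part 1, can both be automated for triage. The script below is an added example and is not code from the original post: it parses a raw email, flags subjects that match the campaign's wording, and lists every anchor whose target host is not linkedin.com (the only legitimate host assumed here). The sample message and its lure URL are constructed for illustration, not indicators from the campaign.

```python
"""
Added example: triage a "LinkedIn reminder" email by checking its subject
against the lure wording from the post and by comparing every link's real
host (what 'hovering' would reveal) against the domain LinkedIn uses.
"""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject fragments taken from the list of lure subjects in the post.
SUBJECT_WORDS = ("linkedin mail", "invitation reminders linkedin", "pending messages")

# Assumption: a genuine LinkedIn notification only links to linkedin.com or a subdomain.
LEGIT_HOSTS = ("linkedin.com",)

# Constructed sample message; the lure URL is a placeholder, not a real indicator.
SAMPLE = """\
From: LinkedIn <messages-noreply@linkedin.com>
Subject: PENDING MESSAGES - LinkedIn Mail
Content-Type: text/html; charset=utf-8

<html><body>
<p>You have 3 pending messages.</p>
<a href="http://example.invalid/lure/inbox">Go to your inbox</a>
<a href="https://www.linkedin.com/help">Help</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def is_legit_host(host):
    """True only for linkedin.com itself or a subdomain (not linkedin.com.evil.tld)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_HOSTS)


def looks_like_lure_subject(subject):
    s = subject.lower()
    return any(w in s for w in SUBJECT_WORDS)


def suspicious_links(html):
    """Return (visible text, href) for every anchor whose host is not LinkedIn."""
    collector = LinkCollector()
    collector.feed(html)
    return [(text, href) for text, href in collector.links
            if not is_legit_host(urlparse(href).hostname or "")]


def triage(raw_message):
    """Summarise why a message is (or is not) a likely LinkedIn lure."""
    msg = message_from_string(raw_message)
    html = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    bad = suspicious_links(html)
    return {
        "lure_subject": looks_like_lure_subject(msg.get("Subject", "")),
        "suspicious_links": bad,
        "verdict": "suspicious" if bad else "links point to LinkedIn",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The host comparison deliberately uses a suffix match on ".linkedin.com" rather than a substring search, so a lookalike such as linkedin.com.example.invalid is still flagged; a sender address claiming to be LinkedIn is ignored on purpose, since the From header is trivially forged in this kind of spam.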