Within hours of yesterday's assassination of former Pakistani Prime Minister Benazir Bhutto, malware makers exploited the breaking news to dupe users into downloading attack code, security researchers said Friday. Searches for news about Bhutto's killing and the ensuing chaos in Pakistan listed sites pimping a bogus video coder/decoder (codec), said analysts at McAfee Inc., Symantec Corp. and WebSense Inc. For instance, WebSense found such a site simply by using "benazir" to search on Google. Meanwhile, McAfee quickly located 10 sites hosted on Blogger.com, Google Inc.'s blog service, that were spreading the fake codec.
The sites use the well-worn tactic of promising a video -- in this case one of Bhutto's assassination -- but telling Windows users that they need to install a new high-definition video codec, the program that decodes the digital data stream, to view the clip. Naturally, the so-called codec is no such thing, but is instead rigged code that downloads a variant of the Zlob Trojan horse, a back door that can infect the compromised PC with a wide range of other malware. "Even death isn't sacred to some," said Symantec researcher Vikram Thakur in a post to the company's security response blog.