You probably think the person or people behind the Boston Marathon bombing are reprehensible and callous at the very least.

Well, meet their cousins – the slimebags behind the latest malware-distributing spam run we have seen ramp-up overnight.

Members of the AVG Web Threats Research team have discovered spam messages using the Boston Marathon explosion to lure potential victims to malware and exploits.

These spam messages are very simple with Subject lines that include:

– “Explosion at Boston Marathon”,

– “Runner captures. Marathon Explosion”

– “BREAKING – Boston Marathon Explosion”

– “Aftermath to explosion at Boston Marathon”

– “2 Explosions at Boston Marathon” and the message consists of just a numeric URL ending in “/boston.html” or “/news.html”.:

Boston avi


There may be other URL patterns we have not seen yet, or the scum behind this scam may alter the URL format as the ongoing spam run progresses. So, please do not assume that just because the message you received about the Boston Marathon bombing with a different looking URL is therefore probably safe!

Clicking the link in the email message takes potential victims to the following webpage:

“Hot News::Videos of Explosions at the Boston Marathon 2013″

Boston Scam


The page contains the following:

  1. An automatic download for a malicious executable. This is currently named “boston.avi_______.exe” but again, that may change.
  2. Four links to Youtube videos of explosions at the Boston Marathon.
  3. An IFrame to a Redkit Exploit Kit page.

Depending on the configuration of your web-browser, the automatic download might be automatically and silently saved to your “downloads” folder, or it may cause a confirmation dialog to appear asking you to save the “Boston.avi exe” to a file.

Boston Scam video

Choosing to run this program would certainly not be a good idea. While performing the initial analysis of this scam, the file that was being downloaded was a Trojan and will start sending out spam as soon as it is run. It was poorly detected by virus scanners.


Boston Scam trojan


Fortunately for those running AVG security products, LinkScanner detects and blocks the Redkit exploit kit page in the IFrame, alerting them to not run the program file presented to them.

LinkScanner detection of Boston scam


Heed this advice to avoid downloading and distributing the malware.


Members of the AVG Web Threats Research team have discovered a second attempt by spammers today to lure victims to malware and exploits. Samples we collected are not well written: the images don’t work, the text is sloppy and the hyperlinks don’t work. There is some danger still as users who move their mouse pointer over the link could get enough information, type the URL into their browser and become infected. Also, when the bad guys do notice their mistakes they are sure to fix them in hopes of tricking more victims.

The most recent spam email messages carried the below subject line:

“Subject: [SPAM] Opinion: Boston Marathon Explosions made by radical Gays? Really? –”

Boston Spam


If the hyperlinks work or the spam messages are fixed, the user will be redirected to a page that AVG LinkScanner detects as Blackhole exploit kit. The exploit kit downloads a Trojan that could be used for remote access, denial of service or distributed denial of service attacks. It also could send spam or capture information from the victim’s PC.


Boston spam


After the malicious pages are served, the user is redirected to a (non-malicious) Google search for “CNN Boston:”

Boston Spam  CNN pic

AVG Web Threats Research Group