Srizbi spam uses celebrities as lures
February 20, 2008
We are currently seeing a protracted campaign that spams out emails with links to websites hosting malicious files. The spam uses high-profile celebrities as lures and pretends to advertise videos and DVDs of your favourite star. Subject lines from today include:
NEW Kick-up video with a naked celebrity Kylie Minogue
NEW Gallery presentation Claudia Schiffer
NEW Kick-up mpeg4 Demi Moore
NEW Interesting video Salma Hayek
NEW Shocking sexy songs Carmen Electra
NEW Kick-up mp3 Paris Hilton
The messages are similar in format, with coloured HTML background and a 'Download Now' link. The following is typical of those we have seen over the last few days:
The messages use Google redirects to help avoid detection. The websites where the malware is located all appear to be public websites that have been compromised by the addition of a PHP file, 'rdown.php', as follows:
<a href="http://www.google.com/pagead/iclk?sa=l&ai=eIKMFc&num=162205&adurl=
http://[REMOVED].com/novo/fotos/tuir/rdown.php?sJEhcw">Download it now!</a>
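For mail triage, the real destination of such a link can be recovered without following it. The sketch below is an added example, not code from the original post: it pulls `href` values out of an HTML body, unwraps the `adurl` parameter and flags a final path ending in `rdown.php`. The host `compromised.example` and the function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# "adurl" is the redirect parameter in the link shown above (extend as needed).
REDIRECT_PARAMS = ("adurl",)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if tag == "a" and name == "href" and value:
                # Drop line wraps and spaces that split the URL in the source.
                self.links.append(re.sub(r"\s+", "", value))

def unwrap(url, max_hops=5):
    """Statically follow redirect parameters (no network); return the URL chain."""
    chain = [url]
    for _ in range(max_hops):
        params = parse_qs(urlsplit(chain[-1]).query)
        target = next((params[p][0] for p in REDIRECT_PARAMS if p in params), None)
        if not target or not target.lower().startswith(("http://", "https://")):
            break
        chain.append(target)
    return chain

def triage(html_body):
    """Return one finding per link: visible host, real host, rdown.php match."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href in collector.links:
        chain = unwrap(href)
        first, final = urlsplit(chain[0]), urlsplit(chain[-1])
        findings.append({
            "href_host": first.hostname,
            "final_host": final.hostname,
            "redirected": first.hostname != final.hostname,
            "rdown": final.path.lower().endswith("/rdown.php"),
        })
    return findings

# Constructed sample: the page's link with a placeholder host for [REMOVED].com
SAMPLE = '''<a href="http://www.google.com/pagead/iclk?sa=l&ai=eIKMFc&num=162205&adurl=
http://compromised.example/novo/fotos/tuir/rdown.php?sJEhcw">Download it now!</a>'''
```

A gateway rule can then score on `final_host` rather than on the trusted-looking `href_host`.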
This spam campaign is being sent by the Srizbi Trojan, a well-known spambot, which has been particularly active lately. If clicked, the link will prompt the user to download a malicious file, which in turn seeks to download other files, including the Srizbi Trojan itself. Srizbi was also responsible for a similar campaign recently involving Hillary Clinton.
Using celebrities is a well-worn trick to entice users to follow links in email. Suffice it to say, don't be tempted.
Last Reviewed: February 20, 2008
- © 2010 M86 Security. All Rights Reserved.
