Well, we have another one following on the heels of the CNN Alert and CNN.com Daily Top 10. These are the same and have links to download an updated Flash Player. The "Flash Player" is NOT Flash Player at all but a trojan.
Some examples of the Subject:
msnbc.com - BREAKING NEWS: All Baseball Players May Be Indicted For Steroid Abuse
msnbc.com - BREAKING NEWS: SJC Loosens Handgun Control To Stimulate Economy
msnbc.com - BREAKING NEWS: Elizabeth Taylor found murdered at home
msnbc.com - BREAKING NEWS: Nature Did Not Connect the Funny Bone to the Satire Bone
They are also starting to use BBC NEWS and plain "breaking news" subjects. None of the From: fields are msnbc, cnn, or BBC. So let's just start calling this the news alert virus. These emails rely on the assumption that someone they are sent to is signed up to receive the alert. Many people just click links without looking; I know, for one, that I am signed up to receive some of these types of alerts. I guess one of the things that has saved me is that I only receive email in plain text, and I do not click on links if they do not point to the sending domain. For instance, in one of the breaking news emails claiming to be from msnbc.com, the link goes to www.4x4.co.rs, and that is NOT msnbc.com. So some tips:
If you receive a breaking news alert, instead of clicking the link, move your mouse over the link and copy the shortcut. Open your web browser and paste it into the browser's URL field, and look at it before pressing Enter. If the URL is NOT on the site the email claims to come from, DO NOT GO TO IT. Clear it from the URL field and delete the email.
Remember, folks, this is a simple one. If you are NOT expecting the email, do not open it, especially if it has an attachment. If it is from someone you know and it has an attachment, call them and ask, "Hey, what is this you're sending me?" If they do not know, then do NOT open it. It is just common sense.
If you go to a web site and it wants you to update any software, go to the original site to update it. For instance, all these trojans want you to update Flash Player. Go to the Adobe download site at http://www.adobe.com/products/flashplayer/ and update your Flash Player. Do NOT update it from a web site you do not know. You should never install and/or update software from a web site that you do not know.
Others:
http://www.securitywatch.co.uk/2008/08/13/msnbccom-breaking-news-spam/
http://blog.mxlab.be/2008/08/13/msnbccom-breaking-news/
http://www.securitymanagement.com/news/beware-msnbc-com-breaking-news-spam-e-mails-004502
http://securitylabs.websense.com/content/Alerts/3159.aspx
Tags: cnn, email, fedex email virus, fedex postal service virus, fedex virus, msnbc, msnbc.com breaking, virus, virus fedex
Following up on yesterday's post about the CNN.Com Daily Top 10, today we have a new one. This one has the subject CNN Alerts: My Custom Alert. The email "From" address is random, and the content looks legitimate except for the Full Story link. This is the one that takes you to the site that immediately asks you to install an updated version of Flash. This is the virus, the payload. This virus is part of the Rustock Rootkit and Spam Bot.

Tags: cnn.com, cnn.com alert, spam, virus
Recently I wrote about the "UPS, FedEx, and US Customs Email Virus"; today I want to tell you about the CNN.Com Daily Top 10 email going out. I'm seeing this from a lot of different sources and it is pretty heavy out in the wild. I'm sure you have probably already seen it somewhere. The interesting point about this one is that the virus payload is not in the email but behind the links in the email, which allows it to bypass most virus scanners. It is NOT From: user@cnn.com but from a randomly generated or infected user's email address. The links in the email take you to sites, not cnn.com, that want to show you a video but say you have the wrong Flash Player installed. Other points:
- The URLs are not cnn.com
- The writing is poor (even worse than mine)
- It asks you to install Flash Player 0
- The ActiveX installer does not seem like a standard ActiveX installer
- It is not digitally signed.
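A small filter that applies the two checks these posts rely on, the hover-and-compare tip from the news alert post (the link must stay on the sending domain) and the "URLs are not cnn.com" point above (the From: host must match the news brand named in the Subject), to a raw message. This is an added example, not code from the original posts; the sample message and its hostnames are constructed placeholders, and the registered-domain logic is a deliberate simplification.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands the "news alert" lures impersonate in the Subject line.
NEWS_BRANDS = ("msnbc.com", "cnn.com", "bbc.co.uk")

class LinkExtractor(HTMLParser):
    # Collect every <a href> in an HTML body.
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def host_under(host, domain):
    # True if host is domain itself or a subdomain of it.
    host, domain = host.lower().strip("."), domain.lower().strip(".")
    return bool(domain) and (host == domain or host.endswith("." + domain))

def registered_domain(host):
    # Crude "last two labels" approximation; a real filter would use the
    # public-suffix list instead (assumption, not from the post).
    return ".".join(host.lower().strip(".").split(".")[-2:])

def check_news_alert(raw_message):
    """Flag the indicators the posts list: sender/brand mismatch, off-domain links."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "").lower()
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    claimed = next((b for b in NEWS_BRANDS if b in subject), None)
    sender_mismatch = claimed is not None and not host_under(sender_host, claimed)
    parser = LinkExtractor()
    parser.feed(msg.get_payload())  # assumes a single-part text/html body
    off_domain = [h for h in parser.hrefs if urlsplit(h).hostname and not
                  host_under(urlsplit(h).hostname, registered_domain(sender_host))]
    return {"claimed_brand": claimed, "sender_host": sender_host,
            "sender_mismatch": sender_mismatch, "off_domain_links": off_domain,
            "suspicious": sender_mismatch or bool(off_domain)}

# Constructed sample mimicking the lure; hostnames are placeholders.
SAMPLE_LURE = """\
From: "msnbc.com" <alerts@example.net>
Subject: msnbc.com - BREAKING NEWS: Elizabeth Taylor found murdered at home
Content-Type: text/html

<html><body><p><a href="http://video.example.org/story/index.html">Full Story</a></p>
<p><a href="http://www.example.net/unsubscribe">Unsubscribe</a></p></body></html>
"""
```

Calling check_news_alert(SAMPLE_LURE) reports the brand/sender mismatch and lists the Full Story link as off-domain, while the unsubscribe link on the sender's own domain passes.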

CNN Daily Top 10
Tags: cnn.com, spam, Spamassassin, top 10, virus
This is a question I get asked nearly daily. So why do people send spam? I could answer this real fast and be done. It's simple: money! That is the reason, plain and simple.
So the next question is, What?!?! Yes, people buy the things being hawked by the spammers. If they didn't and there was no money, then what would be the point of spamming?
Reasons..
The reason people buy the things spammers are hawking is simple. Vanity. Men are vain! Oh, there, I said it. Even more so than women. Notice that most spam is for either sexual dysfunction or balding. I do not know of any women that are having trouble getting their P3N!S hard. But yes, even when someone spells something wrong like that, men will buy it. It is the anonymity of the Internet that makes it so easy for men to buy the items being sold. So while you are at work today, look around; I'm sure you'll see several men that have bought something from an email. Just speaking statistically, there has to be someone buying.
“I don’t even have a penis why do they keep sending me penis pill spam!”
Because they are shooting in the dark, hoping that you have one! They don't know for sure. This is how it works: send to millions of addresses and hope that a small percentage will buy the products being sold.
The math speaks..
A company sends out 1.5 million emails, each one sent to an address they have bought or generated themselves. Now most of them are going to be stopped by some type of filter. Some are addresses that no longer exist. Out of all this, 11,000 people click on a link in the email, and 6000 purchase the bottle of pills for $50. This is $300,000, maybe not good for you, but not too bad for me. This is a 0.4% conversion rate (6000 buyers out of 1.5 million emails), and this is a good thing. Most get less. Most are only getting around 0.01%. When thinking of this, also know that one botnet is sending out over 1 billion emails a day.
In the last week I've seen this hit in the wild several times and at several locations. At one location this virus infected over 200 computers. The email arrives as follows:
From: United Parcel Service [user@not_ups.com]
Subject: UPS Paket N473133142
Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office
Your UPS
Attachment: UPS_Invoice.zip
There is a variant of this from FedEx and from United States Customs. US Customs has even posted a response to the email at http://www.customs.gov/xp/cgov/newsroom/alerts/email_virus.xml
Good afternoon,
We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.
Kind regards,
Rolland Hanna
Your Customs Service
The ones I have seen install a trojan that then begins sending out spam. They have all been part of the Cutwail botnet. This botnet includes around 150,000 computers, sending over 16 billion spam emails a day.
None of the virus scanners I had could clean this, and all the information available is about older versions of the Cutwail virus. I always recommend, if you get infected with any type of trojan/virus like this, to just do a reinstall; never ever trust an infected machine again. I had this cleaned, or so I thought, on one computer, until I rebooted and it was found again by Trend. Trend could not clean or quarantine this virus.
This version created the files c:\windows\system32\drivers\tcpsr.sys and c:\windows\system32\drivers\Win32x.sys; there were also several registry keys created, but I did not copy these down before the reinstall.
Side note:
Let me just point this out also. None of the systems that were infected are protected by the spam and virus protection provided by my employer. I have checked the logs on all of our spam/virus gateway systems and this virus has been stopped all along. If you own your own domain and want spam and virus protection, you can contact me for pricing.
Tags: alert virus