The news update you never asked for
If you missed last week's chance to get your "airplane ticket", you currently have a second opportunity. Emails are making the rounds that claim to come from CNN and carry the subject "CNN.com Daily Top 10". They are neither from CNN nor a top 10. But the emails contain click-friendly headlines with enticing subjects like "Will all Americans be obese by 2030?" Now who wouldn't want to read THAT?!
Clicking takes you to the netherworld, of course. You currently receive a file called "get_flash_update.exe" (yeah, sure!). Detection for the sample is coming online; see http://www.virustotal.com/analisis/258fbdfb7eb6ecfedbf236533b03c945
The domain "idoo .com" seems to be up to no good. The other domains involved are too numerous to list, but about 50 of them currently resolve to 200.46.83.233. That's in Panama.
Comments
Our Storm friends started the new email format at 10:45 California time today, according to my logs. I haven't adapted my link extraction script yet -- I just now noticed that the old script wasn't getting results any more, Googled the subject line, and lo! here you were.
But the exploit on the hijacked servers I've checked by hand is 100% identical to what they've been using for the last week. Actually, I'd been hoping they'd spring a new exploit soon; the old one's boring. Instead, pfft, they spring a new email format on me.
I'll update as soon as I've modified the script to cope with this new spam format. One dead giveaway: it's multipart/alternative, but the text part doesn't match the HTML; the text part contains actual CNN links and different headlines, while the HTML part uses the same hilarious joke headlines, and all of its links go to (apparently) the same hijacked server.
Anyway -- more later, but don't make the mistake of thinking the spammed domain is the culprit. They've been hijacked, in job lots.
Michael
Aug 5th 2008
1 decade ago
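The giveaway the commenter describes (a multipart/alternative message whose text/plain part links to real CNN pages while every link in the text/html part goes to one other host) is easy to turn into a mail-filter check. The following is an added example written for this page, not the commenter's script and not code from the diary. The two messages it parses are constructed samples: the hostnames, boundaries and addresses are made up, and only the structure mirrors what the comment describes.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real capture): text part carries real-looking CNN
# links, HTML part carries the joke headlines, all pointing at one other host.
SUSPECT_EMAIL = """\
From: CNN Alerts <alerts@example.invalid>
Subject: CNN.com Daily Top 10
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

1. Markets rally http://www.cnn.com/2008/markets.html
2. Weather update http://www.cnn.com/2008/weather.html

--BOUNDARY
Content-Type: text/html; charset="us-ascii"

<html><body>
<a href="http://hijacked-host.example/news/1.html">Will all Americans be obese by 2030?</a><br>
<a href="http://hijacked-host.example/news/2.html">Another headline</a>
</body></html>

--BOUNDARY--
"""

# Constructed benign sample: both parts link to the same host, so no finding.
BENIGN_EMAIL = """\
From: Newsletter <news@example.invalid>
Subject: Weekly digest
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Read more: http://www.example.invalid/digest/1

--BOUNDARY
Content-Type: text/html; charset="us-ascii"

<html><body><a href="http://www.example.invalid/digest/1">Read more</a></body></html>

--BOUNDARY--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(msg):
    """Return (text_links, html_links) gathered from all text/plain and text/html parts."""
    text_links, html_links = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text_links.extend(URL_RE.findall(part.get_content()))
        elif ctype == "text/html":
            parser = LinkExtractor()
            parser.feed(part.get_content())
            html_links.extend(parser.links)
    return text_links, html_links


def hosts(urls):
    """Set of hostnames referenced by a list of URLs (urlparse lowercases them)."""
    return {urlparse(u).hostname for u in urls if urlparse(u).hostname}


def analyse(raw):
    """Apply the two heuristics from the comment and return hosts plus findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    text_links, html_links = extract_links(msg)
    text_hosts, html_hosts = hosts(text_links), hosts(html_links)
    findings = []
    # Heuristic 1: alternative parts that link to completely different hosts.
    if (msg.get_content_type() == "multipart/alternative"
            and text_hosts and html_hosts and not (text_hosts & html_hosts)):
        findings.append("text/html link hosts are disjoint from text/plain link hosts")
    # Heuristic 2: several HTML links that all funnel to a single host.
    if len(html_links) > 1 and len(html_hosts) == 1:
        findings.append("all HTML links point to one host: " + next(iter(html_hosts)))
    return {"text_hosts": sorted(text_hosts), "html_hosts": sorted(html_hosts),
            "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyse(raw))
```

Feed `analyse()` the raw RFC 822 text of a message (for example, one line of a mailbox export at a time). Heuristic 1 is the structural mismatch the comment points out; heuristic 2 catches the "every link goes to the same hijacked server" pattern on its own, which also matters for messages that have no text part at all. Neither heuristic resolves hostnames, so the check runs offline and does not touch the hijacked servers; correlating link hosts against an IP such as the one named in the diary is a separate, network-side step.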