Bogus CNN custom alerts...
FYI...
Bogus CNN Custom Alerts
- http://securitylabs.websense.com/con...erts/3154.aspx
08.08.2008 - " Websense... has discovered replica CNN Custom Email Alerts being sent out via spam emails. These emails contain links to a legitimate news page, but have been designed to encourage users to download a malicious application posing as a video codec. Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN-themed templates - most recently email alerts listing the Daily Top 10 Stories and Videos, which also encouraged users to download a video codec (again a malicious file)... The malicious payload is only accessed when the user clicks on the ‘FULL STORY’ link - the first link behind the story title leads to a legitimate news page hosted on CNN. The news story is a recent article centered around the Beijing Olympics. The ‘FULL STORY’ link takes users to a Web page by the name of cnn****.html. This issues a pop-up encouraging users to download a ‘missing’ video codec, a file called adobe_flash.exe... Our Security Labs have also seen evidence of this campaign and recent others being distributed via blog spam to further increase the chance of success..."
(Screenshots available at the URL above.)
:fear::mad::fear:
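The lure described above hinges on one detail: the headline link really goes to cnn.com, while the 'FULL STORY' link goes to a look-alike page on some other host that then pushes an .exe "codec". Below is a small added example (my own, not Websense's code) of a mail-gateway style check that pulls every anchor out of an HTML message or landing page and flags brand/host mismatches and direct links to executables. The sample HTML, the host example.net and the file name cnn-story.html are constructed for the example; the real campaign's page name is only shown masked in the Websense write-up.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the lure claims to come from. Any link that *talks* about this brand
# (in its visible text or in its path) but resolves elsewhere is suspicious.
BRAND = "cnn"
TRUSTED_HOSTS = {"cnn.com", "www.cnn.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def find_lures(html):
    """Return a list of (reason, href, visible_text) findings for one HTML body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        path = urlparse(href).path.lower()
        # 'FULL STORY' pattern: the brand is invoked in the text or in the
        # page name (cnn-something.html) but the link lands on a foreign host.
        if host and not is_trusted(host) and (BRAND in text.lower() or BRAND in path):
            findings.append(("brand-mismatch", href, text))
        # Direct link to an executable, e.g. a 'missing codec' download.
        if path.endswith(".exe"):
            findings.append(("executable-link", href, text))
    return findings


# Constructed sample of a spoofed news alert: headline link is genuine,
# the FULL STORY link is not.
SAMPLE_ALERT = """
<p><a href="http://www.cnn.com/2008/WORLD/asiapcf/olympics.html">Olympic torch reaches Beijing</a></p>
<p><a href="http://example.net/cnn-story.html">FULL STORY</a></p>
"""

# Constructed sample of the landing page that pushes the fake codec.
SAMPLE_LANDING = """
<p>Your player is missing a codec.</p>
<a href="http://example.net/adobe_flash.exe">Download missing codec</a>
"""

if __name__ == "__main__":
    for name, body in (("alert", SAMPLE_ALERT), ("landing", SAMPLE_LANDING)):
        for reason, href, text in find_lures(body):
            print(f"{name}: {reason}: {href!r} (text={text!r})")
```

The headline link passes because its host is on the trusted list; the 'FULL STORY' link is flagged solely because a cnn-named page sits on a non-CNN host, which is exactly the shape of this campaign. Tune TRUSTED_HOSTS per brand you expect to see spoofed.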
Yahoo! Messenger fraud...
FYI...
IM: Instant Malware... Yahoo! Messenger fraud
- http://blog.trendmicro.com/instant-malware/
08.10.2008 - "Instant messaging (IM) applications are popular infection vectors — malware authors are known to use instant messaging platforms to spread malware by sending either malicious files or URLs. Trend Micro researchers have recently witnessed spammed email messages that use the popular IM application Yahoo! Messenger in propagating malware, but in a very different way than previously mentioned... Clicking the Download now link downloads the file msgr8.5us.exe into the affected system. When executed, it drops the following files:
* mirc.ini - detected by Trend Micro as Mal_Zap
* csrss.exe - detected by Trend Micro as BKDR_ZAPCHAST.AX
* sup.exe - detected by Trend Micro as BKDR_MIRCHACK.CE
For targeted victims which do, in fact, use Yahoo! Messenger, the promised update may prove hard to resist. The same email message even instructs users to pass the news to friends by sending them the source - not very friendly if the supposed update would lead one’s contacts to malware... Downloading from the software vendors themselves still is the safest way to go."
(Screenshot available at the URL above.)
:fear:
Trojan CME-711 - new -drive-by- wave on the web...
FYI...
- http://preview.tinyurl.com/5wqxqt
08-14-2008 (Symantec Security Response Blog) - "...With infections dating back to January 2007 and a P2P structure largely unchanged in about a year, Peacomm continues to evolve and infect new hosts. In early August our honeypots began capturing a new version of Peacomm. This iteration has been relatively low key as it propagates via users visiting infected Web sites, rather than by spam. Although Peacomm has been distributed via infected Web sites in the past, they were usually Web sites that were spammed to users as opposed to relying on drive-by downloading to gather its new recruits. The attack toolkit used to install Peacomm in these drive-by attacks has changed as well. The infection begins with a user visiting an infectious Web site, which silently -redirects- the user to hostile content on a set of registered domains via an IFRAME. At this point, Kallisto TDS will serve a set of exploits against the victim. These include Acrobat PDF CollectEmailInfo*, ANI Header Size**, and MDAC***..."
* http://www.securityfocus.com/bid/27641/solution
** http://www.securityfocus.com/bid/23194/info - MS07-017
*** http://www.securityfocus.com/bid/17462 - MS06-014
> AKA CME-711 - http://cme.mitre.org/data/list.html#711
:fear::fear:
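The drive-by stage Symantec describes starts with a silent IFRAME redirect from a compromised page to the TDS host. As an added example (mine, not Symantec's), here is a simple scanner for fetched HTML that flags the IFRAMEs a drive-by typically uses: zero or one pixel in size, hidden by inline style, or pointing off-site relative to the page that was fetched. The sample page, example.org as the visited site and example.net as the redirect target are constructed; nothing here is taken from the actual Peacomm infrastructure.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # HTMLParser lowercases attribute names; values may be None.
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dimension(value):
    """Parse '0', '1px', ' 300 ' etc. to an int; None if not numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _same_site(host, page_host):
    page_host = page_host.lower()
    return host == page_host or host.endswith("." + page_host)


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for IFRAMEs that look like drive-by redirects."""
    parser = IframeCollector()
    parser.feed(html)
    out = []
    for frame in parser.iframes:
        reasons = []
        width, height = _dimension(frame.get("width")), _dimension(frame.get("height"))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("tiny")
        style = frame.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-by-style")
        src = frame.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if host and not _same_site(host, page_host):
            reasons.append("off-site")
        if reasons:
            out.append((src, reasons))
    return out


# Constructed sample: a legitimate same-site embed plus an injected
# zero-size frame pulling content from another domain.
SAMPLE_PAGE = """
<html><body>
<iframe src="http://example.org/player" width="400" height="300"></iframe>
<p>Welcome to our site.</p>
<iframe src="http://example.net/" width="0" height="0" frameborder="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_PAGE, "example.org"):
        print(f"suspicious iframe {src!r}: {', '.join(reasons)}")
```

An off-site IFRAME on its own is common on legitimate pages (ad networks, embedded players), so in practice the "tiny" or "hidden-by-style" reasons are what make a hit worth a look; the off-site flag mainly tells you where to go fetch the next stage from a sandbox.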
More "Breaking News..." SPAM and MALWARE...
FYI...
- http://isc.sans.org/diary.html?storyid=4913
Last Updated: 2008-08-17 21:43:58 UTC - "The spoofed CNN and MSNBC messages from last week have altered a bit, taking on a more generic approach. The subject of the message is still: BREAKING NEWS. Michael has been tracking these botnets for a while, his work is available here: http://www.vivtek.com/projects/despammed/stormspam.html .
Like the others, this first stage is a downloader, still reaching out to 66.199.240.138* to get the rest of the goodies. Unlike the previous waves, the first executable is named install.exe instead of adobe_flash.exe..."
* http://centralops.net/co/DomainDossier.aspx
canonical name: 66-199-240-138.reverse.ezzi.net.
Registrant: EZZI.net
A Service of AccessIT
75 Broad Street
Suite 1902
New York, NY 10004 US
Domain Name: EZZI.NET
:fear::fear:
Malware SPAM - Russia-Georgia conflict...
FYI...
Russia-Georgia conflict - malware SPAM
- http://www.us-cert.gov/current/#malw...russia_georgia
August 21, 2008 - " US-CERT is aware of public reports* of malware circulating via spam email messages related to the Russia/Georgia conflict. These messages contain factual information about the conflict. The messages also contain download instructions for the user to watch a video that is attached to the message. If a user opens the attachment, malware may be downloaded and installed onto their system..."
* http://preview.tinyurl.com/58u83x
08-21-2008 (Symantec Security Response Blog)
Russia/Georgia Conflict News Used to Hide Malicious Code in Spam
"...The messages themselves contain an attachment, along with instructions and passwords for the download of the attachment... One subject line that has been seen reads:
“Subject: Journalists Shot in Georgia”... The attachment contains no videos; rather, the attachment redirects to a link that delivers a payload identified as Trojan.Popwin... We have observed several -million- instances of this particular spam attack delivering malicious code..."
:fear::spider::fear: