Tuesday, August 05, 2008

CNN Lends Authenticity to News Spam

UPDATED!

At the UAB Spam Data Mine we've been tracking the recent malware attacks which use news headlines as their spam bait. You've seen a few previous stories on the subject in this blog, NuWar Looks for News Readers, News Headlines Still Out of Control, and Top News in Spam Old News.

The thing that makes last night's new spam campaign newsworthy is the inclusion of a very authentic looking CNN wrapper on the spam.



We received more than 1,400 copies of this spam email so far in the UAB Spam Data Mine. While the subject of the email has always been "CNN.com Daily Top 10", the listed stories are composed of a random mix from the following 84 topics:

`Dark Knight' - download it instantly fo free
12-year-old with HIV applauded at AIDS conference
16 Police Die in Pre-Olympic Attack
6 NFL greats inducted into the pro football hall of fame
8-Foot Python Becomes Laundry
95-year-old Paul Batman calls Texas -- not Gotham City -- home.
A drunken driver slams into car as officer wrote a ticket.
A prostitute waits for customers
Afghan, NATO troops kill1 7 militants in southern Afghanistan
Aged Tires: A Driving Hazard?
Ancestor of T-Rex dinosaur unearthed in Poland
Angry, late, tired passengers make computers crash
Attackers kill 16 police at Chinese border post
Bikers down to bare basics for eco demonstration
Bill Clinton and Monika seen again
Bill Clinton Regrets, 'I Am Not a Racist'
Boy Loses Arm in Gator Attack
Boys bounce for 24 hours in world record attempt
Breaking Dawn' Book Excerpt Exclusive!
Bush urgently flies to Asia
Can a party game reveal flaws in U.S. wiretapping and war plans?
Celebrity was seen naked on the beach
Cheesus! Jesus Spotted in a Cheeto
Chef: sorry for suggesting poison plant in salad
China Rising: Will It Overtake the U.S.?
Christina Applegate treated for breast cancer
Cops May Close Anthrax Probe Today
Corrupt China official betrayed by leaky toilet
Dinosaurs Come to Life at Exhibit
Dog Plays Mom for Tiger Cubs
Dog Rides a 'Hog'
Don't streak, get drunk or sleep outside at Olympics
Doping scandal rush out before the opening
Drunken Man Can't Erase Arrest
Edouard Triggers 'Cane Watch for Texas
Ernest Hemingway look-alikes hit Key West's streets to honor the author.
Facebook Grows, but Where's the Profit?
FBI reveal sealed docs describing anthrax attack details
Find you friend online for free
Five Secrets to Get a Bargain on a House
Funnies: Celebrity Candidates?
Furnished Nazi bunkers surface in Denmark
GPS-equipped turtle stumbles upon field of marijuana in a D.C. park.
Guinea Pigs Get Dressed ... and Eaten
Half-scale replica of German tank built for paintball competition.
Harried family forgets 3-year-old daughter at airport.
Illusionist Chris Angel races against time in a building set to detonate.
In the first surgery of its kind, a German farmer gets a new pair of arms
It's a buyer's market if you know what 'code words' to look for.
Kevin Costner appreciates politics and making movies.
Key to Biz Success: The Conference Table?
Kidnap Dad In Custody, Girl Found Safe
Maine island loses trash can mail delivery service
Man presumed dead in 1976 Colo. flood found alive
Man wins appeal in bizarre gasoline suicide case
Meet the Real Batman
Michael Jackson is sued by his own dog
Mortgage rates rise to heavens
Mysterious 'Monster of Montauk'
Naked Madonna blows the press conference
NY girl falls 14 stories, saved by sooty landing
Obama beats McCain
Olympic Sport: Blocking the Internet
Olympics-Wear ox pendant to avoid rat clashes, leaders
Paris Hilton's mom takes offense at McCain's humor
Police killed in west China ahead of Games
Pool Parasite Infections on the Rise
Rig dumps tons of dirt when nature calls driver
Russian stocks take hit as govt. looks to nationalize steel, oil companies.
Sex and the city forbidden,
Social networking sites have lots of users, but no one seems to be buying
Superheroes Get Sandy
Teenage Mutant Ninja NARC
Tehran says it launched nuke missile
The three New Jersey brothers delight teens with fun, wholesome music.
Tropical Storm Edouard moving toward Texas coast
Vet Aids Endangered Shark
War, Spying and Party Game Delusions
What Is Microsoft So Afraid Of?
Whoopi Kissed a Girl and She Liked It
Will nearly all Americans be obese by 2030? Diet experts have their say.
Woman Attacked by Beau's Pitbull
Woman Survives Bear Attack


What happens if you click the link? In our first wave of the attack, we've identified 45+ different websites, which, like the previous waves of news headline malware, seem to be hosted on sites which have been compromised for this purpose.

CAUTION! DO NOT VISIT THESE LINKS! LIVE MALWARE PRESENT!


http://1stbs.com/index2.html
http://realdecor.com.br/index2.html
http://turegalodesanvalentin-julieta.idoo.com/index2.html
http://www.sibercar-card.com/index2.html
http://autourdufeu.net/index2.html
http://208.112.108.239/index2.html
http://attomega.com/index2.html
http://tomar-a-andar.com/index2.html
http://renderize.net/index2.html
http://lombardi.ws/index2.html
http://3dtoy.com.br/index2.html
http://sol.innopulse.es/index2.html
http://vehne-cafe.de/index2.html
http://climatel.dot5hosting.com/index2.html
http://www.dj-ralfi.de/index2.html
http://dztransporte.de/index2.html
http://www.bardaue.com.br/index2.html
http://voxinterna.de/index2.html
http://hieber-ed.de/index2.html
http://www.wellnessantamaria.com/index2.html
http://hometrimwork.com/index2.html
http://isctrim.com/index2.html
http://borinsrl-store.com/index2.html
http://megadent.pl/index2.html
http://www.weddingsinsardinia.com/index2.html

UPDATE: Now we're seeing "/news/" as a valid path, instead of the earlier "/index2.html". We'll keep an eye on this trend. So far there is not actually any content on these "/news/" pages; however, they are all currently resolving to the same IP. Perhaps the spammer just got ahead of himself?

http://cafepaths077.com/news/
http://496dots.com/news/
http://ourmark75.com/news/
http://joogle2.com/news/
http://cafemarker52.com/news/
http://tao767.com/news/
http://open6098.com/news/
http://yooia97.com/news/
http://facecurve.com/news/
http://front7589.com/news/
http://620dreams.com/news/
http://stikimixer.com/news/
http://squinento96.com/news/
http://my3598.com/news/
http://styledesk86.com/news/
http://upgle12.com/news/
http://frontsend09.com/news/
http://true479.com/news/

Sites are hosted around the world, including the United States, Brazil, France, Italy, and Poland. Analysis of the malware and the websites by UAB students shows that it is clearly related to previous "news" campaigns, though you'll forgive me if we don't share all of those details here.

As before, malware detection is far from complete in the anti-virus community. A scan of this malware on VirusTotal still shows only 16 of 36 different engines detecting the virus, although I'm happy to report that Symantec is now among those that do. (McAfee, Trend, and Microsoft are still among those that do not.)

The challenge for those wishing to block the virus is the same one we've been dealing with in the earlier waves. The current malware name is "get_flash_update.exe", but even blocking by name may not be adequate. One of the website tricks is to make machines download the malware via a JavaScript program. In that program, the name of the file is interspersed with "garbage characters", which the program removes only when it comes time to save the file.

For example:

g(e(t_f&l*a^s#h_$u!p*(date)#.!%e^x&#e!'

is followed by a replace() call that strips those garbage characters:

replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/g, '')

which leads to the name to be stored being:

get_flash_update.exe

The actual filename, then, never appears in the page source, so a web filter matching on the name would never see it.
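The filter-evasion trick above suggests the defensive counterpart: normalise string literals found in a script the same way the dropper does before matching them against a download-name blocklist. The following is an added example (not code from the original post or from the malware) that recovers the real name from the literal quoted above, shows that a naive raw-string match misses it, and then scans a constructed script body for literals that normalise to a blocked name. The broader `normaliseFilename` step, which strips any character that cannot appear in a plausible filename rather than only the ten characters the post lists, is an assumption that goes beyond the specific sample; the blocklist and sample script are constructed for the example.

```javascript
// Added example (not from the original post): normalising obfuscated filename
// literals before matching them against a download-name blocklist.
// The spam's dropper script builds the filename from a literal padded with
// "garbage" characters and strips them with a replace() call; a filter that
// only inspects the raw literal never sees "get_flash_update.exe".

// The literal quoted in the post (the trailing quote in the post is the string terminator).
const OBFUSCATED_LITERAL = "g(e(t_f&l*a^s#h_$u!p*(date)#.!%e^x&#e!";

// Same character set the post's replace() call removes: ! @ # $ % ^ & * ( )
const GARBAGE_CHARS = /[!@#$%^&*()]/g;

// Constructed blocklist; the single entry is the name reported in the post.
const BLOCKED_NAMES = new Set(["get_flash_update.exe"]);

// Step 1: what the dropper does at save time -- recover the real filename.
function deobfuscate(literal) {
  return literal.replace(GARBAGE_CHARS, "");
}

// Broader normalisation (assumption, goes beyond the post's sample): keep only
// characters that can appear in a plausible Windows filename, so a variant that
// pads with other punctuation is still caught. Lower-cased for a stable match.
function normaliseFilename(literal) {
  return literal.replace(/[^A-Za-z0-9._\-]/g, "").toLowerCase();
}

// Step 2: a naive name filter inspects the raw string, as the post describes.
function naiveFilterBlocks(literal) {
  return BLOCKED_NAMES.has(literal);
}

// Step 3: the improved filter normalises before the lookup.
function normalisingFilterBlocks(literal) {
  return BLOCKED_NAMES.has(normaliseFilename(literal));
}

// Pull every single- or double-quoted string literal out of a script body.
function extractStringLiterals(script) {
  const out = [];
  const re = /(["'])((?:\\.|(?!\1)[^\\])*)\1/g;
  let m;
  while ((m = re.exec(script)) !== null) out.push(m[2]);
  return out;
}

// Scan a script and report every literal that normalises to a blocked name.
function findBlockedDownloads(script) {
  return extractStringLiterals(script)
    .map((lit) => ({ literal: lit, normalised: normaliseFilename(lit) }))
    .filter((r) => BLOCKED_NAMES.has(r.normalised));
}

// Constructed script resembling the dropper's technique (not the real script;
// the host is a reserved .invalid name).
const SAMPLE_SCRIPT =
  "var n='" + OBFUSCATED_LITERAL + "'.replace(/\\!|@|#|\\$|%|\\^|&|\\*|\\(|\\)/g,'');\n" +
  "var u='http://example.invalid/' + n;\n";

// Stand-alone run: prints the recovered name and the scan result.
console.log(deobfuscate(OBFUSCATED_LITERAL));
console.log(findBlockedDownloads(SAMPLE_SCRIPT));
```

The point of the design is that the blocklist lookup happens on the normalised form, so the filter sees the same string the operating system will eventually be asked to write; matching on the raw literal, as the post notes, never fires.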

These viruses are on legitimate websites which have been compromised. Blocking the websites will protect your business, but may block a real company as penalty for their compromise. We are still working with webmasters and providers to learn how the sites are being compromised, but the leading theory at the moment is via an FTP password compromise.
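The two observed paths ("/index2.html" in the first wave, "/news/" in the update) and the over-blocking concern just described can be handled together: triage extracted URLs by the campaign's path signature, then emit block entries scoped to host plus path rather than to the whole host. The following is an added example, not code from the original post; the sample URL list mixes hosts from the post's lists with constructed benign links, and the signature names and the `triage`/`isBlocked` helpers are my own.

```javascript
// Added example (not from the original post): triaging URLs pulled from the
// spam by the two paths this campaign used ("/index2.html", then "/news/")
// and building path-scoped block entries, so that a compromised but otherwise
// legitimate site is not blocked wholesale.

// Constructed sample of URLs as they would be extracted from spam bodies.
// The first four hosts are from the post's lists; the rest are for contrast.
const SAMPLE_URLS = [
  "http://1stbs.com/index2.html",
  "http://208.112.108.239/index2.html",
  "http://cafepaths077.com/news/",
  "http://joogle2.com/news/",
  "http://www.cnn.com/",            // the lure's legitimate branding, not malicious
  "http://1stbs.com/about.html",    // same compromised host, unrelated path
  "not a url at all",               // junk that must not crash the triage
];

// Path signatures observed for this campaign (from the post). Signature names are mine.
const CAMPAIGN_PATHS = [
  { name: "wave1-index2", test: (p) => p === "/index2.html" },
  { name: "wave2-news", test: (p) => p === "/news/" || p === "/news" },
];

// Classify one URL: a {host, path, signature} record, or null if it does not match.
function classifyUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  for (const sig of CAMPAIGN_PATHS) {
    if (sig.test(u.pathname)) {
      return { host: u.hostname, path: u.pathname, signature: sig.name };
    }
  }
  return null;
}

// Triage a batch: group hits by signature and build path-scoped block entries.
function triage(urls) {
  const hits = urls.map(classifyUrl).filter((h) => h !== null);
  const bySignature = {};
  for (const h of hits) {
    if (!bySignature[h.signature]) bySignature[h.signature] = [];
    bySignature[h.signature].push(h.host);
  }
  // One entry per host+path ("host/path"), not per host, so that
  // http://1stbs.com/about.html is not caught by the entry for /index2.html.
  const blockEntries = [...new Set(hits.map((h) => h.host + h.path))].sort();
  return { hits, bySignature, blockEntries };
}

// Path-scoped lookup against entries produced by triage().
function isBlocked(blockEntries, raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return false; }
  return blockEntries.includes(u.hostname + u.pathname);
}

// Stand-alone run: show the grouping and the resulting entries.
const result = triage(SAMPLE_URLS);
console.log(result.bySignature);
console.log(result.blockEntries);
```

Scoping entries to host and path is a trade-off: it protects users from the known landing pages without penalising the compromised company's other content, but it must be refreshed whenever the campaign changes path, which is exactly what the "/index2.html" to "/news/" shift in the update shows happening.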
