Wednesday, August 13, 2008

MSNBC Breaking News replaces CNN Spam Wave

Want the freshest breaking news? You can subscribe to it from MSNBC by visiting their Breaking News by Email page. CNN has the same offer at CNN Alerts by Email.

But what if your trusted news delivery mechanism is the bad guys' new malware delivery mechanism? By imitating legitimate emails, criminals have built up a network of more than 250,000 spam-sending machines. Up until 2:12 AM today CNN had been the primary target, and we received CNN Alerts at rates peaking as high as a dozen per minute. At 2:12 AM, the CNN campaign stopped.

Beginning at 3:15 AM today, August 13th, the UAB Spam Data Mine began receiving emails with news headlines in them that claimed to be from MSNBC. We're now receiving several each minute, with more than 500 archived already this morning. Here's the first one we received:



In that email, the unsubscribe link really goes to Microsoft and the Privacy statement link really goes to Microsoft, but the "breakingnews" link went to:

(DO NOT CLICK! THIS IS A MALWARE PAGE!!!)

http://ndcbfworshipplanning.org/up.html
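The link mismatch just described is the simplest thing a mail filter can check. As an added defensive example (my code, not anything from the original post or from UAB), here is a small Python filter that flags a "breaking news" alert whose links leave the claimed brand's domains; the MSNBC domain allowlist and the sample message, including its placeholder malicious host, are assumptions constructed for the example.

```python
# Added example, not part of the original post: flag fake "msnbc.com" alert
# mail by checking that every link in the message stays on the brand's own
# domains. The allowlist, the sample message and its placeholder host are
# assumptions constructed for this example.
import re
from email import message_from_string
from urllib.parse import urlparse

# Domains a genuine msnbc.com alert is expected to link to (assumed allowlist).
MSNBC_DOMAINS = {"msnbc.com", "msn.com", "microsoft.com"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def off_brand_links(raw_email: str, brand_domains: set[str]) -> list[str]:
    """Return every URL in the text parts whose host is outside the brand."""
    msg = message_from_string(raw_email)
    suspicious = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        for url in URL_RE.findall(body):
            url = url.rstrip(".,;)")  # drop trailing punctuation from bare URLs
            host = (urlparse(url).hostname or "").lower()
            # a subdomain of an allowlisted domain counts as on-brand
            if not any(host == d or host.endswith("." + d) for d in brand_domains):
                suspicious.append(url)
    return suspicious


def is_fake_alert(raw_email: str) -> bool:
    """A 'BREAKING NEWS' subject plus any off-brand link marks the lure."""
    subject = message_from_string(raw_email).get("Subject", "")
    return subject.startswith("msnbc.com - BREAKING NEWS:") and bool(
        off_brand_links(raw_email, MSNBC_DOMAINS))


# Constructed sample mirroring the message described above: unsubscribe and
# privacy links go to Microsoft, the story link goes to a placeholder host.
SAMPLE = """\
From: MSNBC Breaking News <breakingnews@msnbc.com>
Subject: msnbc.com - BREAKING NEWS: Anthrax case solved
Content-Type: text/html

<p><a href="http://compromised-host.invalid/up.html">breakingnews</a></p>
<p><a href="https://www.msn.com/unsubscribe">Unsubscribe</a>
<a href="https://privacy.microsoft.com/">Privacy statement</a></p>
"""
```

Only the story link is reported, because the unsubscribe and privacy links resolve to subdomains on the allowlist.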

So far (and this campaign is still only 2.5 hours old) we have seen the malware distributed from 45 domain names, each serving the same up.html page:


On each server, a file called "adobe_flash.exe" will be downloaded to the visitor's PC. I retrieved the malware successfully from 42 of the websites and compared the copies using MD5. All 42 copies have the same MD5 hash, 06bd0701d470475d32c6d98a0c685e4b.


There have been sixty unique subjects used so far, but look for that number to grow dramatically:

msnbc.com - BREAKING NEWS: Abortion made illegal in New York
msnbc.com - BREAKING NEWS: Abortion outlawed in California
msnbc.com - BREAKING NEWS: Americans love law suits for breakfast
msnbc.com - BREAKING NEWS: Americans loves to sue people
msnbc.com - BREAKING NEWS: Anthrax case solved
msnbc.com - BREAKING NEWS: Apple September show highly anticipated
msnbc.com - BREAKING NEWS: Arsenal buys Ronaldo from Man Utd
msnbc.com - BREAKING NEWS: Bomb scare grounds thousands of flights at UK Heathrow airport
msnbc.com - BREAKING NEWS: Buy gold at lowest prices and make immediate profits
msnbc.com - BREAKING NEWS: Copycat murderer beheads woman on Greyhound bus
msnbc.com - BREAKING NEWS: Dark Knight establishes dominance with 400 million mark
msnbc.com - BREAKING NEWS: Elizabeth Taylor found murdered at home
msnbc.com - BREAKING NEWS: Elvis Presley daughter gives birth to twins
msnbc.com - BREAKING NEWS: Europeans dislike Americans attitudes
msnbc.com - BREAKING NEWS: Find out how to get top returns for your money at minimum risk
msnbc.com - BREAKING NEWS: Find out the disorders in your personality with this test
msnbc.com - BREAKING NEWS: Freddie Mac loses $1B
msnbc.com - BREAKING NEWS: Fredie Mac losses mount, loses billions every month
msnbc.com - BREAKING NEWS: GOld prices reach 25-year high, buy gold for a safe and reliable investment
msnbc.com - BREAKING NEWS: Google launches free music downloads in China
msnbc.com - BREAKING NEWS: High calorie food banned in canteens
msnbc.com - BREAKING NEWS: Hospital CEO arrested in healthcare scheme
msnbc.com - BREAKING NEWS: How to save money on gas
msnbc.com - BREAKING NEWS: I will be suing you
msnbc.com - BREAKING NEWS: Japanese Prime Minister denies World War 2 ever took place
msnbc.com - BREAKING NEWS: Jerry Yang relinquishes control over Yahoo
msnbc.com - BREAKING NEWS: Jury duties for you
msnbc.com - BREAKING NEWS: Mary-Kate Olsen guilty for Heath Ledger's death
msnbc.com - BREAKING NEWS: Mary-Kate Olsen implicated in Heath Ledger's death
msnbc.com - BREAKING NEWS: Mary-Kate Olsen responsible for Heath Ledger's death
msnbc.com - BREAKING NEWS: Mary-Kate Olsen supplied drugs
msnbc.com - BREAKING NEWS: McCain gives up fighting for presidency
msnbc.com - BREAKING NEWS: McCain told lies to win votes
msnbc.com - BREAKING NEWS: McDonald's found to breach FDA regulations, suspended from trading
msnbc.com - BREAKING NEWS: Mexican arrested on billion-dollar graft case
msnbc.com - BREAKING NEWS: Microsoft announces takeover bid for Intel, details inside
msnbc.com - BREAKING NEWS: Microsoft buys over AOL
msnbc.com - BREAKING NEWS: Millions of credit card numbers stolen from bank database, find out if you are affected
msnbc.com - BREAKING NEWS: NASDAQ index gains 720 points overnight upon war announcement
msnbc.com - BREAKING NEWS: Obama set to win presidency
msnbc.com - BREAKING NEWS: Oil prices rises due to attacks
msnbc.com - BREAKING NEWS: Plane crashes into prep school, hundreds of kids killed
msnbc.com - BREAKING NEWS: Please give your opinions for change
msnbc.com - BREAKING NEWS: Preliminary polls for the election
msnbc.com - BREAKING NEWS: Preliminary US Presidential election polls results here
msnbc.com - BREAKING NEWS: Sandwich recall amid Salmonella outbreak
msnbc.com - BREAKING NEWS: Sony announces replacement to successful PSP gaming system
msnbc.com - BREAKING NEWS: Stocks set to fall on recession
msnbc.com - BREAKING NEWS: Stupid Asians lose lawsuits against Americans
msnbc.com - BREAKING NEWS: Tiger Woods to take 2-year break from golf
msnbc.com - BREAKING NEWS: Time Warner sells AOL
msnbc.com - BREAKING NEWS: Too much freedom will destroy America
msnbc.com - BREAKING NEWS: US Dollar hits 6-year high, further gains expected
msnbc.com - BREAKING NEWS: Vitamin C shows promise in anti-cancer trials
msnbc.com - BREAKING NEWS: West Nile virus found in California
msnbc.com - BREAKING NEWS: West Nile virus spreading in USA
msnbc.com - BREAKING NEWS: West Nile virus spreads in Europe
msnbc.com - BREAKING NEWS: Wildfires hit Arizona, leave thousands homeless
msnbc.com - BREAKING NEWS: You are looking at a lawsuit
msnbc.com - BREAKING NEWS: You are selected as a jury

Visiting the webpage in question also causes the computer to receive a pop-up from the site:

http://asvoo.org/antivir/

The asvoo.org domain was created on August 1st and claims to be hosted in Panama with the "Net2Net" hosting company. It's running the nginx webserver, favored by Russian and Ukrainian criminals, and is hosted on the IP address 200.46.83.233.

That IP address hosts more than 150 "spam-related" domains and has been blacklisted by Spamhaus since August 1st. In the most recent Spamhaus SBL Advisory, the IP is tied to the "CNN" alerts, offering even more evidence that the CNN and MSNBC attacks are one and the same.





(A sample CNN spam from August 5 is listed on the Spamhaus site.)
