Not-So "Breaking News"

Published: 2008-08-17. Last Updated: 2008-08-17 21:43:58 UTC
by Kevin Liston (Version: 1)
3 comment(s)

The spoofed CNN and MSNBC messages from last week have altered a bit, taking on a more generic approach.

The subject of the message is still: BREAKING NEWS.

Michael has been tracking these botnets for a while, his work is available here: http://www.vivtek.com/projects/despammed/stormspam.html.

Like the others, this first stage is a downloader, still readching out to 66.199.240.138 to get the rest of the goodies.  Unlike the previous waves, the first executable is named install.exe instead of adobe_flash.exe.  So there's a little something different to search for in your proxy logs.

-KL

 

Keywords:
3 comment(s)

Comments

Just switched back to CNN Top 10 Video, with a new format including 16 links. The landing pages are now called "fullstory.html" (earlier today they were "1.html"). That's two major email format changes in a single day. First time I've seen that.

Michael

Aug 18th 2008
1 decade ago

And they switched to the subject "Weekly top news" today, but the landing pages are essentially identical, and the payload has not changed.

Michael

Aug 18th 2008
1 decade ago

Today they're linking straight from the email to a new payload watchit.exe.

Michael

Aug 19th 2008
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives