Not-So "Breaking News"

Published: 2008-08-17. Last Updated: 2008-08-17 21:43:58 UTC
by Kevin Liston (Version: 1)
3 comment(s)

The spoofed CNN and MSNBC messages from last week have altered a bit, taking on a more generic approach.

The subject of the message is still: BREAKING NEWS.

Michael has been tracking these botnets for a while, his work is available here: http://www.vivtek.com/projects/despammed/stormspam.html.

Like the others, this first stage is a downloader, still readching out to 66.199.240.138 to get the rest of the goodies.  Unlike the previous waves, the first executable is named install.exe instead of adobe_flash.exe.  So there's a little something different to search for in your proxy logs.

-KL

 

Keywords:
3 comment(s)

Comments

Just switched back to CNN Top 10 Video, with a new format including 16 links. The landing pages are now called "fullstory.html" (earlier today they were "1.html"). That's two major email format changes in a single day. First time I've seen that.
And they switched to the subject "Weekly top news" today, but the landing pages are essentially identical, and the payload has not changed.
Today they're linking straight from the email to a new payload watchit.exe.

Diary Archives