The spoofed CNN and MSNBC messages from last week have altered a bit, taking on a more generic approach. The subject of the message is still: BREAKING NEWS. Michael has been tracking these botnets for a while; his work is available here: http://www.vivtek.com/projects/despammed/stormspam.html. Like the others, this first stage is a downloader, still reaching out to 66.199.240.138 to get the rest of the goodies. Unlike the previous waves, the first executable is named install.exe instead of adobe_flash.exe. So there's a little something different to search for in your proxy logs. -KL
Kevin Liston, ISC Handler, Aug 17th 2008
Just switched back to CNN Top 10 Video, with a new format including 16 links. The landing pages are now called "fullstory.html" (earlier today they were "1.html"). That's two major email format changes in a single day. First time I've seen that.
Anonymous, Aug 18th 2008
And they switched to the subject "Weekly top news" today, but the landing pages are essentially identical, and the payload has not changed.
Anonymous, Aug 18th 2008
Today they're linking straight from the email to a new payload watchit.exe.
Anonymous, Aug 19th 2008
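An added example, not part of the diary or its comments: one way to run the proxy-log search the diary suggests, using the download host, the three executable names and the two landing-page names reported above. It assumes Squid's native access.log layout; the sample lines, client addresses and example.* hosts are constructed. The peer column is checked as well, so a request made by hostname that resolved to the download host is still caught.

```python
from urllib.parse import urlsplit

# Indicators taken from the diary and the comments under it.
DOWNLOAD_HOST = "66.199.240.138"
PAYLOAD_NAMES = {"adobe_flash.exe", "install.exe", "watchit.exe"}
LANDING_NAMES = {"1.html", "fullstory.html"}

# Constructed sample lines (assumed Squid native layout):
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1218988801.101 210 10.0.0.21 TCP_MISS/200 1834 GET http://news.example.net/fullstory.html - DIRECT/192.0.2.10 text/html
1218988803.552 480 10.0.0.21 TCP_MISS/200 90112 GET http://news.example.net/install.exe - DIRECT/192.0.2.10 application/octet-stream
1218988809.007 951 10.0.0.21 TCP_MISS/200 40960 GET http://66.199.240.138/x - DIRECT/66.199.240.138 application/octet-stream
1218988900.000 300 10.0.0.22 TCP_MISS/200 40960 GET http://cdn.example.net/update.bin - DIRECT/66.199.240.138 application/octet-stream
1218990000.000 120 10.0.0.35 TCP_MISS/200 5120 GET http://www.example.org/INSTALL.EXE?x=1 - DIRECT/192.0.2.77 application/octet-stream
1218990100.000 80 10.0.0.40 TCP_MISS/200 700 GET http://www.example.com/index.html - DIRECT/192.0.2.80 text/html
1218990200.000 0 10.0.0.41 TCP_DENIED/403 0 CONNECT 66.199.240.138:443 - NONE/- -
garbage line
"""

def scan(log_text):
    """Return (client, reason, url) for each line matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue  # truncated or malformed line
        client, url, peer = f[2], f[6], f[8].partition("/")[2]
        # CONNECT lines carry host:port with no scheme; make them parseable.
        parts = urlsplit(url if "://" in url else "//" + url)
        name = parts.path.rsplit("/", 1)[-1].lower()
        if DOWNLOAD_HOST in (parts.hostname, peer):
            hits.append((client, "download-host", url))   # strongest signal
        elif name in PAYLOAD_NAMES:
            hits.append((client, "payload-name", url))    # generic names: triage
        elif name in LANDING_NAMES:
            hits.append((client, "landing-page", url))    # weakest signal
    return hits

if __name__ == "__main__":
    for client, reason, url in scan(SAMPLE_LOG):
        print(client, reason, url)
```

A client that shows a landing-page hit followed shortly by a payload-name or download-host hit, like 10.0.0.21 in the sample, is the sequence worth investigating first; name-only matches on their own will include unrelated downloads.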