SANS ISC: Not-So "Breaking News"

The spoofed CNN and MSNBC messages from last week have altered a bit, taking on a more generic approach.

The subject of the message is still: BREAKING NEWS.

Michael has been tracking these botnets for a while, his work is available here: http://www.vivtek.com/projects/despammed/stormspam.html.

Like the others, this first stage is a downloader, still reaching out to 66.199.240.138 to fetch the rest of the goodies. Unlike the previous waves, the first executable is named install.exe instead of adobe_flash.exe, so there is a new filename to search for in your proxy logs alongside the old one.

-KL


Kevin Liston, ISC Handler
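As an added example (not code from the diary or its commenters), here is a small Python script that applies the indicators the diary gives, the download host 66.199.240.138 and the two first-stage names install.exe and adobe_flash.exe, to proxy log lines. The log lines are constructed samples in the Squid native access.log layout, which is assumed; substitute your own proxy's format in `parse_squid_line` if it differs.

```python
from urllib.parse import urlparse

# Indicators taken from the diary: the host the downloader contacts and the
# first-stage executable names seen across the waves.
DOWNLOAD_HOST = "66.199.240.138"
STAGE1_NAMES = {"install.exe", "adobe_flash.exe"}

# Constructed sample lines (Squid native access.log layout, assumed).
# None of these are real captures.
SAMPLE_LOG = """\
1217000001.123    312 10.0.0.15 TCP_MISS/200 41234 GET http://66.199.240.138/install.exe - DIRECT/66.199.240.138 application/octet-stream
1217000002.456     88 10.0.0.22 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1217000003.789    301 10.0.0.31 TCP_MISS/200 39876 GET http://66.199.240.138/adobe_flash.exe - DIRECT/66.199.240.138 application/octet-stream
1217000004.012    120 10.0.0.15 TCP_MISS/200 2048 GET http://www.example.org/downloads/install.exe - DIRECT/203.0.113.9 application/octet-stream
1217000005.345     40 10.0.0.40 TCP_MISS/404 350 GET http://66.199.240.138/fullstory.html - DIRECT/66.199.240.138 text/html
"""


def parse_squid_line(line):
    """Split one Squid native log line into the fields this check needs.

    Field order in the native format: timestamp, elapsed ms, client IP,
    code/status, bytes, method, URL, ident, hierarchy/peer, content type.
    """
    fields = line.split()
    if len(fields) < 7:
        return None
    return {
        "ts": fields[0],
        "client": fields[2],
        "status": fields[3],
        "method": fields[5],
        "url": fields[6],
    }


def classify(url):
    """Return the list of indicators a URL matches (empty if none).

    A host match alone is the strongest signal; a filename match on some
    other host is weaker but still worth a look, so both are reported
    separately rather than folded into one boolean.
    """
    parsed = urlparse(url)
    reasons = []
    if parsed.hostname == DOWNLOAD_HOST:
        reasons.append("download-host")
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if filename in STAGE1_NAMES:
        reasons.append("stage1-filename")
    return reasons


def scan_proxy_log(text):
    """Return (client, url, reasons) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        record = parse_squid_line(line)
        if record is None:
            continue
        reasons = classify(record["url"])
        if reasons:
            hits.append((record["client"], record["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
```

The host match is reported separately from the filename match on purpose: the fourth sample line shows an `install.exe` fetched from an unrelated host, which is a candidate for review rather than a confirmed hit, while any request to the download host is worth chasing regardless of the filename.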
Just switched back to CNN Top 10 Video, with a new format including 16 links. The landing pages are now called "fullstory.html" (earlier today they were "1.html"). That's two major email format changes in a single day. First time I've seen that.
Anonymous
And they switched to the subject "Weekly top news" today, but the landing pages are essentially identical, and the payload has not changed.
Anonymous
Today they're linking straight from the email to a new payload, watchit.exe.
Anonymous
