Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Not-So "Breaking News" InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Not-So "Breaking News"

Published: 2008-08-17
Last Updated: 2008-08-17 21:43:58 UTC
by Kevin Liston (Version: 1)
3 comment(s)

The spoofed CNN and MSNBC messages from last week have altered a bit, taking on a more generic approach.

The subject of the message is still: BREAKING NEWS.

Michael has been tracking these botnets for a while, his work is available here: http://www.vivtek.com/projects/despammed/stormspam.html.

Like the others, this first stage is a downloader, still readching out to 66.199.240.138 to get the rest of the goodies.  Unlike the previous waves, the first executable is named install.exe instead of adobe_flash.exe.  So there's a little something different to search for in your proxy logs.

-KL

 

Keywords:
3 comment(s)
Diary Archives