
SANS Internet Storm Center (ISC) InfoSec Forums

The news update you never asked for

If you missed last week's chance to get your "airplane ticket", you currently have a second opportunity. Emails are making the rounds that claim to come from CNN, and carry a subject of "CNN.com Daily Top 10". Well, they are neither. But the emails contain click-friendly headlines with enticing subjects like "Will all Americans be obese by 2030?" Now who wouldn't want to read THAT?!

Clicking takes you to the netherworld, of course. You currently receive a file called "get_flash_update.exe" (yeah, sure!). Detection for the sample is coming online; see http://www.virustotal.com/analisis/258fbdfb7eb6ecfedbf236533b03c945

The domain "idoo .com" seems to be up to no good. The other involved domains are too numerous to list, but about 50 of them currently resolve to 200.46.83.233. That's in Panama.

Daniel

That's just the newest incarnation of the Storm botnet. The injecting domain has been hijacked -- for a list of about 1700 similar ones, see my full list at http://www.vivtek.com/projects/despammed/spamstorm_full_link_list.html. It cuts off at those spammed up to 10:36 AM California time today.

Our Storm friends started the new email format at 10:45 California time today, according to my logs. I haven't adapted my link extraction script yet -- I just now noticed that the old script wasn't getting results any more, Googled the subject line, and lo! here you were.

But the exploit on the hijacked servers I've checked by hand is 100% identical to that they've been using for the last week. Actually, I'd been hoping they'd spring a new exploit soon; the old one's boring. Instead, pfft, they spring a new email format on me.

I'll update as soon as I've modified the script to cope with this new spam format. One dead giveaway - it's multipart/alternative, but the text part doesn't match the HTML; the text part contains actual CNN links and different headlines, while the HTML part uses their same hilarious joke headlines and all link to (apparently) the same hijacked server.

Anyway -- more later, but don't make the mistake of thinking the spammed domain is the culprit. They've been hijacked, in job lots.
Anonymous
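The "dead giveaway" the commenter describes above (a multipart/alternative message whose text part links to the real news site while the HTML part links somewhere else) can be turned into a simple mail-filter check. The following is an added example, not code from the diary or from the commenter's link extraction script; it builds a constructed sample message in the same shape using Python's standard library, and the hostname "hijacked-site.example" is a placeholder standing in for a compromised server, not a real indicator from the page.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Bare URLs in a text/plain part: stop at whitespace or angle brackets/quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _HrefCollector(HTMLParser):
    """Collect href attributes of <a> tags from a text/html part."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def _hostnames(urls):
    """Map a list of URL strings to the set of hostnames they point at
    (non-http schemes such as mailto: have no hostname and are skipped)."""
    hosts = set()
    for u in urls:
        host = urlparse(u).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def hosts_in_text(text):
    return _hostnames(URL_RE.findall(text))


def hosts_in_html(html):
    collector = _HrefCollector()
    collector.feed(html)
    return _hostnames(collector.hrefs)


def alternative_link_mismatch(raw_message):
    """Parse a raw RFC 5322 message and compare the link targets of its
    text/plain and text/html parts.  The message is flagged when the HTML
    part links to hosts that never appear in the text part, which is the
    pattern described in the diary comment (real CNN links in the text,
    links to a hijacked server in the HTML)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    text_hosts, html_hosts = set(), set()
    for part in msg.walk():  # walk() yields the multipart container too; it is skipped
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text_hosts |= hosts_in_text(part.get_content())
        elif ctype == "text/html":
            html_hosts |= hosts_in_html(part.get_content())
    html_only = html_hosts - text_hosts
    return {
        "text_hosts": sorted(text_hosts),
        "html_hosts": sorted(html_hosts),
        "html_only_hosts": sorted(html_only),
        # Only meaningful when there is a text part to compare against.
        "suspicious": bool(text_hosts) and bool(html_only),
    }


def build_sample(html_host="hijacked-site.example"):
    """Constructed sample: a multipart/alternative 'CNN.com Daily Top 10' mail
    whose text part carries a www.cnn.com link and whose HTML part links to
    html_host.  Pass html_host='www.cnn.com' to get a consistent (benign) case."""
    msg = EmailMessage()
    msg["From"] = "CNN Alerts <alerts@example.invalid>"   # constructed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "CNN.com Daily Top 10"
    msg.set_content(
        "CNN.com Daily Top 10\n"
        "Top story: http://www.cnn.com/2008/US/top10.html\n"
    )
    # add_alternative() converts the single-part message into multipart/alternative.
    msg.add_alternative(
        '<html><body><a href="http://%s/news/top10">'
        "Will all Americans be obese by 2030?</a></body></html>" % html_host,
        subtype="html",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    print(alternative_link_mismatch(build_sample()))
    print(alternative_link_mismatch(build_sample(html_host="www.cnn.com")))
```

A mismatch of this kind is not proof of malice on its own (marketing mailers routinely route HTML links through a tracking host), so in practice the check is a scoring input alongside sender reputation and the other indicators in the diary rather than a hard reject.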
Whoops, I guess HTML is not permitted in comments here. Sorry about that.
Anonymous
OK, the list is now updated with today's take from the new spam format. I've got 19 examples spamming the idoo.com link, but they're really not to blame, any more than the other 32 hijacked sites spammed today. (I've seen 33 sites; that doesn't mean there aren't others, because I "only" have a little over 300 examples.)
Anonymous
