Beware of spammed emails with phony news subjects
Note: Updated on July 20, 2008, with new information
There is a surge going on right now in the number of spammed email messages being blasted out by botnets, with ludicrous news headlines in the Subjects. The subjects try to tempt you to read the message, then click on the enclosed link to read the details about the subject, or some other alleged news story. The headlines are sucker bait, with a nasty payload at the other end of the links contained in the message bodies.
Unlike any news flashes to which you may actually subscribe, these arrive unsolicited in your inbox, from unknown, forged sender names and addresses, and from domains you have no relationship with. Many are sent using forged .de (German) domains in the From address, in addition to .it, .ru and others.
If you hold your mouse pointer over the links in these messages you will see a lot of domain extensions for various countries around the World. Some I have seen just today include .de, .it, .fr and .ru. The domain name is followed by a forward slash (/) and a file name. The initial spam run file name was "main.html" (e.g. example.com/main.html). Other Trojan link file names have already appeared, such as "start.html" and "news.html". If you were to go to those domains in the links, using "wannabrowser" with "follow redirects" unchecked, you would see that many of the first responding domains are hosted on hacked Microsoft IIS servers. They all contain meta redirect tags that forward normal browsers to another domain, usually a zombie PC in the Storm Botnet, or a web site hosted in China or Russia. Once you arrive there your browser gets assaulted by numerous hostile JavaScript codes and iframe exploits. Should all those fail to automatically exploit your computer, they supply self-infection links!
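A defender-side check for the chain just described, added here as an example and not code from the original post: it flags message links whose path is one of the lure file names seen in this campaign, and, given the HTML of a first-hop page, lists its meta-refresh targets and iframe sources without following any of them. The sample page and the example.invalid host are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure file names observed in the campaign (from the post above)
LURE_FILES = {"main.html", "start.html", "news.html"}


class RedirectScanner(HTMLParser):
    """Collects meta-refresh targets and iframe sources from a fetched page.

    Nothing is followed or executed; this is an offline triage parser.
    """

    def __init__(self):
        super().__init__()
        self.meta_refresh = []
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are lower-cased by HTMLParser
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0;url=http://host/path" (quotes optional)
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
            if m:
                self.meta_refresh.append(m.group(1).strip())
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])


def is_lure_link(url):
    """True when the link's path is exactly one of the known lure file names."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.path.lstrip("/").lower() in LURE_FILES


def scan_page(html):
    """Return the redirect and iframe targets found in a page, without visiting them."""
    scanner = RedirectScanner()
    scanner.feed(html)
    return {"meta_refresh": scanner.meta_refresh, "iframes": scanner.iframes}


# Constructed sample of a first-hop page: a meta redirect plus a hidden iframe
SAMPLE_LURE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://example.invalid/next/">
</head><body><iframe src="http://example.invalid/ifr.html" width="0" height="0">
</iframe></body></html>"""

if __name__ == "__main__":
    print(is_lure_link("example.com/main.html"), scan_page(SAMPLE_LURE_PAGE))
```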
And what method do they employ to get you to click on these links to infect your own computer? The bait is a fake, look-alike "Porntube" video player that requires a special video "codec" to play the free sample movie. They even provide fake reviews under the fake player placeholder, from make-believe happy viewers before you! These guys are professionals and very good at the Con Game they are playing.
The payload file name may vary, but so far I have seen "video.exe," "watch.exe" and "view.exe" as the name of the payload file it delivers. That file is actually the "Storm Trojan" and it is infecting unprotected computers, or gullible computer owners, all around the World.
If you know, or suspect that you have become a victim of the Storm, or any other Trojan, you should obtain legitimate anti-malware software and scan for and remove all threats, after updating the program with the latest definitions. I use Spybot Search and Destroy, which is updated weekly and is totally free, but which you must remember to update manually and scan manually. It is one of my routine tasks that I do on Wednesdays, when the Spybot S&D definition updates are released.
Most people don't want to mess with security programs that they have to micromanage every time they want to use them. For you folks a commercial application makes more sense. While I know of many security products and have ads for them, I am leaning towards Trend Micro Internet Security now. Their existing program used to be called PC-cillin and is well respected in the anti-virus field. But, they are venturing where no man has gone before: to the Cloud!
I'll tell you more about this new development soon. For now, if you need a really solid anti-virus | anti-spyware | anti-phishing | and anti-spam solution, you will not go wrong with Trend Micro Internet Security 2008. As a favor to my readers, enter coupon code TrendIS08 during your purchase and I'll save you 10% off the going rate!
Till next time, practice safe hex!
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.