Beware of spam emails containing false news subjects
Moderator: Wiz Feinberg
-
Wiz Feinberg
- Posts: 6117
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- State/Province: Michigan
- Country: United States
Beware of spam emails containing false news subjects
There is a huge spam run in progress, sent from botnetted computers, all containing phony news topics in the Subject and body. They try to pique your curiosity to see if the news in the Subject is real. All of these messages contain very brief body text and a link to a file ending in either main.html or index1.php, or variations thereof. Those links lead to Trojan downloads that will make your computer a member of a botnet and download other hostile or advertising components to it (to make commissions for the criminals behind the botnet).
When, not if, you receive such spam email messages delete them. Do not click on the links if you open them to see what they contain. Right now they do require user interaction (clicking on the links).
This is a follow-up to another Post I started a few days ago about the same topic. I feel that this information deserves its own title, to alert you to threats in the wild.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
-
Wiz Feinberg
- Posts: 6117
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- State/Province: Michigan
- Country: United States
The ones linking to "anything/main.html" are going to a fake "Porntube" web page, where the victim is enticed to download an ActiveX Codec, to view a porn or fake news video. If you open the page in Internet Explorer 7 the object will automatically open a download dialog. If you visit in Internet Explorer 6, or certain unpatched versions of Safari browsers, it may begin downloading automatically.
These pages contain the Zlob Trojan. Should your computer accidentally become infected with this Trojan, Spybot Search and Destroy can remove it for you. The newest version, 1.6, was just released on July 8, 2008. Do not right-click scan with the current definition files (July 9), as they contain false positives in the Heuristic detections. Only run a normal "Check For Problems" from the program interface. Team Spybot is working with users like me who supply feedback in their forums to eliminate as many false positives as possible, every week.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
-
John Cipriano
- Posts: 449
- Joined: 13 Jun 2008 8:23 pm
- Location: San Francisco
- State/Province: -
- Country: United States
-
Wiz Feinberg
- Posts: 6117
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- State/Province: Michigan
- Country: United States
Trojan link news emails don't match in subject and body text
I want to add that in every case I have seen - the Subject and Body news items don't match. Any legitimate news flash would have the body text absolutely matching the headline in the Subject. It is utterly obvious that the scammers behind the latest Zlob Trojan spam run have total contempt for the intelligence of their intended victims. They are making absolutely no effort to conceal the fact that these messages are false and meant to cause harm if the links are followed.
The self infection links at the 6th redirection web page present a fake YouTube-like player, with a circling asterisk in the center (imitating the waiting for file to load indicator) and the words "Click here to download movie" at the bottom of it. That "player" is actually an animated .gif. The file that one downloads by clicking on it has a variety of names, such as video.exe, view.exe, and watch.exe, so far. They are all detected as either the Zlob or Storm/Nuwar Trojans. They do not come in peace! In these cases, no news is good news!
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
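The indicators reported in the posts above (link file names, download names, and a Subject that does not match the body) can be combined into a simple mail-triage check. This is an added example, not part of the original posts; the sample messages and example.test hosts are constructed, and the word-overlap test for a "mismatch" is an assumed heuristic.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# File names taken from the thread; the posts mention variations, so tune these.
LURE_PAGES = {"main.html", "index1.php"}
LURE_EXES = {"video.exe", "view.exe", "watch.exe"}
STOP = {"this", "that", "with", "from", "have", "your", "here", "click"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def keywords(text):
    """Lower-cased words of 4+ letters, minus a few filler words."""
    return set(re.findall(r"[a-z]{4,}", text.lower())) - STOP

def body_text(msg):
    """Concatenate the decoded text/plain parts of a message."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)

def triage(raw):
    """Return the reasons a raw RFC 822 message resembles this spam run."""
    msg = message_from_string(raw)
    body = body_text(msg)
    reasons = []
    urls = URL_RE.findall(body)
    for url in urls:
        name = urlparse(url).path.rsplit("/", 1)[-1].lower()
        if name in LURE_PAGES:
            reasons.append("lure-page:" + name)
        elif name in LURE_EXES:
            reasons.append("lure-exe:" + name)
        elif name.endswith(".exe"):
            reasons.append("direct-exe:" + name)
    # Assumed heuristic: a linked message whose Subject shares no keyword with its body.
    if urls and not keywords(msg.get("Subject", "")) & keywords(URL_RE.sub(" ", body)):
        reasons.append("subject-body-mismatch")
    return reasons

# Constructed sample messages (not real spam); example.test hosts are placeholders.
SAMPLES = {
    "fake_news": "Subject: Scientists find water on Mars\n\nStock market closes at record low\nhttp://news.example.test/a/main.html\n",
    "video_lure": "Subject: Breaking News\n\nClick to play the movie http://clips.example.test/watch.exe\n",
    "newsletter": "Subject: Club newsletter for August\n\nThe August newsletter is online at https://club.example.test/news/august.html\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

A hit is a reason to quarantine the message for review, not proof of infection; exact file-name matching will miss renamed variants.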
-
Steinar Gregertsen
- Posts: 3234
- Joined: 18 Feb 2003 1:01 am
- Location: Arendal, Norway, R.I.P.
- State/Province: -
- Country: United States
Re: Trojan link news emails don't match in subject and body
Wiz Feinberg wrote: total contempt for the intelligence of their intended victims.
One of those I've received broke the "news" that James Brown had just died of a heart attack...
-
Wiz Feinberg
- Posts: 6117
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- State/Province: Michigan
- Country: United States
Botnets still spamming out fake news with links to Trojans
Back in mid-July, 2008, I wrote to warn you about a fake news spam campaign that was claiming to be a CNN Top 10 Alert. The spam subjects have morphed into MSNBC Breaking News, then into just Breaking News. Amazingly, they are still continuing to be spread, more than a month later, using fantastic headlines in the subject. This is meant to pique your curiosity enough to click on the enclosed links and become infected with a Trojan that will make your computer a member of a Botnet.
This tactic has all the earmarks of the infamous Storm Trojan Botnet - which was one of the first (in early 2007) to use both real and fake headline news to trick people into joining their network, by clicking links to read more details. Storm is alive and well today and is behind much of the fake news scams flooding our inboxes. Once installed it turns your computer into a spam machine, or an attack tool.
In addition to the fake news headlines there is a long-running spam trick that uses the names of famous but quirky stars in the subject and offers to show a video of them performing sex acts, or other foolishness (which most are known to do). Names like Britney Spears, Paris Hilton and Angelina Jolie are commonly used in the subjects, with innuendos regarding their latest activities. These messages have direct links to executable files which are known malware. They try to conceal the real purpose by telling you that the link is to play a movie, or news clip, or soundbyte. All of them install either Botnet control files, making your computer a zombie soldier, or fake anti virus warnings onto your PC, goading you into purchasing the recommended anti virus program to remove the imaginary threats it claims to have found.
I have written a good article describing these ramped up Botnet attacks on my Blog. Reading it will give you insight into what is going on behind the scenes and how you can protect your computer from becoming a zombie member of a Botnet.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
-
Dick Wood
- Posts: 3075
- Joined: 2 May 2005 12:01 am
- Location: Springtown Texas, USA
- State/Province: Texas
- Country: United States
-
Wiz Feinberg
- Posts: 6117
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- State/Province: Michigan
- Country: United States
Dick Wood wrote: Wiz, I'm cornfused, I thought Trojans were for your protection?
Dick;
With these Trojans you get screwed, but not kissed!
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog