Security vendors have been warning for some time that the new gimmick among the malware and spammer communities is trying to latch on to legitimate sites and names and ride their credibility.
In the past few weeks, a spam botnet called Rustock flooded the Internet with what looked to be CNN’s Top 10 news stories and video clips. However, all of the links went to the same address, which careful observers noted was not a CNN.com address.
Instead, they went to an off-shore site that popped up a window telling the user their version of the Flash player was obsolete and they needed to download a new one. What they got was a Trojan loader, a small application that “phones home” to a malware host server and downloads whatever the spammers want to send down, usually a keystroke logger.
MX Logic, a security firm in Denver, Colorado, estimated that at one point, Rustock was sending out 160 million fake messages in a 48-hour period, while Marshal, a U.K.-based security firm, estimated that at its peak, Rustock was pumping out 55 percent of all spam on the Internet.
People got smart to the CNN spam and quickly blocked it. However, spammers never stay still. Anti-spam and anti-malware provider Sophos has noted that the spammers have switched from fake CNN headlines to fake MSNBC headlines. They are, if nothing else, entertaining headlines.
- msnbc.com – BREAKING NEWS: McCain told lies to win votes
- msnbc.com – BREAKING NEWS: Anthrax case solved
- msnbc.com – BREAKING NEWS: Preliminary polls for the election
- msnbc.com – BREAKING NEWS: Google launches free music downloads in China
- msnbc.com – BREAKING NEWS: Jerry Yang relinquishes control over Yahoo
- msnbc.com – BREAKING NEWS: Europeans dislike Americans attitudes
- msnbc.com – BREAKING NEWS: Mary-Kate Olsen responsible for Heath Ledger’s death
Sophos confirmed that the MSNBC spam, like the CNN spam, is coming from the Rustock botnet, making it the biggest and most pervasive botnet on the Internet. The company said the payload is the same: a malicious software loader that will download code to your computer, which could be a key logger, a spam bot, or anything else the botnet owners want to send down.
Richard Wang, head of the virus lab at Sophos, said that as malicious code goes, the payload in the MSNBC spam is reasonably common. “At the moment, what we are seeing is fake security software that pops up a warning saying you have so many viruses and it gives a link to a Web site with the antivirus software to remove it,” he said.
Of course, it’s all a lie. There is no software, but he notes that you are prompted to give your credit card information to make the purchase, “and the potential for trouble after that is obvious,” said Wang.
The MSNBC letters do have characteristics of a spam letter, so it should be possible for other spam protectors to detect and block them, he added.
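One characteristic described above lends itself to an automated check: the message names a news brand, yet every link points to one and the same host outside that brand's domain. The following is an added example, not code from Sophos or any vendor named in the article; the `BRANDS` map, the function names and the `.example` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect the host of every <a href> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        try:
            host = (urlsplit(href).hostname or "").lower()
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            host = ""
        if host:
            self.hosts.append(host)


def on_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_brand_links(subject, html_body, brands):
    """Flag mail whose subject names a brand but whose links all go elsewhere.

    brands maps a keyword looked for in the subject to the brand's domain.
    """
    parser = LinkCollector()
    parser.feed(html_body)
    claimed = [dom for kw, dom in brands.items() if kw in subject.lower()]
    off_brand = [h for h in parser.hosts
                 if not any(on_domain(h, dom) for dom in claimed)]
    # Pattern from the article: every link shares a single non-brand host.
    suspicious = (bool(claimed) and bool(parser.hosts)
                  and len(off_brand) == len(parser.hosts)
                  and len(set(off_brand)) == 1)
    return {"claimed": claimed, "off_brand_hosts": sorted(set(off_brand)),
            "suspicious": suspicious}


# Constructed samples; the .example host is a placeholder, not an indicator.
BRANDS = {"msnbc.com": "msnbc.com", "cnn": "cnn.com"}
SUBJECT = "msnbc.com - BREAKING NEWS: Anthrax case solved"
SPAM = ('<a href="http://files.offshore.example/v.html">Story 1</a>'
        '<a href="http://files.offshore.example/v.html">Story 2</a>')
LEGIT = ('<a href="http://www.msnbc.com/id/1">Story 1</a>'
         '<a href="http://www.msnbc.com/id/2">Story 2</a>')
```

A real filter would combine this signal with others, since legitimate newsletters often route links through a single tracking host.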