Today we noticed that the CNN malspam e-mail (first discovered here) that has been going around has changed slightly. The e-mail now arrives with the subject line “CNN Alerts: My Custom Alert”. The body has also changed to resemble an authentic-looking CNN alert e-mail. The strange thing about this e-mail is that the trigger string actually points to a legitimate CNN story (Chinese Islamic group threatens Olympics) rather than to the traditional infectious target. The malicious link still exists in the e-mail, but you must click the FULL STORY link to get there. This might change in future e-mails, so it’s best to avoid these e-mails altogether.
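The mismatch described above (a headline link to a real CNN story beside a FULL STORY link that leaves CNN) can be checked mechanically at the mail gateway or in triage. The following is an added example, not part of the original post; the sample message, its URLs and the `cnn.com` allow-list are constructed assumptions.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_SUFFIX = "cnn.com"  # assumption: genuine alert links live under this domain

class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def is_trusted(href):
    host = (urlsplit(href).hostname or "").lower()
    # Exact match or true subdomain only; "cnn.com.landing.example" must not pass.
    return host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX)

def off_brand_links(raw_message):
    """Return (text, href) for links in a 'CNN Alerts:' mail that leave cnn.com."""
    msg = message_from_string(raw_message)
    if not (msg["Subject"] or "").startswith("CNN Alerts:"):
        return []
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            collector.feed(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return [(text, href) for text, href in collector.links if not is_trusted(href)]

# Constructed sample message: one legitimate headline link, one off-brand FULL STORY link.
SAMPLE = """\
Subject: CNN Alerts: My Custom Alert
Content-Type: text/html; charset=utf-8

<p><a href="http://www.cnn.com/2008/WORLD/story.html">Chinese Islamic group threatens Olympics</a></p>
<p><a href="http://cnn.com.landing.example/cnnplus.html">FULL STORY</a></p>
"""

print(off_brand_links(SAMPLE))
```

A message that mixes trusted and untrusted links under a brand subject line is a stronger signal than either link alone, which is why the function reports the anchor text alongside the destination.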
Update: 8/12/08 – The CNN malspam e-mails have been adjusting slightly. Julie from The University of Kansas was kind enough to provide us with this update. You may read her full post here.
After researching this specific threat further, we found that the malspam campaign has moved over to Blogspot pages. We found related malicious links here: *Warning* Live malicious sites. Proceed at your own risk! *These results are based only on our preliminary Google search.
This specific e-mail’s (malicious) full story link points to hxxp://biogazrhonealpes.org/cnnplus.html
If you actually click on the full story link, you are taken to the same “Install missing ActiveX” page, but this time the file is named adobe_flash.exe. This is a malicious file; do not download it!
VirusTotal Result: 17/36 (47.23%)
-MDB-


We have started to see these with a new subject line: “CNN Alerts: Breaking news”. Similar format, similar payload to the custom alert malspams.