For the past few weeks I suppose everyone has had a bit of email spam with this in the “From” and “Subject”:
msnbc.com: BREAKING NEWS:
There then follows a sucker headline which is obviously pants. They all have a spoofed link for http://www.msnbc.com/msn which points to somewhere else, quite often a html document on the main site page for a photographer or graphics company. There is only the one duff link. All the rest point to Microsoft sites.
A few sites I’ve contacted to let them know that they’ve been hacked – but now I don’t bother – there are too many each day with this particular format.
Here are a few I’ve had today. The links are not live. Firefox 3 or NOD32 trap all the Trojans but copy and paste the links into a browser at your own risk! (Initially there is a modal dialog box that cannot be cancelled except by Task Manager. Clicking OKAY will try to download the package to your PC. NOD32 identifies it as “a variant of Win32/Agent.ETH trojan“).
||Spoofed Link Destination (manually remove spaces from links)
||Holder from a WHOIS
|Bush ‘Troubled’ by Gay Marriages. Declares San Francisco Part of ‘Axis of Evil’
||Hacked site full of broken php and sql
Registration period: 1 year
|John Mccain Proposes Gay Marriage
||Dodgy, new or completely hacked site
Registered through: GoDaddy.com Inc.
|New Evidence Suggests That The President May Be Drinking Again
||Possible dodgy site or it has been hacked. Even the contact link is an exe file!
Address: Poststr. 9
Remarks: CID: 6581951/1020
Changed: 2006-12-31T18: 02: 3101: 00
|One Hot White Chick Injured in Tsunami Disaster
||tamarabdul hadi.com/ msn_video.html
||Iraqi-Canadian photograher apparently with a Jordanian site registration! The evil package is dumped straight on the homepage area.
Ali Zayni [email protected]
|Bush Claims He Has Supernatural Abilities
||eliteworkwear uk.co.uk/ msn_video.html
||Workwear and other clothing web shopping site. The evil package is dumped straight on the homepage area.
Bubble Design and Marketing
Bubble Design Hallcroft Indust
I use Mailwasher Pro from Firetrust to check through all my mail. I’ve been using it for several years now – since version 4 I think! It shows all mail as plain text (which I advise everyone to do anyway). This is the substance of the last email above, viewed in plain text.
Mailwasher shows all the obfuscated links nicely.
msnbc.com: BREAKING NEWS: Bush Claims He Has Supernatural Abilities
Find out more at http://www.msnbc.com/msn [links to eliteworkwearuk.co.uk/msn_video.html]
See the top news of the day at MSNBC.com, and the latest from Today Show and NBC Nightly News.
This e-mail is never sent unsolicited. You have received this MSNBC Breaking News Newsletter
newsletter because you subscribed to it or, someone forwarded it to you.
To remove yourself from the list (or to add yourself to the list if this
message was forwarded to you) simply go to
[links to www.msnbc.msn.com/id/24472415], select unsubscribe, enter the
email address receiving this message, and click the Go button.
Microsoft Corporation – One Microsoft Way – Redmond, WA 98052
MSN PRIVACY STATEMENT
; [links to privacy.msn.com/])
I’ve also had quite a few emails purporting to be Greetings eCards!
The pattern is the same as the above except usually they don’t even obfuscate the link! This one below, for example, has these properties:
You have received an eCard
To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):
Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!
We hope you enjoy you eCard.
The payload according to NOD32 is described as “a variant of Win32/TrojanDropper.Agent.NMR trojan“. The Belgian website looks okay with info, program of events etc. But the exe file is dumped straight in their front door!