Email Spam Trojans Hiding on Websites as MSNBC Breaking News Items

August 16, 2008 Internet

For the past few weeks I suppose everyone has had a bit of email spam with this in the “From” and “Subject”:

msnbc.com: BREAKING NEWS:

There then follows a sucker headline which is obviously pants.  They all have a spoofed link for https://www.msnbc.com/msn which points to somewhere else, quite often a html document on the main site page for a photographer or graphics company.  There is only the one duff link.  All the rest point to Microsoft sites.

A few sites I’ve contacted to let them know that they’ve been hacked – but now I don’t bother – there are too many each day with this particular format.


Agent ETH Trogan as reported by NOD32

Here are a few I’ve had today.  The links are not live.  Firefox 3 or NOD32 trap all the Trojans, but copy and paste the links into a browser at your own risk!  (Initially there is a modal dialog box that cannot be cancelled except via Task Manager.  Clicking OKAY will try to download the package to your PC.  NOD32 identifies it as “a variant of Win32/Agent.ETH trojan”.)

The table below lists, for each message: the nonsense headline, the spoofed link destination (manually remove the spaces from the links), the type of destination site, and the holder from a WHOIS lookup.

Nonsense Headline: Bush ‘Troubled’ by Gay Marriages. Declares San Francisco Part of ‘Axis of Evil’
Spoofed Link Destination: srq.dk/ msn_video.html
Destination Type: Hacked site full of broken php and sql
Holder from a WHOIS:
    Domain: srq.dk
    DNS: srq.dk
    Registered: 2006-08-30
    Expires: 2008-08-31
    Registration period: 1 year
    VID: no
    Status: Deactivated

Nonsense Headline: John Mccain Proposes Gay Marriage
Spoofed Link Destination: thecaviarco.com/ msn_video.html
Destination Type: Dodgy, new or completely hacked site
Holder from a WHOIS:
    Registrant: koein
    Registered through: GoDaddy.com Inc.

Nonsense Headline: New Evidence Suggests That The President May Be Drinking Again
Spoofed Link Destination: www.mobilzeit-daten.de/ msn_video.html
Destination Type: Possible dodgy site or it has been hacked.  Even the contact link is an exe file!
Holder from a WHOIS:
    Type: ORG
    Name: MOBILZEIT
    Address: Poststr. 9
    Pcode: 29308
    City: Winsen
    Country: DE
    Remarks: CID: 6581951/1020
    Changed: 2006-12-31T18:02:31+01:00

Nonsense Headline: One Hot White Chick Injured in Tsunami Disaster
Spoofed Link Destination: tamarabdul hadi.com/ msn_video.html
Destination Type: Iraqi-Canadian photographer apparently with a Jordanian site registration!  The evil package is dumped straight on the homepage area.
Holder from a WHOIS:
    Administrative Contact:
    enana.com
    Ali Zayni ali@enana.com
    962.795602616
    Fax: 962.64629597
    p.o.box 940541
    Amman 11194
    JO

Nonsense Headline: Bush Claims He Has Supernatural Abilities
Spoofed Link Destination: eliteworkwear uk.co.uk/ msn_video.html
Destination Type: Workwear and other clothing web shopping site.  The evil package is dumped straight on the homepage area.
Holder from a WHOIS:
    Registrant: Chris Peacock
    Trading as: Bubble Design and Marketing
    Registrant type: UK Individual
    Registrant’s address:
    Bubble Design Hallcroft Indust
    Aurillac Way
    Retford
    Nottinghamshire
    DN22 7PX
    GB

I use Mailwasher Pro from Firetrust to check through all my mail.  I’ve been using it for several years now – since version 4 I think!  It shows all mail as plain text (which I advise everyone to do anyway).  This is the substance of the last email above, viewed in plain text.

Mailwasher shows all the obfuscated links nicely.

msnbc.com: BREAKING NEWS: Bush Claims He Has Supernatural Abilities

Find out more at https://www.msnbc.com/msn [links to eliteworkwearuk.co.uk/msn_video.html]
======================================================
See the top news of the day at MSNBC.com, and the latest from Today Show and NBC Nightly News.

=========================================
This e-mail is never sent unsolicited. You have received this MSNBC Breaking News Newsletter
newsletter because you subscribed to it or, someone forwarded it to you.
To remove yourself from the list (or to add yourself to the list if this
message was forwarded to you) simply go to
[links to www.msnbc.msn.com/id/24472415], select unsubscribe, enter the
email address receiving this message, and click the Go button.

Microsoft Corporation – One Microsoft Way – Redmond, WA 98052
MSN PRIVACY STATEMENT
; [links to privacy.msn.com/])
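The giveaway Mailwasher surfaces in the message above is that the one bad anchor shows an msnbc.com address as its text while its href points at a completely different domain, whereas the remaining links carry plain labels and go to Microsoft hosts. The same check can be done programmatically. The script below is an added example, not code from this post or from Mailwasher: it parses an HTML message, collects every anchor, and flags those whose visible text names a host that does not belong to the same registrable domain as the href. The sample message is constructed here to mirror the quoted email; only the domain names come from the post, and the two-label "registrable domain" rule is a deliberate simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the "BREAKING NEWS" message quoted in the post.
# The domains are the ones the post names; the HTML markup itself is made up.
SAMPLE_HTML = """
<html><body>
<p>msnbc.com: BREAKING NEWS: Bush Claims He Has Supernatural Abilities</p>
<p>Find out more at
<a href="http://eliteworkwearuk.co.uk/msn_video.html">https://www.msnbc.com/msn</a></p>
<p>To remove yourself from the list simply go to
<a href="http://www.msnbc.msn.com/id/24472415">here</a>, select unsubscribe.</p>
<p><a href="http://privacy.msn.com/">MSN PRIVACY STATEMENT</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'organisation' part of a host: its last two labels (msnbc.com, co.uk).

    Enough to tell msnbc.com from eliteworkwearuk.co.uk; a production tool would
    consult the public suffix list instead of assuming two labels.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_in_text(text):
    """Return the host named by the anchor's visible text, or None if the text is
    a plain label such as 'here' rather than a URL or bare hostname."""
    m = re.search(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", text, re.I)
    return m.group(1).lower() if m else None


def find_spoofed_links(html):
    """Return anchors whose displayed host and real destination disagree."""
    parser = _AnchorCollector()
    parser.feed(html)
    spoofed = []
    for href, text in parser.anchors:
        shown = host_in_text(text)
        if shown is None:
            continue  # nothing displayed to compare against; skip
        actual = urlparse(href).hostname or ""
        if registrable_domain(shown) != registrable_domain(actual):
            spoofed.append({"shown": shown, "actual": actual, "href": href})
    return spoofed


if __name__ == "__main__":
    for hit in find_spoofed_links(SAMPLE_HTML):
        print(f"link text claims {hit['shown']} but points at {hit['actual']} ({hit['href']})")
```

Run against the sample, the script reports exactly one hit: the anchor that displays www.msnbc.com but resolves to eliteworkwearuk.co.uk. The unsubscribe and privacy links are skipped because their text is a label, not an address, which matches the post's observation that only the one link is duff.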

Added 17/8/8

I’ve also had quite a few emails purporting to be Greetings eCards!

The pattern is the same as the above except usually they don’t even obfuscate the link!  This one below, for example, has these properties:

Good day.
You have received an eCard

To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):

Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!

https://www.greetingcard.org


NOD32 warning for Win32/TrojanDropper.Agent.NMR trojan

The payload according to NOD32 is described as “a variant of Win32/TrojanDropper.Agent.NMR trojan”.  The Belgian website looks okay with info, program of events etc.  But the exe file is dumped straight in their front door!


© 1977, Strangely Perfect.