
Fraudulent CNN emails contain links to Trojan

Malicious emails purporting to contain personalized news links from CNN are being reported by campus users as well as across the Internet. These unsolicited emails contain links to supposed videos of recent or false news stories. Additionally, the emails use graphics from legitimate CNN pages to further make the messages appear genuine. When clicked, the links take the user to a fraudulent copy of the CNN video player site which is hosted on a malicious site. Instead of playing a video, the site prompts the user to download a Flash player update. This executable is a Trojan and contains code designed to compromise a user's computer.

The malicious executable itself is named something similar to “flash_player.exe” or “get_flash_update.exe”. In tests, it appears that a user would need administrative access to the machine for the exploit to work. This Trojan appears to affect only Windows operating systems; however, neither Firefox nor Internet Explorer currently blocks the download of this executable.

Once executed, the false update installs a Trojan antivirus program titled “Antivirus XP 2008”, which is designed to con money from users by claiming a different number of viruses were detected, and that the user must purchase the full version of the program in order to remove them.  Additionally, this Trojan installs other malicious software that could potentially be used by attackers for other criminal activities. If a machine is suspected of being compromised, please report it to abuse.

As always, good security practice is to avoid browsing the Internet as an administrative user, opening or clicking links in unsolicited emails, visiting untrusted sites, and downloading or running untrusted or unknown executables, and to keep antivirus software up to date. Following these practices will prevent infection by this Trojan.

As of 8/7/2008, with DAT 5356.0000, McAfee VirusScan/Campus ePO service does at least detect that this Trojan is attempting to install malicious software to a machine once the fake update is executed, although it does not detect the fraudulent flash player executable as it is downloaded from these sites.
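Because the download itself goes undetected, web proxy logs are one place to look for machines that fetched the fake update. The following is an added example, not part of the original advisory: the log format, client addresses and `.example` hosts are constructed, and the list of trusted vendor domains is an assumption to adjust per site.

```python
import re
from urllib.parse import urlsplit

# The advisory says the file is named "something similar to" flash_player.exe
# or get_flash_update.exe, so match any .exe whose name mentions "flash".
LURE_NAME = re.compile(r"[\w.-]*flash[\w.-]*\.exe", re.IGNORECASE)

# Assumption: hosts this site accepts as legitimate sources of Flash installers.
TRUSTED_SUFFIXES = ("adobe.com", "macromedia.com")

# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2008-08-07T09:14:02 10.0.4.17 GET http://news-video.example/cnn/get_flash_update.exe 200
2008-08-07T09:15:40 10.0.4.22 GET http://fpdownload.adobe.com/get/install_flash_player.exe 200
2008-08-07T09:16:11 10.0.7.3 GET http://video.example.net/player/Flash_Player.EXE?id=77 200
2008-08-07T09:17:55 10.0.7.3 GET http://adobe.com.updates.example/flash_player.exe 404
2008-08-07T09:18:20 10.0.9.9 GET http://www.cnn.com/video/index.html 200
"""

def is_trusted(host):
    """True only for a trusted domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def find_lure_downloads(log_text):
    """Return requests for Flash-named executables from untrusted hosts."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, client, _method, url, status = parts
        u = urlsplit(url)
        filename = u.path.rsplit("/", 1)[-1]  # query string is not part of path
        if not LURE_NAME.fullmatch(filename) or is_trusted(u.hostname or ""):
            continue
        hits.append({"time": ts, "client": client, "host": u.hostname,
                     "file": filename, "fetched": status.startswith("2")})
    return hits

if __name__ == "__main__":
    for h in find_lure_downloads(SAMPLE_LOG):
        state = "DOWNLOADED" if h["fetched"] else "attempted"
        print(f'{h["time"]} {h["client"]} {state} {h["file"]} from {h["host"]}')
```

Clients with a successful fetch are the ones to check for the fake antivirus install; a failed attempt still shows that the user followed the link.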

References:

Sophos: CNN Video Malware Campaign

http://www.sophos.com/security/blog/2008/08/1630.html

CIO.com: Massive Faux-CNN Spam Blitz Uses Legit Sites to Deliver Fake Flash

http://www.cio.com/article/441916

SANS Internet Storm Center: The news update you never asked for

http://isc.sans.org/diary.html?storyid=4828

Posted by William Harshbarger on August 08, 2008, in Handlers Log.