13th
Aug '08

Forged news alerts from CNN and MSNBC link to viruses


News alerts that appear to come from popular news sites such as CNN and MSNBC may be malicious messages meant to infect your computer with a virus. SpamStopsHere started seeing e-mail messages of this type on August 4, 2008, but the e-mail messages have been changing rapidly.

Anti-virus software on e-mail servers, along with other logistical problems for virus writers, means that most e-mail-borne viruses no longer carry the payload in the message itself. Most computer users have finally become well trained not to open e-mail attachments. Unfortunately, many users have been given only very specific instructions about e-mail attachments and e-mail security, and anything that deviates from those instructions can confuse a user and trick them into installing a virus. As a result, most malware now spreading by e-mail simply links to a web site where the virus can be downloaded, and the message tries to convince the reader to click on the link and accept the download.

The recent fad for viruses spreading by e-mail has been to link to a supposed video page that uses some vulnerability in the browser, Flash player, or Java to install the virus automatically. If that fails, the user is prompted to install the virus as a supposed upgrade to the browser’s Flash player. Although many users are warned against downloading random files, most still blindly accept browser plugins, especially if they’re offered as upgrades to a trusted plugin.

Starting August 3, 2008 we saw the first e-mail claiming to be from CNN. It had the subject “CNN News” and carried the same kind of short message we had already been seeing spread the typical flash.exe download: a few random phrases and a link to a compromised web site hosting the download:

Guides to be a gentleman http://example.com/index1.html

Starting August 4, 2008 we saw the first example of an e-mail message that actually looked like a valid news alert from CNN with the subject “CNN.com Daily Top 10”. The news headlines seemed to be actual news stories on CNN that day.

CNN Virus Spam 1

Starting August 8, 2008 we started seeing messages with the subject “CNN Alerts: My Custom Alert”. Messages with the subject of “CNN Alerts: Breaking news” started arriving on August 12, 2008. Unlike the previous versions, these messages usually contain only one news item.

CNN Virus Spam 2

Starting today, August 13, 2008 we started seeing messages with the subject “msnbc.com - BREAKING NEWS:” along with some news story’s title. These messages just contain some text and no images.

msnbc.com: BREAKING NEWS: Wildfires hit Arizona, leave thousands
homeless
Find out more at http://breakingnews.msnbc.com
=========================================
See the top news of the day at MSNBC.com, and the latest from Today
Show and NBC Nightly News.

=========================================
This e-mail is never sent unsolicited. You have received this MSNBC
Breaking News Newsletter
newsletter because you subscribed to it or, someone forwarded it to you.

To remove yourself from the list (or to add yourself to the list if this
message was forwarded to you) simply go to

http://www.msnbc.msn.com/id/07249173, select unsubscribe, enter the
email address receiving this message, and click the Go button.

Microsoft Corporation - One Microsoft Way - Redmond, WA 98052
MSN PRIVACY STATEMENT
http://privacy.msn.com <http://privacy.msn.com/>

The one thing all of these messages have in common is that most of the links in the e-mail messages take you to a CNN landing page that looks like the one below.

CNN Virus Spam 3
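The subject lines listed above and the link behaviour just described can be combined into a mail-filter heuristic. The sketch below is an added example, not SpamStopsHere's filter code: the `TRUSTED` domain list is an assumption, and the sample message and its `.example` host are constructed.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

SUBJECTS = re.compile(r"^(CNN News$|CNN\.com Daily Top 10$|msnbc\.com - BREAKING NEWS:"
                      r"|CNN Alerts: (My Custom Alert|Breaking news))", re.I)  # from the post
TRUSTED = ("cnn.com", "msnbc.com", "msn.com")  # assumption: the senders' real domains

class Links(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def off_site(href):  # True for an http(s) link whose host is outside TRUSTED
    u = urlparse(href)
    host = (u.hostname or "").lower().rstrip(".")
    return u.scheme in ("http", "https") and not any(
        host == d or host.endswith("." + d) for d in TRUSTED)

def analyze(raw):
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    parser = Links()
    parser.feed(body)
    # Plain-text mail has no anchors: fall back to bare URLs with no separate text.
    links = parser.found or [(u, "") for u in re.findall(r"https?://[^\s<>\"']+", body)]
    off_brand = [h for h, _ in links if off_site(h)]
    # Visible text names a news domain while the link target is somewhere else.
    deceptive = [h for h, t in links if off_site(h) and any(d in t.lower() for d in TRUSTED)]
    subject_hit = bool(SUBJECTS.match(str(msg.get("Subject", ""))))
    return {"subject_hit": subject_hit, "off_brand": off_brand, "deceptive": deceptive,
            "suspicious": bool(deceptive or (subject_hit and off_brand))}

# Constructed sample (placeholder hosts), modelled on the MSNBC message quoted above.
SAMPLE = """Subject: msnbc.com - BREAKING NEWS: Wildfires hit Arizona
Content-Type: text/html; charset="us-ascii"

<a href="http://compromised.example/index1.html">http://breakingnews.msnbc.com</a>
<a href="http://privacy.msn.com/">MSN PRIVACY STATEMENT</a>"""
```

`analyze(SAMPLE)` flags the first link as deceptive and leaves the privacy link alone. Genuine newsletters can carry third-party links, so `off_brand` on its own is a signal to weigh, not a verdict.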

JavaScript popups then appear that read “Video ActiveX Object Error: Your browser cannot display this video file. You need to download new version of Video ActiveX Object to play this video file.” You’re then given three options, but two of them just keep prompting you to download the malware, and the other one downloads the malware.

CNN Virus Spam 4

If you close the popup, another popup is displayed that reads “Video ActiveX Object Error. Your browser cannot play this video file. Click ‘OK’ to download and install missing Video ActiveX Object.” You’re then given two options, one of which keeps opening additional popups, and the other one downloads the malware.

CNN Virus Spam 5

If you close the popup, another popup is displayed that reads “Please install new version of ActiveX Object.” This popup finally limits you to only one option, to download the malware. Your other options have gradually been stripped away, until you’re left doing what the virus writer wants you to do.

CNN Virus Spam 6

If you close this window, you go back to the previous popup to start over. Since this window has the focus, there’s unfortunately no way to close its parent window, the browser window or tab. Many users may not know how to get out of this loop, and may finally relent and click to download the malware. A better option is to open your task manager by pressing the Ctrl key, the Alt key, and the Delete key all at the same time. Once you have task manager open, click on the Applications tab, click on the Internet Explorer instance that you want to close, which will highlight it, and then click on “End Task”. You’ll then need to confirm this request by clicking on “End Now” in the next dialog popup.

CNN Virus Spam 7

If you download the malware, usually named “adobe_flash.exe” or “flash.exe”, and run it, you’ll end up installing a Windows service that will make your computer a slave to the virus writer’s will. The virus is pretty straightforward about what it does. It usually installs a service named “CbEvtSvc” which runs from a file located at “C:\WINDOWS\system32\CbEvtSvc.exe”.

Interestingly enough, the JavaScript on the landing page also includes an unused function for a site titled “Antivirus XP 2008 Online protection against malicious software”. That site shows an animation that makes it appear to be scanning your computer for malware, and then supposedly warns you that your computer is infected. The site then offers to clean your system with the “Erase infected” button, but likely installs malware if you click on it.

CNN Virus Spam 8

I hadn’t seen this page advertised in spam yet, but maybe it will come out later. Just a warning to be careful. These types of security threats are out there, and we can never guess what form the next one will take. Please be cautious.

SpamStopsHere’s Sean Vogt contributed to this article.


One Response to “Forged news alerts from CNN and MSNBC link to viruses”

  1. pissedoff says:

    Suppose this locked up a military/medical computer and caused deaths? Why aren’t these imbeciles in jail?
