Didier Stevens

Friday 8 August 2008

Fake CNN Custom Alert

Filed under: Malware — Didier Stevens @ 8:33

Here’s a new social engineering trick I hadn’t seen in my spam mail before:

The mail mixes genuine and malicious links: the Shia link actually points to a real CNN article about the Olympics and terrorism, so you might be inclined to trust the mail and click on the “Full Story” link as well.

Like the CNN Top 10 malware, the “Full Story” link leads to a page with a fake Flash update:

Which happens to be malware.
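The trick above works because one link in the mail is genuine and the other is not, and the visible text of a link says nothing about where it goes. The Python script below is an added example (not code from the original post) of the triage a practitioner would run over such a mail: parse the HTML part, collect every anchor, and flag anchors whose host is not the brand's domain, whose host merely contains the brand name, whose visible text names a different host than the real target, or whose path looks like a download or update. The sample message, the `cnn.news-alerts.example` host, the `/olympics-security-story` placeholder path and all headers are constructed for the example; the mismatch and download checks go beyond what the post describes and are general phishing-triage checks.

```python
"""Link triage for an HTML "news alert" mail (added example, constructed data)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "cnn.com"  # the brand the alert claims to come from

# Constructed sample modelled on the fake alert: the first anchor goes to the
# brand's own site (placeholder path, not the real article URL), the others
# go to an attacker host that only contains the brand name. The From: header
# is sender-controlled and proves nothing.
SAMPLE_MAIL = """\
From: CNN Alerts <alerts@cnn.com>
To: reader@example.org
Subject: CNN Alerts: My Custom Alert
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Alert name: My Custom Alert</p>
<p><a href="http://www.cnn.com/olympics-security-story">Shia story (real CNN page)</a></p>
<p><a href="http://cnn.news-alerts.example/full_story.html">FULL STORY</a></p>
<p>Manage alerts: <a href="http://cnn.news-alerts.example/manage">www.cnn.com/alerts</a></p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted_host(host):
    host = host.lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def classify_link(href, text):
    """Return the reasons a link is suspicious; an empty list means none found."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if not is_trusted_host(host):
        reasons.append(f"points off-brand to {host or href!r}")
        # "cnn" inside an unrelated host name is the lookalike pattern.
        if TRUSTED_DOMAIN.split(".")[0] in host:
            reasons.append("host name mimics the brand")
    # Visible text that looks like a URL or domain must agree with the target.
    shown = text.lower()
    if "." in shown and " " not in shown:
        shown_url = shown if "://" in shown else "http://" + shown
        shown_host = urlparse(shown_url).hostname or ""
        if shown_host and shown_host != host:
            reasons.append(f"shows {shown_host} but goes to {host}")
    path = parsed.path.lower()
    if path.endswith(".exe") or any(w in path for w in ("flash", "player", "update")):
        reasons.append("download/update bait in the path")
    return reasons


def triage(raw_mail):
    """Map every anchor href in the HTML part to its list of suspicion reasons."""
    msg = email.message_from_string(raw_mail, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    collector = AnchorCollector()
    collector.feed(html_part.get_content() if html_part else "")
    return {href: classify_link(href, text) for href, text in collector.links}


if __name__ == "__main__":
    for href, reasons in triage(SAMPLE_MAIL).items():
        print(href, "->", "; ".join(reasons) or "ok")
```

Only the first anchor comes back clean; the “FULL STORY” anchor is flagged as off-brand with a lookalike host, and the third anchor additionally shows one host in its text while pointing at another. The fake update itself was served by the landing page rather than linked from the mail, but `classify_link` applied to such a download URL adds the “download/update bait” reason as well.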


  1. Ran across this twice today alone. Both from different people; I fell for the first one. Took me over 7 hours to eradicate the malware it installed on my PC, almost had to reformat. It installed “Antivirus XP 2008” malware; luckily I had Malwarebytes, Spybot S&D, and SuperAntiSpyware already installed, they killed most of the infection within minutes, but rooting out the tendrils it left behind was a bit of a problem. Apparently it also attempts to hijack your internet connection, and I detected another user on my PC. Possibly a botnet user attempting to use my PC for spam purposes.

    Comment by FubarGrn — Saturday 9 August 2008 @ 20:30

  2. Can you share with us what motivated you to visit the link? Do you use CNN alerts?

    Comment by Didier Stevens — Sunday 10 August 2008 @ 2:33

  3. Hey….
    I ran across this twice on one morning…… I’m from the Netherlands, and I don’t even watch CNN!!! Luckily I didn’t fall for it, and I’ve developed a habit that every time I see something like this in my mailbox, I look it up on the internet before I open it….. That’s how this website saved me a whole lot of trouble, thanks very much!!!

    Comment by evelien — Sunday 10 August 2008 @ 8:05

  4. The latest twist? An alternate header that reads:

    [Spam] – CNN Alerts: My Custom Alert

    Since we do a similar header modification around here to flag spam, but were handling this malware differently, it caused some serious confusion and head scratching, which was just what the bastards intended.

    These guys are Machiavellian. It’s as clever as balancing a bucket of water above a door jamb in a way the intended victim can see it, but then when he carefully removes it and proudly takes it to the sink to pour it out, he discovers the real gotcha was that the undersink trap has been removed so the water pours all over his feet and the floor.

    Comment by PBCliberal — Sunday 10 August 2008 @ 20:02

  5. If I understand you correctly, your users got a mail in their inbox (not in their SPAM folder), with subject “[Spam] – CNN Alerts: My Custom Alert”?

    That’s interesting, I’ve speculated (privately) about the blending of SPAM and malware e-mails.

    Thanks for sharing this.

    Comment by Didier Stevens — Sunday 10 August 2008 @ 20:20

  6. I received this e-mail yesterday evening and thought it was iffy – BUT – it said Bank of America just announced bankruptcy and as I bank there I stupidly clicked on the link for the story.

    It came back with “you must upload the newest version of ?? player to see video”.

    I KNEW there was a problem at that point but it would not allow me to exit – kept coming back with the same window.

    Bottom line, in trying to get out of the loop I hit the “allow” button by mistake.

    I immediately did a Ctrl/Alt/Delete and closed the browser.

    I was/am running McAfee – it never said it stopped anything.

    I ran a complete McAfee scan, found nothing.
    I then ran Ad-Aware – only found normal cookies.
    Then ran SuperAntiSpyware – only found normal cookies.
    Just finishing running Trend Micro – seems to have found nothing.

    Did I get a virus/trojan/etc. in the short time before I closed the browser and none of the virus programs I have run found it??

    Any suggestions of other virus program(s) I should run as well?

    How do I know if I got infected?

    Thanks for the help.

    Comment by Racetimer — Sunday 10 August 2008 @ 20:22

  7. Are you running on Windows XP, and are you using an administrative account? If so, it’s better to do some additional checks. Do you know which version of the McAfee DAT files you used to scan? According to VirusTotal the 5357 DAT files didn’t detect the Fake CNN Alert malware.

    The best thing you can do is scan your machine off-line: boot from a live CD and do a malware scan of your disks. F-Secure just released a new ISO file to do this. And to be really safe, don’t download and burn this ISO on your suspect machine, but use another one.

    Look for the F-Secure ISO here, and also update the virus database:

    Comment by Didier Stevens — Sunday 10 August 2008 @ 20:36

  8. […] Sampling a Malicious Site Filed under: Malware, My Software — Didier Stevens @ 21:59 Fake CNN alerts galore! […]

    Pingback by Sampling a Malicious Site « Didier Stevens — Sunday 10 August 2008 @ 21:59

  9. Didier writes: your users got a mail in their inbox (not in their SPAM folder)

    Yes, because it came in that way, which is the last thing you’d expect SPAM to say first thing out of the box. To be more precise than my earlier post, we used to do a Subject: header rewrite adding [SPAM] to suspected spam, but we stopped that a few days ago. So when the CNN Alerts: style spam (that we’d previously eliminated with its own unique filter rule) started showing up with what appeared to be a header rewrite that was no longer enabled, it drove me crazy for a few minutes because I first blamed our mail server (which is Ability Mail Server*), but then realized that our spam header rewrite was typographically different from what we were seeing on the pre-labeled CNN spam.

    *Full Disclosure: I have no interest in Code-Crafters Ability Mail Server other than as a satisfied long-term user.

    Comment by PBCliberal — Sunday 10 August 2008 @ 22:08

  10. Thanks for the details!

    Comment by Didier Stevens — Sunday 10 August 2008 @ 22:10

  11. It sure would be nice if CNN’s web security people would go after these people. They are using their logo and faking their emails.

    Comment by Gregory D. Kramer — Tuesday 12 August 2008 @ 17:51

  12. Fortunately I didn’t fall for it, but I did think the email was unusual since I had never gotten one before from CNN. That fact may have saved me – I only read the headlines and deleted it.

    Comment by Charlene — Saturday 16 August 2008 @ 2:16
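Comments 4 and 9 above describe a subject line that arrived already carrying a “[Spam]” tag the sender had put there, typographically different from the tag the local server used to add. The Python below is an added example (not code from the original post or from Ability Mail Server) of the two checks a mail administrator would want: decide whether a spam tag was applied locally or supplied by the sender, and strip any sender-supplied tag before the local filter runs, so a forged prefix can neither confuse users nor collide with the server’s own rewrite. The exact local tag `[SPAM]`, the `X-Spam-Flag: YES` header assumed to accompany it, and the two sample messages are assumptions for the example; the regular expression accepts hyphen, en dash or colon after the tag, and the samples use a plain hyphen.

```python
"""Detect and strip a sender-supplied "[Spam]" subject tag (added example)."""
import email
import re
from email import policy

LOCAL_TAG = "[SPAM]"          # assumed: exact prefix our own filter prepends
LOCAL_HEADER = "X-Spam-Flag"  # assumed: header our own filter sets to YES

# Anything that looks like a spam tag, whatever the case, spacing or separator
# (hyphen, en dash or colon) that follows it.
TAG_RE = re.compile(r"^\s*\[\s*spam\s*\]\s*[-\u2013:]*\s*", re.IGNORECASE)

# Constructed samples: the first mimics the pre-labeled alert (sender-supplied
# tag, no local header); the second is what our own filter would produce.
FORGED_MAIL = """\
From: CNN Alerts <alerts@cnn.com>
Subject: [Spam] - CNN Alerts: My Custom Alert

(body)
"""
LOCAL_MAIL = """\
From: CNN Alerts <alerts@cnn.com>
Subject: [SPAM] CNN Alerts: My Custom Alert
X-Spam-Flag: YES

(body)
"""


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def tag_origin(msg):
    """Return 'none', 'local' or 'forged' for the spam tag on a message.

    A tag is only trusted as local when the subject starts with the exact
    local prefix AND the accompanying header is present; a case or separator
    variant, or a missing header, means the sender wrote the tag.
    """
    subject = str(msg.get("Subject", ""))
    if not TAG_RE.match(subject):
        return "none"
    header_set = str(msg.get(LOCAL_HEADER, "")).strip().upper() == "YES"
    exact_prefix = subject.startswith(LOCAL_TAG + " ")
    return "local" if header_set and exact_prefix else "forged"


def strip_foreign_tag(raw):
    """Normalise an inbound message before the local filter runs.

    Every leading spam tag (however spelled, and however many times repeated)
    and any pre-existing local header are removed, so whatever tag the reader
    finally sees was added by our own filter.
    """
    msg = parse(raw)
    cleaned = str(msg.get("Subject", ""))
    while TAG_RE.match(cleaned):
        cleaned = TAG_RE.sub("", cleaned, count=1)
    del msg["Subject"]
    msg["Subject"] = cleaned
    del msg[LOCAL_HEADER]  # no error if the header is absent
    return msg


if __name__ == "__main__":
    for raw in (FORGED_MAIL, LOCAL_MAIL):
        msg = parse(raw)
        print(repr(str(msg["Subject"])), "->", tag_origin(msg),
              "| normalised:", repr(str(strip_foreign_tag(raw)["Subject"])))
```

The two checks are deliberately separate: `tag_origin` is for investigating mail that has already been delivered, while `strip_foreign_tag` belongs at the boundary MTA, before filtering, so that the rewrite rule and the header it sets are the only source of the tag users learn to trust.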
