Virus propagation follows an evolutionary pattern – the ones we see are the survivors, the ones with the right balance of technical ingenuity and social psychology to get themselves installed. I therefore conclude that lots of people have clicked Continue on sight of the following dialog, which you get if you follow a link in the CNN Daily Top 10 spam email doing the rounds right now (I have had it over 20 times):
In Firefox it is even cruder – just a link to a viral executable, click OK or Cancel.
What gets me is that this is such an obvious virus. Here are several clues:
- The URL for the page is not cnn.com
- The supposed Flash placeholder image is obviously faked. It says “Flash Player 0” is installed
- The English is poor
- This doesn’t look anything like IE’s normal behaviour when installing a new ActiveX control (it isn’t of course, it is just asking you to download an EXE)
- Image missing on the dialog
- The dialog doesn’t even mention Flash
- I’ve not actually checked, but I’d be astonished if the executable is signed, so the user will have to pass further warnings unless they are running an ancient version of Windows
- Of course I already have Flash 9 installed
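The first clue in the list (the page is not on cnn.com) is the one you can check mechanically: pull every link out of the HTML body and flag any whose host is not under the brand's real domain. The script below is an added example, not code from the original post; the sample message and every domain other than cnn.com (the `.example` names) are constructed for illustration. Note that the suffix check deliberately rejects look-alikes such as `www.cnn.com.something.example`, which is a common way to make a hostile URL start with the trusted name.

```python
"""Flag links in an e-mail whose host is not under the brand the mail claims to be from.
Added example (not from the original post); the sample e-mail below is constructed."""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mimicking the kind of message described in the post.
# Every domain apart from cnn.com is a placeholder in the reserved .example TLD.
SAMPLE_EMAIL = """\
From: CNN Alerts <alerts@cnn.com>
To: reader@mail.example
Subject: CNN.com Daily Top 10
Content-Type: text/html; charset=us-ascii

<html><body>
<a href="http://www.cnn.com/">CNN.com</a>
<p>Top video: <a href="http://video-cnn.example/watch.php?id=1">Watch now</a></p>
<p><a href="http://www.cnn.com.video-host.example/player">Play</a></p>
<p><a href="http://www.cnn.com/privacy">Privacy policy</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def host_under(host, domain):
    """True only if host is domain itself or a subdomain of it.

    A plain substring or prefix test would accept cnn.com.evil.example;
    requiring a leading dot before the domain rejects that trick.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def extract_links(raw_email):
    """Return all hrefs from the text/html parts of an RFC 822 message."""
    msg = message_from_string(raw_email)
    hrefs = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
        hrefs.extend(collector.hrefs)
    return hrefs


def suspicious_links(raw_email, brand_domain="cnn.com"):
    """Links whose host is not under brand_domain (a missing host counts as suspicious)."""
    return [
        url for url in extract_links(raw_email)
        if not host_under(urlparse(url).hostname or "", brand_domain)
    ]


if __name__ == "__main__":
    for url in suspicious_links(SAMPLE_EMAIL):
        print("off-brand link:", url)
```

Run against the constructed message this reports the two video links and accepts the genuine cnn.com ones, which is exactly the pattern the post describes: the visible branding links are real, the payload links are not.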
I also presume from the success of the virus that either lots of people don't have current anti-virus software installed, or it didn't work because it was not updated in time.
Why is this virus succeeding? I imagine because it is trading on two respected brands – CNN, and Flash, which most people are happy to install and know is OK to install (the real one, that is).
Shows what a tough job the security guys have: you have to assume people will click OK to almost anything.
Excellent points. Don’t underestimate the importance of the “brand.” I’m in the news business so the CNN livery was compelling. I was suspicious (and both avoided linking and warned all my friends) because I had never subscribed to a CNN feed, because I’d had a bad virus experience about 8 years ago and learned my lesson, and because I was skeptical enough to check the links and notice the unusual “from” address on the original email. But it looked good enough to me that I felt compelled to warn all my friends.
How do you get rid of these CNN top 10 emails? My junk email filter is not catching them and I'm getting like 5 a day. I know not to click on anything in the message, but is there any way to make them stop?
Sara,
You can’t really make them stop; you should be able to set up a filter in your mail client that would send them to a junk mail folder.
If you have time on your hands, you could also check the sending IP number in each message, look up which ISP the number belongs to, and report the compromised machine to the ISP. Presuming the ISP is responsible and takes action, that will stop the mails from that particular source. Unfortunately there will be thousands of others; but the subset that have your email address may be manageable.
Tim
The percentage of people with up to date antivirus has definitely improved over time, but I can’t tell you how frequently we still see someone who has Antivirus that came with the computer (4 years ago or more) and hasn’t updated it.
I think that all things considered, this trojan is fairly good. Reasons being:
1. The Links at the top and bottom of the email do go to CNN.
2. The email is formatted to look like a CNN email.
3. The landing page does look like a video player page.
4. They made use of very strong and trusted internet brands – CNN and Flash.
5. People love to watch internet videos, and all of the video links point to the trojan landing page.
That said, your points for why it's an easy one to spot are just as valid.
Vi Wickam
On-Site Computer Solutions
http://www.424help.com
Evansville Virus Removal