I started getting those CNN Top Ten emails the other day. I thought I'd just been resubscribed to a list, so I hit the unsubscribe link. It took a few times but then the emails stopped.

Then again, I run Gentoo Linux, so I doubt the flash player .exe would have done much, even if I saw it (which I didn't). I guess I should just keep an eye, and watch my spamcatcher in case a lot more starts coming...

Here's some analysis:

One large site reports this botnet is now accounting for about 5-6% of its inbound spam.

Title: CNN Alerts: My Custom Alert
Your E-Mail Alerts
Alert Name: My Custom Alert

Tropical Storm Edouard moving toward Texas coast
Sun, 10 Aug 2008 18:40:36 -0600

FULL STORY

You have agreed to receive this email from CNN.com as a result of your CNN.com preference settings.
To manage your settings click here.
To alter your alert criteria or frequency or to unsubscribe from receiving custom email alerts, click here.

Cable News Network. One CNN Center, Atlanta, Georgia 30303
© 2008 Cable News Network.
A Time Warner Company
All Rights Reserved.
View our privacy policy and terms.

I cleared out a boatload of them this morning; I'm not sure if there were others with different text.

The description of what's going on might be vague because the attack is multifaceted: a barrage of attempts to exploit the client browser followed by "Hi, please run my trojan horse, kthxbye".

It appears that the user may be the upper bound on system security.

My anti-virus software has been quiet. I ran Ad-Aware today and it came up with just the usual stuff, cookies and so on.

Feh.

And the ones that do come through are often phishing from places I do not have a bank account with. ( iam with what used to be Federal Employees Credit Union) and they are wise to such assaults.

On the other hand I'm kind of glad my mom is willfully ignorant of computers in general and the Internet specifically.

I have about 8000 copies of just those purporting to be from CNN, if you want, and a more or less complete analysis here. I first got interested when I saw the groovy Javascript exploits on the hijacked target servers.

I've also identified about 15,000 IPs of zombie PCs injecting the stuff. The reason for this wave lately is that they're falling behind and need new PCs. But the blitz has made it possible for me to see them -- so all in all, it's been pretty damned nice.

Fascinatingly, there's an "Internet Explorer 7" upgrade spam from a completely different botnet for the same purpose, which just started up today.

At Despammed.com, I get a lot of spam. You may think you get a lot of spam. Ha. I laugh.

It always has been, really.

There once was a noob on the 'net
who hadn't caught viruses, yet.
Spam from Russia, quite graphic,
made his computer quite spastic,
That foolish young noob on the 'net.

(No, I'm not happy with graphic/spastic either, but what can you do when only the first two lines spring fully-formed and demand completion?)

Boing Boing's where I get the real news.

For a few weeks I was trending down to 1000 spam (caught) a week, but it looks like I'm back up in the 3500 range again.

There once was a noob on the 'net
who hadn't caught viruses, yet.
But "Hot babes and sex!"
Were just the right hex
And now his hard drive's been reset.

I have been online longer than most of the people at my office, and dealt with more of this crap as a result.

As the saying goes, "The pioneers are the ones with the arrows in their backs."

There's lots of room for bad software design (say, outdated threat models, such as assuming that every program acts on its user's behalf), and bad user interface design (such as patching the former model by asking the user for confirmation of the program's actions), to produce values well below that bound.

"CNN Alerts: My Custom Alert‏
From: CNN Alerts
Medium riskYou may not know this sender.Mark as safe|Mark as unsafe
Sent: Mon 8/11/08 7:16 PM
Reply-to:
To:
Your E-Mail Alerts
Alert Name: My Custom Alert

Obama visit Iraq, boo-ed off stage
Thu, 7 Aug 2008 21:47:46 +0200

FULL STORY

You have agreed to receive this email from CNN.com as a result of your CNN.com preference settings.
To manage your settings click here.
To alter your alert criteria or frequency or to unsubscribe from receiving custom email alerts, click here.

Cable News Network. One CNN Center, Atlanta, Georgia 30303
© 2008 Cable News Network.
A Time Warner Company
All Rights Reserved.
View our privacy policy and terms.

(Was "Melissa" the "I love you" virus? Whichever, I had to clean up that mess because one of my users had it sent from a woman he was, actually, desperately in love with. It doesn't even take something this well-done to get people to do dumb things. Although, now I'm wondering about one of my apps that asks me to upgrade it every time I start it... hrm...)

The new one pops up a window at asvoo.org, but I'm positive it's also been hijacked, as I see no reason for a consulting company in Germany to be actively aiding and abetting the botnet. I emailed them to tell them they've been featured. We'll see if it has any effect.

Our COO just accused the SVP of Biz Dev of signing us all up for the alerts.

Guess what sort of company I work for.

Yes, a technnology company!

I've been seeing the "CNN" spam increasing over the past few days; my Cyrus sieve scripts have been catching it on my home and work accounts, and the other accounts haven't been used enough to show up on anyone's radar (although, hm, they should have harvested the GMail one by now). I still need to rewrite my home Sieve script: I used two different kinds of whitelists to see which one would work better, and the one on my work account is much more reliable (fewer false positives, very very few false negatives; home accunt is so-so on both.

(and I've very, very happy to have an ISP with a reasonable spam filter that I can check on a daily basis with a minimum of fuss. For some reason the Tor newsletters get stuck there, no matter how often I whitelist them)

I haven't had any. Most of my spam either comes with all ?????s or are from people pretending to be banks with which I don't have accounts. Oh, and I still get the occasional lottery.

Does anybody have any idea how to get rid of this.

I've run Spybot S & D, CA, and Avg, but all came back clean.

Help please.

Also BBC

(Don't worry about the n00bs: many of them are fen and the others are just as cool)

You really wonder, sometimes.

It blocks things from installing themselves on your computer without your explicit permission(and can be centrally managed on large networks).

Michael I: huh? Can you give me a couple of subjects? Because I'm not seeing any faux-BBC coming in over the botnet IPs I'm monitoring.

Oh! I see: "BBC NEWS" -- but that's not the same people. That one's redirecting to news.avi.exe; goodness, but there are a lot of bad guys these days.

Phil: I'm trying to find the removal instructions I ran across yesterday. If I do, I'll post them.

There's some technical details about what gets installed - Trojan-Downloader.Agent.EL - and how to remove it at Enigma Software, but since the spam is a moving target you're better off with a tool. The Enigma site (naturally) recommends their own software.

What was I saying about the user being the upper bound? Oh well. That has always been the case, but the lower bound was sufficiently far away from the upper that it wasn't obvious.

The more I look, the more there is to see...

No guarantees; I haven't needed to get rid of the virus myself. I hope the user has been backing up because it looks like the easiest thing to do might be to reformat, reinstall, and restore.

Most backup programs that I know of do not back up the Windows registry. I have on my computers ERUNT, a freeware utility that automatically backs up the registry every day. The only "flaw" is that every so often I have to go to ERUNT's storage directory and clean out the clutter. But that's trivial.

This has saved me a couple of times. It's not just viruses one has to worry about; a power failure at the right time can trash one's registry.

At this point with the current virus state-of-the-art, I'd recommend backing up all data files (documents, databases, address books, etc.) to offline media, wiping the hard disk, and reinstalling Windows from scratch. That's the same as I'd do for a cracked Linux or Unix server. It's a harsh road, but it's the only way to be sure you've got it all.

(One advantage you do have with Linux is that you can boot the computer from a standalone CD and then use tools on the CD to check and disinfect the system; but it's been a long time since you could boot into Windows from a floppy or CD, other than to install.)

Here's a good article from last fall on what I'm talking about:
Security researcher Peter Gutmann's The Commercial Malware Industry
(5 second summary: the bad guys are winning, by miles.)

It turns out the user downloaded something thats looks similar to XP Antivirus. Which he got from a link in an email. He tells me that he thought it was one of his friends emailing it to him. WRONG!

BTW, XP anitvirus looks like this;

http://amiworks.co.in/talk/how-to-remove-antivirus-xp-2008/

But I'm guessing he really got the CNN Virus/worm/trojan whatever you want to label it.

thanks #52 and #56
I will try those programs today

I think my previous advice still stands, but hope you manage to truly remove it without having to wipe.