I got eight copies in my work account on Friday. Since I never open anything that looks unfamiliar, I don't know what was in it.

From Slashdot:
More than a thousand hacked Web sites are serving up fake Flash Player software to users duped into clicking on links in mail that's part of a massive spam attack masquerading as CNN.com news notifications, security researchers said today. The bogus messages, which claim to be from the CNN.com news Web site, include links to what are supposedly the day's Top 10 news stories and Top 10 news video clips from the cable network. Clicking on any of those links, however, brings up a dialog that says an incorrect version of Flash Player has been detected and that tells users they needed to update to a fake newer edition, which delivers a Trojan horse — identified by multiple names, including Cbeplay.a — that 'phones home' to a malicious server to grab and install additional malware.

Sunbelt blog explains the CNN spam.

Huh, and possibly dammit.

I started getting those CNN Top Ten emails the other day. I thought I'd just been resubscribed to a list, so I hit the unsubscribe link. It took a few times but then the emails stopped.

Then again, I run Gentoo Linux, so I doubt the flash player .exe would have done much, even if I saw it (which I didn't). I guess I should just keep an eye, and watch my spamcatcher in case a lot more starts coming...

The ones we got at our university a couple of days ago led the user to download fake antivirus software.

As Michael C. says just above, it's a massive multi-platform virus distribution burst, fueled by computers already infected with the Rustock bot and driving users to cracked websites (and possibly to some run by co-conspirators and collaborators.)

Here's some analysis:

One large site reports this botnet is now accounting for about 5-6% of its inbound spam.

Sorry, dropped the URL; that should have gone here: Linking all the news spam together.

Text of it:

Title: CNN Alerts: My Custom Alert
Your E-Mail Alerts
Alert Name: My Custom Alert

Tropical Storm Edouard moving toward Texas coast
Sun, 10 Aug 2008 18:40:36 -0600

FULL STORY

You have agreed to receive this email from CNN.com as a result of your CNN.com preference settings.
To manage your settings click here.
To alter your alert criteria or frequency or to unsubscribe from receiving custom email alerts, click here.

Cable News Network. One CNN Center, Atlanta, Georgia 30303
© 2008 Cable News Network.
A Time Warner Company
All Rights Reserved.
View our privacy policy and terms.

I cleared out a boatload of them this morning; I'm not sure if there were others with different text.

ZDnet has another article on the CNN spam, which references a more technical writeup on Threatfire of a similar attack.

The description of what's going on might be vague because the attack is multifaceted: a barrage of attempts to exploit the client browser followed by "Hi, please run my trojan horse, kthxbye".

It appears that the user may be the upper bound on system security.

Well, I am answered.

I've received several hundred of these, as my work address gets submission email for several internal mailing lists forwarded to it.

I got one a few days ago. I opened it, clicked on a story, and got the Flash Player message. I then closed and deleted the whole thing without downloading anything. It was very professional-looking, none of the usual misspellings and grammar errors one usually finds with those nasty things.

My anti-virus software has been quiet. I ran Ad-Aware today and it came up with just the usual stuff, cookies and so on.

Feh.

I've got a Mac and filters set on 'decapitate" so I get very little spam email.

And the ones that do come through are often phishing from places I do not have a bank account with. ( iam with what used to be Federal Employees Credit Union) and they are wise to such assaults.

On the other hand I'm kind of glad my mom is willfully ignorant of computers in general and the Internet specifically.

I've been tracking it for two weeks. It's the Storm botnet, and it's the same group that had the funky headlines between June and July. They started using a "CNN Daily Top 10" video email on August 4, then switched to "CNN Alerts: My Custom Alert" on August 7. I kind of expected them to switch today, but I'll bet we'll be seeing something by tomorrow morning at the latest.

I have about 8000 copies of just those purporting to be from CNN, if you want, and a more or less complete analysis here. I first got interested when I saw the groovy Javascript exploits on the hijacked target servers.

I've also identified about 15,000 IPs of zombie PCs injecting the stuff. The reason for this wave lately is that they're falling behind and need new PCs. But the blitz has made it possible for me to see them -- so all in all, it's been pretty damned nice.

Fascinatingly, there's an "Internet Explorer 7" upgrade spam from a completely different botnet for the same purpose, which just started up today.

At Despammed.com, I get a lot of spam. You may think you get a lot of spam. Ha. I laugh.

It appears that the user may be the upper bound on system security.

It always has been, really.

There once was a noob on the 'net
who hadn't caught viruses, yet.
Spam from Russia, quite graphic,
made his computer quite spastic,
That foolish young noob on the 'net.

(No, I'm not happy with graphic/spastic either, but what can you do when only the first two lines spring fully-formed and demand completion?)

CNN spam? Today I got one about a politician's two-year-old affair, and a few days earlier another about an actor's car accident. Yet I haven't heard a damned thing about, for example, the DHS's laptop seizure policy, or any of the other liberties Americans have lost in the last seven years.

Boing Boing's where I get the real news.

Will - by the way, don't worry about having clicked the unsubscribe link. That actually goes to CNN; they copied it wholesale for verisimilitude.

A metric ton of them here, at least, that weren't caught in mail.app's spam filter.

For a few weeks I was trending down to 1000 spam (caught) a week, but it looks like I'm back up in the 3500 range again.

Wirelizard #15

There once was a noob on the 'net
who hadn't caught viruses, yet.
But "Hot babes and sex!"
Were just the right hex
And now his hard drive's been reset.

I gave my mother an Ubuntu Linux rebuilt system three months ago. She is no less clueless on Linux than she was on Windows, but at least the damage is a little more limited.

My company's IT department sent around a warning about this a week or so back: apparently a number of my coworkers had received it at their work email addresses, and opened it, leaving viruses on their system. I got it at my usual home address, thought "oh, spam" and deleted the two or three copies that were there right away, and have removed more since. I don't know if my coworkers are actually on some kind of CNN mailing list, as I am not, or are just a bit more gullible. (I have been online longer than most of the people at my office, and dealt with more of this crap as a result.)

Vicki @ 21

I have been online longer than most of the people at my office, and dealt with more of this crap as a result.

As the saying goes, "The pioneers are the ones with the arrows in their backs."

#9: "It appears that the user may be the upper bound on system security."

There's lots of room for bad software design (say, outdated threat models, such as assuming that every program acts on its user's behalf), and bad user interface design (such as patching the former model by asking the user for confirmation of the program's actions), to produce values well below that bound.

I just got my 2nd - both were re Obama

"CNN Alerts: My Custom Alert‏
From: CNN Alerts
Medium riskYou may not know this sender.Mark as safe|Mark as unsafe
Sent: Mon 8/11/08 7:16 PM
Reply-to:
To:
Your E-Mail Alerts
Alert Name: My Custom Alert

Obama visit Iraq, boo-ed off stage
Thu, 7 Aug 2008 21:47:46 +0200

FULL STORY

You have agreed to receive this email from CNN.com as a result of your CNN.com preference settings.
To manage your settings click here.
To alter your alert criteria or frequency or to unsubscribe from receiving custom email alerts, click here.

Cable News Network. One CNN Center, Atlanta, Georgia 30303
© 2008 Cable News Network.
A Time Warner Company
All Rights Reserved.
View our privacy policy and terms.

Lots and lots of CNN spam since it started.
Number caught increasing steadily (Postini at work and SpamCop at home are doing a good job catching these now, after some got through last week).

Neat! I just checked my spam trap and there were over 50 of these in there. I guess the botnet is warming up...

(Was "Melissa" the "I love you" virus? Whichever, I had to clean up that mess because one of my users had it sent from a woman he was, actually, desperately in love with. It doesn't even take something this well-done to get people to do dumb things. Although, now I'm wondering about one of my apps that asks me to upgrade it every time I start it... hrm...)

Ooh, I saw this! My Gmail has been catching these by the bucketload this week. It's kind of strange to see a whole page of spam subject lines, all alike. (Since that address is not signed up for any services remotely like CNN, I wouldn't have clicked anyway. I can't say I'm immune to doing stupid things online, but at least this one wasn't a temptation at all.)

I feel a bit left out. No CNN spam here; most of mine is either Russian, Chinese, German, or in character sets my email reader isn't set up to interpret correctly.

#28: Don't feel bad. I only get the CNN mail at my work address.

I've gotten a bunch of these. I was somewhat perplexed because the headlines looked real and the links at the bottom were actually to cnn.com. But I've never signed up with cnn.com, and when I typed in the url of the `unsubscribe' link, it had no record of any account of mine.

I got one at my home ISP and a couple in G-mail. Never opened them. I read the news where I want to and I ignore solicitations.

All y'all following the story, they switched landing pages again. About time, too! It had been four days since they did anything worthy of analysis.

The new one pops up a window at asvoo.org, but I'm positive it's also been hijacked, as I see no reason for a consulting company in Germany to be actively aiding and abetting the botnet. I emailed them to tell them they've been featured. We'll see if it has any effect.

My CEO just sent a pleading note to the rest of the company to get him off of CNN's mailing list, as he was getting 50 or so alerts a day.

Our COO just accused the SVP of Biz Dev of signing us all up for the alerts.

Guess what sort of company I work for.

Yes, a technnology company!

Cat Meadors @26:
yep, "I Love You" was the "Melissa" virus. My sister's still kinda peeved about it (guess her name :)

I've been seeing the "CNN" spam increasing over the past few days; my Cyrus sieve scripts have been catching it on my home and work accounts, and the other accounts haven't been used enough to show up on anyone's radar (although, hm, they should have harvested the GMail one by now). I still need to rewrite my home Sieve script: I used two different kinds of whitelists to see which one would work better, and the one on my work account is much more reliable (fewer false positives, very very few false negatives; home accunt is so-so on both.

Yeah, my spam filter's been catching a lot of these of late. Since I don't subscribe to anything CNNish, I figured it was some sort of weird spam and cleared it without looking.

(and I've very, very happy to have an ISP with a reasonable spam filter that I can check on a daily basis with a minimum of fuss. For some reason the Tor newsletters get stuck there, no matter how often I whitelist them)

Wirelizard, #15, the third & fourth lines have too many syllables, too. It's Da dada Da or da Da dada Da.

I haven't had any. Most of my spam either comes with all ?????s or are from people pretending to be banks with which I don't have accounts. Oh, and I still get the occasional lottery.

So I'm not the only one getting "CNN Alert: My Custom Alert" spam - I'm deleting about 10 or so a day at present.

Over the last week, these messages have become a *majority* of the spam caught by my work postini account!

Just to join in the general. I've been getting them too. Gmail sends them straight to the Spam box. Sometimes it's a relief to hear from old Denis Enlargement again. Nothing in blueyonder, though.

Thanks -- yeah, these weren't ringing my "spam alert" bells, but I blocked the "top 10" anyway because it was annoying. I got one of the "custom alerts" today and thought it might actually BE one of my custom alerts, but now I know to look closely at the topic (it COULD have been -- MAYBE Iceland had won a medal in the summer Olympics...)

At last, oh, at last! My long, dark desolation of rejection is over! I've finally received my very own precious copy of the CNN Spam. I've kept it undeleted in my Junk email shrine so that I may partake (with rhino-hide gloves and thick goggles) of its awe-inspiring perfection. It completes me.

Earl, we're all happy for you.

Ha! I thought to look at the bitbucket mail from my domain and I have batches there! You know how when you look at Usenet on Google, they ellipse the end of the name in the edress? Well, that's what mine are all directed to.

msnbc.com - BREAKING NEWS: Botnet changes spam subjects again.

One of our employees recently downloaded or opened one of these emails and it turned his computer into a zombie. Consequently inundating the web with thousands of the SMTP CNN emails.

Does anybody have any idea how to get rid of this.

I've run Spybot S & D, CA, and Avg, but all came back clean.

Help please.

Michael Roberts@44

Also BBC

I just saw this spam mentioned on a college mailing list I subscribe to. I redirected them here as this thread has the best collection of links on it I've seen.

(Don't worry about the n00bs: many of them are fen and the others are just as cool)

#33: Been there, done that, same business.

You really wonder, sometimes.

May I suggest that all Windows users pick up Grr!

It blocks things from installing themselves on your computer without your explicit permission(and can be centrally managed on large networks).

Jon: don't worry about the n00bs, we like them. (They're so crunchy after proper frying.)

Michael I: huh? Can you give me a couple of subjects? Because I'm not seeing any faux-BBC coming in over the botnet IPs I'm monitoring.

Oh! I see: "BBC NEWS" -- but that's not the same people. That one's redirecting to news.avi.exe; goodness, but there are a lot of bad guys these days.

Phil: I'm trying to find the removal instructions I ran across yesterday. If I do, I'll post them.

Phil: I'd recommend getting a shareware spyware removal tool like Spyware Sweeper for about $30.

There's some technical details about what gets installed - Trojan-Downloader.Agent.EL - and how to remove it at Enigma Software, but since the spam is a moving target you're better off with a tool. The Enigma site (naturally) recommends their own software.

Also naturally, I screwed up the main link I was trying to post.

What was I saying about the user being the upper bound? Oh well. That has always been the case, but the lower bound was sufficiently far away from the upper that it wasn't obvious.

Just for info, the CNN spams have morphed into MSNBC headline spams, and a different spammer has decided they like this approach enough to start using BBC headline spams.

Oh, and I see Michael beat me to it way upthread. 's what I get for being in a later timezone.

The BBC News IP pool doesn't coincide with the IE 7 update spam from a couple of days ago, either. That makes at least three botnets, unless they use different segments of their pool for different applications. (That theory doesn't hold up, though, because the CNN/news headline group has spammed on other topics, and is still doing so, although at lower intensity.)

The more I look, the more there is to see...

#45, #51: Also try this link.

No guarantees; I haven't needed to get rid of the virus myself. I hope the user has been backing up because it looks like the easiest thing to do might be to reformat, reinstall, and restore.

Got my first MSNBC spam just this morning! The lead story link goes to somesite in Japan.

A prevention utility that might help in future recovery from viruses like this one:

Most backup programs that I know of do not back up the Windows registry. I have on my computers ERUNT, a freeware utility that automatically backs up the registry every day. The only "flaw" is that every so often I have to go to ERUNT's storage directory and clean out the clutter. But that's trivial.

This has saved me a couple of times. It's not just viruses one has to worry about; a power failure at the right time can trash one's registry.

Phil @ 45:
Serious answer here: The virus and malware developers have developed very sophisticated hooks to selectively hide their software from the antivirus software or to disable it from really removing all their hooks. Once it's on the computer, you can't be really sure of cleaning it all out, because you can no longer trust anything the computer sees. That's what they mean by "owned" - you only see what the malware wants you to see. The only way to be sure is start from scratch.

At this point with the current virus state-of-the-art, I'd recommend backing up all data files (documents, databases, address books, etc.) to offline media, wiping the hard disk, and reinstalling Windows from scratch. That's the same as I'd do for a cracked Linux or Unix server. It's a harsh road, but it's the only way to be sure you've got it all.

(One advantage you do have with Linux is that you can boot the computer from a standalone CD and then use tools on the CD to check and disinfect the system; but it's been a long time since you could boot into Windows from a floppy or CD, other than to install.)

Here's a good article from last fall on what I'm talking about:
Security researcher Peter Gutmann's The Commercial Malware Industry
(5 second summary: the bad guys are winning, by miles.)

update:

It turns out the user downloaded something thats looks similar to XP Antivirus. Which he got from a link in an email. He tells me that he thought it was one of his friends emailing it to him. WRONG!

BTW, XP anitvirus looks like this;

http://amiworks.co.in/talk/how-to-remove-antivirus-xp-2008/

But I'm guessing he really got the CNN Virus/worm/trojan whatever you want to label it.

thanks #52 and #56
I will try those programs today

There are several flavors of viruses and malware which masquerade as antivirus software. They're usually hard to remove. Good luck.

I think my previous advice still stands, but hope you manage to truly remove it without having to wipe.