This Just In: Malware Mimics Breaking News Bulletin

In a clever twist on mass-mailed malware, a new worm masquerades as a CNNbreaking news bulletin complete with updated headlines to mimic the storiesappearing on CNN.com.

The content of the e-mail also comes directly from the news site. Astutee-mail users will note, however, that the bogus e-mail contains an attachment,the worm known as Crowt-A, while real CNN news bulletins have noattachments.

Innovative Use of Content

“The innovative thing about this worm is in its use of real-time, thirdparty content in the construction of the e-mail subject and text,” Ed Moyleof SecurityCurve told TechNewsWorld.

“Malware authors have historicallytried to make their attachment enticing to the recipient by using a subjectline and e-mail body that have a broad appeal. In general, the more appealingthe subject line and content, the greater the chance that a recipient willexecute the attachment.”

If executed, it displays typical worm behavior, scanning theinfected computer for contact lists and mailing itself to the foundaddresses. It may delete files from the computer, and it also contains abackdoor Trojan function, which logs keystrokes and sends a report back tothe worm author, who can then harvest passwords and other personalinformation.

Slow Spread

Anti-malware company Sophos first reported the worm and said there have onlybeen a few sightings of it.

“The content from CNN that is used isn’t particularly targeted to therecipient in question, so it’s not necessarily likely to spread quickly; inother words, the recipient may or may not be interestedin the content that the worm happens to select when it acquires theheadlines,” Moyle said.

“However, this worm shouldput the AV community on the alert that the use of third-party content in thedistribution vector is something that we’ll see more of,” he said. “Between this andSanty, worms are starting to make use of things outside their immediateenvironment to aid in spreading.”

Santy, which hit in December, used Google’s search function to find anddeface sites using phpBB, an open-source bulletin board program.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Susan B. Shor
More in Malware

TechNewsWorld Channels