
Archive for August 7th, 2008


Aug7
by Jake Soriano (Technical Communications)

A lot of people trust CNN when it comes to news, but that’s the real CNN. This one looks believably like it’s from CNN, but it’s not:


Figure 1. Sample of the spammed email message

It is a malicious spam message that uses the popular news network as its social engineering lure. CNN has always been one of spammers’ favorite baits. Just last week, the CNN logo was used to disseminate fake news about al Qaeda.

This recent spam run looks fairly legitimate. It even comes with a tag line (“More videos. More news. More people saying: I just saw it in CNN.com”) in the footer area, perhaps to make the email look like a genuine CNN campaign.

Clicking links in the email, of course, leads to malware. Users should be wary of the following redirections that this spam’s click trail leads to:

Figure 2. Download page 1

Figure 3. Download page 2

Users are redirected to the pages above. Yesterday, we found plenty of download URLs ending in the string “cnnvideo.html” (see Figure 2). Today, we are seeing plenty ending in “/news/” (see Figure 3).

Both varieties, though, appear to point to the download of the same file, get_flash_update.exe, which the page claims is needed to view the videos referred to in the spammed email. Trend Micro detects the downloaded file as TROJ_TIBS.CSZ. This malware downloads two other malicious files, detected as TROJ_RENOS.AGU and TROJ_MUTANT.EW.

“They just keep making the pages more and more CNN-looking,” quips Threats Analyst Joey Costoya, one of the TrendLabs researchers investigating this incident. And true enough, as the spammers hone their copycat skills, more malware will probably be delivered the same way. As of this writing, we have collected more than a hundred URLs related to this attack.

The Trend Micro Content Security team has already blocked this variety of CNN spam. Users are still cautioned never to trust unsolicited email messages. Adobe has also released an advisory warning users about fake installers; the safest way to obtain a genuine one is to download it directly from the software vendor’s own site.
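A proxy-log check for the click trail described above, as an added example that is not part of the original post: it flags requests whose path ends in cnnvideo.html or /news/, flags any Flash-named .exe fetched from a host that is not the vendor’s, and ties the two together per client. The log lines, hosts and IP addresses are constructed sample data (RFC 5737 ranges, not the attack’s real URLs), and the trusted vendor domain list is an assumption.

```python
"""Proxy-log check for the CNN spam click trail.

Added example, not from the original post.  The log lines, hosts and
addresses are constructed (RFC 5737 ranges), and VENDOR_DOMAINS is an
assumption about whom you trust to serve Flash installers.
"""
import re
from urllib.parse import urlparse

# Constructed Squid-style access log: time elapsed client code/status size method URL ...
ACCESS_LOG = """\
1218096001.101    210 10.0.0.12 TCP_MISS/200 5120 GET http://203.0.113.5/cnnvideo.html - DIRECT/203.0.113.5 text/html
1218096002.340    980 10.0.0.12 TCP_MISS/200 91344 GET http://203.0.113.5/get_flash_update.exe - DIRECT/203.0.113.5 application/octet-stream
1218096120.077    150 10.0.0.23 TCP_MISS/200 4870 GET http://203.0.113.9/news/ - DIRECT/203.0.113.9 text/html
1218096121.500   1020 10.0.0.23 TCP_MISS/200 91344 GET http://203.0.113.9/news/get_flash_update.exe - DIRECT/203.0.113.9 application/octet-stream
1218096300.011    400 10.0.0.31 TCP_MISS/200 3200000 GET http://get.adobe.com/flashplayer/install_flash_player.exe - DIRECT/192.0.2.80 application/octet-stream
1218096400.500    120 10.0.0.44 TCP_MISS/200 800 GET http://www.example.org/index.html - DIRECT/192.0.2.90 text/html
"""

VENDOR_DOMAINS = ("adobe.com",)          # assumption: legitimate source of Flash installers
LANDING_PATTERNS = (re.compile(r"/cnnvideo\.html$"),   # the two path endings seen on the redirect pages
                    re.compile(r"/news/$"))
FLASH_EXE = re.compile(r"/[^/]*flash[^/]*\.exe$", re.IGNORECASE)   # any Flash-named executable
LOG_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")


def parse_line(line):
    """Pull timestamp, client and URL out of one Squid native log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": float(m.group("ts")), "client": m.group("client"), "url": m.group("url")}


def host_under(host, domains):
    """True if host is one of domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def scan(log_text, window=300.0):
    """Return (client, kind, url) findings.  'landing' is a hit on one of the
    spam's redirect page patterns; 'fake_flash' is a Flash-named .exe fetched
    from a non-vendor host; 'chain' is such a download within `window` seconds
    of a landing hit from the same client."""
    last_landing = {}
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlparse(rec["url"])
        if any(p.search(url.path) for p in LANDING_PATTERNS):
            last_landing[rec["client"]] = rec["ts"]
            findings.append((rec["client"], "landing", rec["url"]))
        elif FLASH_EXE.search(url.path) and not host_under(url.hostname or "", VENDOR_DOMAINS):
            kind = "fake_flash"
            seen = last_landing.get(rec["client"])
            if seen is not None and 0 <= rec["ts"] - seen <= window:
                kind = "chain"
            findings.append((rec["client"], kind, rec["url"]))
    return findings


if __name__ == "__main__":
    for client, kind, url in scan(ACCESS_LOG):
        print(f"{kind:10} {client:12} {url}")
```

The path patterns are specific to this spam run and will go stale; the host check (a Flash installer served from anywhere but the vendor) is the part worth keeping as a standing rule, since it encodes exactly the advice above. Squid’s native format carries no Referer, so the landing-to-download link is made by client and time window rather than by the referring page.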


Aug7
by Feike Hacquebord (Advanced Threats Analyst)

More than a year ago, Trend Micro threat researchers uncovered a network of over 900 rogue DNS (Domain Name System) servers related to the ZLOB Trojan family. We gave examples showing that these rogue DNS servers are part of click fraud and leakage of personal information.

Just recently, however, we discovered that this network is now targeting four of the most popular search engines. In a large-scale click fraud scheme, the ZLOB gang appears to use DNS “tricks” to hijack search results and replace sponsored links.

DNS is essential for the Internet to work. DNS servers translate domain names into the IP addresses assigned to computers connected to the Internet (and vice versa). This translation makes it possible for browsers to load Web sites from the correct computers. Most Internet users automatically use the DNS servers of their ISPs (Internet Service Providers), and implicitly trust that these DNS servers give back correct results. If the DNS settings are changed to point to a fraudulent or malicious server, the victim may be unknowingly redirected to any (potentially malicious) computer at any time while browsing the Internet.

The ZLOB Trojans we found silently change the local DNS settings of affected systems to use two of the abovementioned 900+ rogue DNS servers. These Trojans spread by advanced social engineering tricks; one example is professional-looking Web sites that promise Internet users access to pornographic movies after they install malware posing as a video codec. The number of ZLOB-related infections is huge: for the last six months of 2007, Microsoft reported more than 14,000,000 infections.

It now appears that the ZLOB gang has entered the multibillion-dollar search engine market. ZLOB’s rogue DNS servers resolve several domain names of the main engines to fraudulent IP addresses. Among others, this criminal operation has even set up rogue sites of the UK and Canadian versions of one of the largest search engines. Even searches performed via the installed browser toolbar (provided by the same company) are now being hijacked by ZLOB. Another popular search engine company has been hit even harder — most, if not all, domain names of the search engine that give back search results get resolved to fraudulent Web sites by the rogue DNS servers.

The primary objective of ZLOB here appears to be stealing traffic and clicks from search engines, making money along the way. Affected users are immediately redirected to sites that are not at all related to their original search queries. All sponsored search hits of the two main search engines we analyzed were hijacked by ZLOB. Clicks on sponsored links then are not credited to big search engine companies, but to the ZLOB gang instead.
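Two host-side checks for the local DNS changes and the hijacked answers described above, as an added example that is not Trend Micro’s code: parse the configured resolvers out of ipconfig /all or /etc/resolv.conf and flag any outside the expected ranges, then compare answers for search-engine names from a resolver you control against answers from the host’s configured resolver. The resolver addresses, expected ranges, domain names and answer sets are all constructed sample data; the real rogue server addresses are not given here.

```python
"""Two host-side checks for a DNS-changer infection.

Added example, not Trend Micro's code.  Every address, range, name and
answer below is constructed sample data (RFC 5737 documentation ranges).
"""
import ipaddress
import re

# Assumption: the resolvers your hosts are supposed to use (ISP or corporate).
EXPECTED_RESOLVERS = [ipaddress.ip_network("192.0.2.0/24"),
                      ipaddress.ip_network("198.51.100.53/32")]

# Constructed excerpt in the shape of `ipconfig /all` from a changed host.
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 10.0.0.12
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       203.0.113.8
   Primary WINS Server . . . . . . . : 10.0.0.1
"""

# Constructed /etc/resolv.conf from a clean host.
RESOLV_CONF_SAMPLE = """\
# generated by dhclient
nameserver 192.0.2.53
search example.net
"""

# Constructed answers: what a resolver you control returns, and what the
# suspect host's configured resolver returns, for the same names.
TRUSTED_ANSWERS = {
    "www.search-engine.example": {"192.0.2.10", "192.0.2.11"},
    "www.search-engine.example.co.uk": {"192.0.2.12"},
    "www.bank.example": {"192.0.2.20"},
}
OBSERVED_ANSWERS = {
    "www.search-engine.example": {"203.0.113.40"},        # redirected
    "www.search-engine.example.co.uk": {"203.0.113.40"},  # redirected
    "www.bank.example": {"192.0.2.20"},                   # untouched
}

DNS_LABEL = re.compile(r"\s*DNS Servers[ .]*:\s*(\S+)")
BARE_IPV4 = re.compile(r"\s*(\d{1,3}(?:\.\d{1,3}){3})\s*")


def resolvers_from_ipconfig(text):
    """Collect the 'DNS Servers' entries from ipconfig /all output.  The first
    address shares the label line; further addresses follow on continuation
    lines that hold nothing but an address."""
    servers, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = DNS_LABEL.match(lines[i])
        i += 1
        if not m:
            continue
        servers.append(m.group(1))
        while i < len(lines) and BARE_IPV4.fullmatch(lines[i]):
            servers.append(lines[i].strip())
            i += 1
    return servers


def resolvers_from_resolv_conf(text):
    """Collect 'nameserver' entries from a resolv.conf file."""
    return [parts[1] for parts in (l.split() for l in text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Return the configured resolvers that fall outside the expected ranges.
    Anything that does not parse as an address is reported too."""
    bad = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            bad.append(s)
            continue
        if not any(ip in net for net in expected):
            bad.append(s)
    return bad


def hijacked_names(trusted, observed):
    """Names whose answer from the configured resolver shares no address with
    the trusted answer.  Maps name -> sorted list of the observed addresses."""
    out = {}
    for name, good in trusted.items():
        seen = observed.get(name, set())
        if seen and not (seen & good):
            out[name] = sorted(seen)
    return out


if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(resolvers_from_ipconfig(IPCONFIG_SAMPLE)))
    print("clean host:", unexpected_resolvers(resolvers_from_resolv_conf(RESOLV_CONF_SAMPLE)))
    print("hijacked names:", hijacked_names(TRUSTED_ANSWERS, OBSERVED_ANSWERS))
```

The resolver check is the reliable signal: a host whose DNS servers are not the ones its ISP or network assigned has been changed by something. The answer comparison is a heuristic, because large search engines serve different addresses per region and per resolver, so run both resolutions from the same network and treat a disagreement as a reason to inspect the configured resolver, not as proof by itself.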

Although Trend Micro sees incidents of spoofed Web sites (like those of banking companies) regularly, the scale of ZLOB’s click fraud with search engines looks unprecedented. As mentioned above, the number of the gang’s victims is believed to be huge. Unfortunately, the rogue DNS network of ZLOB is several years old, stable, and is still expanding.

While much of the ZLOB malware is widely detected, new variants are occasionally created to evade detection, and these may temporarily slip through and victimize unwitting users. The criminals try to exploit exactly this window of opportunity, between the release of a new variant and the time it is detected.

We have taken steps to get in touch with our security contacts at each of the affected search engine companies, but alas, there is not much that they can do about the problem, since the DNS “hijacking” is being done locally on computers which are victimized by a ZLOB Trojan.

Meanwhile, Trend Micro customers are protected from being victimized by malware and malicious Web sites by the Smart Protection Network. Updates on this developing issue will be posted as soon as they are available.



© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice