israel’s war on hamas: a dozen thoughts
hamas goads israel into war
israel vows war on hamas in gaza
hamas launching rocket war after gaza evacuation

The body of the email contains:

Israel offers short respite from strikes.
Israel will halt its bombardment of Gaza for three hours  every day to allow residents of the Hamas-ruled Palestinian territory to obtain much-needed supplies, a military spokesman says.
The images broadcast here where graphic and striking.
The Al Jazeera English report below captures the extent of the devastation caused by the initial strikes.

Proceed to view details:

hxxp://edition.cnn.2009.completeserv.*****-******.israelgazaconflict.com/israel-gaza.htm?/****

2009 Cable News Network. A Time Warner Company. All Rights Reserved.

The included URL will lead  visitors to a web site that looks like the CNN site. Download screens promts appear, to update your Adobe Acrobat or Flash player software,  when you click on a link to view the video. Getting out of the loop can only done by closing your browser session. If the download is accepted, a Trojan is installed which opens communication for the download of further malware from a remote location.

A similar campaign has been done in the past with the CNN Daily top 10 and the CNN Alerts. These previous campaigns caused several new infections because the receivers of these emails thought this was a legit email because of the CNN look-and-feel that was used to mislead readers.

The current campaign isn’t having a CNN branding at the moment so it should look supsicious right away to anyone. Be carefull.

CNN’s Behind the Scenes blog warns their readers not to download any software pertaining to the Gaza conflict.

Again, the email itself is very nice CNN branded but contains a link that leads you directly to the malware. The senders address is spoofed and is not coming from cnn.com but this is not guaranteed for the future.

The link behind Full Story - so don’t click on this one – brings you to a, in this case, Russian web site where you need to download the proper Flash player to view the video. When you accept the malware file adobe_flash.exe is downloaded.

The trojan has the same specs of the CNN Daily Top 10: Trojan-Downloader.Agent.EL. This trojan will create a new process on an infected machine: %System%\cbevtsvc.exe and creates a new service CbEvtSvc in the system. Quite some registry modifications are being made as well as a direct IP address connection to a remote host on TCP/IP port 443.

Malware authors are abusing CNN by using the logo, the lay out and the concept of the CNN Daily Top 10 to distribute emails with URLs that point to sites that host malware.

The messages itself is sent from a random generated user email address not on the cnn.com domain. The links behind the top 10 directs you to a web site that should show you the video but instead gives you an error that an incorrect Flash player is installed.

A pop up window will ask you to download the correct video codec, an executable called get_flash_update.exe, but this is in fact the Trojan-Downloader.Agent.EL. This trojan ca an download and installs other malware onto infected machine.

This trojan will in fact create a new process on an infected machine: %System%\cbevtsvc.exe and creates a new service CbEvtSvc in the system. Quite some registry modifications are being made as well as a direct IP address connection to a remote host on TCP/IP port 443.

Virus Total permalink and MD5: dabb5a9b431c88c77281bcf1158a9879.

Remark: CNN is not responsible for the CNN Daily Top 10 that contained URLs to sites that host malware in the form of a downloadable Flash codec.