Dispatches From The Front Lines ...
Malware Spam for a September Morn
Posted on September 01, 2008 at 09:45 AM

Ah, it's a new month, and here in the U.S., we have the Labor Day holiday. Except for those whose holiday is being stolen by the Gustav hurricane, there will be lots of picnics, ball games, and end-of-summer parties. In the meantime, your email inbox is filling up with the usual crappage.

On the malware lure front, a long-running e-card scam is continuing, as the perps take over additional web sites to host their downloadable deliveries. New this morning are a couple of strange malware lure samples whose Subject: lines drop the names of—ta-da—Obama and McCain. The actual Subject: lines I've seen don't make much sense, but what else is new?

  • Obama Announces for President -- In Hit Show '24'
  • McCain, Obama: Cosmo Cover Also Tasteless, Offensive
  • Obama Promises Change for a Nation, Change For a Twenty

The messages encourage you to follow a link to a hijacked web site, where the crooks have inserted a page named index98.html. A visit to the page automatically downloads video98.exe (for which VirusTotal shows a very high recognition rate). Whether or not the auto-download works, a visitor to the page (why are you doing that?) sees the following:

[Image: Malware site prompt to download video codec]

What looks like a dialog box is actually an absolute-positioned div element—a Dynamic HTML technique used by some to create content that is draggable around the browser window. Unlike a real dialog box, however, if you try to drag this one beyond the edge of the browser window, it is clipped by the browser window. In the meantime, the image of the video viewer—and that's all it is: an image—is an animated .gif image with the spinner spinning away, as if the player is "tapping its foot" waiting for the visitor to act.

What strikes me most about this page, however, is the choice of page title, which appears in the browser window's titlebar. It's either a leftover from some other campaign, or it's the final "grabber" to encourage visitors to download that malware loader...I mean, video codec.

But the email messages were about politics. As if politics and porn are somehow related....

E-Profiteers Ready for Disaster
Posted on August 31, 2008 at 10:33 AM

The good folks at the SANS Internet Storm Center have reported (here and here) that domain names containing the string "gustav" are being gobbled up in anticipation of Hurricane Gustav coming ashore along the Gulf coast. A lot of these domain names blend "gustav" with words like "relief," "charity," and "donation."

It's possible that some of this domain name parking is being done by individuals or organizations who will set up legitimate web sites if this storm does a Katrina-esque number on the same region. Make that remotely possible.

My bet is that the parking spot owners will either try to resell the domains to legitimate organizations or the domains will be used directly by phony fund raising scams. Let any tragedy occur, and there will be plenty of scum out there trying to take advantage of generous folks who truly want to help.

Remember that there are safe places to find out where you can help. The first place I tend to look is at cnn.com, where a click of the IMPACT button (near the top right corner of the home page) will bring you lists of charities and other outlets where you can help.

[Image: cnn.com IMPACT button]

Disasters such as tsunamis and earthquakes come with little or no warning. Hurricanes, cyclones, and typhoons, on the other hand, are known well in advance of potential catastrophe. That gives profiteers plenty of time to be in place to reap rewards from others' suffering.

Similar domain names for Hurricane Hanna are already being registered.

Alert Message Phishing
Posted on August 31, 2008 at 09:49 AM

Phishing is pretty much all the same—luring you to a web site that looks just like the login page for a financial institution or anywhere else where a username/password combination opens the gates to goodies.

If one is wary of the overt style of phishing message—the one where there is a problem with your account, and you should log in to fix it—the shields might lower for a moment when the phishing message has a bit of indirection to it. Such is the case of one I saw this morning, which tries to lure a Capital One customer to view a message within the bank's web site messaging system. The institution with which I do online banking has a Mail section of the web site, where we can communicate with each other electronically. I believe this is fairly common. And, of course, the only way you can view such messages is by logging into the site.

The phishing message wasn't particularly professional-looking, but here it is just the same:

[Image: Capital One mail system phishing message]

Note that my email client, Microsoft's Entourage for the Mac, renders hidden link addresses in plain view. Most recipients of this phishing message would just see "click here" as a clickable link, with no visible URL. Thus, even if they knew what to look for, they might not recognize that the URL is to an IP address in Poland.
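The check that the author's mail client happened to do for him (showing the real target behind "click here") can be automated. The following is an added example, not code from the original post: it parses an HTML mail body, pairs each link's real target with its visible text, and flags the patterns this post describes, a bare IP address as the host, a host outside the domain the message claims to speak for, and visible text that names one site while the link goes to another. The sample body, the 192.0.2.0/24 documentation address and the `TRUSTED_DOMAINS` allow-list are all constructed for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample in the style of the phishing message described above
# (not the real message). 192.0.2.0/24 is a documentation range, standing in
# for the foreign IP address the real lure pointed at.
SAMPLE_HTML = """
<html><body>
<p>Dear Capital One Customer,</p>
<p>You have 1 new message waiting in your Online Banking Mail Center.</p>
<p>To read it, <a href="http://192.0.2.10/capitalone/login.htm">click here</a>.</p>
<p>For a secure session use <a href="http://www.capitalone.com@192.0.2.10/login">Secure login</a>.</p>
<p>Or type <a href="http://www.capitalone.com.example.net/">https://www.capitalone.com</a> yourself.</p>
<p>Visit <a href="https://www.capitalone.com">www.capitalone.com</a> for more information.</p>
</body></html>
"""

# Domains the message claims to speak for (hypothetical allow-list; a real
# deployment would derive this from the purported sender).
TRUSTED_DOMAINS = {"capitalone.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def assess_link(href, text, trusted_domains=TRUSTED_DOMAINS):
    """Return the reasons this link looks deceptive (empty list if it looks fine)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reasons = []
    if is_ip_literal(host):
        reasons.append("target is a bare IP address")
    if parts.username is not None:
        reasons.append("URL carries a user@ prefix that can impersonate a hostname")
    if host and not any(under_domain(host, d) for d in trusted_domains):
        reasons.append(f"host {host!r} is not under a trusted domain")
    # Visible text that itself looks like a hostname must agree with the real target.
    shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", text.lower())
    if shown and not under_domain(host, shown.group(0)) and not under_domain(shown.group(0), host):
        reasons.append(f"visible text names {shown.group(0)!r} but the link goes to {host!r}")
    return reasons


def suspicious_links(html, trusted_domains=TRUSTED_DOMAINS):
    """Map each deceptive href in the body to the reasons it was flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons = assess_link(href, text, trusted_domains)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_HTML).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Running it on the constructed body flags three of the four links and leaves the genuine `www.capitalone.com` link alone. The same `assess_link` test is the one to apply to whatever ends up in the address bar after you click: the host must be a name under the institution's domain, never an address and never a look-alike with the real name tucked in front of someone else's domain.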

Now, I've heard of outsourcing, but humongo Capital One isn't going to host its login pages at a hacked server in Warsaw.

This serves as a reminder that if you receive any type of communication purporting to come from a financial institution with whom you do business, use your established bookmark to visit the site and log in through that page.

I also go one step further—even with bookmarked pages—to make sure that the login page has the correct URL in the Address bar and the SSL certificate is in force (at least as much as the browser reveals). I perform that check for every page that requests login credentials, even accounts that seem harmless in that they don't contain much personal information. Why am I so paranoid about this? Because if a crook gets hold of any one username/password combination, there is a good chance that that combo will open doors at other sites (no, I don't have individual combinations for each freakin' site that requires a login—and it seems as though you've gotta open an account at more and more sites these days just to get basic information). It's trivial for crooks to set up robots that try your credentials at thousands of sites. All it takes is one success to expose further personal or credit card data stored on those servers associated with that username/password pairing.

It's sad that we have to concern ourselves about this stuff. But taking a What, me worry? attitude puts you directly in the line of fire from way too many Bad Guys.

University Degree--No Larnin' Needed
Posted on August 27, 2008 at 08:16 AM

Legitimate universities—including those from whom you can earn a real degree—always put their best feet forward to attract students. Fancy catalogs, professionally-done web sites—whatever it takes to exude professionalism, class, and taste.

In contrast comes the Subject: line of one of those "dial-a-degree" spam messages, which promise that one's work experience (oops, they forgot to mention the money) is good enough to obtain a degree, including a Doctorate. Professionalism, class, and taste? You decide:

Subject: FW: Is your skills about to expired?

Is you is, or is you ain't college material?

Phony Anti-Virus Software
Posted on August 23, 2008 at 07:55 PM

The malware lure du jour advertises security software for home or business, depending on which variant of the email you receive. Here are a few Subject: lines I've seen:

  • Business Security Software
  • You Computer Security. For you home.
  • A new standard of Internet threat protection for your home.

The first line of the messages varies, but the balance of all the messages I've seen are identical. Here's one variant:

Anti-Virus Nero Advanced Pro. 2008. Download last update! <http://[removed].com/dhl/dhl.php>

6 month free trial!

A new standard of Internet threat protection for your home or small office.
Award-winning protection against viruses and spyware, identity theft and phishing, hackers and spam.

Anti-Virus Nero Advanced Pro. 2009 antivirus software with maximum spyware protection.
Protects against viruses, Trojans, and worms, spyware and adware, rootkits, identity theft and phishing attacks.
Advanced proactive protection, unmatched system performance,
automatic hourly updates and the fastest response to the latest threats.

The URLs in all the messages I've seen (every one on a hijacked web server) lead to a PHP program called dhl.php, which automatically downloads name.avi.exe to a visiting PC. That Trojan downloader is recognized by most legitimate antivirus software, according to a VirusTotal scan.

Accepting an invitation to download and install unknown antivirus software from an unknown sender is about as safe as French-kissing a stranger in the influenza ward. Both lead to infections that you don't really want to experience.

Bogus Windows Updates
Posted on August 21, 2008 at 08:25 AM

Two flavors of phony Windows update notices have been arriving in the past few hours.

The first arrived with a variety of Subject: lines, such as:

  • Important Microsoft Windows Update
  • Critical Microsoft Windows Update

Message bodies also varied a little, but generally followed the format of this one:

Dear Microsoft Customer,

You are receiving this message because your version of Microsoft Windows is affected by a dangerous security vulnerability.

In order to prevent possible risk of system instability, Microsoft urges you to update at your earliest convenience.

We are providing a free update to all Microsoft Windows users.

You can update your system for free by visiting the offical website for this patch, at http://updatemanagement.[removed].net/?customerservice
Thank you for your understanding in this matter.

Regards,
Wilton Silver
Business Relations Rep.
Microsoft Corp.
http://updatemanagement.[removed].net/?customerservice

The domain name, which includes the words system and update, was registered today, and the supposed registrant is [get this] "Government of St. Vincent and the Grenadines."

Almost anyone in the PC biz would know that Microsoft, itself, would never publicly label any vulnerability as "dangerous." But it's a good word to get the attention of the less technically aware.

On to the second attempt, which arrived here in rapid succession with the same Subject: and message body:

Subject: Free Update For Windows

Dear dannyg@dannyg.com, Free Update for Windows Xp,Vista
http://[IP Address Removed]/setup.exe

Each message was sent from a different botnet client, in a not atypical fire hose spray of spam. All of the messages I received pointed to the same IP address hosted in Moldova. To my surprise, the account at that address had been shut down pretty quickly—a responsible response I'm not accustomed to seeing from those environs.

At the two destinations, the techniques for infecting visitors' machines were quite different, with the first one being far more elaborate. It may be that two crooks/gangs happened upon the same email approach within hours of each other. Whether this was serendipity or an orchestrated event doesn't matter to users. Identifying bogus notices should matter a great deal.

Be it now and forever known that major operating system vendors (e.g., Microsoft and Apple) have spent oodles of money to build system updating mechanisms into their operating systems. If there were such a dire need to update an OS that it caused the companies to send emergency email messages to their customers (a near zero likelihood, BTW), both companies would direct customers to use the internal updating mechanisms, and not provide a link to visit to download the update.

There must be, however, a goodly number of Windows users out there who use pirated copies of XP and Vista. The internal Windows Update mechanism isn't available to them because their OSes fail the "genuine advantage" test. Heaven knows what else was delivered with the pirated OS already, but their users would probably be tempted to download a supposedly free update that lets them avoid Microsoft's laser-eyed stare. I don't have a lot of sympathy for the pirate users, and getting their systems pwned by a botnet might feel like Justice...except that it means that their systems will be used to flood my inbox with spam and perhaps attack my web sites. Vigilantism on the Internet usually backfires on the vigilantes.

Back to News (Sorta)
Posted on August 18, 2008 at 11:42 AM

Malware lures continue unabated, arriving as bogus e-card announcements, supermarket tabloid spam, and, today, largely idiotic and not very clever "Weekly top news," as the Subject: lines read (yesterday, the line was "BREAKING new"). Message bodies contain a couple of sentences, a link to a hijacked web site, where the crooks have planted the index1.html file in the root web directory, and a further lure: "Read All (nn) breaking news and nn shocking videos," where "nn" are numbers that vary with each message.
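Three of the campaigns on this page (index98.html and video98.exe, dhl.php, and now index1.html) share one ingredient: a legitimate site whose owner never noticed that a stray file had appeared in the web root. The following is an added example, not code from the original post or from any of the sites involved: a baseline-and-compare integrity check that hashes every file under a web root, stores the result, and on the next run reports files that were added, removed or changed, with added files of executable or script types called out separately. The `PAYLOAD_SUFFIXES` watch-list and the throwaway web root built in `demo()` (with the planted names taken from the posts above) are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large downloads do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


# File types a crook plants on a hijacked site to serve or run a payload
# (hypothetical watch-list; extend it to whatever the site never legitimately serves).
PAYLOAD_SUFFIXES = {".exe", ".scr", ".php"}


def compare(baseline, current):
    """Diff two snapshots; 'payloads' lists added files whose type is on the watch-list."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    payloads = [p for p in added if Path(p).suffix.lower() in PAYLOAD_SUFFIXES]
    return {"added": added, "removed": removed, "changed": changed, "payloads": payloads}


def demo():
    """Constructed web root: baseline it, simulate a takeover, and return the report."""
    with tempfile.TemporaryDirectory(prefix="webroot-") as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0 }\n")

        # Baseline taken while the site is known-good; in practice this JSON is
        # kept somewhere the web server process cannot write to.
        baseline_json = json.dumps(snapshot(root))

        # Simulated takeover: a planted lure page, a dropped file (a constructed
        # placeholder, not a real binary), and a defaced front page.
        (root / "index98.html").write_text("<html><body>lure page</body></html>\n")
        (root / "video98.exe").write_bytes(b"constructed placeholder, not a real binary\n")
        (root / "index.html").write_text("<h1>Welcome</h1><!-- injected content -->\n")

        return compare(json.loads(baseline_json), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run from cron against the real document root, with the baseline file kept outside that root, this turns "a crook planted index1.html" from something a spam recipient discovers into something the site owner hears about first. The hash comparison also catches the subtler case where an existing page is edited in place, which a listing of new files would miss.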

Some of these "hot" news items are dull; others stupid. Here are some samples for your entertainment:

  • Windows 7 details to be released — Technical information about the successor to Windows Vista will be revealed at two October conferences, says Microsoft.
  • Madonna and Angelina Jolie in adoption war related lesbian romp! — Race to adopt as much of Africa as they can.
  • George Bush Pardons Lindsay Lohan — President George W. Bush presided over Lindsay Lohan's trial and gave her a full pardon, but left the fine intact.
  • Hundreds Flock to View Image of Jesus in Vomit Puddle — Hundreds of faithful Christians have lined up around the block of a bar in Long Beach, California to pray before an image in a puddle of vomit they believe represents Jesus Christ.
  • Aliens Are Gay Says Astronaut — Former Astronaut Dr. Edgar Mitchell - a veteran of the Apollo 14 mission - claims aliens are gay and that they are responsible for many of the earth's ills including global warming, war, disease and The View.
  • Bigcock Discovered In Georgia — After the discovery of Bigfoot in Georgia comes another discovery - Bigcock - a giant of a man in more ways than one and a beast that certainly needs taming.

Two words: Ree diculous.

And yet, there will be enough bored or curious PC users out there to make this campaign successful enough in its desire to enroll new PCs into a botnet.