Virus propagation follows an evolutionary pattern – the ones we see are the survivors that have the right balance of technical ingenuity and social psychology to get themselves installed. I therefore conclude that lots of people have clicked Continue on sight of the following dialog, which you get if you follow a link in the CNN Daily Top 10 spam email doing the rounds right now (I have had it over 20 times):
In Firefox it is even cruder – just a link to a viral executable, click OK or cancel.
What gets me is that this is such an obvious virus. Here are several clues:
- The URL for the page is not cnn.com
- The supposed Flash placeholder image is obviously faked. It says “Flash Player 0” is installed
- The English is poor
- This doesn’t look anything like IE’s normal behaviour when installing a new ActiveX control (it isn’t of course, it is just asking you to download an EXE)
- Image missing on the dialog
- The dialog doesn’t even mention Flash
- I’ve not actually checked, but I’d be astonished if the executable is signed, so the user will have to pass further warnings unless they are running an ancient version of Windows
- Of course I already have Flash 9 installed
I also presume from the success of the virus that either lots of people don’t have current a/v software installed, or it didn’t work because it was not updated in time.
Why is this virus succeeding? I imagine because it is trading on two respected brands – CNN, and the fact that most people are happy to install Flash and know it is OK to do so (the real one, that is).
Shows what a tough job the security guys have. You have to assume people will click OK to almost anything.