
Watch Free Movie - Update Every Hour!, Major malware distribution attempt.
Farelf - posted Jul 29 2008, 09:30 PM - Post #1


T-shirt wearing out
Group Icon

Group: Membersph
Posts: 4312
Joined: 23-February 04
From: Western Australia
Member No.: 491



For several weeks I have been seeing an increasing volume of 'news' spam with curiously mismatched subject and body - like http://www.spamcop.net/sc?id=z2108631583za...48196decd4d9b1z
"Subject: Steve Jobs' vital signs show weakening"
Body "Arnold Schwarzenegger quits as Governer"

The payload URLs are unrelated to either - Googling shows the single-line webpage descriptor "Watch Free Movie - Update Every Hour!". Some of these carried one (at least) of several exploits (fake CODEC being the most common). Hokay - botnet recruiting, understood. Many returned blameless scans (LinkScanner Online). Which is a worry. (Decoy or undetected exploit?) [Incidentally - many of the spam claim to be "Using Opera's revolutionary e-mail client:" and kudos to SC for pulling the parser away from the Opera URL quite quickly - after a day or two at most the parser ignored it.]

Today's batch (larger than yesterday's) all scanned clean. Which is a real worry. What is going on? The payload URLs all seem to be different so it's not simple SEO.

Googling "Watch Free Movie - Update Every Hour!" produces pages and pages of hits with the same single line webpage descriptor (about 254 out of 537 hits and rising). So, I'm assuming these are all related. CastleCops notes a malware connection to spam in the "Free Movie" sites case - http://www.castlecops.com/p1107673-Watch_F...ur.html#1107673 (CAUTION - live links there). So, clean scans or not, it is probably still 'just' a malware distribution thing in which case the variation in exploits is a worry, as is the ability to effortlessly keep in front of/avoid LinkScanner.

Browsers (on some networks) can be redirected 'mid stream' using DNS exploits to malicious sites and maybe the utilization of that might require a whole army of different URLs (to avoid blocking) and none of those websites actually needs to be an exploit site in its own right (it would not even be seen when the redirection works), which is another possibility.

Ah well, paranoia shared is paranoia divided as many times. Or is that multiplied? I always get confused on that point. :D


--------------------
Plus ça change, plus c’est la même chose
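A defender-side illustration of the triage the post describes, added here as an example and not code from the thread or from SpamCop: it takes a batch of messages, extracts the payload hosts, applies the subject/first-line mismatch heuristic, and correlates messages into one campaign by the shared page descriptor "Watch Free Movie - Update Every Hour!" even though every payload URL differs. The four sample messages and the PAGE_TITLES table are constructed; in practice the titles would come from an isolated fetcher, not from the analyst's own browser.

```python
import re
from email import message_from_string

# Constructed sample messages, modelled on the pattern described in the post:
# a news-style Subject, an unrelated news-style first line, and a payload URL
# that differs from message to message. None of these are real spam samples.
SAMPLE_MESSAGES = [
    "Subject: Steve Jobs' vital signs show weakening\n"
    "From: sender@example.net\n\n"
    "Arnold Schwarzenegger quits as Governor\n"
    "http://news-alpha.example/watch\n",
    "Subject: Markets rally on rate decision\n"
    "From: sender@example.net\n\n"
    "Hurricane makes landfall overnight\n"
    "http://video-beta.example/clip?id=7\n",
    "Subject: Celebrity wedding called off\n"
    "From: sender@example.net\n\n"
    "Oil prices hit record high\n"
    "http://delta-news.example/go\n",
    "Subject: Weekly newsletter\n"
    "From: list@example.org\n\n"
    "Weekly newsletter\n"
    "http://newsletter.example/issue/12\n",
]

# Constructed stand-in for the page <title> a sandboxed fetcher would record per host.
# delta-news.example is deliberately absent to represent a host not yet scanned.
PAGE_TITLES = {
    "news-alpha.example": "Watch Free Movie - Update Every Hour!",
    "video-beta.example": "Watch Free Movie - Update Every Hour!",
    "newsletter.example": "Example Newsletter",
}

CAMPAIGN_TITLE = "Watch Free Movie - Update Every Hour!"
HOST_RE = re.compile(r"https?://([^\s/]+)", re.IGNORECASE)


def extract_hosts(body):
    """Return the distinct hosts referenced by URLs in the body, in order of appearance."""
    seen = []
    for host in HOST_RE.findall(body):
        host = host.lower()
        if host not in seen:
            seen.append(host)
    return seen


def first_headline(body):
    """First non-empty body line that is not itself a URL (the 'story' the mail shows)."""
    for line in body.splitlines():
        line = line.strip()
        if line and not HOST_RE.match(line):
            return line
    return ""


def analyse(raw):
    """Classify one message: subject/body mismatch and campaign membership by page title."""
    msg = message_from_string(raw)
    subject = (msg["Subject"] or "").strip()
    body = msg.get_payload()
    hosts = extract_hosts(body)
    titles = {h: PAGE_TITLES.get(h) for h in hosts}
    headline = first_headline(body)
    return {
        "subject": subject,
        "headline": headline,
        "hosts": hosts,
        "mismatch": subject.casefold() != headline.casefold(),
        "campaign": any(t == CAMPAIGN_TITLE for t in titles.values()),
        "unscanned": [h for h, t in titles.items() if t is None],
    }


def summarise(raws):
    """Roll up a batch: campaign members, the distinct hosts they used, messages that
    only trip the mismatch heuristic, and hosts still needing a sandboxed fetch."""
    results = [analyse(r) for r in raws]
    campaign_hosts = sorted({h for r in results if r["campaign"] for h in r["hosts"]})
    return {
        "campaign_messages": sum(r["campaign"] for r in results),
        "campaign_hosts": campaign_hosts,
        "mismatch_only": sum(r["mismatch"] and not r["campaign"] for r in results),
        "needs_scan": sorted({h for r in results for h in r["unscanned"]}),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_MESSAGES))
```

The mismatch heuristic alone is noisy (the third sample trips it with no title evidence), so it is reported separately from title-confirmed campaign membership; hosts listed under needs_scan are the ones to hand to an isolated fetcher before deciding on blocking.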