SPAM frauds, fakes, and other MALWARE deliveries - archive
Last Updated: 2011-10-21 02:06:15 UTC ...(Version: 2) - "A worm is making the round infecting JBoss application servers. JBoss is an open source Java based application server and it is currently maintained by RedHat. The worm exploits an older configuration problem in JBoss, which only authenticated GET and POST requests. It was possible to use other methods to execute arbitrary code without authentication. The problem was fixed last year, but there are apparently still a number of vulnerable installs out there. If you do run JBoss, please make sure to read the instructions posted by RedHat here:
Analysis of the worm: http://pastebin.com/U7fPMxet "
26 October 2011 - "... The malware behind the attack is significant both because it targets servers rather than PCs and for its reliance on exploiting a vulnerability that is over a year old – a flaw in JBoss Application Server patched by Red Hat in April 2010 – in order to attack new machines. The worm's payload includes a variety of Perl scripts, one of which builds a backdoor on compromised machines... exploits with a patch available for over a year accounted for 3.2 per cent of compromises..."
Fake jobs: jobbworld .com and yourjobb .com
23 October 2011 - "Two new domains being used to recruit for fake jobs, which actually turn out to be illegal activities such as money laundering.
This is part of a long-running scam that has been going on for ages. One characteristic of the spam received is that it appears to come from your own email address..."
Fake jobs: canada-newjob .com, netherlandjobb .com and newjobrecruit .com
20 October 2011 - "Another bunch of domains being used to peddle fake jobs:
These domains form part of this long running scam. You may find that the emails appear to come from your own email address..."
Mass SQL Injection attack hits 1 million sites
Oct 19, 2011 - "A mass-injection attack similar to the highly publicized LizaMoon attacks this past spring has infected more than 1 million ASP.NET Web pages, Armorize researchers said*... According to database security experts, the SQL injection technique used in this attack depends on the same sloppy misconfiguration of website servers and back-end databases that led to LizaMoon's infiltration. "This is very similar to LizaMoon," says Wayne Huang, CEO of Armorize, who, with his team, first reported an injected script dropped on ASP.NET websites that loads an iFrame to initiate browser-based drive-by download exploits on visitor browsers to the site. Initial reports by Armorize showed that 180,000 Web pages had been hit* by the offending script, but Huang told Dark Reading that a Google search resulted in returns for more than 1 million Web pages containing the injected code..."
"... The script causes the visiting browser to load an iframe first from www3 .strongdefenseiz .in and then from www 2.safetosecurity .rr.nu. Multiple browser-based drive-by download exploits are served depending on the visiting browser... if they have outdated browsing platforms (browser or Adobe PDF or Adobe Flash or Java etc). This wave of mass injection incidents is targeting ASP and ASP.NET websites..."
File name: file-2979089_
Submission date: 2011-10-21 13:29:39 (UTC)
Result: 30/42 (71.4%)
Dissecting the Ongoing Mass SQL Injection Attack
Oct 20, 2011
- https://encrypted.google.com/ ...
Oct. 25, 2011 - "... about 1,610,000 results..."
Targeted malware attack shows how Fast Fingerprinting works
October 24, 2011 - "... technology is helping anti-virus researchers detect malicious Microsoft Office files, by examining if they fail to conform to the OLE2 file format specification... two differences between the new malware sample and previous ones are:
- The case of the Workbook stream had been changed to workbook...
- Previous incarnations had contained the unicode string "HP LaserJet" at offset 0x638 and the new version has had the first four characters "HP L" overwritten with nulls.
At the time of analysis, detection of this malware by other vendors wasn't very good... according to VirusTotal, detection has improved*. If your computer wasn't updated with Microsoft's MS09-067** security patch, then the cybercriminal could have installed the Mal/Gyplit-A malware onto your PC."
File name: e6d3bf9d5ba93ec6444612f819029e52942100f7.bin
Submission date: 2011-10-21 11:54:37 (UTC)
Result: 17/43 (39.5%)
Microsoft Office Excel ...
Facebook spams evolved
October 25, 2011 - "... links usually redirect in two steps to a Canadian Pharmacy website where various (fake) meds are offered at unbelievable prices. We have noticed a new type of mail which at the first glance seems to be from the mentioned category. This time, there is a text:
“Please call +7 951 xyzq”.
According to its prefix, the number is from Russia... if we consider that the number starts with “9" then I think I can assume that it is a very expensive number... Can it be that the Canadian Pharmacy spam doesn’t bring enough money to the spammers anymore and they are searching for new methods of getting some easy money? Fortunately for us, the spam is malformed and it is quite easy to detect it as spam. But this opens a new chapter in Facebook related spam – now those who are not aware of such scams can lose some serious money. Facebook will never ask you to call any number. They will also never send you such a notification and definitely your Facebook Inbox will never get full. We strongly advise all users to never call any number present in such emails."
URL shorteners actively circumvent spam filters
Bulk Registrars, URL Shorteners, Dynamic DNS Providers
October 27th, 2011 - "We’ve been maintaining lists of Bulk Registrars, Dynamic DNS Providers, and URL Shorteners...
We just added a new list of “unverified” URL Shorteners here: http://mirror1.malwaredomains.com/files/url_shorteners-unverified.txt
We’ll be going through the URLs and adding them to the main list once they have been verified. If anyone wishes to help in this effort, please let us know."
October 25, 2011 - "According to new information from researchers at Symantec, a group of spammers have created a group of 87 spam-friendly, public URL shortening services and are actively using them to circumvent spam filters on popular sites. Using URL shortening scripts that are free and open source, the spammers are churning spam through the service..."
“ce.ms” free domains... host malicious code
October 27, 2011 - "...it appears that attackers are leveraging free “.ce.ms” domains. Likewise, we have identified a number of .ce.ms domains exploiting various known client side vulnerabilities. Here are a few of the URLs being used:
October 30, 2011 - "... Late last week, our friends at Zscaler* discovered that cybercriminals have now moved to hosting their wares on "ce.ms" domains (.ms being the top-level domain for Montserrat, an island in the West Indies). A simple Google search led me to several forums and personal blog posts as early as June of this year complaining about getting fake AVs from such sites, with the Zscaler discovery looking much more complex..."
The Market for stolen credit cards data...
October 31, 2011 - "What's the average price for a stolen credit card? How are prices shaped within the cybercrime ecosystem? Can we talk about price discrimination within the underground marketplace? Just how easy is it to purchase stolen credit cards known as dumps or full dumps, nowadays?... the market for stolen credit cards data... 20 currently active and responding gateways for processing of fraudulently obtained financial data.
Key summary points:
• Tens of thousands of stolen credit cards a.k.a. dumps and full dumps offered for sale in a DIY market fashion
• The majority of the carding sites are hosted in the Ukraine and the Netherlands...
• Four domains are using Yahoo accounts and one using Live.com account for domain registration...
• Several of the fraudulent gateways offered proxies-as-a-service, allowing cybercriminals to hide their real IPs by using the malware infected hosts as stepping stones.
The dynamics of the cybercrime ecosystem share the same similarities with that of a legitimate marketplace. From sellers and buyers, to bargain hunters, escrow agents, resellers and vendors specializing in a specific market segment, all the market participants remain active throughout the entire purchasing process. With ZeuS and SpyEye crimeware infections proliferating, it shouldn't be surprising that the average price for a stolen credit card is decreasing. With massive dumps of credit card details in the hands of cybercriminals, obtained through ATM skimming and crimeware botnets, the marketplace is getting over-crowded with trusted propositions for stolen credit card details..."
(More detail at the ddanchev URL above.)
October 31st, 2011
Nov. 1, 2011
New cyber attack targets chemical firms: Symantec
Oct 31, 2011 - "At least 48 chemical and defense companies were victims of a coordinated cyber attack that has been traced to a man in China, according to a new report from security firm Symantec... Computers belonging to these companies were infected with malicious software known as "PoisonIvy", which was used to steal information such as design documents, formulas and details on manufacturing processes... The cyber campaign ran from late July through mid-September..."
Duqu: status - 0-Day Exploit
Nov. 1, 2011 - "... an installer has recently been recovered due to the great work done by the team at CrySyS. The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution. We contacted Microsoft regarding the vulnerability and they're working diligently towards issuing a patch and advisory. When the file is opened, malicious code executes and installs the main Duqu binaries...
• An unpatched zero-day vulnerability is exploited through a Microsoft Word document and installs Duqu
• Attackers can spread Duqu to computers in secure zones and control them through a peer-to-peer C&C protocol
• Six possible organizations in eight countries have confirmed infections
• A new C&C server (184.108.40.206) hosted in Belgium was discovered and has been shutdown..."
(More detail at the symantec URL above.)
Webinjects - underground market
November 02, 2011 - "... cybercriminals have been busy developing webinjects for Zeus and Spyeye to orchestrate and develop malevolent attacks against certain brands. Webinjects are malware configuration directives that are used to inject rogue content in the web pages of bank websites to steal confidential information from the institution’s customers... Trusteer’s research team has discovered that these webinjects are being offered for sale on many open internet forums... developers are earning a decent income from selling the Zeus/Spyeye webinjects service to an increasingly diverse customer base... the developers have gone to the trouble of obfuscating the Zeus/Spyeye webinjects, not because they want to confuse malware researchers, but to try and prevent piracy of their software... webinjects can’t be modified by the 'customer', if they need localization for a specific country and language, this can only be carried out by the developers... for a price... resale is rife. Those that have purchased a copy of webinject are openly -reselling- their version to anyone wanting to steal the same information from victims... From the advertisements we’ve seen there are multiple targets, including British, Canadian, American, and German banks..."
(More detail at the trusteer URL above.)
December 21, 2010 - "... the Bozvanovna botnet is also using so-called Webinjects to phish credentials and steal money from the victims online bank account..."
MIT server hijacked - used by hackers to compromise other websites
November 3, 2011 - "A server belonging to the Massachusetts Institute of Technology was commandeered by hackers who used it to launch attacks against other websites as part of a larger drive-by download campaign, according to antivirus vendor BitDefender*... The rogue script hosted on the MIT server searched for vulnerable installations of phpMyAdmin, a popular Web-based database administration tool. When the script finds a server with phpMyAdmin version 2.5.6 through 2.8.2, it exploits a vulnerability in the application and injects malicious code into the underlying databases. This attack campaign started in June and resulted in over 100,000 compromised websites so far... The company's researchers believe that the attacks are related to the Blackhole Exploit Pack, one of the most popular drive-by download toolkits currently used by cybercriminals. Users visiting websites compromised in this campaign will be redirected to exploits for vulnerabilities in Java and other browser plug-ins, which try to install malware on their computers... As far as the BitDefender researchers could tell, the server is still online, but no longer attacking websites... The fact that these servers have considerable resources and bandwidth at their disposal is also appealing to cybercriminals and could cause problems for less powerful systems that find themselves attacked. The denial-of-service effect on the smaller systems can be easily mitigated by filtering traffic from the offending IP addresses. However, most of the time hackers don't care if that happens because they use a hit-and-run approach... Webmasters are advised to remove old applications from their servers or keep them updated even if they are only rarely used. They should also review the server logs regularly for unusual requests that could be an indication of an attack in progress. 
Drive-by download toolkits like Blackhole continue to be popular with cybercriminals because a large number of users do a poor job of keeping their operating systems, browsers and other Internet-facing software up to date."
2 November 2011
5 million new malware samples - Q3 2011
Nov 3 - PandaLabs Report – Q3 2011 - "... PandaLabs Report Q3 11 is out... In this quarter 5 million new malware samples have been created and the record of new Trojans has been broken, as it is the preferred category by cybercriminals to carry out their theft of information... The highlight of this third quarter is the record set in the creation of new Trojan samples. 3 out of 4 new malware samples created by cybercriminals are Trojans and this is just another proof that they are focused on stealing users' information."
PDF file 2.9MB - 18 pgs.
Pirate Bay - malware for Macs
November 4, 2011 - "We recently analyzed DevilRobber.A, a Mac OS X malware that has both backdoor and trojan-like capabilities. All the samples we've collected so far were from torrents uploaded by a single user account on The Pirate Bay website... The files shared were legitimate Mac applications, but modified to include the malware's components... the malware author had varying purposes for each of his creations. One variant steals the Keychain of the infected machine and logs the number of files on the system... Graham Cluley* speculates may be referring to "pre-teen hardcore pornography". It appears as though the malware author is trying to find illegal child abuse materials, by spotting which infected machine has the most pornography and using its credentials to gain access to the materials. Other variants install applications related to Bitcoin mining. These applications use both the CPU and GPU computational power of the infected machines, which improves the mining operations at the computer owner's expense... all the variants we've seen log the number of files that match a certain set of criteria, and also steal the Terminal command history and Bitcoin wallet. All variants also perform the following:
• Opens a port where it listens for commands from a remote user.
• Installs a web proxy which can be used by remote users as a staging point for other attacks.
• Steals information from the infected machine and uploads the details to an FTP server for later retrieval..."
Phone scam targets PC users with phony virus reports
Updated 7-November with additional details - "Online con artists are targeting PC users worldwide in a brazen scam. It starts with a phone call from a “tech support specialist” who warns that your computer is infected with a virus. To fix things, all you have to do is give the caller remote access to your PC... it starts with a phone call from someone who claims to be affiliated with Microsoft or another legitimate company or government agency. The caller then asks for the primary computer user in the house, who is told: “Your computer has downloaded a virus.” And, of course, the caller is ready and willing to fix the problem. All you have to do is navigate to a web site, click a link to install some remote-control software, and allow the “technician” to get to work. [NOT] The perps are using legitimate remote-assistance software, like the Ammyy Admin program from Ammyy Software Development, which posted a warning* that included some reports the company has received from scam victims..."
(More details at the zdnet URL above.)
November 08, 2011
Fake USPS e-mail w/PDF malware...
November 10, 2011 - "... an email purporting to have come from a legitimate company with an attached Adobe .PDF file claiming that it's either a receipt, a document, or a ticket. Claims of what the attachment is supposed to be vary, but what remains consistent is that the email always instructs recipients to open it and / or save it on their computer... seeing an uptick of this particular campaign, which poses as a message from the United States Postal Service (USPS) and bears the subject "Package is was not able to be delivered please print out the attached label"... When executed, it connects to the IP address, 91(dot)221(dot)98(dot)29, and downloads the file named step.exe, which is a variant of FakeSysDef, a rogue malware. It also checks on the following websites, all of which are from Russia:
... we detect this malware as Trojan.Win32.Generic!BT. As always, steer clear from these kinds of emails..."
Fake USPS Package Delivery Notification E-mail Messages...
November 10, 2011 - "... The text in the e-mail message attempts to convince the recipient to open the attachment and view the details. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code..."
73,000 daily malware threats created...
November 11, 2011 - "... CI uses the Internet "community" - users of Panda's free CloudAntivirus, along with other companies and collaborators - to locate malware... ranging from viruses to worms, Trojans, spyware and other attacks. CI now has a database of more than 25 terabytes of cloud-based classification data... According to Panda, a third of all the malware in existence was created in the first 10 months of 2010. The average number of threats created daily rose from 55,000 in 2009 to 63,000 in 2010 to 73,000 this year..."
:mad: :mad: :mad:
Virus Outbreak In Progress
November 14, 2011
Fake Secret File Malicious Link E-mail Messages...
Fake Payment Details Spreadsheet E-mail Messages...
Fake Royal Mail Service Delivery Failure E-mail Messages...
Summary Report - (Past 24 hours)
"... by Country... by ASN..."
Htaccess redirection - malware ...
• Visits compromised site by clicking from a search engine
• Browser is redirected to sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 (and variations)
• Browser is redirected to hxxp ://www4.personaltr-scaner.rr.nu/?gue5mx=i%2BrOmaqtppWomd%2FXxa.. (or www3 .bustdy .in or www3 .strongdefenseiz .in and variations)
• Browser is again redirected to hxxp ://rdr.cz.cc/ go.php?6&uid=7&isRedirected=1 (and other domains)
From there, it can be sent to online surveys
(hxxp ://www.nic.cz.cc/redir2/?hxxp ://surveyfinde.com/d/local-job-listings .net), malware web sites, fake search engines and anywhere the attackers decide.
>> If your site is compromised, check your .htaccess to see if it was modified. If you are not sure, run a scan on your site here:
... we are seeing it being used in combination with timthumb.php attacks and on outdated Joomla/WordPress sites. So you have to make sure all of them are updated to avoid getting reinfected. *Also, the site is -not- blacklisted by Google (or in any major blacklist)..."
? - http://forums.spybot.info/showpost.php?p=415962&postcount=91
Bash commands to detect script injections and malware
find . -name '*.js' | xargs grep -l 'eval(unescape'
find . -name '*.php' | xargs grep -l 'eval(base64_decode'
Seek and destroy!"
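A defender-side scanner, added here as an example and not code from the post or the sites it quotes: it generalises the two find/grep one-liners above to a few more obfuscated-eval patterns (gzinflate, str_rot13) and adds a check for the referrer-conditional .htaccess redirect described in the post. It runs against a constructed sample web root; the file names and the redirect host in it are placeholders.

```shell
#!/bin/sh
# Constructed example (not from the forum post). Two scanners over a web root:
# obfuscated eval() calls in .js/.php files, and .htaccess files that bounce
# search-engine visitors to another host while leaving direct visits alone.

# Print every .js/.php file under $1 containing an obfuscated eval() call.
# -F matches the patterns literally, so "(" needs no escaping. grep exits 1
# when a batch has no match, which would make find exit non-zero: mask that.
scan_eval_injections() {
    find "$1" -type f \( -name '*.js' -o -name '*.php' \) \
        -exec grep -lF -e 'eval(unescape' -e 'eval(base64_decode' \
                       -e 'eval(gzinflate' -e 'eval(str_rot13' {} + \
        2>/dev/null || true
}

# Print every .htaccess under $1 that BOTH conditions a rewrite on a
# search-engine referrer AND rewrites to an absolute URL on another host.
# Either alone can be legitimate; together they are the cloaked redirect
# from the post: search visitors are bounced, direct visits and scanners
# see a normal page, so the site stays off blacklists.
scan_htaccess_redirects() {
    find "$1" -type f -name '.htaccess' | while IFS= read -r f; do
        if grep -iqE 'RewriteCond[[:space:]]+%.HTTP_REFERER.*(google|yahoo|bing|msn|aol|ask)' "$f" &&
           grep -iqE 'RewriteRule[[:space:]]+[^[:space:]]+[[:space:]]+https?://' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a small constructed web root to run the scanners against.
make_sample_webroot() {
    root="$1"
    mkdir -p "$root/theme" "$root/blog"
    printf 'document.title = "clean";\n' > "$root/theme/app.js"
    # injected: eval(unescape(...)) appended to a library file
    printf 'document.write(eval(unescape("%%64%%6f%%63")));\n' > "$root/theme/jquery.min.js"
    # injected: eval(base64_decode(...)) dropped into a PHP file
    printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' > "$root/blog/timthumb.php"
    printf '<?php echo "clean";\n' > "$root/blog/index.php"
    # legitimate rewrite: no referrer condition, relative target
    printf 'RewriteEngine On\nRewriteRule ^old$ /new [R=301,L]\n' > "$root/.htaccess"
    # injected rewrite of the kind described in the post (placeholder host)
    cat > "$root/blog/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*(google|yahoo|bing|msn).*$ [NC]
RewriteRule .* http://redirect.example.invalid/nl-in.php?nnn=555 [R,L]
EOF
}

# Stand-alone use: scan the document root given as $1, or the sample root.
main() {
    if [ -n "$1" ]; then
        scan_eval_injections "$1"
        scan_htaccess_redirects "$1"
    else
        tmp=$(mktemp -d)
        make_sample_webroot "$tmp/site"
        echo "== obfuscated eval() in scripts =="
        scan_eval_injections "$tmp/site"
        echo "== referrer-conditional .htaccess redirects =="
        scan_htaccess_redirects "$tmp/site"
        rm -rf "$tmp"
    fi
}
main "$@"
```

Review every hit by hand: minified libraries and legitimate geo/affiliate rewrites can trip either pattern, and a clean scan says nothing about injected database rows or modified binaries.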
2011-Q3 Security threat report - Trend Micro
Nov. 15, 2011 - "... Google replaced Microsoft as the software vendor with the greatest number of reported vulnerabilities for the quarter - 82. This is due to the increasing number of vulnerabilities found in Chrome, which continues to grow in popularity. Oracle came in second place, with 63 vulnerabilities, while Microsoft fell to third place with 58 vulnerabilities. Furthermore, the United States, which normally takes the top spot in the list of spam-sending countries dropped out of the top 10 list and was replaced by India and South Korea... researchers also witnessed a significant shift in terms of cybercriminal attack targets. The attacks have changed from being massive in nature - those aimed at affecting as many users as possible, to targeted, particularly those against large enterprises and government institutions... trends seen during the third quarter are already taking place halfway into the fourth quarter, with the addition of attacks leveraging the holidays. Attackers will further hone their attacks to target specific entities and will continue leveraging mobile platforms and social media..."
(More detail available at the trendmicro URL above - the complete report [PDF] here*)
Virus outbreak in Progress
November 16, 2011
... times are GMT and in 24 hour format
Troj/Agent-UBA 11/15/2011 15:25
Troj/DwnLdr-JME 11/15/2011 13:59
Mal/EncPk-ABA 11/15/2011 10:52 - http://www.threatexpert.com/reports.aspx?page=2&find=zbot *
Troj/FakeAV-ETK 11/15/2011 10:15
W32/Gamarue-C 11/15/2011 06:52
W32/Gamarue-D 11/15/2011 01:09
11/16/2011 Results 1 - 20 of 38
2011.11.16 - Malware risk - HIGH
Atlas - summary reports (Past 24 hours)
Fake Electronic Payment Cancellation E-mail Messages...
Fake Order Document E-mail Messages...
Fake UPS Shipment Error E-mail Messages...
Fake USPS Package Delivery Notification E-mail Messages...
Fake Missing Tax Document Notification E-mail Messages...
Fake Royal Mail Service Delivery Failure E-mail Messages...
Fake DHL Shipment E-mail Messages...
Malicious UPS Delivery Notification E-mail Messages...
Fake Facebook Profile Image E-mail Messages...
(Yet another) Virus Outbreak In Progress
November 21, 2011
Fake USPS Package Delivery Notification E-mail Messages...
"... sample of the e-mail message that is associated with this threat outbreak:
Subject: USPS service. Get your parcel ID92082..."
5 Top malicious spam subjects
17 Nov 2011 - "... campaigns are sent in a short period of time, and then disappear for a while. Usually, campaigns will last for about one hour or less, therefore some companies might struggle with blocking these emails. Below are the top 5 campaigns that we've seen over the last several days.
Order N21560 (numbers vary)...
FW: Re: UNIFORM TRAFFIC TICKET (ID: 239127922) (numbers vary and subject might appear without FW: or RE: )
Fwd: Your Flight Order N125-9487755 (numbers vary)...
3. DELIVERY COMPANIES:
USPS Invoice copy ID46298 (numbers vary)
FedEx: New Agent File Form, trackid: 1V6ZFZ7FEOHUQ (numbers vary)
DHL Express Notification for shipment 90176712199 (numbers vary)...
... Emails with "test" in the Subject line are commonly used by criminals to spread their malicious software. Users are used to seeing legitimate emails with "test" in the Subject line when an email system is being checked, and also spammers use such techniques to validate an email address.
5. Payment/TAX systems:
FRAUD ALERT for ACH, Your Wire Transfer, Wire transfer rejected, IRS requires new EIN, IRS Tax report..."
(Screenshots and more detail available at the websense URL above.)
Fake FBI email threatens recipients with jail
23 November 2011 - "An e-mail purportedly coming from the FBI Anti-Terrorist and Monetary Crimes Division has been hitting inboxes and threatening recipients with jail time if they don't respond, reports Cyberwarzone*.
"We have warned you so many times and you have decided to ignore our e-mails or because you believe we have not been instructed to get you arrested and today if you fail to respond back to us with the payment then we would first send a letter to the mayor of the city where you reside and direct them to close your bank account until you have been jailed and all your properties will be confiscated by the fbi," says in the email. "We would also send a letter to the company/agency that you are working for so that they could get you fired until we are through with our investigations because a suspect is not suppose to be working for the government or any private organization."
The crooks continue with the threats, accusing the recipient of being an "internet fraudster"... there is no way that the email is legitimate..."
Java attack rolled into Exploit Kits
November 28, 2011 - "A new exploit that takes advantage of a recently-patched critical security flaw in Java is making the rounds in the criminal underground. The exploit, which appears to work against all but the latest versions of Java, is being slowly folded into automated attack tools. The exploit attacks a vulnerability* that exists in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it’s time to update... a discussion in an exclusive cybercrime forum about an exploit that appears to have been weaponized... the hacker principally responsible for maintaining and selling BlackHole said the new Java exploit was being rolled out for free to existing "license" holders..."
CVSS v2 Base Score: 10.0 (HIGH)
"... Java SE JDK and JRE 7 and 6 Update 27 and earlier..."
Check your version here: https://www.java.com/en/download/installed.jsp
28 Nov 2011 - "... the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in the Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). During the one year period starting in the third quarter of 2010 (3Q10) and ending in the second quarter of 2011 (2Q11), between one-third and one-half of all exploits observed in each quarter were Java exploits..."
Charted: * https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-50-43-metablogapi/3252.clip_5F00_image004_5F00_5E607283.png
Dec 01, 2011 - "... Metasploit... added a new module for the latest Java attack that abuses a recently patched vulnerability... then was quickly "productized" into a crimeware kit in the underground... the attack also was getting rolled into the BlackHole crimeware kit..."
... and of course, we have the obligatory Monday:
Virus Outbreak In Progress
Nov. 28, 2011
Fake Invoice Document E-mail Msgs... updated November 23, 2011
Fake United Parcel Service Invoice Notification E-mail Msgs... updated November 23
Fake Electronic Payment Cancellation E-mail Msgs... updated November 23
Fake iTunes Gift Certificate E-mail Msgs... updated November 23, 2011
November 28, 2011
November 27, 2011
Fake -Intuit- online payroll E-mail...
Last updated 11/28/2011 - "Customers have reported receiving a fake Intuit Online Payroll Free Trial email... copy of the fake email:
Thank you for choosing the Intuit Online Payroll Free Trial.
Please refer to attached file for detailed information.
During your free trial, you'll discover just how quick and easy it is to run payroll online:
Easy to set up and use
Run payroll anywhere, anytime - 24 hours a day, 7 days a week.
Includes everything from instant paycheck calculations and free direct deposit to electronic tax filing and payments and W-2 forms
Free support by phone or online
Let's set up your account.
Setting up your Intuit Online Payroll account is easy. All you need is your User ID and password to sign in and get started. To make signing in easier in the future, be sure to bookmark this page.
If you have your current payroll information handy, you can even run your payroll today. We're here to help...":
HELP steal your "User ID and password", that is.
Facebook worm in the Wild...
November 29, 2011 - "... the worm is said to be "a classic" one in terms of how it infects Internet users: uses stolen credentials to log in to Facebook accounts and then spam contacts. The message is said to contain a link to a file purporting to be an image—Screenshot* of the file shows it has a .JPG extension—but it's actually a malicious screensaver. Once run, it drops a cocktail of malicious files onto the system, including ZeuS, a popular Trojan spyware capable of stealing user information from infected systems. The worm is also found to have anti-VM capabilities, making it useless to execute and test in a virtual environment, such as Oracle VM VirtualBox and VMWare. Please keep in mind that securing your information, including your social network credentials, is a must..."
Cybercrime svcs ramp up - demand from fraudsters ...
November 30, 2011 - "... recent Trusteer Research has indicated changes in service scope and price due to service convergence and demanding buyers... One-stop-shop - Trusteer Research came across a new group that besides offering infection services (for prices between 0.5 and 4.5 cents for each upload, depending on geography) also provides polymorphic encryption and AV checkers... For Polymorphic encryption of malware instances they charge from $25 to $50 and for prevention of malware detection by anti-virus systems (AV checking) they charge $20 for one week and $100 for one month of service... final paid price depends on percentage of infections... Some malware services like AV checking and Encryption are becoming a commodity, driving cybercriminals to consolidate services to stay competitive and introduce new offerings like the Phone Service... advise banks and their online banking users to maintain constant vigilance, apply software updates, maintain an awareness of new threats... complement desktop hygiene solutions like Anti Virus with security controls specifically designed to protect against Financial Malware... Some fraudster groups specialize in infecting hosts with malware, either by creating a botnet of hosts that could be infected at will, or by inserting exploit code to sites and routing victims to these sites to infect them using drive-by-downloads."
November 30, 2011 - "The FBI* is warning that computer crooks have begun launching debilitating cyber attacks against banks and their customers as part of a smoke screen to detract attention away from simultaneous high-dollar cyber heists. The bureau says the attacks coincide with corporate account takeovers perpetrated by thieves..."
:fear: :mad: :mad:
Cutwail SPAM campaigns lure users to Blackhole Exploit Kit
December 1st, 2011 - "Over the past few days the Cutwail botnet has been sending out malicious spam campaigns with a variety of themes such as airline ticket orders, Automated Clearing House (ACH), Facebook notification, and scanned document. These campaigns do -not- have malware attachments, instead the payload is delivered via links to malicious code hosted on the web... The message body may look like a legitimate Facebook notification*. However, further inspection reveals the underlying link redirecting to a malicious webpage...
Another campaign spammed out by Cutwail claims to be a flight ticket order. The spam can be easily spotted by its subject lines. It looks seemingly like a “forwarded” or “reply” email and uses the subject format shown in the image**...
... example of the message***
... There are two things you should notice about this particular spam campaign. Firstly, the visible URL shown does not conform to the URI naming scheme of not having a top level domain, a clumsy mistake from the spammers. Other similar messages use “www.airlines.com” which is a parked domain. Secondly, “Airlines America” in the signature block is not a real airline company unless the spammers meant to imply American Airlines.
> Two other spam campaigns resurfaced this week, namely the “Automated Clearing House (ACH)” and the “scanned document”...
... The URL link in these campaigns points to a compromised web server that serves a small HTML file. The HTML file then contains a malicious iframe that opens up a Blackhole exploit kit landing page. This is the same exploit kit used in previous spam campaigns such as the Steve Jobs is Alive and fake LinkedIn notifications... If you are a system administrator, you may want to block the following exploit kit landing pages.
At the time of analysis, loading the exploit kit webpage downloaded SpyEye and the Bobax spambot on to our vulnerable hosts."
SSH password brute forcing... on the rise
Last Updated: 2011-12-04 23:26:51 UTC
"... received a report of ongoing SSH account brute forcing against root. This activity has been ongoing for about a week now from various IPs... A review of the DShield data* shows a spike can easily be observed starting 15 Nov and has been up/down ever since...
Some Defensive Tips...
- Never allow root to log in, no matter what: always login in as a regular user and then use su/sudo as needed.
- Change port number: why go stand in the line of fire?
- Disallow password authentication (use keys)
In addition to the above, you should also consider using TCP Wrappers with the SSH service to limit access to only those addresses that need access..."
(More at the first isc URL above.)
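An added example (not from the ISC diary above): a small POSIX sh audit that checks an sshd_config against the three tips, reading the first uncommented occurrence of each option the way sshd itself does. It assumes 2011-era OpenSSH defaults when an option is absent and does not handle options inside Match blocks; the config it runs on is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the ISC diary): audit an sshd_config against the three tips above.
# sshd uses the FIRST uncommented occurrence of an option, so that is what we read.
# Assumptions: 2011-era OpenSSH defaults (PermitRootLogin yes, PasswordAuthentication yes,
# Port 22) apply when an option is absent; options inside "Match" blocks are not handled.

sshd_option() {
    # $1 config file, $2 option name (case-insensitive), $3 default if absent.
    # A commented-out line ("#PermitRootLogin no") never matches because $1 is "#...".
    awk -v k="$2" -v d="$3" '
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print d }' "$1"
}

audit_sshd_config() {
    cfg="$1"
    weak=0
    root=$(sshd_option "$cfg" PermitRootLogin yes)
    if [ "$root" != "no" ]; then
        echo "WEAK: PermitRootLogin $root  (tip 1: set PermitRootLogin no, use su/sudo)"
        weak=$((weak + 1))
    fi
    port=$(sshd_option "$cfg" Port 22)
    if [ "$port" = "22" ]; then
        echo "WEAK: Port 22  (tip 2: move sshd off the default port)"
        weak=$((weak + 1))
    fi
    pw=$(sshd_option "$cfg" PasswordAuthentication yes)
    if [ "$pw" != "no" ]; then
        echo "WEAK: PasswordAuthentication $pw  (tip 3: set to no, authenticate with keys)"
        weak=$((weak + 1))
    fi
    # Exit status is the number of weak settings, so 0 means all three tips are applied.
    return $weak
}

# Demo on a constructed config: the commented-out line must not count as set,
# so this config trips all three checks.
demo=$(mktemp)
printf '%s\n' '#PermitRootLogin no' 'Port 22' 'PasswordAuthentication yes' > "$demo"
audit_sshd_config "$demo" || echo "weak settings found: $?"
rm -f "$demo"
```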
C|Net Download.Com is now bundling Nmap with malware...
5 Dec 2011 - "... C|Net's Download.Com site has started wrapping their Nmap downloads (as well as other free software like VLC) in a trojan installer which does things like installing a sketchy "StartNow" toolbar, changing the user's default search engine to Microsoft Bing, and changing their home page to Microsoft's MSN. The way it works is that C|Net's download page (screenshot attached) offers what they claim to be Nmap's Windows installer. They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap's real installer. Of course the problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn't put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs..."
File name: 29d0ca5df3dd63a69630a1bbdbfbcfdad6271702
Submission date: 2011-12-07 06:34:59 (UTC)
Result: 7/43 (16.3%)
Last Updated: 2011-12-06 06:40:53 UTC
Caution: downloads can be hazardous to your PC's health...
8 December 2011 - "... much of the proprietary freeware and trial software on Download .com will retain its Download .com Installer packaging. Initial reactions on the net also noted that a number of popular open source programs still had an installer wrapping them and there appears to have been no apology for specifically bundling GPL, or enhanced GPL in the case of Nmap, software with closed source installers."
August 22, 2011
Urgent Block: BlackHole Exploit Kit redret Spam Domains
December 6th, 2011 - "From the Internet Storm Center*... IP addresses to block are also in the article*. Also see this article**. Will be added here but you shouldn’t wait."
Last Updated: 2011-12-06 03:04:51 UTC - "... all domains still active/resolving that host BlackHole exploit kit, the actual one and not the links on the spams...
... they are resolving to:
220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11
In recent past, the following IPs were also observed hosting them:
18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52...
Comments (12.06.2011, 19:21 UTC): 184.108.40.206 is hosting these domains crredret .ru, ctredret .ru, curedret .ru, czredret .ru"
"... malware that connects using an IP address instead of a domain name will -not- be blocked when you use just domain name lists..."
23 November 2011
Affected and abused domains ...
Last Updated: 2011-12-10 17:42:46 UTC - "... covered the emergence of hacked DNS zones ("What's In A Name") a couple weeks ago*... domains affected have been abused for the past several days to push copies of the BlackHole Exploit Kit. The IP range used changes about every three, four days:
220.127.116.11 in use until Dec 2, AS34714, Opticnet, Romania
18.104.22.168 in use until Dec 5, AS43215, Monyson Group, Russia
... exploit code politely checks which version of Java is present, and only launches the exploit on Java installations that are not running the very latest update. Unfortunately, this seems to be the case for the majority of Java deployments out there. Today, almost two weeks after this latest wave of exploits started, the exploit code for CVE-2011-3544 is still only detected by roughly half the anti-virus companies on VirusTotal**... by far the most successful for the bad guys at the moment..."
File name: v1.class
Submission date: 2011-12-10 16:30:47 (UTC)
Result: 19/43 (44.2%)
Last revised: 11/24/2011
CVSS v2 Base Score: 10.0 (HIGH)
100$ or a free iPad! - scam
Last Updated: 2011-12-12 23:21:39 UTC ...Version: -3- "... several misspellings of wikipedia are used in this scam, in addition to many other domains. wikipeida-org, wikepedia-org, wictionary-org, wikpedia-com, wikispaces-cm are all domains with a typo that redirect visitors to a "you won a prize" page... to claim the prize lots of personal information must be entered...
Update: Other prominent typo domains affected include youtrube-com, youotube-com, youzube-com..."
CA incident report...
Last Updated: 2011-12-14 17:39:34 UTC - "GlobalSign released a press release today to address concerns that they may have had a compromise of their CA infrastructure.
They did a good job of stating what they did find and what they didn’t. They also address new measures put in place to improve their overall security posture.
“We didn't find any evidence of
* Rogue Certificates issued.
* Customer data exposed.
* Compromised GlobalSign Root Certificate keys and associated Hardware Security Modules (HSM).
* Compromised GlobalSign Certificate Authority (CA) infrastructure.
* Compromised GlobalSign Issuing Authorities and associated HSMs.
* Compromised GlobalSign Registration Authority (RA) services.
What did happen
* Peripheral web server, not part of the Certificate issuance infrastructure, hosting a public facing web property was breached.
* What could have been exposed? Publicly available HTML pages, publicly available PDFs, the SSL Certificate and key issued to www .globalsign .com.
* SSL Certificate and key for www .globalsign .com were deemed compromised and revoked. “
Phish campaign targets users - timed with breach...
December 14, 2011 - "A phishing campaign targeting customers of Telstra Bigpond, Australia's largest ISP, is urging users to confirm their billing information or risk the suspension of their account... All pretty run-of-the-mill - an access your account now by clicking on a link in this email or else spam - but neatly timed given that Telstra suffered a data breach last Friday. Personal information... was downloaded from an insecure Telstra customer portal last Friday (I have read numbers from 60,000 to 70,000), forcing Telstra to take down some of its services, including webmail, over the weekend. Ironically, the forced outage also prevented access to the Bigpond account management pages, making it hard for concerned users to change their passwords as a precaution against abuse, or, indeed, to check their account and billing information... an unpatched version of WordPress allowed the phishers to "borrow" services from an Aussie blogger... this email was obviously a phish:
- Bigpond doesn't send out access your account now by clicking on a link emails.
- The email contains numerous errors of orthography, spelling and grammar. Official Bigpond emails are professionally written.
- The link you are asked to click on has no obvious connection with Telstra or Bigpond.
- Official Bigpond emails to you aren't addressed to someone called "Duchess" with a competitor's webmail account (unless your name is Duchess, of course).
... if you run a WordPress blog, make sure you've applied the latest patches. Vulnerable blog sites can be a gold mine for cybercrooks."
Ransomware impersonates the police
19 Dec 2011 - "... several samples of a ransomware family localized into different languages... We've so far seen variants localized into four languages: English, Spanish, German, and Dutch... Upon execution, the ransomware locks the computer, displays the localized screen.. and demands the payment of a "fine" for the supposed possession of illicit material. In order to make the computer functional again, the user is asked to transfer money via a legitimate online payment service, such as Paysafecard or Ukash, to the supposed authorities. These services are -not- involved in any way with the scammers' scheme; instead, they are being used for malicious purposes... In the case of Trojan:Win32/Ransom.DU... that impersonates the German Federal Police, 91.59% of the samples we received from July to November this year were found in Germany... this localized ransomware family can be distributed through drive-by downloads and that the Blackhole Exploit Kit is involved... nowadays Blackhole distributes many widespread malware families... PS: Just today we encountered a sample targeting residents of France..."
Dec. 4, 2011 - "... Based on the statistics obtained from one of the nodes hosting an active Black Hole exploit pack, the most frequently exploited vulnerabilities leading to system infection with malware are found in Java software... The exploited vulnerabilities aren’t really new: some of them are more than a year old... To prevent antivirus software detecting the dropper the Black Hole exploit kit includes functionality for measuring dropper detections by the most widely used antivirus software. When the number of detections reaches a defined value the dropper is repacked by the service responsible for it..."
Email Bank Deposit Scam
12/19/2011 - "USAA's Enterprise Security Group has found an aggressive email phishing scam directed at USAA Members. The email has a subject line "Deposit Posted." What makes this particular phishing email different is there is a randomly generated four-digit number placed in the USAA Security Zone section... While this email* does not ask the recipient to click on a link, it does ask the member to open an attached file. When this file is opened it launches a malicious banking virus that if successfully launched could provide access to your personal information and may require a complete reinstall of your computer's operating system.
What Members Should Do:
USAA Members are encouraged to take the following action if they receive this email:
Make certain the four digits in the Security Zone section match the last four digits of your USAA member number.
If the numbers do not match your member information you can delete it..."
December 20, 2011
... They might take it, but they won't give it away...
December 21, 2011 - "... No matter how realistic it seems..."
Fake browser addons spread SCAMS
22 December 2011 - "... spreading scams on Facebook. Instead of using status updates as a lure, the latest generation of Facebook scams attempt to trick marks into installing malicious browser extensions. The plug-ins are supposedly needed to view non-existent video clips supposedly posted by an earlier victim. Once installed, these malign browser add-ons spread the scam from one user's profile to another... The bogus extensions come as add-ons for both Firefox and Chrome. More details of the scam, including screenshots, can be found in a blog post by Websense*..."
"... The code checks which browser is installed and serves the compatible malicious plugin..."
Amnesty Int'l site serving Java exploits...
December 22, 2011 - "Amnesty International‘s homepage in the United Kingdom is currently serving malware that exploits a recently-patched vulnerability in Java. Security experts say the attack appears to be part of a nefarious scheme to target human rights workers... The site’s home page has been booby trapped with code that pulls a malicious script from an apparently hacked automobile site in Brazil. The car site serves a malicious Java applet that uses a public exploit to attack a dangerous Java flaw*... The site remains compromised..."
Comment: Emerson Povey @ amnesty.org.uk - December 23, 2011 - "... we have been working with our hosting service to resolve the issue. They have cleaned our servers, rebooted the system and removed the script from the default page. At 2pm today they confirmed that the problem is now fixed."
December 22, 2011 - "... compromised on or before Friday, December 16... Amnesty International UK has been notified... Java content (stolen from the Metasploit project), which targets CVE-2011-3544. If the exploit is successful, malware is installed on the visitor’s system..."
VirusTotal Detections for Exploit
... a more up-to-date report (24/43) for this file:
File name: 542b24f1da13f0b1d647f3865b09e026bf00d4ef.bin
Submission date: 2011-12-22 10:47:27 (UTC)
Current status: finished
Result: 24/43 (55.8%)
VirusTotal Detections for Exploit Payload
... a more up-to-date report (22/43) for this file:
File name: f91dd927fd78a36176a68998304d70c8
Submission date: 2011-12-20 16:19:51 (UTC)
Result: 22/43 (51.2%)
Last revised: 11/24/2011
CVSS v2 Base Score: 10.0 (HIGH)
Current versions of Java here*:
Last Updated: 2011-12-28 00:51:54 UTC - "Now .. where is nl.ai ?? Dot-ai is Anguilla, a speck of land in the Caribbean, to the east of Puerto Rico. And probably has nothing at all to do with what follows. Dot-nl-dot-ai, on the other hand, appears to be a free domain name registrar.
If you're into malware analysis, you've probably seen your fair share of .nl.ai domains recently. And not just these. Feeding "nl.ai" into RUS-CERT's Passive DNS collector http://www.bfk.de/bfk_dnslogger.html?query=ns1.cd.am#result gives us the name server for .nl.ai (one ns1.cd.am), which in turn shows a couple of other domains that are currently very familiar to the malware analyst. Like .c0m.li, and .cc.ai.
If you are blocking domains on your gateway or DNS server, blackholing these few:
... might be a reasonable move, at least until someone in your business can show that they have a legitimate need to access one of the sub domains of these pseudo top level domains. Mind you, chances are that not all domains hosted there in fact are bad. But all the ones that I've seen in my logs so far: were."
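An added example (not from the ISC diary above) of what blackholing those pseudo top level domains looks like in practice: a POSIX sh filter that flags query-log lines for names under nl.ai, c0m.li and cc.ai, matching on a label boundary so a look-alike such as xnl.ai or a name that merely contains nl.ai in the middle is not a hit, plus the blackhole lines for a resolver. The log format is constructed for the example, and the blackhole syntax assumed is dnsmasq's address=/suffix/ip, which covers every subdomain of the suffix.

```shell
#!/bin/sh
# Added example (not from the ISC diary): flag DNS query-log lines for names under the
# pseudo-TLDs named above and emit matching blackhole lines.
# Assumptions: the log format "<time> <client-ip> <qname> <qtype>" is constructed for this
# example; the blackhole syntax is dnsmasq's address=/suffix/ip, which covers all subdomains.
PSEUDO_TLDS="nl.ai c0m.li cc.ai"

under_pseudo_tld() {
    # $1: queried name. Matching is on a label boundary, so "www.xnl.ai" and
    # "nl.ai.example.com" are not hits while "update.nl.ai" and "NL.AI." are.
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    for sfx in $PSEUDO_TLDS; do
        case "$name" in
            "$sfx"|*."$sfx") return 0 ;;
        esac
    done
    return 1
}

flag_queries() {
    # Reads log lines on stdin, prints "<client-ip> <qname>" for each hit.
    while read -r _ts client qname _qtype; do
        [ -n "$qname" ] || continue
        if under_pseudo_tld "$qname"; then
            printf '%s %s\n' "$client" "$qname"
        fi
    done
}

blackhole_config() {
    # One dnsmasq line per pseudo-TLD; 0.0.0.0 sinks the name and everything below it.
    for sfx in $PSEUDO_TLDS; do
        printf 'address=/%s/0.0.0.0\n' "$sfx"
    done
}

# Constructed sample log: two hits plus one near-miss on each side of the label boundary.
SAMPLE_LOG='2011-12-27T10:00:01Z 10.0.0.5 update.nl.ai A
2011-12-27T10:00:02Z 10.0.0.6 www.xnl.ai A
2011-12-27T10:00:03Z 10.0.0.7 cdn.c0m.li A
2011-12-27T10:00:04Z 10.0.0.8 nl.ai.example.com A'

printf '%s\n' "$SAMPLE_LOG" | flag_queries
blackhole_config
```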
QR code malware ...
Dec 29, 2011 - "... QR codes, hackers are starting to take advantage of these square, scannable bar codes as a new way to distribute malware. Like all mobile attack vectors, it is a new frontier that security researchers say is not extremely prevalent but which has a lot of potential to wreak havoc if mobile developers and users stand by unaware... Just point your mobile device's camera on the code, scan it and the reading will take you to the website or mobile app download that its promoter promises to provide... There are a number of ways they are already using malicious codes to perpetrate their scams. On iOS devices, for example, hackers are re-purposing jail-break exploits to send users to websites that will jailbreak the device and install additional malicious malware... attackers are using QR codes to redirect users to fake websites for phishing..."
9 Jan 2012
Web hijacks with AJAX
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0249 - 9.3 (HIGH)
MS10-002 - IE "... as exploited in the wild..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0806 - 9.3 (HIGH)
MS10-018 - IE "... as exploited in the wild..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1297 - 9.3 (HIGH)
Adobe Flash Player, Reader, and Acrobat "... as exploited in the wild..."
Post Transaction fraud schemes erase evidence of account theft ...
January 04, 2012 - "... During the final few weeks of 2011, we saw fraudsters take advantage of this trend with their latest fraud scheme... we’ve typically seen man-in-the-browser attacks take place at one of the three possible online banking phases... There is another, less discussed, form of man-in-the-browser attack – the post transaction attack... as the name implies, occur after the evil deed has already been done and the account holder has closed the online banking session. These are designed to conceal illegitimate activity for as long as possible to either allow money to transfer to its final destination – uninterrupted, or continue to control the account and perform further transactions... Just before the recent holiday season, we came across a SpyEye configuration which attacks banks in the USA and UK. Instead of intercepting, or diverting, email messages... the attack automatically manipulates the bank account transaction webpage the customer views... a post transaction attack is launched that hides fraudulent transactions from the victim..."
(More detail at the trusteer URL above.)
Worm on Facebook steals 45,000 logins ...
January 5, 2012 - "... Seculert's research lab has discovered that Ramnit recently started targeting Facebook accounts with considerable success, stealing over 45,000 Facebook login credentials worldwide, mostly from people in the UK and France... Recently, our research lab identified a completely new 'financial' Ramnit variant aimed at stealing Facebook login credentials. Since the Ramnit Facebook C&C URL is visible and accessible it was fairly straightforward to detect that over 45,000 Facebook login credentials have been stolen worldwide, mostly from users* in the United Kingdom and France...
... We suspect that the attackers behind Ramnit are using the stolen credentials to log-in to victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further. In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks... With the recent ZeuS Facebook worm and this latest Ramnit variant, it appears that sophisticated hackers are now experimenting with replacing the old-school email worms with more up-to-date social network worms. As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands..."
MS11-100 exploit released
Jan 9, 2012 - "A few days after Microsoft released a patch to fix a vulnerability in ASP.NET that could enable a denial-of-service attack, someone has released exploit code for the vulnerability. The proof-of-concept exploit code was posted to the Full Disclosure mailing list.. the code is designed to exploit a recently discovered vulnerability in ASP.NET that's related to the way that the software handles certain HTTP post requests... The problem isn't actually specific to ASP.NET, but affects a variety of languages and applications. Microsoft shipped an emergency patch* for the flaw on Dec. 29, recommending that users install it as quickly as possible... The base cause of the problem is that when ASP.NET comes across a form submission with some specific characteristics, it will need to perform a huge amount of computations that could consume all of the server's resources."
Last Updated: 2012-01-09 19:21:27 UTC
BBB SPAM leads to 'Blackhole'...
12 Jan 2012 - "... BBB is aware of the spam and posted an alert on their site, and also offer the following suggestions:
'To verify the legitimacy of BBB complaints, contact Better Business Bureau locally. Consumers or businesses who have received the fraudulent emails are asked to report them to http://bbb.org/scam/report-a-scam ...'
NY banks and Online Theft ...
Jan. 10, 2012 - "... initiatives are designed to encourage banks to work together to better protect against hackers, whose efforts to shut down electronic operations and steal money or customer data pose a growing concern for the industry... Online attacks have increased sharply over the past two years and financial institutions are among the most likely targets, according to a new survey by PricewaterhouseCoopers LLP, the consulting firm. Avivah Litan, an analyst with Gartner Research, expects financial companies to increase spending on fraud detection and customer authentication systems by as much as 12%, to $1 billion, over the next two years — a record... While many bank officials agree with the information-sharing in principle, some are concerned that doing so could provide rivals with too much insight into their operations... Sharing might be discouraged in other parts of banking, because of possible antitrust implications...
the chief technology officer of a large bank said "phishing" attacks used by cyber criminals to extract personal information were not a threat... 'If they are -not- a threat, why are you spending $2 million on software to protect against them?'... The executive's answer: "We don't want to talk about fraud in front of anyone."
Search: online bank frauds
... about 109,000,000 results.
IP's to block...
Last Updated: 2012-01-14 21:40:30 UTC - "Antony Elmar owns quite a few domain names... lives in a lovely city called "Kansas, US"... with a phone number that is a tad odd for "Kansas, US" and has a dial prefix that looks more like Italy... Registrant Phone:+3.976639877...
His new domains currently point to 22.214.171.124, in Moldova... The IP used seems to change about once per week, until past Thursday, Antony's virtual HQ was at the neighboring IP, 126.96.36.199.
His latest new domains include:
... and provide a generous helping of malware to users unlucky enough to get redirected there via what appears to be poisoned ads on legitimate web pages..."
Zbot spreads thru fake email ...
January 13, 2012 - "... malicious SPAM campaign that is actively sent out by the Cutwail spam botnet. The suspicious email claims to be a bill summary from the New York-based energy company Con Edison, Inc. It may use the subject line “ConEdison Billing Summary as of <DATE>” and the attachment uses the filename format Billing-Summary-ConEdison-<random numbers>-<Date>.zip... The attached zip file contains an executable file, which unsurprisingly is a Zbot malware variant. When extracted, the malicious executable uses no disguise. It uses no fake icons of Adobe Reader or Microsoft Word, no double file extensions, or excessive use of space in the file name to hide the .EXE extension... bill notifications do -not- usually arrive with an executable file - so emails like this should be treated with extreme suspicion. When you see these obvious signs of malware, just stop and delete the email..."
Zappos breach - 24M affected...
January 16, 2012 - "... Zappos.com is advising over 24 million customers to change their passwords following a data breach... Zappos employees received an email from CEO Tony Hsieh on Sunday*, alerting them about a security breach that involved the online shop's customer database... Even though he assured everyone that no credit card details had been compromised, Hsieh revealed that the attacker had accessed customer records including names; email, billing and shipping addresses; phone numbers, and the last four digits of their credit card numbers. The hacker also gained access to password hashes for the accounts registered on the website, prompting the company to reset everyone's access codes. Zappos is currently in the process of emailing its 24 million customers in order to notify them about the security breach and advise them to change their passwords..."
Last Updated: 2012-01-16 16:56:49 UTC
Jan 17, 2012 - "... hackers had not been able to access servers that held customers' critical credit card and other payment data... Zappos... was recommending that customers change their passwords including on any other website where they use the same or similar password..."
Jan 17, 2012 - "... Although the goal would be to never have a breach in the first place, if it happens, there is a crisis of confidence among the customers. Acting quickly and decisively can work wonders toward restoring that confidence, as customers sense they are receiving current, relevant, and honest communication about the incident..."
(Yet -another- hAcK...) T-Mobile USA hacked
17 January 2012
Zeus variant - Gameover...
January 17, 2012 - "A recent FBI warning* on the Zeus variant called Gameover reveals that high detection accuracy of fraudulent transactions is not enough to prevent cybercrime. This new attack is specifically designed to circumvent post transaction fraud prevention measures... Some Post-Transaction Attacks are not targeted at the bank but rather at the user. One example uses SpyEye to execute man in the browser (MitB) attacks that hide confirmation emails in web email services or fraudulent transactions on the online banking site... these attacks can bring the entire fraud assessment process to a grinding halt..."
(More detail at the trusteer URL above.)
"... The SPAM campaign is pretending to be legitimate e-mails from the National Automated Clearing House Association (NACHA), advising the user there was a problem with the ACH transaction at their bank and it was not processed. Once they click on the link they are infected with the Zeus or Gameover malware, which is able to key log as well as steal their online banking credentials, defeating several forms of two factor authentication. After the accounts are compromised, the perpetrators conduct a Distributed Denial of Service (DDoS) attack on the financial institution. The belief is the DDoS is used to deflect attention from the wire transfers as well to make them unable to reverse the transactions (if found)..."
Jan 17, 2012 - "... on January 18, 2012, dozens of popular websites covering a diverse range of subjects will be blacking out their home pages in protest of the U.S. Stop Online Piracy Act (SOPA). Some of these websites are well-known... While we cannot be certain exactly what sort of scams may appear, keep in mind that the websites listed above will resume normal activity around their announced times. It is unlikely they will resume much earlier, and some may even be slightly delayed in returning to normal activity. If you see any pronouncements about sites returning to operation early or an option to bypass the blackout by visiting a new web site, ignore them and wait for the site to return at its preannounced time: The “new” site being promoted may have far more malicious actions in mind than pictures of kittens, discussions about ents, bacon and narwhals or jokes about arrows to the knee..."
Malicious SPAM scam "Re: Scan from a Xerox..."
18 Jan 2012 - "... malicious email scam with the subject "Re: Scan from a Xerox W. Pro #XXXXXXX" went wild. This scam has returned – this time, with a new face! Instead of making you attach a .zip file, as it did in the past, it now prompts you to click a download link - DON'T... This redirects the link to a malicious site that hosts a Blackhole exploit kit. Once the iframe is loaded, content from the Blackhole exploit kit (which contains a highly obfuscated script) site is also loaded... Successful exploitation executes a shellcode that triggers the download and execution of malware... there is an administration option for this kit to use underground audio and video scanners for malware. This lets attackers tweak their malware samples to make them undetectable prior to launching their attack live... detected more than 3,000 messages in this campaign..."
SPAM / phish leads to malware...
"... The City of Seattle does not have its own Department of Motor Vehicles nor does the Seattle Police Department send email notifications of traffic violations..."
Search for "QuickTime" Leads to Phishing Site...
19 Jan 2012 - "... if you were to search for the term "QuickTime" today, the 31st resulting entry would lead to a typosquatted URL, which pulls content from a phishing URL... Clicking this Google search entry sends you to a fake QuickTime download site... The "Download Now" button doesn't take you to the download page for QuickTime software. It directs you to a phishing site instead. This alleged music download site phishes your credit card information on the membership fee payment page. Be aware of the risks of using your credit card on random websites to avoid such phishing attacks."
Top 50 Bad Hosts... Q4 2011
24 January 2012 - "There is one common denominator in cybercrime – it is hosted, served, or trafficked by some host or network operator somewhere. It could be assumed that such a succinct, yet true, statement should yield, in return, an equally concise solution. In fact, it provides only a place to start... The aim is to encourage service providers to "clean up" and to be proactive in stopping the cybercriminal activities found on their servers... Some things have changed since our early reports. There is now more cooperation between the security industry, law enforcement and service providers and some pleasing results against some of the worst activities found on the net. Sadly, some things have -not- changed. Cybercriminals are still too easily making financial gain from the lax procedures by service providers, security vulnerabilities of organizations large or small and Internet users’ lack of awareness. 2011 showcased some data breaches of truly epic proportions with the year ending in the same vein in which it began..."
(Full report links @ the hostexploit URL above.)
Typosquatting back in use... 7,000+ sites
22 Jan 2012 - "... Typosquatting of social web sites that lead visitors to spam survey sites with a high Alexa ranking. With our on-going research, we discovered that cyber-criminals are carrying out even more work, and the campaign is more widespread than we originally thought. Their targets are not limited to social web, but also include popular and frequently-visited registered typosquatting domains in all areas ranging from Google to Victoria's Secret, or Wikipedia to Craigslist; the list goes on. The attacker registers a network of typosquatting domains and redirects visitors of these mistyped sites to a spam survey site... discovered over 7,000 typosquatting sites within this single network... These typosquatting sites redirect visitors to a suspicious URL via a URL shortening service. From there, they take them to a spam survey site... After visitors complete the spam survey, they are then taken to spam advertisement distributed sites where spam advertisements are displayed... An example of such advertisement is a free movie downloader... Currently, these spam advertisements are not -spreading- maliciously..."
23 Jan 2012 - "... unofficial Google Chrome plugin forum Web page which is pulling in content from two malicious Web sites. We believe this Web page was compromised... The fake AdSense show_ads.js links to a typo-squatted URL where the whois record shows that it's clearly -not- a site owned by Google Inc... Notice the details*..."
Top 10 web security threats...
2012.01.25 - "The compromised website is still the most effective attack vector for hackers to install malware on your computer with 47.6 percent of all malware installs occurring in that manner, says security firm AVG*. Another 10.6 percent are tricked into downloading exploit code - many times, without their knowledge - by clicking on links on pages to sites hosting malware. The Chelmsford, Mass. company announced its findings as part of a broader study of threats detected by its software... AVG warns that the security issues plaguing desktops are migrating to mobile devices..."
MS12-004 exploit in-the-wild
Last revised: 02/01/2012
CVSS v2 Base Score: 9.3 (HIGH)
MS12-004 - Critical || Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)
Updated: Wednesday, January 11, 2012
Updated: Jan 27 2012
"... Reports indicate this issue is actively being exploited in the wild."
30 January 2012
Jan 31, 2012
Cybercriminals moving from TLD .ru to .su
Jan 29, 2012 - "... The Top Level Domain .ru is managed by the Coordination Center for TLD RU (cctld.ru). CCTLD.ru finally did their job well and addressed the reputation problem TLD.ru had by setting up new terms and conditions for domain name registration of .ru domains... .su is (... was) the Top Level Domain for the Soviet Union, which we all know doesn’t exist any more. Nevertheless, TLD .su (... operated by RIPN) is still active today which means that people can still register domain names with that TLD. As of today I’m seeing an increasing number of malicious .su domains being used by botnet herders. In fact this means that the criminals seem to be switching from .ru to .su ... If you don’t see any legit .su domains being hit/used in your company just simply -block- it."
Thanks for the link go to:
Jan 29, 2012
* Update 2012/02/06: After obtaining access to logs and PHP files from compromised Web servers, further analysis indicates that most of the compromised Web sites were running older versions of WordPress, but they were not all running 3.2.1. The attackers’ exact point of entry is uncertain. At first, we suspected vulnerable WordPress plugins, because a subset of analyzed sites were running vulnerable versions of the same WordPress plugins. Now that we have access to data from several compromised Web servers, the logs show us that, in some cases, the point of entry was compromised FTP credentials. In several instances, once attackers had access, they scanned WordPress directories and injected specific files (e.g., index.php and wp-blog-header.php) with malicious PHP code.
WordPress exploit in-the-wild for v3.2.1 sites ...
30 Jan 2012 - "... site was compromised because it was running an old version of Wordpress (3.2.1) that is vulnerable to publicly available exploits... more interesting is the redirection chain and resulting exploit site... From our analysis the number of infections is growing steadily (100+)... The Java exploit being served is CVE-2011-3544* (Oracle Java Applet Rhino Script Engine Remote Code Execution), which most Exploit Kits adopted in December 2011 because it is cross-platform and exploits a design flaw. Normally, kits use a variety of exploits... regardless of what OS or browser we used for testing, this Exploit Kit attempted to exploit ONLY our Java Runtime Environment (JRE). It did not attempt -any- other exploit... Websense... has found 100+ compromised Web sites, all with similar infection characteristics. The compromised Web sites all share these traits:
> Running WordPress 3.2.1
> Force a drive by download via iframe to the same malicious set of domains hosting a PHP Web page in the form of: [subdomain] .osa .pl/showthread.php?t=.*
> Attempt exploitation using CVE-2011-3544
If exploitation is successful, the TDSS rootkit will be installed on the user's machine.
If you're running WordPress 3.2.1, we recommend that:
You upgrade to the latest stable version of WordPress**.
Check the source code of all your Web pages to see if you've been infected (see the code above). If you have been infected, be sure to upgrade WordPress while simultaneously removing the injected code so that your Web pages aren't simply being reinfected after being cleaned.
January 3, 2012 - "The latest stable release of WordPress (Version 3.3.1) is available..."
Massive Compromise of WordPress-based sites...
Jan 30, 2012 - "... hundreds of websites, based on WordPress 3.2.1... The attacker uploaded an HTML page to the standard Uploads folder and that page redirects the user to the Phoenix Exploit Kit... logs show that users from at least -400- compromised sites were -redirected- to Phoenix exploit pages..."
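The two reports above describe the same on-disk traits: core files such as index.php and wp-blog-header.php injected with PHP, a drive-by iframe to [subdomain] .osa .pl/showthread.php?t=..., and an HTML page dropped into the uploads folder. The "code above" that the Websense advice refers to did not survive in this archive, so here is an added example (not Websense's or Sucuri's tooling) that walks a WordPress document root and flags those traits. The obfuscated-PHP heuristic, the sample file contents and the directory layout are assumptions made for illustration; the sample tree is constructed by the script itself.

```python
"""Added example (not Websense's or Sucuri's tooling): scan a WordPress tree for the
infection traits quoted above. File names, directory layout and heuristics below are
assumptions for illustration."""
import os
import re
import shutil
import tempfile

# Trait from the reports: an iframe to [subdomain].osa.pl/showthread.php?t=...
IFRAME_RE = re.compile(
    r'<iframe[^>]+src=["\']?https?://[^"\'\s>]*osa\.pl/showthread\.php\?t=', re.I)
# Generic obfuscated-PHP loader shape (constructed heuristic; the page does not
# reproduce the injected code itself)
OBFUSC_RE = re.compile(
    r'\b(eval|assert|preg_replace)\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(',
    re.I)
# Trait from the second report: a page dropped into the standard uploads folder
UPLOADS_DIR = os.path.join("wp-content", "uploads")
EXEC_SUFFIXES = (".php", ".html", ".htm", ".phtml")


def scan_file(path, root):
    """Return (finding, relative_path) tuples for one file."""
    rel = os.path.relpath(path, root)
    findings = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    except OSError:
        return findings
    if IFRAME_RE.search(data):
        findings.append(("iframe-osa.pl", rel))
    if rel.endswith(".php") and OBFUSC_RE.search(data):
        findings.append(("obfuscated-php", rel))
    if rel.startswith(UPLOADS_DIR) and rel.lower().endswith(EXEC_SUFFIXES):
        findings.append(("executable-in-uploads", rel))
    return findings


def scan_tree(root):
    """Walk a document root and return all findings, sorted for stable output."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(scan_file(os.path.join(dirpath, name), root))
    return sorted(findings)


def build_sample_site():
    """Constructed sample tree: one clean file, two injected core files, one dropped page."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'wp'); ?>\n",
        "index.php": ("<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n"
                      "<?php require('./wp-blog-header.php'); ?>\n"),
        "wp-blog-header.php": ("<?php require_once('./wp-load.php'); ?>\n"
                               '<iframe src="http://abc.osa.pl/showthread.php?t=12" '
                               'width="1" height="1"></iframe>\n'),
        os.path.join("wp-content", "uploads", "2012", "01", "photo.jpg"): "not really a jpeg\n",
        os.path.join("wp-content", "uploads", "2012", "01", "index.html"):
            '<meta http-equiv="refresh" content="0;url=http://example.invalid/">\n',
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Build the sample tree, scan it, clean up, and return the findings."""
    root = build_sample_site()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:24s} {rel}")
```

Run scan_tree() against the real document root and treat any hit as a reason to do what the advisory says: upgrade WordPress, rotate the FTP credentials (the confirmed entry point in several cases), and remove the injected code in the same change so the site is not reinfected behind you.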
Last revised: 01/27/2012
"... vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier..."
CVSS v2 Base Score: 10.0 (HIGH)
Latest Java versions available here:
JRE 6u30: http://www.oracle.com/technetwork/java/javase/downloads/jre-6u30-download-1377142.html
JRE 7u2: http://www.oracle.com/technetwork/java/javase/downloads/jre-7u2-download-1377135.html
File name: file-3486436_jar
Detection ratio: 12/41
Analysis date: 2012-01-31
File name: 39301c3e4ae8ed0e4faf0c3c18cf54a0
Detection ratio: 10/43
Analysis date: 2012-01-30
File name: oleda0.027112496150291654.exe
Detection ratio: 9/43
Analysis date: 2012-01-28
Malware redirects bank phone calls to Attackers
Feb 01, 2012 - "... some new Ice IX configurations that are targeting online banking customers in the UK and US. Ice IX is a modified variant of the ZeuS financial malware platform. In addition to stealing bank account data, these Ice IX configurations are capturing information on telephone accounts belonging to the victims. This allows attackers to divert calls from the bank intended for their customer to attacker controlled phone numbers. We believe the fraudsters are executing fraudulent transactions using the stolen credentials and redirecting the bank’s post-transaction verification phone calls to professional criminal caller services (discussed in a previous Trusteer blog*) that approve the transactions. In one attack captured by Trusteer researchers, at login the malware steals the victim’s user id and password, memorable information/secret question answer, date of birth and account balance. Next, the victim is asked to update their phone numbers of record (home, mobile and work) and select the name of their service provider from a drop-down list. In this particular attack, the three most popular phone service providers in the UK are presented: British Telecommunications, TalkTalk and Sky... To enable the attacker to modify the victim’s phone service settings, the victim is then asked by the malware to submit their telephone account number. This is very private data typically only known to the phone subscriber and the phone company. It is used by the phone company to verify the identity of the subscriber and authorize sensitive account modifications such as call forwarding. The fraudsters justify this request by stating this information is required as a part of verification process caused by "a malfunction of the bank’s anti-fraud system with its landline phone service provider"... 
As we discussed in a recent blog**, fraudsters are increasingly turning to these post-transaction attack methods to hide fraudulent activity from the victim and block email and phone communication from the bank. This allows attackers to circumvent security mechanisms that look for anomalies once transactions have already been executed by the user..."
Feb 01, 2012
Facebook malware scam ...
Feb 3, 2012 - "... worrying number of Facebook users posting the same status messages today, claiming that the United States has attacked Iran and Saudi Arabia... If you visit the link mentioned in the status update, you are taken to a -fake- CNN news webpage which claims to contain video footage of conflict... clicking on the video thumbnail prompts the webpage to ask you to install an update to Adobe Flash... Of course, it's not a real Flash update, but malware instead. Remember, you should only ever download a Flash update from the genuine Adobe website. The malware - which Sophos is adding detection for as Troj/Rootkit-KK - drops a rootkit called Troj/Rootkit-JV onto your Windows computer. In addition, Sophos detects the behaviour of the malware as HPsus/FakeAV-J..."
"... Part of this site was listed for suspicious activity 436 time(s) over the past 90 days... Of the 102194 pages we tested on the site over the past 90 days, 172 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-02-07, and the last time suspicious content was found on this site was on 2012-02-07... Malicious software includes 76 trojan(s), 60 scripting exploit(s). Successful infection resulted in an average of 7 new process(es) on the target machine. Malicious software is hosted on 147 domain(s)... 28 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site... This site was hosted on 74 network(s) including AS32934 (FACEBOOK), AS209 (QWEST), AS2914 (NTT).... Over the past 90 days, facebook.com appeared to function as an intermediary for the infection of 31 site(s)... It infected 6 domain(s)..."
"... over the past 90 days, 151 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-02-07, and the last time suspicious content was found was on 2012-02-07... Over the past 90 days, we found 24 site(s) on this network... that appeared to function as intermediaries for the infection of 29 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 2 site(s)... that infected 6 other site(s)..."
Mobile malware from German svr... 1,351 sites
Feb 7, 2012 - "... recently found a server that hosts a great number of sites that are used to launch mobile malware, targeting Android OS and Symbian (specifically the J2ME platform). The server, located in Germany, is managed by a hosting provider known as a haven for cyber criminals. We found a total of 1,351 websites hosted on the said server and categorize the sites into five segments based on the type of guise they use for the distributed malware:
Android Market apps
Opera Mini/ Phone Optimizer apps
Pornographic apps (sites were unavailable during time of checking)
App storage sites
Others (sites that were inaccessible during time of checking)...
... the hosted Apps were still up thus making them available for download through the Android Market App and the Opera Mini/Photo Optimizer App sites. The sites under Android Market apps displayed a website very much similar to the legitimate one. They feature popular applications like WhatsApp, Facebook, Facebook Messenger, Barcode Scanner, Skype, Google Maps, Gmail, YouTube, and others. The files downloaded from such sites are now detected as ANDROIDOS_FAKENOTIFY.A... the sites that feature download links for Opera Mini and Phone Optimizer lead to J2ME_SMSSEND.E - a malware that can run on devices that support MIDlets... Among all the categories mentioned, most of the sites promoted Opera Mini updates and Photo Optimizer Apps compared with the others... the attackers are not necessarily targeting only one platform... we also saw that cybercriminals use different social engineering lures. Also, despite the emergence and prevalence of platforms such as Android and iOS, the Symbian platform still seems to be targeted as well..."
Malware -redirects- to enormousw1illa .com
2012-02-08 - "Site is listed as suspicious... the last time suspicious content was found on this site was on 2012-02-08. Malicious software includes 8 trojan(s). This site was hosted on 2 network(s) including AS48691* (SPECIALIST), AS17937 (NDMC)... Over the past 90 days, enormousw1illa .com appeared to function as an intermediary for the infection of 177 site(s)... this site has hosted malicious software over the past 90 days. It infected 1090 domain(s)..."
Feb 2, 2012 - "... seeing a large number of sites compromised with a conditional redirection to the domain http ://enormousw1illa .com/ (188.8.131.52). On all the sites we analyzed, the .htaccess file was modified so that if anyone visited the site from Google, Bing, Yahoo, or any major search engine (by checking the referer), it would get -redirected- to that malicious domain (http ://enormousw1illa com/nl-in .php?nnn=556)... this malware is hosted at the same IP address as other domains that were used in .htaccess attacks in the past**, so we think it is all done by the same group..."
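The referer check is what makes this attack hard to notice: the owner who types the URL never sees the redirect, only visitors arriving from a search engine do. An added example (not Sucuri's tooling) for checking .htaccess files offline: it pairs each RewriteRule with the RewriteCond lines in front of it and reports rules that send the visitor to another host while guarded by a condition on HTTP_REFERER. The sample file is a constructed reconstruction of the pattern described above (the page does not reproduce the injected rules), padded with the standard WordPress rules and a legitimate referer-based hotlink rule so the difference is visible.

```python
"""Added example (not Sucuri's tooling): find referer-conditional redirects to
external hosts in an .htaccess file. The sample rules are a constructed
reconstruction of the pattern described above, not the actual injected file."""
from urllib.parse import urlparse

SEARCH_ENGINES = ("google", "bing", "yahoo", "msn", "yandex")

SAMPLE_HTACCESS = """\
# standard WordPress front-controller rules
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# hotlink protection: referer-conditional, but it forbids rather than redirects
RewriteCond %{HTTP_REFERER} !^https?://(www\\.)?example.com/ [NC]
RewriteRule \\.(jpe?g|png)$ - [F]
# injected block: only search-engine visitors are bounced to the malicious host
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule .* http://enormousw1illa.com/nl-in.php?nnn=556 [R,L]
"""


def find_referer_redirects(text, own_hosts):
    """Return (line_no, target_host, referer_patterns, mentions_search_engine) for
    every RewriteRule that sends the visitor off-site and is guarded by at least one
    RewriteCond on HTTP_REFERER. Patterns are assumed not to contain spaces."""
    own = {h.lower() for h in own_hosts}
    pending = []          # RewriteCond lines that apply to the next RewriteRule
    hits = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((parts[1], parts[2]))
            continue
        if directive == "rewriterule" and len(parts) >= 3:
            referer_pats = [p for var, p in pending if "HTTP_REFERER" in var.upper()]
            pending = []
            target = parts[2]
            host = urlparse(target).hostname if "://" in target else None
            if host and host.lower() not in own and referer_pats:
                engines = any(e in p.lower() for p in referer_pats for e in SEARCH_ENGINES)
                hits.append((line_no, host, tuple(referer_pats), engines))
            continue
        pending = []      # any other directive breaks the Cond/Rule chain
    return hits


if __name__ == "__main__":
    for line_no, host, pats, engines in find_referer_redirects(
            SAMPLE_HTACCESS, {"example.com", "www.example.com"}):
        tag = "search-engine referer" if engines else "other referer"
        print(f"line {line_no}: redirect to {host} guarded by {tag}: {' | '.join(pats)}")
```

The complementary live check is to request the page twice, once with no Referer and once with a Referer of a Google search results page, and diff the responses; a 301/302 to an unfamiliar host on the second request only is the same symptom seen from the outside.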
Free Microsoft Points? Game Over ...
Feb 8, 2012 - "There’s an Xbox code generator floating around on Youtube and other sites right now, and a pretty popular one at that. How popular?... 20,000+ views so far. The program promises all sorts of Xbox freebies – 1 month of Xbox Live, 12 months if you’re feeling particularly greedy and 1600 to 4000 free Microsoft points*. Of course, everything goes without a hitch in the Youtube video: we see the program boot up, the user selects his target – 1600 MS points – and hits the “Generate Code” button. After a short while, we see a “Hooray, it worked” type message and the person in the video is presented with a code.... [and]... Another survey. Does the creator of this program expect you to fill in a survey / sign up to a ringtone service not once but twice? Absolutely. Is it worth downloading this program, filling in some of those offers and trying it out? Absolutely - not."
"... currency of the Xbox Live Marketplace, Games for Windows - Live Marketplace, Windows Live Gallery, and Zune online stores..."
Cybercrime "factory outlets" – fraudsters selling bulk Facebook, Twitter and Web Site Admin credentials
Feb 08, 2012 - "... discovered two cybercrime rings that are advertising what we refer to as a “Factory Outlet” of login credentials for different web sites including Facebook, Twitter and a leading website administration software called cPanel. Financial malware, like Zeus, SpyEye and others, once it infects a machine, is configured to attack specific online banking web sites. In addition to online banking credentials, the malware also captures login credentials used by the victim’s machine to access other web sites and web applications. To monetize the login credentials that pile up, fraudsters have started setting up “Factory Outlets” to sell them off... cybercriminals are offering to sell login credentials to social network sites such as Facebook and Twitter belonging to users all over the world. These can be purchased in bulk, from specific countries (e.g. USA, UK, and Germany) and even coupled with additional personal information such as email addresses... the fraudsters claim that they have 80GB of stolen data from victims. In another so called “Credential Factory Outlet Sale” advertisement, a botnet operator offers to sell login and URL information that would allow a fraudster to take control of certain web sites. Specifically, the advertiser is offering cPanel credentials..."
(More detail at the trusteer URL above.)
Know your enemies Online (graphic)
How web threats spread (graphic)
Source: Sophos Security Threat Report
Top 10 threats for January 2012
Feb 08, 2012 - "... Report for January 2012, a collection of the 10 most prevalent threat detections encountered during the month. Last month saw malware attacks targeting a wide range of potential victims, including gamers looking for a Pro Evolution Soccer 2012 game crack, small business owners concerned about the reputation of their business, and government organizations receiving spoofed messages from the United States Computer Emergency Readiness Team (US-CERT)... malware writers installing rootkits on the systems of gamers who were looking for a pirated release of Pro Evolution Soccer 2012... scammers also latched onto the buzz surrounding the upcoming fourth installment of the Halo® video game series... by offering bogus beta invites in return for filling out surveys and recommending links on Facebook and Google+. These attacks leverage the popularity of these titles among the gaming community and are meant to take advantage of the mistakes some users might make when acting out of excitement about a favorite game franchise... phishing emails posing as notices from the Better Business Bureau, claiming that a customer had filed a complaint against the recipient. The messages contained links to malware created using the Blackhole exploit kit. Government body US-CERT served as another disguise for cybercriminals attempting to bait unwitting victims into opening a file that contained a variant of the Zeus/Zbot Trojan. Meanwhile, Tumblr users were baited with “free Southwest Airlines tickets” in exchange for taking surveys and submitting personal information by a phony “Tumblr Staff Blog.” Malware writers and internet scammers also sought to attack a wider cross-section of the population when opportunities presented themselves to creatively piggyback on hot news topics and highly trafficked websites. 
This past month, the shutdown of popular file hosting website Megaupload led to a domain typo scam targeting both the regular users of the website as well as visitors who were interested in seeing the FBI notice posted on the site. Once the victims reached the misspelled URL, they were -redirected- to various sites promising fake prizes and asking for personal information..."
(See "Top 10 Threat Detections for January" list at the gfi URL above.)
Bad news brings SCAMS ...
Feb 13, 2012 - "... cybercriminals are naturally out there taking advantage of this unfortunate incident... A fake video was found spreading via the social networking site Facebook... The posts, which have the subject “I Cried watching this video. RIP Whitney Houston”, come in the form of a wall post with a link to the supposed video. Once users click on the video, it leads them to a Facebook page that contains a link to the video. However, clicking the said link only leads to several other redirections until users are led to the usual survey scam site... we also found -101- more survey scam domains registered on the same IP where the domains are hosted.... also found tweets with malicious links that also took advantage of the tag RIP Whitney Houston, which was trending worldwide on Twitter... tweets contain a link to a particular blog dedicated to Whitney Houston. Users viewing this page are then -redirected- to another web site, even without them having to click on anything. The succeeding page is a site that supposedly features several Whitney Houston wallpapers, which users can download. Once users decide to download a wallpaper, a pop-up window appears that asks users to download some “Whitney Houston ringtones”. Whatever users choose... they will be -redirected- to a survey site that asks for mobile numbers... Using newsworthy events... is a common bait of cybercriminals to lure users into their schemes... always be cautious before clicking any -news- items in their Facebook or Twitter feeds..."
(Screenshots available at the trendmicro URL above.)
Greyware fog ...
Feb 13, 2012 - "... it was more than a little bit surprising when we observed downloads from Download.com behaving like spyware... Download.com had begun delivering freeware downloads in a wrapper that enticed users to click during the install in order to receive special offers and deals... When a user clicked on this option, the application took several steps that lowered the security of the user’s system, such as making changes to the security settings in the browser, changing proxy settings and also installed a service that leaked user information over HTTP POSTs. As it turns out, Download.com was under new management and had then intentionally developed this wrapper with those functions as a method to collect shopping data from their users. This led to a miniature scandal as antivirus vendors began rightly classifying the code as spyware, and Download.com then quickly reversed course. However, this is an example of a very broad problem... there are tons of applications and code out there that are not overtly malicious, yet do very spyware-like things without the user’s knowledge. Changes to security settings, browser settings, listening on backdoor ports, changing personal firewall settings. This is dangerous because it is -unlikely- that this type of behavior is going to be flagged as malicious, and yet it is materially reducing the security posture of the client machine. These things don’t compromise the host directly, but it certainly softens up the target for more malicious code or attackers... we will need the ability to quickly determine which sorts of downloads and applets are safe for users to download in just the same way we are safely enabling applications today, applications such as webmail, SharePoint and other collaborative apps. Anything that affects the security posture of the client or the network needs to be seen by IT, and IT needs the policies in place that clearly define what sorts of behavior are allowed and which are not. 
The lesson here is that until we gain a credible level of control here in the grey end of the spectrum, we are simply trusting the Internet to provide reasonably safe code that doesn’t endanger users..."
Fake AICPA e-mail - Blackholes and Rootkits ...
Feb 20, 2012 - "Be wary of emails claiming to be from AICPA – as per their alert here*, these are not real and any mention of “unlawful tax return fraud” is just a -bait- to convince the end-user to open up a malicious attachment (in this case, a .doc file** although there are rogue PDF files in circulation too). As with many of the malicious spam campaigns doing the rounds at the moment, this one will use the Blackhole exploit kit to serve up zbot from multiple compromised domains. Worse, a Sakura kit (typical example here***) will download Sirefef / ZeroAccess , which as we’ve seen elsewhere**** is not a good thing to have on your system. One of the more unpleasant spam campaigns we’ve seen recently."
Feb 17, 2012
ASERT Security Intelligence: Threat Briefings
- http://atlas.arbor.net/briefs/ - 2012.02.21
"Summary: A variety of security patches are released for Cisco NX-OS, Adobe Flash Player, and Java. Such third party software is often the vector used by attackers to compromise systems and install malware. Database systems are also compromised and recent data leaks point to the importance of protecting databases with basic security measures and encryption... The threat of a DNS attack on March 31st* may not be as deadly as it seems, and the trend of users bringing their own devices to work can pose grave risks to security."
TL;DR: ICS ASLR = FUBAR ...
22 Feb 2012 - "Jon Oberheide has found the ASLR (Address Space Layout Randomisation) in Google's Android 4, Ice Cream Sandwich (ICS), somewhat wanting. In a detailed posting on the Duo Security blog*, one commenter eloquently concluded that "TL;DR: ICS ASLR = FUBAR". Specifically, he found that the lack of randomisation in executable and linker memory regions meant that it would be "largely ineffective for mitigating real-world attacks"... The Android Security Team responded to Oberheide's posting noting that they will, in 4.0.3, randomise the heap and future Android releases will randomise the linker and executable mappings."
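The finding above rests on a simple measurement: launch the same program twice, read /proc/<pid>/maps each time, and see which regions land at the same base. An added example (not Duo Security's code) that does that comparison; the two snapshots are constructed to mirror the Android 4.0 situation the post describes (executable, linker and heap at fixed addresses, shared libraries and stack moving) and are not real captures. Device paths and addresses are illustrative.

```python
"""Added example (not Duo Security's code): compare /proc/<pid>/maps from two
separate launches of the same program and report which mappings keep the same
base address. The two snapshots are constructed to mirror the Android 4.0
behaviour described above (fixed executable, linker and heap; randomised
libraries and stack); they are not real captures."""
import re

# start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")

RUN_A = """\
00008000-0001f000 r-xp 00000000 b3:0f 1234  /system/bin/app_process
00020000-00022000 rw-p 00017000 b3:0f 1234  /system/bin/app_process
00022000-0003a000 rw-p 00000000 00:00 0     [heap]
4003c000-40045000 r-xp 00000000 b3:0f 888   /system/lib/libcutils.so
40045000-40046000 rw-p 00009000 b3:0f 888   /system/lib/libcutils.so
b0001000-b0009000 r-xp 00000000 b3:0f 777   /system/bin/linker
b0009000-b000b000 rw-p 00008000 b3:0f 777   /system/bin/linker
be9a1000-be9c2000 rw-p 00000000 00:00 0     [stack]
"""

RUN_B = """\
00008000-0001f000 r-xp 00000000 b3:0f 1234  /system/bin/app_process
00020000-00022000 rw-p 00017000 b3:0f 1234  /system/bin/app_process
00022000-0003a000 rw-p 00000000 00:00 0     [heap]
4011c000-40125000 r-xp 00000000 b3:0f 888   /system/lib/libcutils.so
40125000-40126000 rw-p 00009000 b3:0f 888   /system/lib/libcutils.so
b0001000-b0009000 r-xp 00000000 b3:0f 777   /system/bin/linker
b0009000-b000b000 rw-p 00008000 b3:0f 777   /system/bin/linker
bec13000-bec34000 rw-p 00000000 00:00 0     [stack]
"""


def parse_maps(text):
    """Map each named region to the lowest start address among its mappings."""
    bases = {}
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        start, name = int(m.group(1), 16), m.group(4).strip()
        if not name:
            continue                      # anonymous mappings cannot be matched by name
        bases[name] = min(bases.get(name, start), start)
    return bases


def aslr_report(maps_a, maps_b):
    """Return {region: 'fixed' | 'randomised'} for regions present in both runs."""
    a, b = parse_maps(maps_a), parse_maps(maps_b)
    return {name: ("fixed" if a[name] == b[name] else "randomised")
            for name in sorted(set(a) & set(b))}


def unrandomised(maps_a, maps_b):
    """Regions an attacker can rely on at a fixed address across launches."""
    return sorted(n for n, state in aslr_report(maps_a, maps_b).items() if state == "fixed")


if __name__ == "__main__":
    for name, state in aslr_report(RUN_A, RUN_B).items():
        print(f"{state:11s} {name}")
```

Two launches are the minimum; collect several and only call a region fixed when every snapshot agrees, since a single coincidental match is possible on a 32-bit address space with few randomised bits. The "fixed" list is the practical summary of the post: whatever is on it is what an exploit can address without an information leak.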
McAfee Q4 Threats Report...
Feb 21, 2012 - "... The overall growth of PC-based malware actually declined throughout Q4 2011, and is significantly lower than Q4 2010. The -cumulative- number of unique malware samples in the collection still exceeds the 75 million mark. In total, both 2011 and the fourth quarter were by far the busiest periods for mobile malware that McAfee has seen yet, with -Android- firmly fixed as the largest target for writers of mobile malware. Contributing to the rise in malware were rootkits, or stealth malware. Though rootkits are some of the most sophisticated classifications of malware, designed to evade detection and “live” on a system for a prolonged period, they showed a slight decline in Q4. Fake AV dropped considerably from Q3, while AutoRun and password-stealing Trojan malware show modest declines. In a sharp contrast to Q2 2011, Mac OS malware has remained at very low levels the last two quarters.
Web Threats: In the third quarter McAfee Labs recorded an average of 6,500 -new- bad sites per day; this figure shot up to -9,300- sites in Q4. Approximately one in every 400 URLs were malicious on average, and at their highest levels, approximately one in every 200 URLs were -malicious-. This brings the total of active malicious URLs to more than 700,000..."
Mac Trojan spreading in-the-wild...
Exploits Java vulns and packs fake certificate
24 Feb 2012 - "... a new variant of a Mac-specific password-snatching Trojan horse is spreading in the wild. Flashback-G initially attempts to install itself via one of two Java vulnerabilities. Failing that, the malicious applet displays a self-signed certificate (claiming to be from Apple) in the hope users just install the malware. Once snugly in place, the malware attempts to capture the login credentials users enter on bank websites, PayPal, and many others. OS X Lion did not come with Java preinstalled, but Snow Leopard does, so users of Mac's latest OS are more at risk of attack. Mac security specialist Intego warns that the variant is infecting Mac users and spreading in the wild. Symptoms of infection can include the crashing of browsers and web applications, such as Safari and Skype. Intego, which has added detection for the malware, has a write-up* of the attack with a screenshot of the self-signed certificate used by the malware in action..."
"... essential that anyone running OS X 10.6 update Java immediately. To do this, run Software Update, from the Apple menu; if you do not have the latest version of Java, an update will be available... Macs are (also) getting infected by the social engineering trick of the bogus certificate purporting to be signed by Apple... If you see this, don’t trust it, and cancel the process..."
24 Feb 2012 - "... If an up-to-date version of Java is in use, to become infected the user has to approve a certificate clearly marked as not trusted..."
“Chat-in-the-Middle” phishing attack fraud...
Cybercriminals target phones - Android 'most exposed'
Feb 28, 2012 AFP - "Cybercriminals are sneaking a fast-increasing amount of malware into smartphones to steal data or even money, with those running on Google's Android most exposed to security threats, analysts said... Anyone can create or install an application on an Android phone... as opposed to the Apple controlled Appstore which imposes a layer of screening... Trend Micro surveyed independent analysts about security features on the four main mobile operating systems - Apple's iOS, RIM's BlackBerry, Microsoft's Windows and Google's Android - and found that Blackberry was ranked most secure and Android the least. BlackBerry benefitted from the fact that it was originally designed more as a platform than a device, while iOS, ranked second most secure, was tightly controlled by Apple... Technology company Juniper Networks compiled a "record number of mobile malware attacks" in 2011, particularly on Android phones. In 2010, just 11,138 mobile malware samples were recorded, but they soared 155 percent to 28,472 in 2011, the company said. Just under half - 46.7 percent - occurred on Android phones, said Juniper, whose study did -not- look into Apple breaches... Some criminals are hiding "malicious code in legitimate applications" that consumers are downloading unwittingly. Once they have gained access to data on the phone, they are stealing information that could be used in identity theft or in illegal transactions. A further incentive for cybercriminals to breach smartphone security is that unlike computers, each phone "has a direct link to money" through the SIM card... Criminals are able, for instance, to implant so-called trojan horses that prompt phones to send SMSes to premium numbers..."
Olympic phishing messages...
01 Mar 2012 - "... Websense... detected and tracked a significant number of these kinds of Olympic phishing messages whose goal is to entice users to submit their personal information... the well-known "National Lottery"-type scam, where the targeted users are tricked into believing they are winners of some sort of local lottery... Once the user opens the Microsoft Word document, the sender informs the user that he or she is the lucky "winner" of £200,00.00 GBP, and then requests that the user provide personal information, such as full name, address, nationality, occupation, and mobile number to help process the claim... Although this email attachment is not malicious, it is clear that the sender has some other questionable activity in mind by asking for and collecting personal information. This could range from email spam using the victim's email address and mobile phone number to other rogue promotional messages that could potentially have web links leading to malicious websites. Threats like these Olympics scams are also known as advanced-fee fraud in which victims are asked to contact a claims agent. They may then be asked to pay "processing fees" to receive their money, which never happens... This is also a good way to collect, with social engineering techniques, mobile phone numbers and to start other kinds of fraudulent activities like asking for details about mobile banking accounts..."
Employees disabling security controls
29 Feb 2012 - "Corporate mobile devices and the bring-your-own-device (BYOD) phenomenon are rapidly circumventing enterprise security and policies, say the results of a new global study sponsored by Websense... 77 percent of more than 4,000 respondents in 12 countries agree that the use of mobile devices in the workplace is important to achieving business objectives, but only 39 percent have the necessary security controls to address the risk their use entails. According to a previous Ponemon Institute survey, IT respondents said 63 percent of breaches occurred as a result of mobile devices, and only 28 percent said employee desktop computers were the cause. This latest research shows that organizations often don't know how and what data is leaving their networks through non-secure mobile devices, and that traditional static security solutions are not effective at stopping advanced malware and data theft threats from malicious or negligent insiders... More than 4,600 IT and IT security practitioners in Australia, Brazil, Canada, France, Germany, Hong Kong, India, Italy, Mexico, Singapore, United Kingdom, and the United States were surveyed. With an average of 10 years' experience in the field, fifty-four percent are supervisors (or above) and 42 percent are from organizations with more than 5,000 employees. This survey defines mobile devices as laptops, USB drives, smartphones, and tablets."
US SEC SPAM leads to exploit and stealer
March 2, 2012 - "... received an email** in his GMail inbox that purports to originate from the U.S. Securities and Exchange Commission (SEC)... Clicking the link leads users to ftp(dot)psimpresores(dot)com(dot)ar/QH1r1tTd/index(dot)html, which then -redirects- them to trucktumble(dot)com/search(dot)php?page=d44175c6da768b70... This page contains a Blackhole exploit kit that targets the following vulnerabilities:
CVE-2010-0188, an old Adobe Reader and Acrobat vulnerability (patch already available)
CVE-2010-1885, an old Microsoft Windows Help and Support vulnerability (patch already available)
Based on the deobfuscated script, this exploit can also target other vulnerabilities on Java, Adobe Flash, and Windows Media Player. Once vulnerabilities of these software were successfully exploited, users are then led to the website, trucktumble(dot)com/content/ap2(dot)php?f=e0c3a, where the file about.exe can be downloaded... about.exe was found to be a variant of ZBOT, that infamous information stealer, and we detect it as Win32.Malware!Drop. Only 12 AV vendors* detect the variant as of this writing..."
File name: about.vxe
Detection ratio: 12/43
Analysis date: 2012-03-02 05:19:43 UTC
Flashback Mac -malware- using Twitter as C&C center
Mar 5, 2012 - "... Flashback... uses an interesting method of getting commands: it uses Twitter. And rather than use a specific Twitter account, which can be removed, it queries Twitter for tweets containing specific hashtags. These hashtags aren’t as simple as, say, #Flashback or #MacMalwareMaster, but are seemingly random strings of characters that change each day. Intego’s malware research team cracked the 128-bit RC4 encryption used for Flashback’s code and discovered the keys to this system. The hashtags are made up of twelve characters. There are four characters for the day, four characters for the month, and four characters for the year... In addition, in order to ensure that people checking logs don’t spot the malware, it uses a number of different user agents... It’s worth noting that the people behind the Flashback malware most likely do not send commands every day, and certainly delete their tweets, as Intego has found no past tweets in its searches. However, the malware clearly sends these HTTP requests, looking for such tweets..."
Mar 8, 2012 - "Ransomware attacks are growing in popularity these days. French users were a recent target of an attack that impersonated the Gendarmerie nationale. A few months ago, Japanese users were also hit by ransomware in a one-click billing fraud scheme targeted for Android smartphones... the more recent ransomware variants appear to be targeting other European countries. They are disguised as notifications from country-specific law enforcement agencies such as eCops of Belgium and Bundespolizei of Germany... a majority of the top eight countries infected with ransomware are from Europe:
... While ransomware are also being distributed through affiliate networks like FAKEAVs, these attacks operate using payments outside of traditional credit card payments, specifically via Ukash and Paysafecard vouchers. Ukash and Paysafecard are widely used online payment methods that do not require personal details. Such level of anonymity has naturally earned the attention of cybercriminals and, as we can see, is now being abused for the ransomware business... based on feedback taken from the past 30 days."
March 9, 2012 - "... reports of Finns being targeted by ransomware which is localized in Finnish language and claims to be from Finnish police..."
Police Themed Ransomware continues
April 4, 2012 - "Over the last several weeks, we've been monitoring a rash of ransomware campaigns across Europe, in which messages, supposedly from the local police, are displayed demanding that a fine must be paid in order to unlock the computer... easiest way to manually disable it is as follows:
1 – Press Ctrl-O (that's the letter O, not the number zero).
2 – Select "Browse", go to c:\windows\system32 and open cmd.exe.
3 – Type "explorer.exe" into the newly opened window. You should now be able to use the desktop again.
4 – Browse to your Startup folder. The path will vary depending on the language settings and Windows version. The screenshot below shows the path on the English version of Windows XP. You will also have to replace "Administrator" with your user name in the path (unless you're already using the Administrator account, but let's not get started on that…).
5 – Delete any entries you don't recognize. The names of the malicious entries may be different than the ones shown in the screenshot. If you are unsure, you can remove all entries, but at the risk of disabling other valid applications from automatically starting.
6 – Reboot the computer.
After this the threat is disabled but malicious files still remain on the computer. Scanning the computer with an antivirus product is highly recommended.
The steps may vary slightly depending on the variant... Microsoft provides information in their description*.
Updated to add on April 5th: Our description for Trojan:W32/Reveton includes removal instructions."
Bogus prescription drug trade...
Mar 12, 2012 - "Half of all “rogue” online pharmacies - sites that sell prescription drugs without requiring a prescription — got their Web site names from just two domain name registrars... but at least one-third of all active rogue pharmacy sites are registered at Internet.bs, a relatively small registrar that purports to operate out of the Bahamas and aggressively markets itself as an “offshore” registrar. That’s according to LegitScript*, a verification and monitoring service for online pharmacies... Anti-spam and registrar watchdog Knujon (“nojunk” spelled backwards) also released a report (PDF**) on rogue Internet pharmacies today, calling attention to Internet.bs, AB Systems and a host of other registrars with large volumes of pharma sites..."
Mobile phones - weak link in Online Bank Fraud scheme
March 13, 2012 - "... two online banking fraud schemes designed to defeat one time password (OTP) authorization systems used by many banks... in these -new- scams the criminals are stealing the actual mobile device SIM (subscriber identity module) card...
> In the first attack, the Gozi Trojan is used to steal IMEI (international mobile equipment identity) numbers from account holders when they login to their online banking application. The bank is using a OTP system to authorize large transactions. Once they have acquired the IMEI number, the criminals contact the victim’s wireless service provider, report the mobile device as lost or stolen, and request a new SIM card. With this new SIM card, all OTPs intended for the victim’s phone are sent to the fraudster-controlled device...
> The second attack combines online and physical fraud to achieve the same goal. We discovered this scheme in an underground forum. First, the fraudster uses a Man in the Browser (MitB) or phishing attack to obtain the victim’s bank account details, including credentials, name, phone number, etc. Next, the criminal goes to the local police department to report the victim’s mobile phone as lost or stolen. The criminal impersonates the victim using their stolen personal information (e.g., name, address, phone number, etc.). This allows the fraudster to acquire a police report that lists the mobile device as lost or stolen. The criminal then calls the victim to notify them that their mobile phone service will be interrupted for the next 12 hours. In the meantime, the criminal presents the police report at one of the wireless service provider’s retail outlets. The SIM card reported as lost or stolen is -deactivated- by the mobile network operator, and the criminal gets a new SIM card that receives all incoming calls and OTPs sent to the victim’s phone number. This allows the fraudster to authorize the fraudulent transactions he/she executes...
Since accounts protected by OTP systems typically have higher transfer limits and are less scrutinized, they are more lucrative. This explains why criminals are willing to go to great lengths to gain access to them. The one common thread in both schemes is that they are made possible by compromising the web browser with a MitB attack to steal the victim’s credentials. By combining stolen personally identifiable information with clever social engineering techniques, criminals using these attacks don’t need to trick users into verifying fraudulent transactions. They are able to bypass out of band authentication mechanisms like SMS-delivered OTPs by authorizing these transactions themselves."
Unsolicited support calls - iYogi ...
March 14, 2012 - "The makers of Avast antivirus software are warning users about a new scam involving phone calls from people posing as customer service reps for the company and requesting remote access to user systems. Avast is still investigating the incidents, but a number of users are reporting that the incidents followed experiences with iYogi, the company in India that is handling Avast's customer support. A follow-up investigation by KrebsOnSecurity indicates that Avast (among other security companies) is outsourcing its customer support to a third-party firm that appears engineered to do little else but sell expensive and unnecessary support... Unfortunately, Avast is not the only security and antivirus firm that has outsourced its support to this company. iYogi also is the support service for AVG, probably Avast’s closest competitor."
Mar 12, 2012 - "... we -never- phone our customers (unless they specifically ask us to of course) and none of the partners we work with do either..."
Unsolicited support calls
Avast Antivirus drops iYogi support
March 15, 2012
March 15, 2012 - "... we have removed the iYogi support service from our website and shortly it will be removed from our products... users can receive support via the other support options provided on our website. We will also work to ensure that any users that feel they have been misled into purchasing a premium support receive a full refund..."
Brute force attacks - WordPress sites...
Mar 15, 2012 - "... Lately we have been seeing many WordPress sites being attacked and hacked through the use of brute force. The administrator leaves the default “admin” user name and chooses a simple password, and -never- changes it... There is a technique known as brute-force attack... access is gained to your environment through brute force. Often conducted by bots, these attacks will run through a compiled list of common passwords and their permutations (i.e., password, Pa$$w0rd, p@ssw0rd, etc..)... the attackers know that you substitute ‘A’ for an ‘@’ and ‘S’ for a ‘$’. Using this method the attackers are gaining access to your wp-admin, this then allows them to serve spam via your posts, deface your home page like we recently saw with ServerPro, and inject any one of the other types of malware... in the last few days we detected more than 30 IP addresses trying to guess the admin password on our test WordPress sites (wp-login.php). Each one of those tried from 30 to 300 password combinations at each time. Sometimes they would mix that with a few spam comments as well. Example:
184.108.40.206 – 32 attempts
220.127.116.11 – 47 attempts
18.104.22.168 – 211 attempts
22.214.171.124 – 39 attempts
126.96.36.199 – 105 attempts
188.8.131.52 – 40 attempts
And many more IP addresses. We will be adding all of them to our IP blacklist* and Global Malware view**..."
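Two defender-side checks for the wp-login.php brute-force pattern described in the post above, written as an added example (not Sucuri's code): counting login POSTs per source IP in the web server's combined-format access log, and rejecting admin passwords that are only leet permutations of common words. The log lines, IP addresses and thresholds are constructed for this example.

```python
"""Defender-side checks for wp-login.php brute forcing.

1. count_login_attempts: per-IP count of POSTs to wp-login.php, with a note
   of whether the IP ever got a 302 (a successful login) after its guesses;
2. is_weak_admin_password: refuse passwords that are common words dressed up
   with the substitutions attackers already try ('Pa$$w0rd', 'p@ssw0rd').
Sample log lines and IPs below are constructed for this example.
"""
import re
from collections import Counter

# Apache/nginx combined log format:
#   ip ident user [timestamp] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Undo the substitutions the post says attackers already anticipate.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t", "|": "l"})

COMMON_WORDS = {"password", "admin", "letmein", "welcome", "qwerty",
                "wordpress", "changeme"}


def count_login_attempts(lines, threshold=30):
    """Return {ip: {"attempts": n, "logged_in": bool}} for IPs that POSTed to
    wp-login.php at least `threshold` times.  WordPress answers a failed
    login with 200 (the form again) and a successful one with a 302 to
    wp-admin, so a long run of 200s followed by a 302 is a guessed password."""
    attempts = Counter()
    logged_in = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith("/wp-login.php"):
            attempts[m["ip"]] += 1
            if m["status"] == "302":
                logged_in.add(m["ip"])
    return {ip: {"attempts": n, "logged_in": ip in logged_in}
            for ip, n in attempts.items() if n >= threshold}


def normalize_leet(password):
    """Lower-case and map leet characters back: 'Pa$$w0rd' -> 'password'."""
    return password.lower().translate(LEET)


def is_weak_admin_password(password, common=COMMON_WORDS):
    """True for short passwords and for common words dressed up with leet
    substitutions and a short suffix ('p@ssw0rd', 'Admin2012', 'Pa$$w0rd!')."""
    if len(password) < 8:
        return True
    base = normalize_leet(password)
    return any(base.startswith(w) and len(base) - len(w) <= 4 for w in common)


# --- constructed sample data (documentation-range IPs) -----------------------
def _log_line(ip, method, path, status):
    return (f'{ip} - - [15/Mar/2012:10:00:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 1234 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    [_log_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 32          # bot guessing
    + [_log_line("203.0.113.7", "POST", "/wp-comments-post.php", 302)]    # spam comment mixed in
    + [_log_line("198.51.100.9", "GET", "/wp-login.php", 200)]            # a person loads the form
    + [_log_line("198.51.100.9", "POST", "/wp-login.php", 200)] * 2       # two typos
    + [_log_line("198.51.100.9", "POST", "/wp-login.php", 302)]           # then logs in
)

if __name__ == "__main__":
    print(count_login_attempts(SAMPLE_LOG))
    for pw in ("Pa$$w0rd", "admin2012", "correct-horse-battery"):
        print(pw, "weak" if is_weak_admin_password(pw) else "ok")
```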
WordPress Page is Loading... an Exploit
March 15, 2012 - "... Spam appears to be the driver of these campaigns. Various websites have already been identified to be redirecting to Blackhole exploit kit... Currently, these sites redirect to the following domains that host Blackhole exploit kit:
• themeparkoupons.net ..."
iPhone malware - CrossTalk ...
Tue, 13 Mar 2012 18:54:02 +0000
Those tasked with the defense of smartphones could benefit from this detailed document.
Attempts to Spread Mobile Malware in Tweets ...
Tue, 13 Mar 2012 18:54:02 +0000
Yet more attempts to spread mobile malware are being seen, this time Twitter is the spreading platform of choice.
Android Malware Stealing Online Banking Credentials
Friday, March 16, 2012 01:36
... Android malware continues with multi-factor financial credential theft and remote update capabilities.
Analysis: As mobile devices proliferate, cybercrime goes where the money is. While the style of this attack is not new, extra capabilities are being seen and it is likely just a matter of time before very sophisticated malware targeted towards mobile devices becomes a larger problem. Additionally, malware awareness and safe browsing on handhelds may not be as common as on desktop or notebook systems in enterprises with security policies. If mobile devices are not yet part of the organizational security policy, such threats may quicken this change.
Fake Linkedin e-mails lead To Cridex
March 16, 2012 - "... there are fake Linkedin invitation reminders in circulation sending users to a BlackHole exploit which attempts to drop Cridex* onto the PC. Cridex is a rather nasty piece of work that does everything from target banks and social networking accounts to a little bit of CAPTCHA cracking... This particular run shares the IP address 41(dot)64(dot)21(dot)71 with various BBB and Intuit spam runs from recent weeks. If in doubt, go directly to Linkedin and check your invites from there."
March 1, 2012
2012 Data Breach Investigations Report - Verizon
March 22, 2012 - "... The report combines data from 855 incidents that involved more than 174 million compromised records, an explosion of data loss compared to last year’s 4 million records stolen. The increase is due largely to the massive breaches perpetrated by activists... Most breaches Verizon tracked were opportunistic intrusions rather than targeted ones, occurring simply because the victim had an easily exploitable weakness rather than because they were specifically chosen by the attacker. And, as with previous years, most breaches — 96 percent — were not difficult to accomplish, suggesting they would have been avoidable if companies had implemented basic security measures. Verizon noticed a difference between how large and small organizations are breached. Smaller organizations tend to be breached through active hacking, involving vulnerabilities in websites and other systems and brute force attacks. Larger companies are more often breached through social engineering and phishing attacks — sending e-mail to employees to trick them into clicking on malicious attachments and links so that the intruders can install malware that steals employee credentials. Verizon surmises that this is because larger organizations tend to have better perimeter protections, forcing intruders to use human vulnerabilities to breach these networks instead."
SPAM - IRS themed e-mails w/malicious attachment
March 22, 2012 - "Cybercriminals are currently spamvertising with IRS themed emails, enticing end -and- corporate users into downloading and viewing a malicious .htm attachment.
More details: Spamvertised subject: Your tax return appeal is declined...
Malicious attachment: IRS_H11832502.htm *
Malicious iFrame URL found in the attachment...
Upon downloading and viewing the malicious attachment, an iFrame tag attempts to load, ultimately serving client-side exploits such as the Libtiff integer overflow in Adobe Reader and Acrobat (CVE-2010-0188), and Trusted method chaining remote code execution (CVE-2010-0840)... the malicious iFrame is hosted within a fast-flux botnet, and is therefore currently responding to multiple IPs, in an attempt by cybercriminals to make it harder for security researchers to take it down. End users are advised to ensure that they’re not running outdated versions of their third-party software and browser plugins, as well as to avoid interacting with the malicious emails..."
File name: IRS_U774510.htm0
Detection ratio: 13/43
Analysis date: 2012-03-23 09:17:40 UTC
1x1 pixel drive-by-malware...
Last Updated: 2012-03-25 17:04:16 UTC - "Exploit authors sometimes like to be cute... A Java archive called "fun.jar" containing an "evilcode.class" file that runs as an applet of 1x1 pixels size ... well, this can't be anything good. And it indeed isn't. This code snippet was lurking on quite a few web sites over the past days. Sending fun.jar to Virustotal shows* that only 10 of 43 anti-virus tools actually recognize the exploit code, whereas 27/43 recognize the d.exe malware file** that the exploit currently downloads and runs. Evilcode.class exploits the Java Rhino Engine vulnerability (CVE-2011-3544), published back in October 2011 and affecting -all- Java Runtime Engines up to JRE 1.6_27. The exploit still seems to work well enough for the bad guys that they don't see any need to re-tool to newer exploits. In slight modification of Oracle's own words (https://www.java.com/en/download/faq/other_jreversions.xml): 'We highly recommend users remove all older versions of Java from your system. Keeping old and unsupported versions of Java on your system presents a serious security risk...' ..."
* Latest: https://www.virustotal.com/file/a4252d3fe50650c0c96927a8560cf292d52d22fd51d954d26157ceea330a2a38/analysis/
File name: kr.jar
Detection ratio: 11/43
Analysis date: 2012-03-26 12:09:54 UTC
** Latest: https://www.virustotal.com/file/b7e06b275fd546c3d0cc2b5e80dfd3ddac647f68ccb5f6963173db11fa0a0cf6/analysis/
File name: 60685cf9afc3e4f95097aa219ecb6da0
Detection ratio: 28/40
Analysis date: 2012-03-27 16:01:57 UTC
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3544 - 10.0 (HIGH)
Critical Java hole being exploited on a large scale ...
Severity: High Severity
Published: Wednesday, March 28, 2012 19:20
Java security vulnerability patched in February is now being used widely by criminals to install malware.
Analysis: Patch! Watch for outdated Java on the network as the presence of old Java User-Agents is often a sign that a system has been exploited and Java is now doing the attackers bidding, typically downloading something evil.
MacOS X targeted w/MS Office exploit in the wild...
March 27, 2012 - "... The doc files seem to exploit MS09-027 and target Microsoft Office for Mac. This is one of the few times that we have seen a malicious Office file used to deliver malware on Mac OS X... An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
> When the victim opens the malicious Word file using Office for Mac, the shellcode writes the malicious payload on disk and executes it, and then opens a benign office file... The C&C server this time is:
- 2012 .slyip .net: 184.108.40.206
220.127.116.11 – 18.104.22.168
Black Oak Computers Inc – New York – 75 Broad Street...
> The second trojan found is a new one never seen. We have found several versions compiled for different architectures (ppc, i386..). We have also found a version that has paths to debugging symbols... The C&C domain resolves to:
- freetibet2012 .xicp .net: 22.214.171.124
126.96.36.199 – 188.8.131.52
China Unicom Beijing province network...
All the samples we have found have 0/0 rate antivirus detection, it includes the malicious doc files..."
March 29, 2012 - "... These Word documents exploit a Word vulnerability that was corrected in June, 2009, but also take advantage of the fact that many users don’t update such software. Word 2004 and 2008 are vulnerable, but the latest version, Word 2011 is not. Also, this vulnerability only works with .doc files, and not the newer .docx format..."
Blackhole exploits ...
April 2, 2012 - "... an exploit for CVE-2011-0559*, which is one of the two Flash exploits being used by Blackhole currently. Compared to other exploits, this one has been used by Blackhole for quite some time and yet the coverage using different security products is very low**.
With very -low- antivirus coverage, -no- Metasploit module, and PoCs being extremely difficult to find, this increases the chances of exploitation. Blackhole targets to exploit Adobe Flash 10.0 and earlier versions, 10.1, and 10.0.x (where x is later than 40). The vulnerability has been patched since March 2011. Detection has been added to F-Secure Anti-Virus as Exploit:W32/CVE-2011-0559.A..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0559 - 9.3 (HIGH)
Last revised: 01/27/2012
March 29, 2012 - "... over the past 12-18 months we have seen Blackhole become the most prevalent and notorious of the exploit kits used to infect people with malware..."
Android bot attacks rooted smartphones
3 April 2012 - "Antivirus company NQ Mobile has discovered a variant of the DroidKungFu Android malware called DKFBootKit* that targets users who have rooted their smartphones. The malware piggybacks on apps that would otherwise ask for root privileges anyway – and, once the user has agreed, sets up camp deep in the smartphone's boot sequence and replaces commands such as ifconfig and mount to help ensure it is started early in the boot sequence..."
"... DKFBootKit makes use of the granted root privilege for other malicious purposes, namely compromising the system integrity... the malware itself contains a bot payload that phones home to several remote C&C servers and waits for further commands...
1) Only download applications from trusted sources...
2) Never accept application requests from unknown sources...
3) Be alert for unusual behavior on the part of mobile phones and be sure to download a trusted security application that can scan the applications being downloaded onto your mobile device..."
(More detail at the URLs above.)
Apr 04, 2012
Credit Card fraud/malware attacks Facebook users
April 03, 2012 - "... new configuration of the Ice IX malware that attacks Facebook users after they have logged in to their account and steals credit card and other personal information... discovered a “marketing” video used by the creators of the malware to demonstrate how the web injection works. The global reach and scale of the Facebook service has made it a favorite target of fraudsters... This latest attack uses a web injection to present a fake web page in the victim’s browser. The form requests the user provide their cardholder name, credit/debit card number, expiry date, CID and billing address. The attackers claim the information is needed to verify the victim’s identity and provide additional security for their Facebook account... This pop up* presents virtually the same message used in the Ice IX configuration our researchers discovered and analyzed. The only difference is the version in the video requests a social security number and date of birth, in addition to the information mentioned earlier... We contacted Facebook to advise them that they would be mentioned in this blog. Facebook requested that we pass on some information about their site’s security measures. Here’s a summary of their response:
i) Facebook actively detects known malware on users' devices to provide Facebook users with a self-remediation procedure including the Scan-And-Repair malware scan. To self-enroll in this check point please visit – on.fb.me/AVCheckpoint
ii) Please advise your readers to report to Facebook any spam they find on the Facebook site, and remember Facebook will never ask for your credit card, social security, or any other sensitive information other than your username and password while logging in."
"... Part of this site was listed for suspicious activity 336 time(s) over the past 90 days... Of the 113053 pages we tested on the site over the past 90 days, 186 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-04-03, and the last time suspicious content was found on this site was on 2012-04-03. Malicious software includes 63 trojan(s), 62 exploit(s), 60 scripting exploit(s). Successful infection resulted in an average of 7 new process(es) on the target machine... Malicious software is hosted on 138 domain(s)... 28 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site... Over the past 90 days, facebook.com appeared to function as an intermediary for the infection of 56 site(s)... It infected 8 domain(s)..."
Olympic SPAM arrives...
Apr 5, 2012 - "... Users dreaming of watching the closing ceremonies of the London 2012 Olympics live may find the said offer hard to resist as Visa Golden Space is supposedly inviting users to join a lottery for a chance to win a travel package for the said event. Note that the said offer is non-existent. We also spotted a malware that arrives as a file named Early Check-In 2012 London Olympics.doc. This file, detected as TROJ_ARTIEF.XPL, exploits the RTF Stack Buffer Overflow Vulnerability found in several versions of Microsoft Office components. If it’s successful, it drops several other -malware- on your system, which Trend Micro detects as TROJ_DROPHIN.A and TROJ_PHINDOLP.A. This is not the first scam that uses this event to get users clicking. As early as 2008, Trend Micro has spotted a spammed message purporting to be a lottery drawn by the London 2012 Olympics committee. In May 2011, we also reported on a -spam- campaign that used London 2012 Olympics as bait. In addition, our social engineering e-guide mentions seasons and events as jump off points used by crooks. Online deals that look like they’re too good to be true, suspicious email messages promoting great but non-existent offers are also some of the tools used to lure users. All these tactics may lead to you inadvertently giving out your personal information, or for malware to be downloaded on your computer. Your personal information is not worth the risk of a chance to win a non-existent chance to win a lottery. Before clicking on that email link, investigate."
Fake AT&T wireless bill links to malware
Apr 5, 2012 - "Large outbreaks of phony AT&T wireless emails* have been distributed in the last 2 days. The emails describe very large balances ($943 in example), that are sure to get aggravated customers clicking on the included links... Every link in the email leads to a different compromised site that has malware hidden inside. In the example below** this means -9- (!) different URLs – most emails with links to email limit themselves to one or two links.
The index.html file tries to exploit at least the following known vulnerabilities:
Libtiff integer overflow in Adobe Reader and Acrobat – CVE-2010-0188
Help Center URL Validation Vulnerability – CVE-2010-1885
Recipients who are unsure whether the email they have received is genuine or not (the malicious version is a very accurate copy) should mouse-over the links. Genuine emails from AT&T will include AT&T website links. For example the “att.com” link will be the same in both places that it appears in the email – unlike the malicious version which uses 2 very different URLs. The fully functional homepage of one of the compromised sites is shown below. For more information about compromised websites see Commtouch’s report*** compiled in association with StopBadware."
Verizon-themed SPAM emails lead to ZeuS
March 29, 2012
Fake HP scan SPAM email leads to malware
6 April 2012 - "Another fake HP scan spam email leading to malware. This one follows the new technique of putting a malicious HTML (HP_Scan.htm) file inside a ZIP file to reduce the risk of it being blocked, and then it has multiple payload sites to try to get a higher infection rate. Nasty.
'Date: Fri, 6 Apr 2012 08:29:34 +0200
From: "Hewlett-Packard Officejet 70419A" [JaysonGritten@ estout .com]
Subject: Scan from a Hewlett-Packard ScanJet #02437326
Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 45211A.'
The payload can be found at:
hxxp :// 184.108.40.206 :8080/navigator/jueoaritjuir.php
hxxp :// 220.127.116.11 :8080/navigator/jueoaritjuir.php
hxxp :// 18.104.22.168 :8080/navigator/jueoaritjuir.php
hxxp :// 22.214.171.124 :8080/navigator/jueoaritjuir.php
... Anti-virus detection* is pretty poor at the moment...."
File name: HP_Scan.htm
Detection ratio: 10/42
Analysis date: 2012-04-06 10:24:37 UTC
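The .htm attachments in the IRS and HP-scan runs above (and the 1x1 applet page) are only loaders: the tags inside them pull the exploit-kit page from another host. The following added triage script (not from any of the quoted reports) unpacks such an attachment ZIP in memory, lists every iframe/script/applet/meta-refresh load target defanged, and flags the invisible ones, without fetching anything. The ZIP, HTML, file names and URLs in it are constructed for this example.

```python
"""Static triage of an HTML loader attachment delivered inside a ZIP.

Lists the load targets (iframe, script, applet, embed, object, meta refresh)
defanged, and marks the ones hidden by 1x1 dimensions or CSS, which is how
drive-by loaders usually present themselves.  Nothing is fetched.
Sample HTML, ZIP, host addresses and file names below are constructed.
"""
import io
import re
import zipfile
from html.parser import HTMLParser

LOADER_TAGS = {"iframe", "script", "applet", "embed", "object", "meta"}


def defang(url):
    """hxxp:// and [.] so the target cannot be clicked from a report."""
    url = re.sub(r"^https?://", "hxxp://", url, flags=re.I)
    return url.replace(".", "[.]")


def _tiny(value):
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


def is_hidden(attrs):
    """1x1/0x0 dimensions or CSS hiding are the hallmarks of drive-by loaders."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((_tiny(attrs.get("width")) and _tiny(attrs.get("height")))
            or "display:none" in style or "visibility:hidden" in style)


class LoaderExtractor(HTMLParser):
    """Collect every tag that makes the browser load something else."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in LOADER_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta":
            # <meta http-equiv="refresh" content="0;url=http://...">
            if a.get("http-equiv", "").lower() != "refresh":
                return
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            target = m.group(1) if m else ""
        else:
            target = a.get("src") or a.get("archive") or a.get("code") or a.get("data")
        if target:
            self.findings.append({"tag": tag, "target": defang(target),
                                  "hidden": is_hidden(a)})


def extract_loaders(html_text):
    p = LoaderExtractor()
    p.feed(html_text)
    p.close()
    return p.findings


def triage_attachment(zip_bytes):
    """Open the attachment ZIP in memory; return {member: findings} for HTML members."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".htm", ".html")):
                text = zf.read(name).decode("utf-8", errors="replace")
                report[name] = extract_loaders(text)
    return report


def hidden_loaders(findings):
    """The targets worth blocking first: the ones loaded invisibly."""
    return [f["target"] for f in findings if f["hidden"]]


# --- constructed sample: the shape of a loader attachment ---------------------
SAMPLE_HTML = """<html><body>
<p>Attached document was scanned and sent to you.</p>
<iframe src="http://203.0.113.5:8080/navigator/loader.php" width="1" height="1"></iframe>
<iframe src="http://198.51.100.20:8080/navigator/loader.php" style="display: none"></iframe>
<applet code="evilcode.class" archive="fun.jar" width=1 height=1></applet>
<meta http-equiv="refresh" content="5;url=http://192.0.2.10/search.php?page=abc">
<script src="js/jquery.js"></script>
</body></html>"""


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("HP_Scan.htm", SAMPLE_HTML)
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_attachment(build_sample_zip()).items():
        print(member)
        for f in findings:
            print(f"  {f['tag']:7} hidden={f['hidden']!s:5} {f['target']}")
```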
March 31, 2012
File name: Invoice_NO_Mailen.htm
Detection ratio: 21/42
Analysis date: 2012-04-02 05:40:03 UTC
EU tax invoice trojan...
April 8, 2012 - "... started to intercept a new trojan distribution campaign by email with the subject “invioce” and is sent from the spoofed address “European Commissions’s Office<firstname.lastname@example.org>” and has the following body:
Please open the attached file for your income tax invoice.From the European
Commission’s office .This message is for all the European Union citizens.
Note: European Union citizens Tax invoices are provided Once a year.
please refer to your tax Confirmation email. Attachment: Tax Invoice.
For Better Understanding.
Mr Jeff Black
The attached file is named invoice.exe and is approx. 170 kB large. The trojan is known as a variant of Win32/Injector.PWG (NOD32), W32/Obfuscated.D!genr (Norman), Trojan.Win32.Generic.pak!cobra ( VIPRE). At the time of writing, only 6 of the 42 AV engines did detect the trojan at Virus Total*..."
File name: invoice.exe
Detection ratio: 9/41
Analysis date: 2012-04-08 12:05:55 UTC
Dutch phishing emails target domains in Belgium/Netherlands
April 10, 2012 - "... increase of phishing emails, compared to the previous days, weeks and month, in the Dutch language that is sent to domains .be and .nl in Belgium and the Netherlands. The phishing emails are sent on behalf of ABN Amro and ING.
Here are some subjects for ING phishing emails:
- Mijn ING Breidt
- Belangerijk Mijn ING Nieuws
- Je hebt 1 ongelezen beveiligd Alert.
Here are some subjects for the ABN AMRO Bank:
- Beveiliging Message Alert van ABN AMRO Bank
- 2012 ABN AMRO VERIFICATIE ..."
(Examples of complete phish text at the URL above.)
Android "GoldDream" malware server still alive
12 Apr 2012 - "Many anti-virus vendors have reported on and dissected the suspicious and malicious Android "GoldDream" malware threat. The C&C server (lebar .gicp. net)... hosts this -malware-... this C&C server is still alive after several months and is still serving users with "GoldDream" malware... Websense... has blocked the malware server sites, out of the 19 vendors listed by VirusTotal*... The malware site mainly targets users in China, masquerading as a normal Android apps distribution site. The site makes use of a fake certificate and registration... information to lure more customers, and is placed at the bottom of the listed app sites in a bid to advertise itself as a good reputation site... We have analyzed all the available free Android apps on the site (23 in total). 18 of these apps contain "GoldDream" malware. These are normal game apps which are re-packaged to include malicious code... We strongly suggest that users refrain from downloading and installing apps from untrusted 3rd party sources..."
Normalized URL: http ://lebar .gicp .net/
Detection ratio: 1/25
Analysis date: 2012-04-12 09:32:49 UTC
"... 222 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-04-12, and the last time suspicious content was found on this site was on 2012-04-12. Malicious software includes 206 scripting exploit(s), 121 exploit(s), 30 trojan(s). Successful infection resulted in an average of 2 new process(es) on the target machine. Malicious software is hosted on 90 domain(s)... 92 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site... This site was hosted on 15 network(s) including AS32475 (SINGLEHOP), AS4134 (China Telecom backbone), AS4837 (CNC)... Over the past 90 days, gicp.net appeared to function as an intermediary for the infection of 13 site(s)... It infected 9 domain(s)..."
... canonical name - gicp .net
Recommended add to BLACKLIST
Ransomware - multiple types/discoveries
Apr 12, 2012 - "We have encountered a ransomware unlike other variants that we have seen previously. A typical ransomware encrypts files or restricts user access to the infected system. However, we found that this particular variant infects the Master Boot Record (MBR), preventing the operating system from loading. Based on our analysis, this malware copies the original MBR and overwrites it with its own malicious code. Right after performing this routine, it automatically restarts the system for the infection to take effect..."
(More detail at trendmicro URL above.)
April 12, 2012 - "We are receiving reports of a ransom trojan; it's been circulating during the last two days. When first run on the system, the ransomware will iterate all folders on the system. Every document, image, and shortcut (.lnk) file found will be encrypted and appended with an extension of .EnCiPhErEd. In each folder it will drop a text file called "HOW TO DECRYPT.TXT" which contains instructions on how to proceed. The bandit is demanding 50€. It drops a copy of itself in the system's temp folder with a random name. It creates registry entries to associate the .EnCiPhErEd extension with itself, so that the temp folder copy will be launched whenever those files are run, in order to demand the decryption password. After five attempts it will no longer accept passwords. And it then deletes itself, leaving your data encrypted. Our threat hunters think that the source of this ransomware may be from inserted malicious tags in sites, particularly in forums..."
(More detail at f-secure URL above.)
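A triage script, added here and not taken from the F-Secure write-up, that scans a directory tree for the footprint described above (files renamed with the .EnCiPhErEd extension and the HOW TO DECRYPT.TXT note dropped into each folder) and reports which folders and which original file types were hit; the sample tree it builds is constructed for the demonstration.

```python
"""
Triage scanner for the file-encrypting ransomware described above.  Added
example, not F-Secure's code.  It walks a directory tree, counts files carrying
the ".EnCiPhErEd" extension, locates the "HOW TO DECRYPT.TXT" ransom notes and
summarises which folders and original file types were affected.  The tree made
by make_sample_tree() is constructed for the demonstration.
"""
import os
import tempfile
from collections import Counter, defaultdict

ENCRYPTED_EXT = ".EnCiPhErEd"
RANSOM_NOTE = "HOW TO DECRYPT.TXT"


def scan_tree(root):
    """Return a summary dict describing the ransomware footprint under root."""
    hit_folders = defaultdict(lambda: {"encrypted": 0, "note": False})
    original_types = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Compare case-insensitively: the malware's own spelling is mixed
            # case, and NTFS file names are case-insensitive anyway.
            if name.lower().endswith(ENCRYPTED_EXT.lower()):
                hit_folders[dirpath]["encrypted"] += 1
                # "report.docx.EnCiPhErEd" -> original suffix ".docx"
                original = name[:-len(ENCRYPTED_EXT)]
                suffix = os.path.splitext(original)[1].lower() or "<none>"
                original_types[suffix] += 1
            elif name.upper() == RANSOM_NOTE:
                hit_folders[dirpath]["note"] = True
    return {
        "folders_with_encrypted_files": sum(
            1 for v in hit_folders.values() if v["encrypted"]),
        "ransom_notes": sum(1 for v in hit_folders.values() if v["note"]),
        "encrypted_files": sum(v["encrypted"] for v in hit_folders.values()),
        "original_types": dict(original_types),
        "folders": dict(hit_folders),
    }


def make_sample_tree():
    """Build a constructed sample tree that mimics the described infection."""
    root = tempfile.mkdtemp(prefix="enciphered_demo_")
    layout = {
        "Documents": ["report.docx.EnCiPhErEd", "budget.xlsx.EnCiPhErEd", RANSOM_NOTE],
        "Pictures": ["holiday.jpg.EnCiPhErEd", RANSOM_NOTE],
        "Desktop": ["Chrome.lnk.EnCiPhErEd", RANSOM_NOTE],
        "Untouched": ["readme.txt"],  # a folder the malware did not reach
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in files:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("placeholder content\n")
    return root


if __name__ == "__main__":
    summary = scan_tree(make_sample_tree())
    print("encrypted files :", summary["encrypted_files"])
    print("ransom notes    :", summary["ransom_notes"])
    print("original types  :", summary["original_types"])
    for folder, info in sorted(summary["folders"].items()):
        print(f"  {folder}: {info['encrypted']} encrypted, note={info['note']}")
```

Point it at a user profile (or a mounted image of one) to get a quick count of what was lost before deciding on restore-from-backup; the registry association the post mentions is a separate check on the live system.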
Android malware poses as Angry Birds...
April 12, 2012 - "Android malware authors have seized an opportunity to infect unsuspecting smartphone users with the launch of the latest addition to the immensely popular "Angry Birds" series of games. SophosLabs recently encountered malware-infected editions of the "Angry Birds Space" game which have been placed in -unofficial- Android app stores. Please note: The version of "Angry Birds Space" in the official Android market (recently renamed "Google Play") is *not* affected... With the malware in place, cybercriminals can now send compromised Android devices instructions to download further code or push URLs to be displayed in the smartphone's browser. Effectively, your Android phone is now part of a botnet, under the control of malicious hackers..."
Fake Verizon emails follow fake AT&T emails ...
April 16, 2012 - "Less than 2 weeks ago we reported* the use of perfectly formatted AT&T Wireless emails that included multiple links to malware infested sites. These have now been followed up with similar emails – but the “carrier” has switched to Verizon Wireless...
... The Verizon emails also lead to sites hosting malware – although there are far fewer links in the email – and the same compromised site is used repeatedly in each email (in the AT&T attack, up to 9 different sites were used). The same gang appears to be behind both attacks since the link structure is identical:
<compromised domain>/<8 random numbers and letters>/index.html.
The same vulnerabilities are once again exploited via the scripts on the sites. The fully functional homepage of the compromised site is shown below."
Trojan pilfers Hotel credit cards...
April 18, 2012 - "Our intelligence center researchers recently uncovered a fraud “package” being sold in underground forums that uses a remote access Trojan to steal credit card information from a hotel point of sale (PoS) application. This scheme, which is focused on the hospitality industry, illustrates how criminals are planting malware on enterprise machines to collect financial information instead of targeting end users' devices. In this particular scenario, a remote access Trojan program is used to infect hotel front desk computers. It then installs spyware that is able to steal credit card and other customer information by capturing screenshots from the PoS application. According to the seller, the Trojan is guaranteed not to be detected by anti-virus programs... This fraud package is being offered for $280. The purchase price includes instructions on how to set up the Trojan. The sellers even offer advice on how to use telephone social engineering techniques via VoIP software to trick front desk managers into installing the Trojan... criminals are increasingly expanding the focus of their attacks from online banking targets to enterprises..."
Fake LinkedIn reminders connect with malware...
April 19th, 2012 - "Phony LinkedIn invitations are not a new phenomenon. What tends to change is the underlying delivery method used for the malware distribution – in this case compromised websites that unknowingly host malicious scripts. The LinkedIn reminders that are included in the attack include several variables such as names, relationships, and the number of messages awaiting response. As usual the giveaway that something strange is occurring is the link...
Recipients that click on the link reach a rather bland looking “notification” page that provides no further links or instructions...
... In the background, several scripts seek out software with vulnerabilities that can be exploited including:
> Adobe reader and Acrobat:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0188 - 9.3 (HIGH)
> Microsoft Windows Help and Support Center in Windows XP:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1885 - 9.3 (HIGH) ..."
Fake Skype encryption software cloaks DarkComet Trojan
Apr 20, 2012 - "... We discovered a webpage that advertises software that purports to provide encryption for Skype. This page is hosted in Syria... the same server that acted as a command-and-control (C&C) server for previous attacks. The webpage features an embedded YouTube video that claims to be from “IT Security Lab” and to encrypt voice communications... The downloaded file skype.exe, detected as BKDR_ZAPCHAST.HVN, is actually DarkComet version 3.3... We were able to redirect the traffic in our test environment to confirm that it is indeed DarkComet... Note that Skype uses AES encryption on calls and instant messages, as well as its video conversations..."
Bogus Olympics email w/malware
Apr 22, 2012 - "... recently, we found an Olympics scam in the form of a lottery that promises a free travel package to the event. Some online crooks, however, played it differently this time. Instead of the typical Olympic-related scams wherein users supposedly won tickets to the event, this scam arrives as spam disguised as an email advisory... this scam comes in the form of email messages that warn recipients of fake websites and organizations selling tickets to the London Olympics 2012. The mail contains the official logo of the event, possibly to deceive users about its legitimacy. Included in the message is an attached .DOC file that lists these bogus ticket sellers. The attachment, however, is actually a malicious file detected by Trend Micro as TROJ_ARTIEF.ZIGS. The malware takes advantage of the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333) to drop the backdoor BKDR_CYSXL.A. This backdoor may perform several malicious routines that include deleting and creating files and shutting down the infected system... As London Olympics 2012 draws near, we are expecting this type of threat to proliferate. Thus, users should make it a habit to check the legitimacy of -any- message before downloading the attachment or clicking links included in it..."
Facebook emails with malware attachments...
April 23rd, 2012 - "A series of emails with malware attachments has been widely distributed in the last few days. The emails alert the recipient about a picture of themselves (or an ex-girlfriend) that has been circulated online. The text from three of the messages is shown below:
> Sorry to disturb you , – I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today… why did you put it online? wouldn’t it harm your job? what if parents see it? you must be way cooler than I thought about you man
> Hi there ,But I really need to ask you – is it you at this picture in attachment? I can’t tell you where I got this picture it doesn’t actually matter…The question is is it really you???.
> Sorry to disturb you , – I got to show you this picture in attachment. I can’t tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who’s that dude??.
... The “image” is attached to the emails for convenience and the filename in all samples was identical: “IMG0962.zip”. The unzipped file displays a PDF icon – which may confuse recipients whose computers do not display file extensions (the extension in this case is .exe)... detected attached malware within seconds of the start of the outbreak... the scale of the attack on Saturday – from 4am (Pacific Time) till 3am on Sunday morning... At its peak the attack averaged around 100,000 messages per second..."
Phishing and malware meet Check Fraud
April 24, 2012 - "... a SCAM in an underground forum that shows how data obtained through phishing and malware attacks can be used to make one of the oldest forms of fraud – check forging... The scam involves a criminal selling pre-printed checks linked to corporate bank accounts in the USA, UK and China. The criminal is selling falsified bank checks made with specialized printing equipment, ink and paper. For $5 each, he/she will supply checks that use stolen credentials (e.g. bank account) provided by the buyer. However, to purchase checks that use stolen credentials supplied by the counterfeiter the cost is $50 – a tenfold increase. This is a clear indicator that stolen credentials are a key enabler of check fraud. Check data fields include personal information (e.g. name, address and phone) and financial information (e.g. bank account, routing code and check number). To obtain all the required data fraudsters typically need to get their hands on a physical or scanned version of a real check in circulation. Many banking web sites provide access to scanned versions of paid and received checks. Online banking login credentials obtained through malware and phishing attacks can easily be used by fraudsters to access a victim’s account and collect all the required information to commit check fraud. In addition, before using the checks, fraudsters could potentially ensure the account balance is sufficient to approve the transaction... Buyers are also encouraged to carry fake identification cards that match the stolen credentials on the check. The check counterfeiter offers to provide these as well. This is the latest example of how criminals can use malware and phishing techniques to make traditional physical fraud schemes more effective..."
SPAM Scams spoof Social Networking sites - peddle Malicious sites
Apr 25, 2012 - "... email messages disguised as notifications from popular networking sites, in particular LinkedIn, foursquare, MySpace, and Pinterest. These spam messages contain links that direct users to -bogus- pharmaceutical or -fraud- sites. They also use legitimate-looking email addresses to appear credible to recipients. Using famous brands like these sites is effective in luring users to the scheme as this gives credence to an otherwise obvious scam... We uncovered spammed messages masked as notifications from Foursquare, a popular location-based social networking site... The first sample we found pretends to be an email alert, stating that someone has left a message for the recipient. The second message is in the guise of a friend confirmation notification... Both messages use the address noreply @foursquare .com in the ‘From’ field and bear a legitimate-looking MessageID. Similar to previous spam campaigns using popular social networking sites, attackers here also disguised the -malicious- URLs... also spotted sample messages that are purportedly from LinkedIn and Myspace... we have identified that the senders’ info was forged. We also did not find any pertinent details that could identify these messages as legitimate LinkedIn and MySpace email notifications. These mails also used cloaked URLs that redirect to the fake site 'Wiki Pharmacy'... we found fake Pinterest email notifications that contain a URL, a purported online article on weight-loss. Users who click this link are instead led to sites that were previously found to engage in fraud activities... Users are advised to always be cautious of dubious-looking messages and avoid clicking links or downloading the attachment included in these."
File name: b.js
Detection ratio: 14/41
Analysis date: 2012-04-25 10:19:47 UTC
Yahoo phishing via compromised WordPress sites
April 25, 2012 - "Yahoo users have been targeted in a phishing attack that starts with an “avoid account deactivation” email. Mousing over the link shows the non-Yahoo link – an easy way to know that something is amiss*...
... The phishing pages are very authentic looking. Once users have entered their login details (which are collected by the phisher), they are redirected to Yahoo Mail. A large number of compromised sites have been used to hide the phishing pages – all the samples collected by Commtouch Labs were based on WordPress**. In such cases the phishers seek out a particular plugin with a known vulnerability that can be repeatedly exploited on many sites..."
April 20, 2012 - WordPress v3.3.2 released
:sad: :fear: :spider:
Brazilian banking malware ...
26 April 2012 - "... part of a Brazilian phishing attack... VirusTotal reports... the sample as being detected by 5/42*... the malware is a straightforward PE executable that is made to look like a word document. In addition to being named boleto.doc.exe, the file also comes with a Microsoft Word icon
... This was actually one of the few instances where Google Translate failed... knowing the file size (1.5 MB) alone told me it was going to be packed with "goodies"... the malware is ensuring persistence by setting itself in the 'Run' registry key. This will cause the malware to run every time that user logs into their machine... look forward to the (hopefully) increased detection by antivirus in the coming days."
File name: 188477e8f2a9523b0a001040982942ff9c5ba13c88b823d3b6a0b9f1d8b0c5be
Detection ratio: 5/42
Analysis date: 2012-04-26 15:31:50 UTC
BlackHole SPAM runs underway
Apr 30, 2012 - "... high-volume spam runs that sent users to websites compromised with the BlackHole exploit kit... spam runs that were part of this investigation used the name of Facebook, and US Airways. Other spam runs involved LinkedIn, as well as USPS. The most recent campaign we’ve seen that was part of this wave of attacks used the name of CareerBuilder:
... conclusions about each of these attacks are broadly similar:
• Phishing messages using the names of various organizations spread via email to targets predominantly in the United States. The content of these phishing e-mails was practically indistinguishable from legitimate messages.
• Links in these messages led to multiple compromised websites that redirected the user to various malicious sites. Collectively, these compromised sites numbered in the thousands.
• Users were eventually directed to sites containing the Black Hole exploit kit.
... more than 2,000 distinct URLs used in this attack, distributed over 374 domains. On average, each compromised domain hosted 5 separate malicious landing pages... The goal of these attacks is to install ZeuS variants onto user systems..."
Service automates boobytrapping of Hacked Sites
May 1, 2012 - "Hardly a week goes by without news of some widespread compromise in which thousands of Web sites that share a common vulnerability are hacked and seeded with malware... one aspect of these crimes that’s seldom examined is the method by which attackers automate the booby-trapping and maintenance of their hijacked sites... another aspect of the cybercriminal economy that can be outsourced to third-party services. Often known as “iFramers,” such services can simplify the task of managing large numbers of hacked sites that are used to drive traffic to sites that serve up malware and browser exploits... A huge percentage of malware in the wild today has the built-in ability to steal FTP credentials from infected PCs. This is possible because people who administer Web sites often use FTP software to upload files and images, and allow those programs to store their FTP passwords. Thus, many modern malware variants will simply search for popular FTP programs on the victim’s system and extract any stored credentials... Just as PC infections can result in the theft of FTP credentials, malware infestations also often lead to the compromise of any HTML pages stored locally on the victim’s computer. Huge families of malware have traditionally included the ability to inject malicious scripts into any and all Web pages stored on the host machine. In this way, PC infections can spread to any Web sites that the victim manages when the victim unknowingly uploads boobytrapped pages to his Web site... the best way to avoid these troubles is to ensure that your system doesn’t get compromised in the first place. But if your computer does suffer a malware infection and you manage a Web site from that machine, it’s a good idea to double check any HTML pages you may have stored locally and/or updated on your site since the compromise, and to change the password used to administer your Web site (using a strong password...)."
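A checker for the "double check any HTML pages you have stored locally" advice above, added here and not taken from the article or any vendor: it parses each page and flags iframes that are hidden (zero size or display:none) or point off-site, and script tags loading from a domain outside your own site's allow-list. The site domains, the sample pages and the hostnames inside them are all constructed for the demonstration.

```python
"""
Scan locally stored HTML pages for the kind of tampering described above:
hidden or off-site iframes and off-site <script src> tags injected by malware
on the web administrator's PC.  Added example, not the article's code.
SITE_DOMAINS, the sample pages and every hostname in them are constructed.
"""
import os
import re
import time
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the domains your own site legitimately loads content from.
SITE_DOMAINS = {"example-shop.test", "www.example-shop.test"}

_ZERO = re.compile(r"^\s*0+(px)?\s*$", re.I)


def _is_hidden(attrs):
    """Tell-tale iframe hiding: zero width/height or CSS that removes it."""
    style = (attrs.get("style") or "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    dims = []
    for key in ("width", "height"):
        val = attrs.get(key)
        if val is None:  # fall back to an inline style such as width:0px
            m = re.search(key + r":(\d+)", style)
            val = m.group(1) if m else None
        dims.append(val)
    return all(v is not None and _ZERO.match(v) for v in dims)


def _offsite(url):
    """True when the URL names a host that is not one of our own."""
    host = urlparse(url).hostname  # None for relative URLs
    return host is not None and host.lower() not in SITE_DOMAINS


class InjectionScanner(HTMLParser):
    """Collects (kind, src, line) findings for suspicious iframe/script tags."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        line = self.getpos()[0]
        if tag == "iframe":
            if _is_hidden(a):
                self.findings.append(("hidden-iframe", src, line))
            elif _offsite(src):
                self.findings.append(("offsite-iframe", src, line))
        elif tag == "script" and src and _offsite(src):
            self.findings.append(("offsite-script", src, line))


def scan_html(text):
    """Return the list of suspicious tags found in one page's HTML."""
    parser = InjectionScanner()
    parser.feed(text)
    parser.close()
    return parser.findings


def scan_directory(root, since=0.0):
    """Scan .html/.htm files under root modified at or after `since` (epoch)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith((".html", ".htm")) and os.path.getmtime(path) >= since:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_html(fh.read())
                if found:
                    results[path] = found
    return results


# Constructed sample pages: one clean, one seeded the way an "iFramer" would.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script src="/js/site.js"></script>
<script src="https://www.example-shop.test/js/cart.js"></script>
</head><body><h1>Welcome</h1>
<iframe src="https://www.example-shop.test/promo" width="300" height="200"></iframe>
</body></html>"""

TAMPERED_PAGE = """<html><head><title>Shop</title>
<script src="/js/site.js"></script>
</head><body><h1>Welcome</h1>
<iframe src="http://malicious.invalid/in.cgi?3" width=0 height=0 frameborder=0></iframe>
<script src="http://stats-counter.invalid/count.js"></script>
<div><iframe style="display:none" src="//another-bad.invalid/x.php"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(label, scan_html(page) or "no findings")
    # e.g. everything edited in the last 30 days under the local site copy:
    print(scan_directory(".", since=time.time() - 30 * 86400))
```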
Ransomware - Fake G-Men attack Hijacks computers ...
May 01, 2012 - "... new use of the Citadel malware platform (a descendant of the Zeus Trojan) to deliver code ransomware that poses as the US Department of Justice and hijacks victims’ computers. This ransomware, named Reveton, freezes the compromised machine’s operating system and demands a $100 payment to unlock it. Reveton was observed a few weeks ago being used as a standalone attack, but has now been coupled with the Citadel platform... Citadel is able to target employees to steal enterprise credentials, and in this example targets victims directly to steal money from them, instead of their financial institution. The attack begins with the victim being lured to a drive-by download website. Here a dropper installs the Citadel malware on the target machine which retrieves the ransomware DLL from its command and control server. Once installed on the victim’s computer, the ransomware locks up the targeted machine and displays a warning message notifying the user that they have violated United States Federal Law. The web inject screen* claims the IP address belonging to the infected machine was identified by the Computer Crime & Intellectual Property Section as having visited websites that contain child pornography and other illegal content.
In order to unlock their computer, the victim is instructed to pay a $100 fine to the US Department of Justice using prepaid money card services. The payment service options presented to the victim are based on the geographic location of their IP address. For example, users with US IP addresses must pay using MoneyPak or Paysafecard... Independent of the Reveton ransomware secondary payload, Citadel continues to operate on the compromised machine on its own. Therefore it can be used by fraudsters to commit online banking and credit card fraud by enabling the platform’s man-in-the-browser, key-logging and other malicious techniques. It is clear from this and similar attacks we have discovered recently that financial malware has achieved a technological level of sophistication which enables it to be used to carry out virtually any type of cyber-attack. Through a combination of social engineering, data capturing and communication tampering these attacks are being used by criminals to target applications, systems and networks belonging to financial institutions, enterprises, and government agencies in order to commit fraud or steal sensitive information... cyber-crime and cyber-security protection begins with the endpoint now more than ever."
Multi-Layer malware attack uses same exploit as Flashback
Severity: Elevated Severity
Published: Monday, April 30, 2012 16:24
Yet another malware is using the recent Java flaw to exploit both OSX and Windows systems.
Analysis: The malware determines which OS is being attacked and then delivers the proper payload... case in point that there are many copycat attacks that take place when a serious flaw emerges and organizations must anticipate multiple threats rather than the threats that get the most media attention.
> Python-based malware attack targets Macs - Windows PCs also under fire
April 27, 2012 - "... there may still be some users whose computers are not patched against the Java vulnerability - and are at risk of attack. The malicious Java code downloads further code onto the victim's computer - depending on what operating system they are using... The downloaded programs will then install further malicious code... This Python script acts as a Mac OS X backdoor, allowing remote hackers to secretly send commands, uploading code to the computer, stealing files and running commands without the user's knowledge... The backdoor Python script allows remote hackers to steal information... We have a free Mac anti-virus for home users*, if you think it's time to take your computer's security more seriously..."
OSX.Flashback.K – motivation behind the malware - $$$
Apr 30, 2012
:sad: :fear: :mad:
Bogus invoices set virus trap
3 May 2012 - "Criminals are currently sending out a large number of bogus order confirmations that are designed to make recipients open the attached malware. The attackers appear to be using stolen online store customer data to address email recipients by their real names. The criminals pretend that the email recipient has placed an order worth several hundred euros at an online store. To make things difficult for spam filters, they vary the store names... Users who receive an order confirmation or invoice that they can't associate with a purchase should -not- open these file attachments under any circumstances. Unfortunately, virus scanners don't offer reliable protection in this case... it isn't just invoices in ZIP or EXE format that should make users suspicious: attackers have also been circulating bogus Deutsche Telekom and Vodafone invoices as PDF attachments that try to infect computers via an old security hole in Adobe Reader. This attack scenario is also possible using Office documents."
File name: Rechnungsdaten.zip
Detection ratio: 9/42
Analysis date: 2012-05-03 10:55:17 UTC
Mapping cybercrime by country
3 May 2012 - "All cybercrime is hosted and served from somewhere. A simple enough truism and yet little research, or even initiatives, emerge from this area. A new interactive web-based tool aims to provide deeper insights into this domain in search of solutions to a global problem. How much cybercrime is served by the hosting providers registered to, or routing through, an individual country? An interesting question that can now begin to be quantifiably answered thanks to a collaborative association between HostExploit, Russian Group-IB and CSIS in Denmark. The Global Security Map* displays global hot spots for cybercriminal activities based on geographic location... The Global Security Map* is the outcome of extensive research on Autonomous Systems (ASNs) – servers, ISPs, and networks routed publicly via their respective IP (Internet Protocol) addresses. It has been the long-held vision of HostExploit, heading a group of respected independent community researchers, to be able to provide a tool to aid hosts, registrars, Internet Service Providers (ISPs), researchers, law enforcement, academics and other parties, interested in tracking Internet security-related issues worldwide. HostExploit established a method of rating levels of malicious activity on all ASes worldwide (currently 40,909), known as the HE Index, which is used to compile data for its widely respected quarterly reports. The statistics used for the ‘Top 50 Bad Hosts & Networks’ reports and tables are applied now to countries as a whole (based on registration information and routing locations) to create a ranking order by level of malicious activity (1,000 = highest). At the time of the report, Lithuania ranks at #1 with the highest levels of malicious activities in the world while Finland at #219 has the cleanest servers and networks. With this information in place, the next step is to consider realistic mitigation methods or plans that can help reduce levels of malicious activity..."
(More info at the hostexploit URL above.)
> English report (PDF) here: http://hostexploit.com/downloads/viewdownload/7-public-reports/39-global-security-report-april-2012.html
Fake Facebook emails...
May 4 2012 - "The pictured emails (below) are not real Facebook emails – look at the URLs that are exposed when you hover your mouse cursor over the “sign in” and “reactivate” links..."
-13- million US Facebook users not using, or oblivious to, privacy controls
May 4, 2012
SPAM - BBB assistance e-mails w/malware...
May 4, 2012 - "Once again, cybercriminals have spammed out emails claiming to come from the Better Business Bureau (BBB), with the intention of infecting Windows computers with malware... widespread malware attack that is being spammed out as an attachment to an email claiming to come from the BBB. The emails vary in their wording, but -all- claim that a consumer has complained about the company receiving the email. The details of the complaint, naturally, are contained inside the attached "BBB Report.zip" file (which, of course, contains malware)..."
Recent badware stats
April 27, 2012 - "... Enterprise users experienced an average of 339 Web malware encounters per month in 4Q11 (205% year over year).
• Avg. 20,141 unique Web malware hosts per month in 2011 (vs. 14,217 in 2010)...
• Approx. 30,000 new malicious URLs each day in 2H11; 80% of those are legitimate. 85% of malware comes from the web.
• Malicious sites up 240 percent in 2011...
• 40% of malnet entry points are via search engines/portals...
• 23% of malicious domain registrations could be blocked with basic validation of contact info
• Rogue AV campaign infected 200,000 Web pages, 30,000 unique hosts... geographically dispersed visitors.
• On average, -two- popular websites (among the Alexa top 25,000) serve drive-by downloads each -day-. An estimated 1.6 million vulnerable users were exposed to drive-by downloads in one month across 58 popular (Alexa top 25,000) sites."
(Links to sources available at the stopbadware URL above.)
Malware attacks on hotel net surfers...
May 8, 2012 - "Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while establishing an Internet connection in their hotel rooms. Recently, there have been instances of travelers' laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely-used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available. The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products on their hotel Internet connection. Checking the author or digital certificate of any prompted update to see if it corresponds to the software vendor may reveal an attempted attack. The FBI also recommends that travelers perform software updates on laptops immediately before traveling, and that they download software updates directly from the software vendor’s Web site if updates are necessary while abroad..."
May 11, 2012 - "... avoid updating software while using hotel or other public Internet connections... There are a number of free attack tools that can be used to spoof software update prompts, and these are especially effective against users on small local networks. Bear in mind that false update prompts don’t have to involve pop-ups..."
Bogus emails: Amazon.com - Your Cancellation
Last Updated: 2012-05-09 17:49:29 UTC - "There are bogus order cancellation emails going around claiming to be from Amazon... copy I received linked to the URL... which contains this in the body:
(More detail at the ISC URL above.)
:fear: :sad: :mad:
Gh0st RAT served on compromised Amnesty International UK website...
11 May 2012 - "Between May 8 and 9, 2012... Websense... detected that the Amnesty International United Kingdom website was compromised. The website was apparently injected with malicious code for these 2 days. During that time, website users risked having sensitive data stolen and perhaps infecting other users in their network. However, the website owners rectified this issue after we advised them about the injection. In early 2009, we discovered this same site was compromised, and in 2010, we reported another injection of an Amnesty International website, this time the Hong Kong site. In the most recent case, we noticed that the exploit vector used was the same Java exploit (detailed in CVE-2012-0507) that has been used worldwide, and which has become somewhat infamous as the cause of the recent massive Mac OS X infection with Flashback... screen shot of the detected code injection:
... we can see the similarities between this injection and the INSS injection* we reported last week. This clearly shows the use of the Metasploit framework and the precise name of the Java class used. In addition, the associated JAR file is a well-known vector exploit for CVE-2012-0507... we recognize that this is a variant of the well-known Remote Administration Tool Gh0st RAT**, which is used mainly in targeted attacks to gain complete control of infected systems... The Remote Administration Center commands to the compromised system originate from this address: shell .xhhow4 .com. At the time of this writing, the address is still active."
Fake Flash Player for Android = Malware
May 10, 2012 - "... social engineering tactic using Adobe‘s name...
... This webpage is also found to be hosted on Russian domains, similar to the fake Instagram and Angry Birds Space apps that we previously reported. To further entice users into downloading the fake Adobe Flash Player app, the text on the webpage claims that it is fully compatible with any Android OS version... When users opt to download and install the said fake app, the site connects to another URL to download a malicious .APK file, which Trend Micro detects as ANDROIDOS_BOXER.A. ANDROIDOS_BOXER.A is a premium service abuser, which means it sends messages to premium numbers without the user’s permission, thus leading to unwanted charges. This type of Android malware is just one of the types we were able to identify in our infographic, A Snapshot of Android Threats*. Upon further investigation, we have seen a bunch of URLs that are hosted on the same IP as this particular website. Based on the naming alone used in these URLs, it appears that Android is a favorite target for cybercriminals behind this scheme..."
:mad: :fear: :sad:
Spamvertised ‘Pizzeria Order Details’ ...
May 11, 2012 - "... Cybercriminals are currently spamvertising hundreds of thousands of emails, impersonating FLORENTINO`s Pizzeria, and enticing users into clicking on a client-side exploit- and malware-serving link in order to cancel a $169.90 order that they never really made. Once the user clicks on the link, they will be -redirected- to a compromised site serving client-side exploits and ultimately dropping multiple malicious binaries on their hosts upon a successful infection.
Malicious URL: hxxp ://oldsoccer .it/page1 .htm?RANDOM_STRINGS
... The Russian domains are -fast-fluxed- by the cybercriminals in an attempt to make it harder for security researchers and vendors to take down their campaign. We’ve seen a similar fast-flux technique applied in the following campaign – "Spamvertised ‘Your tax return appeal is declined’ emails* serving client-side exploits and malware..."
(More detail at the webroot URL above.)
Global Fast Flux
spamalysis - VALERIO Pizza Order Confirmation
IC3 2011 Internet Crime Report released
May 10, 2012 - "The Internet Crime Complaint Center (IC3) today released the 2011 Internet Crime Report* — an overview of the latest data and trends of online criminal activity. According to the report, 2011 marked the third year in a row that the IC3 received more than 300,000 complaints. The 314,246 complaints represent a 3.4 percent increase over 2010. The reported dollar loss was $485.3 million ...
In 2011, IC3 received and processed, on average, more than 26,000 complaints per month. The most common complaints received in 2011 included FBI-related scams — schemes in which a criminal poses as the FBI to defraud victims — identity theft, and advance-fee fraud. The report also lists states with the top complaints, and provides loss and complaint statistics organized by state..."
Gh0st RAT served on compromised Amnesty International Hong Kong website...
May 14, 2012 - "... Update: Websense... detected that the Amnesty International Hong Kong sister website was also compromised to serve Gh0st RAT over the weekend, and the malicious codes are still live and active. Below are some of the pages infected redirecting to the exploits. Websense Security Labs will continue to monitor and update any new changes to this attack..."
Zeus P2P variant exploits... steal Debit Card Data
May 15, 2012 - "... recently discovered a series of attacks being carried out by a P2P variant of the Zeus platform against some of the internet’s leading online services and websites. The attacks are targeting users of Facebook, Google Mail, Hotmail and Yahoo – offering rebates and new security measures. The scams exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users’ debit card data. In the first attack against Facebook, the malware uses a web inject to present the victim with a fraudulent 20% cash back offer by linking their Visa or MasterCard debit card to their Facebook account. The scam claims that after registering their card information, the victim will earn cash back when they purchase Facebook points. The fake web form prompts the victim to enter their debit card number, expiration date, security code, and PIN...
Malware web inject presented to Facebook users ^
... In the attacks against Google Mail, Hotmail and Yahoo users, Zeus offers an allegedly new way of authenticating to the 3D Secure service offered by the Verified by Visa and MasterCard SecureCode programs. To complete an online transaction many merchants require cardholders to authenticate using their personal 3D Secure password... The scam that targets Google Mail and Yahoo users claims that by linking their debit card to their web mail accounts all future 3D Secure authentication will be performed through Google Checkout and Yahoo Checkout respectively... The victim is prompted to enter their debit card number, expiration date, security code, and PIN... leveraging the Verified by Visa and MasterCard SecureCode brands to make the scam more credible.
Malware web inject presented to Gmail users ^
Malware web inject presented to Yahoo users ^
... The attack against Hotmail users is similar to the Google Mail and Yahoo scam... The offer states that the service will prevent purchases from being made on the internet with the card unless the Hotmail account information and additional password are provided. The webinject requests the same information (debit card number, expiration date, security code, and PIN) as in the previous two scams.
Malware web inject presented to Microsoft Hotmail users ^
... These webinjects* are well crafted both from a visual and content perspective, making it difficult to identify them as a fraud... the fraudsters are using the fear of the very cybercrime they are committing to prey on their victims."
If you see ads on Wikipedia, your computer is probably -infected- with malware
May 14, 2012 - "We -never- run ads on Wikipedia. Wikipedia is funded by more than a million donors, who give an average donation of less than 30 dollars. We run fundraising appeals, usually at the end of the year. If you’re seeing advertisements for a for-profit industry... or anything but our fundraiser, then your web browser has likely been infected with malware ...
One example that we have seen installs itself as a browser extension. The extension is called “I want this” and installs itself in Google Chrome. To remove it:
- Open the options menu via the “pipe-wrench” icon on the top right, and choose Settings.
- Open the Extensions panel and there is the list of extensions installed.
- Remove an Extension by clicking the Remove button next to an item.
There is likely other similar malware that injects ads into Chrome, Firefox, Internet Explorer and other popular browsers... Ads injected in this manner may be confined to some sites, even just to Wikipedia, or they may show up on -all- sites you visit. Browsing through a secure (HTTPS) connection (which you can automate using the HTTPS everywhere extension**) may cause the ads to disappear, but will -not- fix the underlying problem. Disabling browser add-ins is a good starting point to determine the source of these types of ads. This does not necessarily fix the source of the problem either, as malware may make deep changes to your operating system. If you’re comfortable attempting a malware scan and removal yourself, there are various spyware/malware removal tools. Popular and well-reviewed solutions include Ad-Aware and Malwarebytes... If in doubt, have your computer evaluated for malware by a competent and qualified computer repair center. There is one other reason you might be seeing advertisements: Your Internet provider may be injecting them into web pages. This is most likely the case with Internet cafes or “free” wireless connections. This New York Times blog post by Brian Chen gives an example*. But rest assured: you won’t be seeing legitimate advertisements on Wikipedia. We’re here to distribute the sum of human knowledge to everyone on the planet — ad-free, forever..."
May 21, 2012
621 "Most Visited" sites are on Google's Black List
May 15, 2012 - "Legitimate Web sites that have been -hijacked- and used to serve malicious content greatly -outnumber- malicious sites on a list of the most-trafficked sites on Google's blacklist, according to analysis by security firm Zscaler*..."
... Most of the blacklisted sites are hosted in the US. Western Europe (especially Germany, France and the Netherlands) is number two, followed by China (8%)... Windows users with Internet Explorer 6 and 7 get the old "iepeers.dll" exploit (a different version for each browser). No site is safe from hijacking. Personal websites and top-10,000 sites are all likely to be infected at some point."
Facebook worm spreads via Private Messages, Instant Messengers
May 17, 2012 - "... recently received reports about private messages found on Facebook and distributing a link, which is a shortened URL pointing to an archive file “May09-Picture18.JPG_www .facebook .com.zip”. This archive contains a malicious file named “May09-Picture18.JPG_www .facebook .com” and uses the extension “.COM”. Another noteworthy routine is that this worm downloads and executes another worm, one detected as WORM_EBOOM.AC. Based on our analysis, WORM_EBOOM.AC is capable of monitoring an affected user’s browsing activity, such as message posting, deleted posted messages and private messages sent on websites such as Facebook, Myspace, Twitter, WordPress, and Meebo. It is also capable of spreading through the mentioned sites by posting messages containing a link to a copy of itself. Facebook and IM applications are tools to share and connect. Cybercriminals’ use of these tools is nothing new, but there are users who fall prey to these schemes. We recommend that users be conscious of their online behavior, in particular on social media sites*..."
Bogus Pinterest pins lead to Survey Scams
May 18, 2012 - "The continuing increase in visitors to the Pinterest site may be a primary cause why it’s becoming a hit for cybercriminals’ scams and schemes. In March, we spotted scammers using popular brands to lure users into “pinning” fake posts that led to survey scams... new wave of survey scams found came from search using “pinterest” as keyword... Upon clicking the link, users are -redirected- to a Pinterest-like webpage offering prizes, vouchers, gift cards and others... Made to resemble a typical Pinterest webpage, the fake site features a search field, add+, an about. However, these are mere images and are -not- clickable... After a user fills out the fields required in the scam page, users are also required to enter their mobile numbers. Users who do provide their numbers will receive a code on their mobile phones and will continue to receive unwanted messages, charges and other scams via text message... the fake site requires an email address...
Users entering their email addresses are brought to complete several steps to get the supposed offer. Users receive an email claiming to be from Pinterest. The email urges the user to click on the link found in the message body to confirm the subscription. Clicking on the link redirects the user to a Pinterest-like scam page. Again, all the clickable links lead to the same scam pages..."
ZeuS ransomware feature: win_unlock
May 21, 2012 - "... new variant of ZeuS 2.x. It includes a new backdoor command called: win_unlock... this slightly modified ZeuS 2.x includes a ransomware feature. When this particular variant is executed, it opens Internet Explorer with a specific page (lex.creativesandboxs .com/locker /lock.php) and prevents the user from doing anything else with the infected system. The webpage that was opened presumably showed some type of extortion message, but it's currently unavailable because the site is offline. The most straightforward way to unlock the system is to simply delete the trojan. This can be a bit tricky since the trojan prevents doing anything with the infected system; luckily, the locking itself can be easily disabled first. Looking at the code that corresponds with a received win_unlock command, it's clear the unlock information is stored in the registry. Unlocking can therefore be performed quite easily with a registry editor:
1. boot the system in safe mode
2. add a new key named syscheck under HKEY_CURRENT_USER
3. create a new DWORD value under the syscheck key
4. set the name of the new DWORD value to Checked
5. set the data for the Checked value to 1
SHA1: 03f0c26c6ba77c05152a1e0cc8bc5657f0c83119 ..."
Facebook cancellation malware poses as Flash update
May 21, 2012 - "Have you received an email asking you to confirm that you wish to cancel your account? Be on your guard... reader was in touch with us earlier today, after his suspicions were aroused by an email he had received - seemingly from Facebook. Malicious email claiming to come from Facebook
Hi [email address]
We are sending you this email to inform you that we have received an account cancellation request from you. Please follow the link below to confirm or cancel this request
The Facebook Team
To confirm or cancel this request, follow the link below:
... The link doesn't point to an official Facebook page, but a third-party application running on the Facebook platform. Of course, that means that the link -does- go to a facebook .com address - something that might fool those who are not cautious. The first thing you're likely to encounter if you did click on the link is a message asking you if you want to allow an unknown Java applet to run on your computer... they're pretty insistent that you allow it... If you hit the "No thanks" button they'll just carry on pestering you to allow the Java applet to run... They know that people value their Facebook accounts highly, and many would be upset to lose access to them and the digital connections they have built up with friends and family... If you do allow the applet to run, you will see a message telling you that Adobe Flash must be updated... the code that is downloaded is not really Adobe Flash at all. Instead, the program drops additional files into your /WIN32 folder, which have the intention of allowing remote hackers to spy on your activities and take control of your computer..."
'LinkedIn Invitation’ SPAM serving exploits and malware
May 22, 2012 - "... another round of malicious emails to millions of end and corporate users.
Once the user clicks on the link (hxxp ://hseclub .net/main.php?page=d72ac4be16dd8476), a client-side exploit, CVE-2010-1885 in particular, will attempt to drop the following MD5 on the affected host: 66dfb48ddc624064d21d371507191ff0
Upon execution the sample attempts to connect to the following hosts:
• janisjhnbdaklsjsad .ru:443 with user janisjhnbdaklsjsad .ru and password janisjhnbdaklsjsad .ru – 126.96.36.199, AS50939, SPACE-AS
• sllflfjsnd784982ncbmvbjh434554b3 .ru – 188.8.131.52, AS29568, COMTEL-AS
• kamperazonsjdnjhffaaaae38 .ru – 184.108.40.206, AS29568, COMTEL-AS
• iiioioiiiiooii2iio1oi .ru – 220.127.116.11, AS29568, COMTEL-AS
Another malware with MD5: 4b1fce0f9a8abdcb7ac515d382c55013 is known to have used one of these C&C domains in the past, janisjhnbdaklsjsad .ru in particular..."
"... this network has hosted sites that have distributed malicious software in the past 90 days. We found 26 site(s)... that infected 42 other site(s)..."
"... this network has hosted sites that have distributed malicious software in the past 90 days. We found 668 site(s)... that infected 544 other site(s)..."
Trojan bypasses mobile security to steal from Online Banking users ...
May 22, 2012 - "... a complex new criminal scheme involving the Tatanga Trojan that conducts an elaborate Man in the Browser (MitB) attack to bypass SMS based transaction authorization to commit online banking fraud. The scam targets online banking customers of several German banks. When the victim logs on to the online banking application, Tatanga uses a MitB webinject that alleges the bank is performing a security check on their computer and ability to receive a Transaction Authorization Number (TAN) on their mobile device. In the background, Tatanga initiates a fraudulent money transfer to a mule account. It even checks the victim’s account balance, and will transfer funds from the account with the highest balance if there is more than one to choose from. The victim is asked to enter the SMS-delivered TAN they receive from the bank into the fake web form, as a way to complete this security process. By entering the TAN in the injected HTML page the victim is in fact approving the fraudulent transaction originated by Tatanga against their account. Even though the victim is presented with the fund transfer amount and the destination account information in the SMS message that contains the TAN, the injected HTML page claims that the process uses “experimental” data and that no money will leave their account... Once the victim enters the TAN in the fake form and hits submit, the funds are transferred to the fraudster’s account. Meanwhile, Tatanga modifies the account balance reports in the online banking application to hide the fraudulent transaction... By combining a MitB attack and social engineering, Tatanga is able to circumvent out-of-band authentication used by many banks. Then it goes one step further by hiding evidence of the fraudulent transaction from the victim using a post transaction attack mechanism. Fortunately, the text in the injected HTML page is littered with grammar and spelling mistakes and appears not to have been written by a German speaker... 
... they are blending multiple attack methods in a single fraud scam... However, they still need to compromise the endpoint with malware, which can be prevented."
Flame: Questions and Answers
May 28, 2012 - "... Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators. Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage..."
(More detail at the kaspersky URL above.)
May 28 2012 - "... Several component files have been identified. These are:
• nteps32.ocx ..."
May 28, 2012
29 May 2012
30 May 2012 - "... Full understanding of W32.Flamer requires analyzing each of the approximately 60 embedded Lua scripts, reversing each of the sub-components, and then building this all back together..."
UN to warn member nations on risk of Flame virus
Severity: Elevated
May 30, 2012
Analysis: ... the threat from this malware or any other malware with the same types of capabilities can be significant, depending upon the motives of those driving the attack campaigns. Nation states may be involved and using this toolkit for spying purposes, but there is no clear attribution at this stage.
CareerBuilder fake SPAM serves exploits and malware
May 30, 2012 - "... Cybercriminals are currently spamvertising millions of emails impersonating the popular jobs portal CareerBuilder in an attempt to trick users into clicking on client-side exploits serving links... they’re spamvertising a binary that’s largely detected by the security community...
Spamvertised URL: hxxp ://karigar .in/car.html
Client-side exploits served: CVE-2010-0188 and CVE-2010-1885
Malicious client-side exploitation chain: hxxp ://karigar .in/car.html -> hxxp ://masterisland .net/main.php?page=975982764ed58ec3 -> hxxp ://masterisland .net/data/ap2.php -sometimes- hxxp ://strazdini.net/main.php?page=c6c26a0d2a755294 is also included in the redirection.
Upon successful exploitation drops the following MD5: 518648694d3cb7000db916d930adeaaf
Upon execution it phones back to the following URLs/domains:
zorberzorberzu .ru/mev/in/ (18.104.22.168)
prakticalcex .ru – 22.214.171.124
Thanks to the overall availability of malware crypting on demand services, we believe that it’s only a matter of time before the cybercriminals behind this campaign realize that they’re spamvertising an already detected executable, crypt it and spamvertise it once again this time successfully slipping it through signatures-based antivirus scanning solutions..."
Pharma SPAM on Dropbox
May 31, 2012 - "Pharma Spam pages sometimes pop up on Dropbox accounts (along with more dubious content*, if you’re really unlucky), and it seems we have another one lining up to sell you some pills.
Clicking through will take the end-user to a typically generic pills website:
... the best advice would be “don’t bother” (especially if it involves random spam in your mailbox)..."
Small 20K trojan does damage
1 June 2012 - "Security experts at CSIS* say that they have discovered the smallest online banking trojan yet. Called Tiny Banker (Tinba), the malware is just barely 20KB in size, including its configuration files. Like Zeus, Tinba uses man-in-the-browser techniques and easily extendable configuration files to manipulate bank web sites via webinjects. Webinjects can be used, for example, to create additional fields for numerical single-use passwords that the attackers can then leverage to authorise fraudulent payments. Tinba can also uncover standard passwords and monitor network traffic. Tinba is a bot in the classical sense; it uses an encoded connection to deliver data it has collected to a command and control server, which in turn gives the bot new orders. According to CSIS, Tinba has only been used on a very small number of banking web sites so far, but its modular structure means that the perpetrators should not have any problems adding other sites to that list."
Fake Facebook SPAM e-mails...
June 4, 2012 - "Using phony Facebook emails to draw recipients to pharmacy websites is not a new trick... this is no ordinary Viagra shop – it’s the WikiPharmacy! The phony Facebook emails and the pharmacy destination are shown below...
... the links in the emails above lead to compromised websites. These unknowingly host -redirects- to the WikiPharmacy...
'You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 3 ago. This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.
If you have any other questions, please visit our Help Center.
The Facebook Team ...' "
Facebook privacy notice chain letter - hoax
June 5, 2012 - "... messages are simply another chain letter type hoax pinned upon wishful thinking. If you are uncomfortable with Facebook monetizing your content or making your content available to the US government you either need to avoid posting the content to Facebook, or more carefully control your privacy settings and hope the authorities don't seek a court order for your information. If you receive one of these messages from a friend, kindly notify them that it is not legally valid. You might also suggest they check with Snopes* or the Naked Security Facebook page** before propagating myths."
284,000 WordPress sites hacked? Probably not.
June 6, 2012 - "This Amazon order confirmation email is a fake:
Every link leads to malware. Every link leads to a different compromised WordPress site. And they all seem to be using one of the most common WordPress theme directories – check out the links:
http ://maximconsulting .us/wp-content/themes/twentyten/—e.html
http ://hampsteadelectrician .com/wp-content/themes/twentyten/—e.html
http ://mormonwomenvoices .com/wp-content/themes/twentyten/—e.html
http ://steppingstones-online .co.uk/wp-content/themes/twentyten/—e.html ... etc.
Notice a trend? – The evil redirect html file (—e.html) is located in the “twentyten” theme directory of all of these sites – and all of the sites we checked in every other version of the phony Amazon order. A Google search tells us that there are 284,000 sites with a similar structure:
... this does not indicate an issue with the theme itself. Chances are that the exploit that has allowed hackers to take over these sites is in a plugin or maybe (less likely) the CMS itself. Using the “twentyten” directory is a safe bet for a hacking script since almost every WordPress installation will have it. The malware targets known Adobe Reader and Acrobat exploits."
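As an added example (not code from the post or its source), a small Python triage helper that flags e-mail links pointing at a static .html file inside a WordPress theme directory and groups them by filename, so that one redirect page recurring across unrelated hosts stands out the way it did in the Amazon lure. The four lure URLs are the ones quoted above (defanged as in the post); the benign links are constructed.

```python
import re
from urllib.parse import urlparse

# A standalone .html file directly inside a WordPress theme directory
# (/wp-content/themes/<theme>/<file>.html). Themes ship PHP templates, not
# static HTML pages, so such a file is a useful triage signal for redirect
# pages planted in a directory that almost every WordPress install has.
THEME_HTML_RE = re.compile(
    r"^/wp-content/themes/(?P<theme>[^/]+)/(?P<file>[^/]+\.html?)$",
    re.IGNORECASE,
)


def refang(url):
    """Undo the 'hxxp' / 'host .tld' defanging used in write-ups so urlparse works."""
    return url.replace("hxxp", "http").replace(" ://", "://").replace(" .", ".")


def classify_link(url):
    """Return (theme, file) when the URL points at an .html file in a theme dir, else None."""
    parsed = urlparse(refang(url))
    match = THEME_HTML_RE.match(parsed.path)
    if match is None:
        return None
    return (match.group("theme"), match.group("file"))


def triage_links(urls):
    """Map each (theme, file) hit to the list of hostnames it was seen on."""
    hits = {}
    for url in urls:
        info = classify_link(url)
        if info is None:
            continue
        hits.setdefault(info, []).append(urlparse(refang(url)).hostname)
    return hits


def shared_redirect_files(urls, min_hosts=2):
    """(theme, file) pairs seen on at least min_hosts distinct hosts: the same
    redirect filename across unrelated sites points at one mass-compromise campaign."""
    return {
        key: sorted(set(hosts))
        for key, hosts in triage_links(urls).items()
        if len(set(hosts)) >= min_hosts
    }


# Sample input: the four defanged lure URLs quoted in the post, plus two
# constructed benign links that must not be flagged.
SAMPLE_LINKS = [
    "http ://maximconsulting .us/wp-content/themes/twentyten/—e.html",
    "http ://hampsteadelectrician .com/wp-content/themes/twentyten/—e.html",
    "http ://mormonwomenvoices .com/wp-content/themes/twentyten/—e.html",
    "http ://steppingstones-online .co.uk/wp-content/themes/twentyten/—e.html",
    "https://example.com/wp-content/themes/twentyten/style.css",  # constructed, benign
    "https://example.org/blog/order-confirmation.html",            # constructed, benign
]

if __name__ == "__main__":
    for (theme, fname), hosts in shared_redirect_files(SAMPLE_LINKS).items():
        print(f"{theme}/{fname} seen on {len(hosts)} hosts: {', '.join(hosts)}")
```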
Flame self-destruct cmd sent ...
6 Jun 2012 - "Late last week, some Flamer command-and-control (C&C) servers sent an updated command to several compromised computers. This command was designed to completely remove Flamer from the compromised computer. The Flamer attackers were still in control of at least a few C&C servers, which allowed them to communicate with a specific set of compromised computers. They had retained control of their domain registration accounts, which allowed them to host these domains with a new hosting provider. Compromised computers regularly contact their pre-configured control server to acquire additional commands. Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer. One could also call it the "uninstaller".
The browse32.ocx module has two exports:
1. EnableBrowser — This is the initializer, which sets up the environment (mutex, events, shared memory, etc.) before any actions can be taken.
2. StartBrowse — This is the part of the code that does the actual removal of the Flamer components.
The module contains a long list of files and folders that are used by Flamer. It locates every file on disk, removes it, and subsequently overwrites the disk with random characters to prevent anyone from obtaining information about the infection..."
Spoofed Xanga malicious emails ...
7 Jun 2012 - "Hot on the trail of yesterday's spoofed Craigslist malicious emails* comes another variant, spotted today. This one spoofs a Xanga blog notification about a comment on your blog. So far we have seen about 140,000 of these in our Cloud Email Security portal... a sample:
Subject: New Weblog comment on your post!
... the "Click here to reply" link goes to this URL:
hxxp ://www.1000sovetov .kiev.ua/wp-content/themes/esp/wp-local.htm
hxxp ://pushkidamki .ru:8080/forum/showthread .php?page=5fa58bce769e5c2c
Those are the sites that host the exploit kit.
Basically, the lure has changed, but the URLs suggest this is all part of the same malicious campaign. We can probably expect a few more themes in the coming weeks, as the cybercriminals try to broaden their victim base..."
Pharmacy SPAM - Facebook/Digg app
June 14th, 2012 - "... a “Facebook Social Reader” for Digg – but “Facebook Social” is a neatly confusing invention of pharmacy spammers... The email welcomes users to the new service and invites them to “view profile details”:
The links in the email lead to compromised websites ... Scripts hidden on these sites redirect users to the destination pharmacy site – the “Toronto Drug Store” which apparently is an “essential part of the Canadian RX Network”:
Thank you for registering with us at Facebook Social. We look forward to seeing you around the site.
Your profile has two different views reachable through clickable tabs:
• View My Profile: see your profile as your network does
• Edit My Profile: edit the different elements of your profile
View profile details.
What is Facebook Social Share?
Enable Facebook social sharing, and share your Digg experience with your Facebook friends. Let your friends see what you’re reading as you discover the best news around the web. Click the Social button to turn this off.
FAKE Classmates.com email
June 13th, 2012 - "Classmates.com has become the latest in a series of well-known brands to be abused by a particular gang of malware distributors. The similarities to other outbreaks include:
• Linking to multiple compromised sites which then redirect to the malware hosting sites
• Favoring WordPress sites (that can be exploited)
• Hosting the malware on various .ru domains
• Showing simple messages on the malware page such as “Please Wait – Loading” (black text on white)
• Using the same Flash exploits in the malware
Previous attacks use well known brands such as Amazon.com, LinkedIn, Verizon Wireless and AT&T Wireless. The Classmates.com email thanks the recipient for joining and provides links to confirm the user or make corrections:
Once again the initial link is to a compromised WordPress site. A script hidden on this site dynamically builds a redirect to a forum site. Here, a second script embedded in a forum post directs to the final .ru domain which displays the expected “Loading” message. This “double-hop” is a slight change from previous similar attacks:
The malware on the final site checks for PDF and Flash versions on the target PC.
• If an appropriate version is found it then redirects to a malicious SWF flash file.
• If not it redirects to google .de"
LinkedIn SPAM serving Adobe and Java exploits
06/14/12 - "... email that appeared to come from LinkedIn. The email was inviting you to check your LinkedIn Inbox. As you know, LinkedIn was hacked some time ago and passwords were compromised in the attack... If we verify the “To” and “CC” fields of this email, we see about -100- other recipients... email in question:
Subjects of this email might be: 'Relationship LinkedIn Mail', 'Communication LinkedIn Mail', 'Link LinkedIn Mail' or 'Urgent LinkedIn Mail'. No doubt the subjects of this email will vary, and are not limited to these four.
- Step 1 and step 2 of the cybercrook’s scheme are already fulfilled. Now he just has to wait until someone clicks on one of the links. Which brings us to point 3.
- Suppose someone clicks on the link. What will happen exactly? This depends on the version of these programs that may be installed on your computer: Adobe Reader / Java
In some cases, your browser will crash. In other cases, the page will just appear to sit there and nothing happens... the exploit will begin doing its work... seems to spawn a .dll file, which in turn spawns another file.. Your machine is executing malware and is in the process of being infected... a malicious executable which will start every time the computer boots. The exploits’ source is probably the Blackhole exploit kit. The exploits in question are: CVE-2006-0003 / CVE-2010-0840
Unknown (at this point) Adobe Reader exploit
- Step 3 and 4 have also been accomplished now. The user clicked on the link, the exploit(s) got loaded and the user is now infected. The malware will try to phone home or connect to the following IP addresses: 126.96.36.199 / 188.8.131.52 . The IPs (184.108.40.206 in particular) are part of a known botnet. The IPs are used to receive new instructions from the botherder or to download additional malware... lesson is a very important one and is one of the basics of security... Keep ALL of your software up-to-date! This means Adobe, Java, but don’t forget other software, for example VLC, Windows Media Player...This also includes installing your Windows patches, keeping your browser up-to-date as well as any plugins or add-ons you might have installed..."
9500 malicious sites a day found by Google
20 June 2012 - "Google's Safe Browsing programme, which searches for malicious sites and warns browser users when they attempt to visit them, is now five years old, and the problem of malicious sites is still as bad as ever with the system finding more than nine thousand dangerous sites a day. In a post* marking the five year anniversary, Google shared statistics on how effective the system has been... the problem of malicious sites is still growing. Google's own statistics show they are currently discovering over 300,000 phishing sites a month, the highest detection rate ever. These sites may be online for only an hour as they attempt to avoid being detected by services like Safe Browsing, and they have become more targeted both through spear phishing attacks which target particular groups of individuals and through attacks aimed at companies and banks. Phishing sites are also likely to try and get the user to install some malware. Malware distribution through compromised innocent sites is still commonplace, but according to Google, attack web sites built specifically to deliver malware to victims are being used in increasing numbers. While these attacks have used drive-by downloads and other technical mechanisms to deploy the malware, Google notes that social engineering attacks, while still behind drive-by attacks in frequency, are a rapidly growing category. Google asks that people don't ignore their warnings when they see them in the browser..."
Zeus-SpyEye ATS module masks online Banking Theft
Automated attack bypasses two-factor authentication
Jun 18, 2012 - "A newly discovered online banking fraud tool cheats two-factor authentication, automates the attack, and hides out so that victims can't see losses or traces of the theft until long after the money is gone. Security researchers at Trend Micro during the past few months have studied a dangerous new module for Zeus and SpyEye that automatically withdraws funds from a victim's account without the attacker having to monitor the process, even if it includes strong authentication. So far, the so-called automatic transfer systems (ATS) attacks are targeting banking customers in Europe, namely in Germany, England, and Italy, where two-factor authentication is used via SMS..."
June 21, 2012 - "... it is possible to detect various active ATSs in the wild that based on a common framework used by cybercriminals to conduct automated fraud. Typically the schemes use phishing emails with links to tainted pages, malware attachments or drive-by download attacks from malicious or even compromised legitimate sites..."
AutoCAD malware - targeted for Industrial Espionage
Last Updated: 2012-06-25 04:19:38 UTC - "A number of sites have published an analysis of relatively new malware, ACAD/Medre.A*... somewhat unique in that it seems to be highly targeted and specialized. The current version of ACAD/Medre.A seems to be targeted at AutoCAD files hosted at IP addresses in Peru. ACAD/Medre.A is not just thrown together, low quality malware. Analysis reveals it is well written; at a level that suggests an experienced malware writer wrote it... Either it is a limited test of a new malware concept that will be unleashed on the general world in the future. The malware is written using AutoLISP, the AutoCAD built-in scripting language; to the best of my knowledge, it is the first malware written in this language. Another possibility is that it is a targeted intellectual property attack by one of the organized malware groups..."
June 25, 2012
June 22, 2012
Removal tool here: http://download.eset.com/special/EACADMedreCleaner.exe
UPS delivery tracking SPAM emails serving client-side exploits and malware
June 25, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating United Parcel Service (UPS) in an attempt to trick end and corporate users into clicking on exploits and malware serving links found in the malicious emails... Upon clicking on the link, the campaign is serving client-side exploits using the Black Hole web malware exploitation kit, and in this particular campaign it’s attempting to exploit CVE-2010-1885 and CVE-2012-0507...
File name: Shipping, Freight, Logistics and Supply Chain Management from UPS.htm
Detection ratio: 2/42
Analysis date: 2012-06-14 20:49:04 UTC
... Upon successful client-side exploitation the second malicious URL drops MD5: 5e187c293a563968dd026fae02194cfa, detected by 3 out of 42 antivirus scanners as PAK_Generic.001. Upon execution it creates the following file:
%AppData%\KB00121600.exe – MD5: 5E187C293A563968DD026FAE02194CFA - detected by 3 out of 42 antivirus scanners as PAK_Generic.001
Upon execution, the sample phones back to 220.127.116.11 /zb/v_01_b/in on port 8080. Another sample is known to have phoned back to the same URL, namely, MD5: 108F10F0921F2B4FCA87FE6E620D21EF which phones back..."
(More detail at the webroot URL above.)
Fake PayPal account confirmation emails lead to phishing sites
June 26, 2012 - "... Phishers have just started spamvertising hundreds of thousands of legitimate-looking PayPal themed emails, in an attempt to trick users into entering their accounting data on the fraudulent web site linked in the emails...
Screenshot of the spamvertised PayPal themed campaign:
... Sample spamvertised text:
Dear PayPal Costumer, It has come to our attention that your PayPal® account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service. However, failure to update your records will result in account suspension. Please update your records before June 12, 2012. Once you have updated your account records, your PayPal® account activity will not be interrupted and will continue as normal.
Upon clicking on the link found in the phishing emails, users are presented with the following legitimate-looking PayPal login page:
Users are advised to avoid interacting with the emails, and to report them as fraudulent/malicious as soon as they receive them."
Red - Virus Outbreak In Progress
Real-time Outbreak Details
June 29, 2012
Bogus online casino themed emails serving W32/Casonline
June 28, 2012
Fake Delta email leads to Sirefef, Fake AV
June 27, 2012
Fake DHL emails serving malware
June 26, 2012
Garbage print jobs...
July 2, 2012 - "...we have received several customer issues about garbage being printed on their network printers... we came across a new -worm- that causes the garbage print jobs. Symantec detects this worm as W32.Printlove. W32.Printlove uses the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (CVE-2010-2729)* discovered in 2010 to spread across networks. We have created a video..."
MS10-061 - Critical
Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2729 - 9.3 (HIGH)
Last revised: 07/19/2011 - "... as exploited in the wild in September 2010, aka 'Print Spooler Service Impersonation Vulnerability'."
Last Updated: 2012-06-21
5 July 2012
GoPro is compromised serving malicious code
4 Jul 2012 - "... Websense... has detected that the official website of GoPro (at gopro.com), the popular brand for "wearable" cameras, has been compromised and injected with malicious code. We have contacted GoPro and let them know about the compromise but to date, we have not heard back from them... The injected code is resident in multiple locations on the main page. This injection is part of mass injection that is known to us and that is doing its rounds over the web at the moment... Once a user visits gopro .com the injected code gets translated to an Iframe that leads the user automatically and without any interaction to a malicious redirector at ad.fourtytwo.proadvertise .net ... The malicious redirector at ad.fourtytwo.proadvertise .net further redirects the user to an exploit Website loaded with the Blackhole exploit kit located at ad.banchoath .com. On the exploit website several exploits are sent to the user's browser and on successful exploitation the user's machine is infected with malware, at the time of the post... according to virustotal...
File name: !r033PlxM.exe
Detection ratio: 4/42
Analysis date: 2012-07-04 17:44:13 UTC
... The injected code translates to an Iframe that takes without user interaction the visitor to an exploit Website..."
Site is listed as suspicious - visiting this web site may harm your computer... the last time suspicious content was found on this site was on 2012-07-04. Malicious software includes 1 trojan...
Site is listed as suspicious - visiting this web site may harm your computer... the last time suspicious content was found on this site was on 2012-07-04. Malicious software includes 7 trojan(s)...
Java exploit-in-the-wild ...
July 5, 2012 - "... more than 3 billion devices run Java and many of these installations are months out of date... a malicious “.jar” file that — when scanned at Virustotal.com — was detected by just -one- antivirus product (Avira), which flagged it as Java/Dldr.Lamar.BD*. The description of that threat says it targets a Java vulnerability tagged as CVE-2012-1723, a critical bug fixed in Java 6 Update 33 and Java 7 Update 5**..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1723 - 10.0 (HIGH)
11 July 2012
July 16, 2012 - "... Websense* said that they've seen the Black Hole exploit kit targeting this vulnerability and using a series of freshly registered domains... The vulnerability could evade the JRE (Java Runtime Environment) sandbox and load additional Java classes in order to perform malicious actions..."
15 Jul 2012
Phishing campaign targeting Gmail, Yahoo, AOL and Hotmail ...
July 9, 2012 - "... intercepted a currently active phishing campaign that’s a good example of a popular tactic used by cybercriminals known as ‘campaign optimization’. The reason this campaign is well optimized is that it simultaneously targets Gmail, Yahoo, AOL and Windows Hotmail email users... Sample screenshot of the spamvertised phishing email:
Spamvertised URL hosted on a compromised Web server: tanitechnology .com/fb/includes/examples/properties/index .htm - the URL is currently -not- detected by any of the 28 phishing URL scanning services used by the VirusTotal service. Sample screenshot of the landing phishing page affecting multiple free email service providers:
What makes an impression is the poor level of English applied to the campaign’s marketing creative. Moreover, it’s rather awkward to see that the landing phishing page is themed using the Online Real Estate brand Remax, a brand that has nothing to do with the enforcement of a particular marketing message related to the phishing campaign. Users are advised to avoid interacting with similar pages, and to always ensure that they’re on the right login page before entering their accounting data."
Red - Virus Outbreak In Progress
July 11, 2012
Fake Personal Photos E-mail Messages... Updated July 11, 2012
Fake Portuguese Contract Confirmation Email Messages... New July 11, 2012
Fake Hotel Reservation Confirmation Details E-mail Messages... Updated July 11, 2012
Fake DHL Express Tracking Notification E-mail Messages... Updated July 11, 2012
Unknown Malicious Files Distributed in E-mail Messages... New July 11, 2012
Fake USPS Parcel Delivery Failure Notification E-mail Messages... Updated July 11, 2012
Fake Warning Notification E-mail Messages... Updated July 11, 2012
Fake DHL Express Tracking Notification E-mail Messages... Updated July 11, 2012 ...
Blended attacks in Q2 2012
July 12, 2012 - "Commtouch’s quarterly Internet Threats Trend Report covers Web threats, phishing, malware, and spam. The July 2012 report describes how distributors of malware, spam and phishing attacks are relying more and more on compromised websites. This tactic is designed to outwit email security and Web security systems that consider a site’s reputation before blocking it. Legitimate websites with positive online reputations but with deficient plugins and known vulnerabilities were harvested en masse in the second quarter of 2012 to host redirects, malware, pharmacy sites and phony login pages. The hacked websites were combined with effective social engineering that exploited multiple well-known brands to draw in victims. Similar branding tricks were used to distribute malware via email attachments. The popular file synchronization and sharing site Dropbox was also used as a malware distribution point in an attack promising free movie tickets..."
(More detail in slideshow at the URL above.)
July 12, 2012 - Infographic
2012 June Symantec Intelligence Report - slideshow:
Jul 06, 2012
Fake UPS emails - client-side exploits and malware ...
July 18, 2012 - "... cybercriminals systematically abuse popular brands and online services. Next to periodically rotating the brands, they also produce professional looking email templates, in an attempt to successfully brand-jack these companies, and trick their customers into interacting with the malicious emails... currently spamvertised client-side exploits and malware serving campaign impersonating UPS (United Parcel Service). Once users click on the links found in the malicious email, they’re automatically redirected to a Black Hole exploit kit landing page serving client-side exploits, and ultimately dropping malware on the exploited hosts... Upon successful client-side exploitation, the campaign drops MD5: 4462c5b3556c5cab5d90955b3faa19a8 on the exploited hosts. Detection rate: the sample is detected by 29 out of 41 antivirus scanners** as Trojan.Injector.AFR; Worm.Win32.Cridex.fb... This is the -third- UPS-themed malware serving campaign that we’ve intercepted over the past two months. Next to the malware serving campaigns impersonating DHL, we expect that we’re going to see more malicious activity abusing these highly popular courier service brands. UPS has acknowledged this threat and offered its perspective here*..."
File name: 20120710_221334_4462C5B3556C5CAB5D90955B3FAA19A8_CAE93.VIR
Detection ratio: 29/41
Analysis date: 2012-07-14
Fake SpamCop E-mail Account Alert Notification E-mail Messages - New July 19, 2012
Fake FedEx Shipment Notification E-mail Messages- Updated July 19, 2012
Fake Hotel Reservation Confirmation Details E-mail Messages- Updated July 19, 2012
Fake Product Order Notification E-mail Messages - New July 19, 2012
Fake Contract Notification E-mail Messages - Updated July 19, 2012
Fake DHL Express Tracking Notification E-mail Messages - Updated July 19, 2012
Fake USPS Package Delivery Notification E-mail Messages- Updated July 19, 2012
Fake Airline Ticket Confirmation Attachment E-mail Messages - Updated July 19, 2012 ...
Fake Facebook email leads to malware ...
July 17, 2012 - "Be wary of emails claiming to be from Facebook, and saying that you have been tagged in a photograph. Because it might be that you're the next potential victim of a malware attack. SophosLabs has intercepted a spammed-out email campaign, designed to infect recipients' computers with malware...
... (Did you notice what was odd about the email? The 'from' address misspells Facebook as "Faceboook" with three "o"s) If you click on the link in the email, you are -not- taken immediately to the real Facebook website. Instead, your browser is taken to a website hosting some malicious iFrame script (which takes advantage of the Blackhole exploit kit)..."
The Rise of the “Blackhole” Exploit Kit:
The Importance of Keeping All Software Up To Date
19 Jul 2012
Top 10 locations with the most detections of Blacole - second half 2011 (2H11)
Olympic malware on the Web ...
20 Jul 2012 - "... Websense... researchers are already seeing data-stealing malware that aims to capitalize on the Games. Malware piggybacks on the buzz surrounding current, high profile events like the Olympics in order to steal personal data. Olympics-themed content armed with malware is introduced mainly through social engineering-based attacks. The cyber criminals behind the themed attacks know that they have a better chance of enticing potential victims by appearing current and relevant to a hot topic. That gets clicks, and the chance to spread their data-stealing creations... the Polish Computer Emergency Response Team (CERT)... analyzed an interesting sample of data-stealing malware*. This malware, once executed, has the ability to interact with social channels like Facebook, Skype, and Microsoft Live Messenger. This particular variant spreads malicious URLs through those channels and the victim's contact list... it employs a socially engineered attack accompanied by a malicious URL that ultimately leads to a malware file that is part of a bot network... analysis is based on a sample (MD5: 3E50B76C0066C314D224F4FD4CBF14D5 ) of the same malware family reported by the CERT.PL advisory. It is also detected as Pushbot, which is known to be a data-stealing malware variant... the malware looks in memory for these processes: opera.exe, firefox.exe, iexplore.exe, skype.exe, and msnmsgr.exe. When it uses a web browser, the malware changes the starting page to redirect user HTTP sessions to malicious websites. In the case of Skype or Microsoft Live Messenger, the malicious process is able to forge HTTP requests with malicious payloads to users in the victim's contacts list. We have also detected a Facebook URL forger used to build proper HTTP requests and send them to the Facebook server. In this way, if there is an active Facebook session, the malware can send malicious messages to the victim's Facebook friends list...
The IP addresses so far are: 18.104.22.168, 22.214.171.124, and 126.96.36.199... The URL hxxp ://lokralbumsgens. com/pictures.php?pic=google is still active, and the domain was registered 20 days ago..."
Fake Intuit emails lead to BlackHole exploit kit
July 20, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating Intuit, in an attempt to trick end and corporate users into clicking on the malicious links found in the emails. The emails pretend to be coming from Intuit’s PaymentNetwork and acknowledge the arrival of an incoming payment. In reality though, they -redirect- users to Black Hole exploit kit landing URLs where client-side exploits are served, and ultimately malware is dropped on the infected hosts.
Screenshot of the spamvertised Intuit themed malicious email:
... Upon clicking on the links found in the email, users are exposed to the following -bogus- “Page loading…” page:
- Spamvertised URLs: hxxp ://sklep.kosmetyki-nel .pl/intpmt.html; hxxp ://kuzeybebe .com/o3whbp0G/index.html; hxxp ://senzor .rs/prolintu.html
- Client-side exploits serving URLs: hxxp ://188.8.131.52/view.php?s=2acc7093df3a2945;
hxxp ://proamd-inc .com/main.php?page=8cb1f95c85bce71b;
hxxp ://thaidescribed .com/main.php?page=8cb1f95c85bce71b
- Client-side exploits served:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1885 - 9.3 (HIGH)
... Upon successful client-side exploitation, the campaign drops MD5: 4462c5b3556c5cab5d90955b3faa19a8* on the exploited hosts.
File name: file
Detection ratio: 33/42
Analysis date: 2012-07-20 10:47:57 UTC
... Worm.Win32.Cridex.fb; Worm:Win32/Cridex.B. Upon execution, the sample phones back to renderingoptimization .info – 184.108.40.206, Email: pauletta_carbonneau2120 @quiklinks .com on port 443. Here is information on Intuit’s Online Security Center about this threat:
> http://security.intuit.com/alert.php?a=49 ..."
Malware targets Facebook users with Children’s Charity SCAM
July 24, 2012 - "We recently discovered a configuration of the Citadel malware that targets Facebook users with a fake request for donations to children’s charities in order to steal credit card data. After users have logged into their Facebook account, the Citadel injection mechanism displays a pop up that encourages the victim to donate $1 to children who “desperately” need humanitarian aid. Then, it asks users to fill in their credit card details. The malware is configured to deliver the attack based on the user's country/language settings, with web-injection pages in five different languages: English, Italian, Spanish, German and Dutch. In an interesting twist, the criminals do not reuse the same text for every language. Instead, they have customized each attack based on the victim’s country and/or region... This attack illustrates the continuing customization of financial malware and harvesting of credit card data from the global base of Facebook users. Using children’s charities as a scam makes this attack believable and effective. Meanwhile, the one dollar donation amount is low enough that virtually anyone can contribute if they choose. This is a well-designed method for stealing credit and debit card data on a massive scale."
(More detail at the URL above.)
Malware served using bogus ‘Hotel Reservation Confirmation’ emails...
July 23, 2012 - "... Cybercriminals are currently spamvertising millions of emails impersonating Booking.com, in an attempt to trick end and corporate users into downloading and executing the malicious archive attached to the emails...
Screenshot of a sample spamvertised email:
... The malicious Hotel-Reservation-Confirmation_from_Booking.exe (MD5: 7b60d5b4af4b1612cd2be56cfc4c1b92 ) executable is detected... as Backdoor.Win32.Androm.cp; Mal/Katusha-F ..."
File name: file
Detection ratio: 34/41
Analysis date: 2012-07-24
Threat Outbreak Alerts
Fake Airline Ticket Confirmation Attachment E-mail Message - Updated July 24, 2012
Fake FedEx Shipment Notification E-mail Messages - Updated July 24, 2012
Fake Product Details Attachment E-mail Messages - New July 24, 2012 ...
Malware-laced traffic ticket SPAM coming to an Inbox near you
July 25, 2012 - "Not fearing prosecution, cybercriminals regularly impersonate law enforcement online in an attempt to socially engineer end users and corporate users into interacting with their malicious campaigns. From 419 scams, police ransomware, to law enforcement themed malware-serving email campaigns, cybercriminals continue abusing the international branches of various law enforcement agencies... a currently spamvertised malware-serving campaign, indicating that the user has “violated red light traffic signal” and that he should download the -fake- camera recording of his vehicle attached to the email...
Screenshot of the spamvertised email:
... The attached malware*... is detected... as Trojan:W32/Agent.DTYU; Backdoor.Win32.Androm.dc..."
File name: file
Detection ratio: 34/41
Analysis date: 2012-07-25
25 July 2012
‘Download your USPS Label’ emails serve malware
July 26, 2012
Twitter targeted to spread exploits/malware serving tweets
July 27, 2012 - "Over the past several days, cybercriminals have been persistently spamvertising thousands of exploits and malware serving links across the most popular micro blogging service. Upon clicking on the [links], users are exposed to the exploits served by the Black Hole web malware exploitation kit...
Screenshot of a sample automatically registered account spamvertising malicious links to thousands of Twitter users:
... an automatically generated subdomain is spamvertised with an .html link consisting of the name of the prospective victim. The cybercriminals behind the campaign are harvesting Twitter user names, then automatically generating the username.html files. For the time being, they’re only relying on two static propagation messages, namely, “It’s about уou?” and “It’s уou оn photo?“... the redirection also takes place through the following domains
hxxp ://traffichouse .ru/?2 – 220.127.116.11
hxxp ://traffichouse .ru/?5 – 18.104.22.168
Responding to the same 22.214.171.124 IP are also the following domains:
Client-side exploits serving domain: hxxp ://oomatsu.veta .su/main.php?page=afaf1d234c788e63
Upon successful client-side exploitation, the campaign drops MD5: 5d1e7ea86bee432ec1e5b3ad9ac43cfa* on the affected hosts. Upon execution, the sample phones back to the following URLs, where it downloads additional malware on the affected hosts:
hxxp ://126.96.36.199 /api/urls/?ts=1f737428&affid=35000
hxxp ://thanosactpetitioned .cu.cc/f/notepad.exe?ts=1f737428&affid=35000 ..."
File name: 5d1e7ea86bee432ec1e5b3ad9ac43cfa.exe
Detection ratio: 16/41
Analysis date: 2012-07-27 19:21:48 UTC
July 27, 2012
Blackhole malware attack spreading on Twitter ...
Severity: Elevated Severity
July 27, 2012
Another attack by the BlackHole exploit kit reminds us that patching is most important.
Analysis: If a user clicks on these links posted to various Twitter feeds, they will be redirected to a Black Hole exploit kit website that will attempt to exploit vulnerabilities on their system that can be reached through the web browser. Unpatched Java is one of the most popular attack methods these days; however, a batch of other issues in technologies such as Adobe Reader, Flash and various browsers are also part of the attack strategy. Robust patching for home and enterprise users will greatly reduce the pain of such exploit kits that are based on "drive-by" exploits. The enticement tactic is always going to change, but the intent is the same - to trick the user into clicking on something and getting infected.
Source: Outbreak: http://nakedsecurity.sophos.com/2012/07/27/outbreak-blackhole-malware-attack-spreading-on-twitter-using-its-you-on-photo-disguise/
More Olympic malware ...
Relay Race To Ruin: Cybercrime in the Olympics
Illegal TV Cards Allowing Free Olympic Viewing Sold Online
Bogus London Olympics 2012 Ticket Site Spotted
Countdown to the Olympics: Are You Safe?
Spammed Messages* Attempt to Cash In on London 2012 Olympics
More Olympics-related threats - Blackhat Search Engine Optimization (BHSEO)
July 29, 2012
July 28, 2012
Fake Roxy Palace Casino Promotional Code Notification E-mail Messages - Updated July 30, 2012
Fake UPS Payment Document Attachment E-mail Messages - Updated July 30, 2012
Fake Financial Transaction Scanned Document - New July 30, 2012
Fake Bank Transfer Receipt E-mail Messages - New July 30, 2012
Fake Picture Link E-mail Messages - Updated July 30, 2012
Fake Coupon Offer E-mail Messages - Updated July 30, 2012
Fake German E-mail Billing Requests - New July 30, 2012
Fake Blocked Credit Card Notification E-mail Messages - Updated July 30, 2012
Malicious Personal Pictures Attachment E-mail Messages - Updated July 30, 2012 ...
Fake CPA/AICPA emails lead to BlackHole exploit kit
August 1, 2012 - "Certified public accountants, beware... Cybercriminals are currently spamvertising millions of emails impersonating AICPA (American Institute of Certified Public Accountants) in an attempt to trick users into clicking on the client-side exploits and malware serving links found in the emails...
Screenshot of the spamvertised email:
... Spamvertised URL: hxxp://thewebloan .com/wp-includes/notice.html
Client-side exploits serving URLs parked on the same IP (188.8.131.52) - hxxp ://jeffknitwear .org/main.php?page=8614d3f3a69b5162;
hxxp ://lefttorightproductservice .org/main.php?page=4bf5d331b53d6f15
Client-side exploits serving domains responding to the same IP:
toeplunge .org; teloexpressions .org; historyalmostany .org
Client-side exploits served:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1885 9.3 (HIGH)
Detection rate for a sample redirection script with MD5: fa9daec70af9ae2f23403e3d2adb1484 *
... Trojan.Script!IK; JS/Iframe.W!tr
Upon successful client-side exploitation, the campaign drops
MD5: b00af54e5907d57c913c7b3d166e6a5a ** on the affected hosts...
Trojan.PWS.YWO; Trojan-Dropper.Win32.Dapato.bmtv ..."
File name: AICPA.html
Detection ratio: 4/42
Analysis date: 2012-07-19
File name: b00af54e5907d57c913c7b3d166e6a5a.exe
Detection ratio: 30/39
Analysis date: 2012-07-27
Tech Support Phone Scams surge
August 2nd, 2012 - "... horror stories from readers who reported being harassed by unsolicited phone calls from people with Indian accents posing as Microsoft employees and pushing dodgy PC security services. These telemarketing scams are nothing new, of course, but they seem to come and go in waves, and right now it’s definitely high tide..."
(More detail at the URL above.)
Fake AT&T email installs malware
2 Aug 2012 - "Websense... detected a massive phishing campaign targeting AT&T customers... fake emails are masquerading as billing information... Each message claims that there is a bill of a few hundred US dollars. In itself, the amount of money could be big enough to raise suspicion in most of us. Also, it is easy to see when the mouse cursor hovers over the link that the target Web address is different from the one displayed in the text of the message...
(Screenshot of phish/fake email):
... the link in the bogus message sends the user to a compromised Web server that redirects the browser to a Blackhole exploit kit. As a result, malware is downloaded onto the computer that is currently not detected by most antivirus products, according to VirusTotal*..."
File name: readme.exe
Detection ratio: 10/39
Analysis date: 2012-08-03 06:21:20 UTC
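The "hover over the link" tell described in the AT&T post (and the ADP advice further down to learn what real provider email looks like) can be checked mechanically at the mail gateway. The script below is an added example, not code from Websense, ISC or the forum: it parses an RFC 822 message, pulls every anchor out of the HTML body, and flags (a) link text that names one host while the href points at another, and (b) links that leave the sender's domain. The sample message is constructed for the demonstration; the compromised host names in it are the ones quoted in the posts above, and the sender address and dollar amount are assumptions.

```python
"""Flag phishing tells in an HTML e-mail: displayed link text naming a host
that differs from the real href, and links that leave the sender's domain.
Added example; stdlib only."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a host name inside the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for the .com/.pl brands here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_message(raw):
    """Return [(href, [reasons])] for every suspicious link in the message."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html += part.get_payload(decode=True).decode(charset, "replace")
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = (urlsplit(href).hostname or "").lower()
        if not href_host:
            continue  # mailto:, anchors, relative links: nothing to compare
        reasons = []
        m = HOST_IN_TEXT.search(text)
        if m and registered_domain(m.group(1)) != registered_domain(href_host):
            reasons.append("display-host-mismatch")
        if sender_domain and registered_domain(href_host) != sender_domain:
            reasons.append("off-sender-domain")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message (assumed sender and amount; hosts from the thread).
SAMPLE_EMAIL = """\
From: "AT&T Billing Center" <billing@att.com>
To: victim@example.com
Subject: Your AT&T bill is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your online bill of $389.40 is ready.</p>
<p><a href="http://kuzeybebe.com/o3whbp0G/index.html">www.att.com/view-bill</a></p>
<p><a href="http://thewebloan.com/wp-includes/notice.html">Click here</a> to view it.</p>
<p><a href="http://www.att.com/privacy">Privacy policy</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reasons in check_message(SAMPLE_EMAIL):
        print(", ".join(reasons), "->", href)
```

The first link trips both checks, the second only the off-domain check, and the genuine privacy link is left alone. Brands that send mail through a bulk provider will trigger the off-domain rule on their real mail, which is exactly why the ADP post says to learn from your own logs what legitimate provider email looks like before turning a rule like this into a block.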
Fake PayPal emails lead to BlackHole exploit kit
August 2, 2012 - "... cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick end and corporate users into interacting with the malicious campaign. Once the interaction takes place, users are exposed to the client-side exploits served by the Black Hole exploit kit, currently the market share leader within the cybercrime ecosystem...
Screenshot of the spamvertised email:
... Upon clicking on the link, users are exposed to a bogus “Page loading…” page:
... Client-side exploits served: CVE-2010-0188; CVE-2010-1885
Detection rate for a sample redirection script: MD5: 2276947d2f3a7abc88e89089e65dce23*
Upon successful client-side exploitation, the campaign drops MD5: 05e0958ef184a27377044655d7b23cb0** on the affected hosts... cybercriminals behind these persistent and massive spam campaigns will simply continue rotating the impersonated brands in an attempt to target millions of users across multiple Web properties. PayPal has information (1) on their website to help users identify legitimate emails..."
File name: PayPal.html
Detection ratio: 3/40
Analysis date: 2012-07-24 14:10:59 UTC
File name: file
Detection ratio: 32/41
Analysis date: 2012-08-03 10:30:40 UTC
Phishing for Payroll with unpatched Java
Last Updated: 2012-08-05 - "... companies that offer outsourced payroll management services have seen their name being abused for phishing scams. One prominent example is ADP, whose website currently alerts their customers to four different samples of phishing emails that make the rounds and claim to be from ADP. The average recipient of such a phish would have no idea who or what ADP is, and would be highly unlikely to "click". But a HR/Payroll employee of a company that actually uses ADP services would certainly be alarmed to read, for example, that his/her access to ADP is about to be cut off:
... the odds are pretty high that someone who clicks on the link in the email is actually a HR/Payroll person. Combine the link with a nice fresh set of exploits that have near-zero detection in anti-virus, and you have a Get-Rich-Quick scheme for the crooks that's hard to beat...
... Those who clicked nonetheless have likely been "had" though. The shown marottamare link redirected via three other web sites, and then ended up on 184.108.40.206, a very temporary home on what looks like a rented Linux VServer. From there, the exploits were delivered, and at least one of them, Java CVE-2012-1723, is currently netting the bad guys a lot of illicit system access. Antivirus detection rate is and stays low; three days later, it is still only at -8/41- on Virustotal*. The main reason for this seems to be that the exploit packs are encoded... which means that the original attack code and payload are split up into five byte blocks, and each of these individual five bytes is encoded by XOR with a different static value... Some of the AV tools are getting better at providing generic detection for encoded CVE-2012-1723, but don't hold your breath... As for defenses:
1. PATCH your Java JRE. CVE-2012-1723** is deadly, and is widely being exploited in the wild at the moment. Even better, uninstall Java JRE completely from your computers if you can get away with it.
2. Make sure your HR and Payroll folks are treated to another round of "DON'T CLICK ON THIS LINK" training. They are your first line of defense, and - given Antivirus' ineffectiveness - usually even your ONLY line of defense.
3. If you have an outsourced payroll provider, acquaint yourself with the email logs, so that you know what REAL email coming from this provider looks like. This knowledge is priceless during an incident, and might even help you to automatically -block- some of the more egregious phishes..."
File name: Rooh.jar
Detection ratio: 8/41
Analysis date: 2012-08-05
** http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1723 - 10.0 (HIGH)
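The ISC post describes the exploit pack encoding as five-byte blocks where each of the five positions is XORed with its own static value, i.e. a repeating XOR key of period 5. That is weak enough to undo without knowing the key, which is what an analyst wants when the AV engines are at 8/41. The block below is an added example, not the ISC handler's code: it implements the scheme, then recovers the key two ways, from a few bytes of known plaintext at a known offset, and from byte frequency alone on the assumption that the most common plaintext byte is 0x00 (true of PE and Java class files, which are mostly padding). The key, the PE-like buffer and the DOS-stub offset are constructed for the demonstration; the actual Rooh.jar key is not on the page.

```python
"""Repeating 5-byte XOR as described in the ISC post, with key recovery.
Added example on a constructed buffer; the real sample's key is unknown."""
from collections import Counter

PERIOD = 5
DEMO_KEY = bytes([0x1F, 0x2E, 0x3D, 0x4C, 0x5B])  # assumed, for the demo only
DOS_STUB = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E  # where the stub string sits in the usual MS linker stub


def xor_repeating(data, key):
    """XOR byte i with key[i % len(key)]; encoding and decoding are the same."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_known(cipher, known, offset, period=PERIOD):
    """Recover a `period`-byte key from `known` plaintext at `offset`.

    Every known byte pins down key[(offset+i) % period]; needs at least
    `period` bytes, and raises if two known bytes disagree about a slot.
    """
    if len(known) < period:
        raise ValueError("need at least %d known bytes" % period)
    key = [None] * period
    for i, p in enumerate(known):
        pos = offset + i
        k = cipher[pos] ^ p
        slot = pos % period
        if key[slot] is None:
            key[slot] = k
        elif key[slot] != k:
            raise ValueError("known plaintext inconsistent at offset %#x" % pos)
    return bytes(key)


def recover_key_frequency(cipher, period=PERIOD, assume=0x00):
    """Guess the key assuming the most common plaintext byte is `assume`.

    Split the ciphertext into `period` columns; the most frequent byte in
    column s is almost always assume ^ key[s] for padding-heavy formats.
    """
    key = []
    for slot in range(period):
        column = cipher[slot::period]
        most_common, _ = Counter(column).most_common(1)[0]
        key.append(most_common ^ assume)
    return bytes(key)


def build_demo_pe():
    """Constructed stand-in for a PE payload: MZ header, DOS stub text, zeros."""
    buf = bytearray(512)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> PE header
    buf[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    plain = build_demo_pe()
    cipher = xor_repeating(plain, DEMO_KEY)
    k_known = recover_key_known(cipher, DOS_STUB, DOS_STUB_OFFSET)
    k_freq = recover_key_frequency(cipher)
    print("known-plaintext key:", k_known.hex())
    print("frequency key:      ", k_freq.hex())
    print("decoded header:     ", xor_repeating(cipher, k_known)[:2])
```

The frequency method is the one to reach for first on an unknown blob, since it needs no guess about where anything sits; the known-plaintext method is the cross-check, and a ValueError from it means either the offset guess or the period-5 assumption is wrong. For a JAR payload the same trick applies with 0x00 still dominant inside the deflated-stored class files, but the magic to verify against is CA FE BA BE rather than MZ.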
Fake LinkedIn emails serve exploits and malware
August 8, 2012 - "... cybercriminals launched the most recent spam campaign impersonating LinkedIn, in an attempt to trick LinkedIn’s users into clicking on the client-side exploits and malware serving links found in the emails...
Screenshot of the spamvertised email:
... Spamvertised URL: hxxp ://glqzc .com/linkzane.html
Client-side exploits serving URL: hxxp ://headtoheadblaster .org/main.php?page=f6857febef53e332
Client-side exploits served: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1885 - 9.3 (HIGH)
Upon successful client-side exploitation, the campaign drops MD5: 6c59e90d9c3931c900cfd2672f64aec3 *
... PWS-Zbot.gen.ajm; W32/Kryptik.BRK..."
File name: 6c59e90d9c3931c900cfd2672f64aec3
Detection ratio: 24/42
Analysis date: 2012-08-09 02:17:01 UTC
Last Updated: 2012-08-09 10:20:41 UTC
... Ref (1): http://blog.fox-it.com/2012/08/09/xdoccryptdorifel-document-encrypting-and-network-spreading-virus/
XDocCrypt/Dorifel – Document encrypting and network spreading virus
August 9, 2012 - "... apparently none of your IT security defenses has removed it, blocked it, or signaled you that there was something wrong on that system. If you were hit, you will likely start asking yourself some questions now… A properly configured IDS would have picked up the attack earlier and you would have been notified of the event. Communication to the following IP addresses might indicate malicious behavior on your system:
... Ref (2): http://www.damnthoseproblems.com/?p=599&lang=en
Latest reference 09-08-2012 Update 18:05...
... 2x IPs to block: 220.127.116.11... 18.104.22.168
Fake Groupon email malware coupon
Aug 9, 2012 - "A recent collection of malware emails borrows heavily from authentic mailings sent out by Groupon and LinkedIn. The outbreak is different from the blended attacks that have featured regularly in the last few months since it relies on attached malware as opposed to a link to drive-by malware. Using email templates modeled on Groupon and LinkedIn increases the chances that recipients will consider the attachment genuine and worth opening. The example below shows a Groupon “deal” found by a friend. Recipients are invited to open the attachment to view the gift details and also to forward it on to friends. All the links within the “offer” point to genuine Groupon sites.
The attached zip file unpacks to a file named “Coupon gift.exe”. Commtouch’s Antivirus identifies the malware as W32/Trojan3.DWY. The malware attempts to download and install files from several remote servers. Only 30% of the 41 engines on VirusTotal detected the malware within a few hours of the attack...
You’re going to love it
We are glad to inform you that one of your friends has found a great deal on Groupon.com!
And even shared it with you!
Yeah! Now Groupon.com gives an opportunity to share a discount gift with a friend!
Enjoy your discount gift in the attachement and share it with one of your friend as well.
All the details in the file attached. be in a hurry this weekend special is due in 2 days!"
Fake AT&T email billing - serves exploits and malware
August 10, 2012 - "... yet another massive spam campaign, this time impersonating AT&T’s Billing Center, in an attempt to trick end and corporate users into downloading a bogus Online Bill. Once gullible and socially engineered users click on any of the links found in the malicious emails, they’re automatically redirected to a Black Hole exploit kit landing URL, where they’re exposed to client-side exploits, which ultimately drop a piece of malicious software on the affected hosts...
Screenshot of the spamvertised email:
... Client-side exploits serving URL:
hxxp ://advancementwowcom .org/main.php?page=19152be46559e39d
Client-side exploits served: CVE-2010-1885
Upon successful client-side exploitation, the campaign drops MD5: c497b4d6dfadd4609918282cf91c6f4e* on the infected hosts... as Trojan.Generic.KD.687203; W32/Cridex-Q. Once executed, the sample phones back to hxxp :// 22.214.171.124 :8080 /mx5/B/in/. We’ve already seen the same command and control server used in several malware-serving campaigns, namely, the Craigslist spam campaign, the PayPal spam campaign, the eBay spam campaign, and the American Airlines themed spam campaign... cybercriminals will continue rotating popular brands, introduce new email templates, and newly undetected pieces of malware..."
File name: C497B4D6DFADD4609918282CF91C6F4E_100-about.exe
Detection ratio: 19/41
Analysis date: 2012-08-05
Olympic malware spread continues ...
10 Aug 2012 - "... Websense... analyzed Twitter traffic based on popular Olympics-related terms, events, and athletes starting two days before the Opening Ceremony through August 8th... Looking more closely at the data, we found that a handful of Twitter feeds from certain athletes and teams were posting shortened URLs which redirected to Objectionable or Security categories, including Malicious Web Sites and Malicious Embedded Links:
... We took a sample set of 3600 of these, unshortened them, and analyzed the category breakdown:
Fake Intuit emails ...
8/10/2012 - "People are receiving emails purportedly from Classmates.com with the title "Download your Intuit.com invoice." There is an attachment to the email. Below is the text of the email people are receiving, including the errors in the email:
"Dear Customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-040-6988 ($3.19/min).
Please download your complete order id#6269722 from the attachment.(Open with Internet Explorer)"
This is the end of the fake email... Steps to Take Now:
. Do not click on the link in the email...
. Spoofed email address. Don't reply to unsolicited email and don't open email attachments...
. Fake link. When in doubt, never click on a link in an unsolicited or suspicious email..."
Phishing emails from "Nationwide" in circulation
August 13, 2012 - "There are some emails floating around right now claiming to be from Nationwide*. The first wants customers to “validate your internet banking profile”, with the aid of the following missive:
The second tries a different approach, claiming that they have “identified an unusual conflict between the customer number and profile details associated with your account”.
The emails lead to various URLs which appear to have been compromised (including a Belarus human rights website and what appears to be an Indonesian news portal) playing host to pages asking for security information. Of the two, the human rights site appears to have been fixed but the dubious pages are still live on the Indonesian portal at time of writing.
Customers of Nationwide should treat -any- Emails asking to validate and/or confirm security information with the utmost suspicion and make a safety deposit in their spam folder."
"Nationwide Building Society is a British mutual financial institution..."
Insecure WordPress blogs... host Blackhole malware attack
August 10, 2012 - "... a major malware campaign, spread via spam email and compromised self-hosted WordPress blogs, which attempts to infect computers using the notorious Blackhole exploit kit. Be on your guard if you have received an email entitled "Verify your order", as links contained within the email could take you to a poisoned webpage, designed to install malware onto your PC.
Here's what a typical email looks like:
Subject: Verify your order
please verify your order #[random number] at [LINK]
We hope to see you again soon!
The websites that are being linked to aren't ones that have been created by the malicious hackers. They are legitimate websites that are running a self-hosted installation of the popular WordPress blogging platform. (Note, this does not include the many millions of bloggers who use the WordPress.com service - the vulnerable sites are those where people have installed their own WordPress software). Unfortunately, some people haven't properly secured their sites - which has allowed malicious hackers to plant malicious code from the Blackhole exploit kit, and means that malware is now downloading onto innocent users' computers. Sophos products detect the malware as Troj/PDFEx-GD, Troj/SWFExp-AI, Mal/ExpJS-N and Troj/Agent-XDM. More and more of the attacks that we are intercepting involve the Blackhole exploit kit - recent examples include emails posing as traffic tickets from NYC, rejected wire transfer notifications and fake Facebook photo tag notifications. Remember to not just keep your anti-virus software up-to-date, but also to ensure that any software you run on your web server is also properly secured, and kept patched and current (that includes blogging software like WordPress and any plugins* that it might use)."
"WordPress Plugin" search results ...
Found: 407 Secunia Security Advisories ...
Aug 13, 2012
IRS SPAM campaign leads to BlackHole exploit kit
August 13, 2012 - "... cybercriminals launched yet another massive spam campaign, this time impersonating the Internal Revenue Service (IRS) in an attempt to trick tax payers into clicking on a link pointing to a bogus Microsoft Word Document. Once the user clicks on it, they are redirected to a BlackHole exploit kit landing URL, where they’re exposed to the client-side exploits served by the kit...
Screenshot of the spamvertised IRS themed email:
Once the user clicks on the link pointing to a Black Hole landing URL, he’s exposed to the following bogus “Page loading…” page:
Client-side exploits served: CVE-2010-0188; CVE-2010-1885
... as you can see in the first screenshot, the cybercriminals behind the campaign didn’t bother to use the services of a “cultural diversity on demand” underground market proposition offering the ability to localize a message or a web site to the native language of the prospective victim, hence they failed to properly formulate their sentence, thereby raising suspicion in the eyes of the prospective victim..."
File name: IRS.html
Detection ratio: 2/41
Analysis date: 2012-07-26
File name: 6d7b7d2409626f2c8c166373e5ef76a5.exe
Detection ratio: 30/41
Analysis date: 2012-08-04
Another Fake Intuit email: "Your order was shipped today"
[Last updated 8/14/2012 - "Fake email: "Your order was shipped today"
People are receiving emails with the title "Your order was shipped today." There are numerous messages in the email, including an offer to talk to a QuickBooks expert, the request to add a fake Intuit email to the user's address book, and the possibility to win a $30,000 small business grant. DO NOT click on any of these links. Below is the text portion of the email people are receiving. We have not included the graphic portion of the email which includes the fake links.
Great News! Your order, SBL46150408, was shipped today (see details below) and will arrive shortly. We hope that you will find that it exceeds your expectations. If you ordered multiple products, we may ship them in separate boxes (at no extra cost to you) to ensure the fastest possible delivery. We will Also provide you with the ability to track your shipments via the directions below.
Thank you for your order and we look forward to serving you again in the near future.
This is the end of the fake email. We have not included the graphics with the fake links in the information above. Steps to Take Now: Do not click..."]
JUST DELETE THE EMAIL if you get one, or 2 or 3... The only reason the hacks keep doing this is:
PDF reader exploits-in-the-wild ...
August 21, 2012
Fake UPS Payment Document Attachment E-mail Messages - August 21, 2012
Fake Payment Notification E-mail Messages - August 21, 2012
Fake DHL Express Tracking Notification E-mail Messages - August 21, 2012
Fake Tax Refund Statement E-mail Messages - August 20, 2012
Malicious Personal Pictures Attachment E-mail Messages - August 20, 2012
Fake Criminal Complaint E-mail Messages - August 20, 2012
Fake Product Photo Attachment E-mail Message - August 20, 2012
Fake Money Transfer Notification E-mail Messages - August 20, 2012
Fake Private Photo Disclosure E-mail Messages - August 20, 2012 ...
Fake Microsoft Security Update E-mail Messages- August 17, 2012 ...
F-secure Threat Report H1 2012
August 21, 2012 - "... criminals were still as busy as ever. Our report includes the following case studies:
• ZeuS & Spyeye
• Mobile Threats
You can download the report from:
"One of the most pervasive trends we saw in the computer threat landscape in the first half of 2012 was the expanding usage of vulnerability exploitation for malware distribution. This phenomenon is directly tied to the recent improvement in exploit kits - toolkits that allow malware operators to automatically create exploit code."
Fake Flash Player App is an SMS Trojan ...
August 22, 2012 - "Adobe marked August 15, 2012—exactly a week ago—as the last day when users could download and install Flash Player on their Android devices if they didn’t have it yet. The company made this announcement so they can focus on Flash on the PC browser and mobile apps bundled with Adobe AIR. This change in focus also meant that Adobe will no longer develop and support Flash on mobile browsers. Of course, it’s possible that some Android users have missed that deadline, so they venture on to other parts of the Internet in search of alternative download sites. It’s no surprise to see that Russian scammers have, indeed, set up websites to lure users into downloading a fake Flash Player onto their Android devices... As of this writing, we’ve seen -eight- sites using Adobe’s logos and icons—all are linking to the same variant of OpFake Trojan disguised as the legit Flash Player for Android. All the Russian sites used different file names for their .APK files but they’re the same malicious variant... You may come across other websites claiming to host the latest version of Flash Player. In that case, better to steer clear from them and download only from Google Play*."
August 23, 2012
Fake BlackBerry ID emails...
22 Aug 2012 - "Websense... intercepted a malware campaign targeting Blackberry customers. These fake emails state that the recipient has successfully created a Blackberry ID. The messages then continue, "To enjoy the full benefits of your BlackBerry ID, please follow the instructions in the attached file." That, of course, is an attempt to lure victims into running the attached malware.
... The malicious email itself is a copy and paste of a legitimate email from Blackberry. And though the attachment indeed raises suspicion, there's no malicious or compromised URL in it. 17/36 AV engines identify the malware in VirusTotal*..."
File name: Hotel-Booking_Confirmation.exe
Detection ratio: 27/42
Analysis date: 2012-08-23 10:54:21 UTC
Bogus greeting cards serve exploits and malware
August 21, 2012 - "Think you’ve received an online greeting card from 123greetings.com? Think twice! Over the past couple of days, cybercriminals have spamvertised millions of emails impersonating the popular e-card service 123greetings.com in an attempt to trick end and corporate users into clicking on client-side exploits and malware serving links, courtesy of the Black Hole web malware exploitation kit...
Screenshot of the spamvertised email:
... Upon clicking on -any- of the links found in the malicious emails, users are exposed to the following bogus “Page loading…” page:
... Client-side exploits served: CVE-2010-1885
Upon successful exploitation, the campaign drops MD5: 42307705ad637c615a6ed5fbf1e755d1 *...
Upon successful execution, the sample phones back to 126.96.36.199 :8080/mx5/B/in
More MD5s are known to have phoned back to the same command and control server... 188.8.131.52 is actually a name server offering DNS resolving services to related malicious and command and control servers... The second sample phones back to 184.108.40.206 :8080/mx5/B/in/ not surprisingly, we’ve already seen this command and control server used in numerous profiled campaigns..."
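The reports above (this one, the AT&T one and the XDocCrypt "IPs to block" note) hand out indicators in a defanged form, with spaces around the dots, colons and slashes and "hxxp" for "http". As an added example (not code from the original posts or their sources), here is a small script that normalises that notation and looks for the resulting URLs and hosts in proxy logs. The indicator values and the log lines are constructed (RFC 5737 documentation addresses and .example names) and only imitate the reports' defanging style; the squid-like log layout is also an assumption.

```python
"""Normalise defanged indicators from threat reports and look for them in
proxy logs.

Added example: DEFANGED_IOCS and SAMPLE_LOG are constructed (documentation
addresses and .example names) in the 'hxxp ://host :port /path' style the
reports use; they are not the reports' own indicators.
"""
import re
from urllib.parse import urlsplit

# Constructed indicators, defanged the way the reports write them.
DEFANGED_IOCS = [
    "hxxp :// 203.0.113.5 :8080 /mx5/B/in/",   # a C2 check-in URL
    "hxxp ://c2.example .net/main.php",          # an exploit-kit landing page
    "198.51.100.23",                              # a bare IP; any contact counts
]


def refang(ioc):
    """Undo report-style defanging: 'hxxp' -> 'http', drop the spaces inserted
    around '://', '.', ':' and '/', and expand '[.]'."""
    s = ioc.strip().replace("[.]", ".")
    s = re.sub(r"^hxxp(s?)\s*:\s*//\s*", r"http\1://", s, flags=re.IGNORECASE)
    return re.sub(r"\s*([./:])\s*", r"\1", s)


def build_matcher(defanged):
    """Split indicators into exact (host, port, path) URL tuples plus a set of
    bare hosts. A URL indicator also contributes its host, because the reports
    show the same C2 host being reused across campaigns with other paths."""
    urls, hosts = set(), set()
    for ioc in defanged:
        r = refang(ioc)
        if "://" in r:
            p = urlsplit(r)          # urlsplit lower-cases the hostname
            urls.add((p.hostname, p.port, p.path))
            hosts.add(p.hostname)
        else:
            hosts.add(r.lower())
    return urls, hosts


# Constructed proxy log, squid-native-like layout (assumed):
# time elapsed client status/code size method url ident hierarchy type
SAMPLE_LOG = """\
1344500001.001 120 10.0.0.5 TCP_MISS/200 512 POST http://203.0.113.5:8080/mx5/B/in/ - DIRECT/203.0.113.5 text/html
1344500002.002 45 10.0.0.7 TCP_MISS/200 2048 GET http://www.example.com/index.html - DIRECT/192.0.2.80 text/html
1344500003.003 80 10.0.0.9 TCP_MISS/404 310 GET http://C2.Example.net/main.php?page=1 - DIRECT/203.0.113.9 text/html
1344500004.004 30 10.0.0.5 TCP_MISS/200 99 GET http://198.51.100.23/ - DIRECT/198.51.100.23 text/plain
"""


def scan(log_text, defanged=DEFANGED_IOCS):
    """Return (client_ip, matched_host, kind) for each log line whose URL hits
    an indicator; kind is 'url' for an exact (host, port, path) match and
    'host' for any other contact with a listed host."""
    urls, hosts = build_matcher(defanged)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue                       # not a request record
        client, url = fields[2], fields[6]
        p = urlsplit(url)
        host = (p.hostname or "").lower()
        if (host, p.port, p.path) in urls:
            hits.append((client, host, "url"))
        elif host in hosts:
            hits.append((client, host, "host"))
    return hits


if __name__ == "__main__":
    for client, host, kind in scan(SAMPLE_LOG):
        print(f"{client} contacted {host} ({kind} match)")
```

Matching on the exact path (here the "/mx5/B/in/" check-in path) separates a real beacon from ordinary traffic to a host that may also serve harmless content, while the host-level match still catches the same C2 being reused under a different path, which is exactly the pattern the report describes. The query string is deliberately ignored so that per-victim parameters such as "?page=..." do not defeat the match.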
File name: 42307705ad637c615a6ed5fbf1e755d1
Detection ratio: 34/42
Analysis date: 2012-08-23 01:27:36 UTC
Java 0-Day exploit-in-the-wild
Last Update: 2012-08-28
Criticality level: Extremely critical
Impact: System access
Where: From remote ...
Solution Status: Unpatched
Software: Oracle Java JRE 1.7.x / 7.x
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4681 - 6.8
... vulnerability is confirmed in version 7 update 6 build 1.7.0_06-b24. Other versions may also be affected.
Solution: No official solution is currently available...
Reported as a 0-day.
Last Updated: 2012-08-27 20:29:15 UTC - "... targets Java 1.7 update 6, there is currently no patch available, the exploit has been integrated into the metasploit framework..."
August 27, 2012
August 27, 2012 - "... currently being used in targeted attacks..."
August 27, 2012 - "... On the analyzed sample the payload is downloaded from ok.aa24 .net/meeting /hi.exe... The payload drops C:\WINDOWS\system32\mspmsnsv.dll (replacing the file if present) and starts the Portable Media Serial Number Service. The malware connects to hello.icon .pk port 80. It seems to be a Poison Ivy variant. hello.icon .pk resolves to:
220.127.116.11 – 18.104.22.168
8 to Infinity Pte Ltd ..."
File name: hi.exe
Detection ratio: 32/42
Analysis date: 2012-08-28 12:59:25 UTC
File name: hi.exe
Detection ratio: 36/42
Analysis date: 2012-08-29 10:55:45 UTC
Last revised: 28 Aug 2012 - "... Disabling the Java browser plugin may prevent a malicious webpage from exploiting this vulnerability..."
8.28.2012 - "... attackers have been using this zero-day vulnerability for at least five days, since August 22... we have confirmed that the zero-day vulnerability works on the latest version of Java (JRE 1.7), but it does -not- work on the older version JRE 1.6*..."
Java 0-day added to Blackhole Exploit Kit
28 Aug 2012 - "... exploit code for the Java vulnerability has been added to the most prevalent exploit kit out there; Blackhole... The Pre.jar file (VirusTotal link*) will use the new vulnerability to install the malware (VirusTotal link**) itself. In this particular attack it was a banking trojan as can be seen from our ThreatScope report(1)... A technical analysis of these two vulnerabilities is available at the blog Immunity Products in this post(2)."
File name: Pre.jar
Detection ratio: 17/42
Analysis date: 2012-08-29 10:43:59 UTC
File name: about.exe
Detection ratio: 18/42
Analysis date: 2012-08-29 04:32:07 UTC
29 August 2012 - "... Users who have a vulnerable version installed on their systems are advised to disable the browser plugin that provides Java support..."
August 29, 2012 - "... If you want to test whether you’ve successfully disabled Java, check out Rapid7's page, http://www.isjavaexploitable.com/ ."
Fake QuickBooks update email ...
8/28/2012 - "People are receiving emails with one of the following titles: "Important QuickBooks Update, "QuickBooks Security Update," "Urgent: QuickBooks Update," and "QuickBooks Update: Urgent." There is a link in the email. DO NOT click on the link.
Below is the text of the email people are receiving, including the errors in the email.
'You will not be able to access your Intuit QuickBooks without updated Intuit Security Tool (IST) after 31th of August, 2012.
You can update Intuit Security Tool here.
After a successful download please run the setup for an automatic installation, then login to Intuit Quickbooks online to check that it is working properly.'
This is the end of the -fake- email..."
August 29, 2012 - "... millions of emails impersonating Intuit Market, in an attempt to trick end and corporate users into clicking on the malicious links found in the emails. Upon clicking on them, users are exposed to the client-side exploits served by the Black Hole web malware exploitation kit..."
Java v7u7 / v6u35 released
August 30, 2012
Update August 30, 2012 - "... using a Java zero-day, hosted as a .jar file on websites, to infect victims... attackers have been using this zero-day for several days since August 22... resolves to 22.214.171.124. That same IP was used by the Nitro attackers back in 2011..."
Aug 30, 2012
August 30, 2012
August 30, 2012
Java 0-day exploit on 100+ sites serving malware
August 29, 2012 - "... Websense... had found more than 100 unique domains serving the Java exploit. "The number is definitely growing...and because Blackhole has an updatable framework and already has a foothold on thousands of sites, we anticipate that the number of sites compromised with this new zero-day will escalate rapidly in the coming days"... Yesterday, Michael Coates, Mozilla's director of security assurance, urged Firefox users to disable the browser's Java plug-in because Oracle has not issued fixes... Mozilla has the ability to add extensions or plug-ins to the Firefox add-on blocklist if they cause significant security or performance issues. Firefox automatically queries the blocklist and notifies users before disabling the targeted add-ons..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4681 - 10.0 (HIGH)
Last revised: 08/31/2012 - "... as exploited in the wild in August 2012..."
Aug 29, 2012
Fake UPS SPAM links to malware
August 31, 2012 - "Cybercriminals are currently mass mailing millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick users into downloading and executing the malicious file hosted on a compromised web site...
Sample screenshot of the spamvertised email:
... location of the malicious archive: buzzstar .co .uk/Label_Copy_UPS.zip
The malware has a MD5: b702590c01f76f02e2d8d98833d1c95f * ...
File name: file-4438621_exe
Detection ratio: 20/25
Analysis date: 2012-08-31 02:25:37 UTC
Fake Paypal SPAM links to malware
August 30, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick PayPal users into executing the malicious attachment found in the emails. Using ‘Notification of payment received’ subjects, the campaign is relying on the end user’s gullibility in an attempt to infect them with malware. Once executed, it grants a malicious attacker complete control over the victim’s PC...
Sample screenshot of the spamvertised email:
... The malware has a MD5: 9c2f2cabf00bde87de47405b80ef83c1 * ...
File name: smona_1f5f4cb69a892d0bc2e8d6bf17de2087517a7a336523b44536c9b7385c07d67a.bin
Detection ratio: 37/42
Analysis date: 2012-08-29 08:33:11 UTC