4chan.org Malware .gif files...
FYI...
- http://isc.sans.org/diary.html?storyid=5821
Last Updated: 2009-02-07 21:51:03 UTC - "A Storm Center subscriber has just submitted malware embedded in .gif image files, downloaded from the image site 4chan.org. For the sake of expediency, and because this person did such a good write up, here is the analysis provided:
"The *.gif files were found (on) the "random" board of the image board site 4chan. The files contain a large picture with instructions to save the file with a .jse extension and run it. The *.out files are the result of applying scrdec to the gifs to reveal the encoded script. It appears to:
1) copy itself somewhere as 'sys.jse'
2) add itself to a Run key in the registry
3) a) fetch the index to 4chan's /b forum
b) download the first image
c) save it as 'j.jse'
d) attempt to run 'j.jse'
4) construct a POST request containing the image as payload
5) upload itself as a new post on 4chan
6) point an instance of IE at site it came from
(3)-(6) are in an infinite loop."
To the subscriber who did the legwork on this one, my thanx for the excellent work... will provide more data as it develops."
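The write-up above describes a file that is both an image and a script: it opens as a GIF, and renamed to .jse it runs. A defender-side check for that kind of polyglot, added here as an illustration and not part of the ISC diary or the subscriber's analysis: it walks the GIF block structure, reports any bytes left after the 0x3B trailer, and looks for the `#@~^` marker that Microsoft's Script Encoder places at the start of encoded script (so script tucked into a GIF comment block is flagged too). The sample inputs are constructed.

```python
import struct
SCRIPT_ENCODER_MARK = b"#@~^"  # marker written by Microsoft Script Encoder (.jse/.vbe)

def _skip_subblocks(data, pos):  # GIF data sub-blocks: length byte + payload, 0x00 ends
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n
    return pos

def gif_payload_end(data):  # offset just past the trailer, or None if structure is broken
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        return None
    pos = 13
    if data[10] & 0x80:                      # global colour table follows the screen descriptor
        pos += 3 * (2 << (data[10] & 0x07))
    while pos < len(data):
        b = data[pos]
        if b == 0x3B:                        # trailer: the image proper ends here
            return pos + 1
        if b == 0x21:                        # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 2)
        elif b == 0x2C:                      # image descriptor (10 bytes) + optional local table
            if pos + 10 > len(data):
                return None
            lpacked = data[pos + 9]
            pos += 10
            if lpacked & 0x80:
                pos += 3 * (2 << (lpacked & 0x07))
            pos = _skip_subblocks(data, pos + 1)   # +1 skips the LZW minimum code size
        else:
            return None                      # unknown block type: not a clean GIF
    return None

def inspect_gif(data):  # report trailing data after the image and the script marker
    end = gif_payload_end(data)
    trailing = len(data) - end if end is not None else None
    marker = SCRIPT_ENCODER_MARK in data
    return {"valid_gif": end is not None, "trailing_bytes": trailing,
            "script_marker": marker, "suspicious": bool(trailing) or marker}

# Constructed samples: a minimal 1x1 GIF, then the same image with a fake encoded-script stub appended.
CLEAN_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
             + b"\x00\x00\x00\xff\xff\xff"                    # two-entry global colour table
             + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
             + b"\x02\x02\x44\x01\x00" + b"\x3b")             # LZW data, then trailer
POLYGLOT = CLEAN_GIF + b"#@~^AAAAAA==not-real-encoded-script==^#~@"
```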
Waledac new variant - Valentine's Day Theme
FYI...
- http://securitylabs.websense.com/con...erts/3299.aspx
02.09.2009 - "... new spammed variant continues to use the Valentine's theme. Once a user opens the URL in the spammed message, he is redirected to a site with 2 puppies and a love heart to give a Valentine's theme. The user is then enticed to download a Valentine's kit to prepare a present for a loved one, which is a new Waledac variant. This variant has a very low AV detection rate..."
- http://www.trustedsource.org/blog/18...m-on-the-Loose
(Screenshot of spammed email available at both URLs above.)
Waledac Domain (Block) List - Updated 02-10-2009 - 4:21 UTC
- http://www.shadowserver.org/wiki/upl...ac_domains.txt
- https://forums.symantec.com/t5/blogs...article-id/239
02-09-2009 - "Up until recently, Waledac’s main purpose had been to peddle performance-enhancing pharmaceuticals by sending large runs of unsolicited mail to thousands of unwilling recipients. Today we noticed a shift in this trend. In addition to sending large volumes of spam, Waledac is now distributing misleading applications. In our testing we noticed that the misleading application that is installed this time around is MS AntiSpyware 2009..."
Skype Valentine SPAM lure
FYI...
- http://securitylabs.websense.com/con...erts/3305.aspx
02.12.2009 - "Websense... has spotted an emerging malicious spam lure, masquerading as a message from Skype. The spammed message uses Skype's logos and themes, posing as a Valentine promotion. With two days to go before Valentine's day, the fake promotion entices the user into sending a free Valentine video message to a loved one. The proposed video link in the message leads to a malicious compressed archive file named valentine.exe... Earlier today we noticed that the same group were sending out spoofed-Hallmark e-greetings and now they have recently switched to this spoofed-Skype video card campaign..."
(Screenshots of a spammed email available at the URL above.)
WALEDAC Valentine SPAM variants on the rise...
FYI...
- http://blog.trendmicro.com/waledac-s...-malware-love/
Feb. 13, 2009 - "... A recently reported case of malware-related SPAM contains a short Valentine’s message — and with an embedded URL that leads to malicious content... The malicious file is actually a WALEDAC variant detected... WALEDAC variants* have been previously served through e-card spam..."
(Screenshots available at the URL above.)
Search Results for 'WALEDAC' - MALWARE and GRAYWARE List
* http://preview.tinyurl.com/akubv6
...42 records match your query
Waledac Tracker Summary Data
- http://www.sudosecure.net/waledac/index.php
2009-02-14
eBay auction tool website infects with Malware
FYI...
eBay Auction Tool Web Site Infected With Malware
- http://preview.tinyurl.com/d6a9xm
Feb. 23, 2009 PC World - "A Trojan horse lurking on servers belonging to Auctiva.com, a Web site offering eBay auction tools, infected people's PCs last week. The problem became very public when Google's malware warning system kicked in as people tried to browse the site, saying Auctiva was infected with malware. Google will display an interstitial page warning people of certain Web sites known to contain malware. "It appears the reason these virus alert warnings started showing up on our site is because some of our machines were injected with malware originating in China," according to a post on Auctiva's community forum... It appears that the malware targeted Microsoft's Internet Explorer browser... "Found eight Trojans on my system that seemed to have snuck through my on-access protection, or maybe because, like a fool, I clicked 'ignore the warning' to get to Auctiva's front page," wrote one user on Auctiva's forum. If Google displays a warning about a dangerous Web site, it still gives people the option of browsing to the site. Auctiva said it was working with Google to ensure the warning is not displayed now that it has cleaned up its servers. However, people who browsed Auctiva between Thursday and Saturday afternoon until 2 p.m. Pacific time should ensure their machines are not infected..."
New Koobface worm variant spreading on Facebook
FYI...
- http://blog.trendmicro.com/new-varia...g-on-facebook/
March 1, 2009 - "I just received a Facebook message from a friend; it was a pretty standard one that is beginning to look familiar to a lot of us, I am sure. What surprised me, though, was the page that the link led to. On the face of it, it is a very familiar-looking spoofed version of YouTube, complete with bogus comments from “viewers”... Take a second look, though: the link had taken me to a site supposedly hosting a video posted by the same person that I had received the Facebook message from. In fact, not only was the malicious landing page displaying his name, it had also pulled the photo from his Facebook profile.... Clicking the Install button redirects to a download site for the file setup.exe, which is the new Koobface variant detected as WORM_KOOBFACE.AZ. It is hosted on an IP address in another part of the world, and in the last hour we’ve seen 300+ different unique IP addresses hosting setup.exe, and we’re expecting more. All seen IP addresses hosting the said malicious file are now detected as HTML_KOOBFACE.BA. Analysis by our engineers reveals that WORM_KOOBFACE.AZ propagates through other social networking sites as well..."
(Screenshots available at the URL above.)
- http://www.us-cert.gov/current/index...ial_networking
March 4, 2009 - "...malicious code spreading via popular social networking sites including myspace.com, facebook.com, hi5.com, friendster.com, myyearbook.com, bebo.com, and livejournal.com. The reports indicate that the malware, named Koobface, is spreading through invitations from a user's contact that include a link to view a video. If the users click on the link in this invitation, they are prompted to update Adobe Flash Player. This update is not a legitimate Adobe Flash Player update, it is malicious code..."
YouTube criminal online trade
FYI...
- http://www.f-secure.com/weblog/archives/00001619.html
March 4, 2009 - "Online criminals regularly post their ads on YouTube, looking for buyers for their products. Some recent examples... (Screenshots at the URL above.) No big surprises there. A bit more surprisingly, when you want to report such videos to YouTube admins, they actually don't have an option for reporting criminal use..."
- http://www.internetnews.com/security/print.php/3808326
March 3, 2009 - "... In both the Digg and YouTube attacks, links claim to take visitors to a video. Instead, they redirect them to one of several sites that then download malware like the Adware/Videoplay worm. The worm steals cookies, passwords, user profiles and e-mail account information and sends these to a remote site over the Internet. It can also make copies of itself in removable media to spread further. The links can also direct users to download fake antivirus software..."
- http://pandalabs.pandasecurity.com/a...-websites.aspx