-
SPAM frauds, fakes, and other MALWARE deliveries - archive
FYI...
- http://preview.tinyurl.com/3xqd9o
January 31, 2008 (Infoworld) - "...The Anti-Phishing Working Group (APWG) said in a new report* Thursday that it saw a sharp rise in November in malware that directs users to DNS servers controlled by phishers. DNS servers play a crucial role in locating Web sites. The servers translate a domain name into an IP address, enabling a Web site to be located and accessed through a browser. Often, the phishers will set up their own DNS server that works fine most of the time but can redirect to their own malicious site. Tainting a person's DNS settings is particularly dangerous since the user probably won't notice the redirection, the APWG said. "The fraudulent server replies with 'good' answers for most domains; however, when they want to direct you to a fraudulent one, they simply modify their name server responses," the report said. Phishers are also employing malware that modifies an internal PC file called the hosts, which is used to match domain names of Web sites with IP addresses. When a person visits a Web site, the browser checks the hosts to see if it has an IP address for a particular domain name. If the hosts file is corrupted or hijacked, the browser can be directed to fetch a different Web page than the one the user intended to go to. Both attacks -- also known as pharming -- are dangerous, since a user may be typing in the correct URL but be directed to the phishing site..."
* PDF file: http://www.antiphishing.org/reports/...t_nov_2007.pdf
Also see:
> http://forums.spybot.info/showpost.p...15&postcount=8
:fear::spider:
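A small defender-side check for the second technique quoted above (hosts-file hijacking). This is an added example, not code from the APWG report or the article: it parses hosts-file text and flags any entry that maps a hostname on an assumed "protected" list (bank, vendor update hosts) to a non-local address. The hosts content and the domain names are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file, NOT taken from the page. The two 203.0.113.45
# lines mimic the pharming technique described in the post: a bank and an
# update host mapped to an attacker-controlled public address.
SAMPLE_HOSTS = """\
# Hosts file (constructed example)
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.examplebank.com
203.0.113.45    update.example-av.com
0.0.0.0         ads.example.net   # common ad-blocking entry, benign
"""

# Hostnames a client hosts file should never override (assumed list; a real
# deployment would build this from the organisation's own critical domains).
PROTECTED_SUFFIXES = ("examplebank.com", "example-av.com", "microsoft.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments
    and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address; ignore the line
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_protected(hostname):
    """True when hostname equals or is a subdomain of a protected suffix."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in PROTECTED_SUFFIXES)


def find_hijacks(text):
    """Return [(hostname, ip)] for protected names pointed at a non-local
    address. Loopback and 0.0.0.0 entries are normal and are not reported."""
    findings = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        local = addr.is_loopback or addr.is_unspecified
        if is_protected(name) and not local:
            findings.append((name, ip))
    return findings


if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

On Windows the real file is `%SystemRoot%\System32\drivers\etc\hosts`; on Unix-like systems `/etc/hosts`. Read it and pass the text to `find_hijacks`; an empty result means no protected name is being redirected by the hosts file (DNS-level pharming via a rogue resolver is a separate check).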
-
Malicious SPAM...
FYI...
Speed up your PC! for FREE!
- http://www.sophos.com/security/blog/2008/03/1072.html
27 March 2008 - "What’s the easiest (and cheapest) way to get a faster computer?... numerous tools and applications insist on clogging up their system drive with poorly written uninstallers, gigabytes of temporary files and those annoying startup agents that load with Windows and sit resident in memory just in case they’re needed. It’s common then, for these users to turn to third party tools to clean up their computers. For the most part, these tools work pretty well. However, these programs are not always what they seem... To the unsuspecting computer users, this software looks like the perfect thing to clean up their computer. It appears simple, easy to use, small and free. Just the sort of things we’re looking for right? Wrong! This tool will “optimise” your computer by deleting a lot of critical system files. The end result is that your computer is rendered unbootable and you’re left hoping that you have made a full system backup recently... this malicious program is detected by Sophos as Troj/Sysdel-B..."
Fake shooting scam used in Trojan attack
- http://www.sophos.com/security/blog/2008/03/1238.html
29 March 2008 - "... SophosLabs noticed a new scam designed to fool users into viewing a web site where they would be hit with a malicious script that installs a spy Trojan. We saw several spam messages alerting users to the supposed shooting of the e-Gold founder... A variety of domains have been used in the scam. Browsing to each of the domains redirects to a malicious page on another server... The script attempts to exploit several client-side vulnerabilities in order to download and install a Trojan... Specific detection for the Trojan and the files it installs has been added as Troj/Agent-GUJ. This is yet another example of the attackers using a blend of spam and malicious web sites to infect victims..."
Swim in $$$ = Swim with Sharks!
- http://www.sophos.com/security/blog/2008/03/1237.html
28 March 2008 - “Im ************, i swim in money $$$
I want you to swim with me!!! send this file to all friends and join me!!”
If you are swimming with Troj/Nymod-A and looking at what appears to be the random picture of some person, you are definitely swimming with the sharks. Troj/Nymod-A drops a file called ^^^^^.exe (proactively detected by Sophos as Mal/Basine-C) and sets it to autostart every time you reboot your computer. File ^^^^^.exe has process monitoring which just respawns itself if you kill the handle running ^^^^^.exe. Finally it tunnels through your firewall and contacts a remote server whose domain ends in “.ru”! This has opened your computer to the $$$ sharks who might steal information from you, or steal your computer’s resources = $$$ for them."
(Screenshots available at each URL above.)
:fear::spider:
-
SPAM, SPAM, and more SPAM... w/malware
FYI...
More fake "Hallmark ecards"...
- http://blog.trendmicro.com/greeting-...read-no-cheer/
June 9, 2008 - "Thinking that someone just remembered you and sent you a Hallmark greeting card? Think again, before you open the email attachment. Today, we received a spam allegedly from Hallmark. Once you run the file named postcard.exe, it will automatically open Notepad with some garbage characters to distract users while the malware is being installed... Trend Micro detects this malware as TROJ_INJECTOR.DD... The malware drops copies of itself and creates registry entries to ensure its automatic execution at every system startup. This is not the first time malware authors tried to trick users by exploiting their curiosity and desire to receive good tidings via greeting cards: Storm started out much the same way, including the use of eCards, and well into 2007."
---------------------------------
Phishers drop MySpace bait
- http://blog.trendmicro.com/phishers-drop-myspace-bait/
June 9, 2008 - "...new phishing attack that leads to the download of malware. However, unlike most instances where phishing baits are usually banks, credit unions or other financial institutions, this time it uses the popular social networking Web site MySpace.com. The phishing URL may be contained in spammed email messages. Once recipients of said messages click or visit the URL, it displays a spoofed MySpace login page. It also uses a popup window declaring a supposed MySpace profile object error and requires that the user download the new version of a new MySpace profile object. Therein lies the trick: When the user clicks the “continue” button, malicious files are not only downloaded but also automatically installed. The said malicious files are detected as TROJ_ZLOB.GUZ and BKDR_IRCBOT.BGY... And if the user tries to exit the page, it will not close until the said file is downloaded. To exit, a user needs to terminate the program using Task Manager... phishing URL hxxp ://{BLOCKED}ce404-error.farvista.net/myspace.php ..."
(Screenshot available at the TrendMicro URL above.)
:fear::fear:
-
Malicious spam - news on Osama...
FYI...
- http://securitylabs.websense.com/con...erts/3130.aspx
07.04.2008 - "Websense® Security Labs™ ThreatSeeker™ Network has discovered a substantial number of spam messages utilizing a social engineering tactic that lures users to download malicious software... The recent media coverage discussing Osama Bin Laden seems to have prompted spammers to quickly recycle an old spam campaign... We have seen the same malicious executable used throughout different spam campaigns bearing the following email subject lines:
Jennifer Aniston Interesting mp3!!!
Clara Morgane Shocking photo!!!
Kylie Minogue Interesting video without cowards!!!
Demi Moore New sexy songs!!!
Avril Lavigne Shocking porno dvd!!!
Nicole Richie Kick-up cd!!!
Beyonce Shocking sexy songs!!!
Keira Knightley Gallery photo!!!
Britney Spears Interesting cd!!! ..."
(Screenshots available at the URL above.)
:fear::spider::sad:
-
Airlines - infected ticket invoices...
FYI...
Attachment contains same Trojan horse that stole 1.6M records from Monster.com last year
- http://preview.tinyurl.com/66ayhz
July 28, 2008 (Computerworld) - "Several airlines, including Delta Air Lines Inc. and Northwest Airlines Corp., have warned customers that bogus e-mails posing as ticket invoices contain malware and urged them to immediately delete the messages. A researcher at McAfee Inc. confirmed the campaign in a post to the company's blog*. The e-mails, which purport to be from an airline, thank the recipient for using a new "Buy flight ticket Online" service on the airline's site, provide a log-in username and password, and say the person's credit card has been charged an amount usually in the $400 range. An attachment claims to be the invoice for the ticket and credit card charge..."
* http://www.avertlabs.com/research/bl...-takes-flight/
:fear:
-
Airlines - infected ticket invoices... SPAM
More of same...
- http://www.f-secure.com/weblog/archives/00001477.html
July 30, 2008 - "... Today when we saw a large spam run sending out fake JetBlue etickets... The mail contains a ZIP file that contains the file eTicket#1721.exe which we detect as Trojan-Spy:W32/Zbot.QO. The malware itself tries to steal usernames and passwords to online banks..."
(Screenshot available at the F-secure URL above.)
- http://www.us-cert.gov/current/#airl...t_email_attack
July 31, 2008
:fear:
-
News update emails - CNN.com Daily Top 10
FYI...
- http://isc.sans.org/diary.html?storyid=4828
Last Updated: 2008-08-05 00:45:33 UTC - "If you missed last week's chance to get your "airplane ticket", you currently have a second opportunity. Emails are making the rounds that claim to come from CNN, and carry a subject of "CNN.com Daily Top 10". Well, they are neither. But the emails contain click-friendly headlines with enticing subjects like "Will all Americans be obese by 2030?" Now who wouldn't want to read THAT?!
Clicking takes you to the netherworld, of course. You currently receive a file called "get_flash_update.exe" (yeah, sure!). Detection for the sample is coming on line, see http://www.virustotal.com/analisis/2...f236533b03c945
[Result: 10/35 (28.57%)]
The domain "idoo .com" seems to be up to no good. Other involved domains are too numerous to list, but about 50 of them currently resolve to 200.46.83.233. That's in Panama."
:fear:
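The diary entry above notes that about 50 of the campaign's domains resolved to a single address. An added example (not from the ISC diary) of the check a defender would run over passive-DNS or resolver-log data: group resolutions by IP and report addresses hosting many distinct registrable domains. The records below are constructed; the domain names and addresses are not from the page.

```python
from collections import defaultdict

# Constructed (domain, resolved IP) records, NOT from the page. The five names
# on 198.51.100.7 mimic the pattern in the diary: many throwaway spam domains
# parked on one host.
SAMPLE_RECORDS = [
    ("news-update-cnn.example", "198.51.100.7"),
    ("daily-top10.example", "198.51.100.7"),
    ("flash-update-now.example", "198.51.100.7"),
    ("breaking-story.example", "198.51.100.7"),
    ("get-your-ticket.example", "198.51.100.7"),
    ("www.example.org", "192.0.2.10"),
    ("mail.example.org", "192.0.2.10"),
    ("shop.example.net", "192.0.2.44"),
]


def registrable_domain(fqdn):
    """Crude registrable domain = last two labels. Adequate for this sample;
    a real deployment should consult the Public Suffix List (assumed here)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def cluster_by_ip(records):
    """Map each IP to the set of registrable domains that resolve to it, so
    www/mail hosts of one organisation count once."""
    clusters = defaultdict(set)
    for fqdn, ip in records:
        clusters[ip].add(registrable_domain(fqdn))
    return clusters


def suspicious_ips(records, min_domains=3):
    """Return {ip: sorted domains} for addresses hosting at least
    min_domains distinct registrable domains."""
    return {ip: sorted(doms)
            for ip, doms in cluster_by_ip(records).items()
            if len(doms) >= min_domains}


if __name__ == "__main__":
    for ip, doms in suspicious_ips(SAMPLE_RECORDS).items():
        print(f"{ip}: {len(doms)} domains -> {', '.join(doms)}")
```

The threshold is deliberately low for the sample; shared hosting and CDNs legitimately put hundreds of domains on one address, so in practice the count is one signal to combine with domain age, registrar and naming pattern rather than a verdict on its own.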
-
Phishers play the Olympics
FYI...
Phishers play the Olympics
- http://blog.trendmicro.com/phishers-play-the-olympics/
08.04.2008 - "Olympic tickets anyone? They are available in the Internet of course, but users beware: the bad guys are still working hard to steal from online users as the 2008 Beijing Olympic approaches... fake Beijing Olympics Web site supposedly selling tickets. The Los Angeles Times reports* that Olympics officials have already asked federal courts to shut down certain Web sites that pose as sellers of tickets but actually are stealing credit card numbers and other confidential information..."
* http://www.latimes.com/technology/la...,7568966.story
- http://securitylabs.websense.com/con...erts/3152.aspx
08.05.2008 - "Websense... has discovered a rogue Beijing Olympics ticket lottery Web site. The Web site uses the hostname beij***2008.cn, a clear typo-squat to the official Olympic Games Web site at http://www.beijing2008.cn/. Benefiting from the hype around the purchasing of tickets for the Games, the social engineering tactic behind this scam is to lure users into dialling a toll number to retrieve an access code for an available ticket. The toll number is likely an additional revenue generator for the scammers as callers would then be charged a premium rate for making that phone call. Users who input the supplied access code are forwarded to a further Web page designed to collect personal information. They then have the incentive to enter credit card details, to pay a relatively small sum of RMB600 for the ticket (approximately 87 USD). This phishing Web site goes a step further than most phishing sites by employing a phone-call "verification" step. This higher level of interactivity and supposed verification garners more trust from unsuspecting users..."
(Screenshots available at the TrendMicro and Websense URLs above.)
:fear::mad::sad:
-
FAKE Adobe Flash Player
FYI...
FAKE Adobe Flash Player
- http://www.us-cert.gov/current/#malw...e_flash_player
August 5, 2008 - "Adobe has issued a Security Bulletin* warning of malware spreading via a fraudulent Flash Player installer. Adobe warns that a worm is making fraudulent posts on social networking sites. These posts include links that lead to fake sites that prompt users to update their versions of Flash Player. If users attempt to use the installer to make the update, malware may be downloaded and installed onto their systems..."
* http://blogs.adobe.com/psirt/2008/08...nstallers.html
"...do -not- download Flash Player from a site other than adobe.com... If the download is from an unfamiliar URL or an IP address, you should be suspicious..."
:fear::mad:
-
FAKE Adobe Flash Player - more...
More...
Compromised Web Servers Serving Fake Flash Players
- http://ddanchev.blogspot.com/2008/08...ving-fake.html
August 05, 2008 - "...This campaign serving fake flash players is getting so prevalent these days due to the multiple spamming approaches used, that it's hard not to notice it - and expose it... As far as the owners are concerned, it appears that some of them are already seeing the malware page popping-up on the top of their daily traffic stats, and have taken measures to remove it... The structure of the malware campaign is pretty static, with several exceptions where they also take advantage of client-side vulnerabilities (Real player exploit) attempting to automatically deliver the fake flash update or player depending on the campaign. On each and every site, there are dnd.js and master.js scripts which serve the rogue download window, and another .html file, where an IFRAME attempts to access the traffic management command and control, in a random URL it was 207.10.234.217/cgi-bin/index.cgi?user200. A sample list of participating URLs, most of which are still active and running... (the list is way too long to post here - see ddanchev.blogspot URL above.)...
Sample detection rate : flashupdate.exe
Scanners Result: 35/36 (97.23%)
Trojan-Downloader.Win32.Exchanger.hk; Troj/Cbeplay-A
File size: 78848 bytes
MD5...: c81b29a3662b6083e3590939b6793bb8
SHA1..: d513275c276840cb528ce11dd228eae46a74b4b4
The downloader then "phones back home" at 72.9.98.234 port 443 which is responding to the rogue security software AntiSpy Spider...
Sample detection rate : antispyspider.msi
Scanners Result: 11/35 (31.43%)
FraudTool.Win32.AntiSpySpider.b;
File size: 1851904 bytes
MD5...: 2f1389e445f65e8a9c1a648b42a23827
SHA1..: e32aa6aa791e98fe6fdef451bd3b8a45bad0acd8
The bottom line - over a thousand domains are participating, with many other apparently joining the party proportionally with the web site owner's actions to get rid of the malware campaign hosted on their servers."
---
* http://www.adobe.com/go/getflashplayer
Current Adobe Flash Player version 9.0.124.0
:fear::fear:
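Two of the posts above carry the defensive advice directly: Adobe's bulletin says to download Flash only from adobe.com and to be suspicious of an unfamiliar URL or a bare IP address, and the blog post publishes MD5/SHA1 hashes for the fake installer and the rogue AntiSpy Spider package. An added example (not from Adobe, US-CERT or the blog) that turns both into a check: classify the download host against an assumed allowlist and compare the file's hashes with a known-bad list seeded from the hashes quoted on the page. The URLs and file contents in the test are constructed.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit

# Hashes quoted in the post above for flashupdate.exe and antispyspider.msi.
KNOWN_BAD_MD5 = {
    "c81b29a3662b6083e3590939b6793bb8": "Troj/Cbeplay-A (flashupdate.exe)",
    "2f1389e445f65e8a9c1a648b42a23827": "FraudTool.Win32.AntiSpySpider.b (antispyspider.msi)",
}
KNOWN_BAD_SHA1 = {
    "d513275c276840cb528ce11dd228eae46a74b4b4": "Troj/Cbeplay-A (flashupdate.exe)",
    "e32aa6aa791e98fe6fdef451bd3b8a45bad0acd8": "FraudTool.Win32.AntiSpySpider.b (antispyspider.msi)",
}

# Assumed allowlist of hosts a Flash installer may legitimately come from.
TRUSTED_DOWNLOAD_HOSTS = ("adobe.com",)


def host_is_trusted(url):
    """True only for an allowlisted domain or its subdomains. A bare IP
    address as the host is never trusted, per the Adobe advice."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return any(host == t or host.endswith("." + t)
               for t in TRUSTED_DOWNLOAD_HOSTS)


def file_hashes(data):
    """(md5, sha1) hex digests of the file bytes, matching the formats the
    blog post publishes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def assess_download(url, data, bad_md5=None, bad_sha1=None):
    """Return a list of reasons to reject the download; empty means no
    finding (which is not proof the file is clean)."""
    bad_md5 = KNOWN_BAD_MD5 if bad_md5 is None else bad_md5
    bad_sha1 = KNOWN_BAD_SHA1 if bad_sha1 is None else bad_sha1
    md5, sha1 = file_hashes(data)
    reasons = []
    if not host_is_trusted(url):
        reasons.append("untrusted download host")
    if md5 in bad_md5:
        reasons.append("known bad: " + bad_md5[md5])
    elif sha1 in bad_sha1:
        reasons.append("known bad: " + bad_sha1[sha1])
    return reasons


if __name__ == "__main__":
    # Constructed inputs: a bare-IP URL and a few bytes standing in for a file.
    print(assess_download("http://198.51.100.20/flashupdate.exe", b"not a real installer"))
    print(assess_download("https://get.adobe.com/flashplayer/", b"not a real installer"))
```

The allowlist test is deliberately suffix-based so that `adobe.com.evil.example` does not pass; hash matching catches only samples already published, so an empty result should still be read as "no known indicator" rather than as a clean verdict.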
-
Bogus CNN custom alerts...
FYI...
Bogus CNN Custom Alerts
- http://securitylabs.websense.com/con...erts/3154.aspx
08.08.2008 - " Websense... has discovered replica CNN Custom Email Alerts being sent out via spam emails. These emails contain links to a legitimate news page, but have been designed to encourage users to download a malicious application posing as a video codec. Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN-themed templates - most recently email alerts listing the Daily Top 10 Stories and Videos, which also encouraged users to download a video codec (again a malicious file)... The malicious payload is only accessed when the user clicks on the ‘FULL STORY’ link - the first link behind the story title leads to a legitimate news page hosted on CNN. The news story is a recent article centered around the Beijing Olympics. The ‘FULL STORY’ link takes users to a Web page by the name of cnn****.html. This issues a pop-up encouraging users to download a ‘missing’ video codec, a file called adobe_flash.exe... Our Security Labs have also seen evidence of this campaign and recent others being distributed via blog spam to further increase the chance of success..."
(Screenshots available at the URL above.)
:fear::mad::fear:
-
Yahoo! Messenger fraud...
FYI...
IM: Instant Malware... Yahoo! Messenger fraud
- http://blog.trendmicro.com/instant-malware/
08.10.2008 - "Instant messaging (IM) applications are popular infection vectors — malware authors are known to use instant messaging platforms to spread malware by sending either malicious files or URLs. Trend Micro researchers have recently witnessed spammed email messages that use the popular IM application Yahoo! Messenger in propagating malware, but in a very different way than previously mentioned... Clicking the Download now link downloads the file msgr8.5us.exe into the affected system. When executed, it drops the following files:
* mirc.ini - detected by Trend Micro as Mal_Zap
* csrss.exe - detected by Trend Micro as BKDR_ZAPCHAST.AX
* sup.exe - detected by Trend Micro as BKDR_MIRCHACK.CE
For targeted victims which do, in fact, use Yahoo! Messenger, the promised update may prove hard to resist. The same email message even instructs users to pass the news to friends by sending them the source - not very friendly if the supposed update would lead one’s contacts to malware... Downloading from the software vendors themselves still is the safest way to go."
(Screenshot available at the URL above.)
:fear:
-
Bogus CNN/MSNBC news...
FYI...
Bogus CNN/MSNBC news...
- http://securitylabs.websense.com/con...erts/3159.aspx
08.13.2008 - "Websense... has discovered a new replica wave of 'msnbc.com - BREAKING NEWS' alerts that are being sent out via spam emails. Similar to previous attacks related to 'Bogus CNN Custom Alerts', these emails contain links to a legitimate news page, but are designed to encourage users to download a malicious application posing as a video codec... Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN-themed templates - most recently email alerts listing the different popular events and news articles, which also encouraged users to download a video codec, which was actually a malicious file. (The malicious payload is only accessed when the user clicks on the ‘breakingnews.msnbc.com’ link, which takes users to a Web page named up.html. This page issues a pop-up encouraging users to download a ‘missing’ video codec, a file called adobe_flash.exe.)
Here are a few examples of the varied subjects we have seen in this campaign:
msnbc.com - BREAKING NEWS: Michael Phelps wins 10th career gold, making him the winningest Olympian in history
msnbc.com - BREAKING NEWS: China beats out U.S. for gold in women's team gymnastics
msnbc.com - BREAKING NEWS: Dark Knight establishes dominance with 400 million mark
msnbc.com - BREAKING NEWS: How to save money on gas
msnbc.com - BREAKING NEWS: Preliminary polls for the election
msnbc.com - BREAKING NEWS: McDonald's found to breach FDA regulations, suspended from trading
msnbc.com - BREAKING NEWS: Jury duties for you
msnbc.com - BREAKING NEWS: Find out how to get top returns for your money at minimum risk
msnbc.com - BREAKING NEWS: Abortion outlawed in California
msnbc.com - BREAKING NEWS: Buy gold at lowest prices and make immediate profits
msnbc.com - BREAKING NEWS: Anthrax case solved
msnbc.com - BREAKING NEWS: Arsenal buys Ronaldo from Man Utd
msnbc.com - BREAKING NEWS: Too much freedom will destroy America
msnbc.com - BREAKING NEWS: Copycat murderer beheads woman on Greyhound bus
msnbc.com - BREAKING NEWS: NASDAQ index gains 720 points overnight upon war announcement
msnbc.com - BREAKING NEWS: Sony announces replacement to successful PSP gaming system
msnbc.com - BREAKING NEWS: Americans loves to sue people
msnbc.com - BREAKING NEWS: Please give your opinions for change
msnbc.com - BREAKING NEWS: Sandwich recall amid Salmonella outbreak ..."
(Screenshots available at the Websense URL above.)
- http://www.f-secure.com/weblog/archives/00001485.html
August 13, 2008 - "...Apparently people stopped clicking on -fake- CNN links as today the attackers switched the mails to look like they are now coming from MSNBC..."
CNN and MSNBC Olympic spoof emails - 5 million spam messages per hour
- http://securitylabs.websense.com/con...logs/3160.aspx
08.14.2008
:fear::mad:
-
Trojan CME-711 - new -drive-by- wave on the web...
FYI...
- http://preview.tinyurl.com/5wqxqt
08-14-2008 (Symantec Security Response Blog) - "...With infections dating back to January 2007 and a P2P structure largely unchanged in about a year, Peacomm continues to evolve and infect new hosts. In early August our honeypots began capturing a new version of Peacomm. This iteration has been relatively low key as it propagates via users visiting infected Web sites, rather than by spam. Although Peacomm has been distributed via infected Web sites in the past, they were usually Web sites that were spammed to users as opposed to relying on drive-by downloading to gather its new recruits. The attack toolkit used to install Peacomm in these drive-by attacks has changed as well. The infection begins with a user visiting an infectious Web site, which silently -redirects- the user to hostile content on a set of registered domains via an IFRAME. At this point, Kallisto TDS will serve a set of exploits against the victim. These include Acrobat PDF CollectEmailInfo*, ANI Header Size**, and MDAC***..."
* http://www.securityfocus.com/bid/27641/solution
** http://www.securityfocus.com/bid/23194/info - MS07-017
*** http://www.securityfocus.com/bid/17462 - MS06-014
> AKA CME-711 - http://cme.mitre.org/data/list.html#711
:fear::fear:
-
More "Breaking News..." SPAM and MALWARE...
FYI...
- http://isc.sans.org/diary.html?storyid=4913
Last Updated: 2008-08-17 21:43:58 UTC - "The spoofed CNN and MSNBC messages from last week have altered a bit, taking on a more generic approach. The subject of the message is still: BREAKING NEWS. Michael has been tracking these botnets for a while, his work is available here: http://www.vivtek.com/projects/despammed/stormspam.html .
Like the others, this first stage is a downloader, still reaching out to 66.199.240.138* to get the rest of the goodies. Unlike the previous waves, the first executable is named install.exe instead of adobe_flash.exe..."
* http://centralops.net/co/DomainDossier.aspx
canonical name: 66-199-240-138.reverse.ezzi.net.
Registrant: EZZI.net
A Service of AccessIT
75 Broad Street
Suite 1902
New York, NY 10004 US
Domain Name: EZZI.NET
:fear::fear:
-
Fake FedEx emails
FYI...
Fake FedEx emails
- http://securitylabs.websense.com/con...erts/3161.aspx
08.18.2008 - "...The notifications claim to be from FedEx and explain that a package sent by the recipient in the past month was not delivered. The message has an attachment claimed to be a copy of the invoice. The attachment is in a zip file but is actually a Trojan Downloader. This spam wave is a continuation of an ongoing theme used in recent months of using a parcel service invoice as the social engineering attack vector..."
(Screenshot available at the URL above.)
:fear::mad:
-
Facebook - Viral SPAM...
FYI...
Facebook - Viral SPAM
- http://securitylabs.websense.com/con...logs/3162.aspx
08.18.2008 - "... We've had to create numerous tools and methods to detect these types of attacks because most Web 2.0 social networking sites are difficult to track due to limited public access to most accounts. Most social networking accounts can only be viewed if the account holder explicitly accepts or requests another account to be added as a "friend". A generic Web crawler and even a search engine Web crawler would not be able to mine the pages on a social networking site due to lack of permission... attacks on Facebook and MySpace are nothing new. There have been continual, targeted Facebook attacks for some time now... A very enticing email was sent to one of our test accounts, letting us know that something had been written about us, and that we'd probably want to read more about it. An average user would probably want to know what was written about them, especially because it's on a public blog such as blogspot. Most users have an enormous amount of trust in their fellow Facebook friends. So, the chances of a user clicking on one of these emails are tremendously high. The attackers in this case were able to legitimately have Facebook send a spam email by compromising an account that the test user was "friends" with, and writing a comment on the test user's wall. Writing on the wall triggered an automatic email to the test user's email account with the message that was written on the wall. So, in this case Facebook wall writing is being used as a mechanism to send spam... this particular attack has been going on for over six months. The phishing URL... was registered in July 2008, but several domains have been used in this ongoing attack. Its nameserver is responsible for a load of other phishing domains, including numerous MySpace phishing pages. Users are clicking on these links manually, either when they receive them in email or read them on their walls. They click on the link, get redirected to a phishing page, and manually input their credentials.
Attackers are then using their credentials to post manually and perhaps automatically to their wall, as well as their friends' walls, allowing them to spread within the walls of the social networking world. As social networking sites become the place where the majority of Web users are spending the majority of their Internet time, we're going to see more and more MySpace, Facebook, and other social networking attacks. Web 2.0 Web sites open up a huge attack vector to exploit transitive trust. Attackers know it, and are actively taking advantage of it.
References:
http://pi3141.wordpress.com/2008/08/...shing-warning/
http://www.matthewbigelow.com/2008/0...ebook-forgery/
http://thenextweb.org/2008/08/10/fac...ck-from-china/ "
(Screenshots available at the Websense URL above.)
:fear::fear:
-
Photobucket phish...
FYI... (Screenshot available at the URL below.)
- http://blog.trendmicro.com/photobucket-gets-phished/
August 19, 2008 - "Photobucket is, by far, one of the largest photo-sharing sites in the world. It is generally used for personal photographic albums, remote storage of avatars displayed on Internet forums, and storage of videos. Lots of people may like to keep their albums private, allowing password-protected guest access, or open them up to the public. And now this photo-sharing site is being attacked by phishers... The login page above looks exactly like the original site that lures the users to enter their user name and password. Once victims enter their credentials, phishers can use them to obtain full access to their Photobucket account, and may use their albums to insert malicious code... popular image hosting sites have become the targets of several different attacks:
Turkish Hackers Relive Memories in Photobucket
- http://blog.trendmicro.com/turkish-h...in-photobucket
06.25.2008
Two New Yahoo Phish Sites
- http://blog.trendmicro.com/two-new-yahoo-phish-sites ..."
07.31.2008
:fear::fear:
-
Malware SPAM - Russia-Georgia conflict...
FYI...
Russia-Georgia conflict - malware SPAM
- http://www.us-cert.gov/current/#malw...russia_georgia
August 21, 2008 - " US-CERT is aware of public reports* of malware circulating via spam email messages related to the Russia/Georgia conflict. These messages contain factual information about the conflict. The messages also contain download instructions for the user to watch a video that is attached to the message. If a user opens the attachment, malware may be downloaded and installed onto their system..."
* http://preview.tinyurl.com/58u83x
08-21-2008 (Symantec Security Response Blog)
Russia/Georgia Conflict News Used to Hide Malicious Code in Spam
"...The messages themselves contain an attachment, along with instructions and passwords for the download of the attachment... One subject line that has been seen reads:
“Subject: Journalists Shot in Georgia”... The attachment contains no videos; rather, the attachment redirects to a link that delivers a payload identified as Trojan.Popwin... We have observed several -million- instances of this particular spam attack delivering malicious code..."
:fear::spider::fear:
-
Angelina Jolie... again.
FYI...
- http://sunbeltblog.blogspot.com/2008...in-trojan.html
August 21, 2008 - "We’ve seen the same trojan being sent to inboxes in all kinds of ways — and seemingly obsessively on the subject of Angelina Jolie. Minor shift, now they’re putting the fake codec window right in the spam. Pushes video.avi.exe, a fake alert trojan which invariably installs Antivirus XP 2008 or some such rogue security program."
(Screenshot available at the URL above.)
:fear:
-
Spoofs, forgeries, and the like...
FYI...
- http://isc.sans.org/diary.html?storyid=4927
Last Updated: 2008-08-24 18:15:34 UTC - "I received an email today from a reader (thank you) who reported that they received a piece of spam today that came from the address: monitoring @isp.com. (Notice the domain name.) Now, we have seen this type of spam before, you know, perpetrating like it comes from your ISP while just having a malicious link in it, etc. Except this time the spam was signed "ISC monitoring team" (Notice the first three letters, and how they differ from the domain name). So I am guessing that someone is trying to imitate us. And while we recognize that imitation is the sincerest form of flattery, this kind could be actually damaging. Rest assured our faithful readers, this is not from us. First of all our email addresses are not "isp.com", nor "monitoring". We don't sign our emails "ISC monitoring team". Nor do we spell the word "Consortium" -- "Consorcium" (misspelling from the email)..."
- http://www.f-secure.com/weblog/archives/00001488.html
August 26, 2008 - "This morning we saw several spam runs in the country of Denmark. The messages are in Danish and they are sent to Danish e-mail addresses. The e-mail claims to be from us. It's not. Here's what the email looks like:
From: supportupdate@f-secure.com
Date: 26. August 2008 08:31
Subject: Data is attached and sent with this message.
Dear customers!
Invoice
Data is attached and sent with this message.
I use the free F-Secure antispam version, which has already removed 338 spam letters.
Antispam is completely free for private users.
Attachment: f-secure.rar
The attachment contains a file called update26.08.2008.exe, which, when run, drops a file called dcbcg.exe (Unker-related trojan) that connects to a server in Ukraine. We detect this trojan as Trojan:W32/Agent.FVO... The spam run must have been fairly large, as we've received more than 13,000 bounces to supportupdate @f-secure.com from non-existent email addresses alone..."
:fear:
-
Who Deleted You on MSN Live?
FYI...
‘Want to Know Who Deleted You on MSN Live?’
- http://blog.trendmicro.com/want-to-k...u-on-msn-live/
Aug. 26, 2008 - "While monitoring countless sites as part of our current Web threat strategy, we have stumbled upon a legitimate-looking prompt from MSN Live Messenger... or so it would appear (at first). As shown from the screen captures below, this prompt bears a close resemblance to the actual prompt being displayed by the MSN Live Messenger instant messaging application (also known as Windows Live Messenger) whenever a friend from the user’s friends list logs in. Potential victims who unfortunately encounter the site (Borradito.com) via spam or spammed IM are first enticed by the Web site’s description, which promises the capability to view which of their friends have removed them from their friends list, provided they are logged in, of course—a pretty convincing trick to lure users to key in their user names and passwords. As the Web site is accessed, a message prompt from MSN Live Messenger appears at the lower-right part of the screen, just below the system tray... Once users click on the prompt, they are diverted to a Flash-based window which also resembles an actual MSN group chat window... This routine is used to attract the users, as well as to build credibility. If the user goes back to the main site and enters their credentials, the site displays a list of users who have allegedly removed the affected user from their contact lists... What happens under the radar, however, is that the site captures the entered credentials and the accounts are then opened by a remote malicious user and IM messages containing a link to the Borradito phishing site are sent to all contacts on the affected account’s buddy list... This ensures further propagation of this threat. Directly at risk are MSN users and their contacts. The account information harvested in this account may be used to access various Windows Live services such as Windows Live Call (PC-to-phone calls), SkyDrive (file-sharing services), Spaces, and even Hotmail accounts under the same account.
Today, your email accounts hold many important tidbits on different aspects of your life, job, and personal details many people would prefer not to be divulged to others. Letting your guard down can be very costly and can lead to exploitation. The worst possible scenarios include identity theft and financial loss..."
(Screenshots available at the URL above.)
:fear:
-
Critical Update: Please Patch Windows with Malware
FYI...
Critical Update: Please Patch Windows with Malware
- http://blog.trendmicro.com/critical-...-with-malware/
Aug. 27, 2008 - "After patching 11 vulnerabilities for this month’s Patch Tuesday, spam is being sent that falsely claims that the recipient should immediately install another critical Microsoft update... Patching one’s system using this spam as a guidance, however, downloads a multitude of badness, and one particular malicious piece of malware which is detected as EXPL_ANICMOO.GEN... Malware writers are counting on the urgency of the email’s tone to trick recipients into applying the “patch”..."
(Screenshot available at the URL above.)
:fear:
-
Treasury Optimizer - malware update...
FYI...
Treasury Optimizer - malware update
- http://blog.trendmicro.com/treasury-...-with-malware/
Aug. 30, 2008 - "Treasury Optimizer is an online banking tool offered by Capital One Bank which aims to provide secure access to business accounts on the Web, 24/7. Posed to replace electronic money or more popularly known as eCash, it offers to protect customers’ accounts through security features such as multifactor authentication. Unfortunately, their security offerings come short, as we receive bulks of phishing emails that “promote” the Treasury Optimizer. The phishing mail instructs the client to update their account due to a potential security risk that affects all of Capital One Bank products, including the Treasury Optimizer... The conventional phishing attack aims to capture users’ credentials through fake login pages spammed through email. For this attack however, the phishing link given in the phishing email leads to a page that does not ask for credentials, but tells the user to download a file instead. When the user clicks the link contained in the phishing email, the following spoofed Treasury Optimizer Web page is displayed... The page explains that the bank had to fix (the) vulnerability; and in order to fix it, the client MUST download the update. It even displays different download links for different operating systems. It will then download an .EXE file that poses as an installation setup... The downloaded file is detected by Trend Micro as TROJ_SMALL.MAT. This malware-enhanced phishing attack is neither the typical type of phishing attack, nor is it less dangerous. The scope of a phishing attack is usually limited; one account from a target organization compromised in every successful attack. But this phishing attack installs a malware on the affected user’s system instead, and then uses it to monitor users’ online activities, thus possibly disclosing more information..."
(Screenshots available at the URL above.)
:fear::mad:
-
Fake celebrity news SPAM - Malicious Code...
FYI...
Fake celebrity news SPAM - Malicious Code
- http://securitylabs.websense.com/con...erts/3172.aspx
9.03.2008 - "...ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN and MSNBC themed templates. Recently, email alerts listing different popular events and news articles also encouraged users to download a video codec, which was actually a malicious file... The malicious payload is only accessed when the user clicks on the 'READ FULL STORY' link, which takes them to a Web page on a compromised site named index97.html, which issues a pop-up encouraging users to download a ‘missing’ video codec, a file called video98.exe... Here are a few examples of the varied subjects we have seen in this campaign:
Sensational news. Check the message.
Breaking news! Be the first to know.
Very important news.
Astonishing Please take a look.
Sensational information inside.
Check this out. This is a bomb
This is really great news. Please check. ..."
(Screenshots available at the Websense URL above.)
:fear:
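Added example (not code from Websense or from the original post): a small scanner that applies the two signals the write-up above gives for this campaign, the known lure subject lines and the `index97.html` / `video98.exe` artifacts, and adds the generic check that catches the next template change too: a message that wraps itself in a news brand but whose "READ FULL STORY" link leads to some other host. The brand-to-domain table (`cnn.com`, `msnbc.com`, `msnbc.msn.com`), the `.example` hosts and both sample messages are constructed for the demo and are not from the alert.

```python
"""Flag news-themed lure mail whose links lead away from the brand it imitates."""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators quoted from the Websense alert: subject lines seen in the campaign
# and the lure page / payload file names.
CAMPAIGN_SUBJECTS = {
    "sensational news. check the message.",
    "breaking news! be the first to know.",
    "very important news.",
    "astonishing please take a look.",
    "sensational information inside.",
    "check this out. this is a bomb",
    "this is really great news. please check.",
}
CAMPAIGN_PATHS = ("index97.html", "video98.exe")

# Assumed mapping of brand keyword -> domains a genuine notification links to.
BRAND_DOMAINS = {
    "cnn": ("cnn.com",),
    "msnbc": ("msnbc.com", "msnbc.msn.com"),
}


class LinkExtractor(HTMLParser):
    """Collect every <a href=...> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(msg: Message):
    """Return all URLs from the text/html and text/plain parts of a message."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/html", "text/plain"):
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            parser = LinkExtractor()
            parser.feed(body)
            links.extend(parser.links)
        else:
            links.extend(re.findall(r"https?://[^\s<>\"']+", body))
    return links


def host_matches(host: str, domains) -> bool:
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_message(raw: str):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in CAMPAIGN_SUBJECTS:
        findings.append("subject matches known campaign lure")
    text = raw.lower()
    brands = [b for b in BRAND_DOMAINS if b in text]  # brands the mail claims to be
    for link in extract_links(msg):
        parsed = urlparse(link)
        host = parsed.hostname or ""
        if not host:                      # mailto:, javascript: etc.
            continue
        if parsed.path.lower().endswith(CAMPAIGN_PATHS):
            findings.append(f"link to known campaign artifact: {link}")
        for b in brands:
            if not host_matches(host, BRAND_DOMAINS[b]):
                findings.append(f"{b.upper()}-branded mail links to off-brand host {host}")
    return findings


# Constructed sample messages (not real campaign mail).
LURE = """From: CNN Alerts <alerts@cnn.example>
To: victim@corp.example
Subject: Breaking news! Be the first to know.
Content-Type: text/html; charset=us-ascii

<html><body><p>CNN.com Daily Top 10</p>
<a href="http://compromised-site.example/index97.html">READ FULL STORY</a>
</body></html>
"""

BENIGN = """From: CNN Alerts <alerts@cnn.example>
To: victim@corp.example
Subject: Your CNN.com weekly digest
Content-Type: text/plain; charset=us-ascii

Read this week's top stories: http://www.cnn.com/2008/WORLD/
"""

if __name__ == "__main__":
    for name, raw in (("LURE", LURE), ("BENIGN", BENIGN)):
        print(name, scan_message(raw) or "clean")
```

The brand/host mismatch rule is a heuristic: a real newsletter that links through a third-party mailer will trip it, so treat it as a score, not a verdict.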
-
Free Online Services attacked...
FYI...
Misleading Application Targets Free Online Services
- http://www.securityfocus.com/blogs/1018
2008-09-03 (Symantec Security Response) - "...we have found that attackers have begun targeting free online service sites and our example is based on Google Notebook, although these attacks are not unique to this site. Attackers have started to use Google Notebook as a new social engineering attack vector to spread misleading applications. Misleading applications attempt to convince the user that he or she must remove potentially unwanted programs or security risks (usually nonexistent or fake) from the computer. Google Notebook is a free online service that provides a way to save and share information in a single location. This free service offers a feature to save search results, notes, or images online and allows users to share these artifacts with others. Users can create notes with headings and within each note they can add more content, such as links etc. Attackers are now taking advantage of this free service to create an attack vector to push misleading applications onto the victims' machines. While researching this problem we found cases where victims were invited to click on a malicious link. We found one author's notebook with more than 50 notes, including fake information and more malicious links... Clicking on the associated links leads to the author's notebook pages, where the pages contain fake information and malicious links... Based on the contents, the victim is invited to click on the links to get additional information, but ends up getting fake pop-up messages generated by fake Web sites hosting misleading applications... When the victim clicks the OK button, a fake antivirus installer is downloaded to the victim's machine. The link on the "Microsoft Windows History" page contains a link to "hxxp ://anitspy .com". This link will redirect the page to "hxxp ://llab .com". If it is a user's first visit to the site, then the site will redirect that Web page to a malicious Web site (hxxp ://pc .com), which serves up a misleading application.
In other instances the page will be redirected to a search site called "hxxp ://searcher .com," where the user will see an advertisement to download fake antivirus software. The complete scenario makes it seem as if attackers are running underground affiliate networks to promote misleading applications.
Social engineering attacks that involve victims who are tricked into clicking on malicious links are not new; however, now the attackers have started using free service sites as a new attack vector to push their misleading applications..."
(Screenshots available at the SecurityFocus URL above.)
:fear::mad:
-
SPAM targeting US Presidential Election
FYI...
SPAM campaign targeting US Presidential Election... Malicious Code
- http://securitylabs.websense.com/con...erts/3177.aspx
09.09.2008 - "Websense... has discovered an emerging email campaign which uses the US presidential election as a social engineering mechanism to install information-stealing code on a victim's machine. With less than 2 months before the start of the election, emails are circulating with fake news of a sex scandal affecting one of the candidates. Recipients of the email are encouraged to view a video supposedly involving the Democratic candidate Barack Obama. Users who click the link are shown a pornographic video taken from hxxp ://homemade*snip*.com/ . While the video plays for 14 seconds, malicious applications are installed on the victim's machine... The dropper installs 809.exe in the user's Temporary Internet Files folder. Also a Browser Helper Object (BHO) named Siemens32.dll is registered. This is an information-stealing application that posts data to a compromised Finnish travel site, hxxp ://*snip*-hotel.com/ ..."
(Screenshots available at the URL above.)
- http://www.f-secure.com/weblog/archives/00001497.html
September 10, 2008 - "...Interestingly, there is no Medved Hotel in Finland... we have reported this to local authorities and they are working on getting the site shut down."
(More screenshots...)
:fear::mad:
-
DHS email Scam
FYI...
DHS email Scam
- http://www.us-cert.gov/current/index...dhs_email_scam
September 11, 2008 at 04:42 pm - "US-CERT is aware that spam email messages are being sent that appear to come from high-level DHS officials, some of which attempt to entice the user into an advance fee fraud scam. In some cases, the sender's address has been spoofed so that the email appears to come from a legitimate dhs.gov address..."
:fear::mad:
-
Fake Postcards... Fake Hurricane Relief Web Site
FYI...
Fake Postcards... Fake Hurricane Relief Web Site
- http://blog.trendmicro.com/fake-post...lief-web-site/
Sep. 14, 2008 - "... The Hurricane Gustav connection is not really that apparent in the following spammed email message... It informs recipients that they received a postcard, and if they desire to view it, they should click either of the two links in the message body. Recipients who are lured into believing that some family member actually has sent them a postcard are redirected to the following Web page when they click either link... The nameless family member (one would immediately notice that this is so impersonal) who sent the postcard also wants the recipient to donate to Gustav victims. A well-crafted “postcard” and a chance to help people in need, how heartwarming! But only if there indeed was a legitimate card, and only if the money actually went to those affected by the hurricane. Even if the Web site says so, donations through this dubious channel do not go to Red Cross. The criminals behind this scam are the only ones who get to keep the money..."
(Screenshots available at the URL above.)
:fear: :mad:
-
UPS tracking invoice trojan..
FYI...
UPS tracking invoice trojan...
- http://isc.sans.org/diary.html?storyid=5051
Last Updated: 2008-09-16 20:15:52 UTC - "We received two reports of fake UPS invoice tracking Trojan zip files. This is similar to other invoice Trojans we have seen... notice that while this appears to be a two way conversation it was really just the spammer who created the whole thing. The victim did -not- send UPS an email..."
(More detail at the URL above.)
- http://www.ups.com/content/us/en/abo.../virus_us.html
:fear:
-
Fake Careerbuilder sites/phish...
FYI...
Fake Careerbuilder sites/phish...
- http://asert.arbornetworks.com/2008/...ran-and-burma/
September 19, 2008 - "...new fast flux phishing malcode delivery scheme targeting CareerBuilder. Lures bring you in to a number of sites and launch malcode onto your system. Pretty classic technique these days, been used heavily for banks in the past couple of weeks... It’s a fast flux botnet, apparently doing double flux too... Much of that list comes from Gary Warner’s always excellent blog*. So, as many of you may be in the job market, keep in mind that not everything from CareerBuilder is really from them..."
* http://garwarner.blogspot.com/2008/0...t-digital.html
(Screenshots available at both URLs above.)
:fear::mad:
-
Facebook malicious SPAM...
FYI...
Facebook "add friend" Malicious SPAM
- http://securitylabs.websense.com/con...erts/3185.aspx
09.22.2008 - "Websense... has discovered a new malicious social-engineering spam campaign masquerading as official emails sent by the popular Web 2.0 social-networking site, Facebook. The email is spoofed to appear from the domain facebookmail.com, an official domain used by Facebook for their outbound emails when notifying their users of an event. It is common for Facebook to send an email to notify their users when another Facebook user adds them as a friend on the social network. However, the spammers included a zip attachment that purports to contain a picture in order to entice the recipient to double-click on it. The attached file is actually a Trojan horse..."
(Screenshot available at the URL above.)
:fear:
-
Wachovia... spy-phishing rootkit...
FYI...
Wachovia... spy-phishing rootkit
- http://blog.trendmicro.com/wachovia-...talls-rootkit/
Sep. 22, 2008 - "... spy-phishing scheme targeting the Fortune 500 company and 4th largest banking chain in the US, Wachovia Bank. This attack ends in the execution of a rootkit, TROJ_ROOTKIT.FX, which is a file that hides files and processes, allowing malicious attacks to run entirely beneath the radar.
Macalintal warns that he has seen the following subject headings used in this attack:
* Wachovia Connection Update Alert.
* Wachovia Connection Customer Support - Security Updates.
* Wachovia Connection upgrade warning.
* Wachovia Connection Emergency Alert System...
The malicious links download a file named SPlusWachoviadigicert.exe. Trend Micro Smart Protection Network detects this as TROJ_AGENT.AINZ. It accesses a certain URL to download another malware that in turn drops and installs TROJ_ROOTKIT.FX. This infection chain can be cut off at various points by the Smart Protection Network as we already detect the spam, the malicious links therein, and the files that are downloaded and executed on the system...
The legitimate Wachovia Security Plus link can be accessed here*, where the company discusses several security issues and precautionary methods to avoid being tricked by these types of attacks..."
* http://www.wachovia.com/securityplus/0,,,00.html
(Screenshot available at the TrendMicro URL above.)
:fear: :mad:
-
American Airlines phish...
FYI...
American Airlines phish...
- http://securitylabs.websense.com/con...erts/3187.aspx
09.23.2008 - "Websense... has discovered a new phishing campaign targeting American Airlines AAdvantage(R) Program customers. Users receive an email, which is spoofed, that tries to convince the user that, if they log in and fill out a 5-question survey, they will get a $50 reward. The email provides a link that takes visitors to the phishing Web site. The email also provides a fake code which is meant to entice the user even more..."
(Screenshot available at the URL above.)
:fear::mad:
-
World War 3 SPAM...
FYI...
World War 3 SPAM
- http://sunbeltblog.blogspot.com/2008...ar-3-spam.html
September 25, 2008 - "This is particularly nasty spam pushing a fake codec trojan... If you go to that link, you get to a very convincing site pushing a fake codec. That CNNWorld was created yesterday, hosted in Iran..."
(Screenshots available at the URL above.)
:mad:
-
Bank fraud emails...
FYI...
Bank fraud emails
- http://www.firstcybersecurity.com/main/news.asp#news1
25 September 2008 - "An increase in fraudulent activity is likely to follow the recent events in the banking sector... Customers with internet banking accounts are urged to take care if asked to respond to emails from banks which have been named as being involved in the recent takeovers and mergers. According to Director David Holman, “This is just the sort of confusion on which the fraudsters thrive. As these mergers and acquisitions continue in the banking sector, the consumer will expect to receive communications from their banks detailing name changes and giving them different websites to gain access to their internet bank accounts. Unless this is handled carefully it is a real opportunity for fraudsters to steal private information”. While many of us are wary of emails purporting to be from our banks, the latest APACs figures show that 18% of people who receive them still click through to links included in these (e)mails..."
- http://news.cnet.com/8301-1009_3-10051688-83.html
September 25, 2008
:fear:
-
Same WW3 SPAM... more detail
FYI...
Same WW3 SPAM... more detail
- http://blog.trendmicro.com/world-war-iii-malware-spam/
Sep. 29, 2008 - "...SPAM announcing the declaration of World War III. The link provided points to a legitimate-looking CNN page with a video. However, users wishing to view this video are prompted to install an ActiveX Object... The supposed ActiveX Object is actually malware, which Trend Micro detects as TSPY_BANCOS.JN. TSPY_BANCOS.JN, like all BANCOS variants, is an info stealer that monitors the browser of the affected system. It waits for the user to access certain banking-related Web sites, then spoofs the login pages of the bank Web site to steal sensitive account information. The request to install an ActiveX Object is a popular ploy to spread malware these days, and this bogus ActiveX Object is yet another one designed to deceive the user to believe that he’s installing something useful..."
(Screenshots available at the URL above.)
:fear:
-
SPAMmers - new tricks...
FYI...
- http://preview.tinyurl.com/4tksdr
Sep. 30, 2008 (TrendLabs) - "...recent report of -spammers- using a feature called ‘delivery receipt request’ to verify if a certain email address exists. Delivery receipts are messages sent to the original sender of an email message to verify that the sent message has been delivered to the intended recipient. While message delivery receipt acknowledgment is indeed available in popular desktop mail clients (such as Microsoft Outlook), and can be selectively ignored, most Web email platforms automatically send a delivery receipt when requested to do so if the targeted account exists. A Microsoft page stating instructions on how to enable & use this feature in various releases of Outlook can be seen here*. In enabling this function, spammers can now send spam to a large number of addresses and subsequently filter out the legitimate ones easily — that is, if the recipient chooses to selectively acknowledge each delivery request, or simply chooses to acknowledge all messages which have this request embedded. This unwillingly places a recipient on the spammer’s list of future victims just by acknowledging receipt of the initially sent spam. The delivery receipt function is ideally a useful feature especially for people who want to be absolutely sure that their message has been received. Unfortunately, this function, like so many other supposedly reputable functions, has been used for malicious intent instead..."
* http://support.microsoft.com/kb/192929
(In Outlook: >Tools >E-mail Options >Tracking Options - choose: "Never send a response")
:fear: :mad:
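Added example (not code from TrendLabs or Microsoft, and not part of the original post). Two mechanisms hide behind the word "receipt": a delivery receipt rides on the SMTP envelope (RFC 3461 NOTIFY) and is answered by the receiving server, while a read receipt is requested with a header the recipient's client sees, Disposition-Notification-To (RFC 8098; older clients used Return-Receipt-To). It is the header-based request that a mail client or webmail auto-answers and thereby confirms a live mailbox, so that is what this code handles: it finds the request, strips it at a gateway, or applies the policy a client should follow, which is never to answer automatically and at most to prompt the user when the envelope sender matches the request address and the sender is already known (RFC 8098 section 2.1 says the request must not be honoured automatically when Return-Path and Disposition-Notification-To disagree). The sample messages and the contact list are constructed.

```python
"""Detect, strip and decide on e-mail read-receipt (MDN) requests."""
from email import message_from_string
from email.utils import parseaddr

RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To")


def receipt_request(raw: str):
    """Return (header_name, requested_address) if the message asks for a receipt, else None."""
    msg = message_from_string(raw)
    for header in RECEIPT_HEADERS:
        value = msg.get(header)
        if value:
            return header, parseaddr(value)[1].lower()
    return None


def strip_receipt_requests(raw: str) -> str:
    """Gateway behaviour: remove every receipt-request header before delivery."""
    msg = message_from_string(raw)
    for header in RECEIPT_HEADERS:
        del msg[header]          # deletes all occurrences
    return msg.as_string()


def receipt_policy(raw: str, contacts: set) -> str:
    """Client behaviour for a receipt request.

    'none'   -> message carries no request
    'ignore' -> drop the request silently (the safe default)
    'ask'    -> the client may prompt the user; it is never 'send' because an
                automatic reply is exactly the address confirmation a spammer wants
    """
    request = receipt_request(raw)
    if request is None:
        return "none"
    msg = message_from_string(raw)
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    _, target = request
    # RFC 8098 2.1: envelope sender and receipt address must agree for any
    # automatic handling; a missing Return-Path is treated the same way.
    if not return_path or return_path != target:
        return "ignore"
    # Extra, assumed rule: only ever prompt for people the user already knows.
    if sender in contacts and target == sender:
        return "ask"
    return "ignore"


# Constructed sample messages (not real spam).
SPAM = """Return-Path: <bounce-4411@bulkmailer.example>
From: "Account Team" <info@bulkmailer.example>
To: user@corp.example
Subject: Your account statement
Disposition-Notification-To: verify-4411@bulkmailer.example
Content-Type: text/plain

Please see the attached statement.
"""

SPAM_MATCHING_ENVELOPE = """Return-Path: <verify@bulkmailer.example>
From: "Account Team" <verify@bulkmailer.example>
To: user@corp.example
Subject: Your account statement
Return-Receipt-To: verify@bulkmailer.example
Content-Type: text/plain

Please see the attached statement.
"""

COLLEAGUE = """Return-Path: <alice@corp.example>
From: Alice <alice@corp.example>
To: user@corp.example
Subject: Contract draft
Disposition-Notification-To: alice@corp.example
Content-Type: text/plain

Can you confirm you got this?
"""

CONTACTS = {"alice@corp.example"}

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("SPAM_MATCHING_ENVELOPE", SPAM_MATCHING_ENVELOPE), ("COLLEAGUE", COLLEAGUE)):
        print(name, receipt_request(raw), "->", receipt_policy(raw, CONTACTS))
```

The Outlook "Never send a response" setting noted above is the client-side equivalent of `receipt_policy` always returning "ignore"; stripping the headers at the gateway covers webmail users who have no such setting.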
-
New YouTube malware tool
FYI...
- http://blog.trendmicro.com/a-new-youtube-malware-tool/
Oct. 5, 2008 - "A new hacking tool circulating in the Internet now allows malicious users to create fake -YouTube- pages designed to deliver malware. The said tool, detected by Trend Micro as HKTL_FAKEYOUT, features a user-friendly console in Spanish that a hacker may use to create a pair of Web pages that look eerily identical to legitimate -YouTube- pages.
With a little crafty social engineering, unsuspecting users may be led into the first of the fake pages, INDEX.HTML. Here, users may be disappointed to see that they cannot view their video as they need a new version of Adobe Flash Player or some plugin or codec. A link is handily provided, and clicking the link leads users to the hacker’s file of choice, which could very possibly be something malicious. A second fake page informing users that the video they were trying to view cannot be shown is then displayed. This is to make users think that nothing’s really happened, when in fact by downloading the plugin, malware may already be running in their systems.
Fake codecs remain popular masks for malware. The popularity of -YouTube- also makes it a preferred target for malware users who want to infect more users... HKTL_FAKEYOUT could be very dangerous because it is very accessible to script kiddies who could use it for their malware and hacking operations. Users are advised to always check the URLs of pages they are viewing. Also, product updates should be downloaded from the vendors themselves to ensure that these are legitimate and not malicious."
Also see:
- http://voices.washingtonpost.com/sec...ker_helps.html
September 12, 2008
(Screenshots available at both URLs above.)
:fear: :mad:
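Added example (not Trend Micro code and not part of the original post) for the advice above to "always check the URLs": a naive check such as "does the address contain youtube.com" is exactly what a fake-codec page is built to pass, so this goes through the tricks a lure URL uses (a vendor name as a leading label of another domain, a vendor name in the user-info part before `@`, a bare IP address) and reports which host the browser would really contact. The vendor-to-domain table and every URL below are assumptions made for the demo.

```python
"""Does a download URL really belong to the vendor it claims to?"""
from ipaddress import ip_address
from typing import Optional, Tuple
from urllib.parse import urlparse

# Assumed table: vendor name -> domains its genuine downloads come from.
VENDOR_DOMAINS = {
    "youtube": ("youtube.com",),
    "adobe flash": ("adobe.com", "macromedia.com"),
}


def effective_host(url: str) -> Optional[str]:
    """Return the host the browser would connect to, or None if it is not a
    plain hostname (IP literal or empty).  urlparse().hostname already drops
    user-info such as 'adobe.com@' and the port, and lower-cases the name."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname
    if not host:
        return None
    try:
        ip_address(host)
        return None           # numeric host: never a vendor download site
    except ValueError:
        return host.rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def vendor_url_check(url: str, vendor: str) -> Tuple[bool, str]:
    """(True, host) when the URL is on a vendor domain, else (False, reason)."""
    host = effective_host(url)
    if host is None:
        return False, "host is not a normal hostname"
    domains = VENDOR_DOMAINS[vendor]
    if any(belongs_to(host, d) for d in domains):
        return True, host
    # Vendor name present but not as the registered domain: the classic lure.
    if any(d.split(".")[0] in host for d in domains):
        return False, f"look-alike host {host}"
    return False, f"third-party host {host}"


if __name__ == "__main__":
    # Constructed URLs, not from the blog post.
    for url, vendor in (
        ("http://www.youtube.com/watch?v=abc", "youtube"),
        ("http://youtube.com.watch-video.example/index.html", "youtube"),
        ("http://adobe.com@download.example/flash_update.exe", "adobe flash"),
        ("http://192.0.2.10/flash_update.exe", "adobe flash"),
        ("https://get.adobe.com/flashplayer/", "adobe flash"),
    ):
        print(url, "->", vendor_url_check(url, vendor))
```

The `belongs_to` test is the one that matters: matching on `endswith("youtube.com")` alone would accept `notyoutube.com`, and matching on a substring would accept the look-alike hosts the tool above generates pages for.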
-
Blogspot under push by malware authors...
FYI...
Blogspot under push by malware authors
- http://sunbeltblog.blogspot.com/2008...e-authors.html
October 13, 2008 - "We’ve seen a number of new blogs on Blogspot today that push malware, pushing various search keywords...
Examples:
buzzwocdco. blogspot. com
iberianiceaande. blogspot. com
semtmbmshmenf. blogspot. com
These sites push fake codecs which generally make ones life quite miserable."
(Screenshot available at the URL above.)
:fear: :mad: