SPAM frauds, fakes, and other MALWARE deliveries - archive

SPAM/malware fake delivery failure msgs

FYI...

SPAM/malware fake delivery failure msgs
- http://tools.cisco.com/security/center/viewAlert.x?alertId=19743
Last: August 30, 2010 - "... significant activity related to spam e-mail messages that inform the recipient about the delivery failure of a United Parcel Service (UPS) shipment. The message instructs the recipient to print a label in the attached .zip file and collect the package from a UPS office. However, the attachment actually contains a malicious .exe file that, if executed, attempts to infect the user's system with malicious code...
Subject: UPS Delivery Problem RN 26489...
Subject: UPS INVOICE NR9030102...
Subject: Fedex Item Status N7185272..."

- http://labs.m86security.com/2010/08/fedex-spam-seeding-new-asprox-binary/

iTunes v10 - Ping SPAM...

FYI...

iTunes v10 - Ping SPAM...
- http://www.sophos.com/blogs/chetw/g/2010/09/02/apple-pingd-comment-spam-coming/
September 2nd, 2010 - "Apple launched iTunes 10 yesterday along with their updated hardware platforms. Aside from supporting the newest generation of iPod and Apple TV devices, this new version of iTunes also introduces a new social media service branded as Ping. If you use iTunes, you should definitely update to iTunes 10 as it fixes thirteen separate vulnerabilities... apparently Apple didn't consider this when designing Ping, as the service implements no spam or URL filtering. It is no big shock that less than 24 hours after launch, Ping is drowning in scams and spams."

- http://www.newsfactor.com/story.xhtml?story_id=003000C9B0YI
September 3, 2010 - "... Some Ping posts are attempting to trick users into believing they will receive a free iPhone if they complete online surveys. Sophos published research earlier this year demonstrating a 70 percent increase in the number of users reporting spam and malware being spread via social networks, a trend that continues to grow. It would appear that Apple missed that report..."

Survey SPAM on YouTube

FYI...

Survey SPAM on YouTube
- http://www.sophos.com/blogs/gc/g/2010/09/07/video-fan-scammer-survey-spam-youtube
September 7, 2010 - "... themes that has been coming through loud and clear in the security world for the last few months has been the use by scammers of revenue-generating surveys... mostly impacting Facebook users, where unsuspecting computer owners click on a link shared with them via the social networking site only to discover that they have to complete a survey before seeing some typically salacious content. The scammers, meanwhile, earn their crust by receiving a small commission for each survey that is completed. These survey scams, however, are not just limited to Facebook... It doesn't matter if you receive a message via Facebook, YouTube or traditional email - you should always be suspicious of unsolicited communications and think before you click."

Cybercrime strikes more than 2/3 of Internet Users

FYI...

Cybercrime strikes more than 2/3 of Internet Users
- http://www.symantec.com/about/news/release/article.jsp?prid=20100908_01
September 8, 2010 – "... You might be just one click away from becoming the next cybercrime victim. A new study released today from security software maker Norton reveals the staggering prevalence of cybercrime: Two-thirds (65 percent) of Internet users globally, and almost three-quarters (73 percent) of U.S. Web surfers have fallen victim to cybercrimes, including computer viruses, online credit card fraud and identity theft. As the most victimized nations, America ranks third, after China (83 percent) and Brazil and India (tie 76 percent). The Norton Cybercrime Report: The Human Impact* shines a light on the personal toll cybercrime takes... victims’ strongest reactions are feeling angry (58 percent), annoyed (51 percent) and cheated (40 percent), and in many cases, they blame themselves for being attacked. Only 3 percent don’t think it will happen to them, and nearly 80 percent do not expect cybercriminals to be brought to justice — resulting in an ironic reluctance to take action and a sense of helplessness... Despite the emotional burden, the universal threat, and incidents of cybercrime, people still aren’t changing their behaviors - with only half (51 percent) of adults saying they would change their behavior if they became a victim. Even scarier, fewer than half (44 percent) reported the crime to the police... According to the report, it takes an average of 28 days to resolve a cybercrime, and the average cost to resolve that crime is $334. Twenty-eight percent of respondents said the biggest hassle they faced when dealing with cybercrime was the time it took to solve..."
* http://cybercrime.newslinevine.com/

Cybercrime Map:
- http://i.i.com.com/cnwk.1d/i/tim//2010/09/07/SymantecCybercrimeMap.png

'Here you have...' SPAM/virus

FYI...

'Here you have...' SPAM/virus
- http://isc.sans.edu/diary.html?storyid=9529
Last Updated: 2010-09-09 21:49:06 UTC ...(Version: 2) - "We are aware of the "Here you have" malware that is spreading via email. As we find out more, we'll update this diary.
Update: 2010-09-09 21:28 UTC (JAC) There are several good writeups on the behavior of this malware see some of the references below. The spam contains a link to a document, the link looks like it is to a PDF, but is, in fact, to a .SCR file and served from a different domain from what the link appears to point to. The original file seems to have been removed, so further infections from the initial variant should not occur, but new variants may well follow. The .SCR when executed downloads a number of additional tools, one of which appears to attempt to check in with a potential controller. The name associated with the controller has been sink-holed. The malware attempts to deactivate most anti-virus packages and uses the infected user's Outlook to send out its spam.
References:
http://www.virustotal.com/file-scan...b84eb4c0b98024c7d3302039a901b04b7-1284058335#
File name: PDF_Document21_025542010_pdf.scr
Submission date: 2010-09-09 18:52:15 (UTC)
Result: 13/43 (30.2%)
http://www.threatexpert.com/report.aspx?md5=2bde56d8fb2df4438192fb46cd0cc9c9
http://www.threatexpert.com/report.aspx?md5=bd9208edf44d0ee32b974a2d9da7bc61
http://www.avertlabs.com/research/b.../widespread-reporting-of-here-you-have-virus/

- http://sunbeltblog.blogspot.com/2010/09/here-you-have-worm.html
September 10, 2010 - "... The subject line on the email was “Here you have” or “Just For you”..."

- https://kc.mcafee.com/corporate/index?page=content&id=KB69857&actp=LIST
Last Modified: September 09, 2010 - "... confirmation that some customers have received large volumes of spam containing a link to malware, a mass-mailing worm identified as VBMania. The symptom reported thus far is that the spam volume is overwhelming the email infrastructure. Static URLs in the email link to a .SCR file. McAfee recommends that customers filter for the URL on gateway and email servers, and block the creation of .SCR files on endpoint systems..."

- http://www.symantec.com/connect/blo...mail-storms-reply-all-and-here-you-have-virus
September 10, 2010 - "... the huge volume of traffic can actually take down servers...
1. Outbreak detection: Identify that an active outbreak is occurring because of the volume of traffic generated by the same malicious email
2. Internal mail filtering: Block all internal traffic of the "Here you Have" email* using Content Filtering
3. Mail store / inbox cleanup: Seek out and eliminate the "Here you Have" email from Mail Stores and end user inboxes..."
(Suggested add: "Just For you")

- http://www.symantec.com/connect/blogs/new-round-email-worm-here-you-have
September 9, 2010 - "... confirmed reports of a worm spreading through email under the subject "Here you have". The mail to the unsuspecting recipient claims to be providing a document available through a URL. The URL is spoofed and actually points to a malicious binary being hosted on a different server..."

- http://community.websense.com/blogs...paign-malicious-SCR-mascarading-as-a-PDF.aspx
10 Sep 2010 - "... When the user clicks and follows the link, a malicious file is downloaded, which further spreads the email campaign by pillaging the user's Outlook address book. This makes the attack more convincing as the source of the email could be legitimate and trusted..."

- http://www.theregister.co.uk/2010/09/10/email_worm_spreading/
10 September 2010 - "... McAfee said multiple variants of the worm appear to be spreading, so it's not yet clear that the malicious screensaver is hosted by a single source."

- http://www.symantec.com/security_response/threatconlearn.jsp
9/10/2010 - "The ThreatCon is currently at Level 3: High. The ThreatCon has been raised to Level 3 due to increased activity. Symantec is observing a new threat spread through a socially engineered email attack. The email convinces the recipient to follow a link to open a malicious binary (disguised as a PDF)..."

- http://www.virustotal.com/file-scan...4b84eb4c0b98024c7d3302039a901b04b7-1284133892
File name: csrss.exe
Submission date: 2010-09-10 15:51:32 (UTC)
Result: 32/43 (74.4%)

- http://blogs.technet.com/b/mmpc/archive/2010/09/10/update-on-the-here-you-have-worm-visal-b.aspx
10 Sep 2010 4:40 PM

- http://www.microsoft.com/security/portal/blog-images/visal-b.png
Charted - Sep. 10, 2010 18:59 GMT

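A gateway-side triage script for the "Here you have" campaign summarized in the excerpts above, written as an added example (it is not code from SANS, McAfee or Symantec). It implements the two controls those excerpts recommend: outbreak detection by lure-subject volume, and content filtering of links whose visible text names a PDF while the real href points at a .SCR file on another host. The hosts, the threshold and the sample messages are constructed assumptions.

```python
"""Mail-gateway triage for the "Here you have" campaign.

Implements the two controls the advisories above describe:
  1. Outbreak detection: many messages sharing the same lure subject.
  2. Content filtering: links whose visible text looks like a PDF on one host
     while the real href points at a .SCR file, typically on another host.
All sample messages, hosts and the threshold are constructed for this example.
"""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

LURE_SUBJECTS = {"here you have", "just for you"}   # both subjects named in the reports
BLOCKED_EXTENSIONS = (".scr",)                       # McAfee's advice: filter links to .SCR files
OUTBREAK_THRESHOLD = 3                               # assumed policy: same lure subject N times per batch
URL_LIKE = re.compile(r"^(?:https?://|www\.)", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def link_is_suspicious(href, text):
    """True if the real target ends in a blocked extension, or the visible text
    is itself a URL whose host differs from the real target's host."""
    target = urlparse(href)
    if target.path.lower().endswith(BLOCKED_EXTENSIONS):
        return True
    if URL_LIKE.match(text):
        shown = urlparse(text if "://" in text else "http://" + text)
        if shown.netloc.lower() != target.netloc.lower():
            return True  # displayed URL and actual URL disagree on host
    return False


def classify(msg):
    """Reasons to quarantine one message; an empty list means it passes."""
    reasons = []
    if msg["subject"].strip().lower() in LURE_SUBJECTS:
        reasons.append("lure-subject")
    for href, text in extract_links(msg["body"]):
        if link_is_suspicious(href, text):
            reasons.append("suspicious-link:" + href)
    return reasons


def detect_outbreak(msgs):
    """Lure subjects seen at least OUTBREAK_THRESHOLD times in this batch."""
    counts = Counter(m["subject"].strip().lower() for m in msgs)
    return {s: n for s, n in counts.items() if s in LURE_SUBJECTS and n >= OUTBREAK_THRESHOLD}


# Constructed sample batch: four lure messages plus two legitimate ones.
LURE_BODY = ('Hello, this is the document I told you about.<br>'
             '<a href="http://files.example.net/PDF_Document21_025542010_pdf.scr">'
             'http://www.example.com/PDF_Document21_025542010.pdf</a>')
SAMPLE_MESSAGES = [
    {"subject": "Here you have", "body": LURE_BODY},
    {"subject": "Just For you", "body": LURE_BODY},
    {"subject": "Here you have", "body": LURE_BODY},
    {"subject": "here you have ", "body": LURE_BODY},
    {"subject": "Quarterly report", "body": '<a href="http://intranet.example.com/q3.pdf">Q3 report</a>'},
    {"subject": "Meeting notes", "body": '<a href="https://www.example.com/notes.pdf">www.example.com/notes.pdf</a>'},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"].strip(), "->", classify(m) or "clean")
    print("outbreak:", detect_outbreak(SAMPLE_MESSAGES))
```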
FYI...

“Here you have” worm linked...

- http://www.secureworks.com/research/threats/visal-b/
September 22, 2010 - "... Prevention:
In addition to network-based monitoring and detection, CTU recommends the following steps to help protect your organization from this and future threats.
• Avoid clicking links in email messages...
• Disable AutoRun...
• Limit user privileges...
• Secure WMI...
• Update host and gateway antivirus product signatures...
• Think twice before allowing your web browser to remember your passwords for you..."

- http://pandalabs.pandasecurity.com/here-you-have-worm-linked-to-electronic-jihadists/
Sep 10

- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=227400137
Sept. 10, 2010

- http://ddanchev.blogspot.com/2010/09/summarizing-3-years-of-research-into.html
September 11, 2010

- http://www.computerworld.com/s/article/9184818/Anti_US_hacker_takes_credit_for_Here_you_have_worm
September 12, 2010

- http://www.theregister.co.uk/2010/09/13/hacker_claims_credit_for_here_you_have_worm/
13 September 2010

- http://www.symantec.com/security_response/writeup.jsp?docid=2010-082013-3322-99&tabid=2

Flood of phishing sites

FYI...

Flood of phishing sites...
- http://news.cnet.com/8301-27080_3-20016026-245.html
September 10, 2010 - "... Cybercriminals are cranking out fake Web sites branded as eBay, banks, and other financial companies to the tune of tens of thousands every week, according to new research. During a three-month study of its global malware database, Panda Security found on average 57,000 new Web sites created each week with the aim of exploiting a brand name in order to steal information that can be used to drain peoples' bank accounts. About 80 percent of those were phishing sites designed to trick people into entering their login credentials or other information on what they believed to be a legitimate bank or other Web site... America, PayPal, Internal Revenue Service, and Bendigo Bank (Australia). For the phishers, banks were obviously the most popular choice to mimic, at 65 percent of the total, followed by online stores and auction sites, investment funds and stockbrokers, government organizations and payment platforms..."
- http://i.i.com.com/cnwk.1d/i/tim//2010/09/09/PandaLabsFakeSites_610x347.png

Money-mule fakes...
- http://krebsonsecurity.com/2010/09/a-one-stop-money-mule-fraud-shop/
September 13th, 2010

More malware 4 U today...

FYI...

More malware 4 U today...

- http://www.pcworld.com/article/205338/google_exec_instant_why_worry.html
13 Sep 2010 - "... gives SEOs more opportunities to apply their expertise than ever before..."

- http://www.symantec.com/connect/blogs/hydraq-aurora-attackers-back
13 Sep 2010 - "... we were quite certain that the gang behind Trojan.Hydraq hadn't gone away. It looks like they are back..."

- http://community.websense.com/blogs/securitylabs/archive/2010/09/13/malicious-pdf-challenges.aspx
13 Sep 2010 - "... PDF obfuscation that we have recently seen in a mass injection..."

Recent SPAM / fakes ...

FYI...

Recent SPAM / fakes ...
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Threat Outbreak Alert: Fake Fax Notification E-mail Messages...
September 14, 2010
Threat Outbreak Alert: Fake Craigslist Ticket E-mail Messages...
September 14, 2010
Threat Outbreak Alert: Fake Online Poker Winner Notification E-mail Messages...
Updated! September 13, 2010
Threat Outbreak Alert: Fake Trojan Analysis E-mail Messages...
September 13, 2010
Threat Outbreak Alert: Fake Western Union Money Transfer Notification E-Mail Messages...
September 13, 2010
Threat Outbreak Alert: Fake iToken Update E-mail Messages...
Updated! September 11, 2010 ...

- http://sunbeltblog.blogspot.com/2010/09/letting-texas-holdem-chips-fall-where.html
September 15, 2010 - "... another Facebook scam... adware-infected games and job search help..."

Zeus malicious email msgs...

FYI...

Zeus malicious email msgs...
- http://community.websense.com/blogs...-quot-labels-and-such-quot-leads-to-zeus.aspx
15 Sep 2010 - "Websense... has detected another wave of Zeus malicious email messages. This campaign is related to the familiar "pharma" spam messages that we see every day, with one exception. This campaign combines an HTML or ZIP attachment with a social engineering technique, similar to what we normally see in malicious email campaigns. For example, the message may state that $375 has been sent to a mail recipient's account, and include a link to view the transaction in the recipient's account. Opening the attachment results in a compromised user machine via an obfuscated JavaScript in the attached HTML file. So far, we have seen this type of email with subjects like "Labels and such" and "Greetings from Rivermark Bill Payer!"... In the case of an HTML attachment, criminals use obfuscated JavaScript. Content is encrypted with a commercially available HTML obfuscation tool... For email messages that have ZIP attachments, the ZIP file has coverage in VirusTotal - 5/43*. The "label.zip" file contains "label.exe" which is a copy of Zeus. The malware copies itself to "C:\Documents and Settings\user\Application Data\Ewca\refef.exe" and tries to access two sites located in the .ru zone..."
(There is a more up-to-date report (12/43) for this file.)
* http://www.virustotal.com/file-scan...68dfaaed4cba9d9931b16a8f7516237303-1284603849
File name: e7023277449d3df3ed1af4ff757b1f7e
Submission date: 2010-09-16 02:24:09 (UTC)
Result: 12/43 (27.9%)

Zeus: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1431252,00.html
"... Because a Trojan built with a Zeus toolkit is so adaptable, variations of Zeus Trojans are often missed by anti-virus software applications. According to a report by security vendor Trusteer, 77% of the PCs infected with Zeus Trojans have up-to-date anti-virus software..."

Songlyrics.com compromised/injected...

FYI...

Songlyrics.com compromised/injected...
- http://community.websense.com/blogs/securitylabs/archive/2010/09/16/let-s-sing-malicious-song.aspx
16 Sep 2010 - "... Websense... has detected that the popular site Songlyrics.com (with approximately 200,000 daily page views and 2,000,000 unique visitors) is compromised and injected with obfuscated malicious code... Once a user accesses the main page of the song lyrics site, injected code redirects to an exploit site loaded with the Crimepack exploit kit. Attempted exploits result in a malicious binary (VT 39.5%*) file that's run on the victim's computer. Once infected, the machine becomes another zombie-bot in the wild... It appears that the majority of pages served by Songlyrics.com are compromised..."
(Screenshots and more detail available at the Websense URL above.)

(There is a more up-to-date report (21/43) for this file.)
* http://www.virustotal.com/file-scan...ba42820eed50e22636f4c4d1667391fb01-1284689796
File name: addeedd60b7be1fb234aceaf2eef824e
Submission date: 2010-09-17 02:16:36 (UTC)
Result: 21/43 (48.8%)
___

Facebook / Youtube - compromised webpages
- http://www.theinquirer.net/inquirer/news/1733750/facebook-701-compromised-webpages
Sep 17 2010 - "... AVG is warning users of social notworking services to be on their guard after its research uncovered the 20,000 odd compromised pages, 11,701 of which are on the world's largest social network, Facebook. The insecurity outfit also found that Youtube has 7,163 compromised pages..."
- http://www.avg.com/us-en/press-releases-news.tpl-mcr7.ndi-232491

Cutwail SPAM cocktail

FYI...

Cutwail SPAM cocktail
- http://labs.m86security.com/2010/09/cutwails-spam-cocktail/
September 21, 2010 - "... we have regularly observed spam campaigns where an HTML attachment contains obfuscated JavaScript redirect code. The Pushdo botnet’s spamming component, Cutwail, has been the culprit behind these types of malicious campaigns. Many different themes and subject lines have been used, such as the following:
America’s Got Talent
Apartment for rent
Shipping Notifications
Labels and such
Invoice for Floor Replacement
Delivery Status Notification (Failure)
Welcome Letter
NFL Picks Week 2
... and other random subjects including... one that uses celebrity names... The attached HTML source code is an obfuscated JavaScript... many variations... After de-obfuscating the JavaScript, we can see the payload which, depending on the sample, varies between redirecting to Fake AV landing pages, Canadian Pharmacy or to pages that host an exploit that attempts to install the Zeus Bot... At the same time, Cutwail is also emitting other malicious spam campaigns, but with ZIP attachments. Extracting the ZIP contains an executable none other than the Sasfis/Oficla Trojan. When we ran a sample, the Trojan was tasked to download a Fake AV downloader... Despite multiple attempts to take down Pushdo’s infrastructure, the gang behind this botnet are resilient... Pushdo’s spam volume has bounced back to levels similar to that before the takedown (representing about 10% of total spam), signifying that the gang’s business is back on track. So expect more malicious spam campaigns, exploits, and social engineering to come..."
(Screenshots available at the URL above.)

- http://blog.webroot.com/2010/09/22/malicious-html-mail-attachments-flood-inboxes/
September 22, 2010

Russian Pro-Spam Registrars

FYI...

Russian Pro-Spam Registrars
- http://labs.m86security.com/2010/09/russian-pro-spam-registrars/
September 22nd, 2010 - "Since CNNIC, China’s domain regulator, introduced stricter rules for domain registration at the end of last year, spammers have moved on to the Russian .ru TLD to register their spam domains. Similar rules that were apparently made effective on April 1st for Russian registrars do not seem to have had the same effect. Every day we see a continuous stream of newly registered .ru domains in spam email. In fact, in the last month one third of all unique domains we have seen in spam have been .ru domains. This is the highest proportion of any TLD, with .com the second highest accounting for just under one third of spammed domains. Nearly all of these .ru domains are registered through two registrars, Naunet and Reg.ru (also known as NAUNET-REG-RIPN and REGRU-REG-RIPN)... In the last month from spam alone we have seen over 4000 .ru domains registered through Naunet. These are hosting a variety of spam web sites including Ultimate replica, Dr Maxman, online casinos, Via grow and Eurosoft software. We have also seen over 1800 domains registered through Reg.ru in spam over the last month, all of which lead to Canadian pharmacy websites. Reg.ru actually has a feature to register up to 600 domains at once, pretty useful for a spammer... We have however seen domains registered with both of these registrars used as controllers for the Zeus crimeware kit. And recently, Naunet was used to register domains used as control servers for the Asprox botnet, although these were done on a much smaller scale than the spam domains. Several anti-spam groups have already pointed out these registrars as the source of Russian spam domains and that these registrars often ignore requests to suspend illegal domains. With domain blacklisting being a popular anti-spam measure, a continuous supply of fresh domains is vital for any spam operation. These sorts of registrars are making the business of spamming that much easier."

My Opera... malicious code

FYI...

My Opera Found To Host Malware
- http://threatpost.com/en_us/blogs/my-opera-found-host-malware-092410
September 24, 2010 - "... Less than a month after Google's Code hosting service was found to be hosting and serving malicious executables, a search of Opera Software's My Opera free hosting service has also turned up malicious programs, according to a researcher at Kaspersky Lab*. My Opera, a free online hosting service for users of the Opera Web browser, played host to a PHP based IRC botnet, according to a post by Dmitry Bestuzhev, a researcher at Kaspersky Lab. The bot appears to have originated in Brazil, based on an analysis of the code, though it's not clear who posted it to the My Opera hosting service or when, Bestuzhev said... he reported the malicious My.Opera .com URLs to Opera Software and that the company has removed them from its site... Like other free hosting services, My.Opera .com is an ideal resource for cyber criminals looking to host their wares on domains with legitimate reputations that are also easy to access..."
* http://www.securelist.com/en/blog/2303/Google_Mozilla_and_now_Opera_Whos_next

Orkut worm - hidden iFrame - malicious JavaScript file...

FYI...

Orkut worm - hidden iFrame - malicious JavaScript file...
- http://www.symantec.com/connect/blogs/mau-sabado-orkut-users
Sep. 28, 2010 - "Over the past weekend, it was reported that a new worm was spreading amongst the Orkut user community. As a result, some of the Scrapbooks in Orkut had a hidden iframe inserted, which points to a malicious JavaScript file. This JavaScript does several things including sending a message “Bom Sabado”, meaning Good Saturday in Portuguese, with a hidden iframe to everyone on the infected user’s list of friends. The infected Orkut user is also made to join fake communities. These actions will surely turn “Bom Sabado” to “Mau Sabado” (bad Saturday in Portuguese). Symantec Security Response detects this malicious JavaScript file as JS.Woorkut. At the end of the day, this worm doesn’t do much harm. If the attacker behind this mischief is maliciously motivated, the worm could potentially cause serious damage. We are quite sure this won’t be the last of this attack and are closely monitoring the situation. In the meantime make sure you keep your antivirus definitions up to date."

Facebook - flood of scams...

FYI...

Facebook - flood of scams...
- http://www.symantec.com/connect/blogs/social-network-flooded-scam-messages
Sep. 28, 2010 - "Facebook now has over 500 million registered users, which makes this social network (like many other social networks) a very attractive “fishing pool” for attackers. There are so many potential victims that could easily fall for any of the scattered bait. So, it does not come as a surprise that we see another scam campaign launched nearly every week... Always be wary of enticing messages, even when they appear on friends’ profiles. When you are asked to install additional applications or fill out premium surveys just to see a video or picture, it is most likely a scam and it should be fully ignored..."

ZeuS bypasses 2-factor authentication...

FYI...

ZeuS bypasses 2-factor authentication...
- http://blog.trendmicro.com/zeus-now-bypasses-two-factor-authentication/
Sep. 29 2010 - "... certain ZeuS/ZBOT variants are now able to break into users’ bank accounts in spite of two-factor authentication systems. These are frequently used to enhance bank security. These ZeuS variants can specifically use mobile malware to defeat systems that rely on text messages sent via mobile phones on Symbian OS's. The technique behind these attacks is simple. A ZBOT variant modifies target bank sites in such a way that whenever the bank asks for an authentication code to be sent to the mobile phone or not, the user is prompted to enter that phone’s number first. The user then receives a text message containing a link to a rogue Symbian application. This piece of mobile malware, once installed, intercepts all text messages from the specific senders (e.g., banks) and forwards them to a separate number under the control of the attacker. Because the attacker has both the victim’s user name, password, and any authentication code sent over the mobile phone, he/she can conduct malicious business as if the two-factor authentication never took place. While two-factor authentication is definitely a good thing in terms of security, this attack is a reminder that it is not a cure-all that protects against all forms of information theft..."

- http://blog.fortinet.com/zeus-in-th...-bankings-two-factor-authentication-defeated/
Sep 27, 2010

- http://www.securityweek.com/zeus-goes-mobile-targets-online-banking-two-factor-authentication
Sep 27, 2010

- http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-iii.html
Sep 25, 2010

LinkedIn SPAM campaigns continue...

FYI...

LinkedIn SPAM campaigns continue...
- http://labs.m86security.com/2010/09/malicious-linkedin-campaigns-continue/
September 30, 2010 - "The malicious LinkedIn spam campaigns of the last few days are continuing in force. The source is the Pushdo botnet, which is back in full force following disruption to its operations last month. The campaigns mimic a LinkedIn update notification... The malicious web page displays code that includes an iframe that loads the Phoenix exploit kit, which attempts to exploit the victim’s browser... And, just in case the auto-exploit doesn’t work, the user is prompted to manually download flash_player_07.78.exe, which is none other than the Zeus (Zbot) data stealing trojan... This campaign is slicker than normal. The LinkedIn email and the Flash Player download image look convincing, signifying that these cybercriminals have taken it up a notch. Going by the number of URL hits we intercepted with our TRACEnet system, some users are falling for it too. Don’t be one of them."
(Screenshots available at the URL above.)

- http://krebsonsecurity.com/2010/09/fake-linkedin-invite-leads-to-zeus-trojan/
Sept 28, 2010
- http://www.virustotal.com/file-scan...61114bec79ae48564b27724b0613407e65-1285599788
File name: 655823
Submission date: 2010-09-27 15:03:08 (UTC)
Result: 4/43 (9.3%)
[There is a more up-to-date report (29/43) for this file.]
- http://www.virustotal.com/file-scan...61114bec79ae48564b27724b0613407e65-1285857284
File name: ZeuS_binary_4f56196d437be7e1bfecefb92b83872d.exe
Submission date: 2010-09-30 14:34:44 (UTC)
Result: 29/43 (67.4%)

Zeus thieves charged ...

FYI...

Zeus thieves charged ...
Feds accuse 37 of being Zeus 'money mules'...
- http://www.theregister.co.uk/2010/09/30/zeus_money_mules_charged/
30 September 2010 - "Federal prosecutors in New York City have charged 37 people with participating in a scheme that defrauded banks out of millions of dollars using the Zeus Trojan. Many of the charges were filed against Russian nationals accused of opening bank accounts to launder money transferred from people who had been infected by the crimeware. The so-called money mules allegedly kept a small percentage and wired the remainder to associates in Eastern Europe. The charges were unsealed on Thursday, a day after UK prosecutors filed charges against 11 alleged Zeus money mules* from Eastern Europe..."
* http://www.theregister.co.uk/2010/09/30/zeus_e_crime_charges/

- http://krebsonsecurity.com/2010/09/u-s-charges-37-alleged-money-mules/
Sept 30, 2010 - "... charged more than 60 individuals — and arrested 20..."
- http://www.fbi.gov/wanted/alert/newyork2.htm

- http://www.theinquirer.net/inquirer/news/1736699/more-arrests-zeus-botnot-crimes
Oct 01 2010 - "Over 80 arrested ... 55 people have already been charged and a further 37 people have been indicted for a raft of fraud and money laundering charges..."

- http://www.theregister.co.uk/2010/10/01/zeus_kingpin_arrest/
1 October 2010 - "Ukrainian police on Thursday arrested five people suspected of orchestrating an international fraud ring that siphoned more than $70m out of bank accounts by infecting computers with the Zeus trojan. The action by Ukraine's SBU was part of an unprecedented partnership among law enforcement agencies in the US, the UK, the Netherlands, and Ukraine, the FBI said in a press release* issued on Friday..."
* http://www.fbi.gov/pressrel/pressrel10/tridentbreach100110.htm

- http://www.fbi.gov/page2/oct10/cyber_100110.html

ZeuS trojan still a threat...

FYI...

ZeuS trojan still a threat...
- http://www.pcworld.com/article/206841/despite_busts_zeus_trojan_still_threatens.html
Oct 3, 2010 - "Despite high-profile busts in the U.S., U.K. and Ukraine of cybercriminals using ZeuS malware to steal from online accounts, ZeuS will evolve and remain an effective theft tool for a long time... It's available; it's affordable; it works; its toolkit makes modifying it simple. And the core people who do the major development work have managed to elude capture, hiding behind layers of shifting command and control servers, ISPs, domain registrars and international borders... researchers recently discovered that a ZeuS add-on helps defeat attempts by banks to thwart access by thieves who have used ZeuS to steal usernames and passwords of online banking customers. After users log in, the banks send SMS messages to their cell phones containing one-time codes that the customers enter. This two-factor authentication makes it more difficult for criminals to break into accounts, but the developers of ZeuS found a way. A mobile ZeuS Trojan grabs the one-time code and sends it to a ZeuS command and control server where criminals can use it to break into accounts... The people behind ZeuS are good at hiding, says Manky. They use multiple ISPs, multiple command-and-control servers, multiple domains and base this infrastructure in multiple countries, all of which makes it difficult to trace their whereabouts. Compounding the problem, they frequently shift their infrastructure to new providers and new locations to start over... the flexibility of ZeuS makes it certain its attacks will keep coming..."

More Arrests...
- http://www.symantec.com/connect/de/blogs/zeus-explosion-leads-more-arrests
Oct 4, 2010

Charted - ZeuS infections
- http://www.symantec.com/connect/sites/default/files/images/Zbot infections.PNG
