
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #131
    AplusWebMaster (Adviser Team) - Join Date: Oct 2005, Location: USA, Posts: 6,881

    FYI...

    Zbot In Your Inbox
    - http://www.marshal8e6.com/trace/i/Zb...race.1005~.asp
    June 24, 2009 - "A password stealing Zbot (ZeuS bot) Trojan has been increasingly spammed throughout the previous two weeks. We believe the spam originates from the Pushdo botnet. The spam template varies from time to time, mostly using subject lines such as “You have received a Greeting ecard ”, “Statement request”, “Microsoft outlook update”, “Postal Tracking” and may come either as an attachment or a link in the message body... Zbot attempts to download a file named "djwl.bin". This file is an encrypted configuration file..."
    (Screenshots available at the URL above.)

    Also see: http://www.abuse.ch/?p=1192
    March 20, 2009

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #132
    AplusWebMaster (Adviser Team)

    FYI...

    SPAM runs exploit celebrity deaths
    - http://www.theregister.co.uk/2009/06...on_death_spam/
    26 June 2009 - "Spammers have wasted no time exploiting the shock death of Michael Jackson to run an email harvesting campaign. Security watchers warn that malware-laced email themed around the death of the King of Pop and Charlie's Angels star Farrah Fawcett, who also died on Thursday, are likely to follow..."

    - http://securitylabs.websense.com/con...erts/3426.aspx
    06.26.2009
    - http://www.virustotal.com/analisis/6...ce4-1246012313
    File michael_1_.gif received on 2009.06.26 10:31:53 (UTC)
    ...Result: 5/41 (12.20%)
    - http://www.virustotal.com/analisis/d...ff9-1246029869
    File Michael.Jackson.videos.scr received on 2009.06.26 15:24:29 (UTC)
    ...Result: 10/41 (24.39%)

    - http://www.sophos.com/blogs/sophoslabs//?p=5035
    June 26, 2009

    Last edited by AplusWebMaster; 2009-06-26 at 19:43. Reason: Added Websense, Virustotal links...

  3. #133
    AplusWebMaster (Adviser Team)

    FYI...

    MSN IM - Pushdo variant...
    - http://blog.trendmicro.com/msn-bot-p...acksons-death/
    June 26, 2009 - "... a slew of malicious links related to Michael Jackson’s last moments in the hospital before his death are now being proliferated in the wild via the instant messaging (IM) application, MSN... When recipients of such messages click on any of these links, they are then prompted to save a file named PIC-IMG029-www.hi5.com.exe (with the MD5 checksum of 031429fc14151f94c8651a3fb110c19b), instead of being led to an image site or gallery. Initial analysis shows that the said file is a variant of the SDBOT family...
    Update - 27 June 2009: The botnet is said to push the templated messages through an IRC to the client to be spammed... The malware responsible for this is detected as WORM_IRCBOT.GAT. It opens a certain port on the affected system then listens for remote commands. Kharouni reports that commands to download certain files are received and executed by the affected system, ultimately leading to the download of a PUSHDO variant. PUSHDO is a botnet responsible for a huge amount of spam activity..."

    (Screenshot available at the URL above.)


  4. #134
    AplusWebMaster (Adviser Team)

    FYI...

    More celebrity malware...
    - http://www.f-secure.com/weblog/archives/00001709.html
    June 29, 2009 - "There have been a couple of malware attacks that have tried to use the news coverage of the death of Michael Jackson as the lure to get people infected. Last night we saw this one: a file called Michael-www.google.com.exe. This file was distributed through a site called photos-google.com and possibly also through photo-msn.org, facebook-photo.net and orkut-images.com. Do not visit these sites. When executed, Michael-www.google.com.exe drops files called reptile.exe and winudp.exe. These are IRC bots with backdoor capability. The file also shows this fake error message..."
    (Screenshot available at the F-secure URL above.)

    - http://www.sophos.com/blogs/gc/g/200...-hits-inboxes/
    July 1, 2009 - "... we have encountered a mass-mailing worm that spams out messages with the following characteristics:
    Subject: Remembering Michael Jackson
    Attached file: Michael songs and pictures.zip
    The email, which claims to come from sarah @michaeljackson.com, says that the attached ZIP file contains secret songs and photos of Michael Jackson. Opening the attachment exposes you to infection - and if your computer is hit you will be spreading the worm onto other internet users. Besides spreading via email, the malware is also capable of spreading as an Autorun component on USB memory sticks (an increasingly common trend for malware as use of these devices has become more and more popular). Sophos detects the malware proactively as Mal/ZipMal-B and Mal/VB-AD, and recommends that users of other anti-virus products ensure that their defences are properly updated..."

    Last edited by AplusWebMaster; 2009-07-02 at 14:34.

  5. #135
    AplusWebMaster (Adviser Team)

    FYI...

    Torrentreactor site compromised
    - http://securitylabs.websense.com/con...erts/3430.aspx
    07.01.2009 - "Websense... has detected that Torrentreactor, one of the oldest and most reliable torrent search engines on the Web, has been compromised and injected with malicious code. The site has been injected with an IFrame leading to a site laden with exploits. The exploits on the payload site include Internet Explorer (MDAC) and Microsoft Office Snapshot Viewer, as well as Acrobat Reader and Adobe Shockwave. If the user's browser is successfully exploited, a malicious file is downloaded and run from the exploit site. The malicious file has an extremely low AV detection rate*. The file (MD5: 24bd24f8673e3985fc82edb00b24ba73) is a Trojan Downloader and connects to a Bot C&C server at IP 78.109.29.116. After connecting to the IP, the file downloads a Rootkit installer from the same IP..."
    * http://www.virustotal.com/analisis/0...2b7-1246425266
    File rncsys32.exe received on 2009.07.01 05:14:26 (UTC)
    Result: 2/41 (4.88%)

    - http://www.theregister.co.uk/2009/07...eactor_breach/
    1 July 2009 - "... The malicious file in the latest compromise communicates with a server at 78.109.29.116, an IP address that web searches suggest has ties to the Russian Business Network..."

    Last edited by AplusWebMaster; 2009-07-02 at 14:11.

  6. #136
    AplusWebMaster (Adviser Team)

    FYI...

    Click fraud trojan...
    - http://secureworks.com/research/thre...eat=ffsearcher
    June 26, 2009 - "While analyzing a slew of malware downloaded by the exploit kit used in the "Nine-Ball" web attacks, the SecureWorks Counter Threat Unit came across an interesting trojan that used a previously-unseen HTTP request pattern... After some time we came to the conclusion that the trojan was a search hijacker trojan used for click fraud. Click fraud trojans are as old as Internet advertising itself, and usually we see one of two types: browser hijackers that change one's start page and searches to redirect to a third-party search engine, or trojans that silently pull down a list of ad URLs and generate fake clicks on the ads in a hidden Internet Explorer window. This trojan however, was much more subtle and creative - in this case, every click on an ad is user-generated, and the user never notices any change in their web-surfing experience. We call this trojan search hijacker "FFSearcher", named after one of the websites used in this scheme. Detection of the dropper executable by anti-virus engines is poor at this time, with only 4 of 39 scanners* detecting it at all... As click-fraud trojans go, this is one of the more clever that we've seen, with an impressive feature set:
    1. Working code to hijack both Firefox and IE
    2. Difficult to spot by the average user
    3. Minimally impacting to the infected machine
    4. Probably difficult for fraud detection systems at the search engine sites to detect, since every ad-click that comes through is generated on purpose by a user in the course of normal web-surfing activity..."
    (Screenshots available at the Secureworks URL above.)
    * http://www.virustotal.com/analisis/1...c9b-1244830834
    File nkavnxe.exe received on 2009.06.12 18:20:34 (UTC)
    Result: 4/39 (10.26%)


  7. #137
    AplusWebMaster (Adviser Team)

    FYI...

    Happy 4th from Waledac...
    - http://securitylabs.websense.com/con...erts/3431.aspx
    07.03.2009 - "Websense... has detected yet another new Waledac campaign theme in the wild. The new variant uses an Independence Day theme as a social engineering mechanism. The USA celebrates Independence Day on July 4 each year. The malicious emails that are sent use subjects and content related to Independence Day, Fourth of July and fireworks shows. The malicious Web sites in the current attack also have a July 4 or fireworks theme within the domain name. ThreatSeeker has been monitoring the registration of these domains. Should the user click on the video, which is designed to appear to be a YouTube video, an .exe is offered. When downloaded the .exe would install the latest Waledac variant onto the user's machine..."
    (Screenshots available at the URL above.)

    - http://www.eset.com/threat-center/blog/?p=1244
    July 2, 2009
    - http://www.eset.com/threat-center/blog/?p=1250
    July 3, 2009

    Last edited by AplusWebMaster; 2009-07-04 at 07:17. Reason: Added ESET blog link...

  8. #138
    AplusWebMaster (Adviser Team)

    FYI...

    More on Waledac for the 4th...
    - http://blog.trendmicro.com/waledac-c...dence-day-too/
    July 4, 2009 - "... These messages contain links to a site which appears to be from Youtube... The video supposedly shows a fabulous fireworks show, but in reality attempting to play the video results in downloading a copy of WORM_WALEDAC.DU..."

    (Screenshot available at the URL above)


  9. #139
    AplusWebMaster (Adviser Team)

    FYI...

    Waledac July 4th update - New domains added
    - http://www.shadowserver.org/wiki/pmw...endar/20090704
    4 July 2009 - "... quick update on Waledac. We have been keeping an eye on it for a bit and it's been actively spamming and updating clients to Fake Antivirus products for the last few months. However, we also saw it start spamming itself out again starting yesterday. Actually saw a quick first post of the from sudosecure.net:
    http://www.sudosecure.net/archives/583
    No real need to have tons of duplicate write-ups and screen shots. You can get the same basic information from the site. It's the standard spam to a link involving a fake YouTube video that wants you to download an executable... We have updated our Waledac domain lists that you can use to block/track Waledac domains. The first URL is to the list that is updated with timestamps, ugly comments, and newest domains at the bottom:
    http://www.shadowserver.org/wiki/upl...ac_domains.txt
    We also have the all-time Waledac domain list that contains just the domain listing since the start. It currently has 244 domains on it and can be reached via the following URL:
    http://www.shadowserver.org/wiki/upl...ledac_list.txt
    These are domains you definitely want to avoid visiting and consider blocking where possible."

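Shadowserver's list is meant to be consumed by blocking or log-matching tooling. As an added illustration (not code from Shadowserver or from this thread), the Python below parses a constructed sample in the comment-and-timestamp style the post describes and matches it against constructed DNS query-log lines, flagging subdomains of listed domains as well; the list format, the BIND-style log format and the placeholder domains are all assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the style the post describes (assumed format): '#' comments and
# timestamps interleaved, one domain per line. Placeholder domains, not real indicators.
SAMPLE_DOMAIN_LIST = """\
# Waledac domains - constructed sample, not the real list
# 2009-07-03 new batch
fireworks-example-1.invalid
july4th-example.invalid
# 2009-07-04 more spam observed
  Fireworks-Video-Example.INVALID
"""

# Constructed DNS query-log lines (assumed BIND-style querylog format).
SAMPLE_DNS_LOG = """\
04-Jul-2009 10:02:11.123 client 10.0.0.21#51234: query: www.example.com IN A +
04-Jul-2009 10:03:45.456 client 10.0.0.42#51877: query: july4th-example.invalid IN A +
04-Jul-2009 10:04:02.789 client 10.0.0.42#51879: query: cdn.fireworks-video-example.invalid IN A +
04-Jul-2009 10:05:10.001 client 10.0.0.77#51900: query: mail.example.org IN MX +
"""

def parse_domain_list(text: str) -> Set[str]:
    """Return the listed domains, lower-cased, skipping comments and blank lines."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        blocked.add(line.lower().rstrip("."))
    return blocked

_QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")

def match_dns_log(log_text: str, blocked: Set[str]) -> List[Dict[str, str]]:
    """Flag queries whose name is a listed domain or a subdomain of one."""
    hits = []
    for line in log_text.splitlines():
        m = _QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        labels = qname.split(".")
        # Walk up the labels so cdn.listed.tld also matches a listed listed.tld.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in blocked:
                hits.append({"client": m.group("client"), "qname": qname, "matched": candidate})
                break
    return hits
```

Running `match_dns_log(SAMPLE_DNS_LOG, parse_domain_list(SAMPLE_DOMAIN_LIST))` on the constructed input flags the two queries from 10.0.0.42, the second via its subdomain.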

  10. #140
    AplusWebMaster (Adviser Team)

    FYI...

    Twitter suspends Koobface infected computers
    - http://blog.trendmicro.com/koobface-...tter-activity/
    July 9, 2009 - "... Koobface has increased its Twitter activity, sending out tweets with different URL links pointing to Koobface malware. This is in contrast with previous Koobface Twitter activity wherein only three TinyURLs pointing to Koobface were used. As of writing, there are a couple of hundred Twitter users affected by Koobface in the past few hours, but dozens more are being infected as we speak. We advise Twitter users to (not click on) URLs on tweets, especially if the tweet advertises a home video.
    Update: It seems this Koobface problem in Twitter is getting bigger and bigger, prompting Twitter itself to temporarily suspend* infected user accounts."
    * http://status.twitter.com/post/13878...malware-attack
    July 9, 2009 - "... If we suspend your account, we will send you an email notifying you of the suspension. This email also includes tips for removing the malware from your PC."

    - http://www.sophos.com/blogs/gc/g/200...koobface-worm/
    July 10, 2009

    Preview a TinyURL
    - http://tinyurl.com/preview.php
    "Don't want to be instantly redirected to a TinyURL and instead want to see where it's going before going to the site? Not a problem with our preview feature..."

    - http://www.threatpost.com/blogs/koob...ions-exploding
    July 6, 2009 - "In June, we saw an explosive rise in the number of Koobface modifications - the number of variants we detected jumped from 324 at the end of May to nearly 1000 by the end of June. And this weekend brought another flood, bringing us up to 1049 at the time of writing... Koobface spreads via major social networking sites like Facebook and MySpace. It's now spreading via Twitter as well... the pool of potential victims is growing day by day - just take a look at the Alexa stats* for Facebook. So naturally, cybercriminals are going to be targeting these sites more and more often."
    * http://www.alexa.com/siteinfo/facebook.com
    "... Percent of global Internet users who visit facebook.com:
    ... 7 day avg: 20.01% ..."

    Last edited by AplusWebMaster; 2009-07-24 at 16:26. Reason: Added Kaspersky blog link; TinyURL info/setting...
