
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #201
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Zeus campaign targeting gov't dept's...

    FYI...

    Zeus Campaign Targeted Government Departments
    - http://securitylabs.websense.com/con...?cmpid=slalert
    02.08.2010 - "Websense... has discovered a new Zeus campaign (a banking data stealing Trojan) which is now targeting government departments. Our research shows that the campaign has especially targeted workers from government and military departments in the UK and US: we found most victims' email addresses end with .gov... thousands of emails which pretend to be from the National Intelligence Council. The email subjects include:
    "National Intelligence Council"
    "RE: National Intelligence Council"
    "Report of the National Intelligence Council"
    The spoofed emails lure victims to download a document about the "2020 project"; this is actually a Zeus bot. The Web sites which host the bot look very trustworthy: one of them is a compromised organization Web site and the other is located on a popular file hosting service. The bot has rootkit capabilities and connects to C&C servers at update*snip* .com and pack*snip* .com to report back on a successful infection and to download some archives with DLLs; it also modifies the hosts file to prevent updates from popular anti-virus vendors... the anti-virus detection rate for this bot is currently at 26/40*."
    * http://www.virustotal.com/analisis/8...4c4-1265615954
    File 2020.exe_ received on 2010.02.08 07:59:14 (UTC)
    Result: 26/40 (65.00%)
    (Screenshots available at the Websense URL above.)

    - http://www.krebsonsecurity.com/2010/...s-gov-and-mil/
    February 6, 2010 - "... The scam e-mails may seem legitimate because the name of the booby-trapped file mimics a legitimate 2020 Project report*** published by the NIC, which has a stated goal of providing US policymakers “with a view of how the world developments could evolve, identifying opportunities and potentially negative developments that might warrant policy action.” Only 16 of the 39 anti-virus scanners used by Virustotal.com detect the file** as malicious, and those that do mostly label it as a variant of the Zeus/Zbot Trojan..."
    ** http://www.virustotal.com/analisis/3...610-1265331501
    File 2020.zip.txt received on 2010.02.05 00:58:21 (UTC)
    Result: 16/39 (41.03%)
    *** http://www.dni.gov/nic/NIC_2020_project.html

    - http://www.threatexpert.com/report.a...ecd4ba7054e138
    7 February 2010

    - http://www.m86security.com/labs/i/In...race.1233~.asp
    February 7, 2010 M86 Security - "... another Zeus campaign that we observed last week..."

    Last edited by AplusWebMaster; 2010-02-09 at 13:27.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
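The bot described above rewrites the hosts file so that anti-virus update servers no longer resolve. As an added example (not from the post or from Websense), this Python audit flags watched vendor hostnames that a hosts file pins to loopback, unspecified or private addresses; the vendor host list and the sample hosts file are constructed for illustration.

```python
"""Audit a hosts file for entries that hijack anti-virus update domains."""
import ipaddress

# Constructed watch-list of hostnames a defender expects to resolve normally.
# Assumption: a real deployment would load the vendors' published host lists.
AV_UPDATE_HOSTS = {
    "update.symantec.com",
    "liveupdate.symantecliveupdate.com",
    "update.nai.com",
    "downloads.kaspersky.com",
    "www.virustotal.com",
}

# Address ranges that can never be a legitimate vendor update server.
_BOGUS_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/8", "::1/128")]


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def suspicious_entries(text, watch=AV_UPDATE_HOSTS):
    """Return watched hosts pinned to a bogus address, as (host, ip) pairs."""
    hits = []
    for ip, name in parse_hosts(text):
        if name not in watch:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((name, ip))          # unparseable address: still a hijack
            continue
        if any(addr in net for net in _BOGUS_NETS) or addr.is_private:
            hits.append((name, ip))
    return hits


# Constructed sample: a normal localhost line plus two hijacked vendor hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.symantec.com   # injected by the bot
0.0.0.0         downloads.kaspersky.com
93.184.216.34   www.example.com
"""

if __name__ == "__main__":
    for host, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"hijacked: {host} -> {ip}")
```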

  2. #202
    Adviser Team AplusWebMaster

    Zeus targeted attacks continue...

    FYI...

    Zeus targeted attacks continue
    - http://securitylabs.websense.com/con...rts/3550.aspx?
    02.11.2010 - "Websense... has discovered a follow-up attack on the Zeus campaign targeting government departments. Its research shows that once again the campaign is targeting workers from government and military departments globally... The Websense ThreatSeeker Network has seen thousands of emails pretending to be from a reputable figure within the Central Intelligence Agency... The email subject is:
    "Russian spear phishing attack against .mil and .gov employees"...
    The spoofed emails capitalize on the last Zeus attack, and claim that installing the Windows update via the links provided will aid protection against Zeus attacks. The binary file downloaded from these links is identified as a Zeus bot and holds a 35% AV detection rate*. Once again URLs in the email messages lead to a malicious file hosted on a compromised host, and also on a popular file hosting service. Once installed, the bot has identical functionality to the one mentioned in the previous alert. After the Zeus Rootkit component is installed the C&C server at update[removed].com is contacted to download an encrypted configuration file. Another data stealing component gets downloaded and installed from the same C&C in the shape of a Win32 Perl script compiled with Perl2Exe - this data-stealing component has only a 5% AV detection rate**. Then the bot starts to connect with a credential-based FTP server at pack[removed].com to upload stolen data. The Zeus bot is normally designed to steal banking credentials; however it has also been seen in targeted attacks to steal other sensitive data..."
    * http://www.virustotal.com/analisis/6...476-1265856371
    File KB823988.exe received on 2010.02.11 02:46:11 (UTC)
    Result: 14/41 (34.15%)
    ** http://www.virustotal.com/analisis/1...723-1265905508
    File stat.exe received on 2010.02.11 16:25:08 (UTC)
    Result: 2/41 (4.88%)

    (Screenshots available at the Websense URL above.)


  3. #203
    Adviser Team AplusWebMaster

    Spammers already using Google Buzz

    FYI...

    Spammers already using Google Buzz
    - http://securitylabs.websense.com/con...rts/3551.aspx?
    02.11.2010 - "... Today we saw the first spam using Google Buzz to spread a message about smoking... The spammer is already following 237 people, and we can only imagine that he or she has sent similar messages to all of them. This particular message leads to a site hosted on a free Web hosting service talking about how to quit smoking. When Twitter was launched, it took a while before it was used to send spam and other malicious messages. In this case, it only took two days. It's clear that the bad guys have learned from their experience using social networks to distribute these types of messages. We hope that Google is geared up for dealing with the volume of spam it's bound to see on the new service. Until then, we advise users to be careful, as usual, when clicking on unknown links."
    (Screenshot available at the URL above.)

    The Buzz is getting LOUDER
    - http://www.sophos.com/blogs/sophoslabs/post/8641
    February 11, 2010

    - http://www.eset.com/threat-center/bl...-gmail-spyware
    February 12, 2010 - "... If you have a Gmail account and don’t want to broadcast to the world who you chat with and email the most, then when you log into Gmail, immediately scroll to the bottom of the page and turn off Buzz..."

    Last edited by AplusWebMaster; 2010-02-14 at 18:35.

  4. #204
    Adviser Team AplusWebMaster

    Dear taxpayer – don’t

    FYI...

    Dear taxpayer – don’t
    - http://sunbeltblog.blogspot.com/2010...yer-dont.html?
    February 11, 2010 - "‘Tis the season for Zbot spam."

    (Screenshot available at the URL above.)


  5. #205
    Adviser Team AplusWebMaster

    IRS themed Zeus exploits...

    FYI...

    IRS themed Zeus exploits...
    - http://ddanchev.blogspot.com/2010/02...ient-side.html
    February 15, 2010 - "As anticipated, the botnet masters behind the systematically rotated campaigns dissected in previous posts, kick off the week with multiple campaigns parked on the newly introduced fast-fluxed domains. In a typical multitasking fashion, two campaigns are currently active on different subdomains introduced at the typosquatted fast-flux ones, impersonating the U.S. IRS with "Unreported/Underreported Income (Fraud Application) theme", as well as a variation of the already profiled PhotoArchive campaign, using a well known "You don't have the latest version of Macromedia Flash Player" error message... researchers from M86 Security* gained access to the web malware exploitation kit..."
    (More detail at the URL above.)

    * http://www.m86security.com/trace/tra...p?article=1233
    February 7, 2010 - "... It has been up and running and serving exploits for nearly a day. In this time almost 40,000 unique users have been exposed to these exploits, and the Zeus file has been downloaded over 5000 times..."


  6. #206
    Adviser Team AplusWebMaster

    The Wizard of Buzz

    FYI...

    The Wizard of Buzz
    - http://securitylabs.websense.com/con...logs/3553.aspx
    02.16.2010 - "Buzz is just a new wizard in the kingdom of Google. However, it is not hard to foresee through the crystal ball that Dorothy's journey along the yellow brick road will be full of constant attacks from the Witch of malware and her spamming monkeys. The biggest problem with Google Buzz is privacy. You can read lots of blogs and articles on this already, and this blog does not intend to examine this subject. It's enough to know that with Buzz, it is too easy to follow and read other people's messages... What is worrying for us is that it's now much easier to spread spam and malicious messages than before, thanks to this super-network. Google has reacted to these issues quickly and has changed the default settings of its social network. Unfortunately there is no change for existing users, so if you have already subscribed, you still need to tweak the settings for yourself to make it secure..."

    - http://www.eset.com/threat-center/bl...-gmail-spyware
    February 12, 2010 - "... If you have a Gmail account and don’t want to broadcast to the world who you chat with and email the most, then when you log into Gmail, immediately scroll to the bottom of the page and turn off Buzz..."

    - http://www.pcworld.com/article/18938...evil_twin.html

    - http://www.f-secure.com/weblog/archives/00001886.html
    February 18, 2010 - "... You don't get to use free services and expect to get absolute privacy. Either you offer up some of your information for enhanced services, or you don't. Remember, Google isn't your friend. It's a business..."

    Last edited by AplusWebMaster; 2010-02-19 at 18:40.

  7. #207
    Adviser Team AplusWebMaster

    Zeus dubbed 'Kneber'...

    FYI...

    Symantec ThreatCon...
    - http://www.changedetection.com/log/s...learn_log.html
    ... changes: 2010-02-19 05:28 "... Symantec is aware of several reports of a strain of Zeus dubbed 'Kneber'. The Zeus exploit toolkit is often used in campaigns that have no specific target. The goal is often to infect as many systems as possible. This strain is reported to harvest personal information from the victim that attackers can use for financial gain. Customers are advised to ensure that antivirus products are up to date. Symantec detects this threat as Trojan.Zbot.
    Trojan.Zbot
    http://securityresponse.symantec.com...011016-3514-99
    Zeus Toolkits...
    > http://www.symantec.com/connect/blog...eware-toolkits
    August 25, 2009

    - http://blog.threatfire.com/2010/02/a...ed-kneber.html
    February 18, 2010

    - http://www.netwitness.com/resources/...feb182010.aspx
    February 18, 2010

    - http://www.f-secure.com/weblog/archives/00001887.html
    February 19, 2010

    - http://www.krebsonsecurity.com/2010/...own-as-botnet/
    February 19, 2010

    Last edited by AplusWebMaster; 2010-02-21 at 14:24.

  8. #208
    Adviser Team AplusWebMaster

    Zeus exploit svr morphs in the Wild

    FYI...

    Zeus exploit svr morphs in the Wild...
    - http://ddanchev.blogspot.com/2010/02...ient-side.html
    UPDATED: Saturday, February 20, 2010 - "The client-side exploit serving iFrame directory has been changed to 91.201.196.101 /usasp11/in.php, with another typosquatted portfolio of domains currently being spamvertised.

    Detection rates: update.exe - Trojan.Zbot - Result: 25/40 (62.5%) (phones back to trollar.ru /cnf/trl.jpg - 109.95.114.133 - Email: bernardo_pr @inbox .ru ); file.exe - Trojan.Spy.ZBot.12544.1 - Result: 26/41 (63.42%); ie.js - JS:CVE-2008-0015-G - Result: 14/40 (35%); ie2.js - Exploit:JS/CVE-2008-0015 - Result: 17/40 (42.5%); nowTrue.swf - Trojan.SWF.Dropper.E - Result: 24/41 (58.54%); pdf.pdf - Exploit.JS.Pdfka.bln - Result: 11/41 (26.83%); swf.swf - SWF/Exploit.Agent.BS - Result: 8/40 (20%)..."

    (More detail at the ddanchev URL above.)

    Last edited by AplusWebMaster; 2010-02-21 at 01:24.

  9. #209
    Adviser Team AplusWebMaster

    Twitter Worm making the rounds

    FYI...

    New Twitter Worm making the rounds
    - http://blog.trendmicro.com/twitter-worm/
    Feb. 24, 2010 - "A new Twitter worm is making the rounds. If you receive a direct message from a “friend” that contains the following message:
    “This you????”
    It is likely malicious. Clicking the link, http: //twitter.login.{BLOCKED}home.org/login/, will -redirect- you to a sub page of the said domain. You will then be prompted to log in to your Twitter account... Once you log in, your credentials will be stolen and all of your followers will receive a direct message from you with a link to the same site, allowing the worm to further propagate. Doubtlessly, at some point in the future, the cybercriminals behind this attack will use the same stolen credentials to send out other malicious content from a huge number of compromised Twitter accounts. So remember, think before you click!..."

    (Screenshots available at the URL above.)

    - http://www.f-secure.com/weblog/archives/00001893.html
    February 25, 2010 - "... phrases such as "This you??" or "LOL is this you" are linking victims towards a Twitter login phishing page. If the bait is taken and the victim enters their password, Twitter's infamous "fail whale" is displayed and the user is returned to their account. They might not even realize that their account details have been compromised..."

    - http://sunbeltblog.blogspot.com/2010...es-thanks.html
    February 25, 2010

    Last edited by AplusWebMaster; 2010-02-25 at 23:57.
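The worm's lure above puts the trusted name in a subdomain of an unrelated registered domain (twitter.login.{BLOCKED}home.org). As an added example (not from Trend Micro, F-Secure or the post), this Python check extracts the registrable domain of a URL and flags brand names that appear only in the subdomain labels; the brand list and sample URLs are constructed, and the registrable domain is approximated as the last two labels (assumption: no public-suffix list is consulted).

```python
"""Flag login URLs whose hostname impersonates a brand via subdomains."""
from urllib.parse import urlsplit

# Constructed: brands and the registrable domains that legitimately serve them.
BRAND_DOMAINS = {
    "twitter": {"twitter.com"},
    "gmail": {"google.com", "gmail.com"},
}


def registrable_domain(host):
    """Simplified eTLD+1: the last two DNS labels (assumption, see lead-in)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def impersonated_brand(url):
    """Return the brand a URL spoofs through its hostname, or None."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    # Labels to the left of the registrable domain, e.g. ["twitter", "login"].
    sub_labels = host.lower().strip(".").split(".")[:-2]
    for brand, legit in BRAND_DOMAINS.items():
        if reg in legit:
            continue                      # the genuine site is not a spoof
        if any(brand in label for label in sub_labels):
            return brand
    return None


# Constructed URLs; the third mirrors the worm's pattern with a placeholder
# standing in for the blocked domain.
SAMPLES = [
    "https://twitter.com/login",
    "https://api.twitter.com/1/statuses",
    "http://twitter.login.example-home.org/login/",
    "http://mail.example.net/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u} -> {impersonated_brand(u)}")
```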

  10. #210
    Adviser Team AplusWebMaster

    More-Zeus-client-side-exploits-serving-iFrame ...in the Wild...

    FYI...

    More-Zeus-client-side-exploits-serving-iFrame ...in the Wild...
    - http://ddanchev.blogspot.com/2010/02...ient-side.html
    SECOND UPDATE for Wednesday, February 24, 2010 - "Another portfolio of new domains is being spamvertised, using the old PhotoArchive theme. The client-side exploits serving iFrame directory has been changed to 91.201.196.101 /usasp33/in.php currently serving CVE-2007-5659; CVE-2008-2992; CVE-2008-0015; CVE-2009-0927 and CVE-2009-4324.
    Sample detection rates: update.exe - Trojan-Spy.Win32.Zbot.gen - Result: 10/42 (23.81%); file.exe - Trojan-Spy.Win32.Zbot.gen - Result: 10/42 (23.81%). Samples phone back to the same C&C where samples from previous campaigns were also phoning back to - trollar.ru /cnf/trl.jpg..."

    (More detail at the URL above.)

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2007-5659
    "... Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file..."
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-2992
    "... Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file..."
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-0015
    "... MS09-032... MS09-037..."
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0927
    "... Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code..."
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-4324
    "... Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code..."

    - http://blog.trendmicro.com/whats-the-juice-on-zeus/
    Mar. 4, 2010 - "... ZeuS has been entrenched in the cybercriminal business for a long time now and has continuously evolved and improved. Given the vast number of toolkit versions readily available in the underground, the features ZeuS possesses to thwart both antivirus and other security solutions, as well as efforts by the security industry, ZeuS will continue to be used by cybercriminals to steal personal information and even people’s identities..."

    Last edited by AplusWebMaster; 2010-03-06 at 15:47.
