
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #471
    AplusWebMaster (Adviser Team) | Join Date: Oct 2005 | Location: USA | Posts: 6,881

    Mass compromise ongoing, spreads fake antivirus

    FYI...

    Mass compromise ongoing, spreads fake antivirus
    - http://blog.armorize.com/2011/08/k98...irus-mass.html
    8.17.2011 - "On August 14, we started to see mass compromise of websites to inject malicious iframes that spread fake antivirus malware. The attack is ongoing... We estimate at least 22,400 unique DOMAINS. The attackers' first attempt was not successful and therefore google indexed more than 536,000 infected pages. However, since then the attackers have fixed the injected pattern and therefore the injected script is executed rather than displayed. Google therefore does not index infected websites any longer...
    4. Browser Exploitation: Drive-by download script served by a modified version of the BlackHole exploit pack.
    5. Malware: Fake antivirus, different names in different OS: "XP Security 2012" under Windows XP, "Vista Antivirus 2012" under Windows Vista, and "Win 7 Antivirus 2012" under Windows 7.
    6. Injection method: Primarily via stolen FTP credentials, and then use automated program to FTP, retrieve files, inject iframe, and upload back. FTP credentials are stolen from personal Windows computers that have been infected with malware. Malware searches stored password files of FTP clients and also sniffs the FTP traffic. Stolen credentials are sent back to the attackers.
    7. Malicious domains and IPs... (shown/listed at the armorize.com URL above.)
    8. Antivirus detection rate: Currently 5 out of 43 on VirusTotal*..."
    * https://www.virustotal.com/file-scan...061-1313382824
    File name: contacts.exe_
    Submission date: 2011-08-15 04:33:44 (UTC)
    Result: 5/43 (11.6%)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
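    A defender-side check for the injection pattern described in the post above, added here as an example and not part of the original post or the Armorize write-up: it parses a site's pages, flags 1x1 or invisible iframes, and separately flags the HTML-escaped variant that the post says was displayed rather than executed. The sample pages and the example.invalid host are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (not from the Armorize write-up). about.html carries
# a working hidden iframe; news.html carries the HTML-escaped variant that is
# displayed as text instead of executed, like the attackers' first attempt.
SAMPLE_PAGES = {
    "index.html": "<html><body><h1>Welcome</h1><p>Hello</p></body></html>",
    "about.html": ('<html><body><p>About us</p>'
                   '<iframe src="http://example.invalid/count.php" '
                   'width="1" height="1" style="visibility: hidden"></iframe>'
                   '</body></html>'),
    "news.html": ('<html><body>&lt;iframe src="http://example.invalid/x.php" '
                  'width=1 height=1&gt;&lt;/iframe&gt;</body></html>'),
}

ESCAPED_IFRAME = re.compile(r"&lt;\s*iframe\b", re.IGNORECASE)

class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag names
            self.iframes.append(dict(attrs))

def _is_hidden(attrs):
    """True for 0/1-pixel or invisible iframes, which have no honest use."""
    def tiny(value):
        m = re.match(r"\s*(\d+)", value or "")
        return m is not None and int(m.group(1)) <= 1
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (tiny(attrs.get("width")) and tiny(attrs.get("height"))) \
        or "display:none" in style or "visibility:hidden" in style

def scan_page(html):
    """Return findings for one page as (kind, src) tuples; [] means clean."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = [("hidden-iframe", a.get("src") or "")
                for a in collector.iframes if _is_hidden(a)]
    if ESCAPED_IFRAME.search(html):  # escaped tag shows up as page text
        findings.append(("escaped-iframe-text", ""))
    return findings

def scan_site(pages):
    """Map filename -> findings, keeping only pages that have any."""
    scanned = ((name, scan_page(html)) for name, html in pages.items())
    return {name: found for name, found in scanned if found}
```

    Run over a real web root, the same scan should be repeated after every FTP upload, since the post attributes the injections to stolen FTP credentials rather than a server-side flaw.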

  2. #472
    AplusWebMaster (Adviser Team)

    Google report - 4 years of experience in malware detection

    FYI...

    Google report - 4 years of experience in malware detection
    - http://h-online.com/-1325798
    18 August 2011 - "Google has announced* the publication of a technical report entitled "Trends in Circumventing Web-Malware Detection". This report describes the results of analysing four years of data – from 160 million web pages hosted on approximately eight million sites – collected through the company's Safe Browsing initiative. The report comments that "Like other service providers, we are engaged in an arms race with malware distributors", and that each day Google issues around three million malware warnings to over four hundred million users that use browsers supporting the Safe Browsing API. The report looks into the four most commonly employed methods for detecting malware: virtual machine client honeypots, browser emulator client honeypots, classification based on domain reputation, and anti-virus engines and trends in how well they work in practice..."
    * http://googleonlinesecurity.blogspot...b-malware.html

    See also:
    - http://h-online.com/-1155534

    - http://h-online.com/-986087
    ___

    - http://www.darkreading.com/taxonomy/...e/id/231500264
    Aug 18, 2011

    Last edited by AplusWebMaster; 2011-08-19 at 14:09.

  3. #473
    AplusWebMaster (Adviser Team)

    SPAM - Virus outbreak in progress - 2011.08.20

    FYI...

    SPAM - Virus Outbreak In Progress
    - http://www.ironport.com/toc/
    August 20, 2011

    - http://tools.cisco.com/security/cent...o=1&sortType=d

    Fake Security Update Notification E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23971
    Malicious Images Attachment E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23970
    Fake Personal Photo Attachment E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23881
    August 19, 2011
    ___

    Malware-laden spam jumps to 24 percent of all spam this week
    - http://www.darkreading.com/taxonomy/...e/id/231500190
    Aug 18, 2011

    - http://labs.m86security.com/2011/08/...alicious-spam/
    August 16, 2011 - "... The majority of the malicious spam comes from the Cutwail botnet, although Festi and Asprox are among the other contributors..."
    - http://labs.m86security.com/wp-conte...dmalware31.png

    Last edited by AplusWebMaster; 2011-08-23 at 15:20.

  4. #474
    AplusWebMaster (Adviser Team)

    SPAM - Virus Outbreak In Progress - 2011.08.23

    FYI...

    SPAM - Virus Outbreak In Progress
    - http://www.ironport.com/toc/
    Updated: August 26, 2011

    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Facebook Photo Notification E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23974
    Fake Traffic Violation Ticket E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23982
    Malicious Changelog Attachment E-mail Msgs...
    - http://tools.cisco.com/security/cent...?alertId=23588
    ___

    m86 Spam Volume Index
    - https://www.m86security.com/images/t...6-SVI_time.gif
    "... representative sample of the honeypot domains that we monitor."

    Last edited by AplusWebMaster; 2011-08-26 at 15:03.

  5. #475
    AplusWebMaster (Adviser Team)

    RSA hack file found ...

    FYI...

    RSA hack file found...
    - http://www.f-secure.com/weblog/archives/00002226.html
    August 26, 2011 - "... the hackers broke into RSA with a targeted email attack. They planted a backdoor and eventually were able to gain access to SecurID information that enabled them to go back to their original targets and successfully break into there... we knew that the attack was launched with a targeted email to EMC employees (EMC owns RSA), and that the email contained an attachment called "2011 Recruitment plan.xls". RSA disclosed this information in their blog post... we had the original email. Turns out somebody (most likely an EMC/RSA employee) had uploaded the email and attachment to the Virustotal online scanning service on 19th of March. And, as stated in the Virustotal terms, the uploaded files will be shared to relevant parties in the anti-malware and security industry. So, we all had the file already. We just didn't know we did, and we couldn't find it amongst the millions of other samples... It was an email that was spoofed to look like it was coming from recruiting website Beyond.com. It had the subject "2011 Recruitment plan" and one line of content:
    "I forward this file to you for review. Please open and view it".
    The message** was sent to one EMC employee and cc'd to three others... The embedded flash object shows up as a [X] symbol in the spreadsheet. The Flash object is executed by Excel (why the heck does Excel support embedded Flash is a great question). Flash object then uses the CVE-2011-0609*** vulnerability to execute code and to drop a Poison Ivy backdoor to the system. The exploit code then closes Excel and the infection is over. After this, Poison Ivy connects back to its server at good.mincesur .com. The domain mincesur .com has been used in similar espionage attacks over an extended period of time... Once the connection is made, the attacker has full remote access to the infected workstation. Even worse, it has full access to network drives that the user can access. Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for. The attack email does not look too complicated. In fact, it's very simple. However, the exploit -inside- Excel was a zero-day at the time and RSA could not have protected against it by patching their systems..."
    * http://blogs.rsa.com/rivner/anatomy-of-an-attack/

    ** http://www.f-secure.com/weblog/archives/sra2011_1.png

    *** http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-0609
    Last revised: 04/21/2011
    CVSS v2 Base Score: 9.3 (HIGH)
    (-before- Flash Player 10.2.153.1 - see:
    - https://www.adobe.com/support/securi...apsa11-01.html March 14, 2011)


  6. #476
    AplusWebMaster (Adviser Team)

    Apple iCloud phishing attacks ...

    FYI...

    Apple iCloud phishing attacks ...
    - http://nakedsecurity.sophos.com/2011...shing-attacks/
    August 26, 2011 - "... The email claims to come from Apple, and appears to have targeted our correspondent because he is a user of Apple's MobileMe service. Apple is planning to shut down its MobileMe service in mid-2012, as it is readying its new iCloud service (which will store music, photos, calendars, documents etc in 'the cloud' and wirelessly push them to all of your devices). Understandably, a lot of MobileMe users are interested in how they will migrate to iCloud and this is the issue that the phishing email uses as bait... Yes, it's a phishing website. And just look what it's asking for: your credit card details, your address, your social security number, your full date of birth, your mother's maiden name and your Apple ID credentials... Imagine the harm a fraudster could cause with all that information. Make sure you have your eyes peeled for phishing attacks, and be on your guard regarding unsolicited messages you receive in your inbox..."
    (Screenshots and more detail available at the Sophos URL above.)


  7. #477
    AplusWebMaster (Adviser Team)

    Hurricanes prompt phishing scams ...

    FYI...

    Hurricanes prompt phishing scams...
    - https://www.computerworld.com/s/arti...phishing_scams
    August 26, 2011 - "... cybercriminals go into -overdrive- during highly publicized physical events such as hurricanes and earthquakes... The DHS is responsible for protecting critical infrastructure targets in the U.S. Until relatively recently, phishing -was- considered mostly a consumer problem. But the use of phishing emails to successfully breach the Oak Ridge National Laboratory, EMC's RSA security division, Epsilon and the Pacific Northwest National Laboratory have quickly changed that view. Over the past few years, phishers have increasingly taken advantage of natural disasters and other highly publicized incidents to slip infected emails and other malware onto users' desktops..."

    - http://www.fbi.gov/news/news_blog/charity_082611
    08.26.11 - "In light of Hurricane Irene, the public is reminded to beware of fraudulent e-mails and websites claiming to conduct charitable relief efforts. Disasters prompt individuals with criminal intent to solicit contributions purportedly for a charitable organization or a good cause. To learn more about avoiding online fraud, please see "Tips on Avoiding Fraudulent Charitable Contribution Schemes" at:
    > http://www.ic3.gov/media/2011/110311.aspx "
    ___

    - https://www.us-cert.gov/current/#pot...phishing_scams
    August 29, 2011

    Last edited by AplusWebMaster; 2011-08-30 at 14:29.

  8. #478
    AplusWebMaster (Adviser Team)

    Morto worm spreads via RDP - Port 3389/TCP

    FYI...

    Morto worm spreads via RDP - Port 3389/TCP
    - http://www.theregister.co.uk/2011/08...orm_spreading/
    28 August 2011 - "... an Internet worm dubbed “Morto” spreading via the Windows Remote Desktop Protocol (RDP). F-Secure is reporting that the worm is behind a spike in traffic on Port 3389/TCP. Once it’s entered a network, the worm starts scanning for machines that have RDP enabled. Vulnerable machines get Morto copied to their local drives as a DLL, a.dll, which creates other files detailed in the F-Secure post*... SANS (ISC)**, which noticed heavy growth in RDP scan traffic over the weekend, says the spike in traffic is a “key indicator” of a growing number of infected hosts. Both Windows servers and workstations are vulnerable..."
    * http://www.f-secure.com/weblog/archives/00002227.html

    ** https://isc.sans.edu/diary.html?storyid=11470
    - https://isc.sans.edu/diary.html?storyid=11452
    ___

    - http://h-online.com/-1332673
    29 August 2011

    Last edited by AplusWebMaster; 2011-09-03 at 17:54.
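    A small detector for the RDP sweep behaviour described in the post above, added here as an example and not taken from the F-Secure post or the ISC diary: it reads connection-log lines and flags any source that reaches more than a handful of distinct hosts on 3389/TCP inside a sliding one-minute window, which is the "infected host scanning its network" signal rather than an admin opening a few sessions. The log format, addresses and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log lines (not from the F-Secure or ISC posts), in
# the form "<timestamp> <src> -> <dst>:<port>". 10.0.0.7 behaves like an
# infected host sweeping the subnet for RDP; 10.0.0.20 is ordinary admin use.
SAMPLE_LOG = """\
2011-08-27T10:00:01 10.0.0.20 -> 10.0.0.5:3389
2011-08-27T10:00:02 10.0.0.7 -> 10.0.0.1:3389
2011-08-27T10:00:02 10.0.0.7 -> 10.0.0.2:3389
2011-08-27T10:00:03 10.0.0.7 -> 10.0.0.3:3389
2011-08-27T10:00:03 10.0.0.7 -> 10.0.0.4:3389
2011-08-27T10:00:04 10.0.0.7 -> 10.0.0.5:3389
2011-08-27T10:00:04 10.0.0.7 -> 10.0.0.6:3389
2011-08-27T10:00:05 10.0.0.7 -> 10.0.0.8:3389
2011-08-27T10:00:09 10.0.0.20 -> 10.0.0.9:443
2011-08-27T10:30:00 10.0.0.20 -> 10.0.0.6:3389
this line is malformed and must be skipped
"""

RDP_PORT = 3389

def parse_line(line):
    """Return (timestamp, src, dst, port), or None for a malformed line."""
    try:
        ts, src, _, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        return datetime.fromisoformat(ts), src, dst, int(port)
    except ValueError:
        return None

def find_rdp_scanners(log_text, max_targets=5, window=timedelta(seconds=60)):
    """Flag sources that reach more than max_targets distinct hosts on
    3389/TCP inside any sliding window. Returns {src: peak distinct count}."""
    events = defaultdict(list)  # src -> [(timestamp, dst)], RDP only
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == RDP_PORT:
            events[rec[1]].append((rec[0], rec[2]))
    scanners = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            if distinct > max_targets:
                scanners[src] = max(distinct, scanners.get(src, 0))
    return scanners
```

    Tune max_targets to what jump hosts and scanners legitimately do on your network; a flagged workstation is the place to look for the a.dll drop the post mentions.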

  9. #479
    AplusWebMaster (Adviser Team)

    Malicious SPAM campaign - Facebook

    FYI...

    Malicious SPAM campaign - Facebook
    - http://labs.m86security.com/2011/08/...lick-the-link/
    August 29, 2011 - "... we are now observing another large malicious spam campaign – this time without attachments. Like the majority of last week’s campaigns, this spam is being sent out from the Cutwail botnet. The message arrives as a fake Facebook friend invite notification. The message looks convincing, it appears the spammers have copied the actual Facebook template and substituted their own links. However, there are clues it is fake. The message doesn’t contain any profile photos, and they have omitted the recipient’s email address in the fine print at the bottom... Clicking the link fetches a web page that contains two ways you can infect yourself. First, there is a link pretending to be an Adobe Flash update where you can download and install malware manually. Second, there is a hidden iframe that loads data from a remote server hosting the Blackhole Exploit Kit, which attempts to automatically exploit vulnerabilities on your system, notably Java..."
    (Screenshots available at the m86 URL above.)


  10. #480
    AplusWebMaster (Adviser Team)

    FTC malicious email campaign

    FYI...

    FTC malicious email campaign
    - http://community.websense.com/blogs/...-campaign.aspx
    01 Sep 2011 - "Websense... has detected malicious emails posing as a consumer complaint notice from the Federal Trade Commission... The exact email format seen in this case was also used a few years back... Malware authors constantly change the malicious file involved in their campaigns. The malware is poorly detected by AV engines*..."
    (Screenshot available at the websense URL above.)
    * https://www.virustotal.com/file-scan...d28-1314955779
    File name: complaint9302.vcr
    Submission date: 2011-09-02 09:29:39 (UTC)
    Result: 18/44 (40.9%)
    There is a more up-to-date report...
    - https://www.virustotal.com/file-scan...d28-1315065041
    File name: 1315064295.complaint9302.scr
    Submission date: 2011-09-03 15:50:41 (UTC)
    Result: 25/44 (56.8%)
    ___

    - http://www.ftc.gov/opa/2011/09/scamemail.shtm
    09/01/2011 - "The FTC is warning small businesses that an email with a subject line “URGENT: Pending Consumer Complaint” is -not- from the FTC. The email says that a complaint has been filed with the agency against their company. The FTC advises not to click on any of the links or attachments with the email. Clicking on the links may install a virus on the computer. The FTC’s advice: Delete the email..."

    Last edited by AplusWebMaster; 2011-09-03 at 22:55.
