#161
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 1,772
FYI...
New variation of SSL Spam
- http://isc.sans.org/diary.html?storyid=7357
Last Updated: 2009-10-14 18:25:16 UTC
"... update to a diary we did earlier this week. The body of the spam today is:
' Dear user of the <some company> mailing service! We are informing you that because of the security upgrade of the mailing service your mailbox (<user>@<some company>) settings were changed. In order to apply the new set of settings click on the following link ... '
The email contains a link with a file to download. Some of the files we have seen are:
settings-file.exe MD5: 0244586f873a83d89caa54db00853205
settings-file2.exe MD5: e6436811c99289846b0532812ac49986
The files are being detected by some anti-virus software programs at this time as Zbot variants..."
__________________
AplusWebMaster ~ Are you up to date or vulnerable to Hackers? ...or both? Security is only as good as the weakest link. ~ ISC ~
#162
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 1,772
FYI...
Outlook SPAM/Scam w/malware
- http://securitylabs.websense.com/con...erts/3491.aspx
10.14.2009 - "Websense... has discovered a new wave of malicious attacks claiming to be an update for Microsoft Outlook Web Access (OWA). Victims receive a message leading to a site to apply mailbox settings which were supposedly changed due to a "security upgrade." The especially dangerous thing about these messages is that they are very deceiving. The messages and attack pages are personalized for the To: email address to imply the message is being sent from tech support of the domain. The URL in the email looks like it leads to the company's own OWA system. We have seen upwards of 30,000 of these messages per hour and they have low AV detection*... The malicious site is also very believable. The victim's domain is used as a sub-domain to the site so that the attack site appears to be the victim's actual OWA site. The victim's domain name and email address are also used in a number of locations on the malicious site to make it that much more believable..."
* http://www.virustotal.com/analisis/e...9b8-1255552077
File settings-file.exe received on 2009.10.14 20:27:57 (UTC)
Result: 6/41 (14.63%)
(Screenshots available at the Websense URL above.)
- http://www.us-cert.gov/current/#malw..._spam_messages
October 15, 2009
Last edited by AplusWebMaster; 2009-10-16 at 08:14.
#163
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 1,772
FYI...
New Koobface campaign spoofs Adobe's Flash updater
- http://blogs.zdnet.com/security/?p=4594
October 14, 2009 - "Earlier this week, the botnet masters behind the most efficient social engineering driven botnet, Koobface, launched a new campaign currently spreading across Facebook with a new template spoofing Adobe's Flash updater embedded within a fake Youtube page. The malware campaign is relying on compromised legitimate web sites, now representing 77% of malicious sites in general, and on hundreds of automatically registered Blogspot accounts with the CAPTCHA recognition process done on behalf of the users already infected by Koobface, compared to the gang's previous reliance on commercial CAPTCHA recognition services..."
#164
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 1,772
FYI...
Zbot SPAM campaign continues
- http://blog.trendmicro.com/zbot-spam...ign-continues/
Oct. 16, 2009 - "A slightly modified Zbot spam campaign currently making the rounds pretends to come from the IT support of various companies. It informs users that a security update in the mailing service caused changes in their mailbox settings. They are instructed to open the ZIP attachment and run the .EXE file, INSTALL.EXE, to supposedly apply the changes. Trend Micro detects this as TROJ_FAKEREAN.CF. When executed, this Trojan accesses http ://{BLOCKED}nerkadosa.com /xIw1yPD0q5Gb8t0br4×6k5sk to download another malicious file detected as TROJ_FAKEREAN.BI... Spammers usually employ random email addresses in the FROM and TO field headers, but in this case the actual company domain is used as the email address in both fields. This is done to make the email message more credible, convincingly appearing to come from inside the company, thus luring unknowing users into executing the malware... The said email purports to be a notification from the company's "system administrator" to update the user's system because of a server upgrade. Accordingly, the subdomains are tailor-made to make it look more legitimate. Users are encouraged not to open suspicious-looking emails even though they supposedly come from a trusted source. It is also advisable that users first contact their IT or tech support if they receive such emails, to verify whether a security update has indeed occurred..."
(Screenshots available at the TrendMicro URL above.)
- http://atlas.arbor.net/
"... We are also seeing email spam attacks to spread malware from the Bredolab botnet, from the ZBot botnet, and a Rogue AV downloader purporting to be an anti-conficker system update."
Last edited by AplusWebMaster; 2009-10-22 at 21:16.
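The OWA-settings spam in post #162 and the Zbot campaign in post #164 both rely on the victim's own domain appearing inside the attacker's hostname, so the link "looks like" the company's OWA site. The following Python check is an added illustration (not code from Websense, Trend Micro or this thread) that flags a link whose host merely embeds the company domain as leading sub-domain labels instead of actually being under it; the message body and hostnames are constructed, with example.com standing in for the company and a reserved .invalid name for the attacker site.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the "mailbox settings" spam; the
# attacker host is a reserved .invalid name, not a real site.
COMPANY_DOMAIN = "example.com"
SAMPLE_BODY = (
    "Dear user of the example.com mailing service! To apply the new "
    "settings click on the following link: "
    "https://example.com.owa-settings.invalid/owa/settings-file.exe\n"
    "Questions? See https://owa.example.com/help."
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_under_domain(host: str, company_domain: str) -> bool:
    """True only if host is the company domain or a subdomain of it
    on a label boundary (owa.example.com yes, example.com.evil no)."""
    host = host.lower().rstrip(".")
    company_domain = company_domain.lower()
    return host == company_domain or host.endswith("." + company_domain)


def embeds_company_domain(host: str, company_domain: str) -> bool:
    """True if a foreign host carries the company domain as a run of
    leading labels, the trick used by the OWA-lookalike sites."""
    host = host.lower().rstrip(".")
    company_domain = company_domain.lower()
    if is_under_domain(host, company_domain):
        return False
    return host.startswith(company_domain + ".") or (
        "." + company_domain + "." in host)


def classify_links(body: str, company_domain: str) -> list:
    """Return [(url, verdict)] for every http(s) URL in the body, where
    verdict is 'internal', 'lookalike-subdomain' or 'external'."""
    results = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")          # drop trailing punctuation
        host = urlparse(url).hostname or ""
        if is_under_domain(host, company_domain):
            verdict = "internal"
        elif embeds_company_domain(host, company_domain):
            verdict = "lookalike-subdomain"
        else:
            verdict = "external"
        results.append((url, verdict))
    return results
```

Running classify_links(SAMPLE_BODY, COMPANY_DOMAIN) returns the constructed settings link as lookalike-subdomain and the help link as internal; the check is a heuristic on the hostname only and says nothing about what the page serves.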
#165
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 1,772
FYI...
Malicious update for Outlook/Outlook Express (KB910721)
- http://www.sophos.com/blogs/sophoslabs/v/post/7044
October 22, 2009 - "... Didn't I see this a while ago and didn't it contain a rather nasty Trojan? The format of the October version differs slightly in that it includes a link to a website from which you may download the 'Microsoft/Outlook/Outlook Express Update' rather than an attached executable. The details have also been updated... Of course this is not a Microsoft security update, but rather simply another attempt by the malware authors to fool you into installing their Trojan... Visit the genuine Microsoft update site* in order to obtain your fixes."
* http://update.microsoft.com/
#166
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 1,772
FYI...
Malicious Facebook password SPAM
- http://securitylabs.websense.com/con...erts/3496.aspx
10.26.2009 - "Websense... has discovered a new wave of malicious email attacks claiming to be a password reset confirmation from Facebook. The From: address on the messages is spoofed using support @ facebook.com to make the messages believable to recipients. The messages contain a .zip file attachment with an .exe file inside (SHA1: d01c02b331f47481a9ffd5e8ec28c96b7c67a8c6). The .exe file currently has a detection rate of about 30 percent on VirusTotal*. Our ThreatSeeker™ Network has seen up to 90,000 of these messages sent out so far today. The malicious exe file connects to two servers to download additional malicious files and joins the Bredolab botnet, which means the attackers have full control of the PC, allowing them to steal customer information, send spam emails, and so on. One of the servers is in the Netherlands and the other one in Kazakhstan..."
* http://www.virustotal.com/analisis/9...10c-1256597978
File Facebook_Password_c92dd.exe received on 2009.10.26 22:59:38 (UTC)
Result: 12/41 (29.27%)
- http://www.symantec.com/connect/blog...other-comeback
October 27, 2009
(Screenshot available at the Websense and Symantec URLs above.)
First Facebook, now MySpace...
- http://www.m86security.com/trace/i/F...race.1157~.asp
October 30, 2009
Last edited by AplusWebMaster; 2009-11-10 at 19:05.
#167
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 1,772
FYI...
FDIC alert NOT...
- http://sunbeltblog.blogspot.com/2009...alert-not.html
October 27, 2009 - "Malicious SPAM. Don't go there. Zeus Trojan..."
- http://ddanchev.blogspot.com/2009/10...rves-zeus.html
October 27, 2009
(Screenshots available at both URLs above.)
- http://www.fdic.gov/consumers/consum...rts/index.html
October 26, 2009 - "... This e-mail and associated Web site are fraudulent. Recipients should consider the intent of this e-mail as an attempt to collect personal or confidential information, some of which may be used to gain unauthorized access to on-line banking services or to conduct identity theft. The FDIC does -not- issue unsolicited e-mails to consumers..."
- http://blog.trendmicro.com/fdic-spam...-info-stealer/
Oct. 27, 2009 - "... same cybercriminals responsible for other spam campaigns like the CapitalOne phishing attack and the Outlook update spam... characteristics of the domains (fast-flux and character patterns), URLs (wildcarded subdomains, long URLs), and binaries (Zeus) used in FDIC spam are somewhat similar to the above-mentioned spam waves..."
- http://www.us-cert.gov/current/#fede...poration_warns
October 27, 2009
Last edited by AplusWebMaster; 2009-10-29 at 23:39.
#168
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 1,772
FYI...
Worms return - MS SIR report...
- http://www.theregister.co.uk/2009/11...curity_report/
2 November 2009 - "Microsoft's latest security intelligence report* shows a resurgence in worms, although rogue security software also remains a big issue. Rogue security software was found and removed from 13.4m machines, compared to 16.8m last time. It is still an issue but numbers are falling. Worm figures doubled in the first six months of 2009 - from fifth to second. The focus on worms is partly to do with attention given to Conficker which infected 5.2m machines. Taterf doubled to 4.9m compared to the second half of 2008. Taterf is a worm aimed at massive multi-player games. It spreads via USB drives and mapped drives. Surprisingly it appears in enterprise space rather than consumer space - presumably by people sticking USB sticks into work machines... Cliff Evans, head of security and privacy at Microsoft, advised consumers to keep automatic updates on, keep a firewall running and use one of the newest browsers and up to date anti-malware. He said it was important to check all your software, not just Microsoft's... Microsoft works out the infection rate per thousand machines. The worldwide average is 8.7; Japan, Austria and Germany run at about 3 and the UK 4.9, down from 5.7. In the US the figure is 8.6. The top worm in the UK is Koobface, which spreads via Facebook and MySpace. It has been around a while but infection is increasing. Microsoft publishes this report every six months..."
* http://www.microsoft.com/security/po...hreat/SIR.aspx
#169
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 1,772
FYI...
Opachki hijacker trojan analysis
- http://www.secureworks.com/research/threats/opachki/
November 02, 2009 - "Opachki is one of many software tools developed by criminals to hijack and monetize Windows users' search traffic using affiliate-based search engines that are ultimately advertiser-sponsored, sometimes by well-known and respected firms. Each search-hijacking-by-malware scheme... so far seems to have a different twist, and the Opachki trojan is no different. Instead of only hijacking search result links, Opachki attempts to hijack as many links as it can on any web page, using the text enclosed by the HTML HREF tag as a faux search phrase when redirecting the user to an affiliate-based search engine. Opachki carries out this link hijacking using a small bit of JavaScript code that is injected into the top of HTML pages... Opachki demonstrates that even a "benign" threat such as a search/link hijacker has additional risks and costs that sometimes go unseen. For this reason, any trojan infection should be quickly resolved. Manual removal of Opachki is extremely difficult, given the many methods it uses to maintain its code on a system. Because of these difficulties and also because of other unknown trojans, worms or viruses Opachki may have downloaded, the recommended method of removal is to reformat and reinstall the operating system from known good media."
- http://isc.sans.org/diary.html?storyid=7519
Last Updated: 2009-11-03 12:46:11 UTC - "... prevents the system from booting in Safe Mode – the attackers did this to make it more difficult to remove the trojan. This goes well with what I've been always saying – do not try to clean an infected machine, always reimage it. As Opachki's main goal is to hijack links, it hooks the send and recv API calls in the following programs: FIREFOX.EXE, IEXPLORE.EXE, OPERA.EXE and QIP.EXE. While the first three are well known, I had to investigate the last one. It turned out that QIP.EXE is an ICQ client that is very popular in Russia, so the trojan has a component that directly attacks Russian users. The trojan will monitor web traffic (requests and responses) that the above mentioned applications make and will inject a malicious script tag into every response..."
(More detail available at both URLs above.)
#170
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 1,772
FYI...
FBI investigates $100 million in losses from spear phishing
- http://sunbeltblog.blogspot.com/2009...in-losses.html
November 04, 2009 - "The FBI has said it is investigating thefts in the last five years of more than $100 million from small and medium sized businesses that fell victim to spear-phishing attacks which siphoned funds from their bank accounts. There are more of the attacks reported each week, they said. The attacks typically involved malware sent by email that installed key loggers and targeted someone in the company who could initiate fund transfers. The criminals used the key loggers to capture the victim's banking log-in information then initiated fund transfers to money mules, generally in amounts below $10,000 – the level that triggers currency transaction reporting. The mules transfer the funds to the criminals via Western Union or other international money transfer systems. The phishing emails were sent from groups or people known to the victims so they wouldn't be inclined to consider them fraudulent. Among other measures, the FBI suggests removing the company organization chart from web sites in order to preclude spear-phishing emails that target company financial personnel..." Report here*.
* http://www.ic3.gov/media/2009/091103-1.aspx
November 3, 2009