Fake Fedex email invoice lead to BlackHole Exploit kit
FYI...
- http://blog.webroot.com/2012/09/14/s...e-exploit-kit/
Sep 14, 2012 - "... cybercriminals have launched yet another massive spam run, this time impersonating FedEx in an attempt to trick its customers into clicking on a malware and exploits-serving URL found in the malicious email...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Sample client-side exploits serving URLs: hxxp ://studiomonahan .net/main.php?page=2bfd5695763b6536 (200.42.159.6, AS10481; 206.253.164.43, AS6921); hxxp ://gsigallery .net/main.php?page=2bfd5695763b6536 (208.91.197.54, AS40034)
Sample client-side exploits served: CVE-2010-1885
Detection rate for a sample Java script redirector: MD5: 32a74240c7e1a34a2a8ed8749758ef15* ...
JS/Iframe.FR; Trojan-Downloader.JS.Iframe.dbe; JS/Exploit-Blacole.hd
Upon successful client-side exploitation, the campaign drops MD5: f9904f305de002ad5c0ad4b4648d0ca7** ... Trojan.Win32.Obfuscated.aopm; Worm:Win32/Cridex.E
... and MD5: 0e2c968865d34c8570bb69aa6156b915*** Worm.Win32.Cridex.jb
The first sample phones back to 195.111.72.46 :8080/mx/5/B/in/ (AS1955) and to 87.120.41.155 :8080/mx/5/B/in (AS13147), and the second sample initiates DNS queries to droppinlever .pro; lambolp700tuning .ru and it also produces TCP traffic to 146.185.220.32 on port 443, as well as to 192.5.5.241 again on port 443.
... We’ve already seen numerous malicious campaigns phoning back one of these command and control servers, 87.120.41.155 :8080/mx/5/B/in in particular..."
* https://www.virustotal.com/file/ae6b...is/1347545788/
File name: Fedex.html
Detection ratio: 8/41
Analysis date: 2012-09-13
** https://www.virustotal.com/file/b417...9ba0/analysis/
File name: f9904f305de002ad5c0ad4b4648d0ca7.malware
Detection ratio: 30/42
Analysis date: 2012-09-13
*** https://www.virustotal.com/file/cb66...4a47/analysis/
File name: a36fc381c480e4e7ee09c89d950195c2
Detection ratio: 24/42
Analysis date: 2012-09-11
:fear: :mad:
Multiple fake emails/SPAM lead to malware...
FYI...
"Photos" Spam...
- http://blog.dynamoo.com/2012/09/phot...reuomopru.html
18 Sept 2012 14:43 - "This spam leads to malware ondiareuomop .ru:
From: Carleen Garrett
Sent: Tuesday, September 18, 2012 3:17:33 PM
Subject: Photos
Hi,
as promised your photos - hxxp ://flyershot .com/gallery.htm
The payload is at [donotclick]diareuomop.ru:8080/forum/links/column.php hosted on the following IPs: 50.56.92.47, 203.80.16.81, 46.51.218.71
These IPs are a subset of the ones found here*. Block 'em if you can."
Fake Intuit email/Spam...
* http://blog.dynamoo.com/2012/09/intu...eloffceru.html
17 Sept 2012 22:41 - "This fake Intuit.com spam attempts to load malware from kerneloffce .ru:
Date: Mon, 17 Sep 2012 08:54:50 -0600
From: "Mason Jordan" [LillieRoell@digitalnubia.com]
Subject: Your Intuit.com software order.
Attachments: Intuit_Order_A49436.htm
Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-130-1601 ($4.79/min).
ORDER INFORMATION
Please download your complete order id #1197744 from the attachment.(Open with Internet Explorer)
2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.
The malicious payload is at kerneloffce .ru:8080/forum/links/column.php which was hosted on 46.51.218.71 (Amazon, Ireland) until it got nuked..."
> http://google.com/safebrowsing/diagn...erneloffce.ru/
"Site is listed as suspicious - visiting this web site may harm your computer... the last time suspicious content was found on this site was on 2012-09-17. Malicious software includes 1 trojan(s)... this site has hosted malicious software over the past 90 days. It infected 4 domain(s)..."
Fake IRS email/Spam...
- http://blog.dynamoo.com/2012/09/irs-...achingnet.html
17 Sept 2012 22:30 - "This spam leads to malware on virtual-geocaching .net:
Date: Mon, 17 Sep 2012 11:28:14 -0600
From: Internal Revenue Service [tangierss4 @porterorlin .com]
Subject: IRS report of not approved tax transfer
Your State Tax transfer (ID: 30062091798009), recently sent from your checking account was returned by Internal Revenue Service payment processing unit.
Not Accepted Tax transaction
Tax Transaction ID: 30062091798009
Reason of rejection See details in the report below
Federal Tax Transaction Report tax_report_30062091798009.doc (Microsoft Word Document)
Internal Revenue Service 3192 Aliquam Rd. Davis 71320 VA
The malicious payload is at [donotclick]virtual-geocaching .net/main.php?page=7de3f5c4200c896e (report here) on 203.91.113.6 (G Mobile, Mongolia) as used in this recent attack and several others..."
> http://google.com/safebrowsing/diagn...eocaching.net/
"Site is listed as suspicious - visiting this web site may harm your computer... the last time suspicious content was found on this site was on 2012-09-17. Malicious software includes 57 trojan(s), 8 exploit(s), 3 scripting exploit(s)..."
Fake IRS email/Spam...
- http://blog.dynamoo.com/2012/09/irs-...mmwrapnet.html
17 Sept 2012 16:06 - "This fake IRS spam leads to malware on thebummwrap .net:
From: Internal Revenue Service [mailto:fascinatesh07 @deltamar .net]
Sent: 17 September 2012 15:30
Subject: Your federal tax transaction has been not accepted
Your State Tax transaction (ID: 60498447771657), recently initiated from your bank account was canceled by The Electronic Federal Tax Payment System.
Not Accepted Tax transaction
Tax Transaction ID: 60498447771657
Rejection code See details in the report below
Income Tax Transaction Report tax_report_60498447771657.doc (Microsoft Word Document)
Internal Revenue Service Ap #822-9450 Cum Avenue Edmond 33020 MI
The malicious payload is at [donotclick]thebummwrap .net/main.php?page=7de3f5c4200c896e hosted on 203.91.113.6 (G Mobile Mongolia) which has been used several times recently for evil purposes..."
___
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Last Updated September 18, 2012
:mad::mad:
Fake US Airways emails serve exploits and malware
FYI...
- http://blog.webroot.com/2012/09/18/s...s-and-malware/
Sep 18, 2012 - "Cybercriminals are currently spamvertising millions of emails impersonating U.S Airways, in an attempt to trick users into clicking on the malicious links found in the legitimately looking emails...
Sample screenshot of the spamvertised US Airways themed email:
> https://webrootblog.files.wordpress....explot_kit.png
Sample client-side exploits served: http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-1885 - 9.3 (HIGH)
Responding to the same IP 203.91.113.6 (AS24559) ...
Detection rate for a sample Java script redirection: MD5: 5c5a3c6e91c1c948c735e90009886e37 *
... Mal/Iframe-W
Upon successful client-side exploitation, the campaign drops MD5: 9069210d0758b34d8ef8679f712b48aa **
... Trojan.Winlock.6049; W32/Cridex.R
Upon execution, the sample phones back to 199.71.213.194 :8080/mx/5/B/in/ (AS40676).
More MD5s are known to have phoned back to the same IP..."
* https://www.virustotal.com/file/08cb...is/1347403787/
File name: Airways.html
Detection ratio: 3/42
Analysis date: 2012-09-11
** https://www.virustotal.com/file/c6c8...b59a/analysis/
File name: readme.exe
Detection ratio: 6/42
Analysis date: 2012-09-14
:mad:
Malicious UPS/FedEx emails re: iPhone 5 orders
FYI...
- http://community.websense.com/blogs/...-iphone-5.aspx
18 Sep 2012 - "The first batch of iPhone 5s will be delivered on Friday of this week... From reading discussion forums online... all orders from Apple's online store will ship with UPS... when I received a UPS notification email today, I obviously expected it to be about my iPhone. Turns out, it wasn't.
> http://community.websense.com/cfs-fi...ion_5F00_1.png
... the email contained an attached HTML page that, when loaded, displayed the page below:
> http://community.websense.com/cfs-fi...00_browser.png
... the risk is great that recipients will have their guards down and will run the attached file... There's a hidden, obfuscated script on the page... it loads an iframe from a .RU domain, which is a Blackhole Exploit Kit site that pushes a banking trojan to the PC... the phrase used for the .RU domain name translates to "money on account". Banking trojan, money on account... be extra careful if you're waiting for a delivery notification, and don't run any attachments contained in those types of emails."
___
(More) Fake UPS e-mail messages ...
> http://tools.cisco.com/security/cent...?alertId=25171
Sep 19, 2012
:mad:
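Added example, not code from Websense, Dynamoo or any of the quoted posts: a mail-gateway check for the lure pattern described above (an .htm attachment whose hidden script frames a remote exploit-kit site). It builds a constructed lookalike of a delivery-notification message, then flags every HTML attachment that carries a remote, tiny or hidden iframe, or an inline script using the usual obfuscation helpers. All hostnames in the sample are placeholders (example.invalid); nothing from the real campaigns is embedded.

```python
"""Heuristic scan of HTML attachments, as in the UPS/Intuit lures above.

Added example, not Websense's or Dynamoo's code. Hostnames are placeholders.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser

# JavaScript helpers obfuscated loaders lean on; a hit is a signal, not proof.
OBFUSCATION_MARKERS = ("unescape(", "eval(", "document.write(", "fromCharCode(")


def _dim(value):
    """Numeric part of a width/height attribute; missing or unparsable counts as large."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else 10_000


class _AttachmentScanner(HTMLParser):
    """Collects findings for iframes and inline scripts in one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            style = a.get("style", "").replace(" ", "").lower()
            tiny = _dim(a.get("width")) <= 1 or _dim(a.get("height")) <= 1
            hidden = "display:none" in style or "visibility:hidden" in style
            remote = src.lower().startswith(("http://", "https://", "//"))
            # An HTML file opened from a mail client has no business framing a remote host.
            if tiny or hidden or remote:
                self.findings.append(
                    f"iframe src={src!r} tiny={tiny} hidden={hidden} remote={remote}")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            hits = [m for m in OBFUSCATION_MARKERS if m in data]
            if hits:
                self.findings.append("script uses " + ", ".join(hits))


def scan_message(raw):
    """Return {attachment filename: [findings]} for every HTML attachment in a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if part.get_content_type() != "text/html" and not name.lower().endswith((".htm", ".html")):
            continue
        scanner = _AttachmentScanner()
        scanner.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        scanner.close()
        report[name] = scanner.findings
    return report


def is_suspicious(raw):
    """True when any HTML attachment produced at least one finding."""
    return any(scan_message(raw).values())


def build_sample():
    """Constructed lookalike of the delivery-notification lure; not a real campaign sample."""
    msg = EmailMessage()
    msg["From"] = "UPS Notification <noreply@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "UPS Delivery Notification"
    msg.set_content("Your parcel could not be delivered. Open the attached tracking page.")
    html = (
        "<html><body><h1>Tracking information</h1>"
        '<iframe src="http://landing.example.invalid/main.php?page=PLACEHOLDER" '
        'width="1" height="1" style="visibility: hidden"></iframe>'
        "<script>document.write(unescape('%3Cp%3ELoading...%3C%2Fp%3E'));</script>"
        "</body></html>"
    )
    msg.add_attachment(html, subtype="html", filename="UPS_Invoice.htm")
    return msg.as_bytes()


def build_clean_sample():
    """Constructed control message with a plain-text attachment: nothing to flag."""
    msg = EmailMessage()
    msg["Subject"] = "Receipt"
    msg.set_content("Thanks for your order.")
    msg.add_attachment("Order total: 12.00", filename="receipt.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample()).items():
        print(name, findings)
```

Run it on its own and the constructed message yields two findings for UPS_Invoice.htm (the hidden 1x1 remote iframe and the `unescape`/`document.write` script); the control message yields none. The check is deliberately narrow: it does not try to de-obfuscate anything, it only asks whether an HTML attachment has any reason to frame a remote host or rewrite itself at load time, which a legitimate invoice never needs.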
Fake FDIC emails serve client-side exploits and malware
FYI...
- http://blog.webroot.com/2012/09/19/c...s-and-malware/
Sep 19, 2012 - "... cybercriminals started spamvertising millions of emails impersonating the Federal Deposit Insurance Corporation (FDIC), in an attempt to trick businesses into installing a bogus and non-existent security tool promoted in the emails. Upon clicking on the links, users are exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised FDIC impersonating email:
> https://webrootblog.files.wordpress....xploit_kit.png
Once the user clicks on the malicious link, he’s exposed to the following bogus “Page loading…” page:
> https://webrootblog.files.wordpress....oit_kit_01.png
Client-side exploits serving URL: hxxp ://afgreenwich .net/main.php?page=0f123fe645ddf8d7 - 203.91.113.6 (AS24559)...
Upon successful client-side exploitation, the campaign drops MD5: 3ce1ae2605aa800c205ef63a45ffdbfa *
... Trojan-Ransom.Win32.Gimemo.aovu; W32.Cridex
Once executed, it attempts to phone back to 72.167.253.106 :8080/mx/5/B/in (AS26496)...
More MD5s are known to have phoned back to the same IP in the past, for instance:
MD5: 97974153c25baf5826bf441a8ab187a6 **
...Trojan.Win32.Jorik.Zbot.fxq; Gen:Variant.Zusy.17989
... and MD5: 9069210d0758b34d8ef8679f712b48aa ***
... Trojan.Winlock.6049; W32/Cridex.R ..."
* https://www.virustotal.com/file/8774...8c93/analysis/
File name: b9126f7be02c682d7b1b534c928881a0aba6ae0c
Detection ratio: 25/42
Analysis date: 2012-09-16
** https://www.virustotal.com/file/4b9a...325b/analysis/
File name: test73608696665548.bin
Detection ratio: 16/42
Analysis date: 2012-09-13
*** https://www.virustotal.com/file/c6c8...b59a/analysis/
File name: readme.exe
Detection ratio: 6/42
Analysis date: 2012-09-14
___
New Malware Sites using Blackhole Exploit Kit v2.0
- https://blog.opendns.com/2012/09/18/...loit-kit-v2-0/
Sep 18, 2012
:mad: :mad:
LinkedIn SPAM - Blackhole Exploit Kit v2.0...
FYI...
LinkedIn SPAM / 69.194.201.21
- http://blog.dynamoo.com/2012/09/link...919420121.html
22 Sep 2012 - "This fake LinkedIn spam leads to malware on 69.194.201.21:
Date: Sat, 22 Sep 2012 15:16:47 -0500
From: "Reminder" [CC8504C0E@updownstudio.com]
Subject: LinkedIn: New messages awaiting your response
LinkedIn
REMINDERS
Invitation reminders:
From Emilio Byrd (Insurance Manager at Wolseley)
PENDING MESSAGES
There are a total of 88 message(-s) awaiting your response. Go to InBox now.
This message was sent to [redacted]. This is an occasional email to help you get the most out of LinkedIn.
Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission.
2012, LinkedIn Corporation.
The malicious payload is at [donotclick]69.194.201.21 /links/deep_recover-result.php (Solar VPS, US) which appears to be a Blackhole 2 exploit kit. Blocking this IP address would be prudent."
___
Fake 'KLM e-Ticket' attempts to install backdoor
- http://community.websense.com/blogs/...-backdoor.aspx
21 Sep 2012 - "... malicious zipped attachment..."
:fear: :mad:
Twitter DMs from "friends" lead to backdoor Trojan...
FYI...
- http://nakedsecurity.sophos.com/2012...video-malware/
Sep 24, 2012 - "Have you received a Twitter message from an online friend, suggesting you have been captured in a Facebook video?... The aim of the messages? To trick the unwary into clicking on a link... and ultimately infect computers. Here is one example:
> https://sophosnews.files.wordpress.c...cked.jpg?w=640
... here's another. Note that there are many different combinations of wording that can be used.
> https://sophosnews.files.wordpress.c...ed-2.jpg?w=640
Users who click on the link are greeted with what appears to be a video player and a warning message that "An update to Youtube player is needed". The webpage continues to claim that it will install an update to Flash Player 10.1 onto your computer.
> https://sophosnews.files.wordpress.c...ware.jpg?w=640
... In this example, the program you are being invited to download is called FlashPlayerV10.1.57.108.exe, and is detected by Sophos anti-virus products as Troj/Mdrop-EML, a backdoor Trojan that can also copy itself to accessible drives and network shares. Quite how users' Twitter accounts became compromised to send the malicious DMs in the first place isn't currently clear, but the attack underlines the importance of -not- automatically clicking on a link just because it appeared to be sent to you by a trusted friend. If you do find that it was your Twitter account sending out the messages, the sensible course of action is to assume the worst, change your password (make sure it is something unique, hard-to-guess and hard-to-crack) and revoke permissions of any suspicious applications that have access to your account."
:mad:
Multiple malware IP's to be blocked ...
FYI...
Evil network: 108.178.59.0/26
- http://blog.dynamoo.com/2012/09/evil...817859026.html
25 Sep 2012 - "There's quite a bit of malware coming from a range of Singlehop IPs over the past few days. The range is 108.178.59.0/26 (108.178.59.0 - 108.178.59.63)
So far, I've seen blackhole samples from 108.178.59.20, 108.178.59.11 and 108.178.59.26 which is enough to convince me that the whole /26 is bad and should be blocked.
Singlehop have reallocated the IP range to a customer:
network: IP-Network: 108.178.59.0/26
network: State: Italy
network: Country-Code: IT ...
It's quite possible that Mr Coco doesn't know that the IP range is being abused in this way, but blocking access to it would be prudent..."
- http://centralops.net/co/DomainDossier.aspx
network: IP-Network: 108.178.59.0/26
network: State: Italy
network: Country-Code: IT
___
BBB SPAM / one.1000houses .biz
- http://blog.dynamoo.com/2012/09/bbb-...housesbiz.html
25 Sep 2012 - "This fake BBB spam leads to malware at one.1000houses .biz:
Date: Tue, 25 Sep 2012 11:42:18 +0200
From: "Better.Business Bureau" [8050910@zread.com]
Subject: Activity Report
Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.
You are asked to provide response to this complaint within 7 days.
Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.
Complaint ID#125368
Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
The malicious payload is at [donotclick]one.1000houses .biz/links/deep_recover-result.php hosted on 199.195.116.185 (A2 Hosting, US). The domain 1000houses .biz appears to be a legitimate domain where the GoDaddy account has been hacked to serve malware on subdomains. There seems to be a long-standing issue with GoDaddy domains being used in this way.
Blocking 199.195.116.185 would probably be prudent..."
:mad: :mad:
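Added example, not code from Dynamoo, Webroot or any of the quoted blogs: a Python sweep over proxy logs for the network indicators collected in this thread. The IP list is copied from the posts above (the Blackhole landing hosts, the Cridex `:8080/mx/5/B/in` phone-home servers and the BHEK 2 hosts), the 108.178.59.0/26 range is Dynamoo's "evil network", and the URL shapes are the ones that recur across the campaigns. The log lines are constructed, and the "timestamp client dest method url status" layout is an assumption; the indicators are 2012-era and only illustrate the mechanics.

```python
"""Proxy-log sweep for the indicators reported in this thread.

Added example, not from any of the quoted blogs. Log format is assumed to be
"timestamp client_ip dest_ip method url status"; the sample lines are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# IPs named in the reports above as exploit-kit landing or C2 hosts (2012, stale).
BLOCKED_IPS = {ipaddress.ip_address(ip) for ip in (
    "200.42.159.6", "206.253.164.43", "208.91.197.54",   # FedEx-themed Blackhole hosts
    "195.111.72.46", "87.120.41.155", "146.185.220.32",  # Cridex phone-home
    "203.91.113.6", "199.71.213.194", "72.167.253.106",  # US Airways / IRS / FDIC runs
    "50.56.92.47", "203.80.16.81", "46.51.218.71",       # "Photos" / Intuit runs
    "69.194.201.21", "199.195.116.185",                  # LinkedIn / BBB runs (BHEK 2)
)}
# Dynamoo's "evil network": samples from three hosts were enough to block the whole /26.
BLOCKED_NETS = [ipaddress.ip_network("108.178.59.0/26")]

# URL shapes that recur across the campaigns, independent of which host serves them.
URL_PATTERNS = {
    "cridex-c2": re.compile(r":8080/mx/5/B/in/?$"),
    "blackhole-landing": re.compile(r"/main\.php\?page=[0-9a-f]{16}$"),
    "blackhole2-landing": re.compile(r"/links/deep_recover-result\.php$"),
    "blackhole-forum-path": re.compile(r"/forum/links/column\.php$"),
}


def classify(url, dest_ip=None):
    """Return the reasons a request is suspicious; an empty list means clean.

    Both the URL host (when it is a literal IP) and the resolved destination IP are
    checked, so a bad domain that resolves to a listed IP is still caught.
    """
    reasons = []
    candidates = set()
    for value in (urlsplit(url).hostname, dest_ip):
        try:
            candidates.add(ipaddress.ip_address(value))
        except ValueError:
            pass  # a hostname rather than a literal IP, or no dest_ip supplied
    for ip in sorted(candidates):
        if ip in BLOCKED_IPS:
            reasons.append(f"dst {ip} on blocklist")
        for net in BLOCKED_NETS:
            if ip in net:
                reasons.append(f"dst {ip} in {net}")
    for name, rx in URL_PATTERNS.items():
        if rx.search(url):
            reasons.append(name)
    return reasons


def scan_log(lines):
    """Parse proxy lines and return one hit dict per suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or blank line
        _ts, client, dest_ip, _method, url, _status = fields[:6]
        reasons = classify(url, dest_ip)
        if reasons:
            hits.append({"line": n, "client": client, "url": url, "reasons": reasons})
    return hits


# Constructed sample log: three requests matching thread indicators and one clean one.
SAMPLE_LOG = """\
2012-09-25T10:01:02 10.0.0.5 108.178.59.20 GET http://108.178.59.20/main.php?page=0f123fe645ddf8d7 200
2012-09-25T10:01:09 10.0.0.5 87.120.41.155 POST http://87.120.41.155:8080/mx/5/B/in/ 200
2012-09-25T10:02:00 10.0.0.7 198.51.100.10 GET http://www.example.com/index.html 200
2012-09-25T10:03:11 10.0.0.9 199.195.116.185 GET http://one.1000houses.biz/links/deep_recover-result.php 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']}: {hit['client']} -> {hit['url']}: {', '.join(hit['reasons'])}")
```

Matching on the URL shape as well as the host is the useful part: the hosts in these reports changed every few days, but the `/main.php?page=<16 hex>` landing page and the `:8080/mx/5/B/in` check-in path stayed the same across the FedEx, US Airways, IRS and FDIC runs, so a client hitting that path on an unlisted IP is still worth a look.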
FTC halts computer spying
FYI...
* http://www.ftc.gov/opa/2012/09/designware.shtm
09/25/2012
Rent-to-own laptops were spying on users
- http://h-online.com/-1717567
26 Sep 2012 - "The US Federal Trade Commission (FTC) has settled a case with several computer rent-to-own companies and a software maker over their use of a program which spied on as many as 420,000 users of the computers. The terms of the settlement* will ban the companies from using monitoring software, deceiving customers into giving up information or using geo-location to track users. "The FTC orders today will put an end to their cyber spying" said Jon Leibowitz, FTC Chairman. The software for rental companies from DesignerWare included a "Detective Mode", a spyware application that, according to the FTC's complaint, could activate the webcam of a laptop and take pictures and log keystrokes of user activity. The software also regularly presented a fake registration screen designed to trick users into entering personal information. The data from this application was then transmitted to DesignerWare where it was then passed on to the rent-to-own companies... The FTC is limited in its actions, telling Wired**, "We don't have criminal authority. We only have civil authority" and, as this was a first violation of the FTC act, it cannot impose fines on the companies. Instead, the companies will be monitored by the FTC for compliance with the ban on using the software, or, in the case of DesignerWare, licensing it, for the next 20 years..."
** http://www.wired.com/threatlevel/201...yware-scandal/
:mad: