Holiday shopping advisories ...
Ecard SPAM malware - from "banks" ...
FYI...
Ecard SPAM malware - from "banks" ...
- http://techblog.avira.com/2010/11/30...from-banks/en/
November 30, 2010 - "Our spamtraps started to get flooded with a new type of spam which is spreading a malicious file. The authors somehow couldn’t decide how to make the scam more credible, so they mixed up whatever they could find. The email pretends to be an electronic card coming from a “Europe Bank” but in the body the German bank “Bankpost” (which doesn’t exist, but should remind the recipient of Postbank obviously) is mentioned... The file referenced is called “card.exe” and contains the Trojan detected by our products TR/Drop.Agent.ctj.
With Christmas coming soon, we expect more and more of such scams pretending to be ecards from known persons, financial institutions and companies. Never click on the links contained, never execute the files attached in the email..."
:fear::mad:
Fake viral SPAM messages ...
FYI...
Fake viral SPAM messages ...
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake System Performance Software E-mail Messages...
December 06, 2010
Fake Secure Banking Application E-mail Messages...
December 06, 2010
Rapidshare Link E-mail Messages...
Updated! December 06, 2010
- http://www.ironport.com/toc/
Virus Outbreak In Progress
- http://labs.m86security.com/2010/12/...vice-or-is-it/
December 6, 2010 - "... Users should carefully check the links coming from emails, Facebook or any other social network, when the sender is unknown and the link is shortened, because there is no guarantee the URL is safe ..."
:mad:
SPAM msgs lead to "Virus Outbreak In Progress"
FYI...
SPAM msgs lead to "Virus Outbreak In Progress" ...
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake United Parcel Service Shipment Arrival E-mail Messages...
New! December 10, 2010
Fake DHL Shipment E-mail Messages...
Updated! December 10, 2010
Rapidshare Link E-mail Messages...
Updated! December 10, 2010
Fake Chat Invitation E-mail Messages...
Updated! December 10, 2010
- http://www.ironport.com/toc/
Virus Outbreak In Progress ...
:fear::fear:
TDSS malware/rootkit autostart...
FYI...
TDSS malware/rootkit autostart...
- http://blog.trendmicro.com/dissectin...nique-of-tdss/
Dec. 20, 2010 - "... Samples of a new TDSS variant, WORM_TDSS.TX, use the infamous LNK vulnerability (first brought to public attention by Stuxnet) to propagate... There are two techniques that TDSS uses for its autostart routines:
• Randomly choosing a system driver file (normally seen in %Windows%\System32\Drivers), modifying its resource section, and using this to directly read hard disk sectors and assemble its DLL file for its main malware behavior.
• Modifying the Master Boot Record (MBR) and using this to directly read hard disk sectors and assemble its DLL file for its main malware behavior...
TDSS targets BootExecute applications that are started by the Session Manager (smss.exe) before invoking the initial command (Winlogon in Windows XP) and before various subsystems were started. User-mode applications are not yet running at this point. Because they run so early, there is significant restriction on BootExecute applications: they must be native applications. In this context, “native” means that only the Windows NT Native API, resident in ntdll.dll, is available. At this stage, the Win32 subsystem, composed of the kernel-mode win32k.sys component and the user-mode client/server runtime CSRSS have not yet been started by SMSS. Not even the Kernel32 library is usable by BootExecute applications..."
(More detail and flowchart available at the URL above.)
TDSS infection count (alias: TDL3, Alureon)
- http://blog.trendmicro.com/wp-conten...tion-count.jpg
- http://support.kaspersky.com/viruses...&qid=208280684
2010 Dec 17
- http://blog.urlvoid.com/new-tdss-var...y-of-software/
December 19, 2010
:sad::fear::mad:
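The Trend Micro write-up quoted above describes TDSS hooking into BootExecute, the list of native applications that smss.exe runs before Win32 exists. One defensive check that follows from that is to audit the BootExecute value itself. The script below is an added example written for this thread, not code from Trend Micro or from the quoted article: it reads the REG_MULTI_SZ value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (a real Windows location) and flags any entry other than the stock "autocheck autochk" line. The sample values and the file name "examplenative.exe" are constructed for illustration and are not indicators from the article.

```python
"""Audit the Session Manager BootExecute list for unexpected native applications."""
import sys
from typing import List

# Real registry location of the BootExecute REG_MULTI_SZ value on Windows.
BOOT_EXECUTE_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
BOOT_EXECUTE_VALUE = "BootExecute"

# The stock entry on a clean install: autochk (the native-mode sibling of chkdsk)
# runs against volumes flagged dirty, possibly with extra arguments. Anything
# else in this list runs before Win32 is up and deserves a closer look.
EXPECTED_PREFIXES = ("autocheck autochk",)


def audit_boot_execute(entries: List[str]) -> List[str]:
    """Return the BootExecute entries that are not the standard autochk line.

    `entries` is the list of strings from the REG_MULTI_SZ value. Entries are
    compared case-insensitively after trimming whitespace; the empty trailing
    string that REG_MULTI_SZ data often carries is ignored.
    """
    suspicious = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        if not entry.lower().startswith(EXPECTED_PREFIXES):
            suspicious.append(entry)
    return suspicious


def read_boot_execute() -> List[str]:
    """Read the live BootExecute value. Works only on Windows (needs winreg)."""
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BOOT_EXECUTE_KEY) as key:
        value, value_type = winreg.QueryValueEx(key, BOOT_EXECUTE_VALUE)
    if value_type != winreg.REG_MULTI_SZ:
        raise TypeError(f"unexpected registry type {value_type} for BootExecute")
    return list(value)


# Constructed sample data (not from the article): a clean value, and one with a
# hypothetical extra native application appended the way a BootExecute
# persistence entry would appear.
CLEAN_SAMPLE = ["autocheck autochk *", ""]
TAMPERED_SAMPLE = ["autocheck autochk *", "examplenative.exe", ""]


if __name__ == "__main__":
    # On Windows inspect the real value; elsewhere fall back to the sample.
    entries = read_boot_execute() if sys.platform == "win32" else TAMPERED_SAMPLE
    flagged = audit_boot_execute(entries)
    if flagged:
        print("Unexpected BootExecute entries:")
        for entry in flagged:
            print("  ", entry)
    else:
        print("BootExecute contains only the standard autochk entry.")
```

A hit here is not proof of TDSS (legitimate disk tools occasionally register a BootExecute entry), but on a host that should have no such software it is a quick, low-cost triage signal to pair with an MBR and driver-file integrity check.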
Beware of strange web sites bearing gifts
FYI...
Beware of strange web sites bearing gifts ...
- http://isc.sans.edu/diary.html?storyid=10168
Last Updated: 2010-12-29 22:02:52 UTC - "... a recent wave of Java exploits to several addresses in the same 91.204.48.0/22 netblock**. The latest exploits in this case start with a file called "new.htm", which contains obfuscated code... The good news is that "host.exe" already has pretty decent anti-virus coverage on VirusTotal*... all the user has to do is click "Run" to get owned. The one small improvement is that the latest JREs show "Publisher: (NOT VERIFIED) Java Sun" in the pop-up, but I guess that users who read past the two exclamation marks will be bound to click "Run" anyway ..."
- http://isc.sans.edu/diaryimages/d-img3%281%29.jpg
* http://www.virustotal.com/file-scan/...9d8-1293650723
File name: host.exe
Submission date: 2010-12-29 19:25:23 (UTC)
Result: 31/43 (72.1%)
** http://isc.sans.edu/diary.html?storyid=10165
Last Updated: 2010-12-29 00:04:58 UTC
:fear::fear:
Android trojan found in wild - NEW
FYI...
Android trojan found in wild - NEW
- http://blog.mylookout.com/2010/12/geinimi_trojan/
December 29, 2010 - "A new Trojan affecting Android devices has recently emerged in China. Dubbed “Geinimi” based on its first known incarnation, this Trojan can compromise a significant amount of personal data on a user’s phone and send it to remote servers... Geinimi is also the first Android malware in the wild that displays botnet-like capabilities. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone..."
- http://www.h-online.com/security/new...a-1162008.html
30 December 2010 - "... If you get your apps from obscure sources, you will want to be careful not to give them unlimited rights, which the apps request upon installation; instead contact the vendor to see what rights are actually needed."
- http://isc.sans.edu/diary.html?storyid=10186
Last Updated: 2010-12-31 09:47:01 UTC
:mad:
New Year SPAM - Storm/Waledac...
FYI...
New Year SPAM - Storm/Waledac...
- http://community.websense.com/blogs/...m-waledac.aspx
31 Dec 2010 09:50 PM - "... emails mentioned were an early campaign done by what's now believed to be Storm v3 or Waledac v2. As our friends over at ShadowServer mention**... The URL in the email leads to lots of different sites, all compromised, where the user is immediately redirected using a <meta refresh> tag... A few other noteworthy things about this attack:
• The domains it uses to serve the malware are fast-fluxing, which means that when you request the URL it redirects you to a different IP address every time
• The file itself is either server-side generated or just updated very frequently
• AV coverage is pretty bad* ..."
* http://www.virustotal.com/file-scan/...57e-1293849911
File name: flash-006.exe
Submission date: 2011-01-01 02:45:11 (UTC)
Result: 7/42 (16.7%)
** http://forums.spybot.info/showpost.p...3&postcount=52
:fear::fear:
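Two of the behaviours in the Websense write-up above are easy to check for on the defender's side: the <meta refresh> hop on the compromised landing page and the fast-flux rotation of the serving domains. The code below is an added example for this thread, not code from Websense or ShadowServer. It assumes nothing beyond the Python standard library; the HTML snippet, the hostname flash-update.invalid and the DNS answers are constructed for illustration (only the file name flash-006.exe comes from the post).

```python
"""Spot a <meta refresh> redirect in fetched HTML and score DNS answers for fast flux."""
import re
from html.parser import HTMLParser
from typing import Dict, List


class MetaRefreshFinder(HTMLParser):
    """Collect the target URL of every <meta http-equiv="refresh"> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.targets: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0; url=http://..." with optional quotes, any case
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", attr.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1))


def find_meta_refresh(html: str) -> List[str]:
    """Return the redirect targets found in `html` (empty list if none)."""
    parser = MetaRefreshFinder()
    parser.feed(html)
    return parser.targets


def fast_flux_score(lookups: List[List[str]]) -> Dict[str, int]:
    """Summarise successive A-record answers for one hostname.

    `lookups` holds one list of IPs per resolution, in the order they were made.
    Fast-flux hosting shows many distinct IPs and a different answer almost every
    time; a CDN also rotates, but within a stable pool that repeats.
    """
    distinct = {ip for answer in lookups for ip in answer}
    changes = sum(1 for prev, cur in zip(lookups, lookups[1:]) if set(prev) != set(cur))
    return {"lookups": len(lookups), "distinct_ips": len(distinct),
            "changed_between_lookups": changes}


def looks_fast_flux(lookups: List[List[str]], min_distinct: int = 5,
                    min_change_ratio: float = 0.8) -> bool:
    """Heuristic: enough distinct IPs and the answer changes on most lookups."""
    score = fast_flux_score(lookups)
    if score["lookups"] < 2:
        return False
    ratio = score["changed_between_lookups"] / (score["lookups"] - 1)
    return score["distinct_ips"] >= min_distinct and ratio >= min_change_ratio


# Constructed landing page: a compromised site bouncing visitors to the payload.
SAMPLE_HTML = """<html><head>
<meta http-equiv="Refresh" content="0;URL=http://flash-update.invalid/flash-006.exe">
</head><body>Loading your e-card...</body></html>"""

# Constructed DNS answers (documentation ranges): one host that changes on every
# lookup and one that always answers from the same two-address pool.
FLUX_LOOKUPS = [["203.0.113.1"], ["203.0.113.7"], ["198.51.100.3"],
                ["203.0.113.22"], ["192.0.2.9"], ["198.51.100.44"]]
STABLE_LOOKUPS = [["192.0.2.10", "192.0.2.11"]] * 6


if __name__ == "__main__":
    print("meta refresh targets:", find_meta_refresh(SAMPLE_HTML))
    print("flux host:", fast_flux_score(FLUX_LOOKUPS), looks_fast_flux(FLUX_LOOKUPS))
    print("stable host:", fast_flux_score(STABLE_LOOKUPS), looks_fast_flux(STABLE_LOOKUPS))
```

In practice you would feed `fast_flux_score` with answers collected over several minutes from your resolver logs; the thresholds are starting points, and the TTL of the answers (very short for flux domains) is a useful extra signal the example leaves out.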
Xvid video fakes... TRON previews...
FYI...
Xvid video fakes... TRON previews...
- http://sunbeltblog.blogspot.com/2011...ts-galore.html
January 04, 2011 - "... hunting for some TRON action on the internet may end in frustration, surveys and installs aplenty. For example, hd-movies(dot)biz gives us a fairly standard “Fake advert on Youtube/hit you with a survey” scam... You might not want to bother... Clicking the player underneath the banner splash takes you to browserdl(dot)com/xvid_dl/ which wants you to install a program... XvidSetup.exe... there isn’t any TRON action going down once the end-user has installed ClickPotato, ShopperReports, QuestBrowser and blinkx Beat..."
:fear::mad: