PDF exploit disguised ...
FYI...
- http://labs.m86security.com/2011/02/...nned-document/
February 7, 2011 - "Most office network printers and scanners have a feature that sends scanned documents over email. Cyber crooks however, have imitated email templates used by these devices for malicious purposes. This week we noticed a malicious spam email that purports to be a scanned document sent using a Xerox WorkCentre Pro scanner... Variations of subject lines were used like
“Scan from XER0X”,
“Scan from XER0X ZIP Office”,
“Scan from XER0X Center Office” or
“Scan from XER0X Center Office”
... the attachment is actually not a Xerox WorkCentre Pro scanned document but instead a PDF exploit file that utilizes old Adobe Acrobat Reader vulnerabilities ..."
(Screenshots available at the URL above.)
More malicious email - Virus Outbreak In Progress
- http://tools.cisco.com/security/cent...utbreak.x?i=77
February 08, 2011
:fear::mad:
SPAM - Imageshack Scam Alerts
FYI...
- http://krebsonsecurity.com/2011/02/i...r-scam-alerts/
February 12, 2011 - "... Spammers have been promoting their rogue pharmacy sites via images uploaded to free image hosting service imageshack.com. In response, the company appears to have simply replaced those images with the following subtle warning:
- http://krebsonsecurity.com/wp-conten...2/imgshack.png ..."
:fear::lip:
BBC - injected w/malicious iFrame
FYI...
- http://community.websense.com/blogs/...ious-code.aspx
15 Feb 2011 - "The BBC - 6 Music Web site has been injected with a malicious iframe, as have areas of the BBC 1Xtra radio station Web site. At the time of writing this blog, the sites are still linking to an injected iframe... The injected iframe occurs at the foot of the BBC 6 Music Web page, and loads code from a Web site in the .co.cc TLD. The iFrame injected into the Radio 1Xtra Web page leads to the same malicious site. If an unprotected user browsed to the site they would be faced with drive-by downloads, meaning that simply browsing to the page is enough to get infected with a malicious executable. The payload is delivered to the end user only once, with the initial visit being logged by the malware authors. The code that is delivered to end users utilizes exploits delivered by the Phoenix exploit kit:
- http://community.websense.com/blogs/...oit-s-kit.aspx
A malicious binary is ultimately delivered to the end user. The VirusTotal detection* of this file is currently around 20%..."
* http://www.virustotal.com/file-scan/...6bc-1297784293
File name: 4a0ab371e6c6dd54deeab41ab1b77fa373d2face149523dfd183d669b[...].bin
Submission date: 2011-02-15 15:38:13 (UTC)
Result: 9/43 (20.9%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan/...6bc-1298083200
File name: 3810631eeaea4950d0e1bd48ec89be12
Submission date: 2011-02-19 02:40:00 (UTC)
Result: 28/43 (65.1%)
:mad:
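Added example (my own code, not from Websense or the BBC): a small audit that pulls every iframe out of a page and flags the ones that point off-site or are sized/styled to be invisible, which is the pattern described above (an injected iframe at the foot of the page loading from an unrelated domain). The sample HTML and the `injected-host.invalid` hostname are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag names
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    """Heuristic for iframes the visitor is not meant to see: 0/1 pixel or hidden via CSS."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def audit_iframes(html, site_host):
    """Return the iframes that load from another host or are hidden.

    site_host is the domain the page legitimately belongs to; a relative src
    (no host) is treated as on-site, and subdomains of site_host count as on-site.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or site_host
        off_site = host != site_host and not host.endswith("." + site_host)
        hidden = _is_hidden(attrs)
        if off_site or hidden:
            findings.append({"src": src, "host": host, "off_site": off_site, "hidden": hidden})
    return findings


# Constructed sample page: one legitimate embedded player plus an injected,
# invisible iframe appended at the foot of the page (placeholder host).
SAMPLE_PAGE = """<html><body>
<h1>Radio station page</h1>
<iframe src="/player/embed" width="400" height="300"></iframe>
<p>Schedule and programme notes...</p>
<iframe src="http://injected-host.invalid/" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_iframes(SAMPLE_PAGE, "bbc.co.uk"):
        print("suspicious iframe:", finding)
```

Running this on the sample flags only the second iframe (off-site and hidden). In practice you would fetch the page with the same User-Agent mix real visitors use, since the article notes the payload is delivered only once per visitor and the injected content may not be served to repeat requests.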
Smitnyl - MBR infector...
FYI...
- http://www.f-secure.com/weblog/archives/00002101.html
Feb. 17, 2011 - "... an MBR file system infector such as Trojan:W32/Smitnyl.A (98b349c7880eda46c63ae1061d2475181b2c9d7b), which appears to be distributed via some free file-sharing networks, seems worth a quick analysis, even if it only targets one portable executable system file and the infection is straightforward compared to common virus file infectors. Smitnyl.A first infects the MBR via raw disk access. Then it replaces it with a malicious MBR containing the file infector routine... MBR File System Infector... can bypass Windows File Protection (WFP). As WFP is running in protected mode, any WFP-protected file will be restored immediately if the file is replaced...
Userinit... is one of the processes launched automatically when the system starts, allowing the malware to execute automatically when the system starts.
Smitnyl infects Userinit from the first stage of the boot sequence. When the MBR is loaded to 0x7C00, it determines the active partition from the partition table and also the starting offset of boot sector. It then checks the machine’s file system type... Smitnyl will check for the Windows path from $ROOT down to the System32 directory, where userinit.exe is located... After decoding, it launches %temp%\explorer.exe using ShellExecute — this serves as a decoy to hide the infection. At the same time, it will execute the real explorer.exe using Winexec... there is nothing special about the final payload — it is merely a downloader. The infected userinit.exe disables 360safe's IE browser protection so that the downloader can retrieve files from the remote server http://[...].perfectexe.com/."
(More detail at the F-secure URL above.)
- http://www.urlvoid.com/scan/perfectexe.com
Detections: 8/19 (42%)
Status: DANGEROUS
:fear::fear::mad:
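Added example (my own code, not from F-Secure): the write-up says Smitnyl replaces the MBR with its own loader, reads the partition table to find the active partition and the boot sector offset, then works its way to System32\userinit.exe. The parser below does the partition-table part the same way a defender's forensic script would, and adds the check that catches this class of infector: hash the 446-byte boot-code region and compare it against a known-good baseline, since the infector leaves the partition table intact so the machine still boots. The MBR bytes are constructed, not a real disk image.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # legacy boot code occupies bytes 0..445
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow it
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511; the BIOS loads this sector at 0x7C00

# Standard MBR partition type IDs (a few common ones)
PART_TYPES = {0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}

# Entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_partition_table(mbr):
    """Return the non-empty partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PARTITION_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # unused slot
        entries.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown (0x%02x)" % ptype),
            "lba_start": lba_start,
            "sectors": sectors,
            # where the volume boot sector sits on disk, in bytes
            "boot_sector_byte_offset": lba_start * SECTOR_SIZE,
        })
    return entries


def active_partition(mbr):
    """The bootable partition, as the MBR loader (and the infector) would select it."""
    active = [e for e in parse_partition_table(mbr) if e["active"]]
    if len(active) != 1:
        raise ValueError("expected exactly one active partition, found %d" % len(active))
    return active[0]


def boot_code_hash(mbr):
    """SHA-256 of the boot-code region only, excluding the partition table."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr, baseline_hash):
    """True when the boot code still matches the known-good baseline."""
    return boot_code_hash(mbr) == baseline_hash


def build_sample_mbr(boot_code):
    """Construct a synthetic MBR: two partitions, the first one active (constructed data)."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into(ENTRY_FMT, mbr, PARTITION_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    struct.pack_into(ENTRY_FMT, mbr, PARTITION_TABLE_OFF + 16, 0x00, 0x0B, 206848, 102400)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Baseline taken from the clean image; the "tampered" image keeps the same
# partition table but carries different boot code, as an MBR infector would leave it.
CLEAN_MBR = build_sample_mbr(b"clean boot code placeholder")
BASELINE = boot_code_hash(CLEAN_MBR)
TAMPERED_MBR = build_sample_mbr(b"replaced boot code placeholder")

if __name__ == "__main__":
    part = active_partition(TAMPERED_MBR)
    print("active partition: %s, boot sector at byte offset %d" % (part["type_name"], part["boot_sector_byte_offset"]))
    print("clean MBR matches baseline:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered MBR matches baseline:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a real machine you would read sector 0 from the raw device (offline, from a trusted boot medium, since an active MBR infector can lie to code running on the infected OS) and keep the baseline hash somewhere the machine cannot modify.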
Social engineering to infect with malware ...
FYI...
- http://www.securitypark.co.uk/securi...cle265838.html
18/02/2011 - "In the past weeks, new malicious codes that use Facebook to ensnare victims have been wreaking havoc. The recent trend for developing computer threats designed to spread by exploiting the most popular social media continues to gather pace. One of these, Asprox.N, is a Trojan that reaches potential victims via email. It deceives users by telling them that their Facebook account is being used to distribute spam and that, for their security, the login credentials have been changed. It includes a fake Word document supposedly containing the new password. The email attachment has an unusual Word icon, and is called Facebook_details.exe. This file is really the Trojan which, when run, downloads a .doc file that runs Word to make users think the original file has opened. The Trojan, when run, downloads another file designed to open all available ports, connecting to various mail service providers in an attempt to spam as many users as possible. The other, Lolbot.Q, is distributed across IM applications such as MSN and Yahoo!, displaying a message with a malicious link. This link downloads a worm designed to hijack Facebook accounts and prevent users from accessing them. If users then try to log in to Facebook, a message appears informing them that the account has been suspended and that to reactivate it they must complete a questionnaire, with the offer of prizes –including laptops, iPads, etc.– to encourage users to take part... PandaLabs advises all users to be wary of any messages with unusually eye-catching subjects, whether via email or IM or any other channel; and to be careful when clicking on external links in Web pages..."
- http://pandalabs.pandasecurity.com/
:mad: :mad:
Oddjob trojan keeps sessions open...
FYI...
Oddjob Trojan keeps banking sessions open after victims log out
- http://www.theregister.co.uk/2011/02...anking_trojan/
February 22, 2011 - "... OddJob Trojan hijacks customers’ online banking sessions in real time using their session ID tokens. By keeping accounts open even after victims think they have quit, the malware creates a window for fraudsters to loot compromised accounts and commit fraud... Trusteer, the transaction security firm that discovered the malware, said it made the discovery a few months ago but is only able to report on it now following the conclusion of a police investigation. OddJob is being used by cyber-crooks based in Eastern Europe to attack their customers in several countries including the USA, Poland and Denmark... More information on the Oddjob Trojan can be found in a blog post by Trusteer here*."
* http://www.trusteer.com/blog/new-fin...ogout%E2%80%9D
:mad::fear:
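Added example (my own code, not Trusteer's and not from the article): OddJob works because a session ID that the bank's server still honours is all an attacker needs, and a logout the malware swallows on the client side changes nothing. The server-side session store below shows the two controls that limit that window: logout destroys the session in the store (so a copied token stops working even if the browser still has it), and idle/absolute timeouts expire a session whose logout never arrived. The timeout values and the fake clock are assumptions for the demo.

```python
import secrets
import time

# Policy values are assumptions for the demo, not any bank's real settings.
SESSION_LIFETIME = 15 * 60  # absolute lifetime, seconds
IDLE_TIMEOUT = 5 * 60       # seconds without a validated request


class SessionStore:
    """Server-side session table: the token is only a key, all state lives here."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so the demo is deterministic

    def login(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the user for a live session, or None.

        Every request is checked against the store, so a token the server has
        discarded is worthless no matter who still holds a copy of it.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        expired = (now - session["created"] > SESSION_LIFETIME
                   or now - session["last_seen"] > IDLE_TIMEOUT)
        if expired:
            self._sessions.pop(token, None)
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, token):
        """Destroy the session server-side. Clearing only the browser cookie
        would leave the token valid for anyone who copied it."""
        return self._sessions.pop(token, None) is not None

    def logout_all(self, user):
        """Revoke every session of a user, e.g. after a fraud report."""
        doomed = [t for t, s in self._sessions.items() if s["user"] == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def demo():
    """Walk through the two controls with a fake clock (constructed timeline)."""
    now = [1000.0]
    store = SessionStore(clock=lambda: now[0])
    token = store.login("alice")
    copied_token = token  # what client-side malware would have captured
    result = {"before_logout": store.validate(copied_token)}
    store.logout(token)
    result["after_logout"] = store.validate(copied_token)
    # Second session: the user never logs out (logout suppressed), but goes idle
    token2 = store.login("alice")
    now[0] += IDLE_TIMEOUT + 1
    result["after_idle"] = store.validate(token2)
    # Third session: kept active by periodic requests until the absolute limit
    token3 = store.login("alice")
    for _ in range(4):
        now[0] += IDLE_TIMEOUT - 1
        store.validate(token3)
    result["after_absolute"] = store.validate(token3)
    return result


if __name__ == "__main__":
    print(demo())
```

The absolute lifetime is the control that matters against a session kept artificially alive: a bot that keeps sending requests defeats the idle timeout but not the hard cap, so the window to "loot compromised accounts" is bounded even when the victim's logout never reaches the server.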
Facebook clickjacking malware - in Italian...
FYI...
- http://nakedsecurity.sophos.com/2011...ian-disguises/
February 22, 2011 - "Non-English speaking Facebook users shouldn't be fooled into believing that they are somehow immune from the scams and attacks that plague the social networking site. The latest few campaigns seen by SophosLabs, for instance, target Italian users of the social network... Colorful clickjacking attacks, requiring users to click on a series of rainbow-colored boxes without realizing they're authorizing other actions, are nothing new of course. As more and more criminals discover how successful attacks via Facebook can be, we can expect the tried-and-trusted techniques of the English-speaking world to be cloned elsewhere around the globe..."
:fear::mad:
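Added example (my own code, not from SophosLabs): the rainbow-box trick works by framing a page the victim is logged in to and laying the bait boxes over its buttons, so the defence on the site owner's side is to refuse being framed. This checker reads a response's headers and reports what framing policy they actually enforce, giving CSP `frame-ancestors` precedence over `X-Frame-Options` as browsers do. The sample header sets are constructed.

```python
def parse_csp(value):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def framing_protection(headers):
    """Classify the framing policy a response enforces.

    Returns 'deny', 'sameorigin', 'allowlist' (specific ancestors only) or
    'none' (anyone may frame it). Header names are matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:  # when present, frame-ancestors overrides X-Frame-Options
            if ancestors == ["'none'"]:
                return "deny"
            if ancestors == ["'self'"]:
                return "sameorigin"
            if "*" in ancestors:
                return "none"
            return "allowlist"
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "deny"
    if xfo == "sameorigin":
        return "sameorigin"
    return "none"


def audit(responses):
    """Map each named response to its framing classification, flagging 'none'."""
    return {name: framing_protection(hdrs) for name, hdrs in responses.items()}


# Constructed header sets standing in for real responses
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_partner": {"Content-Security-Policy": "frame-ancestors https://partner.example"},
    # CSP wildcard wins over the XFO header, so this one is effectively unprotected
    "csp_wildcard": {"content-security-policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        flag = "  <-- frameable" if verdict == "none" else ""
        print("%-14s %s%s" % (name, verdict, flag))
```

Run it over the headers of every page that carries a state-changing button (like, share, add friend); each one that comes back `none` is a clickjacking candidate.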
Ransomware a successor of scareware? ...
FYI...
- http://community.websense.com/blogs/...ransomway.aspx
24 Feb 2011 - "... We dare to say it is not. Both malware groups try to convince the victim that there is no way to avoid paying money, although the approach is very different. With scareware the victims at least have a chance to resist the social engineering offering the only solution and work on the cleaning process on their own. With ransomware this chance hardly exists at all. Yes, there are many similarities and it is likely the same people stand behind both types of malware groups. However, in one case there is a "seller" offering the "products and services"; in the other one an extorter asking for ransom. Even though both are illegal and dishonest, the approach is different.
Restoration and Protection: Restoration of data or access depends on the kind of malware. In some cases it is possible to download a utility and clean the infected system, in other cases to replace malicious parts with clean ones. Unfortunately, there is no means to bypass malware such as Gpcode. Therefore the only protection is to keep up-to-date backups stored -off- the machine all the time..."
- http://www.youtube.com/watch?v=JZT0JZybfVc
:fear::fear: