Spamvertised.. campaign serving scareware
FYI...
- http://ddanchev.blogspot.com/2011/04...-campaign.html
April 12, 2011 - "A currently spamvertised scareware-serving campaign is enticing end users into downloading and executing a malicious binary, which drops a scareware variant.
Sample subject: Reqest rejected (SP?)
Sample message: "Dear Sirs, Thank you for your letter! Unfortunately we can not confirm your request! More information attached in document below. Thank you Best regards."
Sample attachments: EX-38463.pdf.zip; EX-38463.pdf.exe
Detection rate:
- http://www.virustotal.com/file-scan/...932-1302746736
File name: EX-38463.pdf.exe
Submission date: 2011-04-14 02:05:36 (UTC)
Current status: finished
Result: 35/41 (85.4%)
... Upon execution downloads hdjfskh .net/ pusk .exe - 208.43.90.48...
Detection rate:
- http://www.virustotal.com/file-scan/...83c-1302681312
File name: VRB.EXE.Muestra EliStartPage v23.03
Submission date: 2011-04-13 07:55:12 (UTC)
Current status: finished
Result: 19/42 (45.2%)
Phones back..."
(More detail at the ddanchev.blogspot URL above.)
:mad:
Fraud - intuit TurboTax e-mails ...
FYI...
- http://security.intuit.com/alert.php?a=29
04/15/2011 - "... fraudulent email (copy shown at the URL above)...
What we won't do
- We will -never- send you an email with a "software update" or "software download" attachment.
- We will -never- send you an email asking you for login or password information to be sent to us.
- We will -never- ask you for your banking information or credit card information in an email. We will -never- ask you for confidential information about your employees in an email.
What we'll do
- We will provide you with instructions on how to stay current with your Intuit product, and we will provide you with information on how to securely download an update from your computer.
- If we need you to update your account information, we will request that you do so by logging into your account..."
:sad::mad:
TDL rootkit bypasses security on x64 Vista/Win7
FYI...
- http://www.informationweek.com/news/...ndly=this-page
April 22, 2011 - "The malware state of the art continues to improve. In particular, the latest version of the TDL rootkit family - aka Olmarik, TDSS, Alureon - contains sophisticated mechanisms for bypassing security features built into 64-bit versions of Microsoft Windows Vista and Windows 7, and can download additional, standalone malware applications. The fourth version of the TDL malware first appeared* in August 2010 and contained sophisticated new techniques for defeating security measures... TDL4 can "load its kernel-mode driver on systems with an enforced kernel-mode code signing policy," meaning the 64-bit versions of Vista and Windows 7. At that point, the malware can hook directly into the Windows operating system... Since the fourth version of TDL first appeared, it's undergone numerous, incremental revisions. For example, in March 2011, a new version of TDL4 appeared that - after infecting a PC - installs the standalone Glupteba.D malware**, which can then download and execute other pieces of malware... no matter the security defense, such as driver signing, a way to defeat it can be found..."
* http://www.informationweek.com/news/...ndly=this-page
** http://resources.infosecinstitute.com/tdss4-part-1/
April 19, 2011
:mad::mad:
SPAM - malicious e-mail msgs...
FYI...
Virus Outbreak In Progress...
- http://www.ironport.com/toc/
April 25, 2011
- http://tools.cisco.com/security/cent...o=1&sortType=d
Fake Microsoft Live Messenger Download Link E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/cent...?alertId=23009
Fake Purchase Receipt E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/cent...?alertId=23008
Malicious Program Download E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/cent...?alertId=23007
Fake Malware Threat Notification E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/cent...?alertId=23006
Fake UPS Shipment Error E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/cent...?alertId=19743
Malicious Video Link E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/cent...?alertId=21895
Fake CNO Guidance Attachment E-mail Messages - April 21, 2011
- http://tools.cisco.com/security/cent...?alertId=22996
Malicious Photo Attachment E-mail Messages - April 22, 2011 ...
- http://tools.cisco.com/security/cent...?alertId=23003
:fear::mad:
Spamvertised "Successfull Order..." leads to scareware
FYI...
- http://ddanchev.blogspot.com/2011/04...er-977132.html
April 28, 2011 - "A currently ongoing malware campaign is impersonating Bobijou Inc for malware-serving purposes.
Sample subject: "Successfull Order 977132"
Sample message: "Thank you for ordering from Bobijou Inc. This message is to inform you that your order has been received and is currently being processed.
Your order reference is 901802. You will need this in all correspondence. This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address. You have chosen to pay by credit card. Your card will be charged for the amount of 262.00 USD and “Bobijou Inc”...
Sample attachments: Order_details.zip ...
Detection rates...
* http://www.virustotal.com/file-scan/...904-1303915483
File name: Order details.exe
Submission date: 2011-04-27 14:44:43 (UTC)
Result: 24/40 (60.0%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan/...904-1303987793
File name: 1
Submission date: 2011-04-28 10:49:53 (UTC)
Result: 34/42 (81.0%)
>>> Upon execution phones back to: kkojjors.net/f/g.php - 95.64.9.15...
variantov.com/pusk.exe - 94.63.149.26...
** http://www.virustotal.com/file-scan/...a05-1303916125
File name: pusk.exe
Submission date: 2011-04-27 14:55:25 (UTC)
Result: 4/41 (9.8%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan/...a05-1303939887
File name: hew.exe.VIR
Submission date: 2011-04-27 21:31:27 (UTC)
Result: 11/41 (26.8%)
:mad::mad:
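The two spamvertised campaigns quoted above (the "Reqest rejected" one with EX-38463.pdf.zip / EX-38463.pdf.exe and the "Successfull Order" one with Order_details.zip) share cheap mail-gateway signals: a document-looking name with a trailing executable or archive extension, an executable inside the zip, and a misspelled status word in the subject. The triage script below is an added example, not code from the thread or the quoted blogs; the extension lists and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Extension lists are an assumption for this example, not a vendor list.
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
DOC_EXT = {"pdf", "doc", "xls", "jpg", "txt", "html"}
ARCHIVE_EXT = {"zip", "rar", "7z"}

@dataclass
class Message:
    subject: str
    attachments: list                      # attachment names as delivered
    archive_members: list = field(default_factory=list)  # names inside any zip

def flag_attachment(name: str) -> list:
    """Return reasons a single attachment name looks like lure bait."""
    parts = name.lower().split(".")
    reasons = []
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    inner = parts[-2] if len(parts) >= 3 else ""   # e.g. "pdf" in x.pdf.exe
    if ext in EXEC_EXT:
        reasons.append(f"executable attachment ({name})")
    if inner in DOC_EXT and ext in EXEC_EXT | ARCHIVE_EXT:
        reasons.append(f"document name with trailing .{ext} ({name})")
    return reasons

def triage(msg: Message) -> list:
    """Collect every signal for one message; empty list means nothing flagged."""
    reasons = []
    for a in msg.attachments:
        reasons.extend(flag_attachment(a))
    for m in msg.archive_members:
        for r in flag_attachment(m):
            reasons.append("inside archive: " + r)
    # Misspelled status words in the subject, as the M86 post points out.
    if re.search(r"\bsuccessfull\b|\breqest\b", msg.subject, re.I):
        reasons.append(f"misspelled subject ({msg.subject!r})")
    return reasons

# Constructed samples modelled on the campaigns quoted in this thread.
SAMPLES = [
    Message("Reqest rejected", ["EX-38463.pdf.zip"], ["EX-38463.pdf.exe"]),
    Message("Successfull Order 977132", ["Order_details.zip"], ["Order details.exe"]),
    Message("Invoice for March", ["invoice-march.pdf"]),   # benign control
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.subject, "->", triage(s) or ["clean"])
```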
Malicious SPAM on the rise...
FYI...
- http://labs.m86security.com/2011/04/...ncrease-again/
April 29, 2011 - "... our stats show the bot herders are gearing up again with the proportion of spam with malware attachments rising*, although still not as high as the peaks we saw mid last year... After the bot herders took a brief Easter break, they are back to sending new waves of malicious spam. The first spam campaign was sent by the Cutwail botnet earlier this week. The email claims to be an invoice from Bobijou Inc. – an online jewellery brand. There is a chance that people might fall into this trap, especially as it claims money on your credit card was involved. But take a closer look at the subject line: Successfull Order 3677718; that wrong spelling should easily alert you that this email is a scam... Another malicious spam campaign originating from the Donbot botnet came in later this week. It uses a common, uncreative theme with subject lines like “my hot pic : )“, “my naked pic is attached“, etc. The Donbot botnet’s spam output is on the rise and this is the first time we have seen it spreading malicious attachments... In addition, this week we have been seeing more of the Asprox botnet’s “Spam from your Facebook account” campaign, which preys on people's fears about the security of their Facebook accounts. This campaign first came out last year, illustrating that the bot herders behind Asprox often cycle their spam campaigns between UPS, DHL, FEDEX and iTunes Gift Certificate among others... The attachment is a Trojan that aims to seed the Asprox bot executable in the infected host, which is then used for spamming purposes..."
* http://labs.m86security.com/wp-conte...iciousSpam.png
:mad::mad:
Facebook Scam... leads to Adware
FYI...
- http://labs.m86security.com/2011/05/...ads-to-adware/
May 1, 2011 - "... we observed a new type of scam, this one leveraging Facebook’s new social plugin for websites that allow for comments. This is being exploited by scammers to get their rogue websites visible on users’ news feeds... There are various flavors of the scam making the rounds. However, the newest one to make the rounds focuses on a familiar Apple product: the iPhone. With rumors circulating about the iPhone 5, loyal Apple followers are drawn to the various news articles that cover these stories... The report claims to be from Wired News and has one of those headlines that is used to lure a user into clicking on the link... Once a user clicks on the link, they are -redirected- to a random .info site. There have been over 10 of these in circulation for this particular scam. Before the user can click on anything, they are asked to answer a CAPTCHA-like verification form... Unlike most Facebook scams of late, at the end of this rainbow, there is no survey scam. Instead, the users are prompted to download an executable file. The executable file is videogameboxinstaller.exe and it is dubious in nature, as it downloads other pieces of software... PageRage notes in its terms above that it will display ads to the end user. Sounds like Adware? Four antivirus vendors agree*, flagging this as Adware.Yontoo... "
* http://www.virustotal.com/file-scan/...b4a-1304294930
File name: pagerage.exe
Submission date: 2011-05-02 00:08:50 (UTC)
Result: 4/41 (9.8%)
:mad: