FYI...
Fake Flash Updates - via SPAM attachment...
- http://www.gfi.com/blog/fake-adobe-f...es-in-the-web/
Jan 24, 2013 - "Following the return of fake Google Chrome browser updates almost two weeks ago, online criminals are now banking on fake Adobe Flash Player updates to lure the unwary user into downloading malware onto their system... spam emails claiming to be from the Better Business Bureau (BBB) and eFax Corporate... The BBB email contains an attachment that is found to be a Pony downloader that, once opened, downloads a variant of the ZeuS banking Trojan onto the affected user’s system. The said downloader also steals various passwords related to FTP sites..."
(Screenshots available at the gfi URL above.)
___
Malicious BT SPAM
- http://www.gfi.com/blog/beware-malic...ng-in-inboxes/
Jan 24, 2013 - "... if you’re a client of the BT (British Telecom) Group, be warned that there is a new spam campaign under the guise of a “Notice of Delivery” mail* pretending to originate from BT Business Direct... Once users download and open the attached HTM file, they are -redirected- to a Russian website the file calls back to. The website serves a Blackhole Exploit Kit, which then downloads Cridex once it finds a software vulnerability..."
* http://gfisoftware.tumblr.com/post/4...ttachment-spam
___
Fake ADP SPAM / 14.sofacomplete .com
- http://blog.dynamoo.com/2013/01/adp-...mpletecom.html
24 Jan 2013 - "This fake ADP spam leads to malware on 14.sofacomplete .com:
From: Erna_Thurman @ADP .com Date: 24 January 2013 17:48
Subject: ADP Generated Message: Final Notice - Digital Certificate Expiration
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY. If you have any questions, please contact your administrator for assistance.
Digital Certificate About to Expire
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.
Days left before expiration: 1
Expiration date: Jan 25 23:59:59 GMT-03:59 2013
Renewing Your Digital Certificate
1. Go to this URL: https ://netsecure.adp .com/pages/cert/register2.jsp
2. Follow the instructions on the screen.
3. Also you can download new digital certificate at https ://netsecure.adp .com/pages/cert/pickUpCert.faces.
Deleting Your Old Digital Certificate
After you renew your digital certificate, be sure to delete the old certificate. Follow the instructions at the end of the renewal process.
The malicious payload is at [donotclick]14.sofacomplete .com/read/saint_hate-namely_fails.php hosted on 73.246.103.26 (Comcast, US). There will probably be other malicious domains on this same IP, so blocking it may be useful."
___
Fake LinkedIn emails lead to client-side exploits and malware
- http://blog.webroot.com/2013/01/24/f...s-and-malware/
Jan 24, 2013 - "... Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, impersonating LinkedIn, in an attempt to trick its users into clicking on the malicious links found in the bogus “Invitation Notification” themed emails. Once they click on the links, users are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Name servers used by these malicious domains:
Name server: ns1.http-page .net – 31.170.106.17 – Email: ezvalue @yahoo .com
Name server: ns2.http-page .net – 7.129.51.158 – Email: ezvalue @yahoo .com
Name Server: ns1.high-grades .com – 208.117.43.145
Name Server: ns2.high-grades .com – 92.121.9.25
Sample malicious payload dropping URL:
hxxp ://shininghill .net/detects/solved-surely-considerable.php?vf=1o:31:1h:1l:2w&fe=33:1o:1g:1l:1m:1k:2v:1l:1o:32&n=1f&dw=w&qs=p
Upon successful client-side exploitation, the campaign drops MD5: fdc05614f56aca9421271887c1937f51 * ...Trojan-Spy.Win32.Zbot.ihgm.
Upon execution, the same creates the following process on the affected hosts:
%AppData%\Bytaa\yjdoly.exe
The following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Rekime
... Once executed, the sample also attempts to establish multiple UDP connections with the following IPs:
177.1.100.2 :11709
190.33.36.175 :11404
213.109.254.122 :29436
41.69.182.117 :29817
64.219.114.114 :13503
161.184.174.65 :14545
93.177.174.72 :10119
69.132.202.147 :16149..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/file/224c...b58d/analysis/
File name: info.ex_
Detection ratio: 30/44
Analysis date: 2013-01-23
___
Fake pharma sites 24/1/13
- http://blog.dynamoo.com/2013/01/fake...tes-24113.html
24 Jan 2013 - "Here's an updated list of fake RX sites being promoted through vague spam like this:
Date: Thu, 24 Jan 2013 04:44:45 +0000 (GMT)
From: "Account Info Change" [noreply @etraxx .com]
Subject: Updated information
Attention please:
- Over 50 new positions added (view recently added products)
- Free positions included with all accounts (read more here)
- The hottest products awaiting you in the first weeks of the new year (read more here)
- We want you to feel as comfortable as possible while you’re at our portal.
Click Here to Unsubscribe
As with a few days ago, these sites are hosted on:
199.59.56.59 (Hostwinds, Australia)
209.236.67.220 (WestHost Inc, US)
Currently active spamvertised sites are as follows:
(Long list available at the dynamoo URL above.)
___
Fake Efax Corporate SPAM / epimarkun .ru
- http://blog.dynamoo.com/2013/01/efax...imarkunru.html
24 Jan 2013 - "This fake eFax spam leads to malware on epimarkun .ru:
Date: Thu, 24 Jan 2013 04:04:42 +0600
From: Habbo Hotel [auto-contact @habbo .com]
Subject: Efax Corporate
Attachments: Efax_Corporate.htm
Fax Message [Caller-ID: 963153883]
You have received a 28 pages fax at Thu, 24 Jan 2013 04:04:42 +0600, (157)-194-4168.
* The reference number for this fax is [eFAX-009228416].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
There is an attachment called Efax_Corporate.htm leading to a malicious payload at [donotclick]epimarkun .ru:8080/forum/links/column.php which is hosted on the following IPs:
50.31.1.104 (Steadfast Networks, US)
94.23.3.196 (OVH, France)
202.72.245.146 (Mongolian Railway Commercial Center, Mongolia)
These IPs and domains are all malicious:
50.31.1.104
94.23.3.196
202.72.245.146
dmssmgf .ru
esekundi .ru
esenstialin .ru
disownon .ru
epimarkun .ru
damagalko .ru
dumarianoko .ru
epiratko .ru
dfudont .ru ..."
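The dynamoo and webroot posts quoted above publish their domains and IPs defanged ("epimarkun .ru", "[donotclick]", "hxxp ://"), which is handy for reading but useless for a block list or log search until it is undone. The script below is an added example, not code from GFI, Dynamoo or Webroot: it refangs the indicators copied from the posts above and scans a constructed proxy log (the five-field line format and the log lines are hypothetical) for hosts or destination IPs on the list. It matches subdomains of a listed domain, and it matches the destination IP independently of the hostname, which is the point made above about blocking 73.246.103.26 catching other domains on the same server.

```python
"""Refang the defanged network indicators quoted above and look for them in
proxy-log lines.  Added example, not code from GFI, Dynamoo or Webroot; the
log format and the log lines are constructed for the demonstration."""
import re

# Defanged domains and IPs copied from the quoted dynamoo and webroot posts.
DEFANGED_DOMAINS = [
    "14.sofacomplete .com", "shininghill .net", "http-page .net", "high-grades .com",
    "epimarkun .ru", "dmssmgf .ru", "esekundi .ru", "esenstialin .ru",
    "disownon .ru", "damagalko .ru", "dumarianoko .ru", "epiratko .ru", "dfudont .ru",
]
DEFANGED_IPS = [
    "73.246.103.26", "50.31.1.104", "94.23.3.196", "202.72.245.146",
    "31.170.106.17", "7.129.51.158", "208.117.43.145", "92.121.9.25",
]


def refang(ioc: str) -> str:
    """Undo the '[donotclick]', 'name .tld', 'ip :port' and 'hxxp ://' defanging."""
    ioc = ioc.replace("[donotclick]", "")
    ioc = re.sub(r"\s+\.", ".", ioc)        # "epimarkun .ru"        -> "epimarkun.ru"
    ioc = re.sub(r"\s+:", ":", ioc)         # "hxxp ://", "ip :port" -> no space
    ioc = re.sub(r"^hxxp", "http", ioc)     # "hxxp://", "hxxps://"  -> "http(s)://"
    return ioc.strip()


def hostname_of(value: str) -> str:
    """Strip scheme, port and path from a refanged URL or host:port string."""
    value = re.sub(r"^[a-z]+://", "", value)
    return value.split("/", 1)[0].split(":", 1)[0].lower()


def domain_matches(host: str, bad_domain: str) -> bool:
    """True for the listed domain itself and for any subdomain of it."""
    return host == bad_domain or host.endswith("." + bad_domain)


BAD_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
BAD_IPS = {refang(ip) for ip in DEFANGED_IPS}

# Constructed log format (hypothetical): "<timestamp> <src-ip> <dst-ip> <host[:port]> <path>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) (?P<path>\S+)$")


def scan_log(lines):
    """Return (line number, indicator type, indicator) for every IoC hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue                          # malformed line: skip it, do not crash
        host = hostname_of(m["host"])
        for bad in BAD_DOMAINS:
            if domain_matches(host, bad):
                hits.append((number, "domain", bad))
        if m["dst"] in BAD_IPS:               # catches other domains on the same server
            hits.append((number, "ip", m["dst"]))
    return hits


# Constructed sample log; 192.0.2.x / 203.0.113.x are documentation addresses.
SAMPLE_LOG = [
    "2013-01-24T17:52:10Z 192.0.2.21 203.0.113.5 www.example.com /",
    "2013-01-24T17:53:02Z 192.0.2.21 73.246.103.26 14.sofacomplete.com /read/saint_hate-namely_fails.php",
    "2013-01-24T18:04:41Z 192.0.2.33 94.23.3.196 epimarkun.ru:8080 /forum/links/column.php",
    "2013-01-24T18:10:00Z 192.0.2.40 203.0.113.9 cdn.shininghill.net /detects/solved-surely-considerable.php",
    "not a log line",
]

if __name__ == "__main__":
    for number, kind, indicator in scan_log(SAMPLE_LOG):
        print(f"line {number}: {kind} hit on {indicator}")
```

Running it reports two hits each for the sofacomplete and epimarkun lines (domain plus IP), one subdomain hit for shininghill.net, and nothing for the benign or malformed lines. Adapt `LOG_LINE` to whatever your proxy or DNS log actually emits; the refanging and matching logic does not depend on the format.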