Results 1 to 10 of 1320

Thread: SPAM frauds, fakes, and other MALWARE deliveries...

Threaded View

Previous Post Previous Post   Next Post Next Post
  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005

    Exclamation Fake MS email phish delivers Zeus via Java vuln ...


    Fake MS email phish delivers Zeus via Java vuln ...
    Last Updated: 2012-09-01 - "Thanks to Susan Bradley for reporting this to ISC.
    We're receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences.
    The legitimate version of this email is specific to a services agreement seen here*, per a change to Microsoft services as of 27 AUG. The evil version of this email will subject victim to a hyperlink that will send them to a Blackhole-compromised website, which will in turn deliver a fresh Zeus variant... (evil) email including the following header snippet:
    Received: from [] ([]) by
    inbound94.exchangedefender .com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166
    A legitimate header snippet:
    Received: from smtpi.msn .com ([]) by with Microsoft SMTPSVC(6.0.3790.4900) is in China, is Microsoft. The legitimate email will include a hyperlink for , which points to the above mentioned services agreement.
    (Obfuscated to protect the innocent): The phishing mail will instead include a hyperlink to the likes of allseasons****.us, radiothat****.com, and likely a plethora of others. I assessed radiothat****.com and was redirected to 209.x.y.14 which is running the very latest Blackhole evil as described on 28 AUG by Websense in this post**.
    Source code review of the web page served included <applet/code="ndshesa.ndshesf"/archive="Leh.jar"><param/nam=123 name=uid value="N013:011:011:04:037:061:061:047:034:076:074:0102:076:074:
    The VirusTotal link for Leh.jar is here(3), and the VirusTotal link for the Zeus variant offered is here(4)...
    Contemplate disabling Java(5) until the -next- update(6) is released..."



    File name: Leh.jar
    Detection ratio: 8/42
    Analysis date: 2012-09-01 05:28:51 UTC

    File name: updateflashplayer.exe
    Detection ratio: 6/42
    Analysis date: 2012-09-01 01:00:31 UTC


    inetnum: -
    netname: TSINGHUA-CN
    country: CN
    origin: AS4538
    ... 231 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-09-02, and the last time suspicious content was found was on 2012-09-02... We found 27 site(s)... that infected 743 other site(s).

    "... If you want to test whether you’ve successfully disabled Java, check out Rapid7's page, ."

    Last edited by AplusWebMaster; 2012-09-02 at 14:10.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts