FYI...
Fake DHL SPAM / DHL-LABEL-ID-2456-8344-5362-5466.zip
- http://blog.dynamoo.com/2013/04/dhl-...8344-5362.html
23 Apr 2013 - "This fake DHL spam has a malicious attachment.
Date: Tue, 23 Apr 2013 12:21:40 +0800 [00:21:40 EDT]
From: Ramon Brewer - DHL regional manager [reports @dhl .com]
Subject: DHL DELIVERY REPORT NY73377
DHL notification
Our company’s courier couldn’t make the delivery of parcel.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
DHL Global ...
Screenshot: https://lh3.ggpht.com/-ETQLGLo29qk/U...s1600/dhl2.png
Attached is a ZIP file called DHL-LABEL-ID-2456-8344-5362-5466.zip which contains an executable DHL-LABEL-ID-2456-8344-5362-5466.exe. VirusTotal detections are patchy at 22/45*..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en/file/b...is/1366703919/
File name: DHL-LABEL-ID-2456-8344-5362-5466.exe
Detection ratio: 22/45
Analysis date: 2013-04-23
> http://camas.comodo.com/cgi-bin/subm...94ecd0257d185b
___
Something evil on 173.246.104.104
- http://blog.dynamoo.com/2013/04/some...246104104.html
23 April 2013 - "173.246.104.104 (Gandi, US) popped up on my radar after a malvertising attack apparently utilising a hacked OpenX server (I'm not 100% which one so I won't name names) and leading to a payload on [donotclick]laserlipoplasticsurgeon .com/news/pint_excluded.php (report here*).
Both VirusTotal** and URLquery* detect multiple malicious domains on this IP. It appears that the domains were originally legitimate, but it looks like they have been hijacked by the bad guys somehow... I recommend that you apply the following blocklist for the time being:
173.246.104.104
(More listed at the dynamoo URL above.)
* http://urlquery.net/report.php?id=2122697
... Detected live BlackHole v2.0 exploit kit 173.246.104.104
- https://www.google.com/safebrowsing/...?site=AS:29169
** https://www.virustotal.com/en/ip-add...4/information/
___
Fake CareerBuilder SPAM / CB_Offer_04232013_8817391.zip
- http://blog.dynamoo.com/2013/04/care...tion-spam.html
23 Apr 2013 - "This fake CareerBuilder email has a malicious attachment containing malware.
Date: Tue, 23 Apr 2013 11:13:54 -0700 [14:13:54 EDT]
From: CareerBuilder [Herman_Gallagher @careerbuilder .com]
Subject: CareerBuilder Notification
Hello,
I am a customer service employee at CareerBuilder. I found a vacant position that you may be interested in based on information from your resume or a recent online submission you made on our site.
You can review the position on the CareerBuilder by downloading the attached PDF file.
Attached file is scanned in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http ://www.adobe .com
Best wishes in your job search !
Hal_Shields
Careerbuilder Customer Service Team
CareerBuilder ,5550-A Peachtree Parkway , Norcross, GA 30092
The attachment CB_Offer_04232013_8817391.zip contains a file called CB_Offer_04232013_8817391.exe with an icon designed to look like a PDF file. Note that the date is encoded into the file and future variants will have a different filename. VirusTotal detections are patchy*... I'm still waiting for some sort of analysis..
MD5 924310716fee707db1ea019c3b4eca56
SHA1 2d0d9c7da13f9ec9e4f49918ae99e9f17505a9cd
SHA256 e66a9c463e3f4eb4ca2994a29ec34e0a021ff2541f6a9647dfd3b9131ba38dd5 "
* https://www.virustotal.com/en/file/e...8dd5/analysis/
File name: CB_Offer_04232013_8817391.exe
Detection ratio: 19/46
Analysis date: 2013-04-24
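Both posts above give a mail gateway and a proxy team something concrete to act on: archive attachments whose names follow the DHL-LABEL-ID-… and CB_Offer_MMDDYYYY_… shapes (the blog notes the date is encoded in the name, so tomorrow's filename will differ), an executable hidden inside the ZIP, the published MD5/SHA1/SHA256 of the CareerBuilder sample, and the 173.246.104.104 blocklist entry. The script below is an added example written for this page, not code from dynamoo or from the poster. It generalises the two filenames into regular expressions, checks ZIP members by extension and by the MZ header rather than trusting the name, compares digests against the hashes quoted above, and matches proxy log lines against the blocklist. The function names, the log line format and the sample attachment are constructed for illustration; the stand-in "executable" is a few bytes starting with MZ, not the real sample.

```python
import hashlib
import io
import os
import re
import zipfile

# Indicators quoted from the two dynamoo posts above.
BLOCKLIST_IPS = {"173.246.104.104"}
KNOWN_HASHES = {  # CB_Offer_04232013_8817391.exe as published in the post
    "md5": {"924310716fee707db1ea019c3b4eca56"},
    "sha1": {"2d0d9c7da13f9ec9e4f49918ae99e9f17505a9cd"},
    "sha256": {"e66a9c463e3f4eb4ca2994a29ec34e0a021ff2541f6a9647dfd3b9131ba38dd5"},
}

# Filename shapes generalised from the two campaigns: the DHL label uses four
# 4-digit groups, the CareerBuilder offer embeds a date and a serial number, so
# a blocklist of exact filenames would miss the next variant.
LURE_NAME_PATTERNS = [
    re.compile(r"^DHL-LABEL-ID-\d{4}-\d{4}-\d{4}-\d{4}\.(zip|exe)$", re.IGNORECASE),
    re.compile(r"^CB_Offer_\d{8}_\d+\.(zip|exe)$", re.IGNORECASE),
]
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def triage_zip_attachment(attachment_name, zip_bytes):
    """Return a list of findings for one ZIP attachment (empty list = nothing flagged)."""
    findings = []
    if any(p.match(attachment_name) for p in LURE_NAME_PATTERNS):
        findings.append(f"attachment name matches known lure pattern: {attachment_name}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for member in archive.infolist():
            if member.is_dir():
                continue
            payload = archive.read(member)
            ext = os.path.splitext(member.filename)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"archive contains executable: {member.filename}")
            # A PE file renamed to look like a document still starts with "MZ",
            # so inspect content as well as the extension.
            if payload[:2] == b"MZ":
                findings.append(f"PE (MZ) header inside archive member: {member.filename}")
            for algo, known in KNOWN_HASHES.items():
                digest = hashlib.new(algo, payload).hexdigest()
                if digest in known:
                    findings.append(f"{algo} of {member.filename} matches published sample: {digest}")
    return findings


def scan_proxy_log(lines):
    """Return the proxy log lines that mention a blocklisted destination IP."""
    hits = []
    for line in lines:
        if any(ip in BLOCKLIST_IPS for ip in IPV4.findall(line)):
            hits.append(line)
    return hits


def build_sample_zip(member_name, payload):
    """Constructed test input: a ZIP holding one member, standing in for a real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, payload)
    return buf.getvalue()


# Constructed sample data: a harmless MZ-prefixed stand-in and a made-up log format.
SAMPLE_ATTACHMENT = build_sample_zip(
    "DHL-LABEL-ID-2456-8344-5362-5466.exe",
    b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the real sample",
)
SAMPLE_PROXY_LOG = [
    "2013-04-23T12:00:01Z client=10.0.0.5 dst=173.246.104.104 GET /",
    "2013-04-23T12:00:02Z client=10.0.0.6 dst=192.0.2.10 GET /index.html",
]

if __name__ == "__main__":
    for finding in triage_zip_attachment("DHL-LABEL-ID-2456-8344-5362-5466.zip", SAMPLE_ATTACHMENT):
        print("ATTACHMENT:", finding)
    for line in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("PROXY HIT:", line)
```

The hash check will only fire on the exact CareerBuilder binary from the post, which is why the name patterns and the MZ-in-archive check carry most of the weight against the "future variants" the blog warns about; the blocklist match is a plain string comparison on whatever IPs appear in a log line, so it works on any log format that prints dotted quads.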