
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #401
    AplusWebMaster (Adviser Team) - Join Date: Oct 2005, Location: USA, Posts: 6,881

    Exploit Kits - OVH Canada / r5x .org ...

    FYI...

    Exploit Kits - OVH Canada / r5x .org / Penziatki
    - http://blog.dynamoo.com/2014/03/evil...penziatki.html
    13 Mar 2014 - "Hat tip to Frank Denis (@jedisct1)* for this report** on Nuclear EK's hosted by OVH Canada using their infamous "Penziatki" customer which is linked to black-hat host r5x .org***. The blocks have been identified as belonging to that customer and I would recommend that you block them:
    198.27.114.16/30
    198.27.114.64/27
    198.50.186.232/30
    198.50.186.236/30
    198.50.186.252/30
    198.50.231.204/30

    OVH Canada have repeatedly hosted exploit kits for this customer... If you are in a security-sensitive environment then you might simply want to block traffic to the following ranges:
    198.27.0.0/16
    198.50.0.0/16

    Of course this will block many legitimate sites, but if stopping exploit kits is a priority over some user inconvenience then you may want to consider it. If you want a slightly more nuanced blocklist then these ranges contain the biggest concentration of malware:
    198.27.114.0/24
    198.50.172.0/24
    198.50.186.0/24
    198.50.197.0/24
    198.50.231.0/24
    ..."
    (More detail at the dynamoo URL above.)

    * https://twitter.com/jedisct1

    ** https://gist.github.com/jedisct1/9509527 - Nuclear Exploit Kit Mar 12

    *** http://blog.dynamoo.com/search/label/R5X.org

    > http://google.com/safebrowsing/diagnostic?site=AS:16276
    ___

    Malware sites to block 13/3/14
    - http://blog.dynamoo.com/2014/03/malw...ock-13313.html
    13 Mar 2014 - "These IPs and domains seem to be involved in injection attacks today. I recommend you block them.
    64.120.242.178
    188.226.132.70
    93.189.46.90
    ...
    The domains being abused are as follows.. many of them appear to be hijacked legitimate domains..."
    (Many others listed at the dynamoo URL above.)
    ___

    Fake Blood count result - fake PDF malware
    - http://myonlinesecurity.co.uk/import...e-pdf-malware/
    13 Mar 2014 - "This email saying IMPORTANT Complete blood count result pretending to come from NICE (National Institute for Health and Care Excellence) has to be the most vicious and evil attempt by any malware purveyor to try to infect a victim. Sending an email saying that you probably have cancer will alarm & distress so many people and is just the most offensive and disgusting attempt to trick a user into opening a malware attachment... another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Other subjects in this evil email attempt to infect you are:
    - IMPORTANT:Blood analysis result
    - IMPORTANT:Blood analysis
    - IMPORTANT:Complete blood count (CBC)result ...
    > http://myonlinesecurity.co.uk/wp-con...-CBCresult.png
    ... 13 March 2014: CBC_Result_9B4824B65E.zip (55kb) Extracts to CBC_scaned_584444449.pdf.exe
    Current Virus total detections: 2/50*... careful when unzipping them and make sure you have “show known file extensions enabled”**, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
    * https://www.virustotal.com/en/file/d...is/1394703905/

    ** http://myonlinesecurity.co.uk/why-yo...wn-file-types/
    ___

    Key Secured Message -fake- PDF malware
    - http://myonlinesecurity.co.uk/key-se...e-pdf-malware/
    13 March 2014 - "Key Secured Message pretending to come from Payroll Reports <payroll @quickbooks .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details...
    > http://myonlinesecurity.co.uk/wp-con...ed-Message.png
    ... Extracts to NIKON-2013564-JPEG.scr ... Current Virus total detections: 2/50*
    This Key Secured Message is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
    * https://www.virustotal.com/en-gb/fil...55c2/analysis/
    ___

    Fake Sky .com "Statement of account" SPAM
    - http://blog.dynamoo.com/2014/03/skyc...ount-spam.html
    13 Mar 2014 - "This -fake- Sky .com email comes with a malicious attachment:
    Date: Thu, 13 Mar 2014 12:23:09 +0100 [07:23:09 EDT]
    From: "Sky .com" [statement@ sky .com]
    Subject: Statement of account
    Afternoon,
    Please find attached the statement of account.
    We look forward to receiving payment for the December invoice as this is now due for
    payment.
    Regards, Carmela ...
    Wilson McKendrick LLP Solicitors ...


    Attached is an archive Statement.zip which in turn contains a malicious executable Statement.scr which has a VirusTotal detection rate of 6/50*. Automated analysis tools... show attempted connections to the following domains and IPs:
    188.247.130.190 (Prime Telecom SRL, Romania)
    gobemall .com
    gobehost .info
    184.154.11.228 (Singlehop, US)
    terenceteo .com
    184.154.11.233 (Singlehop, US)
    quarkspark .org
    The two Singlehop IPs appear to belong to Host The Name (hostthename .com) which perhaps indicates a problem at that reseller.
    Recommended blocklist:
    184.154.11.228
    184.154.11.233
    188.247.130.190
    gobemall .com
    gobehost .info
    terenceteo .com
    quarkspark .org"
    * https://www.virustotal.com/en-gb/fil...is/1394715270/
    ___

    HM Revenue & Customs Spam
    - http://threattrack.tumblr.com/post/7...e-customs-spam
    Mar 12, 2014 - "Subjects Seen:
    HMRC Tax Notice
    Typical e-mail details:
    Dear <email address>
    Please be advised that one or more Tax Notices (P6, P6B) have been issued.
    For the latest information on your Tax Notices (P6, P6B) please open attached report.
    Document Reference: 6807706.


    Malicious File Name and MD5:
    PDF_Scanned_HMRCBBD45F6647.zip (09BA8CF32FDDE3F73EA8F2E6F75BDF1E)
    scaned_7246582_pdf_4364534533.exe (3F347C85BEA303904975FF0A8DE49E7E)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Ge41r6pupn.png

    Tagged: HMRC, weelsof

    Last edited by AplusWebMaster; 2014-03-13 at 20:24.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #402
    AplusWebMaster (Adviser Team)

    Google Docs users Targeted - Phishing Scam ...

    FYI...

    Google Docs users Targeted - Phishing Scam
    - http://www.symantec.com/connect/blog...-phishing-scam
    13 Mar 2014 - "We see -millions- of phishing messages every day, but recently, one stood out: a sophisticated scam targeting Google Docs and Google Drive users. The scam uses a simple subject of "Documents" and urges the recipient to view an important document on Google Docs by clicking on the included link. Of course, the link doesn't go to Google Docs, but it does go to Google, where a very convincing fake Google Docs login page is shown:
    Google Docs phishing login page:
    > http://www.symantec.com/connect/site...site_image.png
    The -fake- page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages. This login page will look familiar to many Google users, as it's used across Google's services. (The text below "One account. All of Google." mentions what service is being accessed, but this is a subtlety that many will not notice.) It's quite common to be prompted with a login page like this when accessing a Google Docs link, and many people may enter their credentials without a second thought. After pressing "Sign in", the user’s credentials are sent to a PHP script on a -compromised- web server. This page then redirects to a real Google Docs document, making the whole attack very convincing. Google accounts are a valuable target for phishers, as they can be used to access many services including Gmail and Google Play, which can be used to purchase Android applications and content..."
    ___

    ABSA Global business - certificate update – fake PDF malware
    - http://myonlinesecurity.co.uk/absa-g...e-pdf-malware/
    Mar 14, 2014 - "ABSA Global business customers 'certificate update' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. ABSA Global is a South African Bank so I wouldn’t expect a high number of US or UK citizens to have accounts with them, so this should be a quite obvious scam, phishing, malware attack to the majority of users. After examination of the malware, although many Antiviruses detect it as a Zbot, It looks more like an Androm version, possibly dropped by Asprox botnet. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details.
    Attention!
    On March 14, 2014 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
    The changes will concern security, reliability and performance of mail service and the system as a whole.
    For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
    This procedure is quite simple. All you have to do is just to install new server certificate attached to the letter.
    Thank you in advance for your attention to this matter and sorry for possible inconveniences.
    System Administrator ABSA Global


    cert p12 install instruction.zip (58kb) - Extracts to ABSA cert p12 install instruction.exe
    Current Virus total detections: 11/50* ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/f...5843/analysis/
    ___

    Fake Facebook messages
    - http://myonlinesecurity.co.uk/fake-facebook-messages/
    Mar 14, 2014 - "... plagued by Fake Facebook messages saying ” somebody commented on your status” (1) or “You requested a new Facebook password” (2) ...
    1) http://myonlinesecurity.co.uk/wp-con...our-status.png
    2) http://myonlinesecurity.co.uk/wp-con...k-password.png
    Always -hover- over the links in these emails and you will see that they do -not- lead to Facebook. Do not click on the links, just delete the emails as soon as they arrive. There is always the very high possibility that one of the other botnets will use these to send you to a malicious site where your computer will be infected, rather than trying to scam you out of money by selling fake medicines that could kill you."
    ___

    Banks to be hit with MS costs for running outdated ATMs
    - http://www.reuters.com/article/2014/...0M345C20140314
    LONDON/NEW YORK, March 14, 2014 - "Banks around the world, consumed with meeting more stringent capital regulations, will miss a deadline to upgrade outdated software for automated teller machines (ATMs) and face additional costs to Microsoft to keep them secure. The U.S. software company first warned that it was planning to end support for Windows XP in 2007, but only one-third of the world's 2.2 million ATMs which use the system will have been upgraded to a new platform, such as Windows 7, by the April deadline, according to NCR, one of the biggest ATM makers. To ensure the machines are protected against viruses and hackers many banks have agreed deals with Microsoft to continue supporting their ATMs until they are upgraded, extra costs and negotiations that were avoidable but are now likely to be a distraction for bank executives... Britain's five biggest banks - Lloyds Banking Group, Royal Bank of Scotland, HSBC, Barclays and Santander UK - either have, or are in the process of negotiating, extended support contracts with Microsoft. The cost of extending support and upgrading to a new platform for each of Britain's main banks would be in the region of 50 to 60 million pounds ($100 million), according to Sridhar Athreya, London-based head of financial services advisory at technology firm SunGard Consulting, an estimate corroborated by a source at one of the banks. Athreya said banks have left it late to upgrade systems after being overwhelmed by new regulatory demands in the wake of the 2007-08 financial crisis... Windows XP currently supports around 95 percent of the world's ATMs... many of the banks operating them will still be running their ATMs with Windows XP for a while after the April 8 deadline..."
    ___

    Bogus online casino themed campaigns intercepted in the wild
    - http://www.webroot.com/blog/2014/03/...ead-w32casino/
    Mar 14, 2014 - "... proliferation of social engineering driven, privacy-violating campaigns serving W32/Casino variants. Relying on affiliate based revenue sharing schemes and spamvertised campaigns as the primary distribution vectors, the rogue operators behind them continue tricking tens of thousands of gullible users into installing the malicious applications. We’ve recently intercepted a series of spamvertised campaigns distributing W32/Casino variants...
    Sample screenshots of the landing pages for the rogue casinos:
    1) https://www.webroot.com/blog/wp-cont...ationc_PUA.png
    2) https://www.webroot.com/blog/wp-cont...onc_PUA_01.png
    3) https://www.webroot.com/blog/wp-cont...onc_PUA_02.png
    4) https://www.webroot.com/blog/wp-cont...onc_PUA_03.png
    5) https://www.webroot.com/blog/wp-cont...onc_PUA_04.png
    6) https://www.webroot.com/blog/wp-cont...5-1024x576.png
    Spamvertised URLs:
    hxxp ://bit. ly/1brCoxg
    hxxp ://bit .ly/1bQRudq
    hxxp ://bit .ly/1mLQr5I
    hxxp ://bit .ly/MCOyaL
    hxxp ://bit .ly/1ec3UMN
    hxxp ://bit .ly/1hN6Vbd
    hxxp ://bit .ly/1mQ3XFu
    hxxp ://bit .ly/17DJ4pZ
    hxxp ://bit .ly/1ec2JNa
    hxxp ://bit .ly/1fBY6d5
    W32.Casino PUA domains reconnaissance:
    hxxp ://rubyfortune .com – 78.24.211.177
    hxxp ://grandparkerpromo .com – 95.215.61.160
    hxxp ://kingneptunescasino1 .com – 67.211.111.169
    hxxp ://riverbelle1 .com – 193.169.206.233
    hxxp ://europacasino .com – 87.252.217.13
    hxxp ://vegaspartnerlounge .com – 66.212.242.136

    Sample detection rates for the W32/Casino PUA:
    MD5: b80db6ec0e6c968499ce01232fbfdc5c * ... W32/Casino.P.gen!Eldorado
    MD5: a2a545adf4498e409f7971f326333333 ** ... Heuristic.BehavesLike.Win32.Suspicious-DTR.S
    MD5: a2a545adf4498e409f7971f326333333 *** ... W32/Casino.P.gen!Eldorado
    MD5: 1cd6db7edbbc07d1c68968f584c0ac82 **** ... W32/Casino.P.gen!Eldorado
    ... (More) Known to have been downloaded from the same IP (87.248.203.254) ..."
    * https://www.virustotal.com/en/file/1...is/1394642298/
    ** https://www.virustotal.com/en/file/4...is/1394642439/
    *** https://www.virustotal.com/en/file/3...is/1394643637/
    **** https://www.virustotal.com/en/file/4...is/1394643413/

    Last edited by AplusWebMaster; 2014-03-15 at 00:02.

  3. #403
    AplusWebMaster (Adviser Team)

    Something evil on 198.50.140.64/27, 192.95.6.196/30 ...

    FYI...

    Something evil on 198.50.140.64/27
    - http://blog.dynamoo.com/2014/03/some...501406427.html
    17 Mar 2014 - "Thanks again to Frank Denis (@jedisct1) for this heads up* involving grubby web host OVH Canada and their black hat customer "r5x .org / Penziatki" hosting the Nuclear EK in 198.50.140.64/27. A full list of all the web sites I can find associated with this range can be found here**, but the simplest thing to do is block 198.50.140.64/27 completely (or if you are paranoid about security and don't mind some collateral damage block 198.27.0.0/16 and 198.50.0.0/16). Domains in use that I can identify are listed below. I recommend you block -all- of them. Domains listed as malicious by Google are in red, those listed as suspect by SURBL are in italics.
    Recommended blocklist:
    198.50.140.64/27
    ingsat .eu
    kingro .biz
    ..."
    (More detail and domains listed at the dynamoo URL above.)
    * https://twitter.com/jedisct1/status/445220289534631937

    ** http://pastebin.com/kkPRKu6v
    ___

    Something evil on 192.95.6.196/30
    - http://blog.dynamoo.com/2014/03/some...295619630.html
    17 Mar 2014 - "Another useful tip by Frank Denis* on evil in the OVH Canada IP ranges, suballocated to their black hat customer "r5x .org / Penziatki", this time on 192.95.6.196/30. The following domains should be considered as dangerous and I would recommend blocking them as soon as possible:
    shoalfault .ru
    addrela .eu
    backinl .org
    A full list of the domains I can find in this /30 can be found here** [pastebin].
    Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
    198.27.0.0/16
    198.50.0.0/16
    198.95.0.0/16"
    * https://twitter.com/jedisct1/status/445690516433145856

    ** http://pastebin.com/RWG8uj00
    ___

    Bank of America / Merrill Lynch - Completion of request for ACH CashPro – fake PDF malware
    - http://myonlinesecurity.co.uk/bank-a...e-pdf-malware/
    Mar 17, 2014 - "Bank of America Merrill Lynch Completion of request for ACH CashPro is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details...
    > http://myonlinesecurity.co.uk/wp-con...CH-CashPro.png
    17 March 2014 securedoc.zip (12kb) Extracts to securedoc.exe
    Current Virus total detections: 2/49* - MALWR Auto Analysis**
    This Bank of America Merrill Lynch Completion of request for ACH CashPro is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
    * https://www.virustotal.com/en/file/4...9bf5/analysis/

    ** https://malwr.com/analysis/Njc2MjY3Y...VhYTEyMzI4OTY/
    ___

    Injection attack in progress 17/3/14
    - http://blog.dynamoo.com/2014/03/inje...ess-17314.html
    17 Mar 2014 - "A couple of injection attacks seem to be in progress, I haven't quite got to the bottom of them yet.. but you might want to block the following domains:
    fsv-hoopte-winsen .de
    grupocbi .com
    These are hosted on 82.165.77.21 and 72.47.228.162 respectively. The malware is resistant to automated tools and redirects improperly-formed attempts to analyse it to Bing [1] [2]. The malware is appended to hacked .js files on target sites... This sort of attack has been used to push -fake- software updates* in the past. Even though I can't quite get to the bottom of this at the moment, you can be pretty sure that this is Nothing Good and I would recommend blocking these domains."
    1) http://urlquery.net/report.php?id=9933756

    2) http://urlquery.net/report.php?id=9933677

    * http://blog.dynamoo.com/2014/01/scri...end-media.html
    ___

    Fake Personal message from Gmail Service – spam
    - http://myonlinesecurity.co.uk/fake-p...-service-spam/
    Mar 17, 2014 - "< your name> Personal message from Gmail Service is an alternative version of the Fake Facebook messages*. Just like the Facebook versions these either take you to a Women’s Health page trying to sell you fake drugs for slimming or other women’s problems. Other days they send you to one of the Canadian or Russian Pharmacy pages selling Viagra, valium or other illegal drugs.
    Fake Personal message from Gmail Service
    > http://myonlinesecurity.co.uk/wp-con...il-message.png
    Always -hover- over the links in these emails and you will see that they do -not- lead to Gmail. Do -not- click on the links, just delete the emails as soon as they arrive. There is always the very high possibility that one of the other -botnets- will use these to send you to a malicious site where your computer will be infected, rather than trying to scam you out of money by selling fake medicines..."
    * http://myonlinesecurity.co.uk/fake-facebook-messages/
    ___

    Fake Salesforce/Quickbooks invoice - malware
    - http://blog.dynamoo.com/2014/03/sale...d-overdue.html
    Mar 17, 2014 - "This -fake- Salesforce spam comes with a malicious attachment... actually two malicious attachments..
    Date: Mon, 17 Mar 2014 16:12:20 +0100 [11:12:20 EDT]
    From: "support @ salesforce .com" [support @ salesforce .com]
    Subject: Please respond - overdue payment
    Priority: High Priority 2
    Please find attached your invoices for the past months. Remit the payment by 01/9/2013 as outlines under our "Payment Terms" agreement.
    Thank you for your business,
    Sincerely,
    Alvaro Rocha
    This e-mail has been sent from an automated system...


    Attached are two archive files quickbook_invoice_89853654.rar and quickbook_invoice_8988561346654.zip which in turn contain the same malicious executable quickbook_invoice.scr which has a VirusTotal detection rate of 8/49*. Automated analysis tools... don't give much of a clue as to what is going on..."
    * https://www.virustotal.com/en-gb/fil...is/1395087978/

    Last edited by AplusWebMaster; 2014-03-18 at 07:56.
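    The dynamoo posts above (#401 and #403) give three layers of blocklist for the same hosting problem: the narrow per-customer allocations (/30 and /27), a "nuanced" set of /24s, and the blunt /16s. The helper below is an added example written for this thread, not code from dynamoo, Frank Denis or this forum; it uses only the Python standard library `ipaddress` module and the prefixes quoted in those two posts. It collapses adjacent prefixes into the minimal rule set, tests whether a destination address falls inside a list, and reports which narrow prefixes a broader list fails to cover (the 192.95.6.196/30 range from #403 is not inside any of the three /16s, which is exactly the kind of gap a practitioner should check before relying on a coarse block).

    ```python
    """CIDR blocklist helper (added example, not from the quoted dynamoo posts)."""
    import ipaddress

    # Prefixes as quoted in the thread (posts #401 and #403, dynamoo / Frank Denis reports).
    NARROW = [  # per-customer allocations attributed to "r5x .org / Penziatki"
        "198.27.114.16/30", "198.27.114.64/27",
        "198.50.186.232/30", "198.50.186.236/30", "198.50.186.252/30",
        "198.50.231.204/30",
        "198.50.140.64/27", "192.95.6.196/30",
    ]
    NUANCED = ["198.27.114.0/24", "198.50.172.0/24", "198.50.186.0/24",
               "198.50.197.0/24", "198.50.231.0/24"]          # the "nuanced" /24 list
    BROAD = ["198.27.0.0/16", "198.50.0.0/16", "198.95.0.0/16"]  # the blunt /16 list


    def parse(ranges):
        """Parse prefixes strictly: a typo such as a non-zero host part is an error, not a guess."""
        return [ipaddress.ip_network(r, strict=True) for r in ranges]


    def collapse(ranges):
        """Merge adjacent or overlapping prefixes so the firewall gets the minimal rule set."""
        return [str(n) for n in ipaddress.collapse_addresses(parse(ranges))]


    def is_blocked(ip, ranges):
        """True when the destination address lies inside any prefix of the list."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in parse(ranges))


    def uncovered(narrow, broad):
        """Narrow prefixes that no prefix in the broad list contains (gaps in a coarse block)."""
        broad_nets = parse(broad)
        return [r for r in narrow
                if not any(ipaddress.ip_network(r).subnet_of(b) for b in broad_nets)]


    def to_iptables(ranges, chain="OUTPUT"):
        """Render egress DROP rules ('block traffic to' the ranges), one per collapsed prefix."""
        return [f"iptables -A {chain} -d {net} -j DROP" for net in collapse(ranges)]


    if __name__ == "__main__":
        print("collapsed:", collapse(NARROW))
        print("not covered by the /16 list:", uncovered(NARROW, BROAD))
        print("\n".join(to_iptables(NARROW)))
    ```

    The three adjacent 198.50.186.x /30s collapse to 198.50.186.232/29 plus 198.50.186.252/30, so seven rules replace eight; `uncovered` is the check worth running whenever a coarse range is substituted for the specific allocations.
    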

  4. #404
    AplusWebMaster (Adviser Team)

    AMEX phish, Gov't Biz Dept SPAM ...

    FYI...

    AMEX phish...
    - http://myonlinesecurity.co.uk/americ...hing-attempts/
    Mar 18, 2014 - "We are seeing quite a few American Express -phishing- attempts trying to get your American Express details. These are very well crafted and look identical to genuine American Express emails. The senders appear to be from American Express until you look carefully at the email headers. They are using literally hundreds if not thousands of -hijacked- websites to perform these attacks. The site listed in the email is the first step in the chain and you are bounced on to other sites. The coding on the primary hijacked sites suggests that they are under the control of the Blackhole and Angler exploit kit criminals. This means that at any time when they have stolen enough identities and money, they will switch to spreading malware via the same network and emails. Do not click any links in these emails. Hover your mouse over the links and you will see a web address that isn’t American Express. Immediately -delete- the email; the safest way to make sure that it isn’t a genuine email from American Express is to type the American Express web address in your browser and then log in to the account that way. There are currently 2 main avenues of the American Express phishing attempts:
    AmericanExpress phishing attempts:
    1) http://myonlinesecurity.co.uk/wp-con...hing-email.png
    2) http://myonlinesecurity.co.uk/wp-con...hing-email.png
    Following the link in these takes you to a website that looks exactly like the real American Express site. You are then taken through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your American Express account, but also your Bank Account, Email details, webspace (if you have it). They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life..."
    ___

    Gov't Biz Dept. – fake PDF malware
    - http://myonlinesecurity.co.uk/govern...e-pdf-malware/
    Mar 18, 2014 - "Government Business Departament, pretending to come from Department for Business Innovation & Skills <business_dep@ gov .uk>, is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Please note the poor -spelling- in the email subject, which should be enough of a flag to warn users of the -fake-. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details.
    > http://myonlinesecurity.co.uk/wp-con...epartament.png
    ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    ___

    Fake YouTube email – fake mov malware
    - http://myonlinesecurity.co.uk/receiv...e-mov-malware/
    Mar 18, 2014 - "'You have received a YouTube video' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details... plain simple email with subject You have received a YouTube video and content just says 'Sent from my iPad'...
    18 March 2014 : VIDEO_819562694.MOV.ZIP (79kb) : Extracts to VIDEO_890589685.MOV.exe
    Current Virus total detections: 6/50*
    ... another one of the spoofed icon files... will look like a proper mov ( movie) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...69ae/analysis/

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...ywx1r6pupn.png
    ___

    500,000 PCs attacked after 25,000 UNIX servers hijacked ...
    - http://www.welivesecurity.com/2014/0...ation-windigo/
    Mar 18, 2014 - "... Researchers at ESET, in collaboration with CERT-Bund, the European Organization for Nuclear Research (CERN), the Swedish National Infrastructure for Computing and other agencies, have uncovered a widespread cybercriminal operation that has seized control of tens of thousands of Unix servers. And if your system is found to be infected, experts strongly recommend you re-install the operating system, and consider all credentials used to log into the machine as compromised. In short, if you are a victim, all passwords and private OpenSSH keys should be changed. The attack, which has been given the name “Windigo” after a mythical creature from Algonquian Native American folklore, has resulted in over 25,000 Unix servers being hacked, resulting in 35 million spam messages being sent each day from compromised machines...
    > http://www.welivesecurity.com/wp-con...digo-spam.jpeg
    ... That would be bad enough, normally. But in this case, malicious hackers have also been using hijacked web servers to infect visiting Windows PCs with click fraud and spam-sending malware, and display dating website adverts to Mac users. Even smartphone users don’t escape – finding their iPhones redirected to X-rated content, with the intention of making money for the cybercriminals...
    > http://www.welivesecurity.com/wp-con...go-iphone.jpeg
    ESET’s security research team has published a detailed technical paper* into “Operation Windigo”, and says it believes that the cybercrime campaign has been gathering strength, largely unnoticed by the security community, for over two and a half years..."
    An analysis of the visiting computers revealed a wide range of operating systems being used:
    > http://www.welivesecurity.com/wp-con...ims-by-os.jpeg
    (More detail at the welivesecurity URL at the top.)
    * http://www.welivesecurity.com/wp-con...on_windigo.pdf

    Indicators of Compromise
    - https://github.com/eset/malware-ioc

    Last edited by AplusWebMaster; 2014-03-19 at 01:42.
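    Several of the myonlinesecurity and dynamoo items in posts #401 through #404 describe the same attachment trick: an archive that extracts to an executable named like a document (CBC_scaned_584444449.pdf.exe, VIDEO_890589685.MOV.exe, NIKON-2013564-JPEG.scr, Statement.scr), which Windows shows without its real extension when "hide extensions for known file types" is on. The screening helper below is an added example written for this thread, not code from those blogs or this forum; it assumes a mail gateway has already listed the member names of an attached archive (the sample names are the ones quoted in the posts). It shows what a user with hidden extensions would see, flags executables with a document-style inner extension or keyword, and returns a quarantine verdict for the archive. Treat the keyword list as a constructed heuristic, not a complete signature.

    ```python
    """Attachment name screening (added example, not from the quoted blog posts)."""
    import os

    # Extensions Windows will execute directly when double-clicked (constructed, not exhaustive).
    EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
    # Document/media extensions the spoofed icons imitate in the quoted posts.
    DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".jpeg", ".jpg", ".mov", ".txt"}
    # Words in a file stem that suggest the sender wants it taken for a document (heuristic).
    DOCUMENT_KEYWORDS = {"pdf", "jpeg", "jpg", "mov", "doc"}


    def displayed_name(filename):
        """Name as shown by Explorer with 'hide extensions for known file types' enabled."""
        stem, ext = os.path.splitext(filename)
        return stem if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS else filename


    def screen(filename):
        """Return the reasons a single member name is suspicious (empty list = nothing found)."""
        flags = []
        stem, ext = os.path.splitext(filename)
        ext = ext.lower()
        if ext not in EXECUTABLE_EXTS:
            return flags
        flags.append("executable")
        inner = os.path.splitext(stem)[1].lower()      # e.g. ".pdf" in "x.pdf.exe"
        if inner in DOCUMENT_EXTS:
            flags.append(f"double extension ({inner}{ext})")
        else:
            for kw in sorted(DOCUMENT_KEYWORDS):        # e.g. "JPEG" in "NIKON-...-JPEG.scr"
                if kw in stem.lower():
                    flags.append(f"document keyword in name ({kw})")
                    break
        return flags


    def screen_archive(members):
        """Screen every member of an archive; quarantine when any member is flagged."""
        report = {name: screen(name) for name in members}
        verdict = "quarantine" if any(report.values()) else "allow"
        return verdict, report


    # Archive contents as quoted in the thread (constructed list; names copied from the posts).
    SAMPLE_ARCHIVES = {
        "CBC_Result_9B4824B65E.zip": ["CBC_scaned_584444449.pdf.exe"],
        "Statement.zip": ["Statement.scr"],
        "VIDEO_819562694.MOV.ZIP": ["VIDEO_890589685.MOV.exe"],
        "minutes.zip": ["minutes.pdf"],                 # benign control case
    }

    if __name__ == "__main__":
        for archive, members in SAMPLE_ARCHIVES.items():
            verdict, report = screen_archive(members)
            for name, flags in report.items():
                print(f"{archive}: {name} (shown as '{displayed_name(name)}') -> {verdict} {flags}")
    ```

    The point of `displayed_name` is the one the posts make repeatedly: with extensions hidden, `CBC_scaned_584444449.pdf.exe` and a genuine `CBC_scaned_584444449.pdf` are indistinguishable by name, so the check has to happen on the real name at the gateway or with extensions shown.
    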

  5. #405
    AplusWebMaster (Adviser Team)

    OVH Canada hosted exploit kits, Twitter Spamrun ...

    FYI...

    More OVH Canada hosted exploit kits
    - http://blog.dynamoo.com/2014/03/more...loit-kits.html
    19 Mar 2014 - "... Yesterday Frank identified three new OVH Canada ranges* being used to host the Nuclear EK [1], again the customer is "r5x .org / Penziatki"
    198.50.212.116/30
    198.50.131.220/30
    192.95.40.240/30

    Update: also 192.95.51.164/30 according to this Tweet**... A full list of everything I can find is here*** [pastebin] ... At a minimum I recommend that you block those IP ranges and/or domains.
    Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
    198.27.0.0/16
    198.50.0.0/16
    198.95.0.0/16
    "
    (More detail at the dynamoo URL above.)

    * https://twitter.com/jedisct1/status/445970337490927616

    ** https://twitter.com/jedisct1/status/446154856093343744

    *** http://pastebin.com/4eGWBwHV

    1] http://krebsonsecurity.com/tag/nuclear-exploit-pack/

    Updated - Mar 20, 2014: http://blog.dynamoo.com/search/label/OVH
    ___

    Something evil on 64.120.242.160/27
    - http://blog.dynamoo.com/2014/03/some...024216027.html
    19 Mar 2014 - "64.120.242.160/27 (Network Operations Center, US) is hosting a number of exploit domains (see this example report at VirusTotal*). There appears to be a variety of badness involved, and many of the domains hosted in the range are flagged as malicious by Google or SURBL (report here** [csv]). There appears to be nothing legitimate in this whole range. Domains flagged as malicious by Google are highlighted, ones marked as malicious by SURBL are in italics. I would recommend you block the entire lot.
    64.120.242.160/27
    asifctuenefcioroxa .net
    hukelmshiesuy .net
    asifctuenefcioroxa .com
    asifctuenefcioroxa .info
    ..."
    (Long list at the dynamoo URL above.)
    * https://www.virustotal.com/en-gb/ip-...0/information/

    ** http://www.dynamoo.com/files/64.120.242.160-27.csv
    ___

    Fake NatWest SPAM ...
    - http://blog.dynamoo.com/2014/03/natw...ed-secure.html
    19 Mar 2014 - "This -fake- NatWest spam has a malicious attachment:
    Date: Wed, 19 Mar 2014 15:14:02 +0100 [10:14:02 EDT]
    From: NatWest [secure.message@ natwest .co .uk]
    Subject: You have received a secure message
    You have received a secure message
    Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 4226.
    First time users - will need to register after opening the attachment...


    Attached to the message is an archive file SecureMessage.zip which in turn contains a malicious executable SecureMessage.scr which has a VirusTotal detection rate of 8/51*. Automated analysis tools... show attempted downloads from the following domains, both hosted on servers that appear to be completely compromised and should be blocked.
    199.193.115.111 (NOC4Hosts, US) ...
    184.107.149.74 (iWeb, Canada) ...
    50.116.4.71 (Linode, US) ...
    Recommended blocklist:
    199.193.115.111
    184.107.149.74
    50.116.4.71
    ..."
    (More detail at the dynamoo URL above.)
    * https://www.virustotal.com/en-gb/fil...is/1395245960/

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...ol61r6pupn.png
    ___

    Steer Clear of the Latest Twitter Spamrun
    - http://blog.malwarebytes.org/social-...itter-spamrun/
    Mar 19, 2014 - "Watch out for messages on your Twitter feed like the ones below, because they’ll try their best to give your account a bad hair day:
    > http://cdn.blog.malwarebytes.org/wp-...twitphish1.jpg
    Some of the (many) messages read as follows, and all are designed to entice the recipient into clicking:
    lmao I had a eerie feeling this was yours
    haha this post by you is so funny
    haha this was made by you?
    Im laughing so much right now at this
    haha this update by you is odd
    lol I had a eerie feeling this was you
    lolz this post by you is nuts
    lol this was posted by you?
    omfg this entry by you is crazy
    lolz this tweet by you is so funny
    LOL you got 2 see this, its epic
    omfg this post by you is cool
    lolz this post by you is hilarious... (more)

    There are others, but those seem to be the main ones and everything else is typically a variation on the above themes. The links take end-users to a site informing them of the following:
    “Your current session has ended
    For security purposes you were forcibly signed out. For security purposes you need to verify your Twitter account, please login”

    > http://cdn.blog.malwarebytes.org/wp-...3/twitpsh2.jpg
    ... change your password if you think you’ve already been affected by this one and clear up any rogue links lying around on your feed – your followers will thank you for it.
    Christopher Boyd (Hat-tip to @Cliffsull *)"
    * https://twitter.com/cliffsull

    Last edited by AplusWebMaster; 2014-03-20 at 17:20.
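A check a defender would run before copying the ranges above into a firewall, written here as an added example (not code from the dynamoo post): it verifies which of the narrow /30 exploit-kit ranges the broad /16 list already covers, which would still need their own rule, and collapses everything into the smallest equivalent prefix set. The CIDR strings are the ones quoted in the post above; nothing else is assumed.

```python
"""Check a firewall blocklist for coverage and overlap.

Added example: given the narrow exploit-kit ranges and the broad /16s quoted
in the post above, report which narrow ranges the broad list already covers
and which still need their own rule, then collapse the whole list.
"""
import ipaddress

# Narrow ranges quoted in the post above (Nuclear EK hosting, OVH Canada).
NARROW_RANGES = [
    "198.50.212.116/30",
    "198.50.131.220/30",
    "192.95.40.240/30",
    "192.95.51.164/30",
]

# Broad "collateral damage" ranges quoted in the post above.
BROAD_RANGES = [
    "198.27.0.0/16",
    "198.50.0.0/16",
    "198.95.0.0/16",
]


def parse_networks(ranges):
    """Parse CIDR strings; strict=False tolerates host bits being set."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def coverage(narrow, broad):
    """Split narrow ranges into those inside some broad range and those not."""
    broad_nets = parse_networks(broad)
    covered, uncovered = [], []
    for r in narrow:
        net = ipaddress.ip_network(r, strict=False)
        if any(net.subnet_of(b) for b in broad_nets if b.version == net.version):
            covered.append(r)
        else:
            uncovered.append(r)
    return covered, uncovered


def minimal_blocklist(ranges):
    """Collapse overlapping or nested prefixes into the smallest equivalent set."""
    nets = parse_networks(ranges)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def is_blocked(ip, ranges):
    """True if the address falls inside any range of the blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in parse_networks(ranges) if n.version == addr.version)


if __name__ == "__main__":
    covered, uncovered = coverage(NARROW_RANGES, BROAD_RANGES)
    print("already covered by the /16s:", covered)
    print("still need their own rule:  ", uncovered)
    print("minimal combined blocklist: ",
          minimal_blocklist(NARROW_RANGES + BROAD_RANGES))
```

Run as-is it shows that the two 192.95.x.x/30 ranges are not inside any of the three listed /16s, so a blocklist built only from the broad ranges would leave them open.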

  6. #406
    AplusWebMaster (Adviser Team)

    Something evil on 66.96.195.32/27, PHP bug ...

    FYI...

    Something evil on 66.96.195.32/27
    - http://blog.dynamoo.com/2014/03/some...961953227.html
    Mar 20, 2014 - "Another bad bunch of IPs hosted by Network Operations Center in Scranton following on from yesterday*, this time 66.96.195.32/27 which seems to be more of the same thing. The exploit kit in question is the Goon EK, as shown in this URLquery report**. It seems that it spreads by malicious SWF files being injected into legitimate websites (I think this one, for example [3]). The easiest thing to do would be to block traffic to 66.96.195.32/27, but I can see... malicious websites active in that range (all on 66.96.195.49 [4])..."
    * http://blog.dynamoo.com/2014/03/some...024216027.html

    ** http://urlquery.net/report.php?id=1395311494976

    3] http://urlquery.net/report.php?id=1395322515680

    4] https://www.virustotal.com/en/ip-add...9/information/
    ___

    PHP bug allowing site hijacking still menaces Internet 22 months on
    - http://arstechnica.com/security/2014...-22-months-on/
    Mar 19 2014 - "A vulnerability that allows attackers to take control of websites running older versions of the PHP scripting language continues to threaten the Internet almost two years after security researchers first warned that attackers could use it to remotely execute malicious code on vulnerable servers. As Ars reported 22 months ago, the code-execution exploits worked against PHP sites only when they ran in common gateway interface mode, a condition that applied by default to those running the Apache Web server. According to a blog post published Tuesday*, CVE-2012-1823**, as the vulnerability is formally indexed, remains under attack today by automated scripts that scour the Internet in search of sites that are susceptible to the attack. The sighting of in-the-wild exploits even after the availability of security patches underscores the reluctance of many sites to upgrade... PHP versions prior to 5.3.12 and 5.4.2 are vulnerable. The Imperva blog post* said that an estimated 16 percent of public websites are running a vulnerable version. People running susceptible versions should upgrade right away. Readers who visit vulnerable sites should notify the operators of the risk their site poses..."
    * http://blog.imperva.com/2014/03/thre...r-command.html
    Mar 18, 2014

    ** https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-1823 - 7.5 (HIGH)
    Last revised: 07/20/2013
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Product Shipping Documents Email Messages - 2014 Mar 20
    Fake Financial Documents Email Messages - 2014 Mar 20
    Email Messages with Malicious Attachments - 2014 Mar 20
    Fake Tax Return Notification Email Messages - 2014 Mar 20
    Email Messages with Malicious Attachments - 2014 Mar 20
    Fake Document Processing Request Email Messages - 2014 Mar 20
    Fake Fax Message Delivery Email Messages - 2014 Mar 20
    Fake Product Order Quotation Email Messages - 2014 Mar 20
    Fake Tax Document Email Messages - 2014 Mar 20
    Fake Payroll Information Notification Email Messages - 2014 Mar 20
    Fake Incoming Money Transfer Notification Email Messages - 2014 Mar 20
    Fake Bank Payment Transfer Notification Email Messages - 2014 Mar 20
    Fake Lawsuit Details Attachment Email Messages - 2014 Mar 20
    Fake Account Payment Information Email Messages - 2014 Mar 20
    Fake Product Order Notification Email Messages - 2014 Mar 20
    Fake Failed Delivery Notification Email Messages - 2014 Mar 20
    Fake Bank Transaction Notification Email Messages - 2014 Mar 19
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2014-03-21 at 02:32.

  7. #407
    AplusWebMaster (Adviser Team)

    Fake Amazon, Companies House SPAM, Something evil on 50.116.4.71 ...

    FYI...

    Fake Amazon .co .uk SPAM, Something evil on 50.116.4.71
    - http://blog.dynamoo.com/2014/03/amaz...g-evil-on.html
    21 Mar 2014 - "This -fake- Amazon .co .uk spam comes with a malicious attachment:
    Date: Fri, 21 Mar 2014 13:40:05 +0530 [04:10:05 EDT]
    From: "AMAZON .CO .UK" [SALES@ AMAZON .CO .UK]
    Cc: ; Fri, 21 Mar 2014 13:40:05 +0530
    Subject: Your Amazon.co.uk order ID841-6379889-7781077
    Hello, Thanks for your order. We’ll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
    Order Details
    Order #799-5059801-3688207 Placed on March 21, 2014 Order details and invoice in attached file.
    Need to make changes to your order? Visit our Help page for more information and video guides.
    We hope to see you again soon. Amazon .co .uk...


    There is an attachment Order details 21.04.2014 Amazon 19-1101.zip which contains a quite large 596Kb malicious executable Order details 21.04.2014 Amazon 19-1101.exe which only has a VirusTotal detection rate of 2/51*. The Malwr analysis** is the most comprehensive, and shows that it attempts to phone home... Out of these, aulbbiwslxpvvphxnjij .biz seems to be active on 50.116.4.71 (Linode, US). Combining the "phone home" domains with the other malicious domains hosted on that IP gives the following recommended blocklist:
    50.116.4.71
    afaxdlrnjdevgddqrcvkdmvemwo .org
    ..."
    (Long list at the dynamoo URL above.)

    * https://www.virustotal.com/en-gb/fil...is/1395393900/

    ** https://malwr.com/analysis/MWI1MGFlY...MzMmViZTk4ZjI/

    - https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake Companies House SPAM and 50.116.4.71 (again)
    - http://blog.dynamoo.com/2014/03/comp...471-again.html
    21 Mar 2014 - "This -fake- Companies House spam comes with a malicious attachment:
    Date: Fri, 21 Mar 2014 11:05:35 +0100 [06:05:35 EDT]
    From: Companies House [WebFiling@ companieshouse .gov .uk]
    Subject: Incident 8435407 - Companies House
    The submission number is: 8435407
    For more details please check attached file.
    Please quote this number in any communications with Companies House.
    All Web Filed documents are available to view / download for 10 days after their
    original submission. However it is not possible to view copies of accounts that
    were downloaded as templates.
    Companies House Executive Agency may use information it holds to prevent
    and detect fraud. We may also share such information, for the same purpose,
    with other Organizations that handle public funds.
    If you have any queries please contact the Companies House Contact Centre
    on +44 (0)303 1234 500 or email enquiries@companies-house .gov .uK
    Note: This email was sent from a notification-only email address which cannot
    accept incoming email. Please do not reply directly to this message...


    Attached is an archive file CH_Case_8435407.zip which in turn contains the malicious executable CH_Case_21032014.scr which has a VirusTotal detection rate of 3/49*. The Malwr analysis -again- shows an attempted connection to a Linode IP at 50.116.4.71 using the domain aulbbiwslxpvvphxnjij .biz. The malware also downloads a config file from a hacked WordPress installation at [donotclick]premiercrufinewine .co .uk/wp-content/uploads/2014/03/2103UKp.qta plus a number of other domains that are not resolving (listed below). I would recommend... the following blocklist in combination with this one.
    50.116.4.71
    aulbbiwslxpvvphxnjij.biz
    ..."
    (Long list at the dynamoo URL above.)

    * https://www.virustotal.com/en-gb/fil...is/1395396703/
    ___

    Fake Air Canada Ticket - malware
    - http://www.threattracksecurity.com/i...icket-malware/
    Mar 20, 2014 - "... The email (pictured below) was directed to an employee inbox purporting to be from Air Canada and directing the recipient to download and print their ticket. (Note: Air Canada was not hacked, nor were they part of this malware. The malicious URL distributing a previously unidentified malware is simply being masked to look like it’s coming from Air Canada.)
    > http://www.threattracksecurity.com/i...ious-Email.png
    The link hxxps ://www.aircanada .com/travelInformation/viewOrderInfo.do?action=download&fid=QB820910108CA pointed to another address, hxxp ://alienstub.com/pdf_ticket_820910108.zip, which hosts the malware, a zipped malicious file. Once the zip file is decompressed, the user will see a file called pdf_ticket_820910108.pif . Analysis by ThreatSecure quickly revealed the sample as an exploit categorized with a high severity (see in-product analysis screen below), exhibiting malicious behavior like disabling the Windows firewall, changing proxy settings in Internet Explorer, opening the command prompt, creating executable files and connecting to Windows Remote Access Connection Manager.
    > http://www.threattracksecurity.com/i...f-analsysi.jpg
    ... At the time of posting this blog, 16/51* antivirus vendors on VirusTotal detect this file as being malicious. The domain hxxp ://alienstub .com appears to be registered in China...
    * https://www.virustotal.com/en/file/d...7622/analysis/

    alienstub .com

    108.162.198.134
    - https://www.virustotal.com/en-gb/ip-...4/information/

    108.162.199.134 - https://www.virustotal.com/en-gb/ip-...4/information/

    Last edited by AplusWebMaster; 2014-03-22 at 01:09.

  8. #408
    AplusWebMaster (Adviser Team)

    Malware sites to block 23/3/14 (P2P/Gameover Zeus)

    FYI...

    Malware sites to block 23/3/14 (P2P/Gameover Zeus)
    - http://blog.dynamoo.com/2014/03/malw...ock-23314.html
    23 Mar 2014 - "These domains and IPs are associated with the Peer-to-peer / Gameover variant of Zeus as described in this blog post at MalwareMustDie*. I recommend that you -block- the -IPs- and/or domains listed as they are all malicious:
    50.116.4.71 (Linode, US) ...
    178.79.178.243 (Linode, UK)
    212.71.235.232 (Linode, UK)
    23.239.140.156 (Root Level Technology, US)

    50.116.4.71 ...
    178.79.178.243 ...
    212.71.235.232 ...
    23.239.140.156
    ..."
    (More - long list of domains listed at the dynamoo URL above.)
    * http://blog.malwaremustdie.org/2014/...er-crooks.html

    Last edited by AplusWebMaster; 2014-03-23 at 13:36.

  9. #409
    AplusWebMaster (Adviser Team)

    Fake Flash update hosted on OneDrive, HMRC SPAM

    FYI...

    Fake Flash update hosted on OneDrive
    - http://blog.dynamoo.com/2014/03/js-i...sh-update.html
    25 Mar 2014 - "This kind of attack is nothing new, but there has been a sharp uptick recently in injection attacks that alter .js files on vulnerable systems. The payload is a -fake- Flash update with a surprisingly low detection rate, hosted on Microsoft OneDrive. The first step in the attack is through a vulnerable site such as this one [urlquery*]. In turn, the infected .js file leads to [donotclick]alientechdesigns .com/NLBFH8ZG.php?id=88473423 which in turn leads to a fake Flash popup hosted at [donotclick]alientechdesigns .com/NLBFH8ZG.php?html=27 which you can see an approximation of here [urlquery**].
    > https://lh3.ggpht.com/-sLx4s_0GoKQ/U...fake-flash.jpg
    The link in the popup goes to a download location at [donotclick]onedrive.live .com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21111 which downloads a file flashplayerinstaller.exe. flashplayerinstaller.exe is the first stage in the infection; it has a VirusTotal detection rate of just 3/51***. The Malwr report shows that this then downloads two additional components, from:
    [donotclick]onedrive.live .com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21112
    [donotclick]onedrive.live .com/download.aspx?cid=20e850f993bd56fd&resid=20E850F993BD56FD%21108
    The first one of these is called flashplayer2.exe which has a VirusTotal detection rate of 4/51 [5]. Malwr, Anubis and Comodo CAMAS show some working of this malware. The second file is called update2.exe with a VirusTotal detection rate of 5/49****. This seems somewhat resistant to automated analysis tools... This sort of attack is hard to block from a network point of view as it leverages legitimate sites. Perhaps the best way to protect yourself is a bit of user education about where it is appropriate to download updates from."
    * http://urlquery.net/report.php?id=1395739538065

    ** http://urlquery.net/report.php?id=1395739786885

    *** https://www.virustotal.com/en-gb/fil...is/1395739964/

    **** https://www.virustotal.com/en-gb/fil...is/1395742041/

    5] https://www.virustotal.com/en/file/9...is/1395740434/
    ___

    Fake HMRC SPAM
    - http://blog.dynamoo.com/2014/03/you-...ages-from.html
    25 Mar 2014 - "This fake HMRC spam comes with a malicious attachment:
    Date: Tue, 25 Mar 2014 12:59:28 +0100 [07:59:28 EDT]
    From: "noreply@hmrc .gov .uk" [noreply@hmrc .gov .uk]
    Subject: You have received new messages from HMRC
    Please be advised that one or more Tax Notices (P6, P6B) have been issued.
    For the latest information on your Tax Notices (P6, P6B) please open attached report.
    Please do not reply to this e-mail.
    1.This e-mail and any files or documents transmitted with it are confidential and
    intended solely for the use of the intended recipient. Unauthorised use, disclosure or
    copying is strictly prohibited and may be unlawful. If you have received this e-mail in
    error, please notify the sender at the above address and then delete the e-mail from your
    system. 2. If you suspect that this e-mail may have been intercepted or amended, please
    notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
    sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
    this e-mail and any attachments have been created in the knowledge that internet e-mail
    is not a 100% secure communications medium. It is your responsibility to ensure that they
    are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
    for any loss or damage arising from the receipt of this e-mail or its contents.
    QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
    Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
    TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
    TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
    Solicitors Regulation Authority (57864). A full list of Partners names is available from
    any of our offices....


    The attachment is called HMRC_TAX_Notice_rep.zip which in turn contains a malicious executable HMRC_TAX_Notice_rep.scr which has a VirusTotal detection rate of 5/51*. According to the Malwr report, the malware makes a download from the following locations hosted on 67.205.16.21 (New Dream Network, US):
    [donotclick]sandsca .com.au/directions/2503UKp.tis
    [donotclick]www.sandsca .com.au/directions/2503UKp.tis
    Subsequent communications are made with aulbbiwslxpvvphxnjij .biz on the familiar looking Linode IP of 50.116.4.71, and also qkdapcqinizsczxrwaelaimznfbqq .biz on another Linode IP of 178.79.178.243. An attempt is also made to connect to hzdmjjneyeuxkpzkrunrgyqgcukf .org which does not resolve...
    Recommended blocklist:
    50.116.4.71
    178.79.178.243
    sandsca .com
    aulbbiwslxpvvphxnjij .biz
    qkdapcqinizsczxrwaelaimznfbqq .biz
    hzdmjjneyeuxkpzkrunrgyqgcukf .org
    "
    * https://www.virustotal.com/en-gb/fil...is/1395750216/

    - https://www.virustotal.com/en/ip-add...1/information/

    - https://www.virustotal.com/en/ip-add...1/information/

    - https://www.virustotal.com/en/ip-add...3/information/
    ___

    Google Drive Email - Phish ...
    - http://www.hoax-slayer.com/google-dr...ing-scam.shtml
    Mar 25, 2014 - "... email requests recipients to click a link to view a document that the sender uploaded using Google Cloud Drive. There is no document to be viewed, urgent or otherwise. The email is a -phishing- scam designed to trick recipients into giving their email login details to Internet criminals... Example:
    Hello,
    Kindly click the link to view the document I uploaded for you using Google
    cloud drive.
    [Link removed]
    Just Sign in with your email to view the document, it is very important.
    Thank you,
    Rev. Dr. Karen [Surname Removed]
    Serving Humanity Spiritually
    [Phone number removed]
    Good works are links that form a chain of love.
    Mother Teresa


    Screenshot of phishing website:
    > http://www.hoax-slayer.com/images/go...ing-scam-1.jpg
    ... Users who fall for the ruse and click the link as instructed will be taken to a -bogus- website that includes the Google Drive logo along with a login screen that asks for both their email address and email password. If users submit their email credentials as requested and click the 'View document' button, they will be redirected to Google's Gmail home page... however, their email address and password will be sent to online criminals. The criminals can use the stolen details to hijack webmail accounts belonging to victims. Hijacked accounts can be used to perpetrate more scam and spam campaigns, all in the names of the victims. If victims submitted details for a Gmail account, the scammers may be able to use the same login information to access other Google services as well as email..."
    ___

    Gameover ZeuS now targets users of employment websites
    - http://net-security.org/malware_news.php?id=2745
    Mar 25, 2014 - "Some newer variants of the Gameover Zeus Trojan, which is exceptionally good at using complex web injections to perform Man-in-the-Browser (MITB) attacks and gain additional information about the victims to be used for bypassing multi-factor authentication mechanisms and effecting social engineering attacks, have been spotted targeting users of popular employment websites. They initially focused on CareerBuilder.com (largest employment website in the US), but now also on Monster.com (one of the largest in the world). The -fake- login page victims are served with looks virtually identical to the legitimate one, but the next one is a web form injected by the malware:
    > http://www.net-security.org/images/a...r-25032014.jpg
    There are 18 different questions to choose from, and they range from the name of the city where your sibling lives/you got your first job/you met your spouse, to the name of your school(s)/friend/work supervisor and significant dates and numbers in your life..."

    - http://www.f-secure.com/weblog/archives/00002687.html
    March 25, 2014
    ___

    Deceptive ads expose users to the Adware.Linkular/Win32.SpeedUpMyPC.A PUAs
    - http://www.webroot.com/blog/2014/03/...-applications/
    Mar 25, 2014 - "Rogue vendors of Potentially Unwanted Applications (PUAs) continue tricking tens of thousands of gullible users into installing deceptive and privacy violating applications. Largely relying on ‘visual social engineering’ tactics and basic branding concepts, the majority of campaigns convincingly present users with legitimately looking ToS (Terms of Service)/EULA (End User License Agreements) which socially engineered users accept, thereby assuming the responsibility for the potential privacy-violating activities taking place on their host. We’ve recently spotted yet another PUA campaign, relying on deceptive “Download Now” types of ads, enticing users into downloading the bogus GetMyFiles (Adware.Linkular) application, as well as the rogue SpeedUpMyPC (Win32.SpeedUpMyPC.A) PUA...
    Sample screenshot of Adware.Linkular download page:
    > https://www.webroot.com/blog/wp-cont...pplication.png
    Sample screenshot of Win32.SpeedUpMyPC.A download page:
    > https://www.webroot.com/blog/wp-cont...ication_01.png
    Domain name reconnaissance:
    getmyfilesnow .info – 54.208.165.36
    getmyfilesnow .com – 174.142.147.2
    coollinks .us – 174.142.147.5
    linkular .com – 208.109.216.125
    Detection rate for the PUA: MD5: 0d60941d1ec284cab2e861e05df89511 * ...
    Known to have responded to 54.208.165.36 ...
    Once executed, the sample phones back to:
    hxxp // 107.23.152.80 /api/software/?s=887&os=win32&output=1&v=2.2.2&l=1033&np=0&osv=5.1&b=ie&bv=8.0.6001.18702&c=12&cv=2.2.2.1768
    Sample detection rate for the Win32.SpeedUpMyPC.A PUA:
    MD5: 0a8ecb11e39db5647dcad9f0cc938c99 ** ... "
    * https://www.virustotal.com/en/file/2...is/1395713453/

    ** https://www.virustotal.com/en/file/e...is/1395717259/

    Last edited by AplusWebMaster; 2014-03-26 at 01:01.

  10. #410
    AplusWebMaster (Adviser Team)

    Something evil on 173.212.223.249, Fake PDF malware...

    FYI...

    Something evil on 173.212.223.249
    - http://blog.dynamoo.com/2014/03/some...212223249.html
    26 Mar 2014 - "There's some sort of evil at work here, but I can't quite replicate it.. however I would recommend that you put a block in for 173.212.223.249 (Network Operations Center, US). The infection chain I have spotted here starts with a typical compromised website, in this case:
    [donotclick]onerecipedaily .com/prawn-patia-from-anjum-anands-i-love-curry/
    A quick look at the URLquery report* shows a general alert, but no smoking gun.. The incident logs come up with a generic detection... The following malicious subdomains are also active on 173.212.223.249:
    bkbr.beuqnyrtz .com
    syb.beuqnyrtz .com
    sxxmxv.beuqnyrtz .info
    The simplest thing to do to protect yourself against this particular threat is to use the following blocklist:
    173.212.223.249
    beuqnyrtz .com
    beuqnyrtz .info
    "
    (More detail at the dynamoo URL above.)
    * http://urlquery.net/report.php?id=1395844844686

    - https://www.virustotal.com/en/ip-add...9/information/

    - https://www.virustotal.com/en/ip-add...1/information/
    ___

    Info from SantanderBillpayment. co .uk - fake PDF malware
    - http://myonlinesecurity.co.uk/info-s...e-pdf-malware/
    26 Mar 2014 - "Info from SantanderBillpayment.co.uk pretending to come from Santanderbillpayment-noreply@SantanderBillPayment .co .uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these have a password stealing component, with the aim of stealing your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details. Analysis of this one is showing it likely to be a Gameover Zeus/Zbot variant. This is “new” — it’s going after a similar URL as the Pony samples we have been seeing in the last few weeks, but completely different binary. This has VM detection and if it detects that, it runs routines to choke memory and the CPU. On real hardware, it tries this URL (http :// 62.76.45.233 /2p/1.exe) given recent patterns, this is likely to be a Gameover production...
    Thank you for using BillPay. Please keep this email for your records.
    The following transaction was received on 18 March 2014 at 20:03:41.
    Payment type: VAT
    Customer reference no: 9789049470611
    Card type: Visa Debit
    Amount: 483.93 GBP
    Your transaction reference number for this payment is IR19758383.
    Please quote this reference number in any future communication regarding this payment.
    Full information in attachment.
    Yours sincerely,
    Banking Operations
    This message is intended for the named person above and may be confidential, privileged or otherwise protected from disclosure...


    26 March 2014 : VAT_F37D8FE5F9.zip (72kb) : Extracts to ATT00347_761105586544.pdf.exe
    Current Virus total detections: 7/51* MALWR Auto Analysis** ...
    ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...d4a2/analysis/

    ** https://malwr.com/analysis/NTQyOGVhN...RlMDZmMjVhMDk/

    - https://www.virustotal.com/en/ip-add...3/information/

    Last edited by AplusWebMaster; 2014-03-26 at 19:10.
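The lures quoted in this thread share one mechanic: a zip attachment whose "document" is really a .scr, .pif or .pdf.exe that looks like a PDF once Windows hides known extensions. The following mail-gateway style check is an added example, not code from any of the quoted posts; the archives it inspects are constructed in memory with dummy bytes under the attachment names quoted above, and the extension lists are this example's own assumptions.

```python
"""Flag mail attachments that hide an executable inside an archive.

Added example: builds constructed in-memory zips that mimic the lures quoted
in this thread (SecureMessage.scr, a .pif "ticket", a .pdf.exe with a spoofed
icon) and reports why each should be quarantined before a user opens it.
"""
import io
import zipfile

# Assumed list of extensions Windows runs directly when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
# Assumed list of document types the lures pretend to be.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "html"}


def classify_name(name):
    """Return a list of findings for one archive member name."""
    findings = []
    base = name.rsplit("/", 1)[-1]          # ignore any folder prefix inside the zip
    parts = base.lower().split(".")
    if len(parts) < 2:
        return findings
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{ext}")
        # e.g. ATT00347_761105586544.pdf.exe: shown as "....pdf" when extensions are hidden
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension .{parts[-2]}.{ext} (masquerades as a document)")
    return findings


def inspect_zip(data):
    """Inspect zip bytes; returns {member_name: [findings]} for risky members only."""
    report = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                findings = classify_name(info.filename)
                if findings:
                    report[info.filename] = findings
    except zipfile.BadZipFile:
        report["<archive>"] = ["not a valid zip archive"]
    return report


def build_zip(members):
    """Constructed sample: make an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed archives using the attachment names quoted in this thread.
# Member contents are dummy bytes, not malware.
SAMPLES = {
    "SecureMessage.zip": build_zip({"SecureMessage.scr": b"MZ dummy"}),
    "pdf_ticket_820910108.zip": build_zip({"pdf_ticket_820910108.pif": b"MZ dummy"}),
    "VAT_F37D8FE5F9.zip": build_zip({"ATT00347_761105586544.pdf.exe": b"MZ dummy"}),
    "quarterly_report.zip": build_zip({"report.pdf": b"%PDF-1.4 dummy"}),
}


def triage(samples):
    """Return the names of attachments that should be quarantined."""
    return [name for name, data in samples.items() if inspect_zip(data)]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", inspect_zip(data) or "clean")
```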
