
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #151
    Adviser Team AplusWebMaster
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Google Groups trojan

    FYI...

    Google Groups trojan
    - http://www.symantec.com/connect/blog...-groups-trojan
    September 11, 2009 - "... A back door Trojan that we are calling Trojan.Grups* has been using the Google Groups newsgroups to distribute commands. Trojan distribution via newsgroups is relatively common, but this is the first instance of newsgroup C&C usage that Symantec has detected. It’s worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility. The Trojan itself is quite simple. It is distributed as a DLL, and when executed will log onto a specific account:
    Escape[REMOVED]@gmail.com
    h0[REMOVED]t
    The Web-based newsgroup can store both static “pages” and postings. When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out. The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject. The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time."
    * http://www.symantec.com/business/sec...214-99&tabid=2

    Last edited by AplusWebMaster; 2009-09-12 at 04:26.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #152
    AplusWebMaster

    Cyber Crooks Target Public & Private Schools

    FYI...

    Cyber Crooks Target Public & Private Schools
    - http://voices.washingtonpost.com/sec...lic_priva.html
    September 14, 2009; 8:00 AM ET - "A gang of organized cyber criminals that has stolen millions from businesses across the United States over the past month appears to have turned its sights on public schools and universities... Each of the transfers was kept just below $10,000 to avoid banks' anti-money laundering reporting requirements, and went out to at least 17 different accomplices or "money mules" that the attackers had hired via work-at-home job scams... With the help of the victims interviewed in this story, Security Fix was able to track down mules who said they were involved in each of the scams. All said they had been recruited via e-mail to sign up as "financial agents" at a company called Focus Group Inc. According to a write-up* by money mule site tracker Bob Harrison, the Focus Group Web site may look legit, but is "just the latest of the numerous highly generic Russian scam websites that has been set up to form a front for a money laundering fraud job advertisement."
    * http://www.bobbear.co.uk/focus-group-inc.html


  3. #153
    AplusWebMaster

    PBS site hacked - used to serve exploits

    FYI...

    PBS site hacked - used to serve exploits
    - http://www.threatpost.com/blogs/pbs-...e-exploits-118
    September 18, 2009 - "Some sections of the popular PBS.org Web site have been hijacked by hackers serving up a cocktail of dangerous exploits. According to researchers at Purewire*, attempts to access certain PBS Web site pages yielded JavaScript that serves exploits from a malicious domain via an iframe. The malicious JavaScript was found on the "Curious George" page that provides content on the popular animation series. A look at the code on the hijacked site shows malicious activity coming from a third-party .info domain. The URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015)..."
    * http://blog.purewire.com/bid/20389/P...Serve-Exploits


  4. #154
    AplusWebMaster

    Monopoly Game malware...

    FYI...

    Monopoly Game malware...
    - http://securitylabs.websense.com/con...erts/3481.aspx
    09.21.2009 - "Websense... discovered a new spam campaign that is targeting players of the Monopoly game. The Monopoly World Championships take place every four years, and Las Vegas is the host city of 2009. Because the Monopoly Regional Championships are going on all over the world and many Monopoly enthusiasts take part, the spammers utilize this chance to play their tricks. Our email honeypot systems detected over 30 thousand Monopoly spam messages on September 21, 2009 alone. The spam uses a social networking technique to "invite" you to play the online board game. It then provides a link to the fake Monopoly game download site, which in fact downloads a Trojan..."

    (Screenshots available at the URL above.)


  5. #155
    AplusWebMaster

    Malvertisements - weekend run...

    FYI...

    Malvertisements - weekend run...
    - http://blog.scansafe.com/journal/200...tisements.html
    September 24, 2009 - "Between Sep 19-21, malicious banner ads were served via multiple popular sites, including drudgereport.com, lyrics.com, horoscope.com and slacker.com. The ads delivered a trojan downloader using a variety of Adobe PDF exploits as well as the Microsoft ActiveX DirectShow exploit described in MS09-032. Detection of the malicious PDF is quite low, with only 3 out of 41 scanners detecting, as seen in this VirusTotal report*... Attackers use online ads for the same reasons a legitimate company would do so. When an attacker can infiltrate an advertising network, it enables them to reach a broad number of websites within a chosen category. This provides the attacker with the same return on investment that it would a legitimate advertiser – broad exposure to the audience of their choosing..."

    - http://www.theregister.co.uk/2009/09..._google_yahoo/
    24 September 2009 - "... They were delivered over networks belonging to Google's DoubleClick; Right Media's Yield Manager (owned by Yahoo); and Fastclick, owned by an outfit called ValueClick... the payload installed Win32/Alureon, a trojan that drops a backdoor on infected machines... also appeared on slacker.com ..."

    - http://www.virustotal.com/analisis/6...23b-1253635686
    File 201f338a343e02a41dc7a5344878b862 received on 2009.09.22 16:08:06 (UTC)
    Current status: finished
    Result: 3/41 (7.32%)


  6. #156
    AplusWebMaster

    Phishing attacks - Q2 2009

    FYI...

    Phishing attacks reach record levels in Q2 2009
    - http://www.markmonitor.com/pressrele...090928-bji.php
    September 28 2009 - "...
    • During Q2 2009, phish attacks reached record levels with more than 151,000 unique attacks
    • The average number of phishing attacks per organization also increased to record levels, with 351 attacks per organization, on average, in Q2 2009
    • Social networking attacks continued to rise significantly, recording a 168% increase from the same period in 2008
    • Brands in the financial and payment services industries are the most heavily-targeted industry categories for phishers, constituting 80 percent of all phish attacks in Q2 2009..."


  7. #157
    AplusWebMaster

    Fraudsters on social networking sites

    FYI...

    Fraudsters on social networking sites
    - http://www.ic3.gov/media/2009/091001.aspx
    October 1, 2009 - "Fraudsters continue to hijack accounts on social networking sites and spread malicious software by using various techniques. One technique involves the use of spam to promote phishing sites, claiming there has been a violation of the terms of agreement or some other type of issue which needs to be resolved. Other spam entices users to download an application or view a video. Some spam appears to be sent from users' "friends", giving the perception of being legitimate. Once the user responds to the phishing site, downloads the application, or clicks on the video link, their computer, telephone or other digital device becomes infected. Another technique used by fraudsters involves applications advertised on social networking sites, which appear legitimate; however, some of these applications install malicious code or rogue anti-virus software. Other malicious software gives the fraudsters access to your profile and personal information. These programs will automatically send messages to your "friends" list, instructing them to download the new application too. Infected users are often unknowingly spreading additional malware by having infected Web sites posted on their Webpage without their knowledge. Friends are then more apt to click on these sites since they appear to be endorsed by their contacts..."

    (Tips on avoiding these tactics available at the URL above.)


  8. #158
    AplusWebMaster

    SSL SPAM... w/Zbot

    FYI...

    SSL SPAM... w/Zbot
    - http://isc.sans.org/diary.html?storyid=7333
    Last Updated: 2009-10-13 13:13:34 UTC - "... started receiving SPAM messages along the following lines:
    'On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour. The changes will concern security, reliability and performance of mail service and the system as a whole. For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure. This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.
    http ://evil-link/evil-file
    Thank you in advance for your attention to this matter and sorry for possible inconveniences...'

    UPDATE
    the sample file we received was named patch.exe MD5=9abc553703f4e4fedb3ed975502a2c7a
    ZBOT characteristics, so trojan, keylogger, disables AV.
    http://www.threatexpert.com/report.a...3ed975502a2c7a
    "... Trojan-Spy.Zbot.YETH - Trojan-Spy.Zbot.YETH is a rootkit trojan which steals online banking information and downloads other malware as well..."

    ... ThreatExpert on the file... http://www.threatexpert.com/report.a...dfd9c50b0015c9
    "... Trojan-Spy.Zbot.YETH - Trojan-Spy.Zbot.YETH is a rootkit trojan which steals online banking information and downloads other malware as well..."
    ___

    - http://blog.trendmicro.com/tailor-ma...ous-companies/
    Oct. 14, 2009

    Last edited by AplusWebMaster; 2009-10-14 at 15:17.

  9. #159
    AplusWebMaster

    SSL SPAM - New variation...

    FYI...

    New variation of SSL Spam
    - http://isc.sans.org/diary.html?storyid=7357
    Last Updated: 2009-10-14 18:25:16 UTC
    "... update to a diary we did earlier this week. The body of the spam today is:
    ' Dear user of the <some company> mailing service!

    We are informing you that because of the security upgrade of the mailing
    service your mailbox (<user>@<some company>) settings were changed. In
    order to apply the new set of settings click on the following link ... '

    The email contains a link with a file to download. Some of the files we have seen are:
    settings-file.exe MD5: 0244586f873a83d89caa54db00853205
    settings-file2.exe MD5: e6436811c99289846b0532812ac49986
    The files are being detected by some anti-virus software programs at this time as Zbot variants..."


  10. #160
    AplusWebMaster

    Outlook SPAM/Scam w/malware

    FYI...

    Outlook SPAM/Scam w/malware
    - http://securitylabs.websense.com/con...erts/3491.aspx
    10.14.2009 - "Websense... has discovered a new wave of malicious attacks claiming to be an update for Microsoft Outlook Web Access (OWA). Victims receive a message leading to a site to apply mailbox settings which were supposedly changed due to a "security upgrade." The especially dangerous thing about these messages is that they are very deceiving. The messages and attack pages are personalized for the To: email address to imply the message is being sent from tech support of the domain. The URL in the email looks like it leads to the company's own OWA system. We have seen upwards of 30,000 of these messages per hour and they have low AV detection*... The malicious site is also very believable. The victim's domain is used as a sub-domain to the site so that the attack site appears to be the victim's actual OWA site. The victim's domain name and email address are also used in a number of locations on the malicious site to make it that much more believable..."
    * http://www.virustotal.com/analisis/e...9b8-1255552077
    File settings-file.exe received on 2009.10.14 20:27:57 (UTC)
    Result: 6/41 (14.63%)

    (Screenshots available at the Websense URL above.)

    - http://www.us-cert.gov/current/#malw..._spam_messages
    October 15, 2009

    Last edited by AplusWebMaster; 2009-10-16 at 07:14.
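The OWA "settings" campaign in posts #159 and #160 has one structural tell that a mail gateway can check mechanically: the link's hostname starts with the recipient's own e-mail domain but is registered under somebody else's domain. The script below is an added example for this thread, not code from Websense, ISC or the forum; the message samples and the `.test` hostnames are constructed, and the two-label approximation of a registrable domain is an assumption (a real filter would consult the Public Suffix List).

```python
"""Flag links that impersonate the recipient's own mail host.

Pattern from the alert: the phishing URL places the victim's e-mail domain
in the hostname as a sub-domain of an attacker-controlled domain, so that
'example.com.<something-else>' looks like the company's own OWA server.
Constructed example for illustration; not the vendors' or the forum's code.
"""
from urllib.parse import urlparse


def host_labels(host):
    """Split a hostname into lower-cased DNS labels, dropping a trailing dot."""
    return host.lower().rstrip(".").split(".")


def registrable_domain(host):
    # Assumption: the last two labels approximate the registrable domain.
    # Production filters should use the Public Suffix List instead.
    labels = host_labels(host)
    return ".".join(labels[-2:])


def classify_link(url, recipient):
    """Classify one link found in a message addressed to `recipient`.

    Returns one of:
      "internal"      - host is the recipient's domain or a sub-domain of it
      "impersonation" - recipient's domain appears as the leading labels of a
                        host whose registrable domain is someone else's
      "external"      - anything else (not flagged by this check)
    """
    victim = recipient.rsplit("@", 1)[-1].lower()
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "external"
    if host == victim or host.endswith("." + victim):
        return "internal"
    labels = host_labels(host)
    victim_labels = host_labels(victim)
    prefix_matches = labels[: len(victim_labels)] == victim_labels
    if prefix_matches and registrable_domain(host) != victim:
        return "impersonation"
    return "external"


# Constructed sample messages (recipient, link found in the body).
SAMPLE_MESSAGES = [
    {"to": "alice@example.com", "url": "https://owa.example.com/owa/"},
    {"to": "alice@example.com",
     "url": "http://example.com.mail-settings-update.test/owa/settings.php"},
    {"to": "bob@corp.example.org",
     "url": "http://corp.example.org.secure-owa.test/settings-file.exe"},
    {"to": "alice@example.com", "url": "https://www.microsoft.com/"},
]


def scan(messages):
    """Return (recipient, url, verdict) for every sampled message."""
    return [(m["to"], m["url"], classify_link(m["url"], m["to"]))
            for m in messages]


if __name__ == "__main__":
    for to, url, verdict in scan(SAMPLE_MESSAGES):
        print(f"{verdict:14} {to:24} {url}")
```

The check deliberately does not key on the word "owa" or on the executable name: the ISC diaries show the file name changing between waves (patch.exe, settings-file.exe, settings-file2.exe), whereas the victim-domain-as-sub-domain trick is what makes the page "very believable" and is the part worth matching on.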
