SPAM frauds, fakes, and other MALWARE deliveries - archive

[AplusWebMaster]

FYI...

ZBOT targets Facebook again (with SPAM)
- http://blog.trendmicro.com/zbot-targets-facebook-again/
Dec. 15, 2009 - "ZBOT has currently been spotted engaging in another spam run targeting Facebook yet again. By clicking the link embedded in the email, users will land on a Facebook phishing page. This time, however, the phishing page contains an iframe that points to a Web exploit toolkit. This exploit toolkit can deliver a variety of exploits, depending upon the user’s browser and OS. For users of Firefox, the toolkit will push a .PDF file (detected by Trend Micro as TROJ_PIDIEF.PAL) to exploit a known vulnerability in Collab.getIcon. If the user is not infected via the exploit toolkit, ZBOT is still left with the social engineering aspect. After a user enters credentials into the phishing page, the user is led to a download page of updatetool.exe -or- the ZBOT binary (detected as TSPY_ZBOT.CCB)..."
(Screenshot available at the URL above.)

DHL - SPAM appears to have come from known courier DHL
- http://blog.trendmicro.com/bredolab-regifts-old-spam/
Dec. 15, 2009 - "BREDOLAB set out on a spam rerun just in time for the holidays. This recent run is similar to the laptop delivery note spam run we reported in August. This time, however, the spammed message appears to have come from known courier, DHL. The spammed message makes it appear as though the users have received a notification from DHL, alerting them about an error in shipping a certain package. The message also prompts the users to open an attached file. The attached file DHL_package_label_cfb35.exe is detected as TROJ_BREDOLAB.CB. The dynamics of this spam run, although relatively old and simple, could still pack a punch, especially now that we are well within that part of the holiday season where most people do their gift shopping. People who may have purchased a laptop online and are expecting it to come through the mail are prone to being victimized by this attack..."
(Screenshot available at the URL above.)

[AplusWebMaster]

FYI...

SPAM - Christmas e-cards...
- http://blog.trendmicro.com/christmas...from-spammers/
Dec. 25, 2009 - "Spammers are clearly putting the holidays to (their) good use, as they have made Christmas just another reason to spread malware. Trend Micro threat analysts recently received a spammed message purporting to come from 123greetings.com, a legitimate site that users can access to send e-cards to family and friends. The email message even sported the site’s logo... However, upon further investigation of the spammed message’s header, we noticed that the sender’s IP address did not match that of the legitimate 123greetings.com site... The spammed message urges the user to download and open the .ZIP file attachment, which is actually an .EXE file detected by Trend Micro as WORM_PROLACO.Z, in order to view the greeting card... To keep your system malware-free this festive season, do -not- open unsolicited email messages..."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

Fox Sports site - injected with malicious code
- http://securitylabs.websense.com/con...rts/3516.aspx?
12.29.2009 - Malicious Web Site / Malicious Code - "Websense... has detected that the Fox Sports site has been compromised and injected with malicious code... Our research shows that the site has been injected with two pieces of malicious code. One of them is the latest Gumblar campaign, and the other redirects individuals to a malicious Web site, whose link was unreachable at the time of this alert. The ThreatSeeker Network has detected that thousands of Web sites have been compromised by the latest Gumblar campaign. The Gumblar page is highly obfuscated. After deobfuscation, the page uses PDF and Flash exploits to run malware in order to control a victim's computer. In addition, a piece of VBScript is executed to download malware..."

(Screenshots available at the Websense URL above.)

[AplusWebMaster]

FYI...

New year related malware...
- http://www.f-secure.com/weblog/archives/00001847.html
December 31, 2009 - "The first signs of New Year malware for this year were already sighted a while back, but the current one we're seeing in circulation wishes "Happy New Year 2010" and points to a fast flux domain site which serves up Trojan-Downloader:W32/Agent.MUG. This particular trojan will try to install further malware, though the content it's pointing to seems to not yet be online, at least at the time of this post. Be careful when reading electronic happy New Year's wishes also this year..."

[AplusWebMaster]

FYI...

SCAM spreading on Facebook and SEO...
- http://securitylabs.websense.com/con...rts/3518.aspx?
01.05.2010 - " Websense... has discovered several spam messages on Facebook that trick the user into visiting BINSSERVICESONLINE(dot)INFO. When the link in the message is clicked, the Web site -redirects- the user to an online scam site similar to the one we published in the blog Google Scam Kits* in mid-December. The use of Facebook to distribute links that lead to Google scam kits is fairly new, and is sure to trick some users into buying the kits. A lot of users have apparently received this message, as it quickly became a popular search string on Google. As we've seen in the past, there are criminal groups monitoring the popular search terms on Google and other search engines to start their own malicious attacks, so it didn't take long until we started seeing Google search results for BINSSERVICESONLINE leading to rogue AV products. Note that the two attacks are done by separate groups of criminals. One group started the spam attacks on Facebook and another started manipulating Google results..."
* http://securitylabs.websense.com/con...logs/3512.aspx

(Screenshots available at the Websense URL above.)

[AplusWebMaster]

FYI...

Outlook Web Access SPAM Campaign...
- http://isc.sans.org/diary.html?storyid=7918
Last Updated: 2010-01-08 21:57:40 UTC ...(Version: 3) - "... an email campaign targeting OWA users that leads to malware infections... When you review the SPAM, notice the link that is displayed shows it is from our.org but the actual hyper link is to our.org .molendf.co .kr... traced the IP and am blocking it so if others get through the SPAM filter our users will not be able to get to the site... submitted the file to VirusTotal* to see what they found and it is very new..."
* http://www.virustotal.com/analisis/2...d7b-1262953493
File settings-file.exe received on 2010.01.08 12:24:53 (UTC)
Result: 16/41 (39.02%)

Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
- http://ddanchev.blogspot.com/2010/01...-campaign.html
UPDATED: January 10, 2010

Don't Update Your Email Settings
- http://www.m86security.com/labs/i/Do...race.1215~.asp
January 10, 2010

[AplusWebMaster]

FYI...

Bogus IRS W-2 form leads to malware
- http://blog.trendmicro.com/bogus-irs...ds-to-malware/
Jan. 11, 2010 - "... spammers now are capitalizing on the upcoming tax season. Recently, Trend Micro threat analysts found spammed messages purporting to come from the Internal Revenue Service (IRS). The spammed message bears the subject, “W-2 Form update,” and informs users to update the said form because of supposed “important changes.” The W-2 form states an employee’s annual salary and total tax. The spammed message looks normal since the URLs and phone numbers in it are legitimate. This was probably done so users will not suspect anything. It also encourages users to open the attached .RTF file (Update.doc), which is supposed to be the W-2 form. When users open the .RTF file, however, they will see an embedded .PDF file. This supposedly PDF file is actually an .EXE file that uses the PDF icon. This is detected by Trend Micro as BKDR_POISON.BQA. BKDR_POISON.BQA is a component of the Darkmoon Remote Administration Tool (RAT), which enables a malicious user to execute commands on the affected system. Interestingly, this backdoor attempts to connect to a private IP address (192.168.29.1). This may be the attacker’s misconfiguration, or an attack targeting a specific internal network environment... Users are strongly advised not to open any suspicious-looking emails even though they came from a supposedly known source. It is also recommended that users verify with IRS if the email they received is legitimate or not..."

(Screenshots available at the TrendMicro URL above.)

- http://www.viruslist.com/en/weblog?weblogid=208188001
January 07, 2010

- http://www.us-cert.gov/current/#irs_...f_online_scams
January 13, 2010 - "... The U.S. Internal Revenue Service has issued a news release* on its website warning consumers about potential scams. These scams are circulating via fraudulent email or other online messages appearing to come from the IRS. They attempt to convince consumers to reveal personal and financial information that can be used to gain access to bank accounts, credit cards, and other financial institutions..."
* http://www.irs.gov/newsroom/article/...217794,00.html

[AplusWebMaster]

FYI...

40 trillion SPAM messages were sent in 2009...
- http://www.symantec.com/connect/blog...spam-explosion
January 12, 2010

(Interesting 2001-2009 Growth chart available at the URL above.)

[AplusWebMaster]

FYI...

Banker Scams - SPAM...
- http://blog.trendmicro.com/banker-sc...-spam-victims/
Jan. 14, 2010 - "Two new spam campaigns spreading variants of the BANKER family of identity-stealing Trojans have recently emerged. The first campaign features spammed messages containing malicious links to supposed pictures. Once clicked, however, users ended up with TSPY_BANKER.OCN infections. This campaign made use of standalone files... The second campaign was more elaborate, as the involved malware (detected as TSPY_BANKER.MTX) had two components - one steals banking-related information while the other steals email account information... Both campaigns may, however, be related, as the information they steal from users end up in drop zones that are hosted on the same Web server:
* {BLOCKED}unicaobr .com/phps/procopspro .php
* {BLOCKED}unicaobr .com/working/lisinho .php
Looking for more details on webcomunicaobr .com revealed the following details:
IP: 69.162.102.130 Hosted in the USA
ASN: AS46475 LIMESTONENETWORKS Limestone Networks Inc. Primary ASN
ns1 .brasilrevenda .com
ns2 .brasilrevenda .com
Digging a little bit deeper still, three interesting pages cropped up that revealed the number of systems each contracted spammer has infected so far... a list of PHP servers where stolen information is sent... and a list of files that contained encrypted information downloaded by infected hosts..."

(Screenshots available at the TrendMicro URL above.)

[AplusWebMaster]

FYI...

Targeted e-mail examples relating to MS IE 0-day CVE-2010-0249
- http://securitylabs.websense.com/con...erts/3536.aspx
01.21.2010 - "Websense... has reports that emails linking to malicious web-based exploit code that utilizes the vulnerability CVE-2010-0249 have been sent to organizations in a targeted manner since December 2009, and the attack is still on-going. This same vulnerability was used to target Google, Adobe, and approximately 30 other companies in mid-December 2009.... Investigation has so far lead to the conclusion that these targeted attacks appear to have started during the week of 20 December 2009, and are on-going to government, defence, energy sectors and other organizations in the United States and United Kingdom. Within the malicious emails the sender's domain is spoofed to match the recipient's domain making the targeted emails more convincing to the recipient. The malicious executables that are delivered by the exploit code include hxxp ://cnn[removed]/US/20100119/ update.exe or hxxp ://usnews[removed]/ svchost.exe. These exhibit traits of an information-stealing Trojan with Backdoor capabilities. As of today only 25% of AV vendors protect against the payload according to this VT report*. Example email subjects include:
"Helping You Serve Your Customers"
"Obama Slips in Polls as Crises Dominate First Year as President"
"2010 ***** Commercial SATCOM"
"The Twelve Days of Christmas" ...
* http://www.virustotal.com/analisis/e...797-1264090078
File update-exe-.txt received on 2010.01.21 16:07:58 (UTC)
Result: 11/41 (26.83%)

>>> http://forums.spybot.info/showpost.p...&postcount=110