SPAM frauds, fakes, and other MALWARE deliveries - archive

[AplusWebMaster]

FYI...

40% of a month’s malware - Troj/JSRedir-AK
- http://www.sophos.com/blogs/sophoslabs/v/post/8338
January 25, 2010 - "It has been a month since we added detection for Troj/JSRedir-AK* and figures generated today show that over 40% of all web-based detections have been from this malicious code. Translating the numbers into a more human comprehensible form: 1 site every 15 secs was being detected as Troj/JSRedir-AK. The affected sites include well-known names, including:
• Energy Companies
• Retail Companies
• Automobile Club
• Hotels
...Using the JavaScript .replace the malware deobfuscates itself and dynamically writes an iframe point to a Russian website on port 8080 which serves up scripts detected as Troj/Iframe-DL. This new script will write an iframe that will attempt to load a PDF (detected as Troj/PDFJs-FY) and a file claiming to be a JPG (detected as Exp/VidCtl-A). These then will install various other malware. Troj/JSRedir-AK is a continuation of the Gumblar gang’s exploits using Russian domains instead of Chinese ones... very similar to the one we saw for Troj/JSRedir-R and the infection mechanisms seem to be the same (i.e. FTP credentials)."

(Interesting graph available at the URL above.)

* http://www.sophos.com/security/analy...jsredirak.html
"More Info... Troj/JSRedir-AK will redirect the web browser to other malicious websites."

[AplusWebMaster]

FYI...

Q4 '09 web-based malware data and trends
- http://blog.dasient.com/2010/01/q409...nd-trends.html
January 26, 2010 - "... the way malware is being distributed is undergoing a fundamental shift, with more attackers focusing on "drive-by downloads" from legitimate sites that have been compromised, or from sites designed specifically for malicious purposes. In nearly all the variations on this kind of attack, no user action is required for the infection to occur, beyond loading the site in a browser - and there are very few signs that malicious code has been downloaded... Based on the telemetry data we've gathered from the web, we estimate that more than 560,000 sites and approximately 5.5 million pages were infected in Q4'09, compared with more than 640,000 sites and 5.8 million pages in Q3'09. By the end of the year, we had identified more than 100,000 web-based malware infections... we saw a more significant drop in the number of infected sites than we did in the number of infected pages because each infection tended to spread to a larger number of pages on each site... more than four of every 10 sites infected in the quarter were reinfected within a space of three months... the file names most often used in drive-by downloads included things like "setup.exe," "update.exe" (which was used in the Google attack), and "install_flash_player.exe"... In previous years, a drive-by download would often initiate 10 or more extra processes, ostensibly in an attempt to maximize the return from each infected endpoint. In response, the search providers and anti-virus vendors who scan the web for infected sites began using the number of extra processes initiated as a signal that the webpage might be malicious. But in Q4'09, the average number of extra processes initiated was just 2.8 -- enough for a downloader and perhaps one or two pieces of malware. Clearly, attackers are getting smarter about the way they structure their attacks, opting for a smaller fingerprint on an infected machine in exchange for a greater likelihood of evading detection..."

[AplusWebMaster]

FYI...

Death hoax from hacks - actor Johnny Depp
- http://blog.trendmicro.com/hackers-e...9s-death-hoax/
Jan. 27, 2010 - "News involving celebrity deaths (real or hoax) have a habit of spreading across the Internet like wildfire, sensationalizing bits of information to entice readers. So, it is easy to see why pranksters and cybercriminals exploit the fact that people love gossip. So when rumors of Johnny Depp’s supposed death due to a car crash broke out, it did not take long before cybercriminals took advantage of the supposed reports to spread malware via their usual blackhat search engine optimization (SEO) tactics... While most hoaxes come in the form of spammed messages, this particular scam involved the creation of several malicious sites where rigged search results led to, which led curious readers to system infections rather than to more information on Depp’s alleged death... Once users click the embedded links, however, they will be redirected to a video entertainment site that claims to host footage of Depp’s accident... Upon playing the supposed video, users will be prompted to download a codec in order to watch it, which is actually a malicious file detected by Trend Micro as TROJ_DLOADER.GRM. When executed, TROJ_DLOADER.GRM connects to a remote site to download a malicious file. It then displays a professional-looking graphical user interface (GUI) promoting a bogus software called DriveCleaner 2006 before opening a window that shows the software—an executable file—installation’s progress... never underestimate the speed at which an Internet hoax spreads. Whether seasoned Web surfer or first timer, it does not matter, it is always advisable to keep your guard up. Cybercriminals want profit. So, the more successful an attack, the more money they make..."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

Top 50 - Badware - by number of reported URLs
- http://stopbadware.org/reports/asn
Daily Change ...

How to interpret this data
- http://stopbadware.org/home/data_int...on#asn_reports

Sample chart
- http://stopbadware.org/reports/asn/15169

Google Diagnostics
- http://www.google.com/safebrowsing/d...?site=AS:15169
"Of the 723306 site(s) we tested on this network over the past 90 days, 6982 site(s), including, for example, mkdorrjvb.blogspot.com/, denisa8357.blogspot.com/, miriam8998.blogspot.com/, served content that resulted in malicious software being downloaded and installed without user consent..."

[AplusWebMaster]

FYI...

Valentine’s Day SPAM/scams begin...
- http://blog.trendmicro.com/early-hea...from-spammers/
Feb. 1, 2010 - "February has already begun, which means Valentine’s Day is close at hand. As usual, spammers will definitely hype up their malicious activities. It is only the first day of the so-called “love month” but we have already seen at least two SPAM samples leveraging one of the most-celebrated special occasions when people flock to websites that advertise gifts they can give to their loved ones... Every special occasion and/or holiday is, in today’s threat-laden Internet landscape, not just a time for people to celebrate but also a time for spammers to scam unwitting users with their devious scams... Spammed messages come in many forms and with varying payloads, some redirect users to sites that sell anything and everything under the sun, most especially pharmaceutical and replica items; some lead to links to malicious or malware-ridden sites; some lead to sites that advertise bogus promotions; and some carry malware as attachments..."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

Google Job app - malicious response
- http://securitylabs.websense.com/con...?cmpid=slalert
2/1/2010 - "Websense... has discovered a new malicious spam campaign that spoofs Google job application responses. The messages look very well written and are so believable that they are probably scrapes from actual Google job application responses. Typically, spam has grammatical errors or spelling mistakes that make the messages obviously unofficial and act as red flags. The text of these messages, however, has no such mistakes, making them much more believable - especially if the target really has applied for a job with Google. The From: address is even spoofed to fool victims into believing the message was sent by Google. The messages have an attached file called CV-20100120-112.zip that contains a malicious payload. This is where the message gets suspicious, because the contents of the .zip file have a double extension ending with .exe. The attackers attempt to hide the .exe extension by preceding it with .html or .pdf, followed by a number of spaces and then the .exe extension. The .exe file (SHA1:80366cde71b84606ce8ecf62b5bd2e459c54942e) has little AV coverage* at the moment..."
* http://www.virustotal.com/analisis/d...440-1265043648
File document.htm_____________________ received on 2010.02.01 17:00:48 (UTC)
Result: 10/40 (25.00%)

(Screenshot available at the Websense URL above.)

[AplusWebMaster]

FYI...

Twitter mass password reset due to phishing
- http://isc.sans.org/diary.html?storyid=8137
Last Updated: 2010-02-02 21:47:04 UTC - "Twitter is sending out a large number of e-mails, asking users to reset their passwords. It appears a large number of passwords got compromised in a recent phishing incident (mine included). When I received the message at first, I considered the e-mail a phishing attempt in itself. But all the links appeared to be "good". If you receive an e-mail like this, I recommend the following procedure:
1. delete the e-mail
2. go to twitter by entering the link in your browser. Best:
use https://www.twitter.com (httpS not http)...
3. change your password.
4. do not reuse the password, do not use a simple password scheme (like "twitterpassword" and "facebookpassword")
I know it is hard. A lot of people will advise against writing the password down, or using a "password safe" application. But considering the risks, I tend to advise people to rather write down the passwords or use a password safe application compared to using bad / repeating passwords."

Reason #4132 for Changing Your Password
- http://status.twitter.com/post/36767...-your-password
Feb. 2, 2010 - "... We strongly suggest that you use different passwords for each service you sign up for; more information on how to keep your Twitter account safe can be found here: http://twitter.zendesk.com/forums/10711/entries/76036 ."

[AplusWebMaster]

FYI...

Q3-Q4 2009 - Malware in more than 1 in 10 Search Results...
- http://preview.tinyurl.com/yadn9uj
Feb 04, 2010 - "The second half of 2009 saw malware authors focus their efforts to ensure they drove victims straight to them. In contrast to the first half of the year where mass injection attacks like Gumblar, Beladen and Nine Ball promoted a sharp rise in the number of malicious Web sites, Websense Security Labs observed a slight (3.3 percent) decline in the growth of the number of Web sites compromised. Instead, attackers replaced their traditional scattergun approach with focused efforts on Web 2.0 properties with higher traffic and multiple pages. Over the six month period, Search Engine Optimization (SEO) poisoning attacks featured heavily, and Websense Security Labs research identified that 13.7 percent of searches for trending news/buzz words lead to malware. In addition, attackers continued to capitalize on Web site reputation and exploiting user trust, with 71 percent of Web sites with malicious code revealed to be legitimate sites that had been compromised... During the second half of 2009 Websense Security Labs discovered:
• 13.7 percent of searches for trending news/buzz words (as defined by Yahoo Buzz & Google Trends) lead to malware
• 95 percent of user-generated comments to blogs, chat rooms and message boards are spam or malicious
• 35 percent of malicious Web attacks included data-stealing code
• 58 percent of data-stealing attacks are conducted over the Web
• 85.8 percent of all emails were spam
• an average growth of 225 percent in malicious Web sites ..."

[AplusWebMaster]

FYI...

Fake Firefox update site pushes adware
- http://www.infosecurity-us.com/blog/...dware/126.aspx
03/02/2010 - "Since its’ release on January 21st, the newest version of the Firefox web browser has received a great deal of attention. In just a short time it has achieved over 30 million downloads. Adware pushers are capitalizing on the success of Firefox, packing ad serving software in with the program in an effort to increase their reach. Purveyors of spyware and adware will try to take advantage of well known programs, illegitimately bundling their software into the install of the popular software. These programs are also commonly referred to as Potentially Unwanted Programs (PUPs) whose content is not necessarily malicious, but is almost never wanted by the user. These types of software are often used to collect information about the user without the users’ knowledge or consent. The latest example is found on the fake Firefox download site... (screenshot at the URL above). The page is cleverly disguised with the appearance of a legitimate Firefox download site and could easily fool many users hoping to upgrade... Taking a closer look reveals clues to the fraudulent page. While the page advertises version 3.5 the newest version is actually 3.6. There are also misspellings such as “Anti-Pishing” in the title of the security section. Victims of this scam install the “Hotbar” toolbar by Pinball Corp, formerly Zango. Not only are users subject to the annoying toolbar, they're also barraged with pop-up ads and host to a new Hotbar weather application running in the system tray... Users looking to upgrade Firefox should go to the real download site at http://getfirefox.com ..."

- http://www.theregister.co.uk/2010/02...efox_download/
3 February 2010

[AplusWebMaster]

FYI...

Gmail phish...
- http://www.f-secure.com/weblog/archives/00001876.html
February 8, 2010 - "... be aware of e-mails purportedly from Gmail administrators. One of our Fellows recently received a message from "The Google Mail Team" asking users to verify their account details to combat "anonymous registration of accounts"... The reply-to address is listed as 'verifyscecssze@gmail.com', which obviously isn't an official Gmail admin account. Meanwhile, the domain name gmeadmailcenter .com is registered to a Catholic church in Michigan. Just your typical phishing type message really. Gmail users who receive this e-mail can report it to the (real) Gmail team using the 'Report phishing' option in their account, or just delete it."

More phishing notes today (Screenshots provided at both URLs below):

- http://blog.trendmicro.com/phishing-...e-login-pages/
Feb. 8, 2010

- http://blog.trendmicro.com/caisse-d%...tomers-beware/
Feb. 8, 2010