
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #211
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Rogue Facebook app propagates via users

    FYI...

    Rogue Facebook app propagates via users
    - http://securitylabs.websense.com/con...logs/3563.aspx
    02.26.2010 - "The latest scam targeted at Facebook users hit the public today. The rogue app, which comes in many variants of "Who is checking your profile?", has improved its technique beyond the previous attacks we've seen. Rather than spreading a single app that Facebook can easily block, it tricks users into propagating the exploit by creating a brand new Facebook application that hands over the controls to the bad guys. The attack starts with a friend, whom you trust, posting a link on your wall, asking you who is checking your profile. It also entices you by telling you that your friend is viewing your profile. The draw itself has been around for a long time, and the idea of being able to tell which users have looked at your profile is an attractive proposition. But Facebook policy and the API itself prevent this capability, which means that all applications that promise this feature are bogus... The most important thing for Facebook users to remember is that clicking “Allow” authorizes an application, and by doing so you are giving it the proverbial “keys to the kingdom.” Do not add any applications that you do not trust..."

    (More detail and screenshots at the Websense URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #212
    Adviser Team AplusWebMaster's Avatar

    Blackhat SEO PDF - Chile and Hawaii disasters

    FYI...

    Blackhat SEO PDF - Chile and Hawaii disasters
    - http://securitylabs.websense.com/con...rts/3568.aspx?
    02.28.2010 - "Over 13% of all searches on Google* looking for popular and trending topics will lead to malicious links and searching for the latest news on the earthquake in Chile and the tsunami hitting Hawaii are no exception. Both are now used to lure people into downloading fake antivirus products. Usually the links in the search results look like ordinary links pointing to regular web pages. This time the bad guys have changed tactics to make their search results look even more convincing, by tricking Google into thinking it's a PDF file... Google tells you the file format is PDF and not HTML. That's not true, it is in fact a regular HTML page that when visited will redirect the user to a page that looks like this - just another rogue AV fake scanning page. This one, just like the majority of rogue AV sites we have seen this week, is in the .IN TLD which is the top-level domain for India. By making the search result look like a PDF it gives the link more authenticity. Perhaps it's a research paper or at least a more well written article. The likelihood that a user will click on these type of links is probably higher than if it were just another random web link... The Rogue AV file itself is currently detected by 26.20%** of the antivirus engines used by VirusTotal..."
    * http://preview.tinyurl.com/yzv4nze

    (Screenshots available at the Websense URL above.)

    ** http://www.virustotal.com/analisis/f...0c8-1267321093
    File packupdate_build6_287.exe received on 2010.02.28 01:38:13 (UTC)
    Result: 11/41 (26.83%)


  3. #213
    Adviser Team AplusWebMaster's Avatar

    New Domains - fastflux, rogue, koobface

    FYI...

    New Domains - fastflux, rogue, koobface...
    - http://www.malwaredomains.com/wordpress/?p=859
    March 1st, 2010 - "Upload was delayed by a few days due to weather issues from the latest storm..."

    - http://www.malwaredomains.com/wordpress/?page_id=2
    "The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware... available in AdBlock and ISA Format..."


  4. #214
    Adviser Team AplusWebMaster's Avatar

    ESET stats on infections

    FYI...

    ESET statistics on infections
    - http://www.eset.com/threat-center/bl...-on-infections
    March 2, 2010 - "... the statistics we are seeing in through our online scanner logs are consistent with our observation from last September. We are seeing an average of 3 different malware families per infected computer. This means that on average, when a computer is infected, we find three different malware families installed on it... The average of different malware families per infected hosts in the United States is close to the global average. On the other hand, this number reaches 4.5 in China where it has one of the highest values. This indicates that malware operations are not conducted the same way around the world. We usually see less bank information stealers in Asia but more online game password stealers. Online game password stealers are usually installed by other malware families and don’t propagate by themselves, explaining why we see a higher average in China than in the United States. On a daily basis, ESET is collecting more than 200,000 new and unique binary malicious files..."
    ___
    ... which translates to over 73 million new malware items for 2010, a record rate by any standard.

    Last edited by AplusWebMaster; 2010-03-03 at 12:19.

  5. #215
    Adviser Team AplusWebMaster's Avatar

    Huge update: malicious advertising domains

    FYI...

    Huge update: malicious advertising domains...
    - http://www.malwaredomains.com/wordpress/?p=870
    March 5, 2010 - "We are adding the malicious domains being served up at ad banner networks based on the listings at malwaredomainlist and trojaned binaries. Most of these malicious ad banners serve up fake antivirus scareware. There are also few phishing and zeus domains in this update..."

    - http://www.malwaredomains.com/wordpress/?p=864
    March 4, 2010 - "From SANS*: Block google-analitics (dot) net and salefale (dot) com ASAP. Sites will be added on the next update..."
    * http://isc.sans.org/diary.html?storyid=8350

    - http://www.malwaredomains.com/wordpress/?page_id=2
    "The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. This project creates the Bind and Windows zone files required to serve fake replies to localhost for any requests to these, thus preventing many spyware installs and reporting. This list is also available in AdBlock and ISA Format..."

    Last edited by AplusWebMaster; 2010-03-05 at 08:56.
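    The DNS-BH description quoted in the post above (BIND zone files that answer requests for listed domains with localhost) can be sketched as follows. This is an added example, not DNS-BH's own tooling or part of the original post; the zone-file path, the SOA values and the function names are assumptions, and the sample list is constructed from the two domains the post names.

```python
import re

# Constructed input: the two domains named in the post, in its defanged
# notation, plus a duplicate and a malformed entry to exercise edge cases.
SAMPLE = """\
google-analitics (dot) net
salefale (dot) com
SALEFALE[.]com      # duplicate in another defang style
not a domain!!
"""

SINKHOLE_ZONE_FILE = "/etc/bind/sinkhole.db"  # assumed path, adjust locally
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def refang(entry):
    """Return a lowercase hostname for 'a (dot) b' / 'a[.]b' input, else None."""
    host = re.sub(r"\s*(?:\(dot\)|\[dot\]|\[\.\])\s*", ".", entry.strip(), flags=re.I)
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or len(host) > 253:
        return None
    return host if all(LABEL.match(label) for label in labels) else None


def parse_blocklist(text):
    """Refang, validate and de-duplicate entries; '#' starts a comment."""
    seen, domains = set(), []
    for line in text.splitlines():
        host = refang(line.split("#", 1)[0])
        if host and host not in seen:
            seen.add(host)
            domains.append(host)
    return domains


def bind_stanzas(domains, zone_file=SINKHOLE_ZONE_FILE):
    """One master zone per blocked domain, all sharing the sinkhole zone file."""
    return "\n".join(
        f'zone "{d}" {{ type master; file "{zone_file}"; }};' for d in domains
    )


def sinkhole_zone(address="127.0.0.1"):
    """Shared zone file: the domain and every name under it resolve to address."""
    return "\n".join([
        "$TTL 86400",
        "@ IN SOA localhost. root.localhost. ( 1 3600 900 604800 86400 )",
        "@ IN NS localhost.",
        f"@ IN A {address}",
        f"* IN A {address}",
    ])


if __name__ == "__main__":
    print(bind_stanzas(parse_blocklist(SAMPLE)))
    print(sinkhole_zone())
```

    The stanzas go into the resolver's named.conf (or an included file) and the zone text into the shared zone file; malformed entries are dropped rather than written into the configuration.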

  6. #216
    Adviser Team AplusWebMaster's Avatar

    USB battery charger software allows remote system access...

    FYI...

    Energizer DUO USB Battery Charger Software Allows Remote System Access
    - http://www.us-cert.gov/current/#enge...attery_charger
    March 8, 2010 - "US-CERT is aware of a backdoor in the software for the Energizer DUO USB battery charger. This backdoor may allow a remote attacker to list directories, send and receive files, and execute programs on an affected system... US-CERT encourages users and administrators to review Vulnerability Note VU#154421* and apply the recommended solutions."
    * http://www.kb.cert.org/vuls/id/154421

    - http://www.symantec.com/connect/blog...arger-software
    March 5, 2010

    - http://secunia.com/advisories/38894/
    Release Date: 2010-03-08
    Criticality level: Highly critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched
    Solution: Uninstall the software and remove "Arucer.dll" from the Windows system32 directory.
    Original Advisory: VU#154421:
    http://www.kb.cert.org/vuls/id/154421

    - http://phx.corporate-ir.net/phoenix....675&highlight=
    March 5, 2010 - "... Energizer has discontinued sale of this product and has removed the site to download the software..."

    Last edited by AplusWebMaster; 2010-03-09 at 12:13.

  7. #217
    Adviser Team AplusWebMaster's Avatar

    Hacks steal $120M+ in 3 months: FDIC

    FYI...

    Hacks steal $120M+ in 3 months: FDIC
    - http://www.computerworld.com/s/artic..._three_months?
    March 8, 2010 - "Ongoing computer scams targeting small businesses cost U.S. companies $25 million in the third quarter of 2009, according to the (FDIC). Online banking fraud involving the electronic transfer of funds has been on the rise since 2007 and rose to over $120 million in the third quarter of 2009, according to estimates presented Friday at the RSA Conference in San Francisco, by David Nelson, an examination specialist with the FDIC. The FDIC receives a variety of confidential reports from financial institutions, which allow it to generate the estimates, Nelson said. Almost all of the incidents reported to the FDIC "related to malware on online banking customers' PCs," he said. Typically a victim is tricked into visiting a malicious Web site or downloading a Trojan horse program that gives hackers access to their banking passwords. Money is then transferred out of the account using the Automated Clearing House (ACH) system that banks use to process payments between institutions. Even though banks now force customers to use several forms of authentication, hackers are still stealing money. "Online banking customers are getting too reliant on authentication and on practicing layers of controls," Nelson said... Commercial deposit accounts do not receive the reimbursement protection that consumer accounts have, so a lot of small businesses and nonprofits have suffered some relatively large losses," Nelson said. "In the third quarter of 2009, small businesses suffered $25 million in losses due to online ACH and wire transfer fraud." That's led to some nasty legal disputes, where customers say the banks should have stopped payments, and the banks argue that the customers should have protected their own computers from infection. Often small businesses do not have the controls in place to prevent unauthorized ACH payments, even when their banks make them available, Nelson said. "Hackers are definitely targeting higher-balance accounts and they're looking for small businesses where controls might not be very good." The FDIC's estimates are "reasonable," but they illustrate a problem that is becoming too expensive for banks and businesses, said Avivah Litan, an analyst with Gartner. She said that attacks that install a password-stealing botnet program, known as Zeus, have increased so far in 2010, so those losses may be even higher this year."

    Last edited by AplusWebMaster; 2010-03-09 at 11:13.

  8. #218
    Adviser Team AplusWebMaster's Avatar

    iPad giveaway gives users identities away

    FYI...

    iPad giveaway gives users identities away
    - http://blog.trendmicro.com/ipad-give...entities-away/
    Mar 9, 2010 - "... spammed messages that promise free iPads to lure unwitting users into their scams. In one such spam sample, recipients are being invited to test the iPad at no cost by simply applying to be part of a “word-of-mouth” marketing campaign. They may not have to shell out a single cent but the price they have to pay will be their identities... The spammed messages instruct users to reply to the email with their personal information, which spammers could easily use for further malicious activities... This recent spam run is no different from how cybercriminals leveraged the iPad launch in January, which led to a FAKEAV variant. Users should thus continue exercising caution in opening email messages from unknown senders. It is also important to be cautious in conducting Web searches on hot topics such as the iPad, as these are often used for blackhat search engine optimization (SEO) attacks... Apple does not own any iPad-related domain names so users should really pay close attention to URLs before they click."

    (Screenshots available at the URL above.)

    Last edited by AplusWebMaster; 2010-03-11 at 21:14.

  9. #219
    Adviser Team AplusWebMaster's Avatar

    IC3 2009 Internet Crime Annual Report

    FYI...

    IC3 2009 Internet Crime Annual Report
    - http://www.ic3.gov/media/2010/100312.aspx
    March 12, 2010 - "... Online crime complaints increased substantially once again last year, according to the report. The IC3 received a total of 336,655 complaints, a 22.3 percent increase from 2008. The total loss linked to online fraud was $559.7 million; this is up from $265 million in 2008... Although the complaints consisted of a variety of fraud types, advanced fee scams that fraudulently used the FBI's name ranked number one (16.6 percent). Non-delivery of merchandise and/or payment was the second most reported offense (11.9 percent)... The report is posted in its entirety on the IC3 website*. The Internet Crime Complaint Center (IC3) is a joint operation between the FBI and the National White Collar Crime Center (NW3C). IC3 receives, develops, and refers criminal complaints regarding the rapidly expanding arena of cyber crime. The IC3 gives the victims of cyber crime a convenient and easy-to-use reporting mechanism utilized to alert authorities of suspected criminal or civil violations..."
    * http://www.ic3.gov/media/annualreports.aspx

    [ Replace the word “complaints” with “citizen-reported-criminal-activity”… ‘do same in the actual report itself. ]

    - http://www.eset.com/blog/2010/03/17/...g-peanuts-here
    March 17, 2010 - "... these figures relate only to the USA. Multiply those amounts many times over to give you some idea of the size of the losses on a global basis. The amount of money that is lost to global cybercrime activities is massive... because the size of the problem is often not understood, it seems to slip under the radar and often isn’t even considered a serious problem... The drug trade problem has plenty of awareness in the public eye and plenty of focus from law enforcement. Yet in fact the global cybercrime trade makes more money these days than the global drug trade..."

    Last edited by AplusWebMaster; 2010-03-18 at 19:50.

  10. #220
    Adviser Team AplusWebMaster's Avatar

    ZeuS detection on your PC...

    FYI...

    ZeuS detection on your PC...
    - http://www.secureworks.com/research/threats/zeus/
    March 11, 2010 - "... How to detect the ZeuS Banking Trojan on your computer
    Computers infected with this version of ZeuS will have the following files and folders installed. The location depends on whether the victim has Administrator rights. The files will most likely have the HIDDEN attribute set to hide them from casual inspection...
    sdra64.exe (malware)
    user.ds (encrypted stolen data file)
    user.ds.lll (temporary file for stolen data)
    local.ds (encrypted configuration file)
    The sdra64.exe program uses process injection to hide its presence in the list of running processes. Upon startup, it will inject code into winlogon.exe (if Administrator rights available) or explorer.exe (for non-Administrators) and exit. The injected code infects other processes to perform its data theft capabilities..."

    (More detail available at the URL above.)

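    The file names quoted in the ZeuS post above, and the "Arucer.dll" named in the Energizer advisory earlier in the thread, can be checked for with a file-name sweep, since the ZeuS excerpt notes that the process hides itself from the process list. This is an added example, not code from SecureWorks, Secunia or the original posts; the function names are assumptions, the directories to search are supplied by the caller because the excerpt elides the install locations, and the demo tree is constructed. A name match is a lead to investigate, not proof of infection.

```python
import os
import stat
import tempfile

# File names taken from the posts: the ZeuS artefacts listed in the
# SecureWorks excerpt and the DLL named in the Energizer advisory.
IOC_NAMES = {
    "sdra64.exe": "ZeuS malware",
    "user.ds": "ZeuS encrypted stolen data file",
    "user.ds.lll": "ZeuS temporary file for stolen data",
    "local.ds": "ZeuS encrypted configuration file",
    "arucer.dll": "Energizer DUO backdoor",
}


def is_hidden(st):
    """True if the Windows HIDDEN attribute is set (always False elsewhere)."""
    return bool(getattr(st, "st_file_attributes", 0) & stat.FILE_ATTRIBUTE_HIDDEN)


def sweep(roots):
    """Walk each root and return one finding per file whose name is listed."""
    findings = []
    for root in roots:
        # onerror: skip unreadable directories instead of aborting the sweep
        for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
            for name in files:
                label = IOC_NAMES.get(name.lower())  # Windows names ignore case
                if label is None:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # file vanished or is not readable
                findings.append({"path": path, "ioc": label,
                                 "size": st.st_size, "hidden": is_hidden(st)})
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Sweep a constructed directory tree; returns (file name, label) pairs."""
    with tempfile.TemporaryDirectory() as top:
        sysdir = os.path.join(top, "system32")
        os.makedirs(os.path.join(sysdir, "sub"))
        for rel in ("SDRA64.EXE", "notepad.exe", "Arucer.dll", "user.ds.bak",
                    os.path.join("sub", "local.ds")):
            with open(os.path.join(sysdir, rel), "wb") as fh:
                fh.write(b"constructed sample")
        return [(os.path.basename(f["path"]), f["ioc"]) for f in sweep([top])]


if __name__ == "__main__":
    for name, label in demo():
        print(f"{name}: {label}")
```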
