
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #231
    AplusWebMaster (Adviser Team). Join Date: Oct 2005. Location: USA. Posts: 6,881

    Pictures Ruse Used to SPAM Zeus/Zbot

    FYI...

    Pictures Ruse Used to SPAM Zeus/Zbot
    - http://blog.trendmicro.com/spam-with...o-spread-zbot/
    Mar. 24, 2010 - "... fresh wave of spammed messages that were used to spread another ZBOT variant of the infamous ZeuS botnet. These messages warned users that a “jerk” posted photos of them and contained a link to the said images... the spammed messages appear to be from innocent users that the recipients presumably knew. In addition, they were also signed or at least had the sender’s name at the end of the message. In the sample above, the sender’s name has been blurred to protect his/her identity. Combined, this may lead users to believe the message is legitimate. However, the link does not go to any legitimate social-networking or photo-hosting site. Users were instead prompted to download a “photo archive”. In addition, the download page also contains a malicious iframe, which leads to a website that previously hosted the Phoenix Exploit’s Kit, which was designed to take advantage of vulnerabilities in several popular applications like Adobe Flash, Internet Explorer (IE), Microsoft Office, and Mozilla Firefox..."

    (Screenshots available at the URL above.)

    - http://threatinfo.trendmicro.com/vin...30210-ZBOT.xml

    - http://ddanchev.blogspot.com/2010/03...-exploits.html
    March 24, 2010 - "... Updates will be posted as soon as new developments emerge. Consider going through the 'related posts', to catch up with the gang's activities for Q1, 2010..." ("Related posts" listed there)

    Last edited by AplusWebMaster; 2010-03-25 at 03:42.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #232
    AplusWebMaster

    Swizzor - closer look...

    FYI...

    Closer look on Swizzor
    - http://techblog.avira.com/2010/03/25...on-swizzor/en/
    March 25, 2010 - "We were analysing a recent version of Swizzor – an Adware which Avira detects as TR/Dldr.Swizzor.Gen – and after getting past the first encryption layers of the software, we stumbled over a few interesting strings in the malware. Quite obviously it installs a browser helper object (BHO, an Internet Explorer plug-in) which does some form of search hijacking. In case users get infected with Swizzor, they usually experience a -redirected- start page and a few pop-ups with advertisements for online poker or potency pills... Different Swizzor samples also contain different messages and links. Also, the malware is highly polymorphic. The Swizzor sample also contains a lengthy list of URLs which it blocks within the Windows hosts file by redirecting them to localhost (127.0.0.1). Interestingly, those URLs all point to FakeAV or RogueAV... Also we see reports by users on the net who are victims of a Swizzor infection and didn’t download such “sponsored software” knowingly, but installed it for example with the “Windows Live Messenger” -add-on “Windows Live Plus! Messenger” where users can choose whether to install the “sponsor software” or not. Always keep an open eye on whether the software you are going to install really is free or installs further stuff on your computer. You should find hints pointing to such add-ons in the EULA of the software."


  3. #233
    AplusWebMaster

    Fake lawsuit notification Attack

    FYI...

    Fake lawsuit notification Attack
    - http://www.f-secure.com/weblog/archives/00001917.html
    March 25, 2010 - "A few days ago, we encountered an e-mail with a malicious RTF attachment. It was sent with a supposed lawsuit notification message. The e-mail didn't mention any company by name and took a shotgun, rather than targeted, approach... At this point, it appears that the attachment has been replaced by a hyperlink pointing to the Marcus Law Center... It is difficult to determine whether or not the MLC site is compromised or just completely bogus. Their Our Firm page text borrows heavily from a New York lawyer's site, but that could just be a case of "honest" plagiarism. In any case, our browsing protection feature is now blocking the sub-directory hosting the malicious file as unsafe. The RTF file includes an embedded object that acts as a trojan dropper (Trojan-Dropper:W32/Agent.DIOY) and it drops a downloader (Trojan-Downloader:W32/Lapurd.D), which then attempts to connect to a server located in Southern China. The earlier attachment that we saw also attempted to connect to a server in China. Updated to add: SANS diary reports* that a number of .edu sites have also received a similar message. The domain, touchstoneadvisorsonline .com, is hosting the same RTF (.doc) file..."
    * http://isc.sans.org/diary.html?storyid=8497
    Last Updated: 2010-03-25 13:30:36 UTC - "An email is being sent out warning the recipient of a "Copyright Lawsuit filed against you." We received a copy here and a number of .EDUs have reported its receipt... Currently only a few AV solutions detect the initial document:
    - http://www.virustotal.com/analisis/9...d87-1269486837 ..."
    File r439875.doc-25mar10 received on 2010.03.25 03:13:57 (UTC)
    Result: 7/42 (16.67%)

    - http://isc.sans.org/diary.html?storyid=8506
    Last Updated: 2010-03-26 14:19:15 UTC
    > http://www.virustotal.com/analisis/b...8ee-1269619641
    File suit.exe received on 2010.03.26 16:07:21 (UTC)
    Result: 21/42 (50.00%)

    - http://www.us-cert.gov/current/#copy...uit_email_scam
    March 26, 2010 - "... messages may contain malicious attachments or web links. If a user opens the attachment or follows the link, malicious code may be installed on the user's system..."

    - http://ddanchev.blogspot.com/2010/03...ainst-you.html
    March 29, 2010

    Last edited by AplusWebMaster; 2010-03-30 at 17:31.
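As an added illustration of the attachment type described in the post (this is not code from F-Secure, SANS or this thread), the following Python triage script checks whether a file handed over as ".doc" is really RTF, locates every \object group, decodes the hex \objdata stream and parses the OLE1 object header to expose the class name and whether the embedded native data starts with an MZ header. The RTF sample, the OLE1 bytes and the fake PE stub are constructed here; the file from the post is not reproduced.

```python
import re


def _lp(s: bytes) -> bytes:
    """OLE1 LengthPrefixedAnsiString: 4-byte little-endian length, then bytes."""
    return len(s).to_bytes(4, "little") + s


# Constructed sample (not the file from the post): an RTF document carrying
# an OLE1 "Package" object whose native data is a fake PE stub ("MZ" header).
FAKE_PE = b"MZ" + b"\x90" * 14
OLE1_OBJECT = (
    b"\x01\x05\x00\x00"                   # OLEVersion
    + b"\x02\x00\x00\x00"                 # FormatID 2 = embedded object
    + _lp(b"Package\x00")                 # ClassName
    + _lp(b"")                            # TopicName (empty)
    + _lp(b"")                            # ItemName (empty)
    + len(FAKE_PE).to_bytes(4, "little")  # NativeDataSize
    + FAKE_PE                             # NativeData
)
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\n"
    b"\\pard Copyright lawsuit notification. See attached.\\par\n"
    b"{\\object\\objemb{\\*\\objclass Package}\\objw1200\\objh600\n"
    b"{\\*\\objdata " + OLE1_OBJECT.hex().encode() + b"}}\n}"
)
# Constructed OLE2 compound-file magic, i.e. what a real binary .doc starts with.
SAMPLE_OLE2_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24


def is_rtf(data: bytes) -> bool:
    """Word sniffs content, not the extension: a ".doc" whose bytes begin
    with "{\\rt" is opened as RTF, so the check is on the bytes."""
    return data.lstrip().startswith(b"{\\rt")


def _read_lp_string(raw: bytes, off: int):
    n = int.from_bytes(raw[off:off + 4], "little")
    s = raw[off + 4:off + 4 + n].rstrip(b"\x00").decode("latin-1", "replace")
    return s, off + 4 + n


def parse_ole1(raw: bytes) -> dict:
    """Parse the OLE1 ObjectHeader carried in \\objdata: version, format,
    class name and, for embedded objects, a summary of the native payload."""
    info = {"ole_version": int.from_bytes(raw[0:4], "little"),
            "format_id": int.from_bytes(raw[4:8], "little")}
    info["class_name"], off = _read_lp_string(raw, 8)
    _, off = _read_lp_string(raw, off)   # TopicName
    _, off = _read_lp_string(raw, off)   # ItemName
    if info["format_id"] == 2:
        size = int.from_bytes(raw[off:off + 4], "little")
        payload = raw[off + 4:off + 4 + size]
        info["native_size"] = size
        info["native_is_pe"] = payload.startswith(b"MZ")
    return info


def find_embedded_objects(data: bytes) -> list:
    """Locate every \\object group, pull its \\objclass and decode the hex
    \\objdata stream into an OLE1 header summary."""
    objects = []
    starts = [m.start() for m in re.finditer(rb"\\object\b", data)]
    for idx, start in enumerate(starts):
        end = starts[idx + 1] if idx + 1 < len(starts) else len(data)
        chunk = data[start:end]
        cls = re.search(rb"\\\*\\objclass\s*([^}\\]*)", chunk)
        entry = {"objclass": cls.group(1).strip().decode("latin-1") if cls else None}
        hexdata = re.search(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)", chunk)
        if hexdata:
            h = re.sub(rb"\s+", b"", hexdata.group(1))
            if len(h) % 2:          # tolerate a dangling nibble
                h = h[:-1]
            entry.update(parse_ole1(bytes.fromhex(h.decode("ascii"))))
        objects.append(entry)
    return objects


def scan_attachment(data: bytes) -> dict:
    """Triage verdict for a mail attachment that claims to be a .doc."""
    result = {"is_rtf": is_rtf(data), "objects": []}
    if result["is_rtf"]:
        result["objects"] = find_embedded_objects(data)
    dropper_like = any(o.get("objclass") == "Package" or o.get("native_is_pe")
                       for o in result["objects"])
    result["verdict"] = "suspicious" if dropper_like else "no embedded object found"
    return result


if __name__ == "__main__":
    print(scan_attachment(SAMPLE_RTF))
    print(scan_attachment(SAMPLE_OLE2_DOC))
```

A "Package" class name with native data that starts with MZ is the shape of the dropper described above: an executable wrapped in an OLE packager object inside an RTF. Real samples often obfuscate the control words, so this parser is a starting point for triage rather than a replacement for a full RTF object extractor.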

  4. #234
    AplusWebMaster

    Zeus wants to do your taxes

    FYI...

    Zeus wants to do your taxes
    - http://isc.sans.org/diary.html?storyid=8503
    Last Updated: 2010-03-25 20:44:53 UTC ...(Version: 2) - "... received reports of suspicious emails claiming to be from the IRS. It's a common scheme to get a user to click and run an executable. It looks like zeus/zbot to me... The email looks something like...
    Subject: Underreported Income Notice
    Taxpayer ID: <recipient>-00000198499136US
    Tax Type: INCOME TAX
    Issue: Unreported/Underreported Income (Fraud Application)
    Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):
    Internal Revenue Service
    hxxp ://www.irs.gov.assewyx .co.uk/fraud.applications/application/statement.php?
    The download in this particular link was "tax-statement.exe"..."

    Child Tax Credit... Phishing Bait
    - http://www.symantec.com/connect/blog...-phishing-bait
    March 25, 2010

    - http://www.us-cert.gov/current/#us_t...phishing_scams
    March 26, 2010 - "... tax season malware campaign. This malware campaign may be using malicious code commonly known as Zeus or Zbot..."

    - http://www.irs.gov/privacy/article/0...html?portlet=5
    "... The IRS does -not- initiate taxpayer communications through e-mail..."

    Last edited by AplusWebMaster; 2010-03-27 at 13:40.
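An added example (not from the SANS diary or this thread): a Python check of the lure's link structure. The spoofed hostname puts irs.gov in its leading labels but is registered under a different domain. The script refangs the hxxp link, works out the registrable domain with a small public-suffix list that stands in for the real Public Suffix List, and flags any host that embeds a trusted domain without actually ending in it. The sample message and the TRUSTED_DOMAINS list are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the lure quoted in the post above. The
# link is "defanged" (hxxp, spaces before :// and before a dot) the way the
# diary printed it, so the checker first has to refang it.
SAMPLE_EMAIL = """Subject: Underreported Income Notice
Tax Type: INCOME TAX
Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):
hxxp ://www.irs.gov.assewyx .co.uk/fraud.applications/application/statement.php?
For the real site see https://www.irs.gov/ instead.
"""

# Minimal public-suffix list, enough for this example (assumption: a real
# deployment loads the Mozilla Public Suffix List instead).
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "edu", "uk", "co.uk", "org.uk", "gov.uk"}

# Constructed list of domains treated as legitimate senders of such notices.
TRUSTED_DOMAINS = ("irs.gov",)


def refang(text: str) -> str:
    """Undo common defanging so URLs parse: hxxp -> http, and strip the
    whitespace inserted before '://' and before a dot inside a hostname."""
    text = re.sub(r"\bhxxp", "http", text, flags=re.IGNORECASE)
    text = re.sub(r"\s+://", "://", text)
    text = re.sub(r"(?<=\S)\s+\.(?=[A-Za-z0-9])", ".", text)
    return text


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname (public suffix plus one
    label); the first match scanning left to right is the longest suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def spoofed_brand(host: str):
    """Return the trusted domain a hostname impersonates, or None.
    A host is genuine when the trusted domain is its suffix; it is a
    lookalike when the trusted domain appears only as leading labels."""
    host = host.lower().rstrip(".")
    for brand in TRUSTED_DOMAINS:
        if host == brand or host.endswith("." + brand):
            return None          # genuinely under the trusted domain
    for brand in TRUSTED_DOMAINS:
        if ("." + brand + ".") in ("." + host + "."):
            return brand         # trusted name used as a decoy prefix
    return None


def check_email(text: str) -> list:
    """Extract every URL from the message and classify its hostname."""
    findings = []
    for url in re.findall(r"https?://[^\s<>\"']+", refang(text)):
        host = urlsplit(url).hostname or ""
        brand = spoofed_brand(host)
        findings.append({
            "url": url,
            "host": host,
            "registrable_domain": registrable_domain(host),
            "spoofs": brand,
            "verdict": "lookalike" if brand else "ok",
        })
    return findings


if __name__ == "__main__":
    for f in check_email(SAMPLE_EMAIL):
        print(f["verdict"], f["host"], "->", f["registrable_domain"], f["spoofs"] or "")
```

The point the check makes concrete: a browser or a mail filter has to judge the registrable domain, not the label the eye lands on first. "www.irs.gov.assewyx.co.uk" belongs to whoever registered assewyx.co.uk, exactly the kind of sender the IRS advice quoted above says it never uses.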

  5. #235
    AplusWebMaster

    Fake update utilities...

    FYI...

    Fake update utilities...
    - http://www.theregister.co.uk/2010/03...update_trojan/
    29 March 2010 - "Miscreants have begun creating malware that overwrites software update applications from Adobe and others. Email malware that poses as security updates from trusted companies is a frequently used hacker ruse. Malware posing as update utilities, rather than individual updates, represents a new take on the ruse... recently detected Fakeupver trojan establishes a backdoor on compromised systems while camouflaging its presence by posing as an Adobe update utility. The malware camouflages itself by using the same icons and version number as the official package... "... malware is written in Visual Basic, faking such popular programs as Adobe, DeepFreeze, Java, Windows, etc. In addition, on being executed, they immediately turn on the following services: DHCP client, DNS client, Network share and open port to receive hacker’s commands..."


  6. #236
    AplusWebMaster

    Fake Facebook AV...

    FYI...

    Fake Facebook AV
    - http://www.f-secure.com/weblog/archives/00001920.html
    March 29, 2010 - "Facebook-specific antivirus application sounds like a good idea? Maybe not. One of our analysts saw this particular application claiming to be an antivirus wreak havoc on his Friends list. Of course, there is no such thing... If a Friend looking through the photos then clicks on the app's (apparently randomly generated) link... you might end up with a series of albums... Once installed on one Friend's account, this application tags 20 Friends into a picture... You can find more information about this, including instructions on how to remove the tags on the photos, at FacebookInsider*.
    Updated to add: Examples include Antivirus in Focebook and F'acebook antivirus.
    Notice the -misspelling- of Facebook in both names. Facebook is already in the process of removing and preventing such rogue apps."

    (Screenshots available at the URL above.)

    * http://thefacebookinsider.com/2010/0...-your-friends/


  7. #237
    AplusWebMaster

    SPAM site registrations flee China for Russia

    FYI...

    SPAM site registrations flee China for Russia - A Little Sunshine
    - http://www.krebsonsecurity.com/2010/...na-for-russia/
    March 31, 2010 - "... In early January 2010, and indeed in the months leading up to the new year, the percentage of domains advertised in spam registered in the .cn space dwarfed the number of .ru spam-related domains, according to figures gathered by the University of Alabama at Birmingham. But by mid-January, the number of .cn spam domains began to fall off dramatically, while the number of .ru spam domains increased markedly, UAB found (see graphic*). Gary Warner, director of research in computer forensics at UAB Birmingham, said a sizable share of spam-related new domain registrations continue to come through the .com space — which is served by hundreds of domain name registrars. But he said the biggest bulk registrations for spam domains routinely came out of .cn, particularly those associated with rogue online pharmacies. “The .com never had the volumes of abuse you’d see at one time in .cn, where you’d typically have one guy registering hundreds or thousands of spam domains every day,” Warner said. There is a decent chance that the spammers will move to another country-code registrar soon. Beginning April 1, Russia’s Coordination Center for domain registration will require individuals and businesses applying for a .ru address to provide a copy of a passport or legal registration papers. Warner said he’s looking forward to seeing a similar exodus from Russia in the weeks ahead. “I’m excited about the prospects of seeing the [number of] .ru spam domains going down just like we saw with China,” he said... ISC’s spam traps had identified more than 10,000 unique domain names being advertised in spam. More than 1,870 of those domains were tied to recently registered rogue pharmacies, and of those, 491 were registered in the .com space, while 18 were from .cn and 1,366 were at .ru Web sites..."
    * http://www.krebsonsecurity.com/wp-co...3/cnruspam.jpg


  8. #238
    AplusWebMaster

    Korea: 31% of malware origins - March 2010

    FYI...

    Korea: 31% of malware origins - March 2010
    - http://sunbeltblog.blogspot.com/2010...spikes-in.html
    April 07, 2010 - Number of infected computers spikes in Korea - "Hong Kong-based security firm Network Box reported that Korea was the country of origin for 31.1 percent of the malware on the Internet in March*. In February the country only pumped out 8.9 percent, leading researchers to theorize that there has been a huge increase in infected machines there pushing out phishing spam. Network Box includes phishing in its calculations of monthly malware statistics. They also include North and South Korea as one country in their categories, but say the lack of public computers in the North means that South Korea is the country of origin for the bulk of the statistic. The US was second on the list at 9.34 percent..."
    * http://www.infosecurity-us.com/view/...ware-threats-/

    - http://response.network-box.com/


  9. #239
    AplusWebMaster

    Facebook SCAM again - fake Ikea page

    FYI...

    Facebook SCAM again - fake Ikea page...
    - http://www.computerworld.com/s/artic...?taxonomyId=17
    April 9, 2010 - "... latest example of a new and pernicious trend on the social-networking site as scammers - usually disreputable online marketers trying to earn review by generating Web traffic - have flooded Facebook with these fake gift card pages over the past months. In late March, a similar $1,000 Ikea gift card scam took in more than 70,000 victims, and just last week another scam Facebook page offering a $500 Whole Foods gift certificate was widely reported. Friday's scam page had taken in more than 37,000 users by 11:30 a.m. Pacific Time, offering them a $1,000 gift certificate in exchange for promoting Ikea to their friends. At that time, the page was gaining new fans at the rate of about 5,000 per hour. The promotion, the page said, was only available for one day. To participate, users must become a fan of the fake Ikea page, hosted on Facebook, and then invite all their friends to become fans. They are then directed to an affiliate marketing page hosted by GiftDepotDirect .com, where they are asked personal information such as name, address, date of birth and home telephone number. After that step, the victim is told to sign up for two online marketing offers - these ones with legitimate Web sites such as Netflix and CreditReport .com - in order to claim the gift card. The promised cards in these scams never show up..."


  10. #240
    AplusWebMaster

    Wordpress blogs hit by ‘Networkads.net’ hack

    FYI...

    Wordpress blogs hit by ‘Networkads.net’ hack
    - http://krebsonsecurity.com/2010/04/h...kads-net-hack/
    April 9, 2010 - "A large number of bloggers using Wordpress are reporting that their sites recently were hacked and are redirecting visitors to a page that tries to install malicious software. According to multiple postings on the Wordpress user forum and other blogs, the attack doesn’t modify or create files, but rather appears to inject a Web address — “networkads .net/grep” — directly into the target site’s database, so that any attempt to access the hacked site redirects the visitor to networkads .net. Worse yet, because of the way the attack is carried out, victim site owners are at least temporarily locked out of accessing their blogs from the Wordpress interface. It’s not clear yet whether the point of compromise is a Wordpress vulnerability (users of the latest, patched version appear to be most affected), a malicious Wordpress plugin, or if a common service provider may be the culprit. However, nearly every site owner affected so far reports that Network Solutions is their current Web hosting provider... A scan of the file delivered by that redirect shows rather poor detection by most anti-virus products: Virustotal.com found that only 7 out of 39 anti-virus products detected it as malicious*...
    The following how-to-repair instructions appear to have worked for a number of Network Solutions customers hit by this attack.
    - Log in to your site at networksolutions.com
    - Using Network Solution’s MySQL admin console, browse to the wp_options table and change the value for “siteurl” to your blog’s URL. For example: “http://example.com/wordpress”.
    - Edit wp-config.php to override the value of SITEURL (this way, even if the database value is altered, it gets overridden by the config value).
    Still, that fix may only be temporary ..."
    * http://www.virustotal.com/analisis/3...777-1270828595
    File 8d2c18111ad5d4815c4b610c0fa30043e received on 2010.04.09 15:56:35 (UTC)
    Result: 7/39 (17.95%)

    - http://google.com/safebrowsing/diagn...etworkads.net/
    "Site is listed as suspicious - visiting this web site may harm your computer...
    last time Google visited this site was on 2010-04-09, and the last time suspicious content was found on this site was on 2010-04-09... Malicious software includes 29 exploit(s), 4 trojan(s)..."

    - http://blog.sucuri.net/2010/04/detai...wordpress.html
    April 10, 2010

    Alert: WordPress Blog & Network Solutions
    - http://blog.networksolutions.com/201...ork-solutions/
    Update: 04/10/2010

    - http://blog.trendmicro.com/wordpress...ss-compromise/
    Apr. 11, 2010

    Last edited by AplusWebMaster; 2010-04-12 at 02:57.
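The repair steps quoted above can be verified rather than eyeballed. The following Python audit is an added example (not code from Krebs, Network Solutions or the WordPress project): it compares the siteurl and home rows against the blog's known address and inspects wp-config.php for the WP_SITEURL and WP_HOME constants, which WordPress reads in preference to the database rows and which are what the "override SITEURL in the config" step refers to. The option rows and the config excerpt are constructed; the injected value is the redirect address the post reports, and http://example.com/wordpress is the post's own example URL.

```python
import re
from urllib.parse import urlsplit

# Constructed sample rows, as they might be read back from wp_options with
#   SELECT option_name, option_value FROM wp_options
#   WHERE option_name IN ('siteurl', 'home');
# The siteurl value mirrors the injected redirect reported in the post.
SAMPLE_OPTIONS = [
    {"option_name": "siteurl", "option_value": "http://networkads.net/grep"},
    {"option_name": "home", "option_value": "http://example.com/wordpress"},
]

# Constructed wp-config.php excerpt that has not yet been hardened.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('WP_DEBUG', false);
"""

EXPECTED_ORIGIN = "http://example.com/wordpress"   # the blog's real address

# WordPress constants that take precedence over the siteurl/home rows.
CONSTANT_FOR = {"siteurl": "WP_SITEURL", "home": "WP_HOME"}

DEFINE_RE = re.compile(
    r"""define\(\s*['"](WP_SITEURL|WP_HOME)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def _origin_parts(url: str):
    """Normalise a URL to (scheme, host, path) so comparisons ignore case
    and trailing slashes but still catch a changed host or path."""
    p = urlsplit(url.strip())
    return (p.scheme.lower(), (p.hostname or "").lower(), p.path.rstrip("/"))


def audit_options(rows, expected=EXPECTED_ORIGIN) -> list:
    """Flag siteurl/home values that differ from the blog's known address.
    Changing one of these rows is enough to redirect every visitor and lock
    the owner out of the dashboard, which is what the post describes."""
    want = _origin_parts(expected)
    findings = []
    for row in rows:
        if row["option_name"] not in CONSTANT_FOR:
            continue
        got = _origin_parts(row["option_value"])
        if got != want:
            findings.append({"option_name": row["option_name"],
                             "value": row["option_value"],
                             "foreign_host": got[1]})
    return findings


def config_overrides(wp_config_text: str) -> dict:
    """Return the WP_SITEURL / WP_HOME constants pinned in wp-config.php."""
    return {name: value for name, value in DEFINE_RE.findall(wp_config_text)}


def audit_site(rows, wp_config_text, expected=EXPECTED_ORIGIN) -> dict:
    """Combine both checks: tampered rows, missing or wrong overrides, and
    which tampered rows still take effect because nothing pins them."""
    tampered = audit_options(rows, expected)
    pinned = config_overrides(wp_config_text)
    want = _origin_parts(expected)
    missing = [c for c in CONSTANT_FOR.values() if c not in pinned]
    mismatched = [c for c, v in pinned.items() if _origin_parts(v) != want]
    in_effect = [t["option_name"] for t in tampered
                 if CONSTANT_FOR[t["option_name"]] not in pinned
                 or CONSTANT_FOR[t["option_name"]] in mismatched]
    return {
        "tampered_options": tampered,
        "missing_overrides": missing,
        "mismatched_overrides": mismatched,
        "redirect_in_effect": in_effect,
    }


if __name__ == "__main__":
    print(audit_site(SAMPLE_OPTIONS, SAMPLE_WP_CONFIG))
```

Pinning both constants closes the redirect even before the database row is repaired, which is why the post's third step matters; the audit still reports the tampered row so that it gets cleaned up rather than left behind as evidence the attacker retains write access.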
