
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #241
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Facebook game Farm Town serving "malvertisement"

    FYI...

    Facebook game Farm Town serving "malvertisement"...
    - http://www.theregister.co.uk/2010/04...malicious_ads/
    12 April 2010 - "... Facebook game with more than 9 million users... Farm Town..."

    >>> http://msmvps.com/blogs/spywaresucks...2/1763312.aspx
    Apr 12 2010 18:55 - "... screenshot of the malvertisement... (leads to) run-of-the-mill fake antivirus software..."
    - http://msmvps.com/blogs/spywaresucks...2/1763300.aspx
    Apr 12 2010 16:45

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #242

    Copyright ransomware in the Wild...

    FYI...

    Copyright ransomware in the Wild...
    - http://ddanchev.blogspot.com/2010/04...rt-themed.html
    April 12, 2010 - "The copyright violation alert themed ransomware campaign (Copyright violation alert ransomware in the wild; ICPP Copyright Foundation is fake*) is not just a novel approach for extortion of the highest amount of money seen in ransomware variants so far, but also, offers interesting clues into the multitasking mentality of the cybercriminals whose campaigns have already been profiled..."
    * http://www.f-secure.com/weblog/archives/00001931.html

    SSDD ...
    - http://isc.sans.org/diary.html?storyid=8620
    Last Updated: 2010-04-13 13:35:41 UTC


  3. #243

    Q1 2010: 0-day exploit deliveries...

    FYI...

    Q1 2010: 0-day exploit deliveries...
    - http://blog.scansafe.com/journal/201...zero-days.html
    April 9, 2010 - "ScanSafe STAT has been investigating an ongoing series of attacks which has been a hotbed for zero day exploits over the first quarter of 2010. The attackers are using three layers of legitimate sites. Two layers are compromised websites used to host malicious content that is then subsequently pushed to a third layer of legitimate websites via syndicated ads. In its current rendition, the attacks are being delivered to financial services themed websites. Previous rounds have been delivered via syndicated ads on Wikia-hosted websites and assorted game forums. The ads pull content from an attacker-planted HTML file contained in the /images directory of the compromised site. (Method of compromise is not known, but it's presumed to be a result of stolen FTP credentials)... Through the course of these attacks which began in late January, the attackers have been quick to incorporate the latest zero day du jour. These have included:
    CVE-2010-0806 Internet Explorer uninitialized memory corruption vulnerability
    CVE-2009-4324 "use-after-free" vulnerability in Adobe Reader/Acrobat
    CVE-2009-3867 HsbParser.getSoundBank buffer overflow vulnerability in Sun Java
    Mixed in with these have been an assortment of older exploits for Adobe Flash, Microsoft DirectShow, and miscellaneous Adobe Reader/Acrobat PDF exploits. Successful exploit leads to the download of a binary (also hosted on the same domain) which in observed cases has been a variant of the Bredolab trojan... Bredolab acts as a downloader agent. In the cases we've observed, this particular variant of Bredolab is downloading Zbot/Zeus. Encounters with these attacks are fairly steady and comprised 1% of all ScanSafe Web malware blocks in March (compared to Gumblar at 17%). What's particularly interesting about these attacks isn't the volume, but rather that they appear to be a vector for rapid deployment of the latest zero day exploits. And while the IP addresses and domain names for the attacker-owned sites have changed, the delivery method has remained constant."

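
The ScanSafe writeup above says the ad code pulled its payload from an attacker-planted HTML file sitting in the compromised site's /images directory. The following is an added example, not code from ScanSafe or from this thread: a small hunt script that walks an image directory and flags anything that is not really an image, whatever its extension. The directory layout, the file names and the file contents it creates are constructed for the demonstration; the magic-byte table covers only the common web image formats.

```python
"""Hunt for attacker-planted markup under a web site's image directory.

Added example (not from the ScanSafe post or the forum): walks an images
directory, reads each file's leading bytes, and flags anything that is not
a recognised image, or that carries HTML/JavaScript markup, regardless of
its extension.  The directory layout and file contents below are constructed.
"""
import os
import re
import tempfile

# Leading bytes of the image formats we expect to find under /images.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}
# Tags that have no business appearing inside an image file.
MARKUP_HINT = re.compile(rb"<\s*(?:html|head|body|script|iframe|meta)\b", re.IGNORECASE)
# Extensions that should never be served from an image directory.
RISKY_EXT = {".html", ".htm", ".js", ".php", ".phtml"}


def classify(head: bytes) -> str:
    """Return the real type of a file from its first bytes, ignoring the name."""
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    if MARKUP_HINT.search(head):
        return "markup"
    return "unknown"


def find_planted_files(image_root: str) -> list:
    """Return (relative path, reason) for every suspicious file under image_root."""
    findings = []
    for dirpath, _subdirs, names in os.walk(image_root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)
            kind = classify(head)
            ext = os.path.splitext(name)[1].lower()
            rel = os.path.relpath(path, image_root)
            if kind == "markup":
                where = "matching extension" if ext in RISKY_EXT else f"disguised as {ext or 'no extension'}"
                findings.append((rel, f"HTML/script content ({where})"))
            elif ext in RISKY_EXT:
                findings.append((rel, f"{ext} file under the image directory"))
            elif kind == "unknown":
                findings.append((rel, "not a recognised image format"))
    return findings


def build_sample_tree() -> str:
    """Constructed sample tree: two real-looking images and two planted files."""
    root = tempfile.mkdtemp(prefix="images_")
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "banner.gif": b"GIF89a" + b"\x00" * 32,
        # the kind of planted HTML an ad tag could pull in (content constructed)
        "ad.html": b"<html><body><iframe src='http://ad.example.invalid/x/'></iframe></body></html>",
        # script hiding behind an image extension
        "spacer.jpg": b"<script>document.write('x')</script>",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


def demo() -> list:
    """Run the hunt over the constructed tree and return the flagged file names."""
    return [rel for rel, _reason in find_planted_files(build_sample_tree())]


if __name__ == "__main__":
    for rel, reason in find_planted_files(build_sample_tree()):
        print(f"{rel}: {reason}")
```

Point it at the real /images directory of a site (or at an FTP mirror of it, since the presumed entry point was stolen FTP credentials) and review every hit; a file flagged "not a recognised image format" may just be an SVG or ICO, so extend IMAGE_MAGIC before treating those as planted.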

  4. #244

    songlyrics .com... hacked/serving exploits

    FYI...

    songlyrics .com... hacked/serving exploits
    - http://www.h-online.com/security/new...te-978283.html
    15 April 2010 - "... songlyrics .com... site appears to have been hacked by criminals who have embedded a program to download malicious code from a Russian web server... According to analysis by Wepawet... the attackers are not just exploiting the Java vulnerability, but also multiple vulnerabilities in Adobe Reader... fixed 15 vulnerabilities in Reader with update 9.3.2..."

    Java JRE 6 Update 20 update released
    - http://java.sun.com/javase/downloads/index.jsp
    April 15, 2010

    Adobe Reader and Acrobat v9.3.2 update released
    - http://www.adobe.com/support/securit...apsb10-09.html
    April 13, 2010

    - http://google.com/safebrowsing/diagn...onglyrics.com/
    "... 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-04-17, and the last time suspicious content was found on this site was on 2010-04-14..."

    - http://thompson.blog.avg.com/2010/04...is-a-lure.html
    April 14, 2010 - "... So far, it's not in any of the exploit kits, as far as we can see, but it's a given that it soon will be..."


  5. #245

    Network Solutions hacked again

    FYI...

    Network Solutions hacked again
    - http://blog.sucuri.net/2010/04/netwo...ked-again.html
    April 18, 2010 - "Network Solutions is getting hacked again. Just today we were notified of more than 50 sites hacked with... malware javascript... it is injecting this iframe from http ://corpadsinc .com/grep/ *... this time we are seeing all kind of sites hacked. From Wordpress, Joomla to just simple HTML sites..."
    (More detail and updates at the URL above.)

    * http://google.com/safebrowsing/diagn...orpadsinc.com/
    "... Site is listed as suspicious - visiting this web site may harm your computer... The last time Google visited this site was on 2010-04-19, and the last time suspicious content was found on this site was on 2010-04-19. Malicious software includes 9 exploit(s)... this site has hosted malicious software over the past 90 days. It infected 226 domain(s)..."

    - http://isc.sans.org/diary.html?storyid=8647
    Last Updated: 2010-04-18 21:47:10 UTC

    - http://www.malwaredomains.com/wordpress/?p=935
    April 18, 2010 - "Make sure the following domains are blocked or blacklisted:
    binglbalts . com
    corpadsinc .com
    fourkingssports .com
    networkads .net
    mainnetsoll .com

    sources: http://ddanchev.blogspot.com/2010/04...ompromise.html ,
    http://isc.sans.org/diary.html?storyid=8647 ."

    - http://krebsonsecurity.com/2010/04/n...n-under-siege/
    April 19, 2010
    - http://stopmalvertising.com/malverti...ustomers-again
    April 19, 2010

    - http://forums.spybot.info/showpost.p...&postcount=242
    April 10, 2010

    Last edited by AplusWebMaster; 2010-04-20 at 00:43.
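
The Sucuri post above describes an iframe injected into site pages that loads from corpadsinc .com, and the malwaredomains.com note lists five domains to block. Here is an added example, not Sucuri's or this thread's code, that does the corresponding check on the server side: it parses each page with the Python standard-library HTML parser, collects every iframe and script src, and flags those whose host is on the blocklist (the five domains from the post, written undefanged here only so they can be matched) or that are hidden, zero-size or display:none frames pointing off-site. The sample page it scans is constructed.

```python
"""Find injected iframes/scripts in site HTML, using the blocklist from the post.

Added example, not Sucuri's or the forum's code.  BLOCKLIST holds the five
domains listed by malwaredomains.com (undefanged so they can be matched);
SAMPLE_PAGE is a constructed page with one injected frame.
"""
import os
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCKLIST = {
    "binglbalts.com",
    "corpadsinc.com",
    "fourkingssports.com",
    "networkads.net",
    "mainnetsoll.com",
}

SAMPLE_PAGE = """<html><head>
<script src="https://www.example.com/site.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://corpadsinc.com/grep/" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://stats.unlisted.invalid/c.php" style="display: none"></iframe>
<iframe src="https://www.example.com/widget" width="300" height="250"></iframe>
</body></html>"""


def is_blocked(host: str, blocklist=BLOCKLIST) -> bool:
    """Exact or subdomain match; 'notcorpadsinc.com' must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


def _looks_hidden(attrs: dict) -> bool:
    """Zero-size or CSS-hidden element, the usual shape of an injected frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    zero = {"0", "0px"}
    return (attrs.get("width") or "").strip() in zero or (attrs.get("height") or "").strip() in zero


class _SrcCollector(HTMLParser):
    """Record (tag, src, hidden) for every iframe and script that has a src."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            a = dict(attrs)
            if a.get("src"):
                self.hits.append((tag, a["src"], _looks_hidden(a)))


def scan_html(html: str, blocklist=BLOCKLIST) -> list:
    """Return (tag, src, reason) for each suspicious element in one page."""
    parser = _SrcCollector()
    parser.feed(html)
    findings = []
    for tag, src, hidden in parser.hits:
        host = urlsplit(src).hostname or ""
        if is_blocked(host, blocklist):
            findings.append((tag, src, "blocklisted host"))
        elif hidden and host:
            findings.append((tag, src, "hidden external frame"))
    return findings


def scan_tree(root: str, exts=(".html", ".htm", ".php")) -> dict:
    """Run scan_html over every page under a web root; returns {path: findings}."""
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_html(fh.read())
                if findings:
                    report[path] = findings
    return report


if __name__ == "__main__":
    for tag, src, reason in scan_html(SAMPLE_PAGE):
        print(f"{tag} {src}: {reason}")
```

The blocklist match is label-aware (exact domain or a subdomain of it) so that unrelated names that merely end in the same string are not flagged. The hidden-frame heuristic catches the same injection after the attacker moves to a new domain, which the post notes they have done before; it will also flag legitimate tracking pixels, so treat those hits as leads rather than verdicts. Templates in WordPress or Joomla installs (theme footer.php and the like) are worth scanning alongside the static pages, since that is where an injection reaches every page at once.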

  6. #246

    Bot installs adware with FLV video player

    FYI...

    Bot installs adware with FLV video player
    - http://sunbeltblog.blogspot.com/2010...ith-video.html
    April 20, 2010 - "... investigating a botnet that auto installed FLV Direct Player. The player bundles Zugo Search adware, also known as LoudMo, on victims’ machines. FLV Direct is available freely on the web. The bot, however, uses an AutoIT script to script through the installation screens so the victim never sees the install... It also changes the victim machine’s home page to bing.zugo .com. Apparently this is some kind of affiliate operation – the malefactor affiliates get paid for installing LoudMo adware on the machines of unknowing victims and they just decided to do it wholesale with a botnet. Affiliates also are spamming heavily on Twitter (and who else knows where else) trying to get people to install the FLV Player..."

    (Screenshots available at the URL above.)


  7. #247

    Twitter SPAM in your Inbox

    FYI...

    Twitter SPAM in your Inbox
    - http://isc.sans.org/diary.html?storyid=8674
    Last Updated: 2010-04-22 15:25:05 UTC - "... received several emails today "from" support@twitter .com (Of course they really aren't from support.). We are also receiving reports from our readers that they are seeing the same thing. The emails claim that you have unread messages from Twitter and contain a link that you can supposedly click on to view the messages. The links are to various locations other than Twitter. Don't be fooled. The emails are -not- from Twitter and the links are -not- at Twitter. Just a reminder NEVER click on links in emails. Always login to your account to check it out... contacted Twitter and reported the emails..."

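
The ISC diary above makes a simple point: the mails claim to be from support@twitter .com but their links go elsewhere. That mismatch can be checked mechanically. The following is an added example, not the ISC's or this thread's code: it parses a raw message, takes the domain of the From: address, extracts every link from the text/plain and text/html parts, and returns those whose host is neither that domain nor a subdomain of it. The message it runs on is constructed.

```python
"""Flag e-mail links that do not lead where the From: header claims.

Added example, not from the ISC diary or the forum post.  SAMPLE_EMAIL is a
constructed message in the style the diary describes; the hosts in it are
illustrative only.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
BARE_URL_RE = re.compile(r"https?://[^\s<>\"']+")

SAMPLE_EMAIL = """\
From: Twitter Support <support@twitter.com>
To: someone@example.invalid
Subject: You have 3 unread messages
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have 3 unread direct messages.</p>
<p><a href="http://twitter.com.messages-view.invalid/inbox">View your messages</a></p>
<p><a href="https://twitter.com/settings/notifications">Notification settings</a></p>
<p><a href="http://evil-twitter.com/login">Log in</a></p>
</body></html>
"""


def sender_domain(msg) -> str:
    """Domain of the From: address as written (the header itself is unauthenticated)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower()


def same_org(host: str, domain: str) -> bool:
    """True only for the domain itself or a subdomain of it.  The check is
    label-aware: 'evil-twitter.com' and 'twitter.com.messages-view.invalid'
    both fail, although a naive endswith()/startswith() test would pass one each."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def extract_links(msg) -> list:
    """Every href in HTML parts plus every bare URL in plain-text parts, in order."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            links.extend(HREF_RE.findall(part.get_content()))
        elif ctype == "text/plain":
            links.extend(BARE_URL_RE.findall(part.get_content()))
    return links


def off_domain_links(raw_message: str) -> list:
    """Links whose host does not belong to the claimed sender's domain."""
    msg = message_from_string(raw_message, policy=policy.default)
    domain = sender_domain(msg)
    return [u for u in extract_links(msg) if not same_org(urlsplit(u).hostname or "", domain)]


if __name__ == "__main__":
    for url in off_domain_links(SAMPLE_EMAIL):
        print("off-domain link:", url)
```

This only establishes that the links do not go where the mail says it comes from; it says nothing about whether the From: header is genuine, which is a job for SPF/DKIM at the receiving mail server. A message that passes the check can still be hostile, so the diary's advice stands: open the site from a bookmark, not from the mail.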

  8. #248

    Facebook - Koobface spreading campaign

    FYI...

    Facebook - Koobface spreading campaign
    - http://ddanchev.blogspot.com/2010/04...gs-latest.html
    April 27, 2010 - "During the weekend... the Koobface gang... launched another spreading attempt across Facebook, with Koobface-infected users posting bogus video links on their walls.
    > Recommended reading: 10 things you didn't know about the Koobface gang
    - http://blogs.zdnet.com/security/?p=5452 [February 23, 2010]

    What's particularly interesting about the campaign, is that the gang is now starting to publicly acknowledge its connections with xorg .pl* (Malicious software includes 40706 scripting exploit(s), 4119 trojan(s), 1897 exploit(s)), with an actual subdomain residing there embedded on Koobface-serving compromised hosts..."
    * http://www.google.com/safebrowsing/d...?site=xorg.pl/
    "... The last time Google visited this site was on 2010-04-29, and the last time suspicious content was found on this site was on 2010-04-29..."


  9. #249

    Undetectable Facebook Scams

    FYI...

    Undetectable Facebook Scams
    - http://www.pcworld.com/article/19518...ook_scams.html
    Apr 28, 2010 - "... recently received two Facebook e-mail notifications... Nothing was obviously wrong with the e-mail messages, which said that my friend had tagged a photo of me and then commented on it. But something about a reference to an app named "Who stalks into your profile" just didn't feel right. So I checked it out. I dug into the e-mail header to make sure that it was from Facebook - it was. A search for the app's name didn't turn up any warnings. The app's installation page didn't give me any obvious clues, either. Still, I let my paranoia have its day, and I sat on the app. Sure enough, it was a scam, and an ingenious one. When anyone installed the supposed stalker app, it first created a photo montage of friends' images and then commented on that montage. Facebook duly sent out "your friend tagged a photo of you" messages, effectively advertising the scam app, which was created to generate illicit online ad revenue. Facebook, with its millions of users, has become a major target for online crooks who try to use malicious apps for everything from phishing to spam to a first step toward installing more dangerous malware onto your PC..."


  10. #250

    Yahoo!-Messenger worm...

    FYI...

    New Yahoo! Messenger worm
    - http://www.symantec.com/connect/blog...messenger-worm
    May 2, 2010 - "... new Yahoo! Messenger worm doing the rounds. Potential victims receive instant messages from contacts in their list, containing a link claiming to be a photo, which in reality points to a malicious executable... The page at the end of the link is basic and does not employ any exploits in order to install the worm, it relies solely on social engineering to trick victims into believing they are opening a picture from a friend, while in fact they run the worm... When the link is clicked, the default browser is redirected to the worm executable, which has a misleading name. Please note the file extension is actually “.exe”. In order to run, the worm still needs the user’s action to open/run the file. Once run, the worm copies itself to %WinDir%\infocard.exe, then it adds itself to the Windows Firewall List, stops the Windows Updates service and sets the following registry value so that it runs every time the system boots:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\“Firewall Administrating” = “%WinDir%\infocard.exe”
    Then it looks for the Yahoo! Messenger application on the system, and sends out links to the worm to everyone in the contact list. It may also download and execute other malicious files. When run the first time, the worm will open a new page to the following address, so some photos eventually appear to the user, in order to mask the infection: browseusers.myspace .com/Browse/Browse.aspx Symantec detects and remediates this threat as W32.Yimfoca..."
    (Screenshots available at the Symantec URL above.)

    - http://www.internetnews.com/security...sers+Trust.htm
    May 7, 2010 - "... This latest socially engineered malware scam first appears as a friendly invite from a contact in a user's Yahoo Messenger account. What appears to be a smiley-faced invite to take a gander at some new photos is actually the first step down the slippery slope to becoming a botnet..."

    Last edited by AplusWebMaster; 2010-05-08 at 18:59.
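
The Symantec writeup above gives two concrete persistence indicators for W32.Yimfoca: a Run value named "Firewall Administrating" and a copy of the worm at %WinDir%\infocard.exe. The following is an added example, not Symantec's or this thread's code, for checking those from an offline registry export (the text that `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` produces; open such a file with encoding="utf-16" when it comes straight from Windows). The .reg text it parses is constructed. One caveat the writeup does not mention: Windows CardSpace ships a legitimate infocard.exe under %WinDir%\system32, so the check keys on the location, not the file name.

```python
"""Check a Run-key export for the W32.Yimfoca persistence described above.

Added example, not Symantec's or the forum's code: a minimal parser for the
text format produced by `reg export`, plus a check for the two indicators
named in the writeup (value name "Firewall Administrating"; a command
pointing at infocard.exe directly under %WinDir%).  SAMPLE_REG is constructed.
"""
import ntpath
import re

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_EXE_PATH = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="\"%ProgramFiles%\\Windows Defender\\MSASCui.exe\" -hide"
"Firewall Administrating"="%WinDir%\\infocard.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\system32\\infocard.exe /q"
'''


def _unescape(s: str) -> str:
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict:
    """Map each key path to {value name: data}.  The default value is named '@';
    dword/hex data is kept as raw text and multi-line hex continuations are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else "@"
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            current[name] = data
    return keys


def _expand(path: str) -> str:
    """Expand %WinDir%/%SystemRoot%; the real value is assumed to be C:\\Windows."""
    return re.sub(r"%(windir|systemroot)%", lambda m: r"C:\Windows", path, flags=re.IGNORECASE)


def find_yimfoca_persistence(reg_text: str) -> list:
    """Return (key, value name, data, reasons) for Run/RunOnce entries matching the indicators."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        if "\\currentversion\\run" not in key.lower():
            continue
        for name, data in values.items():
            reasons = []
            if name.lower() == "firewall administrating":
                reasons.append("value name used by W32.Yimfoca")
            m = _EXE_PATH.match(data)
            if m:
                exe = _expand(m.group(1))
                if (ntpath.basename(exe).lower() == "infocard.exe"
                        and ntpath.dirname(exe).lower().endswith("\\windows")):
                    reasons.append("infocard.exe directly under %WinDir% (not system32)")
            if reasons:
                hits.append((key, name, data, reasons))
    return hits


if __name__ == "__main__":
    for key, name, data, reasons in find_yimfoca_persistence(SAMPLE_REG):
        print(f"[{key}] {name} = {data}\n    " + "; ".join(reasons))
```

The RunOnce entry in the constructed sample points at the system32 copy and is deliberately not flagged. The writeup also says the worm adds itself to the Windows Firewall exception list and stops the Windows Update service; on a live machine those are the next two things to check (the firewall rules and the wuauserv service state) once a Run-key hit confirms the infection, but they are not in an export of this key.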
