Page 41 of 70 (Results 401 to 410 of 694)

Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #401
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Spamvertised.. campaign serving scareware

    FYI...

    Spamvertised.. campaign serving scareware
    - http://ddanchev.blogspot.com/2011/04...-campaign.html
    April 12, 2011 - "A currently spamvertised scareware-serving campaign is enticing end users into downloading and executing a malicious binary, which drops a scareware variant.
    Sample subject: Reqest rejected (SP?)
    Sample message: "Dear Sirs, Thank you for your letter! Unfortunately we can not confirm your request! More information attached in document below. Thank you Best regards."
    Sample attachments: EX-38463.pdf.zip; EX-38463.pdf.exe
    Detection rate:
    - http://www.virustotal.com/file-scan/...932-1302746736
    File name: EX-38463.pdf.exe
    Submission date: 2011-04-14 02:05:36 (UTC)
    Current status: finished
    Result: 35/41 (85.4%)
    ... Upon execution downloads hdjfskh .net/ pusk .exe - 208.43.90.48...
    Detection rate:
    - http://www.virustotal.com/file-scan/...83c-1302681312
    File name: VRB.EXE.Muestra EliStartPage v23.03
    Submission date: 2011-04-13 07:55:12 (UTC)
    Current status: finished
    Result: 19/42 (45.2%)

    Phones back..."

    (More detail at the ddanchev.blogspot URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #402
    AplusWebMaster

    Fraud - intuit TurboTax e-mails ...

    FYI...

    Fraud - intuit TurboTax e-mails...
    - http://security.intuit.com/alert.php?a=29
    04/15/2011 - "... fraudulent email (copy shown at the URL above)...
    What we won't do
    - We will -never- send you an email with a "software update" or "software download" attachment.
    - We will -never- send you an email asking you for login or password information to be sent to us.
    - We will -never- ask you for your banking information or credit card information in an email. We will -never- ask you for confidential information about your employees in an email.
    What we'll do
    - We will provide you with instructions on how to stay current with your Intuit product, and we will provide you with information on how to securely download an update from your computer.
    - If we need you to update your account information, we will request that you do so by logging into your account..."


  3. #403
    AplusWebMaster

    Another Facebook scam...

    FYI...

    Facebook scam "My Top 10 stalkers"...
    - http://community.websense.com/blogs/...countries.aspx
    19 Apr 2011 - "A new spam campaign, similar to campaigns we have seen in the past, is spreading on Facebook... It works by creating an album - “My Top 10 stalkers” - with the description "Check who views your profile @," followed by a bit.ly URL-shortened link. It then automatically uploads a photo to the app and tries to mark all the user's friends in the photo... The bit.ly link redirects the user to a page that uses JavaScript to determine the geographical location of the computer based on its IP address. Depending on the location, the page then redirects users located in specific targeted countries to the Facebook App in an attempt to further spread the infected link. The campaign is targeted at Facebook users in the United States, Canada, United Kingdom (including a specific target for Great Britain), Saudi Arabia, Norway, Germany, Spain, Slovenia, Ireland, and United Arab Emirates... Regardless of whether the JavaScript redirects the browser to the Facebook app because of its origin, all users are ultimately redirected to a scam page that tries to lure them into completing several fake surveys. Hackers use this method to try to collect personal information such as the user's home address, e-mail address, or phone number... If the user tries to navigate away from the page or close the browser, a message appears asking them to stay and complete a "SPAM-free market research survey to gain access to this special content." Special it may sound, but it is definitely not spam-free! As always, if a page forces you to Like, Share, or install an application in order to view it, DON'T..."
    (Screenshots available at the URL above.)


  4. #404
    AplusWebMaster

    TDL rootkit bypasses security on x64 Vista/Win7

    FYI...

    TDL rootkit bypasses security on x64 Vista/Win7
    - http://www.informationweek.com/news/...ndly=this-page
    April 22, 2011 - "The malware state of the art continues to improve. In particular, the latest version of the TDL rootkit family - aka Olmarik, TDSS, Alureon - contains sophisticated mechanisms for bypassing security features built into 64-bit versions of Microsoft Windows Vista and Windows 7, and can download additional, standalone malware applications. The fourth version of the TDL malware first appeared* in August 2010 and contained sophisticated new techniques for defeating security measures... TDL4 can "load its kernel-mode driver on systems with an enforced kernel-mode code signing policy," meaning the 64-bit versions of Vista and Windows 7. At that point, the malware can hook directly into the Windows operating system... Since the fourth version of TDL first appeared, it's undergone numerous, incremental revisions. For example, in March 2011, a new version of TDL4 appeared that - after infecting a PC - installs the standalone Glupteba.D malware**, which can then download and execute other pieces of malware... no matter the security defense, such as driver signing, a way to defeat it can be found..."
    * http://www.informationweek.com/news/...ndly=this-page

    ** http://resources.infosecinstitute.com/tdss4-part-1/
    April 19, 2011


  5. #405
    AplusWebMaster

    SPAM - malicious e-mail msgs...

    FYI...

    Virus Outbreak In Progress...
    - http://www.ironport.com/toc/
    April 25, 2011

    - http://tools.cisco.com/security/cent...o=1&sortType=d

    Fake Microsoft Live Messenger Download Link E-mail Messages - April 25, 2011
    - http://tools.cisco.com/security/cent...?alertId=23009
    Fake Purchase Receipt E-mail Messages - April 25, 2011
    - http://tools.cisco.com/security/cent...?alertId=23008
    Malicious Program Download E-mail Messages - April 25, 2011
    - http://tools.cisco.com/security/cent...?alertId=23007
    Fake Malware Threat Notification E-mail Messages - April 25, 2011
    - http://tools.cisco.com/security/cent...?alertId=23006
    Fake UPS Shipment Error E-mail Messages - April 25, 2011
    - http://tools.cisco.com/security/cent...?alertId=19743
    Malicious Video Link E-mail Messages - April 25, 2011
    - http://tools.cisco.com/security/cent...?alertId=21895

    Fake CNO Guidance Attachment E-mail Messages - April 21, 2011
    - http://tools.cisco.com/security/cent...?alertId=22996
    Malicious Photo Attachment E-mail Messages - April 22, 2011 ...
    - http://tools.cisco.com/security/cent...?alertId=23003

    Last edited by AplusWebMaster; 2011-04-25 at 21:17.

  6. #406
    AplusWebMaster

    Spamvertised "Successfull Order..." leads to scareware

    FYI...

    Spamvertised "Successfull Order..." leads to scareware
    - http://ddanchev.blogspot.com/2011/04...er-977132.html
    April 28, 2011 - "A currently ongoing malware campaign is impersonating Bobijou Inc for malware-serving purposes.
    Sample subject: "Successfull Order 977132"
    Sample message: "Thank you for ordering from Bobijou Inc.This message is to inform you that your order has been received and is currently being processed.
    Your order reference is 901802. You will need this in all correspondence. This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address. You have chosen to pay by credit card. Your card will be charged for the amount of 262.00 USD and “Bobijou Inc”...
    Sample attachments: Order_details.zip ...
    Detection rates...
    * http://www.virustotal.com/file-scan/...904-1303915483
    File name: Order details.exe
    Submission date: 2011-04-27 14:44:43 (UTC)
    Result: 24/40 (60.0%)
    There is a more up-to-date report...
    - http://www.virustotal.com/file-scan/...904-1303987793
    File name: 1
    Submission date: 2011-04-28 10:49:53 (UTC)
    Result: 34/42 (81.0%)

    >>> Upon execution phones back to: kkojjors.net/f/g.php - 95.64.9.15...
    variantov.com/pusk.exe - 94.63.149.26...
    ** http://www.virustotal.com/file-scan/...a05-1303916125
    File name: pusk.exe
    Submission date: 2011-04-27 14:55:25 (UTC)
    Result: 4/41 (9.8%)
    There is a more up-to-date report...
    - http://www.virustotal.com/file-scan/...a05-1303939887
    File name: hew.exe.VIR
    Submission date: 2011-04-27 21:31:27 (UTC)
    Result: 11/41 (26.8%)

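Both of the ddanchev campaigns in this thread (#401 and #406) deliver a .zip whose member is an executable wearing a document name ("EX-38463.pdf.exe", "Order details.exe"). The following is an added example, not code from the posts or from the cited blog: a mail-gateway style check that opens a zip attachment in memory and flags double extensions, bare executables, and members that carry a PE "MZ" header under a document extension. The attachment contents are constructed stubs, so the script runs offline; the extension lists are my assumptions, not a published rule set.

```python
"""
Added example: flag zip attachments that match the double-extension
executable pattern of the campaigns above.  Samples are constructed in
memory; the extension lists are assumptions for the demo.
"""
import io
import zipfile
from typing import Dict, List, Optional

# Extensions Windows will run; only the trailing extension decides execution.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a recipient expects to be inert documents or images.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_name(name: str) -> Optional[str]:
    """Return a finding for a suspicious member name, or None if the name is clean."""
    base = name.lower().rsplit("/", 1)[-1]      # drop any path inside the archive
    parts = base.split(".")
    if len(parts) < 2:
        return None
    if "." + parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
        return f"double extension: {name}"     # e.g. EX-38463.pdf.exe
    return f"executable in archive: {name}"    # e.g. Order details.exe


def scan_zip(data: bytes) -> List[str]:
    """Inspect every member of a zip attachment; read only 2 bytes per member."""
    findings: List[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                finding = classify_name(info.filename)
                if finding:
                    findings.append(finding)
                    continue
                # A renamed PE: document extension, but the file starts with "MZ".
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":
                        findings.append(
                            f"PE header under non-executable name: {info.filename}"
                        )
    except zipfile.BadZipFile:
        findings.append("not a valid zip")
    return findings


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Helper to construct sample attachments in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples using the attachment names quoted in the posts above.
FAKE_PE = b"MZ" + b"\x00" * 62                 # stub DOS header, not a real program
SAMPLES = {
    "EX-38463.pdf.zip": build_zip({"EX-38463.pdf.exe": FAKE_PE}),
    "Order_details.zip": build_zip({"Order details.exe": FAKE_PE}),
    "invoice.zip": build_zip({"invoice.pdf": b"%PDF-1.4 stub"}),
    "renamed.zip": build_zip({"report.doc": FAKE_PE}),
}


def scan_attachments(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, List[str]]:
    """Run scan_zip over each named attachment and return findings per attachment."""
    return {name: scan_zip(data) for name, data in samples.items()}


if __name__ == "__main__":
    for attachment, findings in scan_attachments().items():
        print(attachment, "->", findings or "clean")
```

The header check matters because the name test alone is trivially bypassed by dropping the ".exe"; a real .doc is an OLE compound file and a real PDF starts with "%PDF", so an "MZ" prefix under either extension is worth quarantining regardless of how the member is named.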

  7. #407
    AplusWebMaster

    Malicious SPAM on the rise...

    FYI...

    Malicious SPAM on the rise...
    - http://labs.m86security.com/2011/04/...ncrease-again/
    April 29, 2011 - "... our stats show the bot herders are gearing up again with the proportion of spam with malware attachments rising*, although still not as high as the peaks we saw mid last year... After the bot herders took a brief Easter break, they are back to sending new waves of malicious spam. The first spam campaign was sent by the Cutwail botnet earlier this week. The email claims to be an invoice from Bobijou Inc. – an online jewellery brand. There is a chance that people might fall into this trap especially as it claims money on your credit card was involved. But take a closer look at the subject line: Successfull Order 3677718, that wrong spelling should easily alert you that this email is a scam... Another malicious spam campaign originating from the Donbot botnet came in later this week. It uses a common, uncreative theme with subject lines like, “my hot pic : )“, “my naked pic is attached“, etc. The Donbot botnet’s spam output is on the rise and this is the first time we have seen it spreading malicious attachments... In addition, this week we have been seeing more of the Asprox botnet’s “Spam from your Facebook account” campaign, that preys on people's fears about the security of their Facebook accounts. This campaign first came out last year, illustrating that the bot herders behind Asprox often cycle their spam campaigns between UPS, DHL, FEDEX and iTunes Gift Certificate among others... The attachment is a Trojan that aims to seed the Asprox bot executable in the infected host, which is then used for spamming purposes..."
    * http://labs.m86security.com/wp-conte...iciousSpam.png


  8. #408
    AplusWebMaster

    Facebook Scam... leads to Adware

    FYI...

    Facebook Scam... leads to Adware
    - http://labs.m86security.com/2011/05/...ads-to-adware/
    May 1, 2011 - "... we observed a new type of scam, this one leveraging Facebook’s new social plugin for websites that allow for comments. This is being exploited by scammers to get their rogue websites visible on users’ news feeds... There are various flavors of the scam making the rounds. However, the newest one to make the rounds focuses on a familiar Apple product: the iPhone. With rumors circulating about the iPhone 5, loyal Apple followers are drawn to the various news articles that cover these stories... The report claims to be from Wired News and has one of those headlines that is used to lure a user into clicking on the link... Once a user clicks on the link, they are -redirected- to a random .info site. There have been over 10 of these in circulation for this particular scam. Before the user can click on anything, they are asked to answer a CAPTCHA-like verification form... Unlike most Facebook scams of late, at the end of this rainbow, there is no survey scam. Instead, the users are prompted to download an executable file. The executable file is videogameboxinstaller.exe and it is dubious in nature, as it downloads other pieces of software... PageRage notes in its terms above that it will display ads to the end user. Sounds like Adware? Four antivirus vendors agree*, flagging this as Adware.Yontoo... "
    * http://www.virustotal.com/file-scan/...b4a-1304294930
    File name: pagerage.exe
    Submission date: 2011-05-02 00:08:50 (UTC)
    Result: 4/41 (9.8%)


  9. #409
    AplusWebMaster

    Goal.com serving malware

    FYI...

    Goal.com serving malware
    - http://blog.armorize.com/2011/05/goa...g-malware.html
    5.02.2011 - "Goal.com receives 232,116 unique visitors per day according to compete.com, 215,989 according to checksitetraffic.com, and ranks 379 globally on alexa.com. Recently between April 27th to 28th, it was detected by HackAlert to be actively serving malware (drive-by downloads). From what we've observed, we believe the attacker has a way into goal.com's system and was only testing during this time. This is our technical report.
    Summary
    A. From what we've collected, parts of goal.com seem to have been compromised allowing the attacker to manipulate content at will. A backdoor may exist to allow the attacker continuous control of goal.com's content.
    B. During this time we've observed different malicious scripts injected into goal.com, leading us to believe that this isn't a one-time mass SQL injection attempt. We've also not found the injected content to appear in other websites.
    C. The malicious domains include:
    1. pxcz .cz .cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.
    2. opofy7puti .cz .cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.
    3. justatest .cz .cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.
    > This further suggests that this is an attack targeted at goal.com
    D. Duration was between April 27th to 28th. The attacker seemed to be testing their injections and was picked up by our scanners.
    E. Browser exploits used during this "test-drive" included: CVE-2010-1423 (Java), CVE-2010-1885 (MS help center HCP), CVE-2009-0927 (PDF), and CVE-2006-0003 (MS MDAC).
    F. The g01pack exploit pack was being used. It includes a fake admin page which is used as a honeynet for security researchers--to allow the attacker to observe who is studying their malicious domains.
    G. The exploit codes were well mutated. We don't mean well "obfuscated," because in addition to obfuscation, the primitive form of the exploit itself has been mutated well so as to avoid detection.
    H. Malware served was packed with UPX and modifies setupapi.dll and sfcfiles.dat. When we first submitted it to VirusTotal, 4 out of 41 antivirus vendors were able to flag it.
    I. The malware connects to the following domains:
    1. testurl .ipq .co:80 (in UK), which again, is neither flagged by any antivirus blacklist nor by Google SafeBrowsing
    2. 74.125.47.99 :80 (US), which reverses back to coldgold .co .uk, and which again, isn't blacklisted by any, including Google SafeBrowsing.
    Details:
    3. banderlog .org, not flagged by antivirus / Google SafeBrowsing, but has some records on clean-mx.de..."

    (More detail and screenshots available at the blog.armorize URL above.)

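The Armorize report above lists its indicators defanged with spaces ("pxcz .cz .cc", "testurl .ipq .co"). An added example, not code from the report or from this post: refang those indicators and sweep a web-proxy log for any client that talked to them, matching subdomains of a listed domain as well as the exact host. The log lines are constructed for the demo in a simplified Squid-like layout; the field positions are an assumption about that layout, not about any real log.

```python
"""
Added example: refang the defanged indicators quoted in the post and match
them against proxy log lines.  Log lines and their layout are constructed
for the demo.
"""
import ipaddress
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Indicators copied as written (defanged) from the report quoted above.
RAW_IOCS = [
    "pxcz .cz .cc",
    "opofy7puti .cz .cc",
    "justatest .cz .cc",
    "testurl .ipq .co",
    "74.125.47.99",
    "banderlog .org",
]


def refang(ioc: str) -> str:
    """Collapse 'host .tld', 'host[.]tld' and hxxp:// defanging into a plain host."""
    s = ioc.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    s = re.sub(r"\s*\[?\.\]?\s*", ".", s)   # " .", "[.]" -> "."
    return s


def load_iocs(raw: List[str] = RAW_IOCS) -> Tuple[Set[str], Set[str]]:
    """Split indicators into a domain set and an IP set."""
    domains: Set[str] = set()
    ips: Set[str] = set()
    for item in raw:
        host = refang(item)
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host)
    return domains, ips


def host_matches(host: str, domains: Set[str], ips: Set[str]) -> Optional[str]:
    """Return the indicator a host matches (exact IP, exact domain or parent domain)."""
    host = host.lower().rstrip(".")
    if host in ips:
        return host
    labels = host.split(".")
    # Walk up the label chain so cdn.banderlog.org matches banderlog.org;
    # stop before the bare TLD so a single label never matches.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def extract_host(url_field: str) -> str:
    """Handle both absolute URLs (GET) and host:port targets (CONNECT)."""
    if "://" not in url_field:
        url_field = "//" + url_field
    return urlsplit(url_field).hostname or ""


# Constructed log lines: <epoch> <client> <method> <url> <status>.
LOG_LINES = [
    "1303916125.001 10.0.0.5 GET http://www.goal.com/en/ 200",
    "1303916126.002 10.0.0.5 GET http://pxcz.cz.cc/in.php 200",
    "1303916127.003 10.0.0.7 CONNECT testurl.ipq.co:80 200",
    "1303916128.004 10.0.0.9 GET http://74.125.47.99/ 200",
    "1303916129.005 10.0.0.9 GET http://cdn.banderlog.org/x.exe 200",
    "1303916130.006 10.0.0.3 GET http://example.org/ 200",
]


def find_hits(lines: List[str] = LOG_LINES,
              raw: List[str] = RAW_IOCS) -> List[Tuple[str, str]]:
    """Return (client, matched_indicator) pairs for every log line that hit an IOC."""
    domains, ips = load_iocs(raw)
    hits: List[Tuple[str, str]] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        match = host_matches(extract_host(url), domains, ips)
        if match:
            hits.append((client, match))
    return hits


if __name__ == "__main__":
    for client, indicator in find_hits():
        print(f"{client} contacted {indicator}")
```

Treat a hit on the bare IP indicator as a lead rather than a verdict: a single address can front many unrelated sites, so confirm what the client actually requested from it before blocking the address outright. The domain matches (pxcz.cz.cc, testurl.ipq.co, banderlog.org) are the ones worth an immediate host triage, since the report notes none of them were on any blacklist at the time.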

  10. #410
    AplusWebMaster

    SPAM - Osama dead pics

    FYI...

    Osama alive scam - Twitter
    - http://www.theregister.co.uk/2011/05..._twitter_scam/
    24 May 2011
    ___

    Osama RTF Exploit
    - http://www.f-secure.com/weblog/archives/00002154.html
    May 5, 2011
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3333
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3334
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-3335
    CVSS v2 Base Score: 9.3 (HIGH)
    - http://www.microsoft.com/technet/sec.../MS10-087.mspx
    • V2.1 (April 12, 2011): Announced that the security update for Microsoft Office 2004 for Mac (KB2505924) offered in MS11-021, MS11-022, and MS11-023 also addresses the vulnerabilities described in this security bulletin.
    - http://www.microsoft.com/technet/sec.../MS11-021.mspx
    > CVE-2011-0097, CVE-2011-0098, CVE-2011-0101, CVE-2011-0103, CVE-2011-0104, CVE-2011-0105, CVE-2011-0978, CVE-2011-0979, CVE-2011-0980
    - http://www.microsoft.com/technet/sec.../MS11-022.mspx
    > CVE-2011-0655
    - http://www.microsoft.com/technet/sec.../MS11-023.mspx
    > CVE-2011-0107, CVE-2011-0977
    ___

    SPAM - Osama dead pics
    - http://www.symantec.com/connect/blog...-osama-s-death
    3 May 2011 - "The first spam using the news of Osama Bin Laden’s death was seen in the wild within three hours of the event—Symantec reported this spam activity along with other spam samples in a blog entitled “Osama Dead” is No Longer a Hoax. As anticipated, we started observing a rise in malicious and phishing attacks... The links in this spam email dump Downloader onto the victim’s machine, which in turn downloads the actual malware. Further analysis of these attacks shows that most of the malicious attacks have originated from Brazil, Europe, and the U.S... Spammers are making an effort to not only push the messages into users’ inboxes, but also getting them to open and install the executable payload... The phishing site shows an auto-running Bin Laden related video in an iframe and asks the user to click on a link to download a “complete” video. Clicking on that link forces the download of an .exe file..."

    - http://community.websense.com/blogs/...dead-pics.aspx
    04 May 2011 03:26 PM - "Messages inviting users to see the "real photos" of Osama Bin Laden's remains made the rounds in the email realm today, in addition to the Facebook scams and malware recently spread via Twitter abusing the same topic... Clicking on the provided link prompts the user to download a file called FOTOS.Terroris.zip, which is fairly detected by AV engines*."
    * http://www.virustotal.com/file-scan/...b1a-1304596429
    File name: Fotos.exe.vir
    Submission date: 2011-05-05 11:53:49 (UTC)
    Result: 30/42 (71.4%)

    - http://www.us-cert.gov/current/#osama_bin_laden_s_death
    May 2, 2011
    ___

    Osama malware scams spread to Facebook
    - http://www.theregister.co.uk/2011/05...malware_scams/
    3 May 2011

    Last edited by AplusWebMaster; 2011-05-24 at 20:58.
