Page 43 of 70 (Results 421 to 430 of 694)

Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #421
    AplusWebMaster (Adviser Team; Join Date Oct 2005; Location USA; Posts 6,881)

    64-bit banker rootkit ...

    FYI...

    64-bit banker rootkit spies on online customers
    - http://www.h-online.com/security/new...s-1247881.html
    23 May 2011 - "... Kaspersky has discovered* another rootkit with 64-bit Windows support: a variant of the Banker rootkit is targeting the access credentials of online banking customers in Brazil. The malware is injected into systems via a hole in an obsolete version of Java and first disables the Windows User Account Control (UAC) feature so that it can go about its business without being interrupted. It then installs bogus root certificates and modifies the HOSTS file in such a way that victims trying to access the banking web site are redirected to a phishing site operated by the criminals. The injected certificate prevents the browser from issuing an alert when establishing an encrypted connection to the phishing site, and the victim is left unaware. Kaspersky says that the malware also deletes a security plug-in used by various Brazilian banks. Unusually, the malware installs a custom system driver to uninstall the security plug-in and modify the HOSTS file. On 64-bit Windows systems, this requires some effort because Microsoft's Kernel Patch Protection (PatchGuard) prevents unsigned drivers from being installed. As 64-bit Windows installations still have a relatively small market share, rootkits with 64-bit support are currently still quite rare; a 64-bit version of the Alureon/TDL rootkit was discovered last November..."
    * http://www.securelist.com/en/blog/11...also_to_64_bit

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
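
    The HOSTS-file redirection described in the h-online item above can be checked for on any Windows box without admin rights, since the file is world-readable. The Python script below is an added example written for this thread; it is not code from the post, from Kaspersky or from h-online. The HOSTS content it parses is constructed, and the bank name and address in it are illustrative.

```python
"""Flag HOSTS-file entries that redirect a hostname away from loopback.

Added example for this thread: not code from the post, Kaspersky or h-online.
SAMPLE_HOSTS is constructed; the bank name and address in it are illustrative.
"""
import ipaddress

# Names that legitimately sit in a stock HOSTS file, mapped to loopback.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: the stock lines plus what a HOSTS-hijacking banker leaves.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.example-bank.com example-bank.com   # phishing server
203.0.113.45    www.virustotal.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping in HOSTS text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not "address name [name...]"; ignore
        for name in fields[1:]:
            yield ip, name.lower(), line_no


def suspicious_entries(text, watch_domains=()):
    """Return a list of mappings worth a second look.

    watch_domains are domains (your bank, your AV vendor) that should never be
    in HOSTS at all; anything equal to or under them is flagged regardless of
    the address. Everything else is flagged only if it points somewhere other
    than loopback/0.0.0.0, so ad-blocking HOSTS files stay quiet.
    """
    watch = tuple(d.lower() for d in watch_domains)
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in BENIGN_NAMES and ip.is_loopback:
            continue
        if any(name == d or name.endswith("." + d) for d in watch):
            reason = "watched domain present"
        elif not (ip.is_loopback or ip.is_unspecified):
            reason = "non-loopback mapping"
        else:
            continue
        findings.append({"line": line_no, "host": name, "ip": str(ip), "reason": reason})
    return findings


if __name__ == "__main__":
    # On a real machine: open(r"C:\Windows\System32\drivers\etc\hosts").read()
    for f in suspicious_entries(SAMPLE_HOSTS, watch_domains=["example-bank.com"]):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

    To run it against the real file, replace SAMPLE_HOSTS with the contents of C:\Windows\System32\drivers\etc\hosts. Ad-blocking HOSTS files map names to 0.0.0.0 or 127.0.0.1 and are deliberately left alone; a bank hostname mapped anywhere, loopback included, is reported. This covers only the HOSTS half of the attack described above; the bogus root certificate the rootkit installs needs a separate look at the machine's Trusted Root store.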

  2. #422
    AplusWebMaster

    Pharmacy SPAM sucks ...

    FYI...

    Pharmacy SPAM sucks...
    - http://www.theregister.co.uk/2011/05/23/spam_economics/
    23 May 2011 - "Computer scientists are advocating the targeting of card-processing middlemen as a way of clamping down on spam... the vast majority (95 per cent) of the credit card payments to unlicensed pharmaceutical sites are handled by just three payment processing firms – based in Azerbaijan, Denmark and Nevis, in the West Indies, respectively. By putting the squeeze on these firms it might be possible to choke the flow of money to spammers, making spam less profitable and, hopefully, less prevalent.
    Pharmacy spam levels fluctuate but the class of junk mail has long been the biggest single category of spam. The findings came after three months of analysing spam data, broad crawling of naming and hosting infrastructures, and over 100 purchases from spam-advertised sites. The study* discovered that payment-processing for replica and software products advertised through spam was also monetised using merchant services from just a handful of banks. Spam makes up 74.8 per cent of all email messages, compared to 90 per cent last year, according to the latest statistics from Symantec, published last week. The net security firm credits botnet takedown efforts, most notably against the infamous Rustock botnet, for the decrease..."
    * http://cseweb.ucsd.edu/~savage/papers/Oakland11.pdf
    (16-page pdf/2.3MB)


  3. #423
    AplusWebMaster

    Web-based attacks use JavaScript tricks...

    FYI...

    Web-based attacks use JavaScript tricks...
    - http://krebsonsecurity.com/2011/05/b...n-the-browser/
    May 25, 2011 - "... Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser. It is true that selectively allowing JavaScript on known, “safe” sites won’t block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time... Noscript*... lets the user decide which sites should be allowed to run JavaScript, including Flash Player content. Users can choose to allow specific exceptions either permanently or for a single browsing session... Firefox.. offers the most options for dealing with JavaScript. But, whichever browser you use, be aware that running JavaScript can be the point of entry for intrusive and infectious malware. Use caution before deciding to allow it on any site that you visit."
    * https://addons.mozilla.org/en-US/fir...ddon/noscript/
    Downloads: 85,892,086...


  4. #424
    AplusWebMaster

    Fake VirusTotal site serves malware

    FYI...

    Fake VirusTotal site serves malware
    - http://www.net-security.org/malware_news.php?id=1730
    24.05.2011 - "VirusTotal - the popular free file checking website - has been spoofed by malware peddlers, warns Kaspersky Lab*. A simple -visit- to the site triggers the download of a worm via a java applet embedded in the code... Its aim is to recruit the infected computer into a botnet that would ultimately be used to perform DDoS attacks, and to communicate to the C&C information about the system (hostname, type and version of the OS, etc.)... malware peddlers have lately begun combining the use of malicious JavaScript code and social engineering techniques, since it allows them to infect computers regardless of the browser or operating system used."
    * http://www.securelist.com/en/blog/20...ated_java_worm
    "... the website looks the same way as the original**. However, hidden in the source are the parameters needed to infect the system through a java applet, which silently drops the malware..."
    ** http://www.securelist.com/en/images/.../208188087.png
    (Screenshot at the URL above.)

    (Hat tip to cnm @ spywareinfoforum.com)

    Last edited by AplusWebMaster; 2011-05-26 at 00:05.

  5. #425
    AplusWebMaster

    Fake Epsilon phish - Breach Warning ...

    FYI...

    Fake Epsilon phish - Breach Warning...
    - http://isc.sans.edu/diary.html?storyid=10930
    Last Updated: 2011-05-26 14:53:19 UTC - "... website that attempts to scare people into purchasing a credit report. The website... reminds the visitor of the relatively recent Epsilon data breach. The goal is to persuade the person into proceeding to another site that is being promoted. This looks like a technique to make money through affiliate marketing..."
    (Screenshot and more detail at the URL above.)


  6. #426
    AplusWebMaster

    SPAMbot stats for May 2011

    FYI...

    SPAMbot stats for May 2011
    - http://www.m86security.com/labs/bot_statistics.asp
    Week ending May 29, 2011

    - http://labs.m86security.com/2011/05/...mbling-scheme/
    May 26, 2011 - "... the Donbot botnet changed its spam campaign to one promoting online casinos. The barrage of Fake AV we saw coming out of Donbot suddenly stopped and within 15 minutes we started receiving this new campaign... Upon downloading the Casino-Online.exe binary and scanning it through VirusTotal.com, 4 of 42 antivirus packages detected it, with the following results: “RealTimeGaming, CasOnline, Artemis!B7E6F50C181D, and W32/Malware.SWHU” ..."

    - http://labs.m86security.com/2011/05/...ester-returns/
    May 24, 2011 - "... big rise in spam from two botnets well known to us from the past – Donbot and Xarvester. Six months ago, spam from these botnets hardly got our attention... someone has breathed new life into these spamming machines..."


  7. #427
    AplusWebMaster

    Money mule recruiters ...

    FYI...

    Money mule recruiters ...
    - http://ddanchev.blogspot.com/2011/05...-short_30.html
    May 30, 2011 - "... currently active money mule recruitment web sites, actively recruiting money mules for the processing of fraudulently obtained funds... Currently active sites residing within AS42708, PORTLANE Network www .portlane .com; AS29713, INTERPLEXINC Interplex LLC; AS38913, Enter-Net-Team-AS; AS24940, HETZNER-AS Hetzner Online... Monitoring of money mule recruitment campaigns is ongoing."
    (Screenshot and more detail available at the ddanchev URL above.)

    - http://www.google.com/safebrowsing/d...?site=AS:42708
    - http://www.google.com/safebrowsing/d...?site=AS:29713
    - http://www.google.com/safebrowsing/d...?site=AS:38913
    - http://www.google.com/safebrowsing/d...?site=AS:24940


  8. #428
    AplusWebMaster

    Bulk SPAM msgs... Bulker .biz

    FYI...

    Bulk SPAM msgs... Bulker .biz...
    - http://blogs.technet.com/b/mmpc/arch...headaches.aspx
    1 Jun 2011 - "... Yahoo email account was hacked... his email account was used to send over 20 emails with links to domains like “Canadian Neighbor Pharmacy” to his contact lists at 2:59 AM in the morning, while he was asleep... spam messages sent in bulk by a spammer... the “Canadian Neighbor Pharmacy” site is part of a list of sites promoted by an underground organization called “Bulker .biz”. This organization encourages spammers and hackers to target email recipients from domains like Yahoo.com, Aol.com, Hotmail.com, etc. The site itself functions as a front for credit card fraud and identity theft by targeting unwitting users that register an account on the site and order promoted pharmaceuticals that may never arrive... Be alert to email messages with typos or bad form and a single hyperlink with little or no explanation about the link itself..."
    (Screenshots and more detail at the technet URL above.)


  9. #429
    AplusWebMaster

    LinkedIn SPAM emails download malware

    FYI...

    LinkedIn SPAM emails download malware
    - http://www.trusteer.com/blog/linkedi...wnload-malware
    June 02, 2011 - "LinkedIn has more than 90 million members, many of whom are business users... In the last couple of days, we've witnessed a malware campaign that targets LinkedIn users. It starts with a simple connect request sent to the victim's mailbox... If you click the "Confirm that you know" link on the genuine email, it takes you to LinkedIn's website. However, if the same button is clicked on the fraudulent email, it takes you to a malicious website that downloads malware onto your computer. The fraudulent website is hxxp: //salesforceappi .com/ loginapi.php?tp=1da14085e243eaf9 ...The domain salesforceappi .com was registered two days ago and the IP address of the server is in Russia. The domain was designed to look like it's associated with Salesforce.com but in fact it has nothing to do with Salesforce .com. The malicious server uses the BlackHole exploit kit to download malware to the victim's computer... recently made available for free... It is based on PHP and has a MySQL database. Thousands of websites have been infected with BlackHole which is used to exploit vulnerabilities on visitors’ computers in order to place malware on them... drive-by download... we've recently seen evidence of Zeus targeting enterprise networks in order to steal proprietary information and to gain unauthorized access to sensitive systems... Only two anti-malware solutions out of 42 detect this variant at the moment*..."
    (Screenshots and more detail available at the trusteer URL above.)
    * http://www.virustotal.com/file-scan/...d37-1306969338
    File name: file-2324493_swat
    Submission date: 2011-06-01 23:02:18 (UTC)
    Result: 2/42 (4.8%)

    - http://labs.m86security.com/2011/06/...edin-campaign/
    June 3, 2011 - "... The messages look realistic, but the giveaway is the bogus link exposed when you hover over the confirm button... Remember, just because it looks legit, doesn’t mean it is."

    Last edited by AplusWebMaster; 2011-06-04 at 13:25.

  10. #430
    AplusWebMaster

    Phoenix exploit kit updated...

    FYI...

    Phoenix exploit kit updated...
    - http://labs.m86security.com/2011/06/...to-be-updated/
    June 4th, 2011 - "... As expected, the author of the exploit kit released a new version of the tool, version 2.7... The new pack 2.7 contains the following updates:
    • JAVA exploit added – Java for Business JRE Trusted Method Chaining Remote Code Execution Vulnerability – CVE-2010-0840
    Old exploits were removed, the exploit kit currently contains the following exploits:
    • Windows Help and Support Center Protocol Handler Vulnerability – CVE-2010-1885
    • Integer overflow in the AVM2 abcFile parser in Adobe Flash Player – CVE-2009-1869
    • Integer overflow in Adobe Flash Player 9 – CVE-2007-0071
    • IEPeers Remote Code Execution – CVE-2009-0806
    • Internet Explorer Recursive CSS Import Vulnerability – CVE-2010-3971
    • PDF Exploit – collab. collectEmailInfo – CVE-2007-5659
    • PDF Exploit – util.printf – CVE-2008-2992
    • PDF Exploit – collab.geticon – CVE-2009-0927
    • PDF Exploit – doc.media.newPlayer – CVE-2009-4324
    • PDF Exploit – LibTIFF Integer Overflow – CVE-2010-0188
    ... cybercriminals use JAVA and PDF exploits, as they have become the most efficient and reliable attack vector."

