
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #491
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

Fake "browser update" worm ...

    FYI...

    Fake "browser update" worm ...
    - http://www.malwarecity.com/blog/upda...pass-1155.html
    23 September 2011 - "... As the DNS infrastructure is well defended against attacks, cyber-crooks often try to mess with the local DNS settings. This is the case of the infections with Worm.Rorpian.E that, once it successfully infects a computer on the network, starts acting as a DHCP server (an application that manages the connectivity of the network computers) and tampers with the local DNS servers to resolve all the requests to a rogue IP in Romania...
If you give in to the demand and “update your browser”, you’ll get infected with the same Worm.Rorpian.E, and your PC will start acting like a rogue DHCP server for the other clients connected to your network. Once the user clicks the “browser update” button, a php script fetches the malware from the server and names it as updbrowser[date].exe, where date is the current year, month and day. Of course, since we’re talking about cybercrime, the infection wasn’t only designed for fun. Once your PC has been infected with the “browser patch”, the worm starts bringing its friends to the party, cloaked by the infamous TDSS rootkit. Rorpian also has secondary spreading mechanisms: it “jumps” via network shares, exploits a couple of old, critical vulnerabilities such as the .LNK (MS10-046) and the one in the Windows DNS RPC Interface (MS07-029) to download and execute further malware onto the infected PCs..."
    (More detail at the malwarecity URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
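An added example, not code from the post above or from the malwarecity write-up it quotes, of the check a defender would run against this class of attack: a rogue DHCP server on the LAN pushing attacker-controlled resolvers. It parses the option block of DHCP OFFER/ACK replies and flags any reply whose server identifier (option 54) or DNS server list (option 6) is off the allow-list. The packets, allow-lists and addresses are constructed for the example (RFC 1918 space and the 203.0.113.0/24 documentation range); the Romanian IP used in the real campaign is not reproduced. In production you would feed it frames from a mirror port or a DHCP sniffer instead of the built-in test packets.

```python
"""Rogue DHCP / DNS-hijack detector (added example, constructed test data)."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp_reply(msg_type, server_id, dns_servers, yiaddr="192.168.1.50"):
    """Construct a minimal BOOTP/DHCP reply for testing (constructed data)."""
    pk = ipaddress.IPv4Address
    hdr = struct.pack("!BBBB", 2, 1, 6, 0)             # op=BOOTREPLY, htype, hlen, hops
    hdr += struct.pack("!IHH", 0x3903F326, 0, 0x8000)   # xid, secs, flags (broadcast)
    hdr += b"\x00" * 4                                   # ciaddr
    hdr += pk(yiaddr).packed                             # yiaddr (offered address)
    hdr += pk(server_id).packed                          # siaddr
    hdr += b"\x00" * 4                                   # giaddr
    hdr += bytes.fromhex("001122334455") + b"\x00" * 10  # chaddr (16 bytes)
    hdr += b"\x00" * 64 + b"\x00" * 128                  # sname, file
    opts = MAGIC_COOKIE
    opts += bytes([53, 1, msg_type])                     # DHCP message type
    opts += bytes([54, 4]) + pk(server_id).packed        # server identifier
    dns = b"".join(pk(d).packed for d in dns_servers)
    opts += bytes([6, len(dns)]) + dns                   # DNS servers pushed to client
    opts += bytes([255])                                 # end option
    return hdr + opts


def parse_options(pkt):
    """Return {option_code: value_bytes}; tolerates pad (0), stops at end (255)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(pkt):
            raise ValueError("truncated option")
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def ip_list(blob):
    """Decode a concatenated list of IPv4 addresses (options 3, 6, 54 ...)."""
    return [str(ipaddress.IPv4Address(blob[k:k + 4])) for k in range(0, len(blob) - 3, 4)]


def check_reply(pkt, authorized_servers, allowed_dns):
    """Return (message_type, findings); findings are non-empty for a rogue OFFER/ACK."""
    opts = parse_options(pkt)
    mtype = MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN")
    findings = []
    if mtype not in ("OFFER", "ACK"):
        return mtype, findings
    servers = ip_list(opts.get(54, b""))
    server_id = servers[0] if servers else None
    if server_id not in authorized_servers:
        findings.append(f"unauthorized DHCP server {server_id}")
    for dns in ip_list(opts.get(6, b"")):
        if dns not in allowed_dns:
            findings.append(f"server {server_id} pushed off-list DNS {dns}")
    return mtype, findings


AUTHORIZED_SERVERS = {"192.168.1.1"}   # constructed: the network's real DHCP server
ALLOWED_DNS = {"192.168.1.1"}          # constructed: resolvers clients should receive

LEGIT_OFFER = build_dhcp_reply(2, "192.168.1.1", ["192.168.1.1"])
# constructed: an infected workstation answering DISCOVERs with a foreign resolver
ROGUE_OFFER = build_dhcp_reply(2, "192.168.1.77", ["203.0.113.5"])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, check_reply(pkt, AUTHORIZED_SERVERS, ALLOWED_DNS))
```

The allow-list on option 6 is the part that matters here: a rogue server that hands out the right subnet but a foreign resolver is indistinguishable from the real one at the IP layer, and the client happily takes the first OFFER it sees. The same walk over the options block also exposes option 3 (router), which is the other field a worm of this kind would swap.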

  2. #492
AplusWebMaster

mysql.com hacked - malware served to visitors ...

    FYI...

    mysql.com hacked - malware served to visitors...
    - http://blog.armorize.com/2011/09/mys...tors-with.html
    9.26.2011 - "Our HackAlert 24x7 Website malware monitoring platform today indicated that mysql.com has been hacked...
    Step 1: http ://www .mysql .com
    Causes the visiting browser to load the following:
    Step 2: http ://mysql .com /common/js/s_code_remote.js?ver=20091011...
    Step 3: http ://falosfax .in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=1255098964&ur=1&HTTP_REFERER=http ://mysql .com/
    Throws out a 302 redirect to Step 4.
    Step 4: http ://truruhfhqnviaosdpruejeslsuy .cx.cc/main.php
    This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting mysql .com with a vulnerable browsing platform will result in an infection.
    Currently, 9 out of 44 vendors on VirusTotal* can detect this piece of malware."
    (More detail at the armorize URL above.)

    ** http://www.virustotal.com/file-scan/...0a1-1317040603
    File name: w.php
    Submission date: 2011-09-26 20:23:24 (UTC)
    Result: 9/44 (20.5%)
    There is a more up-to-date report...
    - https://www.virustotal.com/file-scan...0a1-1317260745
    File name: e1d511259779f6a02f2a61cfedc2551ec70885b6.bin
    Submission date: 2011-09-29 01:45:45 (UTC)
    Result: 28/43 (65.1%)
    ___

    - https://krebsonsecurity.com/2011/09/...erves-malware/
    Monday, September 26th, 2011 at 3:52 pm - "... it appears the malicious scripts were injected into the site sometime within the last seven hours. If that’s accurate, that was enough time for approximately 120,000 Internet users to browse the site and expose their systems to the exploit kit..."
    > http://www.alexa.com/search?q=mysql...._home&p=bigtop

    - https://www.computerworld.com/s/arti..._serve_malware
    September 26, 2011 03:19 PM ET - "... Armorize noticed the problem at around 5 a.m. Pacific Time Monday. Hackers had installed JavaScript code that threw a variety of known browser attacks at visitors to the site, so those with out-of-date browsers or unpatched versions of Adobe Flash, Reader or Java on their Windows PCs could have been quietly infected with malicious software. By just after 11 a.m., the issue had been cleaned up, said Wayne Huang, Armorize's CEO..."
    ___

    - https://isc.sans.edu/diary.html?storyid=11638
    Last Updated: 2011-09-26 21:50:32 UTC – “… now been cleaned up on mysql .com but no further words on the scope of the compromise. It also appears to be the second time this year*. In the last incident, SQL injection was used to gain access to the information on the site.”
    * https://www.scmagazineus.com/oracles...rticle/199419/
    March 28, 2011

    Last edited by AplusWebMaster; 2011-09-29 at 14:31.
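An added example, not the HackAlert tool and not code from the post above or any of the sources it quotes, of the kind of page audit a monitoring platform performs to catch a drive-by chain like the one above: inventory every element that pulls remote content (script, iframe, embed, object), flag loads from another registrable domain and hidden iframes, and diff the inventory against a known-good baseline so that a same-origin injected file (the mysql.com case, where the hook was a script on the site's own domain) is caught as well. The sample page, baseline and hostnames (reserved .invalid TLD, example.com) are constructed; the two-label "registrable domain" rule is a simplification of public-suffix matching.

```python
"""Drive-by injection audit for a fetched page (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

LOAD_TAGS = ("script", "iframe", "embed", "object")


class LoadCollector(HTMLParser):
    """Collect (tag, url, attrs) for every element that pulls remote content."""

    def __init__(self):
        super().__init__()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in LOAD_TAGS:
            src = a.get("src") or a.get("data")
            if src:
                self.loads.append((tag, src, a))


def registrable(host):
    """Last two labels of a hostname (simplification of public-suffix matching)."""
    return ".".join(host.lower().split(".")[-2:])


def is_hidden(attrs):
    """1x1 / 0x0 or CSS-hidden frames are the classic drive-by carrier."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width", "") in ("0", "1") and attrs.get("height", "") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def collect_loads(html):
    parser = LoadCollector()
    parser.feed(html)
    return parser.loads


def audit_page(html, page_url):
    """Return findings: loads from other registrable domains and hidden iframes."""
    page_dom = registrable(urlparse(page_url).hostname)
    findings = []
    for tag, src, attrs in collect_loads(html):
        host = urlparse(src).hostname  # None for relative URLs (same origin)
        if host and registrable(host) != page_dom:
            findings.append(("third-party-load", tag, src))
        if tag == "iframe" and is_hidden(attrs):
            findings.append(("hidden-iframe", tag, src))
    return findings


def new_loads(html, baseline_urls):
    """URLs loaded now that were absent from the last known-good crawl."""
    return {src for _, src, _ in collect_loads(html)} - set(baseline_urls)


# Constructed sample: one site script, one CDN on the same registrable
# domain, and an injected 1x1 hidden iframe pointing at a redirector.
SAMPLE_HTML = """<html><head>
<script src="/common/js/site.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://redirector.invalid/in.cgi?5" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>"""
BASELINE = {"/common/js/site.js", "https://cdn.example.com/lib.js"}

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, "http://www.example.com/"):
        print(*finding)
    print("new since baseline:", new_loads(SAMPLE_HTML, BASELINE))
```

The baseline diff is the part the domain check cannot replace: an attacker who can write to the site's own document root will add a file that passes every origin test, and only a comparison against the last clean crawl shows it. A real monitor would also follow each flagged URL with a browser-like client and record the 302 hops, which is how the chain above was reconstructed.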

  3. #493
AplusWebMaster

Malicious emails with subject “ACH Payment xxxxx Canceled”

    FYI...

    Malicious emails with subject “ACH Payment xxxxx Canceled”
    - http://community.websense.com/blogs/...-canceled.aspx
28 Sep 2011 01:00 AM - "Have you got an email with subject “ACH Payment xxxxx Canceled”? Please don’t open the url in the email, because it will take you to a malicious url. Websense... has detected that an email campaign broke out on 27th September, 2011. In this campaign, all the emails have the subject “ACH Payment xxxxxx Canceled”, where xxxx means random numbers generated by spammers. Each email in this campaign has the same url; after it is clicked, victims are led to various malicious links via redirection and finally download trojan files without any notice... Now we can see there is an iframe in its payload; it will redirect you to another malicious url. That malicious url hosts the blackhole exploit kit, which is the most widely used exploit kit. It will download a Zbot file, which has been confirmed by VirusTotal*... more than 200,000 messages in this campaign..."
    * https://www.virustotal.com/file-scan...5fc-1317198424
    File name: calc[1].ex_e
    Submission date: 2011-09-28 08:27:04 (UTC)
    Result: 29/43 (67.4%)
There is a more up-to-date report...
    - https://www.virustotal.com/file-scan...5fc-1317334191
    File name: 13172629856976457567
    Submission date: 2011-09-29 22:09:51 (UTC)
    Result: 29/42 (69.0%)
    ___

    - http://labs.m86security.com/2011/09/...spam-campaign/
    September 6, 2011

    Last edited by AplusWebMaster; 2011-10-02 at 16:47.

  4. #494
AplusWebMaster

How to get infected with malware...

    FYI...

    How to get infected with malware...
    - https://www.csis.dk/en/csis/news/3321
    2011-09-27 - "When a Microsoft Windows machine gets infected by viruses/malware it does so mainly because users forget to update the Java JRE, Adobe Reader/Acrobat and Adobe Flash... CSIS has over a period of almost three months actively collected real time data from various so-called exploit kits. An exploit kit is a commercial hacker toolbox that is actively exploited by computer criminals who take advantage of vulnerabilities in popular software. Up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits. The purpose of this study is to reveal precisely how Microsoft Windows machines are infected with the virus/malware and which browsers, versions of Windows and third party software that are at risk. We have monitored more than 50 different exploit kits on 44 unique servers/IP addresses... The statistical material covers all in all more than half a million user exposures out of which as many as 31.3 % were infected with the virus/malware due to missing security updates... On the basis of the total statistical data of this study it is documented that following products frequently are abused by malware in order to infect Windows machines: Java JRE, Adobe Reader/Acrobat, Adobe Flash and Microsoft Internet Explorer... The conclusion of this study is that as much as 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages*..."
    * https://www.csis.dk/images/infection.Png

    > https://www.csis.dk/images/browser.Png

    > https://www.csis.dk/images/os.Png


  5. #495
AplusWebMaster

More bad ads in Bing

    FYI...

    More bad ads in Bing
    - http://sunbeltblog.blogspot.com/2011...s-in-bing.html
    September 29, 2011 - "... they're back again - this time promoting fake Firefox downloads whose ads are displayed when searching for... "Firefox download"... they missed a trick there, advertising Firefox 6 instead of the freshly minted Firefox 7. The URLs involved are hotelcrystalpark(dot)com/firefox_1 and firefox(dot)dl-labs(dot)com, with the rogue downloads being hosted at the dl-labs URL. VirusTotal score* currently gives us 6/43, with VIPRE detecting this as Trojan.Win32.Kryptik.cqw (v)..."
    * https://www.virustotal.com/file-scan...285-1317230589
    File name: firefox_6.s0.1.exe_
    Submission date: 2011-09-28 17:23:09 (UTC)
    Result: 6/43 (14.0%)
    There is a more up-to-date report...
    - https://www.virustotal.com/file-scan...285-1318368926
    File name: firefox_6.s0.1.exe_
    Submission date: 2011-10-11 21:35:26 (UTC)
    Current status: finished
    Result: 27/43 (62.8%)

    Last edited by AplusWebMaster; 2011-10-17 at 15:18.

  6. #496
AplusWebMaster

Fake pharma domains suspended

    FYI...

    Fake pharma domains suspended
    - http://www.theregister.co.uk/2011/09...rma_addresses/
30 September 2011 - "Nominet, the .uk address registry, has suspended hundreds of internet domain names as part of a global police crackdown on crime gangs peddling fake pharmaceuticals. Operation Pangea IV saw almost 13,500 websites taken down and dozens of suspects arrested in 81 countries, according to Interpol, which coordinated the swoop. Over 2.4 million potentially harmful counterfeit pills, worth about £4m, were seized in raids between 20 and 27 of September, Interpol said. Confiscated medicines included everything from diet pills to anti-cancer drugs. Cops worked with customs agencies, ISPs, payment processors and delivery companies to close down the allegedly criminal operations, Interpol said. In the UK, Nominet acted upon advice given by the Medicines and Healthcare products Regulatory Agency and the Police Central e-Crime Unit to suspend about 500 .uk domains..."


  7. #497
AplusWebMaster

Facebook malvertisement leads to Exploits

    FYI...

    Facebook malvertisement leads to Exploits
    - http://blog.trendmicro.com/facebook-...s-to-exploits/
    Oct. 4, 2011 - "... We encountered an infection chain wherein the user is led from a page within Facebook to a couple of ad sites then, finally, to a page that hosts exploits. When we traced the connection between the ad sites and Facebook, we found that the ad providers were affiliated with a certain Facebook application. We checked out the said application and found that it is indeed ad supported. We were able to come up with the likely infection chain... Upon accessing the application, the malvertisement gets loaded, triggering a series of redirections. The redirections finally lead to a malicious site, which then loads several exploits, particularly those related to Java and ActiveX:
    • CVE-2006-0003: http://web.nvd.nist.gov/view/vuln/de...=CVE-2006-0003
    • CVE-2010-4452: http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-4452
    • CVE-2010-1423: http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-1423
    The exploits were loaded to download more malicious files although we weren’t able to trace these anymore since the URLs they accessed were already inaccessible... Malvertisements are considered grave threats, especially since much like website compromises, attacks related to these usually involve trusted sites that users already typically visit without risk of system infection..."
    (More detail at the trendmicro URL above.)


  8. #498
AplusWebMaster

Halloween malware, scares, scams...

    FYI...

    Halloween malware, scares, scams ...
    - http://community.websense.com/blogs/...een-scare.aspx
    5 Oct 2011 - "... malware authors have already concocted a brew of early scares: blackhat SEO, fake Adobe Flash notification, and a malicious file download... start with the search term "halloween skeleton templates," which brings up a poisoned search result. The link redirects users to what appears to be a fake YouTube site... The fake YouTube site uses nude images of celebrities like Emma Watson and Paris Hilton as a ploy. These, along with salacious captions, are meant to entice users into playing the apparent video. When users click any of the links on the page, they are prompted to update Adobe Flash Player... Users who fall for the trick are prompted to download a malicious file called scandsk.exe, identified by 15/43 VirusTotal* engines..."
    * https://www.virustotal.com/file-scan...774-1317839174
    File name: scandsk.exe
    Submission date: 2011-10-05 18:26:14 (UTC)
    Result: 15/43 (34.9%)
    There is a more up-to-date report...
    - https://www.virustotal.com/file-scan...774-1318022043
    File name: afe4e70aa3210b8b04c53330d6037378a0aeaf7f.bin
    Submission date: 2011-10-07 21:14:03 (UTC)
    Result: 21/43 (48.8%)

    Last edited by AplusWebMaster; 2011-10-08 at 21:45.

  9. #499
AplusWebMaster

Blackhole Exploit + Rogue AV...

    FYI...

    Blackhole Exploit + Rogue AV capitalizes on Steve Jobs' passing
    - http://community.websense.com/blogs/...s-passing.aspx
6 Oct 2011 - "Websense... has detected malicious email messages claiming that the late Apple founder and CEO, Steve Jobs, is still alive... Some of the email subjects used in this attack include:
    Steve Jobs: Not Dead Yet!
    Steve Jobs Alive!
    Steve Jobs Not Dead
    The email messages contain links to compromised web sites that redirect to Blackhole Exploit Kit and install Rogue AV malware. The malicious file used in this attack is poorly detected by AV engines*. As always, don't click on links in emails you didn't expect to receive, they tend to be bad news."
    (Screenshots available at the websense URL above.)
    * https://www.virustotal.com/file-scan...19c-1317941431
    File name: contacts.exe
    Submission date: 2011-10-06 22:50:31 (UTC)
    Result: 5/43 (11.6%)
    There is a more up-to-date report...
    - https://www.virustotal.com/file-scan...19c-1318232093
    File name: worms.exe
    Submission date: 2011-10-10 07:34:53 (UTC)
    Current status: finished
    Result: 18/43 (41.9%)

    Facebook scammers exploit Steve Jobs' death
    - http://nakedsecurity.sophos.com/2011...facebook-scam/
    6 October 2011

    Malicious SPAM...
    - http://blog.trendmicro.com/steve-job...alive-by-spam/
    Oct. 7, 2011

    - http://labs.m86security.com/2011/10/...-exploit-page/
    October 7, 2011

    Last edited by AplusWebMaster; 2011-10-11 at 20:00.
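An added example, not part of the posts above or of the Websense write-ups they quote, showing the triage a mail gateway or incident responder would run over a spam run of the two kinds described in #493 and #499: classify messages by lure subject (the "ACH Payment xxxxx Canceled" pattern with its random number, and the Steve Jobs subjects listed above), extract the URLs from each body, and count how many messages point at the same landing URL, since one link re-used across a whole run is the signature the Websense post calls out. The sample messages, sender and recipient addresses, landing hosts (reserved .invalid TLD) and paths are constructed for the example; the subject regexes are written from the subjects quoted on this page.

```python
"""Subject / landing-URL campaign triage (added example, constructed messages)."""
import re
from collections import Counter, defaultdict
from email import message_from_string, policy

# Lure subjects quoted in the posts above; the numeric part is random per message.
CAMPAIGN_SUBJECTS = {
    "ach-cancel": re.compile(r"^ACH Payment \d+ Canceled$", re.I),
    "jobs-alive": re.compile(r"^Steve Jobs:? ?(Not Dead( Yet!)?|Alive!?)$", re.I),
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def classify_subject(subject):
    """Name of the campaign whose subject pattern matches, else None."""
    for name, rx in CAMPAIGN_SUBJECTS.items():
        if rx.search((subject or "").strip()):
            return name
    return None


def body_text(msg):
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part else ""


def triage(raw_messages):
    """Return campaign hits, URLs shared across messages, and flagged mails."""
    url_counts, campaigns, flagged = Counter(), defaultdict(list), []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        urls = URL_RE.findall(body_text(msg))
        url_counts.update(set(urls))          # count each URL once per message
        tag = classify_subject(msg["subject"])
        if tag:
            campaigns[tag].append(str(msg["subject"]))
            flagged.append((str(msg["subject"]), urls))
    shared = {u: n for u, n in url_counts.items() if n > 1}
    return {"campaigns": dict(campaigns), "shared_urls": shared, "flagged": flagged}


def _mail(subject, body, sender="billing@sender.invalid"):
    """Build a minimal RFC 5322 message (constructed test data)."""
    return f"From: {sender}\nTo: victim@example.com\nSubject: {subject}\n\n{body}\n"


LURE = "http://lure-host.invalid/ach/report.php"   # constructed landing URL
SAMPLE_MESSAGES = [
    _mail("ACH Payment 48213 Canceled", f"Transaction 48213 was canceled. Details: {LURE}"),
    _mail("ACH Payment 90017 Canceled", f"Transaction 90017 was canceled. Details: {LURE}"),
    _mail("Steve Jobs Alive!", "Read more: http://news-lure.invalid/jobs.html"),
    _mail("Steve Jobs: Not Dead Yet!", "Read more: http://news-lure.invalid/jobs.html"),
    _mail("Lunch on Friday?", "Menu is at http://intranet.example.com/menu", "alice@example.com"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_MESSAGES)
    for name, subjects in result["campaigns"].items():
        print(f"{name}: {len(subjects)} message(s)")
    for url, n in result["shared_urls"].items():
        print(f"shared across {n} messages: {url}")
```

Subject patterns age quickly, which is why the shared-URL count is kept separate from the subject match: a new lure with a fresh subject still shows up as dozens of unrelated-looking messages carrying one identical link, and that link is what you feed to the web proxy block-list and to a sandbox to pull the exploit-kit landing page.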

  10. #500
AplusWebMaster

Virus outbreak in Progress 2011.10.12...

    FYI...

    Virus outbreak in Progress...
    - http://www.ironport.com/toc/
October 12, 2011

    > http://tools.cisco.com/security/cent...utbreak.x?i=77

    Fake IRS Arrears Document E-mail Messages - October 12, 2011
    - http://tools.cisco.com/security/cent...?alertId=24284
    Malicious Link E-mail Messages - October 12, 2011
    - http://tools.cisco.com/security/cent...?alertId=24350
    Fake Online Reservation Status E-mail Messages - October 12, 2011
    - http://tools.cisco.com/security/cent...?alertId=24351
    Fake FedEx Package Delivery Failure E-mail Messages - October 12, 2011
    - http://tools.cisco.com/security/cent...?alertId=24349

