
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #51
     AplusWebMaster (Adviser Team) | Join Date: Oct 2005 | Location: USA | Posts: 6,881

    Thanksgiving spoilers...

    FYI...

    - http://securitylabs.websense.com/con...logs/3245.aspx
    11.26.2008 - "As we wish our American colleagues and friends 'Happy Thanksgiving', we could be tempted to get into the spirit and maybe brighten up our desktop with screensavers, wallpapers and the like. Our advice to users is to exercise caution - such activity may lead to adware, BHOs, and other undesirables... We found examples of Thanksgiving-themed screensavers leading to Potentially Unwanted Software (PUS) in the form of browser toolbars (BHO), as well as changes to your home page, and personal data being harvested... no such thing as a free lunch, even on Thanksgiving..."

    (Screenshots available at the URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #52
     AplusWebMaster (Adviser Team)

    View Bank of America demo ...Owned.

    FYI...

    - http://asert.arbornetworks.com/2008/...-got-big-fast/
    November 27, 2008 - "The Obama spam and malcode gang is back at it with a new fast flux phishing and malcode ruse. This time it’s a demo from the Bank of America that requires the classic “Flash Upgrade”. At the peak I was seeing 400 unique URLs for this run an hour. The URLs were unique strings, possibly for tracking purposes or possibly to stress URL blacklists. But, when you look more closely you see they are just a handful of domain names. This is a lot like the Rock Phish of old. The malcode download routine is very typical. If you don’t follow the lure, a meta-refresh will get ya... The malcode is tiny, but downloads hxxp ://silviocash .com/usp.exe, aka Paparus or Urlsnif. Driver file, rootkitted, and now the box will send info from IE (ie form data) to the hacker. Owned..."
    * http://garwarner.blogspot.com/2008/1...nt-do-not.html

    (Screenshots available at both URLs above.)


  3. #53
     AplusWebMaster (Adviser Team)

    Christmas malicious SPAM already...

    FYI...

    - http://securitylabs.websense.com/con...erts/3248.aspx
    11.27.2008 - "Websense... has discovered that malware authors are already using Christmas themes this year as a social engineering tactic, in an effort to gain control over compromised machines. This campaign uses email messages in the form of e-greetings, leading to supposed animated postcards. These actually lead to a Trojan backdoor that has been distributed in previous malicious spam campaigns. The email messages, spoofed to appear as though they have been sent from postcards.org, display an animated Christmas scene. A URL link within the email leads to a malicious file called postcard.exe hosted on various servers, including those in the .com TLD space. Once executed, a backdoor is created by the malware author enabling access and control over the resources of the compromised machine. Control is conducted over IRC, communicating with ircserver.*snip*.la. During the install process an image called xmas.jpg is displayed to the user as a distraction technique..."

    (Screenshot available at the URL above.)


  4. #54
     AplusWebMaster (Adviser Team)

    More holiday SCAMS...

    FYI... more holiday SCAMS...

    - http://blog.trendmicro.com/getting-a...-phish-fillet/
    Nov. 29, 2008 - "Phishers always think out of the box, thinking of ways to fool victims into falling for their phishing schemes. Now... we’ve found a new twist - one that involves the popular fast-food chain McDonald’s. The phishing page displays a fake Member Satisfaction Survey, and for the customer to take the bait, it promises $75 credit to the customer’s account..."

    - http://blog.trendmicro.com/new-gpcod...files-hostage/
    Nov. 28, 2008 - "...Just recently... a new version of the GPcode ransomware has surfaced... It drops several files which are also detected as TROJ_RANDSOM.A. After which, it searches and encrypts files found on any readable and writable drive on the system, rendering them inaccessible (without the encryption key). It also changes the file name of the encrypted files, by adding the .XNC extension. It also drops the file READ THIS.TXT in each folder that contains an encrypted file. This file informs the victim that the files have been encrypted, and that a decrypting tool must be purchased to decrypt the files. Email addresses are also included in the text file, which the victim must contact to obtain the decryption tool. Accordingly, the perpetrator of this crime demands £200 (US$307) for the decryption services... Users are strongly advised to back up their files so as not to be victimized by ransomware."

    (Screenshots available at both URLs above.)

    Last edited by AplusWebMaster; 2008-11-30 at 13:55.

  5. #55
     AplusWebMaster (Adviser Team)

    SPAM w/Malicious holiday Coupons and Promotions

    FYI...

    McDonald's and Coca-Cola - malicious holiday Coupons and Promotions
    - http://securitylabs.websense.com/con...erts/3250.aspx
    12.02.2008 - "Websense... has discovered another infectious holiday email making the rounds. Victims are receiving messages promoting a coupon from McDonald's or a holiday promotion from the Coca-Cola company. Both messages include a .zip attachment that contains either coupon.exe or promotion.exe. The malicious files (SHA1 ca973b0e458f0e0cca13636bd88784b80ccae24d) are Trojan Droppers, but have low anti-virus detection at the moment. The McDonald's email claims to present their latest discount menu, and states that the attached coupon should be printed. The Coca-Cola email states that the attachment has details about their new online game and a chance to win Coca-Cola drinks for life..."
    (Screenshots available at the URL above.)

    (More Screenshots):
    - http://blog.trendmicro.com/bogus-mcd...worm-carriers/

    Last edited by AplusWebMaster; 2008-12-04 at 01:34.

  6. #56
     AplusWebMaster (Adviser Team)

    SPAM - Malicious attachment / references real MS advisory

    FYI...

    - http://securitylabs.websense.com/con...erts/3252.aspx
    12.08.2008 - "The fraudulent email message references a real Microsoft Security Advisory 951306 (also known as CVE-2008-1436). The email provides instructions in both French and English. When the email's malicious attachment (MSC003-WIN.scr) is run, it connects via IRC to a BOT Controller, [removed]dns .be. This connection is not through the default port, but through port 81. The application binds to startup, ensuring it will be run automatically when the computer is restarted (as instructed in the email). The SHA1 of MSC003-WIN.scr is 2056c9fa1b97fca775cc7a01768fb39818963a94. Major antivirus vendors are -not- detecting the malicious attachment."

    (Screenshot available at the URL above.)


  7. #57
     AplusWebMaster (Adviser Team)

    IE 7 exploit... attacks using Doc files

    FYI...

    IE 7 exploit... attacks using Doc files
    - http://preview.tinyurl.com/5wfx74
    December 17, 2008 - (AvertLabs.com) - "... Malware authors have been coming up with innovative mechanisms to leverage this exploit to social engineer the not-so-tech-savvy internet users. One of the most prominent and unique techniques adopted by the malware authors involves a Microsoft Word document being sent out [SPAM] to an unsuspecting user. Upon opening the Word document the embedded ActiveX control... is instantiated and executed... The control then makes a request to the webpage hosting the IE 7 exploit. The charm with this approach is that the exploit is downloaded and run without the knowledge or permission of the user. To the unsuspecting user it will just appear as yet another normal Doc file..."


  8. #58
     AplusWebMaster (Adviser Team)

    E-card malware run - Waledec...

    FYI...

    Another holiday, another e-card run - Waledec
    - http://asert.arbornetworks.com/2008/...d-run-waledec/
    December 21, 2008 - "But this time it’s not Storm, nor does it even seem at all like Storm. This one is dubbed Waledec. Infection strategy: entice email users to come to the website and get a greeting card. No graphics, but it will entice you anyhow. “Daniel just mailed to you an Online greeting card.” Thanks, Daniel!
    Subject lines I’ve seen in our spamtraps:
    • Merry Christmas greetings for you
    • You have received an eCard
    The website you go to says, “Merry Christmas”, and “If you don’t see your greeting card, just click here to download it.” Here comes /ecard.exe, as always, via a meta-refresh. No HTTP browser exploits on the site. This is hosted on a fast flux network... The ecard.exe binary is pretty much malcode, as you would expect... Pretty weak detection when we look via VirusTotal*. Two vendors dubbed it Waledec...
    • Microsoft 1.4205 2008.12.20 Trojan:Win32/Waledac.A
    • NOD32 3709 2008.12.20 a variant of Win32/Waledac ..."

    * http://www.virustotal.com/analisis/a...8a029cbc1e27f5


  9. #59
     AplusWebMaster (Adviser Team)

    E-cards link to malware...

    FYI...

    Christmas e-card malware...
    - http://isc.sans.org/diary.html?storyid=5557
    Last Updated: 2008-12-26 03:12:19 UTC ...(Version: 2) - "... over the last (few) days there has been an increase in malicious Christmas cards distributing the Waledac worm. The e-mails consist of a hyperlink to a "Christmas card"... The user will need to click on either button, get a Security Warning and will need to accept the fact that an executable is being run... Some of the domains that were reported to us by readers (thanks Mike and the Shadowserver foundation) include:
    Note that this list is still very much incomplete. We may post updates.
    For now, we recommend:
    • Blocking the download of 'ecard.exe', or the affiliated domains on your corporate proxy;
    • Ensure that your anti-virus and anti-spam solutions are updated frequently as the AV vendors build coverage for this new threat. Given the mass-mailing nature, spam protection is likely to be the first to pick up on this...
    Arbor Networks has an interesting blog entry* up on the flux tactics involved with this threat here. For further data on the worm itself, visit Symantec's writeup**."
    (Screenshot available at the ISC url above.)

    * http://asert.arbornetworks.com/2008/...d-run-waledec/

    ** http://www.symantec.com/norton/secur...429-99&tabid=2

    - http://blog.trendmicro.com/merry-mal...oding-inboxes/
    Dec. 26, 2008

    Last edited by AplusWebMaster; 2008-12-27 at 02:39.
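As an added example (not code from the ISC diary or from this thread), the Python below applies the ISC recommendation quoted above to proxy logs: it flags downloads named ecard.exe or postcard.exe and any request to a blocked domain or its subdomains. The log format, the client addresses and the two-domain blocklist are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Blocklist for this example: two domains from the ISC list quoted above plus
# the two executable names the posts mention. Extend it from the full lists.
BLOCKED_DOMAINS = {"bestchristmascard.com", "livechristmascard.com"}
BLOCKED_FILENAMES = {"ecard.exe", "postcard.exe"}

# Constructed proxy log (timestamp client method url status); not real traffic.
SAMPLE_LOG = """\
1230249601.123 10.0.0.5 GET http://www.example.org/index.html 200
1230249602.456 10.0.0.7 GET http://bestchristmascard.com/ecard.exe 200
1230249603.789 10.0.0.7 GET http://cdn.livechristmascard.com/ 200
1230249604.012 10.0.0.9 GET http://greetings.example.net/postcard.exe 200
1230249605.345 10.0.0.9 GET http://www.example.org/ecard.exe.html 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(?P<client>\S+)\s+(\S+)\s+(?P<url>\S+)\s+(\d+)$")

def in_blocked_domain(host: str) -> bool:
    """True if host is a blocked domain or any subdomain of one; fast-flux
    lures often hang extra hostnames under the same registered domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def classify(url: str) -> list:
    """Return the indicator names the URL matches (empty list if clean)."""
    parsed = urlparse(url)
    reasons = []
    if parsed.hostname and in_blocked_domain(parsed.hostname):
        reasons.append("blocked-domain")
    # Compare the final path segment exactly: "/x/ecard.exe" is a hit,
    # "ecard.exe.html" is not, so a substring search would be wrong here.
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if filename in BLOCKED_FILENAMES:
        reasons.append("blocked-filename")
    return reasons

def scan_log(text: str) -> list:
    """Return (client, url, reasons) for every well-formed line with a hit."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip malformed lines instead of aborting the whole scan
            continue
        reasons = classify(m.group("url"))
        if reasons:
            hits.append((m.group("client"), m.group("url"), reasons))
    return hits
```

Running scan_log(SAMPLE_LOG) yields three hits: the ecard.exe download from the blocked domain (both indicators), the subdomain request (domain only) and the postcard.exe download from an unlisted host (filename only).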

  10. #60
     AplusWebMaster (Adviser Team)

    Waledac variant(s)...

    FYI...

    - http://www.shadowserver.org/wiki/pmw...endar.20081231
    31 December 2008 - "...A new trojan, which has been called a Waledac variant, appeared in recent weeks hyping up Christmas e-cards with nice inviting e-mails leading you to a cute website that you can get your e-card at... Lately the website has been peddling either "ecard.exe" or "postcard.exe" for download. But the fun does not end there. There's a nice little JavaScript reference pointing to "google-analysis.js" which has some nasty excitement embedded into it. The JavaScript currently loads a page from the domain "seocom .mobi" which in turn attempts to exploit the user and install a trojan which gets its commands from the same site. It is ultimately instructed to download and install the same Waledac trojan.
    Fast-flux Domains
    These e-mail lures have involved several different domains of which all are part of a fast flux network... The best option is to block the domains. The following is a list of all of the domains known to Shadowserver to be associated with the Waledac trojan: ...( see the Shadowserver URL above for the list of domains ) ...the trojan is fairly loud and starts beaconing right away to seeded hosts... we suspect the network is using some form of strong encryption for this communication...
    Storm Worm?
    Right! You are not the only one thinking this. In fact a lot of people are drawing similar comparisons. There are a ton of differences, but there's also a bunch of similarities for sure. Here's a few similarities we along with our fellow collaborators/security researchers have come up with:
    • Fast-flux Network (domains are fast fluxing and name servers frequently change IPs)
    • Several Name Servers per Domain (ns[1-6].<waledac.domain>)
    • Use of Nginx (sure lots of people use it, but hey it's a similarity)
    • Spreading through e-mail and Holiday Themes
    • Use of "ecard.exe" and "postcard.exe" (both previously used by Storm)
    • Drive-by Exploit in Domains (Storm previously used Neosploit) ...
    Prevention and Detection
    The first step as always is -not- to click the links from your e-mail. This will keep you relatively safe and Waledac free... Your next step is to block the above listed domains. There will surely be new ones added to the mix in the future, but blocking this will definitely help in the near term. Antivirus being up to date can't hurt either..."

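The Shadowserver post lists observable fast-flux traits (fast-fluxing domains, name servers that keep changing IPs, several ns1..nsN servers per domain). As an added example, not from Shadowserver or this thread, the Python below scores domains against those traits using constructed passive-DNS observations; the domain names, addresses, thresholds and record layout are all assumptions made for the example.

```python
from collections import defaultdict
# Constructed passive-DNS observations (domain, minute, rrtype, owner, ttl, ip).
# "flux-card.test" imitates the behaviour described in the post; "stable.test"
# is an ordinary domain for contrast. None of this is real data.
OBSERVATIONS = [
    ("flux-card.test", 0, "A", "flux-card.test", 300, "198.51.100.10"),
    ("flux-card.test", 5, "A", "flux-card.test", 300, "203.0.113.77"),
    ("flux-card.test", 10, "A", "flux-card.test", 300, "192.0.2.9"),
    ("flux-card.test", 0, "NS", "ns1.flux-card.test", 300, "198.51.100.20"),
    ("flux-card.test", 0, "NS", "ns2.flux-card.test", 300, "203.0.113.21"),
    ("flux-card.test", 10, "NS", "ns1.flux-card.test", 300, "192.0.2.22"),
    ("flux-card.test", 10, "NS", "ns3.flux-card.test", 300, "192.0.2.23"),
    ("stable.test", 0, "A", "stable.test", 86400, "198.51.100.50"),
    ("stable.test", 5, "A", "stable.test", 86400, "198.51.100.50"),
    ("stable.test", 0, "NS", "ns1.stable.test", 86400, "198.51.100.51"),
    ("stable.test", 0, "NS", "ns2.stable.test", 86400, "198.51.100.52"),
]

def slash24(ip: str) -> str:
    """/24 prefix: answers spread over unrelated networks count as churn."""
    return ".".join(ip.split(".")[:3])

def flux_features(records) -> dict:
    """Per-domain sets of A IPs, A /24s, NS names, NS IPs, plus the minimum TTL."""
    feats = defaultdict(lambda: {"a_ips": set(), "a_nets": set(),
                                 "ns_names": set(), "ns_ips": set(), "min_ttl": None})
    for domain, _minute, rrtype, owner, ttl, ip in records:
        f = feats[domain]
        if rrtype == "A":
            f["a_ips"].add(ip)
            f["a_nets"].add(slash24(ip))
        elif rrtype == "NS":
            f["ns_names"].add(owner)
            f["ns_ips"].add(ip)
        f["min_ttl"] = ttl if f["min_ttl"] is None else min(f["min_ttl"], ttl)
    return feats

def flux_score(f: dict) -> int:
    """One point per indicator from the post's list; 3 or more warrants review."""
    return sum([
        len(f["a_nets"]) >= 3,                  # A answers span 3+ unrelated /24s
        len(f["ns_names"]) >= 3,                # several name servers (ns1..nsN)
        len(f["ns_ips"]) > len(f["ns_names"]),  # an NS name re-resolved to a new IP
        f["min_ttl"] is not None and f["min_ttl"] <= 300,  # short TTL allows rotation
    ])

def suspicious_domains(records, threshold: int = 3) -> list:
    """Domains whose score reaches the threshold, sorted for stable output."""
    return sorted(d for d, f in flux_features(records).items() if flux_score(f) >= threshold)
```

On the constructed data only flux-card.test reaches the threshold (all four indicators), while stable.test scores zero; a low TTL alone never flags a domain, which keeps ordinary CDN-backed hosts out of the list.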
