SPAM frauds, fakes, and other MALWARE deliveries - archive

H1N1 SPAM w/virus

FYI...

H1N1 SPAM w/virus...
- http://www.f-secure.com/weblog/archives/00001734.html
July 21, 2009 - "We recently saw this malicious file being spread in emails. The name of the file was Novel H1N1 Flu Situation Update.exe and the icon made it look like a Word document file. When the file was opened, it created several new files to the hard drive:
• %windir%\Temp\Novel H1N1 Flu Situation Update.doc
• %windir%\Temp\doc.exe
• %windir%\Temp\make.exe
• %windir%\system32\UsrClassEx.exe
• %windir%\system32\UsrClassEx.exe.reg
The executables contain backdoor functionality, including an elaborate keylogger. And the document file that is dropped gets automatically opened by the malware, causing the user to think he really opened a Word file..."

- http://www.sophos.com/blogs/sophoslabs/v/post/5517
July 22, 2009

(Screenshots available at both URLs above.)

:fear::mad:
 
Targeted malware calling home...

FYI...

Targeted malware calling home...
- http://www.f-secure.com/weblog/archives/00001736.html
July 23, 2009 - "In targeted attacks, we see more and more attempts to obfuscate the hostname of the server where the backdoors are connecting to. IT staff in many of the targeted organizations are fully aware of these attacks. They keep monitoring their logs for suspicious activity. The admins might spot a host that suddenly connects to known rogue locations like:
• weloveusa.3322.org
• boxy.3322.org
• jj2190067.3322.org
• hzone.no-ip.biz
• tempsys.8866.org
• zts7.8800.org
• shenyuan.9966.org
• xinxin20080628.gicp.net
However, we've now seen a shift in the hostnames. The attackers seem to be registering misleading domain names on purpose, and have now been seen using hosts with names like:
• ip2.kabsersky.com
• mapowr.symantecs.com.tw
• tethys1.symantecs.com.tw
• www.adobeupdating.com
• iran.msntv.org
• windows.redirect.hm
The apparent motive here is that a busy IT administrator might look at a firewall log alert about a machine connecting to www .adobeupdating .com and just disregard it. "That must be the PDF reader trying to download updates..." In reality, adobeupdating.com is registered to somebody in Zaire and has an IP address pointing to Australia."

:fear:
 
Dilbert sends out 419 scams

FYI...

Dilbert sends out 419 scams...
- http://www.sophos.com/blogs/sophoslabs/v/post/5633
July 29, 2009 - "... Advance Fee fraud scammers will abuse any free service they can get their hands on to send out their spam messages... In recent days, a group of Nigerian scammers have started abusing the “share-a-comic-strip” feature on Dilbert.com. The scammers do this by including their own fraud message inside the “personal message” portion of the sent messages. This is probably a money-making scheme that Dogbert would approve of..."

(Screenshots available at the URL above.)

:fear::mad:
 
PayPal fraud with CAPTCHA

FYI...

PayPal fraud with CAPTCHA
- http://blog.trendmicro.com/paypal-fraud-with-captcha/
Aug. 11, 2009 - "... CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) used to protect web sites against abusive automated software that can register, spam, login, or even splog. However, nowadays that isn’t the case anymore. Just like the traditional PayPal phish, the web page http ://{BLOCKED}www.security-paypal.citymax.com /paypal_security.html asks the user to provide feedback from their Shopping by asking for their Name, E-mail Address and PayPal password... After which, a CAPTCHA image is shown and requires the user to enter the code indicated for spam prevention. However, after entering the user’s personal information, this could be used to create bogus mail accounts, among other things..."

(Screenshot available at the URL above.)

:mad:
 
Spam changes HOSTS file...

FYI...

Spam changes HOSTS file...
- http://blog.trendmicro.com/brazil-spam-changing-a-hosts-file/
Aug. 14, 2009 - "We have recently detected a new spam attack that attempts to grab the bank data of Brazilian users. The mechanics of this attack are simple. Users receive this spam email... The mail claims that the user has received an e-card, and contains a link to “read” the said card. Clicking on the related link, a file is downloaded and executed... Apparently nothing happens, just an Internet Explorer window is opened showing a related web card from this initial phishing. In the background, however, the HOSTS file is changed, and set to redirect certain Brazilian banking Web sites to a malicious web site. All information posted in any of the said pages will then be grabbed by the attacker..."

(Screenshots available at the URL above.)

:fear:
 
Facebook apps phish...

FYI...

Facebook apps used for phishing
- http://blog.trendmicro.com/facebook-applications-used-for-phishing/
Aug. 19, 2009 - "It would be easy to think that once someone has logged in successfully to Facebook—and not a phishing site—that the security threat is largely gone. However, that’s not quite the case, as we’ve seen before*. Earlier this week, however, Trend Micro... found at least two—if not more—malicious applications on Facebook. (These were the Posts and Stream applications.) They were used for a phishing attack that sent users to a known phishing domain, with a page claiming that users need to enter their login credentials to use the application. The messages appear as notifications in a target user’s -legitimate- Facebook profile... While Trend Micro has informed Facebook of these findings, users should still exercise caution when entering login credentials. They should be doubly sure that these are being entered into legitimate sites, and not carefully crafted phishing sites..."
* http://blog.trendmicro.com/?s=Koobface

(Screenshots available at the URL at the top listed above.)

:fear::mad::spider:
 
Employers block social networking, web surfing at work

FYI...

- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=219401053
Aug. 21, 2009 - "... According to new data collected by ScanSafe, which filters more than a billion Web queries each month, some 76 percent of companies are now blocking social networking sites - a 20 percent increase over the past six months. More companies now block social networking sites than block Webmail (58 percent), online shopping (52 percent), or sports sites (51 percent), ScanSafe says*. "Social networking sites can expose businesses to malware, and if not used for business purposes, can be a drain on productivity and bandwidth," says Spencer Parker, director of product management at ScanSafe... Companies are also increasing their restrictions on other types of sites, including travel, restaurants, and job hunting sites, according to the data..."
* http://www.scansafe.com/news/press_...employers_crack_down_on_social_networking_use

.
 
Swine flu SPAM leads to malware

FYI...

Swine flu SPAM leads to malware
- http://blog.trendmicro.com/fake-presidential-swine-flu-stories-lead-to-malware/
Sep. 5, 2009 - "No one is absolutely safe from Influenza H1N1, not even world leaders. This is the scenario painted by cybercriminals in their latest spam run. The spammed message informs recipients that the President of Peru, Alan Gabriel Ludwig García Pérez, and other attendees of the delegation of UNASUR (Union of South American Nations) summit have confirmed cases of Swine flu. Furthermore, it states that the presidents of Brazil and Bolivia were also both infected but are now recovering... Written in Spanish, the spam attempts to stir recipients’ curiosity by saying that the incident is being kept from the public. It also urges them to click on the malicious link, which purports to contain the audio news pertaining to this incident. Instead of news, however, all victims get is an executable file ( Alan.Gripe.Porcina.mp3 .exe ) detected by Trend Micro as TSPY_BANCOS.AEM. BANCOS variants are known for their info-stealing capabilities..."

(Screenshots available at the URL above.)

:fear::mad:
 
Koobface attacks on Facebook and MySpace...

FYI...

Koobface attacks on Facebook and MySpace...
- http://www.associatedcontent.com/article/2148665/rumored_fan_check_virus_scares_facebook.html?cat=15
September 07, 2009 - "Rumors of a Fan Check virus have circulated in the Facebook community. The Kaspersky Lab* two variants of Koobface viruses which (for now) are only attacking Facebook and MySpace users... As a Facebook user, it's important to remember not to open suspicious links, even if they are from "friends".... had problems in the past with hackers using my friends' accounts to spam or to send viruses. One of the current links is to a YouTube video and a message asking the users to update to the latest version of Flash Player. By clicking, the user will have effectively downloaded a worm..."
* http://www.kaspersky.com/news?id=207575670

- http://www.eset.com/threat-center/blog/2009/09/08/fan-check-fretting-about-facebook
September 8, 2009 - "... Quite a few people are talking about Fan Check at the moment, but mostly in the context of the "Facebook Fan Check Virus" hoax: briefly, the bad guys are using SEO poisoning to ensure that if you look for search terms like "Facebook Fan Check Virus" in a search engine, some of the top-ranking hits you get will be to sites that will try to trick you into downloading a rogue anti-malware application..."

:fear::fear:
 
Bogus work-at-home schemes...

FYI...

Bogus work-at-home schemes...
- http://voices.washingtonpost.com/securityfix/2009/09/cyber_theives_steal_447000_fro.html
September 9, 2009 - "Organized cyber thieves are increasingly looting businesses in heists that can net hundreds of thousands of dollars. Security vendors and pundits may be quick to suggest a new layer of technology to thwart such crimes, but in a great many cases, the virtual robbers are foiled because an alert observer spotted something amiss early on and raised a red flag. In mid-July, computer crooks stole $447,000 from Ferma Corp., a Santa Maria, Calif.-based demolition company, by initiating a large batch of transfers from Ferma's online bank account to 39 "money mules," willing or unwitting accomplices who typically are ensnared via job search Web sites into bogus work-at-home schemes..."

:fear::mad:
 
Google Groups trojan

FYI...

Google Groups trojan
- http://www.symantec.com/connect/blogs/google-groups-trojan
September 11, 2009 - "... A back door Trojan that we are calling Trojan.Grups* has been using the Google Groups newsgroups to distribute commands. Trojan distribution via newsgroups is relatively common, but this is the first instance of newsgroup C&C usage that Symantec has detected. It’s worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility. The Trojan itself is quite simple. It is distributed as a DLL, and when executed will log onto a specific account:
Escape[REMOVED]@gmail.com
h0[REMOVED]t
The Web-based newsgroup can store both static “pages” and postings. When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out. The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject. The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time."
* http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-091013-5214-99&tabid=2

:fear::mad:
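The Symantec write-up describes the C&C format well enough to reconstruct how an analyst would decode captured newsgroup pages and posts once the RC4 key has been pulled out of the DLL: base64 decode, RC4 decrypt, split into index, command line and optional file, then pair responses with commands by the index in the post subject. The script below is an added example, not Symantec's code or real Trojan.Grups traffic: the "|" field separator, the key, the command strings and the post bodies are all constructed assumptions, since the write-up gives the fields but not the byte layout.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA) keystream XOR; the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Assumed field separator: the write-up names the three fields but not the
# byte layout, so "|" is a stand-in used only for this example.
SEP = "|"


def encode_record(key, index, command, file_url=None):
    """Build one encrypted+encoded record of the form index|command[|file]."""
    fields = [str(index), command] + ([file_url] if file_url else [])
    return base64.b64encode(rc4(key, SEP.join(fields).encode())).decode()


def decode_record(key, blob):
    """Decode one captured record; raise ValueError if the key is wrong."""
    raw = rc4(key, base64.b64decode(blob))
    if not raw or not all(32 <= b < 127 for b in raw):
        raise ValueError("plaintext is not printable ASCII (wrong key?)")
    parts = raw.decode().split(SEP, 2)
    if len(parts) < 2 or not parts[0].isdigit():
        raise ValueError("not an index|command[|file] record")
    return {"index": int(parts[0]), "command": parts[1],
            "file": parts[2] if len(parts) == 3 else None}


def match_responses(key, page_blobs, posts):
    """Pair decoded commands with the posts answering them; posts are
    (subject, body) tuples and the subject carries the index number."""
    commands = {}
    for blob in page_blobs:
        rec = decode_record(key, blob)
        commands[rec["index"]] = rec
    paired = []
    for subject, body in posts:
        if not subject.strip().isdigit():
            continue  # not a bot response post
        reply = rc4(key, base64.b64decode(body)).decode("utf-8", "replace")
        paired.append((commands.get(int(subject), {}).get("command"), reply))
    return paired


# Constructed sample traffic (not real Trojan.Grups data): one key, two
# commands on the "page", one response post whose subject is the index.
KEY = b"constructed-example-key"
PAGE = [encode_record(KEY, 17, "ipconfig /all"),
        encode_record(KEY, 18, "download", "http://example.test/placeholder.bin")]
POSTS = [("17", base64.b64encode(rc4(KEY, b"Windows IP Configuration ...")).decode()),
         ("Re: hello", "not a bot post")]

if __name__ == "__main__":
    for blob in PAGE:
        print(decode_record(KEY, blob))
    print(match_responses(KEY, PAGE, POSTS))
```

The printable-ASCII check is what makes a wrong key fail loudly instead of yielding garbage that happens to split on the separator; in a real investigation the separator and key come from reversing the DLL, not from this script.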
 
Cyber Crooks Target Public & Private Schools

FYI...

Cyber Crooks Target Public & Private Schools
- http://voices.washingtonpost.com/securityfix/2009/09/cyber_mob_targets_public_priva.html
September 14, 2009; 8:00 AM ET - "A gang of organized cyber criminals that has stolen millions from businesses across the United States over the past month appears to have turned its sights on public schools and universities... Each of the transfers was kept just below $10,000 to avoid banks' anti-money laundering reporting requirements, and went out to at least 17 different accomplices or "money mules" that the attackers had hired via work-at-home job scams... With the help of the victims interviewed in this story, Security Fix was able to track down mules who said they were involved in each of the scams. All said they had been recruited via e-mail to sign up as "financial agents" at a company called Focus Group Inc. According to a write-up* by money mule site tracker Bob Harrison, the Focus Group Web site may look legit, but is "just the latest of the numerous highly generic Russian scam websites that has been set up to form a front for a money laundering fraud job advertisement."
* http://www.bobbear.co.uk/focus-group-inc.html

:fear::mad:
 
PBS site hacked - used to serve exploits

FYI...

PBS site hacked - used to serve exploits
- http://www.threatpost.com/blogs/pbs-website-compromised-used-serve-exploits-118
September 18, 2009 - "Some sections of the popular PBS.org Web site have been hijacked by hackers serving up a cocktail of dangerous exploits. According to researchers at Purewire*, attempts to access certain PBS Web site pages yielded JavaScript that serves exploits from a malicious domain via an iframe. The malicious JavaScript was found on the "Curious George" page that provides content on the popular animation series. A look at the code on the hijacked site shows malicious activity coming from a third-party .info domain. The URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015)..."
* http://blog.purewire.com/bid/20389/PBS-Website-Compromised-Used-to-Serve-Exploits

:fear::mad:
 
Monopoly Game malware...

FYI...

Monopoly Game malware...
- http://securitylabs.websense.com/content/Alerts/3481.aspx
09.21.2009 - "Websense... discovered a new spam campaign that is targeting players of the Monopoly game. The Monopoly World Championships take place every four years, and Las Vegas is the host city of 2009. Because the Monopoly Regional Championships are going on all over the world and many Monopoly enthusiasts take part, the spammers utilize this chance to play their tricks. Our email honeypot systems detected over 30 thousand Monopoly spam messages on September 21, 2009 alone. The spam uses a social networking technique to "invite" you to play the online board game. It then provides a link to the fake Monopoly game download site, which in fact downloads a Trojan..."

(Screenshots available at the URL above.)

:fear::mad::fear:
 
Malvertisements - weekend run...

FYI...

Malvertisements - weekend run...
- http://blog.scansafe.com/journal/2009/9/24/weekend-run-of-malvertisements.html
September 24, 2009 - "Between Sep 19-21, malicious banner ads were served via multiple popular sites, including drudgereport.com, lyrics.com, horoscope.com and slacker.com. The ads delivered a trojan downloader using a variety of Adobe PDF exploits as well as the Microsoft ActiveX DirectShow exploit described in MS09-032. Detection of the malicious PDF is quite low, with only 3 out of 41 scanners detecting, as seen in this VirusTotal report*... Attackers use online ads for the same reasons a legitimate company would do so. When an attacker can infiltrate an advertising network, it enables them to reach a broad number of websites within a chosen category. This provides the attacker with the same return on investment that it would a legitimate advertiser – broad exposure to the audience of their choosing..."

- http://www.theregister.co.uk/2009/09/24/malware_ads_google_yahoo/
24 September 2009 - "... They were delivered over networks belonging to Google's DoubleClick; Right Media's Yield Manager (owned by Yahoo); and Fastclick, owned by an outfit called ValueClick... the payload installed Win32/Alureon, a trojan that drops a backdoor on infected machines... also appeared on slacker.com ..."

- http://www.virustotal.com/analisis/...589255f1bb1e29fe56f1ea5b376322023b-1253635686
File 201f338a343e02a41dc7a5344878b862 received on 2009.09.22 16:08:06 (UTC)
Current status: finished
Result: 3/41 (7.32%)

:mad:
 
Phishing attacks - Q2 2009

FYI...

Phishing attacks reach record levels in Q2 2009
- http://www.markmonitor.com/pressreleases/2009/pr090928-bji.php
September 28 2009 - "...
• During Q2 2009, phish attacks reached record levels with more than 151,000 unique attacks
• The average number of phishing attacks per organization also increased to record levels, with 351 attacks per organization, on average, in Q2 2009
• Social networking attacks continued to rise significantly, recording a 168% increase from the same period in 2008
• Brands in the financial and payment services industries are the most heavily-targeted industry categories for phishers, constituting 80 percent of all phish attacks in Q2 2009..."

:fear::fear:
 
Fraudsters on social networking sites

FYI...

Fraudsters on social networking sites
- http://www.ic3.gov/media/2009/091001.aspx
October 1, 2009 - "Fraudsters continue to hijack accounts on social networking sites and spread malicious software by using various techniques. One technique involves the use of spam to promote phishing sites, claiming there has been a violation of the terms of agreement or some other type of issue which needs to be resolved. Other spam entices users to download an application or view a video. Some spam appears to be sent from users' "friends", giving the perception of being legitimate. Once the user responds to the phishing site, downloads the application, or clicks on the video link, their computer, telephone or other digital device becomes infected. Another technique used by fraudsters involves applications advertised on social networking sites, which appear legitimate; however, some of these applications install malicious code or rogue anti-virus software. Other malicious software gives the fraudsters access to your profile and personal information. These programs will automatically send messages to your "friends" list, instructing them to download the new application too. Infected users are often unknowingly spreading additional malware by having infected Web sites posted on their Webpage without their knowledge. Friends are then more apt to click on these sites since they appear to be endorsed by their contacts..."

(Tips on avoiding these tactics available at the URL above.)

:fear::mad::fear:
 
SSL SPAM... w/Zbot

FYI...

SSL SPAM... w/Zbot
- http://isc.sans.org/diary.html?storyid=7333
Last Updated: 2009-10-13 13:13:34 UTC - "... started receiving SPAM messages along the following lines:
'On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour. The changes will concern security, reliability and performance of mail service and the system as a whole. For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure. This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.
http ://evil-link/evil-file
Thank you in advance for your attention to this matter and sorry for possible inconveniences...'

UPDATE
the sample file we received was named patch.exe MD5=9abc553703f4e4fedb3ed975502a2c7a
ZBOT characteristics, so trojan, keylogger, disables AV.
http://www.threatexpert.com/report.aspx?md5=9abc553703f4e4fedb3ed975502a2c7a
"... Trojan-Spy.Zbot.YETH - Trojan-Spy.Zbot.YETH is a rootkit trojan which steals online banking information and downloads other malware as well..."

... ThreatExpert on the file... http://www.threatexpert.com/report.aspx?md5=174aeb93b8d642c2cddfd9c50b0015c9
"... Trojan-Spy.Zbot.YETH - Trojan-Spy.Zbot.YETH is a rootkit trojan which steals online banking information and downloads other malware as well..."
___

- http://blog.trendmicro.com/tailor-made-zbot-spam-campaign-targets-various-companies/
Oct. 14, 2009

:fear::fear:
 
SSL SPAM - New variation...

FYI...

New variation of SSL Spam
- http://isc.sans.org/diary.html?storyid=7357
Last Updated: 2009-10-14 18:25:16 UTC
"... update to a diary we did earlier this week. The body of the spam today is:
' Dear user of the <some company> mailing service!

We are informing you that because of the security upgrade of the mailing
service your mailbox (<user>@<some company>) settings were changed. In
order to apply the new set of settings click on the following link ... '

The email contains a link with a file to download. Some of the files we have seen are:
settings-file.exe MD5: 0244586f873a83d89caa54db00853205
settings-file2.exe MD5: e6436811c99289846b0532812ac49986
The files are being detected by some anti-virus software programs at this time as Zbot variants..."

:fear:
 
Outlook SPAM/Scam w/malware

FYI...

Outlook SPAM/Scam w/malware
- http://securitylabs.websense.com/content/Alerts/3491.aspx
10.14.2009 - "Websense... has discovered a new wave of malicious attacks claiming to be an update for Microsoft Outlook Web Access (OWA). Victims receive a message leading to a site to apply mailbox settings which were supposedly changed due to a "security upgrade." The especially dangerous thing about these messages is that they are very deceiving. The messages and attack pages are personalized for the To: email address to imply the message is being sent from tech support of the domain. The URL in the email looks like it leads to the company's own OWA system. We have seen upwards of 30,000 of these messages per hour and they have low AV detection*... The malicious site is also very believable. The victim's domain is used as a sub-domain to the site so that the attack site appears to be the victim's actual OWA site. The victim's domain name and email address are also used in a number of locations on the malicious site to make it that much more believable..."
* http://www.virustotal.com/analisis/...a301f17fb2253567b72e00f59bf51a99b8-1255552077
File settings-file.exe received on 2009.10.14 20:27:57 (UTC)
Result: 6/41 (14.63%)

(Screenshots available at the Websense URL above.)

- http://www.us-cert.gov/current/#malware_circulating_via_spam_messages
October 15, 2009

:fear:
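Two posts in this thread describe the same trick from opposite ends: the F-Secure post on targeted malware (hosts like ip2.kabsersky.com, symantecs.com.tw and www.adobeupdating.com chosen so a busy admin reading a firewall log disregards them) and the Websense OWA post (the victim's own domain used as a sub-domain of the attack site). The script below is an added example, not code from either vendor: it triages hostnames from proxy or firewall log lines, flagging registrable domains that imitate a vendor name and hosts that embed the organisation's own domain under somebody else's. The vendor list, the own-domain value example-corp.com, the tiny public-suffix set, the log format and the .test hostnames are constructed assumptions; the three lookalike hostnames are the ones named in the F-Secure post.

```python
import difflib

# Constructed lists for this example: vendor names an admin would expect to
# see in outbound traffic, and the organisation's own domain.
VENDOR_NAMES = ("kaspersky", "symantec", "adobe", "microsoft")
OWN_DOMAIN = "example-corp.com"
# Minimal set of two-label public suffixes; a real tool would use the full PSL.
MULTI_PART_TLDS = {"com.tw", "co.uk", "com.br"}


def registrable_domain(host):
    """Return the registrable part of a hostname, e.g. symantecs.com.tw."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_of(host, vendors=VENDOR_NAMES, threshold=0.85):
    """Return the vendor name a registrable domain imitates, or None."""
    base = registrable_domain(host).split(".")[0]
    for name in vendors:
        if base == name:
            return None  # the vendor's real domain
        if name in base:  # e.g. "adobeupdating" embeds "adobe"
            return name
        if difflib.SequenceMatcher(None, base, name).ratio() >= threshold:
            return name  # e.g. "kabsersky" vs "kaspersky"
    return None


def embeds_own_domain(host, own=OWN_DOMAIN):
    """True when our domain appears as leading labels of somebody else's host."""
    h = host.lower().strip(".")
    return registrable_domain(h) != own and ("." + own + ".") in ("." + h)


def triage(log_lines):
    """Flag hosts in 'timestamp src dst_host' log lines; returns (host, reason)."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line
        host = parts[2]
        vendor = lookalike_of(host)
        if vendor:
            findings.append((host, f"lookalike of {vendor}"))
        elif embeds_own_domain(host):
            findings.append((host, "own domain embedded in foreign host"))
    return findings


# Constructed firewall log: the kabsersky/adobeupdating/symantecs hostnames are
# those named in the F-Secure post; the rest are placeholders.
SAMPLE_LOG = [
    "2009-07-23T10:01:02 10.0.0.12 www.adobeupdating.com",
    "2009-07-23T10:01:09 10.0.0.12 ip2.kabsersky.com",
    "2009-07-23T10:02:30 10.0.0.15 www.adobe.com",
    "2009-07-23T10:03:11 10.0.0.20 example-corp.com.owa-settings-update.test",
    "2009-07-23T10:03:40 10.0.0.20 mail.example-corp.com",
    "2009-07-23T10:04:00 10.0.0.31 tethys1.symantecs.com.tw",
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

The substring rule deliberately fires on names like adobeupdating, and the similarity threshold on single-character swaps like kabsersky; both produce false positives on honest third-party names that contain a vendor word, so treat the output as a review queue rather than a block list.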
 