SPAM frauds, fakes, and other MALWARE deliveries - archive

4chan.org Malware .gif files...

FYI...

- http://isc.sans.org/diary.html?storyid=5821
Last Updated: 2009-02-07 21:51:03 UTC - "A Storm Center subscriber has just submitted malware embedded in .gif image files, downloaded from the image site 4chan.org. For the sake of expediency, and because this person did such a good write up, here is the analysis provided:

"The *.gif files were found (on) the "random" board of the image board site 4chan. The files contain a large picture with instructions to save the file with a .jse extension and run it. The *.out files are the result of applying scrdec to the gifs to reveal the encoded script. It appears to:
1) copy itself somewhere as 'sys.jse'
2) add itself to a Run key in the registry
3) a) fetch the index to 4chan's /b forum
   b) download the first image
   c) save it as 'j.jse'
   d) attempt to run 'j.jse'
4) construct a POST request containing the image as payload
5) upload itself as a new post on 4chan
6) point an instance of IE at site it came from
(3)-(6) are in an infinite loop."

To the subscriber who did the legwork on this one, my thanx for the excellent work... will provide more data as it develops."

:fear::mad::fear:
 
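For the .gif-with-.jse-payload case above, here is the kind of triage check a defender could run over images pulled from an untrusted board before anyone follows "save as .jse and run" instructions. It is an added example, not the subscriber's analysis or anything from the SANS diary, and it assumes the Script Encoder wrapper markers survive inside the file bytes and that extra data may sit past the GIF trailer; the sample files are constructed.

```python
# Added triage helper (assumption: the Script Encoder wrapper markers survive
# inside the file, and extra bytes may follow the GIF trailer).
import re
from typing import Optional

GIF_MAGICS = (b"GIF87a", b"GIF89a")
# JScript.Encode / VBScript.Encode output is wrapped as
# "#@~^" + 6 base64 chars (payload length) + "==" ... "==^#~@".
ENC_START_RE = re.compile(rb"#@~\^[A-Za-z0-9+/]{6}==")
ENC_END = b"==^#~@"


def _skip_subblocks(data: bytes, pos: int) -> Optional[int]:
    """Skip a chain of length-prefixed sub-blocks that ends with a 0 byte."""
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n
    return None  # ran off the end: truncated or not a GIF


def gif_image_end(data: bytes) -> Optional[int]:
    """Offset just past the GIF trailer (0x3B), found by walking the block
    structure so a 0x3B inside pixel data is not mistaken for the trailer.
    Returns None if the bytes are not a well-formed GIF."""
    if not data.startswith(GIF_MAGICS) or len(data) < 13:
        return None
    pos, packed = 13, data[10]  # header (6) + logical screen descriptor (7)
    if packed & 0x80:  # global colour table present
        pos += 3 * (1 << ((packed & 7) + 1))
    while pos is not None and pos < len(data):
        tag = data[pos]
        if tag == 0x3B:
            return pos + 1
        if tag == 0x21:  # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 2)
        elif tag == 0x2C and pos + 10 <= len(data):  # image descriptor
            ipacked = data[pos + 9]
            pos += 10
            if ipacked & 0x80:  # local colour table
                pos += 3 * (1 << ((ipacked & 7) + 1))
            pos = _skip_subblocks(data, pos + 1)  # +1 skips LZW min code size
        else:
            return None
    return None


def triage_gif(data: bytes) -> dict:
    """What a defender wants to know before an image from an untrusted board
    is treated as just a picture."""
    end = gif_image_end(data)
    m = ENC_START_RE.search(data)
    report = {
        "well_formed_gif": end is not None,
        "trailing_bytes": len(data) - end if end is not None else 0,
        "encoder_marker_offset": m.start() if m else None,
        "encoder_terminator": ENC_END in data,
    }
    report["suspicious"] = bool(report["trailing_bytes"] or m or report["encoder_terminator"])
    return report


def minimal_gif() -> bytes:
    """Constructed benign sample: 1x1 GIF89a with a two-entry palette."""
    return (
        b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"    # header + screen descriptor
        + b"\x00\x00\x00\xff\xff\xff"                  # global colour table
        + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
        + b"\x02\x02\x44\x01\x00"                      # LZW min code size + data
        + b"\x3b"                                      # trailer
    )


def stowaway_gif() -> bytes:
    """Constructed test fixture: the benign GIF with a fake encoded-script
    wrapper appended; the body is a placeholder, not a real encoded script."""
    return minimal_gif() + b"#@~^AAAAAA==placeholder==^#~@"
```

A clean file yields no findings; the fixture is flagged both for bytes past the trailer and for the encoder marker, which is the signature scrdec was used on in the write-up.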
Waledac new variant - Valentine's Day Theme

FYI...

Waledac new variant - Valentine's Day Theme
- http://securitylabs.websense.com/content/Alerts/3299.aspx
02.09.2009 - "... new spammed variant continues to use the Valentines theme. Once a user opens the URL in the spammed message, he is redirected to a site with 2 puppies and a love heart to give a Valentines theme. The user is then enticed to download a Valentines kit to prepare a present for a loved one, which is a new Waledac variant. This variant has a very low AV detection rate..."
- http://www.trustedsource.org/blog/182/New-Valentine-Scam-on-the-Loose
(Screenshot of spammed email available at both URLs above.)

Waledac Domain (Block) List - Updated 02-10-2009 - 4:21 UTC
- http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt

- https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/239
02-09-2009 - "Up until recently, Waledac’s main purpose had been to peddle performance-enhancing pharmaceuticals by sending large runs of unsolicited mail to thousands of unwilling recipients. Today we noticed a shift in this trend. In addition to sending large volumes of spam, Waledac is now distributing misleading applications. In our testing we noticed that the misleading application that is installed this time around is MS AntiSpyware 2009..."

:fear::mad:
 
Skype Valentine SPAM lure

FYI...

Skype Valentine SPAM lure
- http://securitylabs.websense.com/content/Alerts/3305.aspx
02.12.2009 - "Websense... has spotted an emerging malicious spam lure, masquerading as a message from Skype. The spammed message uses Skype's logos and themes, posing as a Valentine promotion. With two days to go before Valentine's day, the fake promotion entices the user into sending a free Valentine video message to a loved one. The proposed video link in the message leads to a malicious compressed archive file named valentine.exe... Earlier today we noticed that the same group were sending out spoofed-Hallmark e-greetings and now they have recently switched to this spoofed-Skype video card campaign..."

(Screenshots of a spammed email available at the URL above.)

:fear::mad:
 
WALEDAC Valentine SPAM variants on the rise...

FYI...

- http://blog.trendmicro.com/waledac-spreads-more-malware-love/
Feb. 13, 2009 - "... A recently reported case of malware-related SPAM contains a short Valentine’s message — and with an embedded URL that leads to malicious content... The malicious file is actually a WALEDAC variant detected... WALEDAC variants* have been previously served through e-card spam..."
(Screenshots available at the URL above.)

Search Results for 'WALEDAC' - MALWARE and GRAYWARE List
* http://preview.tinyurl.com/akubv6
...42 records match your query

Waledac Tracker Summary Data
- http://www.sudosecure.net/waledac/index.php
2009-02-14

:fear::mad:
 
Double SPAM whammy...

FYI...

Re-resurgence of .cn URL SPAM
- https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/spam/article-id/148
02-17-2009 - "As discussed in the Symantec State of Spam Report* for February, URLs with the “.cn” country code top level domain (ccTLD) have become a popular ingredient in spam messages. A top-level domain (TLD) is the part of a domain name that follows the final dot of any domain name. A ccTLD is a top-level domain generally reserved or used by a country or a dependent territory. According to the February report, URLs with .cn ccTLDs accounted for approximately 32% of all URLs seen during that period. However, we saw a noticeable decrease in this particular technique starting around the end of January with levels dropping down to 7%. On February 12, we once again observed a revival approaching similar levels as was seen in January—these levels are currently sitting around 29%. The URLs are applied to various kinds of spam attacks, but one of the more popular versions uses legitimate messages such as newsletters and replaces the existing URLs with .cn URLs to peddle spam products..."
* http://www.symantec.com/business/theme.jsp?themeid=state_of_spam
___

SPAM Attacks on Job Seekers
- https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/spam/article-id/147
02-17-2009 - "With the worsening economic situation, unemployment figures have risen worldwide. This has led millions of people to search for jobs, using whatever resources they can find. One of the most common is online job search sites. Email alerts from recruitment agencies are anxiously viewed for future job prospects and hopes dashed when rejection letters are received. Malicious code writers are making use of this opportunity to distribute their malware. Symantec has recently observed emails with malicious attachments, informing the recipient of a job rejection and including an attached copy of their purported application. These emails pose as though they have been sent from a genuine recruitment agency... The attached zip file “copy of your CV.zip” contains an executable file, detected as Hacktool.Spammer by Symantec Antivirus. Hacktool.Spammer is a program that hackers use to attack mail boxes by flooding them with email. It can be programmed to send many email messages to specific addresses. It will be difficult to ignore emails from job agencies, but we can definitely be cautious of file types, particularly executables (.exe). -Any- email with this type of application extension should be considered suspicious, particularly if it's coming from an unknown sender. We have also seen job offer attacks with an intention of harvesting email addresses. If the recipient clicks on any of the links found in the message, the spammer gets a confirmation that the email address is a live account. This account can then be targeted in a spam campaign at a later date. Clicking an "unsubscribe" link also yields the same results, because in the action of unsubscribing you are confirming the account is a live address..."

:mad: :fear: :buried:
 
eBay auction tool website infects with Malware

FYI...

eBay Auction Tool Web Site Infected With Malware
- http://preview.tinyurl.com/d6a9xm
Feb. 23, 2009 PC World - "A Trojan horse lurking on servers belonging to Auctiva.com, a Web site offering eBay auction tools, infected people's PCs last week. The problem became very public when Google's malware warning system kicked in as people tried to browse the site, saying Auctiva was infected with malware. Google will display an interstitial page warning people of certain Web sites known to contain malware. "It appears the reason these virus alert warnings started showing up on our site is because some of our machines were injected with malware originating in China," according to a post on Auctiva's community forum... It appears that the malware targeted Microsoft's Internet Explorer browser... "Found eight Trojans on my system that seemed to have snuck through my on-access protection, or maybe because, like a fool, I clicked 'ignore the warning' to get to Auctiva's front page," wrote one user on Auctiva's forum. If Google displays a warning about a dangerous Web site, it still gives people the option of browsing to the site. Auctiva said it was working with Google to ensure the warning is not displayed now that it has cleaned up its servers. However, people who browsed Auctiva between Thursday and Saturday afternoon until 2 p.m. Pacific time should ensure their machines are not infected..."

:fear::lip:
 
Rogue Facebook apps...

FYI...

Rogue Facebook apps...
- http://blog.trendmicro.com/a-second-rogue-facebook-application-in-just-a-week/
Feb. 26, 2009 - "In a second attack, extremely reminiscent of the one that took place this weekend*, Facebook users have once again been victimized by cybercriminals. Reports started surfacing this afternoon of yet another rogue Facebook application posting notifications to user profiles... The link in the notification led on to an application named f a c e b o o k - - closing down!!! which, once installed, would proceed to spam all of the affected user’s friends with the same message. It may also harvest personal information along the way... Prevention of rogue applications with extremely dubious intent to propagate freely within the site is needed. Users are advised to exercise extreme caution when surfing..."
* http://blog.trendmicro.com/rogue-facebook-app-linked-to-blackhat-seo/

(Screenshots available at both URLs above.)

:fear:
 
New Koobface worm variant spreading on Facebook

FYI...

- http://blog.trendmicro.com/new-variant-of-koobface-worm-spreading-on-facebook/
March 1, 2009 - "I just received a Facebook message from a friend; it was a pretty standard one that is beginning to look familiar to a lot of us I am sure. What surprised me though, was the page that the link led to. On the face of it is a very familiar looking spoofed version of YouTube, complete with bogus comments from “viewers”... Take a second look though, the link had taken me to a site supposedly hosting a video posted by the same person that I had received the Facebook message from. In fact not only was the malicious landing page displaying his name, it had also pulled the photo from his Facebook profile.... Clicking the Install button redirects to a download site for the file setup.exe which is the new Koobface variant detected as WORM_KOOBFACE.AZ. It is hosted on an IP address in another part of the world, and in the last hour, we’ve seen 300+ different unique IP addresses hosting setup.exe and we’re expecting more. All seen IP addresses hosting the said malicious file are now detected as HTML_KOOBFACE.BA. Analysis by our engineers reveals that WORM_KOOBFACE.AZ propagates through other social networking sites as well..."
(Screenshots available at the URL above.)

- http://www.us-cert.gov/current/index.html#malicious_code_targeting_social_networking
March 4, 2009 - "...malicious code spreading via popular social networking sites including myspace.com, facebook.com, hi5.com, friendster.com, myyearbook.com, bebo.com, and livejournal.com. The reports indicate that the malware, named Koobface, is spreading through invitations from a user's contact that include a link to view a video. If the users click on the link in this invitation, they are prompted to update Adobe Flash Player. This update is not a legitimate Adobe Flash Player update, it is malicious code..."

:fear::mad:
 
YouTube criminal online trade

FYI...

- http://www.f-secure.com/weblog/archives/00001619.html
March 4, 2009 - "Online criminals regularly post their ads on YouTube, looking for buyers for their products. Some recent examples... (Screenshots at the URL above.) No big surprises there. A bit more surprisingly, when you want to report such videos to YouTube admins, they actually don't have an option for reporting criminal use..."

- http://www.internetnews.com/security/print.php/3808326
March 3, 2009 - "... In both the Digg and YouTube attacks, links claim to take visitors to a video. Instead, they redirect them to one of several sites that then download malware like the Adware/Videoplay worm. The worm steals cookies, passwords, user profiles and e-mail account information and sends these to a remote site over the Internet. It can also make copies of itself in removable media to spread further. The links can also direct users to download fake antivirus software..."
- http://pandalabs.pandasecurity.com/archive/Metatags-in-malware-websites.aspx

:fear::mad::fear:
 
Fake job ads up 345%...

FYI...

Fake job ads up 345%...
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=215800622
March 5, 2009 - "Job seekers beware. Identity thieves are looking to steal personal information from those searching for employment. Fake job ads are up 345% over the past three years, according to the U.K. Association for Payment Clearing Services, and the Identity Theft Resource Center (ITRC)* warns that would-be workers should be careful about providing personal information to purported employers..."
* http://preview.tinyurl.com/2j6y3b

:fear::mad:
 
Scams - Economic Stimulus email and websites...

FYI...

Scams - Economic Stimulus email and websites...
- http://www.us-cert.gov/current/#economic_stimulus_email_and_website
March 5, 2009 - "... economic stimulus scams circulating. These scams are being conducted through both email and malicious websites. Some of the email scam messages request personal information, which can then be used for identity theft. Other email scam messages offer to deposit the stimulus funds directly into users' bank accounts. If users provide their banking information, the attackers may be able to withdraw funds from the users' accounts. The website scams entice users by claiming that they can help them get money from the stimulus fund. These websites typically request payment for their services. If users provide their credit card information, the attackers running the malicious sites may make unauthorized charges to the card, or charge users more than the agreed upon terms..."
- http://ftc.gov/opa/2009/03/stimulusscam.shtm

:fear::spider::fear:
 
Fake Windows Support SPAM... Info-Stealer

FYI...

Fake Windows Support SPAM... Info-Stealer
- http://blog.trendmicro.com/fake-windows-support-spam-brings-forth-an-info-stealer/
Mar 9, 2009 - "... Spammed email messages were found pretending to come from Microsoft Windows Support and claiming that Microsoft Service Pack 1 and Service Pack 2 have been discovered to have an error that can damage the computer’s software or even the hardware. These messages encourage users to download and install a file in order to fix the problem. When users click the download button they are redirected to a site and are asked to download a file which Trend Micro detects as TROJ_DLOADER.CUT... TROJ_DLOADER.CUT connects to a certain URL to download another malicious file, which in turn is detected by Trend Micro as TSPY_BANKER.MCL. TSPY_BANKER.MCL monitors the affected user’s online transactions and steals banking related information. Not too many TSPY_BANKER variants have been reported to be related to notable attacks recently, and this incident may pretty much mark the end of the hiatus. Users are advised to ignore spammed messages and, more importantly, to never click links embedded in these messages..."

(Screenshot available at the URL above.)

:fear::mad:
 
ID theft malware rates...

FYI...

- http://preview.tinyurl.com/dn8vkj
March 9, 2009 PandaLabs blog - "Today we're announcing results of a study that analyzed 67 million computers in 2008 and revealed that 1.1 percent of the worldwide population of Internet users have been actively exposed to identity theft malware. We predict that the infection rate will increase by an additional 336 percent per month throughout 2009, based on the trend of the previous 14 months. Here are the highlights from our study on the evolution of online identity theft:
• Over three million of the audited users in the U.S. and more than 10 million users worldwide were infected with active identity theft-based malware last year.
• 1.07% of all PCs scanned in 2008 were infected with active malware (resident in memory during the scan) related to identity theft, such as banker Trojans.
• 35% of the infected PCs had up-to-date antivirus software installed.
• The number of PCs infected with identity theft malware increased by 800 percent from the first half of 2008 to the second half.
• Arizona, California and Florida continue to be the states with the highest per-capita incidence of reported identity theft.
Active malware means malware that is loaded into the PC's memory and actively running as a process. For example, users of PCs infected with this type of identity theft malware who utilize online services such as shopping, banking, and social networking, have had their identities stolen in some fashion. According to the Federal Trade Commission (FTC), the average time victims spend resolving identity theft issues is 30 hours per incident. The cumulative cost in hours alone from identity theft related malware based on Panda Security's projected infection rate could reach 90 million hours..."

:fear::mad:
 
TinyURL phishing...

FYI...

- http://blog.trendmicro.com/tinyurl-phishing-becoming-popular/
Mar. 13, 2009 - "... We previously blogged about similar phishing operations that used this exact technique to trick users into thinking links are legitimate:
http://blog.trendmicro.com/not-so-tiny-phishing/
http://blog.trendmicro.com/tinyurl-now-used-in-im-phishing/
...Substituting preview.tinyurl.com* for tinyurl.com also allows users to get a preview of the final link."

* http://tinyurl.com/preview.php
"Don't want to be instantly redirected to a TinyURL and instead want to see where it's going before going to the site? Not a problem with our preview feature..."

:bigthumb:
 
Malicious spam run(s), again...

FYI...

Malicious spam run(s), again...
- http://www.f-secure.com/weblog/archives/00001625.html
March 13, 2009 - "The type of spam runs we saw late last year (Obama and BofA) are starting to pick up again in volume. We've seen Classmates being used as a theme and two days ago it was fake Facebook messages. Today it's back to fake Bank of America certificates... As in all previous spam runs it leads to a site prompting you to download a fake Adobe Flash player. This malware steals confidential information and sends it to a web server. In previous attacks this server was in Ukraine but it has now been moved to Hong Kong. If you see network traffic to the IP address 58.65.232.17 it's a bad sign."

(Screenshot available at the URL above.)

:fear:
 
Waledac - SPAM new variant theme in the wild...

FYI...

- http://securitylabs.websense.com/content/Alerts/3321.aspx
03.16.2009 - "Websense... has detected yet another new Waledac campaign theme in the wild. The new variant uses a Reuters theme as a social engineering mechanism to report a bogus news item relating to a 'bomb explosion'. The malicious Web sites in the current attack are socially engineered to report the geolocation of the incident corresponding to the user's IP address. They encourage users to view a video supposedly related to the news report. When users click on the video or the link below the video, they are advised to download the latest version of Flash Player. This leads to the download of Waledac variants. The theme includes legitimate links corresponding to Wikipedia and Google which are presented in a 'Related Links' section of the attack Web sites. Those legitimate links are used to target unsuspecting users in order to increase chances of success with the attack..."

- http://blog.trendmicro.com/waledac-localizes-social-engineering/
Mar. 16, 2009

- http://www.sophos.com/security/blog/2009/03/3541.html
15 March 2009

(Screenshots available at each URL above.)

:fear::mad:
 
2000 percent increase in web threats - 2005-2008...

FYI...

- http://blog.trendmicro.com/online-risks-thrive-despite-a-down-economy/
Mar. 17, 2009 - "...TrendLabs reports more than a twenty-fold (2000 percent) increase in web threats between the beginning of 2005 and the end of 2008... for 2008 over 90 percent of all digital threats arrive at their targets via the Internet... from January until November 2008, a staggering 34.3 million PCs were infected with botnet-related malware..."

Trend Micro 2008 Annual Threat Roundup and 2009 Forecast
- http://us.trendmicro.com/imperia/md...ry/trend_micro_2009_annual_threat_roundup.pdf
3.26MB PDF file

:fear::blink::fear:
 
New SPAM runs, fake YouTube malware...

FYI...

SPAM - fake Comcast, Facebook e-mails
- http://www.f-secure.com/weblog/archives/00001630.html
March 19, 2009 - "...new SPAM run that's going on. It's from the same group that used Bank Of America as the lure late last week and Northern Bank on Monday. Today it's Comcast and it might actually have a higher success rate than the previous run as users always want faster broadband, especially if there's no fee involved. And the page looks really convincing. Once installed the malware does the same as in the other spam runs - steals data and sends it to Hong Kong...
Update: The spam run was just changed to a Facebook scheme.
Some subjects are:
• FaceBook message: Magnificent girl dancing video clip (Last rated by Sal Velasquez)
• FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Abe Bain)
• FaceBook message: Hot Girl Dancing At Striptease Dance Party (Last rated by Lowell Clay)
• FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Shane Lucas)..."

YouTube e-mail link...
- http://www.f-secure.com/weblog/archives/00001629.html
March 19, 2009 - "YouTube is once again being used as a lure to spread malware. Some clown is sending out e-mails... if you follow the link, this one actually uses a Java applet (complete with a fake signature) to push a variant of Parite to the machines..."

Death exploited by hackers...
- http://www.sophos.com/blogs/gc/g/2009/03/19/natasha-richardsons-death-exploited
March 19, 2009 - "Cybercriminals don't waste any time these days jumping on the coat-tails of breaking news stories in their attempt to infect as many computer users as possible. This time it's the tragic death of award-winning English actress Natasha Richardson, who died yesterday after suffering head injuries in a skiing accident earlier in the week. It appears that hackers are stuffing webpages with keywords - most likely scraping the content off legitimate news websites - in order to lure unwary surfers into visiting their dangerous sites and infecting their computers... of course, if you do visit the malicious web link a malicious script will run on your computer... that then runs a fake anti-virus product designed to scare you into making an unwise purchase. Fake anti-virus products, also known as scareware or rogueware, are one of the fastest growing threats on the internet, and attempt to frighten you into believing that your computer has a security problem and that you should purchase a solution from the very people who have tricked you..."

(Screenshots available at each URL above.)

:fear::buried:
 
Ghostnet - targeted attacks

FYI...

Ghostnet - targeted attacks
- http://www.f-secure.com/weblog/archives/00001637.html
March 29, 2009 - "University of Toronto published today a great research paper on targeted attacks. We've talked about targeted attacks for years. These cases usually go like this:
1. You receive a spoofed email with an attachment
2. The email appears to come from someone you know
3. The contents make sense and talk about real things (and in your language)
4. The attachment is a PDF, DOC, PPT or XLS
5. When you open up the attachment, you get a document on your screen that makes sense
6. But you also get exploited at the same time
7. The exploit drops a hidden remote access trojan, typically Grey Pigeon or Gh0st Rat variant
8. No one else got the email but you
9. You work for a government, a defense contractor or an NGO ...
But the real news is that Greg Walton & co actually managed to get an inside view of some of the servers used in these spying attacks. This means they got to see what was being done with the infected machines and where in the world they were... The release of the paper was synchronized with the New York Times article*. University of Cambridge released a related research paper at the same time as well. The Cambridge paper goes all the way to point the finger directly at the Chinese Government. Most other parties, us included, have not done such direct accusations without concrete proof of government involvement... here are selected blog posts on the topic:
• Several examples of what the attack documents looked like
- http://www.f-secure.com/weblog/archives/00001406.html
• The mystery of Sergeant "nbsstt"
- http://www.f-secure.com/weblog/archives/00001449.html
• How we found the PDF generator used in some of these attacks
- http://www.f-secure.com/weblog/archives/00001450.html ..."

* http://www.nytimes.com/2009/03/29/technology/29spy.html

(Original document - scribd.com )
- http://preview.tinyurl.com/d5q3cj
Mar. 28, 2009 - "This report documents the GhostNet - a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs..."

:fear::fear:
 
Trace Q1-2009 report...

FYI...

- http://www.marshal.com/TRACE/traceitem.asp?article=920&thesection=trace
April 1, 2009
"...Spam
... by the end of March 2009 the SVI (Spam Volume Index) had reached its pre-McColo level. Even so, taking a longer term view, spam volume still remains less than mid-2008. We believe successive events, including the interruption of the Atrivo/Intercage network in September, the FTC crackdown of the ‘Affking’ gang in October, the McColo shutdown in November and the subsequent demise of the Srizbi botnet, and disruption to the Bobax botnet in late 2008, have all contributed to make life more difficult for spammers...
Botnets
... a handful of botnets continue to dominate the distribution of spam. At the end of March 2009, the familiar botnets Mega-D and Rustock and Pushdo continued to dominate spam production. Xarvester is the new kid on the block, and shares quite a few similarities to its likely predecessor, Srizbi. Add a second tier of botnets, namely Donbot, Grum and Gheg, and collectively, this motley group accounts for over 70% of spam...
Malicious Spam Campaigns
... The Waledac botnet, the probable successor to Storm, has been active with a range of campaigns including President Obama, Valentines, fake coupons and bomb blast news stories. The Pushdo botnet, too, continues to pump out various malicious spam and phishing email, including fake facebook.com and classmates.com campaigns...
Malicious Web Campaigns... (Rogue AV, etc.)
The last few months have seen the resurgence of the fake anti-virus purveyors, which have been part of the scene in one form or another for the best part of 12 months. Most recently, search engine optimization, using hot Google search terms*, is being used to drive users to websites where they are prompted to download, install, and pay for this dubious ‘anti-virus’ software..."
* http://www.marshal.com/trace/traceitem.asp?article=884

:fear:
 