SPAM frauds, fakes, and other MALWARE deliveries - archive

Malicious Excel XLS file...

FYI...

- http://www.f-secure.com/weblog/archives/00001649.html
April 7, 2009 @ 11:10 GMT - "We see targeted attacks and espionage with trojans regularly. Here's a typical case. A malicious Excel XLS file (md5: 3c740451ef1ea89e9f943e3760b37d3b) was emailed to a target - apparently to just one person... The exploit code creates two new DLL files in the SYSTEM32 folder ("apimgr.dll" and "netserv.dll") and executes them. These DLL files are backdoors that try to communicate back to the attackers, using these sites:
• feng.pc-officer .com
• ihe1979.3322 .org
Right now, host ihe1979.3322 .org does not resolve at all, and feng.pc-officer .com resolves to a placeholder IP (which is 63.64.63.64). The attackers can temporarily make the hostname resolve to the real IP address and then turn it back, to hide their tracks. The domain name pc-officer .com is a weird one. It has been registered already in 2006, and it has been used in targeted attacks before. See this ISC blog entry from September 2007*. Here the attack was done via DOC files, instead of XLS. And the reporting server was ding.pc-officer .com, not feng.pc-officer .com. If you haven't read about Ghostnet** yet, now would be a good time..."
* http://isc.sans.org/diary.html?storyid=3400
** http://en.wikipedia.org/wiki/GhostNet

(Screenshot available at the F-secure URL above.)

Update: "... IP 63.64.63.64 is just a placeholder; 216.255.196.154 is the real control server. They only bring it online sporadically, trying to avoid detection.
The IP is located in Spokane, USA:
% whois 216.255.196.154
OrgName: One Eighty Networks
OrgID: OEN-1
Address: 118 N Stevens
City: Spokane
StateProv: WA
PostalCode: 99201
Country: US ..."

Match.com malware SPAM...

FYI...

- http://securitylabs.websense.com/content/Alerts/3337.aspx
04.08.2009 - "... new SPAM campaign aimed at Match.com is being used to spread a trojan called Papras over the Internet. Match.com is an online dating service. The service reportedly has more than 15 million members and has Web sites serving 37 countries in more than 12 different languages. On April 7 2009, we received thousands of malicious emails in our email Honey Pot system. The email claims that someone wants to show the user her pictures and videos, and lures the user into visiting the Web site set up by the attacker. When the user starts the video on the Web site, they are asked to install a streaming video player which is actually a trojan with relatively low AV detection*...

(Screenshots available at the Websense URL above.)

* http://www.virustotal.com/analisis/aed50eb83aa34072d761e33959e61e1d
File ADOBE_PlayerInstallation.exe

IRS SPAM fakes and phish..

FYI...

IRS SPAM fakes and phish...
- http://blog.trendmicro.com/tax-season-is-phishing-season/
Apr. 7, 2009 - "As usual, the approaching tax season (April 15th is Tax Day in the US) also comes with tax-related online threats. With unemployment rates reaching record highs this year, cybercriminals have yet another opportunity to polish their social engineering techniques. Last year, spammed messages supposedly from the Internal Revenue Service (IRS) delivered malware into systems. The email messages were sternly-worded. The intention was to alarm recipients of what these same messages claimed were incomplete tax forms, which could lead to tax avoidance fraud. High-profile institutions, including Fortune 500 companies and US Defense contractors, were prominent targets of this attack. This year, cybercriminals offer their recipients ways to save money by supposedly reducing their expenses on tax preparation transactions. The recent email samples no longer purport to come from the IRS, though. They do, however, offer tax relief services for tax help-seekers. And instead of downloading malware, unknowing users are tricked into giving out personal and sensitive information to phishers... The threat does not end there. After completing the steps... for users to supposedly have tax relief, other windows load... These are supposedly credit-related sites, but like the tax relief page they also steal sensitive and confidential user information. The spammers/phishers behind this threat have thus fashioned the attack to be both timely and seemingly relevant by exploiting the tax season as well as recession-related concerns. The IRS recently set up an information page* in response to this threat..."
* http://www.irs.gov/privacy/article/0,,id=179820,00.html

(Screenshots available at the TrendMicro URL above.)

- http://isc.sans.org/diary.html?storyid=6145
Last Updated: 2009-04-07 19:50:37 UTC - "... a few things to watch out for:
• fake e-file websites. Only use reputable companies. I did a quick check earlier and didn't see any obvious fakes on Google, but this may change at any time.
• IRS e-mails: The IRS will -never- send you an e-mail asking you to go to a website to get a refund.
• malicious tax preparation software: Don't just download the next best free tax prep software package.
• and once you are all done: Make good offline backups. If you used tax preparation software, burn a couple CDs with your files and don't forget to retain a copy of the software itself so you can read the files later. Keep a paper copy. This includes supporting electronic files like account software and spreadsheets that you may use to track finances..."

NOT the easter egg you were expecting...

FYI...

- http://www.sophos.com/blogs/sophoslabs/v/post/3962
April 10, 2009 - "Messages posing as legitimate greeting cards with titles such as “You’ve received A Hallmark E-Card! !” have been prevalent on the Internet... Over the past months, the malicious emails have become slightly more subtle in their delivery method. While they previously included a telltale zip file as an attachment or a link to an exe, the current crop of messages masquerade as legitimate notifications with no attachments, but the links embedded in the mail point to a web page on some third party web site - which is designed to load malware... avoid opening e-cards that aren’t addressed to you, and aren’t from someone you know. The majority of the spammed e-cards do not indicate the sender or the recipient in the body, and so are easy to recognize. Legitimate e-cards tend to have this personally identifiable information included in the message body..."

(Screenshot available at the URL above.)

Easter worm in Twitter..

FYI...

Easter worm in Twitter...
- http://www.f-secure.com/weblog/archives/00001653.html
April 12, 2009 - "A cross-site scripting worm was spreading in Twitter profiles for several hours last night. People started reporting that their profile had sent Twitter messages without their knowledge... Later on the messages morphed several times... Many people followed the links to stalkdaily .com, as they believed the messages to be genuine Tweets from their friends. A cross-site script on the site then caused new users to start to Tweet the same messages... As expected, the whole worm was a publicity stunt by stalkdaily .com... You can see the latest official status of Twitter from their status page at http://status.twitter.com/ . Updated to add: This is -not- over. There's going to be quite a few modified Twitter worms for a day or two. Be careful in Twitter, don't view profiles, don't follow links... All these attacks are Javascript-based. Turn Javascript off if you're worried..."
(Screenshots available at the F-secure URL above.)

- http://status.twitter.com/post/95693986/update-on-worm
Apr 13, 2009 - "Update on worm... We are currently addressing a new manifestation of the worm attack..."

Copycat Twitter XSS worms...

FYI...

- http://isc.sans.org/diary.html?storyid=6187
Last Updated: 2009-04-13 18:07:20 UTC - "... copycat Twitter XSS worms exploit the same vulnerability – actually most of the code remains the same but they obfuscated it to make analysis a bit harder. They also added a couple of updates so it looks like they are exploiting other profile setting fields which the original worm didn't exploit, such as the profile link color. One thing about this copycat worm I found interesting is the type of obfuscation they used. The attackers used the [ and ] operators in JavaScript in order to reference methods in objects... It looks like the folks from Twitter are still fixing all the vulnerabilities... Use addons such as Noscript* for Mozilla ..."
* http://noscript.net/getit

- http://www.f-secure.com/weblog/archives/00001654.html
April 13, 2009

Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware
- http://ddanchev.blogspot.com/2009/04/twitter-worm-mikeyy-keywords-hijacked.html
April 15, 2009
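The bracket-notation trick the ISC diary above describes (writing `obj["na"+"me"]` instead of `obj.name`, with the property name split into string fragments) is what made the copycat worm's source harder to read. The following is an added example, not code from the diary, from Twitter or from the worm: a small normaliser that rewrites such accesses back to dot notation and lists the names that were hidden, so an analyst can read or signature the script. The obfuscated sample it runs on is constructed.

```javascript
// Added example (not from the ISC diary): undo the `[ ]`-operator obfuscation
// so a script can be read or matched by signatures. obj["na"+"me"] and
// obj.name are the same property access at runtime; the bracket form only
// hides the name from a casual reader or a naive pattern match.

// One string literal, single- or double-quoted, with backslash escapes.
const LIT = String.raw`"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'`;
// A bracket expression whose contents are only string literals joined by "+".
const BRACKET_OF_LITERALS = new RegExp(
  String.raw`\[\s*((?:${LIT})(?:\s*\+\s*(?:${LIT}))*)\s*\]`, "g");
const LIT_RE = new RegExp(LIT, "g");
const IDENT = /^[A-Za-z_$][\w$]*$/;

// Concatenate the literal pieces of `"get" + 'Element'` into getElement.
function joinLiterals(expr) {
  const parts = expr.match(LIT_RE) || [];
  return parts.map((p) => p.slice(1, -1)).join("");
}

// Rewrite every obj["a"+"b"] into obj.ab when the joined name is a plain
// identifier; numeric indexes and names with spaces are left untouched.
function normalizeBracketAccess(src) {
  return src.replace(BRACKET_OF_LITERALS, (whole, expr) => {
    const name = joinLiterals(expr);
    return IDENT.test(name) ? "." + name : whole;
  });
}

// List the property names that were hidden behind bracket notation: a script
// that only reaches document, cookie or innerHTML this way is a triage signal.
function hiddenPropertyNames(src) {
  const names = [];
  for (const m of src.matchAll(BRACKET_OF_LITERALS)) {
    const name = joinLiterals(m[1]);
    if (IDENT.test(name)) names.push(name);
  }
  return names;
}

// The two spellings resolve to the same function object at runtime.
function sameAtRuntime() {
  return globalThis["parse" + "Int"] === globalThis.parseInt;
}

// Constructed sample in the style the diary describes (not the worm's code).
const SAMPLE = 'var d = window["doc"+"ument"];'
  + ' d["get"+"Element"+"ById"]("status")["inner"+"HTML"] = x["src"];'
  + ' var c = d["cookie"]; var n = list[0]; var o = cfg["link color"];';

if (typeof require !== "undefined" && require.main === module) {
  console.log(normalizeBracketAccess(SAMPLE));
  console.log(hiddenPropertyNames(SAMPLE));
}
```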

Yet another Twitter worm

FYI...

Yet another Twitter worm
- http://www.f-secure.com/weblog/archives/00001661.html
April 17, 2009 - "A new Twitter cross-site scripting worm is going around on Twitter. Just like the previous Twitter worms it talks about Mikeyy... The malicious script itself is downloaded from 74.200.253.195*. Twitter is working on fixing the problem... Updated to add: Michael Mooney (Mikeyy) confesses to writing this latest worm as well."
* http://centralops.net/co/DomainDossier.aspx
Queried whois.arin.net with "74.200.253.195"...
OrgName: FastServers, Inc.
OrgID: FASTS-1
Address: 175 W. Jackson Blvd
Address: Suite 1770
City: Chicago
StateProv: IL
PostalCode: 60604
Country: US ...

Zango: The End

FYI...

Zango: The End
- http://www.vitalsecurity.org/2009/04/zango-end.html
April 21, 2009 - "Zango Inc., the adware distributor fined $3 million by the Federal Trade Commission in 2006 for sneaking software onto people's PCs, has closed its doors after being acquired by video search engine company Blinkx PLC..."
- http://www.theregister.co.uk/2009/04/21/zango/
21 April 2009 - "... The end-game for Zango marks the end of the controversial adware business model. Other well known names in the field - including Claria (Gator), WhenU and DirectRevenue - ceased operations some time ago, leaving Zango as the last man standing."
- http://www.theregister.co.uk/2009/04/21/zango/
21 April 2009 "Updated... The adware maker was forced to pull down the shutters on its business after it was left unable to service its debts. Initially we, along with other news outlets, incorrectly reported that video search engine firm Blinkx had acquired Zango. In fact Blinkx has only bought a proportion of its assets from administrators. "The bank foreclosed on Zango and Blinkx purchased some technical assets from the bank, including some IP and hardware, which constituted about 10 per cent of Zango's total assets," a Blinkx spokeswoman explained..."

- http://sunbeltblog.blogspot.com/2009/04/ding-dong-zango-is-dead.html
April 21, 2009

Swine flu SPAM

FYI...

Spam referencing Swine flu outbreak
- http://www.sophos.com/blogs/sophoslabs/v/post/4245
April 27, 2009 - "Predictably enough, today we started to see spam taking advantage of concerns around the current Swine Flu outbreak... In the campaign seen earlier today, the purpose of the spam is meds related. Anyone clicking on the link in the message is -redirected- to an all too familiar Canadian Pharmacy site..."
(Screenshots available at the URL above.)

- http://www.us-cert.gov/current/#swine_flu_phishing_attacks_and
April 27, 2009

- http://blog.trendmicro.com/swine-flu-outbreak-hits-the-web-through-spam/
Apr. 28, 2009 - (More screenshots...)

Spamvertised Swine Flu Domains
- http://ddanchev.blogspot.com/2009/04/spamvertised-swine-flu-domains.html
April 28, 2009 - "... Swine flu spamvertised domains (long list)... Happy blacklisting/cross-checking!"

Facebook phishing attack

FYI...

Facebook phishing attack
- http://preview.tinyurl.com/crz7yq
April 29, 2009 Techcrunch.com - "... new phishing attack that has broken out on Facebook. If you get an email message that looks to be from Facebook with the subject, “Hello,” and featuring the text below, don’t bother clicking on the link included. Doing so takes you to a site called fbaction .net that mimics the look of the main Facebook login page, hoping to get you to sign in. Naturally, if you do that, the site will have access to your account and can send out more of these messages to your friends. The message body will apparently read something like this (with YOURFRIEND being replaced by the name of a friend of yours):
YOURFRIEND sent you a message.
Subject: Hello
“Visit http: //www.facebook .com/l/4253f;http ://fbaction .net/”...
... looks like “fbaction .net” is now the #2 hot trending search topic for all of Google Trends. This thing is apparently spreading quick... Facebook is now blocking outgoing links to that domain, and some browsers, like IE8, have flagged it as malicious."

(Screenshot available at the Techcrunch URL above.)

"Swine Flu" SPAM now at 4% of all SPAM

FYI...

- http://sunbeltblog.blogspot.com/2009/04/trouble-with-search-engines-and.html
April 30, 2009 - "... Spammers saw this coming on Monday. Spam with headlines claiming that celebrities (Salma Hayek, Madonna) have caught the disease are peddling generic Tamiflu – or stealing the credit card numbers of those naïve enough to make a purchase from one of the nearly 300 newly-registered domains with a “Swine Flu” twist in their name. Cisco’s IronPort anti-spam service says Swine Flu spam is now four percent of global spam. Spam that preys on public fears generated by big news stories is now a genre... See Information week’s coverage here*."
* http://www.informationweek.com/shared/printableArticle.jhtm?articleID=217200528

Swine-Mexican-H1N1 related domains / SPAM - Fed Reserve fake

FYI...

More Swine/Mexican/H1N1 related domains
- http://isc.sans.org/diary.html?storyid=6325
Last Updated: 2009-05-02 14:21:58 UTC - "... be ever vigilant in your browsing for Swine/Mexican/H1N1 flu information. We show over 1000 new domains containing those keywords registered in the last 24 hours."

Fed Reserve Spam/Malware Attack is After Your Data
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090429
29 April 2009 - "... spam campaigns that are designed to appear as if they are coming from the Federal Reserve. These attacks are not attempting to phish you and trick you into giving them banking or other personal information... They are actually looking to install an info-stealing/banking trojan on your system via drive-by exploits... it is designed to look like a message coming from the Federal Reserve with a message designed to get you to click the link from the e-mail... The bad guys behind the Federal Reserve malware use the LuckySploit exploit pack. LuckySploit has a variety of exploits... Successful exploitation tends to drop a file named wQJs.exe onto the system in the user's Temp folder. It may also drop a file named svchost.exe (same name as a legitimate Windows file) onto the system as well. This "svchost.exe" and "wQJs.exe" are the same file. They both create shell32.dll and 123.info in the user's Temp directory as well. Note that 123.info is just a text file that contains the path to the malware.
Malware Details:
File Name: wJQs.exe | svchost.exe
File Size: 9216 bytes
MD5 hash: 175ef7faf41ecbe757bcd3021311f315
File Name: shell32.dll
File Size: 6144 bytes
MD5 hash: 3182da0a9c6946e226ee6589447af170
VirusTotal Results for these files can be viewed below:
.exe: http://www.virustotal.com/analisis/a4f6ce98cb24ca1640d7f86ceb6181f1
.dll: http://www.virustotal.com/analisis/d6ba4efea309d3993c6215bf41a64f7c ..."

(Screenshot and more detail available at the Shadowserver URL above.)

IFrame redirects lead to MBR rootkit

FYI...

IFrame redirects lead to MBR rootkit
- http://blog.trendmicro.com/porn-sites-lead-to-mbr-rootkit/
May 3, 2009 - "Websites related to pornography that appear to be compromised were found by Trend Micro engineers loading malicious JavaScript which redirects users onto malicious domains that ultimately lead to the download of an MBR rootkit (TROJ_SNOWAL.A) onto the affected system... malicious scripts all follow a similar routine: upon execution, it checks for the date on the target system then generates a URL based on the date obtained. It then creates an IFrame, which would redirect the user to the generated URL. The URL then leads to the download of a malicious file, which in turn downloads an MBR rootkit..."

(Screenshot and more detail available at the URL above.)

Facebook phishing malware

FYI...

Facebook phishing malware
- http://isc.sans.org/diary.html?storyid=6328
Last Updated: 2009-05-04 14:47:00 UTC - "Looks like there may be a piece of malware out there that is sending out messages to folks on Facebook trying to trick them into visiting a facsimile "Facebook" login page to steal credentials. The phishing site is currently on "junglemix .in," so you may want to block that site. More details as we figure this thing out..."

H1N1 Domain list - 1,344

FYI...

H1N1 Domains
- http://www.f-secure.com/weblog/archives/00001674.html
May 4, 2009 - "... here is a list of domains* registered over the weekend using the words swine flu. There are 1,344 on the list. Again, so far, none of the domains we've checked are hosting any malicious files. In fact, the only malicious file we've seen is something that Symantec posted** about last week. It's a PDF "Swine Flu FAQ" exploit which drops a password stealer and then opens a clean PDF file as a decoy. One interesting thing about the exploit that hasn't been mentioned yet is the file name, The Association of Tibetan journalists Press Release.pdf. Tibet themed exploits are very popular with targeted attacks***."
* http://www.f-secure.com/weblog/archives/swineflu_domains_may_4th_2009.txt

** https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/268

*** http://www.f-secure.com/weblog/archives/00001672.html

FYI...

Waledac Turns to Cash and Vaccines w/SPAM
- http://blog.trendmicro.com/waledac-turns-to-cash-and-vaccines/
May 5, 2009 - "Riding on the ongoing global economic recession, Waledac updates its SPAM messages with email subjects related to earning a fortune through Google cash. Other spam email subjects we’ve seen so far:
* Be your own boss with Google
* Earn cash using Google today
* Google System that really works
* Make a fortune online
* Make thousands a month from home
* Start your home business today
* Use Google to earn extra cash

As of this writing, the hyperlink found in the email body redirects to an advertising link which currently returns a redirect loop error in Firefox web browser. Another current event seen leveraged on by this wave of Waledac spam runs is the swine flu outbreak, as spammed messages bear subjects that seem related to a vaccine for swine flu. Other spam email subjects seen so far:
* Anti-swine flu drugs are available here
* Anti-viral treatment for swine flu
* Are you worried about swine flu?
* Are you worried about swine flu? buy medicine!
* Be quick! anti-swine flu drugs are almost sold out
* Buy medicine that prevent you from getting swine flu
* Buy medicine to prevent swine flu
* Buy new effective medicine against swine flu
* Buy the most effective treatment for combating the new swine flu
* Do you want to prevent yourself from swine flu?
* Do you want to protect yorself against swine flu?
* Dont stand in line for swine flu medicine
* Get swine flu medicine here
* Get the swine flu medicine right here
* Hurry up! swine flu drugs are almost sold out
* Keep your family from getting swine flu
* New medicine to prevent swine flu
* New vaccine helps to prevent swine flu
* New vaccine to prevent swine flu
* Order anti-swine flu medicine today
* Order new medicine against swine flu
* Order now vaccine against swine flu
* Prevent infections with swine flu viruses
* Prevent yourself from cathcing swine flu
* Protect your family against swine flu!
* Protect yourself from swine flu
* Stop risk of being killed by swine flu!
* The vaccine protecting against swine flu
* You can buy swine flu drugs here
* You can order anti-flu drugs treaing swine flu here
* You can order anti-swine flu drugs on-line
* You can protect yourself against swine flu!

The given link however only leads to the all too familiar Canadian pharmacy site..."

(Screenshots available at the TrendMicro URL above.)

eBay phishing Scam...

FYI...

eBay phishing Scam...
- http://www.sophos.com/blogs/sophoslabs/v/post/4452
May 20, 2009 - "... eBay phishing scam came in the form of a seemingly innocent query about the sale of iPhones. The scam message is quite simple... At first sight, it appears to be a product spam campaign to promote the iPhone. However, when clicking the link that came with the attached email, a -fake- eBay page comes up. This email is actually a ruse designed to steal an eBay user’s information...
SophosLabs analysts have encountered many instances of such misdirection of legitimate websites. They range from internet banking websites to online retail websites. As always, online users should take precautions and never attempt to follow an embedded weblink to an online store or a banking website from an email, even if by first appearances, it looks legitimate..."

(Screenshots available at the URL above.)

Malicious iFrame on Gadgetadvisor.com

FYI...

Malicious iFrame on Gadgetadvisor.com
- http://www.f-secure.com/weblog/archives/00001687.html
May 22, 2009 - "Are you a gadget geek? Do you often seek advice from Gadget Advisor before making a purchase? Our Web Security Analyst discovered a malicious IFrame on the popular tech website that redirects visitors to a malicious website... If the site detects a PDF browser plugin for Adobe Acrobat and Reader, it loads a specially-crafted malicious PDF file that exploits a stack-based buffer overflow vulnerability ( http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2992 ). The net effect of the attack is to plant a trojan, detected as Trojan-Downloader.Win32.Agent.brxr, on vulnerable systems by calling the util.printf JavaScript function, which connects back to the malicious website in order to download the trojan to the machine. A remote attacker can access the user's machine once it has been infected with the trojan... This attack is targeted against older, unpatched versions of Adobe programs, as the latest Adobe updates have already fixed this problem. More information and the updates can be found at Adobe at:
http://www.adobe.com/support/security/bulletins/apsb08-19.html. Disabling the JavaScript function in Acrobat and Reader will also prevent the threat from proceeding."

(Screenshot available at the F-secure URL above.)

Facebook phishing/spam/"worm" ...

FYI...

Facebook phishing/spam/"worm" ...
- http://isc.sans.org/diary.html?storyid=6451
Last Updated: 2009-05-25 07:16:47 UTC ... (Version: 5) - "... new Facebook phishing/spam/"worm" campaign is doing the rounds. It uses Belgium domains (.be) to impersonate the Facebook login page and steal the user credentials.
UPDATE 4: The malicious domains do not only impersonate Facebook but contain malicious "hidden" (1x1 pixel) iframes, hosted on the same host, such as: "/tds/r.php?sid=2&pid=5511". Do not browse them...
UPDATE 3: As expected, more domains are coming (and some of them are still active right now - May 25, 0:00am CET)...:
• redfriend dot be, redbuddy dot be, picoband dot be, areps dot at, greenbuddy dot be
• picoband dot be, vispace dot be, whiteflash dot be, bestspace dot be
• There are other "more than suspicious" .be domains associated to the same IP address.
The ones active do resolve to IP address 211.95.78.98. From APNIC...
country: CN ..."

- http://www.f-secure.com/weblog/archives/00001689.html
May 25, 2009
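The "hidden" 1x1 pixel iframes the ISC diary above reports on the fake Facebook login pages are a pattern a page scanner can flag without rendering anything. The block below is an added example, not code from the ISC diary or F-Secure: a regex-based triage check over raw HTML that reports iframes sized or styled to be invisible. The page fragment it runs on is constructed; only the /tds/r.php path comes from the diary.

```javascript
// Added example (not from the ISC diary or F-Secure): flag iframes that are
// sized or styled so the visitor never sees them, the "hidden" 1x1 frames the
// diary describes. Regex-based so it runs on raw HTML with no DOM; good
// enough for triage, not a full HTML parser.

const IFRAME_TAG = /<iframe\b([^>]*)>/gi;
// name="v" | name='v' | name=v
const ATTR = /([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// "1", "1px", "0" -> numeric pixels; percent values or a missing attribute -> NaN
function pixels(v) {
  if (v === undefined) return NaN;
  const m = /^\s*(\d+)(?:px)?\s*$/i.exec(v);
  return m ? Number(m[1]) : NaN;
}

// Reasons an iframe would be invisible to the visitor (NaN compares false).
function hiddenReasons(attrs) {
  const reasons = [];
  if (pixels(attrs.width) <= 1) reasons.push("width<=1");
  if (pixels(attrs.height) <= 1) reasons.push("height<=1");
  const style = (attrs.style || "").toLowerCase().replace(/\s+/g, "");
  if (style.includes("display:none")) reasons.push("display:none");
  if (style.includes("visibility:hidden")) reasons.push("visibility:hidden");
  if (/(?:^|;)(?:width|height):0*[01](?:px)?(?:;|$)/.test(style)) reasons.push("style size<=1");
  return reasons;
}

// Return one record per hidden iframe: where it points and why it is hidden.
function findHiddenIframes(html) {
  const hits = [];
  for (const m of html.matchAll(IFRAME_TAG)) {
    const attrs = parseAttrs(m[1]);
    const reasons = hiddenReasons(attrs);
    if (reasons.length > 0) hits.push({ src: attrs.src || "", reasons });
  }
  return hits;
}

// Constructed page fragment; the /tds/r.php path is the one quoted in the diary.
const SAMPLE_HTML = `
<html><body>
<p>Log in to see who viewed your profile.</p>
<iframe src="/tds/r.php?sid=2&pid=5511" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://www.example.com/video" width="640" height="360"></iframe>
<IFRAME style="display: none" SRC='/tds/r.php?sid=2&pid=5511'></IFRAME>
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(findHiddenIframes(SAMPLE_HTML));
}
```

A hit whose src is a same-host redirector path like the one above is worth blocking at the proxy even when the page that carries it looks like an ordinary login form.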

Facebook phish (cont'd)

FYI...

Facebook phishing using Belgium (.be) domains (cont'd)
- http://isc.sans.org/diary.html?storyid=6451
Last Updated: 2009-05-25 20:01:20 UTC ...(Version: 6)
"UPDATE 5: (May 25, 22:00h CET) It seems there is a new variation moving around, using tinyurl links... For example, you get a Facebook message pointing to "tinyurl dot com /o5kblj/" that takes you to a link at "simplemart dot be".
> Remember you can enable/disable the tinyurl preview feature through
" http://tinyurl.com/preview.php ". You just need to enable cookies on your browser.
Some of the malicious domains being used are redfriend dot be, redbuddy dot be, picoband dot be... (at this point, none of them can be resolved)..."
