SPAM frauds, fakes, and other MALWARE deliveries - archive

Koobface... again

More on same...

Koobface... again
- http://securitylabs.websense.com/content/Alerts/3403.aspx
05.26.2009 - "... Koobface attempted another running campaign on Facebook. If infected, Facebook users start to spam their friends with a link to a malicious Web site. When users visit the link, they are redirected to various malicious and phishing pages. We detected these on numerous .be domains and TinyURL links. One such malicious page is a fake YouTube page that appears to be a funny video. The page tells visitors to upgrade their Flash player in order to play the video, and the Flash setup program is actually Koobface malware... Among other things, a proxy server is installed on the infected computer..."

(Screenshots available at the Websense URL above.)

:fear: :mad:
 
Another "Digital Certificate" malware campaign

FYI...

Another "Digital Certificate" malware campaign
- http://isc.sans.org/diary.html?storyid=6499
Last Updated: 2009-06-01 16:21:12 UTC - "... a "Bank of America Digital Certificate Updating" scheme is used, where a victim of the luring email is directed to a fake website... Using the <Update Certificate> button here will net you a piece of Malware that has approximately 30% AV coverage (as indicated by VirusTotal). A quick analysis of said malware shows probable signs of, surprise-surprise, Waledac..."

(Screenshot available at the URL above.)

:fear::mad:
 
Twitter hit with rogue anti-virus scam

FYI...

- http://www.theregister.co.uk/2009/06/02/twitter_malware_scam/
2 June 2009 - "Twitter users over the weekend were the target of a scam that tried to infect them with rogue anti-virus software and other malware, in what is one of the first times the micro-blogging site has been hit by a known for-profit attack, a security researcher said. The problem started after a flurry of tweets directed users to a website promising "Best Video." The site appeared to offer content from YouTube, but behind the scenes, the site delivered a PDF document designed to infect those using vulnerable versions of Adobe's Reader program. Victims then received an urgent warning that their systems were infected and needed to be cleaned using fraudulent security software... The scam promoted a piece of rogue anti-virus software dubbed System Security."

- http://www.viruslist.com/en/weblog?weblogid=208187734
June 01, 2009 - "... fake program called "System Security" is being promoted... Most likely the cyber criminals behind this attack simply used the stolen credentials of those phished accounts to tweet the messages... If the trends we've seen on other social platforms are any indicator for Twitter then we can only expect an increase in attacks."
(Screenshots available at the URL above.)

- http://pandalabs.pandasecurity.com/archive/Visualizing-the-Twitter-Trends-Attack.aspx
11 June 09 - "... cyber criminals have been targeting Twitter users by creating thousands of messages (tweets) embedded with words involving trending topics and malicious URLs. If the URLs were accessed, the victims would arrive at a rogueware website designed to trick them into thinking that their computer is infected, therefore justifying the need to purchase the fake software offered. Since the initial discovery, we have been keeping a close eye on this attack, but the malicious tweets continue... The ease of carrying out this type of attack leaves us to believe that this will not go away anytime soon... "

:fear::mad:
 
SPAM down 15%...

FYI...

- http://www.marshal8e6.com/trace/i/FTC-Shuts-Down-Rogue-ISP,trace.1003~.asp
June 8, 2009 - "Last week the US Federal Trade Commission shut down a rogue ISP because it hosted a range of botnet command and control servers, malware, and child pornography. The ISP, known as 3FN (also as APS Telecom) was thought to be responsible for a number of spam botnet control servers, notably Pushdo/Cutwail... did this shutdown have any impact on spam? Looking at our Spam Statistics from last week, we do see a dip down of about 15% in our Spam Volume Index (SVI)... And spam originating from the Pushdo botnet indeed seems to be affected. The proportion of spam from Pushdo has dipped, along with Mega-D. Rustock seems completely unaffected... spam from Pushdo is still coming in to our spam traps, but at a much reduced rate... In terms of its impact on spam, the event is not quite in the same league as the McColo shutdown last November when spam output was halved overnight, but it is still very welcome nonetheless..."

(Charts available at the URL above.)

:spider:
 
More Blackhat SEO "scareware" campaigns...

FYI...

More Blackhat SEO "scareware" campaigns
- http://ddanchev.blogspot.com/2009/06/fake-web-hosting-provider-front-end-to.html
June 08, 2009 - "... they've got no customers but the cybercriminals themselves maintaining a portfolio of over 7,000 adult related keywords which they have been using for blackhat SEO campaigns across thousands of automatically registered - CAPTCHA recognition outsourced - Blogspot accounts since February, 2009... Not only is life4info .info or dirsite .com a bogus free hosting provider, but the campaigns hosted by them are interacting with our "dear friends" at AS30407; VELCOM .com which Spamhaus describes as "N. American base of Ukrainian cybercrime spammers" - and with a reason."

(Screenshots and more detail available at the URL above.)

:fear::mad::fear:
 
Malicious SPAM - Air France plane crash

FYI...

Malicious SPAM - Air France plane crash
- http://securitylabs.websense.com/content/Alerts/3417.aspx
06.11.2009 - "Websense... has detected a new malicious spam campaign pretending to deliver legitimate news updates about the Air France plane crash ( http://news.bbc.co.uk/1/hi/world/americas/8078147.stm ). The spam campaign is in Portuguese, and includes a link to view the first videos from the crash site. The link to the video leads to a Trojan Downloader file named: Video_AirFrance_447.com. If a user runs the file, it downloads a malicious executable file masquerading as an image from [removed].org/imgs/like2.jpg. The malware registers a password-stealing BHO component on the system masquerading as a McAfee SiteAdvisor component with this GUID: {9387b8b2-5508-11de-8729-c56f55d89593}. The GUID is linked to the malicious installed DLL file named mcieplg.dll under the system32 directory (%windir%\system32\mcieplg.dll). AV detection rates on this file are very low*..."
* http://www.virustotal.com/analisis/...da9fabb33dd6043ddf82a2550654916914-1244673584

(Screenshots available at the Websense URL above.)

:fear::mad:
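The Websense alert above gives two host-side indicators for the Air France downloader: the BHO CLSID {9387b8b2-5508-11de-8729-c56f55d89593} and the DLL name mcieplg.dll. The script below, an added example and not Websense code, parses a .reg-style export of the Browser Helper Objects key and resolves each registered CLSID to its InprocServer32 DLL so that either indicator can be flagged. The export text is constructed for the example; the first CLSID and its vendor path are placeholders for a legitimate BHO.

```python
"""Audit Browser Helper Object registrations against the indicators quoted in
the Websense Air France alert. Added example; the .reg text is constructed."""

# Indicators quoted in the alert: the BHO's CLSID and the DLL it loads.
KNOWN_BAD_CLSIDS = {"{9387b8b2-5508-11de-8729-c56f55d89593}"}
KNOWN_BAD_DLLS = {"mcieplg.dll"}

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")

# Constructed export. The first CLSID/path is a made-up benign BHO; the second
# reproduces the CLSID and %windir%\system32\mcieplg.dll from the alert.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]
"NoExplorer"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\example_bho.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9387b8b2-5508-11de-8729-c56f55d89593}]
@="McAfee SiteAdvisor"

[HKEY_CLASSES_ROOT\CLSID\{9387b8b2-5508-11de-8729-c56f55d89593}\InprocServer32]
@="C:\\WINDOWS\\system32\\mcieplg.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes inside quoted strings
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def audit_bhos(text):
    """Return one finding per registered BHO: CLSID, DLL path and a verdict."""
    keys = {k.lower(): v for k, v in parse_reg_export(text).items()}
    prefix = BHO_KEY.lower() + "\\"
    findings = []
    for key in keys:
        if not key.startswith(prefix):
            continue
        clsid = key[len(prefix):]
        server = keys.get(r"hkey_classes_root\clsid\%s\inprocserver32" % clsid, {})
        path = server.get("@", "")
        dll = path.rsplit("\\", 1)[-1].lower()
        bad = clsid in KNOWN_BAD_CLSIDS or dll in KNOWN_BAD_DLLS
        findings.append({"clsid": clsid, "dll": dll, "path": path,
                         "verdict": "known_bad" if bad else "unknown"})
    return findings


if __name__ == "__main__":
    for f in audit_bhos(SAMPLE_REG):
        print(f["verdict"], f["clsid"], f["path"])
```

On a live system the same logic applies to the output of `reg export` for the two keys, and any BHO whose DLL sits in system32 but is not claimed by an installed product deserves a closer look.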
 
SPAM - Fake EULAs, fixtools...

FYI...

- https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/276
06-12-2009 - "... SPAM (message) noted that Symantec was working with Microsoft to create a patch for "Conflicker." According to the spam message, Conficker is also called "Troj/Brisv.A"... The spam is accompanied by a file named "remtool_conf.exe." The spammers have taken an extra step ahead of just spreading their Trojans. This file is actually a Symantec fixtool for Trojan.Brisv bundled with the Trojan. So, when someone runs this file they actually run the Symantec Brisv fixtool, along with the Trojan completing its task. In this case, the dropped Trojan contacts a remote site in order to download another piece of malware, which is currently detected by Symantec products as Suspicious.MH690.A... We gave the infection a run on a test machine. Almost immediately we saw our own EULA... Running the email attachment did a few things–it dropped the original (signed) Symantec Trojan.Brisv fixtool into a temporary folder; it dropped a Trojan into the same folder; and, it ran the original fixtool. One can see that this is indeed Symantec’s own legitimate fixtool. But, the Trojan file "webexplorer.exe" is basically a downloader. It contacts a remote site in order to download another file called "winupdate.exe". As you’ve guessed, that is also a Trojan and is currently detected as Suspicious.MH690.A... If you have a need to run a Symantec fixtool, go to the Symantec website* and download it for free..."
* http://www.symantec.com/business/security_response/removaltools.jsp

(Screenshots available at the first Symantec URL above.)

:fear::mad::fear:
 
Scam version of Big Brother...

FYI...

- https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/spam/article-id/200
06-15-2009 - "It may not be encouraging news for scammers, but users are slowly but surely adopting a see-and-delete approach for the usual fake stories related to lotteries, dormant bank accounts, an inheritance of huge wealth, and relatives of deceased or exiled political leaders sharing their millions. However, lately the trends seem to show that news stories involving current events are being piggybacked or manipulated by scammers to trap users into falling for fraudulent offers... Another recent scam we have been monitoring involves an event resembling the highly rated television reality show Big Brother, which began on June 4 in the UK. Scammers have been inviting recipients to participate in their Big Brother World to be held on July 12 in London, UK... Scammers claim to be a Big Brother agent and will furnish the competition details once users respond to the mailed invitation. Users will need to reply with the application type along with their full name, address, age, and telephone number. Even a casual look at the email reveals several spelling mistakes that start right from the subject line and continue on throughout the message, including using “price” instead of “prize” in the mail body. We would recommend that users follow the usual practice of ignoring [and deleting] such unsolicited emails..."

(Screenshot of scam e-mail available at the URL above.)

:fear::mad:
 
MS09-017 exploit in the wild

FYI...

- http://blog.trendmicro.com/air-france-flight-447-spam-arrives-with-powerpoint-exploit/
June 17, 2009 - "After a blackhat SEO attack, cybercriminals are again using the terrifying catastrophe of Air France Flight 447 or the China-made C919 Jumbo Jets competing with Airbus and Boeing for malicious intent. This time, spam messages are sent with an attached PowerPoint presentation, which is specially crafted to exploit a vulnerability in Microsoft PowerPoint*. The spammed emails suggest that there are images in the attached PowerPoint presentation related to both the China-made jumbo jets and the Air France Flight 447, in order to lure the user into opening the specially crafted file... Users are strongly advised to apply the patch* provided by Microsoft to avoid being victimized by this threat..."
* http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx

:fear::mad:
 
Nonstop site re-infections

FYI...

Nonstop site re-infections
- http://securitylabs.websense.com/content/Blogs/3425.aspx
06.24.2009 - "We recently published an alert* about the Ethiopian Embassy site being compromised... This isn't the first time the site has been compromised. In March of 2009, we noticed an iframe injection pointing to hxxp://[REMOVED]vv.com/index.php. The domain was also serving virus-infected files in other locations, including hxxp://[REMOVED]vv.com/unic/1.exe, a Trojan [see VirusTotal report**]... Attackers are in control and re-compromising the site over and over, potentially infecting visitors with malicious code at any time. These attacks are somewhat of a trend. We've documented a number of compromised embassy sites in the past, illustrating how malware delivery occurs through Web sites..."
* http://securitylabs.websense.com/content/Alerts/3423.aspx

** http://www.virustotal.com/analisis/...630fdf4967237114032d91fe4ecddf05a9-1240536959
"File 5143155606c013934a4601648e310800aff688c2.EXE ..."

(Screenshots and more detail available at the Websense URL above.)

:fear::mad:
 
Zbot In Your Inbox

FYI...

Zbot In Your Inbox
- http://www.marshal8e6.com/trace/i/Zbot-In-Your-Inbox,trace.1005~.asp
June 24, 2009 - "A password stealing Zbot (ZeuS bot) Trojan has been increasingly spammed throughout the previous two weeks. We believe the spam originates from the Pushdo botnet. The spam template varies from time to time, mostly using subject lines such as “You have received a Greeting ecard ”, “Statement request”, “Microsoft outlook update”, “Postal Tracking” and may come either as an attachment or a link in the message body... Zbot attempts to download a file named "djwl.bin". This file is an encrypted configuration file..."
(Screenshots available at the URL above.)

Also see: http://www.abuse.ch/?p=1192
March 20, 2009

:fear::mad:
 
SPAM runs exploit celebrity deaths

FYI...

SPAM runs exploit celebrity deaths
- http://www.theregister.co.uk/2009/06/26/jackson_death_spam/
26 June 2009 - "Spammers have wasted no time exploiting the shock death of Michael Jackson to run an email harvesting campaign. Security watchers warn that malware-laced emails themed around the death of the King of Pop and Charlie's Angels star Farrah Fawcett, who also died on Thursday, are likely to follow..."

- http://securitylabs.websense.com/content/Alerts/3426.aspx
06.26.2009
- http://www.virustotal.com/analisis/...2f4b07a1a62d7d3018e28ccd5ee93e0ce4-1246012313
File michael_1_.gif received on 2009.06.26 10:31:53 (UTC)
...Result: 5/41 (12.20%)
- http://www.virustotal.com/analisis/...4fefba5ce06ef6f703e37f76ab88ad2ff9-1246029869
File Michael.Jackson.videos.scr received on 2009.06.26 15:24:29 (UTC)
...Result: 10/41 (24.39%)

- http://www.sophos.com/blogs/sophoslabs//?p=5035
June 26, 2009

:fear::fear:
 
MSN IM - Pushdo variant...

FYI...

MSN IM - Pushdo variant...
- http://blog.trendmicro.com/msn-bot-plays-on-controversy-over-michael-jacksons-death/
June 26, 2009 - "... a slew of malicious links related to Michael Jackson’s last moments in the hospital before his death are now being proliferated in the wild via the instant messaging (IM) application, MSN... When recipients of such messages click on any of these links, they are then prompted to save a file named PIC-IMG029-www.hi5.com.exe (with the MD5 checksum of 031429fc14151f94c8651a3fb110c19b), instead of being led to an image site or gallery. Initial analysis shows that the said file is a variant of the SDBOT family...
Update - 27 June 2009: The botnet is said to push the templated messages through an IRC to the client to be spammed... The malware responsible for this is detected as WORM_IRCBOT.GAT. It opens a certain port on the affected system then listens for remote commands. Kharouni reports that commands to download certain files are received and executed by the affected system, ultimately leading to the download of a PUSHDO variant. PUSHDO is a botnet responsible for a huge amount of spam activity..."

(Screenshot available at the URL above.)

:fear::mad::fear:
 
More celebrity malware...

FYI...

More celebrity malware...
- http://www.f-secure.com/weblog/archives/00001709.html
June 29, 2009 - "There have been a couple of malware attacks that have tried to use the news coverage of the death of Michael Jackson as the lure to get people infected. Last night we saw this one: a file called Michael-www.google.com.exe. This file was distributed through a site called photos-google.com and possibly also through photo-msn.org, facebook-photo.net and orkut-images.com. Do not visit these sites. When executed, Michael-www.google.com.exe drops files called reptile.exe and winudp.exe. These are IRC bots with backdoor capability. The file also shows this fake error message..."
(Screenshot available at the F-secure URL above.)

- http://www.sophos.com/blogs/gc/g/2009/07/01/michael-jackson-emailaware-worm-hits-inboxes/
July 1, 2009 - "... we have encountered a mass-mailing worm that spams out messages with the following characteristics:
Subject: Remembering Michael Jackson
Attached file: Michael songs and pictures.zip
The email, which claims to come from sarah @michaeljackson.com, says that the attached ZIP file contains secret songs and photos of Michael Jackson. Opening the attachment exposes you to infection - and if your computer is hit you will be spreading the worm onto other internet users. Besides spreading via email, the malware is also capable of spreading as an Autorun component on USB memory sticks (an increasingly common trend for malware as use of these devices has become more and more popular). Sophos detects the malware proactively as Mal/ZipMal-B and Mal/VB-AD, and recommends that users of other anti-virus products ensure that their defences are properly updated..."

:fear:
 
Torrentreactor site compromised

FYI...

Torrentreactor site compromised
- http://securitylabs.websense.com/content/Alerts/3430.aspx
07.01.2009 - "Websense... has detected that Torrentreactor, one of the oldest and most reliable torrent search engines on the Web, has been compromised and injected with malicious code. The site has been injected with an IFrame leading to a site laden with exploits. The exploits on the payload site include Internet Explorer (MDAC) and Microsoft Office Snapshot Viewer, as well as Acrobat Reader and Adobe Shockwave. If the user's browser is successfully exploited, a malicious file is downloaded and run from the exploit site. The malicious file has an extremely low AV detection rate*. The file (MD5: 24bd24f8673e3985fc82edb00b24ba73) is a Trojan Downloader and connects to a Bot C&C server at IP 78.109.29.116. After connecting to the IP, the file downloads a Rootkit installer from the same IP..."
* http://www.virustotal.com/analisis/...3e545fa5339e4da159062abfe6f326b2b7-1246425266
File rncsys32.exe received on 2009.07.01 05:14:26 (UTC)
Result: 2/41 (4.88%)

- http://www.theregister.co.uk/2009/07/01/torrentreactor_breach/
1 July 2009 - "... The malicious file in the latest compromise communicates with a server at 78.109.29.116, an IP address that web searches suggest has ties to the Russian Business Network..."

:fear::spider::mad:
 
Click fraud trojan...

FYI...

Click fraud trojan...
- http://secureworks.com/research/threats/ffsearcher/?threat=ffsearcher
June 26, 2009 - "While analyzing a slew of malware downloaded by the exploit kit used in the "Nine-Ball" web attacks, the SecureWorks Counter Threat Unit came across an interesting trojan that used a previously-unseen HTTP request pattern... After some time we came to the conclusion that the trojan was a search hijacker trojan used for click fraud. Click fraud trojans are as old as Internet advertising itself, and usually we see one of two types: browser hijackers that change one's start page and searches to redirect to a third-party search engine, or trojans that silently pull down a list of ad URLs and generate fake clicks on the ads in a hidden Internet Explorer window. This trojan however, was much more subtle and creative - in this case, every click on an ad is user-generated, and the user never notices any change in their web-surfing experience. We call this trojan search hijacker "FFSearcher", named after one of the websites used in this scheme. Detection of the dropper executable by anti-virus engines is poor at this time, with only 4 of 39 scanners* detecting it at all... As click-fraud trojans go, this is one of the more clever that we've seen, with an impressive feature set:
1. Working code to hijack both Firefox and IE
2. Difficult to spot by the average user
3. Minimally impacting to the infected machine
4. Probably difficult for fraud detection systems at the search engine sites to detect, since every ad-click that comes through is generated on purpose by a user in the course of normal web-surfing activity..."
(Screenshots available at the Secureworks URL above.)
* http://www.virustotal.com/analisis/...f3222552988982da2571c6af30262f6c9b-1244830834
File nkavnxe.exe received on 2009.06.12 18:20:34 (UTC)
Result: 4/39 (10.26%)

:fear::fear:
 
Happy 4th from Waledac...

FYI...

Happy 4th from Waledac...
- http://securitylabs.websense.com/content/Alerts/3431.aspx
07.03.2009 - "Websense... has detected yet another new Waledac campaign theme in the wild. The new variant uses an Independence Day theme as a social engineering mechanism. The USA celebrates Independence Day on July 4 each year. The malicious emails that are sent use subjects and content related to Independence Day, Fourth of July and fireworks shows. The malicious Web sites in the current attack also have a July 4 or fireworks theme within the domain name. ThreatSeeker has been monitoring the registration of these domains. Should the user click on the video, which is designed to appear to be a YouTube video, an .exe is offered. When downloaded the .exe would install the latest Waledac variant onto the user's machine..."
(Screenshots available at the URL above.)

- http://www.eset.com/threat-center/blog/?p=1244
July 2, 2009
- http://www.eset.com/threat-center/blog/?p=1250
July 3, 2009

:fear::mad::fear:
 
Waledac July 4th update - New domains added

FYI...

Waledac July 4th update - New domains added
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090704
4 July 2009 - "... quick update on Waledac. We have been keeping an eye on it for a bit and it's been actively spamming and updating clients to Fake Antivirus products for the last few months. However, we also saw it start spamming itself out again starting yesterday. Actually saw a quick first post of the from sudosecure.net:
http://www.sudosecure.net/archives/583
No real need to have tons of duplicate write-ups and screen shots. You can get the same basic information from the site. It's the standard spam to a link involving a fake YouTube video that wants you to download an executable... We have updated our Waledac domain lists that you can use to block/track Waledac domains. The first URL is to the list that is updated with timestamps, ugly comments, and newest domains at the bottom:
http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt
We also have the all-time Waledac domain list that contains just the domain listing since the start. It currently has 244 domains on it and can be reached via the following URL:
http://www.shadowserver.org/wiki/uploads/Calendar/waledac_list.txt
These are domains you definitely want to avoid visiting and consider blocking where possible."

:fear::fear:
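Shadowserver describes its working Waledac list as carrying timestamps, comments and the newest domains at the bottom, which means it needs cleaning before it can drive a block or a log search. The script below is an added example, not Shadowserver code: it strips comments and normalises case and trailing dots, then matches proxy-log hostnames against the list so that subdomains of a listed domain are caught while look-alike names are not. The list format, the .test domains and the log lines are all constructed for the example.

```python
"""Load a commented domain list and match proxy-log hostnames against it.
Added example; the list format and all domains below are constructed."""
import re

# Constructed stand-in for the shadowserver working list: comments, timestamps,
# mixed case, a trailing dot and a duplicate, newest entries at the bottom.
SAMPLE_LIST = """# Waledac domains (constructed sample, not the real list)
# 2009-07-03 20:15 UTC  added after the first July 4 spam run
fireworks-sample-1.test
INDEPENDENCE-SAMPLE.test   # mixed case on purpose
# 2009-07-04 09:40 UTC  more found overnight
july4-sample.test.         # trailing dot
fireworks-sample-1.test    # duplicate line
"""

# Constructed proxy log lines: timestamp, client, method, URL.
SAMPLE_LOG = [
    "2009-07-04T10:02:11Z 10.0.0.12 GET http://video.fireworks-sample-1.test/watch.exe",
    "2009-07-04T10:03:40Z 10.0.0.12 GET http://www.example.com/",
    "2009-07-04T10:05:02Z 10.0.0.27 GET http://JULY4-SAMPLE.TEST/fireworks",
    "2009-07-04T10:06:15Z 10.0.0.27 GET http://notfireworks-sample-1.test/",
]


def load_blocklist(text):
    """Return the set of normalised domains, ignoring comments and blank lines."""
    domains = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if entry:
            domains.add(entry.lower().rstrip("."))
    return domains


def blocked_by(host, domains):
    """Return the list entry covering host (itself or a parent domain), else None."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full name up to the registrable domain; never match a bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_proxy_log(lines, domains):
    """Return (hostname, matched_entry) for every log line that hit the list."""
    hits = []
    for line in lines:
        m = re.search(r"https?://([^/\s:]+)", line)
        if m:
            matched = blocked_by(m.group(1), domains)
            if matched:
                hits.append((m.group(1), matched))
    return hits


if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_LIST)
    for host, entry in scan_proxy_log(SAMPLE_LOG, bl):
        print("%s blocked by %s" % (host, entry))
```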
 
Twitter suspends Koobface infected computers

FYI...

Twitter suspends Koobface infected computers
- http://blog.trendmicro.com/koobface-increases-twitter-activity/
July 9, 2009 - "... Koobface has increased its Twitter activity, sending out tweets with different URL links pointing to Koobface malware. This is in contrast with previous Koobface Twitter activity wherein only three TinyURLs pointing to Koobface were used. As of writing, there are a couple of hundred Twitter users affected by Koobface in the past few hours, but dozens more are being infected as we speak. We advise Twitter users to (not click on) URLs on tweets, especially if the tweet advertises a home video.
Update: It seems this Koobface problem in Twitter is getting bigger and bigger, prompting Twitter itself to temporarily suspend* infected user accounts."
* http://status.twitter.com/post/138789881/koobface-malware-attack
July 9, 2009 - "... If we suspend your account, we will send you an email notifying you of the suspension. This email also includes tips for removing the malware from your PC."

> http://www.sophos.com/blogs/gc/g/2009/07/10/twitter-warns-users-koobface-worm/
July 10, 2009

Preview a TinyURL
- http://tinyurl.com/preview.php
"Don't want to be instantly redirected to a TinyURL and instead want to see where it's going before going to the site? Not a problem with our preview feature..."

- http://www.threatpost.com/blogs/koobface-worm-infections-exploding
July 6, 2009 - "In June, we saw an explosive rise in the number of Koobface modifications - the number of variants we detected jumped from 324 at the end of May to nearly 1000 by the end of June. And this weekend brought another flood, bringing us up to 1049 at the time of writing... Koobface spreads via major social networking sites like Facebook and MySpace. It's now spreading via Twitter as well... the pool of potential victims is growing day by day - just take a look at the Alexa stats* for Facebook. So naturally, cybercriminals are going to be targeting these sites more and more often."
* http://www.alexa.com/siteinfo/facebook.com
"... Percent of global Internet users who visit facebook.com:
... 7 day avg: 20.01% ..."

:fear::mad::fear:
 