SPAM frauds, fakes, and other MALWARE deliveries...

Mother’s Day SPAM ...

FYI...

Mother’s Day SPAM ...
- http://www.symantec.com/connect/blogs/spammers-continue-exploit-mother-s-day
6 May 2013 - "... Spam messages related to Mother’s Day have begun flowing into the Symantec Probe Network. Clicking the URL contained in the spam message automatically -redirects- the recipient to a website containing a bogus Mother’s Day offer upon completion of a -fake- survey.
> https://www.symantec.com/connect/sites/default/files/users/user-1013481/mothers%201.png
Once the survey is completed, a page is then displayed asking the user to enter their personal information in order to receive the -bogus- offer.
> https://www.symantec.com/connect/sites/default/files/users/user-1013481/mothers%202.png
Next...
> https://www.symantec.com/connect/sites/default/files/users/user-1013481/mothers%203.png
... Symantec is observing an increase in spam volume related to Mother’s Day, which can be seen in the following graph.
> https://www.symantec.com/connect/sites/default/files/users/user-1013481/mothers%205.png
... use caution when receiving unsolicited or unexpected emails. We are closely monitoring Mother’s Day spam attacks to ensure that readers are kept up to date with information on the latest threats..."

- https://www.bbb.org/blog/2013/05/avoiding-mothers-day-email-scams/
May 6, 2013

- http://mashable.com/2013/05/01/mothers-day-email-scams/
2013-05-01

:fear::mad:
AutoIt malware - 188.161.9.226 ...

FYI...

AutoIt malware - 188.161.9.226 ...
- http://blog.trendmicro.com/trendlab...e/autoit-used-to-spread-malware-and-toolsets/
May 6, 2013 - "... In addition to tools being found on sites like Pastebin and Pastie, we are also seeing a tremendous increase in the amount of malware utilizing AutoIt as a scripting language. One piece of malware that was found in the wild was particularly interesting. This malware is a variant of the popular DarkComet RAT – utilizing AutoIt. This variant runs a backdoor on the victim machine and communicates outbound to a nefarious host at shark18952012.no-ip .info (188.161.9.226 at the time of writing) over port 1604... In addition to this malware’s outbound communication, it also modifies the local software firewall policies to disable them, in addition to installing itself at startup for persistency... Upon execution of the malware, it immediately disables the Windows Firewall. After disabling the firewall, the malware then disables the ability to get into the registry of Windows to view or undo the changes performed... As scripting languages like AutoIt continue to gain popularity, we expect more of these types of malware to make a migration to using them. The ease of use and learning, as well as the ability to post code easily to popular dropsites make this a great opportunity for actors with nefarious intentions to propagate their tools and malware. We recommend continuing to update your Anti-Virus signatures as well as consider blocking access to Pastebin, Pastie and other code dropsites on your corporate network where applicable."
___

Something evil on 151.248.123.170 Part III
- http://blog.dynamoo.com/2013/05/something-evil-on-151248123170-part-iii.html
7 May 2013 - "I've covered 151.248.123.170 (Reg.ru, Russia*) a couple of times in the past month [1] [2], and it's still actively pushing out malware via dynamic DNS domains, many of which are injection attacks on hacked sites. There are hundreds or possibly thousands of malicious domains on this IP. Blocking them individually is likely to be problematic, the best approach is to block all traffic to 151.248.123.170 or to the Dynamic DNS domains involved.. although this might potentially block access to some legitimate sites..."

1) http://blog.dynamoo.com/2013/04/something-evil-on-151248123170_24.html

2) http://blog.dynamoo.com/2013/04/something-evil-on-151248123170.html

* https://www.google.com/safebrowsing/diagnostic?site=AS:39134
___

Fake Citibank ‘Merchant Billing Statement’ emails lead to malware
- http://blog.webroot.com/2013/05/07/...ling-statement-themed-emails-lead-to-malware/
May 7, 2013 - "Over the past 24 hours, we’ve intercepted yet another spam campaign impersonating Citibank in an attempt to socially engineer Citibank customers into thinking that they’ve received a Merchant Billing Statement. Once users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet operated by the cybercriminal/cybercriminals...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/05/citibank_merchant_billing_statement_malware_malicious_software_social_engineering_botnet_botnets_trojan.png
Detection rate for the malicious executable: MD5: 75a666f81847ccf7656790162e6a666a * ... Trojan-Spy.Win32.Zbot.lcnn..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...73271434157489c7addcdb03/analysis/1367618876/
File name: Kwmfd2.exe
Detection ratio: 33/46
Analysis date: 2013-05-05

:mad:
Fake Amazon SPAM, Fake AV and ransomware combo...

FYI...

Fake Amazon.com SPAM / ehrap .net
- http://blog.dynamoo.com/2013/05/amazoncom-spam-ehrapnet.html
8 May 2013 - "This fake Amazon spam leads to malware on ehrap .net:
Date: Tue, 7 May 2013 22:54:26 +0100 [05/07/13 17:54:26 EDT]
From: "Amazon.com" [drudgingb50@m.amazonmail.com]
Subject: Your Amazon.com order confirmation.
Thanks for your order, [redacted]!
Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.
Order Information:
E-mail Address: [redacted]
Billing Address:
216 CROSSING CRK N
GAHANNA
United States
Phone: 1-747-289-5672
Order Grand Total: $ 53.99
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More
Order Summary:
Details:
Order #: I12-4392835-6098844
Subtotal of items: $ 53.99
Total before tax: $ 53.99
Tax Collected: $0.00
Grand Total: $ 50.00
Gift Certificates: $ 3.99
Total for this Order: $ 53.99
The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.
Mockingjay (The Final Book of The Hunger Games) [Kindle Edition] $ 53.99
Sold By: Random House Digital, Inc.
Give Kindle books to anyone with an e-mail address - no Kindle required!
You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.
Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.
Thanks again for shopping with us.
Amazon.com
Earth's Biggest Selection
Prefer not to receive HTML mail? Click here


The link in the email goes through a legitimate hacked site and ends up on [donotclick]ehrap .net/news/days_electric-sources.php (report here*) hosted on (or with nameservers on) the following IPs:
85.41.88.24 (Telecom Italia, Italy)
98.210.212.79 (Comcast, US)
140.121.140.92 (TANet, Taiwan)
178.175.140.185 (Trabia-Network, Moldova)
197.246.3.196 (The Noor Group, Egypt)
216.70.110.21 (Media Temple, US)
The domains involved indicate that this is the gang behind what I call the Amerika series of spam emails.
Blocklist:
85.41.88.24
98.210.212.79
140.121.140.92
178.175.140.185
197.246.3.196
216.70.110.21
..."
* http://urlquery.net/report.php?id=2377955
___

Fake AV and ransomware combo
- https://www.net-security.org/malware_news.php?id=2486
8 May 2013 - "Ransomware and fake antivirus solutions are well-known threats, but a deadly fraudulent combination of the two has been recently spotted... The software - dubbed "Secure Bit" - first tries to convince the victims that the "security level" of their computer is low and instructs them to call for support so that the “threats” it has "found" can be removed. The claim is accompanied by pop-ups that list a great number of them. But if the victims don't do as they are told after a period of time, the fake AV turns nasty (well, nastier), and locks the computer screen. The victims can't do anything on their machine, and they are again told to contact the given phone number in order to regain control of it. The phone call reveals that it will cost the victims $49.99 to do that, and Total Defense's Tsahi Carmona warns* that many users may not recognize it's a scam and may pay the ransom..."
* http://www.totaldefense.com/blogs/2013/05/07/newfake-anti-virus-secure-bit.aspx
"... This anti-virus software pretender combines two methods of fraud – the fake anti-virus software and malware that supposedly locks the screen in order to make the victim pay money to unlock it. After the user installs this free “anti-virus” software it immediately notifies them that the security level of the computer is low and that they need to call for support to address the found “threats”..."
___

Fake Amazon emails lead to malware...
- http://blog.webroot.com/2013/05/08/...ild-lead-to-client-side-exploits-and-malware/
May 8, 2013 - "... Cybercriminals are currently mass mailing tens of thousands of fake Amazon “You Kindle E-Book Order” themed emails in an attempt to trick Kindle users into clicking on the malicious links found in these messages. Once they do so, they’ll be automatically exposed to the client-side exploits served by the Black Hole Exploit Kit, ultimately joining the botnet operated by the cybercriminal/cybercriminals that launched the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...amvertised_social_engineering.png?w=650&h=486
... MD5 for the Java exploit: MD5: c9bc87eef8db72f64bac0a72f82b04cf * ... HEUR:Exploit.Java.CVE-2012-0507.gen
MD5 for the PDF exploit: MD5: 53c90140fde593713efe6298547ff205 ** ...Exploit:Win32/CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: 330ad00466bd44a5fb2786f0f5e2d0da *** ...Trojan.Win32.Reveton.a (v).
... phones back to:
..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...8b610dcefeb06876647043b0/analysis/1367968246/
File name: days_electric-sources.php
Detection ratio: 5/46
Analysis date: 2013-05-07
** https://www.virustotal.com/en/file/...18e4b7fcc35b9087cc6b534f/analysis/1367968346/
File name: Kindle.pdf
Detection ratio: 26/46
Analysis date: 2013-05-07
*** https://www.virustotal.com/en/file/...1d44b55883a229e07dd0bdcf33a0a827274/analysis/
File name: sndrec32.exe
Detection ratio: 16/46
Analysis date: 2013-05-08
___

Malicious Better Business Bureau Spam
- http://threattrack.tumblr.com/post/49947201132/malicious-better-business-bureau-spam
8 May 2013 - "Subjects Seen:
Better Business Beareau Complaint ID [removed]
Typical e-mail details:
The Better Business Bureau has been entered the above mentioned complaint from one of your users in regard to their business contacts with you. The information about the consumer’s concern are available at the link below. Please give attention to this point and notify us about your belief as soon as possible.
We kindly ask you to open the RECLAMATION REPORT to answer on this claim.
We are looking forward to your prompt response.
WBR
Colton Reed
Dispute Advisor
Better Business Bureau


Malicious URLs
stopwulgaryzmom .pl/bbb_view_compl.html?complain=DFMI30GA2_80VJA8
pub.mumbailocaltraintimetable .net/ensure/misuse-restrict-systems_properties.php


Screenshot: https://gs1.wac.edgecastcdn.net/801...86a835646/tumblr_inline_mmht3xfiSm1qz4rgp.png

:fear: :mad:
Fake Citibank, Traffic Ticket SPAM ...

FYI...

Fake Citibank SPAM / Statement ID 64775-4985.doc
- http://blog.dynamoo.com/2013/05/citibank-spam-statement-id-64775-4985doc.html
9 May 2013 - "This fake Citibank spam contains a malicious Word document that leads to malware.
Date: Thu, 9 May 2013 01:22:21 +0200 [05/08/13 19:22:21 EDT]
From: CITIBANK [noreply @citybank .com]
Subject: Merchant Statement
Enclosed DOC is your Citibank Paymentech electronic Merchant Billing Statement. If you need help, please contact your Account Executive or call Merchant Services at the telephone number listed on your statement. PLEASE DO NOT RESPOND BY USING REPLY. This email is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech. Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly. ---------- Learn more about Citibank Paymentech Solutions, LLC payment processing services at Citibank. ---------- THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer.


The attached document Statement ID 64775-4985.doc contains an exploit (analysis pending) with a VirusTotal detection rate of just 10/46*. It appears to exploit a flaw in the RTF converter... making sure that your copy of Microsoft Office is up-to-date and fully patched will help to mitigate against this sort of threat."
* https://www.virustotal.com/en/file/...dcf8241723020f1216b89a1a706addf9347/analysis/
File name: Statement ID 64775-4985.doc
Detection ratio: 10/46
Analysis date: 2013-05-09

Update: another version is using the filename Statement ID 4657-345-347-0332.doc. It looks like it is exploiting CVE-2012-0158* aka MS12-027.
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158 - 9.3 (HIGH)
Last revised: 03/07/2013
___

Fake Traffic Ticket serves malware
- http://blog.webroot.com/2013/05/09/...partment-of-motor-vehicles-dmv-serve-malware/
9 May 2013 - "Cybercriminals are currently spamvertising tens of thousands of -bogus- emails impersonating New York State’s Department of Motor Vehicles (DMV) in an attempt to trick users into thinking they’ve received a uniform traffic ticket that they should open, print and send to their town’s court. In reality, once users open and execute the malicious attachment, their PCs will automatically join the botnet operated by the cybercriminal/cybercriminals behind the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...s_software_social_engineering.png?w=423&h=290
Detection rate for the malicious executable: MD5: 247c67cb99922fd4d0e2ca5d6976fc29 * ... Trojan-Spy.Win32.Zbot.lhim..."
(More detail available at the webroot URL above.)
* https://www.virustotal.com/en/file/...bf70bbb1e3a294842470c9f75f757ca43b1/analysis/
File name: Unihl.exe
Detection ratio: 30/45
Analysis date: 2013-05-08

:fear: :mad:
Malicious Facebook SPAM, Evil IP...

FYI...

Malicious Facebook Friend Notification Spam
- http://threattrack.tumblr.com/post/50026329673/malicious-facebook-friend-notification-spam
9 May 2013 - "Subjects Seen:
[removed] wants to be friends on Facebook
Typical e-mail details:
[removed] wants to be friends with you on Facebook Facebook.

Malicious URLs
web.jen-pages .de/fbreq.html
job.bgita .ru/fbreq.html
yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?jnlp=7ad5b52a64
yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?zvvsj=edwwqnl&wit=tjm
yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?mf=1i:1f:32:33:2v&le=1m:2v:31:1k:2w:1k:1h:2v:1l:1j&u=1f&yj=i&cp=j&jopa=5216591


Screenshot: https://gs1.wac.edgecastcdn.net/801...b86b7c58e/tumblr_inline_mmjo2ooht71qz4rgp.png
___

Something evil on 151.248.123.170, Part IV
- http://blog.dynamoo.com/2013/05/something-evil-on-151248123170-part-iv.html
10 May 2013 - "Here are some additional malicious domains from a very evil malware server on 151.248.123.170 (Reg.ru, Russia)... you can download a full list of everything that I can find here** [.txt]. This server is currently being used as the payload for injection attacks. Blocking the IP address is the obvious solution, or you could block the Dynamic DNS domains listed here*..."
* http://blog.dynamoo.com/2013/05/something-evil-on-151248123170-part-iii.html

** http://www.dynamoo.com/files/151-248-123-170.txt
___

USAA Credentials Phish
- http://threattrack.tumblr.com/post/50108697070/usaa-credentials-phish
10 May 2013 - "Subjects Seen:
Important Message From Usaa
Typical e-mail details:
Dear Valued Customer,
We have created new dedicated security servers to keep all our
online banking customers account safe and secure. This is server
has been tested, now we are asking all our online banking customers
to register for the new security server to keep them safe.
To register for this new security server quickly click on the button
below to complete registration immediately.
Click Here To Register
We hope you find our Internet Banking service easy and convenient to use.
Yours sincerely
USAA,
Digital Banking Director


Malicious URLs
sehyup .com/08_dev/board/file/bbs_notice/vi.htm
philanthropyexpert .org/ass/index.html


Screenshot: https://gs1.wac.edgecastcdn.net/801...5bb0eb294/tumblr_inline_mmln1qLK0n1qz4rgp.png

:mad::mad:
Something evil on 188.241.86.33

FYI...

Something evil on 188.241.86.33
- http://blog.dynamoo.com/2013/05/something-evil-on-1882418633.html
13 May 2013 - "188.241.86.33 (Megahost, Romania) is a malware server currently involved in injection attacks, serving up the Blackhole exploit kit, Zbot and a side order of Cdorked [1] [2]. This IP hosts a variety of domains, some of which are purely malicious, some of which are hijacked subdomains of legitimate ones. Blocking the IP address is the easiest approach..."
(More detail at the dynamoo URL above.)

1) http://urlquery.net/search.php?q=188.241.86.33&type=string&start=2013-04-28&end=2013-05-13&max=50

2) https://www.virustotal.com/en/ip-address/188.241.86.33/information/
___

Browser extension hijacks Facebook profiles
- https://blogs.technet.com/b/mmpc/ar...ijacks-facebook-profiles.aspx?Redirected=true
10 May 2013 - "We have received reports about a wave of malicious browser extensions trying to hijack Facebook profiles. This threat was first discovered in Brazil. We detect it as Trojan:JS/Febipos.A. The malware is a malicious browser extension specifically targeting Chrome and Mozilla Firefox..."
- http://h-online.com/-1861398
13 May 2013 - "... The trojan extensions themselves monitor users' browser activity to see if they are logged into Facebook and then retrieve a configuration file from a site, disguised as a .php file, which contains commands for the extension. The extension is able to like pages, share pages, post, join groups, invite friends to groups, chat to friends or comment on posts... Microsoft recommends that users review their installed extensions..."
___

Fake BoA Paymentech Malicious Word Doc Attachment Spam
- http://threattrack.tumblr.com/post/50349361323/bank-of-america-paymentech-malicious-word-doc
13 May 2013 - "Subjects Seen:
BOA Merchant Statement
Typical e-mail details:
Attached (DOC|WORD file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Bank of America Paymentech.
Bank of America Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Bank of America Paymentech’s or the Merchant’s email service or otherwise. Bank of America Paymentech recommends that Merchants continue to monitor their statement information regularly.


Spam contains malicious attachment.

Screenshot: https://gs1.wac.edgecastcdn.net/801...5ee12678f/tumblr_inline_mmqx7bdxu51qz4rgp.png
___

Malicious Citibank Secure Message Spam
- http://threattrack.tumblr.com/post/50357500910/malicious-citibank-secure-message-spam
13 May 2013 - "Subjects Seen:
You have received a secure message
Typical e-mail details:
Read your secure message by opening the attachment, securedoc.html You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
First time users - will need to register after opening the attachment.
About Email Encryption - citi .com/citi/citizen/privacy/email.htm


Malicious URLs
mail.yaklasim .com:8080/forum/viewtopic.php
116.122.158.195 :8080/forum/viewtopic.php
vulcantire .net/forum/viewtopic.php
westautorepair .com/forum/viewtopic.php
metroimport-tires .com/forum/viewtopic.php
iis1.ontera .net/AUWY5Z.exe


Screenshot: https://gs1.wac.edgecastcdn.net/801...42ef617f2/tumblr_inline_mmr3owXmUI1qz4rgp.png
___

Fake AMEX SPAM / SecureMail.zip
- http://blog.dynamoo.com/2013/05/confidential-secure-message-from-amex.html
13 May 2013 - "This fake Amex email has a malicious attachment:
Date: Tue, 14 May 2013 01:34:36 +0600 [15:34:36 EDT]
From: American Express [Jarvis_Randall @aexp .com]
Subject: Confidential - Secure Message from AMEX
Secure Message
The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.
Note: The attached file contains encrypted data.
If you have any questions, please call us at 800-748-8515, option 0. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
Thank you,
American Express
2012 American Express Company. All rights reserved.


There is an attachment SecureMail.zip which in turn contains an executable file SecureMail .exe which has an icon designed to look like a PDF file. VirusTotal results for the malware are just 15/46*. Comodo CAMAS reports the following characteristics** and also a connection to a known malware C&C server mail.yaklasim .com on 212.58.4.13 (DorukNet, Turkey).
Size 137216
MD5 20de8bad8bf8279e4084e9db461bd140
SHA1 caacc00d68f41dad9b1abb02f9e243911f897852
SHA256 18e2fc0b9386cadc31fb15cb38d9fa5d274f42b8127b349a14c962329b691ee7
The ThreatTrack report*** also shows a connection to 212.58.4.13 as well as 62.233.104.156 (IOMART, UK) and several other IPs that may form part of a botnet. Blocking EXE-in-ZIP files at the perimeter is a good move if you can do it.
Blocklist:
mail.yaklasim .com
212.58.4.13
62.233.104.156
..."
* https://www.virustotal.com/en/file/...127b349a14c962329b691ee7/analysis/1368476716/
File name: SecureMail.exe
Detection ratio: 15/46
Analysis date: 2013-05-13

** http://camas.comodo.com/cgi-bin/sub...b15cb38d9fa5d274f42b8127b349a14c962329b691ee7

*** http://www.dynamoo.com/files/analysis_30572_20de8bad8bf8279e4084e9db461bd140.pdf

:fear::fear: :mad:
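Several of the spam samples quoted in this thread carry a brand in the From: display name that does not match the sending domain ("Amazon.com" from m.amazonmail.com, CITIBANK from citybank.com), while others (American Express from aexp.com, Facebook from facebookmail.com) use domains that look genuine. As an added example, not code from any of the quoted blogs, the script below triages such headers by comparing the claimed brand with the registrable sending domain; the brand allowlist, the lookalike edit-distance threshold and the sample headers are assumptions and constructed data.

```python
"""Display-name vs. sending-domain triage for brand-impersonating spam.

Added example for this thread; the allowlist and thresholds are assumptions.
"""
import re
from email.utils import parseaddr

# Constructed From: headers, re-typed from the spam quoted in this thread
# (the defanged " @" / " ." spacing of the quotes is collapsed here).
SAMPLE_FROM_HEADERS = [
    '"Amazon.com" <drudgingb50@m.amazonmail.com>',
    'CITIBANK <noreply@citybank.com>',
    'American Express <Jarvis_Randall@aexp.com>',
    'Facebook <notification+LTFS15RDTR@facebookmail.com>',
]

# Assumed allowlist: domains the impersonated brands legitimately send from.
BRAND_DOMAINS = {
    "amazon": {"amazon.com"},
    "citibank": {"citi.com", "citibank.com"},
    "americanexpress": {"americanexpress.com", "aexp.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
}
LOOKALIKE_MAX_EDITS = 2  # assumed threshold for typo-squat detection


def edit_distance(a, b):
    """Levenshtein distance; catches one-letter swaps like citybank/citibank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(address):
    """Naive registrable domain: the last two labels (adequate for .com here)."""
    domain = address.rsplit("@", 1)[-1].lower().strip(".")
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def claimed_brand(display_name):
    """Brand the display name claims, matched on a lowercase letters-only token."""
    token = re.sub(r"[^a-z]", "", display_name.lower())
    for brand in BRAND_DOMAINS:
        if brand in token:
            return brand
    return None


def classify_sender(from_header):
    """Compare the brand claimed in the display name with the sending domain."""
    display_name, address = parseaddr(from_header)
    brand = claimed_brand(display_name)
    domain = registrable_domain(address)
    result = {"brand": brand, "domain": domain}
    if brand is None:
        result["verdict"] = "no_brand_claim"
    elif domain in BRAND_DOMAINS[brand]:
        # Header is self-consistent; only SPF/DKIM/DMARC results can separate
        # a forged header from genuine brand mail at this point.
        result["verdict"] = "domain_matches_brand"
    elif any(edit_distance(domain, good) <= LOOKALIKE_MAX_EDITS
             for good in BRAND_DOMAINS[brand]):
        result["verdict"] = "lookalike_domain"
    elif brand in domain.replace(".", ""):
        # Brand name embedded in an unrelated domain, e.g. amazonmail.com
        result["verdict"] = "brand_in_foreign_domain"
    else:
        result["verdict"] = "unrelated_domain"
    return result


def triage(headers=SAMPLE_FROM_HEADERS):
    """Classify every header; returns one result dict per header, in order."""
    return [classify_sender(h) for h in headers]


if __name__ == "__main__":
    for row in triage():
        print(f"{row['verdict']:24} brand={str(row['brand']):16} domain={row['domain']}")
```

Under the assumed allowlist two of the four headers pass the domain check, which is why this comparison only narrows triage and the authentication results (SPF, DKIM, DMARC) on the message must make the final call.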
Fake BoA SPAM, Something evil on 94.242.198.16 ...

FYI...

Fake BoA SPAM / RECEIPT428-586.doc
- http://blog.dynamoo.com/2013/05/bank-of-america-spam.html
14 May 2013 - "This fake Bank of America message has a malicious Word document attached:
Date: Tue, 14 May 2013 10:16:05 +0500 [01:16:05 EDT]
Subject: Your transaction is completed
Transaction is completed. $51317477 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt of payment is attached.
*** This is an automatically generated email, please do not reply ***
Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
© 2013 Bank of America Corporation. All rights reserved


The attached document is RECEIPT428-586.doc which contains a CVE-2012-0158 / MS12-027 exploit, so a fully patched Windows system should be immune. Further analysis is pending, but the payload is likely to be P2P / Gameover Zeus as found in this attack*. VirusTotal detections stand at just 11/46**. Further analysis is pending."
* http://blog.dynamoo.com/2013/05/citibank-spam-statement-id-64775-4985doc.html

** https://www.virustotal.com/en/file/...32acd711fb6c706eabd1b9613e937e3e356/analysis/
File name: RECEIPT428-586.doc
Detection ratio: 18/43
Analysis date: 2013-05-14
___

Something evil on 94.242.198.16
- http://blog.dynamoo.com/2013/05/something-evil-on-9424219816.html
14 May 2013 - "I'm not entirely sure what this is, I think it's an injection attack leading to a malware server on 94.242.198.16 (Root SA, Luxembourg) which is using various stealth techniques to avoid detection. This is what I'm seeing.. code is getting injected into sites referring to [donotclick]fryzjer .me/hpoxqnj.php (report*) or [donotclick]stempelxpress .nl/vechoix.php (report**) which (if called in the correct way) tries to forward the victim to
[donotclick]ice.zoloni-kemis .info/lyxtp?ftqvixid=94764 or [donotclick]ice.zoloni-kemis .info/lifym?ftypyok=947645 hosted on 94.242.198.16.

VirusTotal reports this as a bad IP***, and out of several domains associated with this IP, almost all are red-flagged by Google for malware. The site contains several subdomains of the following domains.. I would recommend the following blocklist:
94.242.198.16
integrate-koleiko .com
integrate-koleiko .org
integrate-koleiko .net
muroi-uroi-loi .info
muroi-uroi-loi .org
muroi-uroi-loi .net
zoloni-kemis .info
..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=2455754

** http://urlquery.net/report.php?id=2455905

*** https://www.virustotal.com/en/ip-address/94.242.198.16/information/

- https://www.google.com/safebrowsing/diagnostic?site=AS:5577
"... over the past 90 days, 50 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-05-14, and the last time suspicious content was found was on 2013-05-14... Over the past 90 days, we found 30 site(s) on this network... that appeared to function as intermediaries for the infection of 131 other site(s)... We found 282 site(s)... that infected 4631 other site(s)..."
___

Malicious Dun and Bradstreet Compliant Spam
- http://threattrack.tumblr.com/post/50425045511/malicious-dun-and-bradstreet-compliant-spam
14 May 2013 - "Subjects Seen:
FW : Complaint - [removed]
Typical e-mail details:
Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by May 18, 2013. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
The Dun & Bradstreet develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
We encourage you to print this complaint (attached file), answer the questions and respond to us.
We look forward to your prompt attention to this matter.


Malicious URLs
mail.yaklasim .com:8080/forum/viewtopic.php
116.122.158.195 :8080/forum/viewtopic.php
hurricanestormsavings .com/ponyb/gate.php
hurricanestrengthsavings .com/ponyb/gate.php
62.233.104.156 /tHjefFt.exe


Screenshot: https://gs1.wac.edgecastcdn.net/801...b66835591/tumblr_inline_mmspwolB071qz4rgp.png

:fear: :mad:
Fake Free Media Player, Malicious FedEx SPAM...

FYI...

Fake ‘Free Media Player’ via rogue ‘Adobe Flash Player HD’ ad ...
- http://blog.webroot.com/2013/05/15/...ia-rogue-adobe-flash-player-hd-advertisement/
May 15, 2013 - "Our sensors just picked up a rogue advertisement served through the Yieldmanager ad network, which exposes users to fake Adobe Flash Player HD ads, ultimately dropping a copy of the potentially unwanted application (PUA)/adware, known as Somoto Better Installer...
Sample screenshot of the actual advertisement:
> https://webrootblog.files.wordpress.com/2013/05/fake_flash_player_hd_02_adware_somoto.png?w=869
... once users click, they’re presented with a rogue Free Media Player page, instead of an Adobe Flash Player HD themed page. Users who fall victim to the social engineering scam will end up installing multiple potentially unwanted applications... Landing domain:
hxxp ://www.softigloo .com – 78.138.105.151. Responding to the same IP is also the following typosquatted domain – hxxp ://down1oads .com...
Detection rate for the sampled malware:
MD5: 3ee49800cc3c2ce74fa63e6174c81dff * ... Somoto BetterInstaller; Adware.Somoto
MD5: b57cc4b5aecd69eb57063f4de914d4dd ** ... Somoto BetterInstaller; TROJ_GEN.F47V0429 ...
And initiates the following TCP connections:
78.138.97.8 :80
54.239.158.55 :80
78.138.127.129 :80
54.239.158.183 :80
54.239.158.247 :80
78.138.127.7 :80

The affiliate network participant that’s abusing the Yieldmanager ad network is currently earning revenue through Somoto’s BetterInstaller PPI (Pay-Per-Install) revenue sharing network..."
(More detail at the websense URL above.)
* https://www.virustotal.com/en/file/...e76bb6dd49289aa96d72217a/analysis/1368314633/
File name: VLCMediaPlayerSetup-9Kf76Wv.exe
Detection ratio: 8/46
Analysis date: 2013-05-11
** https://www.virustotal.com/en/file/...238f7c0b98c9e863061fc0ba/analysis/1368314918/
File name: 7ZipSetup-aVEkw5Y.exe
Detection ratio: 8/46
Analysis date: 2013-05-11

Removal Guide for Somoto.BetterInstaller
> http://forums.spybot.info/showthrea...nstaller&highlight=Somoto%92s+BetterInstaller
2013-05-08
___

Malicious FedEx SPAM delivers trojan ...
- http://www.hotforsecurity.com/blog/...gamarue-trojans-instead-of-packages-6173.html
May 15, 2013 - "A new wave of malicious FedEx spam delivers Trojans instead of packages, infecting users with malware when opening the attachments. In the last couple months, the Gamarue Trojan has spread intensely in the US, Australia, Croatia, Romania, Iran, the UK, Germany and Spain...
Screenshot1: http://www.hotforsecurity.com/wp-co...ers-gamarue-trojans-instead-of-packages-1.jpg
... To give credibility to the malicious payload, scammers added links to the authentic shipping company. Trojan.Gamarue silently installs itself on the system, sending sensitive information to the command and control center. The stolen data can then be used for identity theft and other cyber-criminal activities. Gamarue can also download and execute arbitrary files, performing updates without users noticing. The malicious software can also spread to removable drives, so users should be careful when managing important documents through USB devices...
Screenshot2: http://www.hotforsecurity.com/wp-co...ers-gamarue-trojans-instead-of-packages-2.png
FedEx is a common target for cyber-criminals, who only change the bait from time to time. Other excuses to ship malware include parcel delivery notifications. Scammers also request money in return for delivery of a package by posing as representatives of the shipping service. They also go so far as to create spoofed web sites to collect usernames, passwords, Social Security Numbers, credit card details and more..."
___

Fake Facebook SPAM / otophone .net
- http://blog.dynamoo.com/2013/05/facebook-spam-otophonenet.html
15 May 2013 - "This fake Facebook spam leads to malware on otophone .net:
Date: Tue, 14 May 2013 15:29:24 -0500 [05/14/13 16:29:24 EDT]
From: Facebook [notification+LTFS15RDTR @facebookmail .com]
Subject: Jonathan Rogers wants to be friends on Facebook
facebook
Jonathan Rogers wants to be friends with you on Facebook Facebook...
1083 friends · 497 photos · 2 notes · 1535 Wall posts
Confirm Friend Request
See All Requests
This message was sent to dynamoo @spamcop .net. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 417 P.O Box 10005 Palo Alto CA 96303


The link in the email goes through a legitimate hacked site and then ends up on a malware landing page at [donotclick]otophone .net/news/appreciate_trick_hanging.php (report here*) hosted on the following IPs:
36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)...
Blocklist:
36.224.16.74
108.5.125.134
198.61.147.58
..."
* http://urlquery.net/report.php?id=2474662
___

Something evil on 184.95.51.123
- http://blog.dynamoo.com/2013/05/something-evil-on-1849551123.html
15 May 2013 - "184.95.51.123 (Secured Servers LLC, US) appears to be trying to serve the Blackhole Exploit kit through an injection attack (for example). The payload appears to be 404ing when viewed in the automated tools I am using, but indications are that the malware on this site is still very much live. The domains on this server belong to a legitimate company, Lifestyle exterior Products, Inc. of Florida who are probably completely unaware of the issue.
The following domains are all flagged by Google as being malicious, and are all based on 184.95.51.123. I would recommend blocking the IP if you can..."
___

Malicious DocuSign Payroll Spam
- http://threattrack.tumblr.com/post/50498753152/malicious-docusign-payroll-spam
15 May 2013 - "Subjects Seen:
Completed: Please DocuSign this document : Payroll May 2013..pdf
Typical e-mail details:
Your document has been completed
Sent on behalf of [removed].
All parties have completed the envelope ‘Please DocuSign this document: Payroll April 2013..pdf’.
To view or print the document download the attachment .
(self-extracting archive, Adobe PDF)
This document contains information confidential and proprietary to [removed]


Malicious URLs


Screenshot: https://gs1.wac.edgecastcdn.net/801...7f707e11f/tumblr_inline_mmuhuxrAIV1qz4rgp.png
___

Fake ADP SPAM / outlookexpres .net
- http://blog.dynamoo.com/2013/05/adp-spam-outlookexpresnet.html
15 May 2013 - "This fake ADP spam leads to malware on outlookexpres .net:
Date: Wed, 15 May 2013 22:39:26 +0400
From: "donotreply @adp .com" [phrasingr6 @news.adpmail .org]
Subject: adp_subj
ADP Instant Warning
Report #: 55233
Respected ADP Client May, 15 2013
Your Processed Transaction Report(s) have been uploaded to the website:
Sign In here
Please see the following information:
• Please note that your bank account will be charged within 1 business banking day for the sum shown on the Statement(s).
• Please don't try to reply to this message. automative notification system not configured to accept incoming email. Please Contact your ADP Benefits Expert.
This email was sent to existing users in your company that access ADP Netsecure.
As every time, thank you for using ADP as your business affiliate!
Rep: 55233 [redacted]


The link in the spam email goes through a legitimate but hacked site and ends up on a malware landing page at [donotclick]outlookexpres .net/news/estimate_promising.php (report here*) hosted on the same IPs found in this attack:
36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
Blocklist:
36.224.16.74
108.5.125.134
198.61.147.58
..."
* http://urlquery.net/report.php?id=2479638
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Scanned Document Attachment E-mail Messages - 2013 May 15
Fake Product Order E-mail Messages - 2013 May 15
Fake Document Sharing Notification E-mail Messages - 2013 May 15
Fake Invoice Statement Attachment E-mail Messages - 2013 May 15
Malicious Attachment E-mail Messages - 2013 May 15
Fake Delta E-Ticket Attachment E-mail Messages - 2013 May 15
Fake Third Party Consumer Complaint Notification E-mail Messages - 2013 May 15
Fake Portuguese Invoice Notification E-mail Messages - 2013 May 15
Fake Photo Sharing E-mail Messages - 2013 May 15
Fake Product Order Request E-mail Messages - 2013 May 15
Fake Xerox Scan Attachment E-mail Messages - 2013 May 15
Malicious Attachment E-mail Messages - 2013 May 15
(More info and links at the cisco URL above.)

:fear::mad:
 
Fake Invoice, HMRC, Walmart, Wells Fargo, Citi bank SPAM...

FYI...

Fake "Invoice Copy" SPAM / invoice copy.zip
- http://blog.dynamoo.com/2013/05/invoice-copy-spam-invoice-copyzip.html
16 May 2013 - This fake invoice email contains a malicious attachment:
Date: Thu, 16 May 2013 00:27:41 -0500 [01:27:41 EDT]
From: Karen Parker [Kk.parker @tiffany .com]
Subject: invoice copy
Kindly open to see export License and payment invoice attached, meanwhile we sent the balance payment yesterday. Please confirm if it has settled in your account or you can call if there is any problem. Thanks Karen parker


The attachment is invoice copy.zip which in turn contains an executable invoice copy.exe which has an icon to make it look like a spreadsheet. VirusTotal results are a pretty poor 7/45* and indicate that this is a Zbot variant. The Comodo CAMAS report** indicates that the malware seems to be rummaging through address books and gives the following characteristics:
Size 331776
MD5 ebdcd7b8468f28932f235dc7e0cd8bcd
SHA1 a3d251b8f488ef1602e7016cb1f51ffe116d7917
SHA256 4b15971cf928a42d44afdf87a517d229e4aabbb5967cb9230a19592d2b939fe6
... The ThreatTrack report*** is nicely detailed and gives some details about network connections... As ever, blocking EXE-in-ZIP files at the perimeter is the best way to guard against this type of threat."
* https://www.virustotal.com/en/file/...967cb9230a19592d2b939fe6/analysis/1368687945/
File name: invoice copy.exe
Detection ratio: 7/45
Analysis date: 2013-05-16

** http://camas.comodo.com/cgi-bin/sub...fdf87a517d229e4aabbb5967cb9230a19592d2b939fe6

*** http://www.dynamoo.com/files/analysis_30635_ebdcd7b8468f28932f235dc7e0cd8bcd.pdf
___

Fake HMRC SPAM / VAT Returns Repot 517794350.doc
- http://blog.dynamoo.com/2013/05/hmrc-spam-vat-returns-repot-517794350doc.html
16 May 2013 - "This fake HMRC (UK tax authority) spam contains a malicious attachment:
From: noreply @hmrc .gov.uk [mailto:noreply @hmrc .gov.uk]
Sent: 16 May 2013 10:48
Subject: Successful Receipt of Online Submission for Reference 517794350
Thank you for sending your VAT Return online. The submission for reference 517794350 was successfully received on 2013-05-16 T10:45:27 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.
For the latest information on your VAT Return please open attached report.
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.


The attachment is VAT Returns Repot 517794350.doc which contains an exploit which is currently being analysed. It is likely to use the same vulnerability as this attack*. VirusTotal results are just 1/46**, so either this is something completely new or it is a corrupt sample. UPDATE: ThreatTrack reports*** that the malware sample appears to make contact with the following IPs which are all dynamic IP addresses, indicating perhaps a P2P version of Zeus:
..."
* http://blog.dynamoo.com/2013/05/bank-of-america-spam.html

** https://www.virustotal.com/en/file/...86fea66091171e5b4268cb25/analysis/1368697862/
File name: VAT Returns Repot 517794350.doc
Detection ratio: 1/46
Analysis date: 2013-05-16

*** http://www.dynamoo.com/files/analysis_30639_f49ba87bdcbb24ecf22f9b5b3a8c2a34.pdf
___

Fake Walmart SPAM / bestunallowable .com
- http://blog.dynamoo.com/2013/05/walmartcom-spam-bestunallowablecom.html
16 May 2013 - "This fake Walmart spam leads to malware on bestunallowable .com:
From: Wallmart.com [deviledm978 @news.wallmart .com]
Date: 16 May 2013 14:02
Subject: Thanks for your Walmart.com Order 3795695-976140
Walmart
Visit Walmartcom | Help | My Account | Track My Orders
[redacted]
Thanks for ordering from Walmart.com. We're currently processing your order.
Items in your order selected for shipping
• You'll receive another email, with tracking information, when your order ships.
• If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
Shipping Information
Ship to Home
Hannah Johnson
1961 12 Rd
Orange, NC 68025-3157
USA
---
Walmart.com Order Number: 3795695-976140
Ship to Home - Standard
Items Qty Arrival Date Price
Philips UN65EH9060 50" 1080p 60Hz Class LED (Internet Connected) 3D HDTV 1 Arrives by Tue., May 21
Eligible for Free Standard Shipping to Home. $898.00
Subtotal: $898.00
Shipping: Free
Tax: $62.86
See our Returns Policy or
contact Customer Service Walmart.com Total: $960.86
Order Summary
Order Date: 05/15/2013
Subtotal: $898.00
Shipping: Free
Tax: $62.86
Order Total: $960.86
Credit card: $960.86
Billing Information
Payment Method:
Credit card
If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,
Your Walmart.com Customer Service Team...
Rollbacks Sign Up for Email Savings and Updates
Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!
©Walmart.com USA, LLC, All Rights Reserved.


The link goes through a legitimate hacked site and ends up on a malware page at [donotclick]bestunallowable .com/news/ask-index.php (report here*) hosted on:
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
The WHOIS details are characteristic of the Amerika gang...
Blocklist (including nameservers):
..."
* http://urlquery.net/report.php?id=2494957
___

More Walmart SPAM / virgin-altantic .net
- http://blog.dynamoo.com/2013/05/walmartcom-spam-virgin-altanticnet.html
16 May 2013 - "Another -variant- of this spam* is doing the rounds, this time leading to a landing page on virgin-altantic .net:
From: Wallmart.com [mailto:sculptsu @complains .wallmartmail .com]
Sent: 16 May 2013 15:35
Subject: Thanks for your Walmart.com Order 3450995-348882 ...
---
Subtotal: $898.00
Shipping: Free
Tax: $62.86
See our Returns Policy or
contact Customer Service
Walmart.com Total: $960.86
Order Summary
Order Date: 05/15/2013
Subtotal: $898.00
Shipping: Free
Tax: $62.86
Order Total: $960.86
Credit card: $960.86
Billing Information
Payment Method:
Credit card
If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,
Your Walmart.com Customer Service Team...


The malicious payload is at [donotclick]virgin-altantic .net/news/ask-index.php (report here**). IP addresses are the same as in the other attack, although obviously if you are blocking by domain you should add virgin-altantic .net too."
* http://blog.dynamoo.com/2013/05/walmartcom-spam-bestunallowablecom.html

** http://urlquery.net/report.php?id=2496275
___

Fake Wells Fargo and Citi SPAM / SecureMessage.zip and Securedoc.zip
- http://blog.dynamoo.com/2013/05/wells-fargo-and-citi-spam.html
16 May 2013 - "This fake Wells Fargo message contains a malicious attachment:
Date: Thu, 16 May 2013 23:24:38 +0800 [11:24:38 EDT]
From: "Grover_Covington @wellsfargo .com" [Grover_Covington @wellsfargo .com]
Subject: New Secure Message
Wells Fargo
Help
To Read This Message:
Look for and open SecureMessage.zip (typically at the top or bottom; location varies by email service).
Secure Message
This message was sent to : [redacted]
Email Security Powered by Voltage IBE
Copyright 2013 Wells Fargo. All rights reserved


The attachment SecureMessage.zip contains a file SecureMessage.exe which has a SHA256 of 289bd82b66ed0c66f0e6a947cb61c928275c1053fa5d2b1119828217f61365ba and is only detected by 2/45 scanning engines at VirusTotal**.
The second version is a fake Citi spam with an attachment Securedoc.zip which contains Securedoc.exe. This is the same executable with the same SHA256, just a different name.
Date: Thu, 16 May 2013 10:16:27 -0500 [11:16:27 EDT]
From: "secure.email @citi .com" [secure.email @citi .com]
Subject: You have received a secure message
You have received a secure message
Read your secure message by opening the attachment, securedoc.html You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
First time users - will need to register after opening the attachment.
About Email Encryption - http ://www.citi .com/citi/citizen/privacy/email.htm


... the best analysis is this ThreatTrack report*... some IPs and domains worth blocking:
"
* http://www.dynamoo.com/files/analysis_30642_d5893c62d897d95a30c950cddcbdc604.pdf

** https://www.virustotal.com/en/file/...fa5d2b1119828217f61365ba/analysis/1368718128/
File name: SecureMessage.exe
Detection ratio: 2/45
Analysis date: 2013-05-16
___

Get Free Followers! on Instagram? Get Free Malware, Survey Scams Instead
- http://blog.trendmicro.com/trendlab...tagram-get-free-malware-survey-scams-instead/
May 16, 2013 - "The popular photosharing app Instagram is the latest social networking site targeted by the ubiquitous survey scams seen on Facebook and Twitter. This time, we found that these survey scams may also lead users to download an Android malware... these Instagram followers have repetitive account names like “Tawna Tawna” and “Concetta Concetta”... Given these suspicious signs, I then checked this “Get Free Followers” picture (which is actually clickable) and was led to this page that supposedly offers the “Get Followers” app. This app is detected by Trend Micro as ANDROIDOS_GCMBOT.A, which can be used to launch malicious webpages or send SMS from the device.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/05/instagram-survey-scam-4.jpg
Whether users download the said app or not (in my case, I tried to), in the end they are redirected to your run-of-the-mill survey scams. Since Instagram can also be accessed via a PC, we tried to access the malicious website and survey scam using a desktop. Fortunately, this ruse didn’t work. Cybercriminals profit from these survey scams via ad-tracking sites, which users are redirected to before the actual survey page. Plus, these bad guys can also use the data gathered from these scams by either peddling them to other cybercriminal groups or using them in their future schemes. Facebook, Pinterest, Tumblr, and now Instagram. The people behind these scams are jumping on every popular networking site and potential engineering hooks like the Google Glass contest. To protect yourself against this scam, you must always double-check posts on your social media accounts, even if they come from friends, family members, or known acquaintances. Caution is your best defense..."

:mad: :mad:
 
e-netprotections .su, Malicious Wells Fargo SPAM...

FYI...

e-netprotections .su ?
- https://isc.sans.edu/diary.html?storyid=15818
Last Updated: 2013-05-17 - "Like with .biz, I sometimes have the impression that .su and .cc could be sinkholed in their entirety, because the bad domains seem to vastly outnumber whatever (if any) good is running under these TLDs as well. Earlier today, ISC reader Michael contacted us with information that several PCs on his network had started to communicate with iestats .cc, emstats .su, ehistats .su, e-protections .su and a couple other domains. I was pretty sure that I had seen the latter domain on an earlier occasion in a malware outbreak, but I couldn't find it in our records... until I only searched for "e-protections", and found e-protections .cc. This domain had been implicated back in October 2012 in a malware spree that was linked to the nasty W32.Caphaw, a backdoor/information stealer... each infected box was apparently running a slightly different version of the EXE. Anti-Virus coverage is still thin (Virustotal*), but the Heuristics of some products seem to be catching on. This sample looks more like a ransomware trojan than Caphaw, but we'll know more once we analyze all the information gathered so far..."
Partial list of IPs involved:

* https://www.virustotal.com/en/file/...c0d4bf9dff503a991cbbc670cc673db9041/analysis/
File name: dwdsrtrt
Detection ratio: 4/46
Analysis date: 2013-05-16

- https://www.abuse.ch/?p=3581
___

Malicious Wells Fargo Secure Message Spam
- http://threattrack.tumblr.com/post/50597669027/malicious-wells-fargo-secure-message-spam
16 May 2013 - "Subjects Seen:
New Secure Message
Typical e-mail details:
View attachment for details
To Read This Message:
Look for and open SecureMessage.zip (typically at the top or bottom; location varies by email service).


Malicious URLs


Screenshot: https://gs1.wac.edgecastcdn.net/801...7ae80520d/tumblr_inline_mmwrmi4bl91qz4rgp.png
___

Malicious "Referral link" SPAM / rockingworldds .net and parishiltonnaked2013 .net
- http://blog.dynamoo.com/2013/05/referral-link-spam-rockingworlddsnet.html
17 May 2013 - "This spam comes from a hacked AOL email account and leads to malware on 62.76.190.11:
From: [AOL sender]
Sent: 17 May 2013 14:12
To: [redacted]
Subject: [AOL screen name]
Subject :RE ( 8 )
Sent: 5/17/2013 2:11:53 PM
referral link
http ://printcopy.co .za/elemqi.php?whvbcfm


The link goes through a legitimate -hacked- site and in this case ends up at [donotclick]rockingworldds .net/sword/in.cgi?6 (report here*) which either -redirects- to a weight loss spam site or alternatively a malware landing page at [donotclick]parishiltonnaked2013 .net/ngen/controlling/coupon_voucher.php (report here**) which appears to load the BlackHole Exploit Kit. Both these sites are hosted on 62.76.190.11 (Clodo-Cloud / IT House, Russia)... I have several IPs blocked in the 62.76.184.0/21 range, you may want to consider blocking the entire lot if you don't have any reason to send web traffic to Russia."
* http://urlquery.net/report.php?id=2512341

** http://urlquery.net/report.php?id=2512431
___

Fake Newegg .com SPAM / balckanweb .com
- http://blog.dynamoo.com/2013/05/neweggcom-spam-balckanwebcom.html
17 May 2013 - "This fake Newegg.com spam leads to malware:
Date: Fri, 17 May 2013 10:29:20 -0600 [12:29:20 EDT]
From: Newegg [info @newegg .com]
Subject: Newegg.com - Payment Charged
Priority: High Priority 1
Newegg logo
My Account My Account | Customer Services Customer Services
Twitter Twitter You Tube You Tube Facebook Facebook Myspace Myspace
click to browse e-Blast click to browse Shell Shocker click to browse Daily Deals
Computer Hardware PCs & Laptops Electronics Home Theater Cameras Software Gaming Cell Phones Home & Office MarketPlace Outlet More
Customer ID: [redacted]
Account Number: 23711731
Dear Customer,
Thank you for shopping at Newegg.com.
We are happy to inform you that your order (Sales Order Number: 97850177) has been successfully charged to your AMEX and order verification is now complete.
If you have any questions, please use our LiveChat function or visit our Contact Us Page.
Once You Know, You Newegg.
Your Newegg.com Customer Service Team
ONCE YOU KNOW, YOU NEWEGG.®
Policy and Agreement | Privacy Policy | Confidentiality Notice
Newegg.com, 9997 Rose Hills Road, Whittier, CA. 90601-1701 | © 2000-2013 Newegg Inc. All rights reserved.


Screenshot: https://lh3.ggpht.com/-Si0jHOHqviw/UZZqyHxGvPI/AAAAAAAABOY/5HZq7dloGwE/s1600/newegg.png

In the version I have the link doesn't work, but I believe that it goes to [donotclick]balckanweb .com/news/unpleasant-near_finally-events.php (report here*) hosted or having nameservers on the following IPs:
5.231.24.162 (GHOSTnet, Germany)
71.107.107.11 (Verizon, US)
108.5.125.134 (Verizon, US)
198.50.169.2 (OVH, Canada)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
209.59.223.119 (Endurance International Group, US)
The domains and IPs indicate that this is part of the "Amerika" spam run.
Blocklist (including nameservers):
..."
* http://urlquery.net/report.php?id=2504632

Also at: http://threattrack.tumblr.com/post/50671403152/malicious-newegg-order-spam
May 17, 2013
Screenshot: https://gs1.wac.edgecastcdn.net/801...906a63447/tumblr_inline_mmyl9yAwpg1qz4rgp.png
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Product Order Quotation Attachment E-mail Messages - 2013 May 17
Fake Product Order E-mail Messages - 2013 May 17
Fake Purchase Order E-mail Messages - 2013 May 17
Fake Account Compromise Notification E-mail Messages - 2013 May 17
Fake Scanned Document Attachment E-mail Messages - 2013 May 17
Fake Social Media User Notification E-mail Messages - 2013 May 17
Fake Facebook Security Software E-mail Messages - 2013 May 17
Fake Incoming Fax Message E-mail Messages - 2013 May 17
Fake Document Sharing E-mail Messages - 2013 May 17
Fake Italian Shared Document E-mail Messages - 2013 May 17
Fake Invoice Statement Attachment E-mail Messages - 2013 May 17
Fake Money Transfer Notification E-mail Messages - 2013 May 17
Fake Xerox Scan Attachment E-mail Messages - 2013 May 17
(More detail and links at the cisco URL above.)

:mad:
 
Something evil on 50.116.28.24 ...

FYI...

Something evil on 50.116.28.24
- http://blog.dynamoo.com/2013/05/something-evil-on-501162824.html
19 May 2013 - "50.116.28.24 (Linode, US) is hosting the callback servers for some Mac malware as mentioned here* and here** plus some other suspect sites. I would advise that you assume that -all- domains hosted on this IP are malicious..."
(More detail at the dynamoo URL above.)

* http://www.f-secure.com/weblog/archives/00002554.html

** http://forums.macrumors.com/showthread.php?t=1583233
___

Wells Fargo Credentials Phish
- http://threattrack.tumblr.com/post/50913877787/wells-fargo-credentials-phish
20 May 2013 - "Subjects Seen:
Account Update
Typical e-mail details:
In order to safeguard your account, we require that you confirm your details.
To help speed up this process, please access the following link so we can complete the verification of your Wells Fargo information details.
To get started, visit the link below:
Wells Fargo Online Confirmation


Malicious URLs
update.id5027-wellsfargo .com/index.php?id=586616


Screenshot: https://gs1.wac.edgecastcdn.net/801...a8f92e4a0/tumblr_inline_mn3umbkVzo1qz4rgp.png
___

Malicious Invoice Attachment Spam
- http://threattrack.tumblr.com/post/50914381181/malicious-invoice-attachment-spam
20 May 2013 - "Subjects Seen:
invoice copy
Typical e-mail details:
Kindly open to see export License and payment invoice attached,
meanwhile we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if
there is any problem.
Thanks
Karen parker


Spam contains malicious attachment.

Screenshot: https://gs1.wac.edgecastcdn.net/801...41a68aad0/tumblr_inline_mn3v14O1qo1qz4rgp.png
___

Chase Bank Credentials Phish
- http://threattrack.tumblr.com/post/50929274377/chase-bank-credentials-phish
20 May 2013 - "Subjects Seen:
Billing Code:[removed]
Typical e-mail details:
During regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information.
This might be due to either of the following reasons:
1. A recent change in your personal information ( i.e. change of address).
2. Submitting invalid information during the initial sign up process.
3. An inability to accurately verify your selected option of payment due to an internal error within our processors.
Click on the guide-link below and follow the directions or please call our Online Helpdesk.
Regards,
Chase Online
Billing Department
Thanks for your co-operation.


Malicious URLs
goodnickfitness .com.au/hnav.html
diamondtek .cl/diamondtek .cl/http/online.chaseonline1/com/logon.html


Screenshot: https://gs1.wac.edgecastcdn.net/801...0986fe381/tumblr_inline_mn45ob1itt1qz4rgp.png
___

Blackhole Spam Run evades detection using Punycode
- http://blog.trendmicro.com/trendlab...ole-spam-run-evades-detection-using-punycode/
May 20, 2013 - "... we have seen a slew of spam crafted as a notice from the popular retail chain Walmart. However, this spam run offers something different.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/05/BHEK-walmart.jpg
... some of the URLs lead to Cyrillic domain names. These domains were translated into the English alphabet through punycode. Punycode* is a way to convert Unicode characters into a smaller character set. URLs in punycode have to be decoded first in order to see their original format. The use of international domain names (IDNs) can pose additional security risks to users. Users can be redirected to a phishing page that appears to have the same URL as a legitimate site. IDNs also allow spammers to create more spam domains not limited to English characters. This can make blocking malicious sites more difficult. This technique is not new, but seeing punycode used in a BHEK email campaign is unusual. Users who click the links are redirected to several sites, until they are led to the site hosting malware (detected as TROJ_PIDIEF.SMXY), which exploits a vulnerability in Adobe Reader and Acrobat (CVE-2009-0924) to download and execute other malware onto the vulnerable system. This attempt at evading detection is not surprising, given how 2013 is shaping up to be the year of refining existing tools. In our 1Q 2013 Security Roundup, we already noticed how dated threats like Asprox and banking Trojans like CARBERP were returning to the scene with new and improved features. We can expect this trend to continue this year, though new threats can always appear anytime soon..."
* http://www.ietf.org/rfc/rfc3492.txt

:mad: :fear: :fear:
 
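The punycode/IDN evasion that the Trend Micro item above describes, from the blocking side, as an added example that is not Trend Micro's code: it decodes xn-- labels back to Unicode with Python's built-in idna codec, then flags hostnames that are IDN, that mix scripts inside one label, or that collapse to a plain-ASCII brand name once look-alike Cyrillic letters are mapped to Latin. The sample URLs and the small confusables table are constructed for this illustration (the table is a hand-picked subset, not the full Unicode confusables list), and the function names are this example's own.

```python
"""Decode punycode (IDNA) hostnames found in spam URLs and flag look-alike cases.
Added example; the sample URLs and the confusables table are constructed."""
import unicodedata
from urllib.parse import urlsplit

# A few Cyrillic letters whose glyphs are near-identical to Latin ones.
# A simplified stand-in for the full Unicode confusables (UTS #39) data.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
})


def decode_host(host: str) -> str:
    """Return the Unicode form of a hostname, decoding any xn-- labels.
    A malformed label is kept as-is so it still shows up in the output."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in label if ch.isalpha()}


def assess_host(host: str) -> dict:
    """Classify one hostname: was it IDN, does any label mix scripts, and does it
    read as an ASCII name once confusable letters are mapped to Latin?"""
    shown = decode_host(host)
    flags = []
    if shown != host.lower():
        flags.append("idn")
    if any(len(scripts_in(lbl)) > 1 for lbl in shown.split(".")):
        flags.append("mixed-script-label")
    skeleton = shown.translate(CONFUSABLES)
    if skeleton != shown and skeleton.isascii():
        flags.append("lookalike-of:" + skeleton)
    return {"host": host, "shown": shown, "flags": flags}


def triage_urls(urls):
    """Run assess_host over the hostname of every URL; URLs without a host are skipped."""
    results = []
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            results.append(assess_host(host))
    return results


# Constructed sample: a genuine ASCII host, a fully Cyrillic IDN (сайт.рф), and a
# homoglyph host built here from "w" + Cyrillic "а" + "lmart" (not a real campaign URL).
HOMOGLYPH_HOST = "w\u0430lmart.com".encode("idna").decode("ascii")
SAMPLE_URLS = [
    "http://help.walmart.com/app/answers",
    "http://xn--80aswg.xn--p1ai/news/ask-index.php",
    "http://" + HOMOGLYPH_HOST + "/order/3795695",
]

if __name__ == "__main__":
    for r in triage_urls(SAMPLE_URLS):
        print(f"{r['host']:32} -> {r['shown']:16} {r['flags']}")
```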
Fake NATO jobs SPAM, Delivery_Information ...

FYI...

Fake NATO jobs SPAM ...
- http://blog.webroot.com/2013/05/21/...-soliciting-email-campaign-impersonates-nato/
May 21, 2013 - "Want to join the North Atlantic Treaty Organization (NATO)?... you’d be involuntarily sharing your information with what looks like an intelligence gathering operation...
Sample screenshot of the -fake- NATO Employment Application Form:
> https://webrootblog.files.wordpress.com/2013/05/fake_nato_employment_application.png
A copy of the -fake- NATO Employment Application Form
> http://webrootblog.files.wordpress.com/2013/05/nato-employment-application-form.pdf
A copy of the -fake- NATO Interview Form
> http://webrootblog.files.wordpress.com/2013/05/nato-interview-form.pdf
... NATO impersonating domain name reconnaissance:
nspa-nato.int.tf – 188.40.117.12; 188.40.70.27; 188.40.70.29
Name server: ns1.idnscan .net
Name server: ns2.idnscan .net
usnato-hr.org – 208.91.198.24
Name Server: DNS1.SPIRITDOMAINS .COM
Name Server: DNS2.SPIRITDOMAINS .COM
... We know that on 2013-05-10 07:01:46 CET, responding to the same IP (188.40.117.12) was also the following Black Hole Exploit Kit redirecting URLs...
Always watch where you apply and be aware of offers which sound too good to be true."
(More detail at the webroot URL above.)
___

Fake Delivery_Information_ID-000512430489234.zip
- http://blog.dynamoo.com/2013/05/deliveryinformationid-000512430489234zip.html
21 May 2013 - "The file Delivery_Information_ID-000512430489234.zip is being promoted by a spam run (perhaps aimed at Italian users, although all the hosts are German)... best guess is that it is a fake package delivery report. So far I have identified three download locations for the malicious ZIP file:
[donotclick]www.interapptive .de/get/Delivery_Information_ID-000512453420234.zip
[donotclick]www.vankallen .de/get/Delivery_Information_ID-000512453420234.zip
[donotclick]www.haarfashion .de/get/Delivery_Information_ID-000512430489234.zip
The ZIP file decompresses to Delivery_Information_ID-000512453420234.Pdf_______________________________________________________________.exe (note all those underscores!) which has a VirusTotal detection rate of 23/47* and has the following checksums:
MD5: 791a8d50acfea465868dfe89cdadc1fc
SHA1: be67a7598c32caf3ccea0d6598ce54c361f86b0a
SHA256: 9ae8fe5ea3b46fe9467812cbb2612c995c21a351b44b08f155252a51b81095d7
The Anubis report is pretty inconclusive but ThreatTrack reports** [pdf] some peer-to-peer traffic and also some rummaging around the Windows Address Book (WAB)."
* https://www.virustotal.com/en/file/...b44b08f155252a51b81095d7/analysis/1369127051/
File name: Delivery_Information_ID-000512453420234.Pdf______________________...
Detection ratio: 23/47
Analysis date: 2013-05-21
** http://www.dynamoo.com/files/analysis_30721_791a8d50acfea465868dfe89cdadc1fc.pdf
___

Malicious eFax Corporate Spam
- http://threattrack.tumblr.com/post/50992552536/malicious-efax-corporate-spam
21 May 2013 - "Subjects Seen:
Corporate eFax message from [removed]
Typical e-mail details:
You have received a 3 fax at 2013-05-07 10:24:18 CST.
* The reference number for this fax is [removed].
Please visit efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport @mail.efax.com.
Thank you for using the eFax Corporate service!


Malicious URLs


Screenshot: https://gs1.wac.edgecastcdn.net/801...6b5dfe3a7/tumblr_inline_mn5mcsC2PH1qz4rgp.png
___

prospectdirect .org SPAM
- http://blog.dynamoo.com/2013/05/prospectdirectorg-spam.html
21 May 2013 - "Everything that this spammer says is a lie:
From: Emily Norton [emily.norton @prospectdirect .org]
To: [redacted]
Date: 21 May 2013 16:33
Subject: Cater to your email marketing needs
Signed by: prospectdirect .org
Hello,
I hope you don’t mind but I just wanted to contact you to discuss your email marketing strategy. If you don’t currently have one that is working for you then our client can help.
The company I am contacting you on behalf of have the dedicated knowledge and services to cater to your email marketing needs.
If you would like a quote please complete this form: http ://prospectdirect .org/email-marketing-strategy
Leave your details at the link above or reply with any requirements.
Kind Regards,
Emily Norton
75 Glandovey Terrace, Newquay, Cornwall TR8 4QD
Tel: 0843 289 4698
This email (including any attachments) is intended only for the recipient(s) named above. It may contain confidential or privileged information and should not be read, copied or otherwise used by any other person. If you are not the named recipient please contact the sender and delete the email from your system. If you would no longer like to receive emails from us please unsubscribe here http ://www.prospectdirect .org/landing/page.php?jq=[snip]


Firstly, the email was sent to a scraped address from the website of the Slimeware Corporation and isn't any sort of opted-in address at all. The address of "75 Glandovey Terrace, Newquay, Cornwall TR8 4QD" simply does -not- exist, and the telephone number of 0843 289 4698 appears to belong to a completely -unrelated- company. I very much doubt there is anybody called "Emily Norton" involved, and there is no company in the UK with the name "Prospect Direct". The website prospectdirect .org itself carefully hides any contact details, the WHOIS details are anonymous, the domain was created on 2012-07-19 and is hosted on 109.235.51.98 (Netrouting / Xeneurope , Netherlands). There are no contact details on the website and there is no identifying information at all. It hasn't just been omitted by accident; the whole thing has been left meticulously clean by a professional spamming outfit.
> https://lh3.ggpht.com/-t6eWqUjKl84/UZvEKHeSs4I/AAAAAAAABOo/XRPXQOIt8rg/s400/prospect-direct.png
I would recommend giving these spammers a wide berth given their catalogue of lies."

:mad: :mad:
 
Malicious ADP SPAM...

FYI...

Malicious ADP Spam
- http://threattrack.tumblr.com/post/51071699249/malicious-adp-invoice-spam
22 May 2013 - "Subjects Seen:
Invoice #[removed] - Remit file
Typical e-mail details:
Attached is the invoice (ADP_Invoice_[removed].zip) received from your bank.
Please print this label and fill in the requested information. Once you have filled out
all the information on the form please send it to payroll.invoices @adp .com.
For more details please see the attached file.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you ,
Automatic Data Processing, Inc...


Malicious URLs
116.122.158.195 :8080/ponyb/gate.php
mail.yaklasim .com:8080/ponyb/gate.php
10healthynails .com/ponyb/gate.php
advprintgraphics .com/ponyb/gate.php
50.63.222.182 /GGBG2H.exe

Malicious File Name and MD5:
ADP_Invoice_[removed].zip (638d32dc80678f17609fe21dF73c6f6d)
ADP_Invoice_[removed].exe (a8aab9bcd389348823b77b090fb0afcc)
uszyly.vxe (707423e64a6ab41d694a9e1d8e823d292)

Screenshot: https://gs1.wac.edgecastcdn.net/801...fdf754515/tumblr_inline_mn7fuoyMJg1qz4rgp.png
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Purchase Order E-mail Messages - 2013 May 22
Fake Xerox Scan Attachment E-mail Messages - 2013 May 22
Fake Product Order Quote Request E-mail Messages - 2013 May 22
Fake Document Sharing E-mail Messages - 2013 May 22
Fake Facebook Voice Comment E-mail Message - 2013 May 22
Fake DHL Order Tracking Notification E-mail Messages - 2013 May 22
Fake Product Order Quote Request E-mail Messages - 2013 May 22
Fake Check Return Notification E-mail Messages - 2013 May 22
Fake Picture Link E-mail Messages - 2013 May 22
Fake Money Transfer Notification E-mail Messages - 2013 May 22
Fake Invoice Statement Attachment E-mail Messages - 2013 May 22
Fake Product Order E-mail Messages - 2013 May 22
Fake Holiday Photo Sharing Request E-mail Messages - 2013 May 22
Fake Scanned Document Attachment E-mail Messages - 2013 May 22
Fake Payment Request Notification E-mail Messages - 2013 May 22
(More detail and links at the cisco URL above.)

:fear: :mad:
 
Spear-phish, Fake Invoice emails, Fake FBI Ransomware ...

FYI...

Spear-phish e-mails lead to APT
- https://atlas.arbor.net/briefs/index#-1950400672
Elevated Severity
May 22, 2013
Yet another targeted attack is dissected. Password theft was one of the motivating factors in the campaign.
Analysis: Well-crafted spear-phish e-mails were sent to the victim organizations. These spear phish included exploit code for patched vulnerabilities in Microsoft Office and also delivered bait files of interest to the target. In some cases, the bait files contain exploit code and in other cases they merely serve as a distraction. This is a tried-and-true method in wide use by cybercriminals and nation-state espionage actors. Once the malware is installed, credential theft applications can be used. The document provided by Trend includes various Indicators of Compromise (IOCs) that organizations can use to help detect if they have been or are currently a victim. Additionally, domains used for malicious purposes are sometimes re-used at a later time, so keeping an eye on DNS logs and HTTP activity can help spot a new campaign re-using older infrastructure.
Source: http://www.trendmicro.com/cloud-con...ce/white-papers/wp-safe-a-targeted-threat.pdf

- http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-a-new-apt-campaign/
"... The distribution method of this campaign involves spear-phishing emails that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158*)..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158 - 9.3 (HIGH) - MS12-027

- https://www.net-security.org/malware_news.php?id=2500
May 20, 2013 - "... Dubbed "Safe," the campaign has first been spotted in October 2012 and has so far resulted in nearly 12,000 unique IP addresses spread over more than 100 countries to be connected to two sets of command-and-control (C&C) infrastructures..."
___

Fake ‘Export License/Payment Invoice’ emails lead to malware
- http://blog.webroot.com/2013/05/23/fake-export-licensepayment-invoice-themed-emails-lead-to-malware/
May 23, 2013 - "... just intercepted yet another currently ongoing malicious spam campaign, enticing users into executing a fake Export License/Payment Invoice. Once gullible and socially engineered users do so, their PCs automatically join the botnet operated by the cybercriminals. More details:
Detection rate for the malicious executable: MD5: 4e7dc191117a6f30dd429cc619041552 * ... Trojan.Win32.Inject.foiq; Trojan.Zbot.
Once executed, the sample starts listening on port 28723...
It then phones back to the following C&C servers:

We’ve also seen the following C&C server IP (194.94.127.98) in previously profiled malicious campaigns... As well as 78.139.187.6 ... We’re aware of more MD5s that phoned back to the same IPs over the last couple of days..."
(More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/...44c9f35a7577a82373e202dc/analysis/1369151297/
File name: invoice copy.exe
Detection ratio: 33/47
Analysis date: 2013-05-21
___

Fake FBI Ransomware - spikes...
- http://blog.webroot.com/2013/05/23/recent-spike-in-fbi-ransomware-striking-worldwide/
May 23, 2013 - "Recently we have seen a spike of this ransomware in the wild as it appears as though its creators are not easily giving up. This infection takes your computer hostage and makes it look as though the authorities are after you, when in reality this is all just an elaborate attempt to make you -pay- to unblock your computer. Once infected, a warning similar to the one below* will take up your entire screen in such a way that you can’t get around it, thus effectively blocking you from accessing your files, programs or anything else on your computer. To further scare you into believing that you’ve been caught in illegal activity, your IP address, rough location, internet service provider, operating system and webcam image may be displayed.
* https://webrootblog.files.wordpress.com/2013/05/fbicyberdiv.png?w=869
To ensure maximum profits, the malware writers made sure that everyone understood their warning and payment instructions by localizing the infection around the world... there are variants of this infection that will encrypt your files so even after the infection is removed, documents, pictures and many other files on the hard drive will be inaccessible. Once the files are encrypted it can be very difficult or impossible to restore the original unencrypted versions. To avoid data loss, we strongly suggest periodically backing up your data...The infection executable may be located in the AppData, Temp, or User Profile directories and typically loads by adding itself to the Run keys or by modifying the Winlogon Shell entry. In some cases it may load using only a shortcut that’s placed in the Startup folder..."

:mad::fear::fear:
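The Webroot write-up above names the usual loaders for this lock-screen ransomware (the Run keys, the Winlogon Shell value, a Startup-folder shortcut) and where the executable tends to live (AppData, Temp, the user profile). The triage below turns those observations into a check over a registry dump; it is an added example, not Webroot's code, and the dump entries, paths and file names in it are constructed, with the registry key paths being the standard Windows locations.

```python
"""Triage Windows persistence entries for the lock-screen ransomware pattern:
the Run keys, the Winlogon Shell value and the Startup folder, loading an
executable from AppData, Temp or the user profile.  Added example; the
registry dump below is constructed, not taken from a real infection."""
import ntpath
import re
from typing import Iterable, List, Tuple

# Standard Windows autorun locations named in the write-up.
RUN_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}
WINLOGON_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
STARTUP_MARKER = r"\start menu\programs\startup"

# Directories the write-up lists as the usual home of the dropped executable.
USER_WRITABLE = re.compile(
    r"\\appdata\\|\\application data\\|\\temp\\|\\local settings\\"
    r"|^[a-z]:\\users\\|^[a-z]:\\documents and settings\\",
    re.IGNORECASE,
)

Entry = Tuple[str, str, str]     # (key or folder path, value or file name, data or target)
Finding = Tuple[str, str, str, str]  # (reason, location, name, executable)


def first_executable(command_line: str) -> str:
    """Return the program path from a Run/Shell value, quoted or not."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd|vbs|js|lnk))(?:\s|$)", s, re.IGNORECASE)
    return m.group(1) if m else s.split(" ")[0]


def triage_persistence(entries: Iterable[Entry]) -> List[Finding]:
    """Flag Winlogon Shell changes and autoruns from user-writable paths.

    Registry values arrive as (key, name, data); Startup-folder shortcuts as
    (folder path, link name, resolved target).  On a live host the tuples would
    come from `reg query` or winreg; here they are passed in so the check runs
    offline.
    """
    findings: List[Finding] = []
    for location, name, data in entries:
        if location.lower() == WINLOGON_KEY.lower() and name.lower() == "shell":
            # The only legitimate Shell is the bare explorer.exe.  Ransomware
            # appends (or substitutes) its own binary so the lock screen loads
            # before the desktop, which is what makes the warning inescapable.
            extra = [p.strip() for p in data.split(",")
                     if p.strip() and ntpath.basename(first_executable(p)).lower() != "explorer.exe"]
            if extra:
                findings.append(("winlogon shell altered", location, name, first_executable(extra[0])))
        elif location in RUN_KEYS or STARTUP_MARKER in location.lower():
            exe = first_executable(data)
            if USER_WRITABLE.search(exe):
                findings.append(("autorun from user-writable directory", location, name, exe))
    return findings


# Constructed dump: one benign Run entry, one suspect Run entry, a tampered
# Shell value, a Startup-folder shortcut into Temp and an untouched Userinit.
SAMPLE_DUMP: List[Entry] = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "wdsvc",
     r"C:\Users\victim\AppData\Roaming\wdsvc\wdsvc.exe"),
    (WINLOGON_KEY, "Shell",
     r"explorer.exe,C:\Users\victim\AppData\Local\Temp\hgfd.exe"),
    (r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
     "report.lnk", r"C:\Users\victim\AppData\Local\Temp\hgfd.exe"),
    (WINLOGON_KEY, "Userinit", r"C:\Windows\system32\userinit.exe,"),
]

if __name__ == "__main__":
    for reason, location, name, exe in triage_persistence(SAMPLE_DUMP):
        print(f"{reason}: {location}\\{name} -> {exe}")
```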
 
Malicious UPS SPAM, BoA phish...

FYI...

Malicious UPS Spam
- http://threattrack.tumblr.com/post/51223546153/malicious-ups-spam
24 May 2013 - "Subjects Seen:
UPS - Your package is available for pickup ( Parcel [removed] )
Typical e-mail details:
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.


Malicious URLs
116.122.158.195 :8080/ponyb/gate.php
50.63.222.182 /GGBG2H.exe

Malicious File Name and MD5:
UPS_Label_[removed].zip (667cf9590337d47f8c23053a8b2480a1)
UPS_Label_[removed].exe (1ef1438e2f2273ddbaf543dcdbaea5b1)
73036718.exe (c7e0c3d8b14e8755d32e27051d0e6477)

ThreatAnalyzer Report: http://db.tt/gTlNJnGy

Screenshot: https://gs1.wac.edgecastcdn.net/801...76d46d4da/tumblr_inline_mnb1xneaHb1qz4rgp.png
___

Bank of America Credentials Phish
- http://threattrack.tumblr.com/post/51224876478/bank-of-america-credentials-phish
24 May 2013 - "Subjects Seen:
Bank of America alert: Your account has been locked
Typical e-mail details:
There are a number of invalid login attempts on your account. We had to believe that, there might be some security problems on your account. So we have decided to put an extra verification process to ensure your identity and your account security.
Please click here to continue the verification process and ensure your account security.


Malicious URLs
radiojetaislame .com/images/safe5


Screenshot: https://gs1.wac.edgecastcdn.net/801...c546941c6/tumblr_inline_mnb3bo7cwo1qz4rgp.png
___

Fake Chase "Incoming Wire Transfer" SPAM / incoming_wire_05242013.zip
- http://blog.dynamoo.com/2013/05/chase-incoming-wire-transfer-spam.html
24 May 2013 - "This fake Chase "Incoming Wire Transfer" email has a malicious attachment...
Date: Fri, 24 May 2013 09:18:23 -0500 [10:18:23 EDT]
From: Chase [Chase @emailinfo.chase .com]
Subject: Incoming Wire Transfer
Note: This is a service message with information related to your Chase account(s)...


Screenshot: https://lh3.ggpht.com/-ofvJxQkPoeA/UZ97fjaJ3pI/AAAAAAAABPM/dVBJcBLjNbI/s1600/chase.png

The attachment incoming_wire_05242013.zip contains an executable incoming_wire_05242013.exe with a detection rate of 9/47 at VirusTotal*. The ThreatTrack report** [pdf] and ThreatExpert report*** show various characteristics of this malware, in particular a callback to the following IPs and domains:
116.122.158.195
188.93.230.115
199.168.184.197
talentos.clicken1 .com

Checksums are as follows:
MD5 f9182e5f13271cefc2695baa11926fab
SHA1 b3cff6332f2773cecb2f5037937bb89c6125ec15
SHA256 0a23cdcba850056f8425db0f8ad73dca7c39143cdafc61c901c8c3428f312f2d
* https://www.virustotal.com/en/file/...dafc61c901c8c3428f312f2d/analysis/1369405971/
File name: incoming_wire_05242013.exe
Detection ratio: 9/47
Analysis date: 2013-05-24

** http://www.dynamoo.com/files/analysis_30795_f9182e5f13271cefc2695baa11926fab.pdf

*** http://www.threatexpert.com/report.aspx?md5=f9182e5f13271cefc2695baa11926fab
___

Compromised Indian gov't Web site leads to BlackHole Exploit Kit
- http://blog.webroot.com/2013/05/24/...ent-web-site-leads-to-black-hole-exploit-kit/
May 24, 2013 - "Our sensors recently picked up a Web site infection, affecting the Web site of the Ministry of Micro And Medium Enterprises (MSME DI Jaipur). And although the Black Hole Exploit Kit serving URL is currently not accepting any connections, it’s known to have been used in previous client-side exploit serving campaigns...
Sample screenshot of the affected Web site:
> https://webrootblog.files.wordpress...ked_compromised_black_hole_exploit_kit_01.png
Sample compromised URLs:
hxxp ://sisijaipur .gov.in/cluster_developement.html
hxxp ://msmedijaipur .gov.in/cluster_developement.html
Detection rate for the malicious script: MD5: 44a8c0b8d281f17b7218a0fe09840ce9 * ... Trojan:JS/BlacoleRef.W; Trojan-Downloader.JS.Iframe.czf.
Malicious domain names/redirectors reconnaissance:
888-move-stuff .com – 50.63.202.21 – Email: van2move @yahoo .com
888movestuff .com – 208.109.181.190 – Email: van2move @yahoo .com
jobbelts .com (redirector/C&C) – 98.124.198.1 – Email: aanelli @yahoo .com
More malicious domains are known to have been responding to the same IP in the past (98.124.198.1)... MD5s are also known to have phoned back to the same (redirector/C&C) IP in the past... phoning back to vnclimitedrun .in:443 (199.59.166.86). In 2012, the same IP was also seen in a malvertising campaign..."
* https://www.virustotal.com/en/file/...c5ae435fbd2a9095c2adae20/analysis/1369337259/
File name: Indian.html
Detection ratio: 24/47
Analysis date: 2013-05-23

:mad: :fear:
 
Fake Citibank SPAM ...

FYI...

Fake Citibank SPAM / Statement 57-27-05-2013.zip
- http://blog.dynamoo.com/2013/05/citibank-spam-statement-57-27-05-2013zip.html
27 May 2013 - "This fake Citibank email has a malicious attachment:
Date: Mon, 27 May 2013 23:25:06 +0530 [13:55:06 EDT]
From: Millard Hinton [leftoverss75 @gmail .com]
Subject: Merchant Statement
Enclosed (xlsx|Exel file|document|file) is your Citibank Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech.
Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly...


The attachment Statement 57-27-05-2013.zip contains a malicious executable Statement 57-27-05-2013.exe with a VirusTotal result of 12/46*. The Comodo CAMAS report and Anubis report are pretty inconclusive. The ThreatTrack report** [pdf] is more comprehensive, reporting some peer-to-peer traffic and accessing of the WAB. Simseer's prognosis*** is that this is a Zbot variant. For the record, these are the checksums involved:
MD5 0bbf809dc46ed5d6c9f1774b13521e72
SHA1 9a50fa08e71711d26d86f34d8179f87757a88fa8
SHA256 00b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400
* https://www.virustotal.com/en/file/...7f3a787245d077ae0d106400/analysis/1369679734/
File name: Statement 57-27-05-2013.exe
Detection ratio: 12/47
Analysis date: 2013-05-27
** http://www.dynamoo.com/files/analysis_30823_0bbf809dc46ed5d6c9f1774b13521e72.pdf

*** http://www.simseer.com/webservices/...report.php?h=0bbf809dc46ed5d6c9f1774b13521e72

:fear::mad:
 
Something evil - malware, fab .com SPAM, Malicious Flash updates ...

FYI...

Something evil on 158.255.212.96 and 158.255.212.97
- http://blog.dynamoo.com/2013/05/something-bit-evil-on-15825521296-and.html
28 May 2013 - "The IPs 158.255.212.96 and 158.255.212.97 (EDIS GmbH, Austria) are hosting malware used in injection attacks (see this example* for fussball-gsv .de). These two** examples*** report a TDS URL pattern which is resistant to automated analysis. The domains appear to be part of a traffic exchanger system (never a good idea), but they have been used to distribute malware... In the cases where no malware has been reported it may well be because Google hasn't visited the site. The domains all have anonymous WHOIS details and have been registered in the past year or so... I can identify a couple more IPs in this cluster, and I would advise you to treat all the domains here as suspect and add them to your blocklist:
158.255.212.96
158.255.212.97
193.102.11.3
205.178.182.1
..."
(More detail at the dynamoo URL above.)
* http://urlquery.net/report.php?id=2705726

** http://urlquery.net/report.php?id=2705607

*** http://urlquery.net/report.php?id=2515019
___

fab .com SPAM
[Via the WeAreSpammers blog]
- http://blog.dynamoo.com/2013/05/fabcom-spam.html
28 May 2013 - "I've never heard of fab .com before, but online comments are very negative*. Originating IP is 65.39.215.63 (Sailthru / Peer 1, US) spamvertising mailer.eu.fab .com on 63.251.23.249 (Insight Express LLC, US) which in turn leads to the main site of fab .com on 184.73.196.153 (Amazon .com, US). Avoid."
From: Fab [info@eu.fab .com]
To: donotemail @wearespammers .com
Date: 27 May 2013 17:26
Subject: Invite from jenotsxx @gmail .com to Fab
Mailing list: tm.3775.3198a5cdc7466d097e36916b482cde87.sailthru .com
Signed by: eu.fab .com
* https://www.google.co.uk/search?&q="fab.com"+spam
___

BANKER Malware hosted in compromised Brazilian gov't sites
- http://blog.trendmicro.com/trendlab...ed-in-compromised-brazilian-government-sites/
28 May 2013 - "Two Brazilian government websites have been compromised and used to serve malware since April 24. We spotted a total of 11 unique malware files being distributed from these sites, with filenames that usually include “update”, “upgrade”, “Adobe”, “FlashPlayer” or combinations thereof. Besides the different filenames, these samples also have different domains where they can connect to download other malicious files, as well as varying command-and-control (C&C) servers... 90% of the affected customers are from Brazil. Other affected countries include the United States and Angola.
> http://blog.trendmicro.com/trendlab...e/files/2013/05/BANKER_malware_percountry.jpg
The general behavior of these malicious files (detected as TROJ_BANDROP.ZIP) is similar. They drop two files: one executable file (detected as TSPY_BANKER.ZIP) and a supposed GIF file (detected as JAVA_BANKER.ZIP) file in the system’s temporary folder. The executable file modifies the Windows registry to lower system’s security settings, and ultimately loads the .GIF file. The “GIF file” is actually a Java file, loaded using the javaw.exe executable, which is part of the Java Runtime Environment. JAVA_BANKER.ZIP contains commands that can download and execute files from several pre-configured URLs. The downloaded files are then saved as %User Profile%\update.gif (also detected as JAVA_BANKER.ZIP) and executed. These JAR files use several open source libraries such as Java Secure Channel (JSch) and Java Native Access (JNA). These libraries can be used for network operations, in particular connecting to an SSH server, port forwarding, file transfers among others. The final payload of JAVA_BANKER.ZIP is a .JAR file, which elevates the affected user’s administrator right. Given that the attacker has taken control of the system, modifying the victim’s admin rights enables him to modify the normal system file termsvr.dll. This .DLL is mainly used for remote desktop sessions. The malware will replace this file with %Temp%\update.gif... Compromising and using government sites to deliver malware is not an unusual practice. Earlier this month, a website of the US Department of Labor was compromised to serve a zero-day Internet Explorer exploit. This tactic provides a certain social engineering leverage, as government-related sites are usually deemed safe and secure. But as this incident clearly shows, there is no sacred cow when it comes to cybercrime. Everyone is fair game..."

:mad: :fear:
 
Ruby on Rails attack, Fake Citibank emails serve malware...

FYI...

Ruby on Rails attack installs bot ...
- http://h-online.com/-1872588
29 May 2013 - "Over the past few days, criminals have increasingly attempted to compromise servers via a security hole in the Ruby on Rails (RoR) web application framework. Successful intruders install a bot that waits for further instructions on an IRC channel. On his blog*, security expert Jeff Jarmoc reports that the criminals are trying to exploit one of the vulnerabilities described by CVE-2013-0156**. Although the holes were closed back in January, more than enough servers on the net are probably still running an obsolete version of Ruby... The bot appears in the process list as "– bash". When launched, it also creates a file called /tmp/tan.pid to ensure that only one instance of the bot will be executed. Those who run a server with Ruby on Rails should always make sure to have the current RoR version installed. The current versions of Ruby on Rails are 3.2.13, 3.1.12 and 2.3.18."
* http://jarmoc.com/blog/2013/05/28/ror-cve-2013-0156-in-the-wild/
"... Exploit activity is reportedly sourcing from * 88.198.20.247 * 95.138.186.181 * 188.190.126.105..."

** https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0156 - 7.5 (HIGH)

*** http://rubyonrails.org/download

- http://weblog.rubyonrails.org/releases/

- http://atlas.arbor.net/briefs/index#-789014484
Elevated Severity
May 30, 2013 - "... Monitoring for outbound connections to IRC ports on cvv4you .ru, 188.190.124.120, 188.190.124.81 is recommended to find compromised systems that may still be at risk..."
___

Fake Citibank emails serve malware ...
- http://blog.webroot.com/2013/05/29/...illing-statement-themed-emails-serve-malware/
May 29, 2013 - "Over the past week, the cybercriminals behind the recently profiled ‘Citibank Merchant Billing Statement‘ themed campaign, resumed operations, and launched yet another massive spam campaign impersonating Citibank, in an attempt to trick its customers into executing the malicious attachment found in the fake emails...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress...tibank_merchant_billing_statement_malware.png
Detection rate for the malicious executable – MD5: 0bbf809dc46ed5d6c9f1774b13521e72 * ... Trojan-Spy.Win32.Zbot.lvpo.
Once executed, the sample starts listening on port 12674. It then drops the following MD5s on the affected hosts:
MD5: 6044cc337b5dbf82f8746251a13f0bb2
MD5: d20d915dbdcb0cca634810744b668c70
MD5: 758498d6b275e58e3c83494ad6080ac2 ...
It then phones back to the following C&C servers:
..."
(More details at the webroot URL above.)
* https://www.virustotal.com/en/file/...112d488acb37f3a787245d077ae0d106400/analysis/
File name: Statement 57-27-05-2013.exe
Detection ratio: 32/47
Analysis date: 2013-05-29
___

University of Illinois CS department compromised
- http://blog.dynamoo.com/2013/05/university-of-illinois-cs-department.html
29 May 2013 - "There's a bunch of malware sites infesting University of Illinois CS department machines in the 128.174.240.0/24 range, mostly pointed out in this post. Compromised machines are tarrazu.cs.uiuc .edu, croft.cs.illinois .edu, tsvi-pc.cs.uiuc .edu, mirco.cs.uiuc .edu, ytu-laptop.cs.uiuc .edu, node3-3105.cs.uiuc .edu and they are on the following IPs with the following malicious domains (I would recommend blocking the whole /24):
128.174.240.37 ...
128.174.240.52 ...
128.174.240.53 ...
128.174.240.74 ...
128.174.240.153 ...
128.174.240.213
..."

(More domains listed at the dynamoo URL above.)

Update: the University says that this was a single machine on the network which has now been cleaned up.
___

Malware sites to block 29/5/13
- http://blog.dynamoo.com/2013/05/malware-sites-to-block-29513.html
29 May 2013 - "These domains and IP addresses are connected to this malware spam run* and belong to a group I call the "Amerika" gang (because they tend to use fake US addresses for their WHOIS details but really seem to be Russian). It's quite a long set of lists: first there is a list of malware domains, then a list of malicious IPs and their web hosts, followed by a plain recommended blocklist of IPs for copy-and-pasting... You might notice something odd going on at the University of Illinois in the 128.174.240.0/24 range. Hmm...
Recommended IP blocklist:
..."
(More detail at the dynamoo URL above.)
* http://blog.dynamoo.com/2013/05/amazoncom-spam-federal-credit-unioncom.html
___

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Scanned Document Attachment E-mail Messages - 2013 May 29
Malicious Personal Pictures Attachment E-mail Messages - 2013 May 29
Fake Electronic Payment Cancellation E-mail Messages - 2013 May 29
Fake Invoice Statement Attachment E-mail Messages - 2013 May 29
Fake Sample Product Offering E-mail Messages - 2013 May 29
Fake Bank Account Statement E-mail Messages - 2013 May 29
Fake Order Invoice Notification E-mail Messages - 2013 May 29
Fake Billing Statement E-mail Messages - 2013 May 29
Fake Credit Card Fraud Alert E-mail Messages - 2013 May 29
Fake Bank Deposit Notification E-mail Messages - 2013 May 29
Fake Payment Transfer Notification E-mail Messages - 2013 May 29
Fake Purchase Order Request E-mail Messages - 2013 May 29
Fake Product Quote Inquiry E-mail Messages - 2013 May 29
(Links with more detail available at the cisco URL above.)

:fear::fear: :mad:
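The h-online report on the Ruby on Rails attack earlier in this post gives two host artefacts for the bot: it shows in the process list as "– bash" and it writes /tmp/tan.pid to keep a single instance running. The check below uses both; it is an added example, not code from h-online or Jeff Jarmoc's blog, the ps listing in it is constructed, and parse_ps assumes the column order of `ps -eo pid,ppid,user,args`.

```python
"""Host check for the IRC bot dropped via CVE-2013-0156, using the two
artefacts the report gives: the process is listed as "– bash" and a lock file
/tmp/tan.pid enforces a single instance.  Added example; the ps output below is
constructed and assumes the column order of `ps -eo pid,ppid,user,args`."""
import os
import re
import unicodedata
from typing import List, Optional, Tuple

PID_FILE = "/tmp/tan.pid"

# "<token> bash": a login shell is "-bash" (hyphen glued to the name) and an
# interactive one is plain "bash"; the bot separates its dash from "bash" with a
# space and, in the report, uses an en dash.  Capture the token and inspect it.
_DASH_THEN_BASH = re.compile(r"^\s*(\S+)\s+bash\s*$")


def is_masquerading_bash(args: str) -> bool:
    """True when args is a dash-like token, a space, then 'bash'."""
    m = _DASH_THEN_BASH.match(args)
    if not m:
        return False
    # Unicode category Pd covers '-', en/em dashes and other dash lookalikes.
    return all(unicodedata.category(ch) == "Pd" for ch in m.group(1))


def parse_ps(output: str) -> List[Tuple[int, int, str, str]]:
    """Turn `ps -eo pid,ppid,user,args` text into (pid, ppid, user, args) rows."""
    rows = []
    for line in output.splitlines()[1:]:  # first line is the header
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit():
            rows.append((int(parts[0]), int(parts[1]), parts[2], parts[3]))
    return rows


def suspicious_processes(ps_output: str) -> List[Tuple[int, int, str, str]]:
    """Rows whose command line matches the bot's process name."""
    return [row for row in parse_ps(ps_output) if is_masquerading_bash(row[3])]


def pid_file_status(path: str = PID_FILE) -> Tuple[bool, Optional[int], bool]:
    """(file exists, pid it holds, that pid is running) for the bot's lock file."""
    if not os.path.exists(path):
        return (False, None, False)
    try:
        with open(path, encoding="ascii", errors="ignore") as fh:
            pid = int(fh.read().strip())
    except (OSError, ValueError):
        return (True, None, False)
    try:
        os.kill(pid, 0)          # signal 0 only tests for existence
        alive = True
    except ProcessLookupError:
        alive = False
    except PermissionError:      # exists, owned by someone else
        alive = True
    return (True, pid, alive)


# Constructed listing: a login shell, a plain shell, the Rails server and, as
# its child, the bot hiding behind an en dash.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
 2301  2299 deploy   -bash
 2410     1 deploy   bash
 2455  2453 www-data /usr/bin/ruby script/rails server -p 3000
 2512  2455 www-data \u2013 bash
 2601  2599 root     -bash -c /usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    for pid, ppid, user, args in suspicious_processes(SAMPLE_PS):
        print(f"suspect pid {pid} (parent {ppid}, user {user}): {args!r}")
    print("lock file:", pid_file_status())
```

A process that passes is_masquerading_bash and a live pid in /tmp/tan.pid together are a strong signal; either alone warrants a look at the Rails version on the host.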
 
Fake ADP Funding Notification, Ironport Threat Outbreak Alerts ...

FYI...

Fake ADP Funding Notification - Debit Draft
- http://threattrack.tumblr.com/post/51739676575/adp-funding-notification-debit-draft
May 30, 2013 - "Subjects Seen:
ADP Funding Notification - Debit Draft
ADP Invoice Reminder

Typical e-mail details:
Your Transaction Report(s) have been uploaded to the web site:
https :/ /www.flexdirect. adp .com/client/login.aspx
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
Thank You,
ADP Benefit Services


Malicious URLs
www .primolevi .gov.it/andromeda/index.html
annbrauner .com/yeltsin/index.html
www. omegaservice .it/ulcerate/index.html
www. sweethomesorrento .it/unwell/index.html
www. italtrike .tv/tomboys/index.html
kalimat.egyta .com/swearer/titan.js
www. asitecsrl .com/servicemen/ethic.js
www. mbbd .it/dzerzhinsky/bewilders.js
4rentcoloradosprings .com/news/cross_destroy-sets-separate.php


Screenshot: https://gs1.wac.edgecastcdn.net/801...dd8c59d82/tumblr_inline_mnmkcb1bxv1qz4rgp.png
___

Fake ADP SPAM / 4rentconnecticut .com and 174.140.171.233
- http://blog.dynamoo.com/2013/05/adp-spam-4rentconnecticutcom-and.html
30 May 2013 - "These fake ADP spams lead to malware on 4rentconnecticut .com:
Date: Thu, 30 May 2013 12:41:28 -0500 [13:41:28 EDT]
From: "ADPClientServices @adp .com" [ADPClientServices @adp .com]
Subject: ADP Funding Notification - Debit Draft
Your Transaction Report(s) have been uploaded to the web site:
https ://www.flexdirect .adp.com/client/login.aspx
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
Thank You,
ADP Benefit Services
====================
Date: Thu, 30 May 2013 08:45:16 -0800 [12:45:16 EDT]
From: ADP Inc [ADP_FSA_Services @ADP .com]
Subject: ADP Invoice Reminder
Your latest ADP Dealer Services Invoice is now available to view or pay online at ADP Online Invoice Management .
To protect the security of your data, you will need to enter your ID and password, then click on Access your Online Invoice Management account.
Total amount due by May 31, 2013
$26062.29
If you have already sent your payment please disregard this friendly reminder and Thank you for choosing ADP.
Questions about your bill?
Contact David Nieto by Secure Mail.
Note: This is an automated email. Please do not reply.


The link in the email goes to a legitimate -hacked- site and then tries to load three different scripts, currently:
[donotclick]kalimat.egyta .com/swearer/titan.js
[donotclick]www.asitecsrl .com/servicemen/ethic.js
[donotclick]www.mbbd .it/dzerzhinsky/bewilders.js
From there the victim is directed to the main malware landing page at [donotclick]4rentconnecticut .com/news/cross_destroy-sets-separate.php on 174.140.171.233 (DirectSpace LLC, US). A look at URLquery shows many suspect URLs on this server* and VirusTotal also reports several malicious URLs**. It appears that every single domain on this server has been compromised. Blocking the IP address is the easiest way to mitigate against this problem..."
* http://urlquery.net/search.php?q=174.140.171.233&type=string&start=2013-05-15&end=2013-05-30&max=50
** https://www.virustotal.com/en/ip-address/174.140.171.233/information/
___

Fake NewEgg .com SPAM / 174.140.171.233
- http://blog.dynamoo.com/2013/05/neweggcom-spam-174140171233.html
30 May 2013 - "This fake NewEgg.com spam leads to malware on 174.140.171.233:
Date: Thu, 30 May 2013 16:06:12 +0000 [12:06:12 EDT]
From: Newegg [info @newegg .com]
Subject: Newegg.com - Payment Charged...


Screenshot: https://lh3.ggpht.com/-m_EUbjfZItE/Uae8YrA4CZI/AAAAAAAABPs/iNxxtEdGGnc/s1600/newegg2.png

The malicious payload is any one of a number of domains hosted on 174.140.171.233 which is also being used in this attack*. Blocking the IP is the easiest way to protect against the malicious sites hosted on that server."
* http://blog.dynamoo.com/2013/05/adp-spam-4rentconnecticutcom-and.html
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Bank Report Summary E-mail Messages - 2013 May 30
Fake Scanned Document Attachment E-mail Messages - 2013 May 30
Fake Contract Document Information E-mail Messages - 2013 May 30
Fake Product Supply Quote E-mail Messages - 2013 May 30
Fake Electronic Payment Cancellation E-mail Messages - 2013 May 30
Malicious Attachment E-mail Messages - 2013 May 30
Fake Business Complaint Notification E-mail Messages - 2013 May 30
Fake Payroll Report E-mail Messages - 2013 May 30
Fake Product Supply Request E-mail Messages - 2013 May 30
(Links and more detail at the cisco URL above.)

:fear::fear:
Fake Vodafone SPAM, Medfos sites to block...

FYI...

Fake Vodafone SPAM serving malware in the wild ...
- http://blog.webroot.com/2013/05/31/...erving-spam-campaign-circulating-in-the-wild/
May 31, 2013 - "We have just intercepted yet another spamvertised malware serving campaign, this time impersonating Vodafone U.K., in an attempt to trick the company’s customers into thinking that they’ve received an image. In reality, once users execute the malicious attachments, their PCs automatically join the botnet operated by the cybercriminal...
Detection rate for the malicious executable – MD5: 4e148480749937acef8a7d9bc0b3c8b5 * ... VirTool:Win32/Obfuscator.ACP; Backdoor.Win32.Androm.sed.
Once executed, the sample creates an Alternate Data Stream (ADS) –
C:\Documents and Settings\User\Application Data\dbgbshes\habeegeg.exe:Zone.Identifier, as well as installs itself at Windows startup.
It then creates the following files on the affected hosts:
C:\Documents and Settings\User\Application Data\dbgbshes\habeegeg.exe
C:\DOCUME~1\User\LOCALS~1\Temp\IMG.JPEG.exe
C:\WINDOWS\Registration\R000000000007.clb
C:\WINDOWS\system32\wbem\wbemdisp.TLB ...
It then phones back to the following C&C server:
hxxp ://85.143.166.158 /fexco/com/index.php ..."
* https://www.virustotal.com/en/file/...a093b159c55b24d1b9963cf7187e9338678/analysis/
File name: IMG 9857648740.JPEG.exe
Detection ratio: 29/47
Analysis date: 2013-05-29

- http://centralops.net/co/DomainDossier.aspx
85.143.166.158
canonical name webcluster.oversun.clodo .ru.
addresses 62.76.181.230 * 62.76.181.229
inetnum: 85.143.164.0 - 85.143.167.255
descr: 192012, St.Petersburg
country: RU
___

Medfos sites to block 31/5/13
- http://blog.dynamoo.com/2013/05/medfos-sites-to-block-31513.html
31 May 2013 - "The following domains and IPs are currently being used as C&C servers by the Medfos family of trojans* (this** one*** in particular):
84.32.116.110
85.25.132.55
173.224.210.244
184.82.62.16
188.95.48.152
...
The domains listed are used in conjunction with hundreds of subdomains. Blocking the main domain will be the best approach, else the ones that I have been able to determine are listed here****."
* http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Medfos

** https://www.virustotal.com/en/file/...f3bad1f078086ff9492441642c82c7fb399/analysis/

*** http://www.threatexpert.com/report.aspx?md5=5b609450d101ff9ba921cabf331d1e39

**** http://pastebin.com/L9UuMAC7
___

USSR old domain name attracts cybercriminals
- https://www.nytimes.com/aponline/2013/05/31/world/europe/ap-eu-soviet-hacker-haven.html
May 31, 2013 AP - "... the .su Internet suffix assigned to the USSR in 1990 has turned into a haven for hackers who've flocked to the defunct superpower's domain space to send spam and steal money... other obscure areas of the Internet, such as the .tk domain associated with the South Pacific territory of Tokelau, have been used by opportunistic hackers... The most notorious site was Exposed .su, which purportedly published credit records belonging to President Barack Obama's wife, Michelle, Republican presidential challengers Mitt Romney and Donald Trump, and celebrities including Britney Spears, Jay Z, Beyonce and Tiger Woods. The site is now defunct. Other Soviet sites are used to control botnets — the name given to the networks of hijacked computers used by criminals to empty bank accounts, crank out spam, or launch attacks against rival websites. Internet hosting companies generally eliminate such sites as soon as they're identified. But Swiss security researcher Roman Huessy, whose abuse.ch blog* tracks botnet control sites, said hackers based in Soviet cyberspace can operate with impunity for months at a time. Asked for examples, he rattled off a series of sites actively involved in ransacking bank accounts or holding hard drives hostage in return for ransom — brazenly working in the online equivalent of broad daylight..."

* https://www.abuse.ch/?p=3581

:fear::mad:
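Several of the posts above end with the same advice: block the server IP, and for Medfos block the main domain because it is used with hundreds of subdomains. The following is an added example, not code from Dynamoo, Webroot or any other source quoted here, showing how a defender can turn those indicators into a simple proxy-log check that matches both exact IPs and any subdomain of a listed domain. The indicator values are the ones quoted in the posts (defanging removed); the log format, client addresses and the `medfos-c2-placeholder.invalid` domain are constructed for the example, since the Medfos post itself lists no domain names.

```python
"""
Added example: match proxy log lines against the IP and domain indicators
quoted in the posts above. A listed domain covers all of its subdomains,
which is the reason the Medfos post recommends blocking the main domain.
Log format, client addresses and the placeholder domain are constructed.
"""
from urllib.parse import urlsplit

# Indicators quoted in the posts above (defanging removed).
BLOCKED_IPS = {
    "174.140.171.233",                      # ADP / NewEgg landing server
    "85.143.166.158",                       # Vodafone campaign C&C
    "84.32.116.110", "85.25.132.55",        # Medfos C&C IPs
    "173.224.210.244", "184.82.62.16", "188.95.48.152",
}
BLOCKED_DOMAINS = {
    "4rentconnecticut.com",                 # ADP spam landing page
    "kalimat.egyta.com",                    # hacked sites loading the redirect scripts
    "asitecsrl.com",
    "mbbd.it",
    "medfos-c2-placeholder.invalid",        # placeholder: the post lists no Medfos domains
}


def refang(indicator: str) -> str:
    """Turn 'hxxp ://host .tld' style defanging back into a usable string."""
    return indicator.replace("hxxp", "http").replace(" ://", "://").replace(" .", ".")


def matching_domain(host: str, blocked=BLOCKED_DOMAINS):
    """Return the blocked domain that covers host (host itself or a parent), else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def classify_host(host: str):
    """Return ('ip', indicator), ('domain', indicator) or None for a clean host."""
    if host in BLOCKED_IPS:
        return ("ip", host)
    parent = matching_domain(host)
    if parent is not None:
        return ("domain", parent)
    return None


def parse_line(line: str):
    """Constructed log format: '<epoch> <client_ip> <method> <url>'."""
    parts = line.split()
    if len(parts) != 4:
        return None                         # malformed line, skipped by scan_log
    ts, client, _method, url = parts
    host = urlsplit(url).hostname           # handles IP hosts and optional :port
    if not host:
        return None
    return ts, client, host


def scan_log(lines):
    """Return one hit dict per line whose destination host matches an indicator."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, host = parsed
        verdict = classify_host(host)
        if verdict is not None:
            kind, indicator = verdict
            hits.append({"ts": ts, "client": client, "host": host,
                         "kind": kind, "indicator": indicator})
    return hits


# Constructed sample log: two redirect-chain fetches, one C&C call-back,
# one Medfos-style subdomain, one benign request and one malformed line.
SAMPLE_LOG = [
    "1369990001 10.0.0.5 GET http://www.mbbd.it/dzerzhinsky/bewilders.js",
    "1369990002 10.0.0.5 GET http://4rentconnecticut.com/news/cross_destroy-sets-separate.php",
    "1369990003 10.0.0.7 POST " + refang("hxxp ://85.143.166.158 /fexco/com/index.php").replace(" /", "/"),
    "1369990004 10.0.0.9 GET http://a1b2c3.medfos-c2-placeholder.invalid/",
    "1369990005 10.0.0.9 GET https://www.example.com/",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} "
              f"matches blocked {hit['kind']} {hit['indicator']}")
```

The parent-domain walk in `matching_domain` is what makes a single `medfos-c2-placeholder.invalid` entry catch every generated subdomain, so the list stays short even when the botnet rotates hostnames; IP hits are reported separately because an IP block covers every domain on that server, which is the point the ADP/NewEgg posts make.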