FYI...
Fake MS email phish delivers Zeus via Java vuln ...
- https://isc.sans.edu/diary.html?storyid=14020
Last Updated: 2012-09-01 - "Thanks to Susan Bradley for reporting this to ISC.
We're receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences.
The legitimate version of this email is specific to a services agreement seen here*, per a change to Microsoft services as of 27 AUG. The evil version of this email will subject the victim to a hyperlink that will send them to a Blackhole-compromised website, which will in turn deliver a fresh Zeus variant... (evil) email including the following header snippet:
Received: from [101.5.162.236] ([101.5.162.236]) by
inbound94.exchangedefender .com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166
A legitimate header snippet:
Received: from smtpi.msn .com ([65.55.52.232]) by COL0-MC3-F43.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900)
101.5.162.236 is in China, 65.55.52.232 is Microsoft. The legitimate email will include a hyperlink for http://email.microsoft.com/Key-9850301.C.DLs15.C.KK.DlNkNK , which points to the above mentioned services agreement.
(Obfuscated to protect the innocent): The phishing mail will instead include a hyperlink to the likes of allseasons****.us, radiothat****.com, and likely a plethora of others. I assessed radiothat****.com and was redirected to 209.x.y.14 which is running the very latest Blackhole evil as described on 28 AUG by Websense in this post**.
Source code review of the web page served included <applet/code="ndshesa.ndshesf"/archive="Leh.jar"><param/nam=123 name=uid value="N013:011:011:04:037:061:061:047:034:076:074:0102:076:074:
047:047:047:074:067:053:061:04:074:04:013:04:075:054:071:034:067:053:
034:034:02:065:071:034"/></applet>
The VirusTotal link for Leh.jar is here(3), and the VirusTotal link for the Zeus variant offered is here(4)...
Contemplate disabling Java(5) until the -next- update(6) is released..."
* http://windows.microsoft.com/en-US/windows-live/microsoft-services-agreement
** http://community.websense.com/blogs...ava-0-day-added-to-blackhole-exploit-kit.aspx
3) https://www.virustotal.com/file/251...d0c09b185b5ae68705c8406210148358bc9/analysis/
File name: Leh.jar
Detection ratio: 8/42
Analysis date: 2012-09-01 05:28:51 UTC
4) https://www.virustotal.com/file/98b...3dd9c5ceb5e04b9320c55645/analysis/1346461231/
File name: updateflashplayer.exe
Detection ratio: 6/42
Analysis date: 2012-09-01 01:00:31 UTC
5) http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/
6) https://isc.sans.edu/diary.html?storyid=14017
___
101.5.162.236
101.5.0-255.*
inetnum: 101.5.0.0 - 101.5.255.255
netname: TSINGHUA-CN
country: CN
origin: AS4538
http://www.google.com/safebrowsing/diagnostic?site=AS:4538
... 231 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-09-02, and the last time suspicious content was found was on 2012-09-02... We found 27 site(s)... that infected 743 other site(s).
___
- https://krebsonsecurity.com/2012/08/java-exploit-leveraged-two-flaws/
"... If you want to test whether you’ve successfully disabled Java, check out Rapid7's page, http://www.isjavaexploitable.com/ ."
:sad:
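The two header snippets in the diary suggest a simple triage check for this campaign: the genuine notice arrives from Microsoft's relay with a proper HELO hostname and links only to email.microsoft.com, while the phish originates from a bare IP literal and links elsewhere. The script below is an added example, not code from ISC or this post; it assumes the single relay IP and link host quoted above, and the sample messages (including the placeholder phish domain) are constructed for illustration.

```python
import re
from email import message_from_string

# Expected values taken from the legitimate header and link quoted in the diary;
# a real deployment would use a maintained list of Microsoft sending IPs.
MICROSOFT_RELAY_IPS = {"65.55.52.232"}
LEGIT_LINK_HOST = "email.microsoft.com"

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?([0-9.]+)\]?\)")
HREF_RE = re.compile(r'href="https?://([^/"]+)', re.I)

# Constructed samples modelled on the diary's two snippets; the phish host is a placeholder.
LEGIT_SAMPLE = """\
Received: from smtpi.msn.com ([65.55.52.232]) by COL0-MC3-F43.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900)
Content-Type: text/html

<p><a href="http://email.microsoft.com/Key-9850301.C.DLs15.C.KK.DlNkNK">Services Agreement</a></p>
"""
PHISH_SAMPLE = """\
Received: from [101.5.162.236] ([101.5.162.236]) by inbound94.exchangedefender.com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166
Content-Type: text/html

<p><a href="http://phish-example.invalid/agreement.html">Services Agreement</a></p>
"""

def origin_hop(msg):
    """(HELO name, IP) of the earliest hop, i.e. the last Received header added."""
    for hdr in reversed(msg.get_all("Received") or []):
        m = RECEIVED_RE.search(" ".join(hdr.split()))
        if m:
            return m.group(1), m.group(2)
    return None, None

def findings(raw):
    """List the indicators that this mail is not the genuine Microsoft notice."""
    msg = message_from_string(raw)
    helo, ip = origin_hop(msg)
    if ip is None:
        return ["no parseable Received hop"]
    out = []
    if ip not in MICROSOFT_RELAY_IPS:
        out.append(f"origin {ip} is not a known Microsoft relay")
    if helo.startswith("["):
        out.append(f"HELO name is a bare IP literal {helo}")
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    for host in HREF_RE.findall(body):
        if host.lower() != LEGIT_LINK_HOST:
            out.append(f"link points to {host}, not {LEGIT_LINK_HOST}")
    return out
```

Running `findings()` over the legitimate sample returns no indicators, while the phish sample trips all three checks.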