Fake Police 'Suspect' SPAM
1 Oct 2014 - "... the New York City police have finally tracked me down for eviscerating that spammer in Times Square.
From: ALERT@ police .uk [ALERT@ police-uk .com]
Date: 1 October 2014 08:49
Subject: Homicide Suspect - important
Bulletin Headline: HOMICIDE SUSPECT
Sending Agency: New York City Police
Sending Location: NY - New York - New York City Police
Bulletin Case#: 14-49627
Bulletin Author: BARILLAS #1264
Sending User #: 56521
The bulletin is a pdf file. To download please follow the link below ...
Weirdly, the message comes from a police .uk email address and the link goes to a driving school in Australia. And it comes from 188.8.131.52 which is an IP address in Kansas City. Perhaps the biggest anomaly is the file that is downloaded, a ZIP file called file-viewonly7213_pdf.zip which contains an executable file-viewonly7213_pdf.scr which is (as you might guess) malicious with a VirusTotal detection rate of 2/55*. The Anubis report** shows that the malware phones home to santace .com which is probably worth blocking or monitoring. Other analyses are pending. I've also seen the same payload promoted through a "You've received a new fax" spam, and no doubt there will be others during the course of the day."
Something evil on 184.108.40.206
1 Oct 2014 - "... what exploit kit this is I cannot determine, but there's something evil on 220.127.116.11 (Keyweb, Germany) which is using hijacked GoDaddy-registered subdomains to distribute carp**. It's definitely worth -blocking- this IP. The source looks like some sort of malvertising, but I have incomplete data..."
Fake 'Booking Cancellation' SPAM
1 Oct 2014 - "... a -mass- of these purporting to be from uktservices .com ("UK Travel Services"), but in fact it is a -forgery- and does -not- come from them at all - they are -not- responsible for sending the spam and their systems have -not- been compromised.
From: email@ uktservices .com
Date: 1 October 2014 14:01
Subject: Booking Cancellation
Your booking at 13:15 on 1st Oct 2014 has been Cancelled.
Here is a link to your updated bookings view...
All the emails are somewhat mangled, but the first link in the email (not the uktservices .com link) goes to what appears to be an exploit kit... In -all- cases, those pages forward to a malicious page at: [donotclick]18.104.22.168 :8080/njslfxqqw9. The IP of 22.214.171.124 belongs to EDIS GmbH in Austria, and I suspect it has been hacked through an insecure Joomla installation. I haven't been able to identify which exploit kit it is as it has been hardened against analysis, but you can guarantee that this -is- malicious in some way or another..."
More Fake Invoice SPAM
1 Oct 2014 - "'Invoice 08387 from Them Digital' pretending to come from Jason Willson <jason@ themdigital .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
There are actually about 15 different sizes and repackaged versions of this malware that I have seen so far today. All have the same zip file name but the contents inside are named differently; some will be caught by antivirus generic detections and some won’t, so be careful & watch out. Use your eyes and intuition and don’t rely on your antivirus to protect you from these types of malware.
Today's Date: Them Digital Invoice 08387.pdf.zip: Extracts to: ThemDigital_Invoice_42559029506452623.pdf.exe | Current Virus total detections: 9/55**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
Fake 'Cashbuild Copied invoices' SPAM - PDF malware
1 Oct 2014 - "'Cashbuild Copied invoices' pretending to come from billing@ cashbuild .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
get copies of invoices. We will not be able to pay them. Please send clear invoices
1 October 2014: copies_908705.zip ( 10kb): Extracts to: copies_908705.exe
Current Virus total detections: 0/55*. This Cashbuild Copied invoices is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
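The three payloads quoted above (the police "bulletin" with file-viewonly7213_pdf.scr inside its ZIP, and the two invoice runs with .pdf.exe and .exe members) all rely on the same trick: an executable extension hidden behind a document-looking name or icon. The script below is an added example written for this digest, not code from any of the quoted sources; it scans a mailed ZIP attachment for members whose final extension is one Windows executes, and separately flags the .pdf.exe style double extension. The archive it scans is constructed in memory with dummy bytes (not the real malware), reusing only the file names quoted in the posts; the extension lists are my own assumptions about what is worth flagging at a mail gateway.

```python
import io
import zipfile

# Extensions Windows runs as a program regardless of the icon or any "inner" extension
# (assumed list for this example; extend to taste).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta"}
# Document-like extensions that spoofed names borrow to look harmless when
# "show known file extensions" is disabled.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_name(name):
    """Return a reason string if an archive member name looks like a disguised
    executable, or None if the name is unremarkable."""
    base = name.rsplit("/", 1)[-1].lower()  # strip any directory prefix inside the ZIP
    parts = base.split(".")
    if len(parts) < 2:
        return None
    final_ext = parts[-1]
    if final_ext not in EXECUTABLE_EXTS:
        return None
    # The classic invoice lure: document extension immediately before the real one.
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return f"double extension .{parts[-2]}.{final_ext} (document look-alike)"
    # Any executable in an "invoice" or "bulletin" attachment is worth a look anyway.
    return f"executable member (.{final_ext})"


def suspicious_entries(zip_bytes):
    """Scan an in-memory ZIP and return [(member_name, reason), ...] for members
    that look like disguised executables. Only names are inspected; nothing is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip():
    """Constructed sample archive: dummy byte strings under the member names quoted in
    the posts above, plus one genuinely harmless-looking PDF name as a control."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ThemDigital_Invoice_42559029506452623.pdf.exe", b"MZ dummy")
        zf.writestr("copies_908705.exe", b"MZ dummy")
        zf.writestr("file-viewonly7213_pdf.scr", b"MZ dummy")
        zf.writestr("genuine_report.pdf", b"%PDF-1.4 dummy")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in suspicious_entries(build_sample_zip()):
        print(f"FLAG {member}: {reason}")
```

Note that the .scr sample carries an underscore rather than a dot before "pdf", so it is not a double extension in the strict sense; the script still flags it because a screensaver inside a mailed "bulletin" archive is an executable whatever it is called. Name-based checks like this complement, rather than replace, antivirus scanning of the extracted content.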
GNU bash vulns...
Updated: Oct 1 2014*
Original Entry Date: Sep 24 2014
- https://web.nvd.nist...d=CVE-2014-6271 - 10.0 (HIGH)
- https://web.nvd.nist...d=CVE-2014-6277 - 10.0 (HIGH)
- https://web.nvd.nist...d=CVE-2014-6278 - 10.0 (HIGH)
- https://web.nvd.nist...d=CVE-2014-7169 - 10.0 (HIGH)
- https://web.nvd.nist...d=CVE-2014-7186 - 10.0 (HIGH)
- https://web.nvd.nist...d=CVE-2014-7187 - 10.0 (HIGH)
* ... archive entries have one or more follow-up message(s)...
DoubleClick abused - malvertising
30 Sep 2014 - "Last week we uncovered a large-scale malvertising* attack involving Google’s DoubleClick and Zedo that affected many high-profile sites**... another incident where DoubleClick is part of the advertising chain has happened again... the publisher is trusting them to only allow ‘clean’ ads. Many popular sites were caught in the cross-fire including examiner . com... they can be widespread in an instant by leveraging the advertising networks’ infrastructure. Malicious ads are displayed to millions of visitors who do -not- actually need to click them to get infected:
... Flash-based redirection: ad looks legit but hides a silent redirection to an exploit page. Once again, no user interaction is required to trigger the -redirection- and anyone running an outdated Flash plugin is at risk of getting exploited... It is the infamous CryptoWall*** (hat tip @kafeine) ransomware that encrypts your files and demands a ransom..."
Edited by AplusWebMaster, Today, 11:48 AM.