SPAM frauds, fakes, and other MALWARE deliveries...
Posted 20 March 2012 - 12:01 AM
Millions of harvested US gov't and military email addresses ...
March 19, 2012 22:10
"While the sale of email addresses is nothing new, the sale of millions of US government and military e-mail addresses could bring increased attacks.
Analysis: As e-mail is a typical delivery vector for Advanced Persistent Threat and other targeted attacks, it is possible that e-mail attacks on the US government and military may increase as a result. Already, "spear phishing" techniques involving trickery and sometimes 0-day exploits are finding many victims, and this trend is likely to increase."
"... U.S. government and U.S military users whose emails have been exposed are advised to be extra vigilant for potential targeted malware attacks enticing them into downloading and executing a malicious attachment, or attempting to trick them into clicking on a client-side exploits serving link found in the emails."
Posted 22 March 2012 - 07:49 AM
2012 Data Breach Investigations Report - Verizon
March 22, 2012 - "... The report combines data from 855 incidents that involved more than 174 million compromised records, an explosion of data loss compared to last year’s 4 million records stolen. The increase is due largely to the massive breaches perpetrated by activists... Most breaches Verizon tracked were opportunistic intrusions rather than targeted ones, occurring simply because the victim had an easily exploitable weakness rather than because they were specifically chosen by the attacker. And, as with previous years, most breaches — 96 percent — were not difficult to accomplish, suggesting they would have been avoidable if companies had implemented basic security measures. Verizon noticed a difference between how large and small organizations are breached. Smaller organizations tend to be breached through active hacking, involving vulnerabilities in websites and other systems and brute force attacks. Larger companies are more often breached through social engineering and phishing attacks — sending e-mail to employees to trick them into clicking on malicious attachments and links so that the intruders can install malware that steals employee credentials. Verizon surmises that this is because larger organizations tend to have better perimeter protections, forcing intruders to use human vulnerabilities to breach these networks instead."
March 22, 2012
Edited by AplusWebMaster, 23 March 2012 - 06:31 AM.
Posted 23 March 2012 - 03:37 AM
SPAM - IRS themed e-mails w/malicious attachment
March 22, 2012 - "Cybercriminals are currently spamvertising with IRS themed emails, enticing end -and- corporate users into downloading and viewing a malicious .htm attachment.
More details: Spamvertised subject: Your tax return appeal is declined...
Malicious attachment: IRS_H11832502.htm *
Malicious iFrame URL found in the attachment...
Upon downloading and viewing the malicious attachment, an iFrame tag attempts to load, ultimately serving client-side exploits such as the Libtiff integer overflow in Adobe Reader and Acrobat (CVE-2010-0188), and Trusted method chaining remote code execution (CVE-2010-0840)... the malicious iFrame is hosted within a fast-flux botnet, and is therefore currently responding to multiple IPs, in an attempt by cybercriminals to make it harder for security researchers to take it down. End users are advised to ensure that they’re not running outdated versions of their third-party software and browser plugins, as well as to avoid interacting with the malicious emails..."
File name: IRS_U774510.htm0
Detection ratio: 13/43
Analysis date: 2012-03-23 09:17:40 UTC
Posted 25 March 2012 - 01:12 PM
1x1 pixel drive-by-malware...
ast Updated: 2012-03-25 17:04:16 UTC - "Exploit authors sometimes like to be cute... A Java archive called "fun.jar" containing an "evilcode.class" file that runs as an applet of 1x1 pixels size ... well, this can't be anything good. And it indeed isn't. This code snippet was lurking on quite a few web sites over the past days. Sending fun.jar to Virustotal shows* that only 10 of 43 anti-virus tools actually recognize the exploit code, whereas 27/43 recognize the d.exe malware file** that the exploit currently downloads and runs. Evilcode.class exploits the Java Rhino Engine vulnerability (CVE2011-3544), published back in October 2011 and affecting -all- Java Runtime Engines up to JRE 1.6_27. The exploit still seems to work well enough for the bad guys that they don't see any need to re-tool to newer exploits. In slight modification of Oracle's own words: '
* Latest: https://www.virustot...a2a38/analysis/
File name: kr.jar
Detection ratio: 11/43
Analysis date: 2012-03-26 12:09:54 UTC
** Latest: https://www.virustot...a0cf6/analysis/
File name: 60685cf9afc3e4f95097aa219ecb6da0
Detection ratio: 28/40
Analysis date: 2012-03-27 16:01:57 UTC
Critical Java hole being exploited on a large scale ...
Severity: High Severity
Published: Wednesday, March 28, 2012 19:20
Java security vulnerability patched in February is now being used widely by criminals to install malware.
Analysis: Patch! Watch for outdated Java on the network as the presence of old Java User-Agents is often a sign that a system has been exploited and Java is now doing the attackers bidding, typically downloading something evil.
Edited by AplusWebMaster, 30 March 2012 - 03:50 AM.
Posted 28 March 2012 - 11:54 AM
MacOS X targeted w/MS Office exploit in the wild...
March 27, 2012 - "... The doc files seem to exploit MS09-027 and target Microsoft Office for Mac. This is one of the few times that we have seen a malicious Office file used to deliver malware on Mac OS X... An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
> When the victim opens the malicious Word file using Office for Mac, the shellcode writes the malicious payload on disk and executes it, and then opens a benign office file... The C&C server this time is:
- 2012 .slyip .net: 220.127.116.11
18.104.22.168 – 22.214.171.124
Black Oak Computers Inc – New York – 75 Broad Street...
> The second trojan found is a new one never seen. We have found several versions compiled for different architectures (ppc, i386..). We have also found a version that has paths to debugging symbols... The C&C domain resolves to:
- freetibet2012 .xicp .net: 126.96.36.199
188.8.131.52 – 184.108.40.206
China Unicom Beijing province network...
All the samples we have found have 0/0 rate antivirus detection, it includes the malicious doc files..."
March 29, 2012 - "... These Word documents exploit a Word vulnerability that was corrected in June, 2009, but also take advantage of the fact that many users don’t update such software. Word 2004 and 2008 are vulnerable, but the latest version, Word 2011 is not. Also, this vulnerability only works with .doc files, and not the newer .docx format..."
Edited by AplusWebMaster, 02 April 2012 - 04:44 AM.
Posted 02 April 2012 - 07:36 PM
Blackhole exploits ...
April 2, 2012 - "... an exploit for CVE-2011-0559*, which is one of the two Flash exploits being used by Blackhole currently. Compared to other exploits, this one has been used by Blackhole for quite some time and yet the coverage using different security products is very low**.
With very -low- antivirus coverage, -no- Metasploit module, and PoCs being extremely difficult to find, this increases the chances of exploitation. Blackhole targets to exploit Adobe Flash 10.0 and earlier versions, 10.1, and 10.0.x (where x is later than 40). The vulnerability has been patched since March 2011. Detection has been added to F-Secure Anti-Virus as Exploit:W32/CVE-2011-0559.A..."
* http://web.nvd.nist....d=CVE-2011-0559 - 9.3 (HIGH)
Last revised: 01/27/2012
March 29, 2012 - "... over the past 12-18 months we have seen Blackhole become the most prevalent and notorious of the exploit kits used to infect people with malware..."
Posted 03 April 2012 - 05:03 AM
Android bot attacks rooted smartphones
3 April 2012 - "Antivirus company NQ Mobile has discovered a variant of the DroidKungFu Android malware called DKFBootKit* that targets users who have rooted their smartphones. The malware piggybacks on apps that would otherwise ask for root privileges anyway – and, once the user has agreed, sets up camp deep in the smartphone's boot sequence and replaces commands such as ifconfig and mount to help ensure it is started early in the boot sequence..."
"... DKFBootKit makes use of the granted root privilege for other malicious purposes, namely comprising the system integrity... the malware itself contains a bot payload that phones home to several remote C&C servers and waits for further commands...
1) Only download applications from trusted sources...
2) Never accept application requests from unknown sources...
3) Be alert for unusual behavior on the part of mobile phones and be sure to download a trusted security application that can scan the applications being downloaded onto your mobile device..."
(More detail at the URLs above.)
Apr 04, 2012
... About 29,400,000 results
Edited by AplusWebMaster, 09 April 2012 - 06:47 AM.
Posted 03 April 2012 - 08:33 PM
Credit Card fraud/malware attacks Facebook users
April 03, 2012 - "... new configuration of the Ice IX malware that attacks Facebook users after they have logged in to their account and steals credit card and other personal information... discovered a “marketing” video used by the creators of the malware to demonstrate how the web injection works. The global reach and scale of the Facebook service has made it a favorite target of fraudsters... This latest attack uses a web injection to present a fake web page in the victim’s browser. The form requests the user provide their cardholder name, credit/debit card number, expiry date, CID and billing address. The attackers claim the information is needed to verify the victim’s identity and provide additional security for their Facebook account... This pop up* presents virtually the same message used in the Ice IX configuration our researchers discovered and analyzed. The only difference is the version in the video requests a social security number and date of birth, in addition to the information mentioned earlier... We contacted Facebook to advise them that they would be mentioned in this blog. Facebook requested that we pass on some information about their site’s security measures. Here’s a summary of their response:
i) Facebook actively detects known malware on users' devices to provide Facebook users with a self-remediation procedure including the Scan-And-Repair malware scan. To self-enroll in this check point please visit – on.fb.me/AVCheckpoint
ii) Please advise your readers to report to Facebook any spam they find on the Facebook site, and remember Facebook will never ask for your credit card, social security, or any other sensitive information other than your username and password while logging in."
"... Part of this site was listed for suspicious activity 336 time(s) over the past 90 days... Of the 113053 pages we tested on the site over the past 90 days, 186 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-04-03, and the last time suspicious content was found on this site was on 2012-04-03. Malicious software includes 63 trojan(s), 62 exploit(s), 60 scripting exploit(s). Successful infection resulted in an average of 7 new process(es) on the target machine... Malicious software is hosted on 138 domain(s)... 28 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site... Over the past 90 days, facebook.com appeared to function as an intermediary for the infection of 56 site(s)... It infected 8 domain(s)..."
Edited by AplusWebMaster, 04 April 2012 - 03:32 AM.
Posted 06 April 2012 - 04:30 AM
Olympic SPAM arrives...
Apr 5, 2012 - "... Users dreaming of watching the closing ceremonies of the London 2012 Olympics live may find the said offer hard to resist as Visa Golden Space is supposedly inviting users to join a lottery for a chance to win a travel package for the said event. Note that the said offer is non-existent. We also spotted a malware that arrives as a file named Early Check-In 2012 London Olympics.doc. This file, detected as TROJ_ARTIEF.XPL, exploits the RTF Stack Buffer Overflow Vulnerability found in several versions of Microsoft Office components. If it’s successful, it drops several other -malware- on your system, which Trend Micro detects as TROJ_DROPHIN.A and TROJ_PHINDOLP.A. This is not the first scam that uses this event to get users clicking. As early as 2008, Trend Micro has spotted a spammed message purporting to be a lottery drawn by the London 2012 Olympics committee. In May 2011, we also reported on a -spam- campaign that used London 2012 Olympics as bait. In addition, our social engineering e-guide mentions seasons and events as jump off points used by crooks. Online deals that look like they’re too good to be true, suspicious email messages promoting great but non-existent offers are also some of the tools used to lure users. All these tactics may lead to you inadvertently giving out your personal information, or for malware to be downloaded on your computer. Your personal information is not worth the risk of a chance to win a non-existent chance to win a lottery. Before clicking on that email link, investigate."
Fake AT&T wireless bill links to malware
Apr 5, 2012 - "Large outbreaks of phony AT&T wireless emails* have been distributed in the last 2 days. The emails describe very large balances ($943 in example), that are sure to get aggravated customers clicking on the included links... Every link in the email leads to a different compromised site that has malware hidden inside. In the example below** this means -9- (!) different URLS – most emails with links to email limit themselves to one or two links.
The index.html file tries to exploit at least the following known vulnerabilities:
Libtiff integer overflow in Adobe Reader and Acrobat – CVE-2010-0188
Help Center URL Validation Vulnerability – CVE-2010-1885
Recipients who are unsure whether the email they have received is genuine or not (the malicious version is a very accurate copy) should mouse-over the links. Genuine emails from AT&T will include AT&T website links. For example the “att.com” link will be the same in both places that it appears in the email – unlike the malicious version which uses 2 very different URLs. The fully functional homepage of one of the compromised sites is shown below. For more information about compromised websites see Commtouch’s report*** compiled in association with StopBadware."
Verizon-themed SPAM emails lead to ZeuS
March 29, 2012
Edited by AplusWebMaster, 08 April 2012 - 06:09 AM.
Posted 07 April 2012 - 04:25 AM
Fake HP scan SPAM email leads to malware
6 April 2012 - "Another fake HP scan spam email leading to malware. This one follows the new technique of putting a malicious HTML (HP_Scan.htm) file inside a ZIP file to reduce the risk of it being blocked, and then it has multiple payload sites to try to get a higher infection rate. Nasty.
'Date: Fri, 6 Apr 2012 08:29:34 +0200
From: "Hewlett-Packard Officejet 70419A" [JaysonGritten@ estout .com]
Subject: Scan from a Hewlett-Packard ScanJet #02437326
Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 45211A.'
The payload can be found at:
hxxp :// 220.127.116.11 :8080/navigator/jueoaritjuir.php
hxxp :// 18.104.22.168 :8080/navigator/jueoaritjuir.php
hxxp :// 22.214.171.124 :8080/navigator/jueoaritjuir.php
hxxp :// 126.96.36.199 :8080/navigator/jueoaritjuir.php
... Anti-virus detection* is pretty poor at the moment...."
File name: HP_Scan.htm
Detection ratio: 10/42
Analysis date: 2012-04-06 10:24:37 UTC
March 31, 2012
File name: Invoice_NO_Mailen.htm
Detection ratio: 21/42
Analysis date: 2012-04-02 05:40:03 UTC
Edited by AplusWebMaster, 08 April 2012 - 06:04 AM.
Posted 09 April 2012 - 06:34 AM
EU tax invoice trojan...
April 8, 2012 - "... started to intercept a new trojan distribution campaign by email with the subject “invioce” and is sent from the spoofed address “European Commissions’s Office<email@example.com>” and has the following body:
Please open the attached file for your income tax invoice.From the European
Commission’s office .This message is for all the European Union citizens.
Note: European Union citizens Tax invoices are provided Once a year.
please refer to your tax Confirmation email. Attachment: Tax Invoice.
For Better Understanding.
Mr Jeff Black
The attached file is named invoice.exe and is approx. 170 kB large. The trojan is known as a variant of Win32/Injector.PWG (NOD32), W32/Obfuscated.D!genr (Norman), Trojan.Win32.Generic.pak!cobra ( VIPRE). At the time of writing, only 6 of the 42 AV engines did detect the trojan at Virus Total*..."
File name: invoice.exe
Detection ratio: 9/41
Analysis date: 2012-04-08 12:05:55 UTC
Posted 12 April 2012 - 04:39 AM
Dutch phishing emails target domains in Belgium/Netherlands
April 10, 2012 - "... increase of phishing emails, compared to the previous days, weeks and month, in the Dutch language that is sent to domains .be and .nl in Belgium and the Netherlands. The phishing emails are sent on behalf of ABN Amro and ING.
Here are some subjects for ING phishing emails:
- Mijn ING Breidt
- Belangerijk Mijn ING Nieuws
- Je hebt 1 ongelezen beveiligd Alert.
Here are some subjects for the ABN AMRO Bank:
- Beveiliging Message Alert van ABN AMRO Bank
- 2012 ABN AMRO VERIFICATIE ..."
(Examples of complete phish text at the URL above.)
Posted 12 April 2012 - 04:56 AM
Android "GoldDream" malware server still alive
12 Apr 2012 - "Many anti-virus vendors have reported on and dissected the suspicious and malicious Android "GoldDream" malware threat. The C&C server (lebar .gicp. net)... hosts this -malware-... this C&C server is still alive after several months and is still serving users with "GoldDream" malware... Websense... has blocked the malware server sites, out of the 19 vendors listed by VirusTotal*... The malware site mainly targets users in China, masquerading as a normal Android apps distribution site. The site makes use of a fake certificate and registration... information to lure more customers, and is placed at the bottom of the listed app sites in a bid to advertise itself as a good reputation site... We have analyzed all the available free Android apps on the site (23 in total). 18 of these apps contain "GoldDream" malware. These are normal game apps which are re-packaged to include malicious code... We strongly suggest that users refrain from downloading and installing apps from untrusted 3rd party sources..."
Normalized URL: http ://lebar .gicp .net/
Detection ratio: 1/25
Analysis date: 2012-04-12 09:32:49 UTC
"... 222 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-04-12, and the last time suspicious content was found on this site was on 2012-04-12. Malicious software includes 206 scripting exploit(s), 121 exploit(s), 30 trojan(s). Successful infection resulted in an average of 2 new process(es) on the target machine. Malicious software is hosted on 90 domain(s)... 92 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site... This site was hosted on 15 network(s) including AS32475 (SINGLEHOP), AS4134 (China Telecom backbone), AS4837 (CNC)... Over the past 90 days, gicp.net appeared to function as an intermediary for the infection of 13 site(s)... It infected 9 domain(s)..."
... canonical name - gicp .net
Recommended add to BLACKLIST
Edited by AplusWebMaster, 12 April 2012 - 08:32 AM.
Posted 12 April 2012 - 09:23 AM
Ransomware - multiple types/discoveries
Apr 12, 2012 - "We have encountered a ransomware unlike other variants that we have seen previously. A typical ransomware encrypts files or restricts user access to the infected system. However, we found that this particular variant infects the Master Boot Record (MBR), preventing the operating system from loading. Based on our analysis, this malware copies the original MBR and overwrites it with its own malicious code. Right after performing this routine, it automatically restarts the system for the infection take effect..."
(More detail at trendmicro URL above.)
April 12, 2012 - "We are receiving reports of a ransom trojan, it's been circulating during the last two days. When first run on the system, the ransomware will iterate all folders on the system. Every document, image, and shortcut (.lnk) file found will be encrypted and appended with an extension of .EnCiPhErEd. In each folder it will drop a text file called "HOW TO DECRYPT.TXT" which contains instructions on how to proceed. The bandit is demanding 50€. It drops a copy of itself in the system's temp folder with a random name. It creates registry entries to associate the .EnCiPhErEd extension with itself, so that the temp folder copy will be launched whenever those files are run, in order to demand the decryption password. After five attempts it will no longer accept passwords. And it then deletes itself, leaving your data encrypted. Our threat hunters think that the source of this ransomware may be from inserted malicious tags in sites, particularly in forums..."
(More detail at f-secure URL above.)
Posted 13 April 2012 - 06:25 AM
Android malware poses as Angry Birds...
April 12, 2012 - "Android malware authors have seized an opportunity to infect unsuspecting smartphone users with the launch of the latest addition to the immensely popular "Angry Birds" series of games. SophosLabs recently encountered malware-infected editions of the "Angry Birds Space" game which have been placed in -unofficial- Android app stores. Please note: The version of "Angry Birds Space" in the official Android market (recently renamed "Google Play") is *not* affected... With the malware in place, cybercriminals can now send compromised Android devices instructions to download further code or push URLs to be displayed in the smartphone's browser. Effectively, your Android phone is now part of a botnet, under the control of malicious hackers..."
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users