SPAM frauds, fakes, and other MALWARE deliveries...



#136 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 01 June 2009 - 03:19 PM

FYI...

Another "Digital Certificate" malware campaign
- http://isc.sans.org/...ml?storyid=6499
Last Updated: 2009-06-01 16:21:12 UTC - "... a "Bank of America Digital Certificate Updating" scheme is used, where a victim of the luring email is directed to a fake website... Using the <Update Certificate> button here will net you a piece of Malware that has approximately 30% AV coverage (as indicated by VirusTotal). A quick analysis of said malware shows probable signs of, surprise-surprise, Waledac..."

(Screenshot available at the URL above.)

:ph34r: <_<

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#137 AplusWebMaster


Posted 01 June 2009 - 11:28 PM

FYI...

Twitter hit with rogue anti-virus scam
- http://www.theregist...r_malware_scam/
2 June 2009 - "Twitter users over the weekend were the target of a scam that tried to infect them with rogue anti-virus software and other malware, in what is one of the first times the micro-blogging site has been hit by a known for-profit attack, a security researcher said. The problem started after a flurry of tweets directed users to a website promising "Best Video." The site appeared to offer content from YouTube, but behind the scenes, the site delivered a PDF document designed to infect those using vulnerable versions of Adobe's Reader program. Victims then received an urgent warning that their systems were infected and needed to be cleaned using fraudulent security software... The scam promoted a piece of rogue anti-virus software dubbed System Security."

- http://www.viruslist...logid=208187734
June 01, 2009 - "... fake program called "System Security" is being promoted... Most likely the cyber criminals behind this attack simply used the stolen credentials of those phished accounts to tweet the messages... If the trends we've seen on other social platforms are any indicator for Twitter then we can only expect an increase in attacks."
(Screenshots available at the URL above.)

- http://pandalabs.pan...nds-Attack.aspx
11 June 09 - "... cyber criminals have been targeting Twitter users by creating thousands of messages (tweets) embedded with words involving trending topics and malicious URLs. If the URLs were accessed, the victims would arrive at a rogueware website designed to trick them into thinking that their computer is infected, therefore justifying the need to purchase the fake software offered. Since the initial discovery, we have been keeping a close eye on this attack, but the malicious tweets continue... The ease of carrying out this type of attack leaves us to believe that this will not go away anytime soon... "

:ph34r: <_<

Edited by AplusWebMaster, 17 June 2009 - 07:07 AM.



#138 AplusWebMaster


Posted 09 June 2009 - 06:48 AM

FYI...

More Blackhat SEO "scareware" campaigns
- http://ddanchev.blog...ont-end-to.html
June 08, 2009 - "... they've got no customers but the cybercriminals themselves maintaining a portfolio of over 7,000 adult related keywords which they have been using for blackhat SEO campaigns across thousands of automatically registered - CAPTCHA recognition outsourced - Blogspot accounts since February, 2009... Not only is life4info .info or dirsite .com a bogus free hosting provider, but the campaigns hosted by them are interacting with our "dear friends" at AS30407; VELCOM .com which Spamhaus describes as "N. American base of Ukrainian cybercrime spammers" - and with a reason."

(Screenshots and more detail available at the URL above.)

:ph34r: <_< :ph34r:



#139 AplusWebMaster


Posted 11 June 2009 - 11:05 AM

FYI...

Malicious SPAM - Air France plane crash
- http://securitylabs....lerts/3417.aspx
06.11.2009 - "Websense... has detected a new malicious spam campaign pretending to deliver legitimate news updates about the Air France plane crash ( http://news.bbc.co.u...cas/8078147.stm ). The spam campaign is in Portuguese, and includes a link to view the first videos from the crash site. The link to the video leads to a Trojan Downloader file named: Video_AirFrance_447.com. If a user runs the file, it downloads a malicious executable file masquerading as an image from [removed].org/imgs/like2.jpg. The malware registers a password-stealing BHO component on the system masquerading as a McAfee SiteAdvisor component with this GUID: {9387b8b2-5508-11de-8729-c56f55d89593}. The GUID is linked to the malicious installed DLL file named mcieplg.dll under the system32 directory (%windir%\system32\mcieplg.dll). AV detection rates on this file are very low*..."
* http://www.virustota...6914-1244673584

(Screenshots available at the Websense URL above.)

:ph34r: <_< :ph34r:



#140 AplusWebMaster


Posted 12 June 2009 - 01:07 PM

FYI...

Fake MSRT...
- http://preview.tinyurl.com/l28pj7
June 12 2009 CA Security Advisor blog - "CA ISBU Research Lab receives a large number of malicious samples on a daily basis, many of which are found to be Rogue Antivirus applications belonging to the extremely prevalent malware family, Win32/FakeAV... this variant imitates Microsoft Windows Malicious Software Removal Tool (MSRT), as well as promoting Microsoft Office upgrade and other trusted Antivirus products.
Fake Microsoft MSRT Warnings
When the installation package is executed, it will display the fake alert in the system tray... Then, it will display the fake GUI for Microsoft Windows Malicious Software Removal Tool scanning your system and it will display the scan result... (also) imitates the Windows Security Center..."

(Screenshots available at the URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 12 June 2009 - 01:08 PM.



#141 AplusWebMaster


Posted 13 June 2009 - 12:13 PM

FYI...

SPAM - Fake EULAs, fixtools...
- https://forums2.syma.../article-id/276
06-12-2009 - "... SPAM (message) noted that Symantec was working with Microsoft to create a patch for "Conflicker." According to the spam message, Conficker is also called "Troj/Brisv.A"... The spam is accompanied by a file named "remtool_conf.exe." The spammers have taken an extra step ahead of just spreading their Trojans. This file is actually a Symantec fixtool for Trojan.Brisv bundled with the Trojan. So, when someone runs this file they actually run the Symantec Brisv fixtool, along with the Trojan completing its task. In this case, the dropped Trojan contacts a remote site in order to download another piece of malware, which is currently detected by Symantec products as Suspicious.MH690.A... We gave the infection a run on a test machine. Almost immediately we saw our own EULA... Running the email attachment did a few things–it dropped the original (signed) Symantec Trojan.Brisv fixtool into a temporary folder; it dropped a Trojan into the same folder; and, it ran the original fixtool. One can see that this is indeed Symantec’s own legitimate fixtool. But, the Trojan file "webexplorer.exe" is basically a downloader. It contacts a remote site in order to download another file called "winupdate.exe". As you’ve guessed, that is also a Trojan and is currently detected as Suspicious.MH690.A... If you have a need to run a Symantec fixtool, go to the Symantec website* and download it for free..."
* http://www.symantec....emovaltools.jsp

(Screenshots available at the first Symantec URL above.)

:ph34r: <_< :ph34r:



#142 AplusWebMaster


Posted 15 June 2009 - 10:09 AM

FYI...

Rogue AV hosted in USA...
- http://sunbeltblog.b...right-here.html
June 15, 2009 - "Contrary to popular belief, not all malware is hosted in Eastern Europe or China. In fact, there’s a whole bucketload of malware hosted in Scranton, PA. Here are malware domains associated with IP 64.191.92.197..."

(Long list and screenshots available at the URL above.)

:ph34r: <_< :ph34r:



#143 AplusWebMaster


Posted 15 June 2009 - 02:17 PM

FYI...

- https://forums2.syma.../article-id/200
06-15-2009 - "It may not be encouraging news for scammers, but users are slowly but surely adopting a see-and-delete approach for the usual fake stories related to lotteries, dormant bank accounts, an inheritance of huge wealth, and relatives of deceased or exiled political leaders sharing their millions. However, lately the trends seem to show that news stories involving current events are being piggybacked or manipulated by scammers to trap users into falling for fraudulent offers... Another recent scam we have been monitoring involves an event resembling the highly rated television reality show Big Brother, which began on June 4 in the UK. Scammers have been inviting recipients to participate in their Big Brother World to be held on July 12 in London, UK... Scammers claim to be a Big Brother agent and will furnish the competition details once users respond to the mailed invitation. Users will need to reply with the application type along with their full name, address, age, and telephone number. Even a casual look at the email reveals several spelling mistakes that start right from the subject line and continue on throughout the message, including using “price” instead of “prize” in the mail body. We would recommend that users follow the usual practice of ignoring [and deleting] such unsolicited emails..."

(Screenshot of scam e-mail available at the URL above.)

:ph34r: <_<



#144 AplusWebMaster


Posted 22 June 2009 - 08:20 PM

FYI...

Fake MS Update SPAM...
- http://blog.trendmic...cal-info-theft/
June 22, 2009 - "... Close to the weekend, we identified SPAM claiming to be a Microsoft Outlook and Outlook Express critical update that “offers the highest levels of stability and security.” A tricky difference here is that all the links in the email (the links to Contact Us, Privacy Statement, Trademarks, and Terms of Use) are legitimate–except one. The URL where the “critical update” may be downloaded looks legitimate, but hovering over the hyperlink (or checking the source code of the mail) reveals a totally different destination... For content security experts this already bears the marks of an email-based cyber-criminal attack. True enough, the URL leads to the download of a file (detected as TROJ_ZBOT.BTS) that on its execution it accesses a website to download a .bin file with information referring to where the Trojan can download an updated copy of itself, and where to send stolen data. The list also contains compromised websites targeted for stealing information. Our engineers confirm that the list was containing several names of banking institutions, among other social networking targets like Facebook and MySpace, and media sites YouTube and Flickr. The list can be viewed here*. Note that the said list may be changed at any time. How does the scam work? Whenever the user visits any of the monitored sites, the Trojan starts logging keystrokes. It then saves gathered information (which presumably includes sensitive information like user name and password, credit card information, etc.) in a file and then sends the file to a dedicated server via HTTP POST..."
* http://preview.tinyurl.com/qrbt7m

(Screenshots available at the Trendmicro URL above.)

> http://www.microsoft.com/protect/yourself/...ng/msemail.mspx

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 23 June 2009 - 06:52 AM.

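The Trend Micro write-up quoted above rests on one observable: the visible link text names a Microsoft host while the real href goes elsewhere, which is why hovering (or reading the mail source) exposes it. The following is an added example, not code from the original post or from Trend Micro, that performs the same comparison mechanically over an HTML e-mail body. It uses only the Python standard library; the sample e-mail and the host update-server.invalid are constructed for the example, and the registered-domain reduction keeps only the last two labels (a real deployment would use a public-suffix list).

```python
"""Added example: flag e-mail hyperlinks whose visible text names one host
while the real href points at another. Standard library only; the sample
e-mail and the host update-server.invalid below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable-domain reduction: keep the last two labels.
    Adequate for .com-style hosts; multi-label TLDs need a suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of_displayed_text(text):
    """Return the host named by the link text if the text looks like a URL or
    bare domain, else None (a label such as 'Privacy Statement' is not compared)."""
    candidate = text.strip()
    if not candidate or " " in candidate:
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def find_mismatched_links(html):
    """Return anchors whose displayed host and href host are different domains."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        shown = host_of_displayed_text(text)
        real = urlparse(href).hostname  # None for mailto:, relative or empty hrefs
        if shown is None or real is None:
            continue
        if registered_domain(shown) != registered_domain(real):
            findings.append({"shown": text, "href": href})
    return findings


# Constructed sample: every footer link is genuine; only the "update" link lies.
SAMPLE_EMAIL_HTML = """
<p>A critical update for Microsoft Outlook and Outlook Express is available.</p>
<p>Download it here:
   <a href="http://update-server.invalid/outlook-update.exe">www.microsoft.com/downloads/outlook-update</a></p>
<p><a href="http://www.microsoft.com/contact">Contact Us</a> |
   <a href="http://www.microsoft.com/privacy">Privacy Statement</a> |
   <a href="http://www.microsoft.com/trademarks">Trademarks</a> |
   <a href="http://www.microsoft.com/terms">Terms of Use</a></p>
"""

if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"shown as {hit['shown']!r} but links to {hit['href']}")
```

Links whose visible text is an ordinary label are deliberately skipped: the check only fires where the sender chose to display a host name, because that is the case where the display is making a claim the href contradicts.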


#145 AplusWebMaster


Posted 24 June 2009 - 05:12 PM

FYI...

Nonstop site re-infections
- http://securitylabs....Blogs/3425.aspx
06.24.2009 - "We recently published an alert* about the Ethiopian Embassy site being compromised... This isn't the first time the site has been compromised. In March of 2009, we noticed an iframe injection pointing to hxxp://[REMOVED]vv.com/index.php. The domain was also serving virus-infected files in other locations, including hxxp://[REMOVED]vv.com/unic/1.exe, a Trojan [see VirusTotal report**]... Attackers are in control and re-compromising the site over and over, potentially infecting visitors with malicious code at any time. These attacks are somewhat of a trend. We've documented a number of compromised embassy sites in the past, illustrating how malware delivery occurs through Web sites..."
* http://securitylabs....lerts/3423.aspx

** http://www.virustota...05a9-1240536959
"File 5143155606c013934a4601648e310800aff688c2.EXE ..."

(Screenshots and more detail available at the Websense URL above.)

:ph34r: <_<

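The Websense post above describes the common shape of a site compromise: an iframe injected into an otherwise legitimate page, pointing off-site and sized or styled so the visitor never sees it. The block below is an added example, not code from the original post or from Websense, that inventories the iframes in a fetched page and reports those that are hidden and/or load from another site, so a site owner re-checking a page after cleanup can spot a re-injection. Standard library only; the sample page, the host embassy.example and the injected host injected.invalid are constructed for the example.

```python
"""Added example: list <iframe> elements on a page that are hidden (zero
size, display:none, visibility:hidden) and/or load from another site.
Standard library only; the sample page and hosts below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Record the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

    handle_startendtag = handle_starttag  # also catch the <iframe ... /> form


def _same_site(host_a, host_b):
    """Compare on the last two labels; adequate for .com-style hosts."""
    def tail(host):
        return ".".join(host.lower().strip(".").split(".")[-2:])
    return tail(host_a) == tail(host_b)


def _hidden_reasons(attrs):
    """Return the attribute-level reasons an iframe would be invisible to a visitor."""
    reasons = []
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            reasons.append(f"{dim}={attrs[dim]}")
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by style")
    if re.search(r"(?:^|;)(?:width|height):[01](?:px)?(?:;|$)", style):
        reasons.append("zero-size by style")
    return reasons


def suspicious_iframes(page_html, page_url):
    """Return one record per iframe that is hidden or loads from another site."""
    page_host = urlparse(page_url).hostname or ""
    collector = _IframeCollector()
    collector.feed(page_html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        src_host = urlparse(src).hostname  # None for relative URLs
        reasons = _hidden_reasons(attrs)
        if src_host and not _same_site(src_host, page_host):
            reasons.append(f"off-site src {src_host}")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed page: one legitimate visible same-site iframe plus an injected one.
SAMPLE_PAGE_URL = "http://embassy.example/news.html"
SAMPLE_PAGE_HTML = """
<html><body>
<h1>Embassy news</h1>
<iframe src="/calendar.html" width="600" height="400"></iframe>
<p>Visiting hours ...</p>
<iframe src="http://injected.invalid/index.php" width="0" height="0"
        style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_PAGE_HTML, SAMPLE_PAGE_URL):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

A visible off-site iframe (an embedded video, say) is reported too, but with a single reason; an iframe that is both hidden and off-site collects several, which is the combination worth treating as a probable injection. Run the check against the HTML the server actually returns to a browser, since an injection may live in a template or in a .htaccess rewrite rather than in the file you edit.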



#146 AplusWebMaster


Posted 25 June 2009 - 05:36 AM

FYI...

Zbot In Your Inbox
- http://www.marshal8e...trace.1005~.asp
June 24, 2009 - "A password stealing Zbot (ZeuS bot) Trojan has been increasingly spammed throughout the previous two weeks. We believe the spam originates from the Pushdo botnet. The spam template varies from time to time, mostly using subject lines such as “You have received a Greeting ecard ”, “Statement request”, “Microsoft outlook update”, “Postal Tracking” and may come either as an attachment or a link in the message body... Zbot attempts to download a file named "djwl.bin". This file is an encrypted configuration file..."
(Screenshots available at the URL above.)

Also see: http://www.abuse.ch/?p=1192
March 20, 2009

:ph34r: <_< :ph34r:



#147 AplusWebMaster


Posted 26 June 2009 - 06:01 AM

FYI...

SPAM runs exploit celebrity deaths
- http://www.theregist...son_death_spam/
26 June 2009 - "Spammers have wasted no time exploiting the shock death of Michael Jackson to run an email harvesting campaign. Security watchers warn that malware-laced email themed around the death of the King of Pop and Charlie's Angels star Farrah Fawcett, who also died on Thursday, are likely to follow..."

- http://securitylabs....lerts/3426.aspx
06.26.2009
- http://www.virustota...0ce4-1246012313
File michael_1_.gif received on 2009.06.26 10:31:53 (UTC)
...Result: 5/41 (12.20%)
- http://www.virustota...2ff9-1246029869
File Michael.Jackson.videos.scr received on 2009.06.26 15:24:29 (UTC)
...Result: 10/41 (24.39%)

- http://www.sophos.co...oslabs//?p=5035
June 26, 2009

:ph34r: :ph34r:

Edited by AplusWebMaster, 26 June 2009 - 11:41 AM.
Added Websense, Virustotal links...



#148 AplusWebMaster


Posted 28 June 2009 - 03:15 PM

FYI...

MSN IM - Pushdo variant...
- http://blog.trendmic...jacksons-death/
June 26, 2009 - "... a slew of malicious links related to Michael Jackson’s last moments in the hospital before his death are now being proliferated in the wild via the instant messaging (IM) application, MSN... When recipients of such messages click on any of these links, they are then prompted to save a file named PIC-IMG029-www.hi5.com.exe (with the MD5 checksum of 031429fc14151f94c8651a3fb110c19b), instead of being led to an image site or gallery. Initial analysis shows that the said file is a variant of the SDBOT family...
Update - 27 June 2009: The botnet is said to push the templated messages through an IRC to the client to be spammed... The malware responsible for this is detected as WORM_IRCBOT.GAT. It opens a certain port on the affected system then listens for remote commands. Kharouni reports that commands to download certain files are received and executed by the affected system, ultimately leading to the download of a PUSHDO variant. PUSHDO is a botnet responsible for a huge amount of spam activity..."

(Screenshot available at the URL above.)

:ph34r: <_< :ph34r:



#149 AplusWebMaster


Posted 29 June 2009 - 02:01 PM

FYI...

More celebrity malware...
- http://www.f-secure....s/00001709.html
June 29, 2009 - "There have been a couple of malware attacks that have tried to use the news coverage of the death of Michael Jackson as the lure to get people infected. Last night we saw this one: a file called Michael-www.google.com.exe. This file was distributed through a site called photos-google.com and possibly also through photo-msn.org, facebook-photo.net and orkut-images.com. Do not visit these sites. When executed, Michael-www.google.com.exe drops files called reptile.exe and winudp.exe. These are IRC bots with backdoor capability. The file also shows this fake error message..."
(Screenshot available at the F-secure URL above.)

- http://www.sophos.co...m-hits-inboxes/
July 1, 2009 - "... we have encountered a mass-mailing worm that spams out messages with the following characteristics:
Subject: Remembering Michael Jackson
Attached file: Michael songs and pictures.zip
The email, which claims to come from sarah@michaeljackson.com, says that the attached ZIP file contains secret songs and photos of Michael Jackson. Opening the attachment exposes you to infection - and if your computer is hit you will be spreading the worm onto other internet users. Besides spreading via email, the malware is also capable of spreading as an Autorun component on USB memory sticks (an increasingly common trend for malware as use of these devices has become more and more popular). Sophos detects the malware proactively as Mal/ZipMal-B and Mal/VB-AD, and recommends that users of other anti-virus products ensure that their defences are properly updated..."

:ph34r: <_<

Edited by AplusWebMaster, 02 July 2009 - 06:33 AM.



#150 AplusWebMaster


Posted 01 July 2009 - 04:56 PM

FYI...

Torrentreactor site compromised
- http://securitylabs....lerts/3430.aspx
07.01.2009 - "Websense... has detected that Torrentreactor, one of the oldest and most reliable torrent search engines on the Web, has been compromised and injected with malicious code. The site has been injected with an IFrame leading to a site laden with exploits. The exploits on the payload site include Internet Explorer (MDAC) and Microsoft Office Snapshot Viewer, as well as Acrobat Reader and Adobe Shockwave. If the user's browser is successfully exploited, a malicious file is downloaded and run from the exploit site. The malicious file has an extremely low AV detection rate*. The file (MD5: 24bd24f8673e3985fc82edb00b24ba73) is a Trojan Downloader and connects to a Bot C&C server at IP 78.109.29.116. After connecting to the IP, the file downloads a Rootkit installer from the same IP..."
* http://www.virustota...b2b7-1246425266
File rncsys32.exe received on 2009.07.01 05:14:26 (UTC)
Result: 2/41 (4.88%)

- http://www.theregist...reactor_breach/
1 July 2009 - "... The malicious file in the latest compromise communicates with a server at 78.109.29.116, an IP address that web searches suggest has ties to the Russian Business Network..."

:ph34r: <_<

Edited by AplusWebMaster, 02 July 2009 - 06:09 AM.

