
SPAM frauds, fakes, and other MALWARE deliveries...



#211 AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 18 November 2009 - 07:12 AM

FYI...

Payment Request SPAM contains malware
- http://blog.trendmic...ntains-malware/
Nov. 18, 2009 - "TrendLabs researchers received spammed messages purporting to have come from various companies such as eBay, J.P. Morgan Chase and Co., and Colgate-Palmolive, among others. The email bore the subject, “Payment request from,” and informs users about a certain recorded payment request... The spammed message even gave users two options—to either ignore the email if the payment request has been made or to download the attached .ZIP file and install the inspector module to decline the said payment request. If the user does not make any transaction, he/she still needs to download the attachment just to cancel the payment request. The attached .ZIP file is, of course, not an inspector module but an .EXE file (module.exe) detected by Trend Micro as TROJ_AGENTT.WTRA. Users are advised to be wary before opening -any- attached files even if they come from known sources. It is also best to verify emails you receive from any company first just to be sure it is legitimate..."

(Screenshots available at the URL above.)

:ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#212 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 21 November 2009 - 06:09 AM

FYI...

FDA targets online pharmacy counterfeits
- http://www.theregist...harmacy_action/
20 November 2009 - "The US Food and Drug Administration said it has completed a sweep of illegal online pharmacies that targeted 136 websites that appeared to be illegally selling drugs to American consumers... Websites peddling Viagra, steroids and other pharmaceuticals have emerged as a major source of spam over the past few years. In addition to clogging inboxes, the sites can put customers' health at risk because the drugs are frequently counterfeits. According to a study released in August, almost 90 percent of online drugstores advertised on Microsoft's Bing search engine violated federal and state laws... The FDA said the notices* sent to service providers and registrars may give them grounds to terminate service to their customers."
* http://www.fda.gov/N...s/ucm191330.htm

> http://www.fda.gov/F...s/ucm048396.htm

- http://forums.whatth..._...st&p=611190

:rant2: :ph34r:

Edited by AplusWebMaster, 21 November 2009 - 06:25 AM.



#213 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 25 November 2009 - 05:05 PM

FYI...

SPAM/phish/malware Zbot all-in-one
- http://www.pcgenius....malware-attack/
November 24, 2009 — "Email security experts at Red Condor issued a warning about the latest spam campaign that contains a phishing ploy and a malware threat. The email requests that recipients click on a link in the body of the email to update the “security mode” of their email box. Users that click on the link are taken to a web site that recommends that they update to the latest version of the Macromedia Flash Player by downloading “flashinstaller.exe.” The executable is actually a banking Trojan that is known to disable firewalls, steal sensitive financial data and provide hackers with remote access capabilities. The malware is more commonly known as Win32:Zbot-MGA (Avast), W32/Bifrost.C.gen!Eldorado (F-Prot), PWS-Zbot.gen.v (McAfee) or PWS:Win32/Zbot.gen!R (Microsoft). The spam campaign was detected late on November 20, 2009, and within the first six hours, Red Condor had blocked more than 500,000 emails..."

:ph34r:



#214 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 25 November 2009 - 08:47 PM

FYI...

SSA phishing messages link to malicious code
- http://www.us-cert.g...ting_via_social
November 24, 2009 - "US-CERT is aware of public reports of malicious code circulating via phishing email messages that appear to come from the Social Security Administration. The messages indicate that the users' annual Social Security statements may contain errors and instruct users to follow a link to review their Social Security statement. If users click this link, they will be -redirected- to a seemingly legitimate website that prompts them for their Social Security number. If users enter their Social Security number and continue to the next page, they will be given an option to generate a statement. If users attempt to generate a statement, malicious code may be installed on their systems. This malicious code attempts to collect online banking traffic to gain access to the users' bank accounts..."

- http://www.m86securi...trace.1188~.asp
Screenshots...

:ph34r:



#215 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 27 November 2009 - 07:49 AM

FYI...

Another ZBOT SPAM run
- http://blog.trendmic...-zbot-spam-run/
Nov. 27, 2009 - "... another ZBOT spam campaign. The emails bear subjects such as “your photos” and “some jerk has posted your photos.” They inform the recipients that someone has posted their photos without their permission on a site and has sent the link to their friends. The recipient is intended to believe that the “sender” is acting as a “good samaritan,” emailing the one who supposedly posted the said pictures. The URL, of course, points to a website that distributes a malware detected by Trend Micro as TSPY_ZBOT.CJA... When executed TSPY_ZBOT.CJA connects to several websites to download another malicious file detected as TROJ_DROPR.KB. The spyware also has rootkit capabilities that enable it to hide its processes. ZBOT/ZeuS is one of the most notorious botnets with regard to identity, financial, and information theft. Users are strongly advised not to open emails from unknown sources..."

(Screenshots available at the URL above.)

:ph34r: :ph34r:

Edited by AplusWebMaster, 27 November 2009 - 10:24 AM.



#216 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 30 November 2009 - 09:06 AM

FYI...

Koobface using Christmas theme
- http://securitylabs....lerts/3505.aspx
11.30.2009 - "Websense... has discovered that the Koobface malware campaign is now using a Christmas theme. Recent developments by Koobface have included use of Google Reader. The Koobface Web site offers a video posted by 'SantA'. The usual ruse of requiring a codec to watch the video is used, to encourage the user to install and run a file called setup.exe (SHA1:a2046fc88ab82abec89e150b915ab4b332af924a). This file is currently detected by 16 out of 41 antivirus products according to VirusTotal*. On the compromised Facebook page the user is presented with a link to ch[removed]cher .ch which is a compromised site in Switzerland. The user is -redirected- to one of several Koobface Web sites through a malicious Flash movie file hosted on the compromised site. If the user runs the infected file, the worm will automatically login to their Facebook, Myspace, and several other social networking sites and send messages to all their friends..."
* http://www.virustota...48af-1259587988
File setup.exe received on 2009.11.30 13:33:08 (UTC)
Result: 16/41 (39.02%)

(Screenshots available at the Websense URL above.)

:ph34r: :ph34r:



#217 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 02 December 2009 - 05:27 AM

FYI...

Zeus bot SPAM fakes CDC request
- http://www.symantec....tches-swine-flu
December 1, 2009 - "... the Zeus bot crew... latest offering comes in the guise of an email purporting to come from the CDC (Center for Disease Control). The email contains a link to a bogus Web page that is made to look like an official CDC page... The content of the page asks you to create a profile that will then enable you to get the H1N1 flu vaccine... The subject lines used in the emails are quite variable; for example, the following have been seen:
• Instructions on creation of your personal Vaccination Profile
• Governmental registration program on the H1N1 vaccination
• Your personal Vaccination Profile
The domain used in these email links has the format of online.cdc.gov.[RANDOM CHARS].[TLD NAME].im
For example:
• online.cdc.gov.yhnbad.com.im
• online.cdc.gov.yttt4r.org.im
• online.cdc.gov.yhnbam.co.im
As is usually the case with these campaigns, the URL that is supposed to be a document actually leads to an executable file. This one is named vacc_profile.exe* and is detected by Symantec as Infostealer.Banker.C. Incidentally, the URL is also “personalized” with the email address of the recipient to make it look that little bit more authentic and less like mass-mailed spam..."

(Screenshots available at the Symantec URL above.)

- http://ddanchev.blog...-swine-flu.html
December 02, 2009

* http://www.virustota...c227-1259719511
File vacc_profile.exe received on 2009.12.02 02:05:11 (UTC)
Result: 14/41 (34.15%)

- http://www.threatexp...d12da03f4f376ad
1 December 2009

- http://www.us-cert.g...ign_circulating
December 2, 2009

:ph34r:

Edited by AplusWebMaster, 02 December 2009 - 03:21 PM.



#218 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 10 December 2009 - 01:12 PM

FYI...

Malware - Facebook pwd reset SPAM
- http://isc.sans.org/...ml?storyid=7729
Last Updated: 2009-12-10 18:09:17 UTC - "... email today purporting to be from Facebook, which of course had an attachment. The file was Facebook_Password_833fd.zip*, which unzipped to be Facebook_Password_833fd.exe. The zip file is in fact a zip file, and the exe is in fact MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit (according to the file command). The subject line is "Facebook Password Reset Confirmation. Customer Support"... Which is an attempt to get you to first open the attachment, unzip the file, and then run the executable content... First set of Virustotal results were 20/41 today at 01:30:12 (UTC) https://www.virustot...b322-1260408612 when I ran it again at 17:49:06 (UTC) they were up to 26/41 detection. It is a dropper which subsequently downloads and executes other badness.
Facebook does not send out passwords in attached files. If you have forgotten your password on Facebook reset it here: http://www.facebook.com/reset.php if you cannot login to your account (someone else has taken it over) go to this page: http://www.facebook....php?topic=login, which also has this advisory on it:
"Fake password reset emails
Some users have received fake password reset emails with attachments that contain viruses. Do not click on these emails or download the attachment. Also, please note that Facebook will -never- send you a new password as an attachment. To learn more visit our Security page:
http://www.facebook.com/security ..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 10 December 2009 - 01:15 PM.



#219 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 12 December 2009 - 03:44 PM

FYI...

Phish for FTP pwd's...
- http://www.symantec....ftp-credentials
December 11, 2009 - "... attackers are targeting the FTP credentials of websites. The messages appear to come from various trusted Web hosting providers. So far we have observed that users of over 100 Web hosting providers are being targeted by this attack. The attackers ask users to click on the link provided in the spam message, which will lead the users to open an “FTP access confirmation” page where the FTP credentials of the recipients are stolen. Attackers use a phishing cPanel page to do this (cPanel* is a Web hosting administration tool)... The phishing URL contains a user’s email address and the domain name of a Web hosting service provider. Once FTP credentials are entered and submitted by clicking the “Confirm FTP Access” button, users are directed to their hosting site that is specified in a “service=” tag. Example:
http ://cpanel.[removed]. me.uk/scripts/cpanel-ftp-confirmation.php?session=[removed]&email=[removed]&service=[hosting domain name]
Giving up FTP details may lead to a further loss of confidential data, the hosting of illegal websites (child pornography sites, phishing sites, etc.), and/or delivery of malware to the victim's computer by the attacker..."
* http://www.cpanel.net/

:ph34r:

Visa targeted by ZBOT phish/SPAM
- http://blog.webroot....-zbot-phishers/
December 11, 2009 - "... targeting Visa with a fake email alert that leads to a page hosting not only a Trojan-Backdoor-Zbot installer, but that performs a drive-by download as well. This is the second time in less than a month that malware distributors have targeted Visa... we saw a similar scam involving links to bunk Verified By Visa Web pages... malware distributors are using fraudulent transaction warnings as a method to infect users with a keylogger capable of stealing their credit card information when the victim enters it into a shopping Web site, but Visa doesn’t issue these kinds of warnings—the Visa-card-issuing bank warns customers of suspected fraud themselves, and they never do anything with that level of urgency via email... As in earlier iterations of this scam, Zbot isn’t just interested in transaction details or Website logins. Zbot also steals the login credentials for virtually every Windows FTP client application — the tools that Web designers and other website administrators use to upload files to Web sites. FTP logins are far more valuable, because it gives the malware distributors another means to spread their code onto the Web. If you’ve been wondering why so many otherwise legitimate Web sites seem to be getting hacked, and having malicious code uploaded to Web sites belonging to small businesses, private individuals, and others, this is why: Zbot is taking those passwords, and handing them off to people who trade not only in malicious code, but in abusing the good reputations of legitimate Website owners or the people who help manage them.
Don’t be a victim: Don’t follow the link in the message. Don’t download the “statement” on the page. If you see a page that looks like the screen above*, immediately kill your browser and scan your computer for Zbot. The drive-by download component of this scam means you could be infected merely by visiting the page using a vulnerable browser. Most importantly, if you suspect a credit card fraud report email may be real, pick up the telephone and call the number on the back of your card."
* Screenshot available at the Webroot URL above.

- http://www.m86securi...trace.1207~.asp
December 14, 2009

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 15 December 2009 - 05:03 AM.



#220 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 15 December 2009 - 11:42 AM

FYI...

ZBOT targets Facebook again (with SPAM)
- http://blog.trendmic...facebook-again/
Dec. 15, 2009 - "ZBOT has currently been spotted engaging in another spam run targeting Facebook yet again. By clicking the link embedded in the email, users will land on a Facebook phishing page. This time, however, the phishing page contains an iframe that points to a Web exploit toolkit. This exploit toolkit can deliver a variety of exploits, depending upon the user’s browser and OS. For users of Firefox, the toolkit will push a .PDF file (detected by Trend Micro as TROJ_PIDIEF.PAL) to exploit a known vulnerability in Collab.getIcon. If the user is not infected via the exploit toolkit, ZBOT is still left with the social engineering aspect. After a user enters credentials into the phishing page, the user is led to a download page of updatetool.exe -or- the ZBOT binary (detected as TSPY_ZBOT.CCB)..."
(Screenshot available at the URL above.)

DHL - SPAM appears to have come from known courier DHL
- http://blog.trendmic...gifts-old-spam/
Dec. 15, 2009 - "BREDOLAB set out on a spam rerun just in time for the holidays. This recent run is similar to the laptop delivery note spam run we reported in August. This time, however, the spammed message appears to have come from known courier, DHL. The spammed message makes it appear as though the users have received a notification from DHL, alerting them about an error in shipping a certain package. The message also prompts the users to open an attached file. The attached file DHL_package_label_cfb35.exe is detected as TROJ_BREDOLAB.CB. The dynamics of this spam run, although relatively old and simple, could still pack a punch, especially now that we are well within that part of the holiday season where most people do their gift shopping. People who may have purchased a laptop online and are expecting it to come through the mail are prone to being victimized by this attack..."
(Screenshot available at the URL above.)

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 15 December 2009 - 11:44 AM.




#221 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 26 December 2009 - 09:23 AM

FYI...

SPAM - Christmas e-cards...
- http://blog.trendmic...-from-spammers/
Dec. 25, 2009 - "Spammers are clearly putting the holidays to (their) good use, as they have made Christmas just another reason to spread malware. Trend Micro threat analysts recently received a spammed message purporting to come from 123greetings.com, a legitimate site that users can access to send e-cards to family and friends. The email message even sported the site’s logo... However, upon further investigation of the spammed message’s header, we noticed that the sender’s IP address did not match that of the legitimate 123greetings.com site... The spammed message urges the user to download and open the .ZIP file attachment, which is actually an .EXE file detected by Trend Micro as WORM_PROLACO.Z, in order to view the greeting card... To keep your system malware-free this festive season, do -not- open unsolicited email messages..."

(Screenshots available at the URL above.)

:ph34r: <_< :ph34r:



#222 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 29 December 2009 - 04:22 PM

FYI...

Fox Sports site - injected with malicious code
- http://securitylabs....lerts/3516.aspx?
12.29.2009 - Malicious Web Site / Malicious Code - "Websense... has detected that the Fox Sports site has been compromised and injected with malicious code... Our research shows that the site has been injected with two pieces of malicious code. One of them is the latest Gumblar campaign, and the other redirects individuals to a malicious Web site, whose link was unreachable at the time of this alert. The ThreatSeeker Network has detected that thousands of Web sites have been compromised by the latest Gumblar campaign. The Gumblar page is highly obfuscated. After deobfuscation, the page uses PDF and Flash exploits to run malware in order to control a victim's computer. In addition, a piece of VBScript is executed to download malware..."

(Screenshots available at the Websense URL above.)

:ph34r: <_< :ph34r:



#223 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 01 January 2010 - 11:26 PM

FYI...

New year related malware...
- http://www.f-secure....s/00001847.html
December 31, 2009 - "The first signs of New Year malware for this year were already sighted a while back, but the current one we're seeing in circulation wishes "Happy New Year 2010" and points to a fast flux domain site which serves up Trojan-Downloader:W32/Agent.MUG. This particular trojan will try to install further malware, though the content it's pointing to seems to not yet be online, at least at the time of this post. Be careful when reading electronic happy New Year's wishes also this year..."

:ph34r: <_< :ph34r:



#224 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 05 January 2010 - 10:53 AM

FYI...

SCAM spreading on Facebook and SEO...
- http://securitylabs....lerts/3518.aspx?
01.05.2010 - "Websense... has discovered several spam messages on Facebook that trick the user into visiting BINSSERVICESONLINE(dot)INFO. When the link in the message is clicked, the Web site -redirects- the user to an online scam site similar to the one we published in the blog Google Scam Kits* in mid-December. The use of Facebook to distribute links that lead to Google scam kits is fairly new, and is sure to trick some users into buying the kits. A lot of users have apparently received this message, as it quickly became a popular search string on Google. As we've seen in the past, there are criminal groups monitoring the popular search terms on Google and other search engines to start their own malicious attacks, so it didn't take long until we started seeing Google search results for BINSSERVICESONLINE leading to rogue AV products. Note that the two attacks are done by separate groups of criminals. One group started the spam attacks on Facebook and another started manipulating Google results..."
* http://securitylabs....Blogs/3512.aspx

(Screenshots available at the Websense URL above.)

:ph34r: <_< :ph34r:



#225 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 08 January 2010 - 04:59 PM

FYI...

Rogue AV - Data Doctor 2010 encrypted files...
- http://sunbeltblog.b...d-files-we.html
January 06, 2010 - "Our analyst Dimiter Andonov has developed a tool to decrypt files encrypted by Data Doctor 2010 that at least one blog reader found very useful:
http://www.sunbeltse.../DownLoads.aspx
Update 01/07:
We've just posted a page with detailed directions for using the Data Doctor 2010 file decrypter:
http://www.sunbeltse.../DownLoads.aspx ..."

- http://www.f-secure....s/00001850.html
January 8, 2010

:ph34r: <_< :ph34r:

