
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#226 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 10 January 2010 - 04:57 PM

FYI...

Outlook Web Access SPAM Campaign...
- http://isc.sans.org/...ml?storyid=7918
Last Updated: 2010-01-08 21:57:40 UTC ...(Version: 3) - "... an email campaign targeting OWA users that leads to malware infections... When you review the SPAM, notice the link that is displayed shows it is from our.org but the actual hyper link is to our.org .molendf.co .kr... traced the IP and am blocking it so if others get through the SPAM filter our users will not be able to get to the site... submitted the file to VirusTotal* to see what they found and it is very new..."
* http://www.virustota...1d7b-1262953493
File settings-file.exe received on 2010.01.08 12:24:53 (UTC)
Result: 16/41 (39.02%)

Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
- http://ddanchev.blog...m-campaign.html
UPDATED: January 10, 2010

Don't Update Your Email Settings
- http://www.m86securi...trace.1215~.asp
January 10, 2010

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 26 January 2010 - 12:09 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
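The ISC excerpt in post #226 describes a link whose displayed text names the organisation's own host while the real hyperlink points at that name prepended to a different domain. The check below is an added example, not part of the original post or of the quoted sources; the host names and HTML are constructed, using reserved example domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that names a host, with or without a scheme in front.
HOST_RE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def host_of(text):
    """Return the lower-cased host named by a URL or bare host string, else None."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a message body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify(href, text):
    """Compare the host the reader sees with the host the link really targets."""
    shown = host_of(text)
    actual = (urlsplit(href).hostname or "").lower().rstrip(".")
    if not shown or not actual:
        return "not-comparable"      # link text is not a host, or href has none
    if shown == actual:
        return "match"
    if actual.startswith(shown + "."):
        return "prefix-spoof"        # shown host used as left-hand labels of another domain
    return "mismatch"


def scan_html(body):
    """Return (verdict, visible text, href) for each anchor in an HTML body."""
    parser = AnchorCollector()
    parser.feed(body)
    parser.close()
    return [(classify(h, t), t, h) for h, t in parser.links]


# Constructed sample message body (not taken from the campaign).
SAMPLE = """
<p>Please update your mailbox settings:
<a href="http://mail.example.org.portal-update.example/owa/settings.php">http://mail.example.org/owa/settings</a></p>
<p><a href="https://mail.example.org/owa/">mail.example.org</a> |
<a href="https://help.example.net/">Help desk</a> |
<a href="http://192.0.2.10/x">www.example.org</a></p>
"""

if __name__ == "__main__":
    for verdict, text, href in scan_html(SAMPLE):
        print(f"{verdict:15} shown={text!r} href={href!r}")
```

A mail gateway or triage script would treat "prefix-spoof" as the strongest signal and "mismatch" as one needing an allow-list, since legitimate click-tracking services also rewrite links.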



#227 AplusWebMaster


Posted 11 January 2010 - 10:16 AM

FYI...

Bogus IRS W-2 form leads to malware
- http://blog.trendmic...ads-to-malware/
Jan. 11, 2010 - "... spammers now are capitalizing on the upcoming tax season. Recently, Trend Micro threat analysts found spammed messages purporting to come from the Internal Revenue Service (IRS). The spammed message bears the subject, “W-2 Form update,” and informs users to update the said form because of supposed “important changes.” The W-2 form states an employee’s annual salary and total tax. The spammed message looks normal since the URLs and phone numbers in it are legitimate. This was probably done so users will not suspect anything. It also encourages users to open the attached .RTF file (Update.doc), which is supposed to be the W-2 form. When users open the .RTF file, however, they will see an embedded .PDF file. This supposedly PDF file is actually an .EXE file that uses the PDF icon. This is detected by Trend Micro as BKDR_POISON.BQA. BKDR_POISON.BQA is a component of the Darkmoon Remote Administration Tool (RAT), which enables a malicious user to execute commands on the affected system. Interestingly, this backdoor attempts to connect to a private IP address (192.168.29.1). This may be the attacker’s misconfiguration, or an attack targeting a specific internal network environment... Users are strongly advised not to open any suspicious-looking emails even though they came from a supposedly known source. It is also recommended that users verify with IRS if the email they received is legitimate or not..."

(Screenshots available at the TrendMicro URL above.)

- http://www.viruslist...logid=208188001
January 07, 2010

- http://www.us-cert.g...of_online_scams
January 13, 2010 - "... The U.S. Internal Revenue Service has issued a news release* on its website warning consumers about potential scams. These scams are circulating via fraudulent email or other online messages appearing to come from the IRS. They attempt to convince consumers to reveal personal and financial information that can be used to gain access to bank accounts, credit cards, and other financial institutions..."
* http://www.irs.gov/n...=217794,00.html

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 14 January 2010 - 11:47 AM.



#228 AplusWebMaster


Posted 13 January 2010 - 07:12 AM

FYI...

40 trillion SPAM messages were sent in 2009...
- http://www.symantec....-spam-explosion
January 12, 2010

(Interesting 2001-2009 Growth chart available at the URL above.)


:( :ph34r:



#229 AplusWebMaster


Posted 14 January 2010 - 07:14 AM

FYI...

Banker Scams - SPAM...
- http://blog.trendmic...w-spam-victims/
Jan. 14, 2010 - "Two new spam campaigns spreading variants of the BANKER family of identity-stealing Trojans have recently emerged. The first campaign features spammed messages containing malicious links to supposed pictures. Once clicked, however, users ended up with TSPY_BANKER.OCN infections. This campaign made use of standalone files... The second campaign was more elaborate, as the involved malware (detected as TSPY_BANKER.MTX) had two components - one steals banking-related information while the other steals email account information... Both campaigns may, however, be related, as the information they steal from users end up in drop zones that are hosted on the same Web server:
* {BLOCKED}unicaobr .com/phps/procopspro .php
* {BLOCKED}unicaobr .com/working/lisinho .php
Looking for more details on webcomunicaobr .com revealed the following details:
IP: 69.162.102.130 Hosted in the USA
ASN: AS46475 LIMESTONENETWORKS Limestone Networks Inc. Primary ASN
ns1 .brasilrevenda .com
ns2 .brasilrevenda .com
Digging a little bit deeper still, three interesting pages cropped up that revealed the number of systems each contracted spammer has infected so far... a list of PHP servers where stolen information is sent... and a list of files that contained encrypted information downloaded by infected hosts..."

(Screenshots available at the TrendMicro URL above.)

:ph34r: <_< :ph34r:



#230 AplusWebMaster


Posted 14 January 2010 - 04:45 PM

FYI...

Rogue AV exploits Haiti earthquake
- http://isc.sans.org/...ml?storyid=7987
Last Updated: 2010-01-14 18:45:02 UTC - "Just when you think they couldn't possibly go any lower ... The bad guys behind the Rogue AV scam (see my old diary at http://isc.sans.org/...ml?storyid=7144 about Rogue AV) are heavily using SEO techniques to make links to their sites appear high on search engines. For example, when using Google to search for "haiti earthquake donation" top 6 hits (!) lead to compromised web sites which in turn check the referrer (they verify if you are coming from a search engine) and, if that is true, redirect you to another web site... At the moment they are redirecting to scan-now24 .com which appears to be taken down. As posted on numerous places yesterday – if you plan on donating be very careful about sites you visit."

- http://www.us-cert.g...hishing_attacks
January 14, 2010

- http://www.fbi.gov/p...quake011310.htm
January 13, 2010

- http://sunbeltblog.b...edirect-to.html
January 14, 2010 - "We continue to find hacked sites popping up on web searches for Haiti relief donations-related strings. Among other things, we’ve found a rogue security product being pushed. VIPRE detected that one as Rogues.Win32.FakeVimes... sites all -redirect- to scan-now24 .com (registered Dec. 28), which we recommend blocking..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 15 January 2010 - 10:37 PM.



#231 AplusWebMaster


Posted 21 January 2010 - 11:21 PM

FYI...

Targeted e-mail examples relating to MS IE 0-day CVE-2010-0249
- http://securitylabs....lerts/3536.aspx
01.21.2010 - "Websense... has reports that emails linking to malicious web-based exploit code that utilizes the vulnerability CVE-2010-0249 have been sent to organizations in a targeted manner since December 2009, and the attack is still on-going. This same vulnerability was used to target Google, Adobe, and approximately 30 other companies in mid-December 2009.... Investigation has so far lead to the conclusion that these targeted attacks appear to have started during the week of 20 December 2009, and are on-going to government, defence, energy sectors and other organizations in the United States and United Kingdom. Within the malicious emails the sender's domain is spoofed to match the recipient's domain making the targeted emails more convincing to the recipient. The malicious executables that are delivered by the exploit code include hxxp ://cnn[removed]/US/20100119/ update.exe or hxxp ://usnews[removed]/ svchost.exe. These exhibit traits of an information-stealing Trojan with Backdoor capabilities. As of today only 25% of AV vendors protect against the payload according to this VT report*. Example email subjects include:
"Helping You Serve Your Customers"
"Obama Slips in Polls as Crises Dominate First Year as President"
"2010 ***** Commercial SATCOM"
"The Twelve Days of Christmas" ...
* http://www.virustota...d797-1264090078
File update-exe-.txt received on 2010.01.21 16:07:58 (UTC)
Result: 11/41 (26.83%)

>>> http://forums.whatth...=...st&p=626675

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 21 January 2010 - 11:38 PM.



#232 AplusWebMaster


Posted 25 January 2010 - 06:38 AM

FYI...

40% of a month’s malware - Troj/JSRedir-AK
- http://www.sophos.co...abs/v/post/8338
January 25, 2010 - "It has been a month since we added detection for Troj/JSRedir-AK* and figures generated today show that over 40% of all web-based detections have been from this malicious code. Translating the numbers into a more human comprehensible form: 1 site every 15 secs was being detected as Troj/JSRedir-AK. The affected sites include well-known names, including:
• Energy Companies
• Retail Companies
• Automobile Club
• Hotels
...Using the JavaScript .replace the malware deobfuscates itself and dynamically writes an iframe point to a Russian website on port 8080 which serves up scripts detected as Troj/Iframe-DL. This new script will write an iframe that will attempt to load a PDF (detected as Troj/PDFJs-FY) and a file claiming to be a JPG (detected as Exp/VidCtl-A). These then will install various other malware. Troj/JSRedir-AK is a continuation of the Gumblar gang’s exploits using Russian domains instead of Chinese ones... very similar to the one we saw for Troj/JSRedir-R and the infection mechanisms seem to be the same (i.e. FTP credentials)."

(Interesting graph available at the URL above.)

* http://www.sophos.co...jjsredirak.html
"More Info... Troj/JSRedir-AK will redirect the web browser to other malicious websites."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 25 January 2010 - 06:56 AM.



#233 AplusWebMaster


Posted 26 January 2010 - 01:13 PM

FYI...

Q4 '09 web-based malware data and trends
- http://blog.dasient....and-trends.html
January 26, 2010 - "... the way malware is being distributed is undergoing a fundamental shift, with more attackers focusing on "drive-by downloads" from legitimate sites that have been compromised, or from sites designed specifically for malicious purposes. In nearly all the variations on this kind of attack, no user action is required for the infection to occur, beyond loading the site in a browser - and there are very few signs that malicious code has been downloaded... Based on the telemetry data we've gathered from the web, we estimate that more than 560,000 sites and approximately 5.5 million pages were infected in Q4'09, compared with more than 640,000 sites and 5.8 million pages in Q3'09. By the end of the year, we had identified more than 100,000 web-based malware infections... we saw a more significant drop in the number of infected sites than we did in the number of infected pages because each infection tended to spread to a larger number of pages on each site... more than four of every 10 sites infected in the quarter were reinfected within a space of three months... the file names most often used in drive-by downloads included things like "setup.exe," "update.exe" (which was used in the Google attack), and "install_flash_player.exe"... In previous years, a drive-by download would often initiate 10 or more extra processes, ostensibly in an attempt to maximize the return from each infected endpoint. In response, the search providers and anti-virus vendors who scan the web for infected sites began using the number of extra processes initiated as a signal that the webpage might be malicious. But in Q4'09, the average number of extra processes initiated was just 2.8 -- enough for a downloader and perhaps one or two pieces of malware. Clearly, attackers are getting smarter about the way they structure their attacks, opting for a smaller fingerprint on an infected machine in exchange for a greater likelihood of evading detection..."

:ph34r: <_<

Edited by AplusWebMaster, 26 January 2010 - 01:35 PM.



#234 AplusWebMaster


Posted 27 January 2010 - 06:28 AM

FYI...

Death hoax from hacks - actor Johnny Depp
- http://blog.trendmic...99s-death-hoax/
Jan. 27, 2010 - "News involving celebrity deaths (real or hoax) have a habit of spreading across the Internet like wildfire, sensationalizing bits of information to entice readers. So, it is easy to see why pranksters and cybercriminals exploit the fact that people love gossip. So when rumors of Johnny Depp’s supposed death due to a car crash broke out, it did not take long before cybercriminals took advantage of the supposed reports to spread malware via their usual blackhat search engine optimization (SEO) tactics... While most hoaxes come in the form of spammed messages, this particular scam involved the creation of several malicious sites where rigged search results led to, which led curious readers to system infections rather than to more information on Depp’s alleged death... Once users click the embedded links, however, they will be redirected to a video entertainment site that claims to host footage of Depp’s accident... Upon playing the supposed video, users will be prompted to download a codec in order to watch it, which is actually a malicious file detected by Trend Micro as TROJ_DLOADER.GRM. When executed, TROJ_DLOADER.GRM connects to a remote site to download a malicious file. It then displays a professional-looking graphical user interface (GUI) promoting a bogus software called DriveCleaner 2006 before opening a window that shows the software—an executable file—installation’s progress... never underestimate the speed at which an Internet hoax spreads. Whether seasoned Web surfer or first timer, it does not matter, it is always advisable to keep your guard up. Cybercriminals want profit. So, the more successful an attack, the more money they make..."

(Screenshots available at the URL above.)

:ph34r: <_<



#235 AplusWebMaster


Posted 27 January 2010 - 07:07 PM

FYI...

Top 50 - Badware - by number of reported URLs
- http://stopbadware.org/reports/asn
Daily Change ...

How to interpret this data
- http://stopbadware.o...ion#asn_reports

Sample chart
- http://stopbadware.o...ports/asn/15169

Google Diagnostics
- http://www.google.co...c?site=AS:15169
"Of the 723306 site(s) we tested on this network over the past 90 days, 6982 site(s), including, for example, mkdorrjvb.blogspot.com/, denisa8357.blogspot.com/, miriam8998.blogspot.com/, served content that resulted in malicious software being downloaded and installed without user consent..."

:ph34r: :ph34r:



#236 AplusWebMaster


Posted 01 February 2010 - 10:55 AM

FYI...

Valentine’s Day SPAM/scams begin...
- http://blog.trendmic...-from-spammers/
Feb. 1, 2010 - "February has already begun, which means Valentine’s Day is close at hand. As usual, spammers will definitely hype up their malicious activities. It is only the first day of the so-called “love month” but we have already seen at least two SPAM samples leveraging one of the most-celebrated special occasions when people flock to websites that advertise gifts they can give to their loved ones... Every special occasion and/or holiday is, in today’s threat-laden Internet landscape, not just a time for people to celebrate but also a time for spammers to scam unwitting users with their devious scams... Spammed messages come in many forms and with varying payloads, some redirect users to sites that sell anything and everything under the sun, most especially pharmaceutical and replica items; some lead to links to malicious or malware-ridden sites; some lead to sites that advertise bogus promotions; and some carry malware as attachments..."

(Screenshots available at the URL above.)

:ph34r: <_<



#237 AplusWebMaster


Posted 01 February 2010 - 04:58 PM

FYI...

Google Job app - malicious response
- http://securitylabs....x?cmpid=slalert
2/1/2010 - "Websense... has discovered a new malicious spam campaign that spoofs Google job application responses. The messages look very well written and are so believable that they are probably scrapes from actual Google job application responses. Typically, spam has grammatical errors or spelling mistakes that make the messages obviously unofficial and act as red flags. The text of these messages, however, has no such mistakes, making them much more believable - especially if the target really has applied for a job with Google. The From: address is even spoofed to fool victims into believing the message was sent by Google. The messages have an attached file called CV-20100120-112.zip that contains a malicious payload. This is where the message gets suspicious, because the contents of the .zip file have a double extension ending with .exe. The attackers attempt to hide the .exe extension by preceding it with .html or .pdf, followed by a number of spaces and then the .exe extension. The .exe file (SHA1:80366cde71b84606ce8ecf62b5bd2e459c54942e) has little AV coverage* at the moment..."
* http://www.virustota...7440-1265043648
File document.htm_____________________ received on 2010.02.01 17:00:48 (UTC)
Result: 10/40 (25.00%)

(Screenshot available at the Websense URL above.)

:ph34r: <_<

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
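The Websense excerpt in post #237 describes archive members whose names carry a document extension, a run of spaces, and then the real .exe extension. The filter below is an added example, not part of the original post or of the quoted sources; the extension lists beyond .html, .pdf and .exe, the treatment of underscores as padding, and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Extensions Windows will execute. Only .exe is named in the post; the rest are assumed.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Extensions used as a decoy. .html and .pdf are named in the post; the rest are assumed.
DECOY = {".html", ".htm", ".pdf", ".doc", ".rtf", ".txt", ".jpg"}

# decoy extension, optional padding (whitespace or underscores), real extension at the end
PATTERN = re.compile(r"(\.[A-Za-z0-9]{2,5})([\s_]*)(\.[A-Za-z0-9]{2,4})\s*$")


def check_name(name):
    """Return a finding dict if the file name hides an executable extension, else None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    m = PATTERN.search(base)
    if not m:
        return None
    decoy, padding, real = m.group(1).lower(), m.group(2), m.group(3).lower()
    if real in EXECUTABLE and decoy in DECOY:
        return {"name": name, "decoy": decoy, "real": real, "padding": len(padding)}
    return None


def scan_zip(data):
    """Inspect every member name of a ZIP held in memory; member bodies are never run."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        findings = (check_name(n) for n in archive.namelist())
        return [f for f in findings if f]


def build_sample_zip():
    """Constructed attachment: one padded double-extension member and two benign ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("document.html" + " " * 40 + ".exe",
                         b"constructed placeholder, not a real binary")
        archive.writestr("readme.txt", b"constructed")
        archive.writestr("photos/holiday.jpg", b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(f"{finding['decoy']} + {finding['padding']} pad chars + {finding['real']}: "
              f"{finding['name']!r}")
```

Any padding length above zero is the stronger signal, because the padding exists only to push the real extension out of view in a file listing.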


#238 AplusWebMaster


Posted 02 February 2010 - 04:40 PM

FYI...

Twitter mass password reset due to phishing
- http://isc.sans.org/...ml?storyid=8137
Last Updated: 2010-02-02 21:47:04 UTC - "Twitter is sending out a large number of e-mails, asking users to reset their passwords. It appears a large number of passwords got compromised in a recent phishing incident (mine included). When I received the message at first, I considered the e-mail a phishing attempt in itself. But all the links appeared to be "good". If you receive an e-mail like this, I recommend the following procedure:
1. delete the e-mail
2. go to twitter by entering the link in your browser. Best:
use https://www.twitter.com (httpS not http)...
3. change your password.
4. do not reuse the password, do not use a simple password scheme (like "twitterpassword" and "facebookpassword")
I know it is hard. A lot of people will advice against writing the password down, or using a "password safe" application. But considering the risks, I am tend to advise people to rather write down the passwords or use a password safe application compared to using bad / repeating passwords."

Reason #4132 for Changing Your Password
- http://status.twitte...g-your-password
Feb. 2, 2010 - "... We strongly suggest that you use different passwords for each service you sign up for; more information on how to keep your Twitter account safe can be found here: http://twitter.zende...1/entries/76036 ."

:ph34r: <_<

Edited by AplusWebMaster, 03 February 2010 - 01:50 PM.



#239 AplusWebMaster


Posted 04 February 2010 - 09:55 AM

FYI...

Q3-Q4 2009 - Malware in more than 1 in 10 Search Results...
- http://preview.tinyurl.com/yadn9uj
Feb 04, 2010 - "The second half of 2009 saw malware authors focus their efforts to ensure they drove victims straight to them. In contrast to the first half of the year where mass injection attacks like Gumblar, Beladen and Nine Ball promoted a sharp rise in the number of malicious Web sites, Websense Security Labs observed a slight (3.3 percent) decline in the growth of the number of Web sites compromised. Instead, attackers replaced their traditional scattergun approach with focused efforts on Web 2.0 properties with higher traffic and multiple pages. Over the six month period, Search Engine Optimization (SEO) poisoning attacks featured heavily, and Websense Security Labs research identified that 13.7 percent of searches for trending news/buzz words lead to malware. In addition, attackers continued to capitalize on Web site reputation and exploiting user trust, with 71 percent of Web sites with malicious code revealed to be legitimate sites that had been compromised... During the second half of 2009 Websense Security Labs discovered:
• 13.7 percent of searches for trending news/buzz words (as defined by Yahoo Buzz & Google Trends) lead to malware
• 95 percent of user-generated comments to blogs, chat rooms and message boards are spam or malicious
• 35 percent of malicious Web attacks included data-stealing code
• 58 percent of data-stealing attacks are conducted over the Web
• 85.8 percent of all emails were spam
• an average growth of 225 percent in malicious Web sites ..."

:ph34r: <_< :ph34r:



#240 AplusWebMaster


Posted 07 February 2010 - 03:29 PM

FYI...

Fake Firefox update site pushes adware
- http://www.infosecur...adware/126.aspx
03/02/2010 - "Since its’ release on January 21st, the newest version of the Firefox web browser has received a great deal of attention. In just a short time it has achieved over 30 million downloads. Adware pushers are capitalizing on the success of Firefox, packing ad serving software in with the program in an effort to increase their reach. Purveyors of spyware and adware will try to take advantage of well known programs, illegitimately bundling their software into the install of the popular software. These programs are also commonly referred to as Potentially Unwanted Programs (PUPs) whose content is not necessarily malicious, but is almost never wanted by the user. These types of software are often used to collect information about the user without the users’ knowledge or consent. The latest example is found on the fake Firefox download site... (screenshot at the URL above). The page is cleverly disguised with the appearance of a legitimate Firefox download site and could easily fool many users hoping to upgrade... Taking a closer look reveals clues to the fraudulent page. While the page advertises version 3.5 the newest version is actually 3.6. There are also misspellings such as “Anti-Pishing” in the title of the security section. Victims of this scam install the “Hotbar” toolbar by Pinball Corp, formerly Zango. Not only are users subject to the annoying toolbar, they're also barraged with pop-up ads and host to a new Hotbar weather application running in the system tray... Users looking to upgrade Firefox should go to the real download site at http://getfirefox.com ..."

- http://www.theregist...refox_download/
3 February 2010

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 08 February 2010 - 06:52 AM.
