2072 replies to this topic

[AplusWebMaster]

FYI...

Gmail phish...
- http://www.f-secure....s/00001876.html
February 8, 2010 - "... be aware of e-mails purportedly from Gmail administrators. One of our Fellows recently received a message from "The Google Mail Team" asking users to verify their account details to combat "anonymous registration of accounts"... The reply-to address is listed as 'verifyscecssze@gmail.com', which obviously isn't an official Gmail admin account. Meanwhile, the domain name gmeadmailcenter .com is registered to a Catholic church in Michigan. Just your typical phishing type message really. Gmail users who receive this e-mail can report it to the (real) Gmail team using the 'Report phishing' option in their account, or just delete it."

More phishing notes today (Screenshots provided at both URLs below):

- http://blog.trendmic...re-login-pages/
Feb. 8, 2010

- http://blog.trendmic...stomers-beware/
Feb. 8, 2010

Edited by AplusWebMaster, 08 February 2010 - 10:21 AM.

[AplusWebMaster]

FYI...

Zeus Campaign Targeted Government Departments
- http://securitylabs....x?cmpid=slalert
02.08.2010 - "Websense... has discovered a new Zeus campaign (a banking data stealing Trojan) which is now targeting government departments. Our research shows that the campaign has especially targeted workers from government and military departments in the UK and US: we found most victims' email addresses end with .gov... thousands of emails which pretend to be from the National Intelligence Council. The email subjects include:
"National Intelligence Council"
"RE: National Intelligence Council"
"Report of the National Intelligence Council"
The spoofed emails lure victims to download a document about the "2020 project"; this is actually a Zeus bot. The Web sites which host the bot look very trustworthy: one of them is a compromised organization Web site and the other is located on a popular file hosting service. The bot has rootkit capabilities and connects to C&C servers at update*snip* .com and pack*snip* .com to report back on a successful infection and to download some archives with DLLs, it also modifies the hosts file to prevent updates from popular anti-virus vendors... the anti-virus detection rate for this bot is currently at 26/40*."
* http://www.virustota...34c4-1265615954
File 2020.exe_ received on 2010.02.08 07:59:14 (UTC)
Result: 26/40 (65.00%)
(Screenshots available at the Websense URL above.)

- http://www.krebsonse...ts-gov-and-mil/
February 6, 2010 - "... The scam e-mails may seem legitimate because the name of the booby-trapped file mimics a legitimate 2020 Project report*** published by the NIC, which has a stated goal of providing US policymakers “with a view of how the world developments could evolve, identifying opportunities and potentially negative developments that might warrant policy action.” Only 16 of the 39 anti-virus scanners used by Virustotal.com detect the file** as malicious, and those that do mostly label it as a variant of the Zeus/Zbot Trojan..."
** http://www.virustota...f610-1265331501
File 2020.zip.txt received on 2010.02.05 00:58:21 (UTC)
Result: 16/39 (41.03%)
*** http://www.dni.gov/n...20_project.html

- http://www.threatexp...eecd4ba7054e138
7 February 2010

- http://www.m86securi...trace.1233~.asp
February 7, 2010 M86 Security - "... another Zeus campaign that we observed last week..."

Edited by AplusWebMaster, 09 February 2010 - 06:23 AM.

[AplusWebMaster]

FYI...

Zeus targeted attacks continue
- http://securitylabs....lerts/3550.aspx?
02.11.2010 - "Websense... has discovered a follow up attack on Zeus campaign targeting government departments. Its research shows that once again the campaign is targeting workers from government and military departments globally... The Websense ThreatSeeker Network has seen thousands of emails pretending to be from a reputable figure within the Central Intelligence Agency... The email subject is:
"Russian spear phishing attack against .mil and .gov employees"...
The spoofed emails capitalize on the last Zeus attack, and claim that installing the Windows update via the links provided will aid protection against Zeus attacks. The binary file downloaded from these links is identified as a Zeus bot and holds 35% AV detection rate*. Once again URLs in the email messages lead to a malicious file hosted on a compromised host, and also on a popular file hosting service. Once installed, the bot has identical functionality to the one mentioned in the previous alert. After The Zeus Rootkit component is installed the C&C server at update[removed].com is contacted to download an encrypted configuration file. Another data stealing component gets downloaded and installed from the same C&C in the shape of a Win32 Perl script compiled with Perl2Exe - this data-stealing component has only a 5% AV detection rate**. Then the bot starts to connect with a credential-based FTP server at pack[removed].com to upload stolen data. The Zeus bot is normally designed to steal banking credentials; however it has also been seen in targeted attacks to steal other sensitive data..."
* http://www.virustota...c476-1265856371
File KB823988.exe received on 2010.02.11 02:46:11 (UTC)
Result: 14/41 (34.15%)
** http://www.virustota...3723-1265905508
File stat.exe received on 2010.02.11 16:25:08 (UTC)
Result: 2/41 (4.88%)

(Screenshots available at the Websense URL above.)

[AplusWebMaster]

FYI...

Spammers already using Google Buzz
- http://securitylabs....lerts/3551.aspx?
02.11.2010 - "... Today we saw the first spam using Google Buzz to spread a message about smoking.. The spammer is already following 237 people, and we can only imagine that he or she has sent similar messages to all of them. This particular message leads to a site hosted on a free Web hosting service talking about how to quit smoking. When Twitter was launched, it took a while before it was used to send spam and other malicious messages. In this case, it only took two days. It's clear that the bad guys have learned from their experience using social networks to distribute these type of messages. We hope that Google is geared up for dealing with the volume of spam it's bound to see on the new service. Until then, we advise users to be careful, as usual, when clicking on unknown links."
(Screenshot available at the URL above.)

The Buzz is getting LOUDER
- http://www.sophos.co...slabs/post/8641
February 11, 2010

- http://www.eset.com/...s-gmail-spyware
February 12, 2010 - "... If you have a Gmail account and don’t want to broadcast to the world who you chat with and email the most, then when you log into Gmail, immediate scroll to the bottom of the page and turn off Buzz..."

Edited by AplusWebMaster, 14 February 2010 - 11:34 AM.

[AplusWebMaster]

FYI...

Dear taxpayer – don’t
- http://sunbeltblog.b...payer-dont.html?
February 11, 2010 - "‘Tis the season for Zbot spam."

(Screenshot available at the URL above.)

[AplusWebMaster]

FYI...

IRS themed Zeus exploits...
- http://ddanchev.blog...lient-side.html
February 15, 2010 - "As anticipated, the botnet masters behind the systematically rotated campaigns dissected in previous posts, kick off the week with multiple campaigns parked on the newly introduced fast-fluxed domains. In a typical multitasking fashion, two campaigns are currently active on different sub domains introduced at the typosquatted fast-flux ones, impersonating the U.S IRS with "Unreported/Underreported Income (Fraud Application) theme", as well as a variation of the already profiled PhotoArchive campaign, using a well known "You don't have the latest version of Macromedia Flash Player" error message... researchers from M86 Security* gained access to the web malware exploitation kit..."
(More detail at the URL above.)

* http://www.m86securi...sp?article=1233
February 7, 2010 - "... It has been up and running and serving exploits for nearly a day. In this time almost 40,000 unique users have been exposed to these exploits, and the Zeus file has been downloaded over 5000 times..."

Edited by AplusWebMaster, 15 February 2010 - 09:32 PM.

[AplusWebMaster]

FYI...

The Wizard of Buzz
- http://securitylabs....Blogs/3553.aspx
02.16.2010 - "Buzz is just a new wizard in the kingdom of Google. However, it is not hard to foresee through the crystal ball that Dorothy's journey along the yellow brick road will be full of constant attacks from the Witch of malware and her spamming monkeys. The biggest problem with Google Buzz is privacy. You can read lots of blogs and articles on this already, and this blog does not intend to examine this subject. It's enough to know that with Buzz, it is too easy to follow and read other people's messages... What is worrying for us is that it's now much easier to spread spam and malicious messages than before, thanks to this super-network. Google has reacted to these issues quickly and has changed the default settings of its social network. Unfortunately there is no change for existing users, so if you have already subscribed, you still need to tweak the settings for yourself to make it secure..."

- http://www.eset.com/...s-gmail-spyware
February 12, 2010 - "... If you have a Gmail account and don’t want to broadcast to the world who you chat with and email the most, then when you log into Gmail, immediate scroll to the bottom of the page and turn off Buzz..."

- http://www.pcworld.c..._evil_twin.html

- http://www.f-secure....s/00001886.html
February 18, 2010 - "... You don't get to use free services and expect to get absolute privacy. Either you offer up some of your information for enhanced services, or you don't. Remember, Google isn't your friend. It's a business..."

Edited by AplusWebMaster, 19 February 2010 - 11:41 AM.

[AplusWebMaster]

FYI...

Scammers offer "Live Support"
- http://www.informati...cleID=222900276
Feb. 13, 2010 - "... The Live PC Care "virus scan" screen now includes a yellow online support button that affords those reluctant to part with their money the opportunity to banter with fraud support. "If a potential victim clicks on the online support button they are brought to a live support chat session," said Symantec security researcher Peter Coogan in a blog post*. "The authors of Live PC Care have taken advantage of a legitimate freeware live chat system called LiveZilla. This system allows Live PC Care victims to chat online with so-called 'support agents.'" Based on the interactions between Symantec researchers and the live support people, Coogan says that there really are people answering questions, and not automated scripts. Their goal, he says, is to allay suspicions and encourage the belief that the fake malware detected needs to be repaired. Coogan says that the involvement of live support people shows just how big the business of fake antivirus scams has become. Symantec says that between July 1, 2008 and June 30, 2009, 250 different fake antivirus programs made 43 million installation attempts. The company says that the cost of being victimized can go beyond the $30 to $100 price for useless software to include additional fraud arising from credit card theft."
* http://www.symantec....v-talking-enemy

Trojan.FakeAV
- http://www.symantec..../...-99&tabid=2
Updated: October 10, 2007 5:08:11 PM
Type: Trojan
Infection Length: 7,680 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Edited by AplusWebMaster, 17 February 2010 - 08:54 PM.

[AplusWebMaster]

FYI...

Symantec ThreatCon...
- http://www.changedet...nlearn_log.html
... changes: 2010-02-19 05:28 "... Symantec is aware of several reports of a strain of Zeus dubbed 'Kneber'. The Zeus exploit toolkit is often used in campaigns that have no specific target. The goal is often to infect as many systems as possible. This strain is reported to harvest personal information from the victim that attackers can use for financial gain. Customers are advised to ensure that antivirus products are up to date. Symantec detects this threat as Trojan.Zbot.
Trojan.Zbot
http://securityrespo...-011016-3514-99
Zeus Toolkits...
> http://www.symantec....meware-toolkits
August 25, 2009

- http://blog.threatfi...bed-kneber.html
February 18, 2010

- http://www.netwitnes.../feb182010.aspx
February 18, 2010

- http://www.f-secure....s/00001887.html
February 19, 2010

- http://www.krebsonse...nown-as-botnet/
February 19, 2010

Edited by AplusWebMaster, 21 February 2010 - 07:22 AM.

[AplusWebMaster]

FYI...

Zeus exploit svr morphs in the Wild...
- http://ddanchev.blog...lient-side.html
UPDATED: Saturday, February 20, 2010 - "The client-side exploit serving iFrame directory has been changed to 91.201.196.101 /usasp11/in.php, with another typosquatted portfolio of domains currently being spamvertised.

Detection rates: update.exe - Trojan.Zbot - Result: 25/40 (62.5%) (phones back to trollar.ru /cnf/trl.jpg - 109.95.114.133 - Email: bernardo_pr@inbox.ru); file.exe - Trojan.Spy.ZBot.12544.1 - Result: 26/41 (63.42%); ie.js - JS:CVE-2008-0015-G - Result: 14/40 (35%); ie2.js - Exploit:JS/CVE-2008-0015 - Result: 17/40 (42.5%); nowTrue.swf - Trojan.SWF.Dropper.E - Result: 24/41 (58.54%); pdf.pdf - Exploit.JS.Pdfka.bln - Result: 11/41 (26.83%); swf.swf - SWF/Exploit.Agent.BS - Result: 8/40 (20%)..."

(More detail at the ddanchev URL above.)

[AplusWebMaster]

FYI...

New Twitter Worm making the rounds
- http://blog.trendmic...m/twitter-worm/
Feb. 24, 2010 - "A new Twitter worm is making the rounds. If you receive a direct message from a “friend” that contains the following message:
“This you????”
It is likely malicious. Clicking the link, http: //twitter.login.{BLOCKED}home.org/login/, will -redirect- you to a sub page of the said domain. You will then be prompted to log in to your Twitter account... Once you log in, your credentials will be stolen and all of your followers will receive a direct message from you with a link to the same site, allowing the worm to further propagate. Doubtlessly, at some point in the future, the cybercriminals behind this attack will use the same stolen credentials to send out other malicious content from a huge number of compromised Twitter accounts. So remember, think before you click!..."

(Screenshots available at the URL above.)

- http://www.f-secure....s/00001893.html
February 25, 2010 - "... phrases such as "This you??" or "LOL is this you" are linking victims towards a Twitter login phishing page. If the bait is taken and victim enters their password, Twitter's infamous "fail whale" is displayed and the user is returned to their account. They might not even realize that their account details have been compromised..."

- http://sunbeltblog.b...ues-thanks.html
February 25, 2010

Edited by AplusWebMaster, 25 February 2010 - 04:58 PM.

[AplusWebMaster]

FYI...

More-Zeus-client-side-exploits-serving-iFrame ...in the Wild...
- http://ddanchev.blog...lient-side.html
SECOND UPDATE for Wednesday, February 24, 2010 - Another portfolio of new domains is being spamvertised, using the old PhotoArchive theme. The client-side exploits serving iFrame directory has been changed to 91.201.196.101 /usasp33/in.php currently serving CVE-2007-5659; CVE-2008-2992;CVE-2008-0015; CVE-2009-0927 and CVE-2009-4324.
Sample detection rates: update.exe - Trojan-Spy.Win32.Zbot.gen - Result: 10/42 (23.81%); file.exe - Trojan-Spy.Win32.Zbot.gen - Result: 10/42 (23.81%). Samples phone back to the same C&C where samples from previous campaigns were also phoning back to - trollar.ru /cnf/trl.jpg..."

(More detail at the URL above.)

- http://web.nvd.nist....d=CVE-2007-5659
"... Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file..."
- http://web.nvd.nist....d=CVE-2008-2992
"... Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file..."
- http://web.nvd.nist....d=CVE-2008-0015
"... MS09-032... MS09-037..."
- http://web.nvd.nist....d=CVE-2009-0927
"... Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3 , and 7 before 7.1.1 allows remote attackers to execute arbitrary code..."
- http://web.nvd.nist....d=CVE-2009-4324
"... Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code..."

- http://blog.trendmic...-juice-on-zeus/
Mar. 4, 2010 - "... ZeuS has been entrenched in the cybercriminal business for a long time now and has continuously evolved and improved. Given the vast number of toolkit versions readily available in the underground, the features ZeuS possesses to thwart both antivirus and other security solutions, as well as efforts by the security industry, ZeuS will continue to be used by cybercriminals to steal personal information and even people’s identities..."

Edited by AplusWebMaster, 06 March 2010 - 08:45 AM.

[AplusWebMaster]

FYI...

VirusTotal - fake rogue site
- http://sunbeltblog.b...ustotalcom.html
February 26, 2010 - "VirusTotal.com [ http://en.wikipedia..../VirusTotal.com ] is a brilliant site that helps both public and researchers alike determine if an executable file they have is potentially malicious or not... somebody decided to cash in on the good name of the site with the following domain:
virus-total(dot)in
...we have some Rogue Antivirus advertising in the house, to the tune of “Your computer is infected by viruses” complete with the now familiar fake image of your drives and folders... Should you download and run the executable file offered up by the site, you’ll end up with the rogue Security Tool on your system... the REAL domain for VirusTotal is http://www.virustotal.com/ . Don’t fall for this scam!"

(Screenshots available at the Sunbeltblog URL above.)

[AplusWebMaster]

FYI...

MS warns: fake Security Essentials
- http://www.theregist...sentials_rogue/
26 February 2010 - "Microsoft has warned Windows users to be on their guard against a piece of rogue antivirus software passing itself off as Microsoft Security Essentials. Security essentials 2010 is a piece of software Microsoft said installs a fake virus scanner on your machine and monitors and blocks processes it doesn't like. The software will also block access to websites of antivirus and malware companies and flag up a warning message. You can see the list of blocked sites here*... Adding insult to injury, Security essentials 2010 charges you to scan and remove files on your machine, claiming the version you will have initially downloaded is just a trial edition. Microsoft's Security Essentials is available without charge to PC users running a genuine copy of Windows..."
* http://www.microsoft...:Win32/Fakeinit

[AplusWebMaster]

FYI...

Rogue Facebook app propagates via users
- http://securitylabs....Blogs/3563.aspx
02.26.2010 - "The latest scam targeted at Facebook users hit the public today. The rogue app, which comes in many variants of "Who is checking your profile?", has improved its technique beyond the previous attacks we've seen. Rather than spreading a single app that Facebook can easily block, it tricks users into propagating the exploit by creating a brand new Facebook application that hands over the controls to the bad guys. The attack starts with a friend, whom you trust, posting a link on your wall, asking you who is checking your profile. It also entices you by telling you that your friend is viewing your profile. The draw itself has been around for a long time, and the idea of being able to tell which users have looked at your profile is an attractive proposition. But Facebook policy and the API itself prevent this capability, which means that all applications that promise this feature are bogus... The most important thing for Facebook users to remember is that clicking “Allow” authorizes an application, and by doing so you are giving it the proverbial “keys to the kingdom.” Do not add any applications that you do not trust..."

(More detail and screenshots at the Websense URL above.)