2072 replies to this topic

[AplusWebMaster]

FYI...

Facebook "Dislike button" likes Hotbar
- http://sunbeltblog.b...kes-hotbar.html
March 23, 2010 - "... It seems the tactic of offering up Firefox (but giving you something else entirely) is going to be around for a little while. Below is a site promoting a Firefox .xpi called “The Dislike Button”, designed to let you add an “I dislike this” note to Facebook posts... The domain is dislikes(dot)info. Note the “Get Firefox” button at the top... you’re given the option of downloading a setup file from Hotbar…not exactly the Firefox download you were expecting. Should the end-user install it thinking this will give them Firefox, they’re very much mistaken... What they actually get is the option to download Hotbar (and no Firefox), complete with a preticked ShopperReports checkbox... Additionally, there’s a text link further down the page asking you to “Get Firefox now” which also directs you to the Hotbar install... I think... I dislike this."

(Screenshots available at the URL above.)

Edited by AplusWebMaster, 23 March 2010 - 08:38 AM.

[AplusWebMaster]

FYI...

Skype toolbar for Outlook SCAM
- http://securitylabs....lerts/3586.aspx
03.23.2010 - " Websense... has discovered a new wave of email attacks targeting the Skype Email Toolbar. Up to now, the amount of spam is not large, but we believe it will increase. The spam email message contains a file attachment named SkypeToolbarForOutlook.zip, which could easily deceive users but is in fact a backdoor trojan that has a very low AV detection*. The spam email copies the look and feel of the legitimate application from Skype..."
* http://www.virustota...2751-1269327702
File SkypeToolbarForOutlook.exe received on 2010.03.23 07:01:42 (UTC)
Result: 6/42 (14.29%)
(Screenshots available at the Websense URL above.)

Skype SPIM (Instant Messaging SPAM)
- http://www.m86securi...trace.1289~.asp
March 26, 2010 - With over 520 million users, Skype is the most popular VoIP (Voice over IP) application available today. It provides a great service, allowing families, friends and colleagues to connect to one another through voice and video chat across the globe. However, being so popular doesn’t come without a price. The price that is paid is in the form of Skype SPIM (Instant Message Spam). These messages are pushed out to a large percentage of Skype users on a regular basis. The SPIM messages can range from the common pharmaceutical product spam, to fake OEM software, investment scams, replica bags and watches, and adult dating site spam..."
(More detail and screenshots at the URL above.)

Edited by AplusWebMaster, 27 March 2010 - 04:40 AM.

[AplusWebMaster]

FYI...

ZBOT variants targeting European Banks
- http://blog.trendmic...european-banks/
March 23, 2010 - "... new ZBOT variant mainly targeting four European countries’ banking systems in Italy, England, Germany, and France. Trend Micro detects this variant as TROJ_ZBOT.BYP. It targets major consumer European Banks and financial institutions with high-profile clientele. The targeted companies include the major UniCredit Group Subsidiary Bank of Rome; U.K.-based Abbey National (more commonly known as Abbey); Hong Kong’s HSBC; Germany’s leading IT service provider in the cooperative financial system, the FIDUCIA Group; and one of France’s largest retail banks, Crédit Mutuel... The ZeuS toolkit enables cybercriminals to create and customize their own remote-controlled malware. The infected machine then becomes part of the criminal ZeuS botnet. ZBOT variants are information stealers specializing in robbing online banking information from victims and sending back the information to its command-and-control (C&C) server. At its most basic level, ZeuS has always been known for engaging in criminal activities, as it signals a new wave of online criminal business enterprises wherein different organizations can cooperate with one another to perpetrate outright online theft and fraud... The domains used by TROJ_ZBOT.BYP are both hosted on the same server, which is located in Serbia under a registered name. The IP address used and its registered name are both well-known for being part of FAKEAV-hosting domains and previous Canadian pharmacy spam campaigns..."
- http://threatinfo.tr...Connection.html
"... Since 2007... Trend Micro has seen over 2,000 ZBOT detections and the numbers continue to rise..."

Edited by AplusWebMaster, 24 March 2010 - 05:23 AM.

[AplusWebMaster]

FYI...

Fake Apple App Store Malicious SPAM
- http://securitylabs....lerts/3587.aspx
03.24.2010 - "Websense... has discovered that Apple's App Store has become the latest target for email attacks and spam. App Store is the service provided by Apple Inc. as a platform to purchase and download applications for iPhone®, iPod touch®, and iPad™. The attack comes in the form of a fake invoice email. With Apple's App Store being one of the most popular shopping platforms for multimedia, this kind of App Store invoice email is familiar to users and tends to be received frequently. As demonstrated here, cyber-criminals clearly jump at a chance to spread their spam using any available means. The content in this campaign resides on compromised Web sites and serves a combination of pharmaceutical spam along with exploits that are delivered in the background. Some of the messages serve only pharmaceutical spam and some combine spam with exploits. In the example below, clicking the link in the message redirects the user to a site with a single link labeled "visit". In the background, a known exploit pack called "Eleonore" is delivered to the user's machine. If the user clicks on the link, they are redirected to a "Canadian Pharmacy" Web site. In this particular attack instance the file dropped by the exploit pack has 29% detection rate*..."
* http://www.virustota...75ae-1269442230
File updates.exe received on 2010.03.24 14:50:30 (UTC)
Result: 12/41 (29.27%)

(Screenshots available at the Websense URL above.)

- http://blog.trendmic...he-apple-store/
Mar. 25, 2010

Edited by AplusWebMaster, 25 March 2010 - 07:26 AM.

[AplusWebMaster]

FYI...

Pictures Ruse Used to SPAM Zeus/Zbot
- http://blog.trendmic...to-spread-zbot/
Mar. 24, 2010 - "... fresh wave of spammed messages that were used to spread another ZBOT variant of the infamous ZeuS botnet. These messages warned users that a “jerk” posted photos of them and contained a link to the said images... the spammed messages appear to be from innocent users that the recipients presumably knew. In addition, they were also signed or at least had the sender’s name at the end of the message. In the sample above, the sender’s name has been blurred to protect his/her identity. Combined, this may lead users to believe the message is legitimate. However, the link does not go to any legitimate social-networking or photo-hosting site. Users were instead prompted to download a “photo archive”. In addition, the download page also contains a malicious iframe, which leads to a website that previously hosted the Phoenix Exploit’s Kit, which was designed to take advantage of vulnerabilities in several popular applications like Adobe Flash, Internet Explorer (IE), Microsoft Office, and Mozilla Firefox..."

(Screenshots available at the URL listed above.)

- http://threatinfo.tr...030210-ZBOT.xml

- http://ddanchev.blog...e-exploits.html
March 24, 2010 - "... Updates will be posted as soon as new developments emerge. Consider going through the 'related posts', to catch up with the gang's activities for Q1, 2010..." ("Related posts" listed there)

Edited by AplusWebMaster, 24 March 2010 - 08:39 PM.

[AplusWebMaster]

FYI...

Closer look on Swizzor
- http://techblog.avir...-on-swizzor/en/
March 25, 2010 - "We were analysing a recent version of Swizzor – an Adware which Avira detects as TR/Dldr.Swizzor.Gen – and after getting past the first encryption layers of the software, we stumbled over a few interesting strings in the malware. Quite obviously it installs a browser helper object (BHO, an Internet Explorer plug-in) which does some form of search hijacking. In case users get infected with Swizzor, they usually experience a -redirected- start page and a few pop-ups with advertisements for online poker or potency pills... Different Swizzor samples contain also different messages and links. Also, the malware is highly polymorphic. The Swizzor sample also contains a lengthy list of URLs which it blocks within the windows hosts file by redirecting them to localhost (127.0.0.1). Interestingly, those URLs all point to FakeAV or RogueAV... Also we see reports by users on the net which are victim of a Swizzor infection and didn’t download such “sponsored software” knowingly, but installed it for example with the “Windows Live Messenger” -add-on “Windows Live Plus! Messenger” where users can choose whether to install the “sponsor software” or not. Always keep an open eye whether the software you are going to install really is free or installs further stuff to your computer. You should find hints pointing to such add-ons in the EULA of the software."

[AplusWebMaster]

FYI...

Fake lawsuit notification Attack
- http://www.f-secure....s/00001917.html
March 25, 2010 - "A few of days ago, we encountered an e-mail with a malicious RTF attachment. It was sent with a supposed lawsuit notification message. The e-mail didn't mention any company by name and took a shotgun, rather than targeted, approach... At this point, it appears that the attachment has been replaced by hyperlink pointing to the Marcus Law Center... It is difficult to determine whether or not the MLC site is compromised or just completely bogus. Their Our Firm page text borrows heavily from a New York lawyer's site, but that could just be a case of "honest" plagiarism. In any case, our browsing protection feature is now blocking the sub-directory hosting the malicious file as unsafe. The RTF file includes an embedded object that acts as a trojan dropper (Trojan-Dropper:W32/Agent.DIOY) and it drops a downloader (Trojan-Downloader:W32/Lapurd.D), which then attempts to connect to a server located in Southern China. The earlier attachment that we saw also attempted to connect to a server in China. Updated to add: SANS diary reports* that a number of .edu sites have also received a similar message. The domain, touchstoneadvisorsonline .com, is hosting the same RTF (.doc) file. .."
* http://isc.sans.org/...ml?storyid=8497
Last Updated: 2010-03-25 13:30:36 UTC - "An email is being sent out warning the recipient of a "Copyright Lawsuit filed against you." We received a copy here and a number of .EDUs have reported it's receipt... Currently only a few AV solutions detect the initial document:
- http://www.virustota...0d87-1269486837 ..."
File r439875.doc-25mar10 received on 2010.03.25 03:13:57 (UTC)
Result: 7/42 (16.67%)

- http://isc.sans.org/...ml?storyid=8506
Last Updated: 2010-03-26 14:19:15 UTC
> http://www.virustota...c8ee-1269619641
File suit.exe received on 2010.03.26 16:07:21 (UTC)
Result: 21/42 (50.00%)

- http://www.us-cert.g...suit_email_scam
March 26, 2010 - "... messages may contain malicious attachments or web links. If a user opens the attachment or follows the link, malicious code may be installed on the user's system..."

- http://ddanchev.blog...gainst-you.html
March 29, 2010

Edited by AplusWebMaster, 30 March 2010 - 09:30 AM.

[AplusWebMaster]

FYI...

Zeus wants to do your taxes
- http://isc.sans.org/...ml?storyid=8503
Last Updated: 2010-03-25 20:44:53 UTC ...(Version: 2) - "... received reports of suspicious emails claiming to be from the IRS. It's a common scheme to get a user to click and run an executable. It looks like zeus/zbot to me...The email looks something like...
Subject: Underreported Income Notice
Taxpayer ID: <recipient>-00000198499136US
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):
Internal Revenue Service
hxxp ://www.irs.gov.assewyx .co.uk/fraud.applications/application/statement.php?
The download in this particular link was "tax-statement.exe"..."

Child Tax Credit... Phishing Bait
- http://www.symantec....w-phishing-bait
March 25, 2010 - "... fraudulent email has an HTML attachment named #1924819299.pdf.htm..."

- http://www.us-cert.g..._phishing_scams
March 26, 2010 - "... tax season malware campaign. This malware campaign may be using malicious code commonly known as Zeus or Zbot..."

- http://www.irs.gov/p....html?portlet=5
"... The IRS does -not- initiate taxpayer communications through e-mail..."

Edited by AplusWebMaster, 27 March 2010 - 06:39 AM.

[AplusWebMaster]

FYI...

Fake update utilities...
- http://www.theregist..._update_trojan/
29 March 2010 - "Miscreants have begun creating malware that overwrites software update applications from Adobe and others. Email malware that poses as security updates from trusted companies is a frequently used hacker ruse. Malware posing as update utilities, rather than individual updates, represents a new take on the ruse... recently detected Fakeupver trojan establishes a backdoor on compromised systems while camouflaging its presence by posing as an Adobe update utility. The malware camouflages itself by using the same icons and version number as the official package... "... malware is written in Visual Basic, faking such popular programs as Adobe, DeepFreeze, Java, Windows, etc. In addition, on being executed, they immediately turn on the following services: DHCP client, DNS client, Network share and open port to receive hacker’s commands..."

[AplusWebMaster]

FYI...

Fake Facebook AV
- http://www.f-secure....s/00001920.html
March 29, 2010 - "Facebook-specific antivirus application sound like a good idea? Maybe not. One of our analysts saw this particular application claiming to be an antivirus wreak havoc on his Friends list. Of course, there is no such thing... If a Friend looking through the photos then clicks on the app's (apparently randomly generated) link... you might end up with a series of albums... Once installed on one Friend's account, this application tags 20 Friend into a picture... You can find more information about this, including instructions on how to remove the tags on the photos, at FacebookInsider*.
Updated to add: Examples include Antivirus in Focebook and F'acebook antivirus.
Notice the -misspelling- of Facebook in both names. Facebook is already in the process removing and preventing such rogue apps."

(Screenshots available at the URL above.)

* http://thefacebookin...m-your-friends/

[AplusWebMaster]

FYI...

SPAM site registrations flee China for Russia - A Little Sunshine
- http://www.krebsonse...ina-for-russia/
March 31, 2010 - "... In early January 2010, and indeed in the months leading up to the new year, the percentage of domains advertised in spam registered in the .cn space dwarfed the number of .ru spam-related domains, according to figures gathered by the University of Alabama at Birmingham. But by mid-January, the number of .cn spam domains began to fall off dramatically, while the number of .ru spam domains increased markedly, UAB found (see graphic*). Gary Warner, director of research in computer forensics at UAB Birmingham, said a sizable share of spam-related new domain registrations continue to come through the .com space — which is served by hundreds of domain name registrars. But he said the biggest bulk registrations for spam domains routinely came out of .cn, particularly those associated with rogue online pharmacies. “The .com never had the volumes of abuse you’d see at one time in .cn, where you’d typically have one guy registering hundreds or thousands of spam domains every day,” Warner said. There is a decent chance that the spammers will move to another country-code registrar soon. Beginning April 1, Russia’s Coordination Center for domain registration will require individuals and businesses applying for a .ru address to provide a copy of a passport or legal registration papers. Warner said he’s looking forward to seeing a similar exodus from Russia in the weeks ahead. “I’m excited about the prospects of seeing the [number of] .ru spam domains going down just like we saw with China,” he said... ISC’s spam traps had identified more than 10,000 unique domain names being advertised in spam. More than 1,870 of those domains were tied to recently registered rogue pharmacies, and of those, 491 were registered in the .com space, while 18 were from .cn and 1,366 were at .ru Web sites..."
* http://www.krebsonse...03/cnruspam.jpg

[AplusWebMaster]

FYI...

Korea: 31% of malware origins - March 2010
- http://sunbeltblog.b...-spikes-in.html
April 07, 2010 - Number of infected computers spikes in Korea - "Hong Kong-based security firm Network Box reported that Korea was the country of origin for 31.1 percent of the malware on the Internet in March*. In February the country only pumped out 8.9 percent, leading researchers to theorize that there has been a huge increase in infected machines there pushing out phishing spam. Network Box includes phishing in its calculations of monthly malware statistics. They also include North and South Korea as one country in their categories, but say the lack of public computers in the North means that South Korea is the country of origin for the bulk of the statistic. The US was second on the list at 9.34 percent..."
* http://www.infosecur...lware-threats-/

- http://response.network-box.com/

[AplusWebMaster]

FYI...

Facebook SCAM again - fake Ikea page...
- http://www.computerw...d?taxonomyId=17
April 9, 2010 - "... latest example of a new and pernicious trend on the social-networking site as scammers - usually disreputable online marketers trying to earn review by generating Web traffic - have flooded Facebook with these fake gift card pages over the past months. In late March, a similar $1,000 Ikea gift card scam took in more than 70,000 victims, and just last week another scam Facebook page offering a $500 Whole Foods gift certificate was widely reported. Friday's scam page had taken in more than 37,000 users by 11:30 a.m. Pacific Time, offering them a $1,000 gift certificate in exchange for promoting Ikea to their friends. At that time, the page was gaining new fans at the rate of about 5,000 per hour. The promotion, the page said, was only available for one day. To participate, users must become a fan of the fake Ikea page, hosted on Facebook, and then invite all their friends to become fans. They are then directed to an affiliate marketing page hosted by GiftDepotDirect .com, where they are asked personal information such as name, address, date of birth and home telephone number. After that step, the victim is told to sign up for two online marketing offers - these ones with legitimate Web sites such as Netflix and CreditReport .com - in order to claim the gift card. The promised cards in these scams never show up..."

[AplusWebMaster]

FYI...

Wordpress blogs hit by ‘Networkads.net’ hack
- http://krebsonsecuri...rkads-net-hack/
April 9, 2010 - "A large number of bloggers using Wordpress are reporting that their sites recently were hacked and are redirecting visitors to a page that tries to install malicious software. According to multiple postings on the Wordpress user forum and other blogs, the attack doesn’t modify or create files, but rather appears to inject a Web address — “networkads .net/grep” — directly into the target site’s database, so that any attempts to access the hacked site redirects the visitor to networkads .net. Worse yet, because of the way the attack is carried out, victim site owners are at least temporarily locked out of accessing their blogs from the Wordpress interface. It’s not clear yet whether the point of compromise is a Wordpress vulnerability (users of the latest, patched version appear to be most affected), a malicious Wordpress plugin, or if a common service provider may be the culprit. However, nearly every site owner affected so far reports that Network Solutions is their current Web hosting provider... A scan of the file delivered by that redirect shows rather poor detection by most anti-virus products: Virustotal.com found that only 7 out of 39 anti-virus products detected it as malicious*...
The following how-to-repair instructions appear to have worked for a number of Network Solutions customers hit by this attack.
- Log in to your site at networksolutions.com
- Using Network Solution’s MySQL admin console, browse to the wp_options table and change the value for “siteurl” to your blog’s URL . For example: “http://example.com/wordpress”.
- Edit wp_config.php to override value of SITEURL (this way even if the database value is altered, it gets overridden by the config value.
Still, that fix may only be temporary ..."
* http://www.virustota...e777-1270828595
File 8d2c18111ad5d4815c4b610c0fa30043e received on 2010.04.09 15:56:35 (UTC)
Result: 7/39 (17.95%)

- http://google.com/sa...networkads.net/
"Site is listed as suspicious - visiting this web site may harm your computer...
last time Google visited this site was on 2010-04-09, and the last time suspicious content was found on this site was on 2010-04-09... Malicious software includes 29 exploit(s), 4 trojan(s)..."

- http://blog.sucuri.n...-wordpress.html
April 10, 2010

Alert: WordPress Blog & Network Solutions
- http://blog.networks...work-solutions/
Update: 04/10/2010

- http://blog.trendmic...ear-compromise/
Apr. 11, 2010

Edited by AplusWebMaster, 11 April 2010 - 06:55 PM.

[AplusWebMaster]

FYI...

Facebook game Farm Town serving "malvertisement"...
- http://www.theregist..._malicious_ads/
12 April 2010 - "... Facebook game with more than 9 million users... Farm Town..."

>>> http://msmvps.com/bl...12/1763312.aspx
Apr 12 2010 18:55 - "... screenshot of the malvertisement... (leads to) run-of-the-mill fake antivirus software..."
- http://msmvps.com/bl...12/1763300.aspx
Apr 12 2010 16:45