Hundreds of Web sites infected - attack in progress

19 replies to this topic

#16 AplusWebMaster

Posted 26 March 2008 - 08:37 PM

FYI...

(Please do NOT go to any of the IPs mentioned in the commentary - they should be considered dangerous. Block them maybe, but don't go there.)
- http://ddanchev.blog...e-campaign.html
March 25, 2008 - "...It appears that the latest round has been spammed two days ago, but expanding their ecosystem reveals evidence of more bankers malware on behalf of the same malicious parties. What's particularly interesting about this campaign is that they're using a hardcoded list of already breached email accounts of mostly Brazilian users, and using it as a foundation for the distribution of the malware under the clean IP reputation - which explains why the email makes it through anti-spam filters... Basically, you have a malware campaign targeting Portuguese speaking end users, that's been emailed using Brazilian mail servers through a set of hardcoded and already breached local email accounts, it's serving fake bank logins of a Portuguese bank, whereas the malicious parties are using a Russian free web space provider, front .ru in this case as a reliable and outsourced approach to host the malware. Moreover, within several of the subdomains hosted at front.ru, there're also pages pushing bankers malware through fake Apaixonado Big Brother Brazil 2008 pages. So you have a South American malicious party generating noise on behalf of Russia's overall bad reputation in respect to malware...
- IPs used in the C&Cs hiding behind .jpg files :
- The fake bank logins locations found within the configuration :
- Internal hardcoded email addresses :
The bottom line, the campaign is well organized, primarily targeting Portuguese speaking end users, is being spammed from stolen email accounts, and has its malware hosted on a Russian free web space provider..."

(Screenshots available at the ddanchev.blogspot URL above.)


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...

#17 AplusWebMaster

Posted 30 March 2008 - 12:33 PM

FYI...

- http://www.sophos.co...08/03/1243.html
30 March 2008 - "...Our data for all records processed since March 1st 2008 (so approximately 4 weeks' worth of data). The data reveals almost 11,000 pages compromised with Troj/Unif-B, split across approximately 4,500 different domains. That is a fair amount of activity, approximately 150 new domains each day (and this is just what we are seeing)... For the 4,500 compromised domains, these targets fall into two categories:
1. additional attack sites. Some other site which hits the victim with exploits.
2. redirect or ‘control’ sites. Some other site, controlled by the attacker, which can be used to direct traffic (as discussed previously). Typically, these sites direct victims to one of several other attack sites (though there may be several redirects in use). There are a number of prominent attacks visible in the data:
* ~30% use a renowned attack site for installing various malware including Mal/Dropper-T, Mal/EncPk-CM and Mal/EncPk-CO.
* Tibs: over 10% are redirect sites under the control of a large and well coordinated group. Numerous domains have been used by this group in recent months to install a variety of Dorf, Tibs and other malware.
* Zbot: almost 10% load exploits intended to install a member of the Mal/Zbot family.
* Gpack: approximately 5% point to a single GPack attack site, which installs malware detected as Mal/Emogen-Y.
....something recently talked about by Roger Thompson, on the Exploit Prevention Labs blog*... As speculated previously ( http://www.sophos.co...2008/02/map.png ), it is not unlikely that these sites could be used to make money by selling ‘traffic flow’ (attackers essentially paying for victims to be directed to their attack sites for a period of time)..."

* http://explabs.blogs...8/03/gpack.html
March 28, 2008 - "...It's just javascript, and thus far, we've only seen one exploit come out of it ... a mouldy, old MS06-014, although we expect there are more than that... while there is clearly more than one set of Bad Guys involved, most of them seem to be hosted by the same ISP, because the exploit IPs are similar..."


#18 AplusWebMaster

Posted 08 April 2008 - 01:11 PM

FYI...

Malicious Flash Banner Ad - USATODAY.com
- http://securitylabs....lerts/3061.aspx
04.08.2008 - "Websense® Security Labs™ has received reports of a malicious Flash banner ad on USATODAY.com, a prominent news web site. The banner ad leads to the download of various spyware and ransomware, appearing as legit anti-virus scanners to the uninitiated... More details about this malicious binary from Microsoft:
http://www.microsoft.....e=Win32/Renos ..."

(Screenshots of banner ad from USATODAY at the Websense URL above.)


#19 AplusWebMaster

Posted 08 April 2008 - 07:52 PM

FYI...

Flash Player version 9.0.124.0 released
- http://forums.whatth...=...st&p=452745
"...Adobe categorizes this as a -critical- update and recommends affected users upgrade to version 9.0.124.0..."


#20 AplusWebMaster

Posted 12 April 2008 - 07:48 AM

FYI...

Election time in Italy, complete with Trojan
- http://preview.tinyurl.com/52adbn
April 11, 2008 - "Symantec has been notified that the Web site ladestra.info, a site related to a right-wing Italian political party, has been compromised. The Web site is hosting a malicious iframe that leads to a typical browser exploit using the Neosploit tool, which forces an infected computer to install the newest version of Trojan.Mebroot. Using elections as a channel for spreading malicious code is something we have already seen (for example, Srizbi*) and it’s now election time in Italy as well, with the vote set to happen next Sunday and Monday, April 13th and 14th, 2008. Nonetheless, unless the Mebroot gang is interested in Italian politics, I do not believe the Web site has been compromised for political reasons. We have recently seen the group uploading malicious iframes** on many different Web sites for their purposes, with complete disregard for the content..."
* http://preview.tinyurl.com/2349ds

** http://preview.tinyurl.com/yrxcym

Edited by AplusWebMaster, 12 April 2008 - 07:50 AM.
