SPAM frauds, fakes, and other MALWARE deliveries...

#286 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 13 April 2010 - 09:31 AM

FYI...

Copyright ransomware in the Wild...
- http://ddanchev.blog...ert-themed.html
April 12, 2010 - "The copyright violation alert themed ransomware campaign (Copyright violation alert ransomware in the wild; ICPP Copyright Foundation is fake*) is not just a novel approach for extortion of the highest amount of money seen in ransomware variants so far, but also, offers interesting clues into the multitasking mentality of the cybercriminals whose campaigns have already been profiled..."
* http://www.f-secure....s/00001931.html

SSDD ...
- http://isc.sans.org/...ml?storyid=8620
Last Updated: 2010-04-13 13:35:41 UTC

:ph34r: <_<

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#287 AplusWebMaster

Posted 16 April 2010 - 04:42 AM

FYI...

Fake AV on 11,000 domains...
- http://googleonlines...anti-virus.html
April 14, 2010 - "... One increasingly prevalent threat is the spread of Fake Anti-Virus (Fake AV) products. This malicious software takes advantage of users’ fear that their computer is vulnerable, as well as their desire to take the proper corrective action... We conducted an in-depth analysis of the prevalence of Fake AV over the course of the last 13 months... Our analysis of 240 million web pages over the 13 months of our study uncovered over 11,000 domains involved in Fake AV distribution — or, roughly 15% of the malware domains we detected on the web during that period. Also, over the last year, the lifespan of domains distributing Fake AV attacks has decreased significantly..."

:ph34r: <_<



#288 AplusWebMaster

Posted 16 April 2010 - 05:09 AM

FYI...

Q1 2010: 0-day exploit deliveries...
- http://blog.scansafe...-zero-days.html
April 9, 2010 - "ScanSafe STAT has been investigating an ongoing series of attacks which has been a hotbed for zero day exploits over the first quarter of 2010. The attackers are using three layers of legitimate sites. Two layers are compromised websites used to host malicious content that is then subsequently pushed to a third layer of legitimate websites via syndicated ads. In its current rendition, the attacks are being delivered to financial services themed websites. Previous rounds have been delivered via syndicated ads on Wikia-hosted websites and assorted game forums. The ads pull content from an attacker-planted HTML file contained in the /images directory of the compromised site. (Method of compromise is not known, but it's presumed to be a result of stolen FTP credentials)... Through the course of these attacks which began in late January, the attackers have been quick to incorporate the latest zero day du jour. These have included:
CVE-2010-0806 Internet Explorer uninitialized memory corruption vulnerability
CVE-2009-4324 "use-after-free" vulnerability in Adobe Reader/Acrobat
CVE-2009-3867 HsbParser.getSoundBank buffer overflow vulnerability in Sun Java
Mixed in with these have been an assortment of older exploits for Adobe Flash, Microsoft DirectShow, and miscellaneous Adobe Reader/Acrobat PDF exploits. Successful exploit leads to the download of a binary (also hosted on the same domain) which in observed cases has been a variant of the Bredolab trojan... Bredolab acts as a downloader agent. In the cases we've observed, this particular variant of Bredolab is downloading Zbot/Zeus. Encounters with these attacks are fairly steady and comprised 1% of all ScanSafe Web malware blocks in March (compared to Gumblar at 17%). What's particularly interesting about these attacks isn't the volume, but rather that they appear to be a vector for rapid deployment of the latest zero day exploits. And while the IP addresses and domain names for the attacker-owned sites have changed, the delivery method has remained constant."

:ph34r: <_<



#289 AplusWebMaster

Posted 18 April 2010 - 03:26 PM

FYI...

songlyrics .com... hacked/serving exploits
- http://www.h-online....ate-978283.html
15 April 2010 - "... songlyrics .com... site appears to have been hacked by criminals who have embedded a program to download malicious code from a Russian web server... According to analysis by Wepawet... the attackers are not just exploiting the Java vulnerability, but also multiple vulnerabilities in Adobe Reader... fixed 15 vulnerabilities in Reader with update 9.3.2..."

Java JRE 6 Update 20 update released
- http://java.sun.com/...loads/index.jsp
April 15, 2010

Adobe Reader and Acrobat v9.3.2 update released
- http://www.adobe.com.../apsb10-09.html
April 13, 2010

- http://google.com/sa...songlyrics.com/
"... 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-04-17, and the last time suspicious content was found on this site was on 2010-04-14..."

- http://thompson.blog...-is-a-lure.html
April 14, 2010 - "... So far, it's not in any of the exploit kits, as far as we can see, but it's a given that it soon will be..."

:ph34r: :ph34r:



#290 AplusWebMaster

Posted 19 April 2010 - 03:12 AM

FYI...

Network Solutions hacked again
- http://blog.sucuri.n...cked-again.html
April 18, 2010 - "Network Solutions is getting hacked again. Just today we were notified of more than 50 sites hacked with... malware javascript... it is injecting this iframe from http ://corpadsinc .com/grep/ *... this time we are seeing all kind of sites hacked. From Wordpress, Joomla to just simple HTML sites...."
(More detail and updates at the URL above.)

* http://google.com/sa...corpadsinc.com/
"... Site is listed as suspicious - visiting this web site may harm your computer... The last time Google visited this site was on 2010-04-19, and the last time suspicious content was found on this site was on 2010-04-19. Malicious software includes 9 exploit(s)... this site has hosted malicious software over the past 90 days. It infected 226 domain(s)..."

- http://isc.sans.org/...ml?storyid=8647
Last Updated: 2010-04-18 21:47:10 UTC

- http://www.malwaredo...ordpress/?p=935
April 18, 2010 - "Make sure the following domains are blocked or blacklisted:
binglbalts . com
corpadsinc .com
fourkingssports .com
networkads .net
mainnetsoll .com

sources: http://ddanchev.blog...compromise.html ,
http://isc.sans.org/...ml?storyid=8647 ."

- http://krebsonsecuri...in-under-siege/
April 19, 2010
- http://stopmalvertis...customers-again
April 19, 2010

- http://forums.whatth...=...st&p=646675
Apr 10 2010

:ph34r: <_<

Edited by AplusWebMaster, 19 April 2010 - 04:41 PM.

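An added, defender-side example (not from the post above, and not code from Sucuri or malwaredomains.com): a short Python script that takes the defanged blocklist exactly as it was posted, normalizes it back to plain domains, and scans a web page for iframe or script tags that pull content from any listed domain, which is the injection pattern described for corpadsinc .com/grep/. The HTML sample is constructed for the example and the function names are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Blocklist as posted above (defanged with inserted spaces to keep it non-clickable).
DEFANGED_BLOCKLIST = """
binglbalts . com
corpadsinc .com
fourkingssports .com
networkads .net
mainnetsoll .com
"""

# Constructed sample page: one hidden iframe to a listed domain, plus benign references.
SAMPLE_HTML = """<html><body>
<h1>Site news</h1>
<script src="/js/site.js"></script>
<iframe src="http://corpadsinc.com/grep/" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://example.org/embed/video"></iframe>
</body></html>"""


def refang(entry: str) -> str:
    """Turn a defanged indicator back into a plain lower-case domain.
    Handles 'foo .com', 'foo . com', 'foo[.]com' and 'foo(.)com'."""
    d = entry.strip().lower()
    d = d.replace("[.]", ".").replace("(.)", ".")
    d = re.sub(r"\s*\.\s*", ".", d)   # drop spaces around dots
    d = re.sub(r"\s+", "", d)         # drop any other inserted whitespace
    return d.strip(".")


def load_blocklist(text: str) -> set:
    """One domain per non-empty line, normalized."""
    return {refang(line) for line in text.splitlines() if line.strip()}


def domain_matches(host: str, blocklist: set) -> bool:
    """True for an exact match or any subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocklist)


def _looks_hidden(attrs: dict) -> bool:
    """Injected iframes are usually invisible: display:none, visibility:hidden or 0/1 px."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for key in ("width", "height"):
        value = (attrs.get(key) or "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


class _SrcCollector(HTMLParser):
    """Collects (tag, attributes) for every iframe/script that has a src attribute."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            d = dict(attrs)
            if d.get("src"):
                self.refs.append((tag, d))


def find_injections(html: str, blocklist: set) -> list:
    """Return one record per iframe/script whose src host is on the blocklist."""
    parser = _SrcCollector()
    parser.feed(html)
    hits = []
    for tag, attrs in parser.refs:
        host = urlparse(attrs["src"]).hostname   # None for relative URLs such as /js/site.js
        if host and domain_matches(host, blocklist):
            hits.append({"tag": tag, "host": host, "src": attrs["src"],
                         "hidden": _looks_hidden(attrs)})
    return hits


if __name__ == "__main__":
    bl = load_blocklist(DEFANGED_BLOCKLIST)
    for hit in find_injections(SAMPLE_HTML, bl):
        print(f"{hit['tag']} -> {hit['src']} (hidden={hit['hidden']})")
```

Run it against saved copies of your own pages (or the output of a crawl) rather than fetching the injecting site; the hidden flag is only a heuristic, since a visible iframe to a listed domain is just as bad, which is why the domain match alone produces the hit.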


#291 AplusWebMaster

Posted 20 April 2010 - 08:56 AM

FYI...

Bot installs adware with FLV video player
- http://sunbeltblog.b...with-video.html
April 20, 2010 - "... investigating a botnet that auto installed FLV Direct Player. The player bundles Zugo Search adware, also known as LoudMo, on victims’ machines. FLV Direct is available freely on the web. The bot, however, uses an AutoIT script to script through the installation screens so the victim never sees the install... It also changes the victim machine’s home page to bing.zugo .com. Apparently this is some kind of affiliate operation – the malefactor affiliates get paid for installing LoudMo adware on the machines of unknowing victims and they just decided to do it wholesale with a botnet. Affiliates also are spamming heavily on Twitter (and who else knows where else) trying to get people to install the FLV Player..."

(Screenshots available at the URL above.)

:ph34r: <_<



#292 AplusWebMaster

Posted 22 April 2010 - 09:48 AM

FYI...

Twitter SPAM in your Inbox
- http://isc.sans.org/...ml?storyid=8674
Last Updated: 2010-04-22 15:25:05 UTC - "... received several emails today "from" support@twitter .com (Of course they really aren't from support.). We are also receiving reports from our readers that they are seeing the same thing. The emails claim that you have unread messages from Twitter and contain a link that you can supposedly click on to view the messages. The links are to various locations other than Twitter. Don't be fooled. The emails are -not- from Twitter and the links are -not- at Twitter. Just a reminder NEVER click on links in emails. Always login to your account to check it out... contacted Twitter and reported the emails..."

:ph34r: <_<



#293 AplusWebMaster

Posted 29 April 2010 - 05:40 AM

FYI...

Facebook - Koobface spreading campaign
- http://ddanchev.blog...ngs-latest.html
April 27, 2010 - "During the weekend... the Koobface gang... launched another spreading attempt across Facebook, with Koobface-infected users posting bogus video links on their walls.
> Recommended reading: 10 things you didn't know about the Koobface gang
- http://blogs.zdnet.c...ecurity/?p=5452 [February 23, 2010]

What's particularly interesting about the campaign, is that the gang is now starting to publicly acknowledge its connections with xorg .pl* (Malicious software includes 40706 scripting exploit(s), 4119 trojan(s), 1897 exploit(s), with an actual subdomain residing there embedded on Koobface-serving compromised hosts..."
* http://www.google.co...c?site=xorg.pl/
"... The last time Google visited this site was on 2010-04-29, and the last time suspicious content was found on this site was on 2010-04-29..."

:ph34r: <_<



#294 AplusWebMaster

Posted 29 April 2010 - 02:05 PM

FYI...

Undetectable Facebook Scams
- http://www.pcworld.c...book_scams.html
Apr 28, 2010 - "... recently received two Facebook e-mail notifications... Nothing was obviously wrong with the e-mail messages, which said that my friend had tagged a photo of me and then commented on it. But something about a reference to an app named "Who stalks into your profile" just didn't feel right. So I checked it out. I dug into the e-mail header to make sure that it was from Facebook - it was. A search for the app's name didn't turn up any warnings. The app's installation page didn't give me any obvious clues, either. Still, I let my paranoia have its day, and I sat on the app. Sure enough, it was a scam, and an ingenious one. When anyone installed the supposed stalker app, it first created a photo montage of friends' images and then commented on that montage. Facebook duly sent out "your friend tagged a photo of you" messages, effectively advertising the scam app, which was created to generate illicit online ad revenue. Facebook, with its millions of users, has become a major target for online crooks who try to use malicious apps for everything from phishing to spam to a first step toward installing more dangerous malware onto your PC..."

:ph34r: <_< :ph34r:



#295 AplusWebMaster

Posted 02 May 2010 - 07:22 PM

FYI...

New Yahoo! Messenger worm
- http://www.symantec....-messenger-worm
May 2, 2010 - "... new Yahoo! Messenger worm doing the rounds. Potential victims receive instant messages from contacts in their list, containing a link claiming to be a photo, which in reality points to a malicious executable... The page at the end of the link is basic and does not employ any exploits in order to install the worm, it relies solely on social engineering to trick victims into believing they are opening a picture from a friend, while in fact they run the worm... When the link is clicked, the default browser is redirected to the worm executable, which has a misleading name. Please note the file extension is actually “.exe”. In order to run, the worm still needs the user’s action to open/run the file. Once run, the worm copies itself to %WinDir%\infocard.exe, then it adds itself to the Windows Firewall List, stops the Windows Updates service and sets the following registry value so that it runs every time the system boots:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\“Firewall Administrating” = “%WinDir%\infocard.exe”
Then it looks for the Yahoo! Messenger application on the system, and sends out links to the worm to everyone in the contact list. It may also download and execute other malicious files. When run the first time, the worm will open a new page to the following address, so some photos eventually appear to the user, in order to mask the infection: browseusers.myspace .com/Browse/Browse.aspx Symantec detects and remediates this threat as W32.Yimfoca..."
(Screenshots available at the Symantec URL above.)

- http://www.internetn...Users Trust.htm
May 7, 2010 - "... This latest socially engineered malware scam first appears as a friendly invite from a contact in a user's Yahoo Messenger account. What appears to be a smiley-faced invite to take a gander at some new photos is actually the first step down the slippery slope to becoming a botnet..."

:ph34r: <_<

Edited by AplusWebMaster, 08 May 2010 - 10:56 AM.

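An added example, not from the Symantec write-up quoted above: a Python check that parses the text of a `reg export` of the Run key and flags the two persistence indicators the post names, the "Firewall Administrating" value name and infocard.exe launched from the Windows directory root. The sample export is constructed here, the function names are mine, and the %WinDir% expansion default of C:\Windows is an assumption you would replace with the real value from the machine being examined.

```python
import re

# Indicators taken from the W32.Yimfoca description quoted above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_VALUE_NAME = "firewall administrating"
SUSPECT_BINARY = "infocard.exe"

# Constructed sample of what `reg export "HKLM\...\Run" run.reg` produces:
# one benign entry and one matching the indicators (string values only).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Firewall Administrating"="%WinDir%\\infocard.exe"
"""

_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg quoting: \\" -> " and \\\\ -> \\ ."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}} for quoted string values of a .reg export.
    hex(2) REG_EXPAND_SZ encodings are skipped; this handles the plain quoted form."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def expand_windir(path: str, windir: str = r"C:\Windows") -> str:
    """Expand %WinDir% (any case); windir is an assumed default for the example."""
    return re.sub(r"%windir%", lambda _m: windir, path, flags=re.IGNORECASE)


def find_yimfoca_persistence(reg_text: str, windir: str = r"C:\Windows") -> list:
    """Flag Run entries whose value name matches the worm's, or whose expanded
    command runs infocard.exe directly under the Windows directory."""
    hits = []
    suspect_path = (windir + "\\" + SUSPECT_BINARY).lower()
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        expanded = expand_windir(data, windir)
        exe = expanded.strip().strip('"').split()[0] if expanded.strip() else ""
        reasons = []
        if name.lower() == SUSPECT_VALUE_NAME:
            reasons.append("value name matches the worm's persistence entry")
        if exe.lower() == suspect_path:
            reasons.append("launches infocard.exe from the Windows directory root")
        if reasons:
            hits.append({"name": name, "data": data, "expanded": expanded, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_yimfoca_persistence(SAMPLE_REG_EXPORT):
        print(f"{hit['name']!r} -> {hit['expanded']}: {'; '.join(hit['reasons'])}")
```

On a suspect machine the input is the file written by `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`; remember the post also lists a Windows Firewall exception and a stopped Windows Update service as side effects, so a clean Run key alone does not clear the box.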



#296 AplusWebMaster

Posted 03 May 2010 - 05:35 AM

FYI...

Fake HijackThis Toolbar from Facebook
- http://www.symantec....oolbar-facebook
May 2, 2010 - "SPAM emails... have been doing the rounds on the Internet hoping to lure recipients into downloading a Facebook toolbar... the file is neither a Facebook toolbar nor HijackThis. It's a malware detected by Symantec software as Trojan.Dropper..."

(Screenshots available at the URL above.)

- http://blog.trendmic...serves-malware/
May 9, 2010

:ph34r: <_<

Edited by AplusWebMaster, 10 May 2010 - 05:14 AM.



#297 AplusWebMaster

Posted 03 May 2010 - 11:47 AM

FYI...

Phish/fraud via FedEx delivery...
- http://isc.sans.org/...ml?storyid=8734
Last Updated: 2010-05-03 13:53:05 UTC - "... got a fedex envelope with an unexpected check over 2'850$, with him as recipient... called the issuing bank... and found out that the account against which the check was drawn had zero funds. The way this works is that the bad guys follow up the first letter with a second, where they apologize for the mistake, ask the victim to "wire back" 2500$ and "keep the 350$ for your trouble". If you go ahead with this, by the time the check bounces, you have wired the money, and wired money is gone or at least very very hard to get back. Given that the crooks incur quite some expense and risk in this scenario (fedex isn't cheap and often traceable back to the source) they must still be making a killing out of this scam. The second scheme is phishing via old-fashioned paper mail. You get a letter stating that "for security reasons" calling the bank now requires a pin code, included below. Follows a pin code of a length and complexity that makes it unlikely anyone would want to remember it, and two lines down, the helpful comment that the pin code can be changed by calling 1-800-whatever. You do so, and here's what happens next:
Voice: Please enter your account number, followed by the pound key [you type]
Voice: Please enter your current telephone access code [you type in the access code in the letter]
Voice: This access code is incorrect. Please try again. [you type - correctly again]
Voice: This access code is incorrect. Please hold for an operator. [you hold]
Operator: XYZ Bank, my name is QRS, how may I help you [you explain]
Operator: To identify you, we have to ask a couple of security questions. What are the last four digits of your social security number ?
Yep. You get the drift. After this exchange, they have everything they need. Lesson learned: Do not ever call "your bank" on a telephone number included in a letter, email or left on your voice mail. Get to know some employees at the bank branch you do business with, and call them with any questions you might have. Recognizing someone's voice beats a "security pin code" any day."

["This machine has no brain.
...... Use your own."]

:ph34r:



#298 AplusWebMaster

Posted 03 May 2010 - 04:56 PM

FYI... "Welcome to: Completely fake Banking online"...

Corporate Identity Theft
- http://www.f-secure....s/00001945.html
May 3, 2010 - "For online criminals, it's easy to gain access to stolen bank accounts and credit cards. What's much harder is to empty those accounts without getting caught. For this, criminals need money mules: individuals who are recruited to move the money. In many cases these individuals have no idea they are working for organized crime. When phishing and banking trojan victims realize they've lost their money, the tracks will lead to the money mules — not the real criminals. an example of an active money mule recruiting campaign. This one is done in the name of a company called Finha Capital... The website looks fairly credible and quick web search shows that indeed, there is a real company with this name, and it has been operating for decades... The problem is, finha-capital .com has nothing to do with Finha Capital Oy. The site is completely fake. The only reason the website finha-capital .com has been created is to use it as a front end to hire gullible end users to do online payments and to move money for the criminals. These guys are using the reputable brand of an existing company to fool people into their scam. And it's not just Finha Capital... Lessons to be learned?
• Realize that identity theft happens to companies as well as to individuals.
• If somebody offers you a work-for-home position that's too good to be true, it probably is.
• Do not move money for others.
• Check that you're really speaking with who you think you're speaking."

(Screenshots available at the F-secure URL above.)

:ph34r: :huh:



#299 AplusWebMaster

Posted 05 May 2010 - 01:38 PM

FYI...

iTunes giftcard Phish/SCAM ...
- http://sunbeltblog.b...s-giftcard.html
May 05, 2010 - "... should the victim hit “Download program”, they’re taken to the endless advert loop of doom from the fake Facebook Hack website*. All in all, a rather horrible thing to fall for – so don’t!"
* http://sunbeltblog.b...ck-website.html
May 05, 2010

(Screenshots available at both URLs above.)

- http://community.web...lware-spam.aspx
7 May 2010
** http://www.virustota...69ea-1273193875
File ITUNES_C.EXE received on 2010.05.07 00:57:55 (UTC)
Result: 8/41 (19.51%)

- http://www.sophos.co...arries-malware/
May 10, 2010

:ph34r: <_<

Edited by AplusWebMaster, 10 May 2010 - 08:53 AM.



#300 AplusWebMaster

Posted 07 May 2010 - 09:58 AM

FYI...

Malicious .SWF file may trigger a DoS attack
- http://blog.trendmic...r-a-dos-attack/
May 7, 2010 - "... Shockwave Flash (.SWF) file that displays an image and downloads a worm with code capable of initiating a denial-of-service (DoS) attack. The file detected as SWF_PALEVO.KK is hosted on a malicious site and runs whenever users access the site. Once loaded, it displays a screenshot of a YouTube video. The said image, however, is embedded with a malicious link... Clicking the image leads users to a malicious site (http://www.{BLOCKED}...er10.0.45.2.exe) to download a file detected by Trend Micro as WORM_PALEVO.KK. Upon execution, the worm displays a fake dialog box purporting to be an Adobe Flash Player installation with instructions in French. Clicking -any- of the given choices leads to the execution of the malware on the affected system... Apart from infecting users’ systems, however, WORM_PALEVO.KK can also initiate a DoS attack that can disable a website, shut down a network, or disrupt a service. This attack is initiated by a remote server that is controlled by a malicious user. The worm receives commands from the remote server to perform several actions such as downloading other malware, downloading updates of itself, and launching a SYN flood attack against target systems. It can also spread and infect a large number of systems since it propagates using MSN Messenger and peer-to-peer (P2P) applications. The variants WORM_PALEVO.KK and SWF_PALEVO.KK are detections related to the Mariposa botnet. Users are strongly advised -against- visiting suspicious-looking sites and clicking the links and images found in them..."

:ph34r: <_<

