SPAM frauds, fakes, and other MALWARE deliveries...



#316 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 01 June 2010 - 06:48 PM

FYI...

... Top Web Malware in May
- http://blog.scansafe...are-in-may.html
June 1, 2010 - "Some interesting stats from May.
• 16196 unique malicious domains.
• The top ten malicious domains comprised 23% of all Web malware attacks in May 2010.
• Five of the top ten were related to attacks against GoDaddy-hosted websites, for a total of 14% of all Web malware in May 2010.
• Top Web malware was Trojan.JS.Redirector.cq, the majority of which resulted from attacks against GoDaddy-hosted websites.
• Gumblar was the second most prevalent Web malware encountered, at 7%.
• Third most prevalent Web-distributed malware encountered was Backdoor.Win32.Alureon, at 6%.
Top Ten Malicious Domains, May 2010
holasionweb .com* - 7%
www.sitepalace .com - 3%
losotrana .com* - 2%
indesignstudioinfo .com* - 2%
kdjkfjskdfjlskdjf .com* - 2%
easfindnex .org - 2%
findermar .org - 2%
76.73.33.109 - 2%
findrasup .org - 1%
zettapetta .com* - 1%
*Related to attacks against GoDaddy-hosted websites
Top Ten Web Malware, May 2010
Trojan.JS.Redirector.cq - 14%
Exploit.JS.Gumblar - 7%
Backdoor.Win32.Alureon - 6%
Exploit.Java.CVE-2009-3867.d - 3%
Trojan.JS.Redirector.at - 3%
Downloader.JS.Agent.fhx - 2%
OI.Backdoor.Win32.Autorun.cx - 2%
OI.Win32.Susp.ms - 2%
Trojan.Iframe.f - 2%
Trojan.GIFIframe.a - 2% "

:ph34r: :ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#317 AplusWebMaster


Posted 02 June 2010 - 04:01 PM

FYI...

Samsung Wave - infected microSD card
- http://www.engadget....d-microsd-card/
June 2, 2010 - "Did you get a Samsung Wave today, or perhaps early last week? You might not want to connect it to your computer, just in case. We're hearing anecdotal reports that the 1GB microSD card shipped with certain German units includes a nasty surprise: it automatically installs the trojan Win32/Heur using the file "slmvsrv.exe"...
Update: Samsung HQ got in touch with MobileBurn to confirm the existence of the virus in shipping S8500 Wave handsets, but said that the outbreak was confined to the German market's initial production run and all other shipments are A-OK. Still, there's no harm in disabling autorun before connecting one to your PC, eh?"

:ph34r:



#318 AplusWebMaster


Posted 03 June 2010 - 08:33 AM

FYI...

FBI Spam? ...
419 Scam Resurfaces with FBI SPAM
- http://blog.trendmic...-out-scam-mail/
June 3, 2010 - "Cybercriminals have found yet another way to grab users’ attention. This time, they posed as members of the Federal Bureau of Investigation (FBI) from Washington D.C. to scam users with a spammed message... As in any other scam, the email sender posed as someone from a legitimate body in this attack. The sender claims to be from the FBI. The spam, meanwhile, informs the recipient that he/she is the beneficiary of US$10.5 million. The fake FBI representative then gives the recipient instructions to contact the head of the “Online Transfer Department” of the United Trust Bank London. The said head, urges the email, is the only person who can take responsibility for giving out the promised millions. It even advises the email recipient to strictly follow the instructions in order to make the claim. This, of course, is a hoax. For greater irony and to prove that cybercriminals will go for desperate measures to trick their victims, a note has even been added at the end. This informs the recipient of possible fraudsters who might attempt to deal with him/her. To avoid becoming a victim of such a scam, always pay attention to every detail in email messages you receive. One can easily distinguish what is real and what is fake via careful observation. All you need to do is to carefully observe..."

(Screenshot available at the URL above.)

:ph34r: <_<



#319 AplusWebMaster


Posted 04 June 2010 - 04:04 AM

FYI...

Twitter malicious SPAM - password reset...
- http://community.web...sword-spam.aspx
03 Jun 2010 07:18 PM - "Websense... has detected a spam posing as a Twitter Password Reset Notification. We have seen about 55,000 instances of this malicious spam email so far... The spam contains a link to a compromised Web site that, when clicked or pasted into the browser, prompts the user to download a malicious executable named password.exe. The executable turns out to be a rogue AV called Protection Center Safebrowser. What distinguishes this rogue AV from the others is that it actually displays on the user's desktop some of the malicious files it installs. This makes the attack notification more believable. The attack is detected as Trojan.Generic.Win32 (SHA:0b00649c14b96219dd080a0ce6492c4d04c7f45c) and is currently recognized by 19 of the 41 engines on Virus Total*..."
* http://www.virustota...9332-1275590333
File 204bec9018693bba6200c0280cf4366e9 received on 2010.06.03 18:38:53 (UTC)
Result: 19/41 (46.34%)

(Screenshots available at the Websense URL above.)

:ph34r: <_<



#320 AplusWebMaster


Posted 09 June 2010 - 06:23 AM

FYI...

SPAM campaigns send millions of emails
- http://community.web...st-weekend.aspx
7 Jun 2010 - "Websense... detected 3 spam campaigns with millions of emails...
• Confirm Twitter password, and Twitter security model setup ...
• Facebook account deactivated, or invited by somebody famous ...
• Outlook Setup Notification ...

The statistics... show that spam increased by 15,700 daily on average during the weekend, compared to work days..."

(Screenshots available at the URL above.)

:ph34r: :ph34r: :ph34r:



#321 AplusWebMaster


Posted 10 June 2010 - 07:50 AM

FYI...

ZeuS SPAM attack spoofs IRS, Twitter, Youtube
- http://krebsonsecuri...witter-youtube/
June 9, 2010 - "Criminals have launched a major e-mail campaign to deploy the infamous ZeuS Trojan, blasting out spam messages variously disguised as fraud alerts from the Internal Revenue Service, Twitter account hijack warnings, and salacious Youtube.com videos. According to Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham, this latest attack* appears to be an extension of a broad malware spam campaign that began at the end of May. The fake IRS e-mails arrive with the tried-and-true subject line “Notice of Underreported Income,” and encourage the recipient to click a link to review their tax statement. All of the latest e-mails use a variety of URL shortening services... Warner said anti-virus detection for this malware is extremely low: Only three out of 40 different anti-virus products detected the file as malicious**, yet none of those currently identify it for what it is: Another new version of the ZeuS Trojan. These broad attacks usually are quite successful, and in the past they have been used to great effect by the same criminal gangs that have been stealing tens of millions of dollars from small to mid-sized businesses..."
* http://garwarner.blo...erreported.html
June 08, 2010

** http://www.virustota...dc96-1276042845
File 1276042605.tax-statement.exe received on 2010.06.09 00:20:45 (UTC)
Result: 3/40 (7.50%)

:ph34r: :ph34r: :ph34r:



#322 AplusWebMaster


Posted 10 June 2010 - 10:30 AM

FYI...

SCAMS - Gulf oil spill ...
- http://www.ftc.gov/b...rts/alt058.shtm
06/09/2010 - "... The Federal Trade Commission... cautions consumers and businesses to be on the alert for fraudulent activity related to the explosion aboard the Deepwater Horizon drilling rig and the resulting spill – and to report their experiences to federal and state authorities. British Petroleum (BP) leased the rig, which was owned and operated by Transocean. The FTC says it’s likely that scammers will use e-mails, websites, door-to-door collections, flyers, mailings and telephone calls to make contact and solicit money. Some may claim they’re raising money for environmental causes or offer fraudulent services – like remediation services – related to the oil spill. Others may claim they can expedite loss claims for a fee. Still others may knock on your door and talk about placing booms or checking for oil on your property. Chances are they’re trying to gain your trust to get inside your home or get access to your personal information. The FTC says that at the very least, you will want to do some homework before making a donation or entering into an agreement for services..."
- http://www.ftc.gov/charityfraud/

(More detail at -both- FTC URLs above.)

Also see:
- http://www.avertlabs...rketing-window/

- http://www.infosecur...alware/168.aspx
June 7, 2010 - "... Attempting to play the video on these fake pages prompts the user to install a ‘media codec’ which then infects the machine with malware... fake YouTube pages are well crafted and look almost identical to the real site. By using websites like YouTube, cyber criminals are taking advantage of users’ inherent trust in the site and are able to infect more machines. Each page claims to have a “Hot Video” associated with anything from the Gulf Oil Spill to the NBA Playoffs. Google search results show 135,000 of these infected pages at the time of writing..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 15 June 2010 - 07:02 AM.



#323 AplusWebMaster


Posted 14 June 2010 - 10:29 AM

FYI...

More World Cup scams, SPAM, etc...

- http://sunbeltblog.b...-off-bench.html
June 14, 2010

- http://www.symantec....dult-video-site
June 13, 2010

- http://www.sophos.co...oslabs/?p=10015
June 11, 2010

- http://www.symantec....end-user-survey
June 10, 2010 - "... best practices:
• Don’t open unsolicited e-mails or social media messages purporting to contain special offers or extraordinary deals related to the World Cup, and especially don’t click on any links in such messages.
• If an online offer appears to be too good to be true, it probably is. Scammers often try to make their bogus offers sound so great that they would be nearly impossible to pass up…if they were real that is.
• Be careful about what “official” social networking accounts you follow, such as those that appear to be created by World Cup teams or players. Often, cybercriminals will create accounts posing to be someone they’re not.
• When searching for online video of the World Cup, avoid sites you’ve never heard of before and if you’re told you must update your media player before viewing a video, be very cautious as this might be a ploy by attackers to get you to download malware..."

- http://pandalabs.pan...p-bhseo-attack/
06/9/10

:ph34r: :ph34r:

Edited by AplusWebMaster, 14 June 2010 - 01:15 PM.



#324 AplusWebMaster


Posted 15 June 2010 - 08:13 AM

FYI...

Twitter - PDF exploit SPAM run... in progress
- http://sunbeltblog.b...on-twitter.html
June 15, 2010 - "There appears to be a bit of a mad dash to infect people by the boatload on Twitter, with a variety of different messages being sent to random targets... account endlessly says “Wow, a marvelous product”. Click the link, and you might be redirected to some sort of paid movie service... If you’re unlucky, however, you’ll end up at a URL such as fqsmydkvsffz(dot)com/tre/vena(dot)html, where PDF exploits await... phrases used for this spamrun include:
Wow, An incredible Product
Wow, A shocking Discovery
Watch This
I Just Cant Beleive This
Wow, A stunning Product
Wow, A Revolutionary Product
Wow, A fascinating Site

This isn't the first malicious spamrun on Twitter, and it certainly won't be the last. With that in mind, it might be best to avoid random links sent to you from strangers. You never quite know what’s at the other end."

:ph34r: <_<



#325 AplusWebMaster


Posted 17 June 2010 - 08:07 AM

FYI...

.gov site hosts Phish - UK banks
- http://sunbeltblog.b...uk-banking.html
June 16, 2010 - "... something rather nasty on the Central Department .gov portal which can be found at central(dot)gov(dot)py... fourteen different banking / financial services phishes including Barclays, Abbey, Northern Rock, Halifax and Lloyds TSB. Clearly, someone is desperate to get their hands on as many UK banking credentials as possible. These phishes are all online at the moment although some appear to be flagged in browsers such as Firefox. We’ve contacted the hosts and hopefully all of the above will be offline shortly."

(Screenshots available at the Sunbelt blog URL above.)

:ph34r: <_<



#326 AplusWebMaster


Posted 21 June 2010 - 06:43 PM

FYI...

GoDaddy Scam/Phish/Spam
- http://isc.sans.edu/...ml?storyid=9043
Last Updated: 2010-06-21 23:20:29 UTC - "A number of readers (and myself included) have received an email claiming to be from GoDaddy. The email is grammatically correct, and appears quite genuine. The subject is "GoDaddy.com Order Confirmation" and interestingly the images within the HTML are pulled from imagesak.godaddy.com, excepting one which came from "hxxp ://img.securepaynet.net/bbimage.aspx?pl=somecodeandmyemailaddress". The links in the emails I have seen point to "hxxp ://dextersss-com-ua.1gb.ua/zzx.htm" among others. The phishing site and IP address and domain registration are in the Ukraine."

:ph34r: <_<



#327 AplusWebMaster


Posted 22 June 2010 - 01:41 PM

FYI...

Lenovo Support website loads malicious IFrame, infects visitors with Trojan
- http://cyberinsecure...rs-with-trojan/
June 22, 2010 - "The support site of leading Chinese PC manufacturer Lenovo has been compromised by unknown attackers who injected a rogue IFrame into the pages over the weekend. Security researchers warn that unwary visitors looking for drivers are exposed to several exploits that install the Bredolab trojan onto their computers. According to a report from Vietnamese antivirus vendor Bkis, the pages have been infected since at least Sunday afternoon. However, some users have been reporting getting antivirus warnings when visiting Lenovo’s download website since Saturday. The IFrame points to an exploit kit hosted on a domain called volgo-marun .cn. After performing several checks to determine what vulnerable software they had installed on their computer, the visitors were served with exploits targeting older versions of Internet Explorer, Adobe Reader or Adobe Flash player... At the moment, the malicious executable is detected by only ten of the 41 antivirus products listed on VirusTotal. The entire download.lenovo .com subdomain has been blacklisted by Google’s Safe Browsing service. This means that Firefox or Chrome users should see malware warnings when opening resources hosted on it... Even though the malicious .cn domain appears to be dead at the moment, it could return back online at any time. Therefore, users are advised to stay clear of the Lenovo support website for a couple of days, until the manufacturer has a chance to clean it up and plug the hole that allowed the compromise in the first place."

:ph34r: <_<



#328 AplusWebMaster


Posted 23 June 2010 - 05:51 AM

FYI...

"Account Verification" - Malicious SPAM
- http://community.web...rification.aspx
22 Jun 2010 - "Websense... has detected a malicious spam outbreak with the Subject line "Account Verification". As of June 22, we have counted more than 100,000 of these messages. The attack message is disguised as coming from Digg.com. It asks the recipient to verify their Digg.com account. Clicking the "Password change" link in the email body redirects the user to malicious websites... There are two malicious links in the payload. The first link redirects the user to a site that prompts the user to download a Trojan file (29% detection)*. The second link (in an iframe) redirects the user to a site laden with exploits..."
* http://www.virustota...c061-1277203516
File D38C95FD009D21A46235010C3C9F0A00DCC1E9F6.exe received on 2010.06.22 10:45:16 (UTC)
Result: 12/41 (29.27%)

(Screenshot available at the Websense URL above.)

:ph34r: <_<



#329 AplusWebMaster


Posted 24 June 2010 - 06:20 AM

FYI...

Targeted attacks with Excel files
- http://www.f-secure....s/00001975.html
June 24, 2010 - "... fresh set of attacks done with XLS files... This is some sort of personnel list. Like the other examples here, it drops and runs a backdoor when viewed... An apparent agenda... a list of organizations... A budget file... FIFA World Cup 2010 match schedule... The exploit in these files targets Excel Pointer Offset Memory Corruption Vulnerability CVE-2009-3129*. As you can see, such attack files can look like perfectly normal and credible document files..."
* http://web.nvd.nist....d=CVE-2009-3129
CVSS v2 Base Score: 9.3 (HIGH)
MS09-067

(Screenshots available at the F-secure URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 24 June 2010 - 07:47 AM.



#330 AplusWebMaster


Posted 29 June 2010 - 10:00 AM

FYI...

DHS site - iFrame injection...
- http://www.pcmag.com...,2365796,00.asp
06.28.2010 - "... The home page links to http://blog.dhs.gov/ , which doesn't exhibit any malicious behavior. The malicious part of the Web page is an iframe inserted at the very end of the file after the </html>:
...http ://internetcountercheck .com/?click=9435343... This is obviously injected code and I'm guessing it has gone unnoticed because DHS no longer uses this blog. Incidentally, Kaspersky Internet Security calls the link "Trojan-Clicker.HTML.IFrame.agb"... Roger Thompson of AVG, author of its Linkscanner tools, was online. I asked him for help in deciphering the messages. Internetcountercheck .com was a big deal in malware distribution in early 2009, but it hasn't showed up on the threat board at all lately. Google's analytics still classify the site as suspicious* (the main reason I got the warning I got) and there still seem to be injections going on, but I think this is from old malware. The current content at internetcountercheck .com appears innocuous. Roger guesses that the domain lapsed and someone else is currently parking it. It's registered to some guy in Prague... Not a "cyber emergency," to coin a phrase, but it speaks ill of the people in charge of security for the site. These are the same people who some want to police your ISP, your bank, and other vendors on whom you rely..."
* http://www.google.co...untercheck.com/

:ph34r: <_<

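One way a site owner can audit pages for the append-after-</html> injection the PCMag piece describes, as an added Python example that is not part of the post or the article (the sample pages and the evil.example domain are constructed placeholders, not the indicator from the story):

```python
"""Flag HTML documents that carry injected markup after the closing </html> tag.

A well-formed page ends at </html>; the DHS blog case had an <iframe> pasted
after it, which ordinary template review can miss. This scanner isolates the
tail of the document and reports any iframe/script sources it finds there.
Constructed sample pages are included so it runs offline.
"""
import re
import sys
from dataclasses import dataclass, field

CLOSE_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)
IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


@dataclass
class Finding:
    trailing_bytes: int                      # non-whitespace bytes after </html>
    iframe_srcs: list = field(default_factory=list)
    script_srcs: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Any iframe or remote script living past the closing tag is a red flag.
        return bool(self.iframe_srcs or self.script_srcs)


def trailing_content(html: str) -> str:
    """Return whatever follows the last </html>, or '' if the tag is absent."""
    matches = list(CLOSE_HTML_RE.finditer(html))
    if not matches:
        return ""
    return html[matches[-1].end():]


def scan_page(html: str) -> Finding:
    """Scan one HTML document; iframes inside the body are deliberately ignored,
    only markup appended after </html> is examined."""
    tail = trailing_content(html).strip()   # trailing whitespace is normal
    finding = Finding(trailing_bytes=len(tail))
    finding.iframe_srcs = IFRAME_RE.findall(tail)
    finding.script_srcs = SCRIPT_RE.findall(tail)
    return finding


def scan_file(path: str) -> Finding:
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_page(fh.read())


# Constructed samples: a clean page and one with a 1x1 iframe appended after </html>.
CLEAN_PAGE = "<html><body><p>hello</p></body></html>\n"
INJECTED_PAGE = (
    "<html><body><p>hello</p></body></html>\n"
    '<iframe src="http://evil.example/?click=123" width="1" height="1"></iframe>'
)

if __name__ == "__main__":
    # Usage: python scan.py page1.html page2.html ...; with no args, scan the samples.
    if len(sys.argv) > 1:
        results = {p: scan_file(p) for p in sys.argv[1:]}
    else:
        results = {"clean": scan_page(CLEAN_PAGE), "injected": scan_page(INJECTED_PAGE)}
    for name, f in results.items():
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{name}: {flag} trailing={f.trailing_bytes} "
              f"iframes={f.iframe_srcs} scripts={f.script_srcs}")
```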
