
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#346 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 13 August 2010 - 03:21 PM

FYI...

Red Cross site(s) hacked...
- http://www.esecurity...int.php/3898516
August 13, 2010 - "Zscaler this week uncovered a new malware scam targeting the Red Cross of Serbia, the second time in five months that hackers have zeroed in on one of the international humanitarian organization's public websites. Hackers managed to inject a malicious JavaScript file, "hxxp ://obsurewax.ru/Kbps .js" into several pages on the Red Cross of Serbia's homepage. Most antivirus software programs now prevent Internet users from accessing the site, but before being caught, the malware could have infected users' machines to capture personal information and spread even more malware and spam... Back in March, the American Red Cross East Shoreline Chapter's website* was hit by a malware campaign that used iframe injections to infect several pages with malicious code and links. Zscaler said it has already notified the Red Cross of Serbia of this latest cyber attack. The assault marks only the latest victory for cyber criminals as they launch ever more numerous efforts to penetrate users' systems and steal critical data..."
* http://research.zsca...ite-hacked.html

:ph34r: <_<

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#347 AplusWebMaster


Posted 22 August 2010 - 04:38 PM

FYI...

ZeuS targets US Military personnel
- http://blog.trendmic...tary-personnel/
Aug. 22, 2010 - "Today, we saw a malware variant created with the well known Zeus toolkit which appears to target members of the US military serving overseas. Targets of this scam will receive an email with the following text:

Dear Bank of America Military Bank customer:
This letter is to inform you that there is an update required for your Bank of America Military Bank Account, for this reason your account has been flagged.
In order to update your account, please follow this link.
Thank you for banking with us!
Bank of America Military Bank accounts support.

Should the recipient click on the link they will be brought to a page that is almost identical to that of the real login page for the bank. However, this fake login page is actually hosted in Russia... whatever combination the user enters, they are brought to a page hosting an Update Tool which must be installed to ensure that the user's account is not locked... UpdateTool.exe is a ZeuS variant... Unfortunately, most people who fall for this scam will not even be given the opportunity to manually download the executable, as this attack first runs a whole suite of browser exploits at the targets first. This leaves manually downloading the file as a last resort attack vector..."

(Screenshots and more detail available at the URL above.)

:ph34r: <_<



#348 AplusWebMaster


Posted 27 August 2010 - 09:38 AM

FYI...

Obfuscated links in emails using JavaScript
- http://techblog.avir...-javascript/en/
August 27, 2010 - "Our spam traps started to receive a bunch of Phishing emails... having no link inside. We know many tricks how to hide the URL (JavaScript, form, etc.) but this one was new: Pretending to be an invoice in HTML format, the attached HTML document displays the same content as in the mail body and immediately redirects to the fake website... The email looks quite usual for spam or Phishing on first sight, but the interesting part comes after analysing the attached HTML document. The document contains, inside the row of a table, a piece of obfuscated JavaScript code. In simple terms, the JavaScript code uses the property of each document called “location” to redirect the web browser to the fake website. The first idea coming to mind is that almost no modern email client executes JavaScript when rendering an HTML document. However, even if the email client (Outlook, Windows Mail, Thunderbird, etc.) doesn’t execute the script, the web browser does. As soon as the user opens the attachment with a double click, the web browser opens it and gets immediately redirected to the fake website. The website wasn’t available anymore when we started to analyze the emails."

(Screenshots available at the URL above.)

:ph34r:



#349 AplusWebMaster


Posted 31 August 2010 - 07:18 AM

FYI...

SPAM/malware fake delivery failure msgs
- http://tools.cisco.c...x?alertId=19743
Last: August 30, 2010 - "... significant activity related to spam e-mail messages that inform the recipient about the delivery failure of a United Parcel Service (UPS) shipment. The message instructs the recipient to print a label in the attached .zip file and collect the package from a UPS office. However, the attachment actually contains a malicious .exe file that, if executed, attempts to infect the user's system with malicious code...
Subject: UPS Delivery Problem RN 26489...
Subject: UPS INVOICE NR9030102...
Subject: Fedex Item Status N7185272..."

- http://labs.m86secur...-asprox-binary/

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 01 September 2010 - 07:06 AM.



#350 AplusWebMaster


Posted 03 September 2010 - 08:48 AM

FYI...

iTunes v10 - Ping SPAM...
- http://www.sophos.co...nt-spam-coming/
September 2nd, 2010 - "Apple launched iTunes 10 yesterday along with their updated hardware platforms. Aside from supporting the newest generation of iPod and Apple TV devices, this new version of iTunes also introduces a new social media service branded as Ping. If you use iTunes, you should definitely update to iTunes 10 as it fixes thirteen separate vulnerabilities... apparently Apple didn't consider this when designing Ping, as the service implements no spam or URL filtering. It is no big shock that less than 24 hours after launch, Ping is drowning in scams and spams."

- http://www.newsfacto...id=003000C9B0YI
September 3, 2010 - "... Some Ping posts are attempting to trick users into believing they will receive a free iPhone if they complete online surveys. Sophos published research earlier this year demonstrating a 70 percent increase in the number of users reporting spam and malware being spread via social networks, a trend that continues to grow. It would appear that Apple missed that report..."

:( :ph34r: <_<

Edited by AplusWebMaster, 03 September 2010 - 12:36 PM.



#351 AplusWebMaster


Posted 07 September 2010 - 07:09 AM

FYI...

Survey SPAM on YouTube
- http://www.sophos.co...ey-spam-youtube
September 7, 2010 - "... themes that has been coming through loud and clear in the security world for the last few months has been the use by scammers of revenue-generating surveys... mostly impacting Facebook users, where unsuspecting computer owners click on a link shared with them via the social networking site only to discover that they have to complete a survey before seeing some typically salacious content. The scammers, meanwhile, earn their crust by receiving a small commission for each survey that is completed. These survey scams, however, are not just limited to Facebook... It doesn't matter if you receive a message via Facebook, YouTube or traditional email - you should always be suspicious of unsolicited communications and think before you click."

:ph34r: <_<



#352 AplusWebMaster


Posted 08 September 2010 - 08:23 AM

FYI...

Cybercrime strikes more than 2/3 of Internet Users
- http://www.symantec....rid=20100908_01
September 8, 2010 – "... You might be just one click away from becoming the next cybercrime victim. A new study released today from security software maker Norton reveals the staggering prevalence of cybercrime: Two-thirds (65 percent) of Internet users globally, and almost three-quarters (73 percent) of U.S. Web surfers have fallen victim to cybercrimes, including computer viruses, online credit card fraud and identity theft. As the most victimized nations, America ranks third, after China (83 percent) and Brazil and India (tie 76 percent). The Norton Cybercrime Report: The Human Impact* shines a light on the personal toll cybercrime takes... victims’ strongest reactions are feeling angry (58 percent), annoyed (51 percent) and cheated (40 percent), and in many cases, they blame themselves for being attacked. Only 3 percent don’t think it will happen to them, and nearly 80 percent do not expect cybercriminals to be brought to justice — resulting in an ironic reluctance to take action and a sense of helplessness... Despite the emotional burden, the universal threat, and incidents of cybercrime, people still aren’t changing their behaviors - with only half (51 percent) of adults saying they would change their behavior if they became a victim. Even scarier, fewer than half (44 percent) reported the crime to the police... According to the report, it takes an average of 28 days to resolve a cybercrime, and the average cost to resolve that crime is $334. Twenty-eight percent of respondents said the biggest hassle they faced when dealing with cybercrime was the time it took to solve..."
* http://cybercrime.newslinevine.com/

Cybercrime Map:
- http://i.i.com.com/c...bercrimeMap.png

:ph34r: <_<



#353 AplusWebMaster


Posted 10 September 2010 - 07:16 AM

FYI...

'Here you have...' SPAM/virus
- http://isc.sans.edu/...ml?storyid=9529
Last Updated: 2010-09-09 21:49:06 UTC ...(Version: 2) - "We are aware of the "Here you have" malware that is spreading via email. As we find out more, we'll update this diary.
Update: 2010-09-09 21:28 UTC (JAC) There are several good writeups on the behavior of this malware, see some of the references below. The spam contains a link to a document, the link looks like it is to a PDF, but is, in fact, to a .SCR file and served from a different domain from what the link appears to point to. The original file seems to have been removed, so further infections from the initial variant should not occur, but new variants may well follow. The .SCR when executed downloads a number of additional tools, one of which appears to attempt to check in with a potential controller. The name associated with the controller has been sink-holed. The malware attempts to deactivate most anti-virus packages and uses the infected user's Outlook to send out its spam.
References:
http://www.virustota...4b7-1284058335#
File name: PDF_Document21_025542010_pdf.scr
Submission date: 2010-09-09 18:52:15 (UTC)
Result: 13/43 (30.2%)
http://www.threatexp...192fb46cd0cc9c9
http://www.threatexp...b974a2d9da7bc61
http://www.avertlabs...you-have-virus/

- http://sunbeltblog.b...-have-worm.html
September 10, 2010 - "... The subject line on the email was “Here you have” or “Just For you”..."

- https://kc.mcafee.co...=...7&actp=LIST
Last Modified: September 09, 2010 - "... confirmation that some customers have received large volumes of spam containing a link to malware, a mass-mailing worm identified as VBMania. The symptom reported thus far is that the spam volume is overwhelming the email infrastructure. Static URLs in the email link to a .SCR file. McAfee recommends that customers filter for the URL on gateway and email servers, and block the creation of .SCR files on endpoint systems..."

- http://www.symantec....-you-have-virus
September 10, 2010 - "... the huge volume of traffic can actually take down servers...
1. Outbreak detection: Identify that an active outbreak is occurring because of the volume of traffic generated by the same malicious email
2. Internal mail filtering: Block all internal traffic of the "Here you Have" email* using Content Filtering
3. Mail store / inbox cleanup: Seek out and eliminate the "Here you Have" email from Mail Stores and end user inboxes..."
(Suggested add: "Just For you")

- http://www.symantec....m-here-you-have
September 9, 2010 - "... confirmed reports of a worm spreading through email under the subject "Here you have". The mail to the unsuspecting recipient claims to be providing a document available through a URL. The URL is spoofed and actually points to a malicious binary being hosted on a different server..."

- http://community.web...g-as-a-PDF.aspx
10 Sep 2010 - "... When the user clicks and follows the link, a malicious file is downloaded, which further spreads the email campaign by pillaging the user's Outlook address book. This makes the attack more convincing as the source of the email could be legitimate and trusted..."

- http://www.theregist...worm_spreading/
10 September 2010 - "... McAfee said multiple variants of the worm appear to be spreading, so it's not yet clear that the malicious screensaver is hosted by a single source."

- http://www.symantec....eatconlearn.jsp
9/10/2010 - "The ThreatCon is currently at Level 3: High. The ThreatCon has been raised to Level 3 due to increased activity. Symantec is observing a new threat spread through a socially engineered email attack. The email convinces the recipient to follow a link to open a malicious binary (disguised as a PDF)..."

- http://www.virustota...04b7-1284133892
File name: csrss.exe
Submission date: 2010-09-10 15:51:32 (UTC)
Result: 32 /43 (74.4%)

- http://blogs.technet...rm-visal-b.aspx
10 Sep 2010 4:40 PM

- http://www.microsoft...ges/visal-b.png
Charted - Sep. 10, 2010 18:59 GMT

:ph34r: <_<

Edited by AplusWebMaster, 11 September 2010 - 11:49 AM.
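
The SANS diary quoted above describes a link that looks like a PDF but points to a .SCR file served from a different domain. As an added example (not part of the original post or the quoted advisories), this Python check flags that mismatch in an HTML mail body; the `.example` hosts, the function names and the extension list are assumptions, and the file name is the one reported above.

```python
"""Flag HTML e-mail links whose visible text disagrees with the real target."""
import posixpath
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of extensions that should never arrive as a "document" link.
RISKY_EXTENSIONS = {".scr", ".exe", ".pif", ".bat", ".cmd", ".vbs"}
URL_IN_TEXT = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_and_ext(url):
    """Return (hostname without leading www., lower-cased path extension)."""
    if not re.match(r"[a-z][a-z0-9+.-]*://", url, re.IGNORECASE):
        url = "http://" + url
    try:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
    except ValueError:          # malformed authority, e.g. a broken IPv6 literal
        return "", ""
    if host.startswith("www."):
        host = host[4:]
    return host, posixpath.splitext(parts.path)[1].lower()


def audit_links(html_body):
    """Return one finding per link that is executable or visually misleading."""
    collector = AnchorCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for href, text in collector.links:
        reasons = []
        real_host, real_ext = host_and_ext(href)
        if real_ext in RISKY_EXTENSIONS:
            reasons.append("target-is-executable")
        shown = URL_IN_TEXT.search(text)
        if shown:
            shown_host, shown_ext = host_and_ext(shown.group(0).rstrip(".,;:)!?"))
            if shown_host and real_host and shown_host != real_host:
                reasons.append("host-mismatch")
            if shown_ext and shown_ext != real_ext:
                reasons.append("extension-mismatch")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample body; hosts are placeholders, file name as reported above.
SAMPLE_BODY = """<html><body>
<p>Document link:
<a href="http://files.other-host.example/library/PDF_Document21_025542010_pdf.scr">
http://www.shared-docs.example/library/PDF_Document21_025542010.pdf</a></p>
<p>Home page: <a href="http://www.shared-docs.example/about.html">www.shared-docs.example</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_BODY):
        print(finding["reasons"], finding["href"])
```

A link whose text is not a URL ("click here") can only be judged on its target, so it is reported solely when the target extension is in the risky list.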



#354 AplusWebMaster


Posted 11 September 2010 - 04:28 PM

FYI...

“Here you have” worm linked...

- http://www.securewor...hreats/visal-b/
September 22, 2010 - "... Prevention:
In addition to network-based monitoring and detection, CTU recommends the following steps to help protect your organization from this and future threats.
• Avoid clicking links in email messages...
• Disable AutoRun...
• Limit user privileges...
• Secure WMI...
• Update host and gateway antivirus product signatures...
• Think twice before allowing your web browser to remember your passwords for you..."

- http://pandalabs.pan...onic-jihadists/
Sep 10

- http://www.darkreadi...cleID=227400137
Sept. 10, 2010

- http://ddanchev.blog...earch-into.html
September 11, 2010

- http://www.computerw...e_you_have_worm
September 12, 2010

- http://www.theregist..._you_have_worm/
13 September 2010

- http://www.symantec..../...-99&tabid=2

:ph34r: :ph34r:

Edited by AplusWebMaster, 27 September 2010 - 05:36 AM.



#355 AplusWebMaster


Posted 13 September 2010 - 11:01 AM

FYI...

More malware 4 U today...

- http://www.pcworld.c..._why_worry.html
13 Sep 2010 - "... gives SEOs more opportunities to apply their expertise than ever before..."

- http://www.symantec....-attackers-back
13 Sep 2010 - "... we were quite certain that the gang behind Trojan.Hydraq hadn't gone away. It looks like they are back..."

- http://community.web...challenges.aspx
13 Sep 2010 - "... PDF obfuscation that we have recently seen in a mass injection..."

:ph34r: <_<



#356 AplusWebMaster


Posted 15 September 2010 - 06:04 AM

FYI...

Recent SPAM / fakes ...
- http://tools.cisco.c...Outbreak.x?i=77
Threat Outbreak Alert: Fake Fax Notification E-mail Messages...
September 14, 2010
Threat Outbreak Alert: Fake Craigslist Ticket E-mail Messages...
September 14, 2010
Threat Outbreak Alert: Fake Online Poker Winner Notification E-mail Messages...
Updated! September 13, 2010
Threat Outbreak Alert: Fake Trojan Analysis E-mail Messages...
September 13, 2010
Threat Outbreak Alert: Fake Western Union Money Transfer Notification E-Mail Messages...
September 13, 2010
Threat Outbreak Alert: Fake iToken Update E-mail Messages...
Updated! September 11, 2010 ...

- http://sunbeltblog.b...fall-where.html
September 15, 2010 - "... another Facebook scam... adware-infected games and job search help..."

:ph34r: <_<

Edited by AplusWebMaster, 15 September 2010 - 12:28 PM.



#357 AplusWebMaster


Posted 16 September 2010 - 03:09 AM

FYI...

Zeus malicious email msgs...
- http://community.web...ds-to-zeus.aspx
15 Sep 2010 - "Websense... has detected another wave of Zeus malicious email messages. This campaign is related to the familiar "pharma" spam messages that we see everyday, with one exception. This campaign combines an HTML or ZIP attachment with a social engineering technique, similar to what we normally see in malicious email campaigns. For example, the message may state that $375 has been sent to a mail recipient's account, and include a link to view the transaction in the recipient's account. Opening the attachment results in a compromised user machine via an obfuscated JavaScript in the attached HTML file. So far, we have seen this type of email with subjects like "Labels and such" and "Greetings from Rivermark Bill Payer!"... In the case of an HTML attachment, criminals use obfuscated JavaScript. Content is encrypted with a commercially available HTML obfuscation tool... For email messages that have ZIP attachments, the ZIP file has coverage in VirusTotal - 5/43*. The "label.zip" file contains "label.exe" which is a copy of Zeus. The malware copies itself to "C:\Documents and Settings\user\Application Data\Ewca\refef.exe" and tries to access two sites located in the .ru zone..."
(There is a more up-to-date report (12/43) for this file.)
* http://www.virustota...7303-1284603849
File name: e7023277449d3df3ed1af4ff757b1f7e
Submission date: 2010-09-16 02:24:09 (UTC)
Result: 12/43 (27.9%)

Zeus: http://searchsecurit...1431252,00.html
"... Because a Trojan built with a Zeus toolkit is so adaptable, variations of Zeus Trojans are often missed by anti-virus software applications. According to a report by security vendor Trusteer, 77% of the PCs infected with Zeus Trojans have up-to-date anti-virus software..."

:ph34r: <_<

Edited by AplusWebMaster, 16 September 2010 - 03:45 AM.



#358 AplusWebMaster


Posted 17 September 2010 - 04:22 AM

FYI...

Songlyrics.com compromised/injected...
- http://community.web...cious-song.aspx
16 Sep 2010 - "... Websense... has detected that the popular site Songlyrics.com (with approximately 200,000 daily page views and 2,000,000 unique visitors) is compromised and injected with obfuscated malicious code... Once a user accesses the main page of the song lyrics site, injected code redirects to an exploit site loaded with the Crimepack exploit kit. Attempted exploits result in a malicious binary (VT 39.5%*) file that's run on the victim's computer. Once infected, the machine becomes another zombie-bot in the wild... It appears that the majority of pages served by Songlyrics.com are compromised..."
(Screenshots and more detail available at the Websense URL above.)

(There is a more up-to-date report (21/43) for this file.)
* http://www.virustota...fb01-1284689796
File name: addeedd60b7be1fb234aceaf2eef824e
Submission date: 2010-09-17 02:16:36 (UTC)
Result: 21/43 (48.8%)
___

Facebook / Youtube - compromised webpages
- http://www.theinquir...omised-webpages
Sep 17 2010- "... AVG is warning users of social notworking services to be on their guard after its research uncovered the 20,000 odd compromised pages, 11,701 of which are on the world's largest social network, Facebook. The insecurity outfit also found that Youtube has 7,163 compromised pages..."
- http://www.avg.com/u...mcr7.ndi-232491

:ph34r: :ph34r:

Edited by AplusWebMaster, 17 September 2010 - 09:28 AM.



#359 AplusWebMaster


Posted 22 September 2010 - 04:13 AM

FYI...

Cutwail SPAM cocktail
- http://labs.m86secur...-spam-cocktail/
September 21, 2010 - "... we have regularly observed spam campaigns where an HTML attachment contains obfuscated JavaScript redirect code. The Pushdo botnet’s spamming component, Cutwail, has been the culprit behind these types of malicious campaigns. Many different themes and subject lines have been used, such as the following:
America’s Got Talent
Apartment for rent
Shipping Notifications
Labels and such
Invoice for Floor Replacement
Delivery Status Notification (Failure)
Welcome Letter
NFL Picks Week 2
... and other random subjects including... one that uses celebrity names... The attached HTML source code is an obfuscated JavaScript... many variations... After de-obfuscating the JavaScript, we can see the payload which, depending on the sample, varies between redirecting to Fake AV landing pages, Canadian Pharmacy or to pages that host an exploit that attempts to install the Zeus Bot... At the same time, Cutwail is also emitting other malicious spam campaigns, but with ZIP attachments. Extracting the ZIP contains an executable none other than the Sasfis/Oficla Trojan. When we ran a sample, the Trojan was tasked to download a Fake AV downloader... Despite multiple attempts to take down Pushdo’s infrastructure, the gang behind this botnet are resilient... Pushdo’s spam volume has bounced back to levels similar to that before the takedown (representing about 10% of total spam), signifying that the gang’s business is back on track. So expect more malicious spam campaigns, exploits, and social engineering to come..."
(Screenshots available at the URL above.)

- http://blog.webroot....-flood-inboxes/
September 22, 2010

:ph34r: <_<

Edited by AplusWebMaster, 24 September 2010 - 08:14 AM.
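
The Avira, Websense and M86 reports quoted in this thread all describe HTML attachments whose obfuscated JavaScript sets the document's location once a browser opens the file. As an added example (not part of the original posts or the quoted reports), this Python triage walks a message's HTML parts and reports which redirect and decoding indicators their inline scripts contain; the indicator list, the function names and the sample message are assumptions constructed for illustration.

```python
"""Heuristic triage of HTML mail parts for script-driven redirects."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from html.parser import HTMLParser

# Assumed indicator set: redirect sinks plus the decoding primitives that
# usually wrap them in obfuscated attachments. This does not deobfuscate.
INDICATORS = {
    "location-redirect": re.compile(
        r"\b(?:window|document|self|top)\s*\.\s*location\b"
        r"|\blocation\s*(?:\.\s*(?:href|replace|assign)\b|=(?!=))"),
    "dynamic-eval": re.compile(r"\beval\s*\("),
    "string-decoder": re.compile(
        r"\b(?:unescape|decodeURIComponent)\s*\(|String\s*\.\s*fromCharCode"),
    "document-write": re.compile(r"\bdocument\s*\.\s*write(?:ln)?\s*\("),
    "escaped-blob": re.compile(
        r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){8,}"),
}


class ScriptExtractor(HTMLParser):
    """Collect the inline text of every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._buf = None          # None while outside <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None


def triage_message(raw_message):
    """Return one finding per HTML part that carries inline script."""
    findings = []
    for part in message_from_string(raw_message, policy=default).walk():
        name = part.get_filename() or ""
        is_html = (part.get_content_type() == "text/html"
                   or name.lower().endswith((".htm", ".html")))
        if part.is_multipart() or not is_html:
            continue
        content = part.get_content()
        if isinstance(content, bytes):   # .html sent as application/octet-stream
            content = content.decode("utf-8", errors="replace")
        extractor = ScriptExtractor()
        extractor.feed(content)
        extractor.close()
        script = "\n".join(extractor.scripts)
        if not script.strip():
            continue
        findings.append({
            "filename": name,
            "attachment": part.get_content_disposition() == "attachment",
            "indicators": sorted(k for k, rx in INDICATORS.items() if rx.search(script)),
        })
    return findings


def build_sample():
    """Constructed message: plain body plus an HTML 'invoice' attachment."""
    html = (
        "<html><body><table><tr><td>Invoice 0000</td></tr><tr><td>\n"
        '<script>var u = unescape("%68%74%74%70%3A%2F%2F%70%68%69%73%68'
        '%2E%65%78%61%6D%70%6C%65%2F");\ndocument.location = u;</script>\n'
        "</td></tr></table></body></html>\n")
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("Your invoice is attached.\n")
    msg.add_attachment(html, subtype="html", filename="invoice.html")
    return msg.as_string()
```

Any inline script in an HTML attachment is worth a finding on its own, which is why parts with script but no matched indicator are still returned with an empty indicator list.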



#360 AplusWebMaster


Posted 23 September 2010 - 11:42 AM

FYI...

Russian Pro-Spam Registrars
- http://labs.m86secur...pam-registrars/
September 22nd, 2010 - "Since CNNIC, China’s domain regulator, introduced stricter rules for domain registration at the end of last year, spammers have moved on to the Russian .ru TLD to register their spam domains. Similar rules that were apparently made effective on April 1st for Russian registrars do not seem to have had the same effect. Every day we see a continuous stream of newly registered .ru domains in spam email. In fact, in the last month one third of all unique domains we have seen in spam have been .ru domains. This is the highest proportion of any TLD, with .com the second highest accounting for just under one third of spammed domains. Nearly all of these .ru domains are registered through two registrars, Naunet and Reg.ru (also known as NAUNET-REG-RIPN and REGRU-REG-RIPN)... In the last month from spam alone we have seen over 4000 .ru domains registered through Naunet. These are hosting a variety of spam web sites including Ultimate replica, Dr Maxman, online casinos, Via grow and Eurosoft software. We have also seen over 1800 domains registered through Reg.ru in spam over the last month, all of which lead to Canadian pharmacy websites. Reg.ru actually has a feature to register up to 600 domains at once, pretty useful for a spammer... We have however seen domains registered with both of these registrars used as controllers for the Zeus crimeware kit. And recently, Naunet was used to register domains used as control servers for the Asprox botnet, although these were done on a much smaller scale than the spam domains. Several anti-spam groups have already pointed out these registrars as the source of Russian spam domains and that these registrars often ignore requests to suspend illegal domains. With domain blacklisting being a popular anti-spam measure, a continuous supply of fresh domains is vital for any spam operation. These sorts of registrars are making the business of spamming that much easier."

:ph34r: <_<
