2072 replies to this topic

[AplusWebMaster]

FYI...

My Opera Found To Host Malware
- http://threatpost.co...-malware-092410
September 24, 2010 - "... Less than a month after Google's Code hosting service was found to be hosting and serving malicious executables, a search of Opera Software's My Opera free hosting service has also turned up malicious programs, according to a researcher at Kaspersky Lab*. My Opera, a free online hosting service for users of the Opera Web browser, played host to a PHP based IRC botnet, according to a post by Dmitry Bestuzhev, a researcher at Kaspersky Lab. The bot appears to have originated in Brazil, based on an analysis of the code, though its not clear who posted it to the My Opera hosting service or when, Bestuzhev said... he reported the malicious My.Opera .com URLs to Opera Software and that the company has removed them from its site... Like other free hosting services, My.Opera .com is an ideal resource for cyber criminals looking to host their wares on domains with legitimate reputations that are also easy to access..."
* http://www.securelis...Opera_Whos_next

Edited by AplusWebMaster, 27 September 2010 - 02:22 AM.

[AplusWebMaster]

FYI...

Orkut worm - hidden iFrame - malicious JavaScript file...
- http://www.symantec....ado-orkut-users
Sep. 28, 2010 - "Over the past weekend, it was reported that a new worm was spreading amongst the Orkut user community. As a result, some of the Scrapbooks in Orkut had a hidden iframe inserted, which points to a malicious JavaScript file. This JavaScript does several things including sending a message “Bom Sabado”, meaning Good Saturday in Portuguese, with a hidden iframe to everyone on the infected user’s list of friends. The infected Orkut user is also made to join fake communities. These actions will surely turn “Bom Sabado” to “Mau Sabado ” (bad Saturday in Portuguese). Symantec Security Response detects this malicious JavaScript file as JS.Woorkut. At the end of the day, this worm doesn’t do much harm. If the attacker behind this mischief is maliciously motivated, the worm could potentially cause serious damage. We are quite sure this won’t be the last of this attack and are closely monitoring the situation. In the mean time make sure you keep your antivirus definitions up to date."

[AplusWebMaster]

FYI...

Facebook - flood of scams...
- http://www.symantec....d-scam-messages
Sep. 28, 2010 - "Facebook now has over 500 million registered users, which makes this social network (like many other social networks) a very attractive “fishing pool” for attackers. There are so many potential victims that could easily fall for any of the scattered bait. So, it does not come as a surprise that we see another scam campaign launched nearly every week... Always be wary of enticing messages, even when they appear on friends’ profiles. When you are asked to install additional applications or fill out premium surveys just to see a video or picture, it is most likely a scam and it should be fully ignored..."

[AplusWebMaster]

FYI...

ZeuS bypasses 2-factor authentication...
- http://blog.trendmic...authentication/
Sep. 29 2010 - "... certain ZeuS/ZBOT variants are now able to break into users’ bank accounts in spite of two-factor authentication systems. These are frequently used to enhance bank security. These ZeuS variants can specifically use mobile malware to defeat systems that rely on text messages sent via mobile phones on Symbian OS's. The technique behind these attacks is simple. A ZBOT variant modifies target bank sites in such a way that whenever the bank asks for an authentication code to be sent to the mobile phone or not, the user is prompted to enter that phone’s number first. The user then receives a text message containing a link to a rogue Symbian application. This piece of mobile malware, once installed, intercepts all text messages from the specific senders (e.g., banks) and forwards them to a separate number under the control of the attacker. Because the attacker has both the victim’s user name, password, and any authentication code sent over the mobile phone, he/she can conduct malicious business as if the two-factor authentication never took place. While two-factor authentication is definitely a good thing in terms of security, this attack is a reminder that it is not a cure-all that protects against all forms of information theft..."

- http://blog.fortinet...ation-defeated/
Sep 27, 2010

- http://www.securityw...-authentication
Sep 27, 2010

- http://securityblog....mobile-iii.html
Sep 25, 2010

[AplusWebMaster]

FYI...

LinkedIn SPAM campaigns continue...
- http://labs.m86secur...aigns-continue/
September 30, 2010 - "The malicious LinkedIn spam campaigns of the last few days are continuing in force. The source is the Pushdo botnet, which is back in full force following disruption to its operations last month. The campaigns mimic a LinkedIn update notification... The malicious web page displays code that includes an iframe that loads the Phoenix exploit kit, which attempts to exploit the victim’s browser... And, just in case the auto-exploit doesn’t work, the user is prompted to manually download flash_player_07.78.exe, which is none other than the Zeus (Zbot) data stealing trojan... This campaign is slicker than normal. The LinkedIn email and the Flash Player download image look convincing, signifying that these cybercriminals have taken it up a notch. Going by the number of URL hits we intercepted with our TRACEnet system, some users are falling for it too. Don’t be one of them."
(Screenshots available at the URL above.)

- http://krebsonsecuri...to-zeus-trojan/
Sept 28, 2010
- http://www.virustota...7e65-1285599788
File name: 655823
Submission date: 2010-09-27 15:03:08 (UTC)
Result: 4/43 (9.3%)
[There is a more up-to-date report (29/43) for this file.]
- http://www.virustota...7e65-1285857284
File name: ZeuS_binary_4f56196d437be7e1bfecefb92b83872d.exe
Submission date: 2010-09-30 14:34:44 (UTC)
Result: 29/43 (67.4%)

Edited by AplusWebMaster, 01 October 2010 - 01:12 AM.

[AplusWebMaster]

FYI...

iTunes store - SPAM campaign
- http://pandalabs.pan...-spam-campaign/
10.01.10 - "Right after LinkedIn Spam Campaign, we saw a brand new Spam Campaign impersonating iTunes Store. The e-mail appears to arrive from on behalf of iTunes Store and is an exact copy of the official iTunes Store Receipt e-mail... The whole purpose of the email is not to show what you have purchase from iTune Store, is to let you to click “Report a Problem” and lead you to a fake Adobe Flash installer... The exe file is actually connecting to some .ru web site to download some other files..."
(Screenshots available at the URL above.)

- http://www.esecurity...s-Customers.htm
October 5, 2010 - "... the new scam discovered this week starts with an unsolicited email with the subject, "Your receipt #" followed by a random number. The sender's address claims to be "iTunes Store" and spoofs the address donotreply@itunes[dot]com. Within the email is a bogus iTunes receipt complete with formatting and syntax that makes it pretty clear that it's not from Apple's popular online music store, including the alleged "unit price" and "order total." In the example provided on the AppRiver security blog*, the math didn't add up and the charges for the bogus purchases were several hundred dollars, a figure that would likely raise suspicion among even the most naïve Internet users. The problem, however, is that when users click on any of the links contained within the email, they're redirected to one of 100 or more domains ending in .info where the malicious Zeus Trojan malware is then installed on their PCs or mobile devices..."
* http://blogs.apprive...r-your-purchase

Edited by AplusWebMaster, 06 October 2010 - 05:03 PM.

[AplusWebMaster]

FYI...

Browser exploits delivered as HTML attachments
- http://blog.urlvoid....tml-attachment/
October 6, 2010 - "We have logged more than 300 email messages with attached various HTML files containing obfuscated javascript code that is used to redirect the users to download malicious executable files that install the ZBot banking trojan. We also noticed that some HTML files have redirected us to external urls containing web browsers exploit kits with the intent to exploit few IE, FF, PDF and Java vulnerabilities, in order to install (the) TDSS rootkit..."
(Screenshots and email/SPAM subjects at the URL above.)

[AplusWebMaster]

FYI...

3.5B malicious URLs... 1H-2010 Threat Report
- http://blog.trendmic...-threat-report/
Oct 6, 2010 - "... Threat Report for the first half of the year. The report focuses on the global trends in online threats that we have seen.
• Threat Trends: Europe became the largest source of spam globally in the first half of the year... Commercial, scam-based, and pharmaceutical/medical SPAM accounted for 65 percent of the total number of SPAM worldwide. HTML SPAM was the most common kind of SPAM.
• We saw significant growth in the number of malicious URLs, which increased from 1.5 billion at the start of the year to over 3.5 billion by June...
• Trojans accounted for about 60 percent of the new patterns... The majority of Trojans lead to data-stealing malware...
• India and Brazil were identified as the countries with the greatest number of computers that became part of botnets. These bots are used to distribute malware, to perpetrate criminal attacks, and to send out SPAM.
• The education sector was the most targeted industry... Nearly half of all malware infections occurred within schools and universities...
• The ZeuS and KOOBFACE malware families were among the most prolific... Hundreds of new ZeuS variants are seen... every day and this is not likely to change in the near future... the KOOBFACE botnet has become the largest social networking threat to date...
• In the first half of 2010, a total of 2,552 vulnerabilities were reported... These vulnerabilities facilitated “drive-by” threats wherein all that is necessary to become infected is to -visit- a compromised website..."

- http://blog.urlvoid....r-blackhat-seo/
July 15, 2010

Edited by AplusWebMaster, 09 October 2010 - 09:42 AM.

[AplusWebMaster]

FYI...

DOWNAD/Conficker II ?...

- http://blog.trendmic...ownadconficker/
Oct 7, 2010 - "... This threat, detected as PE_LICAT.A, uses a domain generation algorithm, a technique last seen in WORM_DOWNAD/Conficker variants. This technique allows the file infector to download and execute malicious files from various servers on the Internet. Like WORM_DOWNAD, PE_LICAT.A generates a list of domain names from which it downloads other malicious files. The domain name generation function is based on a randomizing function, which is computed from the current UTC system date and time. This particular randomizing function returns different results every minute... whenever a file infected by PE_LICAT.A is executed, the malware generates a pseudorandom domain name, with the exact value depending on the system’s time. It then tries to connect to the said domain name. If it is successful, it downloads and executes the file at that pseudorandom URL. If not, it tries up to 800 times, generating a “new” URL every time. This helps ensure that the malware will be able to keep itself updated and even if one or more domains are taken offline, others can take its place..."
- http://blog.trendmic...zeus-confirmed/
Oct 8, 2010 - "... We have been able to isolate a copy of the main file infector, which we detect as PE_LICAT.A-O... It injects itself into the Explorer.exe process, which has two effects. First, it becomes memory resident. Secondly, any file executed afterwards becomes infected with malicious code and is detected as PE_LICAT.A. We have looked into the pseudorandom domains that LICAT uses to download files from. Every time PE_LICAT.A is executed it attempts to download files from these domains, trying to do so a maximum of 800 times... Our monitoring indicates that most of these domains have not been registered. A small number have been registered, and although some of the sites these actually lead to are currently inaccessible, some are still alive and active... These domains appear to link PE_LICAT and ZeuS. Several of the domains that PE_LICAT was scheduled to download files from in late September are confirmed to be known ZeuS domains in that period... Another domain was hosted on an ISP that has seen significant levels of ZeuS-related activity in the past, and is a known haven for cybercrime... The downloader file shows certain behavior often associated with ZeuS..."

- http://blog.trendmic...mated-analysis/
Updated... Oct. 14, 2010

Edited by AplusWebMaster, 15 October 2010 - 09:39 AM.

[AplusWebMaster]

FYI...

LinkedIn attack also spread Bugat trojan...
- http://www.darkreadi...cleID=227701191
Oct. 12, 2010 - "... while Zeus, indeed, is the undisputed king of financial fraud malware today, a handful of other banking Trojans in the wings are slowly and quietly gaining ground. The Bugat Trojan is one such malware family that has been overshadowed by Zeus, and it turns out it was also distributed in the recent LinkedIn phishing attack - not just Zeus, as some experts had believed. Amit Klein, CTO at Trusteer, says his firm spotted Bugat spreading in the attacks. "There were a lot of malicious payloads being distributed, but the interesting one that we kept seeing was Bugat," Klein says. The LinkedIn phishing attack last month, which was considered the largest-ever such attack, sent LinkedIn members email messages reminding them of messages in their accounts, and included a malicious URL that directed them to a phony site that installed the Bugat executable, according to Trusteer researchers. Bugat was initially discovered in February by SecureWorks* and has some features similar to those found in banking Trojans Zeus and Clampi, but with a few twists. It uses an SSL-encrypted command-and-control (C&C) infrastructure using HTTP-S, and also steals FTP and POP credentials in those sessions. It was originally distributed via the Zbot botnet that spreads the pervasive Zeus. Then there's Carberp**, a banking Trojan that was first spotted spreading in May and now appears to be morphing into an even more sophisticated piece of malware, according to researchers at TrustDefender Labs. It disables other Trojans on the machine it infects and can run without administrative privileges. It also goes after Windows Vista and Windows 7, as well as XP..."
* http://www.securewor...-is-discovered/

** http://www.trustdefe...-in-the-making/
Oct. 6, 2010

- http://blog.trendmic...ls-information/
Oct. 14, 2010

Edited by AplusWebMaster, 15 October 2010 - 09:39 AM.

[AplusWebMaster]

FYI...

Hijacked MS network pushes Canadian pharmacy
- http://www.theregist...t_ips_hijacked/
12 October 2010 - "For the past three weeks, internet addresses belonging to Microsoft have been used to route traffic to more than 1,000 fraudulent websites maintained by a notorious group of Russian criminals, publicly accessible internet data indicates. The 1,025 unique websites — which include seizemed .com, yourrulers .com, and crashcoursecomputing .com — push Viagra, Human Growth Hormone, and other pharmaceuticals though the Canadian Health&Care Mall. They use one of two IP addresses belonging to Microsoft to host their official domain name system servers, search results from Microsoft’s own servers show. The authoritative name servers have been hosted on the Microsoft addresses since at least September 22... The Register independently verified his findings with other security experts who specialize in DNS and the take-down of criminal websites and botnets. By examining results used with an internet lookup tool known as Dig, short for the Domain Information Groper, they were able to determine that 131.107.202.197 and 131.107.202.198 — which are both registered to Microsoft — are housing dozens of DNS servers that help convert the pharmacy domain names into the numerical IP addresses that host the sites. The most likely explanation, they say, is that a machine on Microsoft's campus has been programmed to do so, probably after it became infected with malware... A Microsoft spokeswoman said she was investigating the findings and expected to provide a statement once the investigation was completed..."

- http://krebsonsecuri...onsecurity-com/
October 13, 2010

Edited by AplusWebMaster, 13 October 2010 - 03:20 PM.

[AplusWebMaster]

FYI...

MS network used by Pill gang in attack...
- http://krebsonsecuri...onsecurity-com/
October 13, 2010 / Update, 7:34 p.m. ET - "Christopher Budd, Microsoft’s response manager for trustworthy computing, sent this statement via email: “Microsoft became aware of reports on Tuesday, October 12, 2010, of a device on the Microsoft network that was possibly compromised and facilitating spam attacks. Upon hearing these reports, we immediately launched an investigation. We have completed our investigation and found that two misconfigured network hardware devices in a testing lab were compromised due to human error. Those devices have been removed and we can confirm that no customer data was compromised and no production systems were affected. We are taking steps to better ensure that testing lab hardware devices that are Internet accessible are configured with proper security controls.”
- http://www.theregist...irms_ip_hijack/
14 October 2010

[AplusWebMaster]

FYI...

More malicious SPAM emails...

Fake UPS shipment error e-mail messages...
- http://tools.cisco.c...x?alertId=19743
Last Published: October 19, 2010... the attachment actually contains a malicious .exe file that, if executed, attempts to infect the user's system with malicious code...

Fake Photograph sharing e-mail messages...
- http://tools.cisco.c...x?alertId=21608
... significant activity on October 18, 2010... informs the recipient to follow URLs to view the photos. However, the URLs could redirect to a malicious .exe file that, upon execution, attempts to infect the recipient's system with malicious code...

Fake Chat invitation e-mail messages...
- http://tools.cisco.c...x?alertId=21588
Last Published: October 18, 2010... text in the e-mail message instructs the recipient to open the attachment to view the photograph. However, the attachment is a malicious .exe file...

Fake UPS ZIP Attachments Spreads Oficla Trojan
- http://blog.urlvoid....-oficla-trojan/
October 20, 2010

Fake Video Link E-Mail Messages...
- http://tools.cisco.c...x?alertId=21648
Last Published: October 27, 2010

Edited by AplusWebMaster, 28 October 2010 - 05:39 AM.

[AplusWebMaster]

FYI...

Kaspersky site hit by hacks - again...
- http://news.techworl...hit-by-hackers/
20 October 10 - "Scammers who try to trick victims into downloading fake antivirus software can strike almost anywhere. On Sunday they hit the website of Kaspersky Lab, a well-known antivirus vendor. Someone took advantage of a bug in a Web program used by the Kasperskyusa.com website and reprogrammed it to try and trick visitors into downloading a fake product, Kaspersky confirmed Tuesday. Kaspersky didn't identify the flaw, but said it was in a "third-party application" used by the website. "As a result of the attack, users trying to download Kaspersky Lab's consumer products were redirected to a malicious website," the antivirus vendor said. The website caused a pop-up window to appear that simulated a virus scan of the user's PC, and offered to install an antivirus program that was in fact bogus... According to Kaspersky, its website was redirecting users to the rogue antivirus site for about three-and-a-half hours Sunday... This isn't the first time Kaspersky has had to audit its websites after an incident. In February 2009 a hacker was able to break into the company's US support site after discovering a Web programming flaw..."

[AplusWebMaster]

FYI...

Employees circumvent security controls via Webmail, file sharing...
- http://www.darkreadi...cleID=227900492
Oct. 21, 2010 - "... According to Palo Alto Networks*, personal Webmail (such as Gmail, Hotmail, and Yahoo Mail), instant messaging, and peer-to-peer and browser-based file-sharing apps were used in 96 percent of the enterprises, and those apps made up nearly one-fourth of all bandwidth. The bad news is that most of these apps are unmonitored and not controlled by the enterprise, which leaves the organization open to attack or data leakage, the report says. Workers' Facebook activity is more voyeuristic, with 69 percent of Facebook traffic on these organizations being used for viewing Facebook pages, while Facebook apps make up about 4 percent of traffic and posts, only about 1 percent of traffic... There were 114,000 log instances of Conficker infections** among Palo Alto customers... Web- or browser-based file-sharing now constitutes 96 percent of file sharing, according to the data, with apps including Skydrive, USendIt, RapidShare, and DocsStock. BitTorrent remains the most popular peer-to-peer file-sharing program in use in companies..."
* http://www.paloalton...aur-report.html

** http://www.conficker...cfeyechart.html

Edited by AplusWebMaster, 12 November 2010 - 04:29 PM.