2072 replies to this topic

[AplusWebMaster]

FYI...

TDSS malware/rootkit autostart...
- http://blog.trendmic...hnique-of-tdss/
Dec. 20, 2010 - "... Samples of a new TDSS variant, WORM_TDSS.TX, use the infamous LNK vulnerability (first brought to public attention by Stuxnet) to propagate... There are two techniques that TDSS uses for its autostart routines:
• Randomly choosing a system driver file (normally seen in %Windows%\System32\Drivers), modify its resource section, and use this to directly read hard disk sectors, and assemble its DLL file for its main malware behavior.
• Modifying the Master Boot Record (MBR) and use this to directly read hard disk sectors, and assemble its DLL file for its main malware behavior...
TDSS targets BootExecute applications that are started by the Session Manager (smss.exe) before invoking the initial command (Winlogon in Windows XP) and before various subsystems were started. User-mode applications are not yet running at this point. Because they run so early, there is significant restriction on BootExecute applications: they must be native applications. In this context, “native” means that only the Windows NT Native API, resident in ntdll.dll, is available. At this stage, the Win32 subsystem, composed of the kernel-mode win32k.sys component and the user-mode client/server runtime CSRSS have not yet been started by SMSS. Not even the Kernel32 library is usable by BootExecute applications..."
(More detail and flowchart available at the URL above.)

TDSS infection count (alias: TDL3, Alureon)
- http://blog.trendmic...ction-count.jpg

- http://support.kaspe...p;qid=208280684
2010 Dec 17

- http://blog.urlvoid....ty-of-software/
December 19, 2010

Edited by AplusWebMaster, 22 December 2010 - 04:44 AM.

[AplusWebMaster]

FYI...

ZeuS variant returns ...
- http://blog.trendmic...-for-christmas/
Dec 23, 2010 - "... A spammed message, purportedly from the Executive Office of the President of the United States, spreads holiday cheer with a message and links to what is supposedly a greeting card. Clicking the link, however, leads users to a website injected with malicious iFrame tags, which Trend Micro detects as HTML_IFRAME.SMAX. Viewing the malicious HTML page leads to the download of a .ZIP file, which contains the malware detected as TSPY_ZBOT.XMAS... This particular variant exhibits routines that ZeuS version 1.x are known for. Apart from the typical information theft routines, it modifies HOSTS files to prevent affected victims from accessing AV-related websites. The technique of using important events to lure potential victims to open the spam mail is not new either. While some targeted victims may have an idea that the these types of messages could be malicious, some people simply rely on their antivirus programs. The cybercriminals behind this attack took advantage of this fact by ensuring that the file is heavily packed and is not yet detected by most AV programs, leaving unknowing users vulnerable..."

- http://isc.sans.edu/...l?storyid=10138
Last Updated: 2010-12-23 23:00:10 UTC - "... reports of some targeted emails from 'The White House'..."

[AplusWebMaster]

FYI...

Malware Domains 2234.in, 0000002.in & co
- http://isc.sans.edu/...l?storyid=10165
Last Updated: 2010-12-29 00:04:58 UTC - "... recent increase of malicious sites with ".in" domain names. The current set of names follow the four-digit and seven-digit pattern. Passive DNS Replication like RUS-CERT/BFK shows that a big chunk of these domains currently seems to point to 91.204.48.52 (AS24965) and 195.80.151.83 (AS50877). The former Netblock is in the Ukraine (where else), the latter likely in Moldavia. Both show up prominently on Google's filter (AS24965, AS50877), Zeustracker, Spamhaus (AS24965, AS50877) and many other sites that maintain filter lists of malicious hosts. A URL block system that can do regular expressions comes in pretty handy for these - \d{4}\.in and \d{7}\.in takes care of the whole lot, likely with minimal side effects, since (benign) all-numerical domain names under ".in" are quite rare. If you're into blocking entire network ranges, zapping 91.204.48.0/22 and 195.80.148.0/22 should nicely take care of this current as well as future badness..."
[ 91.204.48.* / 195.80.148.* ]

- http://cidr-report.o...port?as=AS24965

- http://cidr-report.o...port?as=AS50877

Edited by AplusWebMaster, 28 December 2010 - 09:13 PM.

[AplusWebMaster]

FYI...

Beware of strange web sites bearing gifts ...
- http://isc.sans.edu/...l?storyid=10168
Last Updated: 2010-12-29 22:02:52 UTC - "... a recent wave of Java exploits to several addresses in the same 91.204.48.0/22 netblock**. The latest exploits in this case start with a file called "new.htm", which contains obfuscated code... The good news is that "host.exe" already has pretty decent anti-virus coverage on VirusTotal*... all the user has to do is click "Run" to get owned. The one small improvement is that the latest JREs show "Publisher: (NOT VERIFIED) Java Sun" in the pop-up, but I guess that users who read past the two exclamation marks will be bound to click "Run" anyway ..."
- http://isc.sans.edu/...s/d-img3(1).jpg

* http://www.virustota...f9d8-1293650723
File name: host.exe
Submission date: 2010-12-29 19:25:23 (UTC)
Result: 31/43 (72.1%)

** http://isc.sans.edu/...l?storyid=10165
Last Updated: 2010-12-29 00:04:58 UTC

Edited by AplusWebMaster, 30 December 2010 - 12:37 PM.

[AplusWebMaster]

FYI...

Android trojan found in wild - NEW
- http://blog.mylookou...geinimi_trojan/
December 29, 2010 - "A new Trojan affecting Android devices has recently emerged in China. Dubbed “Geinimi” based on its first known incarnation, this Trojan can compromise a significant amount of personal data on a user’s phone and send it to remote servers... Geinimi is also the first Android malware in the wild that displays botnet-like capabilities. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone..."

- http://www.h-online....ta-1162008.html
30 December 2010 - "... If you get your apps from obscure sources, you will want to be careful not to give them unlimited rights, which the apps request upon installation; instead contact the vendor to see what rights are actually needed."

- http://isc.sans.edu/...l?storyid=10186
Last Updated: 2010-12-31 09:47:01 UTC

Edited by AplusWebMaster, 31 December 2010 - 04:23 AM.

[AplusWebMaster]

FYI...

New Year SPAM - Storm/Waledac...
- http://community.web...rm-waledac.aspx
31 Dec 2010 09:50 PM - "... emails mentioned were an early campaign done by what's now believed to be Storm v3 or Waledac v2. As our friends over at ShadowServer mention**... The URL in the email leads to lots of different sites, all compromised, where the user is immediately redirected using a <meta refresh> tag... A few other noteworthy things about this attack:
• The domains it uses to serve the malware are fast-fluxing which means that when you request the URL it redirects to you a different IP address every time
• The file itself is either server-side generated or just updated very frequently
• AV coverage is pretty bad* ..."
* http://www.virustota...b57e-1293849911
File name: flash-006.exe
Submission date: 2011-01-01 02:45:11 (UTC)
Result: 7/42 (16.7%)

** http://forums.whatth...=...st&p=702989

Edited by AplusWebMaster, 02 January 2011 - 07:37 AM.

[AplusWebMaster]

FYI...

Xvid video fakes... TRON previews...
- http://sunbeltblog.b...uts-galore.html
January 04, 2011 - "... hunting for some TRON action on the internet may end in frustration, surveys and installs aplenty. For example, hd-movies(dot)biz gives us a fairly standard “Fake advert on Youtube/hit you with a survey” scam... You might not want to bother... Clicking the player underneath the banner splash takes you to browserdl(dot)com/xvid_dl/ which wants you to install a program... XvidSetup.exe... there isn’t any TRON action going down once the end-user has installed ClickPotato, ShopperReports, QuestBrowser and blinkx Beat..."

[AplusWebMaster]

FYI...

NeoSploit exploit kit - dynamic obfuscation...
- http://labs.m86secur...it-exploit-kit/
January 4, 2011 - "... dynamic obfuscation still makes it much harder for security vendors to block this type of attack... Not only has the Neosploit team upgraded their obfuscation techniques, they’ve also put a lot of thought into the architecture of the toolkits backend. Unlike other exploit kits, where the authors sell the toolkit itself (in some cases the source code is encrypted and could work only under a certain domain), the users of the Neosploit Exploit Kit don’t need to have the source code or even the compiled version of the tool. The Neosploit backend is activated only by the team itself and the users just receive access to use it, effectively establishing a business model of Malware-as-a-Service... it is being maintained and adjusted to keep up with security trends to allow it to stay ahead of the curve."
(More detail available at the m86 URL above.)

How hacks profit...
- http://blog.trendmic...ility-img1a.jpg
2011-01-06

Edited by AplusWebMaster, 07 January 2011 - 07:56 AM.

[AplusWebMaster]

FYI...

Facebook scam - again...
- http://nakedsecurity...preads-virally/
January 6, 2011 - "Thousands upon thousands of Facebook users have been hit by a new survey scam spreading virally across the social network. Messages claiming to be users' first ever Facebook status updates are being posted on users' walls by a rogue application... Here's what some typical messages look like:
My 1st St@tus was: "[random message]". This was posted on [random date]
Find your 1st St@tus @ [LINK]
Other versions read:
My 1st status was: '[random message]' Posted on [random date]
Find out what your 1st status is at [LINK]
If you click on the link you are taken to a rogue Facebook application, which asks you to give it permission to access your profile, which includes giving it the ability to post from your account in your name... it's only intention is to drive as many people as possible into sharing the link (which can vary - we have seen several examples) further and further across Facebook, earning the scammers money..."

[AplusWebMaster]

FYI...

Facebook weekend worm...
- http://www.theregist...hoto_chat_scam/
10 January 2011 - "A new worm that spreads using a photo album chat message lure began proliferating across Facebook over the weekend. The photo lure is used to hoodwink potential users into downloading a malicious file, which appears in the guise of a photo viewing application. Victims are prompted to click a "View Photo" button... users who fell for the scam became infected by malware, dubbed Palevo-BB* by net security firm Sophos. The malware attempts to generate a message to the victim's Facebook contacts, continuing the infection cycle. Facebook responded by purging the malicious application.
Similar social engineering trickery is much more commonly used to hoodwink users into completing worthless surveys, possibly handing over personal details in the process or signing up to expensive text message services. Survey scams have become almost a daily pest on Facebook. For example, one survey scam** lure doing the rounds over the weekend falsely offered a news update of the death of famous rapper Tupac Shakur. The use of social engineering trickery to spread malware instead of simply tricking users into filling out worthless surveys suggests that cybercrooks might be upping the ante. The latest Palevo-BB worm is not the first malware strain to use Facebook as an infection avenue. The most prolific social engineering network worm to date has been the infamous Koobface worm, a strain of malware used to deliver potential victims to scareware scam portals or carry out click fraud..."
* http://nakedsecurity...-koobface-worm/

** http://nakedsecurity...t-facebook-scam

- http://labs.m86secur...preads-rapidly/
January 11, 2011

Edited by AplusWebMaster, 14 January 2011 - 06:16 PM.

[AplusWebMaster]

FYI...

SPAM cannons on holiday
- http://isc.sans.edu/...l?storyid=10255
Last Updated: 2011-01-12 04:06:34 UTC - "... There was a clear reprieve in spam delivered over the 2010 year end holiday season for various reasons. SpamCop.net* shows a decisive break in spam delivery that resumed action late Sunday... we wanted to share with you some corresponding DShield data... shows unwanted connections, which should be a good sample representation of infected systems. There is a slight dip which can be attributed to the holiday season or a "weekend drop" type of decline. It does not indicate spam cannons have been replaced by more lucrative malicious channels, nor have the botnets taken a break either..."

* http://www.spamcop.n....shtml?spamweek

- http://www.spamcop.n...shtml?spammonth

- http://krebsonsecuri...ock-of-rustock/
January 5, 2011

- http://www.symantec....rge-pharma-spam
10 Jan 2011

Edited by AplusWebMaster, 12 January 2011 - 02:52 AM.

[AplusWebMaster]

FYI...

Q4-2010 - Top 50 Bad Hosts and Networks
- http://hostexploit.c...e-activity.html
12 January 2011 - "... The emphasis this quarter is on the repeat offending of some hosting providers... VolgaHost AS29106 is no stranger to the Top 50 reports, having been in the top 10 for the entire 6 months prior to this quarter. And yet the effective badness levels have continued to rise to now take the #1 rank. Particularly prevalent on VolgaHost are Zeus servers and infected web sites. On the theme of repeat offenders, it has been a disappointing quarter for eNom AS21740, the domain Registrar arm of Demand Media. Ever willing to give credit where due, HE praised, in the last quarter report, what seemed to be a genuine attempt on eNom’s part to ‘clean-up’. Sadly, however, this effort appears to have been short lived. eNom is back up to ranking #3 from #7 in Q3, having previously been #1. In the Badware sector eNom is once again top of the pile as #1 Bad Host. HE’s view is that the majority of hosts do a good job at keeping their servers clean. So why then are there hosts such as VolgaHost, eNom and Ecatel AS29073 (displaced from #1 down to #2), all of whom display enduring levels of cybercriminal activities on their servers?... Perhaps the attitude of hosting providers is best summed up by Andre' M. Di Mino (Co-Founder & Director of The Shadowserver Foundation) in his foreword to the report:
"The majority of network and hosting providers are very concerned about their reputation and will respond in rapid fashion when notified of malicious activity. Others are content to let such activities flourish. In any case, it is important to highlight those providers where malicious activity is rampant, and raise general public awareness." - Andre' M. Di Mino
HE’s Q4 2010 Report exposes the persistent nature of some of the more dubious activities hosted by a few providers such as:
• INTERIAPL (PL) AS16138 #1 for Current Events (exploit kits etc) since June 2010.
• DATA ELECTRONICS (IE) AS13100 #1 for Exploit Servers in the last 2 reports.
An example of the lack of due diligence allowing bad habits to return can be seen with Brazilian Cyberweb Networks AS28299. This hosting provider had dropped down to #228 in Q3 2010, from #9 in Q2 as a result of ‘cleaning-up’. Recent increased levels of botnets and phishing, however, has bounced this provider back up to #21. The HE Q4 2010 Report recognizes the genuinely hard effort made by hosts and providers intent on ‘cleaning up’. The ‘Most Improved Hosts’ section displays those deserving of praise and approval for their achievements. For example: CTC-CORE-AS (RU) AS44237 #29 in Q3 now #27,204. An improvement of 99% to almost negligible levels of badness. The vast majority of hosts do provide a safe and relatively clean Internet experience for their customers. Approximately only 6% of the 36,371 public ASes (Autonomous Systems) display levels of badness that give cause for concern through ineffective abuse procedures and a tolerance of cybercriminal friendly activities. The HE quarterly reports continue to display the results of the monitoring ‘bad’ hosts in anticipation of a cleaner and safer Internet experience for all users..."

Edited by AplusWebMaster, 12 January 2011 - 12:46 PM.

[AplusWebMaster]

FYI...

Death by PowerPoint...
- http://nakedsecurity...door-infection/
January 12, 2011 - "... The malware comes as a file called Real kamasutra.pps.exe (the old double-extension trick). In other words, you may think you are directly opening a PowerPoint slideshow, but in fact you're running an executable program. The PowerPoint slide deck... is then dropped onto your Windows PC as a decoy while malware silently installs onto your computer as AdobeUpdater.exe, alongside some other components (called jqa.exe and acrobat.exe). Because of this, when you click on the file you do get to see a real PowerPoint presentation, but in the background a backdoor Trojan (no sniggering at the back please..) called Troj/Bckdr-RFM is installed which allows hackers to gain remote access to your computer. Once they have broken into your computer, they can use it to relay spam around the world, steal your identity, spy on your activities, install revenue-generating adware or launch denial of service attacks. Remember - don't rush to click on unknown files, you could be opening yourself up to all kinds of unwanted attention."

I've won three million Euros from Bill Gates!
- http://nakedsecurity...rom-bill-gates/
January 13, 2011 - "... I had no idea that the Bill and Melinda Gates Foundation, which normally fights poverty around the world and promotes healthcare, even ran a lottery - let alone that I had entered... Counting isn't this emailer's strong point either. He's managed to attach a grand total of 69 files to this email telling me about my windfall. Eventually I found the right one, entitled LOTTERY BILL GATES FOUNDATION.docx..." [NOT]

[AplusWebMaster]

FYI...

New Koobface Campaign Spreading on Facebook
- http://community.web...n-facebook.aspx
14 Jan 2011 - "Websense... has detected a new Koobface campaign spreading on Facebook. The campaign is spreading via direct messages sent from compromised accounts... One of the tactics employed by the Koobface gang is to attempt to obfuscate the malicious URL that is linked in each message... this is done by adding "hpPg" just before the valid URL link--an obvious attempt to avoid detection by security software and by the Facebook security team. The addition at the start of the URL makes it unclickable, but this is unlikely to stop determined users from copying and pasting the link directly into the browser. Another tactic is the use of open redirects on the facebook.com domain itself. This gives the URL a more credible look (social engineering), as well as helping it pass basic security checks. Usually, Facebook alerts users if they're about to browse to a link outside of its domains, but no alert is triggered in this case... the open redirect on facebook.com points to a bit.ly shortened link. The redirector at bit.ly points to a compromised Web site controlled by Koobface. The compromised site checks whether the request was referred from facebook.com. If it was, then it serves a dynamically generated script that further redirects to a malicious site. The malicious site requires "a missing Flash plug-in" in order to play a "video," a.k.a., a variant of the Koobface worm. At the time of writing, the variant had a 23% detection rate*..."
* http://www.virustota...0ffe-1294946291
File name: setup6440.exe
Submission date: 2011-01-13 19:18:11 (UTC)
Current status: finished
Result: 10/42 (23.8%)
There is a more up-to-date report ...
- http://www.virustota...0ffe-1295019657
File name: setup606699.exe
Submission date: 2011-01-14 15:40:57 (UTC)
Result: 16/43 (37.2%)

[AplusWebMaster]

FYI...

Rogue Facebook apps can now access your home address and mobile phone number
- http://nakedsecurity...e-phone-number/
January 16, 2011 - "... third party application developers are now able to access your home address and mobile phone number. Facebook has announced that developers of Facebook apps can now gather the personal contact information from their users... Facebook is already plagued by rogue applications that post spam links to users' walls, and point users to survey scams that earn them commission - and even sometimes trick users into handing over their cellphone numbers to sign them up for a premium rate service. Now, shady app developers will find it easier than ever before to gather even more personal information from users... The ability to access users' home addresses will also open up more opportunities for identity theft, combined with the other data that can already be extracted from Facebook users' profiles... advice to you is simple: Remove your home address and mobile phone number from your Facebook profile now. While you're at it, go through our step-by-step guide for how to make your Facebook profile more private*..."
* http://www.sophos.co...t-settings.html

Zodiac sign survey SCAM...
- http://nakedsecurity...ly-on-facebook/
January 16, 2011 - "A scam has spread far and wide across Facebook this weekend, posted on many users' Facebook pages claiming that they have discovered that their zodiac sign has changed. Messages include:
The Zodiac Signs changed in 2011.
I was a [ZODIAC SIGN] now I'm a [ZODIAC SIGN]
Find out your new zodiac sign @ [LINK]
... and
OMG They changed the Zodiac Signs !!
I'm now a [ZODIAC SIGN].. (was a [ZODIAC SIGN] before!)
To find yours, use [LINK]
If you make the mistake of clicking on the link shared from your friend's Facebook account, then you are taken to an interim page showing the signs of the zodiac floating in outer space... If you do give it permission then the application will be able to grab some of your personal data, as well as post messages to your wall in order to share them virally with your Facebook friends..."

- http://sunbeltblog.b...al-profile.html
January 17, 2011

Edited by AplusWebMaster, 18 January 2011 - 07:17 AM.