
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#421 AplusWebMaster
  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 14 February 2011 - 06:34 PM

FYI...

Malware SPAM campaigns
- http://labs.m86secur...ramps-up-again/
February 14, 2011 - "... over the last week, we have seen the return of two familiar-looking malware spam campaigns.
* Post Express: Package Available
* United Parcel Service: Notification
While these two campaigns have similar themes, the spam originates from different spambots and has quite different payloads. The Post Express variety originates from the Asprox spambot... The UPS themed spam originates from one of the Cutwail spambot variants... VirusTotal results for the sample* are not overly helpful, showing widely varying names, including banking trojan, zbot, Bredolab and Oficla. Interestingly, when we pulled out some of the strings from the malware sample, we saw that it did indeed have an interest in banking... another string we found in the malware body was “Program Files\Trusteer\Rapport\bin\RapportService.exe”. Trusteer Rapport is anti-fraud software which the SpyEye banking trojan toolkit specifically has an evasion option for. Not being content with just banking data, the bot also proceeded to download a number of different files, including Waledac and Cutwail spambots, plus it also threw in this fake anti-virus software for good measure... two lessons from this brief analysis. First, similar looking campaigns are not necessarily the same. Second, installer bots such as these can lead to a swathe of different malware on the infected host."
(Screenshots available at the m86 URL above.)
* http://www.virustota...fea3-1297477589
File name: USPS_Document.exe
Submission date: 2011-02-12 02:26:29 (UTC)
Result: 32/43 (74.4%)
- http://tools.cisco.c...r...&sortType=d
February 14, 2011
___

- http://labs.m86secur...-spam-campaign/
February 15, 2011 - "... the Cutwail botnet changed its spamming theme this week. The malicious spam pretends to be from the FDIC... the spammer did not manage to configure the spam template correctly and left the from field still using the domain ups.com..."
(Screenshots available at the URL above.)
- http://www.virustota...1458-1297829427
File name: 7529534f159bb49113908071a3061aa4
Submission date: 2011-02-16 04:10:27 (UTC)
Result: 26/43 (60.5%)

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 16 February 2011 - 01:35 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#422 AplusWebMaster


Posted 15 February 2011 - 09:50 PM

FYI...

BBC - injected w/malicious iFrame
- http://community.web...cious-code.aspx
15 Feb 2011 - "The BBC - 6 Music Web site has been injected with a malicious iframe, as have areas of the BBC 1Xtra radio station Web site. At the time of writing this blog, the sites are still linking to an injected iframe... The injected iframe occurs at the foot of the BBC 6 Music Web page, and loads code from a Web site in the .co.cc TLD. The iFrame injected into the Radio 1Xtra Web page leads to the same malicious site. If an unprotected user browsed to the site they would be faced with drive-by downloads, meaning that simply browsing to the page is enough to get infected with a malicious executable. The payload is delivered to the end user only once, with the initial visit being logged by the malware authors. The code that is delivered to end users utilizes exploits delivered by the Phoenix exploit kit:
- http://community.web...loit-s-kit.aspx
A malicious binary is ultimately delivered to the end user. The VirusTotal detection* of this file is currently around 20%..."
* http://www.virustota...a6bc-1297784293
File name: 4a0ab371e6c6dd54deeab41ab1b77fa373d2face149523dfd183d669b[...].bin
Submission date: 2011-02-15 15:38:13 (UTC)
Result: 9/43 (20.9%)
There is a more up-to-date report:
- http://www.virustota...a6bc-1298083200
File name: 3810631eeaea4950d0e1bd48ec89be12
Submission date: 2011-02-19 02:40:00 (UTC)
Current status: finished
Result: 28/43 (65.1%)

:ph34r: :ph34r: :ph34r:

Edited by AplusWebMaster, 19 February 2011 - 12:00 AM.

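The Websense write-up quoted above describes the injection pattern: an extra iframe at the foot of the page, pulling content from a host on a throwaway TLD. As an added example (my code, not from the post or from Websense), here is a small Python check a site owner can run over their own pages to flag iframes that load from a third-party host, sit on a suspicious TLD such as .co.cc, or are sized or styled to be invisible. The sample page and its hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# TLD suffixes worth flagging; .co.cc comes from the post, nothing else is claimed.
SUSPICIOUS_TLD_SUFFIXES = (".co.cc",)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True if the frame is sized or styled so the visitor cannot see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width", "") in ("0", "1") or attrs.get("height", "") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def is_external(host, site_host):
    """True when the frame source is neither the site itself nor one of its subdomains."""
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def find_suspicious_iframes(html, site_host):
    """Return [(src, [reasons])] for iframes that load third-party or hidden content."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if is_external(host, site_host):
            reasons.append("external host")
        if any(host.endswith(s) for s in SUSPICIOUS_TLD_SUFFIXES):
            reasons.append("suspicious TLD")
        if is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed page: a legitimate same-site player embed, then an injected invisible
# frame at the foot of the page pointing at a made-up .co.cc host.
SAMPLE_PAGE = """
<html><body>
<h1>Radio</h1>
<iframe src="https://www.example-radio.org/player" width="600" height="80"></iframe>
<p>Listen again.</p>
<iframe src="http://stats-update.example.co.cc/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_PAGE, "www.example-radio.org"):
        print(f"{src}: {', '.join(why)}")
```

Run it against a saved copy of each template page after every deploy and diff the output; a new external or hidden frame that nobody added deliberately is the kind of change the post describes.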


#423 AplusWebMaster


Posted 17 February 2011 - 05:51 PM

FYI...

Smitnyl - MBR infector...
- http://www.f-secure....s/00002101.html
Feb. 17, 2011 - "... an MBR file system infector such as Trojan:W32/Smitnyl.A (98b349c7880eda46c63ae1061d2475181b2c9d7b), which appears to be distributed via some free file-sharing networks, seems worth a quick analysis, even if it only targets one portable executable system file and the infection is straightforward compared to common virus file infectors. Smitnyl.A first infects the MBR via raw disk access. Then it replaces it with a malicious MBR containing the file infector routine... MBR File System Infector... can bypass Windows File Protection (WFP). As WFP is running in protected mode, any WFP-protected file will be restored immediately if the file is replaced...
Userinit... is one of the processes launched automatically when the system starts, allowing the malware to execute automatically when the system starts.
Smitnyl infects Userinit from the first stage of the boot sequence. When the MBR is loaded to 0x7C00, it determines the active partition from the partition table and also the starting offset of boot sector. It then checks the machine’s file system type... Smitnyl will check for the Windows path from $ROOT down to the System32 directory, where userinit.exe is located... After decoding, it launches %temp%\explorer.exe using ShellExecute — this serves as a decoy to hide the infection. At the same time, it will execute the real explorer.exe using Winexec... there is nothing special about the final payload — it is merely a downloader. The infected userinit.exe disables 360safe's IE browser protection so that the downloader can retrieve files from the remote server http://[...].perfectexe.com/."
(More detail at the F-secure URL above.)

- http://www.urlvoid.c.../perfectexe.com
Detections: 8/19 (42%)
Status: DANGEROUS

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 17 February 2011 - 05:56 PM.

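The F-Secure analysis above has the infected MBR, loaded at 0x7C00, reading the partition table to find the active partition and the start of its boot sector. As an added example (my code, not from the post or from F-Secure), here is a Python parser for that 64-byte table together with a baseline comparison, the check a responder would use to confirm that the 446 bytes of boot code were rewritten while the partition table was left intact, which is what an MBR infector of this kind does. Both disk images are constructed inline; the NTFS type code 0x07 and the SHA-256 baseline are my choices for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # 446 bytes of boot code precede the 4 x 16-byte table
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of every valid MBR
MBR_LOAD_ADDRESS = 0x7C00      # where the BIOS places sector 0 before jumping into it
ENTRY_FORMAT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four primary partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, mbr[off:off + 16])
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def active_partition(mbr: bytes) -> dict:
    """The partition the boot code will hand off to; exactly one entry must carry 0x80."""
    active = [e for e in parse_partition_table(mbr) if e["active"]]
    if len(active) != 1:
        raise ValueError(f"expected one active partition, found {len(active)}")
    return active[0]


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the boot code only, the region an MBR infector replaces."""
    return hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest()


def compare_to_baseline(baseline: bytes, current: bytes) -> dict:
    """Report whether boot code and/or partition table differ from a trusted copy."""
    return {
        "boot_code_changed": boot_code_digest(baseline) != boot_code_digest(current),
        "partition_table_changed":
            parse_partition_table(baseline) != parse_partition_table(current),
    }


def build_sample_mbr(boot_code: bytes, lba_start: int = 63, sectors: int = 204800,
                     ptype: int = 0x07) -> bytes:
    """Assemble a constructed MBR: given boot code, one active entry, three empty, signature."""
    code = boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")[:PARTITION_TABLE_OFFSET]
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x02\x00", ptype, b"\xfe\xff\xff",
                        lba_start, sectors)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed samples: a "clean" MBR, and a copy whose boot code has been rewritten
# while the partition table is untouched, the pattern the post describes.
CLEAN_MBR = build_sample_mbr(b"\x90" * 446)
INFECTED_MBR = build_sample_mbr(b"\xeb\x1e" + b"\x90" * 444)

if __name__ == "__main__":
    part = active_partition(INFECTED_MBR)
    print(f"MBR loads at {MBR_LOAD_ADDRESS:#x}; active partition starts at LBA {part['lba_start']}")
    print(compare_to_baseline(CLEAN_MBR, INFECTED_MBR))
```

On a real machine the baseline is the first sector read (with raw disk access, from a clean boot medium) when the box was known good; a later read that reports `boot_code_changed` with the partition table unchanged is worth a closer look before trusting anything the installed OS reports.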


#424 AplusWebMaster


Posted 18 February 2011 - 07:16 AM

FYI...

Social engineering to infect with malware ...
- http://www.securityp...icle265838.html
18/02/2011 - "In the past weeks, new malicious codes that use Facebook to ensnare victims have been wreaking havoc. The recent trend for developing computer threats designed to spread by exploiting the most popular social media continues to gather pace. One of these, Asprox.N, is a Trojan that reaches potential victims via email. It deceives users by telling them that their Facebook account is being used to distribute spam and that, for their security, the login credentials have been changed. It includes a fake Word document supposedly containing the new password. The email attachment has an unusual Word icon, and is called Facebook_details.exe. This file is really the Trojan which, when run, downloads a .doc file that runs Word to make users think the original file has opened. The Trojan, when run, downloads another file designed to open all available ports, connecting to various mail service providers in an attempt to spam as many users as possible. The other, Lolbot.Q, is distributed across IM applications such as MSN and Yahoo!, displaying a message with a malicious link. This link downloads a worm designed to hijack Facebook accounts and prevent users from accessing them. If users then try to login to Facebook, a message appears informing that the account has been suspended and that to reactivate them they must complete a questionnaire, with the offer of prizes –including laptops, iPads, etc.– to encourage users to take part... PandaLabs advises all users to be wary of any messages with unusually eye-catching subjects, whether via email or IM or any other channel; and to be careful when clicking on external links in Web pages..."
- http://pandalabs.pandasecurity.com/

:ph34r: <_< :ph34r:



#425 AplusWebMaster


Posted 23 February 2011 - 01:57 PM

FYI...

Oddjob Trojan keeps banking sessions open after victims log out
- http://www.theregist...banking_trojan/
February 22, 2011 - "... OddJob Trojan hijacks customers’ online banking sessions in real time using their session ID tokens. By keeping accounts open even after victims think they have quit, the malware creates a window for fraudsters to loot compromised accounts and commit fraud... Trusteer, the transaction security firm that discovered the malware, said it made the discovery a few months ago but is only able to report on it now following the conclusion of a police investigation. OddJob is being used by cyber-crooks based in Eastern Europe to attack their customers in several countries including the USA, Poland and Denmark... More information on the Oddjob Trojan can be found in a blog post by Trusteer here*."
* http://www.trusteer....ial...logout

:ph34r: <_<

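OddJob works because the bank's session stays valid on the server after the customer believes they have logged out. As an added example (my code, not from the post or from Trusteer), here is a minimal server-side session store in Python that revokes a session the moment a logout does reach the server, and that also expires every session on an idle timer and on an absolute timer, so a session ID that is being kept warm without the victim's knowledge is still cut off even when the logout request never arrives. The timeout values are assumptions for the example; the clock is passed in so the run is deterministic.

```python
import secrets

IDLE_TIMEOUT = 15 * 60        # seconds without a request before a session dies (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity (assumed)


class SessionStore:
    """Server-side session table keyed by an unguessable token."""

    def __init__(self):
        self._sessions = {}

    def create(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token: str, now: float):
        """Return the user for a live session, or None; expired sessions are purged."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s["created"] > ABSOLUTE_TIMEOUT or now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token: str) -> bool:
        """Revoke on the server; the token is dead even if a client still holds it."""
        return self._sessions.pop(token, None) is not None

    def live_count(self) -> int:
        return len(self._sessions)


def simulate_hijack_attempt(store: SessionStore) -> dict:
    """Walk through the two cases the post raises with a fixed clock."""
    t0 = 1_000_000.0
    token = store.create("alice", t0)
    results = {"before_logout": store.validate(token, t0 + 60)}
    store.logout(token)                          # case 1: logout reaches the server
    results["after_logout"] = store.validate(token, t0 + 120)

    # Case 2: the logout was swallowed on the client, and the session is kept warm
    # with a request every 10 minutes.  The idle timer never fires; the absolute cap does.
    token2 = store.create("alice", t0)
    t, last_ok = t0, None
    while True:
        t += 600
        if store.validate(token2, t) is None:
            break
        last_ok = t - t0
    results["last_accepted_after_s"] = last_ok
    results["rejected_at_s"] = t - t0
    results["live_sessions"] = store.live_count()
    return results


if __name__ == "__main__":
    print(simulate_hijack_attempt(SessionStore()))
```

The absolute cap is the control that matters against this kind of malware: an idle timer alone is defeated by anything that keeps sending requests, and a logout handler alone is defeated by anything that drops the logout request before it leaves the browser.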


#426 AplusWebMaster


Posted 24 February 2011 - 06:55 PM

FYI...

Facebook clickjacking malware - in Italian...
- http://nakedsecurity...lian-disguises/
February 22, 2011 - "Non-English speaking Facebook users shouldn't be fooled into believing that they are somehow immune from the scams and attacks that plague the social networking site. The latest few campaigns seen by SophosLabs, for instance, target Italian users of the social network... Colorful clickjacking attacks, requiring users to click on a series of rainbow-colored boxes without realizing they're authorizing other actions, are nothing new of course. As more and more criminals discover how successful attacks via Facebook can be, we can expect the tried-and-trusted techniques of the English-speaking world to be cloned elsewhere around the globe..."

:ph34r: <_<



#427 AplusWebMaster


Posted 26 February 2011 - 10:09 AM

FYI...

Ransomware a successor of scareware?
- http://community.web...-ransomway.aspx
24 Feb 2011 - "... We dare to say it is not. Both malware groups try to convince the victim that there is no way to avoid paying money, although the approach is very different. With scareware the victims at least have a chance to resist the social engineering offering the only solution and work on the cleaning process on their own. With ransomware this chance hardly exists at all. Yes, there are many similarities and it is likely the same people stand behind both types of malware groups. However, in one case there is a "seller" offering the "products and services"; in the other one an extorter asking for ransom. Even though both are illegal and dishonest, the approach is different.
Restoration and Protection: Restoration of data or access depends on the kind of malware. In some cases it is possible to download a utility and clean the infected system, in other cases to replace malicious parts with clean ones. Unfortunately, there is no means to bypass malware such as Gpcode. Therefore the only protection is to keep up-to-date backups stored -off- the machine all the time..."

:blink:



#428 AplusWebMaster


Posted 28 February 2011 - 10:35 AM

FYI...

UK - malvertising attack...
- http://www.theregist...light_uk_sites/
28 Feb. 2011 - "Several highly trafficked UK sites – including the website of the London Stock Exchange – served malware-tainted ads as the result of a breach of security by a third-party firm they shared in common. Surfers visiting auto-trading site Autotrader.co.uk and the cinema site Myvue.com were also exposed to the attack, which stemmed from a breach at their common ad provider, Unanimis, rather than at any of the three sites themselves. Unconfirmed reports suggest eBay.co.uk was also affected. The malicious ads made several concealed redirects before dropping surfers on a portal pimping rogue anti-virus (AKA scareware)... Websense** confirmed the attack on Monday, saying it had been tracking the progress of the attack over recent days..."
* http://www.highsever...by-malware.html

** http://community.web...lvertizing.aspx

:ph34r: <_<



#429 AplusWebMaster


Posted 01 March 2011 - 05:19 AM

FYI...

Morgan Stanley security breach...
- http://www.bloomberg...hit-google.html
2011-02-28 - "Morgan Stanley experienced a “very sensitive” break-in to its network by the same China-based hackers who attacked Google Inc.’s computers more than a year ago, according to leaked e-mails from a cyber-security company working for the bank. The e-mails from the Sacramento, California-based computer security firm HBGary Inc., which identify the first financial institution targeted in the series of attacks, said the bank considered details of the intrusion a closely guarded secret... The HBGary e-mails don’t indicate what information may have been stolen from Morgan Stanley’s databanks or which of the world’s largest merger adviser’s multinational operations were targeted... a spokeswoman for the New York-based bank, which unlike Google didn’t disclose the attacks publicly, declined to comment on them specifically... The hackers successfully implanted software designed to steal confidential files and internal communications, according to dozens of HBGary e-mails that detail efforts to plug the holes. One e-mail, dated June 19, said that the attackers may be the same ones who had hit a U.K.-based defense contractor and discusses hacking software called Monkif, which can be used by intruders to remotely orchestrate a sophisticated form of cyber attack known as an ‘advanced persistent threat’ or APT..."
- http://blog.damballa.com/?p=341

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 01 March 2011 - 05:27 AM.



#430 AplusWebMaster


Posted 01 March 2011 - 11:33 AM

FYI...

"You have received a gift..." of malware...
- http://blog.mxlab.eu...ead-to-malware/
March 1, 2011 - "... new trojan distribution campaign by email with the subject “You have received a gift from one of our members !” The email is sent from the spoofed address “gifts@freeze.com”, while the SMTP from address is “_www@pictry.loc”... The URL in the email leads to hxxp:// www .i-tec .it/gift.pif and this malicious file is 844kB large... A Backdoor.IRCBot is installed, opening a backdoor to the infected computer, combined with Trojan.RunKeys, which makes sure the trojans are started up when the computer boots... the malware will make a connection with a remote IRC server..."
(Screenshots and more detail available at the MXLabs URL above.)

- http://tools.cisco.c...r...&sortType=d

:ph34r: <_< :ph34r:

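Two things in the MXLab report above give this mail away before anyone opens it: the display From address is on one domain while the SMTP envelope sender is on another, and the link points straight at a .pif executable. As an added example (my code, not from the post or from MXLab), here is a Python triage routine that checks both on a raw message: it compares the Return-Path domain with the From domain and pulls out any body link whose path ends in an executable extension. The two messages are constructed with made-up domains; the extension list beyond .pif is my assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Extensions that should never arrive as a "gift" link; .pif is the one from the post,
# the rest are added for the example.
EXECUTABLE_EXTENSIONS = (".pif", ".exe", ".scr", ".com", ".bat")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def address_domain(header_value: str) -> str:
    """Domain part of an RFC 5322 address header, lower-cased ('' if absent)."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def sender_mismatch(raw: str) -> bool:
    """True when the envelope sender (Return-Path) domain differs from the From domain."""
    msg = message_from_string(raw)
    env = address_domain(msg.get("Return-Path"))
    frm = address_domain(msg.get("From"))
    return bool(env and frm) and env != frm


def executable_links(raw: str) -> list:
    """URLs in a single-part text body whose path ends in an executable extension."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    return [u for u in URL_RE.findall(body)
            if u.lower().rstrip(".,)").endswith(EXECUTABLE_EXTENSIONS)]


def triage(raw: str) -> dict:
    """Combine both checks into a verdict a mail gateway or analyst could act on."""
    links = executable_links(raw)
    mismatch = sender_mismatch(raw)
    return {"sender_mismatch": mismatch, "executable_links": links,
            "verdict": "suspicious" if (mismatch or links) else "clean"}


# Constructed sample modelled on the post: the display From claims one domain, the SMTP
# envelope sender is another, and the body links to a .pif.  All domains are made up.
GIFT_EMAIL = """Return-Path: <_www@spambot.example.net>
From: "Gift Service" <gifts@gifts.example.com>
To: victim@example.org
Subject: You have received a gift from one of our members !
Content-Type: text/plain; charset=us-ascii

One of our members sent you a gift. View it here:
http://downloads.example.net/gift.pif
"""

# Constructed benign message for comparison: envelope and header domains agree.
NEWSLETTER = """Return-Path: <bounce@news.example.com>
From: "News" <news@news.example.com>
To: reader@example.org
Subject: Weekly digest
Content-Type: text/plain; charset=us-ascii

Read this week's stories at http://news.example.com/digest
"""

if __name__ == "__main__":
    print(triage(GIFT_EMAIL))
    print(triage(NEWSLETTER))
```

A Return-Path that does not match the From domain is common for legitimate bulk mail too, so on its own it is a signal to weigh (ideally alongside SPF and DKIM results), not a block; paired with an executable download link it is a strong one.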

#431 AplusWebMaster


Posted 02 March 2011 - 08:25 AM

FYI...

Twitter survey SCAM...
- http://nakedsecurity...ire-on-twitter/
March 2, 2011 - "A rogue application has caught Twitter users off their guard today, with thousands of people duped into clicking on links believing that it will reveal how many hours they have spent on Twitter... However, if you click on the bit.ly link being used in the message you are taken to a page which attempts to connect a rogue application called "Time on Tweeter" with your Twitter account. The application instantly tweets a message to your Twitter feed, claiming that you have also spent 11.6 hours on Twitter... spreading the link virally, and then directs you to a page which presents a revenue-generating survey on behalf of the scammers. Affected users should revoke the application's access to their Twitter account immediately..."
(Screenshots available at the Sophos URL above.)

:ph34r: <_<



#432 AplusWebMaster


Posted 07 March 2011 - 04:40 PM

FYI... "SCAM of the Day" - it's almost that bad...

Facebook SCAMS prolific...
- http://nakedsecurity...o...amp;x=0&y=0
March 7, 2011, March 5, 2011, March 3, 2011, March 2, 2011, etc...

:ph34r: <_< :ph34r:



#433 AplusWebMaster


Posted 08 March 2011 - 04:28 AM

FYI...

SWF embedded JavaScript
- http://blogs.technet...ipt-in-swf.aspx
7 Mar 2011 - "... Since the beginning of this year, 89% of the targets were in South Korea with 75% of them specifically in Seoul. Here’s a chart with a breakdown by unique machines in the months January and February of this year (there has been no activity in March):
- http://www.microsoft...es/JASWI-0b.jpg
Attack attempts by unique machines in the months January and February of 2011
... The malware Trojan:SWF/Jaswi.A is unlike other SWF malware; other SWF malware typically calls “getURL <website address>” within an ACTION tag in order to visit a malicious website link without user consent... Trojan:SWF/Jaswi.A contains an embedded malicious JavaScript that initiates a legal Windows API call to trigger the payload... the legal function ExternalInterface.call() has been made to complete a procedure of initiating JavaScript injection... Internet Explorer vulnerability CVE-2010-0806 has been abused! This particular exploit affects Microsoft Internet Explorer versions 6, 6+SP1 and 7, and could allow a remote attacker to execute arbitrary code... The file “uusee.exe” from the obfuscated URL shown above is actually a prevalent password stealer in China... the embedded JavaScript technique used in the malicious SWF... appears to be a trend and may become a popular method..."

:ph34r: <_<

Edited by AplusWebMaster, 08 March 2011 - 04:30 AM.



#434 AplusWebMaster


Posted 08 March 2011 - 10:19 AM

FYI...

Malvertisements - a plague...
- http://threatpost.co...end-2010-030711
March 7, 2011 - "... The Dasient Q4 Malware Update* reported that more than one million Web sites were infected in the last quarter of 2010. That period saw a 25% growth in malicious advertisements from the previous quarter, as attackers found ways to sneak malicious code into widely used syndicated online ad networks. It's a trend that security experts see accelerating in 2011, as malicious advertisements, sometimes referred to as 'malvertisements,' crop up on high profile sites, said Neil Daswani, Chief Technology Officer at Dasient. Daswani said that, overall, his company saw a 100% increase in the amount of malicious advertising from the third to the fourth quarter of 2010. However, much of that was due to an expansion of the sites Dasient monitored, with an increasing focus on so-called 'remnant' ad networks, which aggregate 'remnant' advertisements from direct marketers, who often have little oversight about where the ads appear... In recent weeks, well-ranked sites such as Autotrader .co.uk, cinema site Myvue .com and londonstockexchange .com were reported to have served up malicious advertisements. Malicious ads are commonly used to display pop-up messages with links that will take users to a drive-by download Web site to download rogue anti-virus programs or other threats..."
* http://blog.dasient....ignificant.html

:ph34r: <_<



#435 AplusWebMaster


Posted 11 March 2011 - 02:02 PM

FYI...

Virut malware spreads with warez ..
- http://techblog.avir...rut-malware/en/
March 11, 2011 - "W32/Virut.ce is one of the most widespread pieces of malware which can be found on infected computers. This file infector gets massively spread bundled with illegal software (warez). The virus infects executable files using the latest techniques, which make detecting and treating those files particularly difficult. On the current threat landscape we see more server-side polymorphic malware; infecting executable files is not as popular as a few years ago. During the last few years emulation techniques have become better, which makes detection of polymorphic malware much easier. The authors of the virus weren’t put off by the difficulties they faced in trying to infect executable files. But W32/Virut.ce is not only infecting executable files, the virus also includes a backdoor using the IRC protocol. This allows attackers to download and run further malware from the Internet which can (for example) steal information. The server to which the malware connects is a pre-defined IRC server, the channel is called “virtu”..."
- http://techblog.avir....Virut_.ce_.pdf
(PDF, 1 MB)

:ph34r: :wall:
