2072 replies to this topic

[AplusWebMaster]

FYI...

Wachovia... spy-phishing rootkit
- http://blog.trendmic...stalls-rootkit/
Sep. 22, 2008 - "... spy-phishing scheme targeting the Fortune 500 company and 4th largest banking chain in the US, Wachovia Bank. This attack ends in the execution of a rootkit, TROJ_ROOTKIT.FX, which is a file that hides files and processes, allowing malicious attacks to run entirely beneath the radar.
Macalintal warns that he has seen the following subject headings used in this attack:
* Wachovia Connection Update Alert.
* Wachovia Connection Customer Support - Security Updates.
* Wachovia Connection upgrade warning.
* Wachovia Connection Emergency Alert System...
The malicious links download a file named SPlusWachoviadigicert.exe. Trend Micro Smart Protection Network detects this as TROJ_AGENT.AINZ. It accesses a certain URL to download another malware that in turn drops and installs TROJ_ROOTKIT.FX. This infection chain can be cut off at various points by the Smart Protection Network as we already detect the spam, the malicious links therein, and the files that are downloaded and executed on the system...
The legitimate Wachovia Security Plus link can be accessed here*, where the company discusses several security issues and precautionary methods to avoid being tricked by these types of attacks..."
* http://www.wachovia....lus/0,,,00.html

(Screenshot available at the TrendMicro URL above.)

[AplusWebMaster]

FYI...

American Airlines phish...
- http://securitylabs....lerts/3187.aspx
09.23.2008 - "Websense... has discovered a new phishing campaign targeting American Airlines AAdvantage® Program customers. Users receive an email, which is spoofed, that tries to convince the user that, if they log in and fill out a 5-question survey, they will get a $50 reward. The email provides a link that takes visitors to the phishing Web site. The email also provides a fake code which is meant to entice the user even more..."

(Screenshot available at the URL above.)

[AplusWebMaster]

FYI...

World War 3 SPAM
- http://sunbeltblog.b...war-3-spam.html
September 25, 2008 - "This is particularly nasty spam pushing a fake codec trojan... If you go to that link, you get to a very convincing site pushing a fake codec. That CNNWorld was created yesterday, hosted in Iran..."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

Bank fraud emails
- http://www.firstcybe.../news.asp#news1
25 September 2008 - "An increase in fraudulent activity is likely to follow the recent events in the banking sector... Customers with internet banking accounts are urged to take care if asked to respond to emails from banks which have been named as being involved in the recent takeovers and mergers. According to Director David Holman, “This is just the sort of confusion on which the fraudsters thrive. As these mergers and acquisitions continue in the banking sector, the consumer will expect to receive communications from their banks detailing name changes and giving them different websites to gain access to their internet bank accounts. Unless this is handled carefully it is a real opportunity for fraudsters to steal private information”. While many of us are wary of emails purporting to be from our banks, the latest APACs figures show that 18% of people who receive them still click through to links included in these (e)mails..."

- http://news.cnet.com...0051688-83.html
September 25, 2008

[AplusWebMaster]

FYI...

Same WW3 SPAM... more detail
- http://blog.trendmic...i-malware-spam/
Sep. 29, 2008 - "...SPAM announcing the declaration of World War III. The link provided points to a legitimate-looking CNN page with a video. However, users wishing to view this video are prompted to install an ActiveX Object... The supposed ActiveX Object is actually malware, which Trend Micro detects as TSPY_BANCOS.JN. TSPY_BANCOS.JN, like all BANCOS variants, is an info stealer that monitors the browser of the affected system. It waits for the user to access certain banking-related Web sites, then spoofs the login pages of the bank Web site to steal sensitive account information. The request to install an ActiveX Object is a popular ploy to spread malware these days, and this bogus ActiveX Object is yet another one designed to deceive the user to believe that he’s installing something useful..."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

SPAM using e-mail "delivery receipt" to verify valid addresses
- http://preview.tinyurl.com/4tksdr
Sep. 30, 2008 (TrendLabs) - "...recent report of -spammers- using a feature called ‘delivery receipt request’ to verify if a certain email address exists. Delivery receipts are messages sent to the original sender of an email message to verify that the sent message has been delivered to the intended recipient. While message delivery receipt acknowledgment is indeed available in popular desktop mail clients (such as Microsoft Outlook), and can be selectively ignored, most Web email platforms automatically send a delivery receipt when requested to do so if the targeted account exists. A Microsoft page stating instructions on how to enable & use this feature in various releases of Outlook can be seen here*. In enabling this function, spammers can now send spam to a large number of addresses and subsequently filter out the legitimate ones easily — that is, if the recipient chooses to selectively acknowledge each delivery request, or simply chooses to acknowledge all messages which have this request embedded. This unwillingly places a recipient on the spammer’s list of future victims just by acknowledging receipt of the initially sent spam. The delivery receipt function is ideally a useful feature especially for people who want to be absolutely sure that there message has been received. Unfortunately, this function, like so many other supposedly reputable functions, has been used for malicious intent instead..."
* http://support.microsoft.com/kb/192929
(In Outlook: >Tools >E-mail Options >Tracking Options - choose: "Never send a response")

[AplusWebMaster]

FYI...

Rogue AV tactics...
- http://blog.trendmic...ue-to-threaten/
Oct. 2, 2008 - "October has just begun and Trend Micro threat researchers keep seeing more and more — slightly different, but yet increasingly more annoying — variations to the set of rogue AV infection signals... Fake BSOD (actually a screensaver) now sports a specific mention of the problem — an unregistered version of a certain AV product... even the fake reboot screen (also a screensaver) has text... malware criminals continue a “take no prisoners” approach to vandalizing PCs in their bid to convince victims to purchase bogus security software... Cybercriminals literally calling attention to themselves by using all visual means available to instill a sense of discomfort in users that may just be enough to get these users to fall for the act — an unfortunately common scare tactic... This variant is an ongoing iteration of the Antivirus 2009 campaign and is detected as TROJ_FAKEAV.SV..."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

New YouTube malware tool
- http://blog.trendmic...e-malware-tool/
Oct. 5, 2008 - "A new hacking tool circulating in the Internet now allows malicious users to create fake -YouTube- pages designed to deliver malware. The said tool, detected by Trend Micro as HKTL_FAKEYOUT, features a user-friendly console in Spanish that a hacker may use to create a pair of Web pages that look eerily identical to legitimate -YouTube- pages.
With a little crafty social engineering, unsuspecting users may be led into the first of the fake pages, INDEX.HTML. Here, users may be disappointed to see that they cannot view their video as they need a new version of Adobe Flash Player or some plugin or codec. A link is handily provided, and clicking the link leads users to the hacker’s file of choice, which could very possibly be something malicious. A second fake page informing users that the video they were trying to view cannot be shown is then displayed. This is to make users think that nothing’s really happened, when in fact by downloading the plugin, malware may already be running in their systems.
Fake codecs remain popular masks for malware. The popularity of -YouTube- also makes it a preferred target for malware users who want to infect more users... HKTL_FAKEYOUT could be very dangerous because it is very accessible to script kiddies who could use it for their malware and hacking operations. Users are advised to always check the URLs of pages they are viewing. Also, product updates should be downloaded from the vendors themselves to ensure that these are legitimate and not malicious."

Also see:
- http://voices.washin...aker_helps.html
September 12, 2008

(Screenshots available at both URLs above.)

Edited by AplusWebMaster, 07 October 2008 - 10:19 AM.
Added link to Security Fix blog...

[AplusWebMaster]

FYI...

Phishermans special: Bank Failures, Mergers, and Takeovers
- http://www.ftc.gov/b...rts/alt089.shtm
October 2008 - "If the recent changes in the financial marketplace have you confused, you’re not alone. The financial institution where you did business last week may have a new name today, and your checks and statements may come with a new look tomorrow. A new lender may have acquired your mortgage, and you could be mailing your payments to a new servicer. Procedures for the banking you do online also may have changed. According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, the upheaval in the financial marketplace may spur scam artists to phish for your personal information.
Phishers may send attention-getting emails that look like they’re coming from the financial institution that recently acquired your bank, savings and loan, or mortgage. Their intent is to collect or capture your personal information, like your credit card numbers, bank account information, Social Security number, passwords, or other sensitive information. Their messages may ask you to “update,” “validate,” or “confirm” your account information..."

(More detail at the URL above.)

[AplusWebMaster]

FYI...

Blogspot under push by malware authors
- http://sunbeltblog.b...re-authors.html
October 13, 2008 - "We’ve seen a number of new blogs on Blogspot today that push malware, pushing various search keywords...
Examples:
buzzwocdco. blogspot. com
iberianiceaande. blogspot. com
semtmbmshmenf. blogspot. com
These sites push fake codecs which generally make ones life quite miserable."

(Screenshot available at the URL above.)

[AplusWebMaster]

FYI...

MS e-mail spoofs with malware
- http://blogs.technet...th-malware.aspx
October 13, 2008 - "... While malicious e-mails posing as Microsoft security notifications with attached malware aren’t new (we’ve seen this problem for several years) this particular one is a bit different in that it claims to be signed by our own Steve Lipner and has what appears to be a PGP signature block attached to it. While those are clever attempts to increase the credibility of the mail, I can tell you categorically that this is -not- a legitimate e-mail: it is a piece of malicious spam and the attachment is malware. Specifically, it contains Backdoor:Win32/Haxdoor... we never, ever, ever send attachments with our security notification e-mails. And, as a matter of company policy, Microsoft will never send you an executable attachment. If you get an e-mail that claims to be a security notification with an attachment, delete it. It is always a spoof..."

[AplusWebMaster]

FYI...

MSN Messenger used as lure in malicious SPAM
- http://securitylabs....lerts/3206.aspx
10.14.2008 - "Websense... has discovered a new malicious spam lure that uses the threat of a virus to encourage users to download a malicious Trojan. The email explains that by downloading the application linked within the email, users can protect themselves against a virus that spams messages to a user's contacts. The email offers an update to Live Messenger Plus - this is actually a Trojan (md5: 5F1D2521F6949F8B71B9FF93C17A8BE2). Antivirus detection rate is low... The URLs provided in the email redirect the user to a two-stage downloader named dsc.scr. As a distraction for the user, a dialog box is displayed explaining that the user will be redirected to msn.com.br. A browser then opens pointing to this site... A scheduled task is then created, and modifications are made to autoexec.bat to disable GBPlugin and other tools promoted by Brazilian banks to protect against such keyloggers and other malware..."

Hi5 "Add Friend" malicious SPAM
- http://securitylabs....lerts/3205.aspx
10.13.2008 - "Websense... has discovered a new malicious, visual social-engineering spam campaign masquerading as official emails sent by the popular Web 2.0 social-networking site Hi5. The email comes in Spanish language, and is -spoofed- to appear as if it comes from the domain hi5.com, an official domain used by Hi5 for their outbound emails when notifying their users of an event. It is common for Hi5 to send an email to notify their users when another Hi5 user adds them as a friend on the social network. However, the spammers embedded malicious links and a fake friend photograph in order to entice the recipient to click on them, which leads to a download of a Trojan horse (md5: 5f6b089f0048e6510c78bb38a3909b9c). The malicious application aims to steal confidential logins for a popular Mexican bank. A-V detection of this banker Trojan is low... A fake Hi5 friend request is included in the body of the email. We have previously alerted on a similar attack relating to Facebook "add friend" Malicious Spam. This clearly indicates that spammer and malware authors are increasingly targeting Web 2.0 sites to carry out their attacks..."

(Screenshots available at both URLs above.)

[AplusWebMaster]

FYI...

Bogus spammed email eTickets - Continental Airlines...
- http://blog.trendmic...kes-a-worm-fly/
October 20, 2008 - "...Be careful when booking flights online or opening emails about your “online flight ticket”—or you could crash-land on a heap of malware trouble. TrendLabs researchers caught spammed email messages featuring bogus eTickets supposedly from Continental Airlines, the fourth-largest airline in the U.S. The message thanks the recipient for availing of a new service called “Buy flight ticket Online” and provides account details (even a password). Then it makes the recipient simply print out the attached “purchase invoice and plane ticket” before they use these, and they’re off! How convenient!... The attachment is named E-TICKET.ZIP, which in turn contains the file E-TICKET.DOC.EXE. “It’s the old double-extension trick to hopefully fool the user to double-click the attachment”... Trend Micro detects the file contained in the zipped attachment as WORM_AUTORUN.CTO. This worm propagates via removable drives and accesses websites to download other possibly malicious files. It also displays the icon of files related to Microsoft Word to avoid easy detection and consequent removal... The phrase "Your credit card has been charged" will just add more worry for the user, convincing him more to examine (read: double-click) the ‘flight details’... This seems to be a renewed campaign, as we first saw it in late August — only the featured airline then was Northwest Airlines, and the spam attachment led to rogue AV installation instead of a worm. Since then, the transaction fee has gone up; Northwest supposedly charged almost $700 while Continental about $915. And JetBlue Airways, it would seem, “charged” even more..."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

Malicious BBB Certificate SPAM
- http://securitylabs....lerts/3213.aspx
10.22.2008 - "Websense... has discovered another round of malicious BBB spam today. The spam contains a spoofed -From- address to look as if the message was sent by the Better Business Bureau. The message uses social engineering tactics to entice readers to follow a link in the message in order to "register new software and update contact information". We have seen tens of thousands of these messages coming in since noon today. Also of note is that, from the format of these messages and the resulting links, this looks like it was done by the same group that has been spamming out malicious phishes targeting customers of Bank of America, Wachovia, Royal Bank, and others. Clicking on the link takes the victim to a page which -looks- like the BBB site. The site stresses that a digital certificate should be used while browsing the BBB site. It then provides a prompt to download a file called "TrustedBBBCertificate.exe" which is actually a Trojan Downloader (SHA-1 dcefc1fb912d7bb536de3e66d9c5c6c8465f0790). When this file is executed, it takes the victim to another Web page, which is hosted on another malicious domain, for the "Certificate Registration". This secondary site also tries to get the victim to download "TrustedBBBCertificate.exe"..."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

Election result SPAM malware
- http://securitylabs....lerts/3229.aspx
11.05.2008 - "Websense... has discovered that malware authors are capitalizing on the recently announced results of the 2008 US Presidential election. Malicious email lures are being sent promising a video showing an interview with the advisors to the recently elected US President. The email actually contains links to a file called 'BarackObama.exe' hosted on a compromised travel site at hxxp://*snip*.com/web/BarackObama.exe. This file is a Trojan Downloader with MD5 9720d70a5da9ca442ecf41e9269f5a27. Upon execution files called system.exe and firewall.exe are dropped into the system directory. A phishing kit is unpacked locally, and the dropped files are bound to startup. The hosts file is also modified. Major anti-virus vendors* are not detecting this Trojan Horse..."
(Screenshots available at the URL above.)

* http://www.virustota...9b58053a00bc4e2
11.05.2008 19:58:04 (CET) - Result: 14/36 (38.89%)
Per: http://voices.washin...n_obama_wi.html

Edited by AplusWebMaster, 05 November 2008 - 08:44 PM.