
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#451 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 13 April 2011 - 06:50 AM

FYI...

Virus Outbreak in Progress...
- http://www.ironport.com/toc/

- http://tools.cisco.c...r...&sortType=d
Malicious PDF Attachment E-mail Messages - April 13, 2011
- http://tools.cisco.c...x?alertId=22911
Fake Photograph Link E-mail Messages - April 13, 2011
- http://tools.cisco.c...x?alertId=22924
Fake Parcel Delivery Notification E-mail - April 13, 2011
- http://tools.cisco.c...x?alertId=22696
Fake Facebook Personal Message E-mail - April 13, 2011
- http://tools.cisco.c...x?alertId=20961
Malicious United Postal Svc Delivery Failure E-mail - April 13, 2011
- http://tools.cisco.c...x?alertId=22769

Fake Scanned Document E-mail Messages - April 12, 2011
- http://tools.cisco.c...x?alertId=21429
Fake Facebook Password Reset Notification E-mail Messages - April 12, 2011
- http://tools.cisco.c...x?alertId=22907
Fake Official Letter E-mail Messages - April 12, 2011
- http://tools.cisco.c...x?alertId=22910
Fake UPS Shipment Arrival E-mail Messages - April 12, 2011 ...
- http://tools.cisco.c...x?alertId=22030

:ph34r:

Edited by AplusWebMaster, 13 April 2011 - 05:00 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#452 AplusWebMaster


Posted 14 April 2011 - 09:51 AM

FYI...

Spamvertised.. campaign serving scareware
- http://ddanchev.blog...d-campaign.html
April 12, 2011 - "A currently spamvertised scareware-serving campaign is enticing end users into downloading and executing a malicious binary, which drops a scareware variant.
Sample subject: Reqest rejected (SP?)
Sample message: "Dear Sirs, Thank you for your letter! Unfortunately we can not confirm your request! More information attached in document below. Thank you Best regards."
Sample attachments: EX-38463.pdf.zip; EX-38463.pdf.exe
Detection rate:
- http://www.virustota...b932-1302746736
File name: EX-38463.pdf.exe
Submission date: 2011-04-14 02:05:36 (UTC)
Current status: finished
Result: 35/41 (85.4%)
... Upon execution downloads hdjfskh .net/ pusk .exe - 208.43.90.48...
Detection rate:
- http://www.virustota...e83c-1302681312
File name: VRB.EXE.Muestra EliStartPage v23.03
Submission date: 2011-04-13 07:55:12 (UTC)
Current status: finished
Result: 19/42 (45.2%)

Phones back..."

(More detail at the ddanchev.blogspot URL above.)

:ph34r: <_<



#453 AplusWebMaster


Posted 15 April 2011 - 12:27 PM

FYI...

Fraud - intuit TurboTax e-mails...
- http://security.intu.../alert.php?a=29
04/15/2011 - "... fraudulent email (copy shown at the URL above)...
What we won't do
- We will -never- send you an email with a "software update" or "software download" attachment.
- We will -never- send you an email asking you for login or password information to be sent to us.
- We will -never- ask you for your banking information or credit card information in an email. We will -never- ask you for confidential information about your employees in an email.
What we'll do
- We will provide you with instructions on how to stay current with your Intuit product, and we will provide you with information on how to securely download an update from your computer.
- If we need you to update your account information, we will request that you do so by logging into your account..."

:ph34r: <_< :ph34r:



#454 AplusWebMaster


Posted 21 April 2011 - 04:56 AM

FYI...

Facebook scam "My Top 10 stalkers"...
- http://community.web...-countries.aspx
19 Apr 2011 - "A new spam campaign, similar to campaigns we have seen in the past, is spreading on Facebook... It works by creating an album - “My Top 10 stalkers” - with the description "Check who views your profile @," followed by a bit.ly URL-shortened link. It then automatically uploads a photo to the app and tries to mark all the user's friends in the photo... The bit.ly link redirects the user to a page that uses JavaScript to determine the geographical location of the computer based on its IP address. Depending on the location, the page then redirects users located in specific targeted countries to the Facebook App in an attempt to further spread the infected link. The campaign is targeted at Facebook users in the United States, Canada, United Kingdom (including a specific target for Great Britain), Saudi Arabia, Norway, Germany, Spain, Slovenia, Ireland, and United Arab Emirates... Regardless of whether the JavaScript redirects the browser to the Facebook app because of its origin, all users are ultimately redirected to a scam page that tries to lure them into completing several fake surveys. Hackers use this method to try to collect personal information such as the user's home address, e-mail address, or phone number... If the user tries to navigate away from the page or close the browser, a message appears asking them to stay and complete a "SPAM-free market research survey to gain access to this special content." Special it may sound, but it is definitely not spam-free! As always, if a page forces you to Like, Share, or install an application in order to view it, DON'T..."
(Screenshots available at the URL above.)

:ph34r: <_< :ph34r:



#455 AplusWebMaster


Posted 23 April 2011 - 06:46 AM

FYI...

TDL rootkit bypasses security on x64 Vista/Win7
- http://www.informati...endly=this-page
April 22, 2011 - "The malware state of the art continues to improve. In particular, the latest version of the TDL rootkit family - aka Olmarik, TDSS, Alureon - contains sophisticated mechanisms for bypassing security features built into 64-bit versions of Microsoft Windows Vista and Windows 7, and can download additional, standalone malware applications. The fourth version of the TDL malware first appeared* in August 2010 and contained sophisticated new techniques for defeating security measures... TDL4 can "load its kernel-mode driver on systems with an enforced kernel-mode code signing policy," meaning the 64-bit versions of Vista and Windows 7. At that point, the malware can hook directly into the Windows operating system... Since the fourth version of TDL first appeared, it's undergone numerous, incremental revisions. For example, in March 2011, a new version of TDL4 appeared that - after infecting a PC - installs the standalone Glupteba.D malware**, which can then download and execute other pieces of malware... no matter the security defense, such as driver signing, a way to defeat it can be found..."
* http://www.informati...endly=this-page

** http://resources.inf...m/tdss4-part-1/
April 19, 2011

:ph34r: :angry: :ph34r:



#456 AplusWebMaster


Posted 25 April 2011 - 07:37 AM

FYI...

Virus Outbreak In Progress...
- http://www.ironport.com/toc/
April 25, 2011

- http://tools.cisco.c...r...&sortType=d

Fake Microsoft Live Messenger Download Link E-mail Messages - April 25, 2011
- http://tools.cisco.c...x?alertId=23009
Fake Purchase Receipt E-mail Messages - April 25, 2011
- http://tools.cisco.c...x?alertId=23008
Malicious Program Download E-mail Messages - April 25, 2011
- http://tools.cisco.c...x?alertId=23007
Fake Malware Threat Notification E-mail Messages - April 25, 2011
- http://tools.cisco.c...x?alertId=23006
Fake UPS Shipment Error E-mail Messages - April 25, 2011
- http://tools.cisco.c...x?alertId=19743
Malicious Video Link E-mail Messages - April 25, 2011
- http://tools.cisco.c...x?alertId=21895

Fake CNO Guidance Attachment E-mail Messages - April 21, 2011
- http://tools.cisco.c...x?alertId=22996
Malicious Photo Attachment E-mail Messages - April 22, 2011 ...
- http://tools.cisco.c...x?alertId=23003

:ph34r: <_<

Edited by AplusWebMaster, 25 April 2011 - 01:18 PM.



#457 AplusWebMaster


Posted 27 April 2011 - 11:47 AM

FYI...

$20M fraud on SMBs - Wire Transfers to China...
- http://krebsonsecuri...sfers-to-china/
April 27, 2011 - "The Federal Bureau of Investigation warned this week that cyber thieves have stolen approximately $20 million over the past year from small to mid-sized U.S. businesses through a series of fraudulent wire transfers sent to Chinese economic and trade companies located near the country’s border with Russia...
According to the alert**, the thieves used a variety of malicious software to steal victim online banking credentials, including the ZeuS Trojan, backdoor.bot and Spybot, all malware families that let the crooks steal passwords and control infected systems remotely... Earlier this year, victims at three Iowa banks lost about $2 million in a series of fraudulent wire transfers to Hong Kong. Last fall, thieves stole close to $1 million in a -single- fraudulent wire transfer from the University of Virginia to the Agricultural Bank of China. It is vital for small business owners to understand the risks they face when banking online, and to get a sense of the sophistication of today’s attackers. Unlike consumers — businesses do not have the same protection against fraud that consumers enjoy. Indeed, most companies that get hit with this type of fraud quickly figure out that their banks are under no legal obligation to reimburse them. Small business owners wondering what they can do to protect themselves should read the tips at this post*. One of the surest ways that business owners can avoid becoming the next victim is for the person handling the company’s books to bank online only from a dedicated machine — preferably one that is not Windows-based (since -all- of the malware used in the attacks to date won’t run on anything but Windows)..."
* http://krebsonsecuri...sses/#more-1991

** http://www.ic3.gov/m...rFraudAlert.pdf
26 Apr 2011 - PDF file

:ph34r: <_< :ph34r:



#458 AplusWebMaster


Posted 28 April 2011 - 09:14 AM

FYI...

Spamvertised "Successfull Order..." leads to scareware
- http://ddanchev.blog...der-977132.html
April 28, 2011 - "A currently ongoing malware campaign is impersonating Bobijou Inc for malware-serving purposes.
Sample subject: "Successfull Order 977132"
Sample message: "Thank you for ordering from Bobijou Inc. This message is to inform you that your order has been received and is currently being processed.
Your order reference is 901802. You will need this in all correspondence. This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address. You have chosen to pay by credit card. Your card will be charged for the amount of 262.00 USD and “Bobijou Inc”...
Sample attachments: Order_details.zip ...
Detection rates...
* http://www.virustota...b904-1303915483
File name: Order details.exe
Submission date: 2011-04-27 14:44:43 (UTC)
Result: 24/40 (60.0%)
There is a more up-to-date report...
- http://www.virustota...b904-1303987793
File name: 1
Submission date: 2011-04-28 10:49:53 (UTC)
Result: 34/42 (81.0%)

>>> Upon execution phones back to: kkojjors.net/f/g.php - 95.64.9.15...
variantov.com/pusk.exe - 94.63.149.26...
** http://www.virustota...5a05-1303916125
File name: pusk.exe
Submission date: 2011-04-27 14:55:25 (UTC)
Result: 4/41 (9.8%)
There is a more up-to-date report...
- http://www.virustota...5a05-1303939887
File name: hew.exe.VIR
Submission date: 2011-04-27 21:31:27 (UTC)
Result: 11/41 (26.8%)

:ph34r: <_< :ph34r:



#459 AplusWebMaster


Posted 29 April 2011 - 06:16 AM

FYI...

Malicious SPAM on the rise...
- http://labs.m86secur...increase-again/
April 29, 2011 - "... our stats show the bot herders are gearing up again with the proportion of spam with malware attachments rising*, although still not as high as the peaks we saw mid last year... After the bot herders took a brief Easter break, they are back to sending new waves of malicious spam. The first spam campaign was sent by the Cutwail botnet earlier this week. The email claims to be an invoice from Bobijou Inc. – an online jewellery brand. There is a chance that people might fall into this trap especially as it claims money on your credit card was involved. But take a closer look at the subject line: Successfull Order 3677718, that wrong spelling should easily alert you that this email is a scam... Another malicious spam campaign, originating from the Donbot botnet, came in later this week. It uses a common, uncreative theme with subject lines like, “my hot pic : )“, “my naked pic is attached“, etc. The Donbot botnet’s spam output is on the rise and this is the first time we have seen it spreading malicious attachments... In addition, this week we have been seeing more of the Asprox botnet’s “Spam from your Facebook account” campaign, that preys on people's fears about the security of their Facebook accounts. This campaign first came out last year, illustrating that the bot herders behind Asprox often cycle their spam campaigns between UPS, DHL, FEDEX and iTunes Gift Certificate among others... The attachment is a Trojan that aims to seed the Asprox bot executable in the infected host, which is then used for spamming purposes..."
* http://labs.m86secur...liciousSpam.png

:ph34r: <_< :ph34r:



#460 AplusWebMaster


Posted 02 May 2011 - 12:27 AM

FYI...

Facebook Scam... leads to Adware
- http://labs.m86secur...eads-to-adware/
May 1, 2011 - "... we observed a new type of scam, this one leveraging Facebook’s new social plugin for websites that allow for comments. This is being exploited by scammers to get their rogue websites visible on users’ news feeds... There are various flavors of the scam making the rounds. However, the newest one to make the rounds focuses on a familiar Apple product: the iPhone. With rumors circulating about the iPhone 5, loyal Apple followers are drawn to the various news articles that cover these stories... The report claims to be from Wired News and has one of those headlines that is used to lure a user into clicking on the link... Once a user clicks on the link, they are -redirected- to a random .info site. There have been over 10 of these in circulation for this particular scam. Before the user can click on anything, they are asked to answer a CAPTCHA-like verification form... Unlike most Facebook scams of late, at the end of this rainbow, there is no survey scam. Instead, the users are prompted to download an executable file. The executable file is videogameboxinstaller.exe and it is dubious in nature, as it downloads other pieces of software... PageRage notes in its terms above that it will display ads to the end user. Sounds like Adware? Four antivirus vendors agree*, flagging this as Adware.Yontoo... "
* http://www.virustota...2b4a-1304294930
File name: pagerage.exe
Submission date: 2011-05-02 00:08:50 (UTC)
Result: 4/41 (9.8%)

:ph34r: <_<




#461 AplusWebMaster


Posted 03 May 2011 - 12:53 PM

FYI...

Goal.com serving malware
- http://blog.armorize...ng-malware.html
5.02.2011 - "Goal.com receives 232,116 unique visitors per day according to compete.com, 215,989 according to checksitetraffic.com, and ranks 379 globally on alexa.com. Recently between April 27th to 28th, it was detected by HackAlert to be actively serving malware (drive-by downloads). From what we've observed, we believe the attacker has a way into goal.com's system and was only testing during this time. This is our technical report.
Summary
A. From what we've collected, parts of goal.com seem to have been compromised allowing the attacker to manipulate content at will. A backdoor may exist to allow the attacker continuous control of goal.com's content.
B. During this time we've observed different malicious scripts injected into goal.com, leading us to believe that this isn't a one-time mass SQL injection attempt. We've also not found the injected content to appear in other websites.
C. The malicious domains include:
1. pxcz .cz .cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.
2. opofy7puti .cz .cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.
3. justatest .cz .cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.
> This further suggests that this is an attack targeted at goal.com
D. Duration was between April 27th to 28th. The attacker seemed to be testing their injections and was picked up by our scanners.
E. Browser exploits used during this "test-drive" included: CVE-2010-1423 (Java), CVE-2010-1885 (MS help center HCP), CVE-2009-0927 (PDF), and CVE-2006-0003 (MS MDAC).
F. The g01pack exploit pack was being used. It includes a fake admin page which is used as a honeynet for security researchers--to allow the attacker to observe who is studying their malicious domains.
G. The exploit codes were well mutated. We don't mean well "obfuscated," because in addition to obfuscation, the primitive form of the exploit itself has been mutated well so as to avoid detection.
H. Malware served was packed with UPX and modifies setupapi.dll and sfcfiles.dat. When we first submitted it to VirusTotal, 4 out of 41 antivirus vendors were able to flag it.
I. The malware connects to the following domains:
1. testurl .ipq .co:80 (in UK), which again, is neither flagged by any antivirus blacklist nor by Google SafeBrowsing
2. 74.125.47.99 :80 (US), which reverses back to coldgold .co .uk, and which again, isn't blacklisted by any, including Google SafeBrowsing.
3. banderlog .org, not flagged by antivirus / Google SafeBrowsing, but has some records on clean-mx.de
Details: ..."

(More detail and screenshots available at the blog.armorize URL above.)

:ph34r: <_< :ph34r:



#462 AplusWebMaster


Posted 05 May 2011 - 07:39 AM

FYI...

Osama alive scam - Twitter
- http://www.theregist...e_twitter_scam/
24 May 2011
___

Osama RTF Exploit
- http://www.f-secure....s/00002154.html
May 5, 2011
- http://web.nvd.nist....d=CVE-2010-3333
- http://web.nvd.nist....d=CVE-2010-3334
- http://web.nvd.nist....d=CVE-2010-3335
CVSS v2 Base Score: 9.3 (HIGH)
- http://www.microsoft...n/MS10-087.mspx
• V2.1 (April 12, 2011): Announced that the security update for Microsoft Office 2004 for Mac (KB2505924) offered in MS11-021, MS11-022, and MS11-023 also addresses the vulnerabilities described in this security bulletin.
- http://www.microsoft...n/MS11-021.mspx
> CVE-2011-0097, CVE-2011-0098, CVE-2011-0101, CVE-2011-0103, CVE-2011-0104, CVE-2011-0105, CVE-2011-0978, CVE-2011-0979, CVE-2011-0980
- http://www.microsoft...n/MS11-022.mspx
> CVE-2011-0655
- http://www.microsoft...n/MS11-023.mspx
> CVE-2011-0107, CVE-2011-0977
___

SPAM - Osama dead pics
- http://www.symantec....s-osama-s-death
3 May 2011 - "The first spam using the news of Osama Bin Laden’s death was seen in the wild within three hours of the event—Symantec reported this spam activity along with other spam samples in a blog entitled “Osama Dead” is No Longer a Hoax. As anticipated, we started observing a rise in malicious and phishing attacks... The links in this spam email dump Downloader onto the victim’s machine, which in turn downloads the actual malware. Further analysis of these attacks shows that most of the malicious attacks have originated from Brazil, Europe, and the U.S... Spammers are making an effort to not only push the messages into users’ inboxes, but also getting them to open and install the executable payload... The phishing site shows an auto-running Bin Laden related video in an iframe and asks the user to click on a link to download a “complete” video. Clicking on that link forces the download of an .exe file..."

- http://community.web...-dead-pics.aspx
04 May 2011 03:26 PM - "Messages inviting users to see the "real photos" of Osama Bin Laden's remains made the rounds in the email realm today, in addition to the Facebook scams and malware recently spread via Twitter abusing the same topic... Clicking on the provided link prompts the user to download a file called FOTOS.Terroris.zip, which is fairly detected by AV engines*."
* http://www.virustota...6b1a-1304596429
File name: Fotos.exe.vir
Submission date: 2011-05-05 11:53:49 (UTC)
Result: 30/42 (71.4%)

- http://www.us-cert.g...n_laden_s_death
May 2, 2011
___

Osama malware scams spread to Facebook
- http://www.theregist..._malware_scams/
3 May 2011

:ph34r: :ph34r:

Edited by AplusWebMaster, 24 May 2011 - 01:00 PM.



#463 AplusWebMaster


Posted 05 May 2011 - 08:30 AM

FYI...

Goal.com serving malware - updated...
- http://blog.armorize...ng-malware.html
Updates - "... The chain of infection is:
1. goal .com, includes iframe to pxcz .cz .cc
2. pxcz.cz.cc iframes to justatest .cz .cc
3. justatest .cz .cc runs the exploit pack g01pack, serves exploits based on visitor's browser type
4. exploit compromises browser, downloads malware from justatest .cz .cc
5. malware links to testurl .ipq .co (UK), 74.125.47.99 :80 (US, coldgold .co .uk), and banderlog .org...
> A unique feature of this exploit pack is the inclusion of a fake admin / stats page. This page supports common id / password combinations like admin / admin to trick security researchers into believing that they've obtained access to the exploit pack's admin page... Once logged in, the researcher is presented with a fake infection stats page. In reality, this allows the attacker to gain insights into who has identified the malicious domain, and is conducting investigation...
The exploit codes were well mutated. We don't mean well "obfuscated," because in addition to obfuscation, the primitive form of the exploit itself has been mutated well so as to avoid detection..."
___

Goal.com spreading malware again: "Security Shield" fake anti-virus
- http://blog.armorize...ware-again.html
5.17.2011

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 22 May 2011 - 06:28 AM.



#464 AplusWebMaster


Posted 11 May 2011 - 10:16 AM

FYI...

New bank trojan - "Sunspot"...
- http://www.trusteer....-fraud-platform
11 May 2011 - "... identified a little known Windows malware platform that has been in circulation for some time, but was never previously recognized for its financial fraud capabilities. We named it Sunspot. It is currently targeting North American financial institutions and has already achieved SpyEye and Zeus–like infection rates in some regions. There are confirmed fraud losses associated with Sunspot, so the threat is real... In addition to Sunspot, Trusteer alone also has discovered several malware platforms over the past 18 months including Silon, OddJob and several others. Sunspot targets 32-bit and 64-bit Windows platforms from Windows XP through Windows 7, and is capable of installing in non-administrator and administrator accounts. Once installed, it targets Internet Explorer and Firefox browsers. This is a very modern malware platform with sophisticated fraud capabilities... According to a Virus Total analysis, only nine of 42 anti-virus programs tested, or 21%, currently detect Sunspot. It can carry out man-in-the-browser attacks including web injections, page grabbing, key-logging and screen shooting (which captures screenshots of the mouse vicinity as a user types his/her password on a virtual keyboard)... We traced the Sunspot Command and Control Server (C&C) hostname to a domain registered in Russia. Once installed, Sunspot is started either by "rundll32.exe" via HKCU\Software\Microsoft\Windows\CurrentVersion\Run or via HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components. It uses CBT hooking to load its DLL into the browser (Internet Explorer/Firefox). Inside the browser it hooks several Wininet/NSPR4/user32 functions for web injections, page grabbing and key-logging... The take away for financial institutions from Sunspot remains the same. 
A layered security approach that combines server-side and client-side zero day attack protection is the most effective way to protect users against crime ware, since anti-virus programs are lagging way behind in their ability to detect these programs."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 11 May 2011 - 10:23 AM.

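A defender-side check for the two autostart locations the Trusteer excerpt names, added here as an example; it is not code from the post or from Trusteer. It parses a constructed `reg export` text of HKCU\...\Run and HKLM\...\Active Setup\Installed Components and flags any entry that hands rundll32.exe a DLL outside the Windows or Program Files directories. The user names, DLL paths and the second component GUID are made-up placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a `reg export` of the two keys the Trusteer excerpt
# names. Not real data: a clean OneDrive entry, a clean IE Active Setup stub,
# and two placeholder entries shaped like the described persistence
# (rundll32.exe launching a DLL from a user-writable directory).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="rundll32.exe \"C:\\Users\\alice\\AppData\\Roaming\\svchost\\updater.dll\",Start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="C:\\Windows\\System32\\ie4uinit.exe -UserConfig"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
"StubPath"="rundll32.exe C:\\ProgramData\\cache\\loader.dll,Run"
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
# Directories from which a rundll32-loaded DLL is not by itself a lead
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# "name"="value" line of a .reg file; .reg escapes \ and " with a backslash
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# rundll32[.exe] <dll>[,entry]; the DLL path may be quoted
_RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)', re.IGNORECASE)


@dataclass
class Autostart:
    location: str              # "HKCU Run" or "Active Setup"
    name: str                  # value name, or the component GUID for Active Setup
    command: str               # launch command as stored in the registry
    dll: Optional[str] = None  # DLL handed to rundll32.exe, if any
    suspicious: bool = False


def _unescape(s: str) -> str:
    # Undo the .reg escaping: \\ -> \ and \" -> "
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> List[Autostart]:
    """Collect Run values and Active Setup StubPath values from .reg text."""
    entries: List[Autostart] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, value = _unescape(m.group(1)), _unescape(m.group(2))
        if key.lower() == RUN_KEY.lower():
            entries.append(Autostart("HKCU Run", name, value))
        elif key.lower().startswith(ACTIVE_SETUP.lower() + "\\") and name.lower() == "stubpath":
            # StubPath runs once per user at logon, so it survives profile changes
            entries.append(Autostart("Active Setup", key.rsplit("\\", 1)[1], value))
    return entries


def assess(entry: Autostart) -> Autostart:
    """rundll32.exe is legitimate; the lead is the DLL it is told to load."""
    m = _RUNDLL_RE.search(entry.command)
    if m:
        entry.dll = m.group(1).strip()
        entry.suspicious = not entry.dll.lower().startswith(TRUSTED_DIRS)
    return entry


def find_suspicious(text: str) -> List[Autostart]:
    return [e for e in map(assess, parse_reg_export(text)) if e.suspicious]


if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_REG):
        print(f"{e.location:12} {e.name}: rundll32 loads {e.dll}")
```

On a live 64-bit host the HKLM Run key and the Wow6432Node copy of Active Setup hold the same kind of entries; the post names only the two keys parsed here, so export those as well before relying on the result.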


#465 AplusWebMaster


Posted 12 May 2011 - 06:13 AM

FYI...

Multiple Facebook scams...
- http://www.theregist...revention_scam/
12 May 2011 - "... junk messages on Facebook are being used to bait a new scam doing the rounds on the social network. Prospective marks in receipt of the fraudulent messages are invited to "verify" their account in order to "prevent spam". Recipients who respond to the message by clicking on a link end up sharing it on their wall as well as spreading highly obfuscated JavaScript... A full write-up of the scam, including images of the offending messaging, can be found in a blog post by Sophos here*..."
* http://nakedsecurity...ly-the-opposite
May 12, 2011

- http://www.f-secure....s/00002157.html
May 12, 2011

- http://isc.sans.edu/...l?storyid=10870
Last Updated: 2011-05-12 08:38:17 UTC
- http://blog.trendmic...ok-application/

:ph34r: :ph34r:

Edited by AplusWebMaster, 12 May 2011 - 04:06 PM.

