
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#511 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 29 July 2011 - 05:21 AM

FYI...

SPAM/fraud aimed at credit card users...
- http://community.web...ompromised.aspx
28 Jul 2011 - "Websense... has been monitoring and tracking a recent wave of email attacks being spread and aimed at credit card users and holders. The attack comes in the form of a short email with fairly detailed text alerting the recipient that their credit card has been blocked, and that they should open the attached file to find out more. The format seems old, with the content and attached file properties being the distinctive factor. With the recent attacks and data breaches of organizations in the press, this seems to be worth the buzz as personal details and credit card details were part of the information leaked... There is less the wording within the message body and the header information with regards to sender address or connecting IP's which are listed in this blog post*... The file is also VM-Aware, as the resulting execution of a download for fake AV only works if host based analysis is used (as opposed to a guest virtual machine)..."
* http://garwarner.blo...to-fake-av.html

- http://labs.m86secur...ansaction-spam/
July 29, 2011

>> http://tools.cisco.c...x?alertId=23741
July 29, 2011
___

Sophisticated injection abuses the Twitter trend service
- http://community.web...nd-service.aspx
27 Jul 2011 - "... Websense... has detected a mass injection campaign that has infected more than 10,000 Web sites. What is surprising is the size of injected code; it’s very big – over 6,000 kbs. Surely such a large injection code can contain a lot of malicious content. The attacker used 5 layers of obfuscated methods to conceal the final redirect code. The redirect target is determined based on Twitter trend services... The redirect target is different every day, and even different at day and at night... The URL redirects customers to the Blackhole Exploit Kit where a rogue AV application will be installed. Below are IP addresses that host the Blackhole Exploit Kit.
..."

:ph34r: :( :ph34r:

Edited by AplusWebMaster, 29 July 2011 - 02:52 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#512 AplusWebMaster


Posted 29 July 2011 - 07:20 AM

FYI...

Zeus SPAM continues...
- http://garwarner.blo...-continues.html
Update: New Zeus distribution site, July 29th AM:
"We are receiving SPAM emails this morning from "nacha .org" From: addresses that direct us to this Zeus distribution site.
hxxp ://federalreserve-alert .com/transaction_report.pdf.exe
... VirusTotal report... (5 of 43) detections. Only 2 of those are calling this Zeus.
---
July 28, 2011 - "... new example of this capability in the form of the two most recent installments of a long-running "government-related" Zeus campaign.
One of the two spammed destinations is:
alert-irs .com /00000700973770US.exe MD5 = 0691a4856713edc97664e60db735747c
This malware is currently showing a (12 of 43) detection rate at VirusTotal...
The other spammed destination is:
fdic-updates .com .com /system_update_07_28.exe MD5 = 7a0303fdb809ac0c1a84123b106992c2
This malware is currently showing a (8 of 43) detection rate at VirusTotal...
Both files are 172,032 bytes in size, but currently the FDIC one is showing a dramatically wider distribution via email than the IRS one, which may be an indication of "targeting" by the latter.
The FDIC version has been seen almost 500 times, despite the fact that the campaign is less than 45 minutes old as of this writing..."
(Much more detail at the garwarner.blogspot URL above.)

> http://www.cis.uab.edu/forensics/

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 29 July 2011 - 07:20 AM.



#513 AplusWebMaster


Posted 01 August 2011 - 06:37 AM

FYI...

willysy .com mass injection... more than 3.8 million pages
- http://blog.armorize...s-hit-more.html
7.31.2011 - "... As of July 31st, Google shows more than 3,410,000 (willysy) + 386,000 (exero) = 3.8 million infected pages. Note this number is for individual infected pages, -not- sites or domains. And so we've largely updated and reformatted (so new info appears at the front) the initial report*, adding to it the infection number, source IP of attack, log entries, osCommerce vulnerabilities used, and more."
* http://blog.armorize...on-ongoing.html
"... 5. Browser exploits used:
CVE-2010-0840 - Java Trust
CVE-2010-0188 - PDF LibTiff
CVE-2010-0886 - Java SMB
CVE-2006-0003 - IE MDAC
CVE-2010-1885 - HCP
6. Exploit domain:
arhyv .ru, counv .ru ...
IP: 46.16.240.18 (AS51632 Ukrain - Inet Ltd)
Related domains: xlamv .ru, vntum .ru
7. Malware URL:
hxxp ://46.16.240.18 /9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot ..."
___

- http://www.google.co...c?site=AS:51632
"... last time suspicious content was found was on 2011-08-01..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 01 August 2011 - 06:50 AM.



#514 AplusWebMaster


Posted 01 August 2011 - 05:11 PM

FYI...

Fake Flash for Mac ...
- http://www.f-secure....s/00002206.html
August 1, 2011 - "We've come across a fake FlashPlayer.pkg installer for Mac... Once installed, the trojan adds entries to the hosts file to hijack users visiting various Google sites (e.g., Google.com.tw, Google.com.tl, et cetera) to the IP address 91.224.160.26, which is located in Netherlands. The server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site... Even though the page looks fairly realistic, clicking on any of the links does not take the user to any other sites. Clicking on the links does however open new pop-up pages, which are all pulled from a separate remote server... At the time of writing, the pop-up pages aren't displaying anything, though we presume they are ads of some sort. It appears that the remote server serving the pop-up pages is down. The other remote server returning fake search requests appears to be still active. We detect this trojan as Trojan:BASH/QHost.WB."
(Screenshots available at the f-secure URL above.)

:ph34r: <_<

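Added example (not part of the forum post or the F-Secure write-up): a hosts-file audit for the kind of hijack described in post #514, where a watched brand's hostnames are pinned to a non-local address. The watched label set and the sample hosts content are assumptions constructed for illustration; the IP address and the two Google hostnames are the ones quoted in the post.

```python
import ipaddress

# Assumption for this example: brand labels whose hostnames should never
# be pinned to a fixed remote address in a local hosts file.
WATCHED_LABELS = {"google"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                             # address with no names
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an IP literal
        for name in fields[1:]:                  # one line may carry several names
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(hostname):
    """True if any DNS label of the hostname is a watched brand label."""
    return any(label in WATCHED_LABELS for label in hostname.split("."))


def audit_hosts(text):
    """Return (line_no, ip, hostname) for watched names mapped to a remote IP."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue                             # local sinkhole entry, not a redirect
        findings.append((line_no, str(ip), name))
    return findings


# Constructed sample: a default macOS-style hosts file plus injected entries.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
91.224.160.26   google.com.tw www.google.com.tw   # constructed
91.224.160.26   Google.com.tl
0.0.0.0         ads.google.example
10.0.0.5        intranet.corp.example
"""

if __name__ == "__main__":
    for line_no, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts line {line_no}: {name} pinned to {ip}")
```

On a real system, pass the contents of `/etc/hosts` to `audit_hosts` and review every finding by hand, since some administrators pin hostnames deliberately.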


#515 AplusWebMaster


Posted 02 August 2011 - 05:43 AM

FYI...

'Work from home' SPAM scam floods Twitter
- http://nakedsecurity...making-adverts/
August 1, 2011 - "Compromised Twitter accounts are once again being used by criminals to spam out adverts to unsuspecting users. In the latest attack, Direct Messages (DMs) have been sent between Twitter users promoting a "make money fast" website... Clicking on the link takes the unsuspecting recipient to a website which claims, in breathless tones, to help single mothers and teenagers to make "thousands of dollars" every day... The likelihood is, however, that all that will happen is that you end up out of pocket if you invest in the site's Home Wealth Formula. Interestingly, the website tries to attempt to customise its content to appear more attractive to you. For instance, I visited the site from Sophos's British HQ in Abingdon, Oxfordshire, and the website duly described itself as the "Abingdon Business Journal" (no such publication really exists)... there will no doubt be Twitter users who trust DMs sent to them by their friends and may click on the link, and some of them may be tempted to sign-up for the scheme...
Update: ... SPAM messages are also being sent as classic messages, not just DMs..."
(Screenshots available at the Sophos URL above.)

:ph34r: <_<



#516 AplusWebMaster


Posted 03 August 2011 - 03:39 AM

FYI...

Cisco 2Q11 Global Threat Report
- http://blogs.cisco.c...-threat-report/
August 1, 2011 - "... highlights from the Cisco 2Q11 Global Threat Report* include:
• A more than double increase in unique Web malware in the second quarter;
• Average encounter rates per enterprise peaked in March (455) and April (453);
• Companies with 5,001-10,000 employees and companies with 25,000+ employees experienced significantly higher Web malware encounters compared to other size segments;
• Brute force SQL login attempts increased significantly during the second quarter, coinciding with increased reports of SQL injection attacks throughout the period;
• Denial of Service attempts also increased during the second quarter and were observable in IPS logs;
• Global spam volumes remained fairly steady throughout the first half of 2011, while phishing increased in 2Q11, peaking at 4% of total volume in May 2011..."
* http://www.cisco.com/go/securityreport

:ph34r: <_< :ph34r:



#517 AplusWebMaster


Posted 04 August 2011 - 12:24 PM

FYI...

Rapid relief for osCommerce administrators...
- http://h-online.com/-1324235
17 August 2011
___

willysy osCommerce now over 6M infected pages - Mass Injection ongoing...
- http://blog.armorize...ion-over-6.html
8.03.2011 - "... With the number of infected pages now over 6 million, we've again updated our initial report on this willysy mass injection incident*..."
* http://blog.armorize...on-ongoing.html

-
Uploaded by ArmorizeTech on Aug 3, 2011
"... recorded when infection number reached 6 million pages..."
___

Is That a Virus in Your Shopping Cart?
- https://krebsonsecur...-shopping-cart/
August 5, 2011
___

- http://h-online.com/-1317410
3 August 2011
- http://h-online.com/-1323427
16 August 2011

- http://www.usatoday....e-hacking_n.htm
"... A single criminal gang using computer servers located in the Ukraine is responsible for the latest twist in converting legit web sites into delivery mechanisms for 'driveby downloads'..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 18 August 2011 - 08:22 AM.



#518 AplusWebMaster


Posted 04 August 2011 - 01:39 PM

FYI...

HTran and APT ...
- http://www.securewor.../threats/htran/
August 3, 2011 - "... 'not surprising that hackers using a Chinese hacking tool might be operating from IP addresses in the PRC. Most of the Chinese destination IPs belong to large ISPs, making further attribution of the hacking activity difficult or impossible without the cooperation of the PRC government.
Conclusion: Over the past ten years, we have seen dozens of families of trojans that have been implicated in the theft of documents, email and computer source code from governments, industry and activists. Typically when hacking or malware traffic is reported on the Internet, the location of the source IP is not a reliable indicator of the true origin of the activity, due to the wide variety of programs designed to tunnel IP traffic through other computers. However, occasionally we get a chance to peek behind the curtain, either by advanced analysis of the traffic and/or its contents, or due to simple programmer/user error. This is one of those cases where we were lucky enough to observe a transient event that showed a deliberate attempt to hide the true origin of an APT. This particular hole in the operational security of a certain group of APT actors may soon be closed, however it is impossible for them to erase the evidence gathered before that time. It is our hope that every institution potentially impacted by APT activity will make haste to search out signs of this activity for themselves before the window of opportunity closes."
(More detail at the secureworks URL above.)

- https://www.computer..._trail_to_China
August 4, 2011 - "... attackers gained access to RSA's network by convincing a small number of the company's employees to open malware-infected Excel spreadsheets. The spreadsheets included an exploit for a then-unpatched vulnerability in Adobe's Flash Player. Later attacks on the defense contractor Lockheed reportedly utilized information obtained in the RSA hack... Joe Stewart uncovered the location of the malware's command servers by using error messages displayed by a popular tool called "HTran," which Chinese hackers often bundle with their code. HTran bounces traffic between multiple IP addresses to mask the real identity of the order-giving servers, making it appear, for instance, that the C&C servers are in the U.S. when they are not... more than 60 malware families he's found that were custom-made for RSA-style attacks..."

:blink: :ph34r:

Edited by AplusWebMaster, 04 August 2011 - 02:08 PM.



#519 AplusWebMaster


Posted 06 August 2011 - 05:14 AM

FYI...

Malware variants turn UAC off ...
- https://blogs.techne...st-malware.aspx
3 Aug 2011 - "... more and more malware opening a new front and turning UAC off itself. Malware does this to prevent users from seeing UAC prompts on every reboot for their payloads. The Sality virus family, Alureon rootkits, Rogue antivirus like FakePAV, Autorun worms, and the Bancos banking Trojans all have variants turning UAC off. So many are doing this that Microsoft Security Essentials, Windows Intune, and Forefront Endpoint Protection now uses behavior monitoring to find software that manipulates UAC settings, and the MMPC is finding brand new malware disabling UAC regularly. The key factor here is that for malware to successfully turn UAC off, the malware must itself be elevated to run as administrator. This elevation either requires an exploit in a service with administrator access, UAC to already be turned off, or a user clicking "OK" on a UAC prompt to allow the malware to elevate. Unfortunately, many Windows users have disabled UAC. While malware was mostly avoiding UAC altogether, legitimate software was also being rewritten to not require elevation prompts, so there are fewer UAC prompts than ever to wrangle, which should make it easier to spot any suspicious activity... UAC is not intended as malware protection, but it's another layer of security to help improve the safety of Windows. If you've been attacked from malware, please check the UAC setting in the control panel to see if it's been tampered*..."
* http://windows.micro...ntrol-on-or-off

:ph34r: <_<



#520 AplusWebMaster


Posted 08 August 2011 - 05:05 AM

FYI...

Fake Firefox update email...
- http://nakedsecurity...-email-malware/
August 8, 2011 - "... email which was spammed out this weekend pretending to be an advisory about a new update to the popular Firefox web browser... no surprises here. The link downloads an executable file, which bundles together an installer for Mozilla Firefox 5.0.1 -and- a password-stealing Trojan horse. Sophos already detected the Trojan horse as Troj/PWS-BSF... Firefox automatically updates itself - so you should never have to act upon an email like this. If you want to manually look for the latest update, simply open Firefox and go to the Help menu and select About Firefox..."

:ph34r: <_<



#521 AplusWebMaster


Posted 11 August 2011 - 05:49 AM

FYI...

LinkedIn box to Uncheck...
- https://brandimpact....ck-on-linkedin/
August 10, 2011 - "Apparently, LinkedIn has recently done us the “favor” of having a default setting whereby our names and photos can be used for third-party advertising. A friend forwarded me this alert (from a friend, from a friend…) this morning. Devious. And I expect that you, like me, don’t want to participate... graphic shows you how to Uncheck The Box*... Nice try, LinkedIn. But, no thanks!
*UPDATE: After you finish with Account, check the new default settings under E-mail Preferences (such as Partner InMails); and Groups, Companies & Applications (such as Data Sharing with 3rd-party applications). It’s a Facebook deja vu!
* https://brandimpact....edin_social.png

> http://www.theregist...ivacy_stuff_up/

:ph34r: <_< :huh:



#522 AplusWebMaster


Posted 12 August 2011 - 11:01 AM

FYI...

Zeus SPAM campaign...
- http://blogs.apprive...s-the-tax-angle
August 10, 2011 - "The past couple of days we have been seeing a fairly large Zeus-laden campaign hitting our filters. These emails are also taking on a few different personas, the majority of which being the Internal Revenue Service. The other two, to a lesser extent, are the Federal Reserve, and the Nacha Electronic Payments Association which is a non-profit group that provides the rules and regulations for electronic transactions such as insurance premiums and mortgage loans. The group claims to have one of the largest and safest payment systems in the world. This may be true, but these imposters are anything but... Zeus is currently the most frequently seen pieces of malware circulating through interwebs. It works its way onto victim machines, and installs malicious software that siphons off bank account credentials. In this campaign in particular we have seen over 1 million pieces of these caught in our filters, at an average rate of around 1 every 2 seconds. Each of the emails contain a link to a remotely hosted file. The domains on which they're hosted are: irs-report-file .com, nacha-transactions .com, irs-tax-reports .com, federal-taxes .us, irs-alerts-report .com, federalresrve .com, files-irs-pdf .com, nacha-files .com, and nacha-security .com. The filenames vary depending on the facade being used. These include: wire-report.pdf.exe, your-tax-report.pdf.exe, 00000700955060US.pdf.exe, alert-report.pdf.exe, tax_00077034772.pdf.exe, transaction_report.pdf.exe, and 3029230818209.pdf.exe..."
(Screenshots available at the appriver URL above.)

:ph34r: <_< :ph34r:

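Added example (not part of the forum post or the AppRiver report): a mail-gateway style check for the `.pdf.exe` naming pattern listed in post #522, working directly on defanged indicators such as `hxxp ://host .tld/name.pdf.exe`. The extension lists and the `example.test` hosts are assumptions constructed for illustration; the file names are ones quoted in this thread.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed lists for this example; tune them for your environment.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "bat", "cmd"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}


def filename_from_indicator(indicator):
    """Return the file name from a URL that may be defanged with spaces/hxxp."""
    compact = "".join(indicator.split())     # defanging spaces carry no meaning
    if "://" not in compact:
        compact = "//" + compact             # make urlsplit treat the host as netloc
    path = unquote(urlsplit(compact).path)   # 'hxxp' parses like any other scheme
    return posixpath.basename(path).rstrip(".")


def classify(indicator):
    """Classify a link as 'double-extension', 'executable' or 'other'."""
    parts = filename_from_indicator(indicator).lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "other"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"            # document name hiding an executable
    return "executable"


def triage(indicators):
    """Map each indicator to its classification, preserving input order."""
    return {item: classify(item) for item in indicators}


# Constructed sample links; hosts are placeholders, file names are from the thread.
SAMPLE_LINKS = [
    "hxxp ://mail-lure.example .test/your-tax-report.pdf.exe",
    "files.example .test /00000700973770US.exe",
    "hxxp://files.example.test/dl/transaction_report%2Epdf%2EEXE?id=7",
    "https://files.example.test/reports/q2-summary.pdf",
    "hxxp ://files.example .test/",
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:17} {link}")
```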


#523 AplusWebMaster


Posted 15 August 2011 - 12:16 PM

FYI...

SPAM - Virus Outbreak In Progress
- http://www.ironport.com/toc/
August 15, 2011

> http://tools.cisco.c...r...&sortType=d

Website Profile Inquiry E-mail Msg...
- http://tools.cisco.c...x?alertId=23906
Misleading Tourism E-mail Msgs...
- http://tools.cisco.c...x?alertId=23905
Fake Personal Photo Attachment E-mail Msgs...
- http://tools.cisco.c...x?alertId=23881
Fake Blocked Credit Card Notification E-mail Msgs...
- http://tools.cisco.c...x?alertId=23820

:ph34r: <_< :ph34r:



#524 AplusWebMaster


Posted 16 August 2011 - 06:48 AM

FYI...

Updates:

Attacks Against Timthumb.php in the Wild...
- http://blog.sucuri.n...ng-scanned.html
August 17, 2011 - "We are seeing large scale attacks against the vulnerable timthumb.php script in the wild. Thousands of sites are getting compromised... please verify them for the TimThumb script. If they contain the script ensure it is updated immediately. Attacks in the wild: We are seeing many attacks in the wild, basically they scan all these plugins and themes, then attempt to compromise the site..."
(More detail at the URL above.)

WordPress sites with .htaccess hacked
- http://blog.sucuri.n...ess-hacked.html
August 17, 2011 - "The TimThumb.php vulnerability is causing a lot of WordPress sites to get compromised with the superpuperdomain .com and superpuperdomain2 .com remote JavaScript injection... many of the sites we are analyzing, the .htaccess file is also getting modified to redirect search engine and organic traffic to some Russian domains..."
(More detail at the URL above.)
___

WordPress plugin vuln - compromised WordPress blogs...
- http://community.web...he-effects.aspx
15 Aug 2011 - "... code injected into WordPress Web sites. At first we saw the injected domain name hxxp: //superpuperdomain .com/ injected at the foot of compromised WordPress blogs. This code appears to have been delivering advertisements to end users via redirects to search engines. Last Friday, we saw a slight adaptation within the injected code. This time, browsers to compromised sites led to the domain hxxp: //superpuperdomain2 .com/, which seemingly was a placeholder for more nefarious malicious activity... The research team over at Sucuri Security also noticed the same over the weekend. Their blog is here*..."
* http://blog.sucuri.n...mthumb-php.html
August 11, 2011 - "... large number of WordPress sites compromised with a malicious JavaScript loading from superpuperdomain .com/count.php. That JavaScript redirects visitors that were going to the WordPress site to fake search engines... This script basically loads a bunch of encoded JavaScript that redirects the user to upliftsearch .com, filmannex .com and other “search engines” full of ads. On the sites we’ve analyzed, they were hacked through the timthumb.php vulnerability** that was published a few days ago. The attackers are also creating a bunch of backdoors to maintain their access to the hacked sites... This is not a vulnerability in WordPress, it is a vulnerability found in various WordPress themes that include TimThumb! You have to make sure that you are using an updated theme, and from a legitimate source..."
> http://blog.sucuri.n...om-malware.html
August 15, 2011 - "... malware infection that has been affecting thousands of WordPress sites with the vulnerable timthumb.php script... acts as a backdoor, so they can control the site and add more injections/malware whenever they want. If you are running WordPress, check if your theme (or plugin) have this timthumb.php script. If it has, update or remove it now! You can also scan it here to see if it is infected:
- http://sitecheck.sucuri.net "

** http://forums.whatth...=...st&p=743909
4 August 2011

:ph34r: <_<

Edited by AplusWebMaster, 18 August 2011 - 08:41 AM.



#525 AplusWebMaster


Posted 17 August 2011 - 08:43 PM

FYI...

SPAM - Virus Outbreak In Progress
- http://www.ironport.com/toc/
August 17, 2011

- http://tools.cisco.c...r...&sortType=d
Fake Parcel Delivery Failure Notification E-mail Msgs...
- http://tools.cisco.c...x?alertId=23917
Fake Digital Telegram Notification E-mail Msgs...
- http://tools.cisco.c...x?alertId=23946
Fake Invoice Payment Notification E-mail Msgs...
- http://tools.cisco.c...x?alertId=23915
Fake Mobile Communication E-mail Msgs...
- http://tools.cisco.c...x?alertId=23916
Fake Traffic Ticket E-mail Msgs... *
- http://tools.cisco.c...x?alertId=23945
Fake Personal Photo Attachment E-mail Msgs...
- http://tools.cisco.c...x?alertId=23881
Fake Antivirus Update E-mail Msgs...
- http://tools.cisco.c...x?alertId=23931
Malicious Changelog Attachment E-mail Msgs...
- http://tools.cisco.c...x?alertId=23588
___

- http://nakedsecurity...ake-dhl-emails/
August 18, 2011

* http://sunbeltblog.b...d-speeding.html
August 18, 2011

* http://nakedsecurity...ly-spammed-out/
August 17, 2011

- http://nakedsecurity...ed-credit-card/
August 15, 2011

Malicious SPAM volume chart - last 28 days
- http://community.web...abs/5226.S4.png
18 Aug 2011

:ph34r: <_<

Edited by AplusWebMaster, 19 August 2011 - 05:18 AM.
