SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#46 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 05 November 2008 - 01:11 PM

Same (kind of) stuff, same day...

Election result SPAM malware #2
- http://securitylabs....lerts/3230.aspx
11.05.2008 - "... further activity from malware authors using the news of the U.S. Presidential campaign outcome as bait to attract users into executing malicious executables. So far we have over 25,000 emails through our systems... In a very quick response to the outcome of the U.S. Presidential attacks we have now seen both localized and globalized attacks... Clicking on the link leads the user to a purposely registered domain which advises the user that they need to install the latest version of Adobe Flash player before the video can be viewed. The malicious Web site actually links to a file called 'adobe_flash.exe' with MD5 47C86509A78DC1EDB42F2964BEA86306. This is a Trojan Downloader packed with ASPack. Upon execution, a RootKit is installed on the compromised machine, and data is sent to multiple command and control servers..."

Also see:
- http://garwarner.blo...s-as-obama.html
November 05, 2008

- http://www.f-secure....s/00001530.html
November 5, 2008

- http://sunbeltblog.b...al-malware.html
11.05.2008

(Screenshots available at all URLs above.)

:ph34r:

Edited by AplusWebMaster, 05 November 2008 - 04:33 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#47 AplusWebMaster


Posted 10 November 2008 - 05:58 AM

FYI...

SPAM from ‘US Treasury’ ...redirects to malicious sites
- http://blog.trendmic...alicious-sites/
November 9, 2008 | 11:52 pm - "Spammed email messages -supposedly- from The United States Federal Reserve Bank warn their recipients of a “large-scaled phishing attack” affecting several banks and credit unions... The email message gives details on the supposed phishing attack and adds that the US Treasury Department has also monitored a high level of illegal wire transfers. Having told recipients that, the email message then informs them of restrictions imposed on federal wire transfers as part of security measures being taken by concerned government agencies. The message helpfully gives some links where users can get more detailed information. But instead of being directed to a legitimate website, those who click are led to .org domains with names completely different from the websites of the Federal Reserve Bank, the Treasury Department, or the Federal Deposit Insurance Corporation... Other related attacks that use the names of legitimate government organizations or mask themselves as security measures include the following:
* ‘Treasury Optimizer’ Updates Systems With Malware
* Storm Goes Economic
* Fake IRS Web Sites Found (Again)
Users are advised to refrain from clicking links in unsolicited email messages. It is best to go directly to the website of the concerned organization for more information..."

(Screenshot available at the URL above.)

:ph34r:



#48 AplusWebMaster


Posted 13 November 2008 - 02:05 PM

FYI...

SPAM - huge drops with McColo demise...
- http://marshal.com/t...asp?article=815
November 13, 2008 - "Yesterday, McColo Corp, the company responsible for hosting the control servers for several of the biggest spam botnets was taken offline*. Srizbi, Rustock, Mega-D and Pushdo botnets, as well as several others, all had control servers hosted on McColo’s network. Last week these four botnets accounted for over 80 percent of all spam. In addition to botnet control servers, McColo was also known to host malicious software, fake antivirus and child pornography websites... Today, spam has significantly decreased and three of the major botnets, Mega-D, Srizbi and Rustock have almost completely stopped sending spam. Our daily spam volume index showed a massive drop over the last two days... We do not expect this drop in spam to continue for long; often the people or groups responsible for the malicious activity simply move to a new host and continue as normal. Nevertheless, such a dramatic decline in spam, however short-lived, is good news indeed and represents another blow for the cyber criminals."
* http://asert.arborne...es-mccolo-gone/
November 12, 2008

> http://forums.whatth...ves_t96868.html

:thumbup:

Edited by AplusWebMaster, 13 November 2008 - 04:00 PM.



#49 AplusWebMaster


Posted 19 November 2008 - 09:48 PM

FYI...

PayPal SPAM warns of fraud - installs Worm instead
- http://blog.trendmic...s-worm-instead/
Nov. 18, 2008 - "A new fake PayPal email message is being spammed — this time, it is not the typical PayPal phishing email that everyone is accustomed to. Instead of including links asking for the recipient’s personal information, this spammed message asks users to open a .ZIP attachment... It informs recipients that their PayPal accounts were hacked, and that some fraudulent activity may have occurred. As part of security measures, “PayPal” is asking users to review the “report” in the .ZIP file and then contact the company if anything unusual is discovered. The attachment that arrives with this spam, however, does not contain a report or any similar information. Inside the .ZIP archive is a worm that infects the recipient’s computer upon execution..."

(Screenshots available at the URL above.)

:ph34r:



#50 AplusWebMaster


Posted 28 November 2008 - 06:33 AM

FYI...

View Bank of America demo ...Owned.
- http://asert.arborne...g-got-big-fast/
November 27, 2008 - "The Obama spam and malcode gang is back at it with a new fast flux phishing and malcode ruse. This time it’s a demo from the Bank of America that requires the classic “Flash Upgrade”. At the peak I was seeing 400 unique URLs for this run an hour. The URLs were unique strings, possibly for tracking purposes or possibly to stress URL blacklists. But, when you look more closely you see they are just a handful of domain names. This is a lot like the Rock Phish of old. The malcode download routine is very typical. If you don’t follow the lure, a meta-refresh will get ya... The malcode is tiny, but downloads hxxp ://silviocash .com/usp.exe, aka Paparus or Urlsnif. Driver file, rootkitted, and now the box will send info from IE (ie form data) to the hacker. Owned..."
* http://garwarner.blo...unt-do-not.html

(Screenshots available at both URLs above.)

:ph34r: :ph34r:



#51 AplusWebMaster


Posted 29 November 2008 - 12:17 PM

FYI...

Christmas malicious SPAM already...
- http://securitylabs....lerts/3248.aspx
11.27.2008 - "Websense... has discovered that malware authors are already using Christmas themes this year as a social engineering tactic, in an effort to gain control over compromised machines. This campaign uses email messages in the form of e-greetings, leading to supposed animated postcards. These actually lead to a Trojan backdoor that has been distributed in previous malicious spam campaigns. The email messages, spoofed to appear as though they have been sent from postcards.org, display an animated Christmas scene. A URL link within the email leads to a malicious file called postcard.exe hosted on various servers, including those in the .com TLD space. Once executed, a backdoor is created by the malware author enabling access and control over the resources of the compromised machine. Control is conducted over IRC, communicating with ircserver.*snip*.la. During the install process an image called xmas.jpg is displayed to the user as a distraction technique..."

(Screenshot available at the URL above.)

:smack:



#52 AplusWebMaster


Posted 30 November 2008 - 06:31 AM

FYI... more holiday SCAMS...

- http://blog.trendmic...s-phish-fillet/
Nov. 29, 2008 - "Phishers always think out of the box, thinking of ways to fool victims into falling for their phishing schemes. Now... we’ve found a new twist - one that involves the popular fast-food chain McDonald’s. The phishing page displays a fake Member Satisfaction Survey, and for the customer to take the bait, it promises $75 credit to the customer’s account..."

- http://blog.trendmic...-files-hostage/
Nov. 28, 2008 - "...Just recently... a new version of the GPcode ransomware has surfaced... It drops several files which are also detected as TROJ_RANDSOM.A. After which, it searches and encrypts files found on any readable and writable drive on the system, rendering them inaccessible (without the encryption key). It also changes the file name of the encrypted files, by adding the .XNC extension. It also drops the file READ THIS.TXT in each folder that contains an encrypted file. This file informs the victim that the files have been encrypted, and that a decrypting tool must be purchased to decrypt the files. Email addresses are also included in the text file, which the victim must contact to obtain the decryption tool. Accordingly, the perpetrator of this crime demands £200 (US$307) for the decryption services... Users are strongly advised to back up their files so as not to be victimized by ransomware."

(Screenshots available at both URLs above.)

:ph34r:

Edited by AplusWebMaster, 30 November 2008 - 06:56 AM.

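The Trend Micro write-up quoted above gives a concrete on-disk footprint for this GPcode variant: encrypted files keep their name with .XNC added, and a READ THIS.TXT note is dropped in every folder that holds one. The script below turns that description into a triage sweep that lists affected folders, flags folders where the note is missing, and derives the original file names to pull from backup. It is an added example written for this thread, not Trend Micro's or the forum post's code; the directory tree it scans is constructed in a temporary folder so it runs offline, and nothing is encrypted or decrypted.

```python
"""Triage for the GPcode footprint described in the Trend Micro post:
files renamed with an added .XNC extension and a 'READ THIS.TXT' note in
every folder holding one.  Added example, not Trend Micro's or the forum
post's code.  The tree is constructed in a temp folder; no real ransomware
artefacts are involved."""
import os
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".xnc"          # compared case-insensitively
RANSOM_NOTE = "READ THIS.TXT"   # note file name from the write-up


def original_name(encrypted_name: str) -> str:
    """The write-up says .XNC is *added*, so stripping it gives the name to restore from backup."""
    if encrypted_name.lower().endswith(ENCRYPTED_EXT):
        return encrypted_name[:-len(ENCRYPTED_EXT)]
    return encrypted_name


def scan_tree(root):
    """Walk root; return {relative folder: {'encrypted': [...], 'note': bool}} for affected folders."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = sorted(f for f in filenames if f.lower().endswith(ENCRYPTED_EXT))
        note = any(f.upper() == RANSOM_NOTE for f in filenames)
        if encrypted or note:
            findings[os.path.relpath(dirpath, root)] = {"encrypted": encrypted, "note": note}
    return findings


def restore_list(findings):
    """Original file paths (folder/name) to recover from backup, one per encrypted file."""
    return sorted(os.path.join(folder, original_name(f))
                  for folder, v in findings.items() for f in v["encrypted"])


def build_sample_tree():
    """Constructed tree: one hit folder with two .XNC files plus the note, one clean folder."""
    root = tempfile.mkdtemp(prefix="gpcode_triage_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "budget.xls.XNC").write_bytes(b"\x00" * 32)      # stand-in for encrypted content
    (docs / "letter.doc.XNC").write_bytes(b"\x00" * 32)
    (docs / "READ THIS.TXT").write_text("constructed stand-in for the ransom note\n")
    photos = Path(root, "Photos")
    photos.mkdir()
    (photos / "holiday.jpg").write_bytes(b"\xff\xd8\xff")      # untouched file
    return root


def remove_tree(root):
    """Clean up the constructed tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        findings = scan_tree(root)
        for folder, v in findings.items():
            print(folder, len(v["encrypted"]), "encrypted; note present:", v["note"])
        print("restore from backup:", restore_list(findings))
    finally:
        remove_tree(root)
```

The restore list is the useful output: once the machine is cleaned, it tells you exactly which files to pull from the backups the post recommends keeping, without paying for a decryptor.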


#53 AplusWebMaster


Posted 02 December 2008 - 08:23 PM

FYI...

McDonald's and Coca-Cola - malicious holiday Coupons and Promotions
- http://securitylabs....lerts/3250.aspx
12.02.2008 - "Websense... has discovered another infectious holiday email making the rounds. Victims are receiving messages promoting a coupon from McDonald's or a holiday promotion from the Coca-Cola company. Both messages include a .zip attachment that contains either coupon.exe or promotion.exe. The malicious files (SHA1 ca973b0e458f0e0cca13636bd88784b80ccae24d) are Trojan Droppers, but have low anti-virus detection at the moment. The McDonald's email claims to present their latest discount menu, and states that the attached coupon should be printed. The Coca-Cola email states that the attachment has details about their new online game and a chance to win Coca-Cola drinks for life..."
(Screenshots available at the URL above.)

(More Screenshots):
- http://blog.trendmic...-worm-carriers/

:ph34r: :(

Edited by AplusWebMaster, 03 December 2008 - 06:32 PM.



#54 AplusWebMaster


Posted 08 December 2008 - 12:22 PM

FYI...

SPAM - Malicious attachment / references real MS advisory
- http://securitylabs....lerts/3252.aspx
12.08.2008 - "The fraudulent email message references a real Microsoft Security Advisory 951306 (also known as CVE-2008-1436). The email provides instructions in both French and English. When the email's malicious attachment (MSC003-WIN.scr) is run, it connects via IRC to a BOT Controller, [removed]dns .be. This connection is not through the default port, but through port 81. The application binds to startup, ensuring it will be run automatically when the computer is restarted (as instructed in the email). The SHA1 of MSC003-WIN.scr is 2056c9fa1b97fca775cc7a01768fb39818963a94. Major antivirus vendors are -not- detecting the malicious attachment."

(Screenshot available at the URL above.)

:ph34r: :ph34r:



#55 AplusWebMaster


Posted 19 December 2008 - 10:28 AM

FYI...

IE 7 exploit... attacks using Doc files
- http://preview.tinyurl.com/5wfx74
December 17, 2008 - (AvertLabs.com) - "... Malware authors have been coming up with innovative mechanisms to leverage this exploit to social engineer the not so tech-savvy internet users. One of the most prominent and unique techniques adopted by the malware authors involves a Microsoft word document being sent out [SPAM] to an unsuspecting user. Upon opening the word document the embedded ActiveX control... is instantiated and executed... The control then makes a request to the webpage hosting the IE 7 exploit. The charm with this approach is that the exploit is downloaded and run without the knowledge or permission of the user. To the unsuspecting user it will just appear as yet another normal Doc file..."

:ph34r:




#56 AplusWebMaster


Posted 22 December 2008 - 11:46 AM

FYI...

Another holiday, another e-card run - Waledec
- http://asert.arborne...rd-run-waledec/
December 21, 2008 - "But this time it’s not Storm, nor does it even seem at all like Storm. This one is dubbed Waledec. Infection strategy: entice email users to come to the website and get a greeting card. No graphics, but it will entice you anyhow. “Daniel just mailed to you an Online greeting card.” Thanks, Daniel!
Subject lines I’ve seen in our spamtraps:
• Merry Christmas greetings for you
• You have received an eCard
The website you go to says, “Merry Christmas”, and “If you don’t see your greeting card, just click here to download it.”. Here comes /ecard.exe, as always, via a meta-refresh. No HTTP browser exploits on the site. This is hosted on a fast flux network... The ecard.exe binary is pretty much malcode, as you would expect... Pretty weak detection when we look via VirusTotal*. Two vendors dubbed it Waledec...
• Microsoft 1.4205 2008.12.20 Trojan:Win32/Waledac.A
• NOD32 3709 2008.12.20 a variant of Win32/Waledac ..."

* http://www.virustota...68a029cbc1e27f5

:ph34r:



#57 AplusWebMaster


Posted 26 December 2008 - 08:28 AM

FYI...

Christmas e-card malware...
- http://isc.sans.org/...ml?storyid=5557
Last Updated: 2008-12-26 03:12:19 UTC ...(Version: 2) - "... over the last (few) days there has been an increase in malicious Christmas cards distributing the Waledac worm. The e-mails consist of a hyperlink to a "Christmas card"... The user will need to click on either button, get a Security Warning and will need to accept the fact that an executable is being run... Some of the domains that were reported to us by readers (thanks Mike and the Shadowserver foundation) include:
bestchristmascard .com
blackchristmascard .com
cheapdecember .com
christmaslightsnow .com
decemberchristmas .com
directchristmasgift .com
freechristmassite .com
freechristmasworld .com
freedecember .com
funnychristmasguide .com
holidayxmas .com
itsfatherchristmas .com
justchristmasgift .com
livechristmascard .com
livechristmasgift .com
superchristmasday .com
superchristmaslights .com
whitewhitechristmas .com
yourchristmaslights .com
yourdecember .com
Note that this list is still very much incomplete. We may post updates.
For now, we recommend:
• Blocking the download of 'ecard.exe', or the affiliated domains on your corporate proxy;
• Ensure that your anti virus and anti spam solutions are updated frequently as the AV vendors build coverage for this new threat. Given the mass mailing nature, spam protection is likely to be the first to pick up on this...
Arbor Networks has an interesting blog entry* up on the flux tactics involved with this threat here. For further data on the worm itself, visit Symantec's writeup**."
(Screenshot available at the ISC url above.)

* http://asert.arborne...rd-run-waledec/

** http://www.symantec....e...-99&tabid=2

- http://blog.trendmic...ooding-inboxes/
Dec. 26, 2008

:ph34r: :ph34r: :ph34r:

Edited by AplusWebMaster, 26 December 2008 - 07:39 PM.

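The ISC diary quoted above recommends blocking the download of ecard.exe and the affiliated domains on the corporate proxy. The script below is an added example for this thread (not ISC's or the forum post's code) that does both halves of that: it re-fangs the domain list exactly as the post prints it (with the space before the TLD), sweeps proxy log lines for requests to those domains or for the ecard.exe / postcard.exe file names (postcard.exe is the second name Shadowserver reports for the same campaign in post #59), and renders the domains as a Squid dstdomain ACL. The log format is a constructed, simplified "timestamp client method url" line and every sample line is made up.

```python
"""Detection and blocking for the Waledac e-card indicators in the ISC diary.
Added example for this thread, not ISC's or the forum post's code.  The
proxy log format is a constructed simplification and the log lines are
made up."""
import re
from urllib.parse import urlparse

# Domains exactly as the ISC post prints them (defanged with a space before the TLD).
DEFANGED_DOMAINS = """
bestchristmascard .com
blackchristmascard .com
cheapdecember .com
christmaslightsnow .com
decemberchristmas .com
directchristmasgift .com
freechristmassite .com
freechristmasworld .com
freedecember .com
funnychristmasguide .com
holidayxmas .com
itsfatherchristmas .com
justchristmasgift .com
livechristmascard .com
livechristmasgift .com
superchristmasday .com
superchristmaslights .com
whitewhitechristmas .com
yourchristmaslights .com
yourdecember .com
"""

# ecard.exe is the file name ISC recommends blocking; postcard.exe is the
# alternate name Shadowserver reports for the same campaign.
BLOCKED_FILENAMES = {"ecard.exe", "postcard.exe"}


def refang(domain: str) -> str:
    """Turn a defanged name ('example .com', 'example[.]com') back into a hostname."""
    return re.sub(r"\s*\[?\.\]?\s*", ".", domain.strip()).lower()


BLOCKED_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS.splitlines() if d.strip()}

# Constructed log format: "<timestamp> <client> <METHOD> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def host_matches(host: str, blocked) -> bool:
    """True if host is a blocked domain or any subdomain of one (not a mere suffix)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def scan(log_lines):
    """Return one record per log line that touches a blocked domain or file name."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        url = m.group("url")
        parsed = urlparse(url if "://" in url else "http://" + url)
        host = parsed.hostname or ""
        filename = parsed.path.rsplit("/", 1)[-1].lower()
        reasons = []
        if host_matches(host, BLOCKED_DOMAINS):
            reasons.append("blocked-domain")
        if filename in BLOCKED_FILENAMES:
            reasons.append("blocked-filename")
        if reasons:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "host": host, "url": url, "reasons": reasons})
    return hits


def squid_acl(blocked=None) -> str:
    """Render the list as a Squid dstdomain ACL; a leading dot matches the domain and its subdomains."""
    names = sorted(BLOCKED_DOMAINS if blocked is None else blocked)
    return ("acl waledac_domains dstdomain " + " ".join("." + d for d in names) + "\n"
            "http_access deny waledac_domains")


# Constructed sample log: two listed hosts, one off-list ecard.exe download, one benign request.
SAMPLE_LOG = [
    "1230300001.123 10.0.0.7 GET http://www.bestchristmascard.com/ecard.exe",
    "1230300002.456 10.0.0.9 GET http://intranet.example/holiday/party.html",
    "1230300003.789 10.0.0.7 GET http://cdn.holidayxmas.com/index.php?id=42",
    "1230300004.000 10.0.0.12 GET http://files.example.net/downloads/ecard.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["host"], ",".join(hit["reasons"]))
    print(squid_acl())
```

The file-name check deliberately fires on hosts that are not on the list: the diary says its list is incomplete, so a download of ecard.exe from any domain is worth a look, while the domain check alone would miss new flux hosts.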


#58 AplusWebMaster


Posted 30 December 2008 - 07:54 AM

FYI...

More "Fake AV" Incarnations Making The Rounds
- http://isc.sans.org/...ml?storyid=5584
Last Updated: 2008-12-30 01:39:49 UTC - "Using obfuscated javascript techniques, more "Fake Anti Virus" malware is continuing to present itself to unsuspecting Internet users - in the hopes of gaining an installation through the use of rather effective, social engineering methods. Some of the latest incarnations observed in the past 24 hours continue to maintain low levels of AV detection (less than 15% based on VirusTotal analysis)... In terms of propagation, getting a "hit" from this malware is as easy as entering a series of search terms on your favorite search engine, and unluckily picking a search result that delivers nothing more than the misleading introductory screen and fake anti-virus pop-up alerts (with their associated "D-level" english grammar). Should you unfortunately find yourself victim to this, remember to not click anywhere on the screen, but instead use "Task Manager - Applications" to terminate the victimized web browser session."

:ph34r:



#59 AplusWebMaster


Posted 01 January 2009 - 10:07 AM

FYI...

- http://www.shadowser...lendar.20081231
31 December 2008 - "...A new trojan, which has been called a Waledac variant, appeared in recent weeks hyping up Christmas e-cards with nice inviting e-mails leading you to a cute website that you can get your e-card at... Lately the website has been peddling either "ecard.exe" or "postcard.exe" for download. But the fun does not end there. There's a nice little JavaScript reference pointing to "google-analysis.js" which has some nasty excitement embedded into it. The JavaScript currently loads a page from the domain "seocom .mobi" which in turn attempts to exploit the user and install a trojan which gets its commands from the same site. It is ultimately instructed to download and install the same Waledac trojan.
Fast-flux Domains
These e-mail lures have involved several different domains of which all are part of a fast flux network... The best option is to block the domains. The following is a list of all of the domains known to Shadowserver to be associated with the Waledac trojan: ...( see the Shadowserver URL above for the list of domains ) ...the trojan is fairly loud and starts beaconing right away to seeded hosts... we suspect the network is using some form of strong encryption for this communication...
Storm Worm?
Right! You are not the only one thinking this. In fact a lot of people are drawing similar comparisons. There are a ton of differences, but there's also a bunch of similarities for sure. Here's a few similarities we along with our fellow collaborators/security researchers have come up with:
• Fast-flux Network (domains are fast fluxing and name servers frequently change IPs)
• Several Name Servers per Domain (ns[1-6].<waledac.domain>)
• Use of Nginx (sure lots of people use it, but hey it's a similarity)
• Spreading through e-mail and Holiday Themes
• Use of "ecard.exe" and "postcard.exe" (both previously used by Storm)
• Drive-by Exploit in Domains (Storm previously used Neosploit) ...
Prevention and Detection
The first step as always is -not- to click the links from your e-mail. This will keep you relatively safe and Waledac free... Your next step is to block the above listed domains. There will surely be new ones added to the mix in the future, but blocking this will definitely help in the near term. Antivirus being up to date can't hurt either..."

:ph34r: <_<

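The Shadowserver write-up above lists the traits that made Waledac look like Storm: a fast-flux network whose domains and name servers change IPs quickly, and several name servers per domain (ns[1-6].<waledac.domain>). Those traits can be turned into a scoring rule over passive-DNS or resolver-log observations, which is what the added example below does. It is not Shadowserver's or the forum post's code; the DNS observations are constructed (one flux-like domain taken from the ISC list in post #57, one stable internal domain) and the thresholds are assumptions picked for illustration, to be tuned against your own resolver data.

```python
"""Fast-flux scoring from the traits in the Shadowserver write-up: many
distinct addresses in a short window, short TTLs, many name servers per
domain.  Added example, not Shadowserver's or the forum post's code.  The
observations are constructed and the thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed thresholds: a domain scores one point per trait it exhibits.
MIN_DISTINCT_IPS = 5       # distinct A-record addresses seen for the name
MAX_TTL_SECONDS = 600      # short TTLs let the flux network rotate hosts quickly
MIN_NAME_SERVERS = 4       # Shadowserver saw ns[1-6].<waledac.domain>
FLAG_AT_SCORE = 2


def summarize(observations):
    """Group (timestamp, domain, rtype, value, ttl) tuples by domain."""
    per = defaultdict(lambda: {"a": set(), "ns": set(), "ttls": [], "first": None, "last": None})
    for ts, domain, rtype, value, ttl in observations:
        d = per[domain]
        if rtype == "A":
            d["a"].add(value)
        elif rtype == "NS":
            d["ns"].add(value)
        d["ttls"].append(ttl)
        d["first"] = ts if d["first"] is None or ts < d["first"] else d["first"]
        d["last"] = ts if d["last"] is None or ts > d["last"] else d["last"]
    return per


def assess(observations):
    """Return {domain: {traits, counts, score, flagged}} for every domain observed."""
    result = {}
    for domain, d in summarize(observations).items():
        # Observation span in hours (floor of one minute so a single sample cannot divide by zero).
        span_h = max((d["last"] - d["first"]).total_seconds() / 3600, 1 / 60)
        traits = {
            "many_ips": len(d["a"]) >= MIN_DISTINCT_IPS,
            "low_ttl": median(d["ttls"]) <= MAX_TTL_SECONDS,
            "many_ns": len(d["ns"]) >= MIN_NAME_SERVERS,
        }
        score = sum(traits.values())
        result[domain] = {**traits,
                          "distinct_ips": len(d["a"]),
                          "ips_per_hour": round(len(d["a"]) / span_h, 2),
                          "name_servers": len(d["ns"]),
                          "score": score,
                          "flagged": score >= FLAG_AT_SCORE}
    return result


def build_sample():
    """Constructed resolver observations: one flux-like domain, one stable one."""
    base = datetime(2008, 12, 31, 0, 0)
    obs = []
    # Flux-like: a fresh address every 15 minutes, TTL 300, six name servers.
    for i in range(8):
        obs.append((base + timedelta(minutes=15 * i), "livechristmascard.com",
                    "A", f"198.51.100.{10 + i}", 300))
    for k in range(1, 7):
        obs.append((base, "livechristmascard.com", "NS", f"ns{k}.livechristmascard.com", 300))
    # Stable: the same address all day, TTL 3600, two name servers.
    for i in range(4):
        obs.append((base + timedelta(hours=6 * i), "corp.example", "A", "192.0.2.10", 3600))
    for k in (1, 2):
        obs.append((base, "corp.example", "NS", f"ns{k}.corp.example", 3600))
    return obs


SAMPLE_OBSERVATIONS = build_sample()

if __name__ == "__main__":
    for domain, r in assess(SAMPLE_OBSERVATIONS).items():
        print(f"{domain:24} ips={r['distinct_ips']} ({r['ips_per_hour']}/h) "
              f"ns={r['name_servers']} score={r['score']} flagged={r['flagged']}")
```

A score, rather than any single trait, is used because each trait alone has benign look-alikes (CDNs rotate addresses, many registrars hand out short TTLs); the write-up's point is that it was the combination that made Waledac stand out.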


#60 AplusWebMaster


Posted 05 January 2009 - 06:42 PM

FYI...

Twitter-Facebook Phishing...
- http://isc.sans.org/...ml?storyid=5623
Last Updated: 2009-01-04 15:45:09 UTC - "Several readers have sent us information about a phishing attempt based on Twitter and possibly Facebook. It looks like the twitter folks have it well under control*, but as always with your Internet experience, vigilance and skepticism are your friends..."
* http://blog.twitter....e-phishing.html
January 03, 2009

- http://preview.tinyurl.com/73gm9n
01/05/2009 cgisecurity.net - "Days after a wave of phishing attacks fooled thousands of Twitter users, it appears that another security hole has been found by...someone... The Fox tweet was deleted an hour after it was posted, so the password may not have been changed... This can't be good for Twitter. It will be good for the people calling for more secure, standards based authentication on Twitter and elsewhere around the web."
- readwrite web
From Twitter's blog: http://blog.twitter....ng-madness.html
"...The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend. These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can't remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure"..."

- http://blog.trendmic...er-or-facebook/
Jan. 5, 2009

:smack:

Edited by AplusWebMaster, 06 January 2009 - 10:00 AM.

