SPAM frauds, fakes, and other MALWARE deliveries...


  • Please log in to reply
2072 replies to this topic

#76 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 04 February 2009 - 01:07 PM

FYI...

Work-At-Home Scams...
- http://www.ic3.gov/m...009/090203.aspx
February 3, 2009 - "Consumers need to be vigilant when seeking employment on-line. The IC3 continues to receive numerous complaints from individuals who have fallen victim to work-at-home scams. Victims are often hired to "process payments", "transfer funds" or "reship products." These job scams involve the victims receiving and cashing fraudulent checks, transferring illegally obtained funds for the criminals, or receiving stolen merchandise and shipping it to the criminals. Other victims sign up to be a "mystery shopper", receiving fraudulent checks with instructions to cash the checks and wire the funds to "test" a company's services.
Victims are told they will be compensated with a portion of the merchandise or funds. Work-at-home schemes attract otherwise innocent individuals, causing them to become part of criminal schemes without realizing they are engaging in illegal behavior. Job scams often provide criminals the opportunity to commit identity theft when victims provide their personal information, sometimes even bank account information to their potential "employer." The criminal/employer can then use the victim's information to open credit cards, post on-line auctions, register Web sites, etc., in the victim's name to commit additional crimes..."

- http://www.fbi.gov/p...scams020309.htm
February 4, 2009

:ph34r: <_< :blink:

Edited by AplusWebMaster, 14 February 2009 - 12:48 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#77 AplusWebMaster

Posted 07 February 2009 - 06:13 PM

FYI...

4chan.org Malware .gif files...
- http://isc.sans.org/...ml?storyid=5821
Last Updated: 2009-02-07 21:51:03 UTC - "A Storm Center subscriber has just submitted malware embedded in .gif image files, downloaded from the image site 4chan.org. For the sake of expediency, and because this person did such a good write up, here is the analysis provided:

"The *.gif files were found (on) the "random" board of the image board site 4chan. The files contain a large picture with instructions to save the file with a .jse extension and run it. The *.out files are the result of applying scrdec to the gifs to reveal the encoded script. It appears to:
1) copy itself somewhere as 'sys.jse'
2) add itself to a Run key in the registry
3) a) fetch the index to 4chan's /b forum
b) download the first image
c) save it as 'j.jse'
d) attempt to run 'j.jse'
4) construct a POST request containing the image as payload
5) upload itself as a new post on 4chan
6) point an instance of IE at site it came from
(3)-(6) are in an infinite loop."

To the subscriber who did the legwork on this one, my thanx for the excellent work... will provide more data as it develops."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 07 February 2009 - 06:19 PM.


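The ISC write-up above says the .jse sample persists by copying itself as 'sys.jse' and adding itself to a Run key. The following is an added defender's check, not code from the forum post or from the ISC diary it quotes: it lists Run-key values and flags any that launch a Windows Script Host file (.js, .jse, .vbs, .vbe, .wsf, .wsh) or call wscript/cscript directly. The sample entries are constructed for illustration; on Windows the script reads the real HKCU and HKLM Run keys instead.

```python
"""Flag Run-key autostart entries that launch Windows Script Host scripts.

Added example (not from the forum post or the ISC diary it quotes). The
4chan .jse sample persists by adding itself to a Run key; this checks Run
values for commands that point at WSH script files or invoke the script host.
"""
import re
import sys

# Constructed sample of Run-key values as (value name, command line) pairs,
# standing in for a registry export. 'sys.jse' and 'j.jse' are the file names
# the ISC write-up mentions; the other entries are made up for illustration.
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("sys", r"C:\Users\alice\AppData\Roaming\sys.jse"),
    ("Updater", r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\j.jse"'),
    ("Backup", r"C:\Tools\backup.vbs"),  # a legitimate-looking admin script
]

# File extensions handled by Windows Script Host (wscript.exe / cscript.exe).
_SCRIPT_RE = re.compile(r"\.(jse?|vbs|vbe|wsf|wsh)\b", re.IGNORECASE)
# Explicit invocation of the script host itself.
_HOST_RE = re.compile(r"\b[cw]script(\.exe)?\b", re.IGNORECASE)
# Script stored under a user-writable profile location.
_PROFILE_RE = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)


def classify_command(command):
    """Return the list of reasons a Run-key command looks like WSH persistence."""
    reasons = []
    if _SCRIPT_RE.search(command):
        reasons.append("references a Windows Script Host file")
    if _HOST_RE.search(command):
        reasons.append("invokes wscript/cscript explicitly")
    # Only worth noting when the command is script-related at all.
    if reasons and _PROFILE_RE.search(command):
        reasons.append("script lives under a user-writable profile path")
    return reasons


def flag_script_autoruns(entries):
    """Return [(value_name, command, reasons)] for every suspicious entry."""
    findings = []
    for name, command in entries:
        reasons = classify_command(command)
        if reasons:
            findings.append((name, command, reasons))
    return findings


def read_run_keys():
    """Read the real Run keys on Windows; elsewhere fall back to the sample."""
    if sys.platform != "win32":
        return SAMPLE_RUN_ENTRIES
    import winreg  # standard library, Windows only
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values in this key
                entries.append((name, str(value)))
                index += 1
    return entries


if __name__ == "__main__":
    for name, command, reasons in flag_script_autoruns(read_run_keys()):
        print(f"[!] {name}: {command}\n    " + "; ".join(reasons))
```

A hit is a lead, not a verdict: the 'Backup' entry shows that administrators do legitimately schedule .vbs scripts, so the extra "user-writable profile path" reason is what separates the two .jse entries from ordinary automation.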

#78 AplusWebMaster

Posted 09 February 2009 - 04:30 PM

FYI...

Waledac new variant - Valentine's Day Theme
- http://securitylabs....lerts/3299.aspx
02.09.2009 - "... new spammed variant continues to use the Valentines theme. Once a user opens the URL in the spammed message, he is redirected to a site with 2 puppies and a love heart to give a Valentines theme. The user is then enticed to download a Valentines kit to prepare a present for a loved one, which is a new Waledac variant. This variant has a very low AV detection rate..."
- http://www.trustedso...am-on-the-Loose
(Screenshot of spammed email available at both URLs above.)

Waledac Domain (Block) List - Updated 02-10-2009 - 4:21 UTC
- http://www.shadowser...dac_domains.txt

- https://forums.syman.../article-id/239
02-09-2009 - "Up until recently, Waledac’s main purpose had been to peddle performance-enhancing pharmaceuticals by sending large runs of unsolicited mail to thousands of unwilling recipients. Today we noticed a shift in this trend. In addition to sending large volumes of spam, Waledac is now distributing misleading applications. In our testing we noticed that the misleading application that is installed this time around is MS AntiSpyware 2009..."

:ph34r: <_<

Edited by AplusWebMaster, 11 February 2009 - 08:05 AM.
Added Shadowserver list/updated URL...



#79 AplusWebMaster

Posted 12 February 2009 - 06:13 PM

FYI...

Skype Valentine SPAM lure
- http://securitylabs....lerts/3305.aspx
02.12.2009 - "Websense... has spotted an emerging malicious spam lure, masquerading as a message from Skype. The spammed message uses Skype's logos and themes, posing as a Valentine promotion. With two days to go before Valentine's day, the fake promotion entices the user into sending a free Valentine video message to a loved one. The proposed video link in the message leads to a malicious compressed archive file named valentine.exe... Earlier today we noticed that the same group were sending out spoofed-Hallmark e-greetings and now they have recently switched to this spoofed-Skype video card campaign..."

(Screenshots of a spammed email available at the URL above.)

:ph34r: <_<



#80 AplusWebMaster

Posted 14 February 2009 - 07:33 AM

FYI...

WALEDAC Valentine SPAM variants on the rise...
- http://blog.trendmic...e-malware-love/
Feb. 13, 2009 - "... A recently reported case of malware-related SPAM contains a short Valentine’s message — and with an embedded URL that leads to malicious content... The malicious file is actually a WALEDAC variant detected... WALEDAC variants* have been previously served through e-card spam..."
(Screenshots available at the URL above.)

Search Results for 'WALEDAC' - MALWARE and GRAYWARE List
* http://preview.tinyurl.com/akubv6
...42 records match your query

Waledac Tracker Summary Data
- http://www.sudosecur...ledac/index.php
2009-02-14

:ph34r: <_<

Edited by AplusWebMaster, 14 February 2009 - 08:19 AM.



#81 AplusWebMaster

Posted 17 February 2009 - 09:00 PM

FYI...

Re-resurgence of .cn URL SPAM
- https://forums.syman.../article-id/148
02-17-2009 - "As discussed in the Symantec State of Spam Report* for February, URLs with the “.cn” country code top level domain (ccTLD) have become a popular ingredient in spam messages. A top-level domain (TLD) is the part of a domain name that follows the final dot of any domain name. A ccTLD is a top-level domain generally reserved or used by a country or a dependent territory. According to the February report, URLs with .cn ccTLDs accounted for approximately 32% of all URLs seen during that period. However, we saw a noticeable decrease in this particular technique starting around the end of January with levels dropping down to 7%. On February 12, we once again observed a revival approaching similar levels as was seen in January—these levels are currently sitting around 29%. The URLs are applied to various kinds of spam attacks, but one of the more popular versions uses legitimate messages such as newsletters and replaces the existing URLs with .cn URLs to peddle spam products..."
* http://www.symantec....d=state_of_spam
___

SPAM Attacks on Job Seekers
- https://forums.syman.../article-id/147
02-17-2009 - "With the worsening economic situation, unemployment figures have risen worldwide. This has led millions of people to search for jobs, using whatever resources they can find. One of the most common is online job search sites. Email alerts from recruitment agencies are anxiously viewed for future job prospects and hopes dashed when rejection letters are received. Malicious code writers are making use of this opportunity to distribute their malware. Symantec has recently observed emails with malicious attachments, informing the recipient of a job rejection and including an attached copy of their purported application. These emails pose as though they have been sent from a genuine recruitment agency... The attached zip file “copy of your CV.zip” contains an executable file, detected as Hacktool.Spammer by Symantec Antivirus. Hacktool.Spammer is a program that hackers use to attack mail boxes by flooding them with email. It can be programmed to send many email messages to specific addresses. It will be difficult to ignore emails from job agencies, but we can definitely be cautious of file types, particularly executables (.exe). -Any- email with this type of application extension should be considered suspicious, particularly if it's coming from an unknown sender. We have also seen job offer attacks with an intention of harvesting email addresses. If the recipient clicks on any of the links found in the message, the spammer gets a confirmation that the email address is a live account. This account can then be targeted in a spam campaign at a later date. Clicking an "unsubscribe" link also yields the same results, because in the action of unsubscribing you are confirming the account is a live address..."

:wall: :ph34r:



#82 AplusWebMaster

Posted 19 February 2009 - 10:55 AM

FYI...

Anti-virus-1 new rogue anti-spyware...
- http://www.bleepingc...virus-1-removal
February 18, 2009 - "Anti-virus-1 is a new rogue anti-spyware program from the same family as Antivirus 2010 and Antivirus 360. This program is promoted primarily through two methods. The first is through the use of advertisements that pretend to be online anti-malware scanners. These advertisements go through what appears to be a scan of your machine and then when finished, state that your computer is infected and that you should download Anti-virus-1 to protect yourself. Remember, though, that this is just an advertisement and it has no way of knowing what is running on your computer. The second method that is used to promote this rogue is through the use of Trojans. When certain Trojans are installed on your computer they will display security alerts stating that your computer is infected or that you have some other security risk. When you click on these alerts, it will download and install Anti-virus-1 onto your computer... When Anti-virus-1 is installed it will configure itself to start automatically when Windows starts. It will also modify your C:\Windows\System32\drivers\etc\hosts file so that when you visit certain sites you will go to a site under the malware developer's control rather than the legitimate site you were expecting to go to. This allows them to show you information that further promotes the Anti-virus-1 program. When the program is started it will automatically scan your computer and then display a list of infections that cannot be removed unless you first purchase the program... Tools Needed for this fix: Malwarebytes' Anti-Malware* ..."
* http://download.blee.../mbam-setup.exe

(Screenshots and more detail available at the first URL listed above.)

:ph34r: <_< :ph34r:



#83 AplusWebMaster

Posted 23 February 2009 - 03:19 PM

FYI...

eBay Auction Tool Web Site Infected With Malware
- http://preview.tinyurl.com/d6a9xm
Feb. 23, 2009 PC World - "A Trojan horse lurking on servers belonging to Auctiva.com, a Web site offering eBay auction tools, infected people's PCs last week. The problem became very public when Google's malware warning system kicked in as people tried to browse the site, saying Auctiva was infected with malware. Google will display an interstitial page warning people of certain Web sites known to contain malware. "It appears the reason these virus alert warnings started showing up on our site is because some of our machines were injected with malware originating in China," according to a post on Auctiva's community forum... It appears that the malware targeted Microsoft's Internet Explorer browser... "Found eight Trojans on my system that seemed to have snuck through my on-access protection, or maybe because, like a fool, I clicked 'ignore the warning' to get to Auctiva's front page," wrote one user on Auctiva's forum. If Google displays a warning about a dangerous Web site, it still gives people the option of browsing to the site. Auctiva said it was working with Google to ensure the warning is not displayed now that it has cleaned up its servers. However, people who browsed Auctiva between Thursday and Saturday afternoon until 2 p.m. Pacific time should ensure their machines are not infected..."

:ph34r: :wacko:



#84 AplusWebMaster

Posted 24 February 2009 - 04:34 PM

FYI...

eWeek Hacked with drive-by download - Anti-Virus-1...
- http://securitylabs....lerts/3310.aspx
02.24.2009 - "Websense... has discovered that the eWeek.com Web site is serving malicious advertisements (malvertisements) to visitors...
Update 2/24/09 - eWeek has informed us that the problem has been rectified. We have verified that the Web site is now safe. eWeek.com is the online version of the popular business computing magazine. When users browse to the home page of eWeek, a malvertisement hosted on the DoubleClick advertisement network performs a redirect to a malicious Web site through a series of iframes. This causes a redirect to one of two files on hxxp ://[removed]inside .com/ - Either a pdf document containing exploit code is served, or index.php redirects to the rogue ad-server. With no user interaction, a file named "winratit.exe" (MD5: A12DA1D62B7335CBE6D6EA270247BBC1) is installed in the user's temporary files folder. Two additional files are dropped onto the user's machine and are bound to startup. The hosts file is also modified so that if the user tries to browse to popular software download sites to remedy the infected machine, s/he is instead directed to a malicious Web site offering further rogue AV downloads. The name of the rogue AV application is Anti-Virus-1. If the user chooses to register the rogue AV, a connection is made to hxxp ://[removed]-site .info/ which has been set up to collect payment details..."

:ph34r: :ph34r:


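Both Anti-Virus-1 reports above (the BleepingComputer write-up in #82 and the Websense alert in #84) describe the rogue rewriting the hosts file so that visits to cleanup-tool download sites land on a server the attacker controls. The following is an added example, not code from the forum post or from either vendor write-up: it parses a hosts file and reports any watched security-vendor domain that is mapped to something other than a loopback or sinkhole (0.0.0.0) address. The watched domain list and the sample hosts content are constructed for illustration; the 203.0.113.0/24 address used for the fake entries is a documentation range, not a real attacker host.

```python
"""Detect hosts-file redirection of security-vendor download sites.

Added example (not from the forum posts or the write-ups they quote). A
rogue that edits the hosts file can send "www.vendor.example" to a server it
controls; a legitimate hosts file never maps such names to remote addresses.
"""
import ipaddress
import sys

# Illustrative list of sites a user would visit for cleanup tools.
WATCHED_DOMAINS = {
    "www.malwarebytes.org",
    "download.bleepingcomputer.com",
    "www.microsoft.com",
    "update.microsoft.com",
}

# Constructed sample hosts file: the normal loopback lines, an ad-blocking
# sinkhole entry, and two hijacked entries of the kind the posts describe.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
203.0.113.77    www.malwarebytes.org   malwarebytes.org
203.0.113.77    download.bleepingcomputer.com   # added by the rogue
0.0.0.0         ads.example.net
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower(), lineno


def is_loopback_or_sinkhole(ip):
    """True for 127.x, ::1 and 0.0.0.0/::, the only targets a benign entry uses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as not benign
    return addr.is_loopback or addr.is_unspecified


def find_hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip, line_number)] for watched names sent to remote addresses."""
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if name in watched and not is_loopback_or_sinkhole(ip):
            findings.append((name, ip, lineno))
    return findings


def default_hosts_path():
    """Location of the live hosts file on the current platform."""
    if sys.platform == "win32":
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_hosts_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as handle:
            text = handle.read()
    except OSError as exc:
        print(f"could not read {path} ({exc}); scanning the built-in sample instead")
        text = SAMPLE_HOSTS
    hits = find_hijacked_entries(text)
    for name, ip, lineno in hits:
        print(f"[!] line {lineno}: {name} -> {ip}")
    if not hits:
        print("no watched domains are redirected")
```

Run it with no arguments to scan the live hosts file, or pass a path to scan a copy pulled from a suspect machine. The check is deliberately strict: a watched domain mapped anywhere but loopback or 0.0.0.0 is reported, because there is no legitimate reason for an AV vendor's download site to be pinned to a remote address in the hosts file.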

#85 AplusWebMaster

Posted 27 February 2009 - 06:44 AM

FYI...

Rogue Facebook apps...
- http://blog.trendmic...in-just-a-week/
Feb. 26, 2009 - "In a second attack, extremely reminiscent of the one that took place this weekend*, Facebook users have once again been victimized by cybercriminals. Reports started surfacing this afternoon of yet another rogue Facebook application posting notifications to user profiles... The link in the notification led on to an application named f a c e b o o k - - closing down!!! which, once installed, would proceed to spam all of the affected user’s friends with the same message. It may also harvest personal information along the way... Prevention of rogue applications with extremely dubious intent to propagate freely within the site is needed. Users are advised to exercise extreme caution when surfing..."
* http://blog.trendmic...o-blackhat-seo/

(Screenshots available at both URLs above.)

:ph34r:


#86 AplusWebMaster

Posted 02 March 2009 - 10:25 AM

FYI...

New Koobface worm variant spreading on Facebook
- http://blog.trendmic...ng-on-facebook/
March 1, 2009 - "I just received a Facebook message from a friend; it was a pretty standard one that is beginning to look familiar to a lot of us I am sure. What surprised me though, was the page that the link led to. On the face of it is a very familiar looking spoofed version of YouTube, complete with bogus comments from “viewers”... Take a second look though, the link had taken me to a site supposedly hosting a video posted by the same person that I had received the Facebook message from. In fact not only was the malicious landing page displaying his name, it had also pulled the photo from his Facebook profile... Clicking the Install button redirects to a download site for the file setup.exe which is the new Koobface variant detected as WORM_KOOBFACE.AZ. It is hosted on an IP address in another part of the world, and in the last hour, we’ve seen 300+ different unique IP addresses hosting setup.exe and we’re expecting more. All seen IP addresses hosting the said malicious file are now detected as HTML_KOOBFACE.BA. Analysis by our engineers reveals that WORM_KOOBFACE.AZ propagates through other social networking sites as well..."
(Screenshots available at the URL above.)

- http://www.us-cert.g...cial_networking
March 4, 2009 - "...malicious code spreading via popular social networking sites including myspace.com, facebook.com, hi5.com, friendster.com, myyearbook.com, bebo.com, and livejournal.com. The reports indicate that the malware, named Koobface, is spreading through invitations from a user's contact that include a link to view a video. If the users click on the link in this invitation, they are prompted to update Adobe Flash Player. This update is not a legitimate Adobe Flash Player update, it is malicious code..."

:angry: :ph34r:

Edited by AplusWebMaster, 08 March 2009 - 12:13 PM.
Added USCERT advisory...



#87 AplusWebMaster

Posted 05 March 2009 - 09:54 AM

FYI...

Fake job ads up 345%...
- http://www.informati...cleID=215800622
March 5, 2009 - "Job seekers beware. Identity thieves are looking to steal personal information from those searching for employment. Fake job ads are up 345% over the past three years, according to the U.K. Association for Payment Clearing Services, and the Identity Theft Resource Center (ITRC)* warns that would-be workers should be careful about providing personal information to purported employers..."
* http://preview.tinyurl.com/2j6y3b

:wall: :ph34r:



#88 AplusWebMaster

Posted 06 March 2009 - 06:09 AM

FYI...

Scams - Economic Stimulus email and websites...
- http://www.us-cert.g...ail_and_website
March 5, 2009 - "... economic stimulus scams circulating. These scams are being conducted through both email and malicious websites. Some of the email scam messages request personal information, which can then be used for identity theft. Other email scam messages offer to deposit the stimulus funds directly into users' bank accounts. If users provide their banking information, the attackers may be able to withdraw funds from the users' accounts. The website scams entice users by claiming that they can help them get money from the stimulus fund. These websites typically request payment for their services. If users provide their credit card information, the attackers running the malicious sites may make unauthorized charges to the card, or charge users more than the agreed upon terms..."
- http://ftc.gov/opa/2...imulusscam.shtm

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 06 March 2009 - 07:13 AM.



#89 AplusWebMaster

Posted 08 March 2009 - 06:18 AM

FYI...

New rogue: Antispyware Pro 2009
- http://sunbeltblog.b...e-pro-2009.html
March 08, 2009

New rogue: Malware Defender 2009
- http://sunbeltblog.b...ender-2009.html
March 06, 2009 - "Malware Defender 2009 is a new rogue security product and a clone of System Guard 2009..."

(Screenshots available at both URLs above.)

Tornado Malware Kit
- http://atlas.arbor.n...ndex#1440121766
March 06, 2009 - "...This is a specific instance of such a drive by kit but demonstrates the current technology that is being sold and delivered on the Internet.
Analysis: These kits have been in use for well over a year and are responsible for many of the drive by downloads we see on the Internet these days.
Source: http://www.securewor...do-malware-kit/
March 5, 2009 - "...Tornado is a Russian web-attack kit used by hackers to compromise as many machines as possible. “Out of the box,” it comes with 14 exploits..."

:rant2: :( :ph34r:

Edited by AplusWebMaster, 08 March 2009 - 06:31 AM.



#90 AplusWebMaster

Posted 09 March 2009 - 11:27 AM

FYI...

Fake Windows Support SPAM... Info-Stealer
- http://blog.trendmic...n-info-stealer/
Mar 9, 2009 - "... Spammed email messages were found pretending to come from Microsoft Windows Support and claiming that Microsoft Service Pack 1 and Service Pack 2 have been discovered to have an error that can damage the computer’s software or even the hardware. These messages encourage users to download and install a file in order to fix the problem. When users click the download button they are redirected to a site and are asked to download a file which Trend Micro detects as TROJ_DLOADER.CUT... TROJ_DLOADER.CUT connects to a certain URL to download another malicious file, which in turn is detected by Trend Micro as TSPY_BANKER.MCL. TSPY_BANKER.MCL monitors the affected user’s online transactions and steals banking related information. Not too many TSPY_BANKER variants have been reported to be related to notable attacks recently, and this incident may pretty much mark the end of the hiatus. Users are advised to ignore spammed messages and, more importantly, to never click links embedded in these messages..."

(Screenshot available at the URL above.)

:( :ph34r:
