SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1081 AplusWebMaster
  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 28 November 2013 - 09:45 AM

FYI...

Fake Skype voicemail - Trojan SPAM ...
- http://www.theregist...gs_zeus_trojan/
28 Nov 2013 - "A spam run of fake Skype voicemail alert emails actually comes packed with malware, a UK police agency warns*. Action Fraud said the zip file attachments come contaminated with a variant of the notorious ZeuS banking Trojan. Messages typically come with the subject line “You received a new message from Skype voicemail service”. The emails contain a copyright notice and a disingenuous warning that "Skype staff will NEVER ask you for your password via email", all in a bid to appear genuine..."
* http://www.actionfra...ain-virus-nov13

- http://blog.mxlab.eu...ontains-trojan/
 



.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1082 AplusWebMaster

Posted 02 December 2013 - 12:10 PM

FYI...
___

Fake 'planned outage' SPAM - attachment contains trojan ...
- http://blog.mxlab.eu...ontains-trojan/
Dec 2, 2013 - "MX Lab... started to intercept a new trojan distribution campaign by email with the subject “Important update. Please read”. This email is sent from the spoofed address “mail server update” and has the following body:
    Dear user!
    This is a planned Outage for our MAIL Services on Mon, 02 Dec 2013 11:30:14 +0300
    Our MailServer is currently experiencing some problems. It should be working again as usual shortly.
    If you want to keep previous saved emails
    please download and save your backup from the attached file.
    Please do not reply to this message.
    This is a mandatory notification containing information about important changes in the products you are using.


Screenshot of the message: http://img.blog.mxla...nned_outage.gif

The attached ZIP file has the name saved_mailbox_yoct_F479657BA8.zip and contains the 115 kB large file saved_mail_user_id_8349653__random_numbers__6587234.eml. The trojan is known as Trojan/Win32.Zbot, W32/Trojan.RSKY-7175, Win32/PSW.Fareit.A, Trojan.Ransom.RV or Mal/Generic-S. At the time of writing, 7 of the 47 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 8ff5f6c1e5b368c2e9de2a0d98364f9cae6560ba54874f55779b78a0f487745c
The trojan is capable of downloading files from the internet and according to Malwr it can steal information from local internet browsers and harvest credentials from FTP clients. This last one can perhaps be used to upload a virus or malware to hosts that can use this location for other campaigns.
The trojan will start a new service, make some Windows registry modifications and will make contact with hosts to download a file from:
    hxxp ://62.76.45.242/our/1.exe
    hxxp ://62.76.42.218/our/1.exe
    hxxp ://62.76.45.242/our/2.exe
    hxxp ://62.76.42.218/our/2.exe
    hxxp ://networksecurityx .hopto .org

The file 1.exe is 369kB large and is identified as W32/Trojan.RSKY-7175 or Trojan.Ransom.RV. The file 2.exe couldn’t be downloaded, the host gave us a 404 error. This executable will create a process ihre.exe on an infected system, modifies the Windows registry, changes the firewall policies, installs itself to run when booting the system and collects information to fingerprint the system, performs HTTP requests and starts servers listening on 0.0.0.0 on port 8989, 0.0.0.0 on port 2626 and 0.0.0.0 on port 0. At the time of writing, 2 of the 48 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink*** and Malwr permalink**** for more detailed information.
SHA256: 8b9ed72674c49abc1aa0ab1c94a8fa13a1b471c23e799c7cce173a67603cb407."
* https://www.virustot...sis/1385977408/

** https://malwr.com/an...WVhNzI0MGJiMzU/

*** https://www.virustot...sis/1385978531/

**** https://malwr.com/an...TNkZTJmY2JkODY/

- https://www.virustot...42/information/

- http://google.com/sa...site=hopto.org/
"... this site was listed for suspicious activity 695 time(s) over the past 90 days..."
___

Toolbar uses Your System to make BTC ...
- http://blog.malwareb...em-to-make-btc/
Nov 29, 2013 - "Potentially Unwanted Programs, or PUPs as we like to call them, are things like Toolbars, Search Agents, etc. Unnecessary junk for your desktop that usually involves monitoring your surfing/shopping habits and slowing down your system with their sub-par software that ends up hurting you much more than helping. A recent and unfortunate discovery by some of our users revealed that some of these programs do more than just cover your desktop in ads, they also steal your system's resources for mining purposes... we are taking a look at a PUP that installs a Bitcoin miner on the user's system, not just for a quick buck but actually written into the software’s EULA. This type of system hijacking is just another way for advertising based software to exploit a user into getting even more cash.
> http://cdn.blog.malw...st-1024x420.png
... we received a request for assistance from one of our users about a file that was taking up 50 percent of the system resources on their system. After trying to remove it by deleting it, he found that it kept coming back; the filename was “jh1d.exe”... We did some research and found out that the file in question was a Bitcoin Miner known as “jhProtominer”, a popular mining software that runs via the command line. However, it wasn’t the miner recreating its own file and executing but a parent process known as “monitor.exe”. Monitor.exe* was created by a company known as Mutual Public, which is also known as We Build Toolbars, LLC or WBT. We were able to find out the connection between WBT and Mutual Public thanks to an entry in the Sarasota Business Observer:
> http://cdn.blog.malw...1/WBT_is_MP.png
Another product belonging to Mutual Public is known as Your Free Proxy.
> http://cdn.blog.malw...urFreeProxy.png
Your Free Proxy uses the Mutual Public Installer (monitor.exe), obtaining it from an Amazon cloud server... We checked out this cloud server and found monitor.exe but also some additional interesting files, notably multiple types of “silent” installers and a folder called “coin-miner”... We at Malwarebytes are putting our foot down and detecting these threats as what they are, giving our users the option to remove them and never look back..."
* https://www.virustot...6353e/analysis/
File name: vti-rescan
Detection ratio: 1/48
Analysis date: 2013-11-29
 



Edited by AplusWebMaster, 02 December 2013 - 07:24 PM.

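The runs quoted in this post and the ones that follow all lean on a spoofed sender ("mail server update", "RoyalMail Notification", a From address that equals the To address in the mule-recruitment spam). The script below is an added example, not code from the forum, MX Lab or any of the blogs quoted here: it parses a raw message with Python's standard email library and flags the header patterns these posts describe, plus a risky attachment name. Both sample messages are constructed to mimic the quoted runs (the addresses use the reserved .invalid TLD; the base64 body is a placeholder, not a real payload), and the flag names and extension lists are my own assumptions.

```python
"""Header triage for spoofed-sender spam runs (added example, not from the original post)."""
import email
import email.policy
import re
from email.utils import parseaddr

# Constructed message mimicking the "planned outage" run; not a real capture.
SAMPLE_OUTAGE = b"""\
Return-Path: <bounce-2931@bulk-sender.invalid>
From: mail server update <postmaster@mailserver-update.invalid>
To: user@victimdomain.invalid
Subject: Important update. Please read
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Dear user!
This is a planned Outage for our MAIL Services.
--B1
Content-Type: application/zip; name="saved_mailbox_yoct_F479657BA8.zip"
Content-Disposition: attachment; filename="saved_mailbox_yoct_F479657BA8.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--B1--
"""

# Constructed message mimicking the money-mule job spam (From == To, reply goes elsewhere).
SAMPLE_MULE = b"""\
Return-Path: <arwildcbrender@victimdomain.invalid>
From: arwildcbrender@victimdomain.invalid
To: arwildcbrender@victimdomain.invalid
Reply-To: Gene@british-googleapps.com
Subject: Employment you've been searching!

Hello, We have an excellent opportunity...
"""

RISKY_EXT = re.compile(r"\.(zip|rar|7z|exe|scr|pif|com|bat|cmd|js|jar|vbs)$", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|txt|eml|jpg|png)\.(exe|scr|pif|com|bat|cmd|js|vbs)$", re.I)
DOMAINISH = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)   # dotted names inside a display name


def _domain(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage_headers(raw):
    """Return the parsed From/Subject, attachment names and a list of heuristic flags."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, to_addr = parseaddr(str(msg.get("To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = _domain(from_addr)
    flags = []
    # Envelope sender (Return-Path) on a different domain than the header From.
    if return_path and _domain(return_path) != from_domain:
        flags.append("return_path_domain_mismatch")
    # Replies are steered to a third domain (the mule-recruitment pattern).
    if reply_to and _domain(reply_to) != from_domain:
        flags.append("reply_to_domain_mismatch")
    # Sender and recipient identical: the message was injected, not sent by that user.
    if to_addr and to_addr.lower() == from_addr.lower():
        flags.append("from_equals_to")
    # Display name claims a domain (e.g. "WEB.DE") that the real address is not on.
    claimed = {d.lower() for d in DOMAINISH.findall(from_name)}
    if claimed and from_domain not in claimed:
        flags.append("display_name_domain_mismatch")
    attachments = []
    for part in msg.iter_attachments():
        fn = part.get_filename() or ""
        attachments.append(fn)
        if DOUBLE_EXT.search(fn):
            flags.append("double_extension:" + fn)
        elif RISKY_EXT.search(fn):
            flags.append("risky_attachment:" + fn)
    return {"from": from_addr, "subject": str(msg.get("Subject", "")),
            "attachments": attachments, "flags": flags}


if __name__ == "__main__":
    for sample in (SAMPLE_OUTAGE, SAMPLE_MULE):
        r = triage_headers(sample)
        print(r["subject"], "->", r["flags"] or "no flags")
```

Caveat a practitioner will already suspect: the Royal Mail run described later in this thread spoofed the SMTP envelope sender as well, so Return-Path and From agree and none of these header checks fire on it. Treat this as a cheap first pass to pair with SPF/DKIM/DMARC results from your gateway and with static inspection of the attachment itself.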


#1083 AplusWebMaster

Posted 03 December 2013 - 01:39 PM

FYI...

Fake AMEX SPAM
- http://threattrack.t...re-message-spam
Dec 3, 2013 - "Subjects Seen:
    Confidential - Secure Message from AMEX
Typical e-mail details:
    The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.
    Note: The attached file contains encrypted data.
    If you have any questions, please call us at 800-524-3645, option 1. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
    The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
    Thank you,
    American Express


Malicious File Name and MD5:
    SecureMail.zip (2986FFD9B827B34DCB108923FEA1D403)
    SecureMail.exe (7DC5BF7F5F3EAF118C7A6DE6AF921017)


Screenshot: https://gs1.wac.edge...XMJQ1r6pupn.png

Tagged: American Express, Upatre
___

Fake eFax SPAM
- http://blog.dynamoo....-efax-spam.html
3 Dec 2013 - "These fake eFax spams are getting a bit dull. As you might expect, this one comes with a malicious attachment.
    Date:      Tue, 3 Dec 2013 15:15:03 -0800 [18:15:03 EST]
    From:      eFax Corporate [message@ inbound .efax .com]
    Subject:      Fax transmission: -5219616961-5460126761-20130705352854-84905.zip
    Please find attached to this email a facsimile transmission we have just received on your behalf
    (Do not reply to this email as any reply will not be read by a real person)


Attached is a ZIP file which in this case is called -2322693863-6422657608-20130705409306-09249.zip (with a VirusTotal detection rate of 6/48*) which in turn contains a malicious executable fax-report.exe which has an icon that makes it look like a PDF file and has a VirusTotal detection rate of 4/48**.
> http://1.bp.blogspot.../fax-report.png
Automated analysis tools... show an attempted communication with tuhostingprofesional .net on 188.121.51.69 (GoDaddy, Netherlands) which contains about 8 legitimate domains which may or may not have been compromised."
* https://www.virustot...sis/1386113630/

** https://www.virustot...sis/1386113237/
___

Fake Fax/Voice SPAM - malicious attachment
- http://blog.mxlab.eu...ontains-trojan/
Dec 3, 2013 - "... new trojan distribution campaign by email with the subject “Faxnachricht von unknown an 03212-1298305”. This email is sent from the spoofed address “WEB.DE Fax und Voice” <fax-021213-voice@webde.de> and has the following very short body:
    Fax und Voice
The attached ZIP file has the name WEB.DE Fax und Voice.zip and contains the 120 kB large file WEB.DE Fax und Voice.exe. The trojan is known as TR/Dropper.VB.3500, Virus.Win32.Heur.p, Trojan.Packed.25042, Win32/TrojanDownloader.Wauchos.X, PE:Trojan.VBInject!1.64FE or Troj/Agent-AFAX. At the time of writing, 15 of the 48 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information."
SHA256: 8d2fe8b6c370c0568f93bb4eee838dc4514f2cc5578424b7376ed21e4ca9091b
* https://www.virustot...9091b/analysis/

** https://malwr.com/an...zI5OGUwZmEwZGQ/
___

Fake Mastercard SPAM - malicious attachment
- http://blog.mxlab.eu...rom-mastercard/
Dec 3, 2013 - "... trojan distribution campaign appears with more or less the same layout in the email that targets Mastercard holders with the subject “Important notification for a Mastercard holder”. MX Lab... intercepted these emails that are sent from the spoofed address “MasterCard” and have the following body:
    Important notification for a Mastercard holder!
    Your Bank debit card has been temporarily blocked
    We’ve detected unusual activity on your Bank debit card . Your UK Bank debit card has been temporarily blocked, please fill document in attachment and contact us
    About MasterCard Global Privacy Policy Copyright Terms of Use
    © 1994-2013 MasterCard


Screenshot: http://img.blog.mxla..._mastercard.gif

The attached ZIP file has the name MasterCard_D77559FFA7.zip and contains the 131 kB large file MasterCard_info_pdf_34857348957239509857928472389469812364912034237412893476812734.pdf.exe. The trojan is known as PasswordStealer.Fareit, Trojan-PWS/W32.Tepfer.131072.HS, PE:Malware.Obscure/Huer!1.9E03, Troj/Agent-AFAZ or Trojan.DownLoader9.22851. At the time of writing, 12 of the 48 AV engines did detect the trojan at Virus Total. Use the... Malwr permalink* for more detailed information."
* https://malwr.com/an...GQzOGQyNGM0OTU/
___

Threat Outbreak Alerts
- http://tools.cisco.c...Outbreak.x?i=77
Fake Fax and Voice Notification Email Messages - 2013 Dec 03
Fake Purchase Order Request Email Messages - 2013 Dec 03
Fake Payment Confirmation Notification Email Messages - 2013 Dec 03
Fake Shipping Order Information Email Messages - 2013 Dec 03
Fake Product Inquiry Email Messages - 2013 Dec 03
Fake Product Purchase Order Email Messages - 2013 Dec 03
Fake Meeting Invitation Email Messages - 2013 Dec 03
Fake Fax Message Delivery Email Messages - 2013 Dec 03
Fake Failed Delivery Notification Email Messages - 2013 Dec 03
Malicious Personal Pictures Attachment Email Messages - 2013 Dec 03
Fake Payment processing Notification Email Messages - 2013 Dec 03
Fake Unpaid Debt Invoice Email Messages - 2013 Dec 03
Email Messages with Malicious Attachments - 2013 Dec 03
Fake Product Order Quotation Email Messages - 2013 Dec 03
Fake Payroll Invoice Notification Email Messages - 2013 Dec 03
Email Messages with Malicious Attachments -  2013 Dec 03
Fake Financial Document Email Messages - 2013 Dec 03
(More detail and links at the cisco URL above.)
 



Edited by AplusWebMaster, 03 December 2013 - 06:17 PM.



#1084 AplusWebMaster

Posted 04 December 2013 - 05:42 AM

FYI...

Fake Amazon SPAM - malicious attachment
- http://blog.mxlab.eu...ontains-trojan/
Dec 4, 2013 - "... new trojan distribution campaign by email with the subject “order #852-9045074-5639529” or “order ID801-7322179-4122684”. This email is sent from the spoofed address “AMAZON.CO.UK” <SALES@ AMAZON .CO .UK> and has the following body:
    Good evening,
    Thank you for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
    Order Details
    Order ID266-3050394-3760006 Placed on December 2, 2013
    Order details and invoice in attached file.
    Need to make changes to your order? Visit our Help page for more information and video guides.
    We hope to see you again soon. Amazon.co.uk


The attached ZIP file has the name Order details.zip and contains the 86 kB large file Order details.exe. The trojan is known as Trojan-PWS.Fareit, Trojan.Inject.RRE, PE:Malware.FakeDOC@CV!1.9C3C or Mal/Generic-S. At the time of writing, 5 of the 46 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 0cb39edbc66388a3315b84e0aa9f95b9e58ce4aab3e3e188ba0537694956afbc."
* https://www.virustot...sis/1386150729/

** https://malwr.com/an...zYzNDlhY2ZhY2Q/

79.187.164.155 - PL
- https://www.virustot...55/information/

- http://blogs.apprive...or-the-Holidays
Dec 03, 2013 - "... floods of -fake- Amazon.com "Order Details" notifications are hitting our filters... They are out in full force."
Screenshot: http://blogs.apprive...resized-600.png
___

Fake Amazon.co.uk SPAM / Order details.zip
- http://blog.dynamoo....detailszip.html
4 Dec 2013 - "This -fake- Amazon spam comes with a malicious attachment:
    Date:      Wed, 4 Dec 2013 11:07:00 +0200 [04:07:00 EST]
    From:      "AMAZON.CO.UK" [SALES@  AMAZON .CO .UK]
    Subject:      order ID718-4116431-2424056
          Good evening,  Thanks for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.  
        Order Details
          Order ID757-7743075-1612424  Placed on December 1, 2013 Order details and invoice in attached file.
           Need to make changes to your order? Visit our Help page for more information and video guides.  
           We hope to see you again soon.   Amazon. co .uk


Attached is a ZIP file Order details.zip which in turn contains a malicious executable Order details.exe which has a VirusTotal detection rate of 15/49*. Automated analysis tools... are fairly inconclusive, but do show some apparent traffic to 79.187.164.155 (TP, Poland) plus the creation of a key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Start WingMan Profiler to run the malware at startup."
* https://www.virustot...sis/1386166395/
___

Fake Royal Mail SPAM - malicious attachment
- http://blog.mxlab.eu...tained-package/
Dec 4, 2013 - "... Today’s campaign is slightly different and carrying a new variant of the trojan. This email is sent from the spoofed address “RoyalMail Notification”, the SMTP from address on server level is now noreply@ royalmail .com, the subject has changed to “ATTN: Lost / Missing package” and has the following body:
    Mail – Lost / Missing package – UK Customs and Border Protection
    Royal Mail has detained your package for some reason (for example, lack of a proper invoice, bill of sale, or other documentation, a possible trademark violation, or if the package requires a formal entry) the RM International Mail Branch holding it will notify you of the reason for detention (in writing) and how you can get it released.
    Please fulfil the documents attached.


Screenshot: http://img.blog.mxla...2_royalmail.gif

The attached ZIP file has the name RoyalMail_ID_D6646FD113.zip and contains the 82 kB large file Royal-Mail_Report_03485734895374895637249865238746532649573245.pdf. The trojan is known as TR/Crypt.Xpack.32532, Trojan.DownLoader9.22851, Trojan.Win32.Inject (A), Trojan.Win32.Inject.gtgw, PWSZbot-FMU!4948180CFBA9, Trojan.Agent.ED or Troj/DwnLdr-LEX. This executable will create a process on an infected system, modifies the Windows registry, changes the firewall policies, installs itself to run when booting the system, it can steal information from local internet browsers, harvest credentials from FTP clients, collects information to fingerprint the system, performs HTTP requests and starts servers listening on 0.0.0.0 on port 6274, 0.0.0.0 on port 2865 and 0.0.0.0 on port 0 (note that the ports in use have changed in this new variant).
At the time of writing, 8 of the 47 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 36edcd915f489fcac41d9a8db210db74fb35ccb03c4b86575f0bfa55a8655d66.
UPDATE: The message now comes with subject “Warning: Lost/Missing package” and contains the file RoyalMail_Report_IDEEAA87302A.zip. Once extracted the file Royal_report_4935865497637856239875696597694892346545692354.pdf.exe is available. At the time of writing, 3 of the 49 AV engines did detect the trojan at Virus Total.
Use the Virus Total permalink*** or Malwr permalink**** for more detailed information.
SHA256: 1c264ebf37829848920221b067ef13ad90968b332c91cc04a5f58cb9a0dcc4db."
* https://www.virustot...sis/1386160116/

** https://malwr.com/an...jRhYzYyN2FkYWY/

*** https://www.virustot...sis/1386167663/

**** https://malwr.com/an...jkzYzg3N2I4OWE/
___

Fake Dept of Treasury SPAM / FMS-Case.exe
- http://blog.dynamoo....-notice-of.html
4 Dec 2013 - "This spam says Salesforce.com at the top but the rest is allegedly from some US Government department or other (pay attention people!). Anyway, it has a malicious attachment.
    Date:      Wed, 4 Dec 2013 08:24:02 -0500 [08:24:02 EST]
    From:      "support@salesforce.com" [support@ salesforce .com]
    Subject:  Department of Treasury Notice of Outstanding Obligation - Case CWK8SSU4K6CN852
    Important  please review and sign the attached document!
    We have received notification from the Department of the Treasury,
    Financial Management Service (FMS) that you have an outstanding
    obligation with the Federal Government that requires your immediate
    attention.
    In order to ensure this condition does not affect any planned
    contract or grant activity, please review and sign the attached document and if
    you are unable to understand the attached document please call FMS at 1-800-304-3107
    to address this issue.  Please make sure the person making the telephone call has the
    Taxpayer Identification Number available AND has the authority/knowledge
    to discuss the debt for the contractor/grantee.
    Questions should be directed to the Federal Service Desk ...


Attached is a file FMS-Case-CWK8SSU4K6CN852.zip which in turn contains a malicious executable FMS-Case.exe which has a VirusTotal detection rate of 7/49*. Automated analysis tools... show an attempted connection to worldofchamps .com on 198.1.78.171 (Websitewelcome, US) and a download from [donotclick]deshapran .com/img/deshp.exe on 182.18.143.140 (Pioneer eLabs, India). This second part has a VirusTotal detection rate of 6/47**, although automated analysis tools are inconclusive***. I recommend blocking -both- those domains."
* https://www.virustot...sis/1386170174/

** https://www.virustot...sis/1386170947/

*** https://malwr.com/an...TE0MTlmMDU0NTY/
___

Job SCAMS - "british-googleapps .com" (and other googleapps .com domains)
- http://blog.dynamoo....-and-other.html
4 Dec 2013 - "This following spam email is attempting to recruit money mules:
    From:     arwildcbrender@ victimdomain .com
    to:     arwildcbrender@ victimdomain .com
    date:     4 December 2013 07:49
    subject:     Employment you've been searching!
    Hello, We have an excellent opportunity for an apprentice applicant to join a rapidly expanding company.
    An at home Key Account Manager Position is a great opportunity for stay at home parents
    or anyone who wants to work in the comfort of their own home.
    This is a part time job / flexible hrs for European citizens only,This is in view of our not having a branch office presently in Europe,
    also becouse of paypal and ebay policies wich is prohibit to work directly with residents of some countries.
    Requirements: computer with Internet access, valid email address, good typing skills.
    If you fit the above description and meet the requirements, please apply to this ad stating your location.
    You will be processing orders from your computer. How much you earn is up to you.
    The average is in the region of 750-1000 GBP per week, depending on whether you work full or part time.
    Region: United Kingdom only.
    If you would like more information, please contact us stating where you are located and our job reference number - 42701-759/3HR.
    Please only SERIOUS applicants.
    If you are interested, please reply to: Gene@british-googleapps .com


Sample subjects include:
Employment you've been searching!
Career opportunity inside
Job ad - see details! Sent through Search engine...

british-googleapps .com is registered with completely fake details and uses a mail server on 50.194.47.186 (Comcast Business, US) to process mail. There are several other similar domain names being used for the same scam... In addition to those, all these following IPs and domains are in use by the scammers either now or recently. All the domains are registered through scam-friendly Chinese registrar BIZCN to fictitious registrants.
50.194.47.186 - US
175.67.90.27 - CN
95.94.135.113 - PT
220.67.126.175 - KR ..."
(Many URLs listed at the dynamoo URL above.)
 



Edited by AplusWebMaster, 04 December 2013 - 10:33 AM.

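Every attachment in posts #1082 through #1084 is the same trick in a different wrapper: a ZIP whose only member is a Windows executable named to look like something else (a .eml in the 'planned outage' run, SecureMail.exe and fax-report.exe with a PDF icon, MasterCard_info_pdf_<digits>.pdf.exe, Order details.exe), with single-digit AV detection on the day. The script below is an added example, not code from the forum, MX Lab, ThreatTrack or dynamoo: it opens a ZIP in memory, reads each member without executing it, sniffs the real file type from its first bytes, and scores the filename tricks these posts describe. The SHA256 values in the lookup table are the ones quoted in the posts above; the sample archive is constructed (its members carry an MZ header but are not real malware, so their hashes will not match the table), and the extension lists and the 'long digit run' heuristic are my own assumptions drawn from the names in the posts.

```python
"""Static triage of a ZIP attachment (added example, not code from the original posts)."""
import hashlib
import io
import re
import zipfile

# SHA256 values quoted in the MX Lab posts above; a real deployment would load a feed.
KNOWN_BAD_SHA256 = {
    "8ff5f6c1e5b368c2e9de2a0d98364f9cae6560ba54874f55779b78a0f487745c": "planned outage run, 2 Dec 2013",
    "0cb39edbc66388a3315b84e0aa9f95b9e58ce4aab3e3e188ba0537694956afbc": "Amazon Order details.exe, 4 Dec 2013",
    "36edcd915f489fcac41d9a8db210db74fb35ccb03c4b86575f0bfa55a8655d66": "Royal Mail run, 4 Dec 2013",
    "1c264ebf37829848920221b067ef13ad90968b332c91cc04a5f58cb9a0dcc4db": "Royal Mail run (update), 4 Dec 2013",
}
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd|js|jar|vbs)$", re.I)
DECOY_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|txt|eml|jpg|png)\.(exe|scr|pif|com|bat|cmd|js|vbs)$", re.I)
LONG_DIGITS = re.compile(r"\d{20,}")                 # assumption: decoy names padded with digits
MAGIC = [(b"MZ", "pe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip")]


def sniff(data):
    """Identify the real type from leading bytes, ignoring the filename entirely."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def is_known_bad(digest):
    return KNOWN_BAD_SHA256.get(digest.lower())


def triage_zip(blob):
    """Return one finding per member: name, size, sniffed type, sha256 and block reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)            # static read only; nothing is executed
            digest = hashlib.sha256(data).hexdigest()
            kind = sniff(data)
            name = info.filename
            reasons = []
            if DECOY_EXT.search(name):
                reasons.append("double extension")
            elif EXEC_EXT.search(name):
                reasons.append("executable extension")
            if kind == "pe" and not EXEC_EXT.search(name):
                reasons.append("PE header under non-executable name")
            if LONG_DIGITS.search(name):
                reasons.append("long digit run in name")
            known = is_known_bad(digest)
            if known:
                reasons.append("known hash: " + known)
            findings.append({"name": name, "size": info.file_size, "type": kind,
                             "sha256": digest, "reasons": reasons})
    return findings


def verdict(findings):
    return "block" if any(f["reasons"] for f in findings) else "allow"


def build_sample_zip():
    """Constructed archive mimicking the quoted runs; the MZ members are stubs, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("MasterCard_info_pdf_34857348957239509857928472389469812364912034237412893476812734.pdf.exe",
                    b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64)
        zf.writestr("saved_mail_user_id_8349653__random_numbers__6587234.eml", b"MZ" + b"\x00" * 126)
        zf.writestr("invoice.pdf", b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n")   # benign control
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f["name"][:40], f["type"], f["size"], f["reasons"])
```

The point of sniffing the MZ header is that the 'planned outage' payload would pass a filter keyed on extension alone: it was shipped as a .eml. Hash matching is the weakest of the checks here, since every post above shows a fresh build per day with a different SHA256; the structural checks are what carry over between runs.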


#1085 AplusWebMaster

Posted 05 December 2013 - 06:33 AM

FYI...

Bogus Firefox and Media Player downloads - 89.248.164.219 and 217.23.2.233
- http://blog.dynamoo....164219-and.html
5 Dec 2013 - "The IPs 89.248.164.219 (Ecatel, Netherlands) and 217.23.2.233 (Worldstream, Netherlands) appear to be hosting some sort of -bogus- Firefox* and Media Player** downloads. (You can see the VirusTotal reports here*** and here****). All the domains in use appear at first glance to be genuine but are basically some sort of typosquatting. A full list of all the subdomains I can find are at the end of the blog, but in the meantime I recommend using the following blocklist:
89.248.164.219
217.23.2.233
..."
(Long list of URLs at the dynamoo URL above.)
* http://urlquery.net/....php?id=8165658

** http://urlquery.net/....php?id=8165615

*** https://www.virustot...19/information/

**** https://www.virustot...33/information/

Bogus Browser Update ...
- http://www.webroot.c...rowser-updates/
Dec 5, 2013 - "... a currently active malicious campaign, relying on redirectors placed at compromised/hacked legitimate Web sites, for the purpose of hijacking the legitimate traffic and directly exposing it to multi mobile OS based malicious/fraudulent content. In this particular case, a -bogus-  “Browser Update“, which in reality is a premium rate SMS malware.
Sample screenshot of the landing page upon automatic redirection:
> https://www.webroot....wser_Update.png
Landing page upon redirection: hxxp ://mobleq .com/e/4366
Domain name reconnaissance: mobleq .com – 91.202.63.75 ...
Detection rates for the multi mobile platform variants:
MD5: a4b7be4c2ad757a5a41e6172b450b617 –  * HEUR:Trojan-SMS.AndroidOS.Stealer.a
MD5: 1a2b4d6280bae654ee6b9c8cfe1204ab – ** Java.SMSSend.780; TROJ_GEN.F47V1117
MD5: 2ff587ffb2913aee16ec5cae7792e2a7 – *** ..."
* https://www.virustot...19fce/analysis/

** https://www.virustot...sis/1386176451/

*** https://www.virustot...sis/1386176560/

- https://www.virustot...75/information/
___

Something evil on 192.95.1.190
- http://blog.dynamoo....-192951190.html
5 Dec 2013 - "It looks like there is some sort of exploit kit on 192.95.1.190 (OVH, Canada) [example*] spreading through injection attacks although at the moment I can't reproduce the issue. In any case, I would recommend -blocking- that IP... Some of the subdomains in use are listed here**..."
(More dot biz URLs listed at the dynamoo URL above.)
* https://www.virustot...a79f3/analysis/

** http://pastebin.com/JREzW6vm

- https://www.virustot...90/information/
 



Edited by AplusWebMaster, 05 December 2013 - 11:58 AM.



#1086 AplusWebMaster

Posted 09 December 2013 - 11:11 AM

FYI...

Malware sites to block 9/12/2013
- http://blog.dynamoo....ck-9122013.html
9 Dec 2013 - "These malicious sites and IPs are related to this attack (thanks to the folks at ThreatTrack Security for the tip). Although a lot of the sites are not currently resolving, those that are up are hosted on 37.59.254.224 and 37.59.232.208 which are a pair of OVH IPs suballocated to:
organisation:   ORG-RL152-RIPE
org-name:       R5X .org ltd
org-type:       OTHER
address:        Krasnoselskaja 15-219
address:        346579 Moscow
address:        RU
abuse-mailbox:  abuse@ r5x .org
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
source:         RIPE # Filtered

R5X .org IPs have featured a couple of times before here [1] [2] so I would suggest -blocking- any that you find. I'll do some research on those soon, but in the meantime I would recommend blocking the following IPs and domains. Domains that are already flagged by Google are highlighted.
37.59.232.208/28
37.59.254.224/28
..."
(Many URLs listed at the dynamoo URL above.)
1] http://blog.dynamoo....ng-evil-on.html

2] http://blog.dynamoo....6319512826.html

- http://google.com/sa...c?site=AS:16276
"... over the past 90 days, 4217 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-09, and the last time suspicious content was found was on 2013-12-09..."
___

Fake Billing Invoice malware spam
- http://blog.dynamoo....ng-invoice.html
9 Dec 2013 - "This fairly terse spam email comes with a malicious attachment:
    Date:      Mon, 9 Dec 2013 20:32:19 +0800 [07:32:19 EST]
    From:      Accounts Payable TNT [accounts.payable@ tnt .co .uk]
    Subject:      TNT UK Limited Self Billing Invoice 5321378841
    Download the attachment. Invoice will be automatically shown by double click.


Attached is an archive file called TNT UK Self Billing Invoice.zip (VirusTotal detection rate 6/49*) which in turn contains a malicious executable TNT UK Self Billing Invoice.exe (detection rate 6/47**) which has an icon that makes it look like a PDF file.
> https://lh3.ggpht.co...E/s1600/tnt.png
Automated analysis tools... show an attempted connection to 2dlife .com on 5.9.182.220 (JoneSolutions.Com, Philippines). I can see only two domains on this server, the other one being 2dlife .fr so I would assume that both are compromised and blocking access to this IP address is the way to go."
* https://www.virustot...sis/1386602037/

** https://www.virustot...sis/1386602000/

- https://www.virustot...20/information/
___

Multi-hop iframe campaign - client-side exploit malware
- http://www.webroot.c...loits-part-two/
Dec 9, 2013 - "... The campaign is not only still proliferating, but the adversaries behind it have also (logically) switched the actual hosting infrastructure... currently active malicious iframe campaign that continues to serve a cocktail of (patched*) client-side exploits to users visiting legitimate Web sites... Domain names reconnaissance:
hxxp ://www3.judtn3qyy1yv-4.4pu .com – 188.116.34.246
hxxp ://www1.gtyg4h3.4pu .com – 188.116.34.246
find-and-go .com – 78.47.4.17
... malicious scripts, dropped malicious files..."
(More detail at the webroot URL above.)
* http://www.zdnet.com...s-debunked/7026

- https://www.virustot...46/information/
 



Edited by AplusWebMaster, 09 December 2013 - 05:45 PM.



#1087 AplusWebMaster

Posted 10 December 2013 - 09:57 AM

FYI...

Evil network: R5X .org / OVH
- http://blog.dynamoo....r5xorg-ovh.html
10 Dec 2013 - "Russian web host R5X .org has featured on this blog a few times before, but I took the opportunity to look at it a little more closely... Out of 300 domains that I found hosted now or recently in R5X .org's space (rented from OVH), 177 (59%) are flagged as malicious by Google, and 230 (77%) are flagged as spam or malware by SURBL. MyWOT ratings indicate that there are no legitimate sites in the IP address ranges I checked. R5X .org doesn't have a network of its own but it rents IPs from OVH. I have identified several small netblocks which I strongly recommend that you -block-  although there may be others.
37.59.232.208/28
37.59.254.224/28
46.105.166.68/30
46.105.166.96/30
178.33.208.208/30
192.95.7.8/30
192.95.41.88/29
192.95.46.132/30
198.27.103.204/30
198.27.96.132/30 ...
A list of all the domains I can find, current IP addresses, MyWOT rating, the Google prognosis  and SURBL codes can be found here* [csv] else I recommend using the following blocklist:
37.59.232.208/28
37.59.254.224/28
46.105.166.68/30
46.105.166.96/30
178.33.208.208/30
192.95.7.8/30
192.95.41.88/29
192.95.46.132/30
198.27.103.204/30
198.27.96.132/30
..."
(More detail at the dynamoo URL above.)
* http://www.dynamoo.c...les/r5x-org.csv
___

"EUROPOL" scareware / something evil on 193.169.87.247
- http://blog.dynamoo....ng-evil-on.html
10 Dec 2013 - "193.169.87.247 ("PE Ivanov Vitaliy Sergeevich", Ukraine) is currently serving up scareware claiming that the victim's PC is -locked- using the following domains:
a1751 .com
b4326 .com
d2178 .com
f1207 .com
h5841 .com
k6369 .com
The -scareware- is multilingual and detects the country that the visitor is calling from. In this case I visited from the UK and got the following:
> http://3.bp.blogspot...600/europol.png
... The text varies depending on the country the visitor is in... The bad guys use subdomains to obfuscate the domain somewhat, so instead of just getting f1207 .com (for example), you get europol.europe .eu.id176630100-8047697129.f1207 .com instead which looks a little more official. You can see some more examples here*... 193.169.87.247 forms part of 193.169.86.0/23 AS48031 which has a so-so reputation according to Google, it does look like there are a lot of legitimate sites in the neighbourhood as well as these malicious ones.
Recommended blocklist:
193.169.87.247
a1751 .com
b4326 .com
d2178 .com
f1207 .com
h5841 .com
k6369 .com

Update: a similar attack has also taken place on 193.169.86.250 on the same netblock."
* https://www.virustot...47/information/

- https://www.virustot...50/information/

- http://google.com/sa...c?site=AS:48031
"... over the past 90 days, 206 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-09, and the last time suspicious content was found was on 2013-12-09..."
___

Fake Amazon .co.uk order SPAM / AM-ORDER-65HNA1972.exe
- http://blog.dynamoo....m-am-order.html
10 Dec 2013 - "This -fake- Amazon spam has a malicious attachment:
    Date:      Tue, 10 Dec 2013 11:19:03 +0200 [04:19:03 EST]
    From:      blackjacksxjt@ yahoo .com
    Subject:      order #822-8266277-7103199
    Good evening,
    Thank you for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
    Order Details
    Order #481-0295978-7625805 Placed on December 8, 2013
    Order details and invoice in attached file.
    Need to make changes to your order? Visit our Help page for more information and video guides.
    We hope to see you again soon. Amazon .co .uk


Screenshot: http://techhelplist....s-10dec2013.png

Attached is an archive file AM-ORDER-65HNA1972.zip (VirusTotal detections 9/47*) which in turn contains a malicious executable AM-ORDER-65HNA1972.exe (VirusTotal detections 9/49**) which has an icon to make it look like some sort of document.
> https://lh3.ggpht.co...mazon-order.png
Automated analysis tools seem to be timing out... indicating perhaps that it has been hardened against sandbox analysis."
* https://www.virustot...sis/1386690407/

** https://www.virustot...sis/1386690064/
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 10 December 2013 - 03:58 PM.



#1088 AplusWebMaster


Posted 11 December 2013 - 07:41 AM

FYI...

Fake WhatsApp SPAM / IMG003299.zip
- http://blog.dynamoo....u-pic-spam.html
11 Dec 2013 - "This -fake- WhatsApp message has a malicious attachment.
    Date:      Wed, 11 Dec 2013 18:29:19 +0700 [06:29:19 EST]
    Subject:      Your friend has just sent you a pic
    Hi!
    Your friend has just sent you a photograph in WhatsApp. Open attachments to see what it is.


Screenshot: https://lh3.ggpht.co...00/whatsapp.png

Attached to the email is an archive IMG003299.zip (VirusTotal detections 7/43*) which in turn contains a malicious executable IMG003299.exe (VirusTotal detections 9/49**). Automated analysis tools... don't reveal very much about the malware in question however."
* https://www.virustot...sis/1386767572/

** https://www.virustot...sis/1386767585/
___

Fake Wells Fargo SPAM / WF_Docs_121113.exe
- http://blog.dynamoo....s121113exe.html
11 Dec 2013 - "This fake Wells Fargo spam has a malicious attachment:
    Date:      Wed, 11 Dec 2013 17:03:26 +0100 [11:03:26 EST]
    From:      Kerry Pettit [Kerry.Pettit@ wellsfargo .com]
    Subject:      FW: Important docs
    We have received this documents from your bank, please review attached documents.
    Kerry Pettit
    Wells Fargo Accounting
    817-295-1849 office
    817-884-0882 cell Kerry.Pettit@ wellsfargo .com
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE ...


Attached to the email is a ZIP file starting with WF_Docs_ and ending with the first part of the recipient's email address, inside that is a ZIP file with the date encoded into the filename WF_Docs_121113.exe. VirusTotal detections for the ZIP are 6/49* and are 6/47** for the EXE.
Automated analysis... shows an attempted connection to hortonnovak .com on 194.28.87.121 (Hostpro, Ukraine). There is only one site that I can see on this IP, so I would recommend blocking one or the other or -both- of them."
* https://www.virustot...sis/1386779806/

** https://www.virustot...sis/1386779808/

- https://www.virustot...21/information/
___

Facebook Phishing and Malware via Tumblr redirects
- https://isc.sans.edu...Redirects/17207
Last Updated: 2013-12-11 13:43:23 UTC - "... The initial bait is a message that you may receive from one of your Facebook friends, whose account was compromised. The message claims to contain a link to images that show a crime that was committed against the friend or a close relative of the friend. The image below shows an example, but the exact message varies. The images then claim to be housed on Tumblr.
> https://isc.sans.edu... 9_37_46 PM.png
 The Tumblr links follow a pattern, but appear to be different for each recipient. The host name is always two or three random English words, and the URL includes a few random characters as an argument. The preview of the Tumblr page lists some random words and various simple icons. Once the user clicks on the link to the Tumblr page, they are immediately redirected to a very plausible Facebook phishing page, asking the user to log in. The links I have seen so far use the "noxxos .pw" domain, which uses a wildcard record to resolve to 198.50.202.224 ...  The fake Facebook page will ask the user for a username and password as well as for a "secret question". Finally, the site attempts to run a java applet (likely an exploit, but haven't analyzed it yet), and the user is sent to a Youtube look-alike page asking the user to download and install an updated "Youtube Player". The player appears to be a generic downloader with mediocre AV detection.
https://www.virustot...sis/1386730327/
(was 3/42 when I first saw it. Now 10/42 improved). As an indicator of compromise, it is probably best right now to look for DNS queries for "noxxos .pw" as well as connections to 198.50.202.224 ..."

- https://www.virustot...24/information/
___

NatWest Banking Phish
- http://threattrack.t...t-banking-phish
Dec 11, 2013 - "Subjects Seen:
    Account Alert !
Typical e-mail details:
    Dear <removed>
    Your password was entered incorrectly more than 5 times.
    Because of that , our security team had to suspend your accounts and all the funds inside.
    Your account access and the hold on your funds will be released as soon as you verify your information.
    Review Your Account Activity
    We are sorry for this inconvenience but this is a security measure which we must apply to ensure your account safety.
    If you have already confirmed your information then please disregard this message
    Thanks for choosing NatWest UK
    NatWest Security Team


Malicious URLs: didooc .co .uk/images/stories/android/index.php
149.255.62.19 - https://www.virustot...19/information/

Screenshot: https://31.media.tum...zkSB1r6pupn.png
 

:ph34r: <_<


Edited by AplusWebMaster, 11 December 2013 - 09:58 PM.

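An added example, not part of the quoted dynamoo or ISC write-ups, that turns the indicators from posts #1087 and #1088 into a check over log lines: the R5X .org netblocks, the "EUROPOL" scareware host and domains, the wildcard noxxos .pw domain with its IP, and hortonnovak .com with its IP. The sample log lines and their single-line format are constructed for illustration (adapt the two regexes to your resolver and proxy logs). The point it makes: the decoy prefix on europol.europe .eu.id176630100-8047697129.f1207 .com and the random wildcard labels under noxxos .pw are irrelevant once you match on the registered domain from the right, and netblock hits need CIDR arithmetic rather than string prefixes (37.59.232.213 is inside 37.59.232.208/28, 37.59.232.207 is not).

```python
import ipaddress
import re

# Indicators quoted in the dynamoo and ISC write-ups above; the defanging spaces
# are removed so the values can be matched. Nothing here is invented.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "37.59.232.208/28", "37.59.254.224/28", "46.105.166.68/30", "46.105.166.96/30",
    "178.33.208.208/30", "192.95.7.8/30", "192.95.41.88/29", "192.95.46.132/30",
    "198.27.103.204/30", "198.27.96.132/30",
    "193.169.87.247/32", "198.50.202.224/32", "194.28.87.121/32",
)]
BLOCKED_DOMAINS = {
    "a1751.com", "b4326.com", "d2178.com", "f1207.com", "h5841.com", "k6369.com",
    "noxxos.pw", "hortonnovak.com",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def domain_matches(hostname, blocked=BLOCKED_DOMAINS):
    """Return the blocked domain that hostname equals or sits underneath, else None.

    Candidates are built from the right-hand labels, so a decoy prefix such as
    europol.europe.eu.id176630100-8047697129.f1207.com still resolves to f1207.com
    and any wildcard name under noxxos.pw matches noxxos.pw. A substring test would
    not do: noxxos.pw.example.com must NOT match."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # at least two labels per candidate
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def ip_matches(ip_text, nets=BLOCKED_NETS):
    """Return the blocked network (as a string) that contains ip_text, else None."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in nets:
        if addr in net:
            return str(net)
    return None


def scan_line(line):
    """Return (kind, observed, matched) for every indicator found in one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        matched = domain_matches(host)
        if matched:
            hits.append(("domain", host, matched))
    for ip in IPV4_RE.findall(line):
        matched = ip_matches(ip)
        if matched:
            hits.append(("ip", ip, matched))
    return hits


def scan_log(lines):
    """Return (line_number, line, hit) for every hit across a sequence of log lines."""
    return [(n, line, hit) for n, line in enumerate(lines, 1) for hit in scan_line(line)]


# Constructed sample: resolver and proxy lines in an assumed single-line format.
SAMPLE_LOG = [
    "11-Dec-2013 14:02:11 client 10.0.0.5#51234: query: vfsb.noxxos.pw IN A",
    "11-Dec-2013 14:02:12 client 10.0.0.5#51234: query: www.example.com IN A",
    "11-Dec-2013 14:02:13 proxy 10.0.0.5 -> 198.50.202.224:80 GET /play",
    "11-Dec-2013 14:05:44 client 10.0.0.9#40021: query: "
    "europol.europe.eu.id176630100-8047697129.f1207.com IN A",
    "11-Dec-2013 14:06:01 proxy 10.0.0.7 -> 37.59.232.213:80 GET /",
    "11-Dec-2013 14:06:02 proxy 10.0.0.7 -> 37.59.232.207:443 CONNECT",  # one below the /28
]

if __name__ == "__main__":
    for lineno, line, (kind, seen, matched) in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {seen} -> blocked by {matched}")
```

Only lines 1, 3, 4 and 5 of the sample produce hits; the last line is the boundary case that a naive "starts with 37.59.232.2" rule would get wrong in both directions.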


#1089 AplusWebMaster


Posted 12 December 2013 - 09:19 AM

FYI...

Top 5 Most Dangerous Email Subjects ...
- http://community.web...-countries.aspx
11 Dec 2013 - "...  the top five subject lines in worldwide phishing emails are the following: (Based on research conducted 1/1/13-9/30/13)
1. Invitation to connect on LinkedIn
2. Mail delivery failed: returning message to sender
3. Dear <insert bank name here> Customer
4. Comunicazione importante
5. Undelivered Mail Returned to Sender

The list above portrays how cybercriminals are attempting to fool recipients into clicking a malicious link or downloading an infected file by using business-focused and legitimate-looking subject lines. Scammers will use any means necessary to increase the likelihood of an inspire-to-click campaign...
> http://community.web..._2D00_550x0.jpg
___

Fake tech support scams/SPAMs on YouTube
- http://blog.malwareb...-like-warnings/
Dec 12, 2013 - "... In a twisted new variant, crooks are calling out to all antivirus / anti-malware customers and urging them to fix their computers now. One such account was spamming -YouTube- with hundreds of videos, all using a computer-generated voice and personalized for each AV/Anti-Malware company:
> http://cdn.blog.malw.../12/vendors.png
... The company behind this scam is “My Tech Gurus” (http ://www.mytechgurus .com):
> http://cdn.blog.malw.../12/website.png
Once on the phone, I am quickly directed to a remote technician and instructed to hang up the call to pursue the support session directly through the chat window on my computer:
> http://cdn.blog.malw...hatsession1.png
... If the ‘technician’ were honest, she would tell me there is absolutely nothing wrong with this computer... Instead she wastes no time in making up fake errors... here is the ‘technical’ explanation:
> http://cdn.blog.malw.../thedetails.png
Of course, fixing those ‘errors’ is not going to be free:
> http://cdn.blog.malw...2013/12/pay.png
... most of their website’s traffic comes from… India:
> http://cdn.blog.malw...13/12/india.png
...  we encourage everyone to report each incident. We have created a guide* for victims that describes the variations of scams and what to do in each case. It may seem like a never-ending battle, but at the end of the day, if we’ve managed to save even just one person, then we can feel confident we’re doing the right thing..."
* http://blog.malwareb...-support-scams/
___

Fake FedEx SPAM - Malware Emails
- http://www.hoax-slay...are-email.shtml
Dec 12, 2013 - "Email purporting to be from delivery company FedEx claims that a package delivery could not be completed because important information was missing. Recipients are instructed to click a link to verify their identity or risk having the package returned to sender...  invites users to download "verification manager" software. If downloaded and run, the bogus "verification manager" will install malware on the user's computer:
From: FedEx UK
Subject: Package for you
SHIPPING CONFIRMATION
Dear [email address removed]
We have a package for you!
Unfortunately some important information is missing to complete the delivery.
Please follow the link to verify your identity:
verify your identity now!
You have 24 hours to compleate the verification! Otherwise the package will be returned to sender!
Order confirmation number: 56749951703
Order date: 03/12/2013
Thank you for choosing FedEx...

> http://www.hoax-slay...y-malware-1.jpg
... Those who fall for the ruse and click the link will be taken to a -bogus- website tricked up to resemble a genuine FedEx webpage. Once on the page, they will be instructed to download and install a piece of software called the "FedEx Verification Manager", as shown in the following screenshot:
> http://www.hoax-slay...y-malware-2.jpg
... following the instructions will not install a verification manager as claimed. Instead, it will install a trojan on the victim's computer..."
___

Spam Campaign delivers Liftoh Downloader
- http://www.securewor...toh-downloader/
12/12/13 - "... researchers analyzed an ongoing spam campaign that uses the "UPS delivery notification tracking number" lure to infect unsuspecting users. While UPS-related spam emails are common, this particular campaign has been observed since October 2013 and uses exploit-laden documents to deliver its payload. The initial delivered payload is the Liftoh downloader trojan, which in turn downloads additional malware as a secondary payload onto the victim's system... the spam email containing a link to a malicious "Rich Text Format" (RTF) file. The malicious RTF is attached to the email, disguised as a .doc file.
> http://www.securewor...ts.liftoh.1.png
... The spoofed sender is <auto-notify @ ups . com> or <auto @ ups . com>, but the headers reveal some of the actual senders (see Table 1). Some of the hosts listed in Table 1 may have appeared in DNS blacklisting lists such as SpamhausDBL, PSBL, SURBL, and SORBS, and some hosts are offline as of this publication. These hosts might have been compromised and used for SMTP relays, or could be part of a “use-and-throw” attacker-owned spam infrastructure... researchers observed the following domains in spam recipient email addresses:
    gicom . nl
    mvdloo . nl
    cneweb . de
    yahoo . fr
    helimail . de
    online . fr
    tq3 . co. uk
    excel . co. jp
    smegroup . co . uk
    fujielectric . co . jp
    st-pauls . hereford . sch . uk
The RTF file contains exploits for patched vulnerabilities CVE-2012-0158 (MSCOMCTL.OCX RCE vulnerability) and CVE-2010-3333 (RTF stack buffer overflow vulnerability). Opening the RTF file drops and launches an empty document file in the user's %TEMP% folder with filename "cv.doc". Successful execution of the exploit code drops the Liftoh downloader malware onto the victim's system. This malware was observed spreading via Skype and other instant messenger applications in May 2013. Liftoh also downloaded the Phopifas worm as a secondary payload... event monitoring shows organizations in the following market verticals have been affected by Liftoh:
    Banking
    Manufacturing
    Healthcare
    Legal
    Credit unions
    Retail
    Technology providers
... It is very likely that the threat actors will switch to other delivery mechanisms in the future that use social engineering techniques to maximize infection yields. It is also likely that the threat actors may leverage the Liftoh downloader to deliver a variety of other malware as secondary payloads..."
(More detail at the secureworks URL above.)
___

64-bit ZeuS - enhanced with Tor - banking malware
- https://www.secureli...hanced_with_Tor
Dec 11, 2013 - "The more people switch to 64-bit platforms, the more 64-bit malware appears. We have been following this process for several years now. The more people work on 64-bit platforms, the more 64-bit applications that are developed as well. Sometimes these include some very specific applications, for example, banking applications... If someone wants to hack into an application like this and steal information, the best tool for that would also be a 64-bit agent. And what’s the most notorious banking malware? ZeuS, of course – the trendsetter for the majority of today’s banking malware... we spotted a 32-bit ZeuS sample maintaining a 64-bit version inside... Whatever the intentions were of the malware author that created this piece of ZeuS – be it a marketing ploy or the groundwork for some future needs – a pure 64-bit ZeuS does finally exist, and we can conclude that a new milestone in the evolution of ZeuS has been reached. Moreover, this sample has revealed that another distinct feature has been added to ZeuS functionality - ZeuS malware has the ability to work on its own via the Tor network with onion CnC domains, meaning it now joins an exclusive group of malware families with this capability."
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 12 December 2013 - 05:37 PM.

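An added example of my own, not from the SecureWorks post, for the triage step their write-up implies: the lure is an RTF attached under a .doc name that carries an embedded OLE object. The sample RTF below is constructed and harmless (the objdata bytes are an assumed stub layout, not an exploit), and the checks are generic: they flag an RTF masquerading as a Word document with object data inside, they do not detect CVE-2012-0158 or CVE-2010-3333 themselves. For real samples, with \bin data and the usual obfuscations, use oletools' rtfobj; this is the minimal version to show what it is looking for.

```python
import hashlib
import re

# Control words that mark an embedded or linked OLE object in RTF.
OBJ_WORDS = (b"\\objdata", b"\\objemb", b"\\objautlink", b"\\objupdate", b"\\objclass")
OLE1_EMBEDDED = b"\x01\x05\x00\x00\x02\x00\x00\x00"   # OLE 1.0 header, FormatID 2 = embedded

# Constructed sample: an RTF document named as a Word .doc and carrying one OLE object.
# The objdata bytes are a harmless stub (assumed layout), not an exploit of any kind.
SAMPLE_FILENAME = "cv.doc"
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}"
    rb"{\object\objemb\objw100\objh100{\*\objclass Word.Document.8}"
    rb"{\*\objdata 0105000002000000 0b000000 576f72642e446f63756d656e742e3800 "
    rb"00000000 00000000 10000000 d0cf11e0a1b11ae1000000000000000000000000}}"
    rb"\par Please find attached my CV.\par}"
)

CONTROL_RE = re.compile(rb"\\[a-zA-Z]+-?\d*|\\.", re.DOTALL)


def extract_objdata_blobs(rtf):
    r"""Decode every {\*\objdata ...} group in rtf and return the raw object bytes.

    Brace depth is tracked so a nested group inside the data does not end it early,
    and anything that is not a hex digit (whitespace, stray control words) is dropped.
    The \bin binary form and heavier obfuscations are not handled here."""
    blobs, pos = [], 0
    while True:
        start = rtf.find(b"\\objdata", pos)
        if start == -1:
            break
        i, depth, hexchars = start + len(b"\\objdata"), 0, bytearray()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break
                depth -= 1
            elif c == b"\\":
                m = CONTROL_RE.match(rtf, i)        # skip a control word or symbol
                i = m.end() if m else i + 1
                continue
            elif c in b"0123456789abcdefABCDEF":
                hexchars += c
            i += 1
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]                 # drop a dangling nibble
        blobs.append(bytes.fromhex(hexchars.decode("ascii")))
        pos = i
    return blobs


def triage_attachment(filename, data):
    """Return a dict describing why an attachment deserves a closer look."""
    findings = []
    is_rtf = data.lstrip().startswith(b"{\\rtf")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_rtf and ext in ("doc", "docx", "dot", "dotx"):
        findings.append(f"extension .{ext} but content is RTF")
    counts = {w.decode(): data.count(w) for w in OBJ_WORDS if data.count(w)}
    if counts:
        findings.append("object control words: "
                        + ", ".join(f"{k}={v}" for k, v in sorted(counts.items())))
    blobs = extract_objdata_blobs(data) if is_rtf else []
    for n, blob in enumerate(blobs, 1):
        kind = "OLE 1.0 embedded object" if blob.startswith(OLE1_EMBEDDED) else "unrecognised format"
        findings.append(f"objdata #{n}: {len(blob)} bytes, {kind}, md5 {hashlib.md5(blob).hexdigest()}")
    return {"filename": filename, "is_rtf": is_rtf, "objdata_count": len(blobs),
            "findings": findings, "suspicious": is_rtf and bool(blobs)}


if __name__ == "__main__":
    result = triage_attachment(SAMPLE_FILENAME, SAMPLE_RTF)
    for line in result["findings"]:
        print(f"{result['filename']}: {line}")
```

On the sample this reports the extension/content mismatch, the object control words, and one 60-byte OLE 1.0 embedded object with its hash; a plain .rtf with no object data comes back as not suspicious.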


#1090 AplusWebMaster


Posted 13 December 2013 - 12:16 PM

FYI...

Fake Amazon order SPAM
- http://threattrack.t...nfirmation-spam
Dec 13, 2013 - "Subjects Seen:
    Your Amazon.com order HZ1517235
Typical e-mail details:
    Good day,
    Thank you for your order. We'll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com.
    Order Details
    Order WD4202401 Placed on December 9, 2013
    Order details and invoice in attached file.
    Need to make changes to your order? Visit our Help page for more information and video guides.
    We hope to see you again soon. Amazon .com


Malicious File Name and MD5:
    ORDER_JB46238.zip (765FD2406623781F6F9EB4893C681A5B)
    ORDER_JB46238.exe (26E57BDE90B43CF6DAE6FD5731954C61)


Screenshot: https://gs1.wac.edge...ZhzU1r6pupn.png

Tagged: Amazon, Wauchos
___

Bitcoin stealing SPAM
- http://www.arbornetw...-stealing-spam/
Dec 12, 2013 - "The rise in Bitcoin values seems to have caused an equal increase of Bitcoin -spam- as malware authors attempt to make money off the many new market participants. One site that was spammed to me three times in one day is bitcoin-alarm .net. I ignored it the first two times, but they must have really wanted me to look at it, so who am I not to oblige.
> http://www.arbornetw...logo-300x36.png
The site promises a tool to notify you of market changes by SMS, without ever mentioning any nefarious behaviour. YouTube videos teach you what Bitcoin is, and how to install this free tool. They even provide a link so you can donate to the author, although it appears no one has chosen to do so. This I have to download.
> http://www.arbornetw...pScreenshot.png
The download BitcoinAlarm.exe (MD5: edfa12d4a454b0eb786bbe92050ab88a) had just 1 hit on VirusTotal* when I first scanned it... This free utility is nothing more than malware with very low detection rate being spammed to anyone that might have a Bitcoin sitting around. When I checked the domain with urlvoid it had zero ‘bad’ reports and was -not- blacklisted... On a recheck BitcoinAlarm.exe’s detection is up to 14 of 49 scanners, and the download link appears to return 404..."
* https://www.virustot...573a0/analysis/

82.221.129.16
- https://www.virustot...16/information/
___

Fake - Halifax Bank Phishing Scam
- http://www.hoax-slay...-phishing.shtml
Dec 13, 2013 - "... The email is -not- from Halifax. Links in the message open a -fake- website that contains web forms designed to steal the recipient's account login details, credit card data and other personal information...
> http://www.hoax-slay...-phishing-1.jpg
... According to this message, which purports to be from UK bank, Halifax, third party intrusions have been detected on the recipient's account and, as a result, the account has been limited for security reasons. Supposedly, to restore access, the account holder must confirm his or her identity and verify that the account has not been used for fraud. The email instructs the recipient to access a "validation form" by clicking a link... Halifax customers who fall for the lies in the scam email and click the link will be taken to a -fake- website designed to look like the real Halifax site and asked to login:
> http://www.hoax-slay...-phishing-2.jpg
Next, they will be asked to provide name and contact information:
> http://www.hoax-slay...-phishing-3.jpg
And, on a final form, they will be asked to provide their card details:
> http://www.hoax-slay...-phishing-4.jpg
After the final form is completed, victims will be automatically redirected to the genuine Halifax website and, at least until the criminals begin using the stolen information, they may remain unaware that they have just been scammed. Using the information provided on the fake forms, the scammers can hijack genuine Halifax accounts, lock out their rightful owners and commit banking and credit card fraud. The bank has published information about Halifax phishing scams, including how to report any that you receive, on its website*..."
* http://www.halifax.c...reats/phishing/
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 13 December 2013 - 01:55 PM.



#1091 AplusWebMaster


Posted 14 December 2013 - 12:26 PM

FYI...

Malware Spam uses Geolocation to Mass Customize Filename
- https://isc.sans.edu...l?storyid=17222
Last Updated: 2013-12-14 15:16:44 UTC - " Malicious e-mails usually fall into two groups: Mass-mailed generic e-mails, and highly customized spear phishing attempts. In between these two groups fall e-mails that obviously do more to "mass customize" the e-mail based on information retrieved from other sources. E-mails that appear to come from your Facebook friends, or malware that harvests other social networks like Linkedin to craft a more personalized message... received one e-mail... falls into the third category. The sender went through the trouble to craft a decent personalized message, trying to make me install some Spyware. In this example, the e-mail advised me of a new "WhatsApp" message that may be waiting for me. The e-mail looks legit, and even the link is formed to make it look like a voicemail link with the little "/play" ending:
> https://isc.sans.edu... 9_48_56 AM.png
... the executable you are offered as you download the emails. The downloaded file is a ZIP file, and the file name of the included executable is adjusted to show a phone number that matches the location of the IP address from which the e-mail is downloaded... anti-malware coverage is -bad- according to Virustotal [1]. Anubis doesn't show much interesting stuff here, but I wouldn't be surprised if the malware detected that it ran in an analysis environment [2]. Interestingly, it appears to pop up Notepad with a generic error message..."
[1] https://www.virustot...sis/1387029444/
[2] http://anubis.isecla...d4d2750b1a52b0a

A few variants...
- http://blog.dynamoo....u-pic-spam.html
11 Dec 2013

- http://www.webroot.c...-users-malware/
Nov 22, 2013
 

:ph34r: <_<


Edited by AplusWebMaster, 14 December 2013 - 01:06 PM.

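Several of the runs quoted in this thread share one delivery shape: a ZIP attachment whose member is an .exe wearing a document icon (the Amazon runs in #1087 and #1090, WhatsApp and the geolocated WhatsApp variant above), sometimes a double extension, and in the Wells Fargo run (#1088) a ZIP nested inside a ZIP. An added example, not from any of the quoted blogs, that triages such an archive without executing anything: it names members by extension, spots double extensions, checks the content for the MZ header so a renamed executable is still caught, recurses into nested archives, and emits MD5/SHA256 so the values can be compared with those ThreatTrack publishes. The archive is constructed here with member names taken from the posts; the "executables" inside are inert MZ/PE stubs.

```python
import hashlib
import io
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
                   "wsf", "hta", "cpl", "msi", "jar"}
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"


def pe_stub():
    """Constructed stand-in for an executable: a DOS header whose e_lfanew points at a
    bare PE signature. It is not runnable code and does nothing if executed."""
    dos_header = PE_MAGIC + b"\x00" * 58 + (64).to_bytes(4, "little")   # e_lfanew = 64
    return dos_header + b"PE\x00\x00" + b"\x00" * 200


def build_sample_zip():
    """Constructed lure: member names echo the spam runs quoted above, one with a
    double extension, one a nested ZIP, plus a harmless text file for contrast."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WF_Docs_121113.exe", pe_stub())
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ORDER_JB46238.exe", pe_stub())
        z.writestr("invoice.pdf.scr", pe_stub())
        z.writestr("readme.txt", b"plain text, nothing to see")
        z.writestr("WF_Docs_user.zip", inner.getvalue())
    return outer.getvalue()


def triage_zip(data, depth=0, max_depth=3):
    """Return one finding per archive member that looks executable by name or content,
    descending into nested ZIPs up to max_depth levels."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            content = z.read(info)
            basename = info.filename.rsplit("/", 1)[-1]
            exts = basename.lower().split(".")[1:]
            reasons = []
            if exts and exts[-1] in EXECUTABLE_EXTS:
                reasons.append(f"executable extension .{exts[-1]}")
            if len(exts) >= 2:
                reasons.append("double extension ." + ".".join(exts))
            if content.startswith(PE_MAGIC):
                reasons.append("PE header (MZ) in content")   # catches a renamed .exe
            if reasons:
                findings.append({"path": info.filename, "size": len(content),
                                 "md5": hashlib.md5(content).hexdigest(),
                                 "sha256": hashlib.sha256(content).hexdigest(),
                                 "reasons": reasons})
            if content.startswith(ZIP_MAGIC) and depth < max_depth:
                for nested in triage_zip(content, depth + 1, max_depth):
                    nested["path"] = info.filename + "!" + nested["path"]
                    findings.append(nested)
    return findings


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f"{f['path']}  {f['size']} bytes  md5 {f['md5']}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

The content check is the one that matters: the name-based tests are what the icon trick and the double extension are designed to get past on a user's screen, while the MZ header cannot be hidden without the file ceasing to run.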


#1092 AplusWebMaster


Posted 16 December 2013 - 07:54 AM

FYI...

Bogus Firefox add-on joins PC's to botnet - drive-by malware
- http://krebsonsecuri...hack-web-sites/
Dec 16, 2013 - "An unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for vulnerabilities that can be used to install malware... The botnet, dubbed “Advanced Power” by its operators, appears to have been quietly working since at least May 2013. It’s not clear yet how the initial infection is being spread, but the malware enslaves PCs in a botnet that conducts SQL injection attacks on virtually any Web sites visited by the victim... SQL injection attacks take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server. Attackers can use this access to booby-trap sites with drive-by malware attacks, or force sites to cough up information stored in their databases. Although this malware does include a component designed to steal passwords and other sensitive information from infected machines, this feature does not appear to have been activated on the infected hosts. Rather, the purpose of this botnet seems to be using the compromised Windows desktops as a distributed scanning platform for finding exploitable Web sites. According to the botnet’s administrative panel, more than 12,500 PCs have been infected, and these bots in turn have helped to discover at least 1,800 Web pages that are vulnerable to SQL injection attacks.
The fraudulent Firefox add-on:
> http://krebsonsecuri...2/sql-addon.png
... The malicious code comes from sources referenced in this Malwr writeup* and this Virustotal**  entry... On infected systems with Mozilla Firefox installed, the bot code installs a browser plugin called “Microsoft .NET Framework Assistant”... The malicious add-on then tests nearly every page the infected user visits for the presence of several different SQL injection vulnerabilities..."
(More detail at the krebsonsecurity URL above.)
* https://malwr.com/an...Tg5YjdkMjM3MDA/

- https://malwr.com/

**  https://www.virustot...3cb8a/analysis/

- https://addons.mozil...ox/blocked/i508
Blocked on December 16, 2013...
"Microsoft .NET Framework Assistant (malware) has been blocked for your protection.
Why was it blocked?
    This is -not- the Microsoft .NET Framework Assistant created and distributed by Microsoft. It is a -malicious- extension that is distributed under the same name to trick users into installing it, and turns users into a botnet that conducts SQL injection attacks on visited websites..."

- https://www.virustot...43/information/
2013-12-18
- http://google.com/sa...ic?site=AS:8560
___

More Fake Amazon order SPAM ...
- http://www.hoax-slay...s-malware.shtml
Dec 16, 2013 - "... The email is -not- from Amazon and the attached file does not contain order details. Instead, the attached .zip file harbours a malicious .exe file that, if opened, can install a trojan on the user's computer...
> http://www.hoax-slay...ware-2013-1.jpg
... Amazon did -not- send the email and the attached .zip file does not contain order details as claimed. If opened, the .zip file reveals a .exe file. And, if users run this .exe file, a trojan may be installed on their computers... such trojans can harvest personal and financial information such as account login data from the compromised computer and send it to criminals waiting online. It may also allow the criminals to take control of the infected computer. The criminals hope that at least a few recipients, who have not made any recent Amazon orders, will be panicked into opening the attachment in the mistaken belief that a purchase has been made in their names... users who have recently bought items on Amazon might be tricked into opening the attachment in the belief that the file it contains pertains to their order..."
___

Bitcoin price hike spurs Malware, Wallet Theft
- http://blog.trendmic...e-wallet-theft/
Dec 16, 2013 - "The past few weeks have been rather exciting for Bitcoin owners and speculators, with prices peaking at over $1200 per BTC... This is giving rise to more Bitcoin-related threats. Victims are now being used either to “mine” Bitcoins; in addition the Bitcoin wallets of existing users are now tempting targets for theft as well. From September to November, feedback from the Smart Protection Network indicated that more than 12,000 PCs globally had been affected by Bitcoin-mining malware:
> http://blog.trendmic.../12/bitcoin.jpg
... Bitcoin is promoted as being “anonymous”, but in a way nothing could be further from the truth. Because all Bitcoin transactions are public, it is possible to see all the transactions a user has made. Therefore, given enough circumstantial evidence, it may be possible to get the identity of a user... while Bitcoin may be a product of the 21st century, at the same time it is something that has been around for centuries – cash. The same caution and prudence that applies to handling cash should be applied here as well."
___

Google Play - suspicious apps leak Google Account IDs
- http://blogs.mcafee....gle-account-ids
Dec 16, 2013 - "The Google account ID (or account name), which in most cases is a Gmail address, is one of the key identifiers of -Android- device users. McAfee has confirmed a substantial number of suspicious apps secretly collect Google account IDs on Google Play. In these cases, the corresponding Google account password is not collected, but leaking only IDs still poses a certain level of security and privacy risk. Two particular apps, one a dating service app and the other a fortune app, retrieve Google account IDs and send them to their web server just after they launch and without prior notice to users. The total number of downloads of each app is between 10,000 and 50,000...
> http://blogs.mcafee..../galeaker-1.png
Another set of suspicious apps, from various categories, shown in the figure below* secretly send a device’s Google account ID, IMEI, and IMSI to a single, shared remote web server just after launch and without any prior notice. The aggregate download count of this set of apps amounts to at least several million, probably because they are localized for many languages. It appears the main targets are Japanese users...
* http://blogs.mcafee..../galeaker-2.png
More than 30 suspicious apps leak Google account IDs, IMEI, and IMSI... We have not confirmed why the app developers secretly collect Google account IDs, or how they use them and how they manage the data securely. And we have not so far observed any malicious activities based on the stolen data. But at least these apps should notify users of the collection and of the intended use of their data–and give them opportunity to -decline- the data transfer. Android apps can retrieve Google account IDs with GET_ACCOUNTS permission granted at installation and by using one of the methods of the AccountManager class. This permission is often requested when an app uses the Google Cloud Messaging feature, which is a standard mechanism provided by Google to allow server-to-device push notification. As such, users cannot judge if granting this permission is really safe; some apps request this permission for GCM, but others for collecting account information for potentially malicious purposes...
A GET_ACCOUNTS permission request:
> http://blogs.mcafee....galeaker-3e.png
... With the GET_ACCOUNTS permission granted, Android apps can also retrieve account names for services other than Google that have been registered in the device, including Facebook, Twitter, LinkedIn, Tumblr, WhatsApp, and so on. Users will face these same issues once these other account names are stolen... We strongly recommend that users review the privacy settings on all the services they employ and disable the “allow search by email address” option unless they really want it. Users should also -not- expose their account names..."
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 01 January 2014 - 08:50 AM.

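As an added example (not McAfee's code and not part of the thread), the Python below shows the check a reviewer can run over an app's AndroidManifest.xml before trusting a GET_ACCOUNTS request, following the write-up quoted above: it reports whether GET_ACCOUNTS is accompanied by any GCM declaration (the legitimate reason the write-up mentions), and whether the app also holds READ_PHONE_STATE and INTERNET, the combination that lets the account ID, IMEI and IMSI all be read and uploaded. The two manifests are constructed for the example and the finding codes are the script's own.

```python
"""Heuristic AndroidManifest.xml permission audit (added example, not McAfee code).

Flags the permission combinations described in the write-up: GET_ACCOUNTS
(account names via AccountManager) with no visible GCM use, and GET_ACCOUNTS
together with READ_PHONE_STATE (IMEI/IMSI) and INTERNET.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

GET_ACCOUNTS = "android.permission.GET_ACCOUNTS"
READ_PHONE_STATE = "android.permission.READ_PHONE_STATE"
INTERNET = "android.permission.INTERNET"
# Declarations an app that really uses GCM push normally carries.
GCM_RECEIVE = "com.google.android.c2dm.permission.RECEIVE"
GCM_SEND = "com.google.android.c2dm.permission.SEND"


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}


def uses_gcm(manifest_xml):
    """True if the manifest requests the GCM receive permission or declares a
    broadcast receiver guarded by the GCM SEND permission."""
    root = ET.fromstring(manifest_xml)
    if GCM_RECEIVE in declared_permissions(manifest_xml):
        return True
    return any(r.get(PERMISSION) == GCM_SEND for r in root.iter("receiver"))


def audit(manifest_xml):
    """Return a list of finding codes; an empty list means nothing to flag."""
    perms = declared_permissions(manifest_xml)
    findings = []
    if GET_ACCOUNTS in perms:
        findings.append("GET_ACCOUNTS_WITH_GCM" if uses_gcm(manifest_xml)
                        else "GET_ACCOUNTS_NO_GCM")
        if READ_PHONE_STATE in perms and INTERNET in perms:
            # Account ID, IMEI and IMSI can all be read and sent off-device.
            findings.append("ACCOUNT_ID_IMEI_IMSI_UPLOAD_CAPABLE")
    return findings


# Constructed manifests for the example (hypothetical package names, not real apps).
FORTUNE_APP = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fortune">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Fortune"/>
</manifest>
"""

PUSH_APP = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pushnews">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application android:label="Push News">
    <receiver android:name=".GcmBroadcastReceiver"
              android:permission="com.google.android.c2dm.permission.SEND"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("fortune app", FORTUNE_APP), ("push app", PUSH_APP)):
        print(label, audit(manifest) or ["no findings"])
```

The GCM check only says the request is plausible, not that the account name stays on the device; confirming that still needs a look at where the app sends it.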


#1093 AplusWebMaster


Posted 17 December 2013 - 04:24 PM

FYI...

Video: Parcel Reshipping Scams, Parcel Mules and Fake Job Offers
- http://blog.dynamoo....ams-parcel.html
17 Dec 2013 - "A brief presentation on how parcel reshipping scams work, and the role of parcel mules and fake job offers..."
(See the dynamoo URL above for the video.)
 

:ph34r: <_< :(




#1094 AplusWebMaster


Posted 18 December 2013 - 08:06 AM

FYI...

Malvertising campaign leads to Browser-Locking Ransomware
- http://www.symantec....king-ransomware
17 Dec 2013 - "The Browlock ransomware (Trojan.Ransomlock.AG) is probably the simplest version of ransomware that is currently active. It does not download child abuse material, such as Ransomlock.AE, or encrypt files on your computer, like Trojan.Cryptolocker. It does not even run as a program on the compromised computer. This ransomware is instead a plain old Web page, with JavaScript tricks that prevent users from closing a browser tab. It determines the user’s local country and makes the usual threats, claiming that the user has broken the law by accessing pornography websites and demands that they pay a fine to the local police.
> http://www.symantec....lock 1 edit.png
What is substantial is the number of users getting redirected to the Browlock website. In November, Symantec blocked more than 650,000 connections to the Browlock website. The same trend continues in December. More than 220,000 connections were blocked just 11 days into December. Overall, about 1.8 million connections have been blocked since tracking began in September. These numbers may not seem particularly large for those familiar with exploit kits and traffic redirection systems, but they solely represent users of Symantec products. The 650,000 connections detected in November is merely a piece of the pie, but the real number is likely to be much larger.
Browlock ransomware’s activity in November and December this year
> http://www.symantec..../Browlock 2.png
... The Browlock attackers appear to be purchasing traffic that redirects many different visitors to their malicious website. They are using malvertising, an increasingly common approach which involves purchasing advertising from legitimate networks. The advertisement is directed to what appears to be an adult Web page, which then redirects to the Browlock website... In a recent example, the attackers created several different accounts with an advertising network, deposited payment, and began buying traffic to redirect users to a website with a name that resembles an online chat forum. When the user visits the page, they are then redirected to the Browlock site. In fact, the attacker hosts the legitimate-looking domain name on the same infrastructure as the ransomware site itself... Symantec has identified 29 different law enforcement values, representing approximately 25 regions. The following graph shows the percentage of connections for the top ten law enforcement agencies identified. We found that traffic from the US was the most common. This is followed by Germany, then Europol, which covers European countries when no specific image template has been created.
Top ten regions targeted by Browlock
> http://www.symantec..../Browlock 3.png
... We have seen 196 domains since tracking began. The domains adhere to the format of a single letter followed by four digits and then .com. The actual domains have been hosted on a number of different IP addresses over the past four months. The most active Autonomous System (AS) has been AS48031 - PE Ivanov Vitaliy Sergeevich, which was used in each of the past four months. The attackers rotated through seven different IP addresses in this AS. The Browlock ransomware tactic is simple but effective. Attackers save money by -not- using a malicious executable or accessing an exploit kit. As the victim simply needs to close their browser to escape from the Web page, one might think that no one will pay up. However, the Browlock attackers are clearly spending money to purchase traffic and so they must be making a return on that investment. The usual ransomware tactic of targeting users of pornographic websites continues to capitalize on a victim’s embarrassment and may account for the success rate...
Malicious infrastructures used:
AS24940 HETZNER-AS Hetzner Online AG*
    IP address: 144.76.136.174 Number of redirected users: 2,387
AS48031 – PE Ivanov Vitaliy Sergeevich
    IP address: 176.103.48.11 Number of redirected users: 37,521
    IP address: 193.169.86.15 Number of redirected users: 346
    IP address: 193.169.86.247 Number of redirected users: 662,712
    IP address: 193.169.86.250 Number of redirected users: 475,914
    IP address: 193.169.87.14 Number of redirected users: 164,587
    IP address: 193.169.87.15 Number of redirected users: 3,945
    IP address: 193.169.87.247 Number of redirected users: 132,398
AS3255 – UARNET
    IP address: 194.44.49.150 Number of redirected users: 28,533
    IP address: 194.44.49.152 Number of redirected users: 134,206
AS59577 SIGMA-AS Sigma ltd
    IP address: 195.20.141.61 Number of redirected users: 22,960
Nigeria Ifaki Federal University Oye-ekiti
    IP address: 196.47.100.2 Number of redirected users: 47,527
AS44050 - Petersburg Internet Network LLC
    IP address: 91.220.131.106 Number of redirected users: 81,343
    IP address: 91.220.131.108 Number of redirected users: 75,381
    IP address: 91.220.131.56 Number of redirected users: 293
AS31266 INSTOLL-AS Instoll ltd.
    IP address: 91.239.238.21 Number of redirected users: 8,063 "

Diagnostic page for AS24940 (HETZNER-AS)
* http://google.com/sa...c?site=AS:24940
"... over the past 90 days, 4337 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-18, and the last time suspicious content was found was on 2013-12-18... Over the past 90 days, we found 683 site(s)... appeared to function as intermediaries for the infection of 1634 other site(s)... We found 514 site(s)... that infected 5040 other site(s)..."

Diagnostic page for AS48031 (XSERVER-IP-NETWORK-AS)
- http://google.com/sa...c?site=AS:48031
"... over the past 90 days, 178 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-18, and the last time suspicious content was found was on 2013-12-18... Over the past 90 days, we found 25 site(s) on this network... appeared to function as intermediaries for the infection of 120 other site(s)... We found 16 site(s)... that infected 779 other site(s)..."
___

Fake ‘WhatsApp Missed Voicemail’ emails lead to pharmaceutical scams
- http://www.webroot.c...ceutical-scams/
Dec 18, 2013 - "... A currently circulating fraudulent spam campaign is brand-jacking WhatsApp in an attempt to trick its users into clicking on links found in the email. Once socially engineered users fall victim to the scam, they’re automatically exposed to a fraudulent pharmaceutical site, offering them pseudo bargain deals...
Sample screenshot of the spamvertised email:
> https://www.webroot....cal_Scam_01.png
Sample screenshot of the landing pharmaceutical scam page:
> https://www.webroot....am-1024x587.png
Redirection chain: hxxp :// 203.78.110.20 /horizontally.html -> hxxp ://viagraphysician .com (109.201.133.58). We’re also aware of... fraudulent domains that are known to have phoned back to the same IP (109.201.133.58)... Name servers:
ns1 .viagraphysician .com – 178.88.64.149
ns2 .viagraphysician .com – 200.185.230.32
... fraudulent name servers are also known to have participated in the campaign’s infrastructure at 178.88.64.149 ... We expect that more legitimate brands will continue getting targeted in such a way, with the fraudsters behind the campaign continuing to earn revenue through pharmaceutical affiliate programs..."
(More detail at the webroot URL above.)

- https://www.virustot...58/information/

- https://www.virustot...49/information/

- https://www.virustot...32/information/

- https://www.virustot...20/information/
___

Gmail’s Image Display defaults may change your Privacy
- http://blog.trendmic...e-your-privacy/
Dec 18, 2013 - "... this means that all pictures in emails will now be automatically displayed. Instead of being served directly from the site hosting the image, however, they will be given a copy that has been scanned by Google. Officially, the stated rationale for this change is that previously, senders “might try to use images to compromise the security of your computer”, and that with the change images will be “checked for known viruses or malware”. This change affects users who access Gmail via their browser, or the official iOS and Android apps. In the past, there have been occasions where malicious images were used to compromise computers. A number of image formats were exploited in 2005 and 2006, including a Windows Metafile vulnerability (MS06-001), and an Office vulnerability that allowed arbitrary code execution (MS06-039). More recently, a vulnerability in how TIFF files were handled (MS13-096) was found and not patched until the December Patch Tuesday cycle. Properly implemented, scanning the images would be able to prevent these attacks from affecting users... actual exploitation of these vulnerabilities has been relatively uncommon. Exploit kits have opted to target vulnerabilities in Flash, Internet Explorer, Java, and Reader instead. Image vulnerabilities are not even listed in the control panels of these kits. The primary reason to block images is not to block malware, but to stop information leakage. Images are used by spammers and attackers to track if/when email has been read and to identify the browser environment of the user. Email marketers also use this technique to check how effective their email campaigns are. Email marketers have already confirmed that in spite of Google’s moves, email tracking is still very possible. Google’s proposed solution (a web proxy that checks images for malware images) appears to solve a small security problem (malicious image files), while leaving at risk users’ security and privacy.
Attackers still have the capability to track that users have read email–and to learn aspects of their browser environment. Users can still revert to the previous behavior via their Gmail settings, as outlined in Google’s blog post:
    Of course, those who prefer to authorize image display on a per message basis can choose the option “Ask before displaying external images” under the General tab in Settings. That option will also be the default for users who previously selected “Ask before displaying external content”.
We -strongly- recommend that users -change- this setting for their accounts. Users who access Gmail via POP3 or IMAP should check the settings of their mail application to control the display of images."
___

Fake VISA Report SPAM / payment-history-n434543-434328745231.zip
- http://blog.dynamoo....eport-spam.html
18 Dec 2013 - "This -fake- VISA spam comes with a malicious attachment:
    Date:      Wed, 18 Dec 2013 14:32:50 -0500 [14:32:50 EST]
    From:      Visa [Eddie_Jackson@ visa .com]
    Subject:      VISA - Recent Transactions Report
    Dear Visa card holder,
    A recent review of your transaction history determined that your card was used in
    possible fraudulent transactions. For security reasons the requested transactions were
    refused. Please carefully review electronic report for your VISA card.
    For more details please see the attached transaction report.
    Virgie_Cruz
    Data Protection Officer
    VISA EUROPE LIMITED
    1 Sheldon Square
    London W2 6WH
    United Kingdom ...


Attached to the message is an archive file payment-history-n434543-434328745231.zip with a VirusTotal detection rate of 10/48*, which in turn contains payment-history-n434543-434328745231.exe with a detection rate of 10/49**. Automated analysis tools... indicate a network connection to bestdatingsitesreview4u .com on 38.102.226.126 (PSInet, US). This appears to be the only site on that server, blocking either the IP or domain temporarily may help mitigate against infection."
* https://www.virustot...sis/1387397621/

** https://www.virustot...sis/1387397396/

- https://www.virustot...26/information/
 

:( :ph34r: <_<


Edited by AplusWebMaster, 18 December 2013 - 03:41 PM.

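The Browlock write-up quoted earlier in this post gives two things a defender can turn directly into detection: the domain shape (one letter, four digits, .com) and the hosting IP addresses. The Python below is an added example, not Symantec's tooling; it scans proxy log lines in an assumed five-field layout (timestamp, client, method, URL, destination IP) and flags a request on either indicator. The log lines are constructed for the example; the IP set is the one listed above.

```python
"""Proxy-log scan for Browlock-style redirect traffic (added example, not Symantec code)."""
import re
from urllib.parse import urlsplit

# Domain shape reported in the write-up: one letter, four digits, then .com
BROWLOCK_DOMAIN = re.compile(r"^[a-z][0-9]{4}\.com$", re.IGNORECASE)

# Hosting IPs quoted in the write-up above (values from the post, not constructed).
BROWLOCK_IPS = {
    "144.76.136.174", "176.103.48.11", "193.169.86.15", "193.169.86.247",
    "193.169.86.250", "193.169.87.14", "193.169.87.15", "193.169.87.247",
    "194.44.49.150", "194.44.49.152", "195.20.141.61", "196.47.100.2",
    "91.220.131.106", "91.220.131.108", "91.220.131.56", "91.239.238.21",
}

# Assumed log layout: "<timestamp> <client> <method> <url> <dest-ip>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one log line into its fields; return None for lines in another layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, dst = m.groups()
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return {"ts": ts, "client": client, "host": host, "dst": dst}


def classify(entry):
    """Return the list of indicators that match this request (empty if none)."""
    reasons = []
    if BROWLOCK_DOMAIN.match(entry["host"]):
        reasons.append("browlock-domain-pattern")
    if entry["dst"] in BROWLOCK_IPS:
        reasons.append("known-browlock-ip")
    return reasons


def scan(lines):
    """Return (client, host, dest-ip, reasons) for every flagged request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["client"], entry["host"], entry["dst"], reasons))
    return hits


# Constructed sample log: a normal page, an ad click, the lock page itself,
# the look-alike "chat forum" decoy on the same hosting, and a harmless
# five-digit domain that must not match the pattern.
SAMPLE_LOG = [
    "2013-12-11T10:01:02Z 10.0.0.5 GET http://www.example.org/index.html 93.184.216.34",
    "2013-12-11T10:01:05Z 10.0.0.5 GET http://ads.example-network.test/click?id=77 198.51.100.9",
    "2013-12-11T10:01:06Z 10.0.0.5 GET http://a1234.com/ 193.169.86.247",
    "2013-12-11T10:02:14Z 10.0.0.7 GET http://chatforum-look-alike.test/ 194.44.49.152",
    "2013-12-11T10:03:00Z 10.0.0.9 GET http://b99999.com/ 203.0.113.4",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The domain pattern on its own will also match legitimate short domains, so treat the IP match as the stronger signal and use the pattern to surface new domains for review; the decoy "chat forum" host in the sample is caught by IP alone, which is the case the write-up describes.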
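On the Trend Micro point earlier in this post that Google's proxy does not stop read-tracking: the proxy still fetches whatever URL the sender embedded, so an image URL that is unique per recipient reports the open no matter where the fetch comes from. The Python below is an added example (not Trend Micro's or Google's code) showing what such images look like in the message HTML so a mail gateway or client can strip or defer them: images declared 1x1, hidden by style, or whose URL carries an opaque token. The sample message and host names are constructed; the heuristics are the example's own.

```python
"""Find tracking-pixel candidates in an HTML e-mail (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# An opaque identifier: 16+ URL-safe characters with no readable structure.
TOKEN = re.compile(r"^[A-Za-z0-9_-]{16,}$")


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _dim(value):
    """Leading integer of a width/height attribute ("1", "1px"), or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_tiny(img):
    w, h = _dim(img.get("width")), _dim(img.get("height"))
    return w is not None and h is not None and w <= 1 and h <= 1


def is_hidden(img):
    style = img.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def has_opaque_token(src):
    """True if a query value or the file stem looks like a per-recipient token."""
    parts = urlsplit(src)
    if any(TOKEN.match(v) for _, v in parse_qsl(parts.query)):
        return True
    stem = parts.path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return bool(TOKEN.match(stem))


def tracking_candidates(html):
    """Return (src, reasons) for each image that looks like a read-tracker."""
    parser = ImgCollector()
    parser.feed(html)
    out = []
    for img in parser.images:
        src = img.get("src", "")
        reasons = []
        if is_tiny(img):
            reasons.append("1x1")
        if is_hidden(img):
            reasons.append("hidden")
        if has_opaque_token(src):
            reasons.append("opaque-token")
        if reasons:
            out.append((src, reasons))
    return out


# Constructed sample message: a real logo, a classic 1x1 pixel, and a hidden
# "open" beacon with a per-recipient token. All host names are made up.
SAMPLE_EMAIL = """
<html><body>
<img src="https://cdn.example-shop.test/logo.png" width="200" height="60" alt="Shop">
<p>Your order has shipped.</p>
<img src="https://track.example-esp.test/o/9f2c7e1a4b6d8c0e5a7f.gif" width="1" height="1">
<img src="https://news.example.test/open?u=5gq8Wn2kP0xZt7ArL3bE" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in tracking_candidates(SAMPLE_EMAIL):
        print(src, reasons)
```

Blocking or deferring only the flagged images keeps logos and product pictures visible while removing the open signal, which is the behaviour the "Ask before displaying external images" setting restores wholesale.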


#1095 AplusWebMaster


Posted 19 December 2013 - 11:18 AM

FYI...

Fake Voicemail SPAM - from "Elfin Cars Sports"
- http://blog.dynamoo....elfin-cars.html
19 Dec 2013 - "This -fake- voicemail message from "Elfin Cars Sports" has a malicious attachment:
    Date:      Thu, 19 Dec 2013 08:36:56 -0600 [09:36:56 EST]
    From:      Voice Mail [noreply@ spamcop .net]
    Subject:      New Voicemail Message
    New Voicemail Message
    You have been left a 1:02 long message (number 1) in mailbox from "Elfin Cars Sports"
    07594434593, on Thursday, December 19, 2013 at 07:20:02 AM
    The voicemail message has been attached to this email - which you can play on most
    computers...


The attachment is VoiceMail.zip with a VirusTotal detection rate of 9/49*, which in turn contains a malicious executable VoiceMail.exe with an icon to make it look like an audio file, and this also has a detection rate of 9/49** (but with slightly different detections). Automated analysis tools... show an attempted connection to plantautomation-technology .com on 216.151.164.211 (NJ Tech Solutions, US) and anuudyog .com on 66.7.149.156 (Web Werks, US)."
* https://www.virustot...sis/1387465669/

** https://www.virustot...sis/1387465683/
___

Fake Navy Federal Credit Union Phish
- http://threattrack.t...dit-union-phish
Dec 19, 2013 - "Subjects Seen:
    NAVY FEDERAL Credit Union
Typical e-mail details:
    We recently reviewed your account, and we suspect an unauthorized ATM-based transactions on your account access. Our banking service will help you to avoid frequently fraud transactions and to keep your savings and investments confidential.
    To ensure that your account is not compromised please login to NAVY Account Access by clicking this link, verify and update your profile and your current account access will be 128-bit encrypted and guard by our security system.
    - Click Here to login your Federal Credit Union Account
    - Enter your Account Access details
    - Verify and update with NAVY FEDERAL
    Thank you for using F.C.U Account Access Security


Malicious URLs:
    holidayindingle .com/wp-admin/css/colors/blue/gos/
80.93.29.195

- https://www.virustot...95/information/

Screenshot: https://gs1.wac.edge...cEAF1r6pupn.png

Tagged: Navy Federal Credit Union, phish
___

AT&T Voicemail Message Spam
- http://threattrack.t...il-message-spam
Dec 19, 2013 - "Subjects Seen:
    AT&T - You Have a new Voice Mail
Typical e-mail details:
    You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
    The length of transmission was 25 seconds.
    Thank you,
    AT&T Online Services


Malicious File Name and MD5:
    VoiceMail.zip (BE7D2F4179D6D57827A18A20996A5A42)
    VoiceMail.exe (D1CA2DC1B6D1C8B32665FCFA36BE810B)


Screenshot: https://gs1.wac.edge...aSPC1r6pupn.png

Tagged: AT&T, Upatre
___

Fake emails regarding license key from Adobe - trojan
- http://blog.mxlab.eu...key-from-adobe/
Dec 19, 2013 - "... new trojan distribution campaign by email with the following subjects:
Download your adobe software
Download your license key
Thank you for your order
Your order is processed

This email is sent from the spoofed address “Adobe Software <soft@ adobes .com>”, “Adobe Software <support@ adobes .com>”, “Adobe <software@ adobes .com>”, “Adobe Software <your_order@ adobes .com>” or similar and has the following body:
    Hello.
    Thank you for buying Director 11.5 software.
    Your Adobe License key is in attached document below.
    Adobe Systems Incorporated.
    Hello.
    Thank you for buying Creative Suite 6 Master Collection software.
    Your Adobe License key is in attached document below.
    Adobe Systems Incorporated.
    Order Notification.
    Thank you for buying Adobe Connect software.
    Your Adobe License key is in attached document below.
    Adobe Systems Incorporated.

The attached ZIP file has the name License_Key_OR8957.zip and contains the 209 kB large file License_Key_Document_Adobe_Systems_Incorporated.exe. The trojan is known as Win32:Malware-gen, W32/Trojan.BDDH-7155, W32/Trojan3.GVP, Trojan-Downloader.Win32.Dofoil.rqh or Artemis!30AAE526F5C4. At the time of writing, 11 of the 45 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1387485019/

Alert: Adobe License Key Email Scam
- http://blogs.adobe.c...key-email-scam/
Dec 20, 2013 - "Adobe is aware of reports that a phishing campaign is underway involving malicious emails purporting to deliver license keys for a variety of Adobe offerings. Customers who receive one of these emails should -delete- it immediately without downloading attachments or following hyperlinks that may be included in the message..."
 

:ph34r: <_<


Edited by AplusWebMaster, 20 December 2013 - 07:16 PM.

