SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#106 AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 02 April 2009 - 01:39 PM

FYI...

Trace Q1-2009 report
- http://www.marshal.c...hesection=trace
April 1, 2009
"...Spam
...by the end of March 2009 the SVI (Spam Volume Index) had reached its pre-McColo level. Even so, taking a longer term view, spam volume still remains less than mid-2008. We believe successive events, including the interruption of the Atrivo/Intercage network in September, the FTC crackdown of the ‘Affking’ gang in October, the McColo shutdown in November and the subsequent demise of the Srizbi botnet, and disruption to the Bobax botnet in late 2008, have all contributed to make life more difficult for spammers...
Botnets
... a handful of botnets continue to dominate the distribution of spam. At the end of March 2009, the familiar botnets Mega-D and Rustock and Pushdo continued to dominate spam production. Xarvester is the new kid on the block, and shares quite a few similarities to its likely predecessor, Srizbi. Add a second tier of botnets, namely Donbot, Grum and Gheg, and collectively, this motley group accounts for over 70% of spam...
Malicious Spam Campaigns
... The Waledac botnet, the probable successor to Storm, has been active with a range of campaigns including President Obama, Valentines, fake coupons and bomb blast news stories. The Pushdo botnet, too, continues to pump out various malicious spam and phishing email, including fake facebook.com and classmates.com campaigns...
Malicious Web Campaigns... (Rogue AV, etc.)
The last few months have seen the resurgence of the fake anti-virus purveyors, which have been part of the scene in one form or another for the best part of 12 months. Most recently, search engine optimization, using hot Google search terms*, is being used to drive users to websites where they are prompted to download, install, and pay for this dubious ‘anti-virus’ software...."
* http://www.marshal.c...asp?article=884

:ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#107 AplusWebMaster


Posted 03 April 2009 - 10:07 AM

FYI...

More Conficker rogue AV...
- https://forums2.syma.../article-id/173
04-02-2009 - "We have found spam samples attempting to capitalize on the frenzy over Conficker (a.k.a. Downadup), offering the latest in antivirus security software that purportedly protects users from the Conficker threat. Some of these SPAM messages even use names and images of software much like our own Norton AntiVirus 2009... it even mentions the name of one of our Symantec employees frequently cited in the press... In an attempt to increase financial gain, the product website is made to look like the product is one of our Norton consumer security solutions, by using the AntiVirus 2009 name and even comparing itself with other antivirus solutions such as Spybot, Kaspersky, and AVG... After clicking on the link inside the message, we find that it redirects to a website where the user is promptly given directions on how to make a payment. Whether or not any product will be made available after the payment is made is still unknown at this point. Even if it were, its effectiveness would be questionable because it will most likely be a rogue application or pirated software."
(Screenshots available at the Symantec URL above.)

- http://www.f-secure....s/00001639.html
March 30, 2009

:ph34r: :ph34r:



#108 AplusWebMaster


Posted 07 April 2009 - 08:13 PM

FYI...

Malicious Excel XLS file
- http://www.f-secure....s/00001649.html
April 7, 2009 @ 11:10 GMT - "We see targeted attacks and espionage with trojans regularly. Here's a typical case. A malicious Excel XLS file (md5: 3c740451ef1ea89e9f943e3760b37d3b) was emailed to a target - apparently to just one person... The exploit code creates two new DLL files in the SYSTEM32 folder ("apimgr.dll" and "netserv.dll") and executes them. These DLL files are backdoors that try to communicate back to the attackers, using these sites:
• feng.pc-officer .com
• ihe1979.3322 .org
Right now, host ihe1979.3322 .org does not resolve at all, and feng.pc-officer .com resolves to a placeholder IP (which is 63.64.63.64). The attackers can temporarily make the hostname resolve to the real IP address and then turn it back, to hide their tracks. The domain name pc-officer .com is a weird one. It was already registered in 2006, and it has been used in targeted attacks before. See this ISC blog entry from September 2007*. Here the attack was done via DOC files, instead of XLS. And the reporting server was ding.pc-officer .com, not feng.pc-officer .com. If you haven't read about Ghostnet** yet, now would be a good time..."
* http://isc.sans.org/...ml?storyid=3400
** http://en.wikipedia.org/wiki/GhostNet

(Screenshot available at the F-secure URL above.)

Update: "... IP 63.64.63.64 is just a placeholder; 216.255.196.154 is the real control server. They only bring it online sporadically, trying to avoid detection.
The IP is located in Spokane, USA:
% whois 216.255.196.154
OrgName: One Eighty Networks
OrgID: OEN-1
Address: 118 N Stevens
City: Spokane
StateProv: WA
PostalCode: 99201
Country: US ..."

:ph34r: :ph34r:

Edited by AplusWebMaster, 08 April 2009 - 06:56 AM.
Added update info...

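The placeholder/real-IP switching F-Secure describes above is something a defender can catch from resolver or passive-DNS history rather than from a single lookup. The following is an added example, not F-Secure's code: it replays constructed resolver log lines (the hostname and both addresses are the ones quoted in the post, defanged with [.]) and flags names that flip between a dormant answer and a routable one, while leaving ordinary CDN IP rotation alone.

```python
"""Flag hostnames whose A-record answers alternate between a placeholder
answer and a routable one, the pattern described for feng.pc-officer[.]com
(63.64.63.64 as the parking answer, 216.255.196.154 when the C2 is live).
Added example: stdlib only, input is constructed resolver log lines."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Addresses treated as "parked". 63.64.63.64 comes from the F-Secure post;
# extend with whatever your DNS provider uses for sinkhole/parking answers.
PLACEHOLDER_IPS = {"63.64.63.64"}

# Constructed sample. Format: <ISO timestamp> <qname> <rrtype> <answer>.
# Names are defanged with [.] so the sample can be pasted safely; the parser
# refangs them because real resolver logs are not defanged.
SAMPLE_LOG = """
2009-04-06T08:00:00 feng.pc-officer[.]com A 63.64.63.64
2009-04-06T12:00:00 feng.pc-officer[.]com A 63.64.63.64
2009-04-06T20:05:00 feng.pc-officer[.]com A 216.255.196.154
2009-04-06T22:10:00 feng.pc-officer[.]com A 63.64.63.64
2009-04-07T03:00:00 feng.pc-officer[.]com A 216.255.196.154
2009-04-07T05:30:00 feng.pc-officer[.]com A 63.64.63.64
2009-04-06T09:00:00 ihe1979.3322[.]org A NXDOMAIN
2009-04-06T09:00:00 www.example[.]com A 93.184.216.34
2009-04-07T09:00:00 www.example[.]com A 93.184.216.34
2009-04-06T09:00:00 cdn.example[.]net A 72.21.91.29
2009-04-07T09:00:00 cdn.example[.]net A 72.21.91.8
"""

def is_dormant(answer: str) -> bool:
    """True when the answer gives a client nothing routable to talk to:
    NXDOMAIN/SERVFAIL-style answers, known parking IPs, and special ranges."""
    if answer in PLACEHOLDER_IPS:
        return True
    try:
        addr = ip_address(answer)
    except ValueError:          # NXDOMAIN, SERVFAIL, empty answer...
        return True
    return not addr.is_global

def parse_log(lines):
    """Group A-record answers by (refanged, lower-cased) name, sorted by time."""
    history = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or fields[2] != "A":
            continue
        ts, qname, _, answer = fields
        qname = qname.lower().replace("[.]", ".").rstrip(".")
        history[qname].append((datetime.fromisoformat(ts), answer))
    return {q: sorted(recs) for q, recs in history.items()}

def find_toggling_hosts(history, min_transitions=2):
    """Names that changed dormant<->live state at least min_transitions times.
    A name that only ever NXDOMAINs, or that rotates between routable IPs
    (ordinary CDN behaviour), produces no transitions and is not reported."""
    report = {}
    for qname, recs in history.items():
        states = [is_dormant(ans) for _, ans in recs]
        transitions = sum(a != b for a, b in zip(states, states[1:]))
        live = [(ts, ans) for (ts, ans), dormant in zip(recs, states) if not dormant]
        if transitions >= min_transitions and live:
            report[qname] = {
                "transitions": transitions,
                "live_ips": sorted({ans for _, ans in live}),
                # when the name was actually usable: correlate with proxy logs
                "live_seen": [ts.isoformat() for ts, _ in live],
            }
    return report

if __name__ == "__main__":
    for name, info in find_toggling_hosts(parse_log(SAMPLE_LOG.splitlines())).items():
        print(name, info)
```

The `live_seen` timestamps are the windows in which clients could actually have reached the server, which is what to pivot on in proxy or firewall logs.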


#109 AplusWebMaster


Posted 08 April 2009 - 05:19 AM

FYI...

Match.com malware SPAM
- http://securitylabs....lerts/3337.aspx
04.08.2009 - "... new SPAM campaign aimed at Match.com is being used to spread a trojan over the Internet. Match.com is an online dating service. The service reportedly has more than 15 million members and has Web sites serving 37 countries in more than 12 different languages. On April 7 2009, we received thousands of malicious emails in our email Honey Pot system. The email claims that someone wants to show the user her pictures and videos, and lures the user into visiting the Web site set up by the attacker. When the user starts the video on the Web site, they are asked to install a streaming video player which is actually a trojan with relatively low AV detection*..."

(Screenshots available at the Websense URL above.)

* http://www.virustota...761e33959e61e1d
File ADOBE_PlayerInstallation.exe

:ph34r: :ph34r:



#110 AplusWebMaster


Posted 08 April 2009 - 06:26 AM

FYI...

IRS SPAM fakes and phish...
- http://blog.trendmic...hishing-season/
Apr. 7, 2009 - "As usual, the approaching tax season (April 15th is Tax Day in the US) also comes with tax-related online threats. With unemployment rates reaching record highs this year, cybercriminals have yet another opportunity to polish their social engineering techniques. Last year, spammed messages supposedly from the Internal Revenue Service (IRS) delivered malware into systems. The email messages were sternly-worded. The intention was to alarm recipients of what these same messages claimed were incomplete tax forms, which could lead to tax avoidance fraud. High-profile institutions, including Fortune 500 companies and US Defense contractors, were prominent targets of this attack. This year, cybercriminals offer their recipients ways to save money by supposedly reducing their expenses on tax preparation transactions. The recent email samples no longer purport to come from the IRS, though. They do, however, offer tax relief services for tax help-seekers. And instead of downloading malware, unknowing users are tricked into giving out personal and sensitive information to phishers... The threat does not end there. After completing the steps... for users to supposedly have tax relief, other windows load... These are supposedly credit-related sites, but like the tax relief page they also steal sensitive and confidential user information. The spammers/phishers behind this threat have thus fashioned the attack to be both timely and seemingly relevant by exploiting the tax season as well as recession-related concerns. The IRS recently set up an information page* in response to this threat..."
* http://www.irs.gov/p...=179820,00.html

(Screenshots available at the TrendMicro URL above.)

- http://isc.sans.org/...ml?storyid=6145
Last Updated: 2009-04-07 19:50:37 UTC - "... a few things to watch out for:
• fake e-file websites. Only use reputable companies. I did a quick check earlier and didn't see any obvious fakes on Google, but this may change at any time.
• IRS e-mails: The IRS will -never- send you an e-mail asking you to go to a website to get a refund.
• malicious tax preparation software: Don't just download the next best free tax prep software package.
• and once you are all done: Make good offline backups. If you used tax preparation software, burn a couple of CDs with your files and don't forget to retain a copy of the software itself so you can read the files later. Keep a paper copy. This includes supporting electronic files like accounting software and spreadsheets that you may use to track finances..."

:ph34r: :ph34r:

Edited by AplusWebMaster, 08 April 2009 - 06:56 AM.



#111 AplusWebMaster


Posted 09 April 2009 - 09:44 AM

FYI...

Rogue AV on 10M machines
- http://www.darkreadi...cleID=216403298
April 8, 2009 - "Rogue security software infections by just one family of malware jumped 66 percent in the second half of the year, according to Microsoft's new Security Intelligence Report (SIR)*... Microsoft says the Win32/Renos scareware attack was found on 4.4 million computers, for instance, and Win32/FakeXPA and Win32/FakeSecScan on 1.5 million machines. Other rogue AV types were also detected, bringing the total numbers of those types of infections to the 10 million mark..."
* http://www.microsoft.com/sir

:ph34r: :angry:



#112 AplusWebMaster


Posted 10 April 2009 - 01:54 PM

FYI...

NOT the easter egg you were expecting
- http://www.sophos.co...abs/v/post/3962
April 10, 2009 - "Messages posing as legitimate greeting cards with titles such as “You’ve received A Hallmark E-Card! !” have been prevalent on the Internet... Over the past months, the malicious emails have become slightly more subtle in their delivery method. While they previously included a telltale zip file as an attachment or a link to an exe, the current crop of messages masquerade as legitimate notifications with no attachments, but the links embedded in the mail point to a web page on some third party web site - which is designed to load malware... avoid opening e-cards that aren’t addressed to you, and aren’t from someone you know. The majority of the spammed e-cards do not indicate the sender or the recipient in the body, and so are easy to recognize. Legitimate e-cards tend to have this personally identifiable information included in the message body..."

(Screenshot available at the URL above.)

:ph34r: :ph34r:



#113 AplusWebMaster


Posted 12 April 2009 - 11:18 AM

FYI...

Easter worm in Twitter...
- http://www.f-secure....s/00001653.html
April 12, 2009 - "A cross-site scripting worm was spreading in Twitter profiles for several hours last night. People started reporting that their profile had sent Twitter messages without their knowledge... Later on the messages morphed several times... Many people followed the links to stalkdaily .com, as they believed the messages to be genuine Tweets from their friends. A cross-site script on the site then caused new users to start to Tweet the same messages... As expected, the whole worm was a publicity stunt by stalkdaily .com... You can see the latest official status of Twitter from their status page at http://status.twitter.com/ . Updated to add: This is -not- over. There's going to be quite a few modified Twitter worms for a day or two. Be careful in Twitter, don't view profiles, don't follow links... All these attacks are Javascript-based. Turn Javascript off if you're worried..."
(Screenshots available at the F-secure URL above.)

- http://status.twitte.../update-on-worm
Apr 13, 2009 - "Update on worm... We are currently addressing a new manifestation of the worm attack..."

:ph34r:

Edited by AplusWebMaster, 13 April 2009 - 04:08 AM.
Update from Twitter...



#114 AplusWebMaster


Posted 13 April 2009 - 01:34 PM

FYI...

Copycat Twitter XSS worms...
- http://isc.sans.org/...ml?storyid=6187
Last Updated: 2009-04-13 18:07:20 UTC - "... copycat Twitter XSS worms exploit the same vulnerability – actually most of the code remains the same but they obfuscated it to make analysis a bit harder. They also added a couple of updates so it looks like they are exploiting other profile setting fields which the original worm didn't exploit, such as the profile link color. One thing about this copycat worm I found interesting is the type of obfuscation they used. The attackers used the [ and ] operators in JavaScript in order to reference methods in objects... It looks like the folks from Twitter are still fixing all the vulnerabilities... Use addons such as Noscript* for Mozilla ..."
* http://noscript.net/getit

- http://www.f-secure....s/00001654.html
April 13, 2009

:ph34r:



#115 AplusWebMaster


Posted 14 April 2009 - 04:55 PM

FYI...

Twitter worm Google searches lead to malware
- http://www.f-secure....s/00001657.html
April 14, 2009 - "No surprise at all that Google searches for information about the Twitter worm would lead to malware sites, it was really just a matter of time. Especially not after all the talk about it over the weekend and the guy behind it even confessing everything. Malicious search results about popular news is something we see very often unfortunately... So, unfortunately we're not surprised that this happened. As usual, get your news and information from sources you trust. Random Google searches can't be trusted.
Updated to add: Searching for "Mikeyy" also leads to malicious results."
(Screenshots available at the URL above.)

Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware
- http://ddanchev.blog...s-hijacked.html
April 15, 2009

:( :ph34r:

Edited by AplusWebMaster, 16 April 2009 - 06:10 AM.
Added Danchev link...




#116 AplusWebMaster


Posted 15 April 2009 - 06:44 AM

FYI...

New rogue: P Antispyware 09
- http://sunbeltblog.b...spyware-09.html
April 14, 2009 - "P Antispyware 09 is yet another rogue from WinSpywareProtect family of rogue security products."

New rogue: Antivirus'09
- http://sunbeltblog.b...-antivirus.html
April 15, 2009 - "Antivirus'09 is a new rogue security product. This rogue uses fake/scare scanner pages to trick users into downloading the rogue application."

(Screenshots available at both URLs above.)

:angry: :ph34r:



#117 AplusWebMaster


Posted 17 April 2009 - 06:24 PM

FYI...

Yet another Twitter worm
- http://www.f-secure....s/00001661.html
April 17, 2009 - "A new Twitter cross-site scripting worm is going around on Twitter. Just like the previous Twitter worms it talks about Mikeey... The malicious script itself is downloaded from 74.200.253.195*. Twitter is working on fixing the problem... Updated to add: Michael Mooney (Mikeey) confesses to writing this latest worm as well."
* http://centralops.ne...ainDossier.aspx
Queried whois.arin.net with "74.200.253.195"...
OrgName: FastServers, Inc.
OrgID: FASTS-1
Address: 175 W. Jackson Blvd
Address: Suite 1770
City: Chicago
StateProv: IL
PostalCode: 60604
Country: US ...

:angry: :ph34r:



#118 AplusWebMaster


Posted 19 April 2009 - 04:51 AM

FYI...

New rogue: AV Antispyware
- http://sunbeltblog.b...ntispyware.html
April 19, 2009 - "AV Antispyware is the latest rogue from WinSpywareProtect family of rogue security products... Sites Involved:
64.191.12.38 Av-antispyware com
195.88.81.74 Files scanner-antispy-av-files com
195.88.81.116 dl scan-antispy-4pc com
195.88.80.207 Int reporting32 com ..."

(Screenshot available at the URL above.)

:ph34r: :ph34r:



#119 AplusWebMaster


Posted 21 April 2009 - 05:38 AM

FYI...

Zango: The End
- http://www.vitalsecu.../zango-end.html
April 21, 2009 - "Zango Inc., the adware distributor fined $3 million by the Federal Trade Commission in 2006 for sneaking software onto people's PCs, has closed its doors after being acquired by video search engine company Blinkx PLC..."
- http://www.theregist...09/04/21/zango/
21 April 2009 - "... The end-game for Zango marks the end of the controversial adware business model. Other well known names in the field - including Claria (Gator), WhenU and DirectRevenue - ceased operations some time ago, leaving Zango as the last man standing."
- http://www.theregist...09/04/21/zango/
21 April 2009 "Updated... The adware maker was forced to pull down the shutters on its business after it was left unable to service its debts. Initially we, along with other news outlets, incorrectly reported that video search engine firm Blinkx had acquired Zango. In fact Blinkx has only bought a proportion of its assets from administrators. "The bank foreclosed on Zango and Blinkx purchased some technical assets from the bank, including some IP and hardware, which constituted about 10 per cent of Zango's total assets," a Blinkx spokeswoman explained..."

- http://sunbeltblog.b...go-is-dead.html
April 21, 2009

:thumbup:

Edited by AplusWebMaster, 21 April 2009 - 04:09 PM.
Added update from The Register...



#120 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 27 April 2009 - 01:09 PM

FYI...

Spam referencing Swine flu outbreak
- http://www.sophos.co...abs/v/post/4245
April 27, 2009 - "Predictably enough, today we started to see spam taking advantage of concerns around the current Swine Flu outbreak... In the campaign seen earlier today, the purpose of the spam is meds related. Anyone clicking on the link in the message is -redirected- to an all too familiar Canadian Pharmacy site..."
(Screenshots available at the URL above.)

- http://www.us-cert.g...ing_attacks_and
April 27, 2009

- http://blog.trendmic...b-through-spam/
Apr. 28, 2009 - (More screenshots...)

Spamvertised Swine Flu Domains
- http://ddanchev.blog...lu-domains.html
April 28, 2009 - "... Swine flu spamvertised domains (long list)... Happy blacklisting/cross-checking!"

:ph34r:

Edited by AplusWebMaster, 30 April 2009 - 04:13 AM.
Added TrendMicro link...

