SPAM frauds, fakes, and other MALWARE deliveries...

#1246 AplusWebMaster

Posted 01 August 2014 - 04:44 AM

FYI...

Fake NatWest SPAM - uses goo.gl links to spread malware
- http://blog.dynamoo....re-message.html
1 Aug 2014 - "This fake NatWest bank message uses the Goo.gl URL shortener to spread malware:

Screenshot: https://2.bp.blogspo...600/natwest.png

The link in the email goes to goo .gl/dGDi7l and then downloads a ZIP file from berkleyequine .com/wp-includes/images/Documents-43632.zip, containing a malicious executable Documents-43632.scr which has a VirusTotal detection rate of just 1/54*. The CAMAS** report shows that the malware calls out to the following URLs:
The characteristics of this malware are very similar to this one seen yesterday***, and you can be assured that there are other goo .gl URLs and download locations in addition to the one listed here... Google don't make it easy to report spammy links and they are awfully slow to respond to reports, but their reporting form is at goo.gl/spam-report if you want to try it...
Recommended blocklist:
"
* https://www.virustot...sis/1406886192/

** http://camas.comodo....25d38adb8372e48

*** http://blog.dynamoo....shortening.html

94.23.247.202: https://www.virustot...02/information/
___

Fake NYC Homicide Suspect SPAM - using goo .gl shortener to spread malware
- http://blog.dynamoo....de-suspect.html
1 Aug 2014 - "... This spam is slightly unusual..
    From:     ALERT@nyc.gov [ALERT@ static-23-106-230-77.ipcom.comunitel .net]
    Date:     1 August 2014 10:43
    Subject:     Homicide Suspect
    Bulletin Headline: HOMICIDE SUSPECT
    Sending Agency: New York City Police
    Sending Location: NY - New York - New York City Police
    Bulletin Case#: 14-10078
    Bulletin Author: BARILLAS #9075
    Sending User #: 94265
    APBnet Version: 287320
    The bulletin is a pdf file. To download please follow the link below (Google Disk Drive service):
    https ://goo .gl/RwNKEA ...


The link in the email is goo .gl/RwNKEA which goes to unionlawgroup .com/wp-content/images/Documents-43632.zip which is exactly the same payload as used in this spam*...
Blocking unionlawgroup .com is probably a good idea."
* http://blog.dynamoo....re-message.html

50.63.221.1: https://www.virustot....1/information/

- http://threattrack.t...de-suspect-spam
Aug 1, 2014
78.46.78.137: https://www.virustot...37/information/
___

Fake Payroll Received by Intuit – PDF malware
- http://myonlinesecur...ke-pdf-malware/
1 Aug 2014 - "Payroll Received by Intuit pretending to come from Intuit Payroll Services <IntuitPayrollServices@ payrollservices. intuit .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Dear [customer]
We received your payroll on August 01, 2014 at 09:00 AM EST.
Attached is a copy of your Remittance. Please click on the attachment in order to view it.
Please note the deadlines and status instructions below:
If your payroll is received BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the date received or on your paycheck date, whichever is later.
If your payroll is received AFTER 5 p.m., your employees will be paid three (3) banking days from the date received or on your paycheck date, whichever is later.
YOUR BANK ACCOUNT WILL BE DEBITED THE DAY BEFORE YOUR CHECKDATE.
Funds are typically withdrawn before normal banking hours so please make sure you have sufficient funds available by 12 a.m. on the date funds are to be withdrawn.
Intuit must receive your payroll by 5 p.m., two banking days before your paycheck date or your employees will not be paid on time.
Intuit does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Sincerely,
Intuit Payroll Services...


1 August 2014: Remittance.zip (10kb): Extracts to Remittance.scr
Current Virus total detections: 5/52* ... This Payroll Received by Intuit is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1406908230/

Payroll Received by Intuit
- https://security.int...alert.php?a=109
8/1/14 - "... receiving -fake- emails with the title 'Payroll Received by Intuit'..."
___

Fake Corporate eFax SPAM ...
- http://blog.dynamoo....-unknown-3.html
1 Aug 2014 - "This somewhat mangled spam has a malicious attachment:
    Date:      Fri, 1 Aug 2014 09:45:45 -0700 [12:45:45 EDT]
    From:      eFax Corporate [message@ inbound .efax .com]
    Subject:      Corporate eFax message from "unknown" - 3 page(s)
    You have received a 3 page fax             at 2014-08-01 10:55:05. * The
    reference number for this fax is p2_did1-4724072401-8195088665-159.       Thank you for
    using the eFax Corporate service!        2014 j2 Global, Inc. All rights reserved. eFax
    Corporate is a registered trademark of j2 Global, Inc. This account is subject to the
    terms listed in the  eFax Corporate Customer Agreement. 


Attached is an archive file Fax_912_391233111_941.zip which in turn contains a malicious executable Fax_912_391233111_941.scr which has a VirusTotal detection rate of 10/54*. The Comodo CAMAS report** shows the malware reaching out to the following locations:
94.23.247.202 /0108us1/SANDBOXA/0/51-SP2/0/
94.23.247.202 /0108us1/SANDBOXA/1/0/0/
theyungdrungbon .com/wp-includes/images/0108us1.zip
101romanticcheapdates .com/wp-includes/images/0108us1.zip
Recommended blocklist:
94.23.247.202
theyungdrungbon .com
101romanticcheapdates .com
"
* https://www.virustot...sis/1406919623/

** http://camas.comodo....aaa2239c5d4c58d

94.23.247.202: https://www.virustot...02/information/
___

Fake Googlebots increasingly used to launch DDoS Attacks
- http://atlas.arbor.n...index#683046610
Elevated Severity
31 Jul 2014 - "Spoofed Googlebots, Google's search bot software, are increasingly being used to launch application-layer DDoS attacks.
Analysis: The fake Googlebots have also been observed scraping sites, sending spam, and hacking as well. These bots could prove an effective tool, as even well-protected companies with appropriate blocking rules still allow for Google. However, the fake Googlebots are easily identified, as legitimate Googlebots come from a predetermined IP address range. [ http://threatpost.co...ack-tool/107317 ] "
 

:ph34r:  <_<


Edited by AplusWebMaster, 01 August 2014 - 03:41 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
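The Arbor note above says forged Googlebots are easy to spot because real ones come from known addresses. Google's own documented check is a reverse DNS lookup on the client IP (the hostname must end in googlebot.com or google.com) followed by a forward lookup of that hostname that must return the same IP. Added example, not code from the thread or any quoted blog: the IPs, PTR records and log lines are constructed, and the live_* functions are optional wrappers over the standard socket module for real lookups.

```python
"""Forward-confirmed reverse DNS check for requests claiming to be Googlebot.
Constructed lookup tables stand in for DNS so the example runs offline."""
import ipaddress
import socket

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def looks_like_googlebot(user_agent):
    """True when the User-Agent string claims to be Googlebot."""
    return "googlebot" in user_agent.lower()


def verify_googlebot(ip, reverse_lookup, forward_lookup):
    """Return (verified, reason).
    reverse_lookup(ip) -> PTR hostname or None
    forward_lookup(host) -> set of IP strings the hostname resolves to"""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False, "not an IP address"
    host = reverse_lookup(ip)
    if not host:
        return False, "no PTR record"
    host = host.rstrip(".").lower()
    if not host.endswith(GOOGLE_SUFFIXES):
        return False, "PTR %s is not under a Google domain" % host
    # A PTR record is controlled by whoever owns the IP's reverse zone, so it
    # can be forged; the forward lookup must agree before we trust it.
    if ip not in forward_lookup(host):
        return False, "forward lookup of %s does not return %s" % (host, ip)
    return True, "PTR %s forward-confirmed" % host


def triage_requests(log_lines, reverse_lookup, forward_lookup):
    """Classify constructed access-log lines of the form 'ip "user-agent"'
    as 'verified', 'spoofed' or 'not-a-bot'."""
    result = {}
    for line in log_lines:
        ip, _, ua = line.partition(" ")
        ua = ua.strip().strip('"')
        if not looks_like_googlebot(ua):
            result[ip] = "not-a-bot"
            continue
        ok, _ = verify_googlebot(ip, reverse_lookup, forward_lookup)
        result[ip] = "verified" if ok else "spoofed"
    return result


# Constructed DNS data (documentation-range IPs, not real Google addresses).
PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",
    "198.51.100.7": "crawl-192-0-2-10.googlebot.com.",  # forged PTR; forward lookup disagrees
    "203.0.113.5": "vps-203-0-113-5.example.net.",
}
A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"}}


def fake_reverse(ip):
    return PTR.get(ip)


def fake_forward(host):
    return A.get(host, set())


def live_reverse(ip):
    """Real PTR lookup via the socket module (network access required)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(host):
    """Real A-record lookup via the socket module (network access required)."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except socket.gaierror:
        return set()


# Constructed log lines: one genuine crawler, one forged PTR, one plain spoof, one browser.
LOG = [
    '192.0.2.10 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.5 "Googlebot/2.1"',
    '203.0.113.9 "Mozilla/5.0 Firefox/31.0"',
]

if __name__ == "__main__":
    for ip, verdict in triage_requests(LOG, fake_reverse, fake_forward).items():
        print(ip, verdict, verify_googlebot(ip, fake_reverse, fake_forward)[1])
```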



#1247 AplusWebMaster

Posted 04 August 2014 - 08:06 AM

FYI...

Fake "Sup" snowshoe SPAM - from 208.71.174.32/27
- http://blog.dynamoo....8711743227.html
4 Aug 2014 - "Here's a strange spam I've been tracking for a couple of days:
    Date:      Sun, 03 Aug 2014 20:56:48 -0700 [08/03/14 23:56:48 EDT]
    From:      Olive [olive@ platesat .us]
    Subject:      Sup ...


The "IMG" is invalid and shows a placeholder.. making you think that it is broken, but in fact it is triggering the "unsubscribe" link in the email. So.. the email automatically unsubscribes its victims? Not exactly. A look at the root directory of www .gonename .us (143.95.38.234 = petyrbaelish .asmallorange .com)... The presence of unsubscribe.dat and unsubscribe.php is a characteristic of Maxprog MaxBulk Mailer which like all mailing list applications can be used for good or evil. MaxBulk Mailer does have an unsubscribe option which stores names in the unsubscribe.dat file (hardly secure, I know), and what appears to be happening in this case is the HTML has been altered slightly to make -everyone- unsubscribe... At the time of writing, over 6800 email addresses have been validated for further spamming, a number that is increasing quite rapidly. Emails are held in plaintext and can be harvested by anyone... No doubt the people who opened this email can look forward to a whole set of additional spam in their inboxes. All the sending IPs are in the 208.71.174.32/27 range (Network Data Center Host Inc, US). Each IP has a .us domain hosted on it, but the WHOIS details for each domain appear to be -fake- . This attack started last week with a different range of sending addresses in the 188.165.94.176/28 (OVH, France / VertVPS, Canada) range sending victims to a spamvertised site of www .morehex .us which was configured in the same way. All those sites have now been -suspended- . Email subjects in that case were:
What's up?
Hey Sister
G'day

Whoever is running these spam servers has taken enormous pains to hide their identity, and they are also well-resourced enough to be able to rent server farms for a short period until they get terminated... Looking more deeply into the /27 also yields some more domains, all of which have fake or anonymous WHOIS details..
Recommended blocklist:
208.71.174.32/27
gonename .us
"
(More detail at the dynamoo URL above.)
___

Fake BoA SPAM leads to Cryptowall
- http://blog.dynamoo....ments-spam.html
4 Aug 2014 - "This -fake- BofA spam has a malicious payload:
    Date:      Mon, 4 Aug 2014 19:57:07 +0800 [07:57:07 EDT]
    From:      Andrea Talbot [Andrea.Talbot@ bofa .com]
    Subject:      RE: Important Documents
    Please check attached documents regarding your Bofa account.
    Andrea Talbot
    Bank Of America
    817-298-4679 office
    817-180-2340 cell Andrea.Talbot@ bofa .com ...


Attached to the message is an archive AccountDocuments.zip which in turn contains the malicious executable AccountDocuments.scr which has a VirusTotal detection rate of 6/54* and the comments indicate that this is a variant of Cryptowall. The Comodo CAMAS report shows that it phones home..
Recommended blocklist:
94.23.247.202
dirbeen .com
ibuildchoppers .com
"
* https://www.virustot...sis/1407179338/

** http://camas.comodo....26880519e2b2f6f

94.23.247.202: https://www.virustot...02/information/
___

Fake IRS SPAM – 'Fiscal Activity 71363' .doc malware
- http://myonlinesecur...rd-doc-malware/
4 Aug 2014 - "IRS Notification – Fiscal Activity 71363. pretending to come from International Taxpayer Service <lhopkins@ wm .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... current bunch of malwares being spread by attempting to use  a genuine Word Doc with an embedded macro. This one, once again tries to contact http ://moviebernie1996 .ru/u.exe  and download the zbot which has a current virus total detection rate of 5/54*. If you still use an older version of Microsoft Word, then you are at risk of being infected by this. Modern versions, that is 2010 and 2013 have macros disabled by default and are set to display in read only mode by default... aimed at US tax payers who are living or working in UK, because the Address and phone number in the email belong to the American Embassy in London:
> http://www.irs.gov/s...ts/img/logo.png
Here is a report on your early 2014 Federal Tax return report.
Kindly download the attachment to view your report and start
filling for 2014 return as early as second week of July.
Thanks
Internal Revenue Service
24/31 Grosvenor Square
London W1K 6AH
United Kingdom
Tel.Fax.: [44] (207) 672-2808 ...


4 August 2014: Fiscal Activity.Doc  Current Virus total detections: 7/52*
This IRS Notification – Fiscal Activity 71363. is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper word file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407132830/
___

Fake BT Digital SPAM
- http://blog.dynamoo....-file-spam.html
4 Aug 2014 - "This -fake- BT spam has a malicious attachment:

Screenshot: https://1.bp.blogspo...gital-vault.png

The attachment is BT_Digital_Vault_File.zip which contains a malicious executable BT_Digital_Vault_File.exe which has a VirusTotal detection rate of 5/54*... Comodo CAMAS report** ...
Recommended blocklist:
"
* https://www.virustot...sis/1407158959/

** http://camas.comodo....a7efd53c296ada8

94.23.247.202: https://www.virustot...02/information/
___

Fake Invoice 2014080420 SPAM
- http://blog.dynamoo....80420-spam.html
4 Aug 2014 - "This spam has a malicious attachment:
    Date:      Mon, 04 Aug 2014 20:29:43 +0900 [07:29:43 EDT]
    From:      Accounts Dept [tolvan.rover@ btinternet .com]
    Subject:      Invoice 2014080420 dynamoo
    This email contains an invoice file for June 2014 - July 2014. Please pay invoice in full in 3 business days and reply to us...


There is an attachment INV_2014080420.zip containing a folder invoice_june2014-july2014.xls which in turn contains a malicious executable invoice_june2014-july2014.xls.scr which has a VirusTotal detection rate of 6/52*. Automated analysis tools are inconclusive..."
* https://www.virustot...sis/1407159727/
___

Backdoor Techniques in Targeted Attacks
- http://blog.trendmic...rgeted-attacks/
Aug 4, 2014 - "Backdoors are an essential part of targeted attacks, as they allow an external threat actor to exercise control over any compromised machines. These allow the threat actor to collect information.. various targeted attacks have showed that a wide variety of tactics are used by backdoors to carry out their routines, as well as remain -undetected- by network administrators and security products... Using free services for C&C functions is not new; we noted just recently how Dropbox was being used in a similar way...  resources to help deal with targeted attacks can be found in our targeted attacks hub*."
* http://about-threats...rgeted-attacks/
___

Fake IRS e-Help Desk Spam
- http://threattrack.t...-help-desk-spam
Aug 4, 2014 - "Subjects Seen:
    E-mail Receipt Confirmation - Ticket#SD3784695
Typical e-mail details:
    The IRS e-help Desk has received your email on 06/20/14. A case has been opened in response to your question or issue.
    Your case ID is : SD3784695
    Details about this case has been attached.
    If additional contact is necessary, please reference this case ID.
    You will receive a reply within two business days.
    Thank you for contacting the IRS e-help Desk...


Malicious File Name and MD5:
    SD08042014.scr (8AB01278965D09ACA5F2CE175756DB8C)
    SD3784695.zip (108D153B71D2E8C66A2FA54F13317E18)


Screenshot: https://gs1.wac.edge...md3R1r6pupn.png

Tagged: IRS, Upatre
___

Fake iTunes Order Acknowledgment Spam
- http://threattrack.t...owledgment-spam
Aug 4, 2014
"Screenshot: https://gs1.wac.edge...SCM11r6pupn.png
Subjects Seen:
    Order Number: W6269799
Typical e-mail details:
    Dear Apple Member,
    Thank you for shopping Apple.com. Please review your order details below and retain this email for your records. You will receive a shipping confirmation email once your order has shipped.
    For more information please check attached PDF invoice.


Malicious File Name and MD5:
    W6269799.scr (8AB01278965D09ACA5F2CE175756DB8C)
    W6269799.zip (1B14810142A86D7F2B63D4E23F586274)


Tagged: iTunes, Upatre
___

Phish: Booking .com
- http://blog.malwareb...-holiday-phish/
4 Aug 2014 - "... it contained all of their genuine hotel booking information for starters – and claimed to be sent from Booking .com, which happens to be the company they booked their stay through. The information included:
* Correct reservation dates
* Correct hotel name
* Personal information such as name, home address
* Correct invoice amount
The email didn’t stop there – it also asked for payment information (CVV number) and asked for a payment to be -wired- to (what appears to be) a bank in Poland (despite the hotel being in Spain). While it isn’t unusual for payments to show in one location when the hotel is in another – depending on how you do it or which third party you book through, you may find your cash wings its way to an entirely different location – it is a little unusual to see wiring money mentioned and this likely set off alarm bells. The scammers also asked for a scanned copy of the wire transfer deposit – this is often used in 419 / wire scams, because they’ll take the scan to the place where the money is sent and pretend to be the victim or a relative before wandering off with a tidy stack of notes. The outlook on this one right now seems to be that the hotel has been targeted in some way rather than the booking website, and likely involves social engineering. If you do have a trip planned and receive -emails- about -payments- , phone the hotel and / or booking agents -directly- instead of replying – as you can see, these mails are 100% accurate and will probably brush aside many “But what about…” -scam- flags recipients would ordinarily raise. Another type of email -scam- to steer clear of, then..."
___

Phish: Barclays - "Your account might be compromised"
- http://myonlinesecur...clays-phishing/
4 Aug 2014 - "Your account might be compromised pretending to come from Barclays Current Accounts <barclays@ securesuite .net> is one of a series of currently spreading emails that are intended to get your bank log in details. They ask you to open the attached zip & fill in the html form inside it. That of course will end up with you having your bank, credit card and email details -stolen- and used by criminals. -If- you fill in the form, it then sends you on to a genuine Barclays log in page, where you don’t realise that you have filled in a form & details were sent -elsewhere- ...
  Dear Customer,
We recently have determined that different computers have logged in your Barclays
account, and multiple password failures were present before the logons.
For your security we have temporary suspended your account.
Please download the document attached to this email and fill carefully.
If you do not restore your account by August 05, we will be forced to suspend
your account indefinitely, as it may have been used for fraudulent purposes.
Do not ignore this message is for your security.
We apologize for any inconvenience.
Yours sincerely,
Jessica M. Klaus,
IT Assistant,
Barclays Current Accounts...

 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 04 August 2014 - 08:08 PM.



#1248 AplusWebMaster


Posted 05 August 2014 - 05:55 AM

FYI...

Fake iTunes Order SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
5 Aug 2014 - "iTunes Order Number : W8057748 pretending to come from iTunes <store@apple.com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
iTunes Order Acknowledgment
Order Number: W8057748
Ordered on August 04, 2014
Dear Apple Member,
Thank you for shopping Apple.com. Please review your order details below and retain this email for your records. You will receive a shipping confirmation email once your order has shipped.
For more information please check attached PDF invoice...


5 August 2014: W8057748.zip (10kb): Extracts to W08042014.scr
Current Virus total detections: 25/54* . This iTunes Order Number : W8057748 is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407216005/

- http://threattrack.t...owledgment-spam
4 Aug 2014
Screenshot: https://gs1.wac.edge...SCM11r6pupn.png
___

Dyreza / Pushdo outbreak - QuickBooks, Dun & BradStreet and iTunes themed emails
- http://stopmalvertis...med-emails.html
5 Aug 2014 - "Yesterday we received several unsolicited emails appearing to be either from QuickBooks, Dun & BradStreet and iTunes. The emails respectively arrive with the subject line "Payment Overdue", "New Company Complaint - 4086489" and "Order Number: W0666513". All emails come with an attachment that the recipient is invited to open. Each file inside the ZIP archive poses as a -PDF- no matter what their file extension is. That’s why you need to make sure that Windows Explorer is configured to show file extensions and -never- trust a file by its icon. The first stage payload of each mail is -Upatre- , its unique objective is to load malware on the compromised computer. Although the executable is named differently, the Upatre payload of the QuickBooks invoice and the Dun & BradStreet complaint share the same MD5 hash. In every single case Upatre downloads Dyreza, a Trojan banker and the spambot Pushdo, a dropper for Cutwail. The Pushdo sample is identical in the three spam campaigns. The Dyreza sample from the iTunes campaign is different to the two other campaigns..."
___

Fake Order confirmation SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
5 Aug 2014 - "Order confirmation pretending to come from Scott Powell is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Attached is a list of items we have recently supplied that require the prices to be confirmed.
    Regards
    Scott Powell


5 August 2014  Order 9680748.zip (44kb) : Extracts to Order 2661788.exe
Current Virus total detections: 1/51* ... This Order confirmation is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407237866/
___

Fake Invoice June2014-July2014 SPAM
- http://blog.dynamoo....-july-2014.html
5 Aug 2014 - "This -spam- is very like this one*, but has a different payload:
    Date:      Tue, 05 Aug 2014 17:18:39 +0700 [06:18:39 EDT]
    From:      Accounts Dept [optique@ hotmail .com]
    Subject:      Invoice 20146308660 June 2014 - July 2014 dynamoo
    This email contains an invoice file for June 2014 - July 2014. Please pay invoice in full in 3 business days and reply to us.


Attached is an archive ID_20146308660.zip which contains a folder invoice__details_June-July.xls which in turn contains a malicious executable invoice__details_June-July.xls.scr which has a VirusTotal detection rate of just 2/54**. According to the CAMAS report***, the malware then downloads a further component... This second stage has a VirusTotal detection rate of 9/54****. Automated analysis tools are inconclusive..."
(Long 'Recommended blocklist' at the dynamoo URL above.)
* http://blog.dynamoo....80420-spam.html

** https://www.virustot...sis/1407242827/

*** http://camas.comodo....412a8fa791e997b

**** https://www.virustot...sis/1407244040/
___

Phish: Gumtree 'Account Locked' Scam
- http://www.hoax-slay...hing-scam.shtml
Aug 5, 2014 - "Email purporting to be from online buying and selling website Gumtree claims that your Gumtree account has been locked for security reasons and you must proceed with a verification process to restore access. The email is -not- from Gumtree. It is a phishing scam designed to trick you into giving your personal and financial information to Internet criminals.

Screenshot: http://www.hoax-slay...hing-scam-1.jpg

According to this email, which claims to be from online buying and selling portal Gumtree, your Gumtree account has been locked for security reasons. The email urges you to download a file to start a verification process that will restore account access... Clicking the link in the scam email will download a .zip file that contains a .html file. Clicking the .html file will open a -fake- Gumtree login page in your browser. -If- you enter your login details on the fake page, you may then be taken to a second page that asks you to provide address and ID information as well as credit card details... information submitted on the -bogus- webpages will be collected by criminals and used for financial fraud and identity theft. The criminals may also use the stolen information to hijack your Gumtree account and use it for further fraudulent activities..."
 

:ph34r:  <_<


Edited by AplusWebMaster, 05 August 2014 - 08:03 AM.



#1249 AplusWebMaster


Posted 06 August 2014 - 06:41 AM

FYI...

Fake email SPAM - Word Doc attachment malware
- http://myonlinesecur...rd-doc-malware/
6 Aug 2014 - "'Change in percent' pretending to come from mnmorgan@ tribune .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email addresses are either faked or belong to users with infected computers or servers, that various bots have compromised. Since posting this, I have received several other copies of the -malware- email from different senders and all with different names and phone numbers in the body... once again a genuine word doc with an embedded macro that acts as a downloader to download a full blown zbot from http ://bernisuperfilm .ru/uupdate2.exe*  which has a current virus total detection rate of 3/54** ... Office 2010 and Office 2013 have macros disabled by default and are set to display in read only mode by default. That -stops- any -macros- or embedded programs from running... Email reads:
    Hi [redacted]
    Yield reduced. We ask you for information to the attached document to pass to your superiors.
    Riojas Imelda
    Tel./Fax.: +44 171 6825484


6 August 2014: Information.zip : Extracts to  Information.doc
Current Virus total detections: 2/44*** ... accidentally open it and be infected...."
* 77.28.100.73: https://www.virustot...73/information/

** https://www.virustot...sis/1407273243/

*** https://www.virustot...sis/1407295528/
___

Fake 'Benefit Elections' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
6 Aug 2014 - "'Benefit Elections' pretending to come from Landon.Carter@ adp .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Please review the attached CBE form, If you require changes to the options shown, please contact me right away so that we may address your concerns. We will record your elections in our system and provide you a final Client Confirmation Statement for your review.
    Please sign and send it back.
    Regards,
    ADP TotalSource Benefits Team


6 August 2014 : CBEform.zip ( 8kb) : Extracts to CBEform.exe
Current Virus total detections: 0/54* ... This 'Benefit Elections' is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407339197/
___

Fake Companies House SPAM
- http://blog.dynamoo....20571-spam.html
6 Aug 2014 - "This -fake- Companies House spam has a malicious attachment:
    Date:      Wed, 6 Aug 2014 19:45:59 +0700 [08:45:59 EDT]
    From:      Companies House [WebFiling@ companieshouse .gov .uk]
    Subject:      RE: Case 4620571
    The submission number is: 4620571
    For more details please check attached file.
    Please quote this number in any communications with Companies House.
    All Web Filed documents are available to view / download for 10 days after their
    original submission. However it is not possible to view copies of accounts that
    were downloaded as templates.
    Companies House Executive Agency may use information it holds to prevent
    and detect fraud. We may also share such information, for the same purpose,
    with other Organizations that handle public funds...


Attached is a file Case_4620571.zip which in turn contains a malicious executable Case_4620571.scr which has a VirusTotal detection rate of 11/53*. Automated analysis tools... show that the malware reaches out to... locations which are good candidates for blocking:
64.191.43.150
94.23.247.202
feelgoodframesstore .com
beeprana .com
upscalebeauty .com
"
* https://www.virustot...sis/1407338507/

94.23.247.202: https://www.virustot...02/information/
___

US-based Tech Support SCAMS ...
- http://blog.malwareb...-support-scams/
Aug 6, 2014 - "... last month, we stumbled upon -fake- warning pages urging users to call a number for ‘emergency tech support’. When we rang the number, we were surprised to hear that the technician sounded American. It turned out that their company was based in ‘the sunshine state’ of Florida, USA... The following are fraudulent sites that display a warning message and play -sound- effects with the goal of scaring the user and making them believe that their computer is infected:
> http://cdn.blog.malw...aredwarning.png
...
> http://cdn.blog.malw.../othererror.png
... There is an ongoing and strong affiliate campaign pushing these warnings. You may come across them as you are browsing the net...
A -bogus- sales pitch: Upon seeing the warning message, many people may feel as though there is really something wrong with their machine. In fact, the pages themselves are designed in such a way that you cannot close them by clicking the ‘X’. Instead you need to forcefully ‘kill’ the browser either via TaskManager or other Windows utilities. Those who take the bait will call the 1-800 number to speak with a technician and this is where their real troubles begin. The warning page is essentially a launchpad for the technician to talk about online threats, giving examples of recent attacks and eventually scare the user... This is -not- true of course. Microsoft has stated many times that “You will -never- receive a legitimate call from Microsoft or our partners to charge you for computer fixes*”.
* http://www.microsoft...hone-scams.aspx
... US-based companies are much less likely to cold-call people because of the risks of getting caught, not to mention the fact that this practice has such a bad reputation...
> http://cdn.blog.malw...014/07/flag.png
... The technician was friendly, spoke proper English and the work was done in a timely and efficient manner. But, what these victims may not see and what we decided to expose here, is how some dishonest tech support companies have trained their staff to fabricate lies in order to -scare- their prospect customers into paying a lot of money for a service they may actually -not- need. At the end of the day, this is a tough issue because there are a lot of people out there (especially the elderly) that do need some assistance with their computers and often don’t have many options to get it. If they look for it online, chances are that they will get ripped off..."
(More detail at the malwarebytes URL at the top.)
___

Revenue and Customs Notice Spam
- http://threattrack.t...reported-income
Aug 6, 2014 - "Subjects Seen:
    Notice of Underreported Income
Typical e-mail details:
    Taxpayer ID: ufwsd-000005925000UK
    Tax Type: Income Tax
    Issue: Unreported/Underreported Income (Fraud Application)
    Please review your tax income statement on HM Revenue and Customs ( HMRC )
    Please complete the attached form
    HM Revenue and Customs


Malicious File Name and MD5:
    ufwsd-000004421455UK.scr (A888BD28BE24D6A59D132B66E5E1AEBB)
    ufwsd-000005925000UK.zip (33809621F99D44BEBC07E7D9B2D092C9)


Screenshot: https://gs1.wac.edge...TNKT1r6pupn.png

Tagged: HMRC, Upatre
___

Hacks amass over a Billion internet passwords
- http://www.nytimes.c...redentials.html
Aug 5, 2014 - "A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses..."
- https://isc.sans.edu...l?storyid=18487
2014-08-06 - "Some of it may be hype. But no matter if 500 Million, 1.5 Billion or even 3.5 Billion passwords have been lost... given all the password leaks we had over the last couple years it is pretty fair to assume that at least -one- of your passwords has been compromised at some point..."
- http://krebsonsecuri...email-accounts/
6 Aug 2014 - "... Q: Should I be concerned about this? A: ... If you are the type of person who re-uses passwords at multiple sites — including email accounts — then the answer is yes. If you re-use your email password at another site and that other site gets -hacked- there is an excellent chance that cyber crooks are plundering your inbox and using it to spam your friends and family to spread malware and to perpetuate the cybercrime food chain... Your email account may be worth far more than you imagine:
> http://krebsonsecuri...E-1-600x333.jpg
 

:ph34r:  <_<


Edited by AplusWebMaster, 06 August 2014 - 07:48 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1250 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 06 August 2014 - 04:15 PM

FYI...

FireEye and Fox-IT - free keys designed to unlock systems infected by CryptoLocker
>> https://www.decryptcryptolocker.com/
Aug 6, 2014 - "Please provide your email address [1] and an encrypted file [2] that has been encrypted by CryptoLocker. This portal will then email you a master decryption key along with a download link to our recovery program that can be used together with the master decryption key to repair all encrypted files on your system.
- Please note that each infected system will require its own unique master decryption key. So in case you have multiple systems compromised by CryptoLocker, you will need to repeat this procedure per compromised system.
- Notes:
[1] Email addresses will not be used for marketing purposes, nor will they be in any way stored by FireEye or Fox‑IT.
[2] You should only upload encrypted files that do not contain any sensitive or personally identifiable information..."

- http://www.fireeye.c...decryption.html
Aug 6, 2014
- http://www.fireeye.c.../08/crypto2.png

- https://www.fox-it.c...locker-victims/
6 Aug 2014
 

:thumbup:


Edited by AplusWebMaster, 06 August 2014 - 05:43 PM.



#1251 AplusWebMaster


Posted 07 August 2014 - 05:46 AM

FYI...

Fake CDS invoice SPAM
- http://blog.dynamoo....voice-spam.html
7 Aug 2014 - "This spam email pretends to be from the CDS Group. CDS are a wholly legitimate company and are NOT sending these emails, and their computer systems have NOT been compromised. However, the emails do contain a malicious attachment and should be deleted... CDS have a notice about these emails on their site*. This is a sample email:

Screenshot: https://3.bp.blogspo...0/s1600/cds.png

Attached is an archive file CDS_241-28195.zip which contains a folder invoice_cdsgroup_799543.xls which in turn contains a malicious executable invoice_cdsgroup_799543.xls.scr which has a very low detection rate at VirusTotal of 3/54**. Automated analysis tools are inconclusive at the moment..."
* http://www.cdsgroup....yber-crime.html

** https://www.virustot...sis/1407408295/

- http://threattrack.t...ds-invoice-spam
Aug 7 2014
- https://gs1.wac.edge...05XI1r6pupn.png
Tagged: cds, Lerspeng
___

Vawtrak sites to block
- http://blog.dynamoo....s-to-block.html
7 Aug 2014 - "I found these domains and IPs today while investigating a machine apparently infected with Vawtrak* (aka Tepfer), most of them seem to be active:
http ://80.243.184.239 /posting.php
http ://80.243.184.239 /viewforum.php
http ://146.185.233.97 /posting.php
http ://146.185.233.97 /viewforum.php
http ://ipubling .com/posting.php
http ://ipubling .com/viewforum.php
http ://magroxis .com/posting.php
http ://magroxis .com/viewforum.php
http ://maxigolon .com/viewforum.php
http ://terekilpane .com/viewforum.php
Some of these domains are associated with the email address ctouma2@ gmail .com. You could block the sites individually, but because the sites are not isolated, I would personally recommend using the following blocklist:
146.185.233.0/24
80.243.184.224/27

The 146.185.233.0/24 range is allocated to "Cherepanova" in Russia. 80.243.184.224/27 is Redstation in the UK."
* http://about-threats...KDR_VAWTRAK.YZY
 

:ph34r:  <_<


Edited by AplusWebMaster, 07 August 2014 - 08:54 AM.

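The Vawtrak write-up above hands out indicators in the defanged form these blogs use ("http ://", "ipubling .com") plus two CIDR blocks, and the RBS/Resume reports earlier in the thread add single IPs such as 94.23.247.202. As an added example (this is not code from the thread or from the quoted blogs), the Python below turns those quoted lines back into usable hosts, checks that each observed IP really falls inside the recommended ranges, and merges single IPs and ranges into one deduplicated blocklist. The sample lines are the Vawtrak indicators as quoted in the post; the helper names are my own.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Matches the defanged schemes used in the quoted reports: "http ://", "hxxp ://", "https ://".
SCHEME_RE = re.compile(r"^h(?:xx|tt)ps?\s*:\s*//\s*", re.IGNORECASE)


def refang(line: str) -> str:
    """Undo the defanging style of the quoted reports:
    'hxxp ://', 'http ://', 'example .com', 'user@ example .com', 'host /path'."""
    s = SCHEME_RE.sub("", line.strip())
    return s.replace(" .", ".").replace(" /", "/").replace("@ ", "@")


def host_of(indicator: str) -> str:
    """Hostname or IP literal of a (possibly defanged) URL, without path or port."""
    return refang(indicator).split("/", 1)[0].split(":", 1)[0]


def split_indicators(lines) -> Tuple[List[str], List[str]]:
    """Separate the hosts in a report into IP literals and domain names
    (deduplicated, first-seen order kept)."""
    ips: List[str] = []
    domains: List[str] = []
    for line in lines:
        host = host_of(line)
        try:
            ipaddress.ip_address(host)
            bucket = ips
        except ValueError:
            bucket = domains
        if host not in bucket:
            bucket.append(host)
    return ips, domains


def coverage(ips, blocklist) -> Dict[str, List[str]]:
    """For each observed IP, the blocklist entries (single IPs or CIDR ranges) that contain it.
    An empty list means the recommended blocklist would miss that host."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in blocklist]
    return {ip: [str(n) for n in nets if ipaddress.ip_address(ip) in n] for ip in ips}


def consolidate(entries) -> List[str]:
    """Merge single IPs and ranges into the smallest equivalent set of CIDR blocks,
    dropping duplicates and anything already covered by a wider range."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed sample: the Vawtrak indicators exactly as the post quotes them (defanged).
SAMPLE_LINES = [
    "http ://80.243.184.239 /posting.php",
    "http ://80.243.184.239 /viewforum.php",
    "http ://146.185.233.97 /posting.php",
    "http ://ipubling .com/posting.php",
    "http ://magroxis .com/viewforum.php",
    "http ://maxigolon .com/viewforum.php",
]
# The blocklist recommended in the same post.
SAMPLE_BLOCKLIST = ["146.185.233.0/24", "80.243.184.224/27"]

if __name__ == "__main__":
    ips, domains = split_indicators(SAMPLE_LINES)
    for ip, hits in coverage(ips, SAMPLE_BLOCKLIST).items():
        print(ip, "covered by", hits or "NOTHING")
    print("domains to sinkhole:", domains)
    # Folding in the single IP that recurs in the other reports of this thread.
    print("consolidated:", consolidate(SAMPLE_BLOCKLIST + ips + ["94.23.247.202"]))
```

The /27 covers 80.243.184.224 through .255, so the .239 host observed in the post sits inside it; the coverage check is the thing to run before trusting any hand-written range, because a typo in the prefix length silently leaves hosts unblocked.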


#1252 AplusWebMaster


Posted 08 August 2014 - 04:56 AM

FYI...

Fake RBS SPAM
- http://blog.dynamoo....93549-spam.html
8 Aug 2014 - "This fake RBS spam has a malicious attachment:
    Date:      Thu, 24 Jul 2014 09:33:37 GMT [07/24/14 05:33:37 EDT]
    From:      Annie Wallace[Annie.Wallace@ rbs .co.uk]
    Subject:      RE: Incident IM03393549
    Good Afternoon ,
    Attached are more details regarding your account incident. Please extract the attached
    content and check the details.
    Please be advised we have raised this as a high priority incident and will endeavour to
    resolve it as soon as possible. The incident reference for this is IM03393549.
    We would let you know once this issue has been resolved, but with any further questions
    or issues, please let me know.
    Kind Regards, ...


The attachment is IM03393549.zip containing a malicious executable IM008082014.scr which has a VirusTotal detection rate of 15/42*. The CAMAS report** shows that the malware connects to the following locations to download additional components:
94.23.247.202/n0808uk/SANDBOXA/0/51-SP2/0/
94.23.247.202/n0808uk/SANDBOXA/1/0/0/
quesoslaespecialdechia .com/Scripts/n0808uk.zip
energysavingproductsinfo .com/wp-content/uploads/2014/08/n0808uk.zip
The exact nature of the malware is not known, but it is most likely a banking Trojan or Cryptowall.
Recommended blocklist:
94.23.247.202
quesoslaespecialdechia .com
energysavingproductsinfo .com
"
* https://www.virustot...sis/1407490764/

** http://camas.comodo....4663b54ab14b0a3
___

Fake Resume SPAM - malicious attachment
- http://blog.dynamoo....attachment.html
8 Aug 2014 - "This terse spam is malicious:
    Date:      Fri, 8 Aug 2014 05:57:02 +0700 [08/07/14 18:57:02 EDT]
    From:      Janette Sheehan [Janette.Sheehan@linkedin.com]
    Subject:      FW: Resume
    Attached is my resume, let me know if its ok.
    Thanks,
    Janette Sheehan


Attached is an archive Resume.zip which in turn contains a malicious executable Resume.scr. This has a VirusTotal detection rate of 24/54*. The CAMAS report** shows that the malware attempts to phone home to the following locations:
94.23.247.202 /0708stat/SANDBOXA/0/51-SP2/0/
94.23.247.202 /0708stat/SANDBOXA/1/0/0/
hngdecor .com/wp-content/uploads/2013/10/cw2800.zip
welfareofmankind .com/underconst/css/cw2800.zip
Recommended blocklist:
94.23.247.202
hngdecor .com
welfareofmankind .com
"
* https://www.virustot...sis/1407493005/

** http://camas.comodo....58b27ebf5a55d5b

94.23.247.202: https://www.virustot...02/information/
___

Fake HMRC tax SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
7 Aug 2014 - "HMRC taxes application with reference 4DEW NASM CBCG RC6 received pretending to come from noreply@ taxreg .hmrc .gov .uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    The application with reference number 4DEW NASM CBCG RC6 submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
    The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
    Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.


7 August 2014: 4DEW NASM CBCG RC6.zip (8kb) Extracts to 4DEW NASM CBCG RC6.scr
Current Virus total detections: 0/54* . This HMRC taxes application with reference 4DEW NASM CBCG RC6 received is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407447014/
___

AmericanExpress - PHISH
- http://blog.dynamoo....rn-on-your.html
8 Aug 2014 - "This -fake- AmEx spam appears to lead to a phishing site on multiple URLs:

Screenshot: https://3.bp.blogspo.../amex-phish.png

In this case the link goes to a phishing site... but there seem to be a bunch of them at the moment... IPs in use are:
91.219.29.35 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
188.240.32.75 (SC CH-NET SRL, Romania)
I recommend blocking these IPs:
91.219.29.35
188.240.32.75
"

91.219.29.35: https://www.virustot...35/information/

188.240.32.75: https://www.virustot...75/information/

- http://myonlinesecur...e-key-phishing/
8 Aug 2014
___

Fake e-on energy SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
8 Aug 2014 - "e-on energy Unable to process your most recent bill payment pretending to come from E ON Energy <noreply@ eonenergy .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
... Dear customer,
This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.
Please check attached file for more detailed information on this transaction.
IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.
If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.
We apologize for any inconvenience this may cause.


8 August 2014: e-ON-Energy-Bill.zip (15kb) : Extracts to e-ON-Energy-Bill.exe
Current Virus total detections: 7/54* . This e-on energy Unable to process your most recent bill payment is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407509103/
 

:ph34r:  <_<


Edited by AplusWebMaster, 08 August 2014 - 10:08 AM.

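Nearly every report in this post ends with the same advice: turn on "show known file extensions", because the .scr or .exe inside the zip wears a PDF icon, and the CDS report earlier in the thread adds the variant where the archive holds a folder named like a spreadsheet with the .xls.scr inside it. As an added example (not code from the thread or from the quoted blogs), the Python below applies those checks to a zip attachment before anyone double-clicks it: executable extensions, document-then-executable double extensions, folders named like documents, and Office formats that can carry a macro. The archive it scans is constructed in the block from file names quoted in this thread and holds placeholder bytes only; the function names are my own.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions Windows runs as programs or scripts even when the file shows a
# document icon; .scr (screensaver) is the one the quoted reports see most.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "cpl", "msi"}
# Document and image extensions attackers put in front of the real one (invoice.xls.scr).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}
# Formats that can carry a VBA macro; flagged for review, not as malicious outright.
MACRO_EXTS = {"doc", "xls", "docm", "xlsm", "pptm", "dotm"}


def classify(name: str) -> Tuple[str, str]:
    """Verdict ('malicious', 'review' or 'ok') and reason for one file name."""
    base = name.rstrip("/").rsplit("/", 1)[-1]      # last path component only
    parts = base.lower().split(".")
    if len(parts) < 2:
        return ("ok", "no extension")
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            return ("malicious", f"double extension .{parts[-2]}.{ext}")
        return ("malicious", f"executable extension .{ext}")
    if ext in MACRO_EXTS:
        return ("review", f".{ext} may contain a macro")
    return ("ok", f".{ext}")


def inspect_zip(data: bytes) -> List[Tuple[str, str, str]]:
    """Scan an attachment archive; return (member, verdict, reason) for every member not 'ok'.
    Only names are examined, so nothing in the archive is extracted or executed."""
    findings: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                # A folder named like a document hides the real payload one level down.
                folder = info.filename.rstrip("/").rsplit("/", 1)[-1]
                if "." in folder and folder.rsplit(".", 1)[-1].lower() in DOCUMENT_EXTS:
                    findings.append((info.filename, "review", "folder named like a document"))
                continue
            verdict, reason = classify(info.filename)
            if verdict != "ok":
                findings.append((info.filename, verdict, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample using the member names quoted in the CDS, Resume and
    PurelyGadgets reports; contents are harmless placeholder bytes, not the real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_cdsgroup_799543.xls/", b"")
        zf.writestr("invoice_cdsgroup_799543.xls/invoice_cdsgroup_799543.xls.scr", b"MZ placeholder")
        zf.writestr("Resume.scr", b"MZ placeholder")
        zf.writestr("Bestellen.Doc", b"placeholder")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict, reason in inspect_zip(build_sample_zip()):
        print(f"{verdict:9} {member}  ({reason})")
```

The name-based check is deliberately conservative: it never opens the members, so it is safe to run on quarantined mail, and a "review" verdict on a .doc is exactly the case the PurelyGadgets report describes, a genuine Word file whose macro is the payload.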


#1253 AplusWebMaster


Posted 11 August 2014 - 12:04 PM

FYI...

Fake BoA SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Aug 2014 - "Bank of America Alert: A Check Exceeded Your Requested Alert Limit pretending to come from Bank of America Alert <onlinebanking@ ealerts.bankofamerica .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:
Activity Alert
A check exceeded your requested alert limit
We’re letting you know a check written from your account went over the limit you set for this alert.
For more details please check attached file
Amount:     $32,095.35
Check number:     00000006756
Transaction date:     08/11/2014
You can sign in to Online or Mobile Banking to review this activity...
Security Checkpoint
To confirm the authenticity of messages from us, always look for this Security Checkpoint.
Remember: Always look for your SiteKey® before entering your Passcode. We’ll ask you for your Online ID and Passcode when you sign in.
This is a service email from Bank of America. Please note that you may receive service emails in accordance with your Bank of America service agreements..


11 August 2014: report081114_6897454147412.zip(10kb) : Extracts to report081114_6897454147412.exe
Current Virus total detections: 2/54* ... This Bank of America Alert: A Check Exceeded Your Requested Alert Limit is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407773230/
___

Citi Corp Spam
- http://threattrack.t...n-approved-spam
Aug 11, 2014 - "Subjects Seen:
    RE: Application Approved
Typical e-mail details:
    Your documents are ready , please sign them and email them back.
    Thank you
    Henri Foley
    Level III Account Management


Malicious File Name and MD5:
    application _apprd_93447836734346.exe  (CAD7B09903F7646EC37E4014DD6E70E4)
    application _apprd_93447836734346.zip (0B4A28D6737B9E27E7BF5B98DBBE6B84)


Screenshot: https://gs1.wac.edge...GBaE1r6pupn.png

Tagged: Citi, Upatre
___

Public Wi-Fi is safe?? ...
- http://nakedsecurity...safe-seriously/
11 Aug 2014 - "... most people still don't understand the potential dangers of public and/or free Wi-Fi, despite doom and gloom headlines about the dangers, which include these:
- A US trio who attacked companies by wardriving - i.e., driving around, scanning for poorly protected wireless networks. Between that and breaking in to install keyloggers, they bilked companies of a total of $3 million (£1.8 million).
- An unsecured Wi-Fi home connection that led to a heavily-armed police SWAT team raiding the wrong home, including breaking down the door of a house, smashing windows and tossing a flashbang stun grenade into a living room.
- Facebook accounts of five US politicians being hijacked after they accessed a free, open, wireless Wi-Fi network.
And those are just a tiny selection of the cherries on that bountiful Wi-Fi tree. Of course, there is also the problem of protecting privacy on public Wi-Fi. In just the past year, we learned that businesses are using Wi-Fi to build shopper profiles on us, and in-flight WiFi providers have been helping feds spy on us..."
(More detail at the sophos URL above.)
Sophos - wireless security myths Video 4:26:
 

:ph34r:   <_<


Edited by AplusWebMaster, 11 August 2014 - 12:35 PM.



#1254 AplusWebMaster


Posted 12 August 2014 - 03:51 AM

FYI...

Fake Netflix email / Phish
- http://myonlinesecur...f-837-phishing/
12 Aug 2014 - "Your Netflix Account Requires Validation [NVF-837] is an attempt to get access to your Netflix Account... The phishing website in this example is so closely named to the genuine Netflix site, that almost anybody could be fooled by it http ://netflix-validate .com
Email looks like:
Dear Customer,
We recently failed to validate your payment information we hold on record for your account, therefore we need to ask you to complete a brief validation process in order to verify your billing and payment details. Click here to verify your accountFailure to complete the validation process will result in a suspension of your netflix membership.We take every step needed to automatically validate our users, unfortunately in this case we were unable to verify your details. The process will only take a couple of minutes and will allow us to maintain our high standard of account security.
Netflix Support Team ...


Following the link in this 'Your Netflix Account Requires Validation' email or other spoofed emails takes you to a website that looks exactly like the real Netflix site. You are then taken through loads of steps to input a lot of private and personal information, including billing address, date of birth and then to an update payment page, where they want credit card and bank details. Not only will this information enable them to use your Netflix account, but also your Bank Account, credit card details, Email details, webspace..."

192.99.188.111: https://www.virustot...11/information/

Diagnostic page for AS16276 (OVH)
- https://www.google.c...c?site=AS:16276
"... over the past 90 days, 2638 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-08-11, and the last time suspicious content was found was on 2014-08-11... we found 373 site(s) on this network.. that appeared to function as intermediaries for the infection of 821 other site(s)... We found 745 site(s)... that infected 65282 other site(s)..."
___

Fake Order SPAM
- http://myonlinesecur...ke-pdf-malware/
12 Aug 2014 - "Order take 8753884 is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email with subject of Order take <random numbers> arrives with just a subject and no email content except an attachment. It appears to come from various random names at various random companies.

12 August 2014: order 1530875.zip (37 kb) : Extracts to   Order-8991617.exe
Current Virus total detections: 1/54* . This Order take 8753884 is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407832220/
___

Fake new picture or video SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
12 Aug 2014 - "A new picture or video message  pretending to come from getmyphoto@ vodafone .co.uk is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This one wants you to download the -malware- via a tiny URL link in the email, there is no actual attachment. Email looks like:
You have received a picture message from mobile phone number +447584905118
GET MY FOTO
Please note, the free reply expires three days after the original message is sent from the Vodafone network.
Vodafone Service


12 August 2014: f679RqP75G.exe - Current Virus total detections: 0/53*
This 'A new picture or video message' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407835450/
___

Fake IRS phish...
- http://myonlinesecur...et-refund-card/
12 Aug 2014 - "IRS Get Refund On Your Card pretending to come from IRS <refund@ irs .gov> is one of the phishing attempts to get your bank and credit card information. Email looks like:
We are writing to you because your federal Tax payment (ID: 66116572), recently sent is available for refund.
For your security, new charges on the accounts listed above may be declined. If applicable, you should advise any Additional Card Member(s) on your account that their new charges may also be declined.
For more information, please visit the following link
– https ://sa.www4.irs .gov/irfof/lang/en/irfofgetstatus.jsp?reenter=true
Your prompt response regarding this matter is appreciated.
Sincerely,
IRS Refund Team


Following the link in this 'IRS Get Refund On Your Card' email or -other- spoofed emails takes you to a website that looks exactly like the real IRS site... then through loads of steps to input a lot of private and personal information, including billing address, date of birth and then to an update payment page, where they want credit card and bank details... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them..."
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 12 August 2014 - 09:43 AM.



#1255 AplusWebMaster


Posted 13 August 2014 - 03:16 AM

FYI...

Fake Google drive SPAM - PDF malware
- http://myonlinesecur...019-73-malware/
13 Aug 2014 - "Grady Murphy shared Google Drive:3623019-73 to submit@ <your email address>. Pretending to come from Grady Murphy <random name that matches the name inside the email>, Apps Team is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... There are several different versions of this email leading to different infection sites and links. The names of the alleged Google Drive owner who wants to share with you change with each email. There is no attachment with this one and they want you to follow the link and download the file to infect you.
Some of the sites are
http ://energydep .net:8080/Gdrive/GDrive025384.exe
http ://bilingdepp .net:8080/Gdrive/GDrive917302.exe
Email looks like:
Accept Grady Murphy Google Drive ID:3623019-73 request clicking on the link below:
    Confirm request
    Unfortunately, this email is an automated notification, which is unable to receive replies. We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 via google .com/support/


13 August 2014: GDrive925483.exe (40kb) Current Virus total detections: 6/54*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1407913490/

178.238.236.109: https://www.virustot...09/information/
___

Fake PurelyGadgets SPAM - Word doc malware
- http://myonlinesecur...alware-malware/
13 Aug 2013 - "Order id 769019 | PurelyGadgets .com pretending to come from a sender named inform at a random email address is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email arrives written in German language and has a zip attachment that when unzipped drops what appears to be a genuine Word Doc. BUT the Doc contains a macro that will infect you, if you use an out of date or older version of Word. On previewing it, or opening it in Word 2013 (which has macros disabled by default) it tries to tell you to enable macros so that you can read the document. Do -not- ever -enable- macros for any Microsoft Office file received by email unless you are 100% sure that you know the sender and are expecting the file... If you still use an older version of Microsoft Word, then you are at risk of being infected by this... Office 2010 and Office 2013 have macros -disabled- by default...

13 August 2014: Bestellen.zip (100 kb) : Extracts to Bestellen.Doc
Current Virus total detections: 10/54* . All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... when unzipping them make sure you have “show known file extensions enabled”, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustot...sis/1407936811/
___

UK Land Registry Spam
- http://threattrack.t...d-registry-spam
Aug 13, 2014 - "Subjects Seen:
    Notification of direct debit of fees
Typical e-mail details:
    Notification Number: 4682787
    Mandate Number: LND4682787
    ###THIS IS AN AUTO NOTIFICATION EMAIL. DO NOT REPLY TO THE SENDER OF THIS EMAIL. IF YOU HAVE A QUERY PLEASE REFER TO THE INFORMATION BELOW ###
    This is notification that Land Registry will debit 1527.00 GBP from your nominated account on or as soon as possible before 18/08/2014.
    Details of fees that we shall be collecting by direct debit for the applications charged are now available to view.
    You can access these by opening attached report.
    If you have an enquiry relating to your VDD account please contact Customer Support at customersupport@ landregistry .gsi .gov.uk or call on 0844 892 1111. For all enquiries, please quote your key number.
    Thank you,
    Land Registry


Malicious File Name and MD5:
    LND_Report_13082014.exe (4E3480ADAF846BE2073246C9879290D2)
    LND_Report_4682787.zip (EAD6A8A2A9613175112E6C75D247B0BC)


Screenshot: https://gs1.wac.edge...Ihd01r6pupn.png

Tagged: UK Land Registry, Upatre
 

:ph34r:  <_<


Edited by AplusWebMaster, 13 August 2014 - 02:10 PM.




#1256 AplusWebMaster


Posted 14 August 2014 - 04:52 AM

FYI...

Fake Citicorp SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
14 Aug 2014 - "Citicorp Mail Out Report Attached pretending to come from CITICorp <random name @ citicorp .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:

    From Securitas, please do not reply to this e-mail as it is auto generated.
    For any problems please e-mail derry.andrews@ securitas .uk .com


14 August 2014  Q100515078_Mail Out Report.zip (9kb): Extracts to Q100229861_Mail Out Report.exe
Current Virus total detections: 3/54* . This Citicorp Mail Out Report Attached is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408010403/
___

Fake Charity Trends SPAM ...
- http://blog.mxlab.eu...9156230_08-xls/
Aug 14, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Oder invoice 9156230_08.xls”. This email is sent from the spoofed address and has the following body:

    Dear *******@*******.co.uk,
    Please find attached invoice #9156230_08 from 13/08/2014.
    Thanks!
    Reyes Mcdaniel .
    We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 via hxxp ://www.charitytrends .org/ContactUs.aspx


The attached ZIP file has the name 9156230_08.zip which contains the folder Inv_3145835_453_979154.xls. In this folder the 131 kB large file Inv_3145835_453_979154.xls.scr is found. Please note that the subject line and attachment file names may change with each message.
The trojan is known as Backdoor.Bot.ED. At the time of writing, 1 of the 53 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1408011038/

- http://blog.mxlab.eu...ontains-trojan/
Aug 14, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Thank you for your generous donation! Charity Trends .”. This email is sent from the spoofed address and has the following body:

    Charity Trends®
    Dear *******@*******.com,
    Thank you for your generous donation of 2623 GBP, which we received today.
    Your generosity will make an immediate difference in the lives of many people who need your help. The funds raised will go toward them.
    You will find all information about your donation in zip archive.You are making a difference!
    Thanks again for your kindness,
    Elsa Nash ...


The attached ZIP file has the name DON_9683272_90.zip and contains the folder DON_4356984_08_14_14. Inside this folder, the 102 kB large file DON_4356_45984_08_14_14.scr will be found. Please note that the subject line and attachment file names may change with each message. The trojan is known as Trojan/Win32.Zbot, Win32:Malware-gen, HEUR/Malware.QVM20.Gen or Mal/Generic-S... 4/54 VirusTotal*..."
* https://www.virustot...sis/1408011666/
___

Fake Citibank SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
14 Aug 2014 - "'Citibank RE: Account documents' have been uploaded pretending to come from Citibank <noreply@ citibank .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like"
    citibank .com
    RE: Account Documents
    To: <REDACTED>
    Case: C4055427
    Your Documents have been uploaded to dropbox. In order to download / view Please click here to download / view .
    All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record...


14 August 2014 Document-7119.zip ; Extracts to Document-7119.scr ;
Current Virus total detections: 0/54* . This 'Citibank RE: Account documents have been uploaded' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408029154/
___

ZeroLocker
- http://www.webroot.c...14/zero-locker/
Aug 14, 2014 - "... we saw FireEye and Fox-IT provide the ability to decrypt files encrypted by older cryptolocker variants. They used the command and control servers seized by the FBI during operation Tovar. Since they have access to those RSA keys they essentially have the password required for every single file encrypted by a Cryptolocker variant that used Evgeniy Bogachev’s botnet. That is a major portion of the traditional red GUI cryptolocker that became famous... since the emergence of their tool to decrypt files for free, there has been a new encrypting ransomware going around that aims at scamming you into thinking this is a similar helpful tool – except that it demands something all -scams- do - payment:
> https://www.webroot....08/blograrw.bmp
This newest edition to the ever popular business model that is encrypting ransomware doesn’t really have many improvements over the others we’ve already seen. Using -Bitcoin- for payment is standard now. This variant doesn’t show the GUI until all encryption is completed and the computer is suddenly restarted. Upon restart this window is presented and threatens that you will lose all your files if you close or remove it. The payment structure is right where industry average is – PAINFUL. This specific variant we analyzed does not delete the VSS (Volume Shadow Service) and you can get all your files back by using programs like Shadow Explorer... expect issues like this to be fixed once this malware is adopted by more botnets for widespread distribution... remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity..."
___

Suspicious login message Faked, distributes Backdoor
- http://blog.trendmic...butes-backdoor/
Aug 14, 2014 - "Legitimate services are often used by cybercriminals to try and make their attacks more convincing. Recently, I spotted attacks that used services and platforms like Google Drive and Dropbox in order to look less suspicious to unwary users. I received a spammed message like the one shown right below that supposedly came from Gmail itself. It warned me that someone logged into my account from an unknown device. However, all of the links in it pointed to a Google Drive URL:
Sample spam email:
> http://blog.trendmic...4/08/login3.png
Even though the email message is -similar- to a legitimate Gmail message, a careful user will note that the displayed e-mail address and the supposed source address did -not- match. Further examination of the email’s headers indicates that the email was, in fact, sent via a website’s mail form... all the links provided in the email actually go to an HTML file hosted on Google Drive. This HTML file is used to detect the operating system and browser of the user... Further code also differentiates what payloads are delivered based on the user’s browser. This is what the user would see (here, running Firefox):
Fake plugin download page:
> http://blog.trendmic...4/08/login2.png
...  while the HTML code can differentiate between different configurations, a relatively limited number of payloads are actually delivered. These are detected as BKDR_PERCS.A. This -backdoor- steals email credentials and user names and passwords. It also logs -keystrokes- as part of its information theft routines. As a backdoor, it can also accept remote commands from the attackers... The actual malicious payloads are hosted on Google Drive as well. The attackers upload new files to be used in this attack on a fairly regular basis, although the behavior remains the same... As these files are located on legitimate services, they are also sent via HTTPS, which helps evade some web filtering techniques. In addition, it used a -compromised-  website’s mailer system and an IPv6 address, which can also evade email reputation services..."
(More detail at the trendmicro URL at the top.)
___

Beware of Risky Ads on Tumblr
- https://blog.malware...-ads-on-tumblr/
Aug 14, 2014 - "Online users have come to rely on social media and social networking sites to also update them on current events and commentaries, general news, and what’s happening just down the street and around the corner. Twitter and Facebook are the first go-to sites for most when it comes to real-time news updates. For some, Tumblr.

dailynewsz[dot]tumblr[dot]com

We found the above site posting what appears as news clips but not on a daily basis, as indicated in the URL, unfortunately. According to Google Translate, the site uses both Swahili and Urdu. This site serves ads on its default page and on individual posts. So every time someone shares one, the ads are shared with it. Below is a screenshot of a post:
> https://blog.malware...ynewsz-post.png
Online advertisement is a major source of revenue. Unfortunately, normal ads can easily become malvertisements, serving as a go-between for users and sites hosting -malicious- software. For this particular Tumblr page, it uses the ad network Yllix Media. Google Safe Browsing profiled its official website here*. Other third-party sites either blacklist** the domain or flag it as untrustworthy*** due to its history of leading users to infected sites. As of this writing, the ads are benign, but we may never know several months from now if this will still be the case... we encourage you to use ad blockers, such as AdBlock Plus (ABP) or NoScript (for Mozilla-based browsers only), if you don’t want ads to appear on sites you visit..."
* https://safebrowsing...site=yllix.com/

** http://labs.sucuri.n...klist=yllix.com

*** https://www.mywot.co...ecard/yllix.com
 

:ph34r:  <_<


Edited by AplusWebMaster, 14 August 2014 - 03:52 PM.



#1257 AplusWebMaster


Posted 15 August 2014 - 08:08 AM

FYI...

Fake Barclays SPAM - Trojan.Ransom.ED
- http://blog.mxlab.eu...ojan-ransom-ed/
Aug 15, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Your transaction is completed”. This email is sent from the spoofed address “Barclays.NET” <support@ barclays .net>” and has the following body:
    Transaction is completed. 8678 GBP has been successfully transfered.
    If the transaction was made by mistake please contact our customer service.
    Payment receipt is attached.
    *** This is an automatically generated email, please do not reply ***
    Barclays.Net 2013 Corporation. All rights reserved.


The attached ZIP file has the name Payment receipt 1534465.zip and contains the 70 kB large file Payment receipt 8821991.exe (note: file name may vary with each email). The trojan is known as Trojan.Ransom.ED or Mal/Generic-S. At the time of writing, 2 of the 54 engines did detect the trojan at Virus Total*..."
* https://www.virustot...sis/1408097500/
___

Fake VOIP SPAM - Word macro script
- http://blog.mxlab.eu...d-macro-script/
Aug 15, 2014 - "... intercepted a campaign by email with the subject “Your Order No 355253536 | Mob Inc.” which includes a malicious Word document that allows the installation of a trojan downloader using the macro functionality from Word. This email is sent from the spoofed addresses and has the following body:
    Thank you for ordering from VOIP Inc.
    This message is to inform you that your order has been received and is currently being processed.
    Your order reference is 488910845598.
    You will need this in all correspondence.
    This receipt is NOT proof of purchase.
    We will send a printed invoice by mail to your billing address.
    You have chosen to pay by credit card. Your card will be charged for the amount
    of 805.74 USD and “VOIP Inc.”
    will appear next to the charge on your statement.
    Your purchase information appears below in the file.


The attached ZIP file has the name Order.zip and contains the 41 kB large file Order.Doc. The Order.Doc is a genuine Word document but the file contains a malicious macro feature. Once opening the Word document, instructions are given on how to enable the content and activate the -malicious- macro script... The downloader is known as W97M/Downloader, MO97:Downloader-DU, VBA/TrojanDownloader.Agent.AL, Trojan-Downloader:W32/Agent.DVCR, Trojan-Downloader.VBA.Agent or Trojan.Mdropper. At the time of writing, 8 of the 53 AV engines did detect the trojan downloader at Virus Total*..."
* https://www.virustot...sis/1408099896/
 

:ph34r: :ph34r:  <_<




#1258 AplusWebMaster


Posted 19 August 2014 - 11:04 AM

FYI...

Fake Companies House Spam
- http://threattrack.t...ual-return-spam
Aug 19, 2014 - "Subjects Seen:
    (AR01) Annual Return received
Typical e-mail details:
    Thank you for completing a submission Reference # (9586474).
        (AR01) Annual Return
    Your unique submission number is 9586474
    Please quote this number in any communications with Companies House.
    Check attachment to confirm acceptance or rejection of this filing.


Malicious File Name and MD5:
    AR01_021434.scr (3324B40B5D213BEC291F9F86F0D80F64)
    AR01_021434.zip (7D65D78B6E35843B6FF3C4C46BAAC37A)


Screenshot: https://gs1.wac.edge...ZubX1r6pupn.png

Tagged: Companies House, Upatre
___

JPMorgan Chase Secure Message Spam
- http://threattrack.t...re-message-spam
Aug 19, 2014 - "Subjects Seen:
    Daily Report - August 19, 2014
Typical e-mail details:
    This is a secure, encrypted message.
    Desktop Users:
    Open the attachment (message_zdm.html) and follow the instructions.
    Mobile Users:
    Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.


Malicious URLs:
    192.241.124.71 /securemail/jpmchase.com/formpostdir/Java/Java_update.exe

Malicious File Name and MD5:
    message_zdm.html (550CB01F07DB2363437C8627697C6B1F)
    Java_update.exe (38d75db0a575891506b1ff0484a03cd0)


Screenshot: https://gs1.wac.edge...JVOT1r6pupn.png

192.241.124.71: https://www.virustot...71/information/

Tagged: JPMorgan, Chase, Dyreza
___

- http://myonlinesecur...9-2014-malware/
Aug 19 2014 - "'JPMorgan Chase & Co Daily Report – August 19, 2014' pretending to come from various names at @ jpmorgan .com is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... email looks like:

Screenshot: http://myonlinesecur...ust-19-2014.png

... the html attachment that comes with the email looks like the below and clicking the link hidden behind the Click to read message button leads to a fake Java_update.exe
> http://myonlinesecur...t-19-2014_2.png
Todays Date: Java_update.exe .. Current Virus total detections: 5/53*  
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustot...12a96/analysis/
___

Fake Evernote extension serves Ads
- https://blog.malware...advertisements/
Aug 19, 2014 - "... a Multiplug PUP that installs a -fake- Evernote browser extension. Fellow researchers can find the link to this sample on VirusTotal here*...
> https://blog.malware...8/cert_info.png
When you execute the PUP, it silently installs a web extension for the Google Chrome, Torch, and Comodo Dragon browsers. The extension takes the form of three obfuscated JavaScript files and one HTML file. The picture shows these files installed in Chrome’s extension directory on a Windows 7 PC.
> https://blog.malware...e_ext_files.png
... The extension that’s installed is called “Evernote Web,” just like the real extension from Evernote.com. When taking a look at the Chrome extensions page, we can see the extension installed there with the ID “lbfehkoinhhcknnbdgnnmjhiladcgbol,” just like the real Evernote Web extension.
> https://blog.malware...08/evernote.png
Clicking “Visit website” directs the user to the chrome webstore page for the actual Evernote Web extension. Chrome believes the real extension is installed, as verified by the Launch App button. When clicking this button with the fake extension installed, nothing happens, whereas normally the user is met with an Evernote log in screen.
> https://blog.malware...hrome_store.png
On the surface, it may seem like the pop ups and advertisements are coming from the websites themselves, but are in fact from the fake Evernote web extension.
Fortunately, removing the extension is a simple task. For Chrome users, simply visit the extensions page and click the picture of a garbage can, and you’re done. You also might want to run a free scan using your Antivirus or Anti-malware programs (like Malwarebytes Anti-Malware) to make sure there wasn’t anything -else- added while you had the extension."
https://www.virustot...3fbf4/analysis/
___

Fake Scotiabank SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
18 Aug 2014 - "Scotiabank New Instructions for International and local transfers pretending to come from Mallerlyn Bido <mallerlyn.bido@ scotiabank .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Dear Clients
    Hereby we inform you that starting next Tuesday, August 19 all instructions of local and international transfers that are sent to our institution must be completed by a transfer form specifically allocated for the purpose, which will be replacing the letter instruction tend to complete.
    This new document has been implemented to meet international requirements and simultaneously control to make their operations safer.
    We take this opportunity to inform you that the operations of International Transfers can be made via our internet platform banking the need to complete these types of forms.
    Annex find the forms that apply to transfers in USD and EUR as well as the form used for ACH transfers manuals with some notes to use as a guide to complete. These templates can be saved for you with your details for future use.(See attached file: Outgoing Global.doc Form) (See attached file: Outgoing JPM.doc Form) (See attached file: Form ACH..doc) ...
Best regards,
Mallerlyn Bido | Gerente Soporte al Cliente | BSC ...


18 August 2014: New Instructions for International and Local transfers.zip ( 8kb) :
Extracts to New Instructions for International and Local transfers.exe
Current Virus total detections: 3/52* . This Scotiabank New Instructions for International and local transfers is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408393889/
 

:ph34r:  <_<


Edited by AplusWebMaster, 19 August 2014 - 05:48 PM.



#1259 AplusWebMaster


Posted 20 August 2014 - 05:01 AM

FYI...

Cryptolocker flogged on YouTube
- http://www.theregist...ged_on_youtube/
20 Aug 2014 - "Cryptolocker is being flogged over YouTube by vxers who have bought advertising space... researchers made the discovery while monitoring YouTube and website banners for instances where malware writers had actually purchased space to foist their wares on -unpatched- web users. The duo who will present at the upcoming Virus Bulletin 2014 conference in Seattle wrote in a paper advertisement networks was a viable way to flog virus and trojans. "We conclude that ad networks could be leveraged to aid, or even be substituted for current exploit kits," they said. Purchased ad space was a cheap and effective means of foisting browser malware allowing attackers to filter victims by language, location, and interests, VB reported. Malware contained in ads could be obfuscated and then unleashed once conditions like operating systems, browser versions and other elements were met.
> http://regmedia.co.u...19/tghfgh55.png
CryptoLocker surfaced in September distributed through Gameover ZeuS. It encrypted important files such as images and documents on compromised Windows machines before demanding that victim pay up to $500 in BitCoins within 72 hours for the private keys necessary to unlock files. CryptoLocker used AES symmetric cryptography to encrypt the files and encrypted the AES key with an RSA-2048 bit public key generated on its server side. It came as -malvertisers- were caught flinging malware over Yahoo! ad networks*...
> http://regmedia.co.u.../fghji87y6t.png
... Many excess ad spaces were flogged through affiliates which may accept advertisements without checking the authenticity of the buyer nor the code to be run. Even those that do could end up foisting malware if they failed to detect an attackers' code alterations made after the purchase in order to quietly slip in the malware. The research pair said there was very little advertising networks could do to prevent the attacks."
* http://www.theregist...hoo_ad_network/

> https://www.virusbtn...otovNavaraj.xml
___

Fake Order SPAM – PDF malware
- http://myonlinesecur...er-pdf-malware/
20 Aug 2014 - "'Order – PDF' which comes as an email with a subject of order-6539-8.20.2014.pdf ( where the number is random & the date changes daily is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These emails have no body content and just a subject of order-6539-8.20.2014.pdf ( the number is random ) They appear to come from a load of common first names with weird characters form the second part of the alleged senders... previous post about this type of attack:
- http://myonlinesecur...chments-emails/
Today’s version although it pretends to be a PDF file is actually a zip file that probably either use some unknown exploit to extract it or the bad actors sending today’s malware have misconfigured the botnet sending it and it won’t automatically extract at all so users will be safe...
20 August 2014: order-6539-8.20.2014.pdf (84 kb) Extracts to order 8.20.2014.exe
Current Virus total detections for pdf is : 2/50* . Current Virus total detections for the extracted .exe : 2/53** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408523288/

** https://www.virustot...sis/1408523722/
___

'Reveton' ransomware adds powerful password stealer
- https://www.computer...assword_stealer
Aug 20, 2014 - "A type of malware called Reveton, which -falsely- warns users they've broken the law and demands payment of a fine, has been -upgraded- with powerful password stealing functions, according to Avast*. Reveton is in a class of nasty programs known as "ransomware," which includes the notorious Cryptolocker program that encrypts a computer's files. The FBI issued a warning about Reveton in August 2012 after its Internet Crime Complaint Center was flooded with complaints. The malware often infects computers via drive-by download when a person visits a website rigged to automatically exploit software vulnerabilities. Users are helpless after the computer is locked, with Reveton demanding a few hundred dollars as ransom payable via various web-money services... The version of Reveton analyzed by Avast also has another password stealer from the Papras family of malware. It's not as effective as Pony but can disable security programs, the company wrote on its blog*. This particular sample of Reveton was pre-programmed to search a web browser's history and cookies to see if the user had visited online sites of 17 German banks... Around February 2013, an ethnic Russian man was arrested in Dubai upon request of Spanish police for allegedly coordinating Reveton campaigns, netting... US$1.3 million. Ten other people were also arrested on money laundering charges for allegedly laundering the proceeds and transferring funds to Russia, according to Trend Micro**."
* http://blog.avast.co...rously-evolved/

** http://blog.trendmic...ivity-nabbed-2/
___

Linux Trojan makes the jump to Windows
- http://www.theinquir...jump-to-windows
Aug 20 2014 - "... the original malware known as "Linux.Dnsamp" is a Distributed Denial of Service (DDoS) Trojan, which, according to the company blog*, transfers between Linux machines, altering the startup scripts, collecting and sending machine configuration data to the hackers' server and then running silently waiting for orders. Now it appears that the same hackers have ported the Trojan to run in Windows as "Trojan.Dnsamp.1"**. The Windows version gains entry to the system under the guise of a Windows Service Test called "My Test 1". It is then saved in the system folder of the infected machine under the name "vmware-vmx.exe". When triggered, just like its Linux counterpart, the Trojan sends system information back to the hackers' central server and then awaits the signal to start a DDoS attack or start downloading other malicious programs... Although the threat of malware is an everyday hazard to most computer users, to find an attack on Linux is much rarer, and to find any kind of malware that has been ported from one operating system to another is almost unheard of... Project Shield***, an initiative designed to help smaller web servers fight off DDoS attacks."
* http://news.drweb.co...c=23&lng=en&p=1

** http://news.drweb.co...903&lng=en&c=14

*** https://projectshiel...hgoogle.com/en/
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 20 August 2014 - 01:26 PM.



#1260 AplusWebMaster


Posted 21 August 2014 - 07:29 AM

FYI...

Tech Support SCAMS rip big brand security software with fake warnings
- https://blog.malware...-fake-warnings/
Aug 21 2014 - "... bogus tech support. If you are looking to download one of the popular antivirus or anti-malware product on the market, watch out before you click.
> https://blog.malware...AVs-965x395.png
Lookalike pages: Fraudsters have set up -fake- download pages that look incredibly like the authentic ones... Hijacked software: Each page links to a download, which of course is -not- the actual software...
> https://blog.malware...07/software.png
The purpose of these fake programs is to trick people into thinking something is wrong with their computers:
> https://blog.malware...14/07/error.png
The fake pages are hosted here:
The company providing ‘support’ is: wefixbrowsers .com ... We are reporting the sites to the registrar and passing on the LogMeIn codes so that interested parties can take appropriate actions. To avoid these -fake- installers, users should always go to the company’s official website..."
(More detail at the malwarebytes URL at the top.)

wefixbrowsers .com / 23.91.123.204: https://www.virustot...04/information/

onlineinstanthelp .com / 118.139.186.35: https://www.virustot...35/information/
___

Fake HMRC SPAM - malware
- http://myonlinesecur...-onile-malware/
21 Aug 2014 - "'Helping your Business onile' pretending to come from 'HMRC Business Help and Education Emails' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like:

Screenshot: http://myonlinesecur...iness-onile.png

21 August 2014  Credit_file_961529461.zip ( 50 kb)... Current Virus total detections: 1/51*
...  targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened..."
* https://www.virustot...sis/1408620337/
___

Fake Credit reference SPAM - word Doc malware
- http://myonlinesecur...rd-doc-malware/
21 Aug 2014 - "'RE: Credit reference file request.(108278994)' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Dear <REDACTED>
    You have obtain a copy of your credit reference file.
    We’re happy to help you with any questions or concerns you may have. Please contact us directly 24/7 .
    Lynn Buck.


21 August 2014: Credit_file_108278994.zip (52 kb): Extracts to Credit reference file.doc.scr
Current Virus total detections: 2/52*
21 August 2014: Credit_file_642094175.zip (85kb): Extracts to credit_reference_file.xls.scr
Current Virus total detections: 2/52*
This 'RE: Credit reference file request.(108278994)' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word file instead of the .scr executable file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1408613742/
___

JPMorgan customers targeted in phishing campaign
- http://www.reuters.c...N0GL20R20140821
Aug 21, 2014 - "Fraudsters are targeting JPMorgan Chase & Co customers in an email "phishing" campaign that is unusual because it attempts to collect credentials for that bank and also infect PCs with a virus for stealing passwords from -other- institutions. The campaign, dubbed "Smash and Grab," was launched on Tuesday with a widely distributed email that urged recipients to click to view a secure message from JPMorgan, according to security researchers with corporate email provider Proofpoint Inc. JPMorgan, the No. 1 U.S. bank by assets, confirmed that spammers had launched a phishing campaign targeting its customers... the bank believes most of the spam was stopped by fraud filters at large Internet providers, adding that the email looked realistic because the attackers apparently used a screen grab from an authentic email sent by the bank. Users who click on a malicious link are asked to enter credentials for accessing accounts with JPMorgan. Even if they did not comply, the site attempted to automatically install the Dyre banking Trojan* on their PCs, according to Proofpoint. Dyre is a recently discovered piece of malware that seeks credentials from customers of Bank of America Corp, Citigroup Inc and the Royal Bank of Scotland Group PLC, according to email security firm Phishme."
* http://blog.malcover...ou-need-to-know

> https://www.brainyqu...infr122731.html
"Distrust and caution are the parents of security" - Ben Franklin
 

:ph34r:  <_<


Edited by AplusWebMaster, 21 August 2014 - 02:25 PM.

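The recurring lure in the reports above is a ZIP (or a ZIP renamed to .pdf) whose member is a .scr/.exe with a document-style double extension and a spoofed icon, which Explorer shows as "Document-7119" or "credit_reference_file.xls" when known extensions are hidden. The triage routine below, an added example that is not code from any of the quoted blogs, checks an attachment by magic bytes rather than file name and flags those patterns; the sample archives and the 'MZ' stand-in executable are constructed inline.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Extensions Windows runs as programs; with "hide extensions for known file
# types" on, a member named "report.pdf.scr" is displayed as "report.pdf".
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "cpl"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "htm", "html"}
# Leading bytes of the container formats seen in the reports above.
MAGIC = {b"PK\x03\x04": "zip", b"%PDF": "pdf", b"MZ": "pe"}


@dataclass
class Finding:
    name: str      # attachment or archive member the finding applies to
    reason: str    # why it was flagged


def sniff(data: bytes) -> str:
    """Identify content by magic bytes instead of trusting the file name."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def extensions(name: str) -> list[str]:
    """Every extension of the last path component: 'a/b.doc.scr' -> ['doc', 'scr']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def triage_member(name: str, head: bytes) -> list[str]:
    """Reasons a single file (outer attachment or archive member) looks like a spoofed-icon lure."""
    exts = extensions(name)
    reasons: list[str] = []
    if not exts:
        return reasons
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{last}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension .{exts[-2]}.{last} displays as a "
                           f".{exts[-2]} file when known extensions are hidden")
    elif last in DOCUMENT_EXTS and sniff(head) == "pe":
        reasons.append(f"named .{last} but content is a Windows executable")
    return reasons


def triage_attachment(filename: str, data: bytes) -> list[Finding]:
    """Triage one mail attachment: the outer file and, for ZIP archives, every member."""
    findings: list[Finding] = []
    kind = sniff(data)
    outer = extensions(filename)
    claimed = outer[-1] if outer else ""
    if kind == "zip" and claimed != "zip":
        # The 'Order - PDF' run above: a ZIP archive delivered under a .pdf name.
        findings.append(Finding(filename, f"named .{claimed} but content is a ZIP archive"))
    for reason in triage_member(filename, data[:4]):
        findings.append(Finding(filename, reason))
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as member:
                    head = member.read(4)   # enough for the magic-byte check
                for reason in triage_member(info.filename, head):
                    findings.append(Finding(info.filename, reason))
    return findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from constructed test data (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for an executable: a PE file begins with the 'MZ' header.
FAKE_PE = b"MZ" + b"\x00" * 62


def demo() -> dict[str, list[Finding]]:
    """Constructed attachments modelled on the lures quoted above (file names only; contents are fake)."""
    samples = {
        # spoofed-icon .scr delivered in a ZIP (the Citibank 'Document-7119' run)
        "Document-7119.zip": build_zip({"Document-7119.scr": FAKE_PE}),
        # double extension inside a folder (the Charity Trends 'invoice' run)
        "9156230_08.zip": build_zip(
            {"Inv_3145835_453_979154.xls/Inv_3145835_453_979154.xls.scr": FAKE_PE}),
        # ZIP archive sent under a .pdf name (the 'Order - PDF' run)
        "order-6539-8.20.2014.pdf": build_zip({"order 8.20.2014.exe": FAKE_PE}),
        # a genuine PDF, for contrast
        "statement.pdf": b"%PDF-1.4\n%constructed benign document\n",
    }
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", [(f.name, f.reason) for f in findings] or "clean")
```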
