3 replies to this topic

[AplusWebMaster]

FYI...

- http://isc.sans.org/...ml?storyid=4289
Last Updated: 2008-04-14 18:13:43 UTC - "We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case. It then asks them to click a link and download the case history and associated information. One problem, it's total bogus. It's a "click-the-link-for-malware" typical spammer stunt. So, first and foremost, don't click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his e-mail directly. It's very highly targeted that way. Second, the United States Federal Courts do not "serve" formal process over email. While there is an Electronic Case Management System, initial contact for a subpoena, lawsuit or other process is done the old fashioned way... someone serving you the old fashioned way. Presumably, if you did already get served you would have a lawyer handling the case for you. In that instance, the *lawyer*, not you, would be getting electronic notices from the court **after service has been handled**.
FOR LAWYERS ONLY: ...You've gotten thousands of these, if you see something radically different, I would log in directly into the CM/ECF system and check the docket record directly. Don't click on the links if you are suspicious. I'm sure a call to the Clerk of the Court would also help you get information. Odds are the Clerk has heard of these kind of e-mails circulating...
FOR EVERYONE ELSE: ...if you are not a lawyer (or not representing yourself pro se and have ECF access) you will -never- get an e-mail from the court.
TECHNICAL DETAILS: The malicious code that gets downloaded is a CAB with acrobat.exe inside... The malware then creates a Browser Helper Object (BHO) at WINDIR%\system32\acrobat.dll and opens a hidden IE window to communciate to the command and control server. The BHO will also steal any installed certificates installed on the system. The C&C server is hard-coded to an ISP in Singapore at this time...
UPDATE 13:04 CDT: ...VirusTotal results... guess coverage isn't that good (12/32). If you have someone infected, backup data and reinstall, targetted phishes like this ought to concern us more than general ones, and the only way to be safe is to "burn it down" and start over if an infection happens.
UPDATE 13:14 CDT: ...another malware variant - same thing, but VirusTotal only has 3/32."

Edited by AplusWebMaster, 15 April 2008 - 11:36 AM.

[AplusWebMaster]

FYI...

- http://www.uscourts..../2008/alert.cfm
"Notice: Invalid Subpoenas
Reports have been received of bogus e-mail grand jury subpoenas, purportedly sent by a United States District Court. The e-mails are not a valid communication from a federal court and may contain harmful links. Recipients are warned not to open any links or download any information relating to this e-mail notice. The federal Judiciary's email address is uscourts.gov. The e-mails in question appear to be sent from a similar address that is not owned and operated by the federal courts. Law enforcement authorities have been notified."

- http://www.us-cert.g...oena_email_scam
April 15, 2008

- http://atlas.arbor.net/ -- Threat Briefings - 4.15.2008
"...we are aware of a targeted Trojan attack involving a subject of the Supreme Court..."

Edited by AplusWebMaster, 15 April 2008 - 11:47 AM.

[AplusWebMaster]

FYI...

Espionage Trojans
- http://www.f-secure....s/00001424.html
April 18, 2008 - "On Monday SANS Internet Storm Center wrote about a targeted attack against CEOs. The e-mail messages were directly sent to senior corporate executives and properly identified them by name. The message claimed their testimony was required in a corporate lawsuit. If they clicked through on the link to read the supposed subpoena they were then asked to install a file. And if they ran the file? Then they were really installing a trojan-spy designed to steal certificates. Here's the description of what we detect as Trojan-Spy:W32/Small.BSL*... We've been watching the evolution of targeted attacks for about two years now. Hopefully this recent press coverage helps to shed some light on a very serious issue. One of our recent posts linked to the Businessweek article "The New E-spionage Threat**". If you haven't read it yet, take the time to do so this weekend..."
* http://www.f-secure....small_bsl.shtml
"...drops a file into the following folder:
%windir%\system32\
The dropped file is called acrobat.dll and is 51712 bytes in size.
The malware sets acrobat.dll with a hidden file attribute and changes its date properties to the current system time.
This malicious component acts like a Browser Helper Object (BHO). After the user has started Internet Explorer the malware will attempt to communicate with a server located at the following URL:
hxxp ://124.217.[REMOVED]/NNN/parse.php
The BHO has the following functionality:
. Steals installed certificates
. Deletes user cookie files
. Updates itself
. Deletes files from C:\Documents and Settings
\%username%\Application Data\Macromedia\Flash Player\
. Updates registry information..."

(Screenshots available at both URLs above.)

** http://www.businessw...80032218430.htm

[AplusWebMaster]

FYI...

- http://sunbeltblog.b...ted-attack.html
April 18, 2008 - "...There’s an overview of part of the problem in this week’s BusinessWeek*..."

The New E-spionage Threat
* http://www.businessw...80032218430.htm
April 10, 2008

- http://isc.sans.org/...ml?storyid=4289
"...UPDATE 4/17 We can share the two checkin/drop sites 124.217.251.118 and 124.94.101.48.
We suggest you watch out for port 80 traffic towards those systems or to block those IP addresses entirely..."

Edited by AplusWebMaster, 20 April 2008 - 09:06 AM.