SPAM frauds, fakes, and other MALWARE deliveries...


1332 replies to this topic

#1 AplusWebMaster

  • SWI Friend
  • 9,202 posts

Posted 10 August 2008 - 07:32 PM

FYI...

Fake IE 7 update SPAM...
- http://isc.sans.org/...ml?storyid=4852
Last Updated: 2008-08-10 09:56:42 UTC - "A number of readers have alerted us to a round of IE7 update spam being sent out. The e-mails read:

"You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice."

Well, true enough Microsoft will not be responsible as its not from them! (Shock / Horror). For the sample we received, VT has good coverage:
- http://www.virustota...1a8542a90401b6f ..."

//

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#2 AplusWebMaster

Posted 11 August 2008 - 08:13 AM

FYI...

IM: Instant Malware... Yahoo! Messenger fraud
- http://blog.trendmic...nstant-malware/
08.10.2008 - "Instant messaging (IM) applications are popular infection vectors — malware authors are known to use instant messaging platforms to spread malware by sending either malicious files or URLs. Trend Micro researchers have recently witnessed spammed email messages that use the popular IM application Yahoo! Messenger in propagating malware, but in a very different way than previously mentioned... Clicking the Download now link downloads the file msgr8.5us.exe into the affected system. When executed, it drops the following files:
* mirc.ini - detected by Trend Micro as Mal_Zap
* csrss.exe - detected by Trend Micro as BKDR_ZAPCHAST.AX
* sup.exe - detected by Trend Micro as BKDR_MIRCHACK.CE
For targeted victims which do, in fact, use Yahoo! Messenger, the promised update may prove hard to resist. The same email message even instructs users to pass the news to friends by sending them the source - not very friendly if the supposed update would lead one’s contacts to malware... Downloading from the software vendors themselves still is the safest way to go."

(Screenshot available at the URL above.)

//



#3 AplusWebMaster

Posted 12 August 2008 - 06:18 PM

FYI...

Bogus IE7 and MSRT - SPAM
- http://blog.trendmic...cious-software/
August 12, 2008 - "Spam claiming to be from Microsoft and offering download links to Internet Explorer 7.0 and Windows Malicious Software Removal Tool appears in the wild... To buy themselves some credibility, spammers added what seems to be a disclaimer from MSN Featured Offers, which is a newsletter service by MSN, where users subscribe to “offers” from a number of categories. MSN then sends certain discounts and offers to the subscribers depending on the category they have chosen. Upon clicking the links, malicious files are downloaded onto the user’s system. Trend Micro detects the downloaded files as TROJ_RENO.ADX and TROJ_MONDER.HM..."

(Screenshot available at the URL above.)

//



#4 AplusWebMaster

Posted 13 August 2008 - 04:28 PM

FYI...

Bogus CNN/MSNBC news...
- http://securitylabs....lerts/3159.aspx
08.13.2008 - "Websense.... has discovered a new replica wave of 'msnbc.com - BREAKING NEWS' alerts that are being sent out via spam emails. Similar to previous attacks related to 'Bogus CNN Custom Alerts', these emails contain links to a legitimate news page, but are designed to encourage users to download a malicious application posing as a video codec... Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN-themed templates - most recently email alerts listing the different popular events and news articles, which also encouraged users to download a video codec, which was actually a malicious file. (The malicious payload is only accessed when the user clicks on the ‘breakingnews.msnbc.com’ link, which takes users to a Web page named up.html. This page issues a pop-up encouraging users to download a ‘missing’ video codec, a file called adobe_flash.exe.)
Here are a few examples of the varied subjects we have seen in this campaign:
msnbc.com - BREAKING NEWS: Michael Phelps wins 10th career gold, making him the winningest Olympian in history
msnbc.com - BREAKING NEWS: China beats out U.S. for gold in women's team gymnastics
msnbc.com - BREAKING NEWS: Dark Knight establishes dominance with 400 million mark
msnbc.com - BREAKING NEWS: How to save money on gas
msnbc.com - BREAKING NEWS: Preliminary polls for the election
msnbc.com - BREAKING NEWS: McDonald's found to breach FDA regulations, suspended from trading
msnbc.com - BREAKING NEWS: Jury duties for you
msnbc.com - BREAKING NEWS: Find out how to get top returns for your money at minimum risk
msnbc.com - BREAKING NEWS: Abortion outlawed in California
msnbc.com - BREAKING NEWS: Buy gold at lowest prices and make immediate profits
msnbc.com - BREAKING NEWS: Anthrax case solved
msnbc.com - BREAKING NEWS: Arsenal buys Ronaldo from Man Utd
msnbc.com - BREAKING NEWS: Too much freedom will destroy America
msnbc.com - BREAKING NEWS: Copycat murderer beheads woman on Greyhound bus
msnbc.com - BREAKING NEWS: NASDAQ index gains 720 points overnight upon war announcement
msnbc.com - BREAKING NEWS: Sony announces replacement to successful PSP gaming system
msnbc.com - BREAKING NEWS: Americans loves to sue people
msnbc.com - BREAKING NEWS: Please give your opinions for change
msnbc.com - BREAKING NEWS: Sandwich recall amid Salmonella outbreak ..."
(Screenshot available at the Websense URL above.)


- http://www.f-secure....s/00001485.html
August 13, 2008 - "...Apparently people stopped clicking on -fake- CNN links as today the attackers switched the mails to look like they are now coming from MSNBC..."

CNN and MSNBC Olympic spoof emails - 5 million spam messages per hour
- http://securitylabs....Blogs/3160.aspx
08.14.2008

//

Edited by apluswebmaster, 15 August 2008 - 03:53 AM.

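The alerts quoted in the post above work because the link the reader sees names a news host (the 'breakingnews.msnbc.com' link) while the href lands on an unrelated page (up.html) that pushes the "codec". The following Python is an added example, not code from the Websense or F-Secure write-ups or from this thread: it pulls every anchor out of an HTML mail body and flags those whose visible text names one host while the href points at another, or whose href host is a bare IP address. The sample HTML, the address 198.51.100.7 and the domain msnbc.com.example.net are constructed for illustration; the two-label "registrable domain" shortcut is an assumption that is fine for .com/.org but mishandles suffixes such as co.uk.

```python
"""Flag HTML anchors whose visible text claims one host while the href goes elsewhere."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that looks like a hostname or URL: optional scheme, host, optional path.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def registrable(host):
    """Crude eTLD+1: the last two labels. Assumption: good enough for .com/.org, wrong for co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _Anchors(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:           # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def suspicious_links(html):
    """Return [(text, href, [reasons])] for anchors that look like lures."""
    parser = _Anchors()
    parser.feed(html)
    hits = []
    for text, href in parser.links:
        host = urlsplit(href).hostname or ""
        reasons = []
        try:
            ipaddress.ip_address(host)       # raises ValueError for a real hostname
            reasons.append("href host is a bare IP")
        except ValueError:
            pass
        shown = HOST_RE.match(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"text shows {shown.group(1)} but href goes to {host or href}")
        if reasons:
            hits.append((text, href, reasons))
    return hits


# Constructed body modelled on the fake MSNBC alert; hosts and IP are illustrative only.
SAMPLE_HTML = """\
<p>msnbc.com - BREAKING NEWS: Anthrax case solved</p>
<p><a href="http://198.51.100.7/up.html">breakingnews.msnbc.com</a></p>
<p><a href="http://www.msnbc.com/">msnbc.com</a></p>
<p><a href="http://msnbc.com.example.net/up.html">http://www.msnbc.com/id/26</a></p>
"""

if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

The second anchor (visible "msnbc.com", real www.msnbc.com) is left alone because both sides share the same registrable domain; the first and third are flagged, the first twice. Run on a real body, the same check catches the legitimate-news-page trick described above only when the displayed text is a hostname; a "READ FULL STORY" label carries no host to compare and needs a reputation check on the href instead.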


#5 AplusWebMaster

Posted 15 August 2008 - 03:54 AM

FYI...

Fake AV Trojans Ramping Up
- http://blog.trendmic...ans-ramping-up/
August 14, 2008 - "...new set of rogue antivirus software circulating in the wild. Based on initial analysis, these threats arrive mainly via spammed email messages that contain a link to a bogus celebrity video scandal, although we have also received reports that the said link is also circulating in instant messaging applications and private messages in social networking Web sites. Once the said URL link is clicked, the Web threat infection chain begins and ultimately leads to the downloading of a Trojan detected by Trend Micro as TROJ_FAKEAV.CX, a rogue antivirus that displays very convincing (and for some, alarming) messages... TROJ_FAKEAV.CX also drops another malware, detected as TROJ_RENOS.ACG. RENOS Trojans are known to have very visual payloads that may further alarm users (for example, they modify the system’s wallpaper and screensaver settings to display BSOD). Thus, users may be more convinced that something’s wrong with their system, not knowing that their new software is the one causing it. Rogue antispyware isn’t entirely new, although our researchers have been seeing an increase in activity for the past couple of months... Perhaps it’s because this is also the time of the year when the more legitimate security suites are releasing their latest software updates, and cybercriminals are riding on this season to ramp up their profits. Bad news for the infected users though, as their latest versions of “antivirus software” are actually adding more threats to their system..."

(Screenshots available at the URL above.)

//

Edited by apluswebmaster, 15 August 2008 - 04:18 AM.



#6 AplusWebMaster

Posted 18 August 2008 - 09:28 AM

FYI...

Fake FedEx emails
- http://securitylabs....lerts/3161.aspx
08.18.2008 - "...The notifications claim to be from FedEx and explain that a package sent by the recipient in the past month was not delivered. The message has an attachment claimed to be a copy of the invoice. The attachment is in a zip file but is actually a Trojan Downloader. This spam wave is a continuation of an ongoing theme used in recent months of using a parcel service invoice as the social engineering attack vector..."

(Screenshot available at the URL above.)

//



#7 AplusWebMaster

Posted 19 August 2008 - 06:24 AM

FYI...

Facebook - Viral SPAM
- http://securitylabs....Blogs/3162.aspx
08.18.2008 - "... We've had to create numerous tools and methods to detect these types of attacks because most Web 2.0 social networking sites are difficult to track due to limited public access to most accounts. Most social networking accounts can only be viewed if the account holder explicitly accepts or requests another account to be added as a "friend". A generic Web crawler and even a search engine Web crawler would not be able to mine the pages on a social networking site due to lack of permission... attacks on Facebook and MySpace are nothing new. There have been continual, targeted Facebook attacks for some time now... A very enticing email was sent to one of our test accounts, letting us know that something had been written about us, and that we'd probably want to read more about it. An average user would probably want to know what was written about them, especially because it's on a public blog such as blogspot. Most users have an enormous amount of trust in their fellow Facebook friends. So, the chances of a user clicking on one of these emails are tremendously high. The attackers in this case were able to legitimately have Facebook send a spam email by compromising an account that the test user was "friends" with, and writing a comment on the test user's wall. Writing on the wall triggered an automatic email to the test user's email account with the message that was written on the wall. So, in this case Facebook wall writing is being used as a mechanism to send spam... this particular attack has been going on for over six months. The phishing URL... was registered in July 2008, but several domains have been used in this ongoing attack. Its nameserver is responsible for a load of other phishing domains, including numerous MySpace phishing pages. Users are clicking on these links manually, either when they receive them in email or read them on their walls. They click on the link, get redirected to a phishing page, and manually input their credentials.
Attackers are then using their credentials to post manually and perhaps automatically to their wall, as well as their friends' walls, allowing them to spread within the walls of the social networking world. As social networking sites become the place where the majority of Web users are spending the majority of their Internet time, we're going to see more and more MySpace, Facebook, and other social networking attacks. Web 2.0 Web sites open up a huge attack vector to exploit transitive trust. Attackers know it, and are actively taking advantage of it.
References:
http://pi3141.wordpr...ishing-warning/
http://www.matthewbi...cebook-forgery/
http://thenextweb.or...ack-from-china/ "

(Screenshots available at the Websense URL above.)

//



#8 AplusWebMaster

Posted 20 August 2008 - 08:13 AM

FYI... (Screenshot available at the URL below.)

Photobucket phish...
- http://blog.trendmic...t-gets-phished/
August 19, 2008 - "Photobucket is, by far, one of the largest photo-sharing sites in the world. It is generally used for personal photographic albums, remote storage of avatars displayed on Internet forums, and storage of videos. Lots of people may like to keep their albums private, allowing password-protected guest access, or open them up to the public. And now this photo-sharing site is being attacked by phishers... The login page above looks exactly like the original site that lures the users to enter their user name and password. Once victims enter their credentials, phishers can use them to obtain full access to their Photobucket account, and may use their albums to insert malicious code... popular image hosting sites have become the targets of several different attacks:

Turkish Hackers Relive Memories in Photobucket
- http://blog.trendmic...-in-photobucket
06.25.2008

Two New Yahoo Phish Sites
- http://blog.trendmic...hoo-phish-sites ..."
07.31.2008

//



#9 AplusWebMaster

Posted 21 August 2008 - 10:05 AM

FYI...

Russia-Georgia conflict - malware SPAM
- http://www.us-cert.g..._russia_georgia
August 21, 2008 - "US-CERT is aware of public reports* of malware circulating via spam email messages related to the Russia/Georgia conflict. These messages contain factual information about the conflict. The messages also contain download instructions for the user to watch a video that is attached to the message. If a user opens the attachment, malware may be downloaded and installed onto their system..."

* http://preview.tinyurl.com/58u83x
08-21-2008 (Symantec Security Response Blog)
Russia/Georgia Conflict News Used to Hide Malicious Code in Spam
"...The messages themselves contain an attachment, along with instructions and passwords for the download of the attachment... One subject line that has been seen reads:
“Subject: Journalists Shot in Georgia”... The attachment contains no videos; rather, the attachment redirects to a link that delivers a payload identified as Trojan.Popwin... We have observed several -million- instances of this particular spam attack delivering malicious code..."

//



#10 AplusWebMaster

Posted 21 August 2008 - 04:16 PM

FYI...

- http://sunbeltblog.b...-in-trojan.html
August 21, 2008 - "We’ve seen the same trojan being sent to inboxes in all kinds of ways — and seemingly obsessively on the subject of Angelina Jolie. Minor shift, now they’re putting the fake codec window right in the spam. Pushes video.avi.exe, a fake alert trojan which invariably installs Antivirus XP 2008 or some such rogue security program."

(Screenshot available at the URL above.)


//



#11 AplusWebMaster

Posted 26 August 2008 - 10:12 AM

Spoofs, forgeries, and the like...

FYI...

- http://isc.sans.org/...ml?storyid=4927
Last Updated: 2008-08-24 18:15:34 UTC - "I received an email today from a reader (thank you) who reported that they received a piece of spam today that came from the address: monitoring @isp.com. (Notice the domain name.) Now, we have seen this type of spam before, you know, perpetrating like it comes from your ISP while just having a malicious link in it, etc. Except this time the spam was signed "ISC monitoring team" (Notice the first three letters, and how they differ from the domain name). So I am guessing that someone is trying to imitate us. And while we recognize that imitation is the sincerest form of flattery, this kind could be actually damaging. Rest assured our faithful readers, this is not from us. First of all our email addresses are not "isp.com", nor "monitoring". We don't sign our emails "ISC monitoring team". Nor do we spell the word "Consortium" -- "Consorcium" (misspelling from the email)..."

- http://www.f-secure....s/00001488.html
August 26, 2008 - "This morning we saw several spam runs in the country of Denmark. The messages are in Danish and they are sent to Danish e-mail addresses. The e-mail claims to be from us. It's not. Here's what the email looks like:
From: supportupdate@f-secure.com
Date: 26. August 2008 08:31
Subject: Data er tillagt og sendt med denne meddelelse. [Danish: "Data is attached and sent with this message."]
Käre kunder! [Dear customers!]
Regning [Invoice]
Data er tillagt og sendt med denne meddelelse. [Data is attached and sent with this message.]
Jeg bruger gratis F-secure antispamversion, som allerede har fjernet 338 spambreve. [I use the free F-Secure antispam version, which has already removed 338 spam letters.]
Antispam er helt gratis for private brugere. [Antispam is completely free for private users.]
Attachment: f-secure.rar
The attachment contains a file called update26.08.2008.exe, which, when run, drops a file called dcbcg.exe (Unker-related trojan) that connects to a server in Ukraine. We detect this trojan as Trojan:W32/Agent.FVO... The spam run must have been fairly large, as we've received more than 13,000 bounces to supportupdate @f-secure.com from non-existent email addresses alone..."

// :-/



#12 AplusWebMaster

Posted 27 August 2008 - 02:11 PM

FYI...

'Want to Know Who Deleted You on MSN Live?'
- http://blog.trendmic...ou-on-msn-live/
Aug. 26, 2008 - "While monitoring countless sites as part of our current Web threat strategy, we have stumbled upon a legitimate-looking prompt from MSN Live Messenger... or so it would appear (at first). As shown from the screen captures below, this prompt bears a close resemblance to the actual prompt being displayed by the MSN Live Messenger instant messaging application (also known as Windows Live Messenger) whenever a friend from the user's friends list logs in. Potential victims who unfortunately encounter the site (Borradito.com) via spam or spammed IM are first enticed by the Web site's description, which promises the capability to view which of their friends have removed them from their friends list, provided they are logged in, of course—a pretty convincing trick to lure users to key in their user names and passwords. As the Web site is accessed, a message prompt from MSN Live Messenger appears at the lower-right part of the screen, just below the system tray... Once users click on the prompt, they are diverted to a Flash-based window which also resembles an actual MSN group chat window... This routine is used to attract the users, as well as to build credibility. If the user goes back to the main site and enters their credentials, the site displays a list of users who have allegedly removed the affected user from their contact lists... What happens under the radar, however, is that the site captures the entered credentials and the accounts are then opened by a remote malicious user and IM messages containing a link to the Borradito phishing site are sent to all contacts on the affected account's buddy list... This ensures further propagation of this threat. Directly at risk are MSN users and their contacts. The account information harvested in this account may be used to access various Windows Live services such as Windows Live Call (PC-to-phone calls), SkyDrive (file-sharing services), Spaces, and even Hotmail accounts under the same account.
Today, your email accounts hold many important tidbits on different aspects of your life, job, and personal details many people would prefer not to be divulged to others. Letting your guard down can be very costly and can lead to exploitation. The worst possible scenarios include identity theft and financial loss..."

(Screenshots available at the URL above.)

:ph34r: :!:



#13 AplusWebMaster

Posted 28 August 2008 - 04:56 AM

FYI...

Critical Update: Please Patch Windows with Malware
- http://blog.trendmic...s-with-malware/
Aug. 27, 2008 - "After patching 11 vulnerabilities for this month's Patch Tuesday, spam is being sent that falsely claims that the recipient should immediately install another critical Microsoft update... Patching one's system using this spam as a guidance, however, downloads a multitude of badness, and one particular malicious piece of malware which is detected as EXPL_ANICMOO.GEN... Malware writers are counting on the urgency of the email's tone to trick recipients into applying the "patch"..."

(Screenshot available at the URL above.)

:ph34r:



#14 AplusWebMaster

Posted 28 August 2008 - 10:04 AM

FYI...

Western Union MTCN #2989115571
- http://www.f-secure....s/00001490.html
August 28, 2008 - "Fake airplane tickets, greetings cards and credit card receipts... There's plenty of ZIPped trojans being spammed around. The one that's being seeded right now claims to be a bounced Western Union money transfer. And the malware inside the ZIP is a ZBot banking trojan variant."

(Screenshots available at the URL above.)

:ph34r:



#15 AplusWebMaster

Posted 31 August 2008 - 09:04 AM

FYI...

Treasury Optimizer - malware update
- http://blog.trendmic...s-with-malware/
Aug. 30, 2008 - "Treasury Optimizer is an online banking tool offered by Capital One Bank which aims to provide secure access to business accounts on the Web, 24/7. Posed to replace electronic money, more popularly known as eCash, it offers to protect customers' accounts through security features such as multifactor authentication. Unfortunately, their security offerings come short, as we receive bulk phishing emails that "promote" the Treasury Optimizer. The phishing mail instructs the client to update their account due to a potential security risk that affects all of Capital One Bank products, including the Treasury Optimizer... The conventional phishing attack aims to capture users' credentials through fake login pages spammed through email. For this attack however, the phishing link given in the phishing email leads to a page that does not ask for credentials, but tells the user to download a file instead. When the user clicks the link contained in the phishing email, the following spoofed Treasury Optimizer Web page is displayed... The page explains that the bank had to fix (the) vulnerability; and in order to fix it, the client MUST download the update. It even displays different download links for different operating systems. It will then download an .EXE file that poses as an installation setup... The downloaded file is detected by Trend Micro as TROJ_SMALL.MAT. This malware-enhanced phishing attack is neither the typical type of phishing attack, nor is it less dangerous. The scope of a phishing attack is usually limited; one account from a target organization compromised in every successful attack. But this phishing attack installs malware on the affected user's system instead, and then uses it to monitor users' online activities, thus possibly disclosing more information..."

(Screenshots available at the URL above.)

:!: :ph34r:



#16 AplusWebMaster

Posted 03 September 2008 - 03:40 PM

FYI...

Fake celebrity news SPAM - Malicious Code
- http://securitylabs....lerts/3172.aspx
9.03.2008 - "...ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN and MSNBC themed templates. Recently, email alerts listing different popular events and news articles also encouraged users to download a video codec, which was actually a malicious file... The malicious payload is only accessed when the user clicks on the 'READ FULL STORY' link, which takes them to a Web page on a compromised site named index97.html, which issues a pop-up encouraging users to download a ‘missing’ video codec, a file called video98.exe... Here are a few examples of the varied subjects we have seen in this campaign:
Sensational news. Check the message.
Breaking news! Be the first to know.
Very important news.
Astonishing Please take a look.
Sensational information inside.
Check this out. This is a bomb
This is really great news. Please check.
..."

(Screenshots available at the Websense URL above.)

:ph34r: :grrr:



#17 AplusWebMaster

Posted 09 September 2008 - 11:16 AM

FYI...

SPAM campaign targeting US Presidential Election... Malicious Code
- http://securitylabs....lerts/3177.aspx
09.09.2008 - "Websense... has discovered an emerging email campaign which uses the US presidential election as a social engineering mechanism to install information-stealing code on a victim's machine. With less than 2 months before the start of the election, emails are circulating with fake news of a sex scandal affecting one of the candidates. Recipients of the email are encouraged to view a video supposedly involving the Democratic candidate Barack Obama. Users who click the link are shown a pornographic video taken from hxxp ://homemade*snip*.com/ . While the video plays for 14 seconds, malicious applications are installed on the victim's machine... The dropper installs 809.exe in the user's Temporary Internet Files folder. Also a Browser Helper Object (BHO) named Siemens32.dll is registered. This is an information-stealing application that posts data to a compromised Finnish travel site, hxxp ://*snip*-hotel.com/ ..."
(Screenshots available at the URL above.)

- http://www.f-secure....s/00001497.html
September 10, 2008 - "...Interestingly, there is no Medved Hotel in Finland... we have reported this to local authorities and they are working on getting the site shut down."
(More screenshots...)

:ph34r: :grrr:

Edited by apluswebmaster, 10 September 2008 - 07:25 AM.



#18 AplusWebMaster

Posted 12 September 2008 - 05:20 AM

FYI...

DHS email Scam
- http://www.us-cert.g...#dhs_email_scam
September 11, 2008 at 04:42 pm - "US-CERT is aware that spam email messages are being sent that appear to come from high-level DHS officials, some of which attempt to entice the user into an advance fee fraud scam. In some cases, the sender's address has been spoofed so that the email appears to come from a legitimate dhs.gov address..."

:ph34r: :grrr:



#19 AplusWebMaster

Posted 15 September 2008 - 12:41 PM

FYI...

Fake Postcards... Fake Hurricane Relief Web Site
- http://blog.trendmic...elief-web-site/
Sep. 14, 2008 - "... The Hurricane Gustav connection is not really that apparent in the following spammed email message... It informs recipients that they received a postcard, and if they desire to view it, they should click either of the two links in the message body. Recipients who are lured into believing that some family member has actually sent them a postcard are redirected to the following Web page when they click either link... The nameless family member (one would immediately notice that this is so impersonal) who sent the postcard also wants the recipient to donate to Gustav victims. A well-crafted "postcard" and a chance to help people in need, how heartwarming! But only if there indeed was a legitimate card, and only if the money actually went to those affected by the hurricane. Even if the Web site says so, donations through this dubious channel do not go to Red Cross. The criminals behind this scam are the only ones who get to keep the money..."

(Screenshots available at the URL above.)

:grrr: :ph34r:



#20 AplusWebMaster

Posted 17 September 2008 - 07:44 AM

FYI...

UPS tracking invoice trojan...
- http://isc.sans.org/...ml?storyid=5051
Last Updated: 2008-09-16 20:15:52 UTC - "We received two reports of fake UPS invoice tracking Trojan zip files. This is similar to other invoice Trojans we have seen... notice that while this appears to be a two way conversation it was really just the spammer who created the whole thing. The victim did -not- send UPS an email..."

(More detail at the URL above.)


- http://www.ups.com/c...s/virus_us.html

:ph34r:



#21 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 9,202 posts

Posted 21 September 2008 - 10:11 AM

FYI...

Fake Careerbuilder sites/phish...
- http://asert.arborne...iran-and-burma/
September 19, 2008 - "...new fast flux phishing malcode delivery scheme targeting CareerBuilder. Lures bring you in to a number of sites and launch malcode onto your system. Pretty classic technique these days, been used heavily for banks in the past couple of weeks... It’s a fast flux botnet, apparently doing double flux too... Much of that list comes from Gary Warner’s always excellent blog*. So, as many of you may be in the job market, keep in mind that not everything from CareerBuilder is really from them..."
* http://garwarner.blo...st-digital.html

(Screenshots available at both URLs above.)



#22 AplusWebMaster

Posted 22 September 2008 - 10:17 PM

FYI...

Facebook "add friend" Malicious SPAM
- http://securitylabs....lerts/3185.aspx
09.22.2008 - "Websense... has discovered a new malicious social-engineering spam campaign masquerading as official emails sent by the popular Web 2.0 social-networking site, Facebook. The email is spoofed to appear from the domain facebookmail.com, an official domain used by Facebook for their outbound emails when notifying their users of an event. It is common for Facebook to send an email to notify their users when another Facebook user adds them as a friend on the social network. However, the spammers included a zip attachment that purports to contain a picture in order to entice the recipient to double-click on it. The attached file is actually a Trojan horse..."

(Screenshot available at the URL above.)



#23 AplusWebMaster

Posted 23 September 2008 - 09:42 AM

FYI...

Wachovia... spy-phishing rootkit
- http://blog.trendmic...stalls-rootkit/
Sep. 22, 2008 - "... spy-phishing scheme targeting the Fortune 500 company and 4th largest banking chain in the US, Wachovia Bank. This attack ends in the execution of a rootkit, TROJ_ROOTKIT.FX, which is a file that hides files and processes, allowing malicious attacks to run entirely beneath the radar.
Macalintal warns that he has seen the following subject headings used in this attack:
* Wachovia Connection Update Alert.
* Wachovia Connection Customer Support - Security Updates.
* Wachovia Connection upgrade warning.
* Wachovia Connection Emergency Alert System...
The malicious links download a file named SPlusWachoviadigicert.exe. Trend Micro Smart Protection Network detects this as TROJ_AGENT.AINZ. It accesses a certain URL to download another malware that in turn drops and installs TROJ_ROOTKIT.FX. This infection chain can be cut off at various points by the Smart Protection Network as we already detect the spam, the malicious links therein, and the files that are downloaded and executed on the system...
The legitimate Wachovia Security Plus link can be accessed here*, where the company discusses several security issues and precautionary methods to avoid being tricked by these types of attacks..."
* http://www.wachovia....lus/0,,,00.html

(Screenshot available at the TrendMicro URL above.)



#24 AplusWebMaster

Posted 24 September 2008 - 10:21 PM

FYI...

American Airlines phish...
- http://securitylabs....lerts/3187.aspx
09.23.2008 - "Websense... has discovered a new phishing campaign targeting American Airlines AAdvantage® Program customers. Users receive an email, which is spoofed, that tries to convince the user that, if they log in and fill out a 5-question survey, they will get a $50 reward. The email provides a link that takes visitors to the phishing Web site. The email also provides a fake code which is meant to entice the user even more..."

(Screenshot available at the URL above.)



#25 AplusWebMaster

Posted 26 September 2008 - 08:27 AM

FYI...

World War 3 SPAM
- http://sunbeltblog.b...war-3-spam.html
September 25, 2008 - "This is particularly nasty spam pushing a fake codec trojan... If you go to that link, you get to a very convincing site pushing a fake codec. That CNNWorld was created yesterday, hosted in Iran..."

(Screenshots available at the URL above.)



#26 AplusWebMaster

Posted 26 September 2008 - 01:36 PM

FYI...

Bank fraud emails
- http://www.firstcybe.../news.asp#news1
25 September 2008 - "An increase in fraudulent activity is likely to follow the recent events in the banking sector... Customers with internet banking accounts are urged to take care if asked to respond to emails from banks which have been named as being involved in the recent takeovers and mergers. According to Director David Holman, "This is just the sort of confusion on which the fraudsters thrive. As these mergers and acquisitions continue in the banking sector, the consumer will expect to receive communications from their banks detailing name changes and giving them different websites to gain access to their internet bank accounts. Unless this is handled carefully it is a real opportunity for fraudsters to steal private information". While many of us are wary of emails purporting to be from our banks, the latest APACs figures show that 18% of people who receive them still click through to links included in these (e)mails..."

- http://news.cnet.com...0051688-83.html
September 25, 2008



#27 AplusWebMaster

Posted 30 September 2008 - 10:29 AM

FYI...

Same WW3 SPAM... more detail
- http://blog.trendmic...i-malware-spam/
Sep. 29, 2008 - "...SPAM announcing the declaration of World War III. The link provided points to a legitimate-looking CNN page with a video. However, users wishing to view this video are prompted to install an ActiveX Object... The supposed ActiveX Object is actually malware, which Trend Micro detects as TSPY_BANCOS.JN. TSPY_BANCOS.JN, like all BANCOS variants, is an info stealer that monitors the browser of the affected system. It waits for the user to access certain banking-related Web sites, then spoofs the login pages of the bank Web site to steal sensitive account information. The request to install an ActiveX Object is a popular ploy to spread malware these days, and this bogus ActiveX Object is yet another one designed to deceive the user to believe that he’s installing something useful..."

(Screenshots available at the URL above.)



#28 AplusWebMaster

Posted 01 October 2008 - 09:20 AM

FYI...

SPAM using e-mail "delivery receipt" to verify valid addresses
- http://preview.tinyurl.com/4tksdr
Sep. 30, 2008 (TrendLabs) - "...recent report of -spammers- using a feature called 'delivery receipt request' to verify if a certain email address exists. Delivery receipts are messages sent to the original sender of an email message to verify that the sent message has been delivered to the intended recipient. While message delivery receipt acknowledgment is indeed available in popular desktop mail clients (such as Microsoft Outlook), and can be selectively ignored, most Web email platforms automatically send a delivery receipt when requested to do so if the targeted account exists. A Microsoft page stating instructions on how to enable & use this feature in various releases of Outlook can be seen here*. In enabling this function, spammers can now send spam to a large number of addresses and subsequently filter out the legitimate ones easily — that is, if the recipient chooses to selectively acknowledge each delivery request, or simply chooses to acknowledge all messages which have this request embedded. This unwillingly places a recipient on the spammer's list of future victims just by acknowledging receipt of the initially sent spam. The delivery receipt function is ideally a useful feature especially for people who want to be absolutely sure that their message has been received. Unfortunately, this function, like so many other supposedly reputable functions, has been used for malicious intent instead..."
* http://support.microsoft.com/kb/192929
(In Outlook: >Tools >E-mail Options >Tracking Options - choose: "Never send a response")
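How the receipt-request trick shows up in the mail itself, as an added example (my own code, not from the TrendLabs post): a sender asks for a receipt with a Disposition-Notification-To (standard MDN request) or Return-Receipt-To header, and any client or webmail that answers automatically confirms the mailbox is live. The snippet below parses a raw message, reports the request, and lists the tells that separate address harvesting from a colleague asking whether a reply arrived. The two messages and all addresses are constructed for the demo; the "ignore / ask-user" policy is an assumption about what a sane client should do (there is deliberately no "auto-send" outcome, which is the Outlook setting the post tells you to turn off).

```python
"""Spot receipt requests in raw mail and decide whether they deserve any reply.

Added example, not code from the TrendLabs post. Standard library only; the two
messages below are constructed for the demo, not captured spam.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Disposition-Notification-To is the standard MDN (read-receipt) request header;
# Return-Receipt-To is an older, non-standard delivery-receipt request.
RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To")


def receipt_request(raw: bytes) -> dict:
    """Return which receipt headers are present and why (if anything) they look like harvesting."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, sender = parseaddr(str(msg.get("From", "")))
    sender = sender.lower()
    requests = {}
    for name in RECEIPT_HEADERS:
        value = msg.get(name)
        if value:
            _, addr = parseaddr(str(value))
            requests[name] = addr.lower()
    reasons = []
    if requests:
        # A receipt request on mail that is not a reply to anything we sent is the
        # harvesting pattern: the sender only wants to learn that the mailbox exists.
        if not msg.get("In-Reply-To") and not msg.get("References"):
            reasons.append("unsolicited message requests a receipt")
        for name, addr in requests.items():
            if addr != sender:
                reasons.append(f"{name} ({addr}) differs from From ({sender})")
        if str(msg.get("Precedence", "")).lower() in ("bulk", "list", "junk"):
            reasons.append("bulk mail requests a receipt")
    return {"from": sender, "requests": requests, "reasons": reasons}


def receipt_policy(raw: bytes) -> str:
    """Client policy (assumption): 'ignore' anything suspicious, otherwise 'ask-user'.

    There is intentionally no 'auto-send' outcome; automatic acknowledgement is
    exactly the behaviour the spammer relies on.
    """
    report = receipt_request(raw)
    if not report["requests"] or report["reasons"]:
        return "ignore"
    return "ask-user"


# Constructed samples (addresses and domains are placeholders).
SPAM = b"""From: "MSN Featured Offers" <offers@ads.example>
To: victim@mail.example
Subject: Internet Explorer 7 update available
Disposition-Notification-To: confirm@harvest.example
Precedence: bulk

Download the update from the link below.
"""

REPLY = b"""From: alice@corp.example
To: bob@corp.example
Subject: Re: contract draft
In-Reply-To: <20080930.1@corp.example>
Disposition-Notification-To: alice@corp.example

Did the PDF arrive intact?
"""

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("reply", REPLY)):
        print(label, receipt_policy(raw), receipt_request(raw)["reasons"])
```

Note that the receipt address differing from the From address is the strongest single tell here: the spoofed From belongs to whoever the spam impersonates, while the receipt has to go somewhere the spammer actually reads.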



#29 AplusWebMaster

Posted 06 October 2008 - 09:52 AM

FYI...

New YouTube malware tool
- http://blog.trendmic...e-malware-tool/
Oct. 5, 2008 - "A new hacking tool circulating in the Internet now allows malicious users to create fake -YouTube- pages designed to deliver malware. The said tool, detected by Trend Micro as HKTL_FAKEYOUT, features a user-friendly console in Spanish that a hacker may use to create a pair of Web pages that look eerily identical to legitimate -YouTube- pages.
With a little crafty social engineering, unsuspecting users may be led into the first of the fake pages, INDEX.HTML. Here, users may be disappointed to see that they cannot view their video as they need a new version of Adobe Flash Player or some plugin or codec. A link is handily provided, and clicking the link leads users to the hacker's file of choice, which could very possibly be something malicious. A second fake page informing users that the video they were trying to view cannot be shown is then displayed. This is to make users think that nothing's really happened, when in fact by downloading the plugin, malware may already be running in their systems.
Fake codecs remain popular masks for malware. The popularity of -YouTube- also makes it a preferred target for malware users who want to infect more users... HKTL_FAKEYOUT could be very dangerous because it is very accessible to script kiddies who could use it for their malware and hacking operations. Users are advised to always check the URLs of pages they are viewing. Also, product updates should be downloaded from the vendors themselves to ensure that these are legitimate and not malicious."

Also see:
- http://voices.washin...aker_helps.html
September 12, 2008

(Screenshots available at both URLs above.)

Edited by apluswebmaster, 07 October 2008 - 11:20 AM.


#30 AplusWebMaster

Posted 13 October 2008 - 03:39 PM

FYI...

Blogspot under push by malware authors
- http://sunbeltblog.b...re-authors.html
October 13, 2008 - "We’ve seen a number of new blogs on Blogspot today that push malware, pushing various search keywords...
Examples:
buzzwocdco. blogspot. com
iberianiceaande. blogspot. com
semtmbmshmenf. blogspot. com
These sites push fake codecs which generally make ones life quite miserable."

(Screenshot available at the URL above.)



#31 AplusWebMaster

Posted 14 October 2008 - 07:19 AM

FYI...

MS e-mail spoofs with malware
- http://blogs.technet...th-malware.aspx
October 13, 2008 - "... While malicious e-mails posing as Microsoft security notifications with attached malware aren't new (we've seen this problem for several years) this particular one is a bit different in that it claims to be signed by our own Steve Lipner and has what appears to be a PGP signature block attached to it. While those are clever attempts to increase the credibility of the mail, I can tell you categorically that this is not a legitimate e-mail: it is a piece of malicious spam and the attachment is malware. Specifically, it contains Backdoor:Win32/Haxdoor... we never, ever, ever send attachments with our security notification e-mails. And, as a matter of company policy, Microsoft will never send you an executable attachment. If you get an e-mail that claims to be a security notification with an attachment, delete it. It is always a spoof..."



#32 AplusWebMaster

Posted 14 October 2008 - 11:44 AM

FYI...

MSN Messenger used as lure in malicious SPAM
- http://securitylabs....lerts/3206.aspx
10.14.2008 - "Websense... has discovered a new malicious spam lure that uses the threat of a virus to encourage users to download a malicious Trojan. The email explains that by downloading the application linked within the email, users can protect themselves against a virus that spams messages to a user's contacts. The email offers an update to Live Messenger Plus - this is actually a Trojan (md5: 5F1D2521F6949F8B71B9FF93C17A8BE2). Antivirus detection rate is low... The URLs provided in the email redirect the user to a two-stage downloader named dsc.scr. As a distraction for the user, a dialog box is displayed explaining that the user will be redirected to msn.com.br. A browser then opens pointing to this site... A scheduled task is then created, and modifications are made to autoexec.bat to disable GBPlugin and other tools promoted by Brazilian banks to protect against such keyloggers and other malware..."

Hi5 "Add Friend" malicious SPAM
- http://securitylabs....lerts/3205.aspx
10.13.2008 - "Websense... has discovered a new malicious, visual social-engineering spam campaign masquerading as official emails sent by the popular Web 2.0 social-networking site Hi5. The email comes in Spanish language, and is -spoofed- to appear as if it comes from the domain hi5.com, an official domain used by Hi5 for their outbound emails when notifying their users of an event. It is common for Hi5 to send an email to notify their users when another Hi5 user adds them as a friend on the social network. However, the spammers embedded malicious links and a fake friend photograph in order to entice the recipient to click on them, which leads to a download of a Trojan horse (md5: 5f6b089f0048e6510c78bb38a3909b9c). The malicious application aims to steal confidential logins for a popular Mexican bank. A-V detection of this banker Trojan is low... A fake Hi5 friend request is included in the body of the email. We have previously alerted on a similar attack relating to Facebook "add friend" Malicious Spam. This clearly indicates that spammer and malware authors are increasingly targeting Web 2.0 sites to carry out their attacks..."

(Screenshots available at both URLs above.)



#33 AplusWebMaster

Posted 20 October 2008 - 02:59 PM

FYI...

Bogus spammed email eTickets - Continental Airlines...
- http://blog.trendmic...kes-a-worm-fly/
October 20, 2008 - "...Be careful when booking flights online or opening emails about your “online flight ticket”—or you could crash-land on a heap of malware trouble. TrendLabs researchers caught spammed email messages featuring bogus eTickets supposedly from Continental Airlines, the fourth-largest airline in the U.S. The message thanks the recipient for availing of a new service called “Buy flight ticket Online” and provides account details (even a password). Then it makes the recipient simply print out the attached “purchase invoice and plane ticket” before they use these, and they’re off! How convenient!... The attachment is named E-TICKET.ZIP, which in turn contains the file E-TICKET.DOC.EXE. “It’s the old double-extension trick to hopefully fool the user to double-click the attachment”... Trend Micro detects the file contained in the zipped attachment as WORM_AUTORUN.CTO. This worm propagates via removable drives and accesses websites to download other possibly malicious files. It also displays the icon of files related to Microsoft Word to avoid easy detection and consequent removal... The phrase "Your credit card has been charged" will just add more worry for the user, convincing him more to examine (read: double-click) the ‘flight details’... This seems to be a renewed campaign, as we first saw it in late August — only the featured airline then was Northwest Airlines, and the spam attachment led to rogue AV installation instead of a worm. Since then, the transaction fee has gone up; Northwest supposedly charged almost $700 while Continental about $915. And JetBlue Airways, it would seem, “charged” even more..."

(Screenshots available at the URL above.)
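The double-extension trick is cheap to catch before anyone double-clicks, so here is an added example (my own code, not from the Trend Micro post) that opens a ZIP attachment, looks at each member's name and first bytes, and reports executable extensions, a decoy extension in front of them, and PE content regardless of what the name says. The last check goes beyond the post: it also flags the reverse trick, a PE image named like a document. The ZIP is built in memory with placeholder bytes (a bare "MZ" header, not the worm), and the extension lists are assumptions, not a complete inventory of what Windows will run.

```python
"""Inspect a ZIP attachment for the double-extension trick and executable content.

Added example, not code from the TrendLabs post. Standard library only; the ZIP
built below is constructed in memory and contains stub bytes, not the real worm.
"""
import io
import zipfile

# Extensions Windows executes when double-clicked (assumed list, not exhaustive).
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta", "lnk"}
# Document-like extensions spam uses as the visible, decoy part of the name.
DECOY_EXTS = {"doc", "pdf", "txt", "jpg", "xls", "htm", "html", "zip"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons one ZIP member looks malicious (empty list = nothing seen)."""
    reasons = []
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension .{ext}")
        if len(parts) > 2 and parts[-2] in DECOY_EXTS:
            reasons.append(f"double extension .{parts[-2]}.{ext}")
    # Whatever the name says, a PE image starts with the 'MZ' DOS header.
    if head[:2] == b"MZ":
        reasons.append("PE header (MZ) in content")
        if ext not in EXEC_EXTS:
            reasons.append(f"PE content disguised as .{ext or '(none)'}")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each member name to its findings; only the first 64 bytes of each member are read."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)
            findings[info.filename] = classify_member(info.filename, head)
    return findings


def build_sample() -> bytes:
    """Constructed ZIP mimicking the spam's layout (harmless stub bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("E-TICKET.DOC.EXE", b"MZ" + b"\x00" * 62)   # decoy .DOC in front of .EXE
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 62)        # PE hidden behind a document name
        zf.writestr("itinerary.txt", b"Flight details follow\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample()).items():
        print(member, "->", reasons or "clean")
```

Reading only the member's first bytes keeps this safe to run on untrusted archives; nothing is extracted to disk.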



#34 AplusWebMaster

Posted 23 October 2008 - 12:04 AM

FYI...

Malicious BBB Certificate SPAM
- http://securitylabs....lerts/3213.aspx
10.22.2008 - "Websense... has discovered another round of malicious BBB spam today. The spam contains a spoofed -From- address to look as if the message was sent by the Better Business Bureau. The message uses social engineering tactics to entice readers to follow a link in the message in order to "register new software and update contact information". We have seen tens of thousands of these messages coming in since noon today. Also of note is that, from the format of these messages and the resulting links, this looks like it was done by the same group that has been spamming out malicious phishes targeting customers of Bank of America, Wachovia, Royal Bank, and others. Clicking on the link takes the victim to a page which -looks- like the BBB site. The site stresses that a digital certificate should be used while browsing the BBB site. It then provides a prompt to download a file called "TrustedBBBCertificate.exe" which is actually a Trojan Downloader (SHA-1 dcefc1fb912d7bb536de3e66d9c5c6c8465f0790). When this file is executed, it takes the victim to another Web page, which is hosted on another malicious domain, for the "Certificate Registration". This secondary site also tries to get the victim to download "TrustedBBBCertificate.exe"..."

(Screenshots available at the URL above.)



#35 AplusWebMaster

Posted 05 November 2008 - 10:58 AM

FYI...

Election result SPAM malware
- http://securitylabs....lerts/3229.aspx
11.05.2008 - "Websense... has discovered that malware authors are capitalizing on the recently announced results of the 2008 US Presidential election. Malicious email lures are being sent promising a video showing an interview with the advisors to the recently elected US President. The email actually contains links to a file called 'BarackObama.exe' hosted on a compromised travel site at hxxp://*snip*.com/web/BarackObama.exe. This file is a Trojan Downloader with MD5 9720d70a5da9ca442ecf41e9269f5a27. Upon execution files called system.exe and firewall.exe are dropped into the system directory. A phishing kit is unpacked locally, and the dropped files are bound to startup. The hosts file is also modified. Major anti-virus vendors* are not detecting this Trojan Horse..."
(Screenshots available at the URL above.)

* http://www.virustota...9b58053a00bc4e2
11.05.2008 19:58:04 (CET) - Result: 14/36 (38.89%)
Per: http://voices.washin...n_obama_wi.html

Edited by apluswebmaster, 05 November 2008 - 09:46 PM.


#36 AplusWebMaster

Posted 05 November 2008 - 02:10 PM

Same (kind of) stuff, same day...

Election result SPAM malware #2
- http://securitylabs....lerts/3230.aspx
11.05.2008 - "... further activity from malware authors using the news of the U.S. Presidential campaign outcome as bait to attract users into executing malicious executables. So far we have over 25,000 emails through our systems... In a very quick response to the outcome of the U.S. Presidential attacks we have now seen both localized and globalized attacks... Clicking on the link leads the user to a purposely registered domain which advises the user that they need to install the latest version of Adobe Flash player before the video can be viewed. The malicious Web site actually links to a file called 'adobe_flash.exe' with MD5 47C86509A78DC1EDB42F2964BEA86306. This is a Trojan Downloader packed with ASPack. Upon execution, a RootKit is installed on the compromised machine, and data is sent to multiple command and control servers..."

Also see:
- http://garwarner.blo...s-as-obama.html
November 05, 2008

- http://www.f-secure....s/00001530.html
November 5, 2008

- http://sunbeltblog.b...al-malware.html
11.05.2008

(Screenshots available at all URLs above.)

Edited by apluswebmaster, 05 November 2008 - 05:34 PM.


#37 AplusWebMaster

Posted 10 November 2008 - 06:50 AM

FYI...

SPAM from 'US Treasury' ...redirects to malicious sites
- http://blog.trendmic...alicious-sites/
November 9, 2008 | 11:52 pm - "Spammed email messages -supposedly- from The United States Federal Reserve Bank warn their recipients of a "large-scaled phishing attack" affecting several banks and credit unions... The email message gives details on the supposed phishing attack and adds that the US Treasury Department has also monitored a high level of illegal wire transfers. Having told recipients that, the email message then informs them of restrictions imposed on federal wire transfers as part of security measures being taken by concerned government agencies. The message helpfully gives some links where users can get more detailed information. But instead of being directed to a legitimate website, those who click are led to .org domains with names completely different from the websites of the Federal Reserve Bank, the Treasury Department, or the Federal Deposit Insurance Corporation... Other related attacks that use the names of legitimate government organizations or mask themselves as security measures include the following:
* 'Treasury Optimizer' Updates Systems With Malware
* Storm Goes Economic
* Fake IRS Web Sites Found (Again)
Users are advised to refrain from clicking links in unsolicited email messages. It is best to go directly to the website of the concerned organization for more information..."

(Screenshot available at the URL above.)



#38 AplusWebMaster

Posted 13 November 2008 - 03:04 PM

FYI...

SPAM - huge drops with McColo demise...
- http://marshal.com/t...asp?article=815
November 13, 2008 - "Yesterday, McColo Corp, the company responsible for hosting the control servers for several of the biggest spam botnets was taken offline*. Srizbi, Rustock, Mega-D and Pushdo botnets, as well as several others, all had control servers hosted on McColo's network. Last week these four botnets accounted for over 80 percent of all spam. In addition to botnet control servers, McColo was also known to host malicious software, fake antivirus and child pornography websites... Today, spam has significantly decreased and three of the major botnets, Mega-D, Srizbi and Rustock have almost completely stopped sending spam. Our daily spam volume index showed a massive drop over the last two days... We do not expect this drop in spam to continue for long; often the people or groups responsible for the malicious activity simply move to a new host and continue as normal. Nevertheless, such a dramatic decline in spam, however short-lived, is good news indeed and represents another blow for the cyber criminals."
* http://asert.arborne...es-mccolo-gone/
November 12, 2008

> http://www.spywarein...howtopic=121097

Edited by apluswebmaster, 13 November 2008 - 05:01 PM.


#39 AplusWebMaster

Posted 19 November 2008 - 10:45 PM

FYI...

PayPal SPAM warns of fraud - installs Worm instead
- http://blog.trendmic...s-worm-instead/
Nov. 18, 2008 - "A new fake PayPal email message is being spammed — this time, it is not the typical PayPal phishing email that everyone is accustomed to. Instead of including links asking for the recipient's personal information, this spammed message asks users to open a .ZIP attachment... It informs recipients that their PayPal accounts were hacked, and that some fraudulent activity may have occurred. As part of security measures, "PayPal" is asking users to review the "report" in the .ZIP file and then contact the company if anything unusual is discovered. The attachment that arrives with this spam, however, does not contain a report or any similar information. Inside the .ZIP archive is a worm that infects the recipient's computer upon execution..."

(Screenshots available at the URL above.)



#40 AplusWebMaster

Posted 28 November 2008 - 07:31 AM

FYI...

View Bank of America demo ...Owned.
- http://asert.arborne...g-got-big-fast/
November 27, 2008 - "The Obama spam and malcode gang is back at it with a new fast flux phishing and malcode ruse. This time it's a demo from the Bank of America that requires the classic "Flash Upgrade". At the peak I was seeing 400 unique URLs for this run an hour. The URLs were unique strings, possibly for tracking purposes or possibly to stress URL blacklists. But, when you look more closely you see they are just a handful of domain names. This is a lot like the Rock Phish of old. The malcode download routine is very typical. If you don't follow the lure, a meta-refresh will get ya... The malcode is tiny, but downloads hxxp ://silviocash .com/usp.exe, aka Paparus or Urlsnif. Driver file, rootkitted, and now the box will send info from IE (ie form data) to the hacker. Owned..."
* http://garwarner.blo...unt-do-not.html

(Screenshots available at both URLs above.)
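Two things in this post and in the CareerBuilder one from September (#21) are worth seeing as code: what "fast flux" looks like from the resolver's side, and why hundreds of unique URLs an hour collapse to a handful of domains. The added example below (my own, not Arbor's or Gary Warner's code) takes a few constructed DNS observations for two hostnames, counts distinct A records and distinct /24 prefixes over time against the TTL, and separately collapses a list of lure URLs to their registrable domains. Thresholds, the /24 grouping as a stand-in for "spread across many networks", the naive last-two-labels domain rule and every hostname and address are assumptions for the demo, not tuned values or real infrastructure.

```python
"""Fast-flux and URL-churn heuristics over constructed DNS and URL observations.

Added example; not code from the Arbor or Gary Warner posts. Thresholds, the /24
grouping and all sample data are assumptions chosen to illustrate the technique.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed resolver log: (time, domain, TTL seconds, A records in that answer).
# Addresses are from the documentation ranges, not real hosts.
OBSERVATIONS = [
    ("t0", "jobs-update.example", 180, ["198.51.100.7", "203.0.113.44", "192.0.2.19"]),
    ("t1", "jobs-update.example", 180, ["198.51.100.7", "203.0.113.91", "192.0.2.201", "198.51.100.230"]),
    ("t2", "jobs-update.example", 120, ["203.0.113.10", "192.0.2.77", "198.51.100.140"]),
    ("t0", "www.example.org", 86400, ["192.0.2.1"]),
    ("t1", "www.example.org", 86400, ["192.0.2.1"]),
]


def flux_score(observations, ttl_max=300, min_ips=5, min_prefixes=3):
    """Per domain: distinct IPs, distinct /24 prefixes, lowest TTL seen, and a verdict.

    A fast-flux name hands out many short-lived addresses scattered across networks;
    a normal name answers with the same one or two addresses and a long TTL.
    """
    ips = defaultdict(set)
    ttl = {}
    for _, domain, t, answers in observations:
        ips[domain].update(ipaddress.ip_address(a) for a in answers)
        ttl[domain] = min(t, ttl.get(domain, t))
    report = {}
    for domain, addrs in ips.items():
        prefixes = {ipaddress.ip_network(f"{a}/24", strict=False) for a in addrs}
        report[domain] = {
            "unique_ips": len(addrs),
            "unique_prefixes": len(prefixes),
            "min_ttl": ttl[domain],
            "fast_flux": ttl[domain] <= ttl_max and len(addrs) >= min_ips and len(prefixes) >= min_prefixes,
        }
    return report


# Constructed lure URLs: unique paths (tracking or blacklist-stressing), few domains.
URLS = [
    "http://jobs-update.example/a9f3k2/view.php",
    "http://jobs-update.example/zz81qq/view.php",
    "http://www.jobs-update.example/7hd0pl/view.php",
    "http://career-alert.example/b2/demo.html",
]


def collapse_urls(urls):
    """Unique URLs versus the registrable domains behind them.

    Registrable domain is taken as the last two labels; that is an assumption that
    is wrong for ccTLD second-level registries (co.uk etc.) and fine for the demo.
    """
    domains = set()
    for u in urls:
        host = urlsplit(u).hostname or ""
        domains.add(".".join(host.split(".")[-2:]))
    return {"unique_urls": len(set(urls)), "unique_domains": len(domains), "domains": sorted(domains)}


if __name__ == "__main__":
    for domain, r in flux_score(OBSERVATIONS).items():
        print(domain, r)
    print(collapse_urls(URLS))
```

The practical takeaway matches the post: block on the domain, not the URL, and watch the name's resolution history rather than any single answer.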



#41 AplusWebMaster

Posted 29 November 2008 - 01:15 PM

FYI...

Christmas malicious SPAM already...
- http://securitylabs....lerts/3248.aspx
11.27.2008 - "Websense... has discovered that malware authors are already using Christmas themes this year as a social engineering tactic, in an effort to gain control over compromised machines. This campaign uses email messages in the form of e-greetings, leading to supposed animated postcards. These actually lead to a Trojan backdoor that has been distributed in previous malicious spam campaigns. The email messages, spoofed to appear as though they have been sent from postcards.org, display an animated Christmas scene. A URL link within the email leads to a malicious file called postcard.exe hosted on various servers, including those in the .com TLD space. Once executed, a backdoor is created by the malware author enabling access and control over the resources of the compromised machine. Control is conducted over IRC, communicating with ircserver.*snip*.la. During the install process an image called xmas.jpg is displayed to the user as a distraction technique..."

(Screenshot available at the URL above.)



#42 AplusWebMaster

Posted 30 November 2008 - 07:30 AM

FYI... more holiday SCAMS...

- http://blog.trendmic...s-phish-fillet/
Nov. 29, 2008 - "Phishers always think out of the box, thinking of ways to fool victims into falling for their phishing schemes. Now... we've found a new twist - one that involves the popular fast-food chain McDonald's. The phishing page displays a fake Member Satisfaction Survey, and for the customer to take the bait, it promises $75 credit to the customer's account..."

- http://blog.trendmic...-files-hostage/
Nov. 28, 2008 - "...Just recently... a new version of the GPcode ransomware has surfaced... It drops several files which are also detected as TROJ_RANDSOM.A. After which, it searches and encrypts files found on any readable and writable drive on the system, rendering them inaccessible (without the encryption key). It also changes the file name of the encrypted files, by adding the .XNC extension. It also drops the file READ THIS.TXT in each folder that contains an encrypted file. This file informs the victim that the files have been encrypted, and that a decrypting tool must be purchased to decrypt the files. Email addresses are also included in the text file, which the victim must contact to obtain the decryption tool. Accordingly, the perpetrator of this crime demands £200 (US$307) for the decryption services... Users are strongly advised to back up their files so as not to be victimized by ransomware."

(Screenshots available at both URLs above.)

:ph34r: :grrr:

Edited by apluswebmaster, 30 November 2008 - 07:56 AM.



#43 AplusWebMaster

Posted 02 December 2008 - 09:21 PM

FYI...

McDonald's and Coca-Cola - malicious holiday Coupons and Promotions
- http://securitylabs....lerts/3250.aspx
12.02.2008 - "Websense... has discovered another infectious holiday email making the rounds. Victims are receiving messages promoting a coupon from McDonald's or a holiday promotion from the Coca-Cola company. Both messages include a .zip attachment that contains either coupon.exe or promotion.exe. The malicious files (SHA1 ca973b0e458f0e0cca13636bd88784b80ccae24d) are Trojan Droppers, but have low anti-virus detection at the moment. The McDonald's email claims to present their latest discount menu, and states that the attached coupon should be printed. The Coca-Cola email states that the attachment has details about their new online game and a chance to win Coca-Cola drinks for life..."
(Screenshots available at the URL above.)

(More Screenshots):
- http://blog.trendmic...-worm-carriers/

:( :ph34r: :grrr:

Edited by apluswebmaster, 03 December 2008 - 07:31 PM.



#44 AplusWebMaster

Posted 08 December 2008 - 01:21 PM

FYI...

SPAM - Malicious attachment / references real MS advisory
- http://securitylabs....lerts/3252.aspx
12.08.2008 - "The fraudulent email message references a real Microsoft Security Advisory 951306 (also known as CVE-2008-1436). The email provides instructions in both French and English. When the email's malicious attachment (MSC003-WIN.scr) is run, it connects via IRC to a BOT Controller, [removed]dns .be. This connection is not through the default port, but through port 81. The application binds to startup, ensuring it will be run automatically when the computer is restarted (as instructed in the email). The SHA1 of MSC003-WIN.scr is 2056c9fa1b97fca775cc7a01768fb39818963a94. Major antivirus vendors are -not- detecting the malicious attachment."

(Screenshot available at the URL above.)

:ph34r: :grrr:

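Both Websense alerts quoted above (the postcard.exe backdoor "controlled over IRC" and MSC003-WIN.scr talking IRC on port 81 instead of the default) make the same operational point: a port-based filter will not see this traffic. The script below is an added example, not Websense's analysis or code. It classifies the first lines of a captured TCP payload as IRC by message grammar (the RFC 2812 "[:prefix] COMMAND params" shape, simplified) rather than by port. The payloads and port numbers in it are constructed, 6667/6697 are assumed as the "expected" IRC ports, and none of the real C2 names from the alerts appear.

```python
"""Port-independent IRC detection on captured TCP payloads.

Added example (not Websense's code). Sample payloads are constructed.
"""
import re

# RFC 2812 message shape: optional ":prefix", then a letter command or a
# three-digit numeric reply, then optional parameters. Deliberately simple.
IRC_MSG_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?: (?P<params>.*))?$"
)

# Commands a client sends when it registers and joins; numeric replies
# (001, 375, ...) identify the server side.
IRC_CLIENT_CMDS = {"NICK", "USER", "PASS", "JOIN", "PRIVMSG", "PONG", "MODE"}

# Ports where IRC is expected (6667 plain, 6697 TLS); anything else is "nonstandard".
IRC_PORTS = {6667, 6697}


def parse_irc_line(line):
    """Return (prefix, COMMAND, params) or None if the line is not IRC-shaped."""
    m = IRC_MSG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return (m.group("prefix"), m.group("cmd").upper(), m.group("params") or "")


def looks_like_irc(payload, min_lines=2):
    """True when at least min_lines of the first eight lines parse as IRC and
    one of them is a client registration/channel command or a numeric reply.
    HTTP headers ("Host: x") fail the grammar because of the colon."""
    lines = payload.decode("latin-1", "replace").split("\n")[:8]
    parsed = [p for p in (parse_irc_line(l) for l in lines if l.strip()) if p]
    if len(parsed) < min_lines:
        return False
    cmds = {p[1] for p in parsed}
    return bool(cmds & IRC_CLIENT_CMDS) or any(c.isdigit() for c in cmds)


def classify_flows(flows):
    """Tag (dst_port, payload) pairs: irc / irc-on-nonstandard-port / not-irc."""
    out = []
    for port, payload in flows:
        if not looks_like_irc(payload):
            out.append((port, "not-irc"))
        elif port in IRC_PORTS:
            out.append((port, "irc"))
        else:
            out.append((port, "irc-on-nonstandard-port"))
    return out


# Constructed payloads (no real C2 hostnames or channels).
BOT_PAYLOAD = (b"NICK [USA|XP]12345\r\nUSER abc 0 * :abc\r\n"
               b"JOIN #chan key\r\nPRIVMSG #chan :ready\r\n")
SERVER_PAYLOAD = (b":irc.example.net 001 bot :Welcome to the network\r\n"
                  b":irc.example.net 375 bot :- MOTD\r\nPING :1230249601\r\n")
HTTP_PAYLOAD = (b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n"
                b"User-Agent: Mozilla/4.0\r\nConnection: close\r\n\r\n")
TLS_PAYLOAD = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 16

SAMPLE_FLOWS = [
    (81, BOT_PAYLOAD),      # the case in the alert: IRC bot on port 81
    (81, HTTP_PAYLOAD),     # legitimate HTTP on the same port
    (6667, BOT_PAYLOAD),    # IRC where IRC is expected
    (443, TLS_PAYLOAD),     # binary, not text protocol
]

if __name__ == "__main__":
    for port, verdict in classify_flows(SAMPLE_FLOWS):
        print(port, verdict)
```

The check is intentionally grammar-only; in a real sensor you would pair it with the "binds to startup" host indicator from the alert, since a persistence entry plus outbound IRC on an odd port is a much stronger signal than either alone.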


#45 AplusWebMaster

Posted 19 December 2008 - 11:29 AM

FYI...

IE 7 exploit... attacks using Doc files
- http://preview.tinyurl.com/5wfx74
December 17, 2008 - (AvertLabs.com) - "... Malware authors have been coming up with innovative mechanisms to leverage this exploit to social engineer the not so tech-savvy internet users. One of the most prominent and unique techniques adopted by the malware authors involves a Microsoft Word document being sent out [SPAM] to an unsuspecting user. Upon opening the Word document the embedded ActiveX control... is instantiated and executed... The control then makes a request to the webpage hosting the IE 7 exploit. The charm with this approach is that the exploit is downloaded and run without the knowledge or permission of the user. To the unsuspecting user it will just appear as yet another normal Doc file..."

:ph34r:



#46 AplusWebMaster

Posted 22 December 2008 - 12:42 PM

FYI...

Another holiday, another e-card Run - Waledec
- http://asert.arborne...rd-run-waledec/
December 21, 2008 - "But this time it’s not Storm, nor does it even seem at all like Storm. This one is dubbed Waledac. Infection strategy: entice email users to come to the website and get a greeting card. No graphics, but it will entice you anyhow. “Daniel just mailed to you an Online greeting card.” Thanks, Daniel!
Subject lines I’ve seen in our spamtraps:
• Merry Christmas greetings for you
• You have received an eCard
The website you go to says, “Merry Christmas”, and “If you don’t see your greeting card, just click here to download it.” Here comes /ecard.exe, as always, via a meta-refresh. No HTTP browser exploits on the site. This is hosted on a fast flux network... The ecard.exe binary is pretty much malcode, as you would expect... Pretty weak detection when we look via VirusTotal*. Two vendors dubbed it Waledec...
• Microsoft 1.4205 2008.12.20 Trojan:Win32/Waledac.A
• NOD32 3709 2008.12.20 a variant of Win32/Waledac ..."

* http://www.virustota...68a029cbc1e27f5

:ph34r:



#47 AplusWebMaster

Posted 26 December 2008 - 09:26 AM

FYI...

Christmas e-card malware...
- http://isc.sans.org/...ml?storyid=5557
Last Updated: 2008-12-26 03:12:19 UTC ...(Version: 2) - "... over the last (few) days there has been an increase in malicious Christmas cards distributing the Waledac worm. The e-mails consist of a hyperlink to a "Christmas card"... The user will need to click on either button, get a Security Warning and will need to accept the fact that an executable is being run... Some of the domains that were reported to us by readers (thanks Mike and the Shadowserver foundation) include:
bestchristmascard .com
blackchristmascard .com
cheapdecember .com
christmaslightsnow .com
decemberchristmas .com
directchristmasgift .com
freechristmassite .com
freechristmasworld .com
freedecember .com
funnychristmasguide .com
holidayxmas .com
itsfatherchristmas .com
justchristmasgift .com
livechristmascard .com
livechristmasgift .com
superchristmasday .com
superchristmaslights .com
whitewhitechristmas .com
yourchristmaslights .com
yourdecember .com
Note that this list is still very much incomplete. We may post updates.
For now, we recommend:
• Blocking the download of 'ecard.exe', or the affiliated domains on your corporate proxy;
• Ensure that your anti-virus and anti-spam solutions are updated frequently as the AV vendors build coverage for this new threat. Given the mass mailing nature, spam protection is likely to be the first to pick up on this...
Arbor Networks has an interesting blog entry* up on the flux tactics involved with this threat here. For further data on the worm itself, visit Symantec's writeup**."
(Screenshot available at the ISC url above.)

* http://asert.arborne...rd-run-waledec/

** http://www.symantec....e...-99&tabid=2

- http://blog.trendmic...ooding-inboxes/
Dec. 26, 2008

:ph34r: :grrr: :ph34r:

Edited by apluswebmaster, 26 December 2008 - 08:38 PM.

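The ISC recommendation above is to block ecard.exe downloads or the listed domains at the corporate proxy. The practical follow-up is to run the same list against what the proxy already logged, to find hosts that fetched the card before the block went in. The script below is an added example (mine, not ISC's or Shadowserver's code): it takes the twenty domains from the diary plus the two lure file names seen on this page (ecard.exe here, postcard.exe in the earlier Websense alert) and flags matching requests in Squid native-format access log lines. The log lines are constructed, not real traffic; the Squid format is an assumption; and matching subdomains (ns1.<domain>) against the list is my choice, since the flux name servers live under the same names.

```python
"""Flag proxy-log requests that match the Waledac e-card indicators.

Added example, not ISC's tooling. Domain list reassembled from the diary's
de-fanged "name .com" form; log lines below are constructed; Squid native
access.log layout is assumed.
"""
import re
from urllib.parse import urlsplit

WALEDAC_DOMAINS = {
    "bestchristmascard.com", "blackchristmascard.com", "cheapdecember.com",
    "christmaslightsnow.com", "decemberchristmas.com", "directchristmasgift.com",
    "freechristmassite.com", "freechristmasworld.com", "freedecember.com",
    "funnychristmasguide.com", "holidayxmas.com", "itsfatherchristmas.com",
    "justchristmasgift.com", "livechristmascard.com", "livechristmasgift.com",
    "superchristmasday.com", "superchristmaslights.com", "whitewhitechristmas.com",
    "yourchristmaslights.com", "yourdecember.com",
}

# Lure file names seen on this page (ISC: ecard.exe; Websense: postcard.exe).
LURE_FILES = {"ecard.exe", "postcard.exe"}

# Squid native log: time elapsed client code/status bytes method URL ident hier type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def registered_domain(host):
    """Return the blocklisted domain that host equals or sits under, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in WALEDAC_DOMAINS:
            return candidate
    return None


def classify(url):
    """Indicator tags for one URL: 'domain:<d>' and/or 'file:<name>' (empty = clean)."""
    parts = urlsplit(url)
    tags = []
    hit = registered_domain(parts.hostname or "")
    if hit:
        tags.append("domain:" + hit)
    fname = parts.path.rsplit("/", 1)[-1].lower()
    if fname in LURE_FILES:
        tags.append("file:" + fname)
    return tags


def scan_log(lines):
    """Return (client, url, tags) for every parsable request that hits an indicator."""
    hits = []
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("url"))
        if tags:
            hits.append((m.group("client"), m.group("url"), tags))
    return hits


# Constructed sample log (not real traffic). Line 4 shows why the file-name
# rule matters: the lure hosted on a domain that is not on the list yet.
SAMPLE_LOG = """\
1230249601.123    120 10.0.0.12 TCP_MISS/200 4321 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
1230249602.456     90 10.0.0.12 TCP_MISS/200 1234 GET http://superchristmasday.com/ - DIRECT/198.51.100.7 text/html
1230249603.789    300 10.0.0.12 TCP_MISS/200 99000 GET http://superchristmasday.com/ecard.exe - DIRECT/198.51.100.7 application/octet-stream
1230249604.001     50 10.0.0.33 TCP_MISS/200 2048 GET http://cdn.example.net/cards/ecard.exe - DIRECT/203.0.113.5 application/octet-stream
1230249605.002     50 10.0.0.33 TCP_MISS/200 2048 GET http://ns2.yourdecember.com/ - DIRECT/203.0.113.5 text/html
""".splitlines()

if __name__ == "__main__":
    for client, url, tags in scan_log(SAMPLE_LOG):
        print(client, url, ",".join(tags))
```

A client that appears with both a "domain:" and a "file:" tag (10.0.0.12 in the sample) downloaded the binary and should be treated as compromised until the host is checked; a bare "domain:" hit is a click on the lure that the proxy may or may not have let through.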


#48 AplusWebMaster

Posted 30 December 2008 - 08:52 AM

FYI...

More "Fake AV" Incarnations Making The Rounds
- http://isc.sans.org/...ml?storyid=5584
Last Updated: 2008-12-30 01:39:49 UTC - "Using obfuscated JavaScript techniques, more "Fake Anti Virus" malware is continuing to present itself to unsuspecting Internet users - in the hopes of gaining an installation through the use of rather effective, social engineering methods. Some of the latest incarnations observed in the past 24 hours continue to maintain low levels of AV detection (less than 15% based on VirusTotal analysis)... In terms of propagation, getting a "hit" from this malware is as easy as entering a series of search terms on your favorite search engine, and unluckily picking a search result that delivers nothing more than the misleading introductory screen and fake anti-virus pop-up alerts (with their associated "D-level" English grammar). Should you unfortunately find yourself victim to this, remember to not click anywhere on the screen, but instead use "Task Manager - Applications" to terminate the victimized web browser session."

:blush:



#49 AplusWebMaster

Posted 01 January 2009 - 11:04 AM

FYI...

- http://www.shadowser...lendar.20081231
31 December 2008 - "...A new trojan, which has been called a Waledac variant, appeared in recent weeks hyping up Christmas e-cards with nice inviting e-mails leading you to a cute website that you can get your e-card at... Lately the website has been peddling either "ecard.exe" or "postcard.exe" for download. But the fun does not end there. There's a nice little JavaScript reference pointing to "google-analysis.js" which has some nasty excitement embedded into it. The JavaScript currently loads a page from the domain "seocom .mobi" which in turn attempts to exploit the user and install a trojan which gets its commands from the same site. It is ultimately instructed to download and install the same Waledac trojan.
Fast-flux Domains
These e-mail lures have involved several different domains of which all are part of a fast flux network... The best option is to block the domains. The following is a list of all of the domains known to Shadowserver to be associated with the Waledac trojan: ...( see the Shadowserver URL above for the list of domains ) ...the trojan is fairly loud and starts beaconing right away to seeded hosts... we suspect the network is using some form of strong encryption for this communication...
Storm Worm?
Right! You are not the only one thinking this. In fact a lot of people are drawing similar comparisons. There are a ton of differences, but there's also a bunch of similarities for sure. Here are a few similarities we along with our fellow collaborators/security researchers have come up with:
• Fast-flux Network (domains are fast fluxing and name servers frequently change IPs)
• Several Name Servers per Domain (ns[1-6].<waledac.domain>)
• Use of Nginx (sure lots of people use it, but hey it's a similarity)
• Spreading through e-mail and Holiday Themes
• Use of "ecard.exe" and "postcard.exe" (both previously used by Storm)
• Drive-by Exploit in Domains (Storm previously used Neosploit) ...
Prevention and Detection
The first step as always is -not- to click the links from your e-mail. This will keep you relatively safe and Waledac free... Your next step is to block the above listed domains. There will surely be new ones added to the mix in the future, but blocking this will definitely help in the near term. Antivirus being up to date can't hurt either..."

:!:

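Shadowserver's list of Storm similarities above (fast-fluxing A records, ns1-ns6 name servers whose IPs keep changing, short TTLs) reads like a detection heuristic, and the Arbor post earlier in the thread makes the same "hosted on a fast flux network" observation. The script below is an added example, not Shadowserver's or Arbor's tooling: it scores passive-DNS style observations per domain by distinct A records, distinct name-server glue IPs, distinct /16 prefixes and minimum TTL. It follows the flux-score idea from Holz et al., "Measuring and Detecting Fast-Flux Service Networks" (NDSS 2008), but substitutes /16 prefixes for ASNs so that it runs offline. The thresholds are my assumptions, and the DNS observations are constructed: one of the diary's domains plays the fluxing sample, example.org the stable control, and all addresses come from documentation or private ranges.

```python
"""Fast-flux scoring over passive-DNS style observations.

Added example, not Shadowserver/Arbor code. Thresholds are assumptions;
observations are constructed. Prefix (/16) diversity stands in for the ASN
diversity used by Holz et al. (NDSS 2008), which would need network lookups.
"""
from collections import defaultdict
from ipaddress import ip_address

# One observation: (unix_time, owner_name, rrtype, rdata, ttl)


def zone(name):
    """Registrable domain, assuming two-label zones like the .com names in the diary."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def collect(observations):
    """Per zone: A-record IPs of the apex, NS names, glue IPs of those NS, apex TTLs."""
    stats = defaultdict(lambda: {"a_ips": set(), "ns_names": set(),
                                 "ns_ips": set(), "ttls": []})
    # Pass 1: learn the name servers so glue A records can be attributed below.
    for _ts, name, rrtype, rdata, _ttl in observations:
        if rrtype == "NS":
            stats[zone(name)]["ns_names"].add(rdata.lower().rstrip("."))
    # Pass 2: apex A records versus name-server glue.
    for _ts, name, rrtype, rdata, ttl in observations:
        if rrtype != "A":
            continue
        name = name.lower().rstrip(".")
        s = stats[zone(name)]
        if name == zone(name):
            s["a_ips"].add(rdata)
            s["ttls"].append(ttl)
        elif name in s["ns_names"]:
            s["ns_ips"].add(rdata)
    return stats


def metrics(s):
    """Counts that drive the decision; /16 prefix count approximates network spread."""
    all_ips = s["a_ips"] | s["ns_ips"]
    return {
        "a_records": len(s["a_ips"]),
        "ns_names": len(s["ns_names"]),
        "ns_ips": len(s["ns_ips"]),
        "prefixes": len({int(ip_address(ip)) >> 16 for ip in all_ips}),
        "min_ttl": min(s["ttls"]) if s["ttls"] else None,
    }


def flux_report(observations, min_a=5, min_prefixes=3, max_ttl=600):
    """Label each zone fast_flux when it shows many A records across many
    prefixes with short TTLs. Thresholds are assumptions, not measured values."""
    report = {}
    for z, s in collect(observations).items():
        m = metrics(s)
        m["fast_flux"] = (m["a_records"] >= min_a
                          and m["prefixes"] >= min_prefixes
                          and m["min_ttl"] is not None
                          and m["min_ttl"] <= max_ttl)
        report[z] = m
    return report


def constructed_observations():
    """Constructed data: four lookups of a fluxing domain that rotate through six
    /16s with six rotating name servers, plus a stable control domain."""
    obs = []
    flux = "superchristmasday.com"
    pools = ["198.51.100.", "203.0.113.", "192.0.2.",
             "10.11.12.", "172.16.5.", "100.64.1."]
    for rnd, ts in enumerate((0, 300, 600, 900)):
        for k in range(3):
            obs.append((ts, flux, "A", pools[(rnd + k) % 6] + str(10 + rnd), 120))
    for i in range(1, 7):
        ns = f"ns{i}.{flux}"
        obs.append((0, flux, "NS", ns, 120))
        obs.append((0, ns, "A", pools[i - 1] + "200", 120))
        obs.append((900, ns, "A", pools[i % 6] + "201", 120))
    for ts in (0, 900):
        obs.append((ts, "example.org", "A", "203.0.113.250", 86400))
        obs.append((ts, "example.org", "NS", "ns.example.org", 86400))
        obs.append((ts, "ns.example.org", "A", "203.0.113.251", 86400))
    return obs


if __name__ == "__main__":
    for z, m in sorted(flux_report(constructed_observations()).items()):
        print(z, m)
```

Feed it the resolver's query log or a passive-DNS export instead of the constructed list and the same report tells you which of the diary's domains are still fluxing; the name-server glue churn is the part the Shadowserver write-up singles out, and it is tracked separately here so a domain with a stable apex but rotating ns1-ns6 still stands out.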


#50 AplusWebMaster

Posted 05 January 2009 - 07:39 PM

FYI...

Twitter-Facebook Phishing...
- http://isc.sans.org/...ml?storyid=5623
Last Updated: 2009-01-04 15:45:09 UTC - "Several readers have sent us information about a phishing attempt based on Twitter and possibly Facebook. It looks like the twitter folks have it well under control*, but as always with your Internet experience, vigilance and skepticism are your friends..."
* http://blog.twitter....e-phishing.html
January 03, 2009

- http://preview.tinyurl.com/73gm9n
01/05/2009 cgisecurity.net - ""Days after a wave of phishing attacks fooled thousands of Twitter users, it appears that another security hole has been found by...someone... The Fox tweet was deleted an hour after it was posted, so the password may not have been changed... This can't be good for Twitter. It will be good for the people calling for more secure, standards based authentication on Twitter and elsewhere around the web."
- readwrite web
From Twitter's blog: http://blog.twitter....ng-madness.html
"...The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend. These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can't remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure"..."

- http://blog.trendmic...er-or-facebook/
Jan. 5, 2009

:blush:

Edited by apluswebmaster, 06 January 2009 - 10:59 AM.





