SpywareInfo Forum

SPAM frauds, fakes, and other MALWARE deliveries...

#1 AplusWebMaster (Full Member, joined 18-May 04)
Posted 10 August 2008 - 07:32 PM

FYI...

Fake IE 7 update SPAM...
- http://isc.sans.org/...ml?storyid=4852
Last Updated: 2008-08-10 09:56:42 UTC - "A number of readers have alerted us to a round of IE7 update spam being sent out. The e-mails read:

"You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice."

Well, true enough Microsoft will not be responsible as its not from them! (Shock / Horror). For the sample we received, VT has good coverage:
- http://www.virustota...1a8542a90401b6f ..."

//
AplusWebMaster
~ Are you up to date or vulnerable to Hackers? ...or both?
Security is only as good as the weakest link.
~ ISC ~
.

#2 AplusWebMaster
Posted 11 August 2008 - 08:13 AM

FYI...

IM: Instant Malware... Yahoo! Messenger fraud
- http://blog.trendmic...nstant-malware/
08.10.2008 - "Instant messaging (IM) applications are popular infection vectors — malware authors are known to use instant messaging platforms to spread malware by sending either malicious files or URLs. Trend Micro researchers have recently witnessed spammed email messages that use the popular IM application Yahoo! Messenger in propagating malware, but in a very different way than previously mentioned... Clicking the Download now link downloads the file msgr8.5us.exe into the affected system. When executed, it drops the following files:
* mirc.ini - detected by Trend Micro as Mal_Zap
* csrss.exe - detected by Trend Micro as BKDR_ZAPCHAST.AX
* sup.exe - detected by Trend Micro as BKDR_MIRCHACK.CE
For targeted victims which do, in fact, use Yahoo! Messenger, the promised update may prove hard to resist. The same email message even instructs users to pass the news to friends by sending them the source - not very friendly if the supposed update would lead one’s contacts to malware... Downloading from the software vendors themselves still is the safest way to go."

(Screenshot available at the URL above.)


#3 AplusWebMaster
Posted 12 August 2008 - 06:18 PM

FYI...

Bogus IE7 and MSRT - SPAM
- http://blog.trendmic...cious-software/
August 12, 2008 - "Spam claiming to be from Microsoft and offering download links to Internet Explorer 7.0 and Windows Malicious Software Removal Tool appear in the wild... To buy themselves some credibility, spammers added what seems to be a disclaimer from MSN Featured Offers, which is a newsletter service by MSN, where users subscribe to “offers” from a number of categories. MSN then sends certain discounts and offers to the subscribers depending on the category they have chosen. Upon clicking the links, malicious files are downloaded onto the user’s system. Trend Micro detects the downloaded files as TROJ_RENO.ADX and TROJ_MONDER.HM..."

(Screenshot available at the URL above.)


#4 AplusWebMaster
Posted 13 August 2008 - 04:28 PM

FYI...

Bogus CNN/MSNBC news...
- http://securitylabs....lerts/3159.aspx
08.13.2008 - "Websense.... has discovered a new replica wave of 'msnbc.com - BREAKING NEWS' alerts that are being sent out via spam emails. Similar to previous attacks related to 'Bogus CNN Custom alerts', these emails contain links to a legitimate news page, but are designed to encourage users to download a malicious application posing as a video codec... Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN-themed templates - most recently email alerts listing the different popular events and news articles, which also encouraged users to download a video codec, which was actually a malicious file. (The malicious payload is only accessed when the user clicks on the ‘breakingnews.msnbc.com’ link, which takes users to a Web page named up.html. This page issues a pop-up encouraging users to download a ‘missing’ video codec, a file called adobe_flash.exe.)
Here are a few examples of the varied subjects we have seen in this campaign:
msnbc.com - BREAKING NEWS: Michael Phelps wins 10th career gold, making him the winningest Olympian in history
msnbc.com - BREAKING NEWS: China beats out U.S. for gold in women's team gymnastics
msnbc.com - BREAKING NEWS: Dark Knight establishes dominance with 400 million mark
msnbc.com - BREAKING NEWS: How to save money on gas
msnbc.com - BREAKING NEWS: Preliminary polls for the election
msnbc.com - BREAKING NEWS: McDonald's found to breach FDA regulations, suspended from trading
msnbc.com - BREAKING NEWS: Jury duties for you
msnbc.com - BREAKING NEWS: Find out how to get top returns for your money at minimum risk
msnbc.com - BREAKING NEWS: Abortion outlawed in California
msnbc.com - BREAKING NEWS: Buy gold at lowest prices and make immediate profits
msnbc.com - BREAKING NEWS: Anthrax case solved
msnbc.com - BREAKING NEWS: Arsenal buys Ronaldo from Man Utd
msnbc.com - BREAKING NEWS: Too much freedom will destroy America
msnbc.com - BREAKING NEWS: Copycat murderer beheads woman on Greyhound bus
msnbc.com - BREAKING NEWS: NASDAQ index gains 720 points overnight upon war announcement
msnbc.com - BREAKING NEWS: Sony announces replacement to successful PSP gaming system
msnbc.com - BREAKING NEWS: Americans loves to sue people
msnbc.com - BREAKING NEWS: Please give your opinions for change
msnbc.com - BREAKING NEWS: Sandwich recall amid Salmonella outbreak ..."
(Screenshot available at the Websense URL above.)


- http://www.f-secure....s/00001485.html
August 13, 2008 - "...Apparently people stopped clicking on -fake- CNN links as today the attackers switched the mails to look like they are now coming from MSNBC..."

CNN and MSNBC Olympic spoof emails - 5 million spam messages per hour
- http://securitylabs....Blogs/3160.aspx
08.14.2008

This post has been edited by apluswebmaster: 15 August 2008 - 03:53 AM

#5 AplusWebMaster
Posted 15 August 2008 - 03:54 AM

FYI...

Fake AV Trojans Ramping Up
- http://blog.trendmic...ans-ramping-up/
August 14, 2008 - "...new set of rogue antivirus software circulating in the wild. Based on initial analysis, these threats arrive mainly via spammed email messages that contain a link to a bogus celebrity video scandal, although we have also received reports that the said link is also circulating in instant messaging applications and private messages in social networking Web sites. Once the said URL link is clicked, the Web threat infection chain begins and ultimately leads to the downloading of a Trojan detected by Trend Micro as TROJ_FAKEAV.CX, a rogue antivirus that displays very convincing (and for some, alarming) messages... TROJ_FAKEAV.CX also drops another malware, detected as TROJ_RENOS.ACG. RENOS Trojans are known to have very visual payloads that may further alarm users (for example, they modify the system’s wallpaper and screensaver settings to display BSOD). Thus, users may be more convinced that something’s wrong with their system, not knowing that their new software is the one causing it. Rogue antispyware isn’t entirely new, although our researchers have been seeing an increase in activity for the past couple of months... Perhaps it’s because this is also the time of the year when the more legitimate security suites are releasing their latest software updates, and cybercriminals are riding on this season to ramp up their profits. Bad news for the infected users though, as their latest versions of “antivirus software” are actually adding more threats to their system..."

(Screenshots available at the URL above.)

This post has been edited by apluswebmaster: 15 August 2008 - 04:18 AM

#6 AplusWebMaster
Posted 18 August 2008 - 09:28 AM

FYI...

Fake FedEx emails
- http://securitylabs....lerts/3161.aspx
08.18.2008 - "...The notifications claim to be from FedEx and explain that a package sent by the recipient in the past month was not delivered. The message has an attachment claimed to be a copy of the invoice. The attachment is in a zip file but is actually a Trojan Downloader. This spam wave is a continuation of an ongoing theme used in recent months of using a parcel service invoice as the social engineering attack vector..."

(Screenshot available at the URL above.)


#7 AplusWebMaster
Posted 19 August 2008 - 06:24 AM

FYI...

Facebook - Viral SPAM
- http://securitylabs....Blogs/3162.aspx
08.18.2008 - "... We've had to create numerous tools and methods to detect these types of attacks because most Web 2.0 social networking sites are difficult to track due to limited public access to most accounts. Most social networking accounts can only be viewed if the account holder explicitly accepts or requests another account to be added as a "friend". A generic Web crawler and even a search engine Web crawler would not be able to mine the pages on a social networking site due to lack of permission... attacks on Facebook and MySpace are nothing new. There have been continual, targeted Facebook attacks for some time now... A very enticing email was sent to one of our test accounts, letting us know that something had been written about us, and that we'd probably want to read more about it. An average user would probably want to know what was written about them, especially because it's on a public blog such as blogspot. Most users have an enormous amount of trust in their fellow Facebook friends. So, the chances of a user clicking on one of these emails is tremendously high. The attackers in this case were able to legitimately have Facebook send a spam email by compromising an account that the test user was "friends" with, and writing a comment on the test user's wall. Writing on the wall triggered an automatic email to the test user's email account with the message that was written on the wall. So, in this case Facebook wall writing is being used as a mechanism to send spam... this particular attack has been going on for over six months. The phishing URL... was registered in July 2008, but several domains have been used in this ongoing attack. Its nameserver is responsible for a load of other phishing domains, including numerous MySpace phishing pages. Users are clicking on these links manually, either when they receive them in email or read them on their walls. They click on the link, get redirected to a phishing page, and manually input their credentials.
Attackers are then using their credentials to post manually and perhaps automatically to their wall, as well as their friends' walls, allowing them to spread within the walls of the social networking world. As social networking sites become the place where the majority of Web users are spending the majority of their Internet time, we're going to see more and more MySpace, Facebook, and other social networking attacks. Web 2.0 Web sites open up a huge attack vector to exploit transitive trust. Attackers know it, and are actively taking advantage of it.
References:
http://pi3141.wordpr...ishing-warning/
http://www.matthewbi...cebook-forgery/
http://thenextweb.or...ack-from-china/ "

(Screenshots available at the Websense URL above.)


#8 AplusWebMaster
Posted 20 August 2008 - 08:13 AM

FYI... (Screenshot available at the URL below.)

Photobucket phish...
- http://blog.trendmic...t-gets-phished/
August 19, 2008 - "Photobucket is, by far, one of the largest photo-sharing sites in the world. It is generally used for personal photographic albums, remote storage of avatars displayed on Internet forums, and storage of videos. Lots of people may like to keep their albums private, allowing password-protected guest access, or open them up to the public. And now this photo-sharing site is being attacked by phishers... The login page above looks exactly like the original site that lures the users to enter their user name and password. Once victims enter their credentials, phishers can use them to obtain full access to their Photobucket account, and may use their albums to insert malicious code... popular image hosting sites have become the targets of several different attacks:

Turkish Hackers Relive Memories in Photobucket
- http://blog.trendmic...-in-photobucket
06.25.2008

Two New Yahoo Phish Sites
- http://blog.trendmic...hoo-phish-sites
07.31.2008 ..."


#9 AplusWebMaster
Posted 21 August 2008 - 10:05 AM

FYI...

Russia-Georgia conflict - malware SPAM
- http://www.us-cert.g..._russia_georgia
August 21, 2008 - " US-CERT is aware of public reports* of malware circulating via spam email messages related to the Russia/Georgia conflict. These messages contain factual information about the conflict. The messages also contain download instructions for the user to watch a video that is attached to the message. If a user opens the attachment, malware may be downloaded and installed onto their system..."

* http://preview.tinyurl.com/58u83x
08-21-2008 (Symantec Security Response Blog)
Russia/Georgia Conflict News Used to Hide Malicious Code in Spam
"...The messages themselves contain an attachment, along with instructions and passwords for the download of the attachment... One subject line that has been seen reads:
“Subject: Journalists Shot in Georgia”... The attachment contains no videos; rather, the attachment redirects to a link that delivers a payload identified as Trojan.Popwin... We have observed several -million- instances of this particular spam attack delivering malicious code..."


#10 AplusWebMaster
Posted 21 August 2008 - 04:16 PM

FYI...

- http://sunbeltblog.b...-in-trojan.html
August 21, 2008 - "We’ve seen the same trojan being sent to inboxes in all kinds of ways — and seemingly obsessively on the subject of Angelina Jolie. Minor shift, now they’re putting the fake codec window right in the spam. Pushes video.avi.exe, a fake alert trojan which invariably installs Antivirus XP 2008 or some such rogue security program."

(Screenshot available at the URL above.)


#11 AplusWebMaster
Posted 26 August 2008 - 10:12 AM

Spoofs, forgeries, and the like...

FYI...

- http://isc.sans.org/...ml?storyid=4927
Last Updated: 2008-08-24 18:15:34 UTC - "I received an email today from a reader (thank you) who reported that they received a piece of spam today that came from the address: monitoring @isp.com. (Notice the domain name.) Now, we have seen this type of spam before, you know, perpetrating like it comes from your ISP while just having a malicious link in it, etc. Except this time the spam was signed "ISC monitoring team" (Notice the first three letters, and how they differ from the domain name). So I am guessing that someone is trying to imitate us. And while we recognize that imitation is the sincerest form of flattery, this kind could be actually damaging. Rest assured our faithful readers, this is not from us. First of all our email addresses are not "isp.com", nor "monitoring". We don't sign our emails "ISC monitoring team". Nor do we spell the word "Consortium" -- "Consorcium" (misspelling from the email)..."

- http://www.f-secure....s/00001488.html
August 26, 2008 - "This morning we saw several spam runs in the country of Denmark. The messages are in Danish and they are sent to Danish e-mail addresses. The e-mail claims to be from us. It's not. Here's what the email looks like:
From: supportupdate@f-secure.com
Date: 26. August 2008 08:31
Subject: Data er tillagt og sendt med denne meddelelse.
Käre kunder!
Regning
Data er tillagt og sendt med denne meddelelse.
Jeg bruger gratis F-secure antispamversion, som allerede har fjernet 338 spambreve.
Antispam er helt gratis for private brugere.
Attachment: f-secure.rar
The attachment contains a file called update26.08.2008.exe, which, when run, drops a file called dcbcg.exe (Unker-related trojan) that connects to a server in Ukraine. We detect this trojan as Trojan:W32/Agent.FVO... The spam run must have been fairly large, as we've received more than 13,000 bounces to supportupdate @f-secure.com from non-existent email addresses alone..."


#12 AplusWebMaster
Posted 27 August 2008 - 02:11 PM

FYI...

'Want to Know Who Deleted You on MSN Live?'
- http://blog.trendmic...ou-on-msn-live/
Aug. 26, 2008 - "While monitoring countless sites as part of our current Web threat strategy, we have stumbled upon a legitimate-looking prompt from MSN Live Messenger... or so it would appear (at first). As shown from the screen captures below, this prompt bears a close resemblance to the actual prompt being displayed by the MSN Live Messenger instant messaging application (also known as Windows Live Messenger) whenever a friend from the user's friends list logs in. Potential victims who unfortunately encounter the site (Borradito.com) via spam or spammed IM are first enticed by the Web site's description, which promises the capability to view which of their friends have removed them from their friends list, provided they are logged in, of course—a pretty convincing trick to lure users to key in their user names and passwords. As the Web site is accessed, a message prompt from MSN Live Messenger appears at the lower-right part of the screen, just below the system tray... Once users click on the prompt, they are diverted to a Flash-based window which also resembles an actual MSN group chat window... This routine is used to attract the users, as well as to build credibility. If the user goes back to the main site and enters their credentials, the site displays a list of users who have allegedly removed the affected user from their contact lists... What happens under the radar, however, is that the site captures the entered credentials and the accounts are then opened by a remote malicious user and IM messages containing a link to the Borradito phishing site are sent to all contacts on the affected account's buddy list... This ensures further propagation of this threat. Directly at risk are MSN users and their contacts. The account information harvested in this account may be used to access various Windows Live services such as Windows Live Call (PC-to-phone calls), SkyDrive (file-sharing services), Spaces, and even Hotmail accounts under the same account.
Today, your email accounts hold many important tidbits on different aspects of your life, job, and personal details many people would prefer not to be divulged to others. Letting your guard down can be very costly and can lead to exploitation. The worst possible scenarios include identity theft and financial loss..."

(Screenshots available at the URL above.)


#13 AplusWebMaster
Posted 28 August 2008 - 04:56 AM

FYI...

Critical Update: Please Patch Windows with Malware
- http://blog.trendmic...s-with-malware/
Aug. 27, 2008 - "After patching 11 vulnerabilities for this month's Patch Tuesday, spam is being sent that falsely claims that the recipient should immediately install another critical Microsoft update... Patching one's system using this spam as a guidance, however, downloads a multitude of badness, and one particular malicious piece of malware which is detected as EXPL_ANICMOO.GEN... Malware writers are counting on the urgency of the email's tone to trick recipients into applying the "patch"..."

(Screenshot available at the URL above.)


#14 AplusWebMaster
Posted 28 August 2008 - 10:04 AM

FYI...

Western Union MTCN #2989115571
- http://www.f-secure....s/00001490.html
August 28, 2008 - "Fake airplane tickets, greetings cards and credit card receipts... There's plenty of ZIPped trojans being spammed around. The one that's being seeded right now claims to be a bounced Western Union money transfer. And the malware inside the ZIP is a ZBot banking trojan variant."

(Screenshots available at the URL above.)

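Added example (not code from the forum or from the vendors quoted above): a mail-gateway triage helper for the attachment lures in posts #6, #10, #11 and #14, that is, archives wrapping an executable and double-extension names like video.avi.exe. The file names and archive contents below are constructed samples; only .zip is opened (standard library), while .rar is just flagged for sandbox handling.

```python
"""Attachment triage for archive-wrapped and double-extension executables.

Constructed example; the lure words and extensions are drawn from the
samples quoted in this thread (video.avi.exe, adobe_flash.exe,
update26.08.2008.exe, msgr8.5us.exe, FedEx 'invoice' and Western Union ZIPs).
"""
import io
import posixpath
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
# Harmless-looking extensions the lures borrow in front of the real one
DECOY_EXTS = {"avi", "mpg", "mpeg", "wmv", "jpg", "gif", "pdf", "doc", "xls", "txt"}
LURE_WORDS = ("codec", "update", "patch", "flash", "msgr", "invoice", "receipt", "ticket")
MAX_DEPTH = 2  # how many nested zip levels to follow


def classify_name(name):
    """Return the reasons a single file name matches the thread's lures (empty = clean)."""
    base = posixpath.basename(name.replace("\\", "/")).lower()
    parts = base.split(".")
    reasons = []
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return reasons
    ext = parts[-1]
    reasons.append(f"executable attachment (.{ext})")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    hits = [w for w in LURE_WORDS if w in base]
    if hits:
        reasons.append("name mimics " + "/".join(hits))
    return reasons


def triage_attachment(name, data, depth=0):
    """Map each suspicious path ('archive!member' for archive contents) to its reasons."""
    findings = {}
    lower = name.lower()
    if lower.endswith(".zip") and depth < MAX_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    inner = f"{name}!{info.filename}"
                    findings.update(triage_attachment(inner, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            findings[name] = ["archive does not parse (corrupt or deliberately malformed)"]
        return findings
    if lower.endswith((".rar", ".7z")):
        findings[name] = ["unsupported archive type: unpack in a sandbox before delivery"]
        return findings
    reasons = classify_name(name)
    if reasons:
        findings[name] = reasons
    return findings


def build_sample_zip(members):
    """Construct an in-memory zip whose members carry the given names (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in members:
            zf.writestr(member, b"placeholder bytes, not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples modelled on the thread's FedEx invoice zip,
    # Western Union zip, and the bare video.avi.exe from the Sunbelt post.
    samples = [
        ("invoice.zip", build_sample_zip(["invoice.pdf.exe"])),
        ("WesternUnion_MTCN.zip", build_sample_zip(["receipt.doc.exe", "readme.txt"])),
        ("video.avi.exe", b""),
        ("holiday.jpg", b""),
    ]
    for sample_name, sample_data in samples:
        for path, why in triage_attachment(sample_name, sample_data).items():
            print(path, "->", "; ".join(why))
```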

#15 AplusWebMaster
Posted 31 August 2008 - 09:04 AM

FYI...

Treasury Optimizer - malware update
- http://blog.trendmic...s-with-malware/
Aug. 30, 2008 - "Treasury Optimizer is an online banking tool offered by Capital One Bank which aims to provide secure access to business accounts on the Web, 24/7. Posed to replace electronic money or more popularly known as eCash, it offers to protect customers' accounts through security features such as multifactor authentication. Unfortunately, their security offerings come short, as we receive bulks of phishing emails that "promote" the Treasury Optimizer. The phishing mail instructs the client to update their account due to a potential security risk that affects all of Capital One Bank products, including the Treasury Optimizer... The conventional phishing attack aims to capture users' credentials through fake login pages spammed through email. For this attack however, the phishing link given in the phishing email leads to a page that does not ask for credentials, but tells the user to download a file instead. When the user clicks the link contained in the phishing email, the following spoofed Treasury Optimizer Web page is displayed... The page explains that the bank had to fix (the) vulnerability; and in order to fix it, the client MUST download the update. It even displays different download links for different operating systems. It will then download an .EXE file that poses as an installation setup... The downloaded file is detected by Trend Micro as TROJ_SMALL.MAT. This malware-enhanced phishing attack is neither the typical type of phishing attack, nor is it less dangerous. The scope of a phishing attack is usually limited; one account from a target organization compromised in every successful attack. But this phishing attack installs a malware on the affected user's system instead, and then uses it to monitor users' online activities, thus possibly disclosing more information..."

(Screenshots available at the URL above.)
