AplusWebMaster

SPAM frauds, fakes, and other MALWARE deliveries...

1,889 posts in this topic

FYI...

 

NOT the easter egg you were expecting

- http://www.sophos.com/blogs/sophoslabs/v/post/3962

April 10, 2009 - "Messages posing as legitimate greeting cards with titles such as “You’ve received A Hallmark E-Card! !” have been prevalent on the Internet... Over the past months, the malicious emails have become slightly more subtle in their delivery method. While they previously included a telltale zip file as an attachment or a link to an exe, the current crop of messages masquerade as legitimate notifications with no attachments, but the links embedded in the mail point to a web page on some third party web site - which is designed to load malware... avoid opening e-cards that aren’t addressed to you, and aren’t from someone you know. The majority of the spammed e-cards do not indicate the sender or the recipient in the body, and so are easy to recognize. Legitimate e-cards tend to have this personally identifiable information included in the message body..."

 

(Screenshot available at the URL above.)

 

:techsupport:


FYI...

 

Easter worm in Twitter...

- http://www.f-secure.com/weblog/archives/00001653.html

April 12, 2009 - "A cross-site scripting worm was spreading in Twitter profiles for several hours last night. People started reporting that their profile had sent Twitter messages without their knowledge... Later on the messages morphed several times... Many people followed the links to stalkdaily .com, as they believe the messages to be genuine Tweets from their friends. A cross-site script on the site then caused new users to start to Tweet the same messages... As expected, the whole worm was a publicity stunt by stalkdaily .com... You can see the latest official status of Twitter from their status page at http://status.twitter.com/ . Updated to add: This is -not- over. There's going to be quite a few modified Twitter worms for a day or two. Be careful in Twitter, don't view profiles, don't follow links... All these attacks are Javascript-based. Turn Javascript off if you're worried..."

(Screenshots available at the F-secure URL above.)

 

- http://status.twitter.com/post/95693986/update-on-worm

Apr 13, 2009 - "Update on worm... We are currently addressing a new manifestation of the worm attack..."

 

:grrr:


FYI...

 

Copycat Twitter XSS worms...

- http://isc.sans.org/diary.html?storyid=6187

Last Updated: 2009-04-13 18:07:20 UTC - "... copycat Twitter XSS worms exploit the same vulnerability – actually most of the code remains the same but they obfuscated it to make analysis a bit harder. They also added a couple of updates so it looks like they are exploiting other profile setting fields which the original worm didn't exploit, such as the profile link color. One thing about this copycat worm I found interesting is the type of obfuscation they used. The attackers used the [ and ] operators in JavaScript in order to reference methods in objects... It looks like the folks from Twitter are still fixing all the vulnerabilities... Use addons such as Noscript* for Mozilla ..."

* http://noscript.net/getit

 

- http://www.f-secure.com/weblog/archives/00001654.html

April 13, 2009

 

:grrr::ph34r:


FYI...

 

Twitter worm Google searches lead to malware

- http://www.f-secure.com/weblog/archives/00001657.html

April 14, 2009 - "No surprise at all that Google searches for information about the Twitter worm would lead to malware sites, it was really just a matter of time. Especially not after all the talk about it over the weekend and the guy behind it even confessing everything. Malicious search results about popular news is something we see very often unfortunately... So, unfortunately we're not surprised that this happened. As usual, get your news and information from sources you trust. Random Google searches can't be trusted.

Updated to add: Searching for "Mikeyy" also leads to malicious results."

(Screenshots available at the URL above.)

 

Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware

- http://ddanchev.blogspot.com/2009/04/twitt...s-hijacked.html

April 15, 2009

 

:techsupport:


FYI...

 

New rogue: P Antispyware 09

- http://sunbeltblog.blogspot.com/2009/04/ne...spyware-09.html

April 14, 2009 - "P Antispyware 09 is yet another rogue from the WinSpywareProtect family of rogue security products."

 

New rogue: Antivirus'09

- http://sunbeltblog.blogspot.com/2009/04/ne...-antivirus.html

April 15, 2009 - "Antivirus'09 is a new rogue security product. This rogue uses fake/scare scanner pages to trick users into downloading the rogue application."

 

(Screenshots available at both URLs above.)

 

:ph34r::grrr: :!:


FYI...

 

Yet another Twitter worm

- http://www.f-secure.com/weblog/archives/00001661.html

April 17, 2009 - "A new Twitter cross-site scripting worm is going around on Twitter. Just like the previous Twitter worms it talks about Mikeey... The malicious script itself is downloaded from 74.200.253.195*. Twitter is working on fixing the problem... Updated to add: Michael Mooney (Mikeey) confesses to writing this latest worm as well."

* http://centralops.net/co/DomainDossier.aspx

Queried whois.arin.net with "74.200.253.195"...

OrgName: FastServers, Inc.

OrgID: FASTS-1

Address: 175 W. Jackson Blvd

Address: Suite 1770

City: Chicago

StateProv: IL

PostalCode: 60604

Country: US ...

 

:ph34r::hmmm:


FYI...

 

New rogue: AV Antispyware

- http://sunbeltblog.blogspot.com/2009/04/ne...ntispyware.html

April 19, 2009 - "AV Antispyware is the latest rogue from the WinSpywareProtect family of rogue security products... Sites Involved:

64.191.12.38 Av-antispyware com

195.88.81.74 Files scanner-antispy-av-files com

195.88.81.116 dl scan-antispy-4pc com

195.88.80.207 Int reporting32 com ..."

 

(Screenshot available at the URL above.)

 

:ph34r::grrr:


FYI...

 

Zango: The End

- http://www.vitalsecurity.org/2009/04/zango-end.html

April 21, 2009 - "Zango Inc., the adware distributor fined $3 million by the Federal Trade Commission in 2006 for sneaking software onto people's PCs, has closed its doors after being acquired by video search engine company Blinkx PLC..."

- http://www.theregister.co.uk/2009/04/21/zango/

21 April 2009 - "... The end-game for Zango marks the end of the controversial adware business model. Other well known names in the field - including Claria (Gator), WhenU and DirectRevenue - ceased operations some time ago, leaving Zango as the last man standing."

- http://www.theregister.co.uk/2009/04/21/zango/

21 April 2009 - "Updated... The adware maker was forced to pull down the shutters on its business after it was left unable to service its debts. Initially we, along with other news outlets, incorrectly reported that video search engine firm Blinkx had acquired Zango. In fact Blinkx has only bought a proportion of its assets from administrators. "The bank foreclosed on Zango and Blinkx purchased some technical assets from the bank, including some IP and hardware, which constituted about 10 per cent of Zango's total assets," a Blinkx spokeswoman explained..."

 

- http://sunbeltblog.blogspot.com/2009/04/di...go-is-dead.html

April 21, 2009

 

:!:


FYI...

 

Spam referencing Swine flu outbreak

- http://www.sophos.com/blogs/sophoslabs/v/post/4245

April 27, 2009 - "Predictably enough, today we started to see spam taking advantage of concerns around the current Swine Flu outbreak... In the campaign seen earlier today, the purpose of the spam is meds related. Anyone clicking on the link in the message is -redirected- to an all too familiar Canadian Pharmacy site..."

(Screenshots available at the URL above.)

 

- http://www.us-cert.gov/current/#swine_flu_...ing_attacks_and

April 27, 2009

 

- http://blog.trendmicro.com/swine-flu-outbr...b-through-spam/

Apr. 28, 2009 - (More screenshots...)

 

Spamvertised Swine Flu Domains

- http://ddanchev.blogspot.com/2009/04/spamv...lu-domains.html

April 28, 2009 - "... Swine flu spamvertised domains (long list)... Happy blacklisting/cross-checking!"

 

:grrr:


FYI...

 

Rogue AV projected growth in 2009

- http://preview.tinyurl.com/cqv4se

23 April 09 - PandaLabs blog - "... Cyber-criminals have chosen Rogue Anti-Malware as their primary method of payment because it has become easier for them to make money by affiliate systems and utilizing these types of attacks. It's no wonder why we have seen more Rogue detections in the first quarter of 2009 than in all of 2008... PandaLabs predicts that incidents of rogue AV scams will grow 100 percent quarter over quarter through the end of Q3*... Remember, it's just as important to update your web applications as it is to update your operating system. If you use Wordpress as a platform for your blog or website, then I recommend viewing the official hardening guide**."

 

* (Chart available at the URL above.)

 

** http://codex.wordpress.org/Hardening_WordPress

 

:grrr:


FYI...

 

Facebook phishing attack

- http://preview.tinyurl.com/crz7yq

April 29, 2009 Techcrunch.com - "... new phishing attack that has broken out on Facebook. If you get an email message that looks to be from Facebook with the subject, “Hello,” and featuring the text below, don’t bother clicking on the link included. Doing so takes you to a site called fbaction .net that mimics the look of the main Facebook login page, hoping to get you to sign in. Naturally, if you do that, the site will have access to your account and can send out more of these messages to your friends. The message body will apparently read something like this (with YOURFRIEND being replaced by the name of a friend of yours):

YOURFRIEND sent you a message.

Subject: Hello

“Visit http: //www.facebook .com/l/4253f;http://fbaction .net/”...

... looks like “fbaction .net” is now the #2 hot trending search topic for all of Google Trends. This thing is apparently spreading quick... Facebook is now blocking outgoing links to that domain, and some browsers, like IE8, have flagged it as malicious."

 

(Screenshot available at the Techcrunch URL above.)

 

:ph34r:


FYI...

 

- http://sunbeltblog.blogspot.com/2009/04/tr...ngines-and.html

April 30, 2009 - "... Spammers saw this coming on Monday. Spam with headlines claiming that celebrities (Salma Hayek, Madonna) have caught the disease are peddling generic Tamiflu – or stealing the credit card numbers of those naïve enough to make a purchase from one of the nearly 300 newly-registered domains with a “Swine Flu” twist in their name. Cisco’s IronPort anti-spam service says Swine Flu spam is now four percent of global spam. Spam that preys on public fears generated by big news stories is now a genre... See Information week’s coverage here*."

* http://www.informationweek.com/shared/prin...cleID=217200528

 

:grrr:


FYI...

 

More Swine/Mexican/H1N1 related domains

- http://isc.sans.org/diary.html?storyid=6325

Last Updated: 2009-05-02 14:21:58 UTC - "... be ever vigilant in your browsing for Swine/Mexican/H1N1 flu information. We show over 1000 new domains containing those keywords registered in the last 24 hours."

 

Fed Reserve Spam/Malware Attack is After Your Data

- http://www.shadowserver.org/wiki/pmwiki.ph...lendar/20090429

29 April 2009 - "... spam campaigns that are designed to appear as if they are coming from the Federal Reserve. These attacks are not attempting to phish you and trick you into giving them banking or other personal information... They are actually looking to install an info-stealing/banking trojan on your system via drive-by exploits... it is designed to look like a message coming from the Federal Reserve with a message designed to get you to click the link from the e-mail...The bad guys behind the Federal Reserve malware use the LuckySploit exploit pack. LuckySploit has a variety of exploits... Successful exploitation tends to drop a file named wQJs.exe onto the system in the user's Temp folder. It may also drop a file named svchost.exe (same name as a legitimate Windows file) onto the system as well. This "svchost.exe" and "wQJs.exe" are the same file. They both create shell32.dll and 123.info in the user's Temp directory as well. Note that 123.info is just a text file that contains the path to the malware.

Malware Details:

File Name: wJQs.exe | svchost.exe

File Size: 9216 bytes

MD5 hash: 175ef7faf41ecbe757bcd3021311f315

File Name: shell32.dll

File Size: 6144 bytes

MD5 hash: 3182da0a9c6946e226ee6589447af170

VirusTotal Results for these files can be viewed below:

.exe: http://www.virustotal.com/analisis/a4f6ce9...0d7f86ceb6181f1

.dll: http://www.virustotal.com/analisis/d6ba4ef...c6215bf41a64f7c ..."

 

(Screenshot and more detail available at the Shadowserver URL above.)

 

:ph34r::grrr::ph34r:


FYI...

 

IFrame redirects lead to MBR rootkit

- http://blog.trendmicro.com/porn-sites-lead-to-mbr-rootkit/

May 3, 2009 - "Websites related to pornography that appear to be compromised were found by Trend Micro engineers loading malicious JavaScript which redirects users onto malicious domains that ultimately lead to the download of an MBR rootkit (TROJ_SNOWAL.A) onto the affected system... malicious scripts all follow a similar routine: upon execution, it checks for the date on the target system then generates a URL based on the date obtained. It then creates an IFrame, which would redirect the user to the generated URL. The URL then leads to the download of a malicious file, which in turn downloads an MBR rootkit..."

 

(Screenshot and more detail available at the URL above.)

 

:ph34r::grrr::ph34r:


FYI...

 

Facebook phishing malware

- http://isc.sans.org/diary.html?storyid=6328

Last Updated: 2009-05-04 14:47:00 UTC - "Looks like there may be a piece of malware out there that is sending out messages to folks on Facebook trying to trick them into visiting a facsimile "Facebook" login page to steal credentials. The phishing site is currently on "junglemix .in," so you may want to block that site. More details as we figure this thing out..."

 

:grrr::ph34r:


FYI...

 

H1N1 Domains

- http://www.f-secure.com/weblog/archives/00001674.html

May 4, 2009 - "... here is a list of domains* registered over the weekend using the words swine flu. There are 1,344 on the list. Again, so far, none of the domains we've checked are hosting any malicious files. In fact, the only malicious file we've seen is something that Symantec posted** about last week. It's a PDF "Swine Flu FAQ" exploit which drops a password stealer and then opens a clean PDF file as a decoy. One interesting thing about the exploit that hasn't been mentioned yet is the file name, The Association of Tibetan journalists Press Release.pdf. Tibet themed exploits are very popular with targeted attacks***."

* http://www.f-secure.com/weblog/archives/sw...ay_4th_2009.txt

 

** https://forums2.symantec.com/t5/blogs/bloga.../article-id/268

 

*** http://www.f-secure.com/weblog/archives/00001672.html


FYI...

 

Waledac Turns to Cash and Vaccines w/SPAM

- http://blog.trendmicro.com/waledac-turns-t...h-and-vaccines/

May 5, 2009 - "Riding on the ongoing global economic recession, Waledac updates its SPAM messages with email subjects related to earning a fortune through Google cash. Other spam email subjects we’ve seen so far:

* Be your own boss with Google

* Earn cash using Google today

* Google System that really works

* Make a fortune online

* Make thousands a month from home

* Start your home business today

* Use Google to earn extra cash

 

As of this writing, the hyperlink found in the email body redirects to an advertising link which currently returns a redirect loop error in Firefox web browser. Another current event seen leveraged on by this wave of Waledac spam runs is the swine flu outbreak, as spammed messages bear subjects that seem related to a vaccine for swine flu. Other spam email subjects seen so far:

* Anti-swine flu drugs are available here

* Anti-viral treatment for swine flu

* Are you worried about swine flu?

* Are you worried about swine flu? buy medicine!

* Be quick! anti-swine flu drugs are almost sold out

* Buy medicine that prevent you from getting swine flu

* Buy medicine to prevent swine flu

* Buy new effective medicine against swine flu

* Buy the most effective treatment for combating the new swine flu

* Do you want to prevent yourself from swine flu?

* Do you want to protect yorself against swine flu?

* Dont stand in line for swine flu medicine

* Get swine flu medicine here

* Get the swine flu medicine right here

* Hurry up! swine flu drugs are almost sold out

* Keep your family from getting swine flu

* New medicine to prevent swine flu

* New vaccine helps to prevent swine flu

* New vaccine to prevent swine flu

* Order anti-swine flu medicine today

* Order new medicine against swine flu

* Order now vaccine against swine flu

* Prevent infections with swine flu viruses

* Prevent yourself from cathcing swine flu

* Protect your family against swine flu!

* Protect yourself from swine flu

* Stop risk of being killed by swine flu!

* The vaccine protecting against swine flu

* You can buy swine flu drugs here

* You can order anti-flu drugs treaing swine flu here

* You can order anti-swine flu drugs on-line

* You can protect yourself against swine flu!

 

The given link however only leads to the all too familiar Canadian pharmacy site..."

 

(Screenshots available at the TrendMicro URL above.)

 

:grrr::ph34r:


FYI...

 

Targeted attacks - most common file types

- http://www.f-secure.com/weblog/archives/00001676.html

May 6, 2009 - "... we decided to take a look at targeted attacks and see which file types were the most popular during 2008 and if that has changed at all during 2009. In 2008 we identified about 1,968 targeted attack files. The most popular file type was DOC, i.e. Microsoft Word, representing 34.55%... So far in 2009 we have found 663 targeted attack files and the most popular file type is now PDF. Why has it changed? Primarily because there have been more vulnerabilities in Adobe Acrobat Reader than in the Microsoft Office applications... More info about targeted attacks and how they work can be found in our YouTube video*."

 

(Charts available at the URL above.)

 

*

 

:ph34r:


FYI...

 

Rogue Browser Agents

- http://www.f-secure.com/weblog/archives/00001684.html

May 18, 2009 - "How big an issue are Rogue antivirus applications? Let's take a look. What is your browser's user agent? Any ideas? The Firefox browser should look something like this: You can determine yours from http://whatsmyuseragent.com . Now let's take a look at this user agent:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

 

Do you see it? Right there in the middle, "AntivirXP08". What is that all about? Some rogues modify the browser's user agent. We've seen hundreds of AntivirXP08 string variations. The modified string is possibly used to identify the affiliates responsible for the installation which drives "business" to the rogue's website. Modified user agents could also be used to deliver different content. A victim with AntivirXP08 doesn't need to be convinced to download an installer; instead they can be targeted to complete the scam and to buy the rogue. How many infected user agents are out there? Toni examined one of our sinkholes and its April 2009 logs contained 63,000 unique IP addresses using agents that contain AntivirXP08. 63 thousand. That's a lot of infections, right? And that doesn't include other strings we've seen such as "Antimalware2009". It's a small measure of a very large problem."

 

(Screenshot available at the F-secure URL above.)

 

:ph34r: :ph34r:

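The sinkhole measurement described in the F-Secure post above (unique IPs whose User-Agent carries a rogue-AV marker such as AntivirXP08 or Antimalware2009) can be reproduced on ordinary web or proxy logs. The following is an added example, not code from F-Secure or from this forum; the log lines are constructed in Apache combined format, the marker list is taken from the post, and the matching is deliberately case-insensitive because the post notes hundreds of string variations.

```python
import re
from collections import defaultdict

# Constructed sample log lines (Apache combined format) standing in for a
# sinkhole or web-proxy access log. IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Apr/2009:10:15:01 +0000] "GET /in.php?aid=17 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
198.51.100.7 - - [02/Apr/2009:10:15:09 +0000] "GET /in.php?aid=17 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
203.0.113.44 - - [02/Apr/2009:11:02:33 +0000] "GET /in.php?aid=92 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; antivirxp08_v2)"
203.0.113.45 - - [03/Apr/2009:08:41:12 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Antimalware2009; .NET CLR 2.0.50727)"
192.0.2.10 - - [03/Apr/2009:09:00:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8"
this line is garbage and must be skipped
"""

# Combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Marker strings named in the post; matched case-insensitively as substrings
# so that variants such as "antivirxp08_v2" are still caught.
ROGUE_MARKERS = ("AntivirXP08", "Antimalware2009")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rogue_marker(user_agent):
    """Return the canonical marker found in the UA string, or None for a clean UA."""
    ua_lower = user_agent.lower()
    for marker in ROGUE_MARKERS:
        if marker.lower() in ua_lower:
            return marker
    return None


def unique_ips_by_marker(log_text):
    """Count distinct client IPs per rogue marker, the metric quoted in the post.

    Repeated requests from one host count once, so the result approximates
    infected machines rather than request volume.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the whole run
        marker = rogue_marker(rec["ua"])
        if marker:
            hits[marker].add(rec["ip"])
    return {marker: len(ips) for marker, ips in hits.items()}


if __name__ == "__main__":
    for marker, count in sorted(unique_ips_by_marker(SAMPLE_LOG).items()):
        print(f"{marker}: {count} unique IP(s)")
```

On a real proxy log the same count, taken per day, gives a rough infection trend for the hosts behind that proxy; the IPs themselves are the list to hand to the desktop team.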

FYI...

 

eBay phishing Scam...

- http://www.sophos.com/blogs/sophoslabs/v/post/4452

May 20, 2009 - "... eBay phishing scam came in the form of a seemingly innocent query about the sale of iPhones. The scam message is quite simple... At first sight, it appears to be a product spam campaign to promote the iPhone. However, when clicking the link that came with the attached email, a -fake- eBay page comes up. This email is actually a ruse designed to steal an eBay user’s information...

SophosLabs analysts have encountered many instances of such misdirection of legitimate websites. They range from internet banking websites to online retail websites. As always, online users should take precautions and never attempt to follow an embedded weblink to an online store or a banking website from an email, even if by first appearances, it looks legitimate..."

 

(Screenshots available at the URL above.)

 

:ph34r::grrr:


FYI...

 

Malicious iFrame on Gadgetadvisor.com

- http://www.f-secure.com/weblog/archives/00001687.html

May 22, 2009 - "Are you a gadget geek? Do you often seek advice from Gadget Advisor before making a purchase? Our Web Security Analyst discovered a malicious IFrame on the popular tech website that redirects visitors to a malicious website... If the site detects a PDF browser plugin for Adobe Acrobat and Reader, it loads a specially-crafted malicious PDF file that exploits a stack-based buffer overflow vulnerability ( http://web.nvd.nist.gov/view/vuln/detail?v...d=CVE-2008-2992 ). The net effect of the attack is to plant a trojan, detected as Trojan-Downloader.Win32.Agent.brxr, on vulnerable systems by calling the util.printf JavaScript function, which connects back to the malicious website in order to download the trojan to the machine. A remote attacker can access the user's machine once it has been infected with the trojan... This attack is targeted against older, unpatched versions of Adobe programs, as the latest Adobe updates have already fixed this problem. More information and the updates can be found at Adobe at:

http://www.adobe.com/support/security/bull.../apsb08-19.html. Disabling the JavaScript function in Acrobat and Reader will also prevent the threat from proceeding."

 

(Screenshot available at the F-secure URL above.)

 

:grrr::ph34r::(


FYI...

 

Facebook phishing/spam/"worm" ...

- http://isc.sans.org/diary.html?storyid=6451

Last Updated: 2009-05-25 07:16:47 UTC ... (Version: 5) - "... new Facebook phishing/spam/"worm" campaign is doing the rounds. It uses Belgium domains (.be) to impersonate the Facebook login page and steal the user credentials.

UPDATE 4: The malicious domains do not only impersonate Facebook but contain malicious "hidden" (1x1pixel) iframes, hosted on the same host, such as: "/tds/r.php?sid=2&pid=5511". Do not browse them...

UPDATE 3: As expected, more domains are coming (and some of them are still active right now - May 25, 0:00am CET)...:

• redfriend dot be, redbuddy dot be, picoband dot be, areps dot at, greenbuddy dot be

• picoband dot be, vispace dot be, whiteflash dot be, bestspace dot be

• There are other "more than suspicious" .be domains associated to the same IP address.

The ones active do resolve to IP address 211.95.78.98. From APNIC...

country: CN ..."

 

- http://www.f-secure.com/weblog/archives/00001689.html

May 25, 2009

 

:ph34r::grrr::ph34r:


FYI...

 

Facebook phishing using Belgium (.be) domains (cont'd)

- http://isc.sans.org/diary.html?storyid=6451

Last Updated: 2009-05-25 20:01:20 UTC ...(Version: 6)

"UPDATE 5: (May 25, 22:00h CET) It seems there is a new variation moving around, using tinyurl links... For example, you get a Facebook message pointing to "tinyurl dot com /o5kblj/" that takes you to a link at "simplemart dot be".

> Remember you can enable/disable the tinyurl preview feature through

" http://tinyurl.com/preview.php ". You just need to enable cookies on your browser.

Some of the malicious domains being used are redfriend dot be, redbuddy dot be, picoband dot be... (at this point, none of them can be resolved)..."

 

:ph34r:


More on same...

 

Koobface... again

- http://securitylabs.websense.com/content/Alerts/3403.aspx

05.26.2009 - "... Koobface attempted another running campaign on Facebook. If infected, Facebook users start to spam their friends with a link to a malicious Web site. When users visit the link, they are redirected to various malicious and phishing pages. We detected these on numerous .be domains and TinyURL links. One such malicious page is a fake YouTube page that appears to be a funny video. The page tells visitors to upgrade their Flash player in order to play the video, and the Flash setup program is actually Koobface malware... Among other things, a proxy server is installed on the infected computer..."

 

(Screenshots available at the Websense URL above.)

 

:grrr::ph34r:


FYI...

 

Another "Digital Certificate" malware campaign

- http://isc.sans.org/diary.html?storyid=6499

Last Updated: 2009-06-01 16:21:12 UTC - "... a "Bank of America Digital Certificate Updating" scheme is used, where a victim of the luring email is directed to a fake website... Using the <Update Certificate> button here will net you a piece of Malware that has approximately 30% AV coverage (as indicated by VirusTotal). A quick analysis of said malware shows probable signs of, surprise-surprise, Waledac..."

 

(Screenshot available at the URL above.)

 

:ph34r::hmmm:


FYI...

 

Twitter hit with rogue anti-virus scam

- http://www.theregister.co.uk/2009/06/02/tw...r_malware_scam/

2 June 2009 - "Twitter users over the weekend were the target of a scam that tried to infect them with rogue anti-virus software and other malware, in what is one of the first times the micro-blogging site has been hit by a known for-profit attack, a security researcher said. The problem started after a flurry of tweets directed users to a website promising "Best Video." The site appeared to offer content from YouTube, but behind the scenes, the site delivered a PDF document designed to infect those using vulnerable versions of Adobe's Reader program. Victims then received an urgent warning that their systems were infected and needed to be cleaned using fraudulent security software... The scam promoted a piece of rogue anti-virus software dubbed System Security."

 

- http://www.viruslist.com/en/weblog?weblogid=208187734

June 01, 2009 - "... fake program called "System Security" is being promoted... Most likely the cyber criminals behind this attack simply used the stolen credentials of those phished accounts to tweet the messages... If the trends we've seen on other social platforms are any indicator for Twitter then we can only expect an increase in attacks."

(Screenshots available at the URL above.)

 

- http://pandalabs.pandasecurity.com/archive...nds-Attack.aspx

11 June 09 - "... cyber criminals have been targeting Twitter users by creating thousands of messages (tweets) embedded with words involving trending topics and malicious URLs. If the URLs were accessed, the victims would arrive at a rogueware website designed to trick them into thinking that their computer is infected, therefore justifying the need to purchase the fake software offered. Since the initial discovery, we have been keeping a close eye on this attack, but the malicious tweets continue... The ease of carrying out this type of attack leaves us to believe that this will not go away anytime soon... "

 

:grrr::ph34r:


FYI...

 

More Blackhat SEO "scareware" campaigns

- http://ddanchev.blogspot.com/2009/06/fake-...ont-end-to.html

June 08, 2009 - "... they've got no customers but the cybercriminals themselves maintaining a portfolio of over 7,000 adult related keywords which they have been using for blackhat SEO campaigns across thousands of automatically registered - CAPTCHA recognition outsourced - Blogspot accounts since February, 2009... Not only is life4info .info or dirsite .com a bogus free hosting provider, but the campaigns hosted by them are interacting with our "dear friends" at AS30407; VELCOM .com which Spamhaus describes as "N. American base of Ukrainian cybercrime spammers" - and with a reason."

 

(Screenshots and more detail available at the URL above.)

 

:grrr::ph34r:


FYI...

 

Malicious SPAM - Air France plane crash

- http://securitylabs.websense.com/content/Alerts/3417.aspx

06.11.2009 - "Websense... has detected a new malicious spam campaign pretending to deliver legitimate news updates about the Air France plane crash ( http://news.bbc.co.uk/1/hi/world/americas/8078147.stm ). The spam campaign is in Portuguese, and includes a link to view the first videos from the crash site. The link to the video leads to a Trojan Downloader file named: Video_AirFrance_447.com. If a user runs the file, it downloads a malicious executable file masquerading as an image from [removed].org/imgs/like2.jpg. The malware registers a password-stealing BHO component on the system masquerading as a McAfee SiteAdvisor component with this GUID: {9387b8b2-5508-11de-8729-c56f55d89593}. The GUID is linked to the malicious installed DLL file named mcieplg.dll under the system32 directory (%windir%\system32\mcieplg.dll). AV detection rates on this file are very low*..."

* http://www.virustotal.com/analisis/c57a0a4...6914-1244673584

 

(Screenshots available at the Websense URL above.)

 

:grrr::ph34r:


FYI...

 

Fake MSRT...

- http://preview.tinyurl.com/l28pj7

June 12 2009 CA Security Advisor blog - "CA ISBU Research Lab receives a large number of malicious samples on a daily basis, many of which are found to be Rogue Antivirus applications belonging to the extremely prevalent malware family, Win32/FakeAV... this variant imitates Microsoft Windows Malicious Software Removal Tool (MSRT), as well as promoting Microsoft Office upgrade and other trusted Antivirus products.

Fake Microsoft MSRT Warnings

When the installation package is executed, it will display the fake alert in the system tray... Then, it will display the fake GUI for Microsoft Windows Malicious Software Removal Tool scanning your system and it will display the scan result... (also) imitates the Windows Security Center..."

 

(Screenshots available at the URL above.)

 


FYI...

 

SPAM - Fake EULAs, fixtools...

- https://forums2.symantec.com/t5/blogs/bloga.../article-id/276

06-12-2009 - "... SPAM (message) noted that Symantec was working with Microsoft to create a patch for "Conflicker." According to the spam message, Conficker is also called "Troj/Brisv.A"... The spam is accompanied by a file named "remtool_conf.exe." The spammers have taken an extra step ahead of just spreading their Trojans. This file is actually a Symantec fixtool for Trojan.Brisv bundled with the Trojan. So, when someone runs this file they actually run the Symantec Brisv fixtool, along with the Trojan completing its task. In this case, the dropped Trojan contacts a remote site in order to download another piece of malware, which is currently detected by Symantec products as Suspicious.MH690.A... We gave the infection a run on a test machine. Almost immediately we saw our own EULA... Running the email attachment did a few things–it dropped the original (signed) Symantec Trojan.Brisv fixtool into a temporary folder; it dropped a Trojan into the same folder; and, it ran the original fixtool. One can see that this is indeed Symantec’s own legitimate fixtool. But, the Trojan file "webexplorer.exe" is basically a downloader. It contacts a remote site in order to download another file called "winupdate.exe". As you’ve guessed, that is also a Trojan and is currently detected as Suspicious.MH690.A... If you have a need to run a Symantec fixtool, go to the Symantec website* and download it for free..."

* http://www.symantec.com/business/security_...emovaltools.jsp

 

(Screenshots available at the first Symantec URL above.)

 


FYI...

 

Rogue AV hosted in USA...

- http://sunbeltblog.blogspot.com/2009/06/ca...right-here.html

June 15, 2009 - "Contrary to popular belief, not all malware is hosted in Eastern Europe or China. In fact, there’s a whole bucketload of malware hosted in Scranton, PA. Here are malware domains associated with IP 64.191.92.197..."

 

(Long list and screenshots available at the URL above.)

 


FYI...

 

- https://forums2.symantec.com/t5/blogs/bloga.../article-id/200

06-15-2009 - "It may not be encouraging news for scammers, but users are slowly but surely adopting a see-and-delete approach for the usual fake stories related to lotteries, dormant bank accounts, an inheritance of huge wealth, and relatives of deceased or exiled political leaders sharing their millions. However, lately the trends seem to show that news stories involving current events are being piggybacked or manipulated by scammers to trap users into falling for fraudulent offers... Another recent scam we have been monitoring involves an event resembling the highly rated television reality show Big Brother, which began on June 4 in the UK. Scammers have been inviting recipients to participate in their Big Brother World to be held on July 12 in London, UK... Scammers claim to be a Big Brother agent and will furnish the competition details once users respond to the mailed invitation. Users will need to reply with the application type along with their full name, address, age, and telephone number. Even a casual look at the email reveals several spelling mistakes that start right from the subject line and continue on throughout the message, including using “price” instead of “prize” in the mail body. We would recommend that users follow the usual practice of ignoring [and deleting] such unsolicited emails..."

 

(Screenshot of scam e-mail available at the URL above.)

 


FYI...

 

Fake MS Update SPAM...

- http://blog.trendmicro.com/critical-update...cal-info-theft/

June 22, 2009 - "... Close to the weekend, we identified SPAM claiming to be a Microsoft Outlook and Outlook Express critical update that “offers the highest levels of stability and security.” A tricky difference here is that all the links in the email (the links to Contact Us, Privacy Statement, Trademarks, and Terms of Use) are legitimate–except one. The URL where the “critical update” may be downloaded looks legitimate, but hovering over the hyperlink (or checking the source code of the mail) reveals a totally different destination... For content security experts this already bears the marks of an email-based cyber-criminal attack. True enough, the URL leads to the download of a file (detected as TROJ_ZBOT.BTS) which, on execution, accesses a website to download a .bin file with information referring to where the Trojan can download an updated copy of itself, and where to send stolen data. The list also contains compromised websites targeted for stealing information. Our engineers confirm that the list contained several names of banking institutions, among other social networking targets like Facebook and MySpace, and media sites YouTube and Flickr. The list can be viewed here*. Note that the said list may be changed at any time. How does the scam work? Whenever the user visits any of the monitored sites, the Trojan starts logging keystrokes. It then saves gathered information (which presumably includes sensitive information like user name and password, credit card information, etc.) in a file and then sends the file to a dedicated server via HTTP POST..."

* http://preview.tinyurl.com/qrbt7m

 

(Screenshots available at the Trendmicro URL above.)

 

> http://www.microsoft.com/protect/yourself/...ng/msemail.mspx

 

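The "hover over the link" check Trend Micro describes above can be automated on the raw HTML of a message: pull every anchor, and flag any whose visible text names one host while its href points at a different registrable domain. This is an added example, not code from Trend Micro or from this thread; the sample message is constructed to mirror the described mail, and the "last two labels" domain comparison is a deliberate simplification (no public-suffix list, so co.uk-style domains are not handled).

```python
"""Flag HTML e-mail links whose visible text and href point at different domains.

Added example; SAMPLE_MAIL is constructed, not the real spam message.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain extraction: last two labels (assumption: no suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(text):
    """Host named in a URL, or in bare URL-looking text such as 'www.example.com'; else None."""
    if "://" not in text:
        if "." in text and " " not in text:
            text = "http://" + text
        else:
            return None
    return urlparse(text).hostname


def find_mismatched_links(html):
    """Return anchors whose displayed host differs from the host the href really targets."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        shown, actual = host_of(text), host_of(href)
        # Plain-word link text ("Contact Us") shows no host, so it cannot mislead about one.
        if shown and actual and registrable(shown) != registrable(actual):
            findings.append({"text": text, "href": href})
    return findings


# Constructed sample: four genuine vendor links and one "update" link whose text
# claims microsoft.com while the href goes elsewhere.
SAMPLE_MAIL = """<html><body>
<p>Critical update for Microsoft Outlook and Outlook Express offers the highest
levels of stability and security.</p>
<p>Download: <a href="http://update-mirror.example.net/outlook/update.exe">http://www.microsoft.com/downloads/update.exe</a></p>
<p><a href="http://www.microsoft.com/contactus/">Contact Us</a> |
<a href="http://privacy.microsoft.com/">Privacy Statement</a> |
<a href="http://www.microsoft.com/trademarks/">Trademarks</a> |
<a href="http://www.microsoft.com/info/cpyright.mspx">Terms of Use</a> |
<a href="http://www.microsoft.com/">www.microsoft.com</a></p>
</body></html>"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_MAIL):
        print(f"shown {f['text']!r} -> actually {f['href']!r}")
```

Run as a mail-gateway or triage hook, this catches the one poisoned link in an otherwise legitimate-looking template; it does not inspect what the href serves, so a mismatch is a reason to look, not proof of malware.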

FYI...

 

Nonstop site re-infections

- http://securitylabs.websense.com/content/Blogs/3425.aspx

06.24.2009 - "We recently published an alert* about the Ethiopian Embassy site being compromised... This isn't the first time the site has been compromised. In March of 2009, we noticed an iframe injection pointing to hxxp://[REMOVED]vv.com/index.php. The domain was also serving virus-infected files in other locations, including hxxp://[REMOVED]vv.com/unic/1.exe, a Trojan [see VirusTotal report**]... Attackers are in control and re-compromising the site over and over, potentially infecting visitors with malicious code at any time. These attacks are somewhat of a trend. We've documented a number of compromised embassy sites in the past, illustrating how malware delivery occurs through Web sites..."

* http://securitylabs.websense.com/content/Alerts/3423.aspx

 

** http://www.virustotal.com/analisis/94c15c9...05a9-1240536959

"File 5143155606c013934a4601648e310800aff688c2.EXE ..."

 

(Screenshots and more detail available at the Websense URL above.)

 


FYI...

 

Zbot In Your Inbox

- http://www.marshal8e6.com/trace/i/Zbot-In-...trace.1005~.asp

June 24, 2009 - "A password stealing Zbot (ZeuS bot) Trojan has been increasingly spammed throughout the previous two weeks. We believe the spam originates from the Pushdo botnet. The spam template varies from time to time, mostly using subject lines such as “You have received a Greeting ecard ”, “Statement request”, “Microsoft outlook update”, “Postal Tracking” and may come either as an attachment or a link in the message body... Zbot attempts to download a file named "djwl.bin". This file is an encrypted configuration file..."

(Screenshots available at the URL above.)

 

Also see: http://www.abuse.ch/?p=1192

March 20, 2009

 


FYI...

 

SPAM runs exploit celebrity deaths

- http://www.theregister.co.uk/2009/06/26/jackson_death_spam/

26 June 2009 - "Spammers have wasted no time exploiting the shock death of Michael Jackson to run an email harvesting campaign. Security watchers warn that malware-laced email themed around the death of the King of Pop and Charlie's Angels star Farrah Fawcett, who also died on Thursday, are likely to follow..."

 

- http://securitylabs.websense.com/content/Alerts/3426.aspx

06.26.2009

- http://www.virustotal.com/analisis/67cba7b...0ce4-1246012313

File michael_1_.gif received on 2009.06.26 10:31:53 (UTC)

...Result: 5/41 (12.20%)

- http://www.virustotal.com/analisis/d602b5c...2ff9-1246029869

File Michael.Jackson.videos.scr received on 2009.06.26 15:24:29 (UTC)

...Result: 10/41 (24.39%)

 

- http://www.sophos.com/blogs/sophoslabs//?p=5035

June 26, 2009

 


FYI...

 

MSN IM - Pushdo variant...

- http://blog.trendmicro.com/msn-bot-plays-o...jacksons-death/

June 26, 2009 - "... a slew of malicious links related to Michael Jackson’s last moments in the hospital before his death are now being proliferated in the wild via the instant messaging (IM) application, MSN... When recipients of such messages click on any of these links, they are then prompted to save a file named PIC-IMG029-www.hi5.com.exe (with the MD5 checksum of 031429fc14151f94c8651a3fb110c19b), instead of being led to an image site or gallery. Initial analysis shows that the said file is a variant of the SDBOT family...

Update - 27 June 2009: The botnet is said to push the templated messages through an IRC to the client to be spammed... The malware responsible for this is detected as WORM_IRCBOT.GAT. It opens a certain port on the affected system then listens for remote commands. Kharouni reports that commands to download certain files are received and executed by the affected system, ultimately leading to the download of a PUSHDO variant. PUSHDO is a botnet responsible for a huge amount of spam activity..."

 

(Screenshot available at the URL above.)

 


FYI...

 

More celebrity malware...

- http://www.f-secure.com/weblog/archives/00001709.html

June 29, 2009 - "There have been a couple of malware attacks that have tried to use the news coverage of the death of Michael Jackson as the lure to get people infected. Last night we saw this one: a file called Michael-www.google.com.exe. This file was distributed through a site called photos-google.com and possibly also through photo-msn.org, facebook-photo.net and orkut-images.com. Do not visit these sites. When executed, Michael-www.google.com.exe drops files called reptile.exe and winudp.exe. These are IRC bots with backdoor capability. The file also shows this fake error message..."

(Screenshot available at the F-secure URL above.)

 

- http://www.sophos.com/blogs/gc/g/2009/07/0...m-hits-inboxes/

July 1, 2009 - "... we have encountered a mass-mailing worm that spams out messages with the following characteristics:

Subject: Remembering Michael Jackson

Attached file: Michael songs and pictures.zip

The email, which claims to come from sarah@michaeljackson.com, says that the attached ZIP file contains secret songs and photos of Michael Jackson. Opening the attachment exposes you to infection - and if your computer is hit you will be spreading the worm onto other internet users. Besides spreading via email, the malware is also capable of spreading as an Autorun component on USB memory sticks (an increasingly common trend for malware as use of these devices has become more and more popular). Sophos detects the malware proactively as Mal/ZipMal-B and Mal/VB-AD, and recommends that users of other anti-virus products ensure that their defences are properly updated..."

 


FYI...

 

Torrentreactor site compromised

- http://securitylabs.websense.com/content/Alerts/3430.aspx

07.01.2009 - "Websense... has detected that Torrentreactor, one of the oldest and most reliable torrent search engines on the Web, has been compromised and injected with malicious code. The site has been injected with an IFrame leading to a site laden with exploits. The exploits on the payload site include Internet Explorer (MDAC) and Microsoft Office Snapshot Viewer, as well as Acrobat Reader and Adobe Shockwave. If the user's browser is successfully exploited, a malicious file is downloaded and run from the exploit site. The malicious file has an extremely low AV detection rate*. The file (MD5: 24bd24f8673e3985fc82edb00b24ba73) is a Trojan Downloader and connects to a Bot C&C server at IP 78.109.29.116. After connecting to the IP, the file downloads a Rootkit installer from the same IP..."

* http://www.virustotal.com/analisis/0df0d26...b2b7-1246425266

File rncsys32.exe received on 2009.07.01 05:14:26 (UTC)

Result: 2/41 (4.88%)

 

- http://www.theregister.co.uk/2009/07/01/to...reactor_breach/

1 July 2009 - "... The malicious file in the latest compromise communicates with a server at 78.109.29.116, an IP address that web searches suggest has ties to the Russian Business Network..."

 


FYI...

 

Click fraud trojan...

- http://secureworks.com/research/threats/ff...reat=ffsearcher

June 26, 2009 - "While analyzing a slew of malware downloaded by the exploit kit used in the "Nine-Ball" web attacks, the SecureWorks Counter Threat Unit came across an interesting trojan that used a previously-unseen HTTP request pattern... After some time we came to the conclusion that the trojan was a search hijacker trojan used for click fraud. Click fraud trojans are as old as Internet advertising itself, and usually we see one of two types: browser hijackers that change one's start page and searches to redirect to a third-party search engine, or trojans that silently pull down a list of ad URLs and generate fake clicks on the ads in a hidden Internet Explorer window. This trojan however, was much more subtle and creative - in this case, every click on an ad is user-generated, and the user never notices any change in their web-surfing experience. We call this trojan search hijacker "FFSearcher", named after one of the websites used in this scheme. Detection of the dropper executable by anti-virus engines is poor at this time, with only 4 of 39 scanners* detecting it at all... As click-fraud trojans go, this is one of the more clever that we've seen, with an impressive feature set:

1. Working code to hijack both Firefox and IE

2. Difficult to spot by the average user

3. Minimally impacting to the infected machine

4. Probably difficult for fraud detection systems at the search engine sites to detect, since every ad-click that comes through is generated on purpose by a user in the course of normal web-surfing activity..."

(Screenshots available at the Secureworks URL above.)

* http://www.virustotal.com/analisis/1e7f27f...6c9b-1244830834

File nkavnxe.exe received on 2009.06.12 18:20:34 (UTC)

Result: 4/39 (10.26%)

 


FYI...

 

Happy 4th from Waledac...

- http://securitylabs.websense.com/content/Alerts/3431.aspx

07.03.2009 - "Websense... has detected yet another new Waledac campaign theme in the wild. The new variant uses an Independence Day theme as a social engineering mechanism. The USA celebrates Independence Day on July 4 each year. The malicious emails that are sent use subjects and content related to Independence Day, Fourth of July and fireworks shows. The malicious Web sites in the current attack also have a July 4 or fireworks theme within the domain name. ThreatSeeker has been monitoring the registration of these domains. Should the user click on the video, which is designed to appear to be a YouTube video, an .exe is offered. When downloaded the .exe would install the latest Waledac variant onto the user's machine..."

(Screenshots available at the URL above.)

 

- http://www.eset.com/threat-center/blog/?p=1244

July 2, 2009

- http://www.eset.com/threat-center/blog/?p=1250

July 3, 2009

 


FYI...

 

More on Waledac for the 4th...

- http://blog.trendmicro.com/waledac-celebra...ndence-day-too/

July 4, 2009 - "... These messages contain links to a site which appears to be from YouTube... The video supposedly shows a fabulous fireworks show, but in reality attempting to play the video results in downloading a copy of WORM_WALEDAC.DU..."

 

(Screenshot available at the URL above)

 


FYI...

 

Waledac July 4th update - New domains added

- http://www.shadowserver.org/wiki/pmwiki.ph...lendar/20090704

4 July 2009 - "... quick update on Waledac. We have been keeping an eye on it for a bit and it's been actively spamming and updating clients to Fake Antivirus products for the last few months. However, we also saw it start spamming itself out again starting yesterday. Actually saw a quick first post on this from sudosecure.net:

http://www.sudosecure.net/archives/583

No real need to have tons of duplicate write-ups and screen shots. You can get the same basic information from the site. It's the standard spam to a link involving a fake YouTube video that wants you to download an executable... We have updated our Waledac domain lists that you can use to block/track Waledac domains. The first URL is to the list that is updated with timestamps, ugly comments, and newest domains at the bottom:

http://www.shadowserver.org/wiki/uploads/C...dac_domains.txt

We also have the all-time Waledac domain list that contains just the domain listing since the start. It currently has 244 domains on it and can be reached via the following URL:

http://www.shadowserver.org/wiki/uploads/C...aledac_list.txt

These are domains you definitely want to avoid visiting and consider blocking where possible."

 


FYI...

 

Koobface worm infections exploding

- http://www.threatpost.com/blogs/koobface-w...tions-exploding

July 6, 2009 - "In June, we saw an explosive rise in the number of Koobface modifications - the number of variants we detected jumped from 324 at the end of May to nearly 1000 by the end of June. And this weekend brought another flood, bringing us up to 1049 at the time of writing... Koobface spreads via major social networking sites like Facebook and MySpace. It's now spreading via Twitter as well... the pool of potential victims is growing day by day - just take a look at the Alexa stats* for Facebook. So naturally, cybercriminals are going to be targeting these sites more and more often."

* http://www.alexa.com/siteinfo/facebook.com

"... Percent of global Internet users who visit facebook.com:

... 7 day avg: 20.01% ..."

 


FYI...

 

Twitter suspends Koobface infected computers

- http://blog.trendmicro.com/koobface-increa...itter-activity/

July 9, 2009 - "... Koobface has increased its Twitter activity, sending out tweets with different URL links pointing to Koobface malware. This is in contrast with previous Koobface Twitter activity wherein only three TinyURLs pointing to Koobface were used. As of writing, there are a couple of hundred Twitter users affected by Koobface in the past few hours, but dozens more are being infected as we speak. We advise Twitter users to (not click on) URLs on tweets, especially if the tweet advertises a home video.

Update: It seems this Koobface problem in Twitter is getting bigger and bigger, prompting Twitter itself to temporarily suspend* infected user accounts."

* http://status.twitter.com/post/138789881/k...-malware-attack

July 9, 2009 - "... If we suspend your account, we will send you an email notifying you of the suspension. This email also includes tips for removing the malware from your PC."

 

> http://www.sophos.com/blogs/gc/g/2009/07/1...-koobface-worm/

July 10, 2009

 

Preview a TinyURL

- http://tinyurl.com/preview.php

"Don't want to be instantly redirected to a TinyURL and instead want to see where it's going before going to the site? Not a problem with our preview feature..."

 


FYI...

 

H1N1 SPAM w/virus...

- http://www.f-secure.com/weblog/archives/00001734.html

July 21, 2009 - "We recently saw this malicious file being spread in emails. The name of the file was Novel H1N1 Flu Situation Update.exe and the icon made it look like a Word document file. When the file was opened, it created several new files to the hard drive:

• %windir%\Temp\Novel H1N1 Flu Situation Update.doc

• %windir%\Temp\doc.exe

• %windir%\Temp\make.exe

• %windir%\system32\UsrClassEx.exe

• %windir%\system32\UsrClassEx.exe.reg

The executables contain backdoor functionality, including an elaborate keylogger. And the document file that is dropped gets automatically opened by the malware, causing the user to think he really opened a Word file..."

 

- http://www.sophos.com/blogs/sophoslabs/v/post/5517

July 22, 2009

 

(Screenshots available at both URLs above.)

 

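The attachment names in this thread share a few tells: an executable extension (.exe, .scr, .com), a document-looking inner extension or a web host embedded in the name (Michael-www.google.com.exe, PIC-IMG029-www.hi5.com.exe), a ZIP that hides an executable, and, in the H1N1 case above, an .exe wearing a Word icon. The following triage routine, an added example rather than code from F-Secure, Sophos or this thread, scores a filename on those tells and adds one check the icon cannot fake: whether the first bytes are a PE ("MZ") header when the extension claims otherwise. The extension lists, the regex for embedded domains, and the sample archive are all constructed assumptions for the demonstration.

```python
"""Triage e-mail attachment names and headers for the masquerade patterns seen above.

Added example; the extension lists and sample archive are constructed assumptions.
"""
import io
import os
import re
import zipfile

# Extensions Windows will run directly when the user double-clicks (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".cpl"}
# Extensions a victim expects to be harmless data (assumed list).
DOCUMENT_EXTS = {".doc", ".pdf", ".jpg", ".gif", ".txt", ".zip"}
# "-www.google.com" / "www.hi5.com" glued into a filename to make it read like a URL.
EMBEDDED_DOMAIN = re.compile(r"(^|[-_ ])(www\.)?[a-z0-9-]+\.(com|net|org|biz|info)($|[-_.])")


def triage_attachment(name, head=b""):
    """Return the reasons an attachment looks suspicious; an empty list means nothing flagged.

    `head` is the first few bytes of the file, if available, for the PE-header check.
    """
    reasons = []
    root, ext = os.path.splitext(name.lower())
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    inner = os.path.splitext(root)[1]
    if ext in EXECUTABLE_EXTS and inner and (inner in DOCUMENT_EXTS or inner in EXECUTABLE_EXTS):
        reasons.append(f"double extension {inner}{ext}")
    if EMBEDDED_DOMAIN.search(root):
        reasons.append("domain name embedded in filename")
    # A Word icon is just a resource inside the binary; the 'MZ' magic cannot be hidden.
    if head[:2] == b"MZ" and ext not in EXECUTABLE_EXTS and ext != ".dll":
        reasons.append(f"PE header but extension {ext or '(none)'}")
    return reasons


def triage_zip(name, data):
    """Triage a ZIP attachment and every member inside it (the 'songs and pictures.zip' case)."""
    reasons = triage_attachment(name, data[:2])
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as member:
                    member_head = member.read(2)
                for r in triage_attachment(info.filename, member_head):
                    reasons.append(f"{info.filename}: {r}")
    except zipfile.BadZipFile:
        reasons.append("extension .zip but not a ZIP archive")
    return reasons


def build_sample_zip():
    """Constructed archive: one innocuous picture and one executable, as the Sophos write-up describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cover.jpg", b"\xff\xd8\xff\xe0 not a real jpeg")
        zf.writestr("secret songs.exe", b"MZ\x90\x00 not a real PE")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, head in [
        ("Novel H1N1 Flu Situation Update.exe", b"MZ\x90\x00"),
        ("Michael-www.google.com.exe", b""),
        ("Michael.Jackson.videos.scr", b""),
        ("quarterly report.doc", b"MZ\x90\x00"),
    ]:
        print(fname, "->", triage_attachment(fname, head) or "nothing flagged")
    print("Michael songs and pictures.zip ->", triage_zip("Michael songs and pictures.zip", build_sample_zip()))
```

The name-based rules are cheap and noisy on their own (an internal tool named after a web host would trip the domain regex); the header check is the one worth trusting, and a real gateway would read it from the decoded attachment rather than from two bytes handed in by the caller.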

FYI...

 

Targeted malware calling home...

- http://www.f-secure.com/weblog/archives/00001736.html

July 23, 2009 - "In targeted attacks, we see more and more attempts to obfuscate the hostname of the server where the backdoors are connecting to. IT staff in many of the targeted organizations are fully aware of these attacks. They keep monitoring their logs for suspicious activity. The admins might spot a host that suddenly connects to known rogue locations like:

• weloveusa.3322.org

• boxy.3322.org

• jj2190067.3322.org

• hzone.no-ip.biz

• tempsys.8866.org

• zts7.8800.org

• shenyuan.9966.org

• xinxin20080628.gicp.net

However, we've now seen a shift in the hostnames. The attackers seem to be registering misleading domain names on purpose, and have now been seen using hosts with names like:

• ip2.kabsersky.com

• mapowr.symantecs.com.tw

• tethys1.symantecs.com.tw

• www.adobeupdating.com

• iran.msntv.org

• windows.redirect.hm

The apparent motive here is that a busy IT administrator might look at a firewall log alert about a machine connecting to www.adobeupdating.com and just disregard it. "That must be the PDF reader trying to download updates..." In reality, adobeupdating.com is registered to somebody in Zaire and has an IP address pointing to Australia."

 

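The admin reflex F-Secure describes above ("that must be the PDF reader updating") is exactly what a log filter should refuse to have. The script below, an added example rather than F-Secure's tooling, walks outbound firewall records and raises two kinds of alert: destinations under the dynamic-DNS services named in the post (3322.org, 8866.org, no-ip.biz, gicp.net and the like), and hostnames whose registrable label is a lookalike of a vendor brand, caught either by a brand-as-prefix rule (adobeupdating, symantecs, msntv) or by edit similarity (kabsersky vs kaspersky). The log format, the vendor and suffix lists, the 0.8 similarity threshold and the small table of two-label country suffixes are all constructed assumptions.

```python
"""Flag dynamic-DNS and vendor-lookalike destinations in outbound firewall logs.

Added example. The log line format and all lists below are constructed assumptions.
"""
import re
from difflib import SequenceMatcher

# Dynamic-DNS providers from the F-Secure list above (assumed to be policy-blocked here).
DYNDNS_SUFFIXES = ("3322.org", "8866.org", "8800.org", "9966.org", "no-ip.biz", "gicp.net", "redirect.hm")
# Brands an attacker would imitate so the entry looks like an update check (assumed list).
VENDOR_DOMAINS = ("kaspersky.com", "symantec.com", "adobe.com", "msn.com", "microsoft.com", "windowsupdate.com")
# Two-label public suffixes handled specially (assumed subset; a real tool uses the public suffix list).
TWO_LABEL_SUFFIXES = {"com.tw", "co.uk", "com.au", "co.jp"}
SIMILARITY_THRESHOLD = 0.8

# Constructed log format: "<ts> <action> src=<ip> dst=<host>:<port>".
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def registrable(host):
    """Registrable domain: last two labels, or three when the last two are a known suffix."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_host(host):
    """Return 'dynamic-dns', 'vendor', 'lookalike:<vendor>' or 'clean' for one destination."""
    h = host.lower().rstrip(".")
    for suffix in DYNDNS_SUFFIXES:
        if h == suffix or h.endswith("." + suffix):
            return "dynamic-dns"
    reg = registrable(h)
    if reg in VENDOR_DOMAINS:
        return "vendor"  # the genuine domain, whatever the subdomain
    label = reg.split(".")[0]
    best_vendor, best_ratio = None, 0.0
    for vendor in VENDOR_DOMAINS:
        brand = vendor.split(".")[0]
        if label.startswith(brand):  # adobeupdating, symantecs, msntv
            return f"lookalike:{vendor}"
        ratio = SequenceMatcher(None, label, brand).ratio()  # kabsersky vs kaspersky
        if ratio > best_ratio:
            best_vendor, best_ratio = vendor, ratio
    if best_ratio >= SIMILARITY_THRESHOLD:
        return f"lookalike:{best_vendor}"
    return "clean"


def scan_log(text):
    """Yield (src, host, verdict) for every log line whose destination deserves a second look."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        host = m.group("dst").rsplit(":", 1)[0]
        verdict = classify_host(host)
        if verdict not in ("clean", "vendor"):
            alerts.append((m.group("src"), host, verdict))
    return alerts


# Constructed sample log mixing genuine vendor traffic with the hostnames F-Secure lists.
SAMPLE_LOG = """\
2009-07-23T08:01:02 allow src=10.0.0.12 dst=download.windowsupdate.com:80
2009-07-23T08:01:09 allow src=10.0.0.12 dst=www.adobeupdating.com:80
2009-07-23T08:02:44 allow src=10.0.0.31 dst=ip2.kabsersky.com:443
2009-07-23T08:02:51 allow src=10.0.0.31 dst=mapowr.symantecs.com.tw:443
2009-07-23T08:03:10 allow src=10.0.0.31 dst=weloveusa.3322.org:8080
2009-07-23T08:05:21 allow src=10.0.0.55 dst=www.adobe.com:80
"""

if __name__ == "__main__":
    for src, host, verdict in scan_log(SAMPLE_LOG):
        print(f"{src} -> {host}: {verdict}")
```

Two caveats worth keeping in mind: the prefix rule will also fire on legitimate names that happen to start with a brand (msnbc for msn), so it belongs in a review queue rather than a block list, and the check says nothing about a genuine vendor domain that has itself been compromised; the post's point is only that a familiar-looking name is not evidence of anything.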

FYI...

 

Rogue AV terminates EXE files

- http://blog.trendmicro.com/rogue-antivirus...ates-exe-files/

July 26, 2009 - "This weekend, we at TrendLabs came across a FAKEAV variant similar to the one peddled in the solar eclipse 2009 in America attack in this recent blog post. This one, however, introduces another new scare tactic (so far the latest new ploy we’ve seen is the ransomware/FAKEAV that encrypts files in the infected computer and offers a bogus fixtool for a price). This FAKEAV variant terminates any executed file with an .EXE file extension and displays a pop-up message saying that the .EXE file is infected and cannot execute... This way, users are left with no choice but to activate the antivirus product since no other application works. This Trojan is detected by Trend Micro as TROJ_FAKEAV.B. It avoids terminating critical processes to prevent system crashes. Unfortunately, cybercriminals work hard in creating so many gimmicks, that we can only guess what comes next in FAKEAV..."

 

(Screenshot available at the URL above.)

 


FYI...

 

Malicious Twitter Posts Get More Personal

- http://blog.trendmicro.com/malicious-twitt...-more-personal/

July 27, 2009 - "... malicious Twitter posts are getting dangerously more customized, increasing the possibility of users getting hooked into malicious schemes. A Twitter spambot is said to have been used in launching this recent attack. The spambot creates Twitter accounts and fashions them to appear as legitimate accounts by posting seemingly harmless posts like those sharing certain music they listen to, or websites they visit. The spambot accounts then post tweets directed to unknowing users, sharing a link to a PC repair tool they allegedly came across and used... the spambot posting tweets directed to specific users is a noteworthy social engineering technique that was clearly not seen as suspicious by Twitter admins. The spambot accounts were apparently created prior to a spam cleanup recently conducted by Twitter. Additionally, the spambot uses the URL shortener Doiop.com to mask the original URL in the posts, and for a not so good reason. The URL directs to a URL that triggers a couple of redirections that ultimately lead to the download of the file RegistryEasy.exe, which is detected as TROJ_FAKEAV.DAP. TROJ_FAKEAV.DAP comes off as an application that repairs registry problems. However, in true FAKEAV style, it merely displays false results to convince the user into purchasing the product... in the root of one of the URLs the user is redirected to, an advertisement for an application dubbed as Bot Lite is posted. Bot Lite is, as the post describes, a light Twitter bot that virtually anyone can use... Bot Lite does function as a spambot for Twitter. Its file name is bot_lite_100.exe. Its detection name is HKTL_FAKEBOT. HKTL_ is the detection prefix used by Trend Micro for hacker-tools which are considered to be Grayware. Grayware refers to applications that have annoying, undesirable, or undisclosed behavior but do not fall into any of the major threat (i.e., virus or Trojan horse) categories..."

 

(Screenshots available at the URL above.)

 

- http://ddanchev.blogspot.com/2009/07/diver...ecurity_27.html

July 27, 2009

 


FYI...

 

Dilbert sends out 419 scams...

- http://www.sophos.com/blogs/sophoslabs/v/post/5633

July 29, 2009 - "... Advance Fee fraud scammers will abuse any free service they can get their hands on to send out their spam messages... In recent days, a group of Nigerian scammers have started abusing the “share-a-comic-strip” feature on Dilbert.com. The scammers do this by including their own fraud message inside the “personal message” portion of the sent messages. This is probably a money-making scheme that Dogbert would approve of..."

 

(Screenshots available at the URL above.)

 
