SPAM frauds, fakes, and other MALWARE deliveries...

1409 replies to this topic

#1401 AplusWebMaster

  • SWI Friend
  • 9,413 posts

Posted 20 February 2015 - 09:21 AM

FYI...

Fake 'Bank' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
20 Feb 2015 - "'Lloyds Bank – Pendeford Securities – Please Read Action Required/PI Documents/ Region code East 2/ 9147056/' pretending to come from RSTNAME} Woodruff  <Arron.Woodruff@ lloydsbanking .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Please find attached our document pack for the above customer. Once completed please return via email to the below address.
    If you have any queries relating to the above feel free to contact us at MN2Lloydsbanking@ lloydsbanking .com
    Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 0128078. Telephone: 0845 603 1637
    Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.
    Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.
    Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.
    HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC272200.
    This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded...


The malware attached to this email is the same malware as in today’s other Upatre "delivery supply only quotation 16822 in total"* – fake PDF malware . If previous days are anything to go by, we -will- see -numerous- different emails all containing the same upatre malware and all with different file names..."

* http://myonlinesecur...ke-pdf-malware/
20 Feb 2015 - "'supply only quotation 16822 in total' pretending to come from wendy@ burwoodsupply .co .uk with a zip attachment is another one from the current bot runs... The email looks like:
     Hi
    Attached are 1 quotes so far they are in excel format so they can be altered if necessary (I normally only send the quotes in PDF so they can’t be altered but Mike asked me not to do this).
    The rest to follow tomorrow a.m.
    Regards
    Teresa Byron
    Office Administrator
    ECY  Armco  Barley Castle Lane, Appleton Thorn, Warrington, Cheshire, WA4 4RB  t: +44(0)1925 860000  f: +44(0)1925 861111
    This email is confidential. It may also be privileged or otherwise protected by work product immunity or other legal rules. If you are not the intended recipient please notify the sender. Please delete the message from all places in your computer where it is stored...


20 February 2015: quotes.zip: Extracts to: quotes.exe
Current Virus total detections: 2/57** . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
** https://www.virustot...sis/1424432388/
___

Fake 'NYC Parking Fine' SPAM - malware
- http://www.hoax-slay...s-malware.shtml
Feb 20, 2015 - "Email purporting to be from the NYC Department of Finance thanks you for paying $7900 in parking fines via your credit card and suggests you open an -attached- file to view details... claims to be from the NYC Department of Finance... Opening the attached .zip file will reveal a malicious .exe file. If you then click-the-.exe file, -malware- may be installed on your computer. The exact type of malware varies..."
___

Lenovo - vulnerable to HTTPS Spoofing
- https://www.us-cert....-HTTPS-Spoofing
Feb 20, 2015 - "Lenovo consumer personal computers employing the pre-installed Superfish Visual Discovery software contain a critical vulnerability through a compromised root CA certificate. Exploitation of this vulnerability could allow a remote attacker to read -all- encrypted web browser traffic (HTTPS), successfully impersonate (spoof) any website, or perform other attacks on the affected system. US-CERT recommends users and administrators review Vulnerability Note VU#529496* and US-CERT Alert TA15-051A** for additional information and mitigation details."

* http://www.kb.cert.org/vuls/id/529496
Feb 20, 2015 - "... Solution: The CERT/CC is currently unaware of any official solutions to this problem and recommends the following workarounds.
- Uninstall Komodia Redirector SDK and associated root CA certificates
- Uninstall any software that includes the Komodia Redirector and SSL Digestor libraries..."
** https://www.us-cert....lerts/TA15-051A
Feb 20, 2015 - "... Solution: Uninstall Superfish VisualDiscovery and associated root CA certificate
- Uninstall any software that includes the Komodia Redirector and SSL Digestor libraries. In the case of Lenovo PCs, this includes Superfish Visual Discovery.
It is also necessary to remove affected root CA certificates. Simply uninstalling the software does not remove the certificate. Microsoft provides guidance on [3] deleting (link is external) and [4] managing (link is external) certificates in the Windows certificate store. In the case of Superfish Visual Discovery, the offending trusted root certification authority certificate is issued to “Superfish, Inc.”
Mozilla provides similar [5] guidance for their software, including the Firefox and Thunderbird certificate stores."

3] https://technet.micr...y/cc772354.aspx

4] http://windows.micro...ur-certificates

5] https://wiki.mozilla...oot_Certificate

> http://support.lenov...rfish_uninstall

- https://blog.malware...perfish-fiasco/
Feb 20, 2015 - "... To find out if you are affected, you can visit:
- https://filippo.io/Badfish/ "



Edited by AplusWebMaster, 23 February 2015 - 05:09 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1402 AplusWebMaster

Posted 23 February 2015 - 10:35 AM

FYI...

Fake Magazine Invoice SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
23 Feb 2015 - "'Essex Central Magazine Invoice' pretending to come from Essex Central Magazine <darren@ notifications .kashflow .com> with a zip attachment is another one from the current bot runs... The email looks like:
     Please see attached invoice for the upcoming issue of Essex Central
    Magazine.
     Regards,
     Accounts Dept.


23 February 2015: invoice.zip: Extracts to: invoice_pdf.exe
Current Virus total detections: 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1424701064/

- http://blog.mxlab.eu...-upatre-trojan/
Feb 23, 2014
> https://www.virustot...42b79/analysis/
___

A Week in Security...
- https://blog.malware...rity-feb-15-21/
Feb 23, 2013 - "... fakeouts festooned all over YouTube, claiming to activate Windows 10:
> https://blog.malware...ps-and-surveys/
... rogue tweets on Twitter baiting whoever is interested in Evolve:
> https://blog.malware...ted-by-malware/
... a quite rare phishing campaign that targets accounts of Japanese gamers who have profiles under Square Enix:
> https://blog.malware...x-video-gamers/
... an infection via malicious code injection on the official website of renowned British celebrity chef... the site launches exploits targeting vulnerabilities on Adobe Flash, Silverlight, and Java:
> https://blog.malware...to-exploit-kit/
...  a compromise on RedTube, a top adult entertainment site. It was injected with a rogue iframe that directs visitors to the download and execution of an Angler exploit kit variant. The said EK targets Flash and Silverlight vulnerabilities:
> https://blog.malware...cts-to-malware/
... Malwarebytes Labs Team."


Edited by AplusWebMaster, 24 February 2015 - 03:43 PM.



#1403 AplusWebMaster

Posted 24 February 2015 - 07:20 AM

FYI...

Fake Invoice SPAM - doc malware
- http://blog.dynamoo....td-invoice.html
24 Feb 2015 - "This -fake- invoice is not from Berendsen UK Ltd but is a simple forgery. They are not sending out the spam and their systems have not been compromised in any way. Instead, this email has a malicious Word document attached.
    From:    donotreply@ berendsen .co .uk
    Date:    24 February 2015 at 08:09
    Subject:    Berendsen UK Ltd Invoice 60020918 117
    Dear Sir/Madam,
    Please find attached your invoice dated 21st February.
    All queries should be directed to your branch that provides the service. This detail can be found on your invoice.
    Thank you...


I have only seen one sample of this email, with a Word document IRN001549_60020918_I_01_01.doc which has a -zero- detection rate*. Contained within this is a malicious Word macro which downloads a component from the following location:
http ://heikehall .de/js/bin.exe
This binary has a VirusTotal detection rate of 2/57**. Automated analysis tools... show that it attempts to phone home to:
...
MWTV have featured several times on this blog. A close examination of their 92.63.80.0/20 block indicates a mix of legitimate and illegitimate sites, however the bad sites are concentrated in the following ranges:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
In addition to this, the malware attempts to drop a Dridex DLL which is widely detected by AV vendors with a detection rate of 30/57***.
Recommended blocklist:
..."
* https://www.virustot...sis/1424770482/

** https://www.virustot...sis/1424770511/

*** https://www.virustot...sis/1424772155/

- http://myonlinesecur...rd-doc-malware/
24 Feb 2015 - "'Izabela Pachucka Arsenal LTD document do confirm' pretending to come from Izabela Pachucka <pachuckaizabela@ arsenalltd .pl> with a malicious word doc attachment is another one from the current bot runs...
Screenshot: http://myonlinesecur...la-Pachucka.png
The malware attached to this series of emails is exactly the same as in today’s Berendsen UK Ltd Invoice 60020918 117 – Word doc malware although renamed as roexport.doc* or roexport.xls..."
* http://myonlinesecur...rd-doc-malware/

Screenshot: http://myonlinesecur...en-1024x682.png
___

Fake Order SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
24 Feb 2015 - "'Board Order – PO15028' pretending to come from Andrew Manville <andy@ icotherm .co .uk> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...der-PO15028.png

... exactly the -same- as the attachments to today’s other malicious word and excel macros Izabela Pachucka Arsenal LTD document do confirm – Word doc malware* and Berendsen UK Ltd Invoice 60020918 117 – Word doc malware** although re-named as SCAN_20150224_100752437.doc or SCAN_20150224_100752437.xls ..."
* http://myonlinesecur...rd-doc-malware/

** http://myonlinesecur...rd-doc-malware/
___

Fake 'Time Sheet' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
24 Feb 2015 - "'Time Sheet' pretending to come from hartsellb@ mtpleasantnc .us with a zip attachment is another one from the current bot runs... The email looks like:
    Sorry again this time it has a attachment.
    Thanks
    Bobby


24 February 2015: 2-9-15 to 2-15-15.zip: Extracts to: 2-9-15 to 2-15-15.exe
Current Virus total detections: 8/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1424785308/

- http://threattrack.t...time-sheet-spam
Feb 24, 2015
___

Fake 'EFT Notification' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
24 Feb 2015 - "'TOWN OF MT PLEASANT, here is your EFT Notification' pretending to come from finance_ap@ cabarruscounty .us with a zip attachment is another one from the current bot runs... The email is very basic and terse and simply has this in the body :

     live-842000_12-17-2014-PE-E.pdf

24 February 2015: live-842000_12-17-2014-PE-E.zip:
Extracts to:  live-842000_12-17-2014-PE-E.exe
Current Virus total detections: 7/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1424793555/
___

Fake FedEx SPAM - trojan
- http://blog.mxlab.eu...ontains-trojan/
Feb 23, 2015 - "... intercepted a new trojan distribution campaign by email with the subjects similar to:
Reese Torres agent Fedex
Dylan Livingstone agent Fedex

This email is sent from the spoofed address “Fedex <fedexservice@ juno .com>” and has the following body:
    Dear Customer,
    We tried to deliver your item on February 22th, 2014, 08:15 AM.
    The delivery attempt failed because the address was business closed or nobody could sign for it.
    To pick up the package,please, print the receipt that is attached to this email and visit Fedex location indicated in the invoice.
    If the package is not picked up within 48 hours, it will be returned to the shipper.
    Label/Receipt Number: 44364578782324455
    Expected Delivery Date: February 22th, 2014
    Class: International Package Service
    Service(s): Delivery Confirmation
    Status: Notification sent
    Thank you
    Copyright© 2015 FEDEX. All Rights Reserved...


The attached file Package.zip contains the 78 kB large file 443645787823424455.scr. The trojan is known as HEUR:Trojan.Win32.Generic or Win32.Trojan.Inject.Auto. At the time of writing, 5 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...cb23b/analysis/
___

7,038 new security vulnerabilities - 2014 stats
- http://www.gfi.com/b...ations-in-2014/
Feb 18, 2015 - "... 7,038 -new- security vulnerabilities were added to the NVD database in 2014. This means an average of 19 new vulnerabilities per day. The number is significantly higher than in 2013 and continues the ascending trend over the past few years.
> http://www.gfi.com/b...ities-09-14.jpg
24% of these vulnerabilities are rated as high severity. The percentage is lower than in 2013, but the actual number of high security vulnerabilities has -increased- compared to last year.
> http://www.gfi.com/b...erabilities.jpg
Third-party applications are the most important source of vulnerabilities with over 80% of the reported vulnerabilities in third-party applications. Operating systems are only responsible for 13% of vulnerabilities and hardware devices for 4%.
> http://www.gfi.com/b...roduct-type.jpg
Top operating systems by vulnerabilities reported in 2014
> http://www.gfi.com/b...02/OS-chart.jpg
Top applications by vulnerabilities reported in 2014
> http://www.gfi.com/b...ation-chart.jpg
... Not surprisingly at all, web browsers continue to have the most security vulnerabilities because they are a popular gateway to access a server and to spread malware on the clients. Adobe free products and Java are the main challengers but web browsers have continuously topped the table for the last six years. Mozilla Firefox had the most vulnerabilities reported in 2009 and 2012; Google Chrome in 2010 and 2011; Internet Explorer was at the top for the last two years.
To keep systems secure, it is -critical- that they are fully patched. IT admins should focus on (patch them first):
- Operating systems (Windows, Linux, OS X)
- Web browsers
- Java
- Adobe free products (Flash Player, Reader, Shockwave Player, AIR).
Vulnerability and patch management should be priority tasks for every sysadmin. Microsoft’s updates are -not- enough because third-party applications are just as problematic..."


Edited by AplusWebMaster, 24 February 2015 - 09:45 PM.



#1404 AplusWebMaster

Posted 24 February 2015 - 08:55 PM

FYI...


Fake 'LogMeIn' SPAM - malicious attachment
- http://blog.dynamoo....ro-payment.html
25 Feb 2015 - "This -fake- financial email does not come from LogMeIn, instead it has a malicious attachment:
    From:    LogMeIn .com [no_reply@ logmein .com]
    Date:    25 February 2015 at 08:52
    Subject:    Your LogMeIn Pro payment has been processed!
    Dear client,
    Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.
    Your credit card has been successfully charged.
    Date : 25/2/2015
    Amount : $999 ( you saved $749.75)
    The transaction details can be found in the attached receipt.
    Your computers will be automatically upgraded the next time you sign in.
    Thank you for choosing LogMeIn!


Attached is a malicious Excel document called logmein_pro_receipt.xls with a VirusTotal detection rate of 0/56*. Usually in a spam run like this there are several different versions of the document but so far I have only seen one, containing this malicious macro. The macro downloads a file from:
http ://junidesign .de/js/bin.exe
This is saved as %TEMP%\GHjkdfg.exe and has a VirusTotal detection rate of 3/57**. Automated analysis tools... show this calling home to the following IPs:
...
... The Malwr report shows that among other activities, this drops an executable that seems to be another version of itself [VT 3/57***] and a malicious DLL which is probably a Dridex component [VT 4/57****].
Recommended blocklist:
..."
* https://www.virustot...sis/1424856686/

** https://www.virustot...sis/1424856906/

*** https://www.virustot...sis/1424858127/

**** https://www.virustot...sis/1424858199/

- http://myonlinesecur...dsheet-malware/
25 Feb 2015
Screenshot: http://myonlinesecur...n-processed.png

Fake emails mimic LogMeIn receipts
- http://blog.logmein....ogmein-receipts
Feb 17, 2015
___

Copy .com used to distribute Crypto Ransomware
- https://isc.sans.edu...l?storyid=19371
2015-02-25 01:04:23 UTC - "Thanks to Marco for sending us a sample of yet another piece of crypto-ransom malware. The file was retrieved after visiting a compromised site (www .my-sda24 .com) . Interestingly, the malware itself was stored on copy .com. Copy .com is a cloud based file sharing service targeting corporate users. It is run by Barracuda, a company also known for its e-mail and web filtering products that protect users from just such malware. To its credit, Barracuda removed the malware within minutes of Marco finding it. At least right now, detection for this sample is not great. According to Virustotal, 8 out of 57 virus engines identify the file as malicious [1]. A URL blacklist approach may identify the original site as malicious, but copy .com is unlikely to be blocked. It has become very popular for miscreants to store malicious files on cloud services, in particular if they offer free trial accounts. Not all of them are as fast as Barracuda in removing these files."

1]  https://www.virustot...6adf4/analysis/

___

Dropbox SPAM - malware
- http://blog.dynamoo....-shared-mt.html
25 Feb 2015 - "This spam leads to a malware download via Dropbox.
    From:    Info via Dropbox
    Reply-To:    hcm0366@ gmail .com
    Date:    25 February 2015 at 05:38
    Subject:    Info Chemicals shared "MT 103_PO_NO!014.zip" with you
    Signed by:    dropbox .com
    From Info:
    "Good day ,
    How are you today
    pls check attached, my manager had requested I email you our new order details together with TT copy of balance payment. Kindly confirm in return.
    regards,
    Frank Manner
    Broad Oak Ltd, Tiverton, Tiverton Way, Tiverton Business Park, Tiverton, Devon, EX16 6TG
    Registered No. 1971053 England & Wales...


The email has been digitally signed by Dropbox (which means exactly nothing) and is -spoofing- the wholly legitimate Broad Oak Ltd who have been a target of this sort of thing several times before. In this case, the link in the email goes to:
https ://www .dropbox .com/l/dFxVxjuDRo3j2oANVURy2v
and then to
https ://www .dropbox .com/s/fnsprei93c45ts6/MT%20103_PO_NO!014.zip
Which leads to a malicious EXE file called MT 103_PO_NO!014.zip. Inside that is the malware itself, a file .pdf.scr which has a detection rate of 11/57*. According to the Malwr report it drops another executable with a detection rate of 9/57**. The payload looks similar to the Zeus trojan. Also, according to Malwr and ThreatExpert it attempts to communicate with an apparent web-to-Tor gateway at
mmc65z4xsgbcbazl .onion .am
onion .am is hosted on 37.220.35.39 (YISP Colo, Netherlands)... Be aware that there are probably many other Dropbox locations in use for this spam run. If you see more, I suggest you forward the email to abuse -at- dropbox.com ..."
* https://www.virustot...sis/1424849825/

** https://www.virustot...sis/1424850664/
___

Fake 'eFax message' SPAM - malware
- http://myonlinesecur...ke-pdf-malware/
25 Feb 2015 - "'eFax message from “POTS modem 2 ” – 1 page(s), Caller-ID: 1-630-226-2563' pretending to come from message@ inbound .efax .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...OTS-modem-2.png

25 February 2015: fax_2342.zip: Extracts to: fax_2342.exe
Current Virus total detections: 19/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1424883423/


Edited by AplusWebMaster, 25 February 2015 - 02:41 PM.



#1405 AplusWebMaster

Posted 26 February 2015 - 07:33 AM

FYI...

cPanel ‘Account Suspended’ PHISH serves exploits
- https://blog.malware...erves-exploits/
Feb 26, 2015 - "cPanel is one of the most popular web hosting control panels out there. It allows administrators to manage their website(s) using a graphical front end, perform maintenance and review important logs among other things. cPanel also has a user interface for CGI (short for Common Gateway Interface) typically used to run scripts and generate dynamic content. One such script populates a fairly well-known (and somewhat dreaded) page known as the “Account Suspended” page:
> https://blog.malware.../suspended1.png
Visitors to a site are -redirected- to this screen for one of many reasons ranging from the site owner’s failure to pay for his hosting, violating the Terms and Conditions, or perhaps exceeding their allocated bandwidth... The page itself is made of HTML code, and can be edited by an administrator, often via a Web Host Manager (WHM). Many sites that were once used to distribute malware and have been suspended will sport that kind of page. One would assume that the site would now be harmless, since the hosting provider has already taken action. If you aren’t looking at the URL carefully (the suspended page should be displayed at the root of the domain) and assumed so, you might just run into a case where the site is actually fully compromised and still active... The injected iframe redirects straight to a Fiesta exploit kit landing page. The landing page usually performs various checks and prepares the exploits that are going to get fired at the victim. As is often the case with exploit kits, that page is heavily obfuscated to make identification a little bit more difficult... This case is a reminder not to trust a book by its cover and always exercise caution. Attackers were clever to hide the malicious redirect code where they did because they might trick someone into brushing off the site as “already terminated by the hosting provider”, when in fact it’s not. They might have fooled some, but they didn’t fool us..."
(More detail at the malwarebytes URL at the top.)
___

Fake 'Voice Message' SPAM - wav malware
- http://myonlinesecur...ke-wav-malware/
26 Feb 2015 - "'New Voice Message from No Caller ID on 25/02/2015 at 16:25' pretending to come from notify-uk@ ringcentral .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ice-message.png

26 February 2015: NoCallerID-1218-162550-153.wav.zip:
Extracts to:  NoCallerID-1218-162550-1536.wav.exe
Current Virus total detections: 0/57* . The extracted file name is actually NoCallerID-1218-162550-153б.wav.exe  (if you look closely, you can see that the 6 is not the number six at all but a foreign language character that looks like a number 6) This can cause analysis problems with some of the auto analysers which have crashed trying to analyse this one and an error on some windows systems, possibly leading to the file auto-running. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav (voice or music) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1424938264/
___

Fake 'Copy Invoices' SPAM - malicious attachment
- http://blog.dynamoo....s-christou.html
26 Feb 2015 - "This -fake- invoice spam comes with a malicious attachment:
    From:    Chris Christou [chris.christou@ greysimmonds .co.uk]
    Date:    26 February 2015 at 10:45
    Subject:    Copy invoices
    Hello ,
    Please find copy invoices attached as per our telephone conversation.
    Kind regards,
    Chris
    Chris Christou
    Credit Control
    Grey Simmonds
    Cranes Point
    Gardiners Lane South
    Basildon
    Essex SS14 3AP
    Tel:  0845 130 9070
    Fax: 0845 370 9071...


It does -NOT- come from Grey Simmons, nor have their systems been compromised in any way. Instead, this is a simple forgery. I have only seen one sample so far, with an attachment IGM135809.doc [detection rate 0/57*] which contains this malicious macro... which downloads a further component from:
http ://xomma .net/js/bin.exe
This is saved as %TEMP%\GVhjJJVJH.exe and has a VirusTotal detection rate of 4/56**. Automated analysis tools... show it attempting to phone home to the following IPs:
92.63.87.13 (MWTV, Latvia)
78.140.164.160 (Webazilla, US)
86.104.134.156 (One Telecom, Moldova)
104.232.32.119 (Net 3, US)
This Malwr report shows dropped files with an MD5 of 590fc032ac747d970eb8818671f2bbd3 [VT 3/57***] and 1997b0031ad702c8347267db0ae65539 [VT 4/57****].
Recommended blocklist:
..."
* https://www.virustot...sis/1424948249/

** https://www.virustot...sis/1424948263/

*** https://www.virustot...5553d/analysis/

**** https://www.virustot...faccb/analysis/


- http://myonlinesecur...dsheet-malware/
26 Feb 2015
Screenshot: http://myonlinesecur...py-invoices.png
___

Fake email SPAM - malware attached
- http://myonlinesecur...ke-pdf-malware/
26 Feb 2015 - "'NicolaR RA 069767 (random numbers)' pretending to come from NicolaR@ jhs. co.uk with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...2/RA-069767.png

26 February 2015: RA_New.zip: Extracts to: RA_New.exe
Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1424955113/
___

Fake 'Sales Invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 Feb 2015 - "'Your Sales Invoice' pretending to come from donotreply@ worldwind .co .uk with a zip attachment is another one from the current bot runs... The email looks like:

    Your document is attached with our regards.
    The document is in PDF format and requires Adobe Reader to view ...


26 February 2015: 131234.zip: Extracts to: 131234.exe
Current Virus total detections: 7/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1424964940/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
181.189.152.131: https://www.virustot...31/information/
89.248.61.60: https://www.virustot...60/information/
181.189.152.131: https://www.virustot...31/information/
UDP communications
217.10.68.152: https://www.virustot...52/information/
217.116.122.136: https://www.virustot...36/information/


Edited by AplusWebMaster, 26 February 2015 - 04:52 PM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1406 AplusWebMaster

Posted 27 February 2015 - 07:29 AM

FYI...

Bogus Search Engine leads to Exploits
- https://blog.malware...ds-to-exploits/
Feb 27, 2015 - "... Sadly, devious software makers are using all the tricks in the books to fool users into installing their programs. Even when you take all the precautions necessary and never download anything from an untrusted source, you could still end up with Adware. The recent Lenovo/Superfish fiasco is a good example of that. Brand new computers were pre-installed with Adware that surreptitiously injected ads into the browser by introducing vulnerabilities, in an almost undetectable way. Adware is not only annoying but can also weaken a computer’s security status. Today, we have another case to prove that point. Potentially Unwanted Programs often install a search assistant (or rather a browser and search -hijacker-) on people’s machines:
> https://blog.malware...ebfindfast2.png
The idea is simple: To redirect people’s searches to affiliates or other sponsors and earn pay-per-click commissions. This one is hosted at webfindfast .com*:
> https://blog.malware...02/searches.png
For the end-user, the search experience is simply terrible but yet not the end of their troubles. In this case, clicking on any link results in a -redirection- to an exploit kit landing page, quickly followed by malware... As usual, after several convoluted redirects, the user ends up on the door step of the famous Angler exploit kit... Vulnerable computers are infected with a piece of malware detected as Trojan.Crypt.NKN by Malwarebytes Anti-Malware. It will install a rogue Antivirus program known as 'Malware Defender 2015' and pull up a purchase page from an IP address located in Istanbul (176.53.125.20)**... The lesson to learn from this is to once again stay away from bundled software and other programs that appear to be free but come with a catch. Also, if you’re starting to see a different home page or search engine than you used to, you should make sure your browser has not been altered in some way."
* 136.243.24.248: https://www.virustot...48/information/

** 176.53.125.20: https://www.virustot...20/information/
___

Fake 'Invoice' SPAM - doc malware
- http://blog.dynamoo....-inv650988.html
27 Feb 2015 - "This -fake- invoice email is not from Dennys but is a simple forgery with a malicious attachment. Dennys are not sending the spam, and their systems have not been compromised in any way.
    From:    accounts@ dennys .co.uk
    Date:    27 February 2015 at 09:14
    Subject:    Dennys Invoice INV650988
    To view the attached document, you will need the Microsoft Word installed on your system.


So far I have only seen a single sample, with an attachment INV650988.doc which has a VirusTotal detection rate of exactly zero*. This contains this malicious macro... which downloads another component from the following location:
http ://hew.homepage.t-online. de/js/bin.exe
This is saved as %TEMP%\324235235.exe and has a VirusTotal detection rate of 1/57**.
According to the Malwr report, this executable then goes on and downloads another version of itself and a config file from:
http ://apartmentprofile .su/conlib.php
http ://paczuje.cba .pl/java/bin.exe
It drops several files, KB2896~1.EXE [VT 3/57***], edg2.exe [VT 3/57****] and a Dridex DLL which is much more widely detected (and we saw this same DLL yesterday)... Between the Malwr and VirusTotal analyses, we see attempts to communicate with the following IPs:
198.52.200.15 (Centarra Networks, US)
95.211.144.65 (Leaseweb, Netherlands)
195.114.0.64 (SuperHost.pl, Poland)
92.63.87.13 (MWTV, Latvia)
78.140.164.160 (Webazilla, US)
59.97.137.171 (Broadband Multiplay Project, India)
104.232.32.119 (Net 3, US)
Some of these are shared hosting, I recommend for maximum protection that you apply the following blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
198.52.200.15
78.140.164.160
59.97.137.171
104.232.32.119
"
* https://www.virustot...sis/1425029078/

** https://www.virustot...sis/1425029464/

*** https://www.virustot...sis/1425031075/

**** https://www.virustot...sis/1425031099/


- http://myonlinesecur...dsheet-malware/
27 Feb 2015
> https://www.virustot...sis/1425027918/
___

Fake 'Offer Sheet' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Feb 2015 - "'Pearl Summer Offer Sheet' pretending to come from maikel.theunissen@ pearleurope .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...Offer-Sheet.png

27 February 2015: Pearl UK Summer Offer Sheet 2015.zip: Extracts to: Pearl UK Summer Offer Sheet 2015.exe
Current Virus total detections: 0/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425039221/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
181.189.152.131: https://www.virustot...31/information/
192.185.86.160: https://www.virustot...60/information/
181.189.152.131: https://www.virustot...31/information/
UDP communications
107.23.150.92: https://www.virustot...92/information/
107.23.150.99: https://www.virustot...99/information/
___

Fake 'eFax message' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Feb 2015 - "'eFax message from “unknown” – 1 page(s), Caller-ID: 1-219-972-8538' pretending to come from message@ inbound .efax .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...wn-1024x610.png

27 February 2015: FAX_20150226_1424989043_176.zip: Extracts to:  FAX_20150226_1424989043_176.exe
Current Virus total detections: 4/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425056870/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
181.189.152.131: https://www.virustot...31/information/
192.185.106.103: https://www.virustot...03/information/
UDP communications
217.10.68.152: https://www.virustot...52/information/


Edited by AplusWebMaster, 27 February 2015 - 06:59 PM.



#1407 AplusWebMaster

Posted 01 March 2015 - 11:57 AM

FYI...

Fake 'Order/ Payment' SPAM – Java malware
- http://myonlinesecur...t-java-malware/
1 Mar 2015 - "'lucy C Ulngaro New Order/ Payment' pretending to come from Admin <tareq@ msp .com.sa> with a jar attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...der-Payment.png

1 March 2015: PO-2015-0123.jar: Current Virus total detections: 22/57*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a zip file instead of the java file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425193109/
___

Fake job offer SPAM
- http://blog.dynamoo....uctioncouk.html
28 Feb 2015 - "This -fake- job offer claimed to be from a UK-based company called Trade Construction Company LLC using a website at tradeconstruction .co .uk. However, no such company exists in the UK, and this is a rip-off of a wholly legitimate US firm that is actually called Trade Construction Company LLC who are -not- involved in this scam at all.

    From:    JOB ALERT [klakogroups@ gmail .com]
    Reply-To:    klakogroups@ gmail .com
    To:    Recipients [klakogroups@ gmail .com]
    Date:    27 February 2015 at 18:37
    Subject:    NEW JOB VACANCIES IN LONDON.
    Trade Construction Company,
    L.L.C,
    70 Gracechurch Street.
    EC3V 0XL, London. UK
    We require the services of devoted and hardworking workers, who are ready to work after undergoing enlistment training. in all sectors
    as The Trade Construction Company Management intends to increase its man power base due to increasing number of customers and contract in the Company.
    Available Positions...


... The tradeconstruction .co.uk site is almost a bit-by-bit copy of the genuine tradeconstruction .com website.
> https://4.bp.blogspo...nstruction1.jpg
... Nothing about this job offer is legitimate. It does -not- come from who it appears to come from and should be considered to be a -scam- and avoided."


Edited by AplusWebMaster, 01 March 2015 - 02:58 PM.



#1408 AplusWebMaster

Posted 02 March 2015 - 02:48 PM

FYI...

Fake 'Secure Message' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
2 Mar 2015 - "'JP Morgan Access Secure Message' pretending to come from JP Morgan Access <service@ jpmorgan .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Please check attached file(s) for your latest account documents regarding your online account.
    Forrest Blackwell
    Level III Account Management Officer
    817-140-6313 office
    817-663-8851 cell
    Forrest .Blackwell@ jpmorgan .com
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    2015 JPMorgan Chase & Co...


2 March 2015: JP Morgan Access – Secure.zip : Extracts to: JP Morgan Access – Secure.scr
Current Virus total detections: 9/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425314842/




#1409 AplusWebMaster

Posted 03 March 2015 - 08:28 AM

FYI...

Fake 'Apple ID' – phish...
- http://myonlinesecur...le-id-phishing/
2 Mar 2015 - "'Your recent download with your Apple ID' pretending to come from Apple iTunes <orders@ tunes .co.uk> is one of the latest -phish- attempts to steal your Apple Account and your Bank, credit card and personal details. This one only wants your personal details, Apple login details and your credit card and bank details... This one has a short url link in the email which -redirects- you...

Screenshot: http://myonlinesecur...ur-Apple-ID.png

If you follow-the-link (don't) you see a webpage looking like:
> http://myonlinesecur...fy_apple_ID.png
... fill in your user name and password you get a page looking very similar to this one (split into sections), where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format.
> http://myonlinesecur..._apple_ID_2.png
...
> http://myonlinesecur..._apple_ID_3.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

Fraud Alert: Unauthorised Appstore Payment – phish
- http://myonlinesecur...yment-phishing/
3 Mar 2015 - "'Fraud Alert: Unauthorised Appstore Payment' pretending to come from iTunes <datacareapsecurity@ apple. co.uk> is one of the latest -phish- attempts to steal your Apple Account and your Bank, credit card and personal details...

Screenshot: http://myonlinesecur...ore-Payment.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
___

Worm.Gazon: Want Gift Card? Get Malware
- http://www.adaptivem...ard-get-malware
2 Mar 2015 - "... A simple piece of -malware- is on the way to become one of the 'spammiest' mobile malware outbreaks seen yet. This malware we have dubbed Gazon spreads via SMS with a shortened link to itself in the spam message, redirecting a potential victim to a webpage that promises an Amazon gift card if you install an APK file hosted on the page:

Hey [NAME], I am sending you $200 Amazon Gift Card You can Claim it here : https ://bit .ly/ getAmazon[redactedD]
> http://www.adaptivem...on-download.jpg

The malware passes itself off as an app that gives Amazon rewards. However, the only thing it actually does is pull up a scam page inside the app which asks you to participate in the -survey- ... Each of the options below ends up taking you to either another scam page or asks you to download a game in the Google Play. While you are busy clicking through pages the author just earns money through your clicks as we have seen in other pieces of mobile malware.
> http://www.adaptivem...gazon-scam1.png
However, in the background this malware harvests all your contacts and sends a -spam- message to each of them with the URL pointing to the body of the worm... Thousands of people have seemingly installed this malware and been a victim. We are seeing over 4k infected devices in all of the major networks in North America, and we've blocked over 200k spam messages generated by these infected devices. Stopping the spread via messaging is critical as each one of these messages was an attempt to spread the app to an infected user's contacts. Based on click-throughs from the shortened URL it also seems this malware has been encountered in multiple other countries as well, worldwide. At the moment none of the AV engines detect this malware according to VirusTotal.
> http://www.adaptivem...-virustotal.png
... users should be aware of this -scam- and as always, be careful clicking on links in text messages that seem suspect. In this case, like other worm malware we have seen recently, even messages your contacts send you may not be safe. The malware can be removed using standard Android app uninstall utilities..."


Edited by AplusWebMaster, 03 March 2015 - 10:47 PM.



#1410 AplusWebMaster

Posted Yesterday, 06:55 AM

FYI...

Fake no body text SPAM - malicious attachment
- http://blog.dynamoo....ohn-donald.html
4 Mar 2015 - "This rather terse email comes with a malicious attachment:
    From:    John Donald [john@ kingfishermanagement .uk .com]
    Date:    4 March 2015 at 09:09
    Subject:    Document1


There is no body text, but there is an attachment Document1.doc which is not currently detected by AV vendors*, in turn it contains this malicious macro... which downloads another component from the following location:
http ://retro-moto .cba .pl/js/bin.exe
Note that there may be other different versions of this document with different download locations, but it should be an identical binary that is downloaded. This file is saved as %TEMP%\GHjkdjfgjkGKJ.exe and has a VirusTotal detection rate of 2/57**. Automated analysis tools... show attempted network traffic to the following IPs:
92.63.87.13 (MWTV, Latvia)
104.232.32.119 (Net3, US)
87.236.215.103 (OneGbits, Lithuania)
108.61.198.33 (Gameservers.com / Choopa LLC, Netherlands)
According to the Malwr report it also drops another version of itself with a detection rate of just 1/57*** plus a DLL with a detection rate of 7/56****.
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
104.232.32.119
87.236.215.103
108.61.198.33
"
* https://www.virustot...sis/1425464228/

** https://www.virustot...sis/1425464153/

*** https://www.virustot...sis/1425466045/

**** https://www.virustot...sis/1425466059/

- http://myonlinesecur...dsheet-malware/
4 Mar 2015
> Document1.docx: https://www.virustot...sis/1425459634/
> https://www.virustot...sis/1425460757/
... Behavioural information
TCP connections
92.63.87.13: https://www.virustot...13/information/
___

Fake 'Remittance advice' SPAM – word doc or excel xls malware
- http://myonlinesecur...dsheet-malware/
4 Mar 2015 - "'Remittance advice [Rem_5556YJ.xml] (random numbers)' pretending to come from random addresses and random companies with a malicious word doc or Excel XLS spreadsheet attachment (these are actually XML word files) is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus. Modern versions of Microsoft Office, that is Office 2010 and 2013 and Office 365, have Macros disabled by default, UNLESS you or your company have enabled them... The email looks like:
    Good morning
    You can find remittance advice [Rem_5556YJ.xml] in the attachment
    Kind Regards
    Lenny Madden
    GLAXOSMITHKLINE


4 March 2015 : Rem_5892GV.xml  Current Virus total detections: 0/56* | 0/56**
So far I have only seen 2 versions of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 or even more different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1425470968/

** https://www.virustot...sis/1425471785/

- http://blog.dynamoo....ystery-xml.html
4 Mar 2015
"... recommend blocking them:
62.76.176.203
46.30.42.171
74.208.68.243
37.139.47.111
"
___

Fake 'UPS Tracking' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
4 Mar 2015 - "'UPS Ship Notification, Tracking Number 1Z06E18A6840121864' pretending to come from UPS <no-replay@ upsi .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...A6840121864.png

04 March 2015: Details.zip: Extracts to: Details.exe
Current Virus total detections: 12/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425482799/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
190.111.9.129: https://www.virustot...29/information/
108.174.149.222: https://www.virustot...22/information/
190.111.9.129: https://www.virustot...29/information/
UDP communications
212.79.111.155: https://www.virustot...55/information/
212.79.111.156: https://www.virustot...56/information/
___

Fake 'invoice' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
4 Mar 2015 - "'RMPD#7989 – invoices' pretending to come from Rothn-Ron <ron@ bellsouth .net> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...89-invoices.png

04 March 2015: RMPD#7989 INVOICES.zip: Extracts to: RMPD#7989 INVOICES.exe
Current Virus total detections: 9/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1425486885/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
190.111.9.129: https://www.virustot...29/information/
108.174.149.222: https://www.virustot...22/information/
190.111.9.129: https://www.virustot...29/information/
UDP communications
217.10.68.152: https://www.virustot...52/information/
217.116.122.136: https://www.virustot...36/information/
___

Many common sites might be temporarily offline
- http://myonlinesecur...rarily-offline/
4 Mar 2015 - "... Amazon and Rackspace have both announced that they will need to -reboot- some of their servers to address the issue before March 10, when the Xen Project plans to disclose the latest bugs*. Details of the vulns are being withheld for now, to give the cloud vendors time to patch. In a FAQ** about the upcoming maintenance, Amazon Web Services said that only some of its earliest Elastic Compute Cloud (EC2) customers should be affected."
* http://xenbits.xen.org/xsa/

** https://aws.amazon.c...enance-2015-03/

- http://blog.trendmic...ker-encryption/
Mar 4, 2015 - "... We advise Android users to refrain from using the default Android browser in their devices. They can instead use the Google Chrome app as it is not affected by the bug. Furthermore, connections to the Google search site are not affected. According to Deep Security Labs Director Pawan Kinger, FREAK is a serious and very real vulnerability which may require some level of sophistication to exploit. However, its sophistication won’t dissuade determined attackers. Carrying out a FREAK exploit requires attackers to be able to first create a man-in-the-middle (MITM) attack against the servers. It would also require the ability to control an SSL session between client and server and then force that session to downgrade to the lower encryption level. Then, the attacker would have to take the weakly encrypted traffic and perform a brute force attack against it that would take several hours, as opposed to days or weeks with higher encryption... Administrators can also check if their site is vulnerable by using the SSL Labs’ SSL Server Test*..."
* https://www.ssllabs.com/ssltest/

- http://www.bloomberg...eak-attack-hole
Mar 4, 2015 - Video 2:40


Edited by AplusWebMaster, Yesterday, 07:54 PM.

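A worked check of the kind of blocklist the quoted Dynamoo posts recommend (the Dennys invoice post of 27 February and the Document1 post of 4 March above), written as an added example and not code from either blog or this thread: it normalises the list, shows that the 92.63.87.13 address the analyses report is covered by the 92.63.84.0/22 range rather than by a host entry, lists the observed IPs the author left out as shared hosting, and runs the list over firewall log lines constructed for the example.

```python
"""Worked check of a 'recommended blocklist' against observed C2 addresses.

Blocklist entries and observed IPs are the ones quoted from the Dynamoo
post of 27 Feb 2015 (Dennys invoice); the firewall log lines below are
constructed for this example and are not from the page.
"""
import ipaddress
import re

# Blocklist exactly as recommended in the quoted post
RECOMMENDED_BLOCKLIST = [
    "92.63.82.0/23", "92.63.84.0/22", "92.63.88.0/24",
    "198.52.200.15", "78.140.164.160", "59.97.137.171", "104.232.32.119",
]

# IPs the same post reports the sample contacting (Malwr / VirusTotal)
OBSERVED_C2 = [
    "198.52.200.15", "95.211.144.65", "195.114.0.64", "92.63.87.13",
    "78.140.164.160", "59.97.137.171", "104.232.32.119",
]


def parse_blocklist(entries):
    """Turn bare hosts and CIDR prefixes into ip_network objects.

    A bare host becomes a /32. strict=False tolerates a prefix whose host
    bits are set; a malformed entry still raises ValueError, which is the
    right outcome for a list you are about to push into a firewall.
    """
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]


def covering_entry(ip, networks):
    """Return the blocklist entry (as a string) that covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def uncovered(observed, networks):
    """Observed addresses that the blocklist does NOT cover.

    The post deliberately leaves shared-hosting IPs out; this makes that
    gap explicit so it can be handled another way (URL filtering, alerting).
    """
    return [ip for ip in observed if covering_entry(ip, networks) is None]


LOG_RE = re.compile(r"\bdst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_log(lines, networks):
    """Return (line_no, dst, entry) for log lines whose destination is blocklisted."""
    hits = []
    for no, line in enumerate(lines, start=1):
        m = LOG_RE.search(line)
        if not m:
            continue  # line carries no destination field
        entry = covering_entry(m["dst"], networks)
        if entry is not None:
            hits.append((no, m["dst"], entry))
    return hits


# Constructed firewall log lines (not from the page)
SAMPLE_LOG = [
    "2015-02-27T09:20:01 ACCEPT src=10.0.0.23 dst=92.63.87.13 dport=80",
    "2015-02-27T09:20:02 ACCEPT src=10.0.0.23 dst=95.211.144.65 dport=80",
    "2015-02-27T09:20:03 ACCEPT src=10.0.0.23 dst=92.63.90.1 dport=80",
    "2015-02-27T09:20:04 ACCEPT src=10.0.0.23 dst=104.232.32.119 dport=443",
]

if __name__ == "__main__":
    nets = parse_blocklist(RECOMMENDED_BLOCKLIST)
    print("92.63.87.13 covered by:", covering_entry("92.63.87.13", nets))
    print("observed but not covered:", uncovered(OBSERVED_C2, nets))
    for hit in scan_log(SAMPLE_LOG, nets):
        print("would have been blocked:", hit)
```

Note that 92.63.90.1 in the sample log is not caught: the three 92.63.x ranges stop at 92.63.88.255, so an address outside them needs its own entry.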
