SPAM frauds, fakes, and other MALWARE deliveries...

#51 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 06 January 2009 - 09:34 AM

FYI...

HMRC phishing email and website
- http://securitylabs....lerts/3276.aspx
01.06.2009 - "Websense... has discovered a phishing site emulating the Web site belonging to HM Revenue & Customs (HMRC), the UK government's taxation authority. The fake site is hosted in Denmark and uses the same stylesheet and graphics as the real HMRC Web site. Recipients first receive an email advising them that they are due a tax refund. This email contains a link to the phishing Web site. The phishing site aims to collect personal information such as name, address, and credit card information. Upon submitting the data, the user is redirected to the real HMRC site. The sending of the email is very timely with certain HMRC deadlines for online applications of tax returns imminent (31st January 2009). Websense has advised HMRC of this threat..."

(Screenshot of the phishing email available at the Websense URL above.)

:blush:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#52 AplusWebMaster

Posted 06 January 2009 - 10:03 AM

FYI...

- http://blog.trendmic...icious-content/
Jan. 5, 2009 - "The LinkedIn professional networking site connects more than 30 million users from across many different industries. The advantages of maintaining a list of trusted business contacts for career planning purposes are not lost on LinkedIn’s users. The fostering of business relationships is further enhanced by features such as LinkedIn Answers and access from mobile devices... found some bogus LinkedIn profiles which contain links to malware, using the names and images of famous personalities such as:
* Beyoncé Knowles
* Victoria Beckham
* Christina Ricci
* Kirsten Dunst
* Salma Hayek
* Kate Hudson
... and several others. Malicious links contained in these bogus profiles lead browsers through a series of redirections, but ultimately to malware. Note that there are several routes this infection path may take..."

(Screenshot available at the URL above.)

:blush:

#53 AplusWebMaster

Posted 07 January 2009 - 05:53 AM

FYI...

MLB.com pushing malware
- http://sunbeltblog.b...ng-malware.html
January 06, 2009 - "... stay away from this site until they get it cleaned up. We are seeing various mlb sites redirecting to fake antivirus scan. These are almost certainly being done by malicious flash advertisements. Not the first time* it's happened (courtesy of Innovative Marketing**)."
(Screenshot available at the URL above.)

* http://www.security-...ic.php?p=272589

** http://sunbeltblog.b...-continues.html

- http://www.theregist...aseball_threat/
8 January 2009 - "... Update: MLB spokesman Matthew Gould said the tainted ads were the result of an individual who claimed to sell ads through a company the website has done business with before. After the scam came to light, MLB officials discovered this individual had no affiliation with the company, which Gould declined to name because he says MLB is pursuing legal action. Gould said MLB officials believe the ads were taken down on Monday, less than 24 hours after going live. "As soon as we were made aware of the problem we removed the ad in all instances across our network," he said..." (Pop-up image for "Antivirus2009" shown at the URL above.)


:blush:

Edited by apluswebmaster, 09 January 2009 - 07:45 AM.

#54 AplusWebMaster

Posted 09 January 2009 - 08:00 AM

FYI...

- http://www.shadowser...lendar.20090109
9 January 2009 - "...we have a bunch of new and interesting information on the trojan, much of which has come from a number of security researchers out there. However, we are just going to touch on the last item and give you an updated list of domains associated with Waledac. You are bound to see all kinds of great research and interesting findings from others on this soon. In the meantime, please use this information to protect your networks and proactively (and retroactively) block these hosts. The following is a list of domains known to be associated with Waledac. Most of these domains have been seen in the wild and may be posted elsewhere. However, we want to provide our research that we have collected ourselves in a central spot for anyone to see and share. Please DO NOT visit these domains as they are distributing malware both through the files they are peddling and via exploits.
Waledac Domain Listing (several new ones since our 12-31 post):
bestchristmascard .com
bestmirabella .com
bestyearcard .com
blackchristmascard .com
cardnewyear .com
cheapdecember .com
christmaslightsnow .com
decemberchristmas .com
directchristmasgift .com
eternalgreetingcard .com
freechristmassite .com
freechristmasworld .com
freedecember .com
funnychristmasguide .com
greatmirabellasite .com
greetingcardcalendar .com
greetingcardgarb .com
greetingguide .com
greetingsupersite .com
holidayxmas .com
itsfatherchristmas .com
justchristmasgift .com
lifegreetingcard .com
livechristmascard .com
livechristmasgift .com
mirabellaclub .com
mirabellamotors .com
mirabellanews .com
mirabellaonline .com
newlifeyearsite .com
newmediayearguide .com
newyearcardcompany .com
newyearcardfree .com
newyearcardonline .com
newyearcardservice .com
smartcardgreeting .com
superchristmasday .com
superchristmaslights .com
superyearcard .com
themirabelladirect .com
themirabellaguide .com
themirabellahome .com
topgreetingsite .com
whitewhitechristmas .com
worldgreetingcard .com
yourchristmaslights .com
yourdecember .com
yourmirabelladirect .com
yourregards .com
youryearcard .com

Related Exploit Domains (no new ones listed):
seocom .name
seocom .mobi
seofon .net
Please feel free to distribute the above list as you see fit..."

:ph34r: :ph34r:
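
Added example (not part of the post or of the Shadowserver advisory): the list above is published "defanged", with a space before the TLD so that the names are not clickable. A defender who wants to act on it needs to turn that text back into real domain names, then match URLs seen in mail or proxy logs against the list, treating subdomains of a listed name as blocked too. The script below does both and also renders the list as hosts-file sinkhole lines, one of several ways to "block these hosts". The list excerpt and the message body are constructed for the example.

```python
"""Parse a defanged domain block list and match URLs against it."""
import re
from urllib.parse import urlsplit

# Constructed excerpt, in the same "name .tld" defanged format as the advisory.
RAW_LIST = """\
Waledac Domain Listing (several new ones since our 12-31 post):
bestchristmascard .com
cardnewyear .com
mirabellaclub .com

Related Exploit Domains (no new ones listed):
seocom .name
seofon .net
Please feel free to distribute the above list as you see fit...
"""

# One domain per line; the final dot may be surrounded by whitespace or written "[.]".
DEFANGED_LINE = re.compile(
    r"^([a-z0-9-]+(?:\.[a-z0-9-]+)*)\s*(?:\[\.\]|\.)\s*([a-z]{2,})$"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def parse_defanged_list(text):
    """Return the set of normalised (re-fanged, lower-case) domains in the text."""
    domains = set()
    for line in text.splitlines():
        m = DEFANGED_LINE.match(line.strip().lower())
        if m:
            domains.add(f"{m.group(1)}.{m.group(2)}")
    return domains


def blocked_parent(hostname, blocked):
    """Return the list entry covering hostname (itself or any parent domain), else None."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def scan_message(body, blocked):
    """Return sorted (hostname, matching entry) pairs for URLs in body that hit the list."""
    hits = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            entry = blocked_parent(host, blocked)
            if entry:
                hits.add((host, entry))
    return sorted(hits)


def hosts_file_lines(blocked):
    """Render the list as sinkhole entries suitable for a hosts file or RPZ feed."""
    return [f"0.0.0.0 {d}" for d in sorted(blocked)]


# Constructed message body resembling the e-card lure described in the thread.
SAMPLE_MESSAGE = """\
Subject: Your New Year card is waiting
Open it at http://www.cardnewyear.com/card.php?id=1234 - or view our
holiday offers at http://example.com/offers and http://seofon.net/x
"""

if __name__ == "__main__":
    blocked = parse_defanged_list(RAW_LIST)
    for host, entry in scan_message(SAMPLE_MESSAGE, blocked):
        print(f"BLOCKED {host} (matches {entry})")
    print("\n".join(hosts_file_lines(blocked)))
```

Matching on parent domains matters because the lure URLs usually carry a `www.` or other subdomain that is not itself in the list.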

#55 AplusWebMaster

Posted 09 January 2009 - 12:49 PM

FYI...

- http://www.us-cert.g..._email_messages
January 9, 2009 - "US-CERT is aware of public reports of malicious code circulating via spam email messages related to the Israel/Hamas conflict in Gaza. These messages may contain factual information about the conflict and appear to come from CNN. Additionally, the messages indicate that additional news coverage of the conflict can be viewed by following a link provided in the email body. If users click on this link, they are redirected to a bogus CNN website that appears to contain a video. Users who attempt to view this video will be prompted to update to a new version of Adobe Flash Player in order to view the video. This update is -not- a legitimate Adobe Flash Player update; it is malicious code. If users download this executable file, malicious code may be installed on their systems..."

- http://www.rsa.com/b...ry.aspx?id=1416
(Screenshot at the RSA URL above.)

:ph34r: :hmmm:

Edited by apluswebmaster, 09 January 2009 - 04:34 PM.

#56 AplusWebMaster

Posted 12 January 2009 - 09:14 AM

FYI...

Yandex used in SPAM redirects
- http://sunbeltblog.b...-redirects.html
January 11, 2009 - "We’re seeing a fair number of pages on Narod (a free web hosting service from Yandex, the Russian search engine). These are used both for redirects to malware and for redirects in spam... Administrators would be well advised to simply block any email or web traffic with narod .ru."

:ph34r:

#57 AplusWebMaster

Posted 14 January 2009 - 03:46 PM

FYI...

Malware directed at Classmates Online...
- http://securitylabs....Blogs/3279.aspx
01.14.2009 - "Websense... noticed that a campaign against Classmates Online, Inc had broken out. We observed that thousands of URLs were registered in one day to spread the worm. The newly-registered URLs were unusually long, had several subdomains, and always contained some specific words such as process, multipart and so on... The new campaign was spread by email. The malicious email contained a link to a video invitation to reunite high school classmates and celebrate Classmates Day 2009. When the email recipient viewed the invitation, they downloaded a worm named Adobe_Player10.exe. This could fool a user into thinking they needed the latest version of the Adobe Player, prompting them to run the executable... the main purpose of this worm was to steal user information and send it to a server located in the Ukraine. The address of the server was hardcoded in the worm. The worm did a lot of work, including dropping a driver file to hide itself, injecting itself into every process, downloads and so on. It collected several kinds of information, including details about POP3, IMAP, ICQ, FTP, and certification from the user's MY certificate store, which is used to store trusted sites and personal certificates... The worm injected itself in every process. The injected code would enum a module of the process, and then hook some APIs into the module..."

(Screenshots available at the Websense URL above.)

:ph34r: :hmmm: :grrr:

#58 AplusWebMaster

Posted 15 January 2009 - 11:14 AM

FYI...

Spam, Phishing, and Malware related to Presidential Inauguration
- http://www.us-cert.g...malware_related
January 15, 2009 - "US-CERT has received reports of an increased number of phishing sites and spam related to the upcoming Presidential Inauguration. US-CERT reminds users that phishing and spamming campaigns often coincide with highly publicized events...
US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
• Install antivirus software, and keep the virus signatures up to date.
• Do not follow unsolicited links and do not open unsolicited email messages.
• Use caution when visiting untrusted websites..."

- http://blog.trendmic...s-sites-abound/
Jan 18, 2009

- http://www.f-secure....s/00001585.html
January 17, 2009 - "...All the links point to a file called speech.exe, which is a Waledec malware variant..."

- http://blog.trendmic...guration-scams/
January 16, 2009

:ph34r: :grrr: :ph34r:

Edited by apluswebmaster, 19 January 2009 - 07:29 AM.

#59 AplusWebMaster

Posted 19 January 2009 - 08:03 AM

FYI...

3322 .org
- http://isc.sans.org/...ml?storyid=5710
Last Updated: 2009-01-19 12:01:36 UTC - "...adding the 3322-dot-org domain to your block list would be a good idea. As you can tell from this diary* that we published in 2007, it is by far not the first time that this domain shows up on our malware radar ..."
* http://isc.sans.org/...ml?storyid=3266

:!: :ph34r: :grrr:

#60 AplusWebMaster

Posted 19 January 2009 - 02:54 PM

FYI...

More Prez SPAM
...
- http://www.theregist...ware_spam_scam/
19 January 2009

- http://preview.tinyurl.com/79ay3a
17 January 09 (PandaLabs blog) - "Today we discovered a botnet controlled, fast-flux operated malware campaign impersonating the United States President-elect Barack Obama’s website. The fake website looks just like the real thing and attempts to bait viewers into clicking a story entitled, “Barack Obama has refused to be a president”. When the user clicks on the link, the malware (W32\Iksmas.A.worm) begins to download all of the necessary files needed to host the fake site on the victim's computer... The attack appears to have originated from China as the domains were purchased from a Chinese domain registrar called XINNET TECHNOLOGY CORPORATION. Xinnet has a history of abuse problems and we have contacted them to remove the domain names... The file names of the malware are:
• doc.exe, statement.exe, obamaspeech.exe, blog.exe, barack.exe, usa.exe, baracknews.exe, pdf.exe, news.exe, obamasblog.exe, barakblog.exe, statement.exe, president.exe, obamanews.exe ..."

:ph34r: :grrr: :ph34r:

#61 AplusWebMaster

Posted 20 January 2009 - 12:27 PM

FYI...

Inauguration Themed Waledac - New Tactics & New Domains
- http://www.shadowser...lendar.20090119
January 19, 2009 - "...the Inauguration of Barack Obama and the Waledac trojan has been in full swing attempting to take advantage of the event. Since late last week the trojan has been blasting its way across the Internet with e-mails attempting to bring unwitting users to a page that looks a lot like the official Barack Obama website. The page is updated each day to appear to have a new blog entry... As always do NOT visit these domains as they are malicious and hosting exploit code... Click here* for a full listing of Waledac domains that we are aware of - this link will be updated as we get them. Your best bet is to block these domains or otherwise avoid them..."
* http://www.shadowser...dac_domains.txt

:ph34r: :techsupport:

Edited by apluswebmaster, 20 January 2009 - 12:43 PM.

#62 AplusWebMaster

Posted 21 January 2009 - 06:27 AM

FYI...

Phishing Alert - Canada Revenue Agency
- http://securitylabs....lerts/3282.aspx
01.20.2009 - "Websense... has discovered phishing sites spoofing the Web site belonging to Canada Revenue Agency (CRA), the Canadian government's taxation authority. The fake site is hosted in Germany and uses the same stylesheet and graphics as the real CRA Web site. The phishing site aims to collect personal information such as the victim's social insurance number, full name, address, date of birth, mother's maiden name, and credit card information. Upon submitting the data, the user is redirected to the real CRA site. This campaign is timed to coincide with the upcoming CRA deadline for online tax return applications..."

:ph34r: :grrr:

#63 AplusWebMaster

Posted 23 January 2009 - 05:46 AM

FYI...

United Airlines - e-mail scam malware attack
- http://www.sophos.co...malware-attack/
January 19, 2009 - "Last week... spammers were sending out emails posing as messages from Northwest Airlines*. The attached file was not an electronic airline ticket of course, but a Trojan horse designed to infect your computer. As anticipated, the hackers have made a simple switch - changing the bait from a Northwest Airlines email to one claiming to come from United Airlines, and spoofing the email address tickets@united .com ... As before, opening the ZIP file is a very bad idea. Although it's understandable that you might panic into thinking that your credit card has been debited without your permission, for a flight you don't want or need, you should be cynical enough to smell this for what it is - a dirty rotten scam designed to infect your personal computer."
* http://www.sophos.co...malware-attack/

(Screenshots available at both URLs above.)

Video: http://www.sophos.co...alware-campaign

:ph34r: :grrr:

#64 AplusWebMaster

Posted 26 January 2009 - 02:04 PM

FYI...

Valentine SPAM already!...
- http://blog.trendmic...es-to-spam-you/
Jan. 26, 2009 - "Holidays and popular annual events as a social engineering tool in spamming is a signature Storm technique. The following spammed email message should then cement WALEDAC's association with the said bot giant...
Spammed Valentine's greetings.
These messages flood inboxes weeks before Valentine's day, also typical of previous Storm spam runs. Clicking on the link redirects a user to a site with heart images. When this page is clicked, the user is prompted to download a file, malicious of course, detected by Trend Micro as WORM_WALEDAC.AR... Beside the social engineering techniques used in email, following are the similar methods applied by this worm family:
• Fast-flux networks and several different name servers used per domain
• File names ecard.exe and postcard.exe
• In some instances, the installation of rogue antispyware ..."

(Screenshots available at the URL above.)

:ph34r: :grrr:

#65 AplusWebMaster

Posted 28 January 2009 - 10:01 AM

FYI...

Fed Reserve Bank phish-about-phish
- http://www.hoax-slay...am-emails.shtml
28 January 2009 - "Email purporting to be from the Federal Reserve Bank claims that U.S. Treasury Department has imposed restrictions on federal wire transfers due to a widespread phishing attack... Email is -not- from the Reserve Bank - Links lead to bogus websites... The FDIC published an alert* about the scam..."
* http://www.fdic.gov/...09/sa09020.html
FDIC: SA-20-2009 January 15, 2009

:ph34r: :hmmm:

#66 AplusWebMaster

Posted 04 February 2009 - 01:01 PM

FYI...

Work-At-Home Scams...
- http://www.ic3.gov/m...009/090203.aspx
February 3, 2009 - "Consumers need to be vigilant when seeking employment on-line. The IC3 continues to receive numerous complaints from individuals who have fallen victim to work-at-home scams. Victims are often hired to "process payments", "transfer funds" or "reship products." These job scams involve the victims receiving and cashing fraudulent checks, transferring illegally obtained funds for the criminals, or receiving stolen merchandise and shipping it to the criminals. Other victims sign up to be a "mystery shopper", receiving fraudulent checks with instructions to cash the checks and wire the funds to "test" a company's services.
Victims are told they will be compensated with a portion of the merchandise or funds. Work-at-home schemes attract otherwise innocent individuals, causing them to become part of criminal schemes without realizing they are engaging in illegal behavior. Job scams often provide criminals the opportunity to commit identity theft when victims provide their personal information, sometimes even bank account information to their potential "employer." The criminal/employer can then use the victim's information to open credit cards, post on-line auctions, register Web sites, etc., in the victim's name to commit additional crimes..."

- http://www.fbi.gov/p...scams020309.htm
February 4, 2009

:techsupport:

Edited by apluswebmaster, 14 February 2009 - 12:43 PM.

#67 AplusWebMaster

Posted 07 February 2009 - 06:09 PM

FYI...

4chan.org Malware .gif files...
- http://isc.sans.org/...ml?storyid=5821
Last Updated: 2009-02-07 21:51:03 UTC - "A Storm Center subscriber has just submitted malware embedded in .gif image files, downloaded from the image site 4chan.org. For the sake of expediency, and because this person did such a good write up, here is the analysis provided:

"The *.gif files were found (on) the "random" board of the image board site 4chan. The files contain a large picture with instructions to save the file with a .jse extension and run it. The *.out files are the result of applying scrdec to the gifs to reveal the encoded script. It appears to:
1) copy itself somewhere as 'sys.jse'
2) add itself to a Run key in the registry
3) a) fetch the index to 4chan's /b forum
b) download the first image
c) save it as 'j.jse'
d) attempt to run 'j.jse'
4) construct a POST request containing the image as payload
5) upload itself as a new post on 4chan
6) point an instance of IE at site it came from
(3)-(6) are in an infinite loop."

To the subscriber who did the legwork on this one, my thanx for the excellent work... will provide more data as it develops."

:ph34r: :hmmm: :grrr:

Edited by apluswebmaster, 07 February 2009 - 06:18 PM.
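
Added example (not from the ISC diary or its subscriber's analysis): the write-up above describes image files that carry an encoded script which only runs once the user renames the file to `.jse`. One cheap, format-aware check a mail gateway or upload scanner can run on such files is to walk the GIF block structure to its trailer byte (0x3B) and report how many bytes follow it; a well-formed image has none. Whether the 4chan files carried the script after the trailer is an assumption for this example (the diary does not say where in the file it sat), so treat this as one heuristic among several, not a signature for that campaign. The image bytes and the appended payload are constructed.

```python
"""Report bytes that follow a GIF's trailer, a common sign of a smuggled payload."""
import struct


def _skip_sub_blocks(data, pos):
    """Advance past a chain of GIF data sub-blocks (length byte + payload; 0 ends it)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_trailing_bytes(data):
    """Return the number of bytes after the GIF trailer (0 for a clean file)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    if len(data) < 13:
        raise ValueError("truncated header")
    packed = data[10]                     # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                     # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while True:
        if pos >= len(data):
            raise ValueError("no trailer found")
        block = data[pos]
        pos += 1
        if block == 0x3B:                 # trailer: image ends here
            return len(data) - pos
        if block == 0x21:                 # extension: label byte, then sub-blocks
            pos += 1
            pos = _skip_sub_blocks(data, pos)
        elif block == 0x2C:               # image descriptor: 9 bytes + optional local table
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos += 1                      # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos - 1}")


def has_appended_data(data):
    """True when the file keeps going after the GIF trailer."""
    return gif_trailing_bytes(data) > 0


# Constructed 1x1 GIF: header, screen descriptor, 2-entry colour table, one image.
CLEAN_GIF = (
    b"GIF89a"
    + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    + bytes([0, 0, 0, 255, 255, 255])
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    + b"\x02"                # LZW minimum code size
    + b"\x02\x44\x01\x00"    # one 2-byte data sub-block, then terminator
    + b"\x3b"                # trailer
)

# Constructed placeholder standing in for appended script data (not a real script).
PAYLOAD = b"-- constructed placeholder for appended script data --"
SMUGGLED_GIF = CLEAN_GIF + PAYLOAD

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_GIF), ("smuggled", SMUGGLED_GIF)):
        print(f"{label}: {gif_trailing_bytes(blob)} trailing bytes")
```

Some image tools also leave harmless bytes after the trailer, so a non-zero result should raise the file's score or send it for a second look rather than block it outright.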

#68 AplusWebMaster

Posted 09 February 2009 - 04:28 PM

FYI...

Waledac new variant - Valentine's Day Theme
- http://securitylabs....lerts/3299.aspx
02.09.2009 - "... new spammed variant continues to use the Valentines theme. Once a user opens the URL in the spammed message, he is redirected to a site with 2 puppies and a love heart to give a Valentines theme. The user is then enticed to download a Valentines kit to prepare a present for a loved one, which is a new Waledac variant. This variant has a very low AV detection rate..."
- http://www.trustedso...am-on-the-Loose
(Screenshot of spammed email available at both URLs above.)

Waledac Domain (Block) List - Updated 02-10-2009 - 4:21 UTC
- http://www.shadowser...dac_domains.txt

- https://forums.syman.../article-id/239
02-09-2009 - "Up until recently, Waledac’s main purpose had been to peddle performance-enhancing pharmaceuticals by sending large runs of unsolicited mail to thousands of unwilling recipients. Today we noticed a shift in this trend. In addition to sending large volumes of spam, Waledac is now distributing misleading applications. In our testing we noticed that the misleading application that is installed this time around is MS AntiSpyware 2009..."

:ph34r: :grrr:

Edited by apluswebmaster, 11 February 2009 - 08:06 AM.

#69 AplusWebMaster

Posted 12 February 2009 - 06:11 PM

FYI...

Skype Valentine SPAM lure
- http://securitylabs....lerts/3305.aspx
02.12.2009 - "Websense... has spotted an emerging malicious spam lure, masquerading as a message from Skype. The spammed message uses Skype's logos and themes, posing as a Valentine promotion. With two days to go before Valentine's day, the fake promotion entices the user into sending a free Valentine video message to a loved one. The proposed video link in the message leads to a malicious compressed archive file named valentine.exe... Earlier today we noticed that the same group were sending out spoofed-Hallmark e-greetings and now they have recently switched to this spoofed-Skype video card campaign..."

(Screenshots of a spammed email available at the URL above.)

:ph34r: :grrr:

#70 AplusWebMaster

Posted 14 February 2009 - 07:27 AM

FYI...

WALEDAC Valentine SPAM variants on the rise...
- http://blog.trendmic...e-malware-love/
Feb. 13, 2009 - "... A recently reported case of malware-related SPAM contains a short Valentine's message — and with an embedded URL that leads to malicious content... The malicious file is actually a WALEDAC variant detected... WALEDAC variants* have been previously served through e-card spam..."
(Screenshots available at the URL above.)

Search Results for 'WALEDAC' - MALWARE and GRAYWARE List
* http://preview.tinyurl.com/akubv6
...42 records match your query

Waledac Tracker Summary Data
- http://www.sudosecur...ledac/index.php
2009-02-14

:ph34r: :grrr:

Edited by apluswebmaster, 14 February 2009 - 08:18 AM.

#71 AplusWebMaster

Posted 17 February 2009 - 08:57 PM

FYI...

Re-resurgence of .cn URL SPAM
- https://forums.syman.../article-id/148
02-17-2009 - "As discussed in the Symantec State of Spam Report* for February, URLs with the “.cn” country code top level domain (ccTLD) have become a popular ingredient in spam messages. A top-level domain (TLD) is the part of a domain name that follows the final dot of any domain name. A ccTLD is a top-level domain generally reserved or used by a country or a dependent territory. According to the February report, URLs with .cn ccTLDs accounted for approximately 32% of all URLs seen during that period. However, we saw a noticeable decrease in this particular technique starting around the end of January with levels dropping down to 7%. On February 12, we once again observed a revival approaching similar levels as was seen in January—these levels are currently sitting around 29%. The URLs are applied to various kinds of spam attacks, but one of the more popular versions uses legitimate messages such as newsletters and replaces the existing URLs with .cn URLs to peddle spam products..."
* http://www.symantec....d=state_of_spam
___

SPAM Attacks on Job Seekers
- https://forums.syman.../article-id/147
02-17-2009 - "With the worsening economic situation, unemployment figures have risen worldwide. This has led millions of people to search for jobs, using whatever resources they can find. One of the most common is online job search sites. Email alerts from recruitment agencies are anxiously viewed for future job prospects and hopes dashed when rejection letters are received. Malicious code writers are making use of this opportunity to distribute their malware. Symantec has recently observed emails with malicious attachments, informing the recipient of a job rejection and including an attached copy of their purported application. These emails pose as though they have been sent from a genuine recruitment agency... The attached zip file “copy of your CV.zip” contains an executable file, detected as Hacktool.Spammer by Symantec Antivirus. Hacktool.Spammer is a program that hackers use to attack mail boxes by flooding them with email. It can be programmed to send many email messages to specific addresses. It will be difficult to ignore emails from job agencies, but we can definitely be cautious of file types, particularly executables (.exe). -Any- email with this type of application extension should be considered suspicious, particularly if it's coming from an unknown sender. We have also seen job offer attacks with an intention of harvesting email addresses. If the recipient clicks on any of the links found in the message, the spammer gets a confirmation that the email address is a live account. This account can then be targeted in a spam campaign at a later date. Clicking an "unsubscribe" link also yields the same results, because in the action of unsubscribing you are confirming the account is a live address..."

:techsupport:
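
Added example (not Symantec's or the poster's code): the job-rejection lure above hides an executable inside a ZIP named to look like a CV, and several earlier posts in this thread (Adobe_Player10.exe, valentine.exe, ecard.exe) rely on the same trick of a program posing as a document. The attachment check below opens a ZIP in memory and flags members on three signals: an executable extension, a document extension followed by an executable one ("CV.doc.exe"), and the "MZ" header of a Windows executable regardless of what the name claims. The archive and its contents are constructed; no real program is embedded.

```python
"""Flag executable content inside a ZIP attachment without extracting it to disk."""
import io
import os
import zipfile

EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".vbe", ".wsf", ".hta", ".msi"}
DOCUMENT_EXT = {".doc", ".docx", ".pdf", ".rtf", ".txt", ".jpg", ".png"}


def build_sample_attachment():
    """Constructed stand-in for an attachment like 'copy of your CV.zip'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # "MZ" is the DOS/PE header marker; the rest is filler, not a program.
        z.writestr("copy of your CV.doc.exe", b"MZ\x90\x00 constructed filler, not a real program")
        z.writestr("photo.jpg", b"MZ\x90\x00 renamed executable, constructed filler")
        z.writestr("readme.txt", b"plain text member")
    return buf.getvalue()


def risky_members(zip_bytes):
    """Return [(member name, [reasons])] for members that look executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            lowered = info.filename.lower()
            base, ext = os.path.splitext(lowered)
            reasons = []
            if ext in EXECUTABLE_EXT:
                reasons.append("executable extension")
                if os.path.splitext(base)[1] in DOCUMENT_EXT:
                    reasons.append("double extension")
            with z.open(info) as member:
                magic = member.read(2)        # read only the header, never the whole file
            if magic == b"MZ":
                reasons.append("PE header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in risky_members(build_sample_attachment()):
        print(f"{name}: {', '.join(reasons)}")
```

Reading only the first two bytes of each member keeps the check cheap and avoids inflating a deliberately oversized archive; a gateway policy would typically quarantine on any "PE header" hit and on executable extensions from unknown senders.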

#72 AplusWebMaster

Posted 19 February 2009 - 10:53 AM

FYI...

Anti-virus-1 new rogue anti-spyware...
- http://www.bleepingc...virus-1-removal
February 18, 2009 - "Anti-virus-1 is a new rogue anti-spyware program from the same family as Antivirus 2010 and Antivirus 360. This program is promoted primarily through two methods. The first is through the use of advertisements that pretend to be online anti-malware scanners. These advertisements go through what appears to be a scan of your machine and then when finished, state that your computer is infected and that you should download Anti-virus-1 to protect yourself. Remember, though, that this is just an advertisement and it has no way of knowing what is running on your computer. The second method that is used to promote this rogue is through the use of Trojans. When certain Trojans are installed on your computer they will display security alerts stating that your computer is infected or that you have some other security risk. When you click on these alerts, it will download and install Anti-virus-1 onto your computer... When Anti-virus-1 is installed it will configure itself to start automatically when Windows starts. It will also modify your C:\Windows\System32\drivers\etc\hosts file so that when you visit certain sites you will be go to a site under the malware developer's control rather than the legitimate site you were expecting to go to. This allows them to show you information that further promotes the Anti-virus-1 program. When the program is started it will automatically scan your computer and then display a list of infections that cannot be removed unless you first purchase the program... Tools Needed for this fix: Malwarebytes' Anti-Malware* ..."
* http://download.blee.../mbam-setup.exe

(Screenshots and more detail available at the first URL listed above.)


#73 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 23 February 2009 - 03:16 PM

FYI...

eBay Auction Tool Web Site Infected With Malware
- http://preview.tinyurl.com/d6a9xm
Feb. 23, 2009 PC World - "A Trojan horse lurking on servers belonging to Auctiva.com, a Web site offering eBay auction tools, infected people's PCs last week. The problem became very public when Google's malware warning system kicked in as people tried to browse the site, saying Auctiva was infected with malware. Google will display an interstitial page warning people of certain Web sites known to contain malware. "It appears the reason these virus alert warnings started showing up on our site is because some of our machines were injected with malware originating in China," according to a post on Auctiva's community forum... It appears that the malware targeted Microsoft's Internet Explorer browser... "Found eight Trojans on my system that seemed to have snuck through my on-access protection, or maybe because, like a fool, I clicked 'ignore the warning' to get to Auctiva's front page," wrote one user on Auctiva's forum. If Google displays a warning about a dangerous Web site, it still gives people the option of browsing to the site. Auctiva said it was working with Google to ensure the warning is not displayed now that it has cleaned up its servers. However, people who browsed Auctiva between Thursday and Saturday afternoon until 2 p.m. Pacific time should ensure their machines are not infected..."


#74 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 24 February 2009 - 04:31 PM

FYI...

eWeek Hacked with drive-by download - Anti-Virus-1...
- http://securitylabs....lerts/3310.aspx
02.24.2009 - "Websense... has discovered that the eWeek.com Web site is serving malicious advertisements (malvertisements) to visitors...
Update 2/24/09 - eWeek has informed us that the problem has been rectified. We have verified that the Web site is now safe. eWeek.com is the online version of the popular business computing magazine. When users browse to the home page of eWeek, a malvertisement hosted on the DoubleClick advertisement network performs a redirect to a malicious Web site through a series of iframes. This causes a redirect to one of two files on hxxp ://[removed]inside .com/ - Either a pdf document containing exploit code is served, or index.php redirects to the rogue ad-server. With no user interaction, a file named "winratit.exe" (MD5: A12DA1D62B7335CBE6D6EA270247BBC1) is installed in the user's temporary files folder. Two additional files are dropped onto the user's machine and are bound to startup. The host file is also modified so that if the user tries to browse to popular software download sites to remedy the infected machine, s/he is instead directed to a malicious Web site offering further rogue AV downloads. The name of the rogue AV application is Anti-Virus-1. If the user chooses to register the rogue AV, a connection is made to hxxp ://[removed]-site .info/ which has been setup to collect payment details..."

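Both the Anti-virus-1 write-up (post #72) and the eWeek malvertisement report (post #74) describe the same post-infection trick: the rogue rewrites the hosts file so that attempts to reach clean-up and vendor sites land on an attacker-controlled server. The script below is an added example, not code from BleepingComputer, Websense or this forum, that audits a hosts file for that pattern. The watch-list of domains is an assumption chosen for illustration, and the sample hosts file is constructed inline; point `find_hijacks` at the real file (`C:\Windows\System32\drivers\etc\hosts`) to use it on a suspect machine.

```python
"""Audit a Windows hosts file for entries that hijack security-vendor sites.

Added example (not code from the quoted BleepingComputer or Websense
write-ups).  WATCHED_DOMAINS is an assumed list chosen for illustration;
SAMPLE_HOSTS is constructed, not taken from an infected machine.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Assumed watch-list: domains a user would visit to clean an infected machine.
WATCHED_DOMAINS = {
    "malwarebytes.org", "bleepingcomputer.com", "download.com",
    "microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
}

# Constructed sample: a default hosts file plus injected redirections.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
# lines added by the rogue
192.0.2.10      www.malwarebytes.org
192.0.2.10      download.bleepingcomputer.com
192.0.2.10      www.microsoft.com   microsoft.com
10.0.0.5        intranet.example    # legitimate local override
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, address, [hostnames]) for each active mapping."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed line, not a mapping
        entries.append((line_no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def _is_watched(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Map each watched hostname to the (line_no, address) entries that redirect it.

    Loopback and 0.0.0.0 mappings (the usual ad-blocking trick) are not
    reported; only a mapping to a routable address counts as a hijack.
    """
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for line_no, addr, hosts in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified:
            continue
        for h in hosts:
            if _is_watched(h):
                hits.setdefault(h, []).append((line_no, addr))
    return hits


if __name__ == "__main__":
    for host, where in sorted(find_hijacks(SAMPLE_HOSTS).items()):
        for line_no, addr in where:
            print(f"line {line_no}: {host} -> {addr}")
```

A hit does not prove infection by itself (corporate overrides exist), but a vendor or update domain pointed at a routable address that the administrator did not put there is exactly the symptom both posts describe, and the line number tells you what to delete.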

#75 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 27 February 2009 - 06:42 AM

FYI...

Rogue Facebook apps...
- http://blog.trendmic...in-just-a-week/
Feb. 26, 2009 - "In a second attack, extremely reminiscent of the one that took place this weekend*, Facebook users have once again been victimized by cybercriminals. Reports started surfacing this afternoon of yet another rogue Facebook application posting notifications to user profiles... The link in the notification led on to an application named f a c e b o o k - - closing down!!! which, once installed, would proceed to spam all of the affected user’s friends with the same message. It may also harvest personal information along the way... Prevention of rogue applications with extremely dubious intent to propagate freely within the site is needed. Users are advised to exercise extreme caution when surfing..."
* http://blog.trendmic...o-blackhat-seo/

(Screenshots available at both URLs above.)


#76 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 02 March 2009 - 10:23 AM

FYI...

New Koobface worm variant spreading on Facebook
- http://blog.trendmic...ng-on-facebook/
March 1, 2009 - "I just received a Facebook message from a friend; it was a pretty standard one that is beginning to look familiar to a lot of us I am sure. What surprised me though, was the page that the link led to. On the face of it is a very familiar looking spoofed version of YouTube, complete with bogus comments from “viewers”... Take a second look though, the link had taken me to a site supposedly hosting a video posted by the same person that I had received the Facebook message from. In fact not only was the malicious landing page displaying his name, it had also pulled the photo from his Facebook profile.... Clicking the Install button redirects to a download site for the file setup.exe which is the new Koobface variant detected as WORM_KOOBFACE.AZ. It is hosted on an IP address in another part of the world, and in the last hour, we’ve seen 300+ different unique IP addresses hosting setup.exe and we’re expecting more. All seen IP addresses hosting the said malicious file are now detected as HTML_KOOBFACE.BA. Analysis by our engineers reveals that WORM_KOOBFACE.AZ propagates through other social networking sites as well..."
(Screenshots available at the URL above.)

- http://www.us-cert.g...cial_networking
March 4, 2009 - "...malicious code spreading via popular social networking sites including myspace.com, facebook.com, hi5.com, friendster.com, myyearbook.com, bebo.com, and livejournal.com. The reports indicate that the malware, named Koobface, is spreading through invitations from a user's contact that include a link to view a video. If the users click on the link in this invitation, they are prompted to update Adobe Flash Player. This update is not a legitimate Adobe Flash Player update, it is malicious code..."

Edited by apluswebmaster, 08 March 2009 - 12:11 PM.


#77 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 05 March 2009 - 09:53 AM

FYI...

Fake job ads up 345%...
- http://www.informati...cleID=215800622
March 5, 2009 - "Job seekers beware. Identity thieves are looking to steal personal information from those searching for employment. Fake job ads are up 345% over the past three years, according to the U.K. Association for Payment Clearing Services, and the Identity Theft Resource Center (ITRC)* warns that would-be workers should be careful about providing personal information to purported employers..."
* http://preview.tinyurl.com/2j6y3b


#78 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 06 March 2009 - 06:08 AM

FYI...

Scams - Economic Stimulus email and websites...
- http://www.us-cert.g...ail_and_website
March 5, 2009 - "... economic stimulus scams circulating. These scams are being conducted through both email and malicious websites. Some of the email scam messages request personal information, which can then be used for identity theft. Other email scam messages offer to deposit the stimulus funds directly into users' bank accounts. If users provide their banking information, the attackers may be able to withdraw funds from the users' accounts. The website scams entice users by claiming that they can help them get money from the stimulus fund. These websites typically request payment for their services. If users provide their credit card information, the attackers running the malicious sites may make unauthorized charges to the card, or charge users more than the agreed upon terms..."
- http://ftc.gov/opa/2...imulusscam.shtm

Edited by apluswebmaster, 06 March 2009 - 07:12 AM.


#79 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 08 March 2009 - 06:14 AM

FYI...

New rogue: Antispyware Pro 2009
- http://sunbeltblog.b...e-pro-2009.html
March 08, 2009

New rogue: Malware Defender 2009
- http://sunbeltblog.b...ender-2009.html
March 06, 2009 - "Malware Defender 2009 is a new rogue security product and a clone of System Guard 2009..."

(Screenshots available at both URLs above.)

Tornado Malware Kit
- http://atlas.arbor.n...ndex#1440121766
March 06, 2009 - "...This is a specific instance of such a drive by kit but demonstrates the current technology that is being sold and delivered on the Internet.
Analysis: These kits have been in use for well over a year and are responsible for many of the drive by downloads we see on the Internet these days.
Source: http://www.securewor...do-malware-kit/
March 5, 2009 - "...Tornado is a Russian web-attack kit used by hackers to compromise as many machines as possible. “Out of the box,” it comes with 14 exploits..."

Edited by apluswebmaster, 08 March 2009 - 06:30 AM.


#80 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 09 March 2009 - 11:26 AM

FYI...

Fake Windows Support SPAM... Info-Stealer
- http://blog.trendmic...n-info-stealer/
Mar 9, 2009 - "... Spammed email messages were found pretending to come from Microsoft Windows Support and claiming that Microsoft Service Pack 1 and Service Pack 2 have been discovered to have an error that can damage the computer’s software or even the hardware. These messages encourage users to download and install a file in order to fix the problem. When users click the download button they are redirected to a site and are asked to download a file which Trend Micro detects as TROJ_DLOADER.CUT... TROJ_DLOADER.CUT connects to a certain URL to download another malicious file, which in turn is detected by Trend Micro as TSPY_BANKER.MCL. TSPY_BANKER.MCL monitors the affected user’s online transactions and steals banking related information. Not too many TSPY_BANKER variants have been reported to be related to notable attacks recently, and this incident may pretty much mark the end of the hiatus. Users are advised to ignore spammed messages and, more importantly, to never click links embedded in these messages..."

(Screenshot available at the URL above.)


#81 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 10 March 2009 - 08:06 AM

FYI...

ID theft malware rates...
- http://preview.tinyurl.com/dn8vkj
March 9, 2009 PandaLabs blog - "Today we're announcing results of a study that analyzed 67 million computers in 2008 and revealed that 1.1 percent of the worldwide population of Internet users have been actively exposed to identity theft malware. We predict that the infection rate will increase by an additional 336 percent per month throughout 2009, based on the trend of the previous 14 months. Here are the highlights from our study on the evolution of online identity theft:
• Over three million of the audited users in the U.S. and more than 10 million users worldwide were infected with active identity theft-based malware last year.
• 1.07% of all PCs scanned in 2008 were infected with active malware (resident in memory during the scan) related to identity theft, such as banker Trojans.
• 35% of the infected PCs had up-to-date antivirus software installed.
• The number of PCs infected with identity theft malware increased by 800 percent from the first half of 2008 to the second half.
• Arizona, California and Florida continue to be the states with the highest per-capita incidence of reported identity theft.
Active malware means malware that is loaded into the PC's memory and actively running as a process. For example, users of PCs infected with this type of identity theft malware who utilize online services such as shopping, banking, and social networking, have had their identities stolen in some fashion. According to the Federal Trade Commission (FTC), the average time victims spend resolving identity theft issues is 30 hours per incident. The cumulative cost in hours alone from identity theft related malware based on Panda Security's projected infection rate could reach 90 million hours..."


#82 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 13 March 2009 - 08:05 AM

FYI...

TinyURL phishing...
- http://blog.trendmic...coming-popular/
Mar. 13, 2009 - "... We previously blogged about similar phishing operations that used this exact technique to trick users into thinking links are legitimate:
http://blog.trendmic...-tiny-phishing/
http://blog.trendmic...in-im-phishing/
...Substituting preview.tinyurl.com* for tinyurl.com also allows users to get a preview of the final link."

* http://tinyurl.com/preview.php
"Don't want to be instantly redirected to a TinyURL and instead want to see where it's going before going to the site? Not a problem with our preview feature..."


#83 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 13 March 2009 - 02:51 PM

FYI...

Malicious SPAM run(s), again...
- http://www.f-secure....s/00001625.html
March 13, 2009 - "The type of spam runs we saw late last year (Obama and BofA) are starting to pick up again in volume. We've seen Classmates being used as a theme and two days ago it was fake Facebook messages. Today it's back to fake Bank of America certificates... As in all previous spam runs it leads to a site prompting you to download a fake Adobe Flash player. This malware steals confidential information and sends it to a web server. In previous attacks this server was in Ukraine but it has now been moved to Hong Kong. If you see network traffic to the IP address 58.65.232.17 it's a bad sign."

(Screenshot available at the URL above.)

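F-Secure's note above ends with a concrete network indicator (traffic to 58.65.232.17 is "a bad sign"), and the eWeek report in post #74 gave a file indicator (the MD5 of winratit.exe). The script below is an added example, not code from F-Secure, Websense or this forum, showing how a responder sweeps logs and files against those two indicators. The key=value log format and the log lines themselves are constructed for illustration; only the IP and the MD5 come from the quoted posts. Adapt `parse_line` to whatever your firewall or proxy actually writes.

```python
"""Sweep firewall/proxy logs and file hashes against the indicators quoted
in this thread.

Added example (not F-Secure's or Websense's code).  The key=value log
format and SAMPLE_LOG are constructed for illustration.  The indicator
values come from the quoted posts: the drop server 58.65.232.17 and the
MD5 of winratit.exe from the eWeek malvertisement.
"""
import hashlib
import ipaddress
import re
from typing import Dict, List, Tuple

# Indicators quoted in the thread.
IOC_IPS = {ipaddress.ip_address("58.65.232.17")}
IOC_MD5 = {"a12da1d62b7335cbe6d6ea270247bbc1"}   # winratit.exe, stored lower-case

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2009-03-13T14:02:11Z action=allow src=10.1.2.3 dst=93.184.216.34 dport=80 proto=tcp
2009-03-13T14:02:15Z action=allow src=10.1.2.3 dst=58.65.232.17 dport=80 proto=tcp
2009-03-13T14:03:40Z action=deny src=10.1.2.9 dst=58.65.232.17 dport=443 proto=tcp
2009-03-13T14:05:02Z action=allow src=10.1.2.3 dst=58.65.232.17 dport=80 proto=tcp
garbage line that does not parse
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'timestamp key=value ...' into a dict; {} if the line is unusable."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return {}
    fields = dict(_KV.findall(parts[1]))
    if "src" not in fields or "dst" not in fields:
        return {}
    fields["ts"] = parts[0]
    return fields


def find_ioc_contacts(log_text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {internal src: [(timestamp, dst, action), ...]} for every flow
    whose destination is an indicator IP.

    Denied flows are reported too: a blocked beacon still means the source
    host is trying to reach the drop server and needs to be looked at.
    """
    hits: Dict[str, List[Tuple[str, str, str]]] = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f:
            continue
        try:
            dst = ipaddress.ip_address(f["dst"])
        except ValueError:
            continue
        if dst in IOC_IPS:
            hits.setdefault(f["src"], []).append(
                (f["ts"], f["dst"], f.get("action", "?")))
    return hits


def md5_matches(data: bytes) -> bool:
    """True if the MD5 of `data` is one of the indicator hashes."""
    return hashlib.md5(data).hexdigest().lower() in IOC_MD5


if __name__ == "__main__":
    for src, flows in find_ioc_contacts(SAMPLE_LOG).items():
        print(f"{src} reached an indicator {len(flows)} time(s): {flows}")
    # Constructed blob, so this prints False; hash real files from %TEMP%.
    print("sample blob matches IOC hash:", md5_matches(b"not the real dropper"))
```

The result is keyed by internal source address because that is the list of machines to pull off the network; the timestamps tell you how long each one has been talking to the server. The hash check is deliberately separate: a file IOC is only useful on the host, where you hash what is actually in the user's temporary folder.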

#84 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 14 March 2009 - 01:16 PM

FYI... More rogues...

- http://sunbeltblog.b...y-products.html
March 14, 2009 - "General Antivirus and Personal Antivirus are the new clones of Internet Antivirus Pro rogue security product..."

- http://www.symantec...._...-99&tabid=2
March 13, 2009
Name: System Guard 2009
Publisher: System Guard
...The program reports false or exaggerated system security threats on the computer.

- http://www.symantec...._...-99&tabid=2
March 11, 2009
Name: Virus Melt
Publisher: iSystems Inc.
...The program reports false or exaggerated system security threats on the computer.

(Screenshots available at above URLs.)


#85 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 16 March 2009 - 08:15 AM

FYI...

Waledac - SPAM new variant theme in the wild...
- http://securitylabs....lerts/3321.aspx
03.16.2009 - "Websense... has detected yet another new Waledac campaign theme in the wild. The new variant uses a Reuters theme as a social engineering mechanism to report a bogus news item relating to a 'bomb explosion'. The malicious Web sites in the current attack are socially engineered to report the geolocation of the incident corresponding to the user's IP address. They encourage users to view a video supposedly related to the news report. When users click on the video or the link below the video, they are advised to download the latest version of Flash Player. This leads to the download of Waledac variants. The theme includes legitimate links corresponding to Wikipedia and Google which are presented in a 'Related Links' section of the attack Web sites. Those legitimate links are used to target unsuspecting users in order to increase chances of success with the attack..."

- http://blog.trendmic...al-engineering/
Mar. 16, 2009

- http://www.marshal.c...hesection=trace
March 16, 2009

- http://www.sophos.co...09/03/3541.html
15 March 2009

(Screenshots available at each URL above.)

Edited by apluswebmaster, 17 March 2009 - 01:21 PM.


#86 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 18 March 2009 - 02:28 PM

FYI...

2000 percent increase in web threats - 2005-2008...
- http://blog.trendmic...a-down-economy/
Mar. 17, 2009 - "...TrendLabs reports more than a twenty-fold (2000 percent) increase in web threats between the beginning of 2005 and the end of 2008... for 2008 over 90 percent of all digital threats arrive at their targets via the Internet... from January until November 2008, a staggering 34.3 million PCs were infected with botnet-related malware..."

Trend Micro 2008 Annual Threat Roundup and 2009 Forecast
- http://us.trendmicro...eat_roundup.pdf
3.26MB PDF file


#87 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 20 March 2009 - 04:26 AM

FYI...

SPAM - fake Comcast, Facebook e-mails
- http://www.f-secure....s/00001630.html
March 19, 2009 - "...new SPAM run that's going on. It's from the same group that used Bank Of America as the lure late last week and Northern Bank on Monday. Today it's Comcast and it might actually have a higher success rate than the previous run as users always want faster broadband, especially if there's no fee involved. And the page looks really convincing. Once installed the malware does the same as in the other spam runs - steals data and sends it to Hong Kong...
Update: The spam run was just changed to a Facebook scheme.
Some subjects are:
• FaceBook message: Magnificent girl dancing video clip (Last rated by Sal Velasquez)
• FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Abe Bain)
• FaceBook message: Hot Girl Dancing At Striptease Dance Party (Last rated by Lowell Clay)
• FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Shane Lucas)..."

YouTube e-mail link...
- http://www.f-secure....s/00001629.html
March 19, 2009 "YouTube is once again being used as a lure to spread malware. Some clown is sending out e-mails... if you follow the link, this one actually uses a Java applet (complete with a fake signature) to push a variant of Parite to the machines..."

Death exploited by hackers...
- http://www.sophos.co...death-exploited
March 19, 2009 - "Cybercriminals don't waste any time these days jumping on the coat-tails of breaking news stories in their attempt to infect as many computer users as possible. This time it's the tragic death of award-winning English actress Natasha Richardson, who died yesterday after suffering head injuries in a skiing accident earlier in the week. It appears that hackers are stuffing webpages with keywords - most likely scraping the content off legitimate news websites - in order to lure unwary surfers into visiting their dangerous sites and infecting their computers... of course, if you do visit the malicious web link a malicious script will run on your computer... that then runs a fake anti-virus product designed to scare you into making an unwise purchase. Fake anti-virus products, also known as scareware or rogueware, are one of the fastest growing threats on the internet, and attempt to frighten you into believing that your computer has a security problem and that you should purchase a solution from the very people who have tricked you..."

(Screenshots available at each URL above.)

Edited by apluswebmaster, 20 March 2009 - 04:57 AM.


#88 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 20 March 2009 - 09:32 AM

FYI...

Antivirus2009 ransomware...
- http://preview.tinyurl.com/df8n2t
March 20, 2009 Security Fix/Brian Krebs - "... this version of Antivirus2009 encrypts or scrambles contents of documents... so that only users who pay $50 for a FileFixerPro license can get the decryption key needed to regain access to the files in their My Documents folder... The good news is the nice folks over at BleepingComputer.com*, a very active computer-help forum, have posted detailed instructions on how to remove FileFixerPro. The bad news is that these instructions won't help get a victim's documents back. But there is more good news: The folks over at FireEye have figured out how to decrypt documents scrambled by this thing, and have set up a free Web-based service** where victims can upload documents to have them unscrambled. Alex Lanstein, senior security researcher at FireEye, said he hopes his team can soon release a tool users can download to help decrypt the entire My Documents folder. This is the first time I've ever heard of scareware being bundled with so-called "ransomware"..."

* http://www.bleepingc...opic212357.html

** http://blog.fireeye....-scareware.html

- http://www.pcworld.c...virus_apps.html
Mar 20, 2009 - "...According to the Antiphishing Working Group*, the number of fake security programs skyrocketed from average of around 2,500 per month to 9,287 in December..."
* http://www.antiphish...ort_H2_2008.pdf

Edited by apluswebmaster, 20 March 2009 - 02:21 PM.


#89 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 23 March 2009 - 07:46 AM

FYI...

Trafficconverter takedown...
- http://www.f-secure....s/00001631.html
March 20, 2009 - "One of the more notorious pay-per-install programs, Trafficconverter has been taken down today.
These sites work like this:
1. Trafficconverter develops a "rogue" antivirus product
2. The product will find viruses even on clean systems
3. It won't "clean" those viruses unless you register the product
4. Trafficconverter does not market their software at all
5. Instead, all the marketing is done through affiliates
6. Affiliates have existing botnets of thousands of infected computers
7. They remotely install these rogue products to those computers
8. Confused end users see warning messages about viruses on their screens
9. ...and register the rogue product for $50 to "fix" their machine
10. Affiliates get $30 per customer, Trafficconverter get $20
11. ??...
12. PROFIT!
...So, it's good to see these guys going offline. Kudos to Brian Krebs*!"
* http://voices.washin..._rogue_ant.html
March 16, 2009
- http://voices.washin...rogue_anti.html
March 20, 2009

(Screenshots available at both URLs above.)

Edited by apluswebmaster, 23 March 2009 - 07:48 AM.


#90 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 24 March 2009 - 04:34 AM

FYI...

Trafficconverter takedown - Downadup motivations
- https://forums2.syma.../article-id/254
03-23-2009 - "As the April 1 payload delivery date nears for W32.Downadup.C (also known as Conficker) speculation continues on whether the payload will be one big April Fool’s joke, or the equivalent of a cyber Pearl Harbor. While we can’t predict the future with certainty, we can look at the motivations of past Downadup variants to postulate that the payload will likely be something between the two extremes. The first Downadup variant (.A) provides the best evidence of the motivations of the Downadup authors. In a similar fashion to the recent Downadup variant, Downadup.A had a payload delivery date after its initial release, on December 1, 2008. Downadup.A attempted to download its payload file from hxxp ://trafficconverter.biz/4vir/antispyware/loadadv.exe. While Downadup.A was never able to download its payload because the payload site was shut down, the owner of the site trafficconverter.biz was heavily involved in pushing misleading applications (also known as rogue antispyware products) onto users’ machines..."
//
- http://centralops.ne...ainDossier.aspx
Domain Name: TRAFFICCONVERTER.BIZ ...
Registrant Country Code: GB ...
Name Server: NS1.SUSPENDED-DOMAIN.COM
Name Server: NS2.SUSPENDED-DOMAIN.COM
Created by Registrar: ESTDOMAINS INC ...
//

Edited by apluswebmaster, 24 March 2009 - 04:46 AM.


#91 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 25 March 2009 - 07:24 AM

FYI...

More Malicious SPAM from Pushdo...
- http://www.marshal.c...hesection=trace
March 18, 2009 "...
> Phishing - Pushdo is currently one of the major botnets responsible for sending Phishing spam. For the past few weeks, it has been targeting Paypal, USBank and Fifth Third Bank customers to lure users into opening links from spam and logging on to legitimate-looking websites... More recently, a Bank Of America spam attack was caught by our spam traps - again sent by Pushdo. The email tells you that the automatic installation of a Bank of America certificate failed and needs manual installation. Opening the link from the message body will open a website that provides an "instruction video" on how to install the "certificate". Of course, it needs "Adobeflashplayer.exe" to view it. But please be wary, the executable file is a password stealing Trojan horse...
> Social Networking website brands like Classmates and Facebook are also used by Pushdo. Its modus operandi is to send you a fake video invitation. Upon opening the URL link the website will require you to download a fake video codec or flash version which, again, is actually a Trojan Horse...
> Malicious Attachments - Pushdo is one of the few botnets that regularly distributes spam with malicious attachments. Themes vary, but recent themes include fake invoices and airline ticket confirmations. The email usually asks you to open a ZIP-compressed attachment for you to print. The .ZIP attachment contains a password stealing Trojan Horse that hides its appearance by using a Microsoft Excel icon...
> Scams - Our spam traps also receive scam emails offering part-time and remote employment. Pushdo uses variations of subject lines like:
• Experience employment: Manager (Remote, part-time vacancy; 2500 USD/month)
• Experience long-term employment: Accountant (Remote, part-time vacancy; 2500 USD/month)
• Part time Manager (Remote vacancy; 2500 USD/month)
• Newly opening Accountant (Remote, part-time vacancy; 2500 USD/month)
• Experience employment: Accountant (Remote, part-time vacancy; 2500 USD/month)
> Valentine's Day Theme - And lastly, approximately 20% of the spam Pushdo currently sends is still using a Valentine's Day theme. At least for this botnet, everyday is Valentine's day..."

(Screenshots available at the URL above.)

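The "Malicious Attachments" item in the Marshal write-up above describes the classic lure: a ZIP named like an invoice or ticket confirmation that holds an executable wearing a Microsoft Excel icon. The script below is an added example, not Marshal's code or anything from this forum, of the triage a mail gateway or responder can do on such an attachment without opening it. An icon lives in the PE resource table and is expensive to inspect, so the check looks at what is cheap and reliable instead: the member's extension chain (a document extension hiding in front of an executable one) and the file's magic bytes versus its claimed type. The sample archive, its member names and contents are constructed in memory for illustration.

```python
"""Triage a ZIP e-mail attachment for the Pushdo pattern: an executable
dressed up as a document (invoice/ticket file name, Excel icon).

Added example (not Marshal's code).  The sample archive built by
build_sample_zip() is constructed in memory; the extension and magic
tables are illustrative choices, not a vendor's signature set.
"""
import io
import os
import zipfile
from typing import Dict, List

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}
DOC_EXT = {".xls", ".doc", ".pdf", ".ppt", ".txt", ".rtf", ".htm", ".html"}

# magic bytes -> extensions that legitimately carry that content
MAGIC = {
    b"MZ": EXEC_EXT,                                              # DOS/PE executable
    b"%PDF": {".pdf"},
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {".xls", ".doc", ".ppt"},  # OLE2 compound file
}


def build_sample_zip() -> bytes:
    """Constructed attachment: a disguised executable, a real-looking PDF,
    a plain text file, and an OLE2 header mislabelled as .txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Invoice_20090318.xls.exe",
                   b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00")
        z.writestr("eticket_AA1234.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")
        z.writestr("readme.txt", b"Please print the attached invoice.\n")
        z.writestr("data.txt", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


def _ext_chain(name: str) -> List[str]:
    """'Invoice.xls.exe' -> ['.xls', '.exe']  (all extensions, lower-cased)."""
    base = os.path.basename(name).lower()
    return ["." + p for p in base.split(".")[1:]]


def triage_zip(data: bytes) -> Dict[str, List[str]]:
    """Return {member name: [reasons]} for members that look like disguised
    executables or whose content does not match their extension."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            reasons = []
            exts = _ext_chain(info.filename)
            last = exts[-1] if exts else ""
            if last in EXEC_EXT:
                reasons.append("executable extension " + last)
            if len(exts) >= 2 and exts[-2] in DOC_EXT and last in EXEC_EXT:
                reasons.append("document extension hidden before executable extension")
            with z.open(info) as fh:          # only the first bytes are needed
                head = fh.read(8)
            for magic, allowed in MAGIC.items():
                if head.startswith(magic):
                    if last not in allowed:
                        reasons.append(
                            f"content magic {magic!r} does not match extension "
                            f"{last or '(none)'}")
                    if magic == b"MZ":
                        reasons.append("PE executable content")
                    break
            if reasons:
                findings[info.filename] = reasons
    return findings


if __name__ == "__main__":
    for name, why in triage_zip(build_sample_zip()).items():
        print(name)
        for r in why:
            print("   -", r)
```

Checking the magic bytes matters more than the name: Explorer hides known extensions by default, so the user sees `Invoice_20090318.xls` with an Excel icon, but the gateway sees `MZ` in the first two bytes regardless of how the file is named.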

#92 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 25 March 2009 - 11:30 AM

Some references from previous post in this thread:
- http://www.spywarein...?...st&p=680460

Xrupter -aka- Vundo ...
- https://forums2.syma.../article-id/255
03-24-2009 - "Over this past weekend, Symantec received news of a new twist in the behavior of Trojan.Vundo(1). Instead of simply pushing misleading applications and other threats onto the infected computers, it seems the authors of Vundo have taken a more direct hand in revenue generation. Rather than just frightening you into believing that you may have problems or threats present on your computer, Vundo now drops a file named fpfstb.dll that attempts to make sure that you do encounter problems on your computer. We currently detect this threat as Trojan.Xrupter(2). This Trojan performs a search in the My Documents folders of your hard drive... This Trojan specifically targets these files for encryption because the creators know these are the files that you are most likely to want back if the computer was ever compromised. Once the files are encrypted, it starts to display messages stating that certain files on the computer are corrupted. If the user attempts to open any of the encrypted files, a message will also appear saying that the file is corrupt. In both windows, a repair option is available... If the user clicks on repair, a browser window will open to the domain filefixpro.com (now offline). This site offers a program named FileFix Professional (detected as FileFixProfessional), which is supposed to repair the corrupted files. Of course, FileFixPro is not a free application, so you are expected to pay in order to license it for use. FileFix Professional is obviously not what it is cracked up to be—it is, in fact, just another part of this whole scam—it only decrypts the files that its partner in crime (Trojan.Xrupter) has encrypted... The fortunate thing about this whole episode is that the makers of this scam have implemented a very weak algorithm for encryption of the files. Because of this, Symantec and various other security vendors such as FireEye have been able to decrypt the files affected by this Trojan.
In fact, we are offering a tool that can be used to clean up this Trojan and recover encrypted files... If you need this fix tool, you can download it here*."

(Screenshots available at the URL above.)

1) http://www.symantec....-112111-3912-99

2) http://www.symantec...._...-99&tabid=1

* http://www.symantec..../FixXrupter.exe

:grrr: :ph34r:

#93 AplusWebMaster

Posted 29 March 2009 - 06:21 PM

FYI...

Ghostnet - targeted attacks
- http://www.f-secure....s/00001637.html
March 29, 2009 - "University of Toronto published today a great research paper on targeted attacks. We've talked about targeted attacks for years. These cases usually go like this:
1. You receive a spoofed email with an attachment
2. The email appears to come from someone you know
3. The contents make sense and talk about real things (and in your language)
4. The attachment is a PDF, DOC, PPT or XLS
5. When you open up the attachment, you get a document on your screen that makes sense
6. But you also get exploited at the same time
7. The exploit drops a hidden remote access trojan, typically Grey Pigeon or Gh0st Rat variant
8. No one else got the email but you
9. You work for a government, a defense contractor or an NGO ...
But the real news is that Greg Walton & co actually managed to get an inside view of some of the servers used in these spying attacks. This means they got to see what was being done with the infected machines and where in the world they were... The release of the paper was synchronized with the New York Times article*. University of Cambridge released a related research paper at the same time as well. The Cambridge paper goes all the way to point the finger directly at the Chinese Government. Most other parties, us included, have not made such direct accusations without concrete proof of government involvement... here are selected blog posts on the topic:
• Several examples of what the attack documents looked like
- http://www.f-secure....s/00001406.html
• The mystery of Sergeant "nbsstt"
- http://www.f-secure....s/00001449.html
• How we found the PDF generator used in some of these attacks
- http://www.f-secure....s/00001450.html ..."

* http://www.nytimes.c...logy/29spy.html

(Original document - scribd.com )
- http://preview.tinyurl.com/d5q3cj
Mar 28, 2009 - "This report documents the GhostNet - a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs..."

:ph34r: :ph34r:

Edited by apluswebmaster, 29 March 2009 - 07:10 PM.


#94 AplusWebMaster

Posted 30 March 2009 - 04:19 PM

FYI...

Conficker hype used by rogue gangs
- http://www.f-secure....s/00001639.html
March 30, 2009 - "... We found out that rogue security software folks have picked up on this. For example, let's have a look at remove-conficker .org, a domain which was registered today... They advertise a tool called MalwareRemovalBot. It's fake. Interestingly, it doesn't always find non-existing malware infections on your PC - only sometimes. But one thing is for sure, it does not remove Conficker.C. We tried it and it didn't do a thing to remove it. When it did find something that it claimed to be malware... And then it asked us to register and pay $39.95 for the removal functionality... When following up on this we did a Google search for "remove conficker.c" and saw several purchased ads that led to the same type of "security" software as well... Like AdwareAlert and AntiSpy2009. It's clear that it's an affiliate program going on..."

(Screenshots available at the F-secure URL above.)

:ph34r: :grrr:

#95 AplusWebMaster

Posted 02 April 2009 - 01:37 PM

FYI...

Trace Q1-2009 report
- http://www.marshal.c...hesection=trace
April 1, 2009
"...Spam
...by the end of March 2009 the SVI (Spam Volume Index) had reached its pre-McColo level. Even so, taking a longer term view, spam volume still remains less than mid-2008. We believe successive events, including the interruption of the Atrivo/Intercage network in September, the FTC crackdown of the ‘Affking’ gang in October, the McColo shutdown in November and the subsequent demise of the Srizbi botnet, and disruption to the Bobax botnet in late 2008, have all contributed to make life more difficult for spammers...
Botnets
... a handful of botnets continue to dominate the distribution of spam. At the end of March 2009, the familiar botnets Mega-D and Rustock and Pushdo continued to dominate spam production. Xarvester is the new kid on the block, and shares quite a few similarities to its likely predecessor, Srizbi. Add a second tier of botnets, namely Donbot, Grum and Gheg, and collectively, this motley group accounts for over 70% of spam...
Malicious Spam Campaigns
... The Waledac botnet, the probable successor to Storm, has been active with a range of campaigns including President Obama, Valentines, fake coupons and bomb blast news stories. The Pushdo botnet, too, continues to pump out various malicious spam and phishing email, including fake facebook.com and classmates.com campaigns...
Malicious Web Campaigns... (Rogue AV, etc.)
The last few months have seen the resurgence of the fake anti-virus purveyors, which have been part of the scene in one form or another for the best part of 12 months. Most recently, search engine optimization, using hot Google search terms*, is being used to drive users to websites where they are prompted to download, install, and pay for this dubious ‘anti-virus’ software...."
* http://www.marshal.c...asp?article=884

:techsupport:

#96 AplusWebMaster

Posted 03 April 2009 - 10:05 AM

FYI...

More Conficker rogue AV...
- https://forums2.syma.../article-id/173
04-02-2009 - "We have found spam samples attempting to capitalize on the frenzy over Conficker (a.k.a. Downadup), offering the latest in antivirus security software that purportedly protects users from the Conficker threat. Some of these SPAM messages even use names and images of software much like our own Norton AntiVirus 2009... it even mentions the name of one of our Symantec employees frequently cited in the press... In an attempt to increase financial gain, the product website is made to look like the product is one of our Norton consumer security solutions, by using the AntiVirus 2009 name and even comparing itself with other antivirus solutions such as Spybot, Kaspersky, and AVG... After clicking on the link inside the message, we find that it redirects to a website where the user is promptly given directions on how to make a payment. Whether or not any product will be made available after the payment is made is still unknown at this point. Even if it were, its effectiveness would be questionable because it will most likely be a rogue application or pirated software."
(Screenshots available at the Symantec URL above.)

- http://www.f-secure....s/00001639.html
March 30, 2009

:grrr: :ph34r:

#97 AplusWebMaster

Posted 07 April 2009 - 08:11 PM

FYI...

Malicious Excel XLS file
- http://www.f-secure....s/00001649.html
April 7, 2009 @ 11:10 GMT - "We see targeted attacks and espionage with trojans regularly. Here's a typical case. A malicious Excel XLS file (md5: 3c740451ef1ea89e9f943e3760b37d3b) was emailed to a target - apparently to just one person... The exploit code creates two new DLL files in the SYSTEM32 folder ("apimgr.dll" and "netserv.dll") and executes them. These DLL files are backdoors that try to communicate back to the attackers, using these sites:
• feng.pc-officer .com
• ihe1979.3322 .org
Right now, host ihe1979.3322 .org does not resolve at all, and feng.pc-officer .com resolves to a placeholder IP (which is 63.64.63.64). The attackers can temporarily make the hostname resolve to the real IP address and then turn it back, to hide their tracks. The domain name pc-officer .com is a weird one. It has been registered already in 2006, and it has been used in targeted attacks before. See this ISC blog entry from September 2007*. Here the attack was done via DOC files, instead of XLS. And the reporting server was ding.pc-officer .com, not feng.pc-officer .com. If you haven't read about Ghostnet** yet, now would be a good time..."
* http://isc.sans.org/...ml?storyid=3400
** http://en.wikipedia.org/wiki/GhostNet

(Screenshot available at the F-secure URL above.)

Update: "... IP 63.64.63.64 is just a placeholder; 216.255.196.154 is the real control server. They only bring it online sporadically, trying to avoid detection.
The IP is located in Spokane, USA:
% whois 216.255.196.154
OrgName: One Eighty Networks
OrgID: OEN-1
Address: 118 N Stevens
City: Spokane
StateProv: WA
PostalCode: 99201
Country: US ..."

:ph34r: :grrr:

Edited by apluswebmaster, 08 April 2009 - 06:54 AM.

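The placeholder-then-live DNS behaviour described in the F-Secure post above is something a defender can watch for in periodic resolver logs: a hostname that sits on a parking address most of the time and briefly resolves to a real one. The following is an added example, not F-Secure's or the poster's code; it keeps only the 63.64.63.64 placeholder from the post and uses constructed hostnames, constructed log lines and RFC 5737 documentation addresses for everything else.

```python
from collections import defaultdict

# Placeholder address named in the post. A real deployment would extend this
# set with other known parking or sinkhole addresses.
PLACEHOLDER_IPS = {"63.64.63.64"}

# Constructed sample of hourly resolver observations ("timestamp host ip").
# Hostnames are hypothetical; 198.51.100.7 and 192.0.2.10 are documentation
# addresses standing in for a sporadically live control server and a normal site.
SAMPLE_LOG = """\
2009-04-07T00:00Z c2.example.net 63.64.63.64
2009-04-07T01:00Z c2.example.net 63.64.63.64
2009-04-07T02:00Z c2.example.net 198.51.100.7
2009-04-07T03:00Z c2.example.net 198.51.100.7
2009-04-07T04:00Z c2.example.net 63.64.63.64
2009-04-07T00:00Z www.example.com 192.0.2.10
2009-04-07T04:00Z www.example.com 192.0.2.10
"""


def parse_log(text):
    """Parse 'timestamp host ip' lines. ISO-8601 timestamps sort chronologically."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def live_windows(records, placeholders=PLACEHOLDER_IPS):
    """Per host, the spans during which it resolved to a non-placeholder
    address, as [(first_seen, last_seen, ip), ...]. These are the windows
    during which the server behind the name was actually reachable."""
    by_host = defaultdict(list)
    for ts, host, ip in records:
        by_host[host].append((ts, ip))
    windows = {}
    for host, obs in by_host.items():
        spans, current = [], None  # current = (start, last, ip) while live
        for ts, ip in sorted(obs):
            if ip in placeholders:
                if current:
                    spans.append(current)  # went back to the placeholder
                current = None
            elif current and current[2] == ip:
                current = (current[0], ts, ip)  # still live, same address
            else:
                if current:
                    spans.append(current)  # live address changed: new span
                current = (ts, ts, ip)
        if current:
            spans.append(current)
        windows[host] = spans
    return windows


def suspicious_hosts(records, placeholders=PLACEHOLDER_IPS):
    """Hosts observed on both a placeholder and a real address."""
    parked = {host for _, host, ip in records if ip in placeholders}
    live = {host for _, host, ip in records if ip not in placeholders}
    return sorted(parked & live)
```

Feeding the sample log through `suspicious_hosts` flags only `c2.example.net`, and `live_windows` shows the 02:00 to 03:00 window in which it pointed at a real address.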

#98 AplusWebMaster

Posted 08 April 2009 - 05:18 AM

FYI...

Match.com malware SPAM
- http://securitylabs....lerts/3337.aspx
04.08.2009 - "... new SPAM campaign aimed at Match.com is being used to spread a trojan over the Internet. Match.com is an online dating service. The service reportedly has more than 15 million members and has Web sites serving 37 countries in more than 12 different languages. On April 7 2009, we received thousands of malicious emails in our email Honey Pot system. The email claims that someone wants to show the user her pictures and videos, and lures the user into visiting the Web site set up by the attacker. When the user starts the video on the Web site, they are asked to install a streaming video player which is actually a trojan with relatively low AV detection*..."

(Screenshots available at the Websense URL above.)

* http://www.virustota...761e33959e61e1d
File ADOBE_PlayerInstallation.exe

:ph34r: :grrr: :ph34r:

#99 AplusWebMaster

Posted 08 April 2009 - 06:24 AM

FYI...

IRS SPAM fakes and phish...
- http://blog.trendmic...hishing-season/
Apr. 7, 2009 - "As usual, the approaching tax season (April 15th is Tax Day in the US) also comes with tax-related online threats. With unemployment rates reaching record highs this year, cybercriminals have yet another opportunity to polish their social engineering techniques. Last year, spammed messages supposedly from the Internal Revenue Service (IRS) delivered malware into systems. The email messages were sternly-worded. The intention was to alarm recipients of what these same messages claimed were incomplete tax forms, which could lead to tax avoidance fraud. High-profile institutions, including Fortune 500 companies and US Defense contractors, were prominent targets of this attack. This year, cybercriminals offer their recipients ways to save money by supposedly reducing their expenses on tax preparation transactions. The recent email samples no longer purport to come from the IRS, though. They do, however, offer tax relief services for tax help-seekers. And instead of downloading malware, unknowing users are tricked into giving out personal and sensitive information to phishers... The threat does not end there. After completing the steps... for users to supposedly have tax relief, other windows load... These are supposedly credit-related sites, but like the tax relief page they also steal sensitive and confidential user information. The spammers/phishers behind this threat have thus fashioned the attack to be both timely and seemingly relevant by exploiting the tax season as well as recession-related concerns. The IRS recently set up an information page* in response to this threat..."
* http://www.irs.gov/p...=179820,00.html

(Screenshots available at the TrendMicro URL above.)

- http://isc.sans.org/...ml?storyid=6145
Last Updated: 2009-04-07 19:50:37 UTC - "... a few things to watch out for:
• fake e-file websites. Only use reputable companies. I did a quick check earlier and didn't see any obvious fakes on Google, but this may change at any time.
• IRS e-mails: The IRS will -never- send you an e-mail asking you to go to a website to get a refund.
• malicious tax preparation software: Don't just download the next best free tax prep software package.
• and once you are all done: Make good offline backups. If you used tax preparation software, burn a couple CDs with your files and don't forget to retain a copy of the software itself so you can read the files later. Keep a paper copy. This includes supporting electronic files like account software and spreadsheets that you may use to track finances..."

:grrr: :ph34r: :!:

#100 AplusWebMaster

Posted 09 April 2009 - 09:43 AM

FYI...

Rogue AV on 10M machines
- http://www.darkreadi...cleID=216403298
April 8, 2009 - "Rogue security software infections by just one family of malware jumped 66 percent in the second half of the year, according to Microsoft's new Security Intelligence Report (SIR)*... Microsoft says the Win32/Renos scareware attack was found on 4.4 million computers, for instance, and Win32/FakeXPA and Win32/FakeSecScan on 1.5 million machines. Other rogue AV types were also detected, bringing the total numbers of those types of infections to the 10 million mark..."
* http://www.microsoft.com/sir

:ph34r: :grrr: