Jump to content


Photo

SPAM frauds, fakes, and other MALWARE deliveries...


  • Please log in to reply
2041 replies to this topic

#101 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 10 April 2009 - 01:53 PM

FYI...

NOT the easter egg you were expecting
- http://www.sophos.co...abs/v/post/3962
April 10, 2009 - "Messages posing as legitimate greeting cards with titles such as “You’ve received A Hallmark E-Card! !” have been prevalent on the Internet... Over the past months, the malicious emails have become slightly more subtle in their delivery method. While they previously included a telltale zip file as an attachment or a link to an exe, the current crop of messages masquerade as legitimate notifications with no attachments, but the links embedded in the mail point to a web page on some third party web site - which is designed to load malware... avoid opening e-cards that aren’t addressed to you, and aren’t from someone you know. The majority of the spammed e-cards do not indicate the sender or the recipient in the body, and so are easy to recognize. Legitimate e-cards tend to have this personally identifiable information included in the message body..."

(Screenshot available at the URL above.)

:techsupport:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#102 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 12 April 2009 - 11:17 AM

FYI...

Easter worm in Twitter...
- http://www.f-secure....s/00001653.html
April 12, 2009 - "A cross-site scripting worm was spreading in Twitter profiles for several hours last night. People started reporting that their profile had sent Twitter messages without their knowledge... Later on the messages morphed several times... Many people followed the links to stalkdaily .com, as they believe the messages to be genuine Tweets from their friends. A cross-site script on the site then caused new users to start to Tweet the same messages... As expected, the whole worm was a publicity stunt by stalkdaily .com... You can see the latest official status of Twitter from their status page at http://status.twitter.com/ . Updated to add: This is -not- over. There's going to be quite a few modified Twitter worms for a day or two. Be careful in Twitter, don't view profiles, don't follow links... All these attacks are Javascript-based. Turn Javascript off if you're worried..."
(Screenshots available at the F-secure URL above.)

- http://status.twitte.../update-on-worm
Apr 13, 2009 - "Update on worm... We are currently addressing a new manifestation of the worm attack..."

:grrr:

Edited by apluswebmaster, 13 April 2009 - 04:07 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#103 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 13 April 2009 - 01:32 PM

FYI...

Copycat Twitter XSS worms...
- http://isc.sans.org/...ml?storyid=6187
Last Updated: 2009-04-13 18:07:20 UTC - "... copycat Twitter XSS worms exploit the same vulnerability – actually most of the code remains the same but they obfuscated it to make analysis a bit harder. They also added couple of updates so it looks like they are exploiting other profile setting fields which the original worm didn't exploit, such as the profile link color. One thing about this copycat worm I found interesting is the type of obfuscation they used. The attackers used the [ and ] operators in JavaScript in order to reference methods in objects... It looks like the folks from Twitter are still fixing all the vulnerabilities... Use addons such as Noscript* for Mozilla ..."
* http://noscript.net/getit

- http://www.f-secure....s/00001654.html
April 13, 2009

:grrr: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#104 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 14 April 2009 - 04:54 PM

FYI...

Twitter worm Google searches lead to malware
- http://www.f-secure....s/00001657.html
April 14, 2009 - "No surprise at all that Google searches for information about the Twitter worm would lead to malware sites, it was really just a matter of time. Especially not after all the talk about it over the weekend and the guy behind it even confessing everything. Malicious search results about popular news is something we see very often unfortunately... So, unfortunately we're not surprised that this happened. As usual, get your news and information from sources you trust. Random Google searches can't be trusted.
Updated to add: Searching for "Mikeyy" also leads to malicious results."
(Screenshots available at the URL above.)

Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware
- http://ddanchev.blog...s-hijacked.html
April 15, 2009

:techsupport:

Edited by apluswebmaster, 16 April 2009 - 06:04 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#105 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 15 April 2009 - 06:43 AM

FYI...

New rogue: P Antispyware 09
- http://sunbeltblog.b...spyware-09.html
April 14, 2009 - "P Antispyware 09 is yet another rogue from WinSpywareProtect family of rogue security products."

New rogue: Antivirus'09
- http://sunbeltblog.b...-antivirus.html
April 15, 2009 - "Antivirus'09 is a new rogue security product. This rogue uses fake/scare scanner pages to trick users into downloading the rogue application."

(Screenshots available at both URLs above.)

:ph34r: :grrr: :!:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#106 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 17 April 2009 - 06:22 PM

FYI...

Yet another Twitter worm
- http://www.f-secure....s/00001661.html
April 17, 2009 - "A new Twitter cross-site scripting worm is going around on Twitter. Just like the previous Twitter worms it talks about Mikeey... The malicious script itself is downloaded from 74.200.253.195*. Twitter is working on fixing the problem... Updated to add: Michael Mooney (Mikeey) confesses to writing this latest worm as well."
* http://centralops.ne...ainDossier.aspx
Queried whois.arin.net with "74.200.253.195"...
OrgName: FastServers, Inc.
OrgID: FASTS-1
Address: 175 W. Jackson Blvd
Address: Suite 1770
City: Chicago
StateProv: IL
PostalCode: 60604
Country: US ...

:ph34r: :hmmm:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#107 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 19 April 2009 - 04:52 AM

FYI...

New rogue: AV Antispyware
- http://sunbeltblog.b...ntispyware.html
April 19, 2009 - "AV Antispyware is the latest rogue from WinSpywareProtect family of rogue security products... Sites Involved:
64.191.12.38 Av-antispyware com
195.88.81.74 Files scanner-antispy-av-files com
195.88.81.116 dl scan-antispy-4pc com
195.88.80.207 Int reporting32 com ..."

(Screenshot available at the URL above.)

:ph34r: :grrr:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#108 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 21 April 2009 - 05:36 AM

FYI...

Zango: The End
- http://www.vitalsecu.../zango-end.html
April 21, 2009 - "Zango Inc., the adware distributor fined $3 million by the Federal Trade Commission in 2006 for sneaking software onto people's PCs, has closed its doors after being acquired by video search engine company Blinkx PLC..."
- http://www.theregist...09/04/21/zango/
21 April 2009 - "... The end-game for Zango marks the end of the controversial adware business model. Other well known names in the field - including Claria (Gator), WhenU and DirectRevenue - ceased operations some time ago, leaving Zango as the last man standing."
- http://www.theregist...09/04/21/zango/
21 April 2009 "Updated... The adware maker was forced to pull down the shutters on its business after it was left unable to service its debts. Initially we, along with othe news outlets, incorrectly reported that video search engine firm Blinkx had acquired Zango. In fact Blinkx has only bought a proportion of its assets from administrators. "The bank foreclosed on Zango and Blinkx purchased some technical assets from the bank, including some IP and hardware, which constituted about 10 per cent of Zango's total assets," a Blinkx spokeswoman explained..."

- http://sunbeltblog.b...go-is-dead.html
April 21, 2009

:!:

Edited by apluswebmaster, 21 April 2009 - 04:08 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#109 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 27 April 2009 - 01:08 PM

FYI...

Spam referencing Swine flu outbreak
- http://www.sophos.co...abs/v/post/4245
April 27, 2009 - "Predictably enough, today we started to see spam taking advantage of concerns around the current Swine Flu outbreak... In the campaign seen earlier today, the purpose of the spam is meds related. Anyone clicking on the link in the message is -redirected- to an all too familiar Canadian Pharmacy site..."
(Screenshots available at the URL above.)

- http://www.us-cert.g...ing_attacks_and
April 27, 2009

- http://blog.trendmic...b-through-spam/
Apr. 28, 2009 - (More screenshots...)

Spamvertised Swine Flu Domains
- http://ddanchev.blog...lu-domains.html
April 28, 2009 - "... Swine flu spamvertised domains (long list)... Happy blacklisting/cross-checking!"

:grrr:

Edited by apluswebmaster, 30 April 2009 - 04:12 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#110 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 28 April 2009 - 03:43 PM

FYI...

Rogue AV projected growth in 2009
- http://preview.tinyurl.com/cqv4se
23 April 09 - PandaLabs blog - "... Cyber-criminals have chosen Rogue Anti-Malware as their primary method of payment because it has become easier for them to make money by affiliate systems and utilizing these types of attacks. It’s no wonder why we have seen more Rogue detections in the first quarter of 2009 then all of 2008... PandaLabs predicts that incidents of rogue AV scams will grow 100 percent quarter over quarter through the end of Q3*... Remember, It's just as important to update your web applications as it is to update your operating system. If you use Wordpress as a platform for your blog or website, then I recommend viewing the official hardening guide**."

* (Chart available at the URL above.)

** http://codex.wordpre...ening_WordPress

:grrr:

Edited by apluswebmaster, 28 April 2009 - 03:46 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#111 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 30 April 2009 - 05:08 AM

FYI...

Facebook phishing attack
- http://preview.tinyurl.com/crz7yq
April 29, 2009 Techcrunch.com - "... new phishing attack that has broken out on Facebook. If you get an email message that looks to be from Facebook with the subject, “Hello,” and featuring the text below, don’t bother clicking on the link included. Doing so takes you to a site called fbaction .net that mimics the look of the main Facebook login page, hoping to get you to sign in. Naturally, if you do that, the site will have access to your account and can send out more of these messages to your friends. The message body will apparently read something like this (with YOURFRIEND being replaced by the name of a friend of yours):
YOURFRIEND sent you a message.
Subject: Hello
“Visit http: //www.facebook .com/l/4253f;http://fbaction .net/”...
... looks like “fbaction .net” is now the #2 hot trending search topic for all of Google Trends. This thing is apparently spreading quick... Facebook is now blocking outgoing links to that domain, and some browsers, like IE8, have flagged it as malicious."

(Screenshot available at the Techcrunch URL above.)

:ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#112 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 30 April 2009 - 03:53 PM

FYI...

- http://sunbeltblog.b...ngines-and.html
April 30, 2009 - "... Spammers saw this coming on Monday. Spam with headlines claiming that celebrities (Salma Hayek, Madonna) have caught the disease are peddling generic Tamiflu – or stealing the credit card numbers of those naïve enough to make a purchase from one of the nearly 300 newly-registered domains with a “Swine Flu” twist in their name. Cisco’s IronPort anti-spam service says Swine Flu spam is now four percent of global spam. Spam that preys on public fears generated by big news stories is now a genre... See Information week’s coverage here*."
* http://www.informati...cleID=217200528

:grrr:

Edited by apluswebmaster, 30 April 2009 - 03:58 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#113 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 02 May 2009 - 01:59 PM

FYI...

More Swine/Mexican/H1N1 related domains
- http://isc.sans.org/...ml?storyid=6325
Last Updated: 2009-05-02 14:21:58 UTC - "... be ever vigilant in your browsing for Swine/Mexican/H1N1 flu information. We show over 1000 new domains containing those keywords registered in the last 24 hours."

Fed Reserve Spam/Malware Attack is After Your Data
- http://www.shadowser...lendar/20090429
29 April 2009 - "... spam campaigns that are designed to appear as if they are coming from the Federal Reserve. These attacks are not attempting to phish you and trick you into giving them banking or other personal information... They are actually looking to install an info-stealing/banking trojan on your system via drive-by exploits... it is designed to look like a message coming from the Federal Reserve with a message designed to get you to click the link from the e-mail...The bad guys behind the Federal Reserve malware use the LuckySploit exploit pack. LuckySploit has a variety of exploits... Successful exploitation tends to drop a file named wQJs.exe onto the system in the user's Temp folder. It may also drop a file named svchost.exe (same name as a legitimate Windows file) onto the system as well. This "svchost.exe" and "wQJs.exe" are the same file. They both create shell32.dll and 123.info in the user's Temp directory as well. Note that 123.info is just a text file that contains the path to the malware.
Malware Details:
File Name: wJQs.exe | svchost.exe
File Size: 9216 bytes
MD5 hash: 175ef7faf41ecbe757bcd3021311f315
File Name: shell32.dll
File Size: 6144 bytes
MD5 hash: 3182da0a9c6946e226ee6589447af170
VirusTotal Results for these files can be viewed below:
.exe: http://www.virustota...0d7f86ceb6181f1
.dll: http://www.virustota...c6215bf41a64f7c ..."

(Screenshot and more detail available at the Shadowserver URL above.)

:ph34r: :grrr: :ph34r:

Edited by apluswebmaster, 02 May 2009 - 02:29 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#114 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 04 May 2009 - 04:39 AM

FYI...

IFrame redirects lead to MBR rootkit
- http://blog.trendmic...to-mbr-rootkit/
May 3, 2009 - "Websites related to pornography that appear to be compromised were found by Trend Micro engineers loading malicious JavaScript which redirects users onto malicious domains that ultimately lead to the download of an MBR rootkit (TROJ_SNOWAL.A) onto the affected system... malicious scripts all follow a similar routine: upon execution, it checks for the date on the target system then generates a URL based on the date obtained. It then creates an IFrame, which would redirect the user to the generated URL. The URL then leads to the download of a malicious file, which in turn downloads an MBR rootkit..."

(Screenshot and more detail available at the URL above.)

:ph34r: :grrr: :ph34r:

Edited by apluswebmaster, 04 May 2009 - 04:48 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#115 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 04 May 2009 - 10:18 AM

FYI...

Facebook phishing malware
- http://isc.sans.org/...ml?storyid=6328
Last Updated: 2009-05-04 14:47:00 UTC - "Looks like there may be a piece of malware out there is sending out messages to folks on Facebook trying to trick them into visiting a facsimile "Facebook" login page to steal credentials. The phishing site is currently on "junglemix .in," so you may want to block that site. More details as we figure this thing out..."

:grrr: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#116 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 04 May 2009 - 07:32 PM

FYI...

H1N1 Domains
- http://www.f-secure....s/00001674.html
May 4, 2009 - "... here is a list of domains* registered over the weekend using the words swine flu. There are 1,344 on the list. Again, so far, none of the domains we've checked are hosting any malicious files. In fact, the only malicious file we've seen is something that Symantec posted** about last week. It's a PDF "Swine Flu FAQ" exploit which drops a password stealer and then opens a clean PDF file as a decoy. One interesting thing about the exploit that hasn't been mentioned yet is the file name, The Association of Tibetan journalists Press Release.pdf. Tibet themed exploits are very popular with targeted attacks***."
* http://www.f-secure....ay_4th_2009.txt

** https://forums2.syma.../article-id/268

*** http://www.f-secure....s/00001672.html
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#117 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 06 May 2009 - 04:20 AM

FYI...

Waledac Turns to Cash and Vaccines w/SPAM
- http://blog.trendmic...h-and-vaccines/
May 5, 2009 - "Riding on the ongoing global economic recession, Waledac updates its SPAM messages with email subjects related to earning a fortune through Google cash. Other spam email subjects we’ve seen so far:
* Be your own boss with Google
* Earn cash using Google today
* Google System that really works
* Make a fortune online
* Make thousands a month from home
* Start your home business today
* Use Google to earn extra cash

As of this writing, the hyperlink found in the email body redirects to an advertising link which currently returns a redirect loop error in Firefox web browser. Another current event seen leveraged on by this wave of Waledac spam runs is the swine flu outbreak, as spammed messages bear subjects that seem related to a vaccine for swine flu. Other spam email subjects seen so far:
* Anti-swine flu drugs are available here
* Anti-viral treatment for swine flu
* Are you worried about swine flu?
* Are you worried about swine flu? buy medicine!
* Be quick! anti-swine flu drugs are almost sold out
* Buy medicine that prevent you from getting swine flu
* Buy medicine to prevent swine flu
* Buy new effective medicine against swine flu
* Buy the most effective treatment for combating the new swine flu
* Do you want to prevent yourself from swine flu?
* Do you want to protect yorself against swine flu?
* Dont stand in line for swine flu medicine
* Get swine flu medicine here
* Get the swine flu medicine right here
* Hurry up! swine flu drugs are almost sold out
* Keep your family from getting swine flu
* New medicine to prevent swine flu
* New vaccine helps to prevent swine flu
* New vaccine to prevent swine flu
* Order anti-swine flu medicine today
* Order new medicine against swine flu
* Order now vaccine against swine flu
* Prevent infections with swine flu viruses
* Prevent yourself from cathcing swine flu
* Protect your family against swine flu!
* Protect yourself from swine flu
* Stop risk of being killed by swine flu!
* The vaccine protecting against swine flu
* You can buy swine flu drugs here
* You can order anti-flu drugs treaing swine flu here
* You can order anti-swine flu drugs on-line
* You can protect yourself against swine flu!

The given link however only leads to the all too familiar Canadian pharmacy site..."

(Screenshots available at the TrendMicro URL above.)

:grrr: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#118 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 07 May 2009 - 08:49 AM

FYI...

Targeted attacks - most common file types
- http://www.f-secure....s/00001676.html
May 6, 2009 - "... we decided to take a look at targeted attacks and see which file types were the most popular during 2008 and if that has changed at all during 2009. In 2008 we identified about 1,968 targeted attack files. The most popular file type was DOC, i.e. Microsoft Word representing 34.55%... So far in 2009 we have found 663 targeted attack files and the most popular file type is now PDF. Why has it changed? Primarily because there has been more vulnerabilities in Adobe Acrobat Reader than in the Microsoft Office applications... More info about targeted attacks and how they work can be found in our YouTube video*."

(Charts available at the URL above.)

*

:ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#119 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 18 May 2009 - 03:56 PM

FYI...

Rogue Browser Agents
- http://www.f-secure....s/00001684.html
May 18, 2009 - "How big an issue are Rogue antivirus applications? Let's take a look. What is your browser's user agent? Any ideas? The Firefox browser should look something like this: You can determine yours from http://whatsmyuseragent.com . Now let's take a look at this user agent:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Do you see it? Right there in the middle, "AntivirXP08". What is that all about? Some rogues modify the browser's user agent. We've seen hundreds of AntivirXP08 string variations. The modified string is possibly used to identify the affiliates responsible for the installation which drives "business" to the rogue's website. Modified user agents could also be used deliver different content. A victim with AntivirXP08 doesn't need to be convinced to download an installer, instead they can be targeted to complete the scam and to buy the rogue. How many infected user agents are out there? Toni examined one of our sinkholes and its April 2009 logs contained 63,000 unique IP addresses using agents that contain AntivirXP08. 63 thousand. That's a lot of infections, right? And that doesn't include other strings we've seen such as "Antimalware2009". It's a small measure of a very large problem."

(Screenshot available at the F-secure URL above.)

:ph34r: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#120 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 20 May 2009 - 10:11 AM

FYI...

eBay phishing Scam...
- http://www.sophos.co...abs/v/post/4452
May 20, 2009 - "... eBay phishing scam came in the form of a seemingly innocent query about the sale of iPhones. The scam message is quite simple... At first sight, it appears to be a product spam campaign to promote the iPhone. However, when clicking the link that came with the attached email, a -fake- eBay page comes up. This email is actually a ruse designed to steal an eBay user’s information...
SophosLabs analysts have encountered many instances of such misdirection of legitimate websites. They range from internet banking websites to online retail websites. As always, online users should take precautions and never attempt to follow an embedded weblink to an online store or a banking website from an email, even if by first appearances, it looks legitimate..."

(Screenshots available at the URL above.)

:ph34r: :grrr:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#121 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 22 May 2009 - 08:25 AM

FYI...

Malicious iFrame on Gadgetadvisor.com
- http://www.f-secure....s/00001687.html
May 22, 2009 - "Are you a gadget geek? Do you often seek advice from Gadget Advisor before making a purchase? Our Web Security Analyst discovered a malicious IFrame on the popular tech website that redirects visitors to a malicious website... If the site detects a PDF browser plugin for Adobe Acrobat and Reader, it loads a specially-crafted malicious PDF file that exploits a stack-based buffer overflow vulnerability ( http://web.nvd.nist....d=CVE-2008-2992 ). The net effect of the attack is to plant a trojan, detected as Trojan-Downloader.Win32.Agent.brxr, on vulnerable systems by calling the util.printf JavaScript function, which connects back to the malicious website in order to download the trojan to the machine. A remote attacker can access the user's machine once it has been infected with the trojan... This attacks is targeted against older, unpatched version of Adobe programs, as the latest Adobe updates have already fixed this problem. More information and the updates can be found at Abobe at:
http://www.adobe.com.../apsb08-19.html. Disabling the JavaScript function in Acrobat and Reader will also prevent the threat from proceeding."

(Screenshot available at the F-secure URL above.)

:grrr: :ph34r: :(
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#122 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 25 May 2009 - 04:32 AM

FYI...

Facebook phishing/spam/"worm" ...
- http://isc.sans.org/...ml?storyid=6451
Last Updated: 2009-05-25 07:16:47 UTC ... (Version: 5) - "... new Facebook phising/spam/"worm" campaign is doing the rounds. It uses Belgium domains (.be) to impersonate the Facebook login page and steal the user credentials.
UPDATE 4: The malicious domains do not only impersonate Facebook but contain malicious "hidden" (1x1pixel) iframes, hosted on the same host, such as: "/tds/r.php?sid=2&pid=5511". Do not browse them...
UPDATE 3: As expected, more domains are coming (and some of them are still active right now - May 25, 0:00am CET)...:
• redfriend dot be, redbuddy dot be, picoband dot be, areps dot at, greenbuddy dot be
• picoband dot be, vispace dot be, whiteflash dot be, bestspace dot be
• There are other "more than suspicious" .be domains associated to the same IP address.
The ones active do resolve to IP address 211.95.78.98. From APNIC...
country: CN ..."

- http://www.f-secure....s/00001689.html
May 25, 2009

:ph34r: :grrr: :ph34r:

Edited by apluswebmaster, 25 May 2009 - 11:33 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#123 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 26 May 2009 - 05:47 AM

FYI...

Facebook phishing using Belgium (.be) domains (cont'd)
- http://isc.sans.org/...ml?storyid=6451
Last Updated: 2009-05-25 20:01:20 UTC ...(Version: 6)
"UPDATE 5: (May 25, 22:00h CET) It seems there is a new variation moving around, using tinyurl links... For example, you get a Facebook message pointing to "tinyurl dot com /o5kblj/" that takes you to a link at "simplemart dot be".
> Remember you can enable/disable the tinyurl preview feature through
" http://tinyurl.com/preview.php ". You just need to enable cookies on your browser.
Some of the malicious domains being used are redfriend dot be, redbuddy dot be, picoband dot be... (at this point, none of them can be resolved)..."

:ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#124 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 27 May 2009 - 08:02 AM

More on same...

Koobface... again
- http://securitylabs....lerts/3403.aspx
05.26.2009 - "... Koobface attempted another running campaign on Facebook. If infected, Facebook users start to spam their friends with a link to a malicious Web site. When users visit the link, they are redirected various malicious and phishing pages. We detected these on numerous .be domains and TinyURL links. One such malicious page is a fake YouTube page that appears to be a funny video. The page tells visitors to to upgrade their Flash player in order to play the video, and the Flash setup program is actually Koobface malware... Among other things, a proxy server is installed on the infected computer..."

(Screenshots available at the Websense URL above.)

:grrr: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#125 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 01 June 2009 - 03:18 PM

FYI...

Another "Digital Certificate" malware campaign
- http://isc.sans.org/...ml?storyid=6499
Last Updated: 2009-06-01 16:21:12 UTC - "... a "Bank of America Digital Certificate Updating" scheme is used, where a victim of the luring email is directed to a fake website... Using the <Update Certificate> button here will net you a piece of Malware that has approximately 30% AV coverage (as indicated by VirusTotal). A quick analysis of said malware shows probable signs of, suprise-suprise, Waledac..."

(Screenshot available at the URL above.)

:ph34r: :hmmm:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#126 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 01 June 2009 - 11:26 PM

FYI...

Twitter hit with rogue anti-virus scam
- http://www.theregist...r_malware_scam/
2 June 2009 - "Twitter users over the weekend were the target of a scam that tried to infect them with rogue anti-virus software and other malware, in what is one of the first times the micro-blogging site has been hit by a known for-profit attack, a security researcher said. The problem started after a flurry of tweets directed users to a website promising "Best Video." The site appeared to offer content from YouTube, but behind the scenes, the site delivered a PDF document designed to infect those using vulnerable versions of Adobe's Reader program. Victims then received an urgent warning that their systems were infected and needed to cleaned using fraudulent security software... The scam promoted a piece of rogue anti-virus software dubbed System Security."

- http://www.viruslist...logid=208187734
June 01, 2009 - "... fake program called "System Security" is being promoted... Most likely the cyber criminals behind this attack simply used the stolen credentials of those phished accounts to tweet the messages... If the trends we've seen on other social platforms are any indicator for Twitter then we can only expect an increase in attacks."
(Screenshots available at the URL above.)

- http://pandalabs.pan...nds-Attack.aspx
11 June 09 - "... cyber criminals have been targeting Twitter users by creating thousands of messages (tweets) embedded with words involving trending topics and malicious URLs. If the URLs were accessed, the victims would arrive at a rogueware website designed to trick them into thinking that their computer is infected, therefore justifying the need to purchase the fake software offered. Since the initial discovery, we have been keeping a close eye on this attack, but the malicious tweets continue... The ease of carrying out this type of attack leaves us to believe that this will not go away anytime soon... "

:grrr: :ph34r:

Edited by apluswebmaster, 17 June 2009 - 07:09 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#127 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 09 June 2009 - 06:46 AM

FYI...

More Blackhat SEO "scareware" campaigns
- http://ddanchev.blog...ont-end-to.html
June 08, 2009 - "... they've got no customers but the cybercriminals themselves maintaining a portfolio of over 7,000 adult related keywords which they have been using for blackhat SEO campaigns across thousands of automatically registered - CAPTCHA recognition outsourced - Blogspot accounts since February, 2009... Not only is life4info .info or dirsite .com a bogus free hosting provider, but the campaigns hosted by them are interacting with our "dear friends" at AS30407; VELCOM .com which Spamhaus describes as "N. American base of Ukrainian cybercrime spammers" - and with a reason."

(Screenshots and more detail available at the URL above.)

:grrr: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#128 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 11 June 2009 - 11:04 AM

FYI...

Malicious SPAM - Air France plane crash
- http://securitylabs....lerts/3417.aspx
06.11.2009 - "Websense... has detected a new malicious spam campaign pretending to deliver legitimate news updates about the Air France plane crash ( http://news.bbc.co.u...cas/8078147.stm ). The spam campaign is in Portuguese, and includes a link to view the first videos from the crash site. The link to the video leads to a Trojan Downloader file named: Video_AirFrance_447.com. If a user runs the file, it downloads a malicious executable file masquerading as an image from [removed].org/imgs/like2.jpg. The malware registers a password-stealing BHO component on the system masquerading as a McAfee SiteAdvisor component with this GUID: {9387b8b2-5508-11de-8729-c56f55d89593}. The GUID is linked to the malicious installed DLL file named mcieplg.dll under the system32 directory (%windir%\system32\mcieplg.dll). AV detection rates on this file are very low*..."
* http://www.virustota...6914-1244673584

(Screenshots available at the Websense URL above.)

:grrr: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#129 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 15 June 2009 - 06:49 PM

FYI...

Fake MSRT...
- http://preview.tinyurl.com/l28pj7
June 12 2009 CA Security Advisor blog - "CA ISBU Research Lab receives a large number of malicious samples on a daily basis, many of which are found to be Rogue Antivirus applications belonging to the extremely prevalent malware family, Win32/FakeAV... this variant imitates Microsoft Windows Malicious Software Removal Tool (MSRT), as well as promoting Microsoft Office upgrade and other trusted Antivirus products.
Fake Microsoft MSRT Warnings
When the installation package is executed, it will display the fake alert in the system tray... Then, it will display the fake GUI for Microsoft Windows Malicious Software Removal Tool scanning your system and it will display the scan result... (also) imitates the Windows Security Center..."

(Screenshots available at the URL above.)

:grrr: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#130 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 15 June 2009 - 06:50 PM

FYI...

SPAM - Fake EULAs, fixtools...
- https://forums2.syma.../article-id/276
06-12-2009 - "... SPAM (message) noted that Symantec was working with Microsoft to create a patch for "Conflicker." According to the spam message, Conficker is also called "Troj/Brisv.A"... The spam is accompanied by a file named "remtool_conf.exe." The spammers have taken an extra step ahead of just spreading their Trojans. This file is actually a Symantec fixtool for Trojan.Brisv bundled with the Trojan. So, when someone runs this file they actually run the Symantec Brisv fixtool, along with the Trojan completing its task. In this case, the dropped Trojan contacts a remote site in order to download another piece of malware, which is currently detected by Symantec products as Suspicious.MH690.A... We gave the infection a run on a test machine. Almost immediately we saw our own EULA... Running the email attachment did a few things–it dropped the original (signed) Symantec Trojan.Brisv fixtool into a temporary folder; it dropped a Trojan into the same folder; and, it ran the original fixtool. One can see that this is indeed Symantec’s own legitimate fixtool. But, the Trojan file "webexplorer.exe" is basically a downloader. It contacts a remote site in order to download another file called "winupdate.exe". As you’ve guessed, that is also a Trojan and is currently detected as Suspicious.MH690.A... If you have a need to run a Symantec fixtool, go to the Symantec website* and download it for free..."
* http://www.symantec....emovaltools.jsp

(Screenshots available at the first Symantec URL above.)

:ph34r: :grrr:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#131 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 15 June 2009 - 06:52 PM

FYI...

Rogue AV hosted in USA...
- http://sunbeltblog.b...right-here.html
June 15, 2009 - "Contrary to popular belief, not all malware is hosted in Eastern Europe or China. In fact, there’s a whole bucketload of malware hosted in Scranton, PA. Here are malware domains associated with IP 64.191.92.197..."

(Long list and screenshots available at the URL above.)

:ph34r: :grrr:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#132 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 15 June 2009 - 06:53 PM

FYI...

- https://forums2.syma.../article-id/200
06-15-2009 - "It may not be encouraging news for scammers, but users are slowly but surely adopting a see-and-delete approach for the usual fake stories related to lotteries, dormant bank accounts, an inheritance of huge wealth, and relatives of deceased or exiled political leaders sharing their millions. However, lately the trends seem to show that news stories involving current events are being piggybacked or manipulated by scammers to trap users into falling for fraudulent offers... Another recent scam we have been monitoring involves an event resembling the highly rated television reality show Big Brother, which began on June 4 in the UK. Scammers have been inviting recipients to participate in their Big Brother World to be held on July 12 in London, UK... Scammers claim to be a Big Brother agent and will furnish the competition details once users respond to the mailed invitation. Users will need to reply with the application type along with their full name, address, age, and telephone number. Even a casual look at the email reveals several spelling mistakes that start right from the subject line and continue on throughout the message, including using “price” instead of “prize” in the mail body. We would recommend that users follow the usual practice of ignoring [and deleting] such unsolicited emails..."

(Screenshot of scam e-mail available at the URL above.)

:grrr: :ph34r: :hmmm:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#133 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 22 June 2009 - 08:18 PM

FYI...

Fake MS Update SPAM...
- http://blog.trendmic...cal-info-theft/
June 22, 2009 - "... Close to the weekend, we identified SPAM claiming to be a Microsoft Outlook and Outlook Express critical update that “offers the highest levels of stability and security.” A tricky difference here is that all the links in the email (the links to Contact Us, Privacy Statement, Trademarks, and Terms of Use) are legitimate–except one. The URL where the “critical update” may be downloaded looks legitimate, but hovering over the hyperlink (or checking the source code of the mail) reveals a totally different destination... For content security experts this already bears the marks of an email-based cyber-criminal attack. True enough, the URL leads to the download of a file (detected as TROJ_ZBOT.BTS) that on its execution it accesses a website to download a .bin file with information referring to where the Trojan can download an updated copy of itself, and where to send stolen data. The list also contains compromised websites targeted for stealing information. Our engineers confirm that the list was containing several names of banking institutions, among other social networking targets like Facebook and MySpace, and media sites YouTube and Flickr. The list can be viewed here*. Note that the said list may be changed at any time. How does the scam work? Whenever the user visits any of the monitored sites, the Trojan starts logging keystrokes. It then saves gathered information (which presumably includes sensitive information like user name and password, credit card information, etc.) in a file and then sends the file to a dedicated server via HTTP POST..."
* http://preview.tinyurl.com/qrbt7m

(Screenshots available at the Trendmicro URL above.)

> http://www.microsoft.com/protect/yourself/...ng/msemail.mspx

:grrr: :ph34r:

Edited by apluswebmaster, 23 June 2009 - 06:50 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#134 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 24 June 2009 - 05:10 PM

FYI...

Nonstop site re-infections
- http://securitylabs....Blogs/3425.aspx
06.24.2009 - "We recently published an alert* about the Ethiopian Embassy site being compromised... This isn't the first time the site has been compromised. In March of 2009, we noticed an iframe injection pointing to hxxp://[REMOVED]vv.com/index.php. The domain was also serving virus-infected files in other locations, including hxxp://[REMOVED]vv.com/unic/1.exe, a Trojan [see VirusTotal report**]... Attackers are in control and re-compromising the site over and over, potentially infecting visitors with malicious code at any time. These attacks are somewhat of a trend. We've documented a number of compromised embassy sites in the past, illustrating how malware delivery occurs through Web sites..."
* http://securitylabs....lerts/3423.aspx

** http://www.virustota...05a9-1240536959
"File 5143155606c013934a4601648e310800aff688c2.EXE ..."

(Screenshots and more detail available at the Websense URL above.)

:ph34r: :grrr: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#135 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 25 June 2009 - 05:35 AM

FYI...

Zbot In Your Inbox
- http://www.marshal8e...trace.1005~.asp
June 24, 2009 - "A password stealing Zbot (ZeuS bot) Trojan has been increasingly spammed throughout the previous two weeks. We believe the spam originates from the Pushdo botnet. The spam template varies from time to time, mostly using subject lines such as “You have received a Greeting ecard ”, “Statement request”, “Microsoft outlook update”, “Postal Tracking” and may come either as an attachment or a link in the message body... Zbot attempts to download a file named "djwl.bin". This file is an encrypted configuration file..."
(Screenshots available at the URL above.)

Also see: http://www.abuse.ch/?p=1192
March 20, 2009

:grrr:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#136 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 26 June 2009 - 05:59 AM

FYI...

SPAM runs exploit celebrity deaths
- http://www.theregist...son_death_spam/
26 June 2009 - "Spammers have wasted no time exploiting the shock death of Michael Jackson to run an email harvesting campaign. Security watchers warn that malware-laced email themed around the death of the King of Pop and Charlie's Angels star Farrah Fawcett, who also died on Thursday, are likely to follow..."

- http://securitylabs....lerts/3426.aspx
06.26.2009
- http://www.virustota...0ce4-1246012313
File michael_1_.gif received on 2009.06.26 10:31:53 (UTC)
...Result: 5/41 (12.20%)
- http://www.virustota...2ff9-1246029869
File Michael.Jackson.videos.scr received on 2009.06.26 15:24:29 (UTC)
...Result: 10/41 (24.39%)

- http://www.sophos.co...oslabs//?p=5035
June 26, 2009

:ph34r: :ph34r:

Edited by apluswebmaster, 26 June 2009 - 11:41 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#137 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 28 June 2009 - 03:14 PM

FYI...

MSN IM - Pushdo variant...
- http://blog.trendmic...jacksons-death/
June 26, 2009 - "... a slew of malicious links related to Michael Jackson’s last moments in the hospital before his death are now being proliferated in the wild via the instant messaging (IM) application, MSN... When recipients of such messages click on any of these links, they are then prompted to save a file named PIC-IMG029-www.hi5.com.exe (with the MD5 checksum of 031429fc14151f94c8651a3fb110c19b), instead of being led to an image site or gallery. Initial analysis shows that the said file is a variant of the SDBOT family...
Update - 27 June 2009: The botnet is said to push the templated messages through an IRC to the client to be spammed... The malware responsible for this is detected as WORM_IRCBOT.GAT. It opens a certain port on the affected system then listens for remote commands. Kharouni reports that commands to download certain files are received and executed by the affected system, ultimately leading to the download a PUSHDO variant. PUSHDO is a botnet responsible for a huge amount of spam activity..."

(Screenshot available at the URL above.)

:ph34r: :grrr: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#138 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 29 June 2009 - 02:00 PM

FYI...

More celebrity malware...
- http://www.f-secure....s/00001709.html
June 29, 2009 - "There have been a couple of malware attacks that have tried to use the news coverage of the death of Michael Jackson as the lure to get people infected. Last night we saw this one: a file called Michael-www.google.com.exe. This file was distributed through a site called photos-google.com and possibly also through photo-msn.org, facebook-photo.net and orkut-images.com. Do not visit these sites. When executed, Michael-www.google.com.exe drops files called reptile.exe and winudp.exe. These are IRC bots with backdoor capability. The file also shows this fake error message..."
(Screenshot available at the F-secure URL above.)

- http://www.sophos.co...m-hits-inboxes/
July 1, 2009 - "... we have encountered a mass-mailing worm that spams out messages with the following characteristics:
Subject: Remembering Michael Jackson
Attached file: Michael songs and pictures.zip
The email, which claims to come from sarah@michaeljackson.com, says that the attached ZIP file contains secret songs and photos of Michael Jackson. opening the attachment exposes you to infection - and if your computer is hit you will be spreading the worm onto other internet users. Besides spreading via email, the malware is also capable of spreading as an Autorun component on USB memory sticks (an increasingly common trend for malware as use of these devices has become more and more popular). Sophos detects the malware proactively as Mal/ZipMal-B and Mal/VB-AD, and recommends that users of other anti-virus products ensure that their defences are properly updated..."

:grrr:

Edited by apluswebmaster, 02 July 2009 - 06:32 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#139 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 01 July 2009 - 04:55 PM

FYI...

Torrentreactor site compromised
- http://securitylabs....lerts/3430.aspx
07.01.2009 - "Websense... has detected that Torrentreactor, one of the oldest and most reliable torrent search engines on the Web, has been compromised and injected with malicious code. The site has been injected with an IFrame leading to a site laden with exploits. The exploits on the payload site include Internet Explorer (MDAC) and Microsoft Office Snapshot Viewer, as well as Acrobat Reader and Adobe Shockwave. If the user's browser is successfully exploited, a malicious file is downloaded and run from the exploit site. The malicious file has an extremely low AV detection rate*. The file (MD5: 24bd24f8673e3985fc82edb00b24ba73) is a Trojan Downloader and connects to a Bot C&C server at IP 78.109.29.116. After connecting to the IP, the file downloads a Rootkit installer from the same IP..."
* http://www.virustota...b2b7-1246425266
File rncsys32.exe received on 2009.07.01 05:14:26 (UTC)
Result: 2/41 (4.88%)

- http://www.theregist...reactor_breach/
1 July 2009 - "... The malicious file in the latest compromise communicates with a server at 78.109.29.116, an IP address that web searches suggest has ties to the Russian Business Network..."

:ph34r: :grrr:

Edited by apluswebmaster, 02 July 2009 - 06:08 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#140 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 02 July 2009 - 01:36 PM

FYI...

Click fraud trojan...
- http://secureworks.c...reat=ffsearcher
June 26, 2009 - "While analyzing a slew of malware downloaded by the exploit kit used in the "Nine-Ball" web attacks, the SecureWorks Counter Threat Unit came across an interesting trojan that used a previously-unseen HTTP request pattern... After some time we came to the conclusion that the trojan was a search hijacker trojan used for click fraud. Click fraud trojans are as old as Internet advertising itself, and usually we see one of two types: browser hijackers that change one's start page and searches to redirect to a third-party search engine, or trojans that silently pull down a list of ad URLs and generate fake clicks on the ads in a hidden Internet Explorer window. This trojan however, was much more subtle and creative - in this case, every click on an ad is user-generated, and the user never notices any change in their web-surfing experience. We call this trojan search hijacker "FFSearcher", named after one of the websites used in this scheme. Detection of the dropper executable by anti-virus engines is poor at this time, with only 4 of 39 scanners* detecting it at all... As click-fraud trojans go, this is one of the more clever that we've seen, with an impressive feature set:
1. Working code to hijack both Firefox and IE
2. Difficult to spot by the average user
3. Minimally impacting to the infected machine
4. Probably difficult for fraud detection systems at the search engine sites to detect, since every ad-click that comes through is generated on purpose by a user in the course of normal web-surfing activity..."
(Screenshots available at the Secureworks URL above.)
* http://www.virustota...6c9b-1244830834
File nkavnxe.exe received on 2009.06.12 18:20:34 (UTC)
Result: 4/39 (10.26%)

:ph34r: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#141 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 03 July 2009 - 04:00 PM

FYI...

Happy 4th from Waledac...
- http://securitylabs....lerts/3431.aspx
07.03.2009 - "Websense... has detected yet another new Waledac campaign theme in the wild. The new variant uses an Independence Day theme as a social engineering mechanism. The USA celebrates Independence Day on July 4 each year. The malicious emails that are sent use subjects and content related to Independence Day, Fourth of July and fireworks shows. The malicious Web sites in the current attack also have a July 4 or fireworks theme within the domain name. ThreatSeeker has been monitoring the registration of these domains. Should the user click on the video, which is designed to appear to be a YouTube video, an .exe is offered. When downloaded the .exe would install the latest Waledac variant onto the user's machine..."
(Screenshots available at the URL above.)

- http://www.eset.com/...er/blog/?p=1244
July 2, 2009
- http://www.eset.com/...er/blog/?p=1250
July 3, 2009

:ph34r: :grrr:

Edited by apluswebmaster, 03 July 2009 - 11:23 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#142 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 04 July 2009 - 10:48 AM

FYI...

More on Waledac for the 4th...
- http://blog.trendmic...ndence-day-too/
July 4, 2009 - "... These messages contain links to a site which appears to be from Youtube... The video supposedly shows a fabulous fireworks show, but in reality attempting to play the video results in downloading a copy of WORM_WALEDAC.DU..."

(Screenshot available at the URL above)

:grrr: :ph34r: :grrr:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#143 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 05 July 2009 - 07:24 PM

FYI...

Waledac July 4th update - New domains added
- http://www.shadowser...lendar/20090704
4 July 2009 - "... quick update on Waledac. We have been keeping an eye on it for a bit and it's been actively spamming and updating clients to Fake Antivirus products for the last few months. However, we also saw it start spamming itself out again starting yesterday. Actually saw a quick first post of the from sudosecure.net:
http://www.sudosecure.net/archives/583
No real need to have tons of duplicate write-ups and screen shots. You can get the same basic information from the site. It's the standard spam to a link involving a fake YouTube video that wants you to download an executable... We have updated our Waledac domain lists that you can use to block/track Waledac domains. The first URL is to the list that is updated with timestamps, ugly comments, and newest domains at the bottom:
http://www.shadowser...dac_domains.txt
We also have the all-time Waledac domain list that contains just the domain listing since the start. It currently has 244 domains on it and can be reached via the following URL:
http://www.shadowser...aledac_list.txt
These are domains you definitely want to avoid visiting and consider blocking where possible."

:ph34r: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#144 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 06 July 2009 - 11:09 AM

FYI...

Koobface worm infections exploding
- http://www.threatpos...tions-exploding
July 6, 2009 - "In June, we saw an explosive rise in the number of Koobface modifications - the number of variants we detected jumped from 324 at the end of May to nearly 1000 by the end of June. And this weekend brought another flood, bringing us up to 1049 at the time of writing... Koobface spreads via major social networking sites like Facebook and MySpace. It's now spreading via Twitter as well... the pool of potential victims is growing day by day - just take a look at the Alexa stats* for Facebook. So naturally, cybercriminals are going to be targeting these sites more and more often."
* http://www.alexa.com...fo/facebook.com
"... Percent of global Internet users who visit facebook.com:
... 7 day avg: 20.01% ..."

:ph34r: :grrr: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#145 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 10 July 2009 - 07:08 AM

FYI...

Twitter suspends Koobface infected computers
- http://blog.trendmic...itter-activity/
July 9, 2009 - "... Koobface has increased its Twitter activity, sending out tweets with different URL links pointing to Koobface malware. This is in contrast with previous Koobface Twitter activity wherein only three TinyURLs pointing to Koobface were used. As of writing, there are a couple of hunded Twitter users affected by Koobface in the past few hours, but dozens more are being infected as we speak. We advise Twitter users to (not click on) URLs on tweets, especially if the tweet advertises a home video.
Update: It seems this Koobface problem in Twitter is getting bigger and bigger, prompting Twitter itself to temporarily suspend* infected user accounts."
* http://status.twitte...-malware-attack
July 9, 2009 - "... If we suspend your account, we will send you an email notifying you of the suspension. This email also includes tips for removing the malware from your PC."

> http://www.sophos.co...-koobface-worm/
July 10, 2009

Preview a TinyURL
- http://tinyurl.com/preview.php
"Don't want to be instantly redirected to a TinyURL and instead want to see where it's going before going to the site? Not a problem with our preview feature..."

:ph34r: :grrr: :ph34r:

Edited by apluswebmaster, 24 July 2009 - 08:23 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#146 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 21 July 2009 - 06:01 AM

FYI...

H1N1 SPAM w/virus...
- http://www.f-secure....s/00001734.html
July 21, 2009 - "We recently saw this malicious file being spread in emails. The name of the file was Novel H1N1 Flu Situation Update.exe and the icon made it look like a Word document file. When the file was opened, it created several new files to the hard drive:
• %windir%\Temp\Novel H1N1 Flu Situation Update.doc
• %windir%\Temp\doc.exe
• %windir%\Temp\make.exe
• %windir%\system32\UsrClassEx.exe
• %windir%\system32\UsrClassEx.exe.reg
The executables contain backdoor functionality, including an elaborate keylogger. And the document file that is dropped gets automatically opened by the malware, causing the user to think he really opened a Word file..."

- http://www.sophos.co...abs/v/post/5517
July 22, 2009

(Screenshots available at both URLs above.)

:grrr: :ph34r:

Edited by apluswebmaster, 22 July 2009 - 12:11 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#147 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 23 July 2009 - 05:15 PM

FYI...

Targeted malware calling home...
- http://www.f-secure....s/00001736.html
July 23, 2009 - "In targeted attacks, we see more and more attempts to obfuscate the hostname of the server where the backdoors are connecting to. IT staff in many of the targeted organizations are fully aware of these attacks. They keep monitoring their logs for suspicious activity. The admins might spot a host that suddenly connects to known rogue locations like:
• weloveusa.3322.org
• boxy.3322.org
• jj2190067.3322.org
• hzone.no-ip.biz
• tempsys.8866.org
• zts7.8800.org
• shenyuan.9966.org
• xinxin20080628.gicp.net
However, we've now seen a shift in the hostnames. The attackers seem to be registering misleading domain names on purpose, and have now been seen using hosts with names like:
• ip2.kabsersky.com
• mapowr.symantecs.com.tw
• tethys1.symantecs.com.tw
• www.adobeupdating.com
• iran.msntv.org
• windows.redirect.hm
The apparent motive here is that a busy IT administrator might look at a firewall log alert about a machine connecting to www.adobeupdating.com and just disregard it. "That must be the PDF reader trying to download updates..." In reality, adobeupdating.com is registered to somebody in Zaire and has an IP address pointing to Australia."

:ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#148 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 27 July 2009 - 06:40 AM

FYI...

Rogue AV terminates EXE files
- http://blog.trendmic...ates-exe-files/
July 26, 2009 - "This weekend, we at TrendLabs came across a FAKEAV variant similar to the one peddled in the solar eclipse 2009 in America attack in this recent blog post. This one, however, introduces another new scare tactic (so far the latest new ploy we’ve seen is the ransomware/FAKEAV that encrypts files in the infected computer and offers a bogus fixtool for a price). This FAKEAV variant terminates any executed file with an .EXE file extension and displays a pop-up message saying that the .EXE file is infected and cannot execute... This way, users are left with no choice but to activate the antivirus product since no other application works. This Trojan is detected by Trend Micro as TROJ_FAKEAV.B. It avoids terminating critical processes to prevent system crashes. Unfortunately, cybercriminals work hard in creating so many gimmicks, that we can only guess what comes next in FAKEAV..."

(Screenshot available at the URL above.)

:grrr: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#149 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 27 July 2009 - 02:59 PM

FYI...

Malicious Twitter Posts Get More Personal
- http://blog.trendmic...-more-personal/
July 27, 2009 - "... malicious Twitter posts are getting dangerously more customized, increasing the possibility of users getting hooked into malicious schemes. A Twitter spambot is said to have been used in launching this recent attack. The spambot creates Twitter accounts and fashion them to appear as legitimate accounts by posting seemingly harmless posts like those sharing certain music they listen to, or websites they visit. The spambot accounts then posts tweets directed to unknowing users, sharing a link to a PC repair tool they allegedly came across and used... the spambot posting tweets directed to specific users is a noteworthy social engineering technique that was clearly not seen as suspicious by Twitter admins. The spambot accounts were apparently created prior to a spam cleanup recently conducted by Twitter. Additionally, the spambot uses the URL shortener Doiop.com to mask the original URL in the posts, and for a not so good reason. The URL directs to a URL that triggers a couple of redirections that ultimately lead to the download of the file RegistryEasy.exe, which is detected as TROJ_FAKEAV.DAP. TROJ_FAKEAV.DAP comes off as an application that repairs registry problems. However, in true FAKEAV style, it merely displays false results to convince the user into purchasing the product... in the root of one of the URLs the user is redirected to, an advertisement for an application dubbed as Bot Lite is posted. Bot Lite is, as the post describes, a light Twitter bot that virtually anyone can use... Bot Lite does function as a spambot for Twitter. Its file name is bot_lite_100.exe. Its detection name is HKTL_FAKEBOT. HTKL_ is the detection prefix used by Trend Micro for hacker-tools which are considered to be Grayware. Grayware refers to applications that have annoying, undesirable, or undisclosed behavior but do not fall into any of the major threat (ie. Virus or Trojan horse) categories..."

(Screenshots available at the URL above.)

- http://ddanchev.blog...ecurity_27.html
July 27, 2009

:grrr: :ph34r: :grrr:

Edited by apluswebmaster, 27 July 2009 - 03:13 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#150 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 30 July 2009 - 06:10 PM

FYI...

Dilbert sends out 419 scams...
- http://www.sophos.co...abs/v/post/5633
July 29, 2009 - "... Advance Fee fraud scammers will abuse any free service they can get their hands on to send out their spam messages... In recent days, a group of Nigerian scammers have started abusing the “share-a-comic-strip” feature on Dilbert.com. The scammers do this by including their own fraud message inside the “personal message” portion of the sent messages. This is probably a money-making scheme that Dogbert would approve of..."

(Screenshots available at the URL above.)

:ph34r: :grrr:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.




Member of UNITE
Support SpywareInfo Forum - click the button