
SPAM frauds, fakes, and other MALWARE deliveries...


2041 replies to this topic

#151 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 31 July 2009 - 05:42 AM

FYI...

Rogueware growth - 2009 ...
- http://www.darkreadi...cleID=218700073
July 29, 2009 - "All told, 374,000 new versions of rogueware samples were released in this year's second quarter - and that number is expected to nearly double to 637,000 in the third quarter. PandaLabs researchers, who have been tracking the spread of this latest trend in cybercrime, say rogueware is easier for the bad guys than traditional banking Trojan attacks... the numbers have been spiking during the past year:
In the fourth quarter of 2008, PandaLabs found more than 50,000 rogueware samples for a total of 92,000 for the year*. "And there were two times as many in Q2 versus Q1," PandaLabs' Carrons says. "Last year, they were using typical malware distribution channels, with links that were trying to distribute the fake AV. In the second quarter of 2009, we had predicted there would be 220,000 samples [of rogueware], but it turned out to be 374,000." But now social networks, such as Facebook, MySpace, and Twitter, are the latest vehicle for spreading rogueware. Attackers hijack user accounts and go after their friends with a video link... These fake antivirus programs alert victims that they are "infected" and lure them to click and clean their machines; when they do, they are prompted to purchase a license for the phony security application... So the bad guys are now automatically generating new, unique samples that AV engines can't recognize, according to the researchers. PandaLabs found in its research two main tiers in the rogueware business model: the creators, who develop the rogue applications and provide back-office services, such as payment gateways, and the affiliates, who distribute the fake AV. Affiliates are mostly Eastern Europeans..."
* http://www.pandasecu...orts#Monographs

Following the Money: Rogue Anti-virus Software
- http://voices.washin...trail_of_r.html
July 31, 2009

:ph34r: :grrr:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#152 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 10 August 2009 - 06:48 AM

FYI...

Q2-2009 - $34m in Rogueware per month...
- http://www.theregist...areware_market/
7 August 2009 - "Fraudsters are making approximately $34m per month through scareware attacks, designed to trick surfers into purchasing rogue security packages supposedly needed to deal with non-existent threats. A new study, The Business of Rogueware*, by Panda Security researchers Luis Corrons and Sean-Paul Correll, found that scareware distributors are successfully infecting 35 million machines a month. Social engineering attacks, often featuring social networking sites, that attempt to trick computer users into sites hosting scareware software have become a frequently used technique for distributing scareware. Tactics include manipulating the search engine rank of pages hosting scareware. Panda reckons that there are 200 different families of rogueware, with more new variants coming on stream all the time... Luis Corrons, PandaLabs' technical director: "By taking advantage of the fear in malware attacks, they prey upon willing buyers of their fake anti-virus software, and are finding more and more ways to get to their victims, especially as popular social networking sites and tools like Facebook and Twitter have become mainstream." In Q2 2009, four times more new strains were created than in the whole of 2008, primarily in a bid to avoid signature-based detection by genuine security packages..."
* http://www.pandasecu...orts#Monographs
"... results:
• We predict that we will record more than 637,000 new rogueware samples by the end of Q3 2009, a tenfold increase in less than a year.
• Approximately 35 million computers are newly infected with rogueware each month (approximately 3.50 percent of all computers).
• Cybercriminals are earning approximately $34 million per month through rogueware attacks..."

:grrr: :ph34r: :hmmm:

#153 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 11 August 2009 - 07:28 PM

FYI...

PayPal fraud with CAPTCHA
- http://blog.trendmic...d-with-captcha/
Aug. 11, 2009 - "... CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) used to protect web sites against abusive automated software that can register, spam, login, or even splog. However, nowadays that isn’t the case anymore. Just like the traditional PayPal phish, the web page http ://{BLOCKED}www.security-paypal.citymax.com /paypal_security.html asks the user to provide feedback from their Shopping by asking for their Name, E-mail Address and PayPal password... After which, a CAPTCHA image is shown and requires the user to enter the code indicated for spam prevention. However, after entering the user’s personal information, this could be used to create bogus mail accounts, among other things..."

(Screenshot available at the URL above.)

:ph34r: :grrr:

#154 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 14 August 2009 - 05:33 AM

FYI...

Spam changes HOSTS file...
- http://blog.trendmic...g-a-hosts-file/
Aug. 14, 2009 - "We have recently detected a new spam attack that attempts to grab the bank data of Brazilian users. The mechanics of this attack are simple. Users receive this spam email... The mail claims that the user has received an e-card, and contains a link to “read” the said card. Click on the related link, a file is downloaded and executed... Apparently nothing happens, just an Internet Explorer window is opened showing a related web card from this initial phishing. In the background, however, the HOSTS file is changed, and set to redirect certain Brazilian banking Web sites to a malicious web site. All information posted in any of the said pages will then be grabbed by the attacker..."

(Screenshots available at the URL above.)

:ph34r:

#155 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 20 August 2009 - 09:30 AM

FYI...

Facebook apps used for phishing
- http://blog.trendmic...d-for-phishing/
Aug. 19, 2009 - "It would be easy to think that once someone has logged in successfully to Facebook—and not a phishing site—that the security threat is largely gone. However, that’s not quite the case, as we’ve seen before*. Earlier this week, however, Trend Micro... found at least two—if not more—malicious applications on Facebook. (These were the Posts and Stream applications.) They were used for a phishing attack that sent users to a known phishing domain, with a page claiming that users need to enter their login credentials to use the application. The messages appear as notifications in a target user’s -legitimate- Facebook profile... While Trend Micro has informed Facebook of these findings, users should still exercise caution when entering login credentials. They should be doubly sure that these are being entered into legitimate sites, and not carefully crafted phishing sites..."
* http://blog.trendmicro.com/?s=Koobface

(Screenshots available at the URL at the top listed above.)

:ph34r: :ph34r:

#156 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 24 August 2009 - 04:18 AM

FYI...

Employers block social networking, web surfing at work
- http://www.darkreadi...cleID=219401053
Aug. 21, 2009 - "... According to new data collected by ScanSafe, which filters more than a billion Web queries each month, some 76 percent of companies are now blocking social networking sites - a 20 percent increase over the past six months. More companies now block social networking sites than block Webmail (58 percent), online shopping (52 percent), or sports sites (51 percent), ScanSafe says*. "Social networking sites can expose businesses to malware, and if not used for business purposes, can be a drain on productivity and bandwidth," says Spencer Parker, director of product management at ScanSafe... Companies are also increasing their restrictions on other types of sites, including travel, restaurants, and job hunting sites, according to the data..."
* http://www.scansafe...._networking_use


#157 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 26 August 2009 - 05:20 AM

FYI...

Cybercrime Hub in Estonia
- http://blog.trendmic...hub-in-estonia/
Aug. 26, 2009 - "... this company has been serving as the operational headquarters of a large cybercrime network since 2005. From its office in Tartu (Estonia), employees administer sites that host codec Trojans and command and control (C&C) servers that steer armies of infected computers. The criminal outfit uses a lot of daughter companies that operate in Europe and in the United States. These daughter companies’ names quickly get the heat when they become involved in Internet abuse and other cybercrimes. They disappear after getting bad publicity or when upstream providers terminate their contracts. Some of the larger daughter companies survived up to 5 years, but got dismantled after they lost internet connectivity in a data center in San Francisco, when webhosting company Intercage went dark in September 2008, and when ICANN decided to revoke the company’s domain name registrar accreditation. This caused a major blow to the criminal operation. However, it quickly recovered and moreover immediately started to spread its assets over many different webhosting companies. Today we count about 20 different webhosting providers where the criminal Estonian outfit has its presence. Besides this, the company owns two networks in the United States. We gathered detailed data on the cyber crime ring from Tartu and found that they control every step between driving traffic to sites with Trojans and exploiting infected computers. Even the billing system for fake antivirus software that is being pushed by the company is controlled from Tartu. An astonishing number of 1,800,000 Internet users were exposed to bogus “you are infected” messages in July 2009 when they tried to access high traffic pornography sites."

(Screenshots available at the URL above.)

:ph34r: :grrr: :ph34r:

#158 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 27 August 2009 - 06:29 PM

FYI...

Malware in the mail...
- http://www.theregist.../postal_trojan/
27 August 2009

- http://preview.tinyurl.com/kkwztk
August 27, 2009 [Infoworld] - "... The (FBI) is trying to figure out who sent five Hewlett-Packard laptop computers to West Virginia Governor Joe Manchin a few weeks ago, with state officials worried that they may contain malicious software... According to sources familiar with the investigation, other states have been targeted too, with HP laptops mysteriously ordered for officials in 10 states. Four of the orders were delivered, while the remaining six were intercepted..."

Malicious CD ROMs mailed to banks
- http://isc.sans.org/...ml?storyid=7024
Last Updated: 2009-08-26 22:16:01 UTC - "The National Credit Union Administration (NCUA) published an interesting advisory here:
http://www.ncua.gov/.../MR09-0825a.htm
Member credit unions evidently are reporting receiving letters which include two CDs. The letters claim to originate from the NCUA and advertise the CDs as training materials. However, it appears that the letter is a fake and the CDs include malware..."

:ph34r: :ph34r:


#159 johnpeterson1982

johnpeterson1982

    Member

  • Banned
  • Pip
  • 2 posts

Posted 02 September 2009 - 12:29 AM

Fake Microsoft patch SPAM

- http://securitylabs....lerts/3122.aspx
06.30.2008 - "Websense... has discovered a substantial number of spam messages utilizing a reliable social engineering trick that lures users to download a Microsoft critical security update... The message uses an open redirect at the legitimate shopping site shopping.***.com; the redirect forwards users to a malicious URL offering to download a malicious executable. The malicious hostname is a lengthy one embedding 62 characters, and uses the sub-domain update.microsoft.com. Users who open this file will have their desktop infected with a Backdoor... An interesting trait of this particular attack is that the malicious top level domain is pointing to the government site of the United States Secret Service - The Electronic Crimes Task Forces Web site in an apparent attempt to work around IP reputation-based systems... It is important to add that Microsoft -never- sends security update notifications through emails..."

regards

john
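The Websense alert quoted in the post above combines two tricks that a mail filter can check for mechanically: an open redirect on a trusted shop whose target is carried in a query parameter, and a long hostname that starts with update.microsoft.com but is registered under some other domain. The checker below is an added example, not Websense's or the forum's code; the trusted-domain list, the sample link and the two-label approximation of the registrable domain are assumptions (the approximation ignores public suffixes such as co.uk).

```python
"""Spot brand-impersonating hostnames hidden behind an open redirect.

Given a link from a message, pull out every query-parameter value that is
itself an absolute URL (the redirect target), then flag any target hostname
whose labels spell a trusted domain while its registrable domain is
something else, e.g. update.microsoft.com.<attacker-domain>.
"""
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Ordered most specific first so the most precise match is reported.
TRUSTED = ("update.microsoft.com", "www.microsoft.com", "microsoft.com")


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def impersonates(host: str) -> Optional[str]:
    """Return the trusted domain that `host` imitates, or None if it is clean."""
    h = host.lower().rstrip(".")
    for t in TRUSTED:
        if h == t or h.endswith("." + t):
            return None                      # genuinely under the trusted domain
    padded = "." + h + "."
    for t in TRUSTED:
        # Trusted name appears as a whole label sequence but is not the suffix:
        # the real registrable domain belongs to someone else.
        if ("." + t + ".") in padded and registrable(h) != registrable(t):
            return t
    return None


def redirect_targets(url: str) -> list:
    """Return query-parameter values that are absolute http(s) URLs."""
    targets = []
    for values in parse_qs(urlsplit(url).query).values():
        for v in values:
            v = unquote(v)                   # handle double-encoded targets
            if v.lower().startswith(("http://", "https://")):
                targets.append(v)
    return targets


def analyse(url: str) -> dict:
    """Summarise the link's own host and every redirect target it carries."""
    report = {"host": urlsplit(url).hostname or "", "targets": []}
    for t in redirect_targets(url):
        host = urlsplit(t).hostname or ""
        report["targets"].append({
            "url": t,
            "host": host,
            "host_length": len(host),        # the alert notes a 62-char hostname
            "impersonates": impersonates(host),
        })
    return report


# Constructed sample, modelled on the alert: an open redirect on a shop site
# pointing at a 62-character hostname prefixed with update.microsoft.com.
SAMPLE_LINK = (
    "http://shopping.example.com/redirect?url="
    "http%3A%2F%2Fupdate.microsoft.com.critical-security-patch-kb-urgent.example"
    "%2Fupdate.exe"
)

if __name__ == "__main__":
    for t in analyse(SAMPLE_LINK)["targets"]:
        print(f"{t['host']} ({t['host_length']} chars) impersonates {t['impersonates']}")
```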

#160 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 02 September 2009 - 04:03 PM

FYI...

Rogue AV goes Green
- http://securitylabs....Blogs/3469.aspx
09.02.2009 - "Given the world's ever-increasing environmental concerns, it’s easy to see why malware authors are monetizing via an eco-friendly strategy. Just as the scare tactics of rogue AVs have already taken their toll, yet another ingenious twist appears - this time resorting to a friendlier, “greener” tone. Green-conscious people, beware! The latest scheme states that, for every fake AV you buy, a donation will be made to an environmental care program. It’s very simple and direct – buy the software and save the planet. Unlike other rogue AV campaigns that offer “free trial versions,” this ploy actually requires the user to buy the malware with a credit card, all the while assuring the user that a donation will be made to a green cause. This social engineering scheme appears to be picking up steam—as stories of fake AV grief from victims posted on the Web continue to pour in." (including search engine poisoning w/links to the rogue software)

(Screenshots available at the URL above.)

:ph34r:


#161 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 04 September 2009 - 10:38 AM

FYI...

Malicious blogs on Blogspot...
- http://www.symantec....s-koobface-gang
September 1, 2009 - "... We have been monitoring Koobface for a while now, and here we have some findings based on analyzing data collected over three weeks. These findings shed some light onto the modus operandi of the gang behind Koobface and the effectiveness of its techniques. The infrastructure used by the Koobface gang is relatively simple: a central redirection server redirects victims to one of the infected bots where the actual social engineering attack takes place. While the central redirection point has been actively targeted by take-down requests, the Koobface gang has so far been quick to replace suspended domain names and blacklisted IPs with new ones... The use of SEO techniques by Koobface has only recently come under analysis. For example, a recent post* by Finjan’s Daniel Chechik has described how Koobface automatically creates malicious blogs on Blogspot, Google’s blogging platform, to attract and infect victims. During our monitoring we detected 11,337 such malicious blogs..."
* http://www.finjan.co...px?EntryId=2317

(Screenshots available at the URL above.)

:grrr: :ph34r:

#162 cnm

cnm

    Mother Lion of SWI

  • Retired Staff
  • PipPipPipPipPip
  • 25,317 posts

Posted 04 September 2009 - 04:19 PM

Contraviro Yet another rogue.. http://siri-urz.blog...contraviro.html

Contraviro is a new fake malware cleaner (rogue). The GUI and name have changed, but it is the same code as the Unvirex rogue...

HijackThis symptoms:

O2 - BHO: StatusBarPane - {CCB5551D-8594-4999-85F9-1E3EABCB95AC} - C:\Program Files\Contraviro\IEAddon.dll
O4 - HKLM\..\Run: [Contraviro] C:\Program Files\Contraviro\Contraviro.exe
O10 - Unknown file in Winsock LSP: c:\program files\contraviro\siglsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\contraviro\siglsp.dll

Notice the LSP hijack. Removing the siglsp.dll file without restoring the LSP chain will break the Internet connection...


Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#163 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 06 September 2009 - 05:03 AM

FYI...

Swine flu SPAM leads to malware
- http://blog.trendmic...ead-to-malware/
Sep. 5, 2009 - "No one is absolutely safe from Influenza H1N1, not even world leaders. This is the scenario painted by cybercriminals in their latest spam run. The spammed message informs recipients that the President of Peru, Alan Gabriel Ludwig García Pérez, and other attendees of the delegation of UNASUR (Union of South American Nations) summit have confirmed cases of Swine flu. Furthermore, it states that the presidents of Brazil and Bolivia were also both infected but are now recovering... Written in Spanish, the spam attempts to stir recipients’ curiosity by saying that the incident is being kept from the public. It also urges them to click on the malicious link, which purports to contain the audio news pertaining to this incident. Instead of news, however, all victims get is an executable file ( Alan.Gripe.Porcina.mp3 .exe ) detected by Trend Micro as TSPY_BANCOS.AEM. BANCOS variants are known for their info-stealing capabilities..."

(Screenshots available at the URL above.)

:grrr: :ph34r:

#164 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 07 September 2009 - 07:20 AM

FYI...

WordPress worm circulating...
> http://www.spywarein...?...st&p=701246

:grrr: :ph34r:

#165 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 08 September 2009 - 06:33 AM

FYI...

Koobface attacks on Facebook and MySpace...
- http://www.associate...ook.html?cat=15
September 07, 2009 - "Rumors of a Fan Check virus have circulated in the Facebook community. Kaspersky Lab* [reports] two variants of Koobface viruses which (for now) are only attacking Facebook and MySpace users... As a Facebook user, it's important to remember not to open suspicious links, even if they are from "friends"... had problems in the past with hackers using my friends' accounts to spam or to send viruses. One of the current links is to a YouTube video and a message asking the users to update to the latest version of Flash Player. By clicking, the user will have effectively downloaded a worm...."
* http://www.kaspersky...ws?id=207575670

- http://www.eset.com/...-about-facebook
September 8, 2009 - "... Quite a few people are talking about Fan Check at the moment, but mostly in the context of the "Facebook Fan Check Virus" hoax: briefly, the bad guys are using SEO poisoning to ensure that if you look for search terms like "Facebook Fan Check Virus" in a search engine, some of the top-ranking hits you get will be to sites that will try to trick you into downloading a rogue anti-malware application..."

:grrr: :ph34r:


#166 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 10 September 2009 - 06:10 AM

FYI...

Bogus work-at-home schemes...
- http://voices.washin...447000_fro.html
September 9, 2009 - "Organized cyber thieves are increasingly looting businesses in heists that can net hundreds of thousands of dollars. Security vendors and pundits may be quick to suggest a new layer of technology to thwart such crimes, but in a great many cases, the virtual robbers are foiled because an alert observer spotted something amiss early on and raised a red flag. In mid-July, computer crooks stole $447,000 from Ferma Corp., a Santa Maria, Calif.-based demolition company, by initiating a large batch of transfers from Ferma's online bank account to 39 "money mules," willing or unwitting accomplices who typically are ensnared via job search Web sites into bogus work-at-home schemes..."

:grrr: :ph34r:

#167 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 11 September 2009 - 06:01 AM

FYI...

FakeAV for 9/11
- http://blog.trendmic...r-september-11/
Sep. 10, 2009 - "As the anniversary of the horrible September 11 attacks in The United States approaches, Trend Micro researchers donned their research coats and waited for the people behind FAKEAV to make their move. Predictably, they did not disappoint. Through SEO poisoning, users searching for any reports related to September 11 may find themselves stacked with Google search results that lead to a rogue AV malware... several malicious Web sites that can all be found in the poisoned Google search results... The people behind FAKEAV still show no sign of slowing down. With the holiday season coming up, users are also advised to refrain from visiting unknown sites returned in Search Engine results and rely on reputable news agencies instead."
(Screenshot available at the URL above.)

- http://www.sophos.co...ers-exploit-911
September 11, 2009

:grrr: :ph34r:


#168 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 11 September 2009 - 08:17 PM

FYI...

Google Groups trojan
- http://www.symantec....e-groups-trojan
September 11, 2009 - "... A back door Trojan that we are calling Trojan.Grups* has been using the Google Groups newsgroups to distribute commands. Trojan distribution via newsgroups is relatively common, but this is the first instance of newsgroup C&C usage that Symantec has detected. It’s worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility. The Trojan itself is quite simple. It is distributed as a DLL, and when executed will log onto a specific account:
Escape[REMOVED]@gmail.com
h0[REMOVED]t
The Web-based newsgroup can store both static “pages” and postings. When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out. The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject. The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time."
* http://www.symantec...._...-99&tabid=2

:grrr: :ph34r:

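The Symantec write-up quoted above gives enough of the Trojan.Grups channel to build an analyst-side decoder: the newsgroup page and the response posts are RC4-encrypted and then base64-encoded, and each command carries an index number, a command line and an optional file to download. The block below is an added example (not Symantec's code); the '|'-separated one-command-per-line layout and the key are assumptions (a real key would be recovered from the unpacked sample), and RC4 is implemented inline because the Python standard library does not ship it.

```python
"""Decode a captured Trojan.Grups-style command page (RC4, then base64).

decode_page() reverses the encoding the write-up describes and splits the
plaintext into Command records.  encode_page() is the inverse and is used
here only to construct the sample page, since the real key and page are
not available.  Field layout ('index|command line|optional download') is
an assumption, not something the write-up states.
"""
import base64
from dataclasses import dataclass
from typing import List, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                     # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                        # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


@dataclass(frozen=True)
class Command:
    index: int                  # echoed back as the subject of the response post
    command_line: str
    download: Optional[str]     # optional file to fetch before running


def decode_page(blob_b64: str, key: bytes) -> List[Command]:
    """base64-decode, RC4-decrypt and parse a command page into Command records."""
    plain = rc4(key, base64.b64decode(blob_b64)).decode("utf-8", errors="replace")
    commands = []
    for line in plain.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 2)
        if len(parts) < 2 or not parts[0].isdigit():
            # Wrong key or wrong layout assumption: fail loudly for the analyst.
            raise ValueError(f"unexpected command layout: {line!r}")
        download = parts[2] if len(parts) == 3 and parts[2] else None
        commands.append(Command(int(parts[0]), parts[1], download))
    return commands


def encode_page(commands: List[Command], key: bytes) -> str:
    """Inverse of decode_page; used only to build the constructed sample."""
    lines = [f"{c.index}|{c.command_line}|{c.download or ''}" for c in commands]
    return base64.b64encode(rc4(key, "\n".join(lines).encode("utf-8"))).decode()


# Constructed placeholders: neither the key nor the commands come from the sample.
SAMPLE_KEY = b"placeholder-key"
SAMPLE_PAGE = encode_page([
    Command(17, "cmd.exe /c systeminfo", None),
    Command(18, "tool.exe /s", "http://example.invalid/tool.exe"),
], SAMPLE_KEY)

if __name__ == "__main__":
    for c in decode_page(SAMPLE_PAGE, SAMPLE_KEY):
        print(f"[{c.index}] {c.command_line}  download={c.download}")
```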

#169 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 14 September 2009 - 05:54 AM

FYI...

NY Times pushes Fake AV malvertisement
- http://countermeasur...malvertisement/
Sep. 14, 2009 - "...the New York Times issued a warning over Twitter and also on the front page of the web site. The newspaper advised visitors that they had had reports from “some NYTimes .com readers” relating to a malicious pop-up window while browsing the site... In the warning, the influential newspaper stated their belief that the pop-ups were the result of an “unauthorised advertisement”... it looks as though the problem may have been ongoing for upwards of 24 hours. The pop-up window itself... was the all-too-familiar sight of rogue antivirus software informing the NYTimes reader that their computer is infected with random, spurious, non-existent malware and promising “Full System Cleanup” for a fee of course... The malicious software being punted in this case, is the same as we were seeing in much of the black-hat SEO around the 9/11 attacks, as reported previously on the TrendLabs malware blog*. In this particular example, the malicious site and software is being hosted by a German provider, Hetzner AG, which has a colourful track record when it comes to spewing dodgy content, having hosted literally hundreds of malicious URLs. Here’s a really simple tip to remember. If you *ever* see a pop-up window that arrives uninvited, telling you your PC is infected, ignore it, it is a scam. Close the window, empty your browser cache... UPDATE: Troy Davis was fortunate enough to be able to examine the attack in real-time and provides an excellent code level analysis here**".

* http://blog.trendmic...r-september-11/

** http://troy.yort.com...-on-nytimes-com

:ph34r: :grrr:

#170 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 15 September 2009 - 06:20 AM

FYI...

Fake A/V hacks for another celebrity death...
- http://www.sophos.co...reware-hackers/
September 15, 2009 - "Patrick Swayze, the star of movies such as "Dirty Dancing" and "Ghost", has died after fighting cancer of the pancreas for two years. Although the entertainment world mourns his loss, heartless hackers are taking advantage of the hot news story by creating malicious webpages that lead to fake anti-virus (also known as scareware) alerts... This is the same tactic used by cybercriminals after the death of Natasha Richardson and when they exploited interest amongst the public in the anniversary of the 9/11 terrorist attack last week. Clearly the cybercriminals are no slackers when it comes to jumping on a trending internet topic, and are more professional than ever before in spreading their fake anti-virus scams..."

:ph34r: :grrr:

#171 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 17 September 2009 - 03:24 AM

FYI...

Rogue Anti-Virus SEO Poisoning...
- http://securitylabs....Blogs/3479.aspx
09.16.2008 - "SEO poisoning is fast becoming a trend in spreading rogue anti-virus software. This type of attack coupled with relevant news items that might be of interest to users from all walks of life is a lethal combination. Search terms related to the recent MTV Video Music Awards brouhaha and President Obama’s off-the-record comments about Kanye West, as well as updates on murdered Yale graduate student Annie Le, are the latest targets... Upon visiting these search results, visitors would be presented with the standard fake / rogue AV Web site. To make matters worse, (real) anti-virus have very poor detection rates..."

- http://www.virustota...9896-1253125434
File setup_build6_195.exe received on 2009.09.16 18:23:54 (UTC)
Result: 1/41 (2.44%)

- http://www.virustota...610e-1253125440
File Soft_71.exe received on 2009.09.16 18:24:00 (UTC)
Result: 3/41 (7.32%)

(Screenshots of the fake AV Web site, as led to by the search engine, available at the Websense URL above.)

- http://isc.sans.org/...ml?storyid=7144
Last Updated: 2009-09-17 07:36:18 UTC

:grrr: :ph34r:


#172 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 19 September 2009 - 08:31 AM

FYI...

PBS site hacked - used to serve exploits
- http://www.threatpos...ve-exploits-118
September 18, 2009 - "Some sections of the popular PBS.org Web site have been hijacked by hackers serving up a cocktail of dangerous exploits. According to researchers at Purewire*, attempts to access certain PBS Web site pages yielded JavaScript that serves exploits from a malicious domain via an iframe. The malicious JavaScript was found on the "Curious George" page that provides content on the popular animation series. A look at the code on the hijacked site shows malicious activity coming from a third-party .info domain. The URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015)..."
* http://blog.purewire...-Serve-Exploits

:grrr: :ph34r:

#173 AplusWebMaster

Posted 21 September 2009 - 04:18 AM

FYI...

Fake Twitter accounts for Fake AV
- http://www.f-secure....s/00001773.html
September 20, 2009 - "We're seeing more and more fake Twitter accounts being auto-generated by the bad boys. The profiles look real. They have variable account and user names (often German) and different locations (US cities). They even upload different Twitter wallpapers automatically... All the tweets sent by these accounts are auto-generated, either by picking up keywords from Twitter trends or by repeating real tweets sent by humans. And where do all the links eventually end up to? Of course, they lead to fake websites trying to scare you into purchasing a product you don't need..."

(Screenshots available at the URL above.)

- http://www.sophos.co...attack-twitter/
September 21, 2009

:ph34r: :grrr:

Edited by apluswebmaster, 22 September 2009 - 06:38 AM.


#174 AplusWebMaster

Posted 21 September 2009 - 04:45 PM

FYI...

Monopoly Game malware...
- http://securitylabs....lerts/3481.aspx
09.21.2009 - "Websense... discovered a new spam campaign that is targeting players of the Monopoly game. The Monopoly World Championships take place every four years, and Las Vegas is the host city of 2009. Because the Monopoly Regional Championships are going on all over the world and many Monopoly enthusiasts take part, the spammers utilize this chance to play their tricks. Our email honeypot systems detected over 30 thousand Monopoly spam messages on September 21, 2009 alone. The spam uses a social networking technique to "invite" you to play the online board game. It then provides a link to the fake Monopoly game download site, which in fact downloads a Trojan..."

(Screenshots available at the URL above.)

:grrr: :ph34r:

#175 AplusWebMaster

Posted 24 September 2009 - 08:05 AM

FYI...

Fake Malwarebytes - Bogus Sponsored Link Leads to FAKEAV
- http://blog.trendmic...eads-to-fakeav/
Sep. 24, 2009 - "Apart from SEO poisoning, cybercriminals have found another avenue to proliferate FAKEAV malware - bogus sponsored links (sitio patrocinados in Spanish). Just recently, Trend Micro researchers were alerted to malicious search engine ads that appeared in Microsoft’s Bing and AltaVista, among others, when a user searches the string “malwarebytes.” (Malwarebytes is a free antivirus product, but of course, not a FakeAV.) Clicking the malicious URL points the user to an executable file named MalwareRemovalBot.exe-1 (detected by Trend Micro as TROJ_FAKEAV.DMZ). Upon execution, the rogue antivirus displays false information that the system is infected with files that do not even exist... In the past, cybercriminals employed the same tactic when it hitchhiked on Trend Micro. Some Google searches then showed banner ads that led to a fraudulent Trend Micro website. Though the ads may not appear in all regions, all users are still strongly advised to be extra careful when clicking links in search engines..."

(Screenshots available at the URL above.)

:grrr: :ph34r:

#176 AplusWebMaster

Posted 25 September 2009 - 08:13 AM

FYI...

Malvertisements - weekend run...
- http://blog.scansafe...rtisements.html
September 24, 2009 - "Between Sep 19-21, malicious banner ads were served via multiple popular sites, including drudgereport.com, lyrics.com, horoscope.com and slacker.com. The ads delivered a trojan downloader using a variety of Adobe PDF exploits as well as the Microsoft ActiveX DirectShow exploit described in MS09-032. Detection of the malicious PDF is quite low, with only 3 out of 41 scanners detecting, as seen in this VirusTotal report*... Attackers use online ads for the same reasons a legitimate company would do so. When an attacker can infiltrate an advertising network, it enables them to reach a broad number of websites within a chosen category. This provides the attacker with the same return on investment that it would a legitimate advertiser – broad exposure to the audience of their choosing..."

- http://www.theregist...s_google_yahoo/
24 September 2009 - "... They were delivered over networks belonging to Google's DoubleClick; Right Media's Yield Manager (owned by Yahoo); and Fastclick, owned by an outfit called ValueClick... the payload installed Win32/Alureon, a trojan that drops a backdoor on infected machines... also appeared on slacker.com ..."

- http://www.virustota...023b-1253635686
File 201f338a343e02a41dc7a5344878b862 received on 2009.09.22 16:08:06 (UTC)
Current status: finished
Result: 3/41 (7.32%)

:grrr: :ph34r: :grrr:

#177 AplusWebMaster

Posted 28 September 2009 - 05:41 AM

FYI...

Fake IRS email SPAM - w/Zeus Trojan...
- http://www.computerw...l_virus_problem
September 25, 2009 - "Criminals are waging a nasty online campaign right now, hoping that their victims' fears of the tax collector will lead them to inadvertently install malicious software. The spam campaign, entering its third week now, is showing no signs of slowing down, according to Gary Warner*, director of research in computer forensics with the University of Alabama at Birmingham. This one campaign accounts for about 10 percent of the spam e-mail that his group is presently tracking, he said... Since first spotting the spam on Sept. 9, antispam vendor Cloudmark has counted 11 million messages sent to the company's nearly 2 million desktop customers... What makes this campaign particularly ugly is that the malware that accompanies the fake IRS messages is a variant of the hard-to-detect Zeus Trojan. This software hacks into bank accounts and drains them of money as part of a widespread financial fraud scheme. Researchers estimate that the Zeus criminals are emptying more than a million dollars per day out of victims' bank accounts with the software. Small businesses have been particularly hard-hit by this fraud, because banks have sometimes held them accountable for the losses..."
* http://garwarner.blo...-continues.html

- http://blog.trendmic...other-irs-scam/

- http://www.irs.gov/p....html?portlet=1

- http://www.us-cert.g...reading_via_irs
September 28, 2009

:ph34r: :grrr:

Edited by apluswebmaster, 28 September 2009 - 09:20 AM.


#178 AplusWebMaster

Posted 28 September 2009 - 07:21 AM

FYI...

Phishing attacks reach record levels in Q2 2009
- http://www.markmonit...r090928-bji.php
September 28 2009 - "...
• During Q2 2009, phish attacks reached record levels with more than 151,000 unique attacks
• The average number of phishing attacks per organization also increased to record levels, with 351 attacks per organization, on average, in Q2 2009
• Social networking attacks continued to rise significantly, recording a 168% increase from the same period in 2008
• Brands in the financial and payment services industries are the most heavily-targeted industry categories for phishers, constituting 80 percent of all phish attacks in Q2 2009..."

:ph34r: :ph34r:

#179 AplusWebMaster

Posted 29 September 2009 - 01:47 PM

FYI...

Tropical Storm leads to FAKEAV
- http://blog.trendmic...eads-to-fakeav/
Sep. 29, 2008 - "Cybercriminals leveraged on the tropical storm, Ondoy (International name: Ketsana) that hit the Philippines and killed around 140 people... several malicious sites that appeared each time the users search the strings, “manila flood,” “Ondoy Typhoon,” and “Philippines Flood,” among others. The said sites emerged as one of the top search results. Once the user clicks the URL, they will be redirected to several landing pages where they are asked to download an EXE file, soft_207.exe. Trend Micro detects it as TROJ_FAKEAV.BND. This attack does GeoIP checks, which mean it only targets specific regions or location... Although riding on tragic events is not exactly new, what is notable is it employed once again blackhat SEO to lead users to a FAKEAV..."

(Screenshots available at the URL above.)

:ph34r: :grrr: :ph34r:

#180 AplusWebMaster

Posted 30 September 2009 - 05:19 AM

FYI...

Rogue downloader uses Firefox warning screen lookalike
- http://sunbeltblog.b...ox-warning.html
September 29, 2009 - "... The rogue Alpha AntiVirus page used to hijack a browser copies the Firefox warning screen... Looks like the Firefox warning page ( in Internet Explorer ), but with a difference... What makes research on these rogues very challenging is the fact that they swap the download web sites about every six hours..."

(Screenshots available at the URL above.)

:ph34r: :grrr:

#181 AplusWebMaster

Posted 01 October 2009 - 10:30 PM

FYI...

Fraudsters on social networking sites
- http://www.ic3.gov/m...009/091001.aspx
October 1, 2009 - "Fraudsters continue to hijack accounts on social networking sites and spread malicious software by using various techniques. One technique involves the use of spam to promote phishing sites, claiming there has been a violation of the terms of agreement or some other type of issue which needs to be resolved. Other spam entices users to download an application or view a video. Some spam appears to be sent from users' "friends", giving the perception of being legitimate. Once the user responds to the phishing site, downloads the application, or clicks on the video link, their computer, telephone or other digital device becomes infected. Another technique used by fraudsters involves applications advertised on social networking sites, which appear legitimate; however, some of these applications install malicious code or rogue anti-virus software. Other malicious software gives the fraudsters access to your profile and personal information. These programs will automatically send messages to your "friends" list, instructing them to download the new application too. Infected users are often unknowingly spreading additional malware by having infected Web sites posted on their Webpage without their knowledge. Friends are then more apt to click on these sites since they appear to be endorsed by their contacts..."

(Tips on avoiding these tactics available at the URL above.)

:ph34r: :ph34r:

Edited by apluswebmaster, 01 October 2009 - 10:32 PM.


#182 AplusWebMaster

Posted 02 October 2009 - 07:07 AM

FYI...

Rogue AV growth 2009-H1 585 percent
- http://www.theregist...imeware_plague/
2 October 2009 - "The prevalence of scareware packages has reached epidemic proportions, with 485,000 different samples detected in the first half of 2009 alone. The figure is more than five times the combined figure for the whole of 2008, according to statistics from the Anti-Phishing Working Group (APWG). The huge figures are explained by the hacker practice of changing the checksum of every file. The tactic is designed to foil less sophisticated anti-malware defences... More than half (54 per cent) or 11.9 million of the computers scanned by Panda Security, which contributed to APWG's report, were infected with some form of malware. Banking trojan infections detected by the group almost tripled (up 186 per cent) between Q4 2008 and Q2 2009. APWG's report can be found here*."
* http://www.antiphish...ort_h1_2009.pdf

:ph34r: :grrr:

#183 AplusWebMaster

Posted 06 October 2009 - 05:45 AM

FYI...

Hotmail user info leaked...
- http://blog.trendmic...rmation-leaked/
Oct. 6, 2009

Time to change your hotmail password
- http://isc.sans.org/...ml?storyid=7276
Last Updated: 2009-10-05 23:33:47 UTC - "... Microsoft has confirmed that thousands of Windows Live accounts have been compromised with their passwords posted online... Some information is posted here*..."
* http://windowslivewi...mp;sa=363915619
10/5/2009

:ph34r:

Edited by apluswebmaster, 06 October 2009 - 05:46 AM.


#184 AplusWebMaster

Posted 06 October 2009 - 12:04 PM

FYI...

Gmail, AOL, Yahoo all hit by webmail phishing scam
- http://www.theregist..._webmail_phish/
6 October 2009 - "Google has confirmed that Gmail has also been targeted by an "industry-wide phishing scheme" which first hit Hotmail accounts. Yahoo! and AOL are also reportedly affected. Hackers used fake websites to gain the login credentials attached to various webmail accounts. The attack emerged after a list of 30,000 purloined usernames and passwords was posted online. These leaked details reportedly referred to Gmail, Comcast and Earthlink accounts. A second list containing webmail addresses and passwords referring to Hotmail, Yahoo, AOL and Gmail also surfaced online. Some of the addresses on this list were old and fake, but at least some were genuine, the BBC reports*. Both lists have been taken offline, so are no longer directly accessible. The search engine giant confirmed that an unspecified number of accounts were compromised, adding that it had reset the passwords of the compromised accounts... The combined incidents serve to further illustrate the importance of password security. Using a different, hard-to-guess password on every site is a very good start in this direction."
* http://news.bbc.co.u...ogy/8292928.stm

- http://www.eset.com/...6/webmail-hacks
October 6, 2009 - "... If you receive an email telling you to provide your password it is a phish. That is as simple as it gets. Never give out your password..."

:ph34r: :ph34r:

Edited by apluswebmaster, 07 October 2009 - 03:00 AM.


#185 AplusWebMaster

Posted 07 October 2009 - 03:19 AM

FYI...

FBI warns public of fraudulent SPAM email
- http://www.us-cert.g...stigation_warns
October 6, 2009 - "The Federal Bureau of Investigation (FBI) has released information warning the public about fraudulent email messages purporting to come from the FBI or the Department of Homeland Security. These email messages contain a malicious attachment that claims to provide an intelligence report or bulletin, but in reality attempts to launch malware on the user's system. More information regarding these messages can be found in the Federal Bureau of Investigation's New E-Scams and Warnings web site*. To help protect against this type of attack, US-CERT recommends that users avoid opening attachments contained in unsolicited email messages..."
* http://www.fbi.gov/c...vest/escams.htm

:grrr: :ph34r:

#186 AplusWebMaster

Posted 15 October 2009 - 08:19 PM

FYI...

SSL SPAM... w/Zbot
- http://isc.sans.org/...ml?storyid=7333
Last Updated: 2009-10-13 13:13:34 UTC - "... started receiving SPAM messages along the following lines:
'On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour. The changes will concern security, reliability and performance of mail service and the system as a whole. For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure. This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.
http ://evil-link/evil-file
Thank you in advance for your attention to this matter and sorry for possible inconveniences...'

UPDATE
the sample file we received was named patch.exe MD5=9abc553703f4e4fedb3ed975502a2c7a
ZBOT characteristics, so trojan, keylogger, disables AV.
http://www.threatexp...b3ed975502a2c7a
"... Trojan-Spy.Zbot.YETH - Trojan-Spy.Zbot.YETH is a rootkit trojan which steals online banking information and downloads other malware as well..."

... ThreatExpert on the file... http://www.threatexp...ddfd9c50b0015c9
___

- http://blog.trendmic...ious-companies/
Oct. 14, 2009

New variation of SSL Spam
- http://isc.sans.org/...ml?storyid=7357
Last Updated: 2009-10-14 18:25:16 UTC
"... update to a diary we did earlier this week. The body of the spam today is:
' Dear user of the <some company> mailing service!

We are informing you that because of the security upgrade of the mailing
service your mailbox (<user>@<some company>) settings were changed. In
order to apply the new set of settings click on the following link ... '

The email contains a link with a file to download. Some of the files we have seen are:
settings-file.exe MD5: 0244586f873a83d89caa54db00853205
settings-file2.exe MD5: e6436811c99289846b0532812ac49986
The files are being detected by some anti-virus software programs at this time as Zbot variants..."

:ph34r: :ph34r:

#187 AplusWebMaster

Posted 15 October 2009 - 08:22 PM

FYI...

Outlook SPAM/Scam w/malware
- http://securitylabs....lerts/3491.aspx
10.14.2009 - "Websense... has discovered a new wave of malicious attacks claiming to be an update for Microsoft Outlook Web Access (OWA). Victims receive a message leading to a site to apply mailbox settings which were supposedly changed due to a "security upgrade." The especially dangerous thing about these messages is that they are very deceiving. The messages and attack pages are personalized for the To: email address to imply the message is being sent from tech support of the domain. The URL in the email looks like it leads to the company's own OWA system. We have seen upwards of 30,000 of these messages per hour and they have low AV detection*... The malicious site is also very believable. The victim's domain is used as a sub-domain to the site so that the attack site appears to be the victim's actual OWA site. The victim's domain name and email address are also used in a number of locations on the malicious site to make it that much more believable..."
* http://www.virustota...99b8-1255552077
File settings-file.exe received on 2009.10.14 20:27:57 (UTC)
Result: 6/41 (14.63%)

(Screenshots available at the Websense URL above.)

- http://www.us-cert.g...a_spam_messages
October 15, 2009

:ph34r:

Edited by apluswebmaster, 15 October 2009 - 11:10 PM.

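As an added example, not code from Websense or from the original thread: a small Python check for the lure described in the post above, where the recipient's own domain appears as a subdomain of a site somebody else controls, so that the link only looks like the company's OWA. Domain names and URLs are constructed placeholders, and the two-label suffix set is a stand-in for a real public-suffix list.

```python
"""Flag e-mail links whose host only embeds the recipient's domain as a
subdomain label (the OWA lure pattern), as opposed to links that really
belong to that domain."""
from urllib.parse import urlsplit

# Stand-in for a public-suffix list (assumption: production code would load
# the real list so that names like example.co.uk resolve correctly).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str, company_domain: str) -> str:
    """'internal'  -> host is the company domain or a real subdomain of it
       'lookalike' -> company domain appears inside the host, but someone
                      else controls the registrable domain (the OWA lure)
       'external'  -> anything else"""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    company = company_domain.lower().rstrip(".")
    if host == company or host.endswith("." + company):
        return "internal"
    if company in host and registrable_domain(host) != company:
        return "lookalike"
    return "external"


def scan_links(urls, company_domain: str) -> dict:
    """Group a message's links by verdict so a filter can act on 'lookalike'."""
    verdicts = {"internal": [], "lookalike": [], "external": []}
    for url in urls:
        verdicts[classify_link(url, company_domain)].append(url)
    return verdicts


# Constructed sample links as they might appear in such a message; the
# attacker hosts below are placeholders, not indicators from the alert.
SAMPLE_LINKS = [
    "https://owa.example.com/exchange/",
    "http://example.com.owa-settings.invalid/settings-file.exe",
    "http://example.com.mail-update.co.uk/update",
    "https://www.example.org/",
]

if __name__ == "__main__":
    for verdict, links in scan_links(SAMPLE_LINKS, "example.com").items():
        print(verdict, links)
```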

#188 AplusWebMaster

Posted 15 October 2009 - 08:24 PM

FYI...

New Koobface campaign spoofs Adobe's Flash updater
- http://blogs.zdnet.c...ecurity/?p=4594
October 14, 2009 - "Earlier this week, the botnet masters behind the most efficient social engineering driven botnet, Koobface, launched a new campaign currently spreading across Facebook with a new template spoofing Adobe’s Flash updater embedded within a fake Youtube page. The malware campaign is relying on compromised legitimate web sites, now representing 77% of malicious sites in general, and on hundreds of automatically registered Blogspot accounts with the CAPTCHA recognition process done on behalf of the users already infected by Koobface, compared to the gang’s previous reliance on commercial CAPTCHA recognition services..."

:ph34r:

#189 AplusWebMaster

Posted 16 October 2009 - 06:03 AM

FYI...

Zbot SPAM campaign continues
- http://blog.trendmic...aign-continues/
Oct. 16, 2009 - "A slightly modified Zbot spam campaign currently making rounds pretends to come from the IT support of various companies. It informs users that a security update in the mailing service caused changes in their mailbox settings. They are instructed to open the ZIP attachment and run the .EXE file, INSTALL.EXE to supposedly apply the changes. Trend Micro detects this as TROJ_FAKEREAN.CF. When executed, this Trojan accesses http ://{BLOCKED}nerkadosa.com /xIw1yPD0q5Gb8t0br4×6k5sk to download another malicious file detected as TROJ_FAKEREAN.BI... Spammers usually employed random email addresses in the FROM and TO field headers but in this case, the actual company domain is used as email addresses in both fields. This is done to make the email message more credible, and convincingly coming internally from the company, thus luring unknowing users into executing the malware... The said email purports as a notification from the company’s “system administrator” to update the user’s system because of a server upgrade. Accordingly, the subdomains are tailor-made to make it more legitimate. Users are encouraged not to open suspicious-looking emails even though it supposedly came from a trusted source. It is also advisable that users contact first their IT or tech support in case they received such emails to verify if indeed a security update had occurred..."

(Screenshots available at the TrendMicro URL above.)

:ph34r: :ph34r:

#190 AplusWebMaster

Posted 20 October 2009 - 02:41 PM

FYI...

Scareware SPAM - Conficker.B infection alerts
* http://ddanchev.blog...-infection.html
October 20, 2009 - "A fake "conficker.b infection alert" spam campaign first observed in April, 2009 (using the following scareware domains antivirus-av-ms-check .com; antivirus-av-ms-checker .com; ms-anti-vir-scan .com; mega-antiviral-ms .com back then) is once again circulating in an attempt to trick users into installing "antispyware application", in this case the Antivirus Pro 2010 scareware. This campaign is directly related to last week's Microsoft Outlook update campaign, with both of these using identical download locations for the scareware..."

(Screenshots and extensive list of domains involved available at the URL above*.)

:grrr: :ph34r:

#191 AplusWebMaster

Posted 27 October 2009 - 05:52 PM

FYI...

Malicious Facebook password SPAM
- http://securitylabs....lerts/3496.aspx
10.26.2009 - "Websense... has discovered a new wave of malicious email attacks claiming to be a password reset confirmation from Facebook. The From: address on the messages is spoofed using support @ facebook.com to make the messages believable to recipients. The messages contain a .zip file attachment with an .exe file inside (SHA1: d01c02b331f47481a9ffd5e8ec28c96b7c67a8c6). The .exe file currently has a detection rate of about 30 percent on VirusTotal*. Our ThreatSeeker™ Network has seen up to 90,000 of these messages sent out so far today. The malicious exe file connects to two servers to download additional malicious files and joins the Bredolab botnet which means the attackers have full control of the PC, such as steal customer information, send spam emails. One of the servers is in the Netherlands and the other one in Kazakhstan..."
* http://www.virustota...f10c-1256597978
File Facebook_Password_c92dd.exe received on 2009.10.26 22:59:38 (UTC)
Result: 12/41 (29.27%)

- http://www.symantec....nother-comeback
October 27, 2009

(Screenshot available at the Websense and Symantec URLs above.)

:grrr: :ph34r:

Edited by apluswebmaster, 10 November 2009 - 10:58 AM.


#192 AplusWebMaster

Posted 28 October 2009 - 03:01 AM

FYI...

FDIC alert NOT...
- http://sunbeltblog.b...-alert-not.html
October 27, 2009 - "Malicious SPAM. Don’t go there. Zeus Trojan..."

- http://ddanchev.blog...erves-zeus.html
October 27, 2009

(Screenshots available at both URLs above.)

- http://www.fdic.gov/...erts/index.html
October 26, 2009 - "... This e-mail and associated Web site are fraudulent. Recipients should consider the intent of this e-mail as an attempt to collect personal or confidential information, some of which may be used to gain unauthorized access to on-line banking services or to conduct identity theft. The FDIC does -not- issue unsolicited e-mails to consumers..."

- http://blog.trendmic...o-info-stealer/
Oct. 27, 2009 - "... same cybercriminals responsible for other spam campaigns like the CapitalOne phishing attack and the Outlook update spam... characteristics of the domains (fast-flux and character patterns), URLs (wildcarded subdomains, long URLs), and binaries (Zeus) used in FDIC spam are somewhat similar to the above-mentioned spam waves..."

- http://www.us-cert.g...rporation_warns
October 27, 2009

:ph34r: :ph34r:

Edited by apluswebmaster, 29 October 2009 - 03:35 PM.


#193 AplusWebMaster

Posted 02 November 2009 - 10:01 AM

FYI...

Worms return - MS SIR report...
- http://www.theregist...ecurity_report/
2 November 2009 - "Microsoft's latest security intelligence report* shows a resurgence in worms, although rogue security software also remains a big issue. Rogue security software was found and removed from 13.4m machines, compared to 16.8m last time. It is still an issue but numbers are falling. Worm figures doubled in the first six months of 2009 - from fifth to second. The focus on worms is partly to do with attention given to Conficker which infected 5.2m machines. Taterf doubled to 4.9m compared to the second half of 2008. Taterf is a worm aimed at massive multi-player games. It spreads via USB drives and mapped drives. Surprisingly it appears in enterprise space rather than consumer space - presumably by people sticking USB sticks into work machines... Cliff Evans, head of security and privacy at Microsoft, advised consumers to keep automatic updates on, keep a firewall running and use one of the newest browsers and up to date anti-malware. He said it was important to check all your software, not just Microsoft's... Microsoft works out the infection rate per thousand machines. The worldwide average is 8.7, Japan, Austria, Germany run at about 3 and the UK 4.9, down from 5.7. In the US the figure is 8.6. The top worm in the UK is koobface which spreads via Facebook and MySpace. It has been around a while but infection is increasing. Microsoft publishes this report every six months..."
* http://www.microsoft...Threat/SIR.aspx

:grrr: :ph34r:

#194 AplusWebMaster

Posted 03 November 2009 - 09:18 AM

FYI...

Opachki hijacker trojan analysis
- http://www.securewor...hreats/opachki/
November 02, 2009 - "Opachki is one of many software tools developed by criminals to hijack and monetize Windows users' search traffic using affiliate-based search engines that are ultimately advertiser-sponsored, sometimes by well-known and respected firms. Each search-hijacking-by-malware scheme... so far seems to have a different twist, and the Opachki trojan is no different. Instead of only hijacking search result links, Opachki attempts to hijack as many links as it can on any web page, using the text enclosed by the HTML HREF tag as a faux search phrase when redirecting the user to an affiliate-based search engine. Opachki carries out this link hijacking using a small bit of JavaScript code that is injected into the top of HTML pages... Opachki demonstrates that even a "benign" threat such as a search/link hijacker has additional risks and costs that sometimes go unseen. For this reason, any trojan infection should be quickly resolved. Manual removal of Opachki is extremely difficult, given the many methods it uses to maintain its code on a system. Because of these difficulties and also because of other unknown trojans, worms or viruses Opachki may have downloaded, the recommended method of removal is to reformat and reinstall the operating system from known good media."

- http://isc.sans.org/...ml?storyid=7519
Last Updated: 2009-11-03 12:46:11 UTC - "... prevents the system from booting in Safe Mode – the attackers did this to make it more difficult to remove the trojan. This goes well with what I've been always saying – do not try to clean an infected machine, always reimage it. As Opachki's main goal is to hijack links, it hooks the send and recv API calls in the following programs: FIREFOX.EXE, IEXPLORE.EXE, OPERA.EXE and QIP.EXE. While the first three are well known, I had to investigate the last one. It turned out that QIP.EXE is an ICQ client that is very popular in Russia, so the trojan has a component that directly attacks Russian users. The trojan will monitor web traffic (requests and responses) that above mentioned applications make and will inject a malicious script tag into every response..."

(More detail available at both URL's above.)

:grrr: :ph34r: :grrr:
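The two write-ups above describe a response-injection pattern: the trojan hooks the browser's send/recv calls and splices a script tag into the top of every HTML response. As an added example (not code from either article), this Python check flags a response body whose first element is a script tag that precedes the page's own doctype/html tag, and separately lists script sources served from a host other than the page's. The sample response bodies and hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample HTTP response bodies (illustrative, not captured traffic).
CLEAN_PAGE = (
    "<!DOCTYPE html>\n<html><head><title>Docs</title>\n"
    "<script src=\"https://www.example.com/app.js\"></script></head>\n"
    "<body><a href=\"/guide\">User guide</a></body></html>"
)
INJECTED_PAGE = (
    "<script src=\"http://hijack.example.invalid/r.js\"></script>\n"
    "<!DOCTYPE html>\n<html><head><title>Docs</title></head>\n"
    "<body><a href=\"/guide\">User guide</a></body></html>"
)

SCRIPT_RE = re.compile(r"<script[^>]*\bsrc=[\"']([^\"']+)[\"']", re.IGNORECASE)
DOC_START_RE = re.compile(r"<!DOCTYPE|<html", re.IGNORECASE)


def prepended_scripts(body: str) -> list:
    """Script src values that appear before the document's own <!DOCTYPE>/<html>.
    A legitimate page does not start with a <script>; code spliced into the top
    of every response by a hooked recv() does exactly that."""
    m = DOC_START_RE.search(body)
    head = body if m is None else body[:m.start()]
    return SCRIPT_RE.findall(head)


def third_party_scripts(page_url: str, body: str) -> list:
    """Script src values whose host differs from the host that served the page."""
    page_host = urlparse(page_url).hostname
    found = []
    for src in SCRIPT_RE.findall(body):
        host = urlparse(src).hostname
        if host and host != page_host:
            found.append(src)
    return found


def inspect_response(page_url: str, body: str) -> dict:
    """Run both checks; 'suspicious' is True when a script tag was prepended."""
    pre = prepended_scripts(body)
    return {"prepended": pre,
            "third_party": third_party_scripts(page_url, body),
            "suspicious": bool(pre)}


if __name__ == "__main__":
    for name, body in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, inspect_response("https://www.example.com/docs", body))
```

Third-party script sources are common on legitimate pages, so only the prepended check is treated as a positive signal; the third-party list is context for an analyst.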

#195 AplusWebMaster


Posted 06 November 2009 - 06:17 AM

FYI...

FBI investigates $100 million in losses from spear phishing
- http://sunbeltblog.b...-in-losses.html
November 04, 2009 - "The FBI has said it is investigating thefts in the last five years of more than $100 million from small and medium sized businesses that fell victim to spear-phishing attacks which siphoned funds from their bank accounts. There are more of the attacks reported each week, they said. The attacks typically involved malware sent by email that installed key loggers and targeted someone in the company who could initiate fund transfers. The criminals used the key loggers to capture the victim’s banking log-in information then initiated fund transfers to money mules, generally in amounts below $10,000 – the level that triggers currency transaction reporting. The mules transfer the funds to the criminals via Western Union or other international money transfer systems. The phishing emails were sent from groups or people known to the victims so they wouldn’t be inclined to consider them fraudulent. Among other measures, the FBI suggests removing the company organization chart from web sites in order to preclude spear-phishing emails that target company financial personnel...". Report here*.
* http://www.ic3.gov/m...9/091103-1.aspx
November 3, 2009

:ph34r: :ph34r:

#196 AplusWebMaster


Posted 09 November 2009 - 09:02 AM

FYI...

Koobface abuses Google Reader pages
- http://blog.trendmic...e-reader-pages/
Nov. 9, 2009 - "We are seeing another development from the Koobface botnet, this time abusing the Google-owned service Google Reader to spam malicious URLs in social networking sites such as Facebook, MySpace, and Twitter. The Koobface gang used controlled Google Reader accounts to host URLs containing an image that resembles a flash movie. These URLs are spammed through the said social networks. When the user clicks the image or the title of the shared content, it leads to the all too familiar fake YouTube page that hosts the Koobface downloader component... This sharing of content to the public is what the cybercriminals abused to use the Google Reader domain in spamming malicious links. We have already contacted Google about this matter to remove the malicious content. As of now we’ve found 1,300 Google Reader accounts used for this attack..."
(Screenshots available at the URL above.)

Malicious Google AppEngine Used as a CnC
- http://asert.arborne...-used-as-a-cnc/
November 9, 2009

- http://www.f-secure....s/00001815.html
November 9, 2009 - "... there are these apparent MySpace phishing e-mails going around ("...please be informed that you are required to update your MySpace account, Please update your MySpace account by clicking here..."). When you follow the link, you end up on this MySpace look-alike page, hosted on various .uk domains... Why do they want them? So they can pose as you on MySpace and send malicious links to your friends — who will surely follow them, as they know you and trust you. But in this case, this is not the only thing they are after. After logging on, you get this prompt... A New MySpace Update Tool? Really? As an executable file? Hmm… and of course it's not. The file (md5: 4c7693219eaa304e38f5f989a8346e51) turns out to be yet another Zeus / Zbot banking trojan variant..."
(Screenshots available at the F-secure URL above.)

Zeus Malware Moves to Myspace
- http://garwarner.blo...to-myspace.html
November 09, 2009 - "... The newest campaign follows the model of last week's Facebook UpdateTool*, only now targeting MySpace users..."
* http://garwarner.blo...ers-beware.html
October 28, 2009

:ph34r: :ph34r:

Edited by apluswebmaster, 11 November 2009 - 07:21 AM.


#197 AplusWebMaster


Posted 13 November 2009 - 04:14 PM

FYI...

Conficker patch via email - NOT
- http://isc.sans.org/...ml?storyid=7591
Last Updated: 2009-11-13 20:16:53 UTC - "Microsoft does -not- send patches, updates, anti-virus, or anti-spyware via email (hopefully ever)... in my inbox this aft. The subject was: Conflicker.B Infection alert
"Dear Microsoft Customer,
Starting 12/11/2009 the 'Conficker' worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.
To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.
Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.
Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division"

* https://www.virustot...7ae5-1258134283
File 3YMH6JJY.zip received on 2009.11.13 17:44:43 (UTC)
Result: 11/41 (26.83%)

:ph34r::hmmm::ph34r:

#198 AplusWebMaster


Posted 14 November 2009 - 12:37 PM

FYI...

Bogus ‘Balance Checker’ tool carries malware
- http://blog.trendmic...arries-malware/
Nov. 14, 2009 - "... received samples of spammed messages that purport to come from mobile phone companies, Vodafone and Verizon Wireless. The email messages carry the subject, “Your credit balance is over its limits” and inform users that their credit balance is due. To be able to review the payments, users should employ the balance checker tool attached in the email... When users open the attached .ZIP file, they won’t find any balance checker tool and instead will get a malicious file (balancechecker.exe) detected by Trend Micro as TSPY_ZBOT.SMP. TSPY_ZBOT.SMP steals online banking credentials such as usernames and passwords. This stolen information may be used by cybercriminals for other fraudulent activities. It also disables the Windows Firewall and has rootkit capabilities for difficult detection and removal. Users are strongly advised not to open any suspicious-looking emails even if they come from a known source. It is also good to verify first any email coming from your mobile services provider just to be sure whether it is legitimate or not..."

:ph34r: :ph34r:

#199 AplusWebMaster


Posted 16 November 2009 - 11:36 AM

FYI...

Online criminals cash in on swine flu
- http://www.sophos.co...ussian-hackers/
November 16, 2009 - "As the number of reported swine flu cases climbs, it's time a strong message was sent out against buying Tamiflu over the internet. Research published by Sophos* exposes the profit model of the Russian cybercriminals making millions of pounds from counterfeit Tamiflu. Panic-induced stockpiling by individuals who aren't officially classified as being at risk of contracting swine flu, and therefore anxious they won't receive Tamiflu from the NHS, will not only line cybercriminals' pockets with millions of pounds in cash but also grant them access to sensitive personal data to be used for other crimes... The criminal gangs working behind the scenes at fake internet pharmacies are putting their customers' health, personal information and credit card details at risk. They have no problem breaking the law to promote these websites, so you can be sure they'll have no qualms in exploiting your confidential data or selling you medications which may put your life in danger. If you think you need medication contact your real doctor, and stay away from quacks on the internet..."
* http://www.sophos.co...b2009-paper.pdf
"... The ‘Canadian Pharmacy’ group now holds the number one position in the Spamhaus Top 10 spammers list... Searching for GlavMed’s support number reveals over 120,000 online pharmacy sites..."

:ph34r: :grrr: :ph34r:

Edited by apluswebmaster, 16 November 2009 - 01:23 PM.


#200 AplusWebMaster


Posted 18 November 2009 - 07:10 AM

FYI...

Payment Request SPAM contains malware
- http://blog.trendmic...ntains-malware/
Nov. 18, 2009 - "TrendLabs researchers received spammed messages purporting to have come from various companies such as eBay, J.P. Morgan Chase and Co., and Colgate-Palmolive, among others. The email bore the subject, “Payment request from,” and informs users about a certain recorded payment request... The spammed message even gave users two options—to either ignore the email if the payment request has been made or to download the attached .ZIP file and install the inspector module to decline the said payment request. If the user does not make any transaction, he/she still needs to download the attachment just to cancel the payment request. The attached .ZIP file is, of course, not an inspector module but an .EXE file (module.exe) detected by Trend Micro as TROJ_AGENTT.WTRA. Users are advised to be wary before opening -any- attached files even if they come from known sources. It is also best to verify emails you receive from any company first just to be sure it is legitimate..."

(Screenshots available at the URL above.)

:grrr: