Fake WhatsApp SPAM / IMG003299.zip
11 Dec 2013 - "This -fake- WhatsApp message has a malicious attachment.
Date: Wed, 11 Dec 2013 18:29:19 +0700 [06:29:19 EST]
Subject: Your friend has just sent you a pic
Your friend has just sent you a photograph in WhatsApp. Open attachments to see what it is.
Attached to the email is an archive IMG003299.zip (VirusTotal detections 7/43*) which in turn contains a malicious executable IMG003299.exe (VirusTotal detections 9/49**). Automated analysis tools... don't reveal very much about the malware in question however."
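The triage a mail gateway or an analyst would do on an attachment like this, as an added example that is not part of the quoted post: open the archive without executing anything, flag members that are executable either by extension or by the `MZ` header a PE file starts with (a member renamed to `.txt` still gets caught), and hash the flagged members so they can be looked up on VirusTotal. The archive built by `build_sample_zip()` and its contents are constructed here; the member named IMG003299.exe is a stand-in and not the real sample.

```python
import hashlib
import io
import os
import zipfile

# Extensions that an e-mail gateway should treat as executable content.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, the hash form VirusTotal accepts for lookups."""
    return hashlib.sha256(data).hexdigest()


def triage_zip(zip_bytes: bytes, max_member_size: int = 50 * 1024 * 1024) -> list:
    """Return one dict per member that looks executable, by name or by content.

    Nothing is written to disk or executed; only the first two bytes of each
    member are inflated for the magic check, and members above max_member_size
    are reported but not hashed (a crude guard against zip bombs).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            # splitext on "IMG003299.jpg.exe" still yields ".exe".
            ext = os.path.splitext(info.filename.lower())[1]
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + ext)
            with zf.open(info) as member:
                magic = member.read(2)
            if magic == b"MZ":
                reasons.append("MZ header (PE executable)")
            if not reasons:
                continue
            digest = None if info.file_size > max_member_size else sha256_hex(zf.read(info))
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "sha256": digest,
                "reasons": reasons,
            })
    return findings


# Constructed sample content (assumption: none of this is the real attachment).
SAMPLE_EXE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not a real program"
SAMPLE_JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_DISGUISED_BYTES = b"MZ" + b"\x90" * 30  # PE magic hiding behind a .txt name


def build_sample_zip() -> bytes:
    """Build an in-memory archive shaped like IMG003299.zip for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("IMG003299.exe", SAMPLE_EXE_BYTES)
        zf.writestr("holiday.jpg", SAMPLE_JPEG_BYTES)
        zf.writestr("readme.txt", SAMPLE_DISGUISED_BYTES)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

The magic check matters more than the extension list: the extension catches what the sender chose to call the file, the `MZ` check catches what it actually is.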
Facebook Phishing and Malware via Tumblr redirects
Last Updated: 2013-12-11 13:43:23 UTC - "... The initial bait is a message that you may receive from one of your Facebook friends, whose account was compromised. The message claims to contain a link to images that show a crime that was committed against the friend or a close relative of the friend. The image below shows an example, but the exact message varies. The images then claim to be housed on Tumblr.
The Tumblr links follow a pattern, but appear to be different for each recipient. The host name is always two or three random English words, and the URL includes a few random characters as an argument. The preview of the Tumblr page lists some random words and various simple icons. Once the user clicks on the link to the Tumblr page, they are immediately redirected to a very plausible Facebook phishing page, asking the user to log in. The links I have seen so far use the "noxxos .pw" domain, which uses a wildcard record to resolve to 184.108.40.206 ... The fake Facebook page will ask the user for a username and password as well as for a "secret question". Finally, the site attempts to run a java applet (likely an exploit, but haven't analyzed it yet), and the user is sent to a Youtube look-alike page asking the user to download and install an updated "Youtube Player". The player appears to be a generic downloader with mediocre AV detection (was 3/42 when I first saw it. Now 10/42 improved). As an indicator of compromise, it is probably best right now to look for DNS queries for "noxxos .pw" as well as connections to 220.127.116.11 ..."
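The indicator check the diary recommends, as an added example that is not part of the ISC diary: match DNS query logs against the phishing domain (including every random-word host under it, since the domain is served by a wildcard record) and firewall logs against the IP addresses given above. The log lines are constructed here in BIND query-log and iptables style; the domain is the diary's "noxxos .pw" with the defanging space removed, and the two IPs are taken from the text as printed.

```python
import re
from typing import Iterable, List, Tuple

# IoCs from the diary, normalised (the diary writes "noxxos .pw" to defang it).
IOC_DOMAINS = {"noxxos.pw"}
IOC_IPS = {"184.108.40.206", "220.127.116.11"}

# A hostname token: labels of letters/digits/hyphens ending in an alphabetic TLD.
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?\.[a-z]{2,}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_matches(host: str, ioc_domain: str) -> bool:
    """Exact match or any subdomain, but not a lookalike such as notnoxxos.pw.

    The phishing domain has a wildcard record, so every random-word host
    under it resolves; the whole zone is the indicator, not one name.
    """
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_lines(source: str, lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return (source, line_number, indicator) for every IoC hit in the lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        low = line.lower()
        for host in HOST_RE.findall(low):
            if any(domain_matches(host, ioc) for ioc in IOC_DOMAINS):
                hits.append((source, number, host))
        for ip in IPV4_RE.findall(low):
            if ip in IOC_IPS:
                hits.append((source, number, ip))
    return hits


# Constructed sample logs (assumption: shaped like BIND querylog and iptables output).
DNS_LOG = """\
11-Dec-2013 13:40:01.123 client 10.0.0.15#53211: query: fleet-gloom.noxxos.pw IN A + (10.0.0.2)
11-Dec-2013 13:40:02.456 client 10.0.0.15#53212: query: www.facebook.com IN A + (10.0.0.2)
11-Dec-2013 13:40:03.789 client 10.0.0.22#53213: query: noxxos.pw IN A + (10.0.0.2)
11-Dec-2013 13:40:04.012 client 10.0.0.15#53214: query: notnoxxos.pw IN A + (10.0.0.2)
"""

FW_LOG = """\
Dec 11 13:40:05 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=220.127.116.11 PROTO=TCP DPT=80
Dec 11 13:40:06 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=93.184.216.34 PROTO=TCP DPT=443
Dec 11 13:40:07 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.22 DST=184.108.40.206 PROTO=TCP DPT=80
"""


def demo_hits() -> List[Tuple[str, int, str]]:
    """Run both constructed logs through the scanner."""
    return scan_lines("dns", DNS_LOG.splitlines()) + scan_lines("fw", FW_LOG.splitlines())


if __name__ == "__main__":
    for hit in demo_hits():
        print(hit)
```

Matching on the zone rather than on exact hostnames is the point: the random-word hosts differ per recipient, so a blocklist of names seen so far would miss the next one, while a suffix match on the domain does not. The `notnoxxos.pw` line shows why the match must be anchored at a label boundary.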