News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
October 20, 2014, 16:33:12
 1 
 on: Today at 03:45:44 
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake 'unpaid invoice' SPAM - xls malware
- http://myonlinesecurity.co.uk/acorn-engineering-limited-trading-unpaid-invoice-court-action-fake-excel-xls-malware/
20 Oct 2014 - "An email pretending to be an unpaid invoice and threatening court action with a subject of 'Acorn Engineering Limited trading' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
  Acorn-Maintenance-Engineering-logo...
    October 20, 2014
    Head Office
    Acorn Engineering Limited trading
    as Acorn Maintenance
    Acorn House
    20 Wellcroft Road
    Slough
    Berkshire
    SL1 4AQ
    Tel: 01753 386 073
    Fax: 01753 409 672
    Dear ...
    Reference: 48771955-A8
    Court action will be the consequence of your ignoring this letter.
    Despite our telephone calls on October 10 and our letters of September 25, 2014 and October 20, 2014, and your promise to pay, payment of your account has still not been received. If full payment is not received by October 22, 2014 court action will be taken against your company.
    If you allow this to happen you will incur court costs and you may forfeit your company’s credit status because the name of your company will be recorded by the major credit reference agencies. This may deter others from supplying you.
    You are also being charged debt recovery costs and statutory interest of 8% above the reference rate (fixed for the six month period within which date the invoices became overdue) pursuant to the late payment legislation.
    To stop this from happening please pay in full now the overdue invoice which is also attached to this letter.
    Yours truly,
    signature-Mishenko.gif (626×272)
    Nadine Cox,
    Accountant
    Acorn Engineering Limited
    Enclosure (Attachment)


20 October 2014: Copy4313_B0.zip: Extracts to: Invoice_7380901925299.xls.exe
Current Virus total detections: 3/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper Microsoft Excel xls file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/02b93640df6c19e6e77de029688e7dc2cdf6cf0a8a8f68ea0e1777d2ddd98097/analysis/1413800273/
___

Fake PDF invoice SPAM
- http://www.symantec.com/connect/blogs/pdf-invoices-may-cost-more-you-expect
Oct 20, 2014 - "... Over the past week, Symantec has observed a spam campaign involving suspicious emails that masquerade as unpaid invoices. However, these suspicious emails come with a nasty surprise attached in the form of a malicious .pdf file.
Malicious .pdf file attached to suspicious email:
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Fig1_19.png
While these invoices may appear to be legitimate because the sender’s email address may be associated with a major company, the emails contain spelling errors in the subject line and the body of the email contains just one line of text. Most business emails contain a personal greeting to the recipient and the sender’s signature, but these emails have neither. These signs should serve as warnings to users that the email is not what it claims to be. The attached .pdf file has malicious shellcode hidden inside of it that will be executed when opened with a vulnerable version of Adobe Reader... attackers are trying to exploit the Adobe Acrobat and Reader Unspecified Remote Integer Overflow Vulnerability (CVE-2013-2729) by triggering the vulnerability while parsing the crafted Bitmap encoded image... The embedded shellcode acts as a downloader which downloads a malicious executable file (Infostealer.Dyranges) from a remote location. The downloaded malware attempts to install itself as a service called “google update service”... If successful, the malware is then able to steal confidential information entered into Web browsers by the user. Symantec recommends that users exercise caution when opening emails and attachments from unexpected or unknown senders. We also advise that PDF viewers and security software be kept up-to-date. Symantec detects the malicious .pdf file used in this campaign as Trojan.Pidief*."
* http://www.symantec.com/security_response/writeup.jsp?docid=2009-121708-1022-99&tabid=2
___

Fake 401k SPAM - PDF malware
- http://myonlinesecurity.co.uk/401k-june-2014-fund-performance-participant-communication-fake-pdf-malware/
20 Oct 2014 - "An email pretending to come from Carla Rivers < CarlaRivers@ fidelity .com > giving details of the October 2014 401k fund performance results with a subject of '401k June 2014 Fund Performance and Participant Communication' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
     Co-op 401k Plan Participants –
    Attached you will find the October 2014 401k fund performance results as well as an informational piece regarding online calculators available on the website.
    If you are a facility manager, please forward, print or post a copy of these pages on your bulletin board or in a conspicuous place where your employees can see them.
    Please contact me if you have any questions.
    Carla Rivers
    Employee Benefits/Plan Administrator ..


20 October 2014: October-2014-401k-Fund.zip : Extracts to: October-2014-401k-Fund.scr
Current Virus total detections: 3/53*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/782d490bedb9e65bb1640a4d08e0e3debe2c11b270415aeb8bbfb83377469a3b/analysis/1413823356/
... Behavioural information
DNS requests
cyba3 .co.uk (94.136.40.103)
TCP connections
188.165.214.6: https://www.virustotal.com/en-gb/ip-address/188.165.214.6/information/
94.136.40.103: https://www.virustotal.com/en-gb/ip-address/94.136.40.103/information/
___

Fake 'LogMeIn Security Update' SPAM – PDF malware
- http://myonlinesecurity.co.uk/october-16-2014-logmein-security-update-fake-pdf-malware/
20 Oct 2014 - "An email that says it is an announcement that you need to install a new 'LogMeIn security certificate' which pretends to come from LogMeIn .com < auto-mailer@ logmein .com > with a subject of October 16, 2014 'LogMeIn Security Update' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/LogMeIn-security-update.png

20 October 2014: cert_client.zip: Extracts to: cert_1020.scr
Current Virus total detections: 1/52*. This October 16, 2014 'LogMeIn Security Update' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a legitimate file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/19d11eec77e1f1b6179005277d67a8640b5f5bf573dac486c7e1e6baea227c59/analysis/1413811609/
___

Fake 'my new photo Wink' SPAM - trojan variant
- http://blog.mxlab.eu/2014/10/20/latest-email-my-new-photo-contains-a-new-trojan-variant/
Oct 20, 2014 - "...  intercepted a new trojan variant distribution campaign by email with the subject “my new photo Wink”... sent from the spoofed email addresses and has the following short body:

   my new photo Wink

The attached ZIP file has the name photo.zip; once extracted, a folder photo is available that contains the 57 kB file photo.exe. The trojan is known as a variant of HEUR/QVM03.0.Malware.Gen or Win32:Malware-gen. At the time of writing, 2 of the 53 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en-gb/file/83912dc14a7de0ae2dbc6f12f2a5dbb54e2d94861ec6214163eaa2031df1b9b5/analysis/1413812842/
___

Fake Invoice SPAM – word doc malware
- http://myonlinesecurity.co.uk/adobe-invoice-word-doc-malware/
20 Oct 2014 - "An email pretending to come from Adobe with the subject of 'Adobe Invoice' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has an attachment that looks like a proper word.doc but something has disinfected all copies on its travels. All copies that I have received have been -less- than 1kb in size and are empty files with a name only adb-102288-invoice.doc . They are almost certainly supposed to be the typical malformed word docs, that contain a macros script -virus- we have been seeing so much recently that will infect you if you open or even preview them when you have an out of date or vulnerable version of Microsoft word on your computer... The email looks like:
   Adobe(R) logo    
    Dear Customer,
    Thank you for signing up for Adobe Creative Cloud
    Service.
    Attached is your copy of the invoice.
    Thank you for your purchase.
    Thank you,
    The Adobe Team
    Adobe Creative Cloud Service...


Never just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Most (if not all) malicious files that are attached to emails will have a faked extension..."

- http://blog.dynamoo.com/2014/10/adobe-billing-adobe-invoice-spam-adb.html
20 Oct 2014
Screenshot: https://1.bp.blogspot.com/-mt-vGbR2Q-U/VEUFltRbPGI/AAAAAAAAF3E/b3_TOFcDpHk/s1600/adobe.png
> https://www.virustotal.com/en-gb/file/bc79dea26a2ec94646dcbad540d3921198c46701359539925e530839aa68fb13/analysis/1413809174/
... Behavioural information
TCP connections
62.75.182.94: https://www.virustotal.com/en-gb/ip-address/62.75.182.94/information/
208.89.214.177: https://www.virustotal.com/en-gb/ip-address/208.89.214.177/information/
___

Dropbox phish - hosted on Dropbox
- http://www.symantec.com/connect/blogs/dropbox-users-targeted-phishing-scam-hosted-dropbox
Updated: 18 Oct 2014 - "... In this scam, messages included links to a -fake- Google Docs login page hosted on Google itself. We continue to see millions of phishing messages every day, and recently we saw a similar scam targeting Dropbox users. The scam uses an email (with the subject "important") claiming that the recipient has been sent a document that is too big to be sent by email, or cannot be sent by email for security reasons. Instead, the email claims, the document can be viewed by clicking on the link included in the message. However, the link opens a -fake- Dropbox login page, hosted on Dropbox itself.
Fake Dropbox login page:
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Dropbox%201.png
The -fake- login page is hosted on Dropbox's user content domain (like shared photos and other files are) and is served over SSL, making the attack more dangerous and convincing. The page looks like the real Dropbox login page, but with one crucial difference. The scammers are interested in phishing for more than just Dropbox credentials; they have also included logos of popular Web-based email services, suggesting that users can log in using these credentials as well. After clicking "Sign in," the user’s credentials are sent to a PHP script on a compromised Web server. Credentials are also submitted over SSL, which is critical for the attack's effectiveness. Without this, victims would see an unnerving security warning.
Security warning:
> http://www.symantec.com/connect/sites/default/files/users/user-2551621/Dropbox%202.jpg
Upon saving or emailing the user's credentials to the scammer, the PHP script simply -redirects- the user to the real Dropbox login page. Although the page itself is served over SSL, and credentials are sent using the protocol, some resources on the page (such as images or style sheets) are not served over SSL. Using non-SSL resources on a page served over SSL shows warnings in recent versions of some browsers. The prominence of the warning varies from browser to browser; some browsers simply change the padlock symbol shown in the address bar, whereas others include a small banner at the top of the page. Users may not notice or understand these security warnings or the associated implications. Symantec reported this phishing page to Dropbox and they immediately took the page down. Any Dropbox-hosted phishing pages can be reported to the abuse@dropbox.com email address..."

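As an added illustration of the spoofed-icon trick that runs through the reports above (this is not code from the forum or from the quoted blogs): a small Python check that opens a zip attachment and flags members whose real extension is executable, including the double-extension case such as Invoice_7380901925299.xls.exe and the bare .scr case. The zip is constructed in memory from the file names quoted above, and the extension lists are this example's own assumptions.

```python
import io
import zipfile
from typing import Dict, Optional

# Extensions Windows runs on double-click. .scr (screensaver) appears repeatedly
# in the campaigns above and is a plain PE executable. (Assumed list, not from the page.)
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf"}
# Document/image extensions the lures impersonate with a spoofed icon. (Assumed list.)
DOCUMENT_EXTS = {"xls", "xlsx", "doc", "docx", "pdf", "txt", "jpg", "png"}


def classify_name(name: str) -> Optional[str]:
    """Return a reason string if the file name looks like a disguised executable,
    otherwise None. Only the name is inspected, which mirrors what a user sees in
    Explorer when 'show known file extensions' is off."""
    base = name.rsplit("/", 1)[-1]  # ignore folder components inside the zip
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None  # no extension at all
    last = parts[-1]
    if last not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return f"double extension: shown as .{parts[-2]}, really .{last}"
    return f"executable attachment (.{last})"


def suspicious_members(zip_bytes: bytes) -> Dict[str, str]:
    """Map each suspicious member name inside a zip attachment to the reason it was flagged."""
    findings: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason:
                findings[info.filename] = reason
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: member names taken from the campaigns quoted above,
    file bodies are dummy bytes (no real malware is embedded)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_7380901925299.xls.exe", b"MZ dummy")  # 'unpaid invoice' lure
        zf.writestr("October-2014-401k-Fund.scr", b"MZ dummy")     # 401k lure
        zf.writestr("photo/photo.exe", b"MZ dummy")                # 'my new photo' lure
        zf.writestr("adb-102288-invoice.doc", b"")                 # empty .doc from the Adobe lure
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in suspicious_members(build_sample_zip()).items():
        print(f"{member}: {reason}")
```

The empty adb-102288-invoice.doc is deliberately not flagged here: a name-only check cannot tell a macro document from a benign one, so document attachments need content inspection rather than extension rules.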

 2 
 on: October 18, 2014, 20:15:01  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Recent Updates
- http://www.malwaredomains.com/?p=3670
October 17th, 2014
10/13 – 64 domains
10/14 – 195 domains
10/17 – 187 domains
Sources: malwareurls.joxeankoret.com, blog.dynamoo.com, www.spamhaus.org, app.webinspector.com, cybercrime-tracker.net and others ...


 3 
 on: October 18, 2014, 20:02:24  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Evil network: 5.135.230.176/28 - OVH
- http://blog.dynamoo.com/2014/10/evil-network-513523017628-ovh-eldar.html
18 Oct 2014 - "These domains are currently hosted or have recently been hosted on 5.135.230.176/28 and all appear to be malicious in some way, in particular some of them have been hosting the Angler EK* (hat tip)... 5.135.230.176/28 is an OVH IP range allocated to what might be a fictitious customer:
organisation:   ORG-EM25-RIPE
org-name:       eldar mahmudov
org-type:       OTHER
address:        ishveran 9
address:        75003 paris
address:        FR
e-mail:         mahmudik@ hotmail .com
abuse-mailbox:  mahmudik@ hotmail .com
phone:          +33.919388845
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
changed:        noc@ ovh .net 20140621
source:         RIPE
There appears to be nothing legitimate at all in this IP address range; I strongly recommend that you -block- traffic going to it."
* http://malware-traffic-analysis.net/2014/10/06/index.html

Diagnostic page for AS16276 (OVH)
- https://www.google.com/safebrowsing/diagnostic?site=AS:16276
"... over the past 90 days, 4009 site(s)... resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-10-18, and the last time suspicious content was found was on 2014-10-18... we found 543 site(s) on this network... that appeared to function as intermediaries for the infection of 4498 other site(s)... We found 1150 site(s)... that infected 2883 other site(s)..."
___

malwr
- https://malwr.com/
Oct. 19, 2014 - "Last Comments:
Malware.    
222.236.47.53:8080 195.206.7.69:443 46.55.222.24:8080 162.144.60.252:8080 91.212.253.253:443 95.141.32.134:8080
"
- https://malwr.com/about/ >> http://www.shadowserver.org/ *


Bot Count Graphs
* https://www.shadowserver.org/wiki/pmwiki.php/Stats/BotCountYearly#toc1
Page last modified on Sunday, 19 October 2014
___

- http://blog.dynamoo.com/2014/10/final-notification-malware-spam-uses.html
17 Oct 2014
... ShippingLable_HSDAPDF.scr
- https://www.virustotal.com/en/file/9ad980467347dffbb50493c93ca834c40dbfdec61fc1339004a107aef6633ed2/analysis/1413566277/
... Comments:
Full list of CnCs:
5.135.28.118: https://www.virustotal.com/en/ip-address/5.135.28.118/information/
185.20.226.41: https://www.virustotal.com/en/ip-address/185.20.226.41/information/
5.63.155.195: https://www.virustotal.com/en/ip-address/5.63.155.195/information/
___

RIG Exploit Kit Dropping CryptoWall 2.0
- http://www.threattracksecurity.com/it-blog/rig-exploit-kit-dropping-cryptowall-2-0/
Oct 17, 2014 - "... observed spammers exploiting vulnerable WordPress links to -redirect- users to servers hosting the RIG Exploit Kit, which takes advantage of any number of vulnerabilities in unpatched Silverlight, Flash, Java and other applications to drop CryptoWall 2.0... nasty updated version of CryptoWall, which has built up steam since the disruption of CryptoLocker. Once infected with CryptoWall 2.0, users’ files are encrypted and held for ransom. The spammers behind this latest campaign seem to be the same crew behind a recent wave of eFax spam reported over at Dynamoo’s Blog*... The campaign Dynamoo revealed is being hosted side-by-side on the same server as the RIG Exploit Kit: hxxp ://206.253.165.76 :8080. The exploit redirector is hxxp ://206.253.165.76 :8080/ord/rot.php. And the spam Dynamoo reported is hxxp ://206.253.165.76 :8080/ord/ef.html... The exploit redirector is hxxp :// 206.253.165.76 :8080/ord/rot.php... malicious link loads a RIG Exploit Kit landing page to exploit any of its targeted vulnerabilities to drop CryptoWall 2.0. The MD5 of the sample analyzed is 8cc0ccec8483dcb9cfeb88dbe0184402 ..."
* http://blog.dynamoo.com/2014/10/efax-message-from-02086160204-spam.html

206.253.165.76: https://www.virustotal.com/en/ip-address/206.253.165.76/information/


 4 
 on: October 18, 2014, 05:43:39  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

PHP 5.6.2 released ...
- http://php.net/
16 Oct 2014 - "The PHP development team announces the immediate availability of PHP 5.6.2. Four security-related bugs were fixed in this release, including fixes for CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670. All PHP 5.6 users are encouraged to upgrade to this version..."

Changelog
- http://www.php.net/ChangeLog-5.php#5.6.2

- http://www.php.net/downloads.php

- http://windows.php.net/download/

CVE Reference(s): CVE-2014-3668, CVE-2014-3669, CVE-2014-3670
___

PHP 5.5.18 released
- http://php.net/
16 Oct 2014 - "The PHP development team announces the immediate availability of PHP 5.5.18. Several bugs were fixed in this release. A -regression- in OpenSSL introduced in PHP 5.5.17 has also been addressed in this release. PHP 5.5.18 also fixes 4 CVEs in different components. All PHP 5.5 users are encouraged to upgrade to this version..."

Changelog
- http://www.php.net/ChangeLog-5.php#5.5.18

- http://www.php.net/downloads.php

- http://windows.php.net/download/
___

PHP 5.4.34 released
- http://php.net/
16 Oct 2014 - "The PHP development team announces the immediate availability of PHP 5.4.34. 6 security-related bugs were fixed in this release, including fixes for CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670. Also, a fix for OpenSSL which produced regressions was -reverted-. All PHP 5.4 users are encouraged to upgrade to this version..."

Changelog
- http://www.php.net/ChangeLog-5.php#5.4.34

- http://www.php.net/downloads.php

- http://windows.php.net/download/


 5 
 on: October 17, 2014, 08:39:08  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

M$ yanks botched patch KB 2949927, re-issues KB 2952664
Windows 7 upgrade compatibility patch gets a tweaked installer, while the SHA-2 hashing patch is summarily removed without explanation
- http://www.infoworld.com/article/2834930/security/microsoft-yanks-botched-patch-kb-2949927-re-issues-kb-2952664.html
Oct 17, 2014 - "Tell me if you've heard this one before: Microsoft has pulled a patch - KB 2949927*, a patch so important it rated its own Security Advisory - and there's no official notification that the patch was yanked, no explanation as to why it's been pulled, and no instructions for removing (or keeping) the patch if it did somehow get installed... Take-away lesson: Ignore Windows error messages. Aunt Martha can handle that. The more disconcerting patch, KB 2949927, was one of the -four- botched patches I mentioned yesterday. It adds SHA-2 hash signing and verification capability to Windows 7. Trying to install it on some machines led to multiple reboots failing with error 80004005 - a nice way to spend your Tuesday afternoon. And Wednesday. And Thursday morning... What should you do if the patch was installed? I have no idea, and Microsoft isn't saying a thing. Still -no- word on the other bad patches..."
* https://support.microsoft.com/kb/2949927
Last Review: Oct 17, 2014 - Rev: 4.0


 6 
 on: October 17, 2014, 04:22:17  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Adblock Plus 2.6.5 for Firefox
- https://adblockplus.org/releases/adblock-plus-265-for-firefox-released
Changes:
- Fixed: Element hiding exceptions are broken by changes in Firefox 34 and Firefox 35 (issue 1241, issue 1381).
- Fixed: Blocking via context menu won’t always suggest blocking the most recent request (issue 362).
- Fixed: Issue reporter will complain about too many filter lists even when these filter lists are “special” like the anti-adblock list (issue 690).
- Fixed: Disabling filters via space bar no longer works in preferences (issue 1129).
- Fixed: Sharing Adblock Plus from the first-run page won’t work if the Anti-Social list is enabled (issue 1133).
- Fixed: Anti-Adblock warning will sometimes appear on websites without any anti-adblock behavior (issue 1161).
- Made $sitekey option behavior more consistent, it can be used similarly to $domain now rather than whitelisting complete websites only (issue 432).

- https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/


 7 
 on: October 17, 2014, 02:53:06  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Sage Invoice SPAM - malware
- http://blog.dynamoo.com/2014/10/sage-outdated-invoice-spam-spreads.html
17 Oct 2014 - "This -fake- Sage email spreads malware using a service called Cubby, whatever that is.

Screenshot: https://2.bp.blogspot.com/-UFvbcQMZeqc/VEDn4-OJqZI/AAAAAAAAF2I/M7n6GtqZVRM/s1600/sage3.png

Despite appearances, the link in the email (in this case) actually goes to https ://www.cubbyusercontent .com/pl/Invoice_032414.zip/_8deb77d3530f43be8a3166544b8fee9d and it downloads a file Invoice_032414.zip. This in turn contains a malicious executable Invoice_032414.exe which has a VirusTotal detection rate of 3/53*. The Malwr report shows HTTP conversations with the following URLs:
http :// 188.165.214.6 :15600/1710uk3/HOME/0/51-SP3/0/
http :// 188.165.214.6 :15600/1710uk3/HOME/1/0/0/
http :// 188.165.214.6 :15600/1710uk3/HOME/41/5/1/
http :// tonysenior .co.uk/images/IR/1710uk3.osa
188.165.214.6 is (not surprisingly) allocated to OVH France. In turn, it drops an executable bcwyw.exe (VT 6/54**...) which communicates with 66.102.253.25 (a China Telecom address located in the US in a Rackspace IP range) and also moxbk.exe (VT 1/52***...).
Recommended blocklist:
188.165.214.6
66.102.253.25
tonysenior .co.uk
"
* https://www.virustotal.com/en-gb/file/a772bdadac8a2f4819519e3ffb10a4aca141d64d78660e78e6f42a6ceb509183/analysis/1413539374/
... Behavioural information
DNS requests
tonysenior .co.uk (66.7.214.212)
TCP connections
188.165.214.6: https://www.virustotal.com/en-gb/ip-address/188.165.214.6/information/
66.7.214.212: https://www.virustotal.com/en-gb/ip-address/66.7.214.212/information/

** https://www.virustotal.com/en-gb/file/30dc00ee245dc553d569b94cc13f1acfed70740c7c10405d164694bc7d065f9d/analysis/1413540238/

*** https://www.virustotal.com/en-gb/file/3a281070d196e0906851550c51c319843c0c99198a2f7b2e393e433aa0cb0b68/analysis/1413540261/
___

Fake 'SalesForce Security Update' SPAM – malware
- http://myonlinesecurity.co.uk/october-17-2014-salesforce-security-update-malware/
17 Oct 2014 - "'October 17, 2014 SalesForce Security Update' pretending to come from SalesForce .com <no-reply@ salesforce .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The malware inside this zip file is at this time -undetected- by any antivirus on Virus Total* and to make it much worse the Virus Total engine tries to tell you that the file is Probably harmless! There are strong indicators suggesting that this file is safe to use. This is an even bigger problem than it normally would be because of the recent Poodle bug and servers consequently changing their encryption routines to remove the vulnerable SSLv3 version from being used. It is eminently believable that you might need to change the SSL certificate on your browser to comply with the new behaviour if you are not a security or network IT specialist. This is obviously -wrong- and this type of malware that disguises itself as a legitimate file and can apparently conceal the malicious functions from an antivirus scan and make it believe it is innocent is very worrying. The MALWR analysis doesn’t show -anything- wrong and doesn’t show any network connections or other files downloaded. Anubis also comes up with -nothing- on this one... a couple of manual analyses done by Virus total** users find it -is- malicious... drops this file which -is- detected... Our friends at TechHelpList(1) have done an analysis on this one which clearly shows its bad behaviour and what it connects to and downloads...
* https://www.virustotal.com/en/file/9519da9cbbf2a13b24e807f40d1537bb1913818ea91ecfe95323326f96632617/analysis/1413556548/

** https://www.virustotal.com/en/file/93691ef6e834951225ad024a6b662e857a47c2f5156e3def9f38ae964143c241/analysis/

1) https://techhelplist.com/index.php/spam-list/664-date-salesforce-security-update-virus

The email looks like:
 Dear client,
     You are receiving this notification because your Salesforce SSL certificate has expired.
    In order to continue using Salesforce.com, you are required to update your digital certificate.
     Download the attached certificate. Update will be automatically installed by double click.
     According to our Terms and Conditions, failing to renew the SSL certificate will result in account suspension or cancelation...  Thank you for using Salesforce .com


17 October 2014: cert_update.zip: Extracts to: cert_update.scr
Current Virus total detections: 0/52*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like an icon of a white & red circular arrow instead of the .scr (executable) file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/9519da9cbbf2a13b24e807f40d1537bb1913818ea91ecfe95323326f96632617/analysis/1413556548/
___

Fake eFax SPAM
- http://blog.dynamoo.com/2014/10/efax-message-from-02086160204-spam.html
17 Oct 2014 - "This fake eFax spam leads to malware:
   From:     eFax [message@ inbound .claranet .co.uk]
    Date:     17 October 2014 11:36
    Subject:     eFax message from "02086160204" - 1 page(s), Caller-ID: 208-616-0204
    Fax Message [Caller-ID: 208-616-0204]
    You have received a 1 page fax at 2014-10-17 09:34:48 GMT.
    * The reference number for this fax is lon2_did11-4056638710-9363579926-02.
    Please visit... to  view  this message in full...


The link in the email goes to some random hacked WordPress site or other with a URL with a format similar to the following:
http ://tadarok .com/wp-content/themes/deadline/mess.html
http ://107.170.219.47 /wp-content/themes/inove/mess.html
http ://dollfacebeauty .com.au/wp-content/themes/landscape/mess.html
Then (if your user agent and referrer are correct) it goes to a -fake- eFax page at http ://206.253.165.76 :8080/ord/ef.html which does look pretty convincing. (Incidentally if the UA or referrer are not right you seem to get dumped on a pills site of naturaldietpills4u .com).

Screenshot: https://1.bp.blogspot.com/-IzglVG8I_co/VED-m9ehHQI/AAAAAAAAF2Y/HyA5Tk30D9E/s1600/efax2.png

The download link goes to http ://206.253.165.76 :8080/ord/FAX_20141008_1412786088_26.zip which is a ZIP file containing a malicious executable FAX_20141008_1412786088_26.exe which has a VirusTotal detection rate of 4/54*... Recommended blocklist:
107.170.19.156
212.59.117.207
206.253.165.76
"
* https://www.virustotal.com/en-gb/file/b2b9486a36dff94a3222c16d309c073da61a98dfa1c1d303b5d3740f54842ff6/analysis/1413545028/
___

Fake Virgin Media SPAM - phish/malware
- http://myonlinesecurity.co.uk/help-advice-virgin-media-malware/
17 Oct 2014 - "An email with a subject of 'Help & Advice – Virgin Media' pretending to come from Virgin Media  is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
   Virgin Media Automated Billing Reminder
    Date 17th October 2014
    This e-mail has been sent you by Virgin Media to inform you that we were  unable to process your most recent payment of bill. This might be due to one of the following reasons:
        A recent change in your personal information such as Name or address.
        Your Credit or Debit card has expired.
        Insufficient funds in your account.
        Cancellation of Direct Debit agreement.
        Your Card issuer did not authorize this transaction.
    To avoid Service interruption you will need to update your billing profile, failure to update your profile may lead in service cancellation and termination.
    Please click on the link below to login to e-Billing. You will need to login using your primary E-mail address...


Be very careful with email attachments. -All- of these emails use Social engineering tricks to persuade you to open the attachments or follow the links... -Never- just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Most (if not all) malicious files that are attached to emails will have a -faked- extension..."
___

More Free Facebook Hacks ...
- https://blog.malwarebytes.org/fraud-scam/2014/10/more-free-facebook-hacking-sites-surface-online/
Oct 16, 2014 - "... more sites claiming to offer hacking services that target Facebook users. The sites are:
    fbwand(dot)com
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/fbwand.png

    hackfbaccountlive(dot)com
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/hackfbaccountlive.png

One starts off by entering the profile URL of the Facebook user account (the target) he/she wants to hack. The site then makes him/her believe that an -actual- hacking is ongoing, firstly, by retrieving and displaying specific information from Facebook’s Graph Search*, such as user ID, user name, and a large version of the profile photo, to the page; and, secondly, by providing the attacker the progress of completion of each hacking attempt. Below are screenshots of these attempts, beginning with purportedly fetching the target’s email ID:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/05-verify.png?w=564
After a successful “hack”, the site informs the attacker that they have created an account for them on the website, complete with a generated user name and password, and that they have to log in to their accounts to retrieve the target’s Facebook account details. Just when it seems too easy, the attacker sees this upon logging in:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/hackers-panel.png
He/She is instructed to unlock the details in two ways. One is to share a generated referral link to their social networks (particularly Facebook and/or Twitter) in order to get 15 visitors to click it... Although it’s true that no website is perfectly secure, one must not attempt to hack into them nor break into someone else’s online profile. These are illegal acts. Sites marketing themselves as free, user-friendly hacking-as-a-service (HaaS) tools, such as those I mentioned here, generally take advantage of user distrust of someone and profit from it, promising big but delivering nothing in the end. Avoid them at all cost."
* https://www.facebook.com/about/graphsearch
___

Ebola Phishing Scams and Malware Campaigns
- https://www.us-cert.gov/ncas/current-activity/2014/10/16/Ebola-Phishing-Scams-and-Malware-Campaigns
Oct 16, 2014 - "... protect against email scams and cyber campaigns using the Ebola virus disease (EVD) as a theme. Phishing emails may contain links that direct users to websites which collect personal information such as login credentials, or contain malicious attachments that can infect a system. Users are encouraged to use caution when encountering these types of email messages and take the following preventative measures to protect themselves:
- Do not follow unsolicited web links or attachments in email messages.
- Maintain up-to-date antivirus software..."
___

CUTWAIL Spambot Leads to UPATRE-DYRE Infection
- http://blog.trendmicro.com/trendlabs-security-intelligence/cutwail-spambot-leads-to-upatre-dyre-infection/
Oct 16, 2014 - "... a new spam attack disguised as invoice message notifications was recently seen spreading the UPATRE malware, which ultimately downloads its final payload, a BANKER malware related to the DYREZA/DYRE banking malware... In early October we observed a surge of spammed messages sent by the botnet CUTWAIL/PUSHDO, totaling more than 18,000 messages seen in a single day. CUTWAIL/PUSHDO has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009. We spotted some spammed emails that disguise themselves as invoice message notifications or “new alert messages” from various companies and institutions.
Screenshot of spammed messages related to CUTWAIL/PUSHDO:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/Cutwail_samples.jpg
Top spam sending countries for this CUTWAIL spam run:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/Top-spam-sending-countries-01.jpg
... Based on our 1H 2014 spam report, UPATRE is the top malware seen in spam emails. With its continuously developing techniques, UPATRE remains one of the most prevalent malware families today. Examples of newer UPATRE techniques are its ability to use password-protected archives as attachments, and abuse of the online file storage platform Dropbox in order to bypass spam filters.
Top malware distributed via spam as of August 2014:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/10/CUTWAIL-Spambot_fig1.jpg
... in this attack, this UPATRE variant, TROJ_UPATRE.YYJS downloads the final payload, TSPY_BANKER.COR, which is related to DYREZA/DYRE banking malware. The DYREZA malware is a banking malware with the following capabilities:
- Performs man-in-the-middle attacks via browser injections
- Steals banking credentials and monitors online banking session/transactions
- Steals browser snapshots and other information
Based on our analysis, TSPY_BANKER.COR connects to several websites to receive and send information. Given this series of malware infections, affected systems also run the risk of having their sensitive data stolen (such as banking credentials) in order to be used for other future attacks. Apart from the risk of stolen information, this spam attack also highlights the risk of traditional threats (like spam) being used as a vehicle for -other- advanced malware to infect systems. This may consequently even lead to infiltrating an entire enterprise network... We highly recommend that users take extra caution when dealing with emails that contain attachments and URLs in the email body. Ensure that the domains are legitimate and take note of the company name indicated in the email. Another tip is to steer clear of suspicious-looking archive files attached to emails, such as those ending in .ZIP or .RAR. UPATRE is also known to use email templates through DocuSign with emails that come in the form of -bank- notifications, -court- notices, and -receipts- ..."
___

WhatsApp Spam
- http://threattrack.tumblr.com/post/100162392338/whatsapp-spam
Oct 16, 2014 - "Subjects Seen:
   Voice Message Notification
Typical e-mail details:
   You have a new voicemail!
    Details:
    Time of Call: Oct-13 2014 06:02:04
    Lenth of Call: 07sec


Malicious URLs:
    p30medical .com/dirs.php?rec=LLGIAmEUFLipINmiPz4S0g
Malicious File Name and MD5:
    VoiceMail.zip (713A7D2A9930B786FE31A603CD06B196)
    VoiceMail.exe (2B7E9FC5A65FE6927A84A35B5FEAC062)


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/5fe4acaac97621cafb4688b950049ac6/tumblr_inline_ndjlwzSYyI1r6pupn.png

Tagged: Whatsapp, Kuluoz

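Added example, not from the forum post or any of the sources it quotes: a small Python check in the spirit of the "save the attachment and check it first" advice above. It flags names with an executable extension, document-looking names that really end in an executable extension (the "faked extension" trick), and ZIP archives that carry an executable, as with the VoiceMail.zip / VoiceMail.exe pair in the WhatsApp spam item. The extension lists and the in-memory sample archive are constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Constructed lists for the example; not exhaustive.
# Extensions that run code when double-clicked on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# "Document" extensions a faked name such as invoice.xls.exe borrows.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
ARCHIVE_EXTS = {".zip"}


def name_findings(name):
    """Return the reasons (possibly none) a single filename looks deceptive."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    findings = []
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        findings.append("executable extension " + suffixes[-1])
    # invoice.xls.exe: a document extension sits just before the real one.
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and suffixes[-1] in EXECUTABLE_EXTS:
        findings.append("document extension hidden before " + suffixes[-1])
    return findings


def attachment_findings(name, data):
    """Check an attachment by name and, for ZIP archives, every member name inside it."""
    findings = name_findings(name)
    if PurePosixPath(name).suffix.lower() in ARCHIVE_EXTS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for reason in name_findings(member):
                        findings.append(f"{member} inside archive: {reason}")
        except zipfile.BadZipFile:
            # A .zip that is not a ZIP is itself worth a look.
            findings.append("archive is not a valid ZIP file")
    return findings


def build_sample_zip(member_name):
    """Build a constructed ZIP in memory holding one placeholder member (not a real program)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"constructed placeholder bytes, not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    for reason in attachment_findings("VoiceMail.zip", build_sample_zip("VoiceMail.exe")):
        print("VoiceMail.zip:", reason)
```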

 8 
 on: October 17, 2014, 02:19:20  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

iTunes 12.0.1 released
- https://support.apple.com/kb/HT6537
Last Modified: Oct 16, 2014
CVE Reference(s): CVE-2013-2871, CVE-2013-2875, CVE-2013-2909, CVE-2013-2926, CVE-2013-2927, CVE-2013-2928, CVE-2013-5195, CVE-2013-5196, CVE-2013-5197, CVE-2013-5198, CVE-2013-5199, CVE-2013-5225, CVE-2013-5228, CVE-2013-6625, CVE-2013-6635, CVE-2013-6663, CVE-2014-1268, CVE-2014-1269, CVE-2014-1270, CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, CVE-2014-1293, CVE-2014-1294, CVE-2014-1298, CVE-2014-1299, CVE-2014-1300, CVE-2014-1301, CVE-2014-1302, CVE-2014-1303, CVE-2014-1304, CVE-2014-1305, CVE-2014-1307, CVE-2014-1308, CVE-2014-1309, CVE-2014-1310, CVE-2014-1311, CVE-2014-1312, CVE-2014-1313, CVE-2014-1323, CVE-2014-1324, CVE-2014-1325, CVE-2014-1326, CVE-2014-1327, CVE-2014-1329, CVE-2014-1330, CVE-2014-1331, CVE-2014-1333, CVE-2014-1334, CVE-2014-1335, CVE-2014-1336, CVE-2014-1337, CVE-2014-1338, CVE-2014-1339, CVE-2014-1340, CVE-2014-1341, CVE-2014-1342, CVE-2014-1343, CVE-2014-1344, CVE-2014-1362, CVE-2014-1363, CVE-2014-1364, CVE-2014-1365, CVE-2014-1366, CVE-2014-1367, CVE-2014-1368, CVE-2014-1384, CVE-2014-1385, CVE-2014-1386, CVE-2014-1387, CVE-2014-1388, CVE-2014-1389, CVE-2014-1390, CVE-2014-1713, CVE-2014-1731, CVE-2014-4410, CVE-2014-4411, CVE-2014-4412, CVE-2014-4413, CVE-2014-4414, CVE-2014-4415
___

Security Update 2014-005
- https://support.apple.com/kb/HT6531
Oct 16, 2014
> https://www.us-cert.gov/ncas/current-activity/2014/10/17/Apple-Releases-Security-Update-2014-005
Oct 17, 2014 - "... Security Update 2014-005 to address vulnerabilities in SSL 3.0..."
___

OS X Server v4.0
- http://support.apple.com/kb/HT6536
Oct 16, 2014

- http://www.securitytracker.com/id/1031071
___

OS X Yosemite v10.10
- http://support.apple.com/kb/HT6535
Oct 16, 2014

- http://www.securitytracker.com/id/1031063

- http://www.securitytracker.com/id/1031065

OS X Yosemite: List of available trusted root certificates
- http://support.apple.com/kb/HT6005
Oct 17, 2014


 9 
 on: October 16, 2014, 13:55:15  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Four more botched MS patches: KB 3000061, KB 2984972, KB 2949927, KB 2995388
Windows users are reporting significant problems with four more October Black Tuesday patches
- http://www.infoworld.com/article/2834535/security/four-more-botched-black-tuesday-patches-kb-3000061-kb-2984972-kb-2949927-and-kb-2995388.html
Oct 16, 2014 - "... Black Tuesday problems continue to pile up. Yesterday brought to light problems with KB 2952664*, the seventh patch with that name, which fails to install on a large number of Windows 7 machines. Now there are reports of four more botched patches. It's too early to tell exactly what's causing the problems, but if you're having headaches, you aren't alone - and there are solutions.
* http://www.infoworld.com/article/2833825/microsoft-windows/windows-7-patch-kb-2952664-fails-with-error-80242016.html
KB 3000061**... is a kernel mode driver update, MS14-058. It's one of Microsoft's zero-day patches this month - there are very limited but identified attacks in the wild that use this security hole.
** https://support.microsoft.com/kb/3000061
TechNet has a thread*** about failure to install on Server 2012 machines. Poster jcs916 describes a problem with installing KB 3000061 on a Windows 8.1 machine...
*** https://social.technet.microsoft.com/Forums/windowsserver/en-US/f77691d8-a9d0-4714-98ad-71665cfa8965/kb3000061-fails-to-install-on-server-2012?forum=winserver8gen
Microsoft released seven separately identified security patches that weren't associated with Security Bulletins. One of them, KB 2984972, isn't faring well... AndrewKelly, posting on the TechNet forum[4], says he has had problems with Autodesk packages after applying the patch:
4] https://social.technet.microsoft.com/Forums/en-US/c90212b0-b32c-4488-9753-fb952112828c/warning-kb2984972-and-autodeskrelated-46-appv-packages?forum=mdopappv
... Finally, a nonsecurity update rollup, KB 2995388[5] - also distributed Tuesday - is causing problems with VMware. After installing the patch, every time you try to boot a virtual machine, you get a message: "Not enough physical memory is available to power on this virtual machine with its configured settings." The VMware folks[6] recommend you -not- install KB 2995388; if you have, they recommend that you -uninstall- it."
5] http://support.microsoft.com/kb/2995388

6] http://blogs.vmware.com/workstation/2014/10/workstation-10-issue-recent-microsoft-windows-8-1-update.html
___

- http://blogs.msmvps.com/bradley/2014/10/15/patches-to-keep-an-eye-on/
Oct 15, 2014


 10 
 on: October 16, 2014, 12:55:30  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

PHP 5.5.18 released
- http://php.net/
16 Oct 2014 - "The PHP development team announces the immediate availability of PHP 5.5.18. Several bugs were fixed in this release. A -regression- in OpenSSL introduced in PHP 5.5.17 has also been addressed in this release. PHP 5.5.18 also fixes -4- CVEs in different components. All PHP 5.5 users are encouraged to upgrade to this version..."

Changelog:
- http://php.net/ChangeLog-5.php#5.5.18

Downloads:
- http://www.php.net/downloads.php

- http://windows.php.net/download/

