News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
October 26, 2014, 00:28:53
1 - on: October 25, 2014, 17:42:22 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

2 hacks plead guilty to $15 million scheme
- http://www.reuters.com/article/2014/10/24/us-usa-crime-cybersecurity-idUSKCN0ID2IM20141024
Oct 24, 2014 - "A Massachusetts man was sentenced to 21 months in prison on Friday for his role in a cybercrime scheme that hacked accounts at banks, brokerage firms and government agencies in an attempt to steal more than $15 million, U.S. prosecutors said. Robert Dubuc, 41, pleaded guilty to wire fraud conspiracy, conspiracy to commit access device fraud and identity theft in federal court in New Jersey in April. U.S. District Judge Peter Sheridan in Trenton imposed the sentence on Friday. A co-defendant, Oleg Pidtergerya, pleaded guilty to the same charges and is scheduled for sentencing in December. Prosecutors said the two men were members of an international cybercrime ring led by Oleksiy Sharapka and Leonid Yanovitsky of Kiev, Ukraine, who have also been indicted but remain at large. The group hacked into accounts in 2012 and 2013 at global banks and other institutions, including Citigroup Inc, JPMorgan Chase & Co, the U.S. Department of Defense, PayPal and others, and diverted funds into accounts and debit cards they controlled, prosecutors said. The group then used “cash out” crews to tap the stolen funds by withdrawing cash from ATMs and making fraudulent purchases, according to prosecutors. Dubuc operated a crew out of Massachusetts, while Pidtergerya led a crew in New York, the government said. Eight individuals have been charged in the case."
- http://www.justice.gov/usao/nj/Press/files/Dubuc,%20Robert%20Sentencing%20News%20Release.html


2 - on: October 25, 2014, 03:26:04 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake 'New order' SPAM - malware
- http://myonlinesecurity.co.uk/daniela-lederer-re-new-order-malware/
25 Oct 2014 - "'Daniela Lederer Re: New Order' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/Daniela-Lederer-new-order.png

25 October 2014: J2134457863.zip: Extracts to: J2134457863.exe
Current VirusTotal detections: 14/54*. Be very careful with email attachments. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/file/e5b881143bd10304d8211fc4f2708839361cab6af59934d327150bcb0d098e86/analysis/1414216443/


3 - on: October 24, 2014, 09:16:06 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

- http://tools.cisco.com/security/center/publicationListing.x

Cisco ASA Software - multiple vulns
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
Rev 1.1 - 2014 Oct 24 - "Summary: Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
- Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
- Cisco ASA VPN Denial of Service Vulnerability
- Cisco ASA IKEv2 Denial of Service Vulnerability
- Cisco ASA Health and Performance Monitor Denial of Service Vulnerability
- Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
- Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
- Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
- Cisco ASA VPN Failover Command Injection Vulnerability
- Cisco ASA VNMC Command Input Validation Vulnerability
- Cisco ASA Local Path Inclusion Vulnerability
- Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
- Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
- Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others... Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available..."
Rev 1.1 - 2014-Oct-24 - Updated the target date for Cisco ASA Software version 9.3(1.1) and the "Exploitation and Public Announcements" Section.
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3382 - 7.8 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3383 - 7.8 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3384 - 7.8 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3385 - 7.8 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3386 - 7.8 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3387 - 7.8 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3388 - 7.8 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3389 - 9.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3390 - 6.8
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3391 - 6.8
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3392 - 8.3 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3393 - 4.3
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3394 - 5.0

Cisco IronPort Appliances Telnet Remote Code Execution vuln
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport
Rev 2.0 - 2014 Oct 16 - "Summary: Cisco AsyncOS Software for Cisco Web Security Appliance (WSA), Cisco Email Security Appliance (ESA), and Cisco Content Security Management Appliance (SMA) contain a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available..."
Rev 2.0 - 2014-Oct-16 - Added important information about Cisco WSA.
See "Software Versions and Fixes": Cisco ESA, SME, WSA
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4862 - 10.0 (HIGH)


4 - on: October 24, 2014, 03:37:13 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Invoice SPAM – Word doc malware
- http://myonlinesecurity.co.uk/invoice-8014042-october-word-doc-malware/
24 Oct 2014 - "'invoice 8014042 October' pretending to come from Sandra Lynch with a malformed word doc attachment containing a macro virus is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please find attached your October invoice, we now have the facility to email invoices,
    but if you are not happy with this and would like a hard copy please let me know.
    New bank details for BACS payments are Santander Bank Sort Code 8014042 Account No 5608014042.
    Thanks very much
    Kind Regards
    Sandra Lynch

24 October 2014: invoice_8014042.doc: Current VirusTotal detections: 0/54*
Be very careful with email attachments. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email..."
* https://www.virustotal.com/en/file/9659be0ec03fafcea7200032cdf3434ba14c99b9a8e0c3a16f5419d3817c48de/analysis/1414141144/
___

Fake Fax SPAM.. again.
- http://blog.dynamoo.com/2014/10/youve-received-new-fax-spam-again.html
24 Oct 2014 - "Another day, another -fake- fax spam.
    From:     Fax [fax@ victimdomain .com]
    To:     luke.sanson@ victimdomain .com
    Date:     24 October 2014 10:54
    Subject:     You've received a new fax
    New fax at SCAN2383840 from EPSON by https://victimdomain.com
    Scan date: Fri, 24 Oct 2014 15:24:22 +0530
    Number of pages: 2
    Resolution: 400x400 DPI
    You can secure download your fax message at ...
    (eFax Drive is a file hosting service operated by J2, Inc.)

The link in the email goes to a script which (if the browser settings are correct) downloads a file document_92714-872_pdf.zip which in turn contains a malicious executable document_92714-872_pdf.exe which has a VirusTotal detection rate of 3/54*... The malware also drops two executables on the system, kcotk.exe (VT 0/53**...) and ptoma.exe (VT 2/51***...)... Recommended blocklist:
188.165.214.6
rodgersmith .com
"
* https://www.virustotal.com/en/file/d9f637e2750f01b7d07451b4262a5d560ef2b5743db0a26881c4ebbd9e04373f/analysis/1414145184/

** https://www.virustotal.com/en-gb/file/8483369c80851bb2ecbf221b9d4c01dbd2980b7d3eb3c5829eccad62bef80651/analysis/1414145764/

*** https://www.virustotal.com/en-gb/file/b4798bbf747180a96b476af6adf167bd62e5c8b5d92b0c994e8a42a45c3bd19e/analysis/1414145784/
___

Widespread malvertising - delivered ransomware
- http://net-security.org/malware_news.php?id=2894
24.10.2014 - "A newer version of the Cryptowall ransomware has been delivered to unsuspecting Internet users via malicious ads shown on a considerable number of high-profile websites, including properties in the Yahoo, Match.com, and AOL domains. According to Proofpoint's calculations*, the malvertising campaign started in late September, picked up the pace this month, and lasted until October 18 and likely even a bit longer... In this campaign, the attackers used already existing ads for legitimate products, and submitted them to at least three major ad network members (Rubicon Project, Right Media/Yahoo Advertising, and OpenX). Visitors to the sites that ended up serving the malicious ads were automatically infected with the ransomware if they used software with vulnerabilities exploitable by the FlashPack Exploit Kit. The ransomware then encrypts the victims' hard drives and asks for money in return for the decryption key. Unfortunately, even if the ransom is paid, there is no guarantee that the victim will actually receive the key. The ransom is supposed to be paid in Bitcoin, and the addresses the criminals used for this purpose are C&C server-generated and many... This particular campaign now seems to be over - all the affected parties (optimizers and ad networks) have been notified, and the malicious ads pulled. Still, that doesn't mean that the attackers have not switched to spreading CryptoWall 2.0 via other means..."
* http://www.proofpoint.com/threatinsight/posts/malware-in-ad-networks-infects-visitors-and-jeopardizes-brands.php
___

Ebola-themed emails deliver malware, exploit Sandworm vulnerability (MS14-060)
- http://net-security.org/malware_news.php?id=2895
24.10.2014 - "US CERT has recently issued a warning* about malware-delivery campaigns using users' fear of the Ebola virus and its spreading as a bait. One of the most prolific campaigns is the one that -impersonates- the World Health Organization:
> http://www.net-security.org/images/articles/who-spam-24102014.jpg
The emails in question initially -linked- to the -malware-, a variant of the DarkKomet RAT tool, used by attackers to access and control the victim's computer remotely and steal information. After a while, the attackers began to attach the malware directly to the message, as access to the malicious file hosted on a popular cloud data storage service was blocked quickly by service administrators, noted Tatyana Shcherbakova:
> https://securelist.com/blog/spam-test/67344/a-false-choice-the-ebola-virus-or-malware/
According to Websense researchers**, Ebola-themed malicious emails and documents are also being used by attackers taking advantage of the recently discovered Sandworm vulnerability (CVE-2014-4114***)..."
* https://www.us-cert.gov/ncas/current-activity/2014/10/16/Ebola-Phishing-Scams-and-Malware-Campaigns
Oct 16, 2014
** http://community.websense.com/blogs/securitylabs/archive/2014/10/23/Ebola-Spreads-_2D00_-In-Cyber-Attacks-Too.aspx
*** https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4114 - 9.3 (HIGH)
___

Phalling for the phish...
- http://blog.dynamoo.com/2014/10/do-people-really-fall-for-this.html
24 Oct 2014 - "... a simple phishing spam..
    From:     info@ kythea .gr
    Date:     24 October 2014 13:50
    Subject:     payment
    this mail is to inform you that the payment have been made
    see the attached file for the payment slip
    ANTON ARMAS

Attached is a file payment Slip (2).html which displays a popup alert:
    You have been signed out of this account this may have happened automatically cause the attachement needs authentication. to continue using this account, you will need to sign in again. this is done to protect your account and to ensure the privacy of your information

The victim then gets sent to a phishing page, in this case at uere.bplaced .net/blasted/tozaiboeki.webmail .html which looks like this..
> https://4.bp.blogspot.com/-dliSNtwDjPk/VEpWNYc6hyI/AAAAAAAAF48/S74-pPcyPuI/s1600/multiphish.jpg
... do people really fall for this? The frightening answer is.. probably, yes."

bplaced .net: 5.9.107.19: https://www.virustotal.com/en/ip-address/5.9.107.19/information/


5 - on: October 24, 2014, 02:59:56 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

QuickTime 7.7.6 released
- https://support.apple.com/kb/HT6493
Oct 22, 2014
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4979 - 9.3 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4350 - 6.8
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4351 - 6.8
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1391 - 6.8

... use Apple Software Update.

- https://www.us-cert.gov/ncas/current-activity/2014/10/23/Apple-Releases-Security-Updates-QuickTime
Oct 23, 2014


6 - on: October 23, 2014, 08:22:05 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

- http://windowssecrets.com/top-story/protecting-yourself-from-poodle-attacks/
Oct 23, 2014 - "The following changes force your browser to not use SSL 3.0. Here’s what to adjust in the top three browsers...

Chrome: In Google’s browser, edit the shortcut that launches the browser, adding a flag to the end of the Shortcut path. Start by selecting the icon normally used to launch Chrome. Right-click the icon and select Properties. Under the Shortcut tab, find the box labeled "Target" and insert --ssl-version-min=tls1 immediately after chrome.exe" (see Figure 1). It should look something like this (note the space between .exe" and --ssl-):
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1
Figure 1: http://windowssecrets.com/wp-content/uploads/2014/10/W20141023-TS-Chrome.png

... in the Oct. 14 Mozilla blog post*, Firefox 34, due to be released on Nov. 25, will disable SSL 3.0 support. In the meantime, Mozilla recommends installing the add-on (download site**), “SSL Version Control 0.2” (see Figure 2), which will let you control SSL support within the browser. (Some websites have recommended adjusting Firefox settings in the configuration file, but Mozilla recommends using the add-on instead.)..."
* https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
** https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
Figure 2: http://windowssecrets.com/wp-content/uploads/2014/10/W20141023-TS-FF.png

... Internet Explorer: In IE, click the gear (settings) icon, open Internet options, and then select the Advanced tab. Scroll down the Settings list to the Security category, and then look for Use SSL 3.0. Uncheck the box (see Figure 3), click OK, and then relaunch IE... Microsoft released an initial security advisory on this topic; expect to see additional guidance in the near future...
Figure 3: http://windowssecrets.com/wp-content/uploads/2014/10/W20141023-TS-IE.png

... How to test your browser’s TLS/SSL protection:
Several websites test whether your currently open browser supports SSL 3.0. For a simple test, Poodletest.com displays a poodle dog if your browser still supports SSL 3.0, and a Springfield terrier if it doesn’t. On the other hand, Qualys SSL Labs (site***) provides a more detailed analysis of the SSL protocols your browser supports.
As noted above, some business sites such as online -banking- might still need SSL 3.0. Again, I recommend leaving SSL 3.0 support on -one- browser; it’ll be faster and safer than repeatedly adjusting browser settings. If you’re running a Web server or small-business server, you should -disable- SSL 3.0 support to better protect connected workstations and Internet-based phones...  there’s a silver lining to this latest security mess — it should now force everyone on the Internet to finally abandon a dated, insecure protocol."
*** https://www.ssllabs.com/ssltest/viewMyClient.html
"Your user agent is not vulnerable..." < What you want to see after the new Firefox extension is installed.

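The article above turns SSL 3.0 off in the browser and then checks the result through a test website. The following added example (written for this page; it is not code from Windows Secrets, Mozilla or Qualys SSL Labs) looks at the same question from the defender's side: it parses the ClientHello a client sends at the start of a handshake, which is what a proxy log or packet capture lets you inspect, and reports whether the client still offers only SSL 3.0 or is retrying at a lowered version carrying the TLS_FALLBACK_SCSV signalling suite from RFC 7507 (the "downgrade dance" that POODLE depends on). The sample ClientHello bytes, the build_client_hello helper and the wording of the assess verdicts are constructed for the example; the record and handshake layout follows the TLS specification.

```python
import struct

# Protocol version bytes as they appear in the record and handshake headers.
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
# RFC 7507 signalling cipher suite: a client includes it when it is retrying the
# handshake at a lower version than it supports (the downgrade dance POODLE abuses).
TLS_FALLBACK_SCSV = 0x5600


def build_client_hello(major, minor, cipher_suites, record_version=(3, 1)):
    """Assemble a minimal, well-formed ClientHello (constructed test input, not captured traffic)."""
    body = bytes([major, minor])                     # client_version: highest version offered
    body += b"\x00" * 32                             # random (constructed, all zero)
    body += b"\x00"                                  # session_id length 0
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites  # cipher_suites vector
    body += b"\x01\x00"                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType 1 = client_hello
    return b"\x16" + bytes(record_version) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(data):
    """Parse a TLS record carrying a ClientHello; raise ValueError on anything malformed."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (data[1], data[2])
    record_len = struct.unpack(">H", data[3:5])[0]
    hs = data[5:5 + record_len]
    if len(hs) != record_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a complete ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello body")
    client_version = (body[0], body[1])
    pos = 34                                         # skip client_version(2) + random(32)
    pos += 1 + body[pos]                             # skip session_id
    if pos + 2 > len(body):
        raise ValueError("cipher_suites length missing")
    suites_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    raw = body[pos:pos + suites_len]
    if len(raw) != suites_len or suites_len % 2:
        raise ValueError("bad cipher_suites vector")
    suites = [struct.unpack(">H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]
    return {
        "record_version": record_version,
        "client_version": client_version,
        "cipher_suites": suites,
        "fallback_scsv": TLS_FALLBACK_SCSV in suites,
    }


def assess(info):
    """One-line verdict on what this client is willing to negotiate."""
    ver = info["client_version"]
    name = VERSION_NAMES.get(ver, "unknown %d.%d" % ver)
    if ver == (3, 0):
        return "client_version SSL 3.0: exposed to POODLE if the server still accepts SSL 3.0"
    if info["fallback_scsv"]:
        return "retry at %s with TLS_FALLBACK_SCSV: a server supporting higher versions must refuse it" % name
    return "offers up to %s: not exposed unless a fallback to SSL 3.0 happens" % name


if __name__ == "__main__":
    samples = {                                      # constructed hellos, not real captures
        "legacy client": build_client_hello(3, 0, [0x000A, 0x002F]),
        "fallback retry": build_client_hello(3, 1, [0x002F, TLS_FALLBACK_SCSV]),
        "modern client": build_client_hello(3, 3, [0xC02F, 0x009C]),
    }
    for label, hello in samples.items():
        print("%-15s %s" % (label, assess(parse_client_hello(hello))))
```

To use it on real traffic, feed parse_client_hello the payload of the first TLS record a client sends; a browser still reporting client_version 3.0, or repeatedly retrying with TLS_FALLBACK_SCSV, is one that has not yet had the settings above applied.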

7 - on: October 23, 2014, 08:11:52 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

VMSA-2014-0011 - VMware vSphere Data Protection - critical update
- http://www.vmware.com/security/advisories/VMSA-2014-0011.html
2014-10-22
Summary: VMware vSphere Data Protection product update addresses a critical information disclosure vulnerability.
Relevant releases: VMware vSphere Data Protection 5.5 prior to 5.5.7
Solution: Please review the patch/release notes for your product and version...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4624
Downloads:
- https://my.vmware.com/web/vmware/details?productId=375&downloadGroup=VDPADV55_7
Documentation:
- https://www.vmware.com/support/vdr/doc/vdp_557_releasenotes.html
___

- http://www.securitytracker.com/id/1031114
CVE Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4624
Oct 23 2014
Impact: Disclosure of authentication information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): vSphere Data Protection 5.5.x prior to 5.5.7 ...
Impact: A remote user can obtain passwords.
Solution: The vendor has issued a fix (5.5.7)...


8 - on: October 23, 2014, 04:48:11 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake 'Order Confirmation' SPAM
- http://blog.dynamoo.com/2014/10/fake-supertouchcom-allied-international.html
23 Oct 2014 - "This fake Order Confirmation spam pretends to come from supertouch.com / Allied International Trading Limited but doesn't. The email is a -forgery- originating from an organised crime ring, it does not originate from supertouch .com / Allied International Trading Limited nor have their systems been compromised in any way.
    From:     Elouise Massey [Elouise.Massey@ supertouch .com]
    Date:     23 October 2014 10:52
    Subject:     Order Confirmation
    Hello,
    Thank you for your order, please check and confirm.
    Kind Regards
    Elouise
    Allied International Trading Limited ...

In the sample I received, the attachment was -corrupt- but should have been a malicious Word document S-CON-A248-194387.doc. The document and payload is exactly the same as the one being sent out today with this spam run[1] (read that post for more details) and is very poorly detected, although blocking access to the following IPs and domains might help mitigate against it:
87.106.84.226
84.40.9.34
jvsfiles .com
"

[1] http://blog.dynamoo.com/2014/10/fake-humber-merchants-group.html

62.75.182.94: https://www.virustotal.com/en/ip-address/62.75.182.94/information/
___

Fake 'bank detail' SPAM - trojan
- http://blog.mxlab.eu/2014/10/23/fake-email-regarding-bitstamp-new-banking-details-contains-trojan/
Oct 23, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “New bank details”. This email is sent from the spoofed address “"Bitstamp .net" <no_reply@ bitstamp .net>”, while the real SMTP sender is AmericanExpress@ welcome .aexp .com, and has the following body:
    New banking details
    Dear Bitstamp clients,
    We would like to inform you that Bitstamp now has new bank details, please check attached file.
    We would like to assure those of you who sent deposits to our old details that our old IBAN is still active and your transfers, if otherwise sent with correct information, should arrive without a problem.
    Please note that SEPA transfers usually take 1 to 3 business days to arrive and would kindly ask those waiting for your SEPA transfers longer than usually to please send us a transfer confirmation so that we can examine our bank account log and locate your transfers.
    Also for those waiting on deposits we ask for your patience; we have accumulated a long list of transfers which lack information or contain wrong information which means we need to manually go through all of them instead of our system sorting them automatically.
    Best regards
    CEO, Nejc Kodrič
    Bitstamp LIMITED

The attached ZIP file has the name bank details.zip and contains the 24 kB large file bank details.scr. The trojan is known as Troj.W32.Gen, a variant of Win32/Kryptik.COEK, HEUR/QVM20.1.Malware.Gen or Mal/Generic-S. At the time of writing, 4 of the 53 AV engines did detect the trojan at Virus Total*. Now, MX Lab has also intercepted some emails -without- the malicious attachment but be aware that this email is a risk..."
* https://www.virustotal.com/en/file/83fc76ba29762e28fc80c08085003b811a1fa3eae51635f99ff35b4022fd1769/analysis/1414073432/
... Behavioural information
DNS requests
VBOXSVR. ovh .net: 213.186.33.6: https://www.virustotal.com/en/ip-address/213.186.33.6/information/
___

Two exploit kits prey on Flash Player flaw patched only last week
- http://net-security.org/malware_news.php?id=2892
23.10.2014 - "Two exploit kits prey on Flash Player flaw patched only last week... The integer overflow vulnerability in question (CVE-2014-0569*) can allow attackers to execute arbitrary code via unspecified vectors, and is deemed critical (high impact, easily exploitable)... the time period was very short, and technical information about the vulnerability and exploit code hasn't yet been shared online... The exploit kits are used to deliver the usual assortment of malware, and some of the variants have an extremely low detection rate... If you use Adobe Flash Player, and you haven't implemented the latest patches, now would be a good time to rectify that mistake."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0569 - 10.0

- http://atlas.arbor.net/briefs/index#1049793989
Elevated Severity
23 Oct 2014

- http://www.securitytracker.com/id/1031019
CVE Reference: CVE-2014-0558, CVE-2014-0564, CVE-2014-0569
Oct 14 2014
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Solution: The vendor has issued a fix (13.0.0.250 extended support release, 15.0.0.189 for Windows/Mac, 11.2.202.411 for Linux)...
Flash 15.0.0.189 released: https://helpx.adobe.com/security/products/flash-player/apsb14-22.html
Oct 14, 2014

For I/E:  http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_15_active_x.exe

For Firefox (Plugin-based browsers):  http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_15_plugin.exe

Flash test site: http://www.adobe.com/software/flash/about/
___

Fake VoiceMail SPAM
- http://blog.dynamoo.com/2014/10/voice-mail-voicemailsendervoicemailcom.html
23 Oct 2014 - "Before you open something like this.. think if you really get voice mail notifications through your email. No? Well, -don't- open it.
    From:  "Voice Mail" [voicemail_sender@ voicemail .com]
    Date:  Thu, 23 Oct 2014 14:31:22 +0200
    Subject:  voice message from 598-978-8974 for mailbox 833
    You have received a voice mail message from 598-978-8974
    Message length is 00:00:33. Message size is 264 KB.
    Download your voicemail message from dropbox service below (Google Disk
    Drive Inc.) ...

Clicking the link goes to a script that detects if the visitor is running Windows, if so it downloads a file doc_9231-92_pdf.zip from the target system which in turn contains a malicious executable doc_9231-92_pdf.exe which has a VirusTotal detection rate of 4/51*... 188.165.214.6 is rather unsurprisingly allocated to OVH France. It also drops a couple of executables onto the system... Recommended blocklist:
188.165.214.6
inaturfag .com
"
* https://www.virustotal.com/en-gb/file/d0d1c65304481df41fb55c9962e057a1029bd8a28f5a1b75835e1025c25887c0/analysis/1414075720/
___

Fake BoA SPAM – PDF malware
- http://myonlinesecurity.co.uk/mamie-french-bank-america-unknown-incoming-wire-fake-pdf-malware/
23 Oct 2014 - "'Mamie French Bank of America Unknown incoming wire' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    The banking activity with today’s posting date shows Electronic Fund Transfer (EFT) that has been received. Our bank has noted the following information:
    EFT Amount: $ 6,200.00
    Remitted From: SSA TREAS 310 MISC PAY
    Designated for: UNKNOWN
    Please download and open attachment with full imformation about this Electronic Fund Transfer payment.
    If you confirm that it belongs to your agency or department, please email back or give us a call. Then, our office needs to receive a completed General Deposit no later than 10:00 a.m. tomorrow.
    Note: If these funds cannot be identified or if no one claims this EFT, we are required to process the return of this EFT by 10:00 a.m., June 24, 2014.
    Thank you.
    Mamie French
    Senior Accountant
    Bank of America ...

23 October 2014: electronic_fund_transfer.zip: Extracts to: electronic_fund_transfer.scr
Current VirusTotal detections: 10/53*. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d0d1c65304481df41fb55c9962e057a1029bd8a28f5a1b75835e1025c25887c0/analysis/1414081814/


9 - on: October 22, 2014, 05:16:37 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Debt Recovery SPAM - PDF malware
- http://myonlinesecurity.co.uk/bd-digital-supplies-commercial-debt-recovery-fake-pdf-malware/
22 Oct 2014 - "An email coming from random senders pretending to be B&D Digital Supplies or B&D Computers which is all about debt recovery and threatening legal action with a subject of 'Commercial Debt Recovery', Ref No: [random numbers] is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/10/commercial-debt-recovery.png

Be very careful with email attachments. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Fake customer service SPAM - doc malware
- http://myonlinesecurity.co.uk/customer-service-word-doc-malware/
22 Oct 2014 - "An email pretending to have a Word document invoice attachment with a subject of Reference: [random characters] coming from [random name] 'customer service' at an unspecified company is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer... The email looks like:

    This email contains an invoice file attachment ID:VZY563200VA
    Thanks!
    Kelli Horn .

22 October 2014: ENC094126XJ.doc - Current VirusTotal detections: 0/54*. Be very careful with email attachments. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustotal.com/en/file/d328ceac71beead36034d6f74671a84c197cf2fa9e2155885aa720363045eb0e/analysis/1413973355/
___

Fake Malformed or infected word docs with embedded macro viruses
- http://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/
22 Oct 2014 - "We are seeing loads of emails with malformed or infected Word docs with embedded macro viruses; they are what appears to be a genuine Word doc attached, which is malformed and contains a macro or VBA script virus. Modern versions of Microsoft Office, that is Office 2010 and 2013 and Office 365, have macros disabled by default, UNLESS you or your company have enabled them. Opening this malicious Word document will infect you if macros are enabled, and simply previewing it in Windows Explorer or your email client might well be enough to infect you... Do -not- open Word docs received in an email without scanning them with your antivirus first, and be aware that there are a lot of dodgy Word docs spreading that WILL infect you with no action from you if you are still using an outdated or vulnerable version of Word. This is a good reason to update your Office programs to a recent version and stop using Office 2003 and 2007. The risks in using older versions are starting to outweigh the convenience, benefits and cost of keeping an old version going... All modern versions of Word and other Office programs, that is 2010, 2013 and 365, should open Word docs, Excel files and PowerPoint etc. that are downloaded from the web or received in an email automatically in “protected view”, which stops any embedded malware or macros from being displayed and running. Make sure protected view is set in all Office programs to protect you and your company from these sorts of attacks..."

- http://blog.dynamoo.com/2014/10/this-email-contains-invoice-file.html
22 Oct 2014
Screenshot: https://3.bp.blogspot.com/-1zwDnotABo4/VEeoiHJ74iI/AAAAAAAAF3Y/mKs9rkfW_oY/s1600/image1.gif
VT1: https://www.virustotal.com/en-gb/file/992fefe6c60d93693be7790a03880cc39a6cc7eb197c8e28bafd53c5ebbfe638/analysis/1413981604/
VT2: https://www.virustotal.com/en-gb/file/73602b79321bc8190aed0aa9dd8ea0ef8997a37e92a64932ec258cb1b74f0788/analysis/1413982865/
___

Fake Wells Fargo SPAM – PDF malware
- http://myonlinesecurity.co.uk/wells-fargo-new-secure-message-fake-pdf-malware/
22 Oct 2014 - "An email pretending to come from Wells Fargo with a subject of 'You have a new Secure Message' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
 You have received a secure message
     Read your secure message by download AccountDocuments-10345.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
     In order to view the secure message please download it using our Cloud Hosting...
22 October 2014: document_013982_pdf.zip: Extracts to: document_013982_pdf.exe
Current Virus total detections: 5/54*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/de18e69c371dbd2f684e2dbcb40fa768c5ed8739182e75f4be90d81907e9e247/analysis/1413986180/
___

Flash Player exploit in-the-wild - CVE-2014-0569
- https://blog.malwarebytes.org/exploits-2/2014/10/cyber-criminals-quickly-adopt-critical-flash-player-vulnerability/
Oct 22, 2014 - "... less than a week ago, a critical flaw in the Flash Player (CVE-2014-0569*) was patched and made public:
* https://helpx.adobe.com/security/products/flash-player/apsb14-22.html
The vulnerability had been privately reported to Adobe through the Zero Day Initiative group, giving the firm time to fix the issue before it became known to the world. Typically, security researchers and criminals will be very attentive to such news, and skilled reverse engineers will start looking at the patch to be able to reconstruct the exploit. All things considered, there is normally a certain amount of time before a proof of concept is released and then a little more time before that PoC is weaponized by the bad guys... Kafeine**... stumbled upon that same CVE in a real world exploit kit (Fiesta EK) only one -week- after the official security bulletin had been published... That means we have less and less time to deploy and test security patches. Perhaps this is not too much of a deal for individuals, but it can be more difficult for businesses which need to roll out patches on dozens of machines, hoping doing so will not cause malfunctions in existing applications. In any case, this was our first chance to test CVE-2014-0569 in the wild by triggering the Fiesta EK against Malwarebytes Anti-Exploit:
> https://blog.malwarebytes.org/wp-content/uploads/2014/10/FiestaCVE-2014-0569.png
It is crucial to patch any system running outdated Flash Player versions as soon as possible! You can check the version you are running (make sure to do this in all the browsers you use) by going here:
>> http://www.adobe.com/software/flash/about/
The bad guys are not going to run short of vulnerabilities they can weaponize at a quicker rate than ever before. This leaves end-users with very little room for mistakes such as failing to diligently apply security patches -sooner- rather than later..."
** http://malware.dontneedcoffee.com/2014/10/cve-2014-0569.html

> https://blog.malwarebytes.org/tag/fiesta-ek/

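The two attachment tricks quoted above, the hidden-extension executable (document_013982_pdf.exe posing as a PDF) and the Word doc carrying an embedded VBA project, are exactly what a defender's attachment triage checks for. This added Python example is not from the quoted blogs or the poster; the file names and byte blobs it inspects are constructed stand-ins, and its legacy OLE check is a stream-name heuristic rather than a full compound-file parse.

```python
import io
import os
import zipfile

# Extensions Windows hides when "show known file extensions" is off, so the icon can lie about the type.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_HINTS = ("pdf", "doc", "xls", "invoice", "document", "statement")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# Compound-file directory names are UTF-16LE; this stream only exists inside a VBA project storage.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

def looks_like_disguised_executable(filename: str) -> bool:
    """True for names like document_013982_pdf.exe: a document-like stem before a hidden executable extension."""
    stem, ext = os.path.splitext(filename.lower())
    return ext in EXECUTABLE_EXTS and any(hint in stem for hint in DOCUMENT_HINTS)

def office_doc_has_macros(data: bytes) -> bool:
    """Heuristic VBA detection for legacy OLE (.doc/.xls) and OOXML (.docm/.xlsm) attachments."""
    if data.startswith(OLE_MAGIC):
        return VBA_MARKER in data  # not a full CFB parse, but the stream name is distinctive
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    return False

def triage_attachment(filename: str, data: bytes) -> list:
    """Return findings for one attachment; an empty list means neither trick was seen."""
    findings = []
    if looks_like_disguised_executable(filename):
        findings.append(f"{filename}: executable disguised as a document")
    if filename.lower().endswith(".zip") and data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            findings += [f"{filename} -> {m}: archived executable disguised as a document"
                         for m in zf.namelist() if looks_like_disguised_executable(m)]
    elif office_doc_has_macros(data):
        findings.append(f"{filename}: Office document carries a VBA project")
    return findings

def build_samples() -> dict:
    """Constructed stand-ins for the attachments described above; none is real malware."""
    zipped_exe, docm = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(zipped_exe, "w") as zf:
        zf.writestr("document_013982_pdf.exe", b"MZ" + b"\x00" * 64)
    with zipfile.ZipFile(docm, "w") as zf:
        zf.writestr("word/vbaProject.bin", OLE_MAGIC + VBA_MARKER)
    return {"AccountDocuments-10345.zip": zipped_exe.getvalue(),
            "invoice.docm": docm.getvalue(),
            "statement.doc": OLE_MAGIC + b"\x00" * 32 + VBA_MARKER + b"\x00" * 32,
            "report.doc": OLE_MAGIC + b"\x00" * 96}
```

Run `triage_attachment(name, blob)` over the output of `build_samples()` to see the zip member, the .docm and the legacy .doc flagged while the macro-free report.doc comes back empty.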

 10 
 on: October 22, 2014, 04:34:14  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

384 New Domains
- http://www.malwaredomains.com/?p=3673
October 20th, 2014 - "Added -384- domains from safebrowsing.clients.google.com, osint.bambenekconsulting.com, sandbox.1d4.us, cybertracker.malwarehunterteam.com and others..."

- http://mirror1.malwaredomains.com/files/

