News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
June 18, 2013, 20:02:05
 81 
 on: May 13, 2013, 02:52:23  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Something evil on 188.241.86.33
- http://blog.dynamoo.com/2013/05/something-evil-on-1882418633.html
13 May 2013 - "188.241.86.33 (Megahost, Romania) is a malware server currently involved in injection attacks, serving up the Blackhole exploit kit, Zbot and a side order of Cdorked [1] [2]. This IP hosts a variety of domains, some of which are purely malicious, some of which are hijacked subdomains of legitimate ones. Blocking the IP address is the easiest approach..."
(More detail at the dynamoo URL above.)

1) http://urlquery.net/search.php?q=188.241.86.33&type=string&start=2013-04-28&end=2013-05-13&max=50

2) https://www.virustotal.com/en/ip-address/188.241.86.33/information/
___

Browser extension hijacks Facebook profiles
- https://blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx?Redirected=true
10 May 2013 - "We have received reports about a wave of malicious browser extensions trying to hijack Facebook profiles. This threat was first discovered in Brazil. We detect it as Trojan:JS/Febipos.A. The malware is a malicious browser extension specifically targeting Chrome and Mozilla Firefox..."
- http://h-online.com/-1861398
13 May 2013 - "... The trojan extensions themselves monitor users' browser activity to see if they are logged into Facebook and then retrieve a configuration file from a site, disguised as a .php file, which contains commands for the extension. The extension is able to like pages, share pages, post, join groups, invite friends to groups, chat to friends or comment on posts... Microsoft recommends that users review their installed extensions..."
___

Fake BoA Paymentech Malicious Word Doc Attachment Spam
- http://threattrack.tumblr.com/post/50349361323/bank-of-america-paymentech-malicious-word-doc
13 May 2013 - "Subjects Seen:
   BOA Merchant Statement
Typical e-mail details:
    Attached (DOC|WORD file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
    If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
    PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Bank of America Paymentech.
    Bank of America Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Bank of America Paymentech’s or the Merchant’s email service or otherwise. Bank of America Paymentech recommends that Merchants continue to monitor their statement information regularly.


Spam contains malicious attachment.

Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/e97f4b74fb8abec483dfd265ee12678f/tumblr_inline_mmqx7bdxu51qz4rgp.png
___

Malicious Citibank Secure Message Spam
- http://threattrack.tumblr.com/post/50357500910/malicious-citibank-secure-message-spam
13 May 2013 - "Subjects Seen:
   You have received a secure message
Typical e-mail details:
   Read your secure message by opening the attachment, securedoc.html You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
    First time users - will need to register after opening the attachment.
    About Email Encryption - citi .com/citi/citizen/privacy/email.htm


Malicious URLs
    mail.yaklasim .com:8080/forum/viewtopic.php
    116.122.158.195 :8080/forum/viewtopic.php
    vulcantire .net/forum/viewtopic.php
    westautorepair .com/forum/viewtopic.php
    metroimport-tires .com/forum/viewtopic.php
    iis1.ontera .net/AUWY5Z.exe


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/a56d101a2242f408aec441042ef617f2/tumblr_inline_mmr3owXmUI1qz4rgp.png
___

Fake AMEX SPAM / SecureMail.zip
- http://blog.dynamoo.com/2013/05/confidential-secure-message-from-amex.html
13 May 2013 - "This fake Amex email has a malicious attachment:
    Date:      Tue, 14 May 2013 01:34:36 +0600 [15:34:36 EDT]
    From:      American Express [Jarvis_Randall @aexp .com]
    Subject:      Confidential - Secure Message from AMEX   
    Secure Message
    The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.
    Note: The attached file contains encrypted data.
    If you have any questions, please call us at 800-748-8515, option 0. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
    The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
    Thank you,
    American Express
    2012 American Express Company. All rights reserved.


There is an attachment SecureMail.zip which in turn contains an executable file SecureMail .exe which has an icon designed to look like a PDF file. VirusTotal results for the malware are just 15/46*. Comodo CAMAS** reports the following characteristics and also a connection to a known malware C&C server mail.yaklasim .com on 212.58.4.13 (DorukNet, Turkey).
Size   137216
MD5   20de8bad8bf8279e4084e9db461bd140
SHA1   caacc00d68f41dad9b1abb02f9e243911f897852
SHA256   18e2fc0b9386cadc31fb15cb38d9fa5d274f42b8127b349a14c962329b691ee7
The ThreatTrack report*** also shows a connection to 212.58.4.13 as well as 62.233.104.156 (IOMART, UK) and several other IPs that may form part of a botnet. Blocking EXE-in-ZIP files at the perimeter is a good move if you can do it.
Blocklist:
mail.yaklasim .com
212.58.4.13
62.233.104.156
..."
* https://www.virustotal.com/en/file/18e2fc0b9386cadc31fb15cb38d9fa5d274f42b8127b349a14c962329b691ee7/analysis/1368476716/
File name: SecureMail.exe
Detection ratio: 15/46
Analysis date:    2013-05-13

** http://camas.comodo.com/cgi-bin/submit?file=18e2fc0b9386cadc31fb15cb38d9fa5d274f42b8127b349a14c962329b691ee7

*** http://www.dynamoo.com/files/analysis_30572_20de8bad8bf8279e4084e9db461bd140.pdf

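The blocklists in the posts above are written with a space before the TLD or the port ("mail.yaklasim .com", "116.122.158.195 :8080") so the forum does not turn them into live links. The following is an added example, not code from the post or from dynamoo.com, that refangs indicators in that form and checks proxy log lines against them. The log format and the sample lines are constructed for the example; the indicator list is a hand-picked subset of the ones quoted above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as they appear in the posts above, in the forum's defanged form.
DEFANGED_IOCS = [
    "188.241.86.33",
    "mail.yaklasim .com:8080/forum/viewtopic.php",
    "116.122.158.195 :8080/forum/viewtopic.php",
    "vulcantire .net/forum/viewtopic.php",
    "iis1.ontera .net/AUWY5Z.exe",
    "212.58.4.13",
    "62.233.104.156",
]


def refang(indicator: str) -> str:
    """Remove the defanging space before '.' or ':' ('a.b .com' -> 'a.b.com')."""
    return re.sub(r"\s+(?=[.:])", "", indicator.strip())


def build_sets(indicators):
    """Split indicators into bare IPs, hostnames, and exact (host, path) pairs."""
    ips, hosts, urls = set(), set(), set()
    for ind in indicators:
        parts = urlsplit("//" + refang(ind))   # '//' makes urlsplit parse a netloc
        host = (parts.hostname or "").lower()
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            hosts.add(host)
        if parts.path:
            urls.add((host, parts.path))
    return ips, hosts, urls


def host_matches(host, hosts):
    """True for the indicator domain itself or any subdomain of it."""
    return any(host == h or host.endswith("." + h) for h in hosts)


def scan_log(lines, ips, hosts, urls):
    """Return (line_no, client_ip, reasons) for log lines that touch an indicator.

    Assumed (constructed) log format:  <unix_ts> <client_ip> <method> <url> <status>
    Paths are only matched together with their host: /forum/viewtopic.php is
    phpBB's normal topic URL, so the path alone would flag every phpBB board.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        reasons = []
        if host in ips:
            reasons.append("ip:" + host)
        elif host_matches(host, hosts):
            reasons.append("domain:" + host)
        if (host, parts.path) in urls:
            reasons.append("url:" + parts.path)
        if reasons:
            hits.append((n, client, reasons))
    return hits


# Constructed sample log: line 5 is a legitimate phpBB board and must not hit.
SAMPLE_LOG = [
    "1368500001 10.0.0.5 GET http://www.example.com/index.html 200",
    "1368500002 10.0.0.7 GET http://vulcantire.net/forum/viewtopic.php 200",
    "1368500003 10.0.0.9 GET http://mail.yaklasim.com:8080/forum/viewtopic.php 200",
    "1368500004 10.0.0.5 GET http://188.241.86.33/some/path.php 200",
    "1368500005 10.0.0.8 GET http://myboard.example.org/forum/viewtopic.php?t=12 200",
    "1368500006 10.0.0.3 GET http://iis1.ontera.net/AUWY5Z.exe 200",
]

if __name__ == "__main__":
    ips, hosts, urls = build_sets(DEFANGED_IOCS)
    for n, client, reasons in scan_log(SAMPLE_LOG, ips, hosts, urls):
        print(f"line {n}: {client} -> {', '.join(reasons)}")
```

Matching on the bare IP catches every hijacked subdomain parked on the malware server (the dynamoo post notes the IP hosts both purely malicious and hijacked legitimate domains), which is why the post recommends blocking the address rather than the names.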

 82 
 on: May 13, 2013, 02:29:08  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

malspam, iframe, typosquatting, malvertising domains
- http://www.malwaredomains.com/?p=3204
May 10th, 2013 - "... 98 rogue, malspam, typosquatting, malvertising domains. Sources: isc.sans.edu, blog.dynamoo.com, urlquery.net, blog.sucuri.net..."


 83 
 on: May 10, 2013, 03:54:50  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Malicious Facebook Friend Notification Spam
- http://threattrack.tumblr.com/post/50026329673/malicious-facebook-friend-notification-spam
9 May 2013 - "Subjects Seen:
   [removed] wants to be friends on Facebook
Typical e-mail details:
    [removed] wants to be friends with you on Facebook Facebook.

Malicious URLs
    web.jen-pages .de/fbreq.html
    job.bgita .ru/fbreq.html
    yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?jnlp=7ad5b52a64
    yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?zvvsj=edwwqnl&wit=tjm
    yup.mumbailocaltraintimetable .net/ensure/specified_drop_similarly.php?mf=1i:1f:32:33:2v&le=1m:2v:31:1k:2w:1k:1h:2v:1l:1j&u=1f&yj=i&cp=j&jopa=5216591


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/36bb654b369128a847231d5b86b7c58e/tumblr_inline_mmjo2ooht71qz4rgp.png
___

Something evil on 151.248.123.170, Part IV
- http://blog.dynamoo.com/2013/05/something-evil-on-151248123170-part-iv.html
10 May 2013 - "Here are some additional malicious domains from a very evil malware server on 151.248.123.170 (Reg.ru, Russia)... you can download a full list of everything that I can find here** [.txt]. This server is currently being used as the payload for injection attacks. Blocking the IP address is the obvious solution, or you could block the Dynamic DNS domains listed here*..."
* http://blog.dynamoo.com/2013/05/something-evil-on-151248123170-part-iii.html

** http://www.dynamoo.com/files/151-248-123-170.txt
___

USAA Credentials Phish
- http://threattrack.tumblr.com/post/50108697070/usaa-credentials-phish
10 May 2013 - "Subjects Seen:
   Important Message From Usaa
Typical e-mail details:
    Dear Valued Customer,
    We have created new dedicated security servers to keep all our
    online banking customers account safe and secure. This is server
    has been tested,now we are asking all our online banking customers
    to register for the new security server to keep them safe.
    To register for this new security server quickly click on the button
    below to complete registration immediately.
    Click Here To Register
    We hope you find our Internet Banking service easy and convenient to use.
    Yours sincerely
    USAA,
    Digital Banking Director


Malicious URLs
    sehyup .com/08_dev/board/file/bbs_notice/vi.htm
    philanthropyexpert .org/ass/index.html


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/f7ea6a1ae0534f4394386635bb0eb294/tumblr_inline_mmln1qLK0n1qz4rgp.png
___

Phone phish ...
- https://www.ic3.gov/media/2013/130508.aspx
May 08, 2013 - "The Internet Crime Complaint Center has received numerous reports of phishing attacks targeting various telecommunication companies' customers. Individuals receive automated telephone calls that claim to be from the victim's telecommunication carrier. Victims are directed to a phishing site to receive a credit, discount, or prize ranging from $300 to $500. The phishing site is a replica of one of the telecommunication carrier's sites and requests the victims' log-in credentials and the last four digits of their Social Security numbers. Once victims enter their information, they are -redirected- to the telecommunication carrier’s actual website. The subject then makes changes to the customer's account.
The IC3 urges the public to be cautious of unsolicited telephone calls, e-mails and text messages, especially those promising some type of compensation for supplying account information. If you receive such an offer, verify it with the business associated with your account before supplying any information. Use the information supplied on your account statement to contact the business."


 84 
 on: May 10, 2013, 02:15:23  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Cdorked.A malware redirection spreads ...
- https://atlas.arbor.net/briefs/index#-69874705
May 09, 2013 - "The previously reported Cdorked / Darkleech attack campaign, previously observed affecting Apache servers, has been observed to infect other webservers. The attack has been associated with the delivery of malware.
Analysis: Nginx and Lighttpd have also been seen to be infected as part of this campaign. Original exploitation vectors are not yet well known but past experience suggests that weak passwords and vulnerable web applications could be likely vectors.
ESET offer a tool to detect in-memory traces of this malware - please see: http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.c
Source: http://www.theregister.co.uk/2013/05/08/cdorked_latest_details/

- http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/
7 May 2013 - "... We have observed more than 400 webservers infected with Linux/Cdorked.A. Out of these, 50 are ranked in Alexa’s top 100,000 most popular websites... In a typical attack scenario, victims are redirected to a malicious web server hosting a Blackhole exploit kit. We have discovered that this malicious infrastructure uses compromised DNS servers, something that is out of the ordinary... one point needs to be clear about Linux/Cdorked.A. We still don’t know for sure how this malicious software was deployed on the web servers. We believe the infection vector is not unique. It cannot be attributed solely to installations of cPanel because only a fraction of the infected servers are using this management software. One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software. Linux/Cdorked.A is a backdoor, used by the malicious actor to serve malicious content from legitimate websites... we recommend keeping browsers, browser extensions, operating systems, and third party software like Java, PDF readers and Flash players fully up-to-date to avoid being infected by this on-going campaign. Use of an antivirus program is also recommended..."


 85 
 on: May 09, 2013, 13:41:22  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Name.com hacked...
- https://www.computerworld.com/s/article/9239050/Name.com_forces_customers_to_reset_passwords_following_security_breach
May 9, 2013 - "Domain registrar Name.com forced its customers to reset their account passwords on Wednesday following a security breach on the company's servers that might have resulted in customer information being compromised. Hackers might have gained access to usernames, email addresses, encrypted passwords as well as encrypted credit card information, the company said in an email message sent to customers that was later posted online by users. The credit card information was encrypted with private keys stored in a separate location that wasn't compromised, Name.com said in the email. The company did not specify the type of encryption used, but referred to it as being "strong." The alert email instructed recipients to click on a link in order to perform a password reset, a method that was criticized by some users and security researchers, because it resembles that used in phishing attacks... A hacker group called Hack the Planet (HTP) claimed earlier this week that they compromised Name.com in their attempt to hack into Linode, a virtual private server hosting firm. In a recently published "hacker zine," HTP said that they managed to acquire the domain login for Linode, as well as for Stack Overflow, DeviantArt and others from Name.com. Name.com did not immediately respond to an inquiry seeking confirmation of HTP's claims and other information about the attack..."

- http://www.welivesecurity.com/2013/05/09/name-com-warns-customers-and-resets-passwords-after-breach/
9 May 2013


 86 
 on: May 09, 2013, 11:07:42  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms13-may
May 09, 2013 - "This is an advance notification of security bulletins that Microsoft is intending to release on May 14, 2013...
(Total of -10-)

Bulletin 1 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 2 - Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Bulletin 3 - Important - Denial of Service - Requires restart - Microsoft Windows
Bulletin 4 - Important - Spoofing - May require restart - Microsoft Windows, .NET Framework
Bulletin 5 - Important - Remote Code Execution - May require restart - Microsoft Lync
Bulletin 6 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 7 - Important - Remote Code Execution - May require restart - Microsoft Office
Bulletin 8 - Important - Information Disclosure - May require restart - Microsoft Office
Bulletin 9 - Important - Information Disclosure - May require restart - Microsoft Windows Essentials
Bulletin 10 - Important - Elevation of Privilege - Requires restart - Microsoft Windows
___

- https://blogs.technet.com/b/msrc/archive/2013/05/08/advance-notification-service-for-the-may-2013-security-bulletin-release.aspx?Redirected=true
9 May 2013 - "... 10 bulletins for release on Tuesday, May 14, 2013. This release brings two Critical and eight Important-class bulletins, which address -34- unique vulnerabilities..."


 87 
 on: May 09, 2013, 07:12:46  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

- https://tools.cisco.com/security/center/publicationListing.x

Cisco Prime Data Center Network Manager Remote Command Execution Vuln
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121031-dcnm
Last Updated: 2013 May 8 Revision 2.0 - "Summary: Cisco Prime Data Center Network Manager (DCNM) contains a remote command execution vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the computer that is running the Cisco Prime DCNM application. Cisco has released free software updates that address this vulnerability...
- Revision 2.0 - 2013-May-08 - Updated advisory to indicate that the DCNM LAN server component of DCNM is also affected by this vulnerability. Added corresponding Cisco bug ID CSCua31204 and updated fixed software..."

Multiple Vulnerabilities in Cisco Unified Customer Voice Portal Software
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130508-cvp
2013 May 8 Revision 1.0 - "Summary: Cisco Unified Customer Voice Portal Software (Unified CVP) contains multiple vulnerabilities. Various components of Cisco Unified CVP are affected; see the "Details" section for more information on the vulnerabilities. These vulnerabilities can be exploited independently; however, more than one vulnerability could be exploited on the same device. Cisco has released free software updates that address these vulnerabilities..."


 88 
 on: May 09, 2013, 06:51:15  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

PHP 5.4.15, 5.3.25 released
- http://php.net/archive/2013.php#id2013-05-09-1
09-May-2013 - "The PHP development team announces the immediate availability of PHP 5.4.15 and PHP 5.3.25. These releases fix about 10 bugs as well as upgrading the bundled libmagic library. All users of PHP are encouraged to upgrade to PHP 5.4.15..."

ChangeLog
- http://www.php.net/ChangeLog-5.php

- http://php.net/downloads.php

- http://windows.php.net/download/


 89 
 on: May 09, 2013, 06:00:19  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

0-day ColdFusion critical vulnerability - https://isc.sans.edu/diary.html?storyid=15770
- https://www.adobe.com/support/security/advisories/apsa13-03.html
May 8, 2013
CVE number: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3336
Summary: Adobe has identified a critical vulnerability affecting ColdFusion 10, 9.0.2, 9.0.1 and 9.0 and earlier versions for Windows, Macintosh and UNIX. This vulnerability (CVE-2013-3336) could permit an unauthorized user to remotely retrieve files stored on the server.
There are reports that an exploit for this vulnerability is publicly available.  ColdFusion customers who have restricted public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories (as outlined in the ColdFusion 9 Lockdown Guide* and ColdFusion 10 Lockdown Guide**) are already mitigated against this issue. Customers who have not already applied these steps can protect themselves from CVE-2013-3336 by implementing the following configuration settings:
- Restrict public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories by following the hardening guidance in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide**
We are in the process of finalizing a fix for this issue and expect a hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX to be available on May 14, 2013...
* http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf

** http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/CF10%20Lockdown%20Guide.pdf

Revisions - May 9, 2013: Revised to clarify the CFIDE/gettingstarted directory is only applicable to ColdFusion version 8.x and earlier.

- http://atlas.arbor.net/briefs/index#366717635
Severity: High Severity
May 09, 2013 17:23
"... being exploited in the wild..."
___

Prenotification Security Advisory for Adobe Reader and Acrobat
- https://www.adobe.com/support/security/bulletins/apsb13-15.html
May 9, 2013 - "Summary: Adobe is planning to release security updates on Tuesday, May 14, 2013 for Adobe Reader and Acrobat..."

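Adobe's interim mitigation is to keep the public away from the three CFIDE directories. The following is an added example, not Adobe's code or anything from the lockdown guides, that audits Apache combined-format access log lines for requests to those directories from outside an assumed management network and reports whether the server refused them. The 10.10.0.0/24 allowlist and the log lines are constructed for the example.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Directories Adobe's advisory says to restrict. CFIDE/gettingstarted only
# exists on ColdFusion 8.x and earlier, per the advisory's May 9 revision.
RESTRICTED_PREFIXES = ("/cfide/administrator", "/cfide/adminapi", "/cfide/gettingstarted")

# Assumed management network allowed to reach the admin console (placeholder).
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Apache "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def normalize_path(target: str) -> str:
    """Strip the query, decode %xx, collapse '/../' and '//', lowercase.

    Someone probing for an exposed console will try encodings, doubled slashes
    and traversal, so compare the normalized form rather than the raw request.
    """
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(path).lower()


def is_admin_source(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETS)


def audit(lines):
    """Return (line_no, verdict, client_ip, path) for non-admin hits on a restricted path.

    verdict is 'blocked' when the server refused the request (401/403/404) and
    'EXPOSED' when it served it, meaning the lockdown is not in place.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m.group("target"))
        if not path.startswith(RESTRICTED_PREFIXES):
            continue
        if is_admin_source(m.group("ip")):
            continue
        status = int(m.group("status"))
        verdict = "blocked" if status in (401, 403, 404) else "EXPOSED"
        findings.append((n, verdict, m.group("ip"), path))
    return findings


# Constructed sample log. Line 4 is from the management network; lines 5 and 6
# use traversal and percent-encoding to reach the same directories.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/May/2013:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/May/2013:10:01:05 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 8311 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [09/May/2013:10:02:10 +0000] "GET /CFIDE/adminapi/base.cfc?method=login HTTP/1.1" 403 212 "-" "curl/7.29"',
    '10.10.0.15 - - [09/May/2013:10:03:00 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 8311 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [09/May/2013:10:04:44 +0000] "GET /cfide/scripts/../Administrator/enter.cfm HTTP/1.1" 200 4096 "-" "curl/7.29"',
    '198.51.100.9 - - [09/May/2013:10:05:01 +0000] "GET /%43FIDE/adminapi/ HTTP/1.1" 200 1024 "-" "curl/7.29"',
]

if __name__ == "__main__":
    for n, verdict, ip, path in audit(SAMPLE_LOG):
        print(f"line {n}: {verdict} {ip} -> {path}")
```

A 200 on /CFIDE/administrator/ from an outside address is the finding to act on before the hotfix lands; a 403 there only proves the front-end restriction is working for that path, so run the audit again after any change to the web server or connector configuration.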

 90 
 on: May 09, 2013, 05:16:26  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Citibank SPAM / Statement ID 64775-4985.doc
- http://blog.dynamoo.com/2013/05/citibank-spam-statement-id-64775-4985doc.html
9 May 2013 - "This fake Citibank spam contains a malicious Word document that leads to malware.
   Date:      Thu, 9 May 2013 01:22:21 +0200 [05/08/13 19:22:21 EDT]
    From:      CITIBANK [noreply @citybank .com]
    Subject:      Merchant Statement
    Enclosed DOC is your Citibank Paymentech electronic Merchant Billing Statement. If you need help, please contact your Account Executive or call Merchant Services at the telephone number listed on your statement. PLEASE DO NOT RESPOND BY USING REPLY. This email is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech. Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly. ---------- Learn more about Citibank Paymentech Solutions, LLC payment processing services at Citibank. ---------- THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer.


The attached document Statement ID 64775-4985.doc contains an exploit (analysis pending) with a VirusTotal detection rate of just 10/46*. It appears to exploit a flaw in the RTF converter... making sure that your copy of Microsoft Office is up-to-date and fully patched will help to mitigate against this sort of threat."
* https://www.virustotal.com/en/file/2cf2fbe92004b98b8dd5ff4631787dcf8241723020f1216b89a1a706addf9347/analysis/
File name: Statement ID 64775-4985.doc
Detection ratio: 10/46
Analysis date:    2013-05-09

Update: another version is using the filename Statement ID 4657-345-347-0332.doc. It looks like it is exploiting CVE-2012-0158* aka MS12-027.
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158 - 9.3 (HIGH)
Last revised: 03/07/2013
___

Fake Traffic Ticket serves malware
- http://blog.webroot.com/2013/05/09/cybercriminals-impersonate-new-york-states-department-of-motor-vehicles-dmv-serve-malware/
9 May 2013 - "Cybercriminals are currently spamvertising tens of thousands of -bogus- emails impersonating New York State’s Department of Motor Vehicles (DMV) in an attempt to trick users into thinking they’ve received a uniform traffic ticket, that they should open, print and send to their town’s court. In reality, once users open and execute the malicious attachment, their PCs will automatically join the botnet operated by the cybercriminal/cybercriminals behind the campaign...
Sample screenshot of the spamvertised email:
> https://webrootblog.files.wordpress.com/2013/05/new_york_state_dmv_uniform_traffic_ticket_fake_email_spam_malware_malicious_software_social_engineering.png?w=423&h=290
Detection rate for the malicious executable: MD5: 247c67cb99922fd4d0e2ca5d6976fc29 * ... Trojan-Spy.Win32.Zbot.lhim..."
(More detail available at the webroot URL above.)
* https://www.virustotal.com/en/file/dae8aa7d95823779ae29f74571f42bf70bbb1e3a294842470c9f75f757ca43b1/analysis/
File name: Unihl.exe
Detection ratio: 30/45
Analysis date:    2013-05-08


Powered by SMF 1.1.18 | SMF © 2013, Simple Machines