FYI...Fake Citibank Commercial Form email – PDF malware
11 July 2014 - "FW: Important – Commercial Form is another one from the current zbot runs
which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:Commercial Banking Form
To: < redacted >
Please scan attached document and fax it to +1 800-285-5021 .
All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record. Not yet filing your accounts online? See how easy it is… For enquiries, please telephone the Service Desk on +1 800-285-6575 or email enquiries@ citibank .com. This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message. .
Leanne Davis Commercial Banking Citibank N.A Leanne.Davis@ citibank .com
Copyright © 2014 Citigroup Inc.
11 July 2014: C1293101.zip (9kb): Extracts to C100714.scr
Current Virus total detections: 0/53 * . This FW: Important – Commercial Form is another one of the spoofed icon files
that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
___A cunning way to deliver malware
July 11, 2014 - "Potentially unwanted programs, also known as PUPs, continue to be a real nuisance. A recent blog post by Will Dormann on CERT.org* shows the prevalence of such applications lurking on every corner of the web: search engines results, software portals, popups, ads, etc... Here is an example of an unwanted warning pushed as a pop-up:
... The following page shows that our browser (Internet Explorer) may be out of date and urges us to download a program to check for outdated software.
It is worth noting that this webpage was totally unsolicited and is in fact very misleading... In other words, the program they want you to download bundles other applications, something we know all too well. Attempting to close the page brings up yet another warning:
We could argue with advertisers that these practices are not okay until we are blue in the face. But here’s the catch with this one: while the page is saying our system could be at risk we are silently being infected with a drive-by download
... two malware payloads are subsequently dropped (#1, #2) detected as Spyware.Zbot.VXGen... We have reported this incident to Akamai’s Abuse department so that they can take immediate action against these bad actors."
7/07/2014 - "... depending on what the application is, where you downloaded it from, and how carefully you paid attention to the installation process, you could have some extra goodies that came along for the ride. You might have components referred to as adware, foistware, scareware, potentially unwanted programs (PUPs), or worse
. Sure, these may be annoyances, but there's an even more important security aspect to these types of applications: attack surface
___Fake 'E-ZPass Unpaid Toll' SPAM - links to Malware
July 11, 2014 - "Email purporting to be from US toll collection system E-ZPass claims that the recipient has not paid for driving on a toll road and should click a link to download an invoice... The email is -not- from E-ZPass. It is a criminal ruse designed to trick you into downloading malware
... If you receive this message, do -not- click any links or open -any- attachments that it contains..."
9 July 2014 - E-ZPass themed emails lead to Asprox
___GameOver Zeus mutates - launches Attacks
July 10, 2014 - "... -new- trojan based heavily on the GameOver Zeus
binary. It was distributed as the attachment to three spam email templates, utilizing the simplest method of infection through which this trojan is deployed... we saw spam messages claiming to be from NatWest
... we saw spam messages with the subject “Essentra PastDue” like these:
... The longest lasting of the spam campaigns was imitating M&T Bank, with a subject of “E100 MTB ACH Monitor Event Notification. That campaign is still ongoing as of this writing.
The three spam campaigns each had a .zip attachment. Each of these contained the same file in the form of a “.scr” file with the hash:
At this timestamp (1600 Central time, 7 hours after we first noticed the spam campaign) the detection rate at VirusTotal is 10/54:
Once the attachment was opened and the malware payload executed, the malware began to make attempts to contact certain websites in accordance with a domain generation algorithm. The goal of these contact attempts is to make contact with a server that can in turn provide instructions to the malware. Many sandboxes would have failed to launch the malware, as the presence of VMWare Tools will stop the malware from executing. Other sandboxes would not have noticed the successful connection
, because the malware took between 6 and 10 minutes to randomly generate the single domain name that was used successfully to launch the new Zeus trojan and download the bank information “webinject” files from the server. The Domain Generation Algorithm is a method for a criminal to regain access to his botnet. Based on the current date, random-looking domain names are calculated and the malware reaches out via the Internet to see if that domain exists... Malcovery analysts confirmed with the FBI and Dell Secure Works that the original GameOver Zeus is still "locked down". This new DGA list is not related to the original GameOver Zeus but bears a striking resemblance to the DGA utilized by that trojan. In addition to a new DGA, the malware seems to have traded its Peer to Peer Infrastructure for a new Fast Flux hosted C&C strategy
... This discovery indicates that the criminals responsible for GameOver’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history..."
13 June 2014
___SCAMS: Free Movies - Reel Deal?
July 11, 2014 - "... We often see Netflix themed sites used as a -bait-
so this one immediately caught our eye... The end user is presented with a number of surveys and offers, one of which has to be completed to obtain the “free account”. They lead to a variety of places:
We tried to “unlock” the supposed text file to see what happened next, by installing two separate offers – a “TV toolbar” and a “We love games community toolbar”.
In both cases, nothing was unlocked and we saw no evidence of text files. What we did have, were two potentially unwanted programs
which a regular user would only have installed to get the text file in the first place. You’re better off avoiding sites which promise “free” signups to websites and services, and buying directly from the real thing. More often than not, you can never be sure if what you’re receiving is legit or will be shut down by the service provider. And of course, in many cases what you’ll be getting your hands on after signing up to offers or downloading programs will be little more than thin air..."