News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
81 - on: September 20, 2014, 04:54:51
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

MS14-046: Description of the security update for the .NET Framework 3.5
on Windows 8 and Windows Server 2012: Aug 12, 2014
* https://support.microsoft.com/kb/2966827
Last Review: Sep 19, 2014 - Rev: 3.0
 
Bulletin Information:
MS14-046 - Important
- https://technet.microsoft.com/library/security/ms14-046
  - Reason for Revision: V1.2 (Sep 19, 2014): Bulletin
    revised with a change to the 'Known Issues' entry in the Knowledge
    Base Article section from "None" to "Yes".
  - Originally posted: August 12, 2014
  - Updated: September 19, 2014
  - Bulletin Severity Rating: Important
  - Version: 1.2
___
 
Enabling the Microsoft .NET Framework 3.5 optional Windows feature on Windows 8
and Windows Server 2012 may -fail- after you install security update 2966827
- https://support.microsoft.com/kb/3002547
Last Review: Sep 19, 2014 - Rev: 2.0

82 - on: September 19, 2014, 09:10:47
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

PHP 5.5.17, 5.4.33 released

- http://php.net/archive/2014.php#id2014-09-18-1
18 Sep 2014 - "... immediate availability of PHP 5.5.17. Several bugs were fixed in this release. All PHP 5.5 users are encouraged to upgrade to this version..."

ChangeLog: http://www.php.net/ChangeLog-5.php#5.5.17
___

- http://php.net/archive/2014.php#id2014-09-18-2
18 Sep 2014 - "... immediate availability of PHP 5.4.33. -10- bugs were fixed in this release. All PHP 5.4 users are encouraged to upgrade to this version. This release is the -last- planned release that contains regular bugfixes. All the consequent releases will contain only security-relevant fixes, for the term of one year. PHP 5.4 users that need further bugfixes are encouraged to upgrade to PHP 5.6 or PHP 5.5..."

ChangeLog: http://www.php.net/ChangeLog-5.php#5.4.33

Downloads:
- http://php.net/downloads.php

- http://windows.php.net/download/

83 - on: September 19, 2014, 04:17:13
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake 'voice mail' SPAM ...
- http://blog.dynamoo.com/2014/09/this-fake-voice-mail-message-leads-to.html
19 Sep 2014 - "This -fake- voice mail message leads to malware:
   From:     Microsoft Outlook [no-reply@ victimdomain .com]
    Date:     19 September 2014 11:59
    Subject:     You have received a voice mail
    You received a voice mail : VOICE976-588-6749.wav (25 KB)
    Caller-Id: 976-588-6749
    Message-Id: D566Y5
    Email-Id: <REDACTED>
    Download and extract to listen the message.
    We have uploaded voicemail report on dropbox, please use the following link to download your file...
    Sent by Microsoft Exchange Server


The link in the email messages goes to www .prolococapena .com/yckzpntfyl/mahlqhltkh.html first and then downloads a file from www .prolococapena .com/yckzpntfyl/Invoice102740_448129486142_pdf.zip which contains exactly the -same- malicious executable being pushed in this earlier spam run*."
* http://blog.dynamoo.com/2014/09/natwest-statement-spam-yet-again.html
19 Sep 2014 - "... shows network activity to hallerindia .com on 192.185.97.223. I would suggest that this is a good domain to -block- ..."
Screenshot: https://2.bp.blogspot.com/-Oo5Lnrowt70/VBwJo-dVgRI/AAAAAAAAFpY/TzfWXXSEP88/s1600/natwest.png

192.185.97.223: https://www.virustotal.com/en/ip-address/192.185.97.223/information/

- http://myonlinesecurity.co.uk/natwest-statement-fake-pdf-malware/
19 Sep 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/nat-west-statement.png
Current Virus total detections: 1/54*
* https://www.virustotal.com/en/file/a56ef62b4154849c04b28dd78ff2d4d383c98eb7e38785c10e9b58932f3dc0ca/analysis/1411120481/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake 'Police Suspect' SPAM - PDF malware
- http://myonlinesecurity.co.uk/city-london-police-homicide-suspect-fake-pdf-malware
19 Sep 2014 - "'City of London Police Homicide Suspect' pretending to come from City of London Police is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
   Bulletin Headline: HOMICIDE SUSPECT
    Sending Agency: London City Police
    Sending Location: GB – London – London City Police
    Bulletin Case#: 14-62597
    Bulletin Author: BARILLAS #1169
    Sending User #: 92856
    APBnet Version: 684593
    The bulletin is a pdf attachment to this email.
    The Adobe Reader (from Adobe .com) will display and print the bulletin best.
    You can Not reply to the bulletin by clicking on the Reply button in your email software.


Of course it is -fake- and -not- from any Police force or Police service in UK or worldwide.
19 September 2014: Homicide-case#15808_pdf.zip : Extracts to:   Homicide-case#15808_pdf.exe
Current Virus total detections: 4/55* . This 'City of London Police Homicide Suspect' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ae7f419e0093fd2d4892ea6920aaa2c12c95cede9c97cb0a1f096496d4ff93ea/analysis/1411120670/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
192.185.97.223: https://www.virustotal.com/en/ip-address/192.185.97.223/information/
___

Fake 'Courier Svc' SPAM - PDF malware
- http://myonlinesecurity.co.uk/tnt-courier-service-tnt-uk-limited-package-tracking-fake-pdf-malware/
19 Sep 2014 - "'TNT UK Limited Package tracking' pretending to come from TNT COURIER SERVICE <tracking@tnt.co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    TNT COURIER SERVICE (TCS)
    Customer/Delivery Services Department
    Central Pk Est/Mosley Rd, Trafford Park
    Manchester, M17 1TT UK.
    DETAILS OF PACKAGE
    Reg order no: 460911612900
    Your package have been picked up and is ready for dispatch.
    Connote #           :               460911612900
    Service Type      :               Export Non Documents – Intl
    Shipped on         :               18 Sep 14 12:00
    Order No                    :       4240629
    Status          :       Driver’s Return
    Description     :      Wrong Address
    Service Options: You are required to select a service option below.
    The options, together with their associated conditions.
    Please check attachment to view information about the sender and package.


19 September 2014: Label_GB1909201488725UK_pdf.zip: Extracts to: Label_GB1909201488725UK_pdf.exe
Current Virus total detections: 5/55* . This 'TNT UK Limited Package tracking' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/ae7f419e0093fd2d4892ea6920aaa2c12c95cede9c97cb0a1f096496d4ff93ea/analysis/1411121703/
... Behavioural information
DNS requests
hallerindia .com (192.185.97.223)
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
192.185.97.223: https://www.virustotal.com/en/ip-address/192.185.97.223/information/
___

Bitcoin Ponzi scheme ...
- http://www.reuters.com/article/2014/09/19/us-sec-bitcoin-fraud-idUSKBN0HE1Z820140919
Sep 19, 2014 - "A U.S. federal judge in Texas ordered Bitcoin Savings and Trust and its owner to pay a combined $40.7 million after the Securities and Exchange Commission established that the company, which sold investments using the virtual currency, was a Ponzi scheme. In a decision dated Thursday, U.S. Magistrate Judge Amos Mazzant said Trendon Shavers "knowingly and intentionally" operated his company "as a sham and a Ponzi scheme," misleading investors about the use of their bitcoin, how he would generate promised returns and the safety of their investments... The SEC said Shavers used the online moniker "pirateat40" to raise more than 732,000 bitcoin from February 2011 to August 2012, promising investors up to 7 percent in weekly interest to be paid based on his ability to trade the currency. But according to the decision, Shavers used new bitcoin to repay earlier investors, diverted some to personal accounts at the now-bankrupt Mt. Gox exchange and elsewhere, and spent some investor funds on rent, food, shopping and casino visits..."
___

Apple Phish ...
- https://isc.sans.edu/diary.html?storyid=18669
2014-09-18 23:58:53 UTC - "... this in this morning:
Dear Client,
We inform you that your account is about to expire in less 48 hours, it's imperative to update your information with our audit forms, otherwise your session and/or account will be a limited access.
just click the link below and follow the steps our request form
Update now...
This is an automatically generated message. Thank you not to answer.  If you need help, please visit the Apple Support.
Apple Client Support.


A variation on the -many- phishing emails we see regularly, just taking advantage of two public events, the celebrity photos and the release of the new phone. Maybe a reminder to staff as well as friends and family to -ignore- emails that say "click here" ..."
___

Hack the ad network like a boss...
- https://www.virusbtn.com/blog/2014/08_15.xml
4 Sep 2014 - "... Exploit kits have been the scourge of the web for many years. Typically starting with a single line of inserted code, they probe for a number of vulnerabilities in the browser or its plug-ins and use this to drop malware onto the victim's machine. Given the high proportion of Internet users that haven't fully patched their systems, it is a successful way to spread malware.
> https://www.virusbtn.com/images/news/general_malicious_ads.png
... in order for exploit kits to do their work, a vulnerable website must first be infected, or the user must be enticed into clicking a malicious link. But by purchasing ad space, and using this to place malicious ads, attackers have discovered a cheap and effective way to get their malicious code to run inside the browser of many users. They can even tailor their advertisements to target specific languages, regions or even website subjects... We learned last month that this is a serious problem - when researchers found that cybercriminals had purchased advertising space on Yahoo in order to serve the 'Cryptowall' ransomware.
> https://www.virusbtn.com/images/news/youtube_malicious_ads.png
Ideally... advertising networks would block malicious ads as they are added to their systems... this is easier said than done: given the size of such networks, it would take a lot of time and resources - plus, technically, it's difficult to block most malicious ads without a certain percentage of false positives..."

84 - on: September 19, 2014, 03:25:09
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Home Depot breach - 56 million cards ...
- http://www.reuters.com/article/2014/09/18/us-home-depot-dataprotection-idUSKBN0HD2J420140918
Sep 18, 2014 - "Home Depot Inc Thursday said some 56 million payment cards were likely compromised in a cyberattack at its stores, suggesting the hacking attack at the home improvement chain was larger than last year's unprecedented breach at Target Corp. Home Depot, in providing the first clues to how much the breach would cost, said that so far it has estimated costs of $62 million. But it indicated that costs could reach much higher. It will take -months- to determine the full scope of the fraud, which affected Home Depot stores in both the United States and Canada and ran from April to September. Retailer Target incurred costs of $148 million in its second fiscal quarter related to its breach. Target hackers stole at least 40 million payment card numbers and 70 million other pieces of customer data. Home Depot said that criminals used unique, custom-built software that had not been seen in previous attacks and was designed to evade detection in its most complete account of what had happened since it first disclosed the breach on Sept. 8. The company said that the hackers’ method of entry has been closed off, the malware eliminated from its network, and that it had rolled out "enhanced encryption of payment data" to all U.S. stores... Of the estimated cost so far of $62 million, which covers such items as credit monitoring, increased call center staffing, and legal and professional services, Home Depot said it believes that $27 million of the amount will be paid for by insurers. But the company said it has not yet estimated the impact of "probable losses" related to the possible need to reimburse banks for fraud and card replacement, as well as covering costs of lawsuits and government investigations... Criminals have frequently used software that evades detection, but retailers are expected to closely monitor their networks using tools that are designed to uncover signs of a crime in progress..."

85 - on: September 18, 2014, 15:26:44
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Firefox 32.0.2 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes
- https://www.mozilla.org/en-US/firefox/32.0.2/releasenotes/
Sep 18, 2014
Fixed: 32.0.2 - Corrupt installations cause Firefox to crash on update

86 - on: September 18, 2014, 03:38:03
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake NatWest SPAM - malware attached
- http://blog.dynamoo.com/2014/09/important-new-account-invoice-spam.html
18 Sep 2014 - "This -fake- NatWest invoice (since when did banks send invoices?) leads to a malicious ZIP file.
   From:     NatWest Invoice [invoice@ natwest .com]
    Date:     18 September 2014 11:06
    Subject:     Important - New account invoice
      Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
    To view/download your invoice please click here or follow the link below ...
    Thank you for choosing NatWest...


The link in this particular email goes to bnsoutlaws .co.uk/qvgstopmdi/njfeziackv.html which then downloads a ZIP file from bnsoutlaws .co.uk/qvgstopmdi/Account_Document.zip which in turn contains a malicious executable Account_Document.scr which has a VirusTotal detection rate of just 1/53*. The ThreatTrack report [pdf] shows that the malware attempts to call home...
Recommended blocklist:
188.165.204.210
liverpoolfc .bg
bnsoutlaws .co.uk
"
* https://www.virustotal.com/en-gb/file/9202af35dbf5620096a42766582f231654c74677ee3dcb70a5af6d178fcc0163/analysis/1411032337/
... Behavioural information
TCP connections
91.215.216.52: https://www.virustotal.com/en-gb/ip-address/91.215.216.52/information/
188.165.204.210: https://www.virustotal.com/en-gb/ip-address/188.165.204.210/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en-gb/ip-address/137.170.185.211/information/

UPDATE: The -same- malware is also being pushed by a fake Lloyds Bank email..
From:     Lloyds Commercial Bank [secure@ lloydsbank .com]
Date:     18 September 2014 11:45
Subject:     Important - Commercial Documents
Important account documents
Reference: C146
Case number: 68819453
Please review BACs documents.
Click link below, download and open document. (PDF Adobe file) ...


- http://myonlinesecurity.co.uk/nat-west-important-new-account-invoice-fake-pdf-malware/
18 Sep 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/Nat-West-New-account-invoice.png
___

USAA Phish ...
- https://blog.malwarebytes.org/fraud-scam/2014/09/steer-clear-of-usaa-phishing-campaigns/
Sep 18, 2014 - "... phish pages targeting the United Services Automobile Association (USAA), a Fortune 500 financial company that offers banking, investing, and insurance to US Military soldiers and their families. Here is what the fake page looks like:
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/default-1024x851.png
... Users are then led to this page:
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/ask-pin-1024x665.png
... Clicking the “Next” button opens this page wherein users can supply their secret questions and their respective answers:
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/qna-1024x789.png
... Clicking “Next” opens the last page, which asks for more information that needs “updating”, including full name and date of birth:
> https://blog.malwarebytes.org/wp-content/uploads/2014/09/more-info-967x1024.png
... Users are then shown the door by redirecting them to the legitimate USAA page one sees when they log out... In case you receive emails claiming to be from USAA, please note that they do -not- send out emails to their clients, or to anyone for that matter, asking for their information. Here is a short list of tips to help you steer clear of USAA phishing attempts:
- Remain aware of phishing cases involving USAA. It’s also good to have their contact details handy in the event of fraud or account compromise.
- The legitimate USAA website, www.usaa.com, is a verified domain. As such, look for the green box beside its URL on the browser address bar. This site also uses SSL encryption, which means that it uses the https protocol, making it safe to access even over public networks.
- Ensure that the anti-phishing feature of your Internet browser is enabled. Do this for your antivirus software as well..."
___

Fake eFax SPAM - PDF malware
- http://myonlinesecurity.co.uk/efax-report-fake-pdf-malware/
18 Sep 2014 - "'eFax Report' pretending to come from eFax Report <noreply@ efax-reports .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
   INCOMING FAX REPORT
    Date/Time: Thursday, 18.09.2014
    Speed: 353bps
    Connection time: 08:02
    Page: 4
    Resolution: Normal
    Remote ID: 611-748-177946
    Line number: 3
    DTMF/DID:
    Description: Internal only ...


18 September 2014: fax-id9182719182837529.zip ( 189 kb): Extracts to: fax-id9182719182837529.scr
Current Virus total detections: 1/54* . This eFax Report is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5a6c3fdd158c157b0c7e4293ad0a56b8ef2b2ececd68b4c075fc4b8cc16f6922/analysis/1411049220/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Line Voice Message Spam
- http://threattrack.tumblr.com/post/97827881718/line-voice-message-spam
18 Sep 2014 - "Subjects Seen:
    You have a voice message
Typical e-mail details:
    LINE Notification
    You have a voice message, listen it now.
    Time: 21:12:45 14.10.2014, Duration: 45sec


Malicious URLs:
    iagentnetwork .com/sql.php?line=gA7EF9bA7ns68jJ0eBi8ww
Malicious File Name and MD5:
    LINE_Call_<phone number>.zip (7FC6D33F62942B55AD94F20BDC7A3797)
    LINE_Call_<phone number>.exe (C3E0F4356A77D18438A38110F8BD919E)


Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/ad77337f36ff7e57db548378c0b961b2/tumblr_inline_nc4325Jmds1r6pupn.png

Tagged: Line.me, Kuluoz

147.202.201.24: https://www.virustotal.com/en/ip-address/147.202.201.24/information/
___

Chinese hacked U.S. military contractors ...
- http://www.reuters.com/article/2014/09/18/us-usa-military-cyberspying-idUSKBN0HC1TA20140918
Sep 18, 2014 - "Hacks associated with the Chinese government have repeatedly infiltrated the computer systems of U.S. airlines, technology companies and other contractors involved in the movement of U.S. troops and military equipment, a U.S. Senate panel has found. The Senate Armed Services Committee's year-long probe, concluded in March but made public on Wednesday, found the military's U.S. Transportation Command, or Transcom, was aware of only two out of at least -20- such cyber intrusions within a single year. The investigation also found gaps in reporting requirements and a lack of information sharing among U.S. government entities. That in turn left the U.S. military largely unaware of computer compromises of its contractors..."
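The dynamoo posts quoted above end with a "Recommended blocklist" and a note that hallerindia .com "is a good domain to -block-", written in the defanged "name .tld" form these blogs use. The script below is an added example, not code from this forum or from the blogs: it refangs the indicators quoted on this page (IPs and domains as given in the posts) and runs them over a few constructed proxy and DNS log lines (made up here, in squid and dnsmasq style) to show which lines a defender would want to look at, matching subdomains of a blocked domain as well as exact names.

```python
import ipaddress
import re

# Indicators exactly as quoted in the posts on this page, in the blogs'
# defanged "name .tld" form (IP from the ThreatTrack reports, domains from the
# "Recommended blocklist" lists and the hallerindia note).
RECOMMENDED_BLOCKLIST = [
    "188.165.204.210",
    "liverpoolfc .bg",
    "bnsoutlaws .co.uk",
    "hallerindia .com",
    "denis-benker .de",
    "estudiocarraro .com.br",
]

# Hostname-or-IP-looking tokens in a lowercased log line; ':' and '/' end a token.
TOKEN = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?")


def refang(indicator: str) -> str:
    """Undo the 'dot-space' defanging used in the quoted posts and normalise case."""
    return re.sub(r"\s*\.\s*", ".", indicator.strip()).lower().rstrip(".")


def build_blocklist(indicators):
    """Split refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for raw in indicators:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return ips, domains


def domain_matches(host: str, domains) -> bool:
    """True if host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_hits(log_lines, indicators):
    """Return (line, [matched indicators]) for every log line touching the blocklist."""
    ips, domains = build_blocklist(indicators)
    hits = []
    for line in log_lines:
        matched = set()
        for token in TOKEN.findall(line.lower()):
            if token in ips or domain_matches(token, domains):
                matched.add(token)
        if matched:
            hits.append((line, sorted(matched)))
    return hits


# Constructed sample log lines (not from the page). Internal 10.0.0.x clients and
# the 203.0.113.5 peer are placeholders; example.org is benign control traffic.
SAMPLE_LOGS = [
    "1411032337.412    213 10.0.0.17 TCP_MISS/200 4821 GET "
    "http://bnsoutlaws.co.uk/qvgstopmdi/njfeziackv.html - DIRECT/203.0.113.5 text/html",
    "Sep 18 11:07:02 dnsmasq[4210]: query[A] liverpoolfc.bg from 10.0.0.17",
    "Sep 18 11:07:03 dnsmasq[4210]: reply liverpoolfc.bg is 188.165.204.210",
    "1411032399.101     88 10.0.0.23 TCP_HIT/200 1120 GET "
    "http://www.example.org/index.html - NONE/- text/html",
    "Sep 18 11:08:10 dnsmasq[4210]: query[A] cdn.hallerindia.com from 10.0.0.31",
]

if __name__ == "__main__":
    for line, matched in find_hits(SAMPLE_LOGS, RECOMMENDED_BLOCKLIST):
        print(", ".join(matched), "<-", line)
```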

87 - on: September 17, 2014, 19:13:03
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

iOS 8 released
- http://www.securitytracker.com/id/1030866
CVE Reference: CVE-2014-4352, CVE-2014-4353, CVE-2014-4354, CVE-2014-4356, CVE-2014-4357, CVE-2014-4361, CVE-2014-4362, CVE-2014-4363, CVE-2014-4364, CVE-2014-4366, CVE-2014-4367, CVE-2014-4368, CVE-2014-4369, CVE-2014-4371, CVE-2014-4372, CVE-2014-4373, CVE-2014-4374, CVE-2014-4375, CVE-2014-4377, CVE-2014-4378, CVE-2014-4379, CVE-2014-4380, CVE-2014-4381, CVE-2014-4383, CVE-2014-4384, CVE-2014-4386, CVE-2014-4388, CVE-2014-4389, CVE-2014-4404, CVE-2014-4405, CVE-2014-4407, CVE-2014-4408, CVE-2014-4409, CVE-2014-4410, CVE-2014-4411, CVE-2014-4412, CVE-2014-4413, CVE-2014-4414, CVE-2014-4415, CVE-2014-4418, CVE-2014-4419, CVE-2014-4420, CVE-2014-4421, CVE-2014-4422, CVE-2014-4423
Sep 18 2014
Impact: Denial of service via local system, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 8.0 ...
Solution: The vendor has issued a fix (8.0).
The vendor's advisory is available at:
- http://support.apple.com/kb/HT6441
Sep 17, 2014

- http://support.apple.com/kb/HT1222
17 Sept 2014
iOS 8 - iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
___

Safari 6.2 and 7.1
- http://support.apple.com/kb/HT6440
Sep 18, 2014

OS X Mavericks v10.9.5 and Security Update 2014-004
- http://support.apple.com/kb/HT6443
Sep 18, 2014

OS X Server v3.2.1
- http://support.apple.com/kb/HT6448
Sep 18, 2014
___

- http://atlas.arbor.net/briefs/index#2074331089
High Severity
Sep 26, 2014

88 - on: September 17, 2014, 02:44:57
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

- https://www.wireshark.org/news/20140916.html

Wireshark 1.12.1 released
- https://www.wireshark.org/download.html
Sep 16, 2014 - "The current stable release of Wireshark is 1.12.1. It supersedes all previous releases..."
Release Notes
- https://www.wireshark.org/docs/relnotes/wireshark-1.12.1.html
Bug Fixes
- https://www.wireshark.org/docs/relnotes/wireshark-1.12.1.html#_bug_fixes

- https://www.wireshark.org/lists/wireshark-announce/201409/msg00000.html
___

Wireshark 1.10.10 released
- https://www.wireshark.org/lists/wireshark-announce/201409/msg00001.html
Release Notes
- https://www.wireshark.org/docs/relnotes/wireshark-1.10.10.html
Bug Fixes
- https://www.wireshark.org/docs/relnotes/wireshark-1.10.10.html#_bug_fixes
___

- http://www.securitytracker.com/id/1031111
CVE Reference: CVE-2014-6421, CVE-2014-6422, CVE-2014-6423, CVE-2014-6424, CVE-2014-6425, CVE-2014-6426, CVE-2014-6427, CVE-2014-6428, CVE-2014-6429, CVE-2014-6430, CVE-2014-6431, CVE-2014-6432
Oct 22 2014
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.10.0 to 1.10.9, 1.12.0 ...
Solution: The vendor has issued a fix (1.10.10, 1.12.1)...

89 - on: September 17, 2014, 02:24:12
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake FAX SPAM - malware
- http://blog.dynamoo.com/2014/09/youve-received-new-fax-no-you-havent.html
17 Sep 2014 - "This tired old spam format comes with warmed-over malware attachment.
   From:     Fax [fax@ victimdomain .com]
    Date:     17 September 2014 09:32
    Subject:     You've received a new fax
    New fax at SCAN6405035 from EPSON by https ://victimdomain .com
    Scan date: Wed, 17 Sep 2014 16:32:29 +0800
    Number of pages: 2
    Resolution: 400x400 DPI
    You can secure download your fax message at ...
    (Google Disk Drive is a file hosting service operated by Google, Inc.)


The link in the email downloads an archive file Message_Document_pdf.zip from the same estudiocarraro .com .br site. This has a VirusTotal detection rate of 3/54*. The ThreatTrack report shows that the malware attempts to phone home to:
denis-benker .de/teilen/1709uk1.hit
188.165.204.210/1709uk1/NODE01/0/51-SP3/0/
188.165.204.210/1709uk1/NODE01/1/0/0/
188.165.204.210/1709uk1/NODE01/41/5/4/
Recommended blocklist:
188.165.204.210
denis-benker .de
estudiocarraro .com.br
"
* https://www.virustotal.com/en-gb/file/01e69a84cd47f38786affe7348fb334f2092984fa11444352ee5a0431c505f6d/analysis/1410943351/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en-gb/ip-address/137.170.185.211/information/

188.165.204.210: https://www.virustotal.com/en-gb/ip-address/188.165.204.210/information/
___

Fake ADP Invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/adp-invoice-pdf-malware/
17 Sep 2014 - "'ADP Invoice' pretending to come from billing.address.updates@ adp .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... we always say don’t open any attachment or file sent to you in an email, but with fake or malicious PDF files that is quite difficult.

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/adp-invoice-with-malicious-pdf.png

17 September 2014: adp_invoice_46887645.pdf
Current Virus total detections: 8/55* . This ADP Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2653224f479aa10f4e82b489987bb519f563786b676bacb76a5efba2963cd546/analysis/1410974477/
___

Android Malware uses SSL for Evasion
- http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-use-ssl-for-evasion/
Sep 17, 2014 - "... a double-edged sword. Android malware is now utilizing SSL to hide their routines and to evade detection. SSL servers have become a target of Android malware. Malware can use any of the three types of servers... This malware steals user and device information, such as the IMEI, phone number, and images stored in the SD card. Whenever the user starts the app or once the phone reboots, the app will start a backend service to dump the aforementioned information and use a hard-coded Gmail account and password to send the information to a particular email address... ANDROIDOS_TRAMP.HAT attempts to disguise itself as an official Google service. It collects user information like the phone number, location, and contact list. Upon execution, it registers GCMBroadCastReceiver. The malicious app will then post the -stolen- data via Google Cloud Messaging. Google Cloud Messaging is used for C&C communication of the malicious app. Commands such as “send message,” “block call,” and “get current location” are sent and received via Google Cloud Messaging... ANDROIDOS_BACKDOORSNSTWT.A triggers its C&C attack through Twitter. The malware crawls for Twitter URLs and combines the obtained information with a hard-coded string to generate a new C&C URL for attacks. The stolen information is sent to the generated URL... Cybercriminals may have also targeted SSL servers and services because they do not need to exert much effort into gaining access to these sites. They can do so via normal and legal means, such as buying a virtual host from web-hosting services or registering a new account on Twitter. Should we see more use (and abuse) of SSL, detecting malicious apps may not be enough. Collaboration with server providers and services will be needed in removing related URLs, email addresses, and the like. Given the constant evolution of Android malware, we advise users to download Android apps only from legitimate sources. Third-party app stores may not be as strict when it comes to scanning for potentially malicious apps. We also advise users to use a security solution that can detect and block threats that may cause harm to mobile devices..."
(More detail at the trendmicro URL above.)
___

Fake UKFast invoice SPAM – malware attachment
- http://myonlinesecurity.co.uk/ukfast-invoice-fake-pdf-malware/
17 Sep 2014 - "'UKFast invoice' pretending to come from UKFast Accounts <accounts@ ukfast .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The subject line and the to: lines on these emails are blank...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/ukfast-invoice.png

17 September 2014: Invoice-17009106-001.zip ( 137 kb): Extracts to:  Invoice 17009106-001.exe
Current Virus total detections: 0/55* . This UKFast invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/200ef318f11db4e3975159b378a48bf2d6420c3a48d7f4c75efe1cb2acbc22b8/analysis/1410939664/
___

Fake Invoice SPAM ...
- http://myonlinesecurity.co.uk/strabane-weekly-news-inv0071981-newspaper-copy-fake-pdf-malware/
17 Sep 2014 - "'Strabane Weekly News INV0071981 – Newspaper copy' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... - same- malware as one version of today’s UKFast invoice – fake PDF malware*... The email looks like:
   Dear Sir,
    Please find attached the copy of the advert for INV0071981 in the Strabane Weekly News.
    Thank you,
    Darragh


This 'Strabane Weekly News INV0071981 – Newspaper copy' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/ukfast-invoice-fake-pdf-malware/
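Several posts above describe the same lure: a ZIP attachment whose member is named like a document ("Invoice102740_..._pdf.zip" extracting to "..._pdf.exe", "fax-id...zip" extracting to ".scr") and carries a PDF-style icon so that, with known extensions hidden, it passes for a PDF. A mail gateway cannot see the icon, but it can look at the member name and the first bytes. The scanner below is an added example, not code from this forum or from the blogs quoted: it builds a constructed ZIP in memory (an inert two-byte "MZ" stub standing in for an executable, plus a real PDF header) and flags members that have an executable extension, hide a document type in the name, or carry a PE signature under a non-executable name; that last case goes slightly beyond the posts, which only describe the spoofed-icon variant.

```python
import io
import zipfile

# Extensions Windows will run when double-clicked; the samples in the posts use .exe and .scr.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document types the lures borrow for the filename ("..._pdf.exe", "report.pdf.exe").
DECOY_DOC_TOKENS = ("pdf", "doc", "docx", "xls", "jpg")


def classify_entry(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive member looks like a fake-document executable.

    name: member filename inside the ZIP; head: its first two bytes.
    """
    reasons = []
    lower = name.lower()
    stem, dot, ext = lower.rpartition(".")
    ext = "." + ext if dot else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        # "invoice_pdf.exe" or "statement.pdf.exe": a document type placed before the real extension
        if any(stem.endswith("_" + t) or stem.endswith("." + t) for t in DECOY_DOC_TOKENS):
            reasons.append("document type spoofed in filename")
    # 'MZ' is the DOS/PE executable signature regardless of what the file is called.
    if head.startswith(b"MZ") and ext not in EXECUTABLE_EXTS:
        reasons.append("PE header (MZ) under a non-executable name")
    elif head.startswith(b"MZ"):
        reasons.append("PE header (MZ)")
    return reasons


def scan_zip_bytes(data: bytes) -> dict[str, list[str]]:
    """Scan a ZIP attachment held in memory; returns {member name: reasons} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the signature is needed, never the whole payload
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (not one of the attachments from the page).

    The 'MZ' stubs are inert zero-padded bytes, not executables.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice102740_pdf.exe", b"MZ" + b"\x00" * 62)  # the lure pattern from the posts
        zf.writestr("real-statement.pdf", b"%PDF-1.4\n%%EOF\n")    # genuine PDF, must not be flagged
        zf.writestr("renamed.pdf", b"MZ" + b"\x00" * 62)           # PE bytes behind a .pdf name
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip_bytes(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```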

90 - on: September 16, 2014, 10:26:12
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Adobe Reader / Acrobat 11.0.09 released
- https://helpx.adobe.com/security/products/reader/apsb14-20.html
Sep 16, 2014
CVE Numbers: CVE-2014-0560, CVE-2014-0561, CVE-2014-0562, CVE-2014-0563, CVE-2014-0565, CVE-2014-0566, CVE-2014-0567, CVE-2014-0568
Platform: Windows and Macintosh
Summary: Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh. These updates address vulnerabilities that could potentially allow an attacker to take over the affected system. Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Reader XI (11.0.08) and earlier versions should update to version 11.0.09.
- For users of Adobe Reader X (10.1.11) and earlier versions who cannot update to version 11.0.09, Adobe has made available version 10.1.12.
- Users of Adobe Acrobat XI (11.0.08) and earlier versions should update to version 11.0.09.
- For users of Adobe Acrobat X (10.1.11) and earlier versions, who cannot update to version 11.0.09, Adobe has made available version 10.1.12...
The product's default update mechanism is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates...
___

- http://www.securitytracker.com/id/1030853
CVE Reference: CVE-2014-0560, CVE-2014-0561, CVE-2014-0562, CVE-2014-0563, CVE-2014-0565, CVE-2014-0566, CVE-2014-0567, CVE-2014-0568
Sep 16 2014
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 10.1.11 and prior; 11.0.08 and prior...
Solution: The vendor has issued a fix (10.1.12, 11.0.09).
___

- https://atlas.arbor.net/briefs/index#-778103136
Extreme Severity
19 Sep 2014
