FYI...The ThreatCon is currently at Level 2: Elevated
Mar 2, 2014 - "On February 19, 2014, Microsoft released a security advisory confirming limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 9 and 10. The exploit is now being used in mass attacks. Customers are advised to update to Internet Explorer 11 or apply the Microsoft Fix it* solution described in the Microsoft Security Advisory. A security patch has yet to be released.
Microsoft Security Advisory (2934088) Vulnerability in Internet Explorer Could Allow Remote Code Execution"
Feb 2014 - IE: 58%
___Fake Companies House SPAM
28 Feb 2014 - "This -fake- Companies House spam leads to malware:
From: Companieshouse.gov.uk [web-filing@companies-house .gov .uk]
Date: 28 February 2014 12:55
Subject: Spam FW: Case - 6569670
A company complaint was submitted to Companies House website.
The submission number is 6569670
For more details please click : https ://companieshouse .gov .uk/Case?=6569670
Please quote this number in any communications with Companies House.
All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.
Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other organisations that handle public funds.
If you have any queries please contact the Companies House Contact Centre ...
The link in the email goes to:
in turn this runs one or more of the following scripts:
which in turn leads to a payload site at:
According to this URLquery report*, the payload site has some sort of Java exploit.
Recommended blocklist: digitec-brasil .com.br
___Fake Urgent eviction notification - Asprox
Feb 28, 2014 - "The latest Asprox / Kuluoz spam template consists of an unsolicited email appearing to be from ppmrental .com. Prospectors Property Management is a Real Estate Agency located in Morgan Hill, California. The emails arrive with the subject line "Urgent eviction notification". The spammed out message notifies the recipient that as a trespasser they need to move out from their property before the 21 March 2014 and leave the property empty of their belongings and trash. The addressee must contact the Real Estate without delay in order to make arrangements to move out. Failure to do so could result in being locked out of the house. A detailed bank statement as well as the Real Estate's contact information can be found in the attachment. The executable file inside the ZIP archive poses as a Microsoft Word Document. This is one of the main reasons why you should never trust a file by its icon. Make sure that Windows Explorer is set to show file extensions and always pay attention to the file extension instead. The payload, Urgent_notice_of_eviction.exe will start up an instance of svchost.exe before accessing the internet. A copy of the executable will be copied under a random name to the %User Profile%\Local Settings\Application Data folder. A small downloader - bqoqusgj.exe in our analysis - will be fetched from the C&C together with 3 other files:
vbxghrke - 66.5 KB (68,161 bytes)
kqrbfxel - 12.0 KB (12,326 bytes)
ihxqgwcu.exe - 140 KB (143,360 bytes)
A new startup entry will be created for ihxqgwcu.exe so that the program starts each time Windows starts, but the executable isn't launched yet. In the meantime bqoqusgj.exe will download two files posing as updates for the Flash Player: updateflashplayer_9e26d2b2.exe (libs5.8/jquery directory) and UpdateFlashPlayer_266a0199.exe (libs5.8/ajax directory).
... Updateflashplayer_9e26d2b2.exe will instantly shut down and reboot the computer. A series of error messages will appear upon reboot as the malicious binary has deleted several critical registry keys belonging to Antivirus / Firewall / HIPS applications...The Asprox ad fraud binary also makes sure that the computer can't boot in Safe Mode by deleting the corresponding registry entries. As seen below, booting the computer in safe mode results in a blue screen
... For an in-depth analysis of Asprox / Kuluoz please refer to: Analysis of Asprox and its New Encryption Scheme*... Email:
... IP Details 220.127.116.11
..."(More detail at the stopmalvertising URL above.)
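As an added defensive example (not code from the stopmalvertising write-up quoted above), the following Python script inspects a ZIP attachment for the pattern described in that item: a Windows executable posing as a document. The archive contents are constructed in memory, and the extension lists are assumptions to be tuned per environment.

```python
"""Flag executables shipped inside a ZIP attachment, as in the Asprox
'Urgent eviction notification' lure where an .exe posed as a Word document."""
import io
import zipfile

# Extensions Windows runs directly on double-click (assumed list, not exhaustive).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".rtf", ".txt"}
PE_MAGIC = b"MZ"  # DOS/PE header at the start of every Windows executable


def inspect_zip(data: bytes) -> list:
    """Return one finding per suspicious member: executable extension,
    double extension such as 'statement.doc.exe', or a PE header hiding
    behind a document-style extension (catches renamed payloads too)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            inner_ext = "." + parts[-2] if len(parts) > 2 else ""
            header = zf.open(info).read(2)
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append("executable extension")
            if inner_ext in DOC_EXTENSIONS and ext in EXEC_EXTENSIONS:
                reasons.append("double extension")
            if header == PE_MAGIC and ext not in EXEC_EXTENSIONS:
                reasons.append("PE header in non-executable name")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (fake 'MZ' stubs, not real binaries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Urgent_notice_of_eviction.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("statement.doc.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("bank_statement.doc", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f["member"], "->", ", ".join(f["reasons"]))
```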
2014 Mar 03