News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 91 
 on: September 17, 2014, 02:24:12  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake FAX SPAM - malware
- http://blog.dynamoo.com/2014/09/youve-received-new-fax-no-you-havent.html
17 Sep 2014 - "This tired old spam format comes with warmed-over malware attachment.
   From:     Fax [fax@ victimdomain .com]
    Date:     17 September 2014 09:32
    Subject:     You've received a new fax
    New fax at SCAN6405035 from EPSON by https ://victimdomain .com
    Scan date: Wed, 17 Sep 2014 16:32:29 +0800
    Number of pages: 2
    Resolution: 400x400 DPI
    You can secure download your fax message at ...
    (Google Disk Drive is a file hosting service operated by Google, Inc.)


The link in the email downloads an archive file Message_Document_pdf.zip from the same estudiocarraro .com .br site. This has a VirusTotal detection rate of 3/54*. The ThreatTrack report shows that the malware attempts to phone home to:
denis-benker .de/teilen/1709uk1.hit
188.165.204.210/1709uk1/NODE01/0/51-SP3/0/
188.165.204.210/1709uk1/NODE01/1/0/0/
188.165.204.210/1709uk1/NODE01/41/5/4/
Recommended blocklist:
188.165.204.210
denis-benker .de
estudiocarraro .com.br
"
* https://www.virustotal.com/en-gb/file/01e69a84cd47f38786affe7348fb334f2092984fa11444352ee5a0431c505f6d/analysis/1410943351/
... Behavioural information
UDP communications
137.170.185.211: https://www.virustotal.com/en-gb/ip-address/137.170.185.211/information/

188.165.204.210: https://www.virustotal.com/en-gb/ip-address/188.165.204.210/information/
___

Fake ADP Invoice SPAM – PDF malware
- http://myonlinesecurity.co.uk/adp-invoice-pdf-malware/
17 Sep 2014 - "'ADP Invoice' pretending to come from billing.address.updates@ adp .com is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... we always say don’t open any attachment or file sent to you in an email, but with fake or malicious PDF files that is quite difficult.

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/adp-invoice-with-malicious-pdf.png

17 September 2014: adp_invoice_46887645.pdf
Current Virus total detections: 8/55* . This ADP Invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2653224f479aa10f4e82b489987bb519f563786b676bacb76a5efba2963cd546/analysis/1410974477/
___

Android Malware uses SSL for Evasion
- http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-use-ssl-for-evasion/
Sep 17, 2014 - "... a double-edged sword. Android malware is now utilizing SSL to hide their routines and to evade detection. SSL servers have become a target of Android malware. Malware can use any of the three types of servers... This malware steals user and device information, such as the IMEI, phone number, and images stored in the SD card. Whenever the user starts the app or once the phone reboots, the app will start a backend service to dump the aforementioned information and use a hard-coded Gmail account and password to send the information to a particular email address... ANDROIDOS_TRAMP.HAT attempts to disguise itself as an official Google service. It collects user information like the phone number, location, and contact list. Upon execution, it registers GCMBroadCastReceiver. The malicious app will then post the -stolen- data via Google Cloud Messaging. Google Cloud Messaging is used for C&C communication of the malicious app. Commands such as “send message,” “block call,” and “get current location” are sent and received via Google Cloud Messaging... ANDROIDOS_BACKDOORSNSTWT.A triggers its C&C attack through Twitter. The malware crawls for Twitter URLs and combines the obtained information with a hard-coded string to generate a new C&C URL for attacks. The stolen information is sent to the generated URL... Cybercriminals may have also targeted SSL servers and services because they do not need to exert much effort into gaining access to these sites. They can do so via normal and legal means, such as buying a virtual host from web-hosting services or registering a new account on Twitter. Should we see more use (and abuse) of SSL, detecting malicious apps may not be enough. Collaboration with server providers and services will be needed in removing related URLs, email addresses, and the like. Given the constant evolution of Android malware, we advise users to download Android apps only from legitimate sources. Third-party app stores may not be as strict when it comes to scanning for potentially malicious apps. We also advise users to use a security solution that can detect and block threats that may cause harm to mobile devices..."
(More detail at the trendmicro URL above.)
___

Fake UKFast invoice SPAM – malware attachment
- http://myonlinesecurity.co.uk/ukfast-invoice-fake-pdf-malware/
17 Sep 2014 - "'UKFast invoice' pretending to come from UKFast Accounts <accounts@ ukfast .co.uk> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The subject line and the to: lines on these emails are blank...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/ukfast-invoice.png

17 September 2014: Invoice-17009106-001.zip ( 137 kb): Extracts to:  Invoice 17009106-001.exe
Current Virus total detections: 0/55* . This UKFast invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/file/200ef318f11db4e3975159b378a48bf2d6420c3a48d7f4c75efe1cb2acbc22b8/analysis/1410939664/
___

Fake Invoice SPAM ...
- http://myonlinesecurity.co.uk/strabane-weekly-news-inv0071981-newspaper-copy-fake-pdf-malware/
17 Sep 2014 - "'Strabane Weekly News INV0071981 – Newspaper copy' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... - same- malware as one version of today’s UKFast invoice – fake PDF malware*... The email looks like:
   Dear Sir,
    Please find attached the copy of the advert for INV0071981 in the Strabane Weekly News.
    Thank you,
    Darragh


This 'Strabane Weekly News INV0071981 – Newspaper copy' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/ukfast-invoice-fake-pdf-malware/


 92 
 on: September 16, 2014, 10:26:12  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Adobe Reader / Acrobat 11.0.09 released
- https://helpx.adobe.com/security/products/reader/apsb14-20.html
Sep 16, 2014
CVE Numbers: CVE-2014-0560, CVE-2014-0561, CVE-2014-0562, CVE-2014-0563, CVE-2014-0565, CVE-2014-0566, CVE-2014-0567, CVE-2014-0568
Platform: Windows and Macintosh
Summary: Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh. These updates address vulnerabilities that could potentially allow an attacker to take over the affected system. Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Reader XI (11.0.08) and earlier versions should update to version 11.0.09.
- For users of Adobe Reader X (10.1.11) and earlier versions who cannot update to version 11.0.09, Adobe has made available version 10.1.12.
- Users of Adobe Acrobat XI (11.0.08) and earlier versions should update to version 11.0.09.
- For users of Adobe Acrobat X (10.1.11) and earlier versions, who cannot update to version 11.0.09, Adobe has made available version 10.1.12...
The product's default update mechanism is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates...
___

- http://www.securitytracker.com/id/1030853
CVE Reference: CVE-2014-0560, CVE-2014-0561, CVE-2014-0562, CVE-2014-0563, CVE-2014-0565, CVE-2014-0566, CVE-2014-0567, CVE-2014-0568
Sep 16 2014
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 10.1.11 and prior; 11.0.08 and prior...
Solution: The vendor has issued a fix (10.1.12, 11.0.09).
___

- https://atlas.arbor.net/briefs/index#-778103136
Extreme Severity
19 Sep 2014


 93 
 on: September 16, 2014, 08:41:33  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Tiny Banker Trojan - targets customers of major banks ...
- http://blog.avast.com/2014/09/15/tiny-banker-trojan-targets-customers-of-major-banks-worldwide/
Sep 15, 2014 - "After an analysis of a payload distributed by Rig Exploit kit, the AVAST Virus Lab identified a payload as Tinba Banker. This Trojan targets a large scope of banks like Bank of America, ING Direct, and HSBC.
> http://blog.avast.com/wp-content/uploads/2014/09/hsbc_bank.png
... How does Tiny Banker work?
1. The user visits a website infected with the Rig Exploit kit (Flash or Silverlight exploit).
2. If the user’s system is vulnerable, the exploit executes a malicious code that downloads and executes the malware payload, Tinba Trojan.
3. When the computer is infected and the user tries to log in to one of the targeted banks, webinjects come into effect and the victim is asked to fill out a form with his/her personal data.
4. If he/she -confirms- the form, the data is sent to the attackers. This includes credit card information, address, social security number, etc. An interesting field is “Mother’s Maiden Name”, which is often used as a security question to reset a password.
The example of an injected form targeting Wells Fargo bank customers is displayed in the image below.
> http://blog.avast.com/wp-content/uploads/2014/09/form.png
... Targeted financial institutions:
Bank of America, Associated Bank, America’s Credit Unions, Etrade Financial Corporation, US bank, Banco de Sabadell, Farmers & Merchants Bank, HSBC, TD Bank, BancorpSouth, Chase, Fifth third bank, Wells Fargo, StateFarm, Regions, ING Direct, M&T Bank, PNC, UBS, RBC Royal Bank,  RBS, CityBank, Bank BGZ, Westpack, Scotiabank, United Services Automobile Association
Screenshots of targeted banks:
- http://blog.avast.com/wp-content/uploads/2014/09/us_bank.png
...
- http://blog.avast.com/wp-content/uploads/2014/09/td_bank.png
... Conclusion: Keep your software up-to-date. Software -updates- are necessary to patch vulnerabilities. Unpatched vulnerabilities open you to serious risk which may lead to money loss. For more protection, use security software such as avast! Antivirus with Software Updater feature. Software Updater informs you about updates available for your computer..."


 94 
 on: September 16, 2014, 02:02:44  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

MS14-055 revised - Vulnerabilities in Lync could allow denial of service ...
- https://technet.microsoft.com/library/security/MS14-055
V2.0 (September 15, 2014): Bulletin revised to remove* Download Center links for Microsoft security update 2982385 for Microsoft Lync Server 2010...
* Update FAQ
Why was this bulletin revised on September 15, 2014?
Microsoft revised this bulletin to address a known issue that prevented users from successfully installing security update 2982385 for Microsoft Lync Server 2010. Microsoft is investigating behavior associated with the installation of this update, and will update this bulletin when more information becomes available. As an added precaution, Microsoft has removed the download links to the 2982385 security update...

Related: https://support.microsoft.com/kb/2990928
Last Review: Sep 16, 2014 - Rev: 2.0


 95 
 on: September 16, 2014, 01:20:07  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake 'Payments' SPAM ...
- http://blog.mxlab.eu/2014/09/16/trojan-genvariant-graftor-155439-present-in-fake-emails-regarding-payments/
Sep 16, 2014 - "... intercepted different campaigns where the trojan Gen:Variant.Graftor.155439 is present in the attached ZIP archive. The trojan is known as Gen:Variant.Graftor.155439 by most AV engines but it’s also known as Trojan/Win32.Zbot, HW32.Paked.1F59, Generic-FAUS!BA7599C952BE or PE:Malware.XPACK-HIE/Heur!1.9C48. The first email comes with the subject “Re: today payment done”, is sent from a spoofed address and has the following body:
   Dear sir,
    Today we have able to remit the total amount of US$ 51,704.97 to your account. Details of our payments are as follows:
    Cont. #41 SPV001/APR/13 US$34,299.13 – 11,748.82 (50% disc. For R008 & R016) =
    Cont. #42 EXSQI013/MAY/13 US$29,154.66
    Total Remittance: US$ 51,704.97
    Attached is the TT copy, check with your bank and let us know when you will proceed with shipment.
    Thank you very much.
    Best regards,
    Me


The attached ZIP file has the name swift copy.zip and contains the swift copy.scr file. At the time of writing, 11 of the 54 AV engines did detect the trojan at Virus Total*...
* https://www.virustotal.com/en/file/db9eb842deb7cbda56c3df7c1e198fac5f0d65d0d8ef9df2f13618d18416c686/analysis/
The second email comes with the subject “Re: Balance payment”, is sent from a spoofed address and has the following body:
   The attached TT copy is issued at the request of our customer. The advice is for your reference only.
    Yours faithfully,
    Global Payments and Cash Management
    Bank of America (BOA)
    This is an auto-generated email, please DO NOT REPLY. Any replies to this
    email will be disregarded...


The attached ZIP file has the name original copy.zip and contains the original copy.scr file. At the time of writing, 12 of the 55 AV engines did detect the trojan at Virus Total**..."
** https://www.virustotal.com/en/file/f7f1b10365b995c308d1cc4a3f025e5e7f249fbfee82f7bcd8297e1c5fcc1635/analysis/
___

Fake 'My new photo Wink' SPAM - malware attachment
- http://blog.mxlab.eu/2014/09/16/email-my-new-photo-contains-a-variant-of-trojan-win32-swizzor-2o-trojan/
Sep 16, 2014 - "... intercepted a new trojan variant distribution campaign by email with the subject “My new photo Wink”. This email is sent from a spoofed address and has the following short body in very poor English:
   my new photo Wink
    if you like my photo to send me u photo


The attached ZIP file has the name photo.zip; once extracted, a folder named photo is available that contains the 127 kB file photo.exe. The trojan is known as a variant of Trojan.Win32.Swizzor.2!O. At the time of writing, 1 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/83d322707828350ba51301b1a0d02ee0c831b88bb9722036ade2b7d8827817cb/analysis/
... Behavioural information
TCP connections:
131.253.40.1: https://www.virustotal.com/en/ip-address/131.253.40.1/information/
137.254.60.32: https://www.virustotal.com/en/ip-address/137.254.60.32/information/
134.170.188.84: https://www.virustotal.com/en/ip-address/134.170.188.84/information/
157.56.121.21: https://www.virustotal.com/en/ip-address/157.56.121.21/information/
91.240.22.62: https://www.virustotal.com/en/ip-address/91.240.22.62/information/
___

Fake USPS SPAM - word doc malware
- http://myonlinesecurity.co.uk/usps-postal-notification-service-fake-word-doc-malware/
16 Sep 2014 - "'USPS Postal Notification Service' pretending to come from USPS  is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/usps-postal-notification-service.png

16 September 2014: Label.zip ( 82 kb): Extracts to: Label.exe
Current Virus total detections: 20/54* . This USPS Postal Notification Service is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper Microsoft Word .doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6678ff966e942e4bf669d8a240acbab79971c871152f3c16478a3ec0c3f5c805/analysis/1410841682/
___

Fake 'inovice' SPAM ...
- http://blog.dynamoo.com/2014/09/inovice-0293991-september-spam.html
16 Sep 2014 - "This spam mis-spells "invoice" in the subject line, and has an .arj file attached that contains a malicious binary.
Example subjects:
inovice 8958508 September
inovice 7682161 September
inovice 4868431 September
inovice 0293991 September
Body text:
This email contains an invoice file attachment


The name of the attachment varies, but is in the format invoice_8958508.arj which contains a malicious executable invoice_38898221_spt.exe which has a VirusTotal detection rate of just 3/54*. The ThreatTrack report...and Anubis report show a series of DGA domains... that are characteristic of Zbot, although none of these domains are currently resolving. If your organisation can -block- .arj files at the mail perimeter then it is probably a good idea to do so."
* https://www.virustotal.com/en-gb/file/ee43410ecaba583a03eb3cfbf1af1afb38a5f25cd8742b47372b853d83fc7089/analysis/1410860283/
... Behavioural information
TCP connections:
208.91.197.27: https://www.virustotal.com/en/ip-address/208.91.197.27/information/
___

Fake FAX SPAM... again
- http://blog.dynamoo.com/2014/09/youve-received-new-fax-spam.html
16 Sep 2014 - "... a facsimile transmission...
From:     Fax
Date:     16 September 2014 11:05
Subject:     You've received a new fax
New fax at SCAN0204102 from EPSON by ...
Scan date: Tue, 16 Sep 2014 15:35:59 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can download your fax message at: ...
(Google Disk Drive is a file hosting service operated by Google, Inc.) ...


The link is so obviously not anything to do with Google. Clicking on it loads another script from triera .biz.ua/twndcrfbru/zjliqkgppi.js which in turn downloads a ZIP file from www .yerelyonetisim .org.tr/pdf/Message_2864_pdf.zip which has a VirusTotal detection rate of 3/55*. This malware then phones home... Recommended blocklist:
188.165.204.210
brisamarcalcados .com.br
triera .biz.ua
yerelyonetisim .org.tr
ngujungwap .mobi.ps
"
* https://www.virustotal.com/en-gb/file/8f0aab0abbbe1519dadff8bc206568b144dfd36b605be090fe3098898e926832/analysis/1410862754/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
198.143.152.226: https://www.virustotal.com/en/ip-address/198.143.152.226/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake forgeries 'Copied invoices' SPAM
- http://blog.dynamoo.com/2014/09/kifilwe-shakong-copied-invoices-spam.html
16 Sep 2014 - "Kifilwe Shakong is a real person who works for Cashbuild in South Africa. She is not the person sending these messages, they are forgeries. Cashbuild's systems have not been compromised in any way. As you might guess, these messages have a malicious attachment.
From:     Kifilwe Shakong [kshakong@ cashbuild .co.za]
Date:     16 September 2014 12:17
Subject:     Copied invoices
The attached invoices are copies. We will not be able to pay them. Please send clear invoices.
This outbound email has been scanned by the IS Mail Control service.
For more information please visit http ...
The attached invoices are copies. We will not be able to pay them. Please send clear invoices...


Attached is a file with a filename in the format SKMBT_75114091015230.zip which in turn contains a malicious executable SKMBT_75114091015230.exe which has a very low detection rate at VirusTotal of just 1/54*... the malware attempts to phone home to the following domains and IPs which are worth blocking:
..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/file/e324d73b36f1fd31c53f6ae21457c2fd57f90be56dcd776efbe06b01fdaf3d5d/analysis/1410866733/
... Behavioural information
DNS requests
golklopro .com
cosjesgame .su
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake 'Unpaid invoice' SPAM - leads to Angler Exploit Kit
- http://blog.dynamoo.com/2014/09/unpaid-invoice-notification-spam-leads.html
16 Sep 2014 - "This convincing-looking but -fake- spam leads to an exploit kit.
   From:     Christie Foley [christie.foley@ badinsky .sk]
    Reply-to:     Christie Foley [christie.foley@ badinsky .sk]
    Date:     16 September 2014 13:55
    Subject:     Unpaid invoice notification ...


Screenshot: https://1.bp.blogspot.com/-4dVURai9zaE/VBg551t4f-I/AAAAAAAAFoA/l2blM5UgsbU/s1600/invoice.png

The link in the email goes to:
[donotclick]tiragreene .com/aspnet_client/system_web/4_0_30319/invoice_unn.html
Which in turn goes to an Angler EK landing page at:
[donotclick]108.174.58.239:8080 /wn8omxftff
You can see the URLquery report for the EK here*. I would strongly recommend blocking web traffic to 108.174.58.239 (ColoCrossing, US)."
* http://urlquery.net/report.php?id=1410873578924

- http://myonlinesecurity.co.uk/notification-amount-overdue-recent-invoice-java-exploit-malware/
16 Sep 2014
___

Fake 'PAYMENT SCHEDULE' email -  419 SCAM
- http://myonlinesecurity.co.uk/reyour-payment-schedule-pretending-come-dr-mrs-ngozi-o-iweala/
16 Sep 2014 - "'RE:YOUR PAYMENT SCHEDULE' pretending to come from Dr Mrs Ngozi O. Iweala is a -scam- . After all the current batches of very nasty and tricky malware being attached to emails or as links in emails, it really is a change to see a good old fashioned 419 scam:
   Attn:Beneficiary,
    My name is Mrs Ngozi Okonjo Iweala,I am the current minister of finance of Nigeria.
    Your payment file has been in our desk since two weeks ago and Mr.Croft from Australia submitted claims on your funds stating that you have given him the authority to claim the funds but we stopped him first until we receive a confirmation from any of you. You are therefore requested to get back to us to confirm the authenticity of the application of claim submitted by Mr Croft or if you did not authorized him for any reason,urgently get back to us so that we can direct you on how you are going to receive your fund via Automated Teller Machine System( ATM CARD).
    Please,response back with all your full details mostly your confidential address where you will have the ATM card delivered to you. Your urgent response is highly needed.
    Reply also to : fminister88 @gmail .com
    Your faithfully.
    Dr Mrs Ngozi O. Iweala.
    Finance Of Minister.


[Arrgghh...]
___

Fake Nat West SPAM - PDF malware
- http://myonlinesecurity.co.uk/nat-west-bacs-transfer-remittance-jsag828gbp-fake-pdf-malware/
16 Sep 2014 - "'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    We have arranged a BACS transfer to your bank for the following amount : 4933.00
    Please find details at our secure link below: ...


This is another version of the same upatre zbot downloaders that have been spammed out today with exactly the same payload as 'NatWest You have a new Secure Message – file-4430 – fake PDF malware'*. This 'Nat West BACS Transfer : Remittance for JSAG828GBP' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/natwest-new-secure-message-file-4430-fake-pdf-malware/

- https://www.virustotal.com/en/file/8f0aab0abbbe1519dadff8bc206568b144dfd36b605be090fe3098898e926832/analysis/1410862754/
... Behavioural information
TCP connections
188.165.204.210: https://www.virustotal.com/en/ip-address/188.165.204.210/information/
198.143.152.226: https://www.virustotal.com/en/ip-address/198.143.152.226/information/
UDP communications
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

Fake 'Dhl Delivery' SPAM - contains trojan
- http://blog.mxlab.eu/2014/09/16/fake-email-fwd-dhl-delivery-attempt-contains-trojan/
Sep 16, 2014 - "... intercepted a new trojan distribution campaign by email with the subject 'Fwd: Dhl Delivery Attempt (Invoice Documents)'. This email is sent from the spoofed address 'enquiry@ dhl .com' and has the following body:
    We attempted to deliver your item at 17:32pm on Sept 15th, 2014.
    The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically generated.
    You may rearrange delivery by visiting the link on the attached document or pick up the item at the DHL depot/office indicated on the receipt attached.
    If the package is not rescheduled for delivery or picked up within 48 hours, it will be returned to the sender.
    Airway Bill No: 7808130095
    Class: Package Services
    Service(s): Delivery Confirmation
    Status: eNotification sent
    Print this label to get this package at our depot/office.
    Thank you
    © 2014 Copyright© 2013 DHL. All Rights Reserved...


The attached ZIP file has the name DHL EXPRESS DELIVERY ATTEMPT.zip and contains the 293 kB large file DHL EXPRESS DELIVERY ATTEMPT.exe. The trojan is known as Trojan/Win32.Necurs, a variant of Win32/Injector.BLYN, W32/Injector.GLA!tr, Backdoor.Bot or Win32.Trojan.Bp-generic.Ixrn. At the time of writing, 6 of the 55 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/57d37614dd81d48c25bec02f4481e1757cd7a5b84ccc31904635a51d70db1a44/analysis/1410870424/


 96 
 on: September 15, 2014, 02:15:43  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Termination SPAM – malware
- http://myonlinesecurity.co.uk/termination-due-policy-violation-malware/
15 Sep 2014 - "There can’t be a much more alarming email to open first thing on a Monday morning than one that pretends to say that you have been fired... 'Termination due to policy violation #33205939124' pretending to come from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Today’s email template attaches an arj file. This sort of compressed file is rarely used nowadays and many popular zip file programs will not automatically extract them. -Any- email received with an ARJ attachment should be immediately -deleted- . NO legitimate company or program ever uses that form of compression nowadays. To make it even harder to quickly detect, all the attachments are randomly named and extract to a different randomly named file and each one has a totally different SHA1 or MD5 hash. Loads of slightly different subjects with this one, including
    Policy violation #59892665326
    Termination due to policy violation #33205939124
    Termination #59147901198
All the alleged infringements or violations have different numbers... The email looks like:
    Hello,
    We regret to inform you that your employment with A&M Defence & Marine Services Ltd is being terminated. Your termination is the result of the following violations of company policy:
    - 0A4 44 12.09.2011
    - 0A4 46 12.09.2011
    - 0A4 85 12.09.2011
     You were issued written warnings on 19.08.2014. As stated in your final warning, you needed to take steps to correct your behavior by 15.09.2014. Your failure to do so has resulted in your termination. To appeal this termination, you must return written notification of your intention to appeal to Wynona Kinnare in A&M Defence & Marine Services Ltd no later than 06:00PM on 21.09.2014.
     Sincerely,
    Pauletta Stephens ...


15 September 2014: disturbance_2014-09-15_08-38-12_33205939124.arj:
Extracts to:  disturbance_2014-09-15_08-38-12_33205939124.exe
Current Virus total detections: 3/53* . This 'Termination due to policy violation #33205939124' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/eb62d2fc255b934706b15eb5fa4f07fdf3a900810820ef60db62b77de1d4c4ef/analysis/
... Behavioural information
TCP connections:
187.45.193.139: https://www.virustotal.com/en/ip-address/187.45.193.139/information/
213.186.33.87: https://www.virustotal.com/en/ip-address/213.186.33.87/information/
23.62.99.33: https://www.virustotal.com/en/ip-address/23.62.99.33/information/
66.96.147.117: https://www.virustotal.com/en/ip-address/66.96.147.117/information/
UDP communications:
137.170.185.211: https://www.virustotal.com/en/ip-address/137.170.185.211/information/
___

LinkedIn feature exposes Email Addresses
- http://krebsonsecurity.com/2014/09/linkedin-feature-exposes-email-addresses/
Sep 15, 2014 - "One of the risks of using social media networks is having information you intend to share with only a handful of friends be made available to everyone. Sometimes that over-sharing happens because friends betray your trust, but more worrisome are the cases in which a social media platform itself exposes your data in the name of marketing... According to researchers at the Seattle, Wash.-based firm Rhino Security Labs, at the crux of the issue is LinkedIn’s penchant for making sure you’re as connected as you possibly can be. When you sign up for a new account, for example, the service asks if you’d like to check your contacts lists at other online services (such as Gmail, Yahoo, Hotmail, etc.). The service does this so that you can connect with any email contacts that are already on LinkedIn, and so that LinkedIn can send invitations to your contacts who aren’t already users... Rhino Security founders Benjamin Caudill and Bryan Seely have a recent history of revealing how trust relationships between and among online services can be abused to expose or divert potentially sensitive information... In an email sent to this reporter last week, LinkedIn said it was planning at least two changes to the way its service handles user email addresses..."
(More at the krebsonsecurity URL above.)
___

Fake Overdue invoice SPAM - malicious .arj attachment  
- http://blog.dynamoo.com/2014/09/overdue-invoice-6767390-spam-has.html
15 Sep 2014 - "This -fake- invoice email has a malicious attachment:
   From:     Mauro Reddin
    Date:     15 September 2014 10:32
    Subject:     Overdue invoice #6767390
    Morning,
    I was hoping to hear from you by now. May I have payment on invoice #84819995669 today please, or would you like a further extension?
    Best regards,
    Mauro Reddin ...


The attachment is an archive file invc_2014-09-15_15-07-11_6767390.arj so in order to get infected you would need an application capable of handling ARJ archives. Once unpacked, there is a malicious executable called invc_2014-09-15_15-07-11_88499270.exe which has a VirusTotal detection rate of just 1/55*... recommend that you apply the following blocklist (Long list at the dynamoo URL above.) ..."
* https://www.virustotal.com/en-gb/file/c21b719a9cf4c5aa9d8927c185be4181d7c465b01fa85e38c7a3d459930e2203/analysis/1410773681/
___

Fake Sage 'Outdated Invoice' SPAM ...
- http://blog.dynamoo.com/2014/09/sage-outdated-invoice-spam_15.html
15 Sep 2014 - "... another -fake- Sage email leading to malware:

Screenshot: http://4.bp.blogspot.com/-knPfcbJT0Q4/VBbJyysrTNI/AAAAAAAAFnI/YbEjR56dgRU/s1600/sage.png

... This ZIP file contains a malicious executable Invoice18642.scr which has a VirusTotal detection rate of just 1/55*. The ThreatTrack report... shows that it attempts to communicate with the following resources:
188.165.204.210/1509uk1/NODE01/0/51-SP3/0/
188.165.204.210/1509uk1/NODE01/1/0/0/
green-fuel .us/upload/box/1509uk1.ltc
www .green-fuel .us/upload/box/1509uk1.ltc
Recommended blocklist:
188.165.204.210
green-fuel .us
petitepanda .net
florensegoethe .com.br
coursstagephoto .com
vicklovesmila .com
flashsavant .com
"
* https://www.virustotal.com/en/file/90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4/analysis/1410779812/
___

Fake 'secure' NatWest SPAM – PDF malware
- http://myonlinesecurity.co.uk/received-new-secure-message-natwest-fake-pdf-malware/
15 Sep 2014 - "'You have received a new secure message from NatWest' pretending to come from NatWest <secure@natwest.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
[ NatWest logo ]
You have a new private message from NatWest
To view/read this your secure message please click here
Email Encryption Provided by NatWest. Learn More.
Email Security Powered by Voltage IBE
Copyright 2014 National Westminster Bank Plc. All rights reserved.
Footer Logo NatWest
To unsubscribe please click here ...

   
15 September 2014: SecureMessage.zip ( 8kb) : Extracts to:   SecureMessage.scr
Current VirusTotal detections: 1/55*. This 'You have received a new secure message from NatWest' is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/90ad158dd663e0bfc1f848d8a00890dbd9a24618d7a25d377d9de6baac0b61f4/analysis/1410779812/

- http://threattrack.tumblr.com/post/97567721558/natwest-secure-message-spam
Sep 15, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/65aed37f33dcaf8e16e0b2e828d4f53e/tumblr_inline_nby6ovZu2c1r6pupn.png
___

Phish - Lloyds 'Secure' SPAM...
- http://myonlinesecurity.co.uk/lloyds-bank-new-secure-message-phishing/
15 Sep 2014 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying some thing like:
- There have been unauthorised or suspicious attempts to log in to your account, please verify
- Your account has exceeded its limit and needs to be verified
- Your account will be suspended !
- You have received a secure message from < your bank>
- New Secure Message
- We are unable to verify your account information
- Update Personal Information
- Urgent Account Review Notification
- We recently noticed one or more attempts to log in to your PayPal account  from a foreign IP address
- Confirmation of Order
This one is 'Lloyds bank New Secure Message' pretending to come from Eli.Ray@ lloydsbank .com or David.Ricard@ lloydsbank .com... Email looks like:
[ Lloyds TSB logo ]    
    (New users may need to verify their email address)
    If you do not see or cannot click “Read Message” / click here
    Desktop Users:
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, click Read Message button.
    Mobile Users:
    Install the mobile application.
    Protected by the Voltage SecureMail Cloud
    SecureMail has a NEW LOOK to better support mobile devices!
    Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender...


Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/lloyds_bank_secure_message.png

This one wants your personal details and bank details..."
___

Fake Fax SPAM - malware attachment
- http://myonlinesecurity.co.uk/received-fax-fake-pdf-malware/
15 SEP 2014 - "'You have received a fax' pretending to come from fax .co.uk <fax@ documents55 .com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
   You have received a new fax. This fax was received by Fax Server.
    The fax has been downloaded to dropbox service (Google Inc).
    To view your fax message, please download from the link below. It’s
    operated by Dropbox and safety...
    Received Fax Details
    Received on:1 5/09/2014 10:14 AM
    Number of Pages: 1 ...


15 September 2014: Docs0972.zip ( 8kb): Extracts to:  Docs0972.scr
Current VirusTotal detections: 0/54*. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/bec0ac2711f99f90f27a29a9e021bedfede02c139f26dcfae36e2d8895babf52/analysis/1410804563/
___

Twitch users shook by money spending malware
- http://www.theinquirer.net/inquirer/news/2367489/twitch-users-shook-by-money-spending-malware
15 Sep 2014 - "... F-Secure has warned gamers that the Twitch video streaming service has been hit with malware that can spend users' money. The firm revealed its concerns in a blog post on Friday*, shining a dark light on the new gaming console darling and its role in the world of Steam. F-Secure said that an alarmed Twitch user - not Amazon - approached it with some concerns, explaining that a lure in the Twitch chat feature offers access to a raffle. We all know what can and usually does follow the clicking an unsolicited link, and that is the start of a one-way trip to malware. This link, which purports to offer gaming gewgaws, is yet another lie, said F-Secure. It explained that a "Twitch-bot" account "bombards" the chat feature and tickles users with its lure..."
More detail here:
* http://www.f-secure.com/weblog/archives/00002742.html

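Added example (not from the posts above or from the blogs they quote): the 'Termination', NatWest and fax items share one mechanic, a small .zip whose only entry is a .scr or .exe carrying a PDF icon, so that with extensions hidden it passes for a document. The script below opens an archive without extracting it, reads only the first two bytes of each entry, and flags entries by executable extension, by decoy double extension, and by a PE signature sitting under a non-executable name. The archive it scans is constructed inline; Docs0972.scr is the name from the fax post, the other entry names are assumed for illustration.

```python
import io
import zipfile

# Extensions Windows runs on double-click; .scr is an ordinary PE dressed up as a screensaver
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
}
# Extensions used as a decoy in front of the real one ("Invoice.pdf.exe")
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".html"}


def extensions(name):
    """'dir/Invoice.PDF.exe' -> ['.pdf', '.exe'] (last path component, lower-cased, stem dropped)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def classify_entry(name, head):
    """Reasons an archive entry looks like a disguised executable; [] means nothing found."""
    reasons = []
    exts = extensions(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + last)
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS and last in EXECUTABLE_EXTENSIONS:
        reasons.append("decoy double extension " + exts[-2] + last)
    # A PE file starts with "MZ"; a ".pdf" that starts with it is a renamed executable
    if head.startswith(b"MZ") and last not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE signature (MZ) under a non-executable name")
    return reasons


def scan_zip(data):
    """Map every file entry in the archive (given as bytes) to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the signature; never inflate the whole entry
            findings[info.filename] = classify_entry(info.filename, head)
    return findings


def suspicious_entries(data):
    """Names of the entries that got at least one reason, sorted."""
    return sorted(name for name, reasons in scan_zip(data).items() if reasons)


def build_sample_zip():
    """Constructed test archive: a fake MZ header stands in for a real executable."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Docs0972.scr", fake_pe)        # the pattern from the fax post: .zip -> .scr
        zf.writestr("Invoice.pdf.exe", fake_pe)     # decoy double extension (assumed name)
        zf.writestr("report.pdf", fake_pe)          # executable renamed to .pdf (assumed name)
        zf.writestr("readme.txt", b"plain text\n")  # benign entry
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        print("%-18s %s" % (name, "; ".join(reasons) or "ok"))
```

Reading two bytes per entry keeps the check cheap and safe against oversized archives; a mail gateway rule that quarantines any archive with a non-empty result from suspicious_entries would have stopped all three samples above regardless of their 0/54 or 1/55 antivirus detection rate.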
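Added example (again not from the original posts): the dynamoo items above publish their indicators defanged ('green-fuel .us', 'http ://') together with a recommended blocklist. The script below refangs those indicators, splits them into bare hosts and URL-prefix entries, and runs them over proxy-log lines in a simple "timestamp client method url status" format. The log lines, their format and the client addresses are constructed for the example. A listed domain is treated as also matching its subdomains, which is what the separate 'www .green-fuel .us' entry in the post is getting at.

```python
import re
from urllib.parse import urlsplit

# Indicators as printed in the Sage item above, defanged with a space before each dot
RAW_INDICATORS = [
    "188.165.204.210",
    "green-fuel .us",
    "www .green-fuel .us",
    "petitepanda .net",
    "florensegoethe .com.br",
    "188.165.204.210/1509uk1/NODE01/0/51-SP3/0/",
    "green-fuel .us/upload/box/1509uk1.ltc",
]

# Constructed proxy log: "timestamp client method url status" (format and clients are assumptions)
SAMPLE_LOG = """\
2014-09-15T10:32:11 10.0.0.12 GET http://188.165.204.210/1509uk1/NODE01/0/51-SP3/0/ 200
2014-09-15T10:32:14 10.0.0.12 GET http://www.green-fuel.us/upload/box/1509uk1.ltc 200
2014-09-15T10:33:02 10.0.0.31 GET http://www.example.com/index.html 200
2014-09-15T10:35:40 10.0.0.12 GET http://cdn.petitepanda.net/img/logo.png 404
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def refang(indicator):
    """Undo the common defanging styles: 'a .b', 'a[.]b', 'hxxp ://'."""
    s = indicator.strip()
    s = re.sub(r"\s+\.", ".", s)
    s = re.sub(r"\[\.\]|\(\.\)", ".", s)
    s = re.sub(r"(?i)^hxxp", "http", s)
    s = re.sub(r"\s*://\s*", "://", s)
    return s


def load_blocklist(raw_indicators):
    """Split indicators into bare hosts and (host, path-prefix) URL entries."""
    hosts, url_prefixes = set(), set()
    for raw in raw_indicators:
        s = refang(raw)
        if "://" not in s:
            s = "http://" + s  # urlsplit needs a scheme to find the host
        parts = urlsplit(s)
        host = (parts.hostname or "").lower()
        if not host:
            continue
        if parts.path and parts.path != "/":
            url_prefixes.add((host, parts.path))
        else:
            hosts.add(host)
    return hosts, url_prefixes


def host_matches(host, hosts):
    """The listed host that `host` equals or sits under ('cdn.x.net' matches 'x.net'), else None."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return candidate
    return None


def find_hits(log_text, raw_indicators):
    """Log lines whose URL host, or host plus path prefix, is on the blocklist."""
    hosts, url_prefixes = load_blocklist(raw_indicators)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these rather than drop them
        url = m.group("url")
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        matched = host_matches(host, hosts)
        if matched is None:
            for listed_host, prefix in url_prefixes:
                if host == listed_host and parts.path.startswith(prefix):
                    matched = listed_host + prefix
                    break
        if matched is not None:
            hits.append({"client": m.group("client"), "url": url, "indicator": matched})
    return hits


def affected_clients(hits):
    """Internal addresses that touched any indicator, i.e. the hosts to pull for triage."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG, RAW_INDICATORS):
        print(h["client"], h["url"], "->", h["indicator"])
```

The suffix walk in host_matches would also fire on a bare TLD if one were ever listed, so keep blocklists to registrable domains and IPs; a path-only indicator (the /1509uk1/NODE01/... URLs) is kept as a prefix because the same host serves other paths and the post gives no reason to treat it as a host-level block on its own.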

 97 
 on: September 14, 2014, 17:28:19  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

9/8 and 9/12 Updates
- http://www.malwaredomains.com/?p=3655
September 13th, 2014 - "Added -258- domains on 9/8 and -348- on 9/12 (malvertising, zeus, phishing etc). Sources include mwsl.org.cn, blog.dynamoo.com and others..."


 98 
 on: September 14, 2014, 16:47:10  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Phish - Paypal ...
- http://myonlinesecurity.co.uk/paypal-account-will-limited-hear-phishing/
14 Sep 2014 - "'Paypal Your account will be limited until we hear from you' pretending to come from service_paypal=cczazmam .com@ wpengine .com; on behalf of; service_paypal@ cczazmam .com. There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card... The original email looks like this. It will NEVER be a genuine email from  PayPal or Your Bank so don’t ever follow the links in the email...
    PayPal account information :
    Hello,
    Dear PayPal user ,
    Your account will be limited if you not confirm it .
    Need Assistance?
    Some information on your account appears to be missing or incorrect.
    Please update your account promptly so that you can continue to enjoy
    all the benefits of your PayPal account.
    If you don’t update your account within 37 days, we’ll limit what you can do with your PayPal account.
    Please Login to confirm your information :
    http ://rangeviewrentals .com//wp-content/themes/twentytwelve/wester.html
    Reference Number: PP-003-211-347-423
    Yours sincerely,
    PayPal


This particular phishing campaign starts with an email with a link. In this case to a hacked compromised website, which looks nothing like any genuine PayPal page:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/rangeview_paypal_phishing-scam.png
This one wants your personal details, your Paypal account log in details and your credit card and bank details and your email log in details . Many of them are also designed to specifically steal your facebook and other social network log in details..."


 99 
 on: September 13, 2014, 05:37:57  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

JPMorgan still seeks to determine extent of Attack
- http://www.nytimes.com/2014/09/13/technology/after-breach-jpmorgan-still-seeks-to-determine-extent-of-attack.html
Sep 12, 2014 - "The headache caused by the attack on JPMorgan Chase’s computer network this summer may not go away anytime soon. Over two months, hackers gained entry to dozens of the bank’s servers, said three people with knowledge of the bank’s investigation into the episode who spoke on the condition of anonymity. This, they said, potentially gave the hackers a window into how the bank’s individual computers work. They said it might be difficult for the bank to find every last vulnerability and be sure that its systems were thoroughly secured against future attack. The hackers were able to review information about a million customer accounts and gain access to a list of the software applications installed on the bank’s computers. One person briefed said more than -90- of the bank’s servers were affected, effectively giving the hackers high-level administrative privileges in the systems. Hackers can potentially crosscheck JPMorgan programs and applications with known security weaknesses, looking for one that has not yet been patched so they can regain access. A fourth person with knowledge of the matter, also speaking on condition of anonymity, said hackers had not gained access to account holders’ financial information or Social Security numbers, and may have reviewed only names, addresses and phone numbers. The hack began in June and was not detected until late July. JPMorgan briefed financial regulators on the extent of the damage last week. Investigators say they believe that at least four other banks or financial institutions were also affected..."


 100 
 on: September 12, 2014, 16:38:19  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Firefox 32.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Release notes
- https://www.mozilla.org/en-US/firefox/32.0.1/releasenotes/
Sep 12, 2014
Fixed: 32.0.1 - Stability issues for computers with multiple graphics cards
Fixed: 32.0.1 - Mixed content icon may be incorrectly displayed instead of lock icon for SSL sites
Fixed: 32.0.1 - WebRTC: setRemoteDescription() silently fails if no success callback is specified...

Mobile:
- https://www.mozilla.org/en-US/mobile/32.0.1/releasenotes/
Fixed: 32.0.1 - Link tap selection is offset on some Android devices
Fixed: 32.0.1 - WebRTC: setRemoteDescription() silently fails if no success callback is specified...


Powered by SMF 1.1.20 | SMF © 2013, Simple Machines