91
on: April 10, 2013, 05:10:15
Started by AplusWebMaster - Last post by AplusWebMaster

FYI...

malspam, bhek domains
- http://www.malwaredomains.com/?p=3161
April 8th, 2013 - "101 malspam, malicious & bhek domains added..."

92
on: April 10, 2013, 04:03:06
Started by AplusWebMaster - Last post by AplusWebMaster

FYI...

Shylock starts targets New Countries ...
- http://atlas.arbor.net/briefs/index#801352216
April 08, 2013 - "The Shylock banking trojan continues to evolve, adding new functionality to increase its reach.
Analysis: Just like other banking trojans before it such as SpyEye, Shylock is evolving to offer more comprehensive attacks. By proxying through the infected computer, the attackers perform "man in the browser" banking transactions that don't arouse the immediate suspicion of the financial institution. Its ability to spread through other mechanisms such as Skype and its FTP password grabbing functionality aren't new in the malware world, but they are new to Shylock. The ability to upload video to the attackers and the ability for the attackers to interactively take over the screen of the infected system are also new. While some recent arrests in Russia for the use and development of the Carberp banking trojan may slow down that particular malware family, innovations in other malware families will keep financial institutions and consumers on their toes."
- http://www.symantec.com/connect/blogs/shylock-beefing-and-looking-new-business-opportunities
> https://www.symantec.com/connect/sites/default/files/users/user-1013431/first_graph.png

93
on: April 10, 2013, 01:59:13
Started by AplusWebMaster - Last post by AplusWebMaster

FYI...

Chrome v26.0.1410.64 released
- https://secunia.com/advisories/52983/
Release Date: 2013-04-10
Criticality level: Highly critical
Impact: System access
Where: From remote
... For more information: https://secunia.com/SA52931/
Solution: Update to version 26.0.1410.63 for Mac and Linux or 26.0.1410.64 for Windows.
Original Advisory:
http://googlechromereleases.blogspot.dk/2013/04/stable-channel-update.html
"... This release contains stability improvements, and a new version of Adobe Flash..."

94
on: April 10, 2013, 01:24:35
Started by AplusWebMaster - Last post by AplusWebMaster

FYI...

Linksys EA2700 firmware - update
- http://arstechnica.com/security/2013/04/using-a-linksys-wi-fi-router-it-could-be-ripe-for-remote-takeover/
Apr 9, 2013 - "... The most severe of the vulnerabilities in the "classic firmware" for the Linksys EA2700 Network Manager is a cross-site request forgery weakness in the browser-based administration panel... A statement issued by officials from Belkin, which recently acquired the Linksys brand, said the vulnerabilities documented by Purviance had been fixed in the Linksys Smart Wi-Fi Firmware that was released in June... link for the Linksys Smart Wi-Fi Firmware:
- http://support.linksys.com/en-us/support/routers/EA2700
EA Series Linksys Smart Wi-Fi Firmware 11/19/2012 Ver.1.1.39.145204
- http://downloads.linksys.com/downloads/977/542/EA2700_Firmware_Release_Note_11192012.txt

95
on: April 09, 2013, 11:05:07
Started by AplusWebMaster - Last post by AplusWebMaster

FYI...

Flash v11.7.700.169 released
- https://www.adobe.com/support/security/bulletins/apsb13-11.html
April 9, 2013
CVE number:
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1378 - 7.5 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1379 - 7.5 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1380 - 7.5 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2555 - 10.0 (HIGH)
Summary: Adobe has released security updates for Adobe Flash Player 11.6.602.180 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.275 and earlier versions for Linux, Adobe Flash Player 11.1.115.48 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.44 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 11.6.602.180 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.7.700.169.
- Users of Adobe Flash Player 11.2.202.275 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.280.
- Adobe Flash Player 11.6.602.180 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.7.700.179 for Windows and 11.7.700.169 for Macintosh and Linux.
- Adobe Flash Player 11.6.602.180 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.7.700.169 for Windows 8.
- Users of Adobe Flash Player 11.1.115.48 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.54.
- Users of Adobe Flash Player 11.1.111.44 and earlier versions for Android 3.x and 2.x should update to Flash Player 11.1.111.50.
- Users of Adobe AIR 3.6.0.6090 and earlier versions for Windows, Macintosh and Android should update to Adobe AIR 3.7.0.1530.
- Users of the Adobe AIR 3.6.0.6090 SDK & Compiler and earlier versions should update to the Adobe AIR 3.7.0.1530 SDK & Compiler...
Flash Download:
> https://www.adobe.com/products/flashplayer/distribution3.html
Flash test site:
- http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine
>> http://get.adobe.com/air/

- https://secunia.com/advisories/52931/
Release Date: 2013-04-09
Criticality level: Highly critical
Impact: System access
Where: From remote...
Solution: Update to a fixed version.
___

Shockwave v12.0.2.122 released
- https://www.adobe.com/support/security/bulletins/apsb13-12.html
April 9, 2013
CVE number: CVE-2013-1383, CVE-2013-1384, CVE-2013-1385, CVE-2013-1386
Summary: Adobe has released a security update for Adobe Shockwave Player 12.0.0.112 and earlier versions on the Windows and Macintosh operating systems. This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 12.0.0.112 and earlier versions update to Adobe Shockwave Player 12.0.2.122 ...
Solution: Adobe recommends users of Adobe Shockwave Player 12.0.0.112 and earlier versions update to the newest version 12.0.2.122, available here: http://get.adobe.com/shockwave/

- https://secunia.com/advisories/52981/
Release Date: 2013-04-10
Criticality level: Highly critical
Impact: System access
Where: From remote...
Solution: Update to version 12.0.2.122
___

ColdFusion hotfix
- https://www.adobe.com/support/security/bulletins/apsb13-10.html
April 9, 2013
CVE number: CVE-2013-1387, CVE-2013-1388
Summary: Adobe has released a security hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX. Adobe recommends users update their product installation...
Affected software versions: ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX.
Solution: Adobe recommends ColdFusion customers update their installation using the instructions provided in the technote:
- http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-10.html

- https://secunia.com/advisories/52995/
Release Date: 2013-04-10
Criticality level: Moderately critical
Impact: Security Bypass, Spoofing
Where: From remote...
Solution: Apply hotfix.

96
on: April 09, 2013, 09:32:50
Started by AplusWebMaster - Last post by AplusWebMaster

FYI...

- https://technet.microsoft.com/en-us/security/bulletin/ms13-apr
April 09, 2013 - "This bulletin summary lists security bulletins released for April 2013... (Total of -9-)

Microsoft Security Bulletin MS13-028 - Critical
Cumulative Security Update for Internet Explorer (2817183)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-028
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer

Microsoft Security Bulletin MS13-029 - Critical
Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-029
Critical - Remote Code Execution - May require restart - Microsoft Windows

Microsoft Security Bulletin MS13-030 - Important
Vulnerability in SharePoint Could Allow Information Disclosure (2827663)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-030
Important - Information Disclosure - May require restart - Microsoft Office, Microsoft Server Software

Microsoft Security Bulletin MS13-031 - Important
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2813170)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-031
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS13-032 - Important
Vulnerability in Active Directory Could Lead to Denial of Service (2830914)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-032
Important - Denial of Service - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS13-033 - Important
Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2820917)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-033
Important - Elevation of Privilege - Requires restart - Microsoft Windows

Microsoft Security Bulletin MS13-034 - Important
Vulnerability in Microsoft Antimalware Client Could Allow Elevation of Privilege (2823482)
- http://technet.microsoft.com/en-us/security/bulletin/ms13-034
Important - Elevation of Privilege - Requires restart - Microsoft Security Software

Microsoft Security Bulletin MS13-035 - Important
Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2821818)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-035
Important - Elevation of Privilege - May require restart - Microsoft Office, Microsoft Server Software

Microsoft Security Bulletin MS13-036 - Important
Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege (2829996)
- https://technet.microsoft.com/en-us/security/bulletin/ms13-036
Important - Elevation of Privilege - Requires restart - Microsoft Windows
V2.0 (April 11, 2013): Added links to Microsoft Knowledge Base Article 2823324 and Microsoft Knowledge Base Article 2839011 under Known Issues. Removed Download Center links for Microsoft security update 2823324. Microsoft recommends that customers uninstall this update. See the Update FAQ for details.

MS13-036: Description of the security update for the Windows file system kernel-mode driver (ntfs.sys):
* http://support.microsoft.com/kb/2823324/en-us
Last Review: April 11, 2013 - Revision: 2.1 - See: "Known issues with this security update... Microsoft recommends that customers -uninstall- this update..."

MS13-036: Description of the security update for the Windows kernel-mode driver (win32k.sys)
- http://support.microsoft.com/default.aspx?scid=kb;en-us;2808735
Last Review: April 9, 2013 - Revision: 1.0 - "Known issues with this security update: After you install this security update, certain Multiple Master fonts cannot be installed..."
___

Bulletin Deployment Priority
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/6354.20130409_2D00_Slide2.PNG

Severity and Exploitability Index
- https://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-45-71/8637.20130409_2D00_Slide1.PNG

- http://blogs.technet.com/b/msrc/archive/2013/04/09/out-with-the-old-in-with-the-april-2013-security-updates.aspx?Redirected=true

- http://blogs.technet.com/b/srd/archive/2013/04/09/assessing-risk-for-the-april-2013-security-updates.aspx?Redirected=true
9 Apr 2013 - "... nine security bulletins addressing 13 CVE’s..."
___

ISC Analysis
- https://isc.sans.edu/diary.html?storyid=15577
Last Updated: 2013-04-09 17:59:33 UTC
___

- https://secunia.com/advisories/52874/ - MS13-028
- https://secunia.com/advisories/52911/ - MS13-029
- https://secunia.com/advisories/52914/ - MS13-030
- https://secunia.com/advisories/52916/ - MS13-031
- https://secunia.com/advisories/52917/ - MS13-032
- https://secunia.com/advisories/52919/ - MS13-033
- https://secunia.com/advisories/52921/ - MS13-034
- https://secunia.com/advisories/52928/ - MS13-035
- https://secunia.com/advisories/52930/ - MS13-036
___

MSRT
- https://support.microsoft.com/?kbid=890830
Last Review: April 9, 2013 - Revision: 121.0
- http://www.microsoft.com/security/pc-security/malware-families.aspx
"... added in this release... • Babonock • Redyms • Vesenlosow..."
- https://blogs.technet.com/b/mmpc/archive/2013/04/09/msrt-april-2013-vesenlosow.aspx?Redirected=true

Download:
- https://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16
File Name: Windows-KB890830-V4.19.exe - 18.7 MB
- https://www.microsoft.com/download/en/details.aspx?id=9905
x64 version of MSRT:
File Name: Windows-KB890830-x64-V4.19.exe - 19.4 MB
.

97
on: April 09, 2013, 06:32:46
Started by AplusWebMaster - Last post by AplusWebMaster

FYI...

MS - End of Support ...
- https://blogs.technet.com/b/rmilne/archive/2013/04/08/exchange-support-save-the-date-8th-april-2014.aspx?Redirected=true
8 Apr 2013 - "...
Outlook 2003 will transition out of extended support on 8th of April 2014
Exchange Server 2003 will transition out of extended support on 8th of April 2014
Windows XP will transition out of extended support on 8th of April 2014
Exchange 2010 SP2 will transition out of support on 8th April 2014
And as non Exchange specific item, please also note Windows 2003:
Windows Server 2003 will transition out of extended support on 14th of July 2015 ..."

98
on: April 09, 2013, 06:23:20
Started by AplusWebMaster - Last post by AplusWebMaster

FYI...

Fake HP ScanJet SPAM / jundaio .ru
- http://blog.dynamoo.com/2013/04/hp-scanjet-spam-jundaioru.html
9 Apr 2013 - "This fake printer spam leads to malware on jundaio .ru:
Date: Tue, 9 Apr 2013 10:07:40 +0500 [01:07:40 EDT]
From: Scot Crump [ScotCrump @hotmail .com]
Subject: Re: Scan from a Hewlett-Packard ScanJet #0437
Attachment: HP-ScannedDoc.htm
Attached document was scanned and sent to you using a HP HPAD-400812P.
SENT BY : Scot S.
PAGES : 9
FILETYPE: .HTM [INTERNET EXPLORER/MOZILLA FIREFOX]
The attachment HP-ScannedDoc.htm leads to malware on [donotclick]jundaio .ru:8080/forum/links/column.php (report here*) hosted on:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
91.191.170.26
93.187.200.250
94.103.45.34
208.94.108.238
..."
* http://urlquery.net/report.php?id=1894750
... Detected live BlackHole v2.0 exploit kit 91.191.170.26

- http://nakedsecurity.sophos.com/2013/04/04/has-your-hewlett-packard-scanjet-printer-just-tried-to-infect-your-pc-with-malware/
April 4, 2013
___

Fake BoA Bill Payment SPAM / BILL_04092013_Fail.exe
- http://blog.dynamoo.com/2013/04/unable-to-process-your-most-recent-bill.html
9 Apr 2013 - "This spam contains an attachment 04092013.zip which in turn contains a malicious file BILL_04092013_Fail.exe
Date: Tue, 9 Apr 2013 10:44:03 -0500 [11:44:03 EDT]
From: Bank of America [bill.payment @bankofamerica .com]
Subject: Unable to process your most recent Bill Payment
You have a new e-Message from Bank of America
This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.
Please check attached file for more detailed information on this transaction.
Pay To Account Number: **********3454
Due Date: 05/01/2013
Amount Due: $ 508.60
Statement Balance: $ 2,986.26
IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.
If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.
We apologize for any inconvenience this may cause.
Please do not reply to this message. If you have any questions about the information in this e-Bill, please contact your Bill Pay customer support. For all other questions, call us at 800-887-5749.
Bank of America, N.A. Member FDIC. Equal Housing Lender
©2013 Bank of America Corporation. All rights reserved...
VirusTotal results are only 11/46*. MD5: 3cb04da2747769460a7ac09d1be44fc6 SHA256: 141751e9ae18ec55c8cd71e2e464419f3030c21b21e3f0914b0b320adce3bf70
ThreatExpert reports** that the malware attempts to phone home to 64.34.70.31 and 64.34.70.32 (iDigital Internet Inc, Canada) and includes a keylogger."
* https://www.virustotal.com/en/file/141751e9ae18ec55c8cd71e2e464419f3030c21b21e3f0914b0b320adce3bf70/analysis/1365522944/
File name: BILL_04092013_Fail.exe
Detection ratio: 11/46
Analysis date: 2013-04-09
** http://www.threatexpert.com/report.aspx?md5=3cb04da2747769460a7ac09d1be44fc6
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/d70d268c60fce31566a75c8a73fe28b0/tumblr_inline_ml0415dYQ91qz4rgp.png
___

Malicious American Airlines Spam
- http://threattrack.tumblr.com/post/47544751293/malicious-american-airlines-spam
April 9, 2013 - "Subjects Seen:
Please download your ticket #[removed]
Typical e-mail details:
Customer Notification
Your bought ticket is attached to the letter as a scan document.
To use your ticket you should Download It.
Malicious URLs
bikemania .org/components/.5wl0rb.php?request=ss00_323
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/3ef8e1da24b73673aa9ff90d05d8abdd/tumblr_inline_mkzwnbhOy21qz4rgp.png
___

Fake LinkedIn SPAM / jonahgkio .ru
- http://blog.dynamoo.com/2013/04/linkedin-spam-jonahgkioru.html
9 Apr 2013 - "This fake LinkedIn spam leads to malware on jonahgkio .ru:
Date: Tue, 9 Apr 2013 10:03:31 -0300
From: "service @paypal .com" [service @paypal .com]
Subject: Join my network on LinkedIn
Marcelene Bruno has indicated you are a Friend
I'd like to add you to my professional network on LinkedIn.
- Marcelene Bruno
Accept
View invitation from Marcelene Bruno
WHY MIGHT CONNECTING WITH Marcelene Bruno BE A GOOD IDEA?
Marcelene Bruno's connections could be useful to you
After accepting Marcelene Bruno's invitation, check Marcelene Bruno's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
© 2012, LinkedIn Corporation
The link leads to a malicious payload on [donotclick]jonahgkio .ru:8080/forum/links/column.php which doesn't seem to be working at the moment. However, it is multihomed on some familiar looking IPs:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238
..."
___

Fake Intuit SPAM / juhajuhaa .ru
- http://blog.dynamoo.com/2013/04/intuit-spam-juhajuhaaru.html
9 Apr 2013 - "This fake Intuit spam leads to malware on juhajuhaa .ru:
Date: Tue, 9 Apr 2013 11:21:18 -0430 [11:51:18 EDT]
From: Tagged [Tagged @taggedmail .com]
Subject: Payroll Account Holded by Intuit Direct Deposit Service Informer Communicatory Only
We cancelled your payroll on Tue, 9 Apr 2013 11:21:18 -0430.
Finances would be gone away from below account # ending in 6780 on Tue, 9 Apr 2013 11:21:18 -0430
amount to be seceded: 4053 USD
Paychecks would be procrastinated to your personnel accounts on: Tue, 9 Apr 2013 11:21:18 -0430
Log In to Review Operation
Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.
Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.
Thank you for your business.
Regards,
Intuit Payroll Services
The link in the email goes through a legitimate but hacked site to a malware landing page at [donotclick]juhajuhaa .ru:8080/forum/links/column.php (report here*) hosted on some familiar-looking IP addresses that we saw earlier:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238
...
* http://urlquery.net/report.php?id=1900207
... Detected suspicious URL pattern... Blackhole 2 Landing Page 91.191.170.26
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/07085e6981b95f10a1cb4d56a04d57de/tumblr_inline_ml0a50NPus1qz4rgp.png
___

Top porn sites lead to malware
- http://blog.dynamoo.com/2013/04/top-porn-sites-lead-to-malware.html
9 Apr 2013 - "... the greatest risk comes from external sites such as crakmedia .com (report*), trafficjunky .net (report**) and traffichaus .com (report***) plus several others. These too are intermediaries being abused by third parties.. but this is part of the problem with poorly regulated banner ads and traffic exchangers. Bad things slip into pages easily, and very few people want to kick up a fuss... If you are going to look at the shady side of the web, then it is very important to make sure that your system is fully patched... and a combination of Firefox + NoScript is very good at locking down your browser (note that this isn't really for novices). Logging in as something other than an administrator can also help to reduce the impact of malware.. and of course a good and up-to-date anti-virus or security package is essential."
(More detail at the dynamoo URL above.)
* http://www.google.com/safebrowsing/diagnostic?site=crakmedia.com
** http://www.google.com/safebrowsing/diagnostic?site=trafficjunky.net
*** http://www.google.com/safebrowsing/diagnostic?site=traffichaus.com
___

"Your naked photos online" SPAM ...
- https://www.net-security.org/malware_news.php?id=2460
Apr 9, 2013 - "Malware peddlers continue to use the old "your naked photos online" lure to trick users into following malicious links or downloading malicious attachments, warns Total Defense's* Alex Polischuk. The attached EPS00348.zip file contains an executable of the same name, and sports an icon depicting a natural landscape in order to trick the user into opening it. Unfortunately for those who do, the file is actually a backdoor Trojan that also has the ability to download additional malware onto the compromised computer, allowing the attackers to have total control of it and using it for their own malicious purposes. As always, users are advised -never- to follow links or download files contained in unsolicited emails - no matter the claims they contain and how urgent they sound."
* http://www.totaldefense.com/blogs/2013/04/08/Win32/GysA-Trojan.aspx

99
on: April 08, 2013, 11:15:36
Started by AplusWebMaster - Last post by AplusWebMaster

FYI...

Cogent DataHub v7.3 released
- https://secunia.com/advisories/52945/
Release Date: 2013-04-08
Criticality level: Moderately critical
Impact: DoS, System access
Where: From local network
CVE Reference(s):
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0680 - 7.5 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0681 - 5.0
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0682 - 7.5 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0683 - 7.1 (HIGH)
... vulnerabilities are reported in the following products and versions:
* Cogent DataHub versions 7.2.2 and prior
* OPC DataHub versions 6.4.21 and prior
* Cascade DataHub for Windows versions 6.4.21 and prior
Solution: Update to a fixed version.
- http://www.cogentdatahub.com/ReleaseNotes.html

100
on: April 08, 2013, 10:56:14
Started by AplusWebMaster - Last post by AplusWebMaster

FYI...

Botnet - spreading Android trojans
- http://h-online.com/-1837356
8 April 2013 - "The Cutwail botnet, which has already been spreading the banking trojan known as Zeus, is now also trying to pass around a new Android trojan called Stels. Stels infects Android devices by pretending to be an update for Adobe Flash Player***. In case potential victims aren't on an Android device, the developers of the malware have come up with a backup plan – if the dangerous -spam- links are opened in a browser, such as Internet Explorer, on a desktop or laptop computer, users are redirected to web pages where the Blackhole exploit kit lies in wait. A security team at Dell has published a more detailed analysis* of the attack scenario..."
* http://www.secureworks.com/cyber-threat-intelligence/threats/stels-android-trojan-malware-analysis/
"The Stels malware is a multi-purpose Android Trojan horse that can harvest a victim's contact list, send and intercept SMS (text) messages, make phone calls (including calls to premium numbers), and install additional malware packages... Many of the campaigns have used the IRS as a lure** due to the March 15 corporate tax return deadline and the April 15 individual tax return filing deadline..."
** http://www.secureworks.com/assets/image_store/png/page.intelligence.threats.stels.1.png
*** http://www.secureworks.com/assets/image_store/png/page.intelligence.threats.stels.2.png

- http://www.f-secure.com/weblog/archives/00002539.html
April 8, 2013