Cexx forums
Topic: SPAM frauds, fakes, and other MALWARE deliveries...
« on: June 09, 2008, 04:18:33 » AplusWebMaster
FYI...

More fake "Hallmark ecards"...
- http://blog.trendmicro.com/greeting-cards-spread-no-cheer/
June 9, 2008 - "Thinking that someone just remembered you and sent you a Hallmark greeting card? Think again, before you open the email attachment. Today, we received a spam allegedly from Hallmark. Once you run the file named postcard.exe, it will automatically open Notepad with some garbage characters to distract users while the malware is being installed... Trend Micro detects this malware as TROJ_INJECTOR.DD... The malware drops copies of itself and creates registry entries to ensure its automatic execution at every system startup. This is not the first time malware authors tried to trick users by exploiting their curiosity and desire to receive good tidings via greeting cards: Storm started out much the same way, including the use of eCards, and well into 2007."

This machine has no brain.
....... Use your own.
Browser check for updates here.
« Reply #1 on: June 20, 2008, 04:01:55 » AplusWebMaster
FYI... (another to file under "FRAUD")

Fake CareerBuilder jobs hit mailboxes
- http://sunbeltblog.blogspot.com/2008/06/raft-of-fake-careerbuilder-jobs-hit.html
June 18, 2008 - "You may have seen a wave of fake job offers disguised as coming through CareerBuilder. The recipient is asked to contact the employer through an email address. Email addresses we have observed so far are:
ejobrt @gmail.com
rsmbcompany @gmail.com
homdepmb @gmail.com
...Sadly, if you're hoping you're going to get a job out of this, it's a scam..."

(Screenshots available at the URL above.)

« Reply #2 on: July 04, 2008, 11:17:20 » AplusWebMaster
FYI...

Fake news on Osama...
- http://securitylabs.websense.com/content/Alerts/3130.aspx
07.04.2008 - "Websense® Security Labs™ ThreatSeeker™ Network has discovered a substantial number of spam messages utilizing a social engineering tactic that lures users to download malicious software... The recent media coverage discussing Osama Bin Laden seems to have prompted spammers to quickly recycle an old spam campaign... We have seen the same malicious executable used throughout different spam campaigns bearing the following email subject lines:
Jennifer Aniston Interesting mp3!!!
Clara Morgane Shocking photo!!!
Kylie Minogue Interesting video without cowards!!!
Demi Moore New sexy songs!!!
Avril Lavigne Shocking porno dvd!!!
Nicole Richie Kick-up cd!!!
Beyonce Shocking sexy songs!!!
Keira Knightley Gallery photo!!!
Britney Spears Interesting cd!!! ..."

(Screenshots available at the URL above.)

« Reply #3 on: July 16, 2008, 11:07:54 » AplusWebMaster
FYI...

IRS Stimulus package phish
- http://sunbeltblog.blogspot.com/2008/07/irs-stimulus-package-phish.html
July 16, 2008 - "...The phishing site is still up, although the redirect from the email itself is down."

(Screenshots available at the URL above.)

« Reply #4 on: July 16, 2008, 12:21:54 » AplusWebMaster
FYI...

- http://pandalabs.pandasecurity.com/archive/Fake-UPS-Invoice-Email.aspx
15 July 08 - "...The aim of these emails is not to inform us of the impossibility to deliver a postal package, but to entice us to open the attached file to infect our computers (detected as Trj/Agent.JEN). This malware is copied in the system, replacing the Windows Userinit.exe (this file is the one which runs explorer.exe, the interface of the system and other important processes), copying the legitimate file as userini.exe, so that the computer can work properly. Additionally, it establishes a connection with a Russian domain, which has been used on some occasions by banker Trojans. From this domain it will redirect the request to a German domain in order to download a rootkit and a rogue antivirus, detected as Rootkit/Agent.JEP and Adware/AntivirusXP2008 respectively..."

* http://www.ups.com/content/us/en/about/news/service_updates/virus_us.html
"We have become aware there is a fraudulent email being sent that says it is coming from UPS and leads the reader to believe that a UPS shipment could not be delivered. The reader is advised to open an attachment reportedly containing a waybill for the shipment to be picked up. This email attachment contains a virus. We recommend that you do not open the attachment, but delete the email immediately. UPS may send official notification messages on occasion, but they rarely include attachments..."

- http://blog.trendmicro.com/trojans-deliver/
July 16, 2008 (Screenshots...)
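A defender's check for the Userinit replacement described in the Panda Labs quote above, added here as an example (it is not code from Panda, UPS or Trend Micro). It assumes a standard install where the legitimate file is %SystemRoot%\System32\userinit.exe and that the renamed copy of the original (userini.exe) lands in the same directory; the post does not state that path.

```powershell
# Added example, not from the Panda Labs post: look for the three indicators the
# post describes (registry value pointing elsewhere, a userini.exe copy, and a
# userinit.exe on disk that is not the signed Microsoft binary).
function Test-UserinitTampering {
    [CmdletBinding()]
    param()

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $system32 = Join-Path $env:SystemRoot 'System32'
    $expected = Join-Path $system32 'userinit.exe'   # assumption: default install path
    $findings = @()

    # 1. Winlogon\Userinit should name only the expected binary. Windows stores the
    #    value with a trailing comma, so split and drop empty entries before comparing.
    $value   = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    $entries = $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        if ($entry -ine $expected) { $findings += "Unexpected Userinit entry: $entry" }
    }

    # 2. The post says the real Userinit is copied aside as userini.exe so the machine
    #    still boots; a clean Windows image has no file by that name (assumed location).
    $renamed = Join-Path $system32 'userini.exe'
    if (Test-Path -Path $renamed) { $findings += "Found $renamed (original Userinit moved aside?)" }

    # 3. The file actually on disk should carry a Microsoft signature. On older Windows
    #    versions Get-AuthenticodeSignature does not see catalog signatures and reports
    #    NotSigned for genuine system files, so treat that result as "inspect manually"
    #    (compare the file hash with a known-good machine) rather than as proof.
    $sig = Get-AuthenticodeSignature -FilePath $expected
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "userinit.exe signature status: $($sig.Status)"
    }

    return $findings
}

$result = Test-UserinitTampering
if ($result.Count -eq 0) { 'No Userinit tampering indicators found.' }
else { $result | ForEach-Object { "WARNING: $_" } }
```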

« Reply #5 on: July 26, 2008, 02:18:20 » AplusWebMaster
FYI...

- http://www.customs.gov/xp/cgov/newsroom/alerts/email_virus.xml
(07/25/2008) - "CBP has been notified that a malicious e-mail has been distributed that may include an attachment with a computer virus. These e-mails are not authentic and have not been sent from any Department of Homeland Security or CBP system or authorized individual. CBP will not initiate contact to citizens by e-mail for customs declarations issues.
The e-mail claims to be from “US Customs Service” with a subject line similar to “Parcel requires declaration.” It indicates that a parcel has been received addressed to the recipient of the e-mail. It asks the recipient to fill out a Customs Declaration attached to the e-mail. The message is signed by different names purporting to be employees of the U.S. Customs Service. This attachment may contain a damaging computer virus..."

- http://www.us-cert.gov/current/#u_s_customs_and_border
July 25, 2008

« Reply #6 on: July 31, 2008, 01:29:21 » AplusWebMaster
FYI...

- http://blog.trendmicro.com/malicious-spam-news-ufo-lands-in-new-york/
July 30, 2008 - "...It would appear that news such as this still appeals to the imagination of some people. The video evidence (fake, of course) can lead victims who click the link to the following malicious URLs:
    * hxxp :// www.{BLOCKED}v.com/funn/up.php
    * hxxp :// {BLOCKED}.167.49/vid_1.avi.exe
Trend Micro detects the file VID_1.AVI.EXE as TROJ_DLOAD.XY. Other than the spammers’ poor English, analysis of the original email message showed that it was sent from a specific location in Russia. Advanced Threats Researcher Paul Ferguson further says that he sees “a renewed Russian/Ukrainian cyber criminal push occurring right now…with [the same] social engineering [and] malware campaigns, but most importantly: direct-delivery mechanisms for malware execution via .PHP” ..."

« Reply #7 on: July 31, 2008, 03:01:11 » AplusWebMaster
FYI...

Attachment contains same Trojan horse that stole 1.6M records from Monster.com last year
- http://preview.tinyurl.com/66ayhz
July 28, 2008 (Computerworld) - "Several airlines, including Delta Air Lines Inc. and Northwest Airlines Corp., have warned customers that bogus e-mails posing as ticket invoices contain malware and urged them to immediately delete the messages. A researcher at McAfee Inc. confirmed the campaign in a post to the company's blog*. The e-mails, which purport to be from an airline, thank the recipient for using a new "Buy flight ticket Online" service on the airline's site, provide a log-in username and password, and say the person's credit card has been charged an amount usually in the $400 range. An attachment claims to be the invoice for the ticket and credit card charge..."
* http://www.avertlabs.com/research/blog/index.php/2008/07/25/invoice-spam-takes-flight/

More...
- http://www.f-secure.com/weblog/archives/00001477.html
July 30, 2008 - "... Today when we saw a large spam run sending out fake JetBlue etickets... The mail contains a ZIP file that contains the file eTicket#1721.exe which we detect as Trojan-Spy:W32/Zbot.QO. The malware itself tries to steal usernames and passwords to online banks..."
(Screenshot available at the F-Secure URL above.)

- http://www.us-cert.gov/current/#airline_e_ticket_email_attack
July 31, 2008

« Reply #8 on: August 05, 2008, 02:24:53 » AplusWebMaster
FYI...

- http://isc.sans.org/diary.html?storyid=4828
Last Updated: 2008-08-05 00:45:33 UTC - "If you missed last week's chance to get your "airplane ticket", you currently have a second opportunity. Emails are making the rounds that claim to come from CNN, and carry a subject of "CNN.com Daily Top 10". Well, they are neither. But the emails contain click-friendly headlines with enticing subjects like "Will all Americans be obese by 2030?" Now who wouldn't want to read THAT?!
Clicking takes you to the netherworld, of course. You currently receive a file called "get_flash_update.exe" (yeah, sure!). Detection for the sample is coming on line, see http://www.virustotal.com/analisis/258fbdfb7eb6ecfedbf236533b03c945
[Result: 10/35 (28.57%)]
The domain "idoo .com" seems to be up to no good. Other involved domains are too numerous to list, but about 50 of them currently resolve to 200.46.83.233. That's in Panama."

« Reply #9 on: August 05, 2008, 11:34:25 » AplusWebMaster
FYI...

- http://blog.trendmicro.com/phishers-play-the-olympics/
08.04.2008 - "Olympic tickets anyone? They are available on the Internet of course, but users beware: the bad guys are still working hard to steal from online users as the 2008 Beijing Olympics approach... fake Beijing Olympics Web site supposedly selling tickets. The Los Angeles Times reports* that Olympics officials have already asked federal courts to shut down certain Web sites that pose as sellers of tickets but actually are stealing credit card numbers and other confidential information..."
* http://www.latimes.com/technology/la-sp-olytickets2-2008aug02,0,7568966.story

- http://securitylabs.websense.com/content/Alerts/3152.aspx
08.05.2008 - "Websense... has discovered a rogue Beijing Olympics ticket lottery Web site. The Web site uses the hostname beij***2008.cn, a clear typo-squat to the official Olympic Games Web site at http://www.beijing2008.cn/. Benefiting from the hype around the purchasing of tickets for the Games, the social engineering tactic behind this scam is to lure users into dialling a toll number to retrieve an access code for an available ticket. The toll number is likely an additional revenue generator for the scammers as callers would then be charged a premium rate for making that phone call. Users who input the supplied access code are forwarded to a further Web page designed to collect personal information. They then have the incentive to enter credit card details, to pay a relatively small sum of RMB600 for the ticket (approximately 87 USD). This phishing Web site goes a step further than most phishing sites by employing a phone-call "verification" step. This higher level of interactivity and supposed verification garners more trust from unsuspecting users..."

(Screenshots available at the TrendMicro and Websense URLs above.)

« Reply #10 on: August 05, 2008, 17:59:46 » AplusWebMaster
FYI...

FAKE Adobe Flash Player
- http://www.us-cert.gov/current/#malware_targeting_adobe_flash_player
August 5, 2008 - "Adobe has issued a Security Bulletin* warning of malware spreading via a fraudulent Flash Player installer. Adobe warns that a worm is making fraudulent posts on social networking sites. These posts include links that lead to fake sites that prompt users to update their versions of Flash Player. If users attempt to use the installer to make the update, malware may be downloaded and installed onto their systems..."
* http://blogs.adobe.com/psirt/2008/08/verifying_installers.html
"...do -not- download Flash Player from a site other than adobe.com... If the download is from an unfamiliar URL or an IP address, you should be suspicious..."

« Reply #11 on: August 06, 2008, 07:47:27 » AplusWebMaster
More...

Compromised Web Servers Serving Fake Flash Players
- http://ddanchev.blogspot.com/2008/08/compromised-web-servers-serving-fake.html
August 05, 2008 - "...This campaign serving fake flash players is getting so prevalent these days due to the multiple spamming approaches used, that it's hard not to notice it - and expose it... As far as the owners are concerned, it appears that some of them are already seeing the malware page popping up on the top of their daily traffic stats, and have taken measures to remove it... The structure of the malware campaign is pretty static, with several exceptions where they also take advantage of client-side vulnerabilities (Real player exploit) attempting to automatically deliver the fake flash update or player depending on the campaign. On each and every site, there are dnd.js and master.js scripts which serve the rogue download window, and another .html file, where an IFRAME attempts to access the traffic management command and control, in a random URL it was 207.10.234.217/cgi-bin/index.cgi?user200. A sample list of participating URLs, most of which are still active and running... (the list is way too long to post here - see ddanchev.blogspot URL above.)...
Sample detection rate : flashupdate.exe
Scanners Result: 35/36 (97.23%)
Trojan-Downloader.Win32.Exchanger.hk; Troj/Cbeplay-A
File size: 78848 bytes
MD5...: c81b29a3662b6083e3590939b6793bb8
SHA1..: d513275c276840cb528ce11dd228eae46a74b4b4

The downloader then "phones back home" at 72.9.98.234 port 443 which is responding to the rogue security software AntiSpy Spider...
Sample detection rate : antispyspider.msi
Scanners Result: 11/35 (31.43%)
FraudTool.Win32.AntiSpySpider.b;
File size: 1851904 bytes
MD5...: 2f1389e445f65e8a9c1a648b42a23827
SHA1..: e32aa6aa791e98fe6fdef451bd3b8a45bad0acd8

The bottom line - over a thousand domains are participating, with many others apparently joining the party proportionally with the web site owners' actions to get rid of the malware campaign hosted on their servers."

---

* http://www.adobe.com/go/getflashplayer
Current Adobe Flash Player version 9.0.124.0
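A site owner's scan for the injected-file pattern the ddanchev post describes (dnd.js / master.js plus an HTML file whose IFRAME points at the 207.10.234.217 traffic-management address), added here as an example and not code from that blog. Only the web root path is an assumption; the file names and address come from the post.

```powershell
# Added example, not from the ddanchev post: walk a web root and report files that
# match the campaign's indicators, so the owner can review and remove them.
function Find-FakeFlashInjection {
    param([Parameter(Mandatory)][string]$WebRoot)   # assumption: path supplied by the caller

    $c2Host  = '207.10.234.217'
    $jsNames = @('dnd.js', 'master.js')
    $textExt = @('.html', '.htm', '.php', '.js')
    # IFRAME whose src contains the C2 address; (?is) = case-insensitive, dot matches newline.
    $iframeRx = [regex]('(?is)<iframe[^>]*src\s*=\s*["'']?[^"''>]*' + [regex]::Escape($c2Host))

    $hits = @()
    foreach ($f in Get-ChildItem -Path $WebRoot -Recurse -File -ErrorAction SilentlyContinue) {
        # Indicator 1: a script with one of the two names seen on every compromised site.
        if ($jsNames -icontains $f.Name) {
            $hits += [pscustomobject]@{ Indicator = 'script name from campaign'; Path = $f.FullName }
        }
        # Indicator 2: an IFRAME reaching out to the traffic-management C2.
        if ($textExt -icontains $f.Extension) {
            $text = Get-Content -Path $f.FullName -Raw -ErrorAction SilentlyContinue
            if ($text -and $iframeRx.IsMatch($text)) {
                $hits += [pscustomobject]@{ Indicator = "IFRAME to $c2Host"; Path = $f.FullName }
            }
        }
    }
    return $hits
}

Find-FakeFlashInjection -WebRoot 'C:\inetpub\wwwroot' | Format-Table -AutoSize
```

Review every hit by hand: a legitimate file may happen to be called master.js, while an IFRAME to that address is not something a site adds on purpose.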

« Reply #12 on: August 08, 2008, 07:00:38 » AplusWebMaster
FYI...

Bogus CNN Custom Alerts
- http://securitylabs.websense.com/content/Alerts/3154.aspx
08.08.2008 - "Websense... has discovered replica CNN Custom Email Alerts being sent out via spam emails. These emails contain links to a legitimate news page, but have been designed to encourage users to download a malicious application posing as a video codec. Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN-themed templates - most recently email alerts listing the Daily Top 10 Stories and Videos, which also encouraged users to download a video codec (again a malicious file)... The malicious payload is only accessed when the user clicks on the ‘FULL STORY’ link - the first link behind the story title leads to a legitimate news page hosted on CNN. The news story is a recent article centered around the Beijing Olympics. The ‘FULL STORY’ link takes users to a Web page by the name of cnn****.html. This issues a pop-up encouraging users to download a ‘missing’ video codec, a file called adobe_flash.exe... Our Security Labs have also seen evidence of this campaign and recent others being distributed via blog spam to further increase the chance of success..."

(Screenshots available at the URL above.)

« Reply #13 on: August 10, 2008, 16:28:58 » AplusWebMaster
FYI...

Fake IE 7 update SPAM...
- http://isc.sans.org/diary.html?storyid=4852
Last Updated: 2008-08-10 09:56:42 UTC - "A number of readers have alerted us to a round of IE7 update spam being sent out. The e-mails read:

"You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice."

Well, true enough Microsoft will not be responsible as it's not from them! (Shock / Horror). For the sample we received, VT has good coverage:
- http://www.virustotal.com/analisis/18b97fb3bc30251051a8542a90401b6f ..."

« Reply #14 on: August 11, 2008, 05:17:28 » AplusWebMaster
FYI...

IM: Instant Malware... Yahoo! Messenger fraud
- http://blog.trendmicro.com/instant-malware/
08.10.2008 - "Instant messaging (IM) applications are popular infection vectors — malware authors are known to use instant messaging platforms to spread malware by sending either malicious files or URLs. Trend Micro researchers have recently witnessed spammed email messages that use the popular IM application Yahoo! Messenger in propagating malware, but in a very different way than previously mentioned... Clicking the Download now link downloads the file msgr8.5us.exe into the affected system. When executed, it drops the following files:
    * mirc.ini - detected by Trend Micro as Mal_Zap
    * csrss.exe - detected by Trend Micro as BKDR_ZAPCHAST.AX
    * sup.exe - detected by Trend Micro as BKDR_MIRCHACK.CE
For targeted victims which do, in fact, use Yahoo! Messenger, the promised update may prove hard to resist. The same email message even instructs users to pass the news to friends by sending them the source - not very friendly if the supposed update would lead one’s contacts to malware... Downloading from the software vendors themselves still is the safest way to go."

(Screenshot available at the URL above.)
