News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
Topic: SPAM frauds, fakes, and other MALWARE deliveries...  (Read 230283 times)
« Reply #495 on: August 17, 2011, 18:38:49 »
AplusWebMaster (Global Moderator)

FYI...

SPAM - Virus Outbreak In Progress
- http://www.ironport.com/toc/
August 17, 2011

- http://tools.cisco.com/security/center/threatOutbreak.x?currentPage=1&sortOrder=d&pageNo=1&sortType=d

Fake Parcel Delivery Failure Notification E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23917
Fake Digital Telegram Notification E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23946
Fake Invoice Payment Notification E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23915
Fake Mobile Communication E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23916
Fake Traffic Ticket E-mail Msgs... *
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23945
Fake Personal Photo Attachment E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23881
Fake Antivirus Update E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23931
Malicious Changelog Attachment E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23588
___

- http://nakedsecurity.sophos.com/2011/08/18/trojans-spammed-out-in-malicious-wave-of-fake-dhl-emails/
August 18, 2011

* http://sunbeltblog.blogspot.com/2011/08/of-spam-and-speeding.html
August 18, 2011

* http://nakedsecurity.sophos.com/2011/08/17/uniform-traffic-ticket-malware-attack-widely-spammed-out/
August 17, 2011

- http://nakedsecurity.sophos.com/2011/08/15/malware-email-blocked-credit-card/
August 15, 2011

Malicious SPAM volume chart - last 28 days
- http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/5226.S4.png
18 Aug 2011

« Last Edit: August 20, 2011, 09:13:15 by AplusWebMaster »

This machine has no brain.
....... Use your own.
Browser check for updates here.
.
« Reply #496 on: August 18, 2011, 06:08:44 »
AplusWebMaster (Global Moderator)

FYI...

Mass compromise ongoing, spreads fake antivirus
- http://blog.armorize.com/2011/08/k985ytvhtm-fake-antivirus-mass.html
8.17.2011 - "On August 14, we started to see mass compromise of websites to inject malicious iframes that spread fake antivirus malware. The attack is ongoing... We estimate at least 22,400 unique DOMAINS. The attackers' first attempt was not successful and therefore Google indexed more than 536,000 infected pages. However, since then the attackers have fixed the injected pattern and therefore the injected script is executed rather than displayed. Google therefore does not index infected websites any longer...
4. Browser Exploitation: Drive-by download script served by a modified version of the BlackHole exploit pack.
5. Malware: Fake antivirus, different names in different OS: "XP Security 2012" under Windows XP, "Vista Antivirus 2012" under Windows Vista, and "Win 7 Antivirus 2012" under Windows 7.
6. Injection method: Primarily via stolen FTP credentials, and then use automated program to FTP, retrieve files, inject iframe, and upload back. FTP credentials are stolen from personal Windows computers that have been infected with malware. Malware searches stored password files of FTP clients and also sniffs the FTP traffic. Stolen credentials are sent back to the attackers.
7. Malicious domains and IPs... (shown/listed at the armorize.com URL above.)
8. Antivirus detection rate: Currently 5 out of 43 on VirusTotal*..."
* https://www.virustotal.com/file-scan/report.html?id=a1bd3278d34d8484ef89dd679c5e2e241c18feebdc11cde042fc7ce1c325b061-1313382824
File name: contacts.exe_
Submission date: 2011-08-15 04:33:44 (UTC)
Result: 5/43 (11.6%)

« Reply #497 on: August 18, 2011, 14:55:28 »
AplusWebMaster (Global Moderator)

FYI...

Google report - 4 years of experience in malware detection
- http://h-online.com/-1325798
18 August 2011 - "Google has announced* the publication of a technical report entitled "Trends in Circumventing Web-Malware Detection". This report describes the results of analysing four years of data – from 160 million web pages hosted on approximately eight million sites – collected through the company's Safe Browsing initiative. The report comments that "Like other service providers, we are engaged in an arms race with malware distributors", and that each day Google issues around three million malware warnings to over four hundred million users that use browsers supporting the Safe Browsing API. The report looks into the four most commonly employed methods for detecting malware: virtual machine client honeypots, browser emulator client honeypots, classification based on domain reputation, and anti-virus engines and trends in how well they work in practice..."
* http://googleonlinesecurity.blogspot.com/2011/08/four-years-of-web-malware.html

See also:
- http://h-online.com/-1155534

- http://h-online.com/-986087
___

- http://www.darkreading.com/taxonomy/index/printarticle/id/231500264
Aug 18, 2011

« Last Edit: August 19, 2011, 04:04:33 by AplusWebMaster »
« Reply #498 on: August 20, 2011, 09:16:24 »
AplusWebMaster (Global Moderator)

FYI...

SPAM - Virus Outbreak In Progress
- http://www.ironport.com/toc/
August 20, 2011

- http://tools.cisco.com/security/center/threatOutbreak.x?currentPage=1&sortOrder=d&pageNo=1&sortType=d

Fake Security Update Notification E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23971
Malicious Images Attachment E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23970
Fake Personal Photo Attachment E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23881
August 19, 2011
___

Malware-laden spam jumps to 24 percent of all spam this week
- http://www.darkreading.com/taxonomy/index/printarticle/id/231500190
Aug 18, 2011

- http://labs.m86security.com/2011/08/massive-rise-in-malicious-spam/
August 16, 2011 - "... The majority of the malicious spam comes from the Cutwail botnet, although Festi and Asprox are among the other contributors..."
- http://labs.m86security.com/wp-content/uploads/2011/08/spammedmalware31.png

« Last Edit: August 23, 2011, 05:18:51 by AplusWebMaster »
« Reply #499 on: August 23, 2011, 05:28:56 »
AplusWebMaster (Global Moderator)

FYI...

SPAM - Virus Outbreak In Progress
- http://www.ironport.com/toc/
Updated: August 26, 2011

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Facebook Photo Notification E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23974
Fake Traffic Violation Ticket E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23982
Malicious Changelog Attachment E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23588
___

m86 Spam Volume Index
- https://www.m86security.com/images/trace/302/302-16-SVI_time.gif
"... representative sample of the honeypot domains that we monitor."

« Last Edit: August 26, 2011, 05:03:11 by AplusWebMaster »
« Reply #500 on: August 26, 2011, 19:21:36 »
AplusWebMaster (Global Moderator)

FYI...

RSA hack file found...
- http://www.f-secure.com/weblog/archives/00002226.html
August 26, 2011 - "... the hackers broke into RSA with a targeted email attack. They planted a backdoor and eventually were able to gain access to SecurID information that enabled them to go back to their original targets and successfully break into there... we knew that the attack was launched with a targeted email to EMC employees (EMC owns RSA), and that the email contained an attachment called "2011 Recruitment plan.xls". RSA disclosed this information in their blog post... we had the original email. Turns out somebody (most likely an EMC/RSA employee) had uploaded the email and attachment to the Virustotal online scanning service on 19th of March. And, as stated in the Virustotal terms, the uploaded files will be shared to relevant parties in the anti-malware and security industry. So, we all had the file already. We just didn't know we did, and we couldn't find it amongst the millions of other samples... It was an email that was spoofed to look like it was coming from recruiting website Beyond.com. It had the subject "2011 Recruitment plan" and one line of content:
   "I forward this file to you for review. Please open and view it".
The message** was sent to one EMC employee and cc'd to three others... The embedded flash object shows up as a [X] symbol in the spreadsheet. The Flash object is executed by Excel (why the heck does Excel support embedded Flash is a great question). Flash object then uses the CVE-2011-0609*** vulnerability to execute code and to drop a Poison Ivy backdoor to the system. The exploit code then closes Excel and the infection is over. After this, Poison Ivy connects back to its server at good.mincesur .com. The domain mincesur .com has been used in similar espionage attacks over an extended period of time... Once the connection is made, the attacker has full remote access to the infected workstation. Even worse, it has full access to network drives that the user can access. Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for. The attack email does not look too complicated. In fact, it's very simple. However, the exploit -inside- Excel was a zero-day at the time and RSA could not have protected against it by patching their systems..."
* http://blogs.rsa.com/rivner/anatomy-of-an-attack/

** http://www.f-secure.com/weblog/archives/sra2011_1.png

*** http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0609
Last revised: 04/21/2011
CVSS v2 Base Score: 9.3 (HIGH)
(-before- Flash Player 10.2.153.1 - see:
- https://www.adobe.com/support/security/advisories/apsa11-01.html March 14, 2011)

___

NEW: RSA enVision 3.x and 4.x before 4 SP4 P3...
- http://www.securitytracker.com/id/1025979
Aug 26 2011
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Solution: The vendor has issued a fix (4 SP4 P3)...
Vendor URL: https://www.rsa.com/

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2736
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2737
Last revised: 08/25/2011
CVSS v2 Base Score: 5.0 (MEDIUM)
"RSA enVision 3.x and 4.x before 4 SP4 P3..."

« Last Edit: August 27, 2011, 11:56:57 by AplusWebMaster »
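As an added illustration of the triage a defender can run on a spreadsheet like the one described above (this is not code from the post or from F-Secure): a heuristic scan of a file's raw bytes for embedded SWF headers. It assumes the Flash object sits contiguously inside a legacy OLE2 .xls container; both sample files are constructed here.

```python
"""Heuristic triage: does this Office file carry an embedded Flash (SWF) object?

Added example, not code from the forum post or from F-Secure.  Assumption:
the SWF bytes sit contiguously inside a legacy OLE2 (.xls) container, so a
raw byte scan can see the 8-byte SWF header.  Proper tooling parses the
container; this is a first-pass check, not a replacement for it.
"""
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")      # uncompressed, zlib, LZMA


def looks_like_ole2(data: bytes) -> bool:
    """True if the file starts with the OLE2 compound-document signature."""
    return data[:8] == OLE2_MAGIC


def find_swf_headers(data: bytes):
    """Return sorted (offset, signature, version, declared_length) tuples.

    An SWF header is: 3-byte signature, 1-byte version, 4-byte little-endian
    total length.  Plausibility limits on version and length cut down on
    random 3-byte matches in text or binary padding.
    """
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while (off := data.find(magic, start)) >= 0:
            start = off + 1
            if off + 8 > len(data):
                break                     # no room left for a full header
            version = data[off + 3]
            length = struct.unpack_from("<I", data, off + 4)[0]
            if 1 <= version <= 40 and 8 <= length <= 64 * 1024 * 1024:
                hits.append((off, magic.decode("ascii"), version, length))
    return sorted(hits)


def triage(data: bytes) -> dict:
    """Summarise one file: container type, SWF headers found, overall verdict."""
    hits = find_swf_headers(data)
    is_ole2 = looks_like_ole2(data)
    return {"ole2": is_ole2, "swf_objects": hits, "suspicious": is_ole2 and bool(hits)}


def build_sample() -> bytes:
    """Constructed stand-in for a booby-trapped .xls: OLE2 header, a sector of
    padding, a stream name, then a fake zlib-compressed SWF header (v10)."""
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 1234) + b"\x00" * 16
    return OLE2_MAGIC + b"\x00" * 504 + b"Workbook" + b"\x00" * 100 + swf + b"\x00" * 64


def build_clean_sample() -> bytes:
    """Constructed benign file whose text happens to contain 'FWS'."""
    return OLE2_MAGIC + b"status: FWS-2011 quarterly"


if __name__ == "__main__":
    for name, blob in (("sample.xls", build_sample()), ("clean.xls", build_clean_sample())):
        print(name, triage(blob))
```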
« Reply #501 on: August 27, 2011, 13:19:39 »
AplusWebMaster (Global Moderator)

FYI...

Apple iCloud phishing attacks ...
- http://nakedsecurity.sophos.com/2011/08/26/welcome-to-apple-icloud-phishing-attacks/
August 26, 2011 - "... The email claims to come from Apple, and appears to have targeted our correspondent because he is a user of Apple's MobileMe service. Apple is planning to shut down its MobileMe service in mid-2012, as it is readying its new iCloud service (which will store music, photos, calendars, documents etc in 'the cloud' and wirelessly push them to all of your devices). Understandably, a lot of MobileMe users are interested in how they will migrate to iCloud and this is the issue that the phishing email uses as bait... Yes, it's a phishing website. And just look what it's asking for: your credit card details, your address, your social security number, your full date of birth, your mother's maiden name and your Apple ID credentials... Imagine the harm a fraudster could cause with all that information. Make sure you have your eyes peeled for phishing attacks, and be on your guard regarding unsolicited messages you receive in your inbox..."
(Screenshots and more detail available at the Sophos URL above.)

« Reply #502 on: August 27, 2011, 19:23:41 »
AplusWebMaster (Global Moderator)

FYI...

Hurricanes prompt phishing scams...
- https://www.computerworld.com/s/article/9219530/DHS_warns_that_Irene_could_prompt_phishing_scams
August 26, 2011 - "... cybercriminals go into -overdrive- during highly publicized physical events such as hurricanes and earthquakes... The DHS is responsible for protecting critical infrastructure targets in the U.S. Until relatively recently, phishing -was- considered mostly a consumer problem. But the use of phishing emails to successfully breach the Oak Ridge National Laboratory, EMC's RSA security division, Epsilon and the Pacific Northwest National Laboratory have quickly changed that view. Over the past few years, phishers have increasingly taken advantage of natural disasters and other highly publicized incidents to slip infected emails and other malware onto users' desktops..."

- http://www.fbi.gov/news/news_blog/charity_082611
08.26.11 - "In light of Hurricane Irene, the public is reminded to beware of fraudulent e-mails and websites claiming to conduct charitable relief efforts. Disasters prompt individuals with criminal intent to solicit contributions purportedly for a charitable organization or a good cause. To learn more about avoiding online fraud, please see "Tips on Avoiding Fraudulent Charitable Contribution Schemes" at:
> http://www.ic3.gov/media/2011/110311.aspx "
___

- https://www.us-cert.gov/current/#potential_hurricane_irene_phishing_scams
August 29, 2011

« Last Edit: August 30, 2011, 04:29:13 by AplusWebMaster »
« Reply #503 on: August 29, 2011, 05:23:24 »
AplusWebMaster (Global Moderator)

FYI...

Morto worm spreads via RDP - Port 3389/TCP
- http://www.theregister.co.uk/2011/08/28/morto_worm_spreading/
28 August 2011 - "... an Internet worm dubbed “Morto” spreading via the Windows Remote Desktop Protocol (RDP). F-Secure is reporting that the worm is behind a spike in traffic on Port 3389/TCP. Once it’s entered a network, the worm starts scanning for machines that have RDP enabled. Vulnerable machines get Morto copied to their local drives as a DLL, a.dll, which creates other files detailed in the F-Secure post*... SANS (ISC)**, which noticed heavy growth in RDP scan traffic over the weekend, says the spike in traffic is a “key indicator” of a growing number of infected hosts. Both Windows servers and workstations are vulnerable..."
* http://www.f-secure.com/weblog/archives/00002227.html

** https://isc.sans.edu/diary.html?storyid=11470
- https://isc.sans.edu/diary.html?storyid=11452
___

- http://h-online.com/-1332673
29 August 2011

« Last Edit: September 03, 2011, 07:50:43 by AplusWebMaster »
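One way to turn the "spike in traffic on Port 3389/TCP" into a host-level check, as an added example that is not part of the post or of the F-Secure/SANS write-ups: it parses firewall accept-log lines in an assumed one-line format (the sample lines are constructed) and flags sources that reach many distinct hosts on 3389 inside a short window, which is what separates a worm sweeping a subnet from an administrator reconnecting to one box.

```python
"""Flag sources fanning out to many distinct hosts on TCP/3389 (RDP).

Added example, not from the forum post or the F-Secure/SANS write-ups.
Assumption: firewall accept logs in the simple one-line format used by
SAMPLE_LOG below; a real deployment swaps in its own regex.  The logic is a
sliding window over each source's RDP connections counting distinct
destinations.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source sweeps six hosts in three seconds, one admin
# reconnects to a single host, one source reaches three hosts over an hour,
# plus a non-RDP line and a malformed line.
SAMPLE_LOG = """\
2011-08-28T02:00:01 ACCEPT TCP 10.0.5.17:51022 -> 10.0.9.3:3389
2011-08-28T02:00:01 ACCEPT TCP 10.0.5.17:51023 -> 10.0.9.4:3389
2011-08-28T02:00:02 ACCEPT TCP 10.0.5.17:51024 -> 10.0.9.5:3389
2011-08-28T02:00:02 ACCEPT TCP 10.0.5.17:51025 -> 10.0.9.6:3389
2011-08-28T02:00:03 ACCEPT TCP 10.0.5.17:51026 -> 10.0.9.7:3389
2011-08-28T02:00:03 ACCEPT TCP 10.0.5.17:51027 -> 10.0.9.8:3389
2011-08-28T02:00:10 ACCEPT TCP 10.0.5.99:40001 -> 10.0.9.3:3389
2011-08-28T02:05:10 ACCEPT TCP 10.0.5.99:40002 -> 10.0.9.3:3389
2011-08-28T02:09:10 ACCEPT TCP 10.0.5.99:40003 -> 10.0.9.3:3389
2011-08-28T02:00:20 ACCEPT TCP 10.0.5.42:52000 -> 10.0.9.3:3389
2011-08-28T02:30:20 ACCEPT TCP 10.0.5.42:52001 -> 10.0.9.4:3389
2011-08-28T03:00:20 ACCEPT TCP 10.0.5.42:52002 -> 10.0.9.5:3389
2011-08-28T02:00:30 ACCEPT TCP 10.0.5.17:51028 -> 10.0.9.50:443
this line is not a firewall record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def find_rdp_scanners(lines, window_seconds=60, threshold=5, port=3389):
    """Return {src: max_distinct_dsts} for sources that reach at least
    `threshold` distinct hosts on `port` inside any window_seconds-long interval."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] == port:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        in_window = defaultdict(int)      # dst -> connections inside window
        lo, best = 0, 0
        for ts, dst in evs:
            in_window[dst] += 1
            while ts - evs[lo][0] > window:   # drop events older than window
                old_dst = evs[lo][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                lo += 1
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print(find_rdp_scanners(SAMPLE_LOG.splitlines()))
```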
« Reply #504 on: August 30, 2011, 05:10:58 »
AplusWebMaster (Global Moderator)

FYI...

Malicious SPAM campaign - Facebook
- http://labs.m86security.com/2011/08/want-to-be-friends-on-facebook-dont-click-the-link/
August 29, 2011 - "... we are now observing another large malicious spam campaign – this time without attachments. Like the majority of last week’s campaigns, this spam is being sent out from the Cutwail botnet. The message arrives as a fake Facebook friend invite notification. The message looks convincing; it appears the spammers have copied the actual Facebook template and substituted their own links. However, there are clues it is fake. The message doesn’t contain any profile photos, and they have omitted the recipient’s email address in the fine print at the bottom... Clicking the link fetches a web page that contains two ways you can infect yourself. First, there is a link pretending to be an Adobe Flash update where you can download and install malware manually. Second, there is a hidden iframe that loads data from a remote server hosting the Blackhole Exploit Kit, which attempts to automatically exploit vulnerabilities on your system, notably Java..."
(Screenshots available at the m86 URL above.)

« Reply #505 on: September 02, 2011, 04:56:42 »
AplusWebMaster (Global Moderator)

FYI...

FTC malicious email campaign
- http://community.websense.com/blogs/securitylabs/archive/2011/09/01/return-of-the-ftc-malicious-email-campaign.aspx
01 Sep 2011 - "Websense... has detected malicious emails posing as a consumer complaint notice from the Federal Trade Commission... The exact email format seen in this case was also used a few years back... Malware authors constantly change the malicious file involved in their campaigns. The malware is poorly detected by AV engines*..."
(Screenshot available at the websense URL above.)
* https://www.virustotal.com/file-scan/report.html?id=45bf8a3b21d05a31224e5cb718746d2e4c2e6d486ccd4c33fcf4a8ac53919d28-1314955779
File name: complaint9302.vcr
Submission date: 2011-09-02 09:29:39 (UTC)
Result: 18/44 (40.9%)
There is a more up-to-date report...
- https://www.virustotal.com/file-scan/report.html?id=45bf8a3b21d05a31224e5cb718746d2e4c2e6d486ccd4c33fcf4a8ac53919d28-1315065041
File name: 1315064295.complaint9302.scr
Submission date: 2011-09-03 15:50:41 (UTC)
Result: 25/44 (56.8%)
___

- http://www.ftc.gov/opa/2011/09/scamemail.shtm
09/01/2011 - "The FTC is warning small businesses that an email with a subject line “URGENT: Pending Consumer Complaint” is -not- from the FTC. The email says that a complaint has been filed with the agency against their company. The FTC advises not to click on any of the links or attachments with the email. Clicking on the links may install a virus on the computer. The FTC’s advice: Delete the email..."

« Last Edit: September 03, 2011, 12:56:59 by AplusWebMaster »
« Reply #506 on: September 05, 2011, 08:14:01 »
AplusWebMaster (Global Moderator)

FYI...

DNS hijacks ...
- http://h-online.com/-1336589
5 September 2011 - "A number of popular web sites were hit by a DNS hijack attack; The Daily Telegraph, UPS, The Register, National Geographic, Vodafone, Betfair and Acer were all affected. By modifying the DNS records for the sites, rather than directly attacking them, visitors to the sites were redirected to a site by "TurkGuvenligi" which declares "h4ck1n9 is not a cr1m3". Some of the sites shut down password protected services during the attack to ensure that users attempting to log in were not compromised. Correct DNS records have now been generated and have been propagating in the DNS system overnight..."

> http://zone-h.org/news/id/4741
"... all use NetNames as their registrar. It appears that the Turkish attackers managed to hack into the DNS panel of NetNames using an SQL injection..."

- http://nakedsecurity.sophos.com/2011/09/04/dns-hack-hits-popular-websites-telegraph-register-ups-etc/
September 4, 2011

- http://blog.sucuri.net/2011/09/ascio-registrar-compromised-brings-down-ups-com-theregister-and-others.html
September 4, 2011

« Last Edit: September 07, 2011, 06:28:06 by AplusWebMaster »
« Reply #507 on: September 06, 2011, 05:52:17 »
AplusWebMaster (Global Moderator)

FYI...

Fake Offers with Fake Trust Seals
- http://www.symantec.com/connect/blogs/fake-offers-fake-trust-seals
Sep. 5, 2011 - "... Symantec observed a phishing site that utilized a number of new tricks. The phishing site masqueraded as a well known software company and claimed to offer associated software products at discounted rates. The phishing page highlighted these fake offers as “summer offerings” and stated that customers could save 80% on their purchases. Users were prompted to enter their billing information, personal information, and credit card details to complete their purchases... If any users had fallen victim to the phishing site, the phishers would have successfully stolen their confidential information for financial gain... The phishing site was hosted on a newly registered domain name, and this new domain name was indexed in several popular search engines and had a very high page ranking. Phishers achieved the boosted page ranking by using common search keywords for the products within the domain name. For example, the domain would look like “common-search-keywords.com”. Thus, if a user searched with these keywords in a search engine, they could end up with the phishing site as a high-ranked result... The phishing page also contained fake trust seals at the bottom of the page. A legitimate trust seal is a seal provided to Web pages by a third party, typically a software security company, to certify that the website in question is genuine. Clicking on a trust seal will pop up a window provided by the third party, which contains details of the site name and the encryption data used to secure the site...
Internet users are advised to follow best practices to avoid phishing attacks:
• Do not click on suspicious links in email messages.
• Avoid providing any personal information when answering an email.
• Never enter personal information in a pop-up page or screen.
• When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
• Frequently update your security software..."
(Screenshots available at the symantec URL above.)

« Reply #508 on: September 07, 2011, 04:02:57 »
AplusWebMaster (Global Moderator)

FYI...

Fake e-mails from Electronic Payments Association NACHA
- http://community.websense.com/blogs/securitylabs/archive/2011/09/06/fraudulent-messages-from-electronic-payments-association-nacha.aspx
06 Sep 2011 - "Websense... has been tracking a large number of messages masquerading as legitimate messages from the Electronic Payment Association NACHA. The messages bear legitimate traits, as the display name and routing details seem to confirm. Further analysis of the message and attachments prove these to be malicious in intent... an unsuspecting member or patron of the service might just fall for this... The use of a double extension on a file name as well as the exact format of the message, including the Subject, attests to the reuse of the campaign... Although this might seem to have come from NACHA, the routing details suggest otherwise as they do not originate from the publicly-known MX records for the organization... VirusTotal results*..."
(Screenshots available at the websense URL above.)
* https://www.virustotal.com/file-scan/report.html?id=06f4a26124cc408c85e864abd3b51ff4de2b74cad75d920e953281cc9a6fde91-1315379402
File name: FormApp_23131.zip
Submission date: 2011-09-07 07:10:02 (UTC)
Result: 30/44 (68.2%)

ACH spam campaign analysis...
- http://labs.m86security.com/2011/09/an-analysis-of-the-ach-spam-campaign/
September 6, 2011 - "... Automated Clearing House (ACH) is an electronic network for financial transactions in the United States overseen by NACHA. Last week, we came across a suspicious looking spam campaign with the unusual subject line “UAE Central Bank Warning: Email scam alert”. After closer investigation, we determined that it was indeed a fake ACH notification. The message contained an attached malicious file using the filename “document.zip”. As suspected, the malicious file attachment was a downloader that we have seen a lot of lately – Chepvil... The Chepvil downloader, unsurprisingly, proceeded to retrieve more than just one piece of additional malware. First was the password stealing malware, Zbot... downloading the file “s.exe” – a Zbot variant**... The file “22.exe” was interesting because we had not encountered it before. It was detected*** by 22 out of 45 antivirus programs... Upon execution, the proxy spambot drops a copy of itself in the Windows TEMP folder as svchost.exe... This spambot’s recent spamming activities include both pharmaceutical, and further ACH campaigns that appear to be from NACHA.org; and are very similar to the one which led to this infection in the first place..."
** https://www.virustotal.com/file-scan/report.html?id=14c231ee3a70b07bcf622c91a34d60a6219166ccfd3e47b8db58412dd8b2f6fd-1315391834
File name: file
Submission date: 2011-09-07 10:37:14 (UTC)
Result: 34/44 (77.3%)
*** https://www.virustotal.com/file-scan/report.html?id=9d4abcbb25590c398c693822cc6f7f15bae6ad50a005a95a34ad7137cf5ee3ee-1315187924
File name: svchost.exe
Submission date: 2011-09-05 01:58:44 (UTC)
Result: 31/44 (70.5%)
___

Virus Outbreak In Progress
- http://www.ironport.com/toc/
Sep. 7, 2011

- http://tools.cisco.com/security/center/threatOutbreak.x?i=77

Malicious Account Information E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24092
Fake Parcel Delivery Failure Notification E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23917
Fake Presentation E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24082
Fake FDIC Document E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24028
Malicious Changelog Attachment E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23588

« Last Edit: September 07, 2011, 07:14:26 by AplusWebMaster »
« Reply #509 on: September 10, 2011, 06:59:14 »
AplusWebMaster (Global Moderator)

FYI...

Ransomware posing as Microsoft
- http://pandalabs.pandasecurity.com/ransomware-posing-as-microsoft/
09/6/11 - "... Once you get infected (you can receive it in a number of different ways, most likely via spam messages and P2P), your computer is restarted. What for? Well, the malware installs itself to run every time your computer is started... The threat is clear: your Microsoft Windows authenticity could not be verified, you need to have it fixed, which is just a 100€ payment. They give you the payment instructions and before saying goodbye they let you know that in case you don’t pay you’ll lose access to the computer and will lose all your data, as well as that the district attorney’s office already has your IP address and that you’ll be prosecuted in case you fail to pay... that would scare anyone that doesn’t know this is a ransomware attack... for all of you that wouldn’t like to pay anything to these bastards, this is the code you can use to deactivate it:
 QRT5T5FJQE53BGXT9HHJW53YT
Doing that, your computer will be restarted and the registry key created by this malware (detected as Ransom.AN) will be removed, as well as the malware file..."

Powered by SMF 1.1.19 | SMF © 2013, Simple Machines