Culture Jamming

[Ransomware uses false child porn accusations]

FYI...

Ransomware uses false child porn accusations
- http://www.malwarecity.com/blog/cyber-extortion-scam-issues-false-child-porn-accusations-1127.html
5 September 2011 - "Russian cyber-criminals are coupling false accusations of child pornography with real software damage in a new scam that attempts to extort 500-ruble ($17) payments out of victims, according to an analysis by Bitdefender. Once infected with Trojan.Agent.ARVP malicious software, spread via innocent-seeming links, the victim receives a note stating that child pornography has been found on the computer and the user must pay a “fine” via a payment service. To back up the demand, the Trojan blocks the computer, effectively holding the system ransom. The scam marks an extension of the traditional activities of Russian cyber-criminal gangs, many of whom specialize in offering fake anti-virus solutions, or in frauds such as the “Russian bride scam,” which seeks to con European or North American men out of money by posing as beautiful Russian women seeking husbands from abroad. The child-porn scam targets Russian speakers for now but such attacks are often translated into English and other languages to spread further... The ransom note is scaled to take up to 90 percent of the screen and whatever is behind it is invalidated. Other emergency tools such as Task Manager, Windows Explorer and User Init Logon Application are killed and overwritten with copies of the Trojan, which prevents the operating system from initializing and running properly. The scammers says the user must pay within 12 hours or the “child-porn” case will be forwarded to the local police and all data stored on the personal computer will be blocked or deleted, the operating system uninstalled and the BIOS erased. In reality, the data will still be there and the BIOS will not be affected after the 12-hour deadline passes... Paying the ransom will -not- unlock it. In-depth analysis of the malware revealed that there is no way to unlock the PC, so the promise of a code is false. Messages such as this should immediately raise suspicions... To remain safe from such scams, users are advised to scrutinize links they come across and avoid as much as possible clicking on URLs they have not specifically searched for."

 

[Corporate account credentials phished]

FYI...

Corporate account credentials phished...
- http://www.finextra.com/news/fullstory.aspx?newsitemid=22957
16 September 2011 - "The FBI is currently investigating over 400 reported cases of corporate account takeovers, where cyber crooks have used ACH and wire transfers to steal tens of millions of dollars from US businesses. The scale of the problem was revealed this week by the bureau's assistant director in the cyber division, Gordon Snow, in testimony to a House Financial Services Committee subcommittee. Smart says business employees are being targeted by phishing e-mails containing infected files or links to suspect Web sites, enabling criminals to install -malware- on their computers to harvest online banking credentials. The FBI is looking in to over 400 cases where crooks have used this information to steal money from firms' accounts, involving the attempted theft of over $255 million and the actual loss of around $85 million..."

 

[Malvertising on Bing and Yahoo]

FYI...

Malvertising on Bing and Yahoo...
- http://sunbeltblog.blogspot.com/2011/09/bing-yahoo-search-adverts-serve-up.html
September 16, 2011 - "... adverts being displayed in Bing that were directing end-users to malicious content. These adverts were promoting all manner of downloads including Firefox, Skype and uTorrent. Some of the search terms used:
FireFox Download - Download Skype - Download Adobe Player...
Clicking the adverts takes end-users to sites such as river-park(dot)net, and they do a pretty good job of convincing visitors that these sites are the real deal (incidentally, you'll notice that some of the ads display the "real" URL of the program mentioned, but take you to a rogue site such as the "Download uTorrent Free" advert... which actually takes you to aciclistaciempozuelos(dot)es/torrent)... All of the malicious downloads are coming from en-softonic(dot)net... the fake Firefox file installs a rootkit, runs IE silently in the background attempting clickfraud and also performs Google redirects. Current VirusTotal score for that one is 16/44*, and we detect it as Win32.Malware!Drop. These adverts were also appearing in Yahoo search - we notified both Yahoo and Microsoft, and both companies are in the process of killing these things off. It's entirely possible these sites will show up somewhere else..."
(Screenshots available at the sunbeltblog URL above.)
* https://www.virustotal.com/file-scan/report.html?id=d20c12348e014b782234cbff8d282cd9d566c86e6b2cda2cebee44aca43cf7aa-1316154205
File name: Backup.exe
Submission date: 2011-09-16 06:23:25 (UTC)
Result: 16/44 (36.4%)

 

[Scare tactics used in malicious emails]

FYI...

Scare tactics used in malicious emails ...
- http://community.websense.com/blogs/securitylabs/archive/2011/09/20/_2200_We-are-going-to-sue-you_2200_-spam.aspx
20 Sep 2011 - "... Websense... has detected that an email campaign broke out on 19th September, 2011. In this campaign, emails are spoofed to appear as though they are sent from established companies. The emails even formally claims that legal action will be taken because of the spam you have sent. These emails with the fake warning even attach a ZIP file that contains a scanned copy of a document that is supposed evidence of your spam... The spam outbreak uses several alerting subject headings to attract readers' attention. The ZIP file is actually an EXE file disguised as a document after decompression. It's a kind of Trojan.Downloader virus confirmed by VirusTotal*. When the trojan triggers, it copies itself to the system path under the Startup folder and deletes itself. Whenever you start the computer, the trojan will execute. This trojan can connect to remote servers and download malicious files... This campaign could potentially contain other variants of the trojan as attachments..."
(Screenshots available at the websense URL above.)
* https://www.virustotal.com/file-scan/report.html?id=fb47da8e43e1387f5bccd07bf35b7b2c6ff93920a9ea3cf1817bd2006c4f0b5b-1316594716
File name: 2166218
Submission date: 2011-09-21 08:45:16 (UTC)
Result: 29/44 (65.9%)
___

- http://community.websense.com/blogs/securitylabs/archive/2011/09/22/fake-malware-notifications-from-websense-labs.aspx
22 Sep 2011

 

[Fake transfers are latest Bank Heist]

FYI...

Fake transfers are latest Bank Heist ...
- http://www.trusteer.com/blog/fictitious-transfers-are-latest-bank-heist
September 20, 2011 - "A number of banks, in an effort to validate and secure financial transactions, are utilising transaction verification systems. They’re doing this in the belief that, even if malware manages to change transaction details on the fly, the customer has an out of band channel to verify that it has not been modified. This is based on the assumption that malware cannot infect the out of band channel, and therefore the bank or the customer will be able to detect fraudulent transfers... the assumption that malware cannot influence the out of band channel is flawed. The easiest way to defeat transaction verification systems is using social engineering attacks. Over the years we've seen a number of different variants against transaction verification systems... Using malware fraudsters first gain control over the web channel. This means -any- information that customers view inside their browser, while connected to their bank, can be modified by the fraudsters. Unfortunately, customers are usually -unable- to distinguish whether what they are seeing was actually served by the bank, or in fact modified by malware! This is giving fraudsters the ability to launch extremely effective social engineering attacks. In the attack we've recently seen, fraudsters were simply waiting for customers to log on to their bank's website. The bank robber then ‘changed’ the content of the post login page, to a message, informing customers of an upgraded security system. The customer is invited to go through a training process that intends to help him/her deal with the bank's upgraded security system. As part of the training they’re asked to make a transfer, to a fictitious bank account, and confirm the transaction using the confirmation code that is sent by the bank to the registered mobile phone. Fraudsters claim that the user's account will not be debited and the recipient's account is fabricated... the transaction then happens, the money is transferred, and the criminal disappears off into the sunset..."
(More detail at the trusteer URL above.)

 

[Japan - MHI hacked]

FYI...

Japan - MHI hacked ...
- http://www.itpro.co.uk/636271/japan-attacked-can-we-say-cyber-war-now
21 Sep 2011 - "... Mitsubishi Heavy Industries, one of Japan’s major weapons suppliers, admitted 45 of its servers and 38 computer terminals were infected. Targeted malware was allegedly used as part of a spear phishing attempt – similar to other attacks that have attempted to breach Governments in recent times, including in the UK. RSA was compromised by such tactics too – another situation in which some suspected a nation state’s involvement, as at least one of the eventual targets turned out to be major US defence contractor Lockheed Martin... In the case of MHI, no one has yet claimed responsibility for the infection. China, the number one suspect according to some sources, has denied any involvement. As with so many recent cases, no nation has been found guilty, nor has any Government admitted to being the perpetrator of an attack. When the DigiNotar attacks emerged last month, eventually resulting in the certificate authority’s demise, many pointed fingers at Iran. Yet in that case, ComodoHacker claimed responsibility, saying the Iranian regime had no hand in the hacks. For any onlookers, it’s near to impossible to know whom to trust. There is just too much obfuscation and potential for covert behaviour to lump any event under the ‘cyber war’ umbrella... As information remains a hugely valuable commodity, and hacking becomes an increasingly useful tool for acquiring it, cyber war will still focus heavily on data, rather than causing real-world havoc. Both public and private organisations will therefore be targets... individuals will be affected. There will be civilian casualties too, in the data sense at least..."

 

[Fake "browser update" worm]

FYI...

Fake "browser update" worm ...
- http://www.malwarecity.com/blog/update-your-browser-hmm-ill-pass-1155.html
23 September 2011 - "... As the DNS infrastructure is well defended against attacks, cyber-crooks often try to mess with the local DNS settings. This is the case of the infections with Worm.Rorpian.E that, once it successfully infects a computer on the network, starts acting as a DHCP server (an application that manages the connectivity of the network computers) and tampers with the local DNS servers to resolve all the requests to a rogue IP in Romania...
If you give in to the demand and “update your browser”, you’ll get infected with the same Worm.Rorpian.E, and your PC will start acting like a rogue DHCP server for the other clients connected to your network. Once the user clicks the “browser update” button, a php script fetches the malware from the server and names it as updbrowser[date].exe, where date is the current year, month and day. Of course, since we’re talking about cybercrime, the infection wasn’t only designed for fun. Once your PC has been infected with the “browser patch”, the worm starts bringing its friends to the party, cloaked by the infamous TDSS rootkit. Rorpian also has secondary spreading mechanisms: it “jumps” via network shares, exploits a couple of old, critical vulnerabilities such asthe .LNK (MS10-046) and the one in the Windows DNS RPC Interface (MS07-029) to download and execute further malware onto the infected PCs..."
(More detail at the malwarecity URL above.)

 

[mysql.com hacked - malware served to visitors]

FYI...

mysql.com hacked - malware served to visitors...
- http://blog.armorize.com/2011/09/mysqlcom-hacked-infecting-visitors-with.html
9.26.2011 - "Our HackAlert 24x7 Website malware monitoring platform today indicated that mysql.com has been hacked...
Step 1: http ://www .mysql .com
Causes the visiting browser to load the following:
Step 2: http ://mysql .com /common/js/s_code_remote.js?ver=20091011...
Step 3: http ://falosfax .in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=1255098964&ur=1&HTTP_REFERER=http ://mysql .com/
Throws out a 302 redirect to Step 4.
Step 4: http ://truruhfhqnviaosdpruejeslsuy .cx.cc/main.php
This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting mysql .com with a vulnerable browsing platform will result in an infection.
Currently, 9 out of 44 vendors on VirusTotal* can detect this piece of malware."
(More detail at the armorize URL above.)

* http://www.virustotal.com/file-scan/report.html?id=d761babcb55d21b467dd698169c921995bf58eac5e9912596693fee52c8690a1-1317040603
File name: w.php
Submission date: 2011-09-26 20:23:24 (UTC)
Result: 9/44 (20.5%)
There is a more up-to-date report...
- https://www.virustotal.com/file-scan/report.html?id=d761babcb55d21b467dd698169c921995bf58eac5e9912596693fee52c8690a1-1317260745
File name: e1d511259779f6a02f2a61cfedc2551ec70885b6.bin
Submission date: 2011-09-29 01:45:45 (UTC)
Result: 28/43 (65.1%)
___

- https://krebsonsecurity.com/2011/09/mysql-com-sold-for-3k-serves-malware/
Monday, September 26th, 2011 at 3:52 pm - "... it appears the malicious scripts were injected into the site sometime within the last seven hours. If that’s accurate, that was enough time for approximately 120,000 Internet users to browse the site and expose their systems to the exploit kit..."
> http://www.alexa.com/search?q=mysql.com&r=home_home&p=bigtop

- https://www.computerworld.com/s/article/9220295/MySQL.com_hacked_to_serve_malware
September 26, 2011 03:19 PM ET - "... Armorize noticed the problem at around 5 a.m. Pacific Time Monday. Hackers had installed JavaScript code that threw a variety of known browser attacks at visitors to the site, so those with out-of-date browsers or unpatched versions of Adobe Flash, Reader or Java on their Windows PCs could have been quietly infected with malicious software. By just after 11 a.m., the issue had been cleaned up, said Wayne Huang, Armorize's CEO..."
___

- https://isc.sans.edu/diary.html?storyid=11638
Last Updated: 2011-09-26 21:50:32 UTC – “… now been cleaned up on mysql .com but no further words on the scope of the compromise. It also appears to be the second time this year*. In the last incident, SQL injection was used to gain access to the information on the site.”
* https://www.scmagazineus.com/oracles-mysqlcom-hacked-via-sql-injection/article/199419/
March 28, 2011

 

[Malicious emails with subject “ACH Payment xxxxx Canceled”]

FYI...

Malicious emails with subject “ACH Payment xxxxx Canceled”
- http://community.websense.com/blogs/securitylabs/archive/2011/09/28/malicious-emails-with-subject-ach-payment-xxxxx-canceled.aspx
28 Sep 2011 01:00 AM - "Have you got an email with subject “ACH Payment xxxxx Canceled” ?  Please don’t open the url in the email. Because it will take you to a malicious url. Websense... has detected that an email campaign broke out on 27th September, 2011. In this campaign,  all the emails with the subject “ACH Payment xxxxxx Canceled”, xxxx means random numbers generated from spamers. Each email in this campaign has one same url, after being clicked, victims will be led to various malicous links, via redirection, finally downloaded trojan files without any notice... Now we can see there is  a iframe in its payload, it will lead you to redirect to another malicious url. That malicious url hosts blackhole exploit kit, which is the most widely used exploit kits. It will download a Zbot file, which has been confirmed by VirusTotal*... more than 200,000 messages in this campaign..."
* https://www.virustotal.com/file-scan/report.html?id=8ccaf0c60797a663d1360af83e99f92522ddc977ec5510cbaf29ffefe6a225fc-1317198424
File name: calc[1].ex_e
Submission date: 2011-09-28 08:27:04 (UTC)
Result: 29/43 (67.4%)
___

- http://labs.m86security.com/2011/09/an-analysis-of-the-ach-spam-campaign/
September 6, 2011

 

[How to get infected with malware]

FYI...

How to get infected with malware...
- https://www.csis.dk/en/csis/news/3321
2011-09-27 - "When a Microsoft Windows machine gets infected by viruses/malware it does so mainly because users forget to update the Java JRE, Adobe Reader/Acrobat and Adobe Flash... CSIS has over a period of almost three months actively collected real time data from various so-called exploit kits. An exploit kit is a commercial hacker toolbox that is actively exploited by computer criminals who take advantage of vulnerabilities in popular software. Up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits. The purpose of this study is to reveal precisely how Microsoft Windows machines are infected with the virus/malware and which browsers, versions of Windows and third party software that are at risk. We have monitored more than 50 different exploit kits on 44 unique servers/IP addresses... The statistical material covers all in all more than half a million user exposures out of which as many as 31.3 % were infected with the virus/malware due to missing security updates... On the basis of the total statistical data of this study it is documented that following products frequently are abused by malware in order to infect Windows machines: Java JRE, Adobe Reader/Acrobat, Adobe Flash and Microsoft Internet Explorer... The conclusion of this study is that as much as 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages*..."
* https://www.csis.dk/images/infection.Png

> https://www.csis.dk/images/browser.Png

> https://www.csis.dk/images/os.Png

 

[More bad ads in Bing]

FYI...

More bad ads in Bing
- http://sunbeltblog.blogspot.com/2011/09/more-bad-ads-in-bing.html
September 29, 2011 - "... they're back again - this time promoting fake Firefox downloads whose ads are displayed when searching for... "Firefox download"... they missed a trick there, advertising Firefox 6 instead of the freshly minted Firefox 7. The URLs involved are hotelcrystalpark(dot)com/firefox_1 and firefox(dot)dl-labs(dot)com, with the rogue downloads being hosted at the dl-labs URL. VirusTotal score* currently gives us 6/43, with VIPRE detecting this as Trojan.Win32.Kryptik.cqw (v)..."
* https://www.virustotal.com/file-scan/report.html?id=1417e815b627d079f3809a941904781b947345e9e5cfd59dd563ebc5c772c285-1317230589
File name: firefox_6.s0.1.exe_
Submission date: 2011-09-28 17:23:09 (UTC)
Result: 6/43 (14.0%)
There is a more up-to-date report...
- https://www.virustotal.com/file-scan/report.html?id=1417e815b627d079f3809a941904781b947345e9e5cfd59dd563ebc5c772c285-1318368926
File name: firefox_6.s0.1.exe_
Submission date: 2011-10-11 21:35:26 (UTC)
Current status: finished
Result: 27/43 (62.8%)

 

[Fake pharma domains suspended]

FYI...

Fake pharma domains suspended
- http://www.theregister.co.uk/2011/09/30/nominet_suspends_fake_pharma_addresses/
30 September 2011 - "Nominet, the .uk address registry, has suspended hundreds of internet domain names as part of a global police crackdown on crime gangs peddling fake pharmaceuticals. Operation Pangea IV saw almost 13,500 websites taken down and dozens of suspects arrested in 81 countries, according to Interpol, which coordinated the swoop. Over 2.4 million potentially harmful counterfeit pills, worth about £4m, were seized in raids between 20 and 27 of September, Interpol said. Confiscated medicines included everything from diet pills to anti-cancer drugs. Cops worked with customs agencies, ISPs, payment processors and delivery companies to close down the allegedly criminal operations, Interpol said. In the UK, Nominet acted upon advice given by the Medicines and Healthcare products Regulatory Agency and the Police Central e-Crime Unit to suspend about 500 .uk domains.."

 

[Facebook malvertisement leads to Exploits]

FYI...

Facebook malvertisement leads to Exploits
- http://blog.trendmicro.com/facebook-malvertisement-leads-to-exploits/
Oct. 4, 2011 - "... We encountered an infection chain wherein the user is led from a page within Facebook to a couple of ad sites then, finally, to a page that hosts exploits. When we traced the connection between the ad sites and Facebook, we found that the ad providers were affiliated with a certain Facebook application. We checked out the said application and found that it is indeed ad supported. We were able to come up with the likely infection chain... Upon accessing the application, the malvertisement gets loaded, triggering a series of redirections. The redirections finally lead to a malicious site, which then loads several exploits, particularly those related to Java and ActiveX:
• CVE-2006-0003: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0003
• CVE-2010-4452: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4452
• CVE-2010-1423: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1423
The exploits were loaded to download more malicious files although we weren’t able to trace these anymore since the URLs they accessed were already inaccessible... Malvertisements are considered grave threats, especially since much like website compromises, attacks related to these usually involve trusted sites that users already typically visit without risk of system infection..."
(More detail at the trendmicro URL above.)

 

[Halloween malware, scares, scams]

FYI...

Halloween malware, scares, scams ...
- http://community.websense.com/blogs/securitylabs/archive/2011/10/05/first-wave-of-halloween-scare.aspx
5 Oct 2011 - "... malware authors have already concocted a brew of early scares: blackhat SEO, fake Adobe Flash notification, and a malicious file download... start with the search term "halloween skeleton templates," which brings up a poisoned search result. The link redirects users to what appears to be a fake YouTube site... The fake YouTube site uses nude images of celebrities like Emma Watson and Paris Hilton as a ploy. These, along with salacious captions, are meant to entice users into playing the apparent video. When users click any of the links on the page, they are prompted to update Adobe Flash Player... Users who fall for the trick are prompted to download a malicious file called scandsk.exe, identified by 15/43 VirusTotal* engines..."
* https://www.virustotal.com/file-scan/report.html?id=0716b10d60f7f82b28d04c81654f64a37069354b66da3a2082f3619860c9d774-1317839174
File name: scandsk.exe
Submission date: 2011-10-05 18:26:14 (UTC)
Result: 15/43 (34.9%)
There is a more up-to-date report...
- https://www.virustotal.com/file-scan/report.html?id=0716b10d60f7f82b28d04c81654f64a37069354b66da3a2082f3619860c9d774-1318022043
File name: afe4e70aa3210b8b04c53330d6037378a0aeaf7f.bin
Submission date: 2011-10-07 21:14:03 (UTC)
Result: 21/43 (48.8%)

 

[Blackhole Exploit + Rogue AV capitalizes on Steve Jobs' passing]

FYI...

Blackhole Exploit + Rogue AV capitalizes on Steve Jobs' passing
- http://community.websense.com/blogs/securitylabs/archive/2011/10/06/blackhole-exploit-rogue-av-capitalizes-on-steve-jobs-passing.aspx
6 Oct 2011 - "Websense... has detected malicious email messages claiming that the late Apple founder and CEO, Steve Jobs, is still alive... Some of the email subjects used in this attack include :
    Steve Jobs: Not Dead Yet!
    Steve Jobs Alive!
    Steve Jobs Not Dead
The email messages contain links to compromised web sites that redirect to Blackhole Exploit Kit and install Rogue AV malware. The malicious file used in this attack is poorly detected by AV engines*. As always, don't click on links in emails you didn't expect to receive, they tend to be bad news."
(Screenshots available at the websense URL above.)
* https://www.virustotal.com/file-scan/report.html?id=545de2c3a1f0d50949da842601fa699fb741efc9baef6b22c99192923d80f19c-1317941431
File name: contacts.exe
Submission date: 2011-10-06 22:50:31 (UTC)
Result: 5/43 (11.6%)
There is a more up-to-date report...
- https://www.virustotal.com/file-scan/report.html?id=545de2c3a1f0d50949da842601fa699fb741efc9baef6b22c99192923d80f19c-1318232093
File name: worms.exe
Submission date: 2011-10-10 07:34:53 (UTC)
Current status: finished
Result: 18/43 (41.9%)

Facebook scammers exploit Steve Jobs' death
- http://nakedsecurity.sophos.com/2011/10/06/steve-jobs-death-facebook-scam/
6 October 2011

Malicious SPAM...
- http://blog.trendmicro.com/steve-jobs-proclaimed-alive-by-spam/
Oct. 7, 2011

- http://labs.m86security.com/2011/10/steve-jobs-alive-spam-campaign-leads-to-exploit-page/
October 7, 2011