Topic: SPAM frauds, fakes, and other MALWARE deliveries...
« Reply #195 on: December 02, 2009, 03:29:34 »
AplusWebMaster Offline

FYI...

Zeus bot SPAM fakes CDC request
- http://www.symantec.com/connect/blogs/zeus-trojan-catches-swine-flu
December 1, 2009 - "... the Zeus bot crew... latest offering comes in the guise of an email purporting to come from the CDC (Center for Disease Control). The email contains a link to a bogus Web page that is made to look like an official CDC page... The content of the page asks you to create a profile that will then enable you to get the H1N1 flu vaccine... The subject lines used in the emails are quite variable; for example, the following have been seen:
• Instructions on creation of your personal Vaccination Profile
• Governmental registration program on the H1N1 vaccination
• Your personal Vaccination Profile
The domain used in these email links has the format of online.cdc.gov.[RANDOM CHARS].[TLD NAME].im
For example:
• online.cdc.gov.yhnbad.com.im
• online.cdc.gov.yttt4r.org.im
• online.cdc.gov.yhnbam.co.im
As is usually the case with these campaigns, the URL that is supposed to be a document actually leads to an executable file. This one is named vacc_profile.exe* and is detected by Symantec as Infostealer.Banker.C. Incidentally, the URL is also “personalized” with the email address of the recipient to make it look that little bit more authentic and less like mass-mailed spam..."

(Screenshots available at the Symantec URL above.)

- http://ddanchev.blogspot.com/2009/12/pushdo-injecting-bogus-swine-flu.html
December 02, 2009

* http://www.virustotal.com/analisis/4f1a5551a5fec27950ad99b6c63d568c7c712577121e6b1aa4cdf1ec7549c227-1259719511
File vacc_profile.exe received on 2009.12.02 02:05:11 (UTC)
Result: 14/41 (34.15%)

- http://www.m86security.com/trace/i/Pushdo,spambot.900~.asp

- http://www.threatexpert.com/report.aspx?md5=5767b2c6d84d87a47d12da03f4f376ad
1 December 2009

- http://www.us-cert.gov/current/#h1n1_malware_campaign_circulating
December 2, 2009

« Last Edit: December 04, 2009, 07:11:16 by AplusWebMaster »

This machine has no brain.
....... Use your own.
Browser check for updates here.
.
« Reply #196 on: December 10, 2009, 11:16:10 »
AplusWebMaster Offline

FYI...

Malware - Facebook pwd reset SPAM
- http://isc.sans.org/diary.html?storyid=7729
Last Updated: 2009-12-10 18:09:17 UTC - "... email today purporting to be from Facebook, which of course had an attachment. The file was Facebook_Password_833fd.zip*, which unzipped to be Facebook_Password_833fd.exe. The zip file is in fact a zip file, and the exe is in fact MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit (according to the file command). The subject line is "Facebook Password Reset Confirmation. Customer Support"... Which is an attempt to get you to first open the attachment, unzip the file, and then run the executable content... First set of Virustotal results were 20/41 today at 01:30:12 (UTC) https://www.virustotal.com/analisis/af6abaa7d0a29cdd4cf2680771d6d87e22d190a6a293572910ab89bd0653b322-1260408612 when I ran it again at 17:49:06 (UTC) they were up to 26/41 detection. It is a dropper which subsequently downloads and executes other badness.
Facebook does not send out passwords in attached files. If you have forgotten your password on Facebook reset it here: http://www.facebook.com/reset.php if you cannot login to your account (someone else has taken it over) go to this page: http://www.facebook.com/help.php?topic=login, which also has this advisory on it:
"Fake password reset emails
Some users have received fake password reset emails with attachments that contain viruses. Do not click on these emails or download the attachment. Also, please note that Facebook will -never- send you a new password as an attachment. To learn more visit our Security page:
http://www.facebook.com/security ..."

« Reply #197 on: December 12, 2009, 13:51:21 »
AplusWebMaster Offline

FYI...

Phish for FTP pwd's...
- http://www.symantec.com/connect/blogs/phishing-wave-sniff-ftp-credentials
December 11, 2009 - "... attackers are targeting the FTP credentials of websites. The messages appear to come from various trusted Web hosting providers. So far we have observed that users of over 100 Web hosting providers are being targeted by this attack. The attackers ask users to click on the link provided in the spam message, which will lead the users to open an “FTP access confirmation” page where the FTP credentials of the recipients are stolen. Attackers use a phishing cPanel page to do this (cPanel* is a Web hosting administration tool)... The phishing URL contains a user’s email address and the domain name of a Web hosting service provider. Once FTP credentials are entered and submitted by clicking the “Confirm FTP Access” button, users are directed to their hosting site that is specified in a “service=” tag. Example:
http ://cpanel.[removed]. me.uk/scripts/cpanel-ftp-confirmation.php?session=[removed]&email=[removed]&service=[hosting domain name]
Giving up FTP details may lead to a further loss of confidential data, the hosting of illegal websites (child pornography sites, phishing sites, etc.), and/or delivery of malware to the victim's computer by the attacker..."
* http://www.cpanel.net/


Visa targeted by ZBOT phish/SPAM
- http://blog.webroot.com/2009/12/11/visa-targeted-again-by-zbot-phishers/
December 11, 2009 - "... targeting Visa with a fake email alert that leads to a page hosting not only a Trojan-Backdoor-Zbot installer, but that performs a drive-by download as well. This is the second time in less than a month that malware distributors have targeted Visa... we saw a similar scam involving links to bunk Verified By Visa Web pages... malware distributors are using fraudulent transaction warnings as a method to infect users with a keylogger capable of stealing their credit card information when the victim enters it into a shopping Web site, but Visa doesn’t issue these kinds of warnings—the Visa-card-issuing bank warns customers of suspected fraud themselves, and they never do anything with that level of urgency via email... As in earlier iterations of this scam, Zbot isn’t just interested in transaction details or Website logins. Zbot also steals the login credentials for virtually every Windows FTP client application — the tools that Web designers and other website administrators use to upload files to Web sites. FTP logins are far more valuable, because it gives the malware distributors another means to spread their code onto the Web. If you’ve been wondering why so many otherwise legitimate Web sites seem to be getting hacked, and having malicious code uploaded to Web sites belonging to small businesses, private individuals, and others, this is why: Zbot is taking those passwords, and handing them off to people who trade not only in malicious code, but in abusing the good reputations of legitimate Website owners or the people who help manage them.
Don’t be a victim: Don’t follow the link in the message. Don’t download the “statement” on the page. If you see a page that looks like the screen above*, immediately kill your browser and scan your computer for Zbot. The drive-by download component of this scam means you could be infected merely by visiting the page using a vulnerable browser. Most importantly, if you suspect a credit card fraud report email may be real, pick up the telephone and call the number on the back of your card."
* Screenshot available at the Webroot URL above.

M86 Security
- http://www.m86security.com/labs/i/Pushdo-Distrubuting-Malicious-VISA-Statements,trace.1207~.asp
December 14, 2009

« Last Edit: December 15, 2009, 03:05:46 by AplusWebMaster »
« Reply #198 on: December 15, 2009, 09:36:24 »
AplusWebMaster Offline

FYI...

ZBOT targets Facebook again (with SPAM)
- http://blog.trendmicro.com/zbot-targets-facebook-again/
Dec. 15, 2009 - "ZBOT has currently been spotted engaging in another spam run targeting Facebook yet again. By clicking the link embedded in the email, users will land on a Facebook phishing page. This time, however, the phishing page contains an iframe that points to a Web exploit toolkit. This exploit toolkit can deliver a variety of exploits, depending upon the user’s browser and OS. For users of Firefox, the toolkit will push a .PDF file (detected by Trend Micro as TROJ_PIDIEF.PAL) to exploit a known vulnerability in Collab.getIcon. If the user is not infected via the exploit toolkit, ZBOT is still left with the social engineering aspect. After a user enters credentials into the phishing page, the user is led to a download page of updatetool.exe -or- the ZBOT binary (detected as TSPY_ZBOT.CCB)..."
(Screenshot available at the URL above.)

DHL - SPAM appears to have come from known courier DHL
- http://blog.trendmicro.com/bredolab-regifts-old-spam/
Dec. 15, 2009 - "BREDOLAB set out on a spam rerun just in time for the holidays. This recent run is similar to the laptop delivery note spam run we reported in August. This time, however, the spammed message appears to have come from known courier, DHL. The spammed message makes it appear as though the users have received a notification from DHL, alerting them about an error in shipping a certain package. The message also prompts the users to open an attached file. The attached file DHL_package_label_cfb35.exe is detected as TROJ_BREDOLAB.CB. The dynamics of this spam run, although relatively old and simple, could still pack a punch, especially now that we are well within that part of the holiday season where most people do their gift shopping. People who may have purchased a laptop online and are expecting it to come through the mail are prone to being victimized by this attack..."
(Screenshot available at the URL above.)

« Last Edit: December 15, 2009, 09:47:03 by AplusWebMaster »
« Reply #199 on: December 26, 2009, 07:25:18 »
AplusWebMaster Offline

FYI...

SPAM - Christmas e-cards...
- http://blog.trendmicro.com/christmas-greetings-from-spammers/
Dec. 25, 2009 - "Spammers are clearly putting the holidays to (their) good use, as they have made Christmas just another reason to spread malware. Trend Micro threat analysts recently received a spammed message purporting to come from 123greetings.com, a legitimate site that users can access to send e-cards to family and friends. The email message even sported the site’s logo... However, upon further investigation of the spammed message’s header, we noticed that the sender’s IP address did not match that of the legitimate 123greetings.com site... The spammed message urges the user to download and open the .ZIP file attachment, which is actually an .EXE file detected by Trend Micro as WORM_PROLACO.Z, in order to view the greeting card... To keep your system malware-free this festive season, do -not- open unsolicited email messages..."

(Screenshots available at the URL above.)

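Added example (not part of the original posts or the vendor reports they quote): a Python triage routine for the attachment pattern described in Replies #196, #198 and #199 above, where a ZIP or a directly attached file turns out to be a Windows executable. It goes slightly beyond the posts by judging each file by its header rather than its name. The `PE_STUB` bytes, `make_zip` helper, extension list and member names other than those quoted above are constructed for illustration.

```python
import io
import os
import zipfile

HEAD_BYTES = 4096  # read only the start of each member, never the whole file
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".dll"}  # assumption: names treated as "honest"


def is_pe(head):
    """True if `head` starts with a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at the 'PE' signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    off = int.from_bytes(head[0x3C:0x40], "little")
    return head[off:off + 4] == b"PE\0\0"


def classify(name, head):
    """Return a verdict string for one file, or None if it is not a PE image."""
    if not is_pe(head):
        return None
    ext = os.path.splitext(name)[1].lower()
    if ext in EXEC_EXT:
        return "Windows executable"
    return f"Windows executable named as {ext or 'no extension'}"


def triage(filename, data):
    """Inspect an attachment, and every member of a ZIP attachment, by content."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        verdict = classify(filename, data[:HEAD_BYTES])
        return [(filename, verdict)] if verdict else []
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{filename}!{info.filename}"
            if info.flag_bits & 0x1:  # encrypted member: content is opaque to scanners
                findings.append((path, "encrypted member, not inspected"))
                continue
            with zf.open(info) as member:
                verdict = classify(info.filename, member.read(HEAD_BYTES))
            if verdict:
                findings.append((path, verdict))
    return findings


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (helper for the sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stub: only the header fields is_pe() reads, not a runnable program.
PE_STUB = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"

# Constructed samples; the first and last file names are the ones quoted in the posts.
FACEBOOK_ZIP = make_zip({"Facebook_Password_833fd.exe": PE_STUB})
ECARD_ZIP = make_zip({"card.jpg": PE_STUB, "readme.txt": b"Season's greetings"})
BENIGN_ZIP = make_zip({"notes.txt": b"nothing executable in this archive"})

if __name__ == "__main__":
    for name, blob in [("Facebook_Password_833fd.zip", FACEBOOK_ZIP),
                       ("ecard.zip", ECARD_ZIP),
                       ("notes.zip", BENIGN_ZIP),
                       ("DHL_package_label_cfb35.exe", PE_STUB)]:
        print(name, "->", triage(name, blob) or "no executable content")
```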
« Reply #200 on: December 29, 2009, 14:25:16 »
AplusWebMaster Offline

FYI...

Fox Sports site - injected with malicious code
- http://securitylabs.websense.com/content/Alerts/3516.aspx?
12.29.2009 - Malicious Web Site / Malicious Code - "Websense... has detected that the Fox Sports site has been compromised and injected with malicious code... Our research shows that the site has been injected with two pieces of malicious code. One of them is the latest Gumblar campaign, and the other redirects individuals to a malicious Web site, whose link was unreachable at the time of this alert. The ThreatSeeker Network has detected that thousands of Web sites have been compromised by the latest Gumblar campaign. The Gumblar page is highly obfuscated. After deobfuscation, the page uses PDF and Flash exploits to run malware in order to control a victim's computer. In addition, a piece of VBScript is executed to download malware..."

(Screenshots available at the Websense URL above.)

« Reply #201 on: January 01, 2010, 21:17:11 »
AplusWebMaster Offline

FYI...

New year related malware...
- http://www.f-secure.com/weblog/archives/00001847.html
December 31, 2009 - "The first signs of New Year malware for this year were already sighted a while back, but the current one we're seeing in circulation wishes "Happy New Year 2010" and points to a fast flux domain site which serves up Trojan-Downloader:W32/Agent.MUG. This particular trojan will try to install further malware, though the content it's pointing to seems to not yet be online, at least at the time of this post. Be careful when reading electronic happy New Year's wishes also this year..."

« Reply #202 on: January 05, 2010, 08:55:29 »
AplusWebMaster Offline

FYI...

SCAM spreading on Facebook and SEO...
- http://securitylabs.websense.com/content/Alerts/3518.aspx?
01.05.2010 - "Websense... has discovered several spam messages on Facebook that trick the user into visiting BINSSERVICESONLINE(dot)INFO. When the link in the message is clicked, the Web site -redirects- the user to an online scam site similar to the one we published in the blog Google Scam Kits* in mid-December. The use of Facebook to distribute links that lead to Google scam kits is fairly new, and is sure to trick some users into buying the kits. A lot of users have apparently received this message, as it quickly became a popular search string on Google. As we've seen in the past, there are criminal groups monitoring the popular search terms on Google and other search engines to start their own malicious attacks, so it didn't take long until we started seeing Google search results for BINSSERVICESONLINE leading to rogue AV products. Note that the two attacks are done by separate groups of criminals. One group started the spam attacks on Facebook and another started manipulating Google results..."
* http://securitylabs.websense.com/content/Blogs/3512.aspx

(Screenshots available at the Websense URL above.)

« Reply #203 on: January 10, 2010, 14:59:16 »
AplusWebMaster Offline

FYI...

Outlook Web Access SPAM Campaign...
- http://isc.sans.org/diary.html?storyid=7918
Last Updated: 2010-01-08 21:57:40 UTC ...(Version: 3) - "... an email campaign targeting OWA users that leads to malware infections... When you review the SPAM, notice the link that is displayed shows it is from our.org but the actual hyper link is to our.org .molendf.co .kr... traced the IP and am blocking it so if others get through the SPAM filter our users will not be able to get to the site... submitted the file to VirusTotal* to see what they found and it is very new..."
* http://www.virustotal.com/analisis/26efaeec869a31abb49fdcc6ef82207f1234f92b73de01589e8294a053f31d7b-1262953493
File settings-file.exe received on 2010.01.08 12:24:53 (UTC)
Result: 16/41 (39.02%)

Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
- http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html
UPDATED: January 10, 2010

Don't Update Your Email Settings
- http://www.m86security.com/labs/i/Don-t-Update-Your-Email-Settings,trace.1215~.asp
January 10, 2010

« Last Edit: January 26, 2010, 09:49:03 by AplusWebMaster »
« Reply #204 on: January 11, 2010, 06:38:33 »
AplusWebMaster Offline

FYI...

Bogus IRS W-2 form leads to malware
- http://blog.trendmicro.com/bogus-irs-w-2-form-leads-to-malware/
Jan. 11, 2010 - "... spammers now are capitalizing on the upcoming tax season. Recently, Trend Micro threat analysts found spammed messages purporting to come from the Internal Revenue Service (IRS). The spammed message bears the subject, “W-2 Form update,” and informs users to update the said form because of supposed “important changes.” The W-2 form states an employee’s annual salary and total tax. The spammed message looks normal since the URLs and phone numbers in it are legitimate. This was probably done so users will not suspect anything. It also encourages users to open the attached .RTF file (Update.doc), which is supposed to be the W-2 form. When users open the .RTF file, however, they will see an embedded .PDF file. This supposed PDF file is actually an .EXE file that uses the PDF icon. This is detected by Trend Micro as BKDR_POISON.BQA. BKDR_POISON.BQA is a component of the Darkmoon Remote Administration Tool (RAT), which enables a malicious user to execute commands on the affected system. Interestingly, this backdoor attempts to connect to a private IP address (192.168.29.1). This may be the attacker’s misconfiguration, or an attack targeting a specific internal network environment... Users are strongly advised not to open any suspicious-looking emails even though they came from a supposedly known source. It is also recommended that users verify with IRS if the email they received is legitimate or not..."

(Screenshots available at the TrendMicro URL above.)

- http://www.viruslist.com/en/weblog?weblogid=208188001
January 07, 2010

- http://www.us-cert.gov/current/#irs_warns_of_online_scams
January 13, 2010 - "... The U.S. Internal Revenue Service has issued a news release* on its website warning consumers about potential scams. These scams are circulating via fraudulent email or other online messages appearing to come from the IRS. They attempt to convince consumers to reveal personal and financial information that can be used to gain access to bank accounts, credit cards, and other financial institutions..."
* http://www.irs.gov/newsroom/article/0,,id=217794,00.html

« Last Edit: January 14, 2010, 09:45:34 by AplusWebMaster »
« Reply #205 on: January 13, 2010, 05:14:07 »
AplusWebMaster Offline

FYI...

40 trillion SPAM messages were sent in 2009...
- http://www.symantec.com/connect/blogs/2000-2009-spam-explosion
January 12, 2010

(Interesting 2001-2009 Growth chart available at the URL above.)


« Reply #206 on: January 14, 2010, 05:06:58 »
AplusWebMaster Offline

FYI...

Banker Scams - SPAM...
- http://blog.trendmicro.com/banker-scams-new-spam-victims/
Jan. 14, 2010 - "Two new spam campaigns spreading variants of the BANKER family of identity-stealing Trojans have recently emerged. The first campaign features spammed messages containing malicious links to supposed pictures. Once clicked, however, users ended up with TSPY_BANKER.OCN infections. This campaign made use of standalone files... The second campaign was more elaborate, as the involved malware (detected as TSPY_BANKER.MTX) had two components - one steals banking-related information while the other steals email account information... Both campaigns may, however, be related, as the information they steal from users ends up in drop zones that are hosted on the same Web server:
* {BLOCKED}unicaobr .com/phps/procopspro .php
* {BLOCKED}unicaobr .com/working/lisinho .php
Looking for more details on webcomunicaobr .com revealed the following details:
IP: 69.162.102.130 Hosted in the USA
ASN: AS46475 LIMESTONENETWORKS Limestone Networks Inc. Primary ASN
ns1 .brasilrevenda .com
ns2 .brasilrevenda .com
Digging a little bit deeper still, three interesting pages cropped up that revealed the number of systems each contracted spammer has infected so far... a list of PHP servers where stolen information is sent... and a list of files that contained encrypted information downloaded by infected hosts..."

(Screenshots available at the TrendMicro URL above.)

« Reply #207 on: January 21, 2010, 21:15:32 »
AplusWebMaster Offline

FYI...

Targeted e-mail examples relating to MS IE 0-day CVE-2010-0249
- http://securitylabs.websense.com/content/Alerts/3536.aspx
01.21.2010 - "Websense... has reports that emails linking to malicious web-based exploit code that utilizes the vulnerability CVE-2010-0249 have been sent to organizations in a targeted manner since December 2009, and the attack is still on-going. This same vulnerability was used to target Google, Adobe, and approximately 30 other companies in mid-December 2009.... Investigation has so far led to the conclusion that these targeted attacks appear to have started during the week of 20 December 2009, and are on-going to government, defence, energy sectors and other organizations in the United States and United Kingdom. Within the malicious emails the sender's domain is spoofed to match the recipient's domain making the targeted emails more convincing to the recipient. The malicious executables that are delivered by the exploit code include hxxp ://cnn[removed]/US/20100119/ update.exe or hxxp ://usnews[removed]/ svchost.exe. These exhibit traits of an information-stealing Trojan with Backdoor capabilities. As of today only 25% of AV vendors protect against the payload according to this VT report*. Example email subjects include:
"Helping You Serve Your Customers"
"Obama Slips in Polls as Crises Dominate First Year as President"
"2010 ***** Commercial SATCOM"
"The Twelve Days of Christmas" ...
* http://www.virustotal.com/analisis/ee6d60ade4f20dd305ab27100623718d0ea8409be524d45e7b375269857fd797-1264090078
File update-exe-.txt received on 2010.01.21 16:07:58 (UTC)
Result: 11/41 (26.83%)

>>> http://boards.cexx.org/index.php?topic=18628.msg80254#new

« Last Edit: January 21, 2010, 21:36:49 by AplusWebMaster »
« Reply #208 on: January 25, 2010, 04:41:39 »
AplusWebMaster Offline

FYI...

40% of a month’s malware - Troj/JSRedir-AK
- http://www.sophos.com/blogs/sophoslabs/v/post/8338
January 25, 2010 - "It has been a month since we added detection for Troj/JSRedir-AK* and figures generated today show that over 40% of all web-based detections have been from this malicious code. Translating the numbers into a more human comprehensible form: 1 site every 15 secs was being detected as Troj/JSRedir-AK. The affected sites include well-known names, including:
• Energy Companies
• Retail Companies
• Automobile Club
• Hotels
...Using the JavaScript .replace the malware deobfuscates itself and dynamically writes an iframe pointing to a Russian website on port 8080 which serves up scripts detected as Troj/Iframe-DL. This new script will write an iframe that will attempt to load a PDF (detected as Troj/PDFJs-FY) and a file claiming to be a JPG (detected as Exp/VidCtl-A). These then will install various other malware. Troj/JSRedir-AK is a continuation of the Gumblar gang’s exploits using Russian domains instead of Chinese ones... very similar to the one we saw for Troj/JSRedir-R and the infection mechanisms seem to be the same (i.e. FTP credentials)."

(Interesting graph available at the URL above.)

* http://www.sophos.com/security/analyses/viruses-and-spyware/trojjsredirak.html
"More Info... Troj/JSRedir-AK will redirect the web browser to other malicious websites."

« Last Edit: January 25, 2010, 04:54:23 by AplusWebMaster »
« Reply #209 on: January 26, 2010, 11:14:58 »
AplusWebMaster Offline

FYI...

Q4 '09 web-based malware data and trends
- http://blog.dasient.com/2010/01/q409-web-based-malware-data-and-trends.html
January 26, 2010 - "... the way malware is being distributed is undergoing a fundamental shift, with more attackers focusing on "drive-by downloads" from legitimate sites that have been compromised, or from sites designed specifically for malicious purposes. In nearly all the variations on this kind of attack, no user action is required for the infection to occur, beyond loading the site in a browser - and there are very few signs that malicious code has been downloaded... Based on the telemetry data we've gathered from the web, we estimate that more than 560,000 sites and approximately 5.5 million pages were infected in Q4'09, compared with more than 640,000 sites and 5.8 million pages in Q3'09. By the end of the year, we had identified more than 100,000 web-based malware infections... we saw a more significant drop in the number of infected sites than we did in the number of infected pages because each infection tended to spread to a larger number of pages on each site... more than four of every 10 sites infected in the quarter were reinfected within a space of three months... the file names most often used in drive-by downloads included things like "setup.exe," "update.exe" (which was used in the Google attack), and "install_flash_player.exe"... In previous years, a drive-by download would often initiate 10 or more extra processes, ostensibly in an attempt to maximize the return from each infected endpoint. In response, the search providers and anti-virus vendors who scan the web for infected sites began using the number of extra processes initiated as a signal that the webpage might be malicious. But in Q4'09, the average number of extra processes initiated was just 2.8 -- enough for a downloader and perhaps one or two pieces of malware. Clearly, attackers are getting smarter about the way they structure their attacks, opting for a smaller fingerprint on an infected machine in exchange for a greater likelihood of evading detection..."

« Last Edit: January 26, 2010, 11:38:33 by AplusWebMaster »