Culture Jamming

[Urgent Block: BlackHole Exploit Kit redret Spam Domains]

FYI...

Urgent Block: BlackHole Exploit Kit redret Spam Domains
- http://www.malwaredomains.com/wordpress/?p=2220
December 6th, 2011 - "From the Internet Storm Center*... IP addresses to block are also in the article*. Also see this article**. Will be added here but you shouldn’t wait."

* https://isc.sans.edu/diary.html?storyid=12145
Last Updated: 2011-12-06 03:04:51 UTC - "... all domains still active/resolving that host BlackHole exploit kit, the actual one and not the links on the spams...
czredret .ru, curedret .ru, ctredret .ru, crredret .ru, bzredret .ru,  byredret .ru, bxredret .ru, bwredret .ru,
bvredret .ru, bsredret .ru,  bpredret .ru, boredret .ru, blredret .ru, bkredret .ru, biredret .ru, bhredret .ru,
bgredret .ru, bfredret .ru, beredret .ru, bdredret .ru, bcredret .ru, bbredret .ru, aredret  .ru, apredret .ru,
amredret .ru, alredret .ru, akredret .ru, ajredret .ru, airedret .ru, ahredret .ru, agredret .ru, afredret .ru,
aeredret .ru, adredret .ru, acredret .ru, abredret .ru, aaredret .ru
... they are resolving to:
95.163.89.193, 89.208.34.116, 94.199.51.108, 91.220.35.38, 77.79.7.136,  95.163.89.200, 91.228.133.120
In recent past, the following IPs were also observed hosting them:
188.190.99.26, 87.120.41.191, 94.199.53.14, 89.208.34.116...
Comments (12.06.2011, 19:21 UTC): 79.137.237.63 is hosting these domains crredret .ru, ctredret .ru,  curedret .ru, czredret .ru"

- https://blogs.msdn.com/themes/blogs/generic/post.aspx?WeblogApp=alexhomer&y=2011&m=02&d=06&WeblogPostName=blocking-malware-domains-in-isa-2006&GroupKeys=
"... malware that connects using an IP address instead of a domain name will -not- be blocked when you use just domain name lists..."

** http://blog.dynamoo.com/2011/11/bredretru-domains-to-block.html
23 November 2011

 

[Affected and abused domains]

FYI...

Affected and abused domains ...
- https://isc.sans.edu/diary.html?storyid=12178
Last Updated: 2011-12-10 17:42:46 UTC - "... covered the emergence of hacked DNS zones ("What's In A Name") a couple weeks ago*... domains affected have been abused for the past several days to push copies of the BlackHole Exploit Kit. The IP range used changes about every three, four days:
188.247.135.37 in use until Dec 2, AS34714, Opticnet, Romania
146.185.245.72 in use until Dec 5, AS43215, Monyson Group, Russia
... exploit code politely checks which version of Java is present, and only launches the exploit on Java installations that are not running the very latest update. Unfortunately, this seems to be the case for the majority of Java deployments out there. Today, almost two weeks after this latest wave of exploits started, the exploit code for CVE-2011-3544 is still only detected by roughly half the anti-virus companies on VirusTotal**... by far the most successful for the bad guys at the moment..."
* http://isc.sans.edu/diary.html?storyid=11770

** https://www.virustotal.com/file-scan/report.html?id=6035dd777149917b92741e6949c7ef01556e8afa3c5dd57a09c3429e7db60bb4-1323534647
File name: v1.class
Submission date: 2011-12-10 16:30:47 (UTC)
Result: 19/43 (44.2%)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3544
Last revised: 11/24/2011
CVSS v2 Base Score: 10.0 (HIGH)

 

[100$ or a free iPad! - scam]

FYI...

100$ or a free iPad! - scam
- https://isc.sans.edu/diary.html?storyid=12184
Last Updated: 2011-12-12 23:21:39 UTC ...Version: -3- "... several misspellings of wikipedia are used in this scam, in addition to many other domains. wikipeida-org, wikepedia-org, wictionary-org, wikpedia-com, wikispaces-cm are all domains with a typo that redirect visitors to a "you won a prize" page... to claim the prize lots of personal information must be entered...
Update: Other prominent typo domains affected include youtrube-com, youotube-com, youzube-com..."
> https://isc.sans.edu/diaryimages/you-won.jpg

 

[CA incident report]

FYI...

CA incident report...
- https://isc.sans.edu/diary.html?storyid=12205
Last Updated: 2011-12-14 17:39:34 UTC - "GlobalSign released a press release today to address concerns that they may have had a compromise of their CA infrastructure.
http://www.globalsign.co.uk/company/press/121411-security-incident-report.html
They did a good job of stating what they did find and what they didn’t. They also address new measures put in place to improve their overall security posture.
“We didn't find any evidence of
* Rogue Certificates issued.
* Customer data exposed.
* Compromised GlobalSign Root Certificate keys and associated Hardware Security Modules (HSM).
* Compromised GlobalSign Certificate Authority (CA) infrastructure.
* Compromised GlobalSign Issuing Authorities and associated HSMs.
* Compromised GlobalSign Registration Authority (RA) services.
What did happen
*  Peripheral web server, not part of the Certificate issuance infrastructure, hosting a public facing web property was breached.
*  What could have been exposed? Publicly available HTML pages, publicly available PDFs, the SSL Certificate and key issued to www .globalsign .com.
*  SSL Certificate and key for www .globalsign .com were deemed compromised and revoked. “

 

[Phish campaign targets users - timed with breach]

FYI...

Phish campaign targets users - timed with breach...
- http://nakedsecurity.sophos.com/2011/12/14/telstra-bigpond-users-targeted-in-post-data-breach-phishing-campaign/
December 14, 2011 - "A phishing campaign targeting customers of Telstra Bigpond, Australia's largest ISP, is urging users to confirm their billing information or risk the suspension of their account... All pretty run-of-the-mill - an access your account now by clicking on a link in this email or else spam - but neatly timed given that Telstra suffered a data breach last Friday. Personal information... was downloaded from an insecure Telstra customer portal last Friday (I have read numbers from 60,000 to 70,000), forcing Telstra to take down some of its services, including webmail, over the weekend. Ironically, the forced outage also prevented access to the Bigpond account management pages, making it hard for concerned users to change their passwords as a precaution against abuse, or, indeed, to check their account and billing information... an unpatched version of WordPress allowed the phishers to "borrow" services from an Aussie blogger... this email was obviously a phish:
- Bigpond doesn't send out access your account now by clicking on a link emails.
- The email contains numerous errors of orthography, spelling and grammar. Official Bigpond emails are professionally written.
- The link you are asked to click on has no obvious connection with Telstra or Bigpond.
- Official Bigpond emails to you aren't addressed to someone called "Duchess" with a competitor's webmail account (unless your name is Duchess, of course).
... if you run a WordPress blog, make sure you've applied the latest patches. Vulnerable blog sites can be a gold mine for cybercrooks."

 

[Ransomware impersonates the police]

FYI...

Ransomware impersonates the police
- https://blogs.technet.com/b/mmpc/archive/2011/12/19/disorderly-conduct-localized-malware-impersonates-the-police.aspx?Redirected=true
19 Dec 2011 - "... several samples of a ransomware family localized into different languages... We've so far seen variants localized into four languages: English, Spanish, German, and Dutch... Upon execution, the ransomware locks the computer, displays the localized screen.. and demands the payment of a "fine" for the supposed possession of illicit material. In order to make the computer functional again, the user is asked to transfer money via a legitimate online payment service, such as Paysafecard or Ukash, to the supposed authorities. These services are -not- involved in any way with the scammers' scheme; instead, they are being used for malicious purposes... In the case of Trojan:Win32/Ransom.DU... that impersonates the German Federal Police, 91.59% of the samples we received from July to November this year were found in Germany... this localized ransomware family can be distributed through drive-by downloads and that the Blackhole Exploit Kit is involved... nowadays Blackhole distributes many widespread malware families... PS: Just today we encountered a sample targeting residents of France..."
___

- http://blog.eset.com/2011/12/04/carberp-blackhole-growing-fraud-incidents
Dec. 4, 2011 - "... Based on the statistics obtained from one of the nodes hosting an active Black Hole exploit pack, the most frequently exploited vulnerabilities leading to system infection with malware are found in Java software... The exploited vulnerabilities aren’t really new: some of them are more than a year old... To prevent antivirus software detecting the dropper the Black Hole exploit kit includes functionality for measuring dropper detections by the most widely used antivirus software. When the number of detections reaches a defined value the dropper is repacked by the service responsible for it..."

 

[Email Bank Deposit Scam]

FYI...

Email Bank Deposit Scam
- https://www.usaa.com/inet/pages/2011_19_12_deposit_phish_scam
12/19/2011 - "USAA's Enterprise Security Group has found an aggressive email phishing scam directed at USAA Members. The email has a subject line "Deposit Posted."  What makes this particular phishing email different is there is a randomly generated four-digit number placed in the USAA Security Zone section... While this email* does not ask the recipient to click on a link, it does ask the member to open an attached file. When this file is opened it launches a malicious banking virus that if successfully launched could provide access to your personal information and may require a complete reinstall of your computers operating system.
What Members Should Do:
USAA Members are encouraged to take the following action if they receive this email:
    Make certain the four digits in the Security Zone section match the last four digits of your USAA member number.
    If the numbers do not match your member information you can delete it..."
* https://content.usaa.com/mcontent/static_assets/Media/121911_phishing_scam.gif?cacheid=3947825466

- https://www.us-cert.gov/current/#usaa_phishing_scam_and_malware
December 20, 2011
___

- http://www.informationweek.com/news/government/security/232301104?printer_friendly=this-page
Dec 28, 2011 - "The U.S. military received an unwanted present this Christmas holiday season in the form of an "aggressive" phishing attack that's been making the rounds of .mil email accounts, according to the Army*. There are several attacks making the rounds, the most notable coming in the form of an email with the subject line "Deposit Posted" that appears to be from USAA, a financial services company that services members of the military as well as their families and veterans... The email asks people to open a file infected by Zeus malware that can access people's personal information and even require a complete reinstall of a computer's operating system..."
* http://www.army.mil/article/71306/Aggressive_phishing_attack_targets_military/
Dec 23, 2011 - "... Official-looking emails appear to come from a senior officer or other authority figure not known to the recipient, instructing the recipient to download and install software. This is often portrayed as a critical security measure that must be immediately deployed. What actually happens is that the software is either a Trojan Horse that will destroy systems and networks, or data-mining software that will now be past firewall defenses..."

 

[Holiday fakes]

FYI...

Holiday fakes...
... They might take it, but they won't give it away...
- http://techblog.avira.com/wp-content/uploads/2011/12/microsoft-head.png

Ref: http://techblog.avira.com/2011/12/21/no-microsoft-will-not-give-you-1-million-dollars/en/
December 21, 2011 - "... No matter how realistic it seems..."

 

[Fake browser addons spread SCAMS]

FYI...

Fake browser addons spread SCAMS
- http://www.theregister.co.uk/2011/12/22/browser_plug_in_facebook_scam/
22 December 2011 - "... spreading scams on Facebook. Instead of using status updates as a lure, the latest generation of Facebook scams attempt to trick marks into installing malicious browser extensions. The plug-ins are supposedly needed to view non-existent video clips supposedly posted by an earlier victim. Once installed, these malign browser ad-ons spread the scam from one user's profile to another... The bogus extensions come as add-ons for both Firefox and Chrome. More details of the scam, including screenshots, can be found in a blog post by Websense*..."
* http://community.websense.com/blogs/securitylabs/archive/2011/12/20/facebook-scams-kick-it-up-a-notch-with-firefox-chrome-plugins.aspx
"... The code checks which browser is installed and serves the compatible malicious plugin..."

 

[Amnesty Int'l site serving Java exploits]

FYI...

Amnesty Int'l site serving Java exploits...
- https://krebsonsecurity.com/2011/12/amnesty-international-site-serving-java-exploit/
December 22, 2011 - "Amnesty International‘s homepage in the United Kingdom is currently serving malware that exploits a recently-patched vulnerability in Java. Security experts say the attack appears to be part of a nefarious scheme to target human rights workers... The site’s home page has been booby trapped with code that pulls a malicious script from an apparently hacked automobile site in Brazil. The car site serves a malicious Java applet that uses a public exploit to attack a dangerous Java flaw*... The site remains compromised..."

- http://www.barracudalabs.com/wordpress/index.php/2011/12/22/authoritarian-regime-uses-human-rights-group-to-spy-on-activists/
Comment: Emerson Povey @ amnesty.org.uk - December 23, 2011 - "... we have been working with our hosting service to resolve the issue. They have cleaned our servers, rebooted the system and removed the script from the default page. At 2pm today they confirmed that the problem is now fixed."

- http://www.barracudalabs.com/wordpress/index.php/2011/12/22/authoritarian-regime-uses-human-rights-group-to-spy-on-activists/
December 22, 2011 - "... compromised on or before Friday, December 16... Amnesty International UK has been notified... Java content (stolen from the Metasploit project), which targets CVE-2011-3544. If the exploit is successful, malware is installed on the visitor’s system..."
VirusTotal Detections for Exploit
... a more up-to-date report (24/43) for this file:
- https://www.virustotal.com/file-scan/report.html?id=1cc214cee10f02d37359c0e3d04fd57899333c4b1eaa81489c74e5c2fa17c3a8-1324550847
File name: 542b24f1da13f0b1d647f3865b09e026bf00d4ef.bin
Submission date: 2011-12-22 10:47:27 (UTC)
Current status: finished
Result: 24/43 (55.8%)
VirusTotal Detections for Exploit Payload
... a more up-to-date report (22/43) for this file:
- https://www.virustotal.com/file-scan/report.html?id=0e53832e1c36d34a3d05c05f73ebab22a74ade95c5f3b7d9f74fad4f56d10023-1324397991
File name: f91dd927fd78a36176a68998304d70c8
Submission date: 2011-12-20 16:19:51 (UTC)
Result: 22/43 (51.2%)

* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3544
Last revised: 11/24/2011
CVSS v2 Base Score: 10.0 (HIGH)

Current versions of Java here*:
* http://www.oracle.com/technetwork/java/javase/downloads/index.html

 

[.nl.ai?]

FYI...

.nl.ai?
- https://isc.sans.edu/diary.html?storyid=12280
Last Updated: 2011-12-28 00:51:54 UTC - "Now .. where is nl.ai ?? Dot-ai is Anguilla, a speck of land in the Caribbean, to the east of Puerto Rico. And probably has nothing at all to do with what follows. Dot-nl-dot-ai, on the other hand, appears to be a free domain name registrar.
If you're into malware analysis, you've probably seen your fair share of .nl.ai domains recently. And not just these. Feeding "nl.ai" into RUS-CERTs Passive DNS collector http://www.bfk.de/bfk_dnslogger.html?query=ns1.cd.am#result gives us the name server for .nl.ai (one ns1.cd.am), which in turn shows a couple of other domains that are currently very familiar to the malware analyst. Like .c0m.li, and .cc.ai.
If you are blocking domains on your gateway or DNS server, blackholing these few:
.cc.ai
.nl.ai
.c0m.li
.cd.am
.coom.in
 ... might be a reasonable move, at least until someone in your business can show that they have a legitimate need to access one of the sub domains of these pseudo top level domains. Mind you, chances are that not all domains hosted there in fact are bad. But all the ones that I've seen in my logs so far: were."

 

[QR code malware]

FYI...

QR code malware ...
- http://www.darkreading.com/taxonomy/index/printarticle/id/232301147
Dec 29, 2011 - "... QR codes, hackers are starting to take advantage of these square, scannable bar codes as a new way to distribute malware. Like all mobile attack vectors, it is a new frontier that security researchers say is not extremely prevalent but which has a lot of potential to wreak havoc if mobile developers and users stand by unaware... Just point your mobile device's camera on the code, scan it and the reading will take you to the website or mobile app download that its promoter promises to provide... There are a number of ways they are already using malicious codes to perpetrate their scams. On iOS devices, for example, hackers are re-purposing jail-break exploits to send users to websites that will jailbreak the device and install additional malicious malware... attackers are using QR codes to redirect users to fake websites for phishing..."
___

- http://community.websense.com/blogs/securitylabs/archive/2012/01/09/spam-emails-link-to-qr-codes.aspx
9 Jan 2012

 

[Web hijacks with AJAX]

FYI...

Web hijacks with AJAX
- http://labs.m86security.com/2012/01/web-hijacks-with-ajax/
January 3, 2012 - "... a malicious site which loads parts of its attack using AJAX (Asynchronous JavaScript and XML), a method for client-side code to asynchronously exchange data with web servers. The following attack was observed on a currently running server located in China, which is serving malware... This code is very similar to code commonly used in so many web pages nowadays. The main difference is the extra parameters it accepts, which are used to “cut” certain parts from the accepted content, so it could be processed and executed as code later on... Using the exact same technique, this web page can load various browser or plugin exploit attempts. In this specific case, the page loads an SWF file exploiting CVE-2010-1297. Other pages on this server are exploiting CVE-2010-0806 and CVE-2010-0249. The main reason that malware authors use AJAX is the ability to write generic attack pages which look benign and become malicious only once the dynamic content is loaded. This provides an advantage which is also very useful for evading AV detection, since tiny bits of the attack can be loaded one at a time, thus making it very difficult to provide a signature..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0249 - 9.3 (HIGH)
MS10-002 - IE "... as exploited in the wild..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0806 - 9.3 (HIGH)
MS10-018 - IE "... as exploited in the wild..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1297 - 9.3 (HIGH)
Adobe Flash Player, Reader, and Acrobat "... as exploited in the wild..."

Also: https://isc.sans.edu/diary.html?storyid=12313
Last Updated: 2012-01-03 09:37:04 UTC - "... very nasty JavaScript... potentially malicious JavaScript files..."

 

[Post Transaction fraud schemes erase evidence of account theft]

FYI...

Post Transaction fraud schemes erase evidence of account theft ...
- https://www.trusteer.com/blog/gift-wrapped-attacks-concealed-online-banking-fraud-during-2011-holiday-season
January 04, 2012 - "... During the final few weeks of 2011, we saw fraudsters take advantage of this trend with their latest fraud scheme... we’ve typically seen man-in-the-browser attacks take place at one of the three possible online banking phases... There is another, less discussed, form of man-in-the-browser attack – the post transaction attack... as the name implies, occur after the evil deed has already been done and the account holder has closed the online banking session. These are designed to conceal illegitimate activity for as long as possible to either allow money to transfer to its final destination – uninterrupted, or continue to control the account and perform further transactions... Just before the recent holiday season, we came across a SpyEye configuration which attacks banks in the USA and UK. Instead of intercepting, or diverting, email messages... the attack automatically manipulates the bank account transaction webpage the customer views... a post transaction attack is launched that hides fraudulent transactions from the victim..."
(More detail at the trusteer URL above.)

 

[Worm on Facebook steals 45,000 logins]

FYI...

Worm on Facebook steals 45,000 logins ...
- http://blog.seculert.com/2012/01/ramnit-goes-social.html
January 5, 2012 - "... Seculert's research lab has discovered that Ramnit recently started targeting Facebook accounts with considerable success, stealing over 45,000 Facebook login credentials worldwide, mostly from people in the UK and France... Recently, our research lab identified a completely new 'financial' Ramnit variant aimed at stealing Facebook login credentials. Since the Ramnit Facebook C&C URL is visible and accessible it was fairly straightforward to detect that over 45,000 Facebook login credentials have been stolen worldwide, mostly from users* in the United Kingdom and France...
* http://1.bp.blogspot.com/-F2YMFY8HB-o/TwWh91V2TFI/AAAAAAAAADw/FJHGPgCHcVY/s1600/ramnitbycountry.png
... We suspect that the attackers behind Ramnit are using the stolen credentials to log-in to victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further. In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks... With the recent ZeuS Facebook worm and this latest Ramnit variant, it appears that sophisticated hackers are now experimenting with replacing the old-school email worms with more up-to-date social network worms. As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands..."
___

- http://www.theregister.co.uk/2012/01/19/ramnit_re_visited/
19 January 2012