Tuesday, 27 October 2009

"Facebook Password Reset Confirmation" trojan

This trojan claims to be something to do with a Facebook password reset, but it's a plain old EXE-in-ZIP trojan attack.

Subject: Facebook Password Reset Confirmation.
From: "The Facebook Team" <>

Hey fortunes ,

Because of the measures taken to provide safety to our clients, your password has
been changed.

You can find your new password in attached document.

The Facebook Team


The Trojan is widely detected as a version of Bredolab. ThreatExpert report is here.

Remember, if you can block EXE-in-ZIP files at your mail gateway, it is well worth doing.
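As an added example (not from the original post), a Python gateway-side check that opens each ZIP attachment and flags executables inside it both by extension and by the "MZ" header of Windows PE files, so a renamed .exe is still caught. The message, attachment name and fake executable bytes are constructed here, not taken from the spam above.

```python
import email
import io
import zipfile
from email.message import EmailMessage

EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
MAX_MEMBERS = 1000  # bound the work done on a pathological archive


def executables_in_zip(data: bytes) -> list:
    """Names of archive members that are executables, by extension or by MZ header."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist()[:MAX_MEMBERS]:
                if info.filename.lower().endswith(EXEC_EXTENSIONS):
                    found.append(info.filename)
                    continue
                with zf.open(info) as member:       # a renamed PE file still starts "MZ"
                    if member.read(2) == b"MZ":
                        found.append(info.filename)
    except zipfile.BadZipFile:
        return []                                   # not a ZIP at all
    return found


def scan_message(raw: bytes) -> list:
    """(attachment name, member name) pairs that should cause the mail to be blocked."""
    hits = []
    for part in email.message_from_bytes(raw).walk():
        payload = part.get_payload(decode=True)
        if payload is None:                         # multipart container, no body
            continue
        name = part.get_filename() or ""
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            hits += [(name, m) for m in executables_in_zip(payload)]
    return hits


def build_sample_message() -> bytes:
    """Constructed lure in the style of the spam above (fake PE bytes, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Password.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"You can find your new password in attached document.")
        zf.writestr("new_password.pdf", b"MZ" + b"\x00" * 62)   # executable renamed to .pdf
    msg = EmailMessage()
    msg["Subject"] = "Facebook Password Reset Confirmation."
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Facebook_details.zip")
    return msg.as_bytes()
```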

Monday, 26 October 2009

Yeah, right!

A tip about a site called proved interesting.. is this a real site, or is this a scam?

Well, let's put it this way.. a company selling a brand new $750 cell phone for $261.. especially when the phone isn't even out yet and won't be for some weeks.

Yes, this is another Chinese site where prices are "too good to be true", which usually means that they aren't. Let's dig a little closer, shall we?

The WHOIS details say:

Registrant Contact:
zhong jian ping
jian ping zhong
03165544345 fax: 03165544345
shanghai shanghai 332210

Who knows.. they might even be true! The domain was registered in June 2009, so it has been around for a couple of months. The fax number of 03165544345 is related to the domain which has a rotten reputation.

The server is which has been used to host a fake bank before, and has a lot of other "too good to be true" electronics sites, although there could be some legitimate sites here too. One in particular is with similar registrant details:

Registrant Contact:
zhong jian ping
jian ping zhong
010-3884111 fax: 010-3884111
beijing beijing 210012

The email address is also linked with which also has a rotten reputation.

These other domains seem to belong to the same person - it's easy enough to research them to draw your own conclusions:

  • (
  • (
  • (
  • (
  • (
  • (offline)
  • (
  • (

There are a lot, and I do mean a lot, of potentially linked sites in this network. But if you avoid purchasing from sites where the prices are unreasonably low, then that will be a simple way of protecting yourself.

Saturday, 24 October 2009

Uh.. what?

A case of "WTF is this spam trying to do"? It looks like this noobie spammer thinks that sending out millions of copies of their banking details is going to be the path to riches.. rather than (say) identity theft. Spam originates from in Shaanxi Province, China, which matches the banking details.

Out of a possibly misguided sense of pity, I have omitted some of the digits from the account number!

Subject: Electronic mail messages webmaster:
From: "The webmaster"

You will actively support god. Each user donated $500 a lifelong use
email. As senior members...

You are christians, please send email forwarded others thirty times,
and charitable donations to me, god will bless you! God will


Please send money into my account at Bank of China.
Bank name: the bank of China
A/C NO: 2979 7702 0007 xxx
IN A/C WITH: Zhang Lu Xi
Address: 38 Juhua Yuan, Xi'an 710001, Shaanxi Prov., China
Swiftcode: BKCH CN BJ 620

You can use high-speed does not capture email

E-mail the webmaster 2009.10.23.

Tuesday, 20 October 2009

Police Fail

Never mind the slightly dubious issue of mapping crime hotspots, the announcement of a new service using data from the UK's police force to map crime was always going to generate a lot of interest.

The map is meant to look something like the image on the right, but because this is the UK the server is clearly underspecified for the amount of interest it is generating: anyone who actually tries to visit gets the rather predictable result below:

It's all a bit reminiscent of when the 1901 Census site went offline for months. Is it beyond the capabilities of the people implementing to judge demand?

Incidentally, the Met have a similar mapping system sensibly powered by Google, which seems to work quite well.

Monday, 19 October 2009

Google indexing private Google Voice transcripts?

A disturbing item from the Boy Genius Report indicates that seemingly private Google Voice transcripts are appearing in Google search results with a seemingly simple search string. Although some of these are "test" messages, one or two do seem to be the real deal. Oops.

Wednesday, 14 October 2009

"A new settings file for the blah@blah.blah mailbox"

A clever bit of social engineering, looks like Zbot:

From: alert@blahblah.tld
Subject: A new settings file for the name@blahblah.tld mailbox

Dear user of the blahblah.tld mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (name@blahblah.tld) settings were changed. In order to apply the new set of settings click on the following link:

Best regards, blahblah.tld Technical Support.

The link is a forgery, underneath it is actually
?email=name@blahblah.tld&from=blahblah.tld&fromname=name was registered just today, the registration details are:

October 14, 2009
Letzte Aktualisierung
October 14, 2009, 4:35 pm

Spasova, Galia
Galia Spasova
j.k. Droujba-1
44231 paris

Probably fake you might think, except that "j.k. Droujba-1" is an address in Sofia, not Paris. And it belongs to a company called GE-88 Ltd who have a website of So, the email address in the WHOIS does seem to trace back to a Bulgarian company. And what does GE-88 Ltd do? Ummm.. well, it appears to manufacture alloys. It could be fake, perhaps their mailserver is compromised..

Nameservers are and ( - Noc4Hosts Inc) (although the site is not resolving at the moment).

Just as I was typing this in, another one came through using the domain as a redirector:

Domain name:

Evelyn Wilson

Registrant type:
Non-UK Individual

Registrant's address:
805 E. Stocker

Webfusion Ltd t/a [Tag = 123-REG]

Relevant dates:
Registered on: 14-Oct-2009
Renewal date: 14-Oct-2011
Last updated: 14-Oct-2009

Registration status:
Registration request being processed.

Name servers:

Again, this one isn't resolving yet but it was just registered today.

Suspect ad network leads to PDF exploit

This was picked up from an ad apparently running on

An ad from loads an ad from so far, pretty normal.

The next step is:

This domain is protected by DomainsByProxy, registered in December 2007 and is hosted

The site has the following contact details:

Bootcamp Media
121 Wyndham St. N.
Suite 202
Guelph, Ontario, Canada
N1H 4E9


1-519-515-0151 has a near-zero profile, but it may well be a legitimate company.

After this, the visitor starts to go well off the beaten track. The next hop is is registered to:

Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States

Registered through:, Inc. (
Created on: 15-Sep-09
Expires on: 15-Sep-10
Last Updated on: 15-Sep-09

Administrative Contact:
Owner, Domain
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

Technical Contact:
Owner, Domain
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

That email address of is well known. The subdomain is dual-homed on and (both NTT America, Inc).

The next hop is;b=2;c=0;z=406377 was registered on 17th September with the same "" contact details as is dual-homed on, (both NTT America, Inc).

Yet another hop, this time to{munged} was created on 7th August 2009, registered to (again). is hosted on at some outfit called Linode.

Yet another hop, this time to which is currently down but was hosted on (Netdirekt E.k) who are pretty well known for hosting bad sites (but they may well have nuked this one already, and if so.. well done!)

The owners of have something to hide..

96 Mowat Ave
Toronto, ON M6K 3M1

Domain name: WINCKAG.COM

Administrative Contact:,
96 Mowat Ave
Toronto, ON M6K 3M1
Technical Contact:,
96 Mowat Ave
Toronto, ON M6K 3M1

Registration Service Provider:,
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.

Registrar of Record: TUCOWS, INC.
Record last updated on 04-Oct-2009.
Record expires on 04-Oct-2010.
Record created on 04-Oct-2009.

Registrar Domain Name Help Center:

Domain servers in listed order:

This loads an image from multihomed on,, (some sort of cloud hosting) and then loads the following:

Those nameservers on are interesting, that's who are well known for supporting malware.

Finally, appears to try to load a Troj/PDFJs-DY trojan onto the victim's machine.

You should certainly avoid ads running on,,, or any domain registered to Make up your own mind about Boot Camp Media - these small ad networks are very often targeted by the bad guys, but they really need to get their act together.

Tuesday, 13 October 2009

running Zbot infrastructure servers

appears to be up to its dark grey hat antics again with a server at which is providing services to the current run of Zbot trojans, as seen (for example) with this recent ThreatExpert report.

Robtex reports that the server is also being used as the NS for a number of Zbot related domains, notably,,,,,, and several others connected with this spam run. is also the download server for various Zbot components.

Although probably has many legitimate customers (primarily from Malaysia, Thailand and South-East Asia), it seems to have a lot of bad ones too (including Prudent network administrators may want to consider blocking - which will probably not cause too many problems.

Wednesday, 7 October 2009

Orwellian Black Opel

I thought I'd get a photo of the Google Streetview car while it was having a rest.. and before it got me :)

Tuesday, 6 October 2009

injection attack

Another injection attack following on from this one: htmlads.js looks like it is being injected into IIS 6.0 servers. In this case, the string to look for in your logs is htmlads.js/ads.js, which is worth checking for and blocking if you can.

For the record, the domain registration details are:

domain: HTMLADS.RU
person: Private person
phone: +7 496 4047474
registrar: REGRU-REG-RIPN
created: 2009.10.05
paid-till: 2010.10.05
source: TC-RIPN

Monday, 5 October 2009

Are your personal details on

An interesting post caught my eye about a site called over at the CluBlog. It's a sort of collective where people trade other people's business card information, and it might well be the reason why my number of irrelevant direct marketing calls has gone through the roof.

The blog post also usefully tells you how to remove your details - recommended reading!

Sunday, 4 October 2009

Injection attacks:

seems to be the latest domain to be used by the bad guys in this current round of injection attacks. The injected code to look for is (obviously don't visit that page unless you know what you are doing). That leads to a heavily obfuscated piece of JavaScript which I haven't dissected yet.. but really there is no doubt that it is going to try to do something very bad to your computer!

Domain is registered to:
domain: ADBNR.RU
person: Private person
phone: +7 812 5706062
registrar: REGRU-REG-RIPN
created: 2009.09.29
paid-till: 2010.09.29
source: TC-RIPN

Both the telephone number and email address have been connected with malware attacks before.

Looks like it is using a fast flux botnet for hosting, but blocking should be effective.
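For this post and the htmlads.js/ads.js one above, an added example (not from the original posts) that scans IIS 6.0 W3C log lines for those two indicators. It assumes the injected request may arrive URL-encoded (even twice) or with the payload carried as a hex 0x... literal in the query string, so it decodes both before matching; the log lines are constructed, not real.

```python
import re
from urllib.parse import unquote_plus

INDICATORS = ("htmlads.js/ads.js", "adbnr.ru")       # strings from the posts above
HEX_LITERAL = re.compile(r"0x([0-9a-f]{8,})", re.IGNORECASE)


def normalise(text: str) -> str:
    """URL-decode twice (catches double encoding) and expand 0x... literals to text."""
    text = unquote_plus(unquote_plus(text))

    def expand(m):
        try:
            return bytes.fromhex(m.group(1)).decode("latin-1")
        except ValueError:                          # odd-length literal, leave it alone
            return m.group(0)

    return HEX_LITERAL.sub(expand, text).lower()


def scan_iis_log(lines):
    """Return (date time, c-ip, indicator) for every request that matches an indicator."""
    hits, fields = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]               # take the field layout from the header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        haystack = normalise(row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", ""))
        for ind in INDICATORS:
            if ind in haystack:
                hits.append((row["date"] + " " + row["time"], row.get("c-ip", "?"), ind))
                break
    return hits


# Constructed sample log (not real data); the hex literal encodes the first indicator.
_HEX = "htmlads.js/ads.js".encode().hex()
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status",
    "2009-10-06 03:12:44 10.0.0.5 GET /products.asp id=12 80 - 192.0.2.7 Mozilla/4.0 200 0 0",
    "2009-10-06 03:12:45 10.0.0.5 GET /products.asp id=12;cast(0x" + _HEX + "%20as%20varchar(4000)) 80 - 192.0.2.7 Mozilla/4.0 500 0 0",
    "2009-10-06 03:13:01 10.0.0.5 GET /redir.asp url=http%3A%2F%2Fadbnr.ru%2F 80 - 198.51.100.9 Mozilla/4.0 302 0 0",
]
```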

Thursday, 1 October 2009

and Asprox is back

I haven't had time to look at this fully, but it seems that a fresh round of Asprox attacks has started after several months of inactivity - in this case the domains and are in use.

Read more at CyberCrime & Doing Time.