
Showing posts with label Adobe. Show all posts

Monday, 20 October 2014

Adobe Billing "Adobe Invoice" spam / adb-102288-invoice.doc

This fake Adobe spam has a malicious Word document attached.

From:     Adobe Billing [billing@adobe.com]
Date:     20 October 2014 11:33
Subject:     Adobe Invoice

Adobe(R) logo    
Dear Customer,
Thank you for signing up for Adobe Creative Cloud Service.

Attached is your copy of the invoice.
Thank you for your purchase.

Thank you,
The Adobe Team
Adobe Creative Cloud Service
Adobe and the Adobe logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. All other trademarks are the property of their respective owners.

© 2014 Adobe Systems Incorporated. All rights reserved. 

Attached is a malicious Word document adb-102288-invoice.doc which has a VirusTotal detection rate of just 1/53. The Malwr report shows that the document contains macros which try to run when it is opened. If macros are enabled, this then downloads and executes a malicious binary from http://pro-pose-photography.co.uk/fair/1.exe, which also has a pretty poor detection rate of 2/53.

According to the Malwr report, this binary then reaches out to the following URLs:

http://62.75.182.94/66mAzAj8ko%2Ch$n=pS%3FgfE@%3Dx%7Efa/%24ysusij%2B%2C%2C%20kCbh2tc8ex%3Dnsgr_/%26
http://208.89.214.177/xWmWEs0Br+3%26KH0/ES$B6JR%2C+j3K2./%20SB
http://208.89.214.177/6ly5iKYr&q$%2CIYA/9Y8STPqNxu/j2hfMb6S
http://208.89.214.177/O4tHj8hw9RA~P%3FkB69agw.ksFx_&ce@%2DV%24/%2BSUq%2DBP$%24zqFH.O%2BRg%20%20/T%2D
http://208.89.214.177/yr3=E~SS+/%2Df7Y.OZk3M/~Ww6A3~33YQ%24UT%3D

The IPs in question are 208.89.214.177 (Virpus, US) and 62.75.182.94 (Intergenia, Germany).

The malware then drops another malicious binary, 2.tmp (which looks like a DLL). The VirusTotal detection rate for this is only 1/54. The Malwr report is inconclusive.

Recommended blocklist:
208.89.214.177
62.75.182.94
pro-pose-photography.co.uk
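As an added example (not from the original post), here is a small Python script that checks web proxy log lines against the blocklist above. The log format and the client IPs are constructed for illustration; the blocked hosts are the ones listed in the post, and subdomains of a listed domain are caught as well.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators taken from the recommended blocklist in the post above.
BLOCKLIST = {
    "208.89.214.177",
    "62.75.182.94",
    "pro-pose-photography.co.uk",
}

# Constructed sample proxy log: "timestamp client-ip method url" (not a real log).
SAMPLE_LOG = """\
1413804780 10.0.0.12 GET http://pro-pose-photography.co.uk/fair/1.exe
1413804785 10.0.0.12 GET http://208.89.214.177/xWmWEs0Br+3%26KH0/ES$B6JR%2C+j3K2./%20SB
1413804790 10.0.0.17 GET http://www.example.com/index.html
1413804795 10.0.0.12 GET http://cdn.pro-pose-photography.co.uk/other.exe
1413804800 10.0.0.20 GET http://62.75.182.94:8080/
"""

def blocked_host(host: str) -> Optional[str]:
    """Return the matching indicator if host (or any parent domain) is listed."""
    host = host.lower().rstrip(".")
    if host in BLOCKLIST:
        return host
    # Walk up the labels so that a subdomain of a listed domain is also caught.
    parts = host.split(".")
    for i in range(1, len(parts) - 1):
        parent = ".".join(parts[i:])
        if parent in BLOCKLIST:
            return parent
    return None

def scan_log(text: str) -> list:
    """Return (client, url, indicator) for every request to a blocklisted host."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip it
        client, url = fields[1], fields[3]
        host = urlsplit(url).hostname or ""  # strips any :port suffix
        indicator = blocked_host(host)
        if indicator:
            hits.append((client, url, indicator))
    return hits

if __name__ == "__main__":
    for client, url, indicator in scan_log(SAMPLE_LOG):
        print(f"{client} requested {url} (matches {indicator})")
```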

Thursday, 18 October 2012

Adobe CS4 spam / leprasmotra.ru

This fake Adobe spam leads to malware on leprasmotra.ru:

Date:      Thu, 18 Oct 2012 10:00:26 -0300
From:      "service@paypal.com" [service@paypal.com]
Subject:      Order N04833

Good morning,

You can download your Adobe CS4 License here -

We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.

Thank you for buying Adobe InDesign CS4 software.

Adobe Systems Incorporated

The malicious payload is at [donotclick]leprasmotra.ru:8080/forum/links/column.php hosted on:

72.18.203.140 (Las Vegas NV Datacenter, US)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, US)

Blocking access to those IPs is recommended.

Thursday, 11 October 2012

eFax spam / 173.255.223.77 and chase.swf

Two different eFax spam runs seem to be going on at the same time:
From: eFax Corporate [mailto:05EBD8C@poshportraits.com]
Sent: 11 October 2012 12:58
Subject: eFax notification



You have received a 50 page(-s) fax at Thu, 11 Oct 2012 07:58:06 -0400.
* The reference number for this fax is [2EA33CF].
Click the following link to view this message:
https://www.efaxcorporate.com/corp/twa/View?returnPageKey=2EA33CF
Please visit www.efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport@mail.efax.com.
Thank you for using the eFax Corporate service!


© 2012 j2 Global, Inc. All rights reserved.
eFax Corporate is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax Corporate Customer Agreement.

==========



From: eFax.Corporate [mailto:2C4C2348@aieservices.com.au]
Sent: 11 October 2012 12:51
Subject: eFax: You have received new fax



You have received a 34 page(-s) fax at Thu, 11 Oct 2012 13:50:54 +0200.
* The reference number for this fax is [97ECE658].
Click the following link to view this message:
https://www.efaxcorporate.com/corp/twa/View?returnPageKey=97ECE658
Please visit www.efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at corporatesupport@mail.efax.com.
Thank you for using the eFax Corporate service!


© 2012 j2 Global, Inc. All rights reserved.
eFax Corporate is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax Corporate Customer Agreement.


One leads to a malicious landing page at [donotclick]173.255.223.77/links/assure_numb_engineers.php hosted by Linode in the US.

The other one is a bit odder, referring to a file called chase.swf on a hacked site. VT analysis shows just 1/44 which is not good. That looks a bit like this:

{html}
{body}
{object width='255' height='57'}
 {param name='movie' value='infected.swf'} {/param}
 {param name='allowScriptAccess' value='sameDomain'} {/param}
 {embed width='255' height='57'
  src='hxxp:||[redacted].com/chase.swf' name='BridgeMovie'
  allowScriptAccess='sameDomain' type='application/x-shockwave-flash' }
 {/embed}
{/object}
{/body}
{/html}


Beats me what it is. Probably nothing good though...

Friday, 30 April 2010

Tuesday, 15 December 2009

Piradius.Net / Adobe Zero-Day threat

Another good reason not to have Adobe Reader on your PC - the ISC is reporting yet another zero-day threat being exploited by the bad guys, using the domain foruminspace.com.

And guess who is hosting it.. yes, our old friends at Piradius.net, showing just how dark grey their hat is and demonstrating another very good reason to block 124.217.224.0 - 124.217.255.255.

Friday, 13 March 2009

Adobe9.0-PDF.com

Here's an oddity when typing "Adobe" into Google.

The first ad refers to a web site called Adobe9.0-PDF.com - that's not Adobe, surely?


Nope.. it doesn't look like Adobe. Let's scroll down a bit


The bit at the bottom is interesting:


All trademarks and copyrights are used for comparison and/or compatibility purposes only and are the property of their respective owners. This website has no affiliation whatsoever with the owner of this software program and does not re-sell or license software. All software is freeware and/or shareware with the understanding that the user may need or want to pay for it later. Membership is for unlimited access to our site's resources. We provide an organized website with links to third party freeware and shareware software, technical support, tutorials and step by step guides.
To cut a long story short, you have to pay to download this free software (this is for "support").. of course you could just download it directly from Adobe.

So, this is kind of curious. Who's running this site? A look at the WHOIS for 0-pdf.com shows an anonymous registration, so no clue there.

The site is hosted on 208.118.54.244 along with several others:

  • 0-pdf.com
  • 1-pdf.com
  • Burning-toolz.com
  • Downzfree.com
  • E-s0ftware.com
  • Es0ftware.com
  • Freedownloadhq.com
  • Freedownloadsnow.net
  • Grafix-viewer.com
  • Internet-callz.com
  • Mediaplayer-stop.com
  • Populartitlez.com
  • Security-bundle.com
  • Virus-tools.com
  • Xtremesoftware-ltd.com
They are all anonymous registrations apart from the last one:

Registrant: Xtreme Software Ltd.
7 Petworth Road
Haslemere,
Surrey GU27 2JB
United Kingdom

Domain Name: XTREMESOFTWARE-LTD.COM
Created on: 13-Apr-07
Expires on: 13-Apr-09
Last Updated on: 13-Apr-08

Administrative Contact:
Software Ltd, Xtreme Support@XtremeSoftware-Ltd.com
Xtreme Software Ltd.
7 Petworth Road
Haslemere,
Surrey GU27 2JB
United Kingdom
8007843167 Fax --

Technical Contact:
Software Ltd, Xtreme Support@XtremeSoftware-Ltd.com
Xtreme Software Ltd.
7 Petworth Road
Haslemere,
Surrey GU27 2JB
United Kingdom
8007843167 Fax --

Domain servers in listed order:
NS1.COVERTTECHNOLOGY.NET
NS3.COVERTTECHNOLOGY.NET
NS2.COVERTTECHNOLOGY.NET


Incidentally, shuffle across a few IPs to 208.118.54.247 and there seems to be another server belonging to the same outfit.
  • 11-now.com
  • 7-now.com
  • 8-now.com
  • 8-pdf.com
  • 8-software.com
  • 8-ultra.com
  • 9-express.com
  • 9-now.com
  • 9-ultra.com
  • Anti-viruz.net
  • Antiviruz-now.com
  • Avast-hq.com
  • D0wnloadz.net
  • Download-9.com
  • Downloadcenterz.com
  • Downloadzcenter.com
  • Downloadznow.net
  • Downloadzsoftware.com
  • Dvdshrink-hq.com
  • Ed0wnloads.com
  • Esoftware-now.com
  • Irfanview-center.com
  • Irfanview-hq.com
  • Mediaplayer-hq.com
  • Panda-hq.com
  • Pdf-now.com
  • Pdf-soft.net
  • Powerdvd-7.com
  • Rarsoftware.com
  • S0ftware-now.com
  • S0ftware.com
  • S0ftwarez.com
  • Software-hq.net
  • Softwarecenterz.com
  • Swhq-cs.com
  • Tutorial-hq.com
  • Winamp-hq.com
  • Winrar-hq.com
So, it looks like a UK company - and indeed Companies House lists XTREME SOFTWARE LTD (company 05604124) as being associated with that address, but states that it is dissolved. Another company, XTREME-SOFT LTD (05723281), is listed at the same address.

Company records for Xtreme Software Ltd indicate that it was forcibly dissolved, and the director was:

DIRECTOR: SHULLICK, DAVE
Appointed: 07/11/2005
Date of Birth: (redacted)
Nationality: HUNGARIAN
No. of Appointments: 1
Address: 6434 BAY CEDAR LANE
BRADENTON
MANATEE
FLORIDA 34203
USA

Dave Shullick is also linked with the domain xtremetransactions.com and Xtreme Innovations, LLC of Ohio. Shullick and another site were mentioned in the Guardian article entitled Money for nothing in 2006. But as the company was forcibly dissolved in December 2008, who is running these web sites?

Xtremetransactions.com is also linked to from the Adobe9.0-PDF.com site, showing that the two are closely related.



The UK address isn't much of a clue - it belongs to a company called Fletcher Kennedy, who specialise in forming other companies. Fletcher Kennedy are nothing to do with the site; they fulfilled the legal role of company secretary for both "Xtreme" companies, but appear to have since terminated that relationship.

Is the other XTREME-SOFT company any relation? It's odd that they both have very similar names and the same address, but the only director listed for XTREME-SOFT LTD is in Saudi Arabia:

DIRECTOR: QUBAISI, MOHSEN
Appointed: 22/03/2006
Nationality: SAUDI
No. of Appointments: 1
Address: 31952 KOBAR STREET
SAUDI ARABIA
It's not clear if these two entities are actually related in any way.

So, here's an outfit that is hiding its details and appears to have been operated by a firm that had been forcibly dissolved. So who exactly is running it now?

Anyway, that's enough foreplay. Let's get down to the money shot. Let's say that you want to download the software, first there's a registration screen.. then you get to see what this is all about:

Yup, they're trying to stiff you with a £27 charge plus 83p per month to download a free bit of software. Goodness only knows what "download accelerator plus" is.

Here we go.. £37 for something that you can get for free. My advice? Avoid this one at all costs!



If you have paid money to this company and want a refund, this RipoffReport suggests the following:

MONEY RETRIEVED!

Don't let these people get away with what they do.

Keep on emailing them as well as the third-party that bills their accounts. I got a full refund, including the so-called $5.99 service charge.

Explore your options on the net. Report them to the internet fraud site. Contact your bank and report them. In fact, do everything that you need to do.

I did not stop, until I got everything back.
Allegedly, the contact email address is support@software-hq.net (and that domain seems to have generated a lot of complaints) but you may be better off contacting your bank if you believe that you have been misled in any way.