
Showing posts with label Bredolab. Show all posts

Friday, 6 August 2010

"Thank you for scheduling your online payment" email leads to malware

The spammers seem to be busy today, using an old trick of embedding a spam in a template lifted from a legitimate business. This particular one is from Chase bank in the US, and the key "hook" they use to get people to click is:
Thank you for scheduling your recent credit card payment online. Your ($USD) $117.00 payment will post to your credit card account (CREDIT CARD) on 08/06/2010. 

This seems to be exactly the same attack as used here and here, although in this case the intermediate site had already been cleaned up and the malicious payload could not be delivered.

Best Buy "Thank You, Your Anti-Virus Protection Plan has been renewed" email leads to malware

To prove that the Bad Guys have a sense of humour at least, this fake email claims to be a renewal subscription for Webroot:

From: Best Buy Subscription Software [mailto:noresponse@softwaresubscription.bestbuy.com]
Sent: 06 August 2010 11:23
Subject: Thank You, Your Anti-Virus Protection Plan has been renewed

Dear [victim]

Your Webroot Spysweeper with AntiVirus Product Protection Plan has been successfully renewed and charged to the credit card you have on file with us. With this automatic renewal, you will continue to have uninterrupted anti-virus software protection on your PC for another year plus these great benefits:

• Best in Class Security Software
• No hassle automatic renewals makes sure that you will never go unprotected
• Receive all version updates free of charge
• Cancel at any time and received a refund for any unused months of protection
• Simple Customer Support, Call 1-888-BESTBUY with any questions

-------------------------------------------------------------
Here are the details of your renewed Protection Plan:
-------------------------------------------------------------
Product: Webroot Spysweeper with AntiVirus Product
Protection Plan: Annual
Best Buy Serial Number: WBR00AV000044180817
Transaction Date: 7/19/2010
Renewal Price: $43.54


If you have any questions about your protection plan or your recent renewal, please contact our Customer Support Team at 1-888-BESTBUY (1-888-237-8289), and ask for the Subscription Software Team.

Thank you again for your business, and being a Best Buy Customer.

Sincerely,

Best Buy Stores, L.P.

Payload and approach seem to be exactly the same as this one, with a Bredolab dropper. Again, it routes through yummyeyes.ru and you should look for the same log entries of .ru:8080 and /x.html to make sure you are clean.

In this case the intermediate step is a hacked site at peninsula.co.nz/x.html but it probably varies.

If you are not in the US, then blocking bestbuy.com at your mail perimeter will do no harm.

"Thanks for planning your event with Evite" mail leads to malware

We're seeing a batch of fake emails "from" Evite [info@mailva.evite.com] with the subject "Thanks for planning your event with Evite".

Hi [victim],
Did you and your guests take photos at your event:
Curt's 30th Birthday!?
Click the button below to create an email asking your guests to share their photos.

Or click the button below to upload your own photos.


The link in the email leads to a hacked site (so far beroemdnaakt.net/x.html and www.myadexpert.org/x.html) but these are just intermediate steps, the payload site is at yummyeyes.ru:8080/index.php?pid=10 which then tries to download a poorly detected version of the Bredolab trojan.

yummyeyes.ru is multihomed on the OVH network:
188.165.95.133
188.165.192.106
188.165.212.54
91.121.108.61
91.121.122.81

Best bet is to block evite.com at your mail gateway, block yummyeyes.ru and monitor your outbound web log files for hits to .ru:8080 and /x.html.
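The log check recommended in this post and in the Best Buy one above (hits to .ru:8080, /x.html redirectors, the yummyeyes.ru hostname and its OVH addresses) can be scripted. The following is an added example, not code from the original post; it assumes squid's native access.log format (client address in field 3, URL in field 7, peer address in field 9), and the internal client addresses, the hostname other-example.ru and the peer address 203.0.113.7 in the sample lines are constructed for illustration. The indicators themselves are the ones listed in the posts.

```python
import re
from collections import defaultdict

# Indicators taken from the posts above.
PAYLOAD_HOSTS = {"yummyeyes.ru"}
PAYLOAD_IPS = {"188.165.95.133", "188.165.192.106", "188.165.212.54",
               "91.121.108.61", "91.121.122.81"}
INTERMEDIATE_HOSTS = {"peninsula.co.nz", "beroemdnaakt.net", "www.myadexpert.org"}

URL_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)?$")


def classify_url(url):
    """Return the list of indicator names a URL matches; [] means no match."""
    m = URL_RE.match(url)
    if not m:
        return []
    host = m.group("host").lower()
    port = int(m.group("port") or (443 if m.group("scheme") == "https" else 80))
    path = (m.group("path") or "/").split("?", 1)[0]   # drop the query string
    reasons = []
    if host in PAYLOAD_HOSTS or host in PAYLOAD_IPS:
        reasons.append("known payload host")
    if host in INTERMEDIATE_HOSTS:
        reasons.append("known intermediate host")
    if host.endswith(".ru") and port == 8080:          # the .ru:8080 pattern
        reasons.append(".ru:8080 pattern")
    if path.endswith("/x.html"):                       # the hacked-site redirector
        reasons.append("/x.html redirector")
    return reasons


def parse_squid_line(line):
    """Parse one squid native access.log line into (client, url, peer_ip); None if malformed."""
    f = line.split()
    if len(f) < 9:
        return None
    client, url, hier = f[2], f[6], f[8]
    peer_ip = hier.split("/", 1)[1] if "/" in hier else "-"
    return client, url, peer_ip


def scan_log(lines):
    """Return [(client, url, reasons)] for every log line matching an indicator."""
    hits = []
    for line in lines:
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        client, url, peer_ip = parsed
        reasons = classify_url(url)
        # yummyeyes.ru is multihomed: a new hostname resolving to one of its
        # addresses is still a hit, so check the peer address as well.
        if peer_ip in PAYLOAD_IPS and "known payload host" not in reasons:
            reasons.append("known payload IP")
        if reasons:
            hits.append((client, url, reasons))
    return hits


def clients_to_triage(hits):
    """Map each internal client to the set of indicators it tripped."""
    by_client = defaultdict(set)
    for client, _url, reasons in hits:
        by_client[client].update(reasons)
    return dict(by_client)


# Constructed sample log lines (squid native format); not real traffic.
SAMPLE_LOG = [
    "1281087422.123    312 10.0.0.15 TCP_MISS/200 1742 GET http://www.myadexpert.org/x.html - DIRECT/203.0.113.7 text/html",
    "1281087423.456    980 10.0.0.15 TCP_MISS/200 52736 GET http://yummyeyes.ru:8080/index.php?pid=10 - DIRECT/188.165.95.133 application/octet-stream",
    "1281087430.001     45 10.0.0.22 TCP_HIT/200 812 GET http://www.example.com/index.html - NONE/- text/html",
    "1281087431.777     60 10.0.0.22 TCP_MISS/200 9000 GET http://example.ru/news.html - DIRECT/198.51.100.9 text/html",
    "1281087440.900    870 10.0.0.31 TCP_MISS/200 52736 GET http://other-example.ru:8080/index.php?pid=10 - DIRECT/91.121.122.81 application/octet-stream",
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for client, url, reasons in hits:
        print(client, url, ", ".join(reasons))
    print(clients_to_triage(hits))
```

Note that an ordinary .ru site on port 80 (the fourth sample line) is not flagged: the port is part of the pattern, which keeps the check from drowning in false positives on a network with legitimate Russian traffic. The machines returned by clients_to_triage are the ones to inspect for the dropper.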

Monday, 8 February 2010

Old pitch, new payload

This particular pitch from the badly-spelled "Internet Service Provider Consorcium" was doing the rounds back in September 2008, and it appears to have been recycled again to deliver a brand new Bredolab payload.


Subject: Your internet access is going to get suspended
From: "ICS Monitoring Team" <*****>
Date: Mon, February 8, 2010 9:34 pm
To: *****
--------------------------------------------------------------------------

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team
Attachment is report.zip which contains report.exe and of course you can probably guess that it contains something nasty.


Who knows what other oldies this crew might try to use?