Sponsored by..

Saturday, 9 August 2008

"Hey, take a look!!" / "Yahoo Daily News"

Looks like another variant of the Storm Worm /Zapchast doing the rounds:

Subject: Hey, take a look!!
From: "Yahoo Daily News"

Hello friend !
You have just received a yahoo messenger ultimate version !!


Click Download Now to begin downloading and installing Yahoo Messenger ultimate version 10 ver 10.1



1. Download Now Click Download Now to begin downloading and installing Yahoo! Messenger ultimate version 10.
ver. 10.1
2. When prompted, please click the Run button in each window that appears.

Other versions: XP (9.0 Beta), Vista, Mac, Web, Mobile

Thank you for using our services !!!
Please take this opportunity to let your friends use about this new software by sending them the source.

Copyright © 2008 Yahoo! Inc. All rights reserved. Copyright/IP Policy | Terms of Service |Guide to Online Security

Relevant advertising creates a better web experience. See how

NOTICE: We collect personal information on this site.

To learn more about how we use your information, see our Privacy Policy
In this case the target file to download is msgr8.5us.exe, VirusTotal detection is pretty good.

Expect to see a LOT of these over the next few days, either themed for the Olympics or the war in South Ossetia. Although the subject will always change, a crash course in user education can help to mitigate the risk.

ISC: "More SQL Injections - very active right now"

The Internet Storm Center has published technical details on the Chinese-based SQL injection attack which may be of interest to SQL administrators and programmers and also security specialists. It also flags up another javascript file to look for: csrss/w.js

Keep an eye out for log activity pointing to this file. Blocking the entire .cn TLD will probably do very little harm for most businesses.

Asprox: block 91.203.93.4 and js.js

A shift in behaviour from the Asprox botnet - this time all traffic from infected sites is being redirected through a fixed IP at 91.203.93.4. Blocking 91.203.93.0/24 will probably do no harm.

Also, the name of the javascript file has changed to js.js, so look for this in your logs.

The Silent Noise blog is tracking Asprox domains too, with some interesting developments that we haven't had the chance to dig deeper into.

Tuesday, 5 August 2008

Asprox domains: 5/8/08

Current Asprox domains to look for in your blogs or block. These have all been active for 3 or 4 days now, which is an unusually long time for this current SQL injection attack.

  • 8hcs.ru
  • 98hs.ru
  • bgsr.ru
  • bywd.ru
  • ibse.ru
  • ncbw.ru
  • nwj4.ru
  • ojns.ru
  • porv.ru
  • uhwc.ru

Saturday, 2 August 2008

Asprox domains: 2/8/07

These are the currently active Asprox domains to check for. They are all very recently registrations.

  • 8hcs.ru
  • 98hs.ru
  • bgsr.ru
  • bywd.ru
  • ibse.ru
  • ncbw.ru
  • nwj4.ru
  • ojns.ru
  • porv.ru
  • uhwc.ru

Friday, 1 August 2008

Fake "Correspondence manager" job

Money mule scams are now very common - basically some poor fool ends up laundering money or reshipping goods following the instructions of someone they have never met and is likely to be untraceable.

This particular job offer seems to go a step further. This "correspondence manager" could well be another layer in the scammer's obfuscation. Perhaps the correspondence manager handles communications with the money mules?

One danger here is that this particular role is more credible that the "money for nothing" jobs that scammers usually offer. On the face of it, it doesn't involve handling money, but it does seem to be very easy and the salary looks attractive.

There's an interesting bit of social engineering where the email says "THE SELECTED CANDIDATE MUST PASS A CRIMINAL BACKGROUND CHECK". Of course, it is the employer who needs to pass a background check too. Always verify that your job offers are from a genuine, verifiable business.




Subject: Re: WELL - PAID JOB!
From: ls51@salud.gov.pr
Date: Fri, August 1, 2008 11:52 am

Dear, Job Seeker!

Our firm has an opening vacancy: Correspondence manager.

Please attach your resume in DOC or reach text format and apply right now. This
position is limited.



Company Name
Global Logistic


Job Category
Correspondence


Location
United States


Position Type
Part-Time/Home Based


Salary
$ 35,000 - $ 50,000


Experience
1+


Desired Education Level
High School or Equivalent


Date Posted
March 17, 2008



Job Summary:
You will make some basic tasks from your manager daily; manage personal assets;
making simple correspondence operations. You don't need to have any kind of
education or experience. We will make online training for position offered. You
will have more information in job description document. Apply now.
Requirements: US citizenship or US permanent residency

High school or College in relevant field or 1+ years experience in management;
basic computer, good verbal and grammar skills; must have a cellular phone for
urgent tasks; must be able to work part-time; must provide resume for
qualification process.

ALL RESUMES WILL BE CONFIRMED AND VERIFIED. THE SELECTED CANDIDATE MUST PASS A
CRIMINAL BACKGROUND CHECK
If you're interested send your full name, phone number, age and RESUME
mailto:NannieHolderCE@gmail.com and I'll redirect it to our HR department.


Beware of unsolicited loan offers

Loan scams are a another variant of the advanced fee fraud scam (e.g. fake lotteries, dead dictator's fortunes etc). These seem to be more popular recently due to the "credit crunch". Fundamentally the approach is the same as any other advanced fee fraud: you apply for the loan only to discover that there is a fee payable up front. Of course, no legitimate lender would ask for an up front fee for a loan.

Although the wording for this particular example sounds like it is from Nigeria, the IP address is from the Hathway network in Bangalore. Oddly from "from" address is Hathway too.

Subject: LOAN OFFER
From: ramanks@hathway.com
Date: Thu, July 31, 2008 8:14 pm
Priority: Normal


Dear Customer
We are corporate lenders. we give out loans to
A very honest and reliable personalities. we give
out our loans at low interest rate and moderate
values as cheap as 3% rate. Because of scam
we tender our qualifications if it satisfies, you
can continue with the transaction, but if you are
not satisfied you can go to another lender.
Channel your response to this email.
thomassteve2@gmail.com
Greatest Regards
Marketing Manager
Mr Thomas Steve.
Although this particular one is pretty laughable, it is likely that the scammers will get better at it. Beware of unsolicited loan offers and remember that all fees and interest will come out of your repayments, not from an up front fee.

Wednesday, 30 July 2008

PestPatrol: Zuten detected in c:\windows\minidump

This one looks like a false positive.. CA PestPatrol with signature version 2008.7.29.15 seems to be detecting Zuten in the c:\windows\minidump folder.

A close examination of the description indicates that the following files may be being misdetected:

%windows%\minidump\mini072908-01.dmp
%windows%\minidump\mini072908-02.dmp
As you can see, yesterday's date in encoded into the .dmp files. If your computer system has generated a .dmp file in the past day, then PestPatrol may well be mis-detecting it.

Tuesday, 29 July 2008

The SQL Injection war

Dancho Danchev had has some very good writeups on the current round of SQL injection attacks. This post on copycat attacks caught my eye, because it shows that there's more than one crew at work here.

If anything, this situation is likely to get worse. The tools needed to carry out a SQL injection attack are now almost available off-the-shelf, the attacks are obviously financially successful because they have been ongoing now for some months, and enumeration of vulnerable servers can be done through Google or Yahoo if you don't want to bother crawling the web.

Identifying and blocking domains helps, but it isn't a real solution. Most of these attacks are thwarted by a fully patch client (and I do mean all the software on the client, the Secunia Software Inspector can help here or some other decent audit tool). Using Firefox + NoScript is a good idea for the technically savvy. But ultimately, the best way of fighting this is to secure or shut down infected SQL servers. Don't be afraid to use the abuse@ email address where a web site is posing a continuing threat.

Asprox domains: 29/7/08

These are this morning's active Asprox domains. New ones are in bold.

  • b4so.ru
  • bce8.ru
  • bjxt.ru
  • bnsr.ru
  • bosf.ru
  • bsko.ru
  • ch35.ru
  • gty5.ru
  • iroe.ru
  • jve4.ru
  • kj5s.ru
  • kjwd.ru
  • kpo3.ru
  • kr92.ru
  • ncb2.ru
  • ncwc.ru
  • nemr.ru
  • njep.ru
  • nmr43.ru
  • oics.ru
  • pfd2.ru
  • po4c.ru

Monday, 28 July 2008

Asprox domains: 28/7/08

These seem to be the current Asprox domains to block or check for. New ones are in bold.

  • bs04.ru
  • bce8.ru
  • bjxt.ru
  • bnsr.ru
  • bosf.ru
  • bsko.ru
  • ch35.ru
  • iroe.ru
  • jve4.ru
  • kjwd.ru
  • kodj.ru
  • kpo3.ru
  • kr92.ru
  • ncb2.ru
  • ncwc.ru
  • nemr.ru
  • nmr43.ru
  • oics.ru
  • pfd2.ru
  • po4c.ru
ngg.js still seems to be the name of the javascript file injected into compromised hosts.

Friday, 25 July 2008

Asprox domains: 25/7/08

These domains seem to be active today, new ones in bold.

  • bce8.ru
  • ch35.ru
  • iroe.ru
  • jve4.ru
  • kjwd.ru
  • kodj.ru
  • kpo3.ru
  • kr92.ru
  • ncwc.ru
  • nemr.ru
  • nmr43.ru
  • pfd2.ru
  • po4c.ru
One oddity - the URL zvz.cc/forums/8L0/join.upq has been spotted as a redirector for these Javascript exploits. Google list zvz.cc that as a malware infected site, it is hard to tell though if this is just another victim or part of the C&C for the botnet. For the record, these are the WHOIS details.. but they might not mean very much.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: ZVZ.CC

Registrant:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Creation Date: 09-Apr-2008
Expiration Date: 09-Apr-2009

Domain servers in listed order:
ns2.zvz.cc
ns1.zvz.cc

Administrative Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Technical Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Billing Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Status:ACTIVE

Thursday, 24 July 2008

Asprox: jve4.ru, nmr43.ru and po4c.ru

Three new Asprox domains that have gone live in the past few hours, probably some more on the way. Either block these or check your logs if you are a network admin.
  • jve4.ru
  • nmr43.ru
  • po4c.ru

"ABT Solutions" scam email

Following on from the recent "Infopulse" scam, another Ukranian firm has been targeted by the money mule operators. ABT Solutions appears to be a legitimate and quite innocent company that has been around for a few years, but this email does not come from ABT Solutions. The [fake] name used in the email is very similar to the name used in the abtsolutions.net WHOIS data, it is likely that it has been lifted from there.

Two telltale signs - one is the use of a Google Mail address where you would expect it to come from abtsolutions.net, the other one is that the job offer appears to be too good to be true. The company name is also spelled incorrectly.




Subject: A proposal for collaboration. Additional revenue.
From: job.abtsolutions@gmail.com
Date: Wed, July 23, 2008 11:07 pm

Hello Sir/Madam,

I am Chebotar' Aurelian, Director of ABT Solutins
specializes in innovative IT solutions and complex software projects development.

My company based in Ukraine. We've earned ourselves a reputation of a
reliable and trustworthy partner working successfully with a number of
West European companies and providing them with reliable software
development services in financial and media sectors.
Unfortunately we are currently facing some difficulties with receiving
payments for our services. It usually takes us 10-30 days to receive
a payment and clearing from your country and such delays are harmful
to our business. We do not have so much time to accept every wire transfer.

That's why we are currently looking for partners in your country to help
us accept and process these payments faster.
If you are looking for a chance to make an additional profit you can
become our representative in your country. As our representative you will
receive 8% of every deal we conduct. Your job will be accepting funds in
the form of wire transfers and forwarding them to us.
It is not a full-time job, but rather a very convenient and fast way
to receive additional income. We also consider opening an office in your
country in the nearest future and you will then have certain privileges
should you decide to apply for a full-time job. Please if you are
interested in transacting business with us we will be very glad.

Please contact me for more information via email:

and send us the following information about yourself: job.abtsolutions@gmail.com

1. Your Full Name as it appears on your resume.
2. Education.
3. Your Contact Address.
4. Telephone/Fax number.
5. Your present Occupation and Position currently held.
6. Your Age

Please respond and we will provide you with additional details on how you
can become our representative. Joining us and starting business today will
cost you nothing and you will be able to earn a bit of extra money fast
and easy. Should you have any questions, please feel free to contact us
with all your questions.

Sincerely,
Chebotar' Aurelian,
Director of ABT Solutins.


Wednesday, 23 July 2008

Asprox domains: 23/7/08 - Part II

Just a couple more to add:

  • cgt4.ru
  • kc43.ru

Asprox domains: 23/7/08

A shift in domains used by the Asprox crew - these new domains are all in the .ru TLD and are registered via NauNet (contact details here). ngg.js is still the name of the Javascript file to look for, I suspect that vrcgoo.js might be a new name to keep an eye out for too.

  • 4cnw.ru
  • 4vrs.ru
  • 5kc3.ru
  • 90mc.ru
  • 9jsr.ru
  • bts5.ru
  • chds.ru
  • cvsr.ru
  • d5sg.ru
  • ecx2.ru
  • gb53.ru
  • h23f.ru
  • jex5.ru
  • jvke.ru
  • keec.ru
  • keje.ru
  • kgj3.ru
  • lkc2.ru
  • lksr.ru
For most organisations, blocking the entire .ru TLD will probably do no harm as these are usually always Russian language sites.

Wednesday, 16 July 2008

"Infopulse Ukraine Ltd" Money Mule Scam

Infopulse Ukraine appears to be a legitimate software development company, but this email that claims to be from them is certainly not legitimate. Tell-tale signs are the free email address (rather than using infopulse.com.ua and the fact that this sort of money transfer operation appears to be an easy way to earn money doing very little.. which means that it will be some sort of money laundering operation. Avoid.




Subject: Earning additional salary with us!
From: jobinfopulse@gmail.com
Date: Wed, July 16, 2008 4:56 pm

Hello Sir/Madam,

I am Alexey Sigov, Director of Infopulse Ukraine Ltd
specializes in innovative IT solutions and complex software projects development.

My company based in Ukraine. We've earned ourselves a reputation of a
reliable and trustworthy partner working successfully with a number of
West European companies and providing them with reliable software
development services in financial and media sectors.
Unfortunately we are currently facing some difficulties with receiving
payments for our services. It usually takes us 10-30 days to receive
a payment and clearing from your country and such delays are harmful
to our business. We do not have so much time to accept every wire transfer.

That's why we are currently looking for partners in your country to help
us accept and process these payments faster.
If you are looking for a chance to make an additional profit you can
become our representative in your country. As our representative you will
receive 8% of every deal we conduct. Your job will be accepting funds in
the form of wire transfers and forwarding them to us.
It is not a full-time job, but rather a very convenient and fast way
to receive additional income. We also consider opening an office in your
country in the nearest future and you will then have certain privileges
should you decide to apply for a full-time job. Please if you are
interested in transacting business with us we will be very glad.

Please contact me for more information via email:

and send us the following information about yourself: jobinfopulse@gmail.com

1. Your Full Name as it appears on your resume.
2. Education.
3. Your Contact Address.
4. Telephone/Fax number.
5. Your present Occupation and Position currently held.
6. Your Age

Please respond and we will provide you with additional details on how you
can become our representative. Joining us and starting business today will
cost you nothing and you will be able to earn a bit of extra money fast
and easy. Should you have any questions, please feel free to contact us
with all your questions.

Sincerely,
Alexey Sigov,
Director of Infopulse Ukraine Ltd


Asprox domains: 16/7/08

The following Asprox SQL Injection domains appear to be active today. New ones are in bold.

  • adwnetw.com
  • adpzo.com
  • ausbnr.com
  • brcporb.ru
  • btoperc.ru
  • cdport.eu
  • cdrpoex.com
  • gbradde.tk
  • grtsel.ru
  • korfd.ru
  • movaddw.com
  • tctcow.com
  • usabnr.com
ngg.js still seems to be the name of the script file. Block these sites and/or check your logs.

Tuesday, 15 July 2008

Asprox domains: 15/7/08

Another bunch of Asprox SQL Injection domains, new ones are in bold.

  • adpzo.com
  • adwnetw.com
  • ausbnr.com
  • bkpadd.mobi
  • butdrv.com
  • cdport.eu
  • cdrpoex.com
  • cliprts.com
  • gbradde.tk
  • gbradp.com
  • gitporg.com
  • hdrcom.com
  • loopadd.com
  • movaddw.com
  • nopcls.com
  • porttw.mobi
  • pyttco.com
  • tctcow.com
  • tertad.mobi
  • usabnr.com
These are still using ngg.js in the injected code.

Friday, 11 July 2008

"I'm customer from Singapore.."

If you sell any kind of high-value goods (or even if you have a web site that just mentions them) then you probably get all sorts of fraudulent emails.

One in particular is the "Customer from Singapore" email of which the following is an example.



Subject: special order
From: "Tony Canna"
Date: Fri, July 11, 2008 7:45 am

I'm customer from Singapore ,and I would like to purchase some products from your
company,but before we doing bussines,I need your answers for my questions
below.

1.Do you accept credit card for payment?
2.Do you ship overseas via UPS,DHL or FedEX Service ?

Thanks before for the attentions and we are glad to doing more bussines with
your company.

I look Forward to hearing from you soon.

Best Regards,
Tony Canna



Singapore is a pretty good place to do business with. Crime and corruption are very low, and you could be reasonably certain that business transactions from with Singapore would be 100% legitimate. The problem with this email is that the sender isn't from Singapore at all, but from neighbouring Indonesia as an examination of the mail headers shows. At the risk of offending Indonesian readers.. well.. put it this way - Indonesia is a much more tricky place to do business with.

Another telltale mark of a fraud is the phrase "Special order". I don't know why, but these scammers often like to mark their emails with this. Go figure.

This Indonesian/Singaporean scam is actually quite common, so be cautious about people claiming to be from Singapore, check mail headers carefully and check that the delivery address is a real business or residential address if you can (rather than some warehouse at an airport, for example).