Microsoft Security Bulletin MS08-067 – Critical: Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Let's make it simple: PATCH NOW. Microsoft say that this can spread from machine to machine without authentication, and reliable exploit code is likely. This makes it the ideal security flaw to hook a worm onto, like Blaster or Sasser.
If you're a corporate user with a firewall, DO NOT imagine that the firewall will offer you much in the way of protection. Eventually either a worm-infected laptop will be plugged into your internal network, or an infected machine may breach the firewall when it connects through the VPN. If there is a widespread outbreak and you're not prepared, then shutting off your VPN may buy you some time.
Thursday, 23 October 2008
"WorldPay CARD transaction Confirmation" / "Academic Resources Center Inc." trojan
This is a fake email message pretending to be from WorldPay relating to a payment to "Academic Resources Center Inc".
There's an attached ZIP file. The ZIP contains an EXE designed to look like a DOC, but oddly with an icon that looks like Excel. Of course, this is actually a nasty trojan rather than a real document.
This is one good reason why you should not hide extensions for known file types on your PC - the icon on the left looks like it has the DOC extension, but only because the real EXE extension has been hidden; it is revealed on the right.
VirusTotal indicates patchy detection rates including TrojanSpy:Win32/Zbot.gen!C, Trojan.Win32.FraudPack.gle, Trojan-Spy:W32/Zbot.VM, W32/Trojan3.DU, TROJ_FAKEALE.AI plus some generic heuristic detections.
In this case, the ZIP is called WorldPay_CARD_Transaction_Confirmation_OrderNo76644.doc.zip and the EXE is WorldPay_CARD_Transaction_Confirmation_OrderNo76644.doc.exe but this may be randomly generated.
Subject: WorldPay CARD transaction Confirmation
From: "Jana Rivera"
Thank you! Your transaction has been processed by WorldPay, on behalf of Academic
Resources Center Inc.
The invoice file is attached to this message.
This is not a tax receipt.
We processed your payment.
Academic Resources Center Inc has received your order,
and will inform you about delivery.
Sincerely,
The AcaDemon Team
Enquiries
This confirmation only indicates that your transaction
has been processed successfully. It does not indicate that your order has been
accepted. It is the responsibility of Academic Resources Center Inc to confirm that
your order has been accepted, and to deliver any goods or services you have ordered.
If you have any questions about your order, please email Academic Resources Center
Inc at:followup@acade66Smicresourcescenter.com, with the transaction details listed
above.Thank you for shopping with Academic Resources Center Inc.
UPDATE 24/4/09: There's a similar spam run happening again, details are here.
Labels:
EXE-in-ZIP,
Spam,
Viruses
Wednesday, 22 October 2008
"Better Business Bureaus Account Support" trojan
We have seen quite a lot of variants of this particular trojan recently, mostly aimed at banks. This one passes itself off as some sort of digital certificate, but according to VirusTotal it is a trojan variously identified as TrojanDownloader:Win32/Suceret.gen!A, Win32.Stration, Trojan-Downloader.Win32.WebDown.10 and a number of other generic detections.
Subject: Better Business Bureaus, Attention: Don't leave mail in your mailbox.
From: "Better Business Bureaus Account Support"
Attention Better Business Bureaus Consumers!
We've enhanced web surfing process with new security measures to keep your online
data and personal information safer.
All registered and new BBB consumers must register new software and update contact
information until October 24, 2008.
Please read the following information carefully:
Register your BBB company certificate here>>>
As always, we appreciate your business. And thank you for working with us.
Sincerely, Ila Newell.
2008 Council of Better Business Bureaus
Tuesday, 21 October 2008
6700.cn browser hijack (bad), SUPERAntiSpyware (good)
I've just spent several days investigating a machine with a particularly nasty rootkit infection. Despite throwing several tools at it and rummaging around the hard disk, the rootkit remained. The most obvious sign was a browser hijack pointing at 6700.cn but there were dozens of malware components installed too.
The F-Secure online scanner and ComboFix removed quite a lot of the malware, but hats off to SUPERAntiSpyware which identified and removed the last, tricky part of the rootkit. I haven't come across this application before, but it is definitely worth a look and it has a free trial.
In retrospect, a lot of the rootkit is also plainly visible using Sysinternals Autoruns - the malware components tend to lack "Publisher" details and can be easily identified. You may well need to take the hard disk out and mount it in a USB enclosure on a second PC, but a word of caution - it is possible to infect the second PC too, so try to avoid using anything mission critical for the cleanup.
"Data request" trojan
Another EXE-in-ZIP-disguised-as-a-DOC trojan, similar to this one.
It is a different binary from yesterday with better detection rates. But the best cure for this is avoidance: block EXEs-in-ZIPs at the mail filter.
The attachment in this case is called Statement_January-October.zip and contains an executable named Statement_January-October.doc[44 spaces].exe. The blank spaces are designed to push the .exe part of the filename down so that it is invisible.
Subject: Data request
From: "Billy Roark"
Please find the document attached to this message. The report was issued today.
Requested account details have been altered successfully.
Thank you for contacting us.
Respectfully,
Billy
Labels:
Viruses
Monday, 20 October 2008
"Report Jan-Oct." trojan
This fake email contains an EXE in a ZIP designed to look like a Word document (complete with authentic-looking icon), in this case "Statement1-10.doc .exe" (there are 75 spaces in the filename that Blogger strips out).
The attached ZIP file is called Statement1-10.zip. VirusTotal shows detection is poor, with what look like generic detections only.
Subject: [name] Report Jan-Oct.
From: "Clara Slaughter"
Dear Customer,
As you requested, we are sending you this report with details on your account
transactions made between 1/1/2008 and 10/1/2008.
At your service,
Clara
If your mail filter allows it, you should block EXEs in ZIP files. Postini allows this, and I guess other filtering services do too.
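As an added example (not code from the original posts), the Python below implements the attachment check that the "WorldPay", "Data request" and "Report Jan-Oct." posts above argue for. It opens a ZIP attachment in memory and flags any member that is an executable: by its final extension, by a document extension hidden in front of that (Statement1-10.doc.exe), by a run of spaces pushing the real extension out of view (the 44-space trick), and by the "MZ" header that a Windows executable carries whatever it is called. The extension lists and the sample ZIP contents are constructed for this example; the members are stub bytes, not real malware.

```python
import io
import zipfile

# Extensions Windows will run directly (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a recipient would take for a harmless document.
DOCUMENT_EXTENSIONS = {".doc", ".xls", ".pdf", ".txt", ".rtf"}


def classify_name(name):
    """Return the reasons a member name looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()   # drop any directory part
    parts = base.split(".")
    if len(parts) < 2:
        return reasons
    final_ext = "." + parts[-1].strip()
    if final_ext not in EXECUTABLE_EXTENSIONS:
        return reasons
    reasons.append("executable extension %s" % final_ext)
    inner = parts[-2]
    # Double extension such as Statement1-10.doc.exe
    if "." + inner.strip() in DOCUMENT_EXTENSIONS:
        reasons.append("document extension .%s hidden before %s" % (inner.strip(), final_ext))
    # Run of spaces pushing the real extension out of view: "x.doc<44 spaces>.exe"
    padding = len(inner) - len(inner.rstrip())
    if padding:
        reasons.append("%d padding spaces before the real extension" % padding)
    return reasons


def inspect_zip(data):
    """Inspect ZIP bytes; map each suspicious member name to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)
            # A PE executable starts with "MZ" regardless of its name.
            if head == b"MZ":
                reasons.append("MZ header: member is a Windows executable regardless of name")
            if reasons:
                findings[info.filename] = reasons
    return findings


def should_block(data):
    """Mail-filter policy: reject the attachment if any member is suspicious."""
    return bool(inspect_zip(data))


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used to construct sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_zip():
    """Constructed sample modelled on the attachments described in the posts (stub bytes only)."""
    return make_zip({
        "Statement_January-October.doc" + " " * 44 + ".exe": b"MZ\x90\x00 constructed stub",
        "WorldPay_CARD_Transaction_Confirmation_OrderNo76644.doc.exe": b"MZ constructed stub",
        "invoice.txt": b"plain text, nothing to see",
    })


if __name__ == "__main__":
    for member, reasons in inspect_zip(build_sample_zip()).items():
        print(repr(member))
        for reason in reasons:
            print("   -", reason)
    print("block attachment:", should_block(build_sample_zip()))
```

The MZ check is the one worth keeping even if the name rules are tuned down: a renamed executable still starts with those two bytes, so a filter that only looks at names can be fooled, while one that looks at the first bytes of each member cannot.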
Labels:
Viruses
Thursday, 16 October 2008
"LV Electronics Inc." job offer scam
There are plenty of legitimate companies called "LV Electronics", but this job offer is not from one of them. In this case, the originating IP was 91.77.116.141 in Russia.
Subject: Job offer in the United States.
Greetings.
LV Electronics Inc. is searching for hardworking person, that will represent our
branch in local area.
The required country: UNITED STATES ONLY! (all states).
Prior experience is not necessary; entry level admin, customer service and good
people skills are all you need.
Perfect for anyone who wants to work from home and spend more time with their
family, or just make some extra money.
Be debt free fast making an additional $4,000-12,000 A MONTH!
WRITE US AND APPLY NOW: lvelectronicsinc@aol.com
Labels:
Money Mule,
Scams,
Spam
Fake job offer: ias-jobs.org
One of a series of fake job offers that are doing the rounds, this time promoting a company called IAG ("Internet Auction Service"). It's most likely a money mule scam (i.e. money laundering), or package reshipping (handling stolen goods) or something similar. Avoid.
Subject: Current Vacancy at IAG
Internet Auction Service provides business support, retail distribution, franchise
operations,
direct sales, and a variety of auction as well as accounting and billing services.
We are currently recruiting for the positions of Virtual Office Assistants in the
United
Kingdom, part-time and full-time available. The positions focus on providing
administrative
assistance in online sales.
Part-time and full-time positions available:
Part-time: 3 hours per day during either one of these shifts:
9:00am-12:00pm 11:00am-2:00pm 12:00pm-3:00pm 2:00pm-5:00pm
Full Time: 6 hours per day during either one of these shifts:
9:00am-3:00pm 11:00am-5:00pm
Salary:
Part-time: 1,100GBP/month plus commission
Full-time: 2,200GBP/month plus commission
Professional Qualities:
- Customer focused decision maker
- Demonstrates a high level of personal accountability
- Thinks about the team first over personal agendas
- Learning adaptive
- Process driven
Basic Requirements for Virtual Office Assistant:
- Internet Access
- Microsoft Office
- Basic Accounting skills
If you are interested in this position please send us an email to
Jennifer.Edwards@ias-jobs.org
expressing your interest and we will forward you the detailed job description and
the agreement.
Best regards,
IAS Team
Unusually, the domain ias-jobs.org has been registered for these purposes. www.ias-jobs.org is hosted on 89.218.205.90 in Kazakhstan (again). Mail is handled by 12.192.82.225 in the US which is unusual. Nameservers are ns1.eurogolden.net (194.150.120.47) and ns2.eurogolden.net (62.157.74.89) which all tie into this scam. utl-jobs.com and korkdevelopers.com can also be tied into this.
As a general rule, you should always avoid job offers from companies that you cannot verify exist in real life.
Labels:
Money Mule,
Scams,
Spam
Asprox: lang42.ru
Another Asprox SQL injection domain to block / check for is lang42.ru. The following domains have been active in the past 24 hours:
- 53refer.ru
- chk06.ru
- driver95.ru
- errghr.ru
- lang42.ru
- netcfg9.ru
- sitevgb.ru
- vrelel.ru
Labels:
Asprox,
SQL Injection,
Viruses
Wednesday, 15 October 2008
Asprox: new domains
After being stable for some time, the Asprox SQL injection hacks are now redirecting through a new bunch of .ru domains.
retyi111@yahoo.com has been used before for these domains and various other nasties. As usual, block these domains and/or check your logs for them.
- 30area.ru
- 4log-in.ru
- 53refer.ru
- chk06.ru
- driver95.ru
- errghr.ru
- netcfg9.ru
- sitevgb.ru
- vrelel.ru
domain: ERRGHR.RU
type: CORPORATE
nserver: ns2.errghr.ru. 68.6.180.109
nserver: ns3.errghr.ru. 68.12.194.192
nserver: ns1.errghr.ru. 199.126.149.144
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 772 7727727
fax-no: +7 772 7727727
e-mail: retyi111@yahoo.com
registrar: NAUNET-REG-RIPN
created: 2008.10.09
paid-till: 2009.10.09
source: TC-RIPN
Labels:
Asprox,
SQL Injection,
Viruses
Tuesday, 14 October 2008
What the heck is Win32/Puloagem.B?
I've had a few CA-Vet alerts for Win32/Puloagem.B recently, with pretty sparse information on what Puloagem actually is. If you're being plagued with this, then it's worth knowing that this is basically just a variant of Zlob and it's a variety of fake anti-virus software. In our case, the executable was named winrar.exe.
VirusTotal has a good list of aliases, so if you're struggling with it then you can use some of the other names as references.
"Habitats Property and Service Inc." fake employment offer
Another bogus employment offer, this time from "Habitats Property and Service Inc", but there appears to be no such firm, although there are plenty of legitimate companies with similar names who have nothing to do with this. It is most likely a money mule scam or package reshipping, or something similar. Avoid.
Subject: Real Estate company is looking for employees. You was selected.
JOB OFFER FROM: Habitats Property and Service Inc.
Big international company is urgently looking for permanent representatives within the whole territory of the United Kingdom. We need people at the age of 21 to 70 for rather easy work on processing of the incoming orders and performancing of simple management duties.
You don’t need to be a specialized professional or to have special training. We also do not require the working experience in this field; all you need for this job are:
* ability to accurately follow the instructions on the solving the required tasks
* be a confident computer user
* ability to work with MS Word
* ability to work with MS Excel
* have permanent Internet access
This job suits students, mothers, pensioners and people who are looking for the part-time job perfectly well. You need only 2-3 spare hours during the day to fulfill your working duties.
All the candidates will be checked and selected on the competitive basis. To submit your application, please, send us your resume/CV to the following address:
cv08.habitats@googlemail.com
Your request will be considered within 24-48 hours.
Originating IP in this case was 217.15.186.77 in Kazakhstan.
Labels:
Money Mule,
Scams,
Spam
Friday, 10 October 2008
FTC: Bank Failures, Mergers and Takeovers: A "Phish-erman's Special"
A timely warning from the FTC on the threat of criminals using the worldwide financial crisis to obtain banking details, although as seen recently the payload could also be a trojan rather than a phishing attempt.
The FTC say:
If the recent changes in the financial marketplace have you confused, you’re not alone. The financial institution where you did business last week may have a new name today, and your checks and statements may come with a new look tomorrow. A new lender may have acquired your mortgage, and you could be mailing your payments to a new servicer. Procedures for the banking you do online also may have changed. According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, the upheaval in the financial marketplace may spur scam artists to phish for your personal information.
They then go on to offer some excellent tips and examples of what to look out for. As I said before, it's worth warning any end-users you support of this risk because it would be relatively trivial to come up with a scam that looks very convincing indeed, and including a reference to the FTC warning might get at least some of them taking the threat seriously.
Thursday, 9 October 2008
securityassurance@microsoft.com - "Security Update for OS Microsoft Windows"
A malicious EXE file is doing the rounds, pretending to be an update from Microsoft and including some social engineering such as a fake PGP signature. The payload is an executable called KB960312.exe. Detection rates are poor, but it's clearly some hideous piece of malware that you really don't want anywhere near your PC.
Subject: Security Update for OS Microsoft Windows
From: "Microsoft Official Update Center"
Dear Microsoft Customer,
Please notice that Microsoft company has recently issued a Security Update for OS
Microsoft Windows. The update applies to the following OS versions: Microsoft
Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows
XP, Microsoft Windows Vista.
Please notice, that present update applies to high-priority updates category. In
order to help protect your computer against security threats and performance
problems, we strongly recommend you to install this update.
Since public distribution of this Update through the official website
http://www.microsoft.com would have result in efficient creation of a malicious
software, we made a decision to issue an experimental private version of an update
for all Microsoft Windows OS users.
As your computer is set to receive notifications when new updates are available, you
have received this notice.
In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.
If nothing changes after you have run the file, probably in the settings of your OS
you have an indication to run all the updates at a background routine. In that case,
at this point the upgrade of your OS will be finished.
We apologize for any inconvenience this back order may be causing you.
Thank you,
Steve Lipner
Director of Security Assurance
Microsoft Corp.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
3L0SDPQYESHKTVB7P898LE266163YL9LZQ6AU3LYK9JFM85HDX4S5FG0PEUY5HXP0
31Q8WAOREI4H0A7OF4UDTOG8HAXPAZMV91DI6B8XJEQ0636ND3XAWTCOOSNLIGHUN
ZSDHKKLZ099I6Y03BO91DGUTQMMFT0CWMCZQ4G0R0EYMNN199IEG0PKA6CE3ZPAB6
EJ4UN52NIIB4VF78224S7BCNFH3NP9V91T66QV0RKA2KOG0RA0EUM5VY17P41G016
I2YU34EL9XJQGS7C5GMDU4FJUIC3M3ZIAU6==
-----END PGP SIGNATURE-----
Update: KB231660.exe has also been spotted with a different PGP signature, although securityassurance@microsoft.com remains the same. Also KB986008.exe, KB415282.exe, KB985274.exe, KB166277.exe; probably a load more will be sent out over the next few hours.
Update 2: This has now been picked up by the folks at the ISC.
Citigroup/Wachovia "Security Certificates" trojan
These fake "security certificates" have been around for a while, but it has taken a little time for the Bad Guys to leverage the recent worldwide banking crisis. Expect to see a LOT more of these as more banks struggle or are taken over.
The link goes to the insanely named domain commercial [dot] wachovia [dot] online [dot] financial [dot] service [dot] onlineupdate.iawyvy9gcv.bankonline.doexte.gbiexsse.com which is hosted on a fast-flux botnet. The target executable is InstallationPackWachovia.exe located in the root directory which triggers just a few heuristic scanners or generic detections according to VirusTotal.
If you work in IT in any kind of organisation, it is worth sending out a warning to end users to ensure that they are aware of these emails, either at work or at home. The current batch are not particularly credible, but the Bad Guys will probably keep working on their social engineering skills.
WACHOVIA CORPORATION NOTICE.
Citigroup announced a buyout of Wachovia brokered by the FDIC moments ago.
All Wachovia bank locations will be in the Citigroup merger to prevent failure of Wachovia.
The Citigroup/Wachovia would focus on upgrading banks' security certificates.
All Wachovia customers must fill the forms and complete installation of new Citigroup Standard digital signatures during 48 hours.
Please follow the installation steps below:
Read more here>>
Sincerely, Sophie Burkett.
2008 Wachovia Corporation.
All rights reserved.
Fake "VM-Soft" job offer
VM-SOFT (www.vm-soft.com.ua) is a wholly legitimate Ukrainian software developer, whose corporate identity is being used by a third party to perpetrate an apparent Money Mule scam, in an approach almost identical to this earlier fake email for another Ukrainian company.
The email copies the name of the director, Viktor Marchenko, and even uses a very similar Gmail address (see the genuine contact page for the real one).
Hello Sir/Madam.
I Viktor Marchenko, I introduce VM-Soft specializes in innovative IT solutions and
complex software projects development.
My company based in Ukraine. We've earned ourselves a reputation of a reliable and
trustworthy partner working successfully with a number of West European companies
and providing them with reliable software development services in financial and
media sectors. Unfortunately we are currently facing some difficulties with
receiving payments for our services. It usually takes us 10-30 days to receive a
payment and clearing from your country and such delays are harmful to our business.
We do not have so much time to accept every wire transfer.
That's why we are currently looking for partners in your country to help us accept
and process these payments faster. If you are looking for a chance to make an
additional profit you can become our representative in your country. As our
representative you will receive 8% of every deal we conduct. Your job will be
accepting funds in the form of wire transfers and forwarding them to us. It is not a
full-time job, but rather a very convenient and fast way to receive additional
income. We also consider opening an office in your country in the nearest future and
you will then have certain privileges should you decide to apply for a full-time
job. Please if you are interested in transacting business with us we will be very
glad.
Please contact me for more information via email: offer.job.vmsoft.ua@gmail.com
and send us the following information about yourself:
Your Full Name as it appears on your resume.
Education.
Your Contact Address.
Telephone/Fax number.
Your present Occupation and Position currently held.
Your Age
Please respond and we will provide you with additional details on how you can become
our representative. Joining us and starting business today will cost you nothing and
you will be able to earn a bit of extra money fast and easy. Should you have any
questions, please feel free to contact us with all your questions.
Sincerely,
Viktor Marchenko ,
VM-Soft
If you're not familiar with this type of scam, then basically it amounts to laundering stolen money.
One important tip usually is that legitimate companies tend not to use free email addresses, but in this case the genuine VM-SOFT does, instead of using its own vm-soft.com.ua domain which is not so helpful.
Increasingly, the scammers use names of genuine companies and even genuine directors. They may register domain names that look confusingly similar to the real thing, so sometimes the only concrete thing that you have to go on is common sense: if it looks too good to be true, then it probably isn't true.
Labels:
Money Mule,
Scams,
Spam
Dating scams, onlineflh.com and 79.135.167.*
I have covered this particular group of dating scam sites before, but this time there's a slight shift in the way that it works. In this case, the parenthesis-laden email looks something like:
hey^) how are you?) do you have a girlfriend?)... i have not boyfriend(( I very
want to meet real men...which will know woman's need ...like in a cinema ... you
know))))lets chat!) i am pretty girl)) I have a lot of time for meetings and if you
have any ideas how to spend it with me... just email me back at
CAROLINE@onlineflh.com and i will reply back with some nice ;) photos with me
...and maybe, you will want to write me again))) CAROLINE@onlineflh.com
Perhaps "Caroline" is trying to date a LISP programmer? There's no website for onlineflh.com, but mail is handled by 79.135.167.51 which is the same as before, although now the only two websites on that server are Ammae.com and Amnocx.com.
In these circumstances, a tool like Robtex can be useful. It turns out that 79.135.167.51 is an infrastructure server for a number of domains. The IP address is noted as belonging to a ROKSO listed spammer, most likely some affiliate of the Russian Business Network (RBN).
Supported domains are:
- alllam.com
- cardrealc.com
- ezshl.com
- famplayfit.cn
- firstlam.com
- flasheon.com
- gosfordw.com
- llcam.com
- morerd.com
- onlineflh.com
- onlineshl.com
- planetflh.com
- rdplanet.com
- towadapointhalf.cn
- virtuellmal.com
The Spamhaus DROP list goes further and lists the entire 79.135.160.0/19 block (79.135.160.0 - 79.135.191.255) as being rogue. That's probably overkill as there do seem to be some legitimate (mostly Turkish) websites hosted in that range.
These were more fun when they had a picture of a pretty girl attached.
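As an added example, not part of the original post, the Python below does two things the post does by hand: it groups domains by the IP that serves them (shared infrastructure is what ties onlineflh.com, Ammae.com and Amnocx.com together) and it checks IPs against a DROP-style netblock list, working out the first and last address of the 79.135.160.0/19 block mentioned above. The DROP excerpt is constructed in the list's "CIDR ; reference" layout with a placeholder reference, and the domain-to-IP observations are constructed (the three scam domains on 79.135.167.51 are from the post; the other two hosts are invented). The "legit-site.example" entry is there to show the over-blocking caveat: a host inside the block is flagged whether or not it is rogue.

```python
import ipaddress

# Constructed excerpt in the "CIDR ; reference" layout of the Spamhaus DROP list.
# The block is the one quoted in the post; the SBL reference is a placeholder.
DROP_LIST_TEXT = """; Spamhaus DROP List (constructed excerpt for this example)
79.135.160.0/19 ; SBL-PLACEHOLDER
"""

# Constructed domain -> IP observations of the kind a Robtex lookup gives you.
OBSERVED = {
    "onlineflh.com": "79.135.167.51",
    "ammae.com": "79.135.167.51",
    "amnocx.com": "79.135.167.51",
    "legit-site.example": "79.135.170.20",   # constructed: inside the block, not a scam host
    "unrelated.example": "198.51.100.10",    # constructed: outside the block
}


def parse_drop_list(text):
    """Parse DROP-style lines into ip_network objects, skipping comments and blank lines."""
    networks = []
    for line in text.splitlines():
        cidr = line.split(";", 1)[0].strip()   # everything after ';' is a comment/reference
        if cidr:
            networks.append(ipaddress.ip_network(cidr, strict=False))
    return networks


def block_range(network):
    """First and last address of a block, e.g. 79.135.160.0/19 -> (79.135.160.0, 79.135.191.255)."""
    return str(network[0]), str(network[-1])


def listed_networks(ip, networks):
    """CIDR strings of every listed block that contains ip."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in networks if addr in n]


def group_by_ip(observed):
    """Group domains sharing one IP; shared hosting is what ties the scam domains together."""
    groups = {}
    for domain, ip in observed.items():
        groups.setdefault(ip, []).append(domain)
    return {ip: sorted(domains) for ip, domains in groups.items()}


def flag_domains(observed, networks):
    """Domains whose IP falls inside a listed block, with the block(s) that matched."""
    flagged = {}
    for domain, ip in observed.items():
        matches = listed_networks(ip, networks)
        if matches:
            flagged[domain] = matches
    return flagged


if __name__ == "__main__":
    nets = parse_drop_list(DROP_LIST_TEXT)
    for net in nets:
        print(net, "covers", " - ".join(block_range(net)))
    for ip, domains in group_by_ip(OBSERVED).items():
        print(ip, "hosts", ", ".join(domains))
    print("inside listed blocks:", flag_domains(OBSERVED, nets))
```

Dropping the whole /19 at the border is the blunt option; the grouping output is the finer one, since it points at the single infrastructure IP (or a /32 list built from such IPs) that a mail filter can reject without touching the rest of the range.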
Labels:
Dating Scams,
Scams,
Spam
Monday, 6 October 2008
Asprox: deryv.ru still active
The Asprox botnet is still active but has been remarkably stable, with no new domains in the past week and 88% of the traffic going to deryv.ru.
Consistently, the malicious script is obfuscated with the eval(function(p,a,c,k,e,d) packer, presumably to avoid detection by anti-virus software. So, if you only check your logs for / block ONE Asprox domain, then deryv.ru seems to be the one to look at.
- ctiry.ru (3%)
- deryv.ru (88%)
- mentoe.ru (4%)
- mheop.ru (3%)
- pormce.ru (2%)
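As an added example that is not part of the original posts, the Python below does the "check your logs" step from the Asprox posts on this page against a few constructed log lines and a constructed page. It matches the listed .ru domains in request lines and referers, decodes long 0x... hex literals (the way an encoded SQL statement can be smuggled through a query string) so that a domain hidden inside one is caught as well, and flags served HTML that references a listed domain or carries the eval(function(p,a,c,k,e,d) packer signature. The domain list is the union of the lists on this page; the log lines, the encoded statement and the p,a,c,k,e,r variant of the packer signature are my constructions and additions.

```python
import re
from collections import Counter

# Asprox redirection domains listed in the posts on this page; treated as the block list here.
ASPROX_DOMAINS = {
    "30area.ru", "4log-in.ru", "53refer.ru", "chk06.ru", "ctiry.ru", "deryv.ru",
    "driver95.ru", "errghr.ru", "lang42.ru", "mentoe.ru", "mheop.ru", "netcfg9.ru",
    "pormce.ru", "sitevgb.ru", "vrelel.ru", "xenbv.ru",
}

# Hostnames following a URL scheme or a (possibly unquoted) src= attribute.
HOST_RE = re.compile(r"(?:https?://|src=['\"]?)([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
# Long hex literals of the kind used to carry an encoded SQL statement in a query string.
HEX_BLOB_RE = re.compile(r"0x([0-9a-fA-F]{40,})")
# Packer signature named in the post; the p,a,c,k,e,r form is a variant added here.
PACKER_RE = re.compile(r"eval\(function\(p,a,c,k,e,[dr]\)")


def decode_hex_blobs(text):
    """Decode long 0x... hex blobs into text so that domains hidden inside them become visible."""
    decoded = []
    for match in HEX_BLOB_RE.finditer(text):
        hexdigits = match.group(1)
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]
        raw = bytes.fromhex(hexdigits)
        # Encoded statements are plain ASCII (VARCHAR) or UTF-16LE (NVARCHAR); keep clean text only.
        for encoding in ("ascii", "utf-16-le"):
            try:
                candidate = raw.decode(encoding)
            except UnicodeDecodeError:
                continue
            if candidate.isprintable():
                decoded.append(candidate)
                break
    return decoded


def find_asprox_hits(text):
    """Return the block-listed domains referenced in text, including inside decoded hex blobs."""
    hits = set()
    for chunk in [text] + decode_hex_blobs(text):
        for match in HOST_RE.finditer(chunk):
            host = match.group(1).lower()
            if host in ASPROX_DOMAINS:
                hits.add(host)
    return hits


def scan_log(lines):
    """Scan access-log lines; return ([(line_no, [domains]), ...], Counter of domain frequency)."""
    flagged, counts = [], Counter()
    for number, line in enumerate(lines, 1):
        hits = find_asprox_hits(line)
        if hits:
            flagged.append((number, sorted(hits)))
            counts.update(hits)
    return flagged, counts


def page_is_infected(html):
    """True if served HTML references a listed domain or carries the packer signature."""
    return bool(find_asprox_hits(html)) or PACKER_RE.search(html) is not None


# Constructed samples (not captured traffic). The second log line carries a hex-encoded
# SQL statement in the style of the injection attempts, with the script tag inside it.
INJECTED_SQL = "DECLARE @T VARCHAR(255);SET @T='<script src=http://deryv.ru/js.js></script>';"
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Oct/2008:10:12:01 +0100] "GET /page.asp?id=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [06/Oct/2008:10:13:44 +0100] "GET /page.asp?id=1;DECLARE%20@S%20VARCHAR(4000);'
    'SET%20@S=CAST(0x' + INJECTED_SQL.encode("ascii").hex()
    + '%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 500 0',
    '10.0.0.9 - - [06/Oct/2008:10:15:02 +0100] "GET /other.asp HTTP/1.1" 200 200 "http://mheop.ru/" "Mozilla/4.0"',
]
SAMPLE_HTML = ('<html><body><p>hello</p><script>eval(function(p,a,c,k,e,d){return p}'
               '("x",1,1,[],0,{}))</script></body></html>')

if __name__ == "__main__":
    flagged, counts = scan_log(SAMPLE_LOG)
    for number, domains in flagged:
        print("line %d: %s" % (number, ", ".join(domains)))
    print("domain counts:", dict(counts))
    print("sample page infected:", page_is_infected(SAMPLE_HTML))
```

The hex decoding matters more than the plain domain match: an injection attempt in the log will usually not contain the domain in clear text, only inside the encoded statement, so a grep for "deryv.ru" alone finds the infected pages but not the requests that infected them.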
Labels:
Asprox,
SQL Injection,
Viruses
Monday, 29 September 2008
Nokia's first touchscreen phone....?
There are plenty of rumours that Nokia will announce their "first" touchscreen phone sometime this week, except that it won't be their first touchscreen phone. Here's a look at previous Nokia touchscreen devices which have mostly been forgotten.
Labels:
Phones
Asprox: ctiry.ru, deryv.ru, mentoe.ru, mheop.ru, pormce.ru and xenbv.ru
Another bunch of Asprox domains that have been active over the past few days are listed below. As usual, block these or check your logs for activity.
- ctiry.ru
- deryv.ru
- mentoe.ru
- mheop.ru
- pormce.ru
- xenbv.ru
Labels:
Asprox,
SQL Injection,
Viruses