
Tuesday, 10 March 2009

Classmates trojan: "Should I leave my Crazy Fat Wife for a younger woman?"

An unusual bit of social engineering here:

Subject: Classmates personal message: Please help me to decide which way to choose
From: "Gold - Classmates" online@groups.classmates.com

Special video report March 10, 2009
Message from your group member:

"Should I leave my Crazy Fat Wife for a younger woman? Please look video and Help me
to decide, please ........I need your help,
if possible - Write your opinion on the page wall"


Proceed to open full message text:

(removed)

Sincerely, Leslie Burks.
2009 Classmates Message Center.

If you click on the link (not advisable) you get the following page (hosted on a botnet somewhere):

You are then prompted to install and run a file called Adobemedia10.exe, at which point things will start to go seriously wrong.

The VirusTotal report indicates a very low detection rate for the binary (VBA32 flags it up as Embedded.Rootkit.Win32.Agent.ex). However, the ThreatExpert prognosis shows just how much damage this does, and identifies a C&C server at 58.65.232.17 which is a well-known malware server hosted by black hat hosting outfit Hostfresh.

This looks like a fairly horrible thing to try to clean up, and probably best to recover data, reformat and reinstall.

Friday, 27 February 2009

MikeCahil@gmail.com: "New Jobs"

There are several different layers of fraud and deception when it comes to offering and applying for jobs.

This particular approach is via a spam, and seems to be a deceptive way of offering cheap Indian contractors to companies. India is very much a centre for spam because of very lax laws. In this case "Mike Cahil" is offering to fill roles in a variety of fields, but why would you want to do business with a spammer in any case? Remember the Boulder Pledge.

Originating IP is 59.164.72.134, a subscriber to TATA Communications in India. The netblock is widely listed as being very spammy. A poke around at blacklists indicates that 59.164.0.0/16 is a real spam sewer, and strict mail administrators could consider blocking the entire lot.

From: "Mike Cahil" MikeCahil@gmail.com
Subject: New Jobs

Hi ,

I am doing a check with you, to see if there are any IT or Engineering jobs, I can help you today at [redacted]. I can help fill any Contractor positions or Direct-Hire positions or Contract-to-Hire positions.

Additionally, I can also help in the Accounting / HR / Sales / Management positions too.

Please do reply.

Thanks … Mike

email: [redacted]

Thursday, 26 February 2009

Strange Tripod phish

Why anyone would want to phish for a Tripod account is beyond me, but for some reason webmail accounts seem to be a target. This phish for Tripod credentials has (so far) the following subjects:

Subject: For Tripod user
Subject: Important information from Tripod Team
Subject: Tripod Confirmation Form

The rest of the email is similar to the following:

From: "Tripod Customer Service" support@support.lycos.com


Dear Tripod user!Due to technical issues, the new Tripod software release is
currently on hold. However, a series of enhancements have been made. The new
client-server protocol is one of them. Now you need to complete Tripod Confirmation
Form to update your Tripod account.Please use the link below to access Tripod
Confirmation
Form:http://www.tripod.lycos.com/adm/redirect/www/form/tripodcf.aspx?[redacted]

Sincerely,
The Tripod Team
This message has been automatically generated.
Please do not reply to this message.
For information about the Lycos Privacy Policy Please see:
http://info.lycos.com/privacy
For information about the Terms and Conditions of this service Please see:
http://info.lycos.com/legal

The "http" link is fake; underneath, the real URLs are www.tripod.lycos.comttlfile.eu/adm/redirect/www/form/tripodcf.aspx?=[redacted] and www.tripod.lycos.comproftd.tw/adm/redirect/www/form/tripodcf.aspx?=[redacted]. (I have redacted tracking information.)

Oddly, the .eu and .tw hosts in question do not resolve at the moment; presumably these will be registered later. A trick that spammers sometimes use is to send out the spam and THEN register the domains, in order to trick spam filters.

It's probably a phish, but it could be a drive-by download. In any case, best avoided, and if you HAVE entered details into one of these phishing pages then you should change your Tripod password and the password on any other site that uses the same username / password combination.

Wednesday, 25 February 2009

SQL injection attack: telecom.dgnet.net

This seems to be an emergent threat at this moment - a number of ASP / SQL / Windows sites have been hit with a SQL injection attack with the following injected Javascript: telecom.dgnet.net/images/pen.gif. Yeah, it says GIF, but it isn't.

The site telecom.dgnet.net is at 121.14.137.36. This forwards to another site at www.batnigt.com/ver.htm (and obviously, do NOT visit that site) which tries to run a number of exploits on visitors' PCs, including what appears to be an old ADODB.stream exploit (perhaps MS04-024), the Snapshot Viewer exploit (MS08-041) and some sort of exploit for RealPlayer, plus what MIGHT be an exploit for MS05-020 (but I need to look at this further). If a visitor's PC is up-to-date on Microsoft patches and does not have RealPlayer then it should probably be OK.

If you manage client PCs, then block or monitor for telecom.dgnet.net and batnigt.com. If your server has been infected with this attack then you need to clean up the database and then sanitize your SQL inputs.. try Googling for that term.
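As an added illustration (not code from the original post), here is the string-concatenated query that this class of attack exploits beside its parameterised form, together with a scan-and-strip pass over text columns carrying the injected tag, which is the "clean up the database" step. It uses an in-memory SQLite database with constructed rows in place of a real ASP / SQL Server back end; the table and column names are assumptions, and the injected value is modelled on the telecom.dgnet.net tag described above.

```python
# Added example, not code from the original post: a query built by string
# concatenation beside its parameterised form, plus a scan that finds text
# columns carrying an injected <script src=...> tag so they can be cleaned.
import re
import sqlite3

INJECTED_RE = re.compile(r'<script\s+src="?[^">]*"?\s*>\s*</script>', re.I)

def setup_db() -> sqlite3.Connection:
    # In-memory stand-in for the site's database, seeded with constructed rows;
    # the second row mimics the injected tag described in the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany(
        "INSERT INTO products (name, description) VALUES (?, ?)",
        [
            ("widget", "A plain widget"),
            ("gadget", 'A gadget<script src="http://telecom.dgnet.net/images/pen.gif"></script>'),
        ],
    )
    conn.commit()
    return conn

def product_by_name_unsafe(conn, name: str):
    # Vulnerable: attacker-controlled text is spliced straight into the SQL
    sql = "SELECT id FROM products WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def product_by_name_safe(conn, name: str):
    # Fixed: the value travels as a bound parameter, never as SQL text
    return [row[0] for row in conn.execute("SELECT id FROM products WHERE name = ?", (name,))]

def find_injected(conn, table: str, columns) -> list:
    """Return (id, column) pairs whose text contains an injected script tag.
    table/columns come from the operator's own config, never from user input."""
    hits = []
    for col in columns:
        for row_id, value in conn.execute(f"SELECT id, {col} FROM {table}"):
            if value and INJECTED_RE.search(value):
                hits.append((row_id, col))
    return hits

def strip_injected(conn, table: str, columns) -> int:
    """Remove the injected tag from every flagged cell; returns cells changed."""
    changed = 0
    for row_id, col in find_injected(conn, table, columns):
        (value,) = conn.execute(f"SELECT {col} FROM {table} WHERE id = ?", (row_id,)).fetchone()
        conn.execute(f"UPDATE {table} SET {col} = ? WHERE id = ?", (INJECTED_RE.sub("", value), row_id))
        changed += 1
    conn.commit()
    return changed

if __name__ == "__main__":
    db = setup_db()
    print("injected cells:", find_injected(db, "products", ["name", "description"]))
    print("cleaned:", strip_injected(db, "products", ["name", "description"]))
```

Cleaning the data without fixing the queries just invites the next round of the attack, which is why the two halves belong together: the unsafe function returns every row for a crafted name, the parameterised one returns nothing for the same input.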

Friday, 20 February 2009

CA eTrust woes, Win32/Tnega.AC and widespread update failure

CA eTrust has thrown up a couple of problems - first a false positive identifying Win32/Tnega.AC in the setup.exe for Office 2000 Professional, with signature version 31.6.6361.0.

However, when having a poke at this it turns out that the current version is 31.6.6367 and 6361 is a few days old. A check of our distribution servers shows that every single one of them worldwide failed to download version 31.6.6362 from the CA servers and fell over. This happened at around 2245 GMT on 17/2/09.

Log files are showing the following error: Error [0xc0010003] initializing redistribution job.

If you are running CA eTrust ITM, then it's worth checking that your signatures are up-to-date.

Point Focus LLC: "The offer you can not say no to!"

"The offer you can not say no to!" Really. I betcha I can. My notes are in [square brackets].


Subject: The offer you can not say no to! ["No": just did, did you see that?]

Point Focus LLC is now expanding!

To deal with the international payments processings we are now looking for people willing to facilitate establishing of our all-round-the-globe business connections and assist saving considerably by tax disbursing reduction. This position of the Financial Assistant involves accepting payments from our Australian, UK and US ( rarer Spanish) clients to your account and resending to our partners.

You are getting paid right by the moment you cash the payment. It's the commission in amount equal to 4% out the sum posted on your account. This very amount you're deducting before sending anything out. So, estimated roughly, you can make up to 2000$ extra monthly.
[A straight money mule operation then, laundering stolen money. 4% for basically doing nothing. Except you will never actually get to keep the 4% when the police catch up with you]

Plus, you get:

- flexi-time (usually 2-3 hours a day)
- Saturdays & Sundays off [woo!]

Requirements:

- Have to be aged 21 or above
- No criminal record [don't worry, you will soon get a criminal record if you participate in this scheme]
- Regular Internet access
- Ability to accept payments using your bank account [for the transfer of stolen money, which will be nice and traceable for the cops]
- Ability to resend the money through Western Union [which is NOT traceable, and is therefore money laundering]


If feel qualified, please, attach the following info to start up with:
[information that we should have known if we were offering you a job]
- Fist Name:
- Last Name:
- Age:
- Sex:
- Country
- State, City, Zip
- Phone number (home and cell)
- Valid email address

NOTE!!!! the email address you use to contact us for the first time is: IBCGroup0@gmail.com , in the subject field put "interested".
[odd that the email address doesn't match the one you sent from]

Please, use only mentioned email address, otherwise we'll fail to receive your response.

Originating IP is 92.84.13.66 in Romania. Just say "no".

Tuesday, 17 February 2009

Weird spam #2: "BREAKING NEWS - The Pope has been discharged from his office"

A genuine "wtf" spam here:

Subject: BREAKING NEWS - The Pope has been discharged from his office
From: "Press Officer"

BREAKING NEWS

Feb. 2009 - The Pope has been discharged from his office!

Find out more at Urgent news
[http://208.91.200.49/interspire/link.php?M=00000&N=5&L=1&F=T]

Unsubscribe me from this contact list
[http://208.91.200.49/interspire/link.php?M=00000&N=5&L=2&F=T]

Powered by Interspire

The page 404s. But wait.. the email was sent from 208.91.200.49 and points to the same IP address. And the domain rcigi.com is hosted a few IPs over at 208.91.200.35.

What is rcigi.com? It calls itself the RC-Institute for Global Individuation and hides behind an anonymous domain registration. The site is either a spoof, or perhaps the domain of some religious nutters. It is hard to tell. Interestingly, it is in English and German, and the way the English is written makes me think that it might be a native German speaker writing it.

The site indicates that it is run by a "Dr" Eduard Schellhammer of either Barcelona or Alicante. All the sites linking FROM rcigi.com are registered to Eduard Schellhammer, however it is possible that this is a sophisticated Joe Job and Herr Schellhammer is completely innocent. Still, all very odd.

Weird spam #1: "Warning! Virus detected"

A couple of bits of weird spam today, number one:

Subject: Warning! Virus detected

A possible virus was found in this message.
The virus name is: W32/Netskyb@MM!zip

-----Original Message-----
Hello, check my postcard!
[skipped]
--------------------------

In all cases the links lead to what appears to be a page on a compromised PHP-powered site, but in each case the page comes up with a 404. Is it related to this?

Monday, 16 February 2009

UNYK.com: spam or what?

I really, really hate these contact managers that spam out invites to everyone's contacts. UNYK.com seems to be the latest of these:

Subject: Personal invitation from ****************

Hello,

This is a way to never lose contact.

Finally, a smart and simple way to manage your contacts!

With UNYK, I put all my contacts together in one address book that is automatically updated. One of my contacts changes his or her information at UNYK.com: My address book is updated. I change information at UNYK.com: My contacts’ address books are updated. Simple, but life-changing!

Can I add you as one of my contacts? To accept, click here!

You too can create your own smart address book.

Life-changing my arse.. Plaxo has been doing this for years and that's a pretty worthless application too.

If you are a corporate mail administrator, then my advice has always been to block this kind of rubbish. As you might expect, it comes with some downloads that you probably don't want to let anywhere near your users' PCs, and it is bound to generate a load of support calls asking "is this spam?" / "this looks like a good idea, doesn't it?" / "is this a virus?" / "how do I install this?" etcetera.

No, I'm not saying that UNYK.com is evil in any way, it is just that for many sysadmins this sort of stuff costs real money when the users latch onto it. The best thing to do is apply an IP block to 204.92.8.159 to 204.92.8.220, and hopefully you will never be bothered by UNYK.com again.
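As an added example (not from the original posts), the block below turns the two kinds of block mentioned on this page, the 59.164.0.0/16 netblock in the "New Jobs" post and the 204.92.8.159 to 204.92.8.220 range here, into a check a mail administrator could run against a message's connecting IP. The header sample is constructed; the mx.example.org host name and the blocklist file layout (one entry per line, `#` comments) are assumptions.

```python
# Added example, not code from the original posts: check a message's connecting
# IP against a blocklist that mixes CIDR netblocks with inclusive ranges.
import ipaddress
import re

# Constructed blocklist using the two entries from the posts; comments allowed
BLOCKLIST = [
    "59.164.0.0/16             # TATA Communications netblock, 'New Jobs' spam",
    "204.92.8.159-204.92.8.220 # UNYK.com invitation mailers",
]

def parse_blocklist(lines):
    """Turn 'a.b.c.d/nn' and 'lo-hi' entries into ip_network objects."""
    networks = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()   # drop trailing comments
        if not entry:
            continue
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            networks.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks

def is_blocked(addr: str, networks) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def connecting_ip(headers: str) -> str:
    """Address in the topmost Received: header, i.e. the one our own MTA wrote.
    Lower Received: lines are supplied by the sender and can be forged."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)    # join continuation lines
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
            return m.group(1) if m else ""
    return ""

# Constructed headers modelled on the 'New Jobs' spam (mx.example.org is assumed)
SAMPLE_HEADERS = """\
Received: from unknown (HELO mail) [59.164.72.134]
\tby mx.example.org with SMTP; Fri, 27 Feb 2009 10:00:00 +0000
From: "Mike Cahil" <MikeCahil@gmail.com>
Subject: New Jobs
"""

def should_reject(headers: str, blocklist=BLOCKLIST) -> bool:
    src = connecting_ip(headers)
    return bool(src) and is_blocked(src, parse_blocklist(blocklist))

if __name__ == "__main__":
    print(connecting_ip(SAMPLE_HEADERS), should_reject(SAMPLE_HEADERS))
```

An inclusive range such as 204.92.8.159-220 does not fall on a CIDR boundary, which is why `summarize_address_range` is used to expand it into the handful of prefixes that cover it exactly rather than rounding up to a /26 and catching neighbours you never meant to block.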

Friday, 13 February 2009

BitDefender: Trojan.Generic.1423603 in winlogon.exe

This looks like a false positive: BitDefender is reporting Trojan.Generic.1423603 in C:\windows\system32\winlogon.exe. This name is sometimes used by malware, but in this case no other product is detecting anything malicious.

The current BitDefender pattern is 2640654, pushed out on Friday 13th February (!).

I will post the ThreatExpert prognosis when I get it.. in the meantime I would suggest that you do NOT try to remove winlogon.exe as you will render your system unbootable. (NOTE: Do NOT reboot your machine as this will most likely break it!)

Update: ThreatExpert indicates that it is clean. Several comments confirm that it is a false positive. The problem seems to be on Windows XP SP3, SP2 does not seem to have the same issue. The MD5 for this file is ed0ef0a136dec83df69f04118870003e

It seems that there are several reports at the BitDefender forum. I would guess that BitDefender are aware of the problem; temporarily disabling the anti-virus scanner may be a good idea, else your system may become unusable. Usually these issues are fixed in 24 hours.

Update 2:
If you can't get the winlogon.exe out of quarantine, then this is a copy of the original (English US) file for XP SP3. Use at your own risk - password is "bitdefender".
winlogon_xpsp3.zip

Sunday, 8 February 2009

Good news. Bad news.

A couple of items of interest from The Register:

OpenDNS rolls out Conficker tracking, blocking
This seems like a great idea, especially for small organisations without IDS or traffic monitoring. The problem.. well, OpenDNS has been awfully slow recently and personally I had to stop using it.

Kaspersky breach exposes sensitive database, hacker claims
This looks like a case of an insecure SQL database, leading to a potentially nasty compromise. Kaspersky isn't the first AV vendor to be shown to have poor SQL security. Trend was hit last year, as was CA. In this case, it looks like a potential data breach which is embarrassing. There's no evidence that any Kaspersky product has been compromised, but you can see that it might be possible to leverage credentials exposed in the SQL injection attack and use them elsewhere.

Thursday, 5 February 2009

Snow

It really doesn't usually snow this much around here...

Monday, 2 February 2009

Snow bear

The heaviest snowfall for a zillion years or something in the UK.. it appears to have brought out this snow bear which is lurking in the garden.


I think he's probably harmless enough.

Drive-by cloning of RFID passports

Here's a different type of drive-by attack from the usual one.. security researcher Chris Paget shows that it is possible to read RFID tags from a passing moving vehicle and clone all the information they contain.. for the price of $250 worth of kit off eBay.

UkrTeleGroup vanishes, morphs.

First some good news (via the WaPo Security Fix blog): well known black hat web host UkrTeleGroup appears to have vanished from the internet. The bad news is that it seems to have morphed into a company called Internet Path which is masquerading as a US company.

Unfortunately, it does not appear that this is an Atrivo / McColo / Estdomains style situation where the bad guys are permanently shut down.. yet. But perhaps continued pressure on upstream providers might have some effect.. who knows?

Sunday, 1 February 2009

Uh-oh

No doubt the whole of the south of England will grind to a halt under this stuff, to the amusement of people who get REAL snow.. but a rear wheel drive sports car with no snow tyres is not exactly ideal for these conditions.

"Zhudian Machinery" / zhudian-m.com scam

A strange, tersely worded email from some scammer or other:

Subject: Representative Needed
From: "ZHUDIAN MACHINERY"

How would you feel to work for the Zhudian Machinery and earn good money? Contact Qi
Par via email: employment@zhudian-m.com

How would I feel? Well, alarmed and upset probably when the police kick down my door with a warrant because of the money laundering I've been doing for this so called "Zhudian Machinery".

Oddly, the domain is registered with a set of fake details pointing at the UK:

Domain name: ZHUDIAN-M.COM
Created on: 2008-11-05
Updated on: 2008-11-05
Expires on: 2009-11-05
Registrant Name: PETER LLEWELLYN-JONES
Contact: Peter Llewellyn-Jones
Registrant Address: no 43567 broad street
Registrant City: england
Registrant Postal Code: ch1 1lt
Registrant Country: GB
Administrative Contact Organization: Peter Llewellyn-Jones
Administrative Contact Name: Peter Llewellyn-Jones
Administrative Contact Address: no 43567 broad street
Administrative Contact City: england
Administrative Contact Postal Code: ch1 1lt
Administrative Contact Country: GB
Administrative Contact Email: kedenor@gmail.com
Administrative Contact Tel: +44 701 1130444
Administrative Contact Fax: +44 701 1130444
Technical Contact Organization: Technical Support
Technical Contact Name:
Technical Contact Address: Via A Ponti, 6
Technical Contact City: Bergamo
Technical Contact Postal Code: 24126
Technical Contact Country: IT
Technical Contact Email: support@register.it
Technical Contact Phone: +39 035 3230400
Technical Contact Fax: +39 035 3230312
Primary Name Server Hostname: NS1.REGISTER.IT
Secondary Name Server Hostname: NS2.REGISTER.IT

The "CH1 1LT" postcode given is the Chester Grosvenor Hotel but the rest of the address doesn't match and is clearly nonsense. The +44 701 1130444 number given looks like a UK number, but in fact it's a "follow me anywhere" number that is probably just forwarding to another number outside the UK.

Originating IP address is 206.47.199.87 which is well known for spam. Email address was harvested from a "free webspace provider".

Friday, 23 January 2009

Asprox: dbrgf.ru

Another domain to look for in SQL injection attacks is dbrgf.ru, still calling script.js. Checking your proxy logs for ".ru/script.js" is a good idea at the moment.

It might also be worth checking for the string "google-analitycs" as the attacks redirect through a subdomain containing that mis-spelled phrase.

Wednesday, 21 January 2009

Asprox: lijg.ru and dbrgf.ru

A fresh round of SQL injections seems to be on the march, with (at least) two new domains being injected into vulnerable sites: www.lijg.ru and www.dbrgf.ru, calling a script named script.js.

This script redirects through an IFRAME pointing to google-analitycs.lijg.ru, although the payload is unclear.

Including some older domains, the following domains seem to be active, either calling script.js or style.js.

  • www.lijg.ru
  • www.dbrgf.ru
  • www.bnmd.kz
  • www.nvepe.ru
  • www.mtno.ru
  • www.wmpd.ru
  • www.msngk6.ru
  • www.dft6s.kz
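As an added example (not from the original posts), the following scans web proxy log lines for the indicators from this post and the 23 January one: the listed domains, script.js or style.js fetched from a .ru host, and the mis-spelled google-analitycs subdomain used for the redirect. The log lines are constructed in Squid's native access.log layout; the field positions (time, elapsed, client, status, bytes, method, URL) are assumed.

```python
# Added example, not code from the original posts: run the Asprox indicators
# from the two posts over proxy log lines in Squid native format (assumed).
import re
from urllib.parse import urlsplit

INJECTED_DOMAINS = {
    "www.lijg.ru", "www.dbrgf.ru", "www.bnmd.kz", "www.nvepe.ru",
    "www.mtno.ru", "www.wmpd.ru", "www.msngk6.ru", "www.dft6s.kz",
}
SCRIPT_NAMES = {"script.js", "style.js"}
REDIRECT_MARKER = "google-analitycs"   # deliberate mis-spelling used by the attack

def classify(url: str) -> list:
    """Return the reasons a URL looks like Asprox activity (empty if clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1]
    reasons = []
    if host in INJECTED_DOMAINS:
        reasons.append("known injected domain")
    if host.endswith(".ru") and filename in SCRIPT_NAMES:   # the ".ru/script.js" check
        reasons.append("ru script loader")
    if REDIRECT_MARKER in host:
        reasons.append("google-analitycs redirect")
    return reasons

# time elapsed client status bytes method url ... (Squid native format, assumed)
SQUID_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+\S+\s+(\S+)")

def scan(lines) -> list:
    """Return (timestamp, client, url, reasons) for every suspicious line."""
    hits = []
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue
        ts, client, url = m.groups()
        reasons = classify(url)
        if reasons:
            hits.append((ts, client, url, reasons))
    return hits

# Constructed log lines; 10.x clients and 192.0.2.x servers are placeholders
SAMPLE_LOG = [
    "1232553600.123    45 10.1.2.3 TCP_MISS/200 1234 GET http://www.example.com/index.html - DIRECT/192.0.2.1 text/html",
    "1232553601.456    30 10.1.2.3 TCP_MISS/200 512 GET http://www.lijg.ru/script.js - DIRECT/192.0.2.2 application/x-javascript",
    "1232553602.789    20 10.1.2.3 TCP_MISS/302 300 GET http://google-analitycs.lijg.ru/ - DIRECT/192.0.2.3 text/html",
    "1232553603.000    25 10.1.2.4 TCP_MISS/200 600 GET http://www.nvepe.ru/style.js - DIRECT/192.0.2.4 application/x-javascript",
    "1232553604.000    25 10.1.2.5 TCP_HIT/200 900 GET http://cdn.example.org/static/script.js - NONE/- application/x-javascript",
]

if __name__ == "__main__":
    for ts, client, url, reasons in scan(SAMPLE_LOG):
        print(ts, client, url, ", ".join(reasons))
```

The client address in each hit is the thing to act on: a workstation that fetched script.js from one of these hosts has visited an injected page and is worth a closer look, whether or not the payload fired. A plain grep for ".ru/script.js" does the same job in a pinch, but this version also catches the redirect host, which carries neither a listed domain nor a script name.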
For the record, the domain registrations are as follows:

domain: LIJG.RU
type: CORPORATE
nserver: ns2.lijg.ru. 68.4.124.142
nserver: ns5.lijg.ru. 74.129.255.164
nserver: ns1.lijg.ru. 68.6.180.109
nserver: ns3.lijg.ru. 67.38.2.113
nserver: ns4.lijg.ru. 76.240.151.177
state: REGISTERED, DELEGATED
person: Andrey G Chalkov
phone: +7 495 9385996
e-mail: chalkov@laptopmix.net
registrar: NAUNET-REG-RIPN
created: 2009.01.20
paid-till: 2010.01.20
source: TC-RIPN


domain: DBRGF.RU
type: CORPORATE
nserver: ns5.dbrgf.ru. 74.196.121.117
nserver: ns4.dbrgf.ru. 68.105.25.64
nserver: ns1.dbrgf.ru. 75.156.152.67
nserver: ns2.dbrgf.ru. 68.197.137.239
nserver: ns3.dbrgf.ru. 146.57.249.100
state: REGISTERED, DELEGATED
person: Andrey G Chalkov
phone: +7 495 9385996
e-mail: chalkov@laptopmix.net
registrar: NAUNET-REG-RIPN
created: 2009.01.20
paid-till: 2010.01.20
source: TC-RIPN
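As an added example (not code from the original post), here is a small parser for the RIPN whois format shown above, used to pull out the nameserver addresses and to group domains that share a registrant contact, which is what links lijg.ru and dbrgf.ru to each other. The two records are copied from this post as the sample input.

```python
# Added example, not code from the original post: parse RIPN-style whois
# records into dicts, list each domain's nameserver addresses, and cluster
# domains that share the same registrant person, e-mail and phone.
from collections import defaultdict

def parse_ripn(text: str) -> list:
    """One dict per 'domain:' block; keys that repeat (nserver) become lists."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (p.strip() for p in line.split(":", 1))
        if key == "domain":
            current = {}
            records.append(current)
        if current is None:
            continue               # text before the first domain: line
        if key in current:
            if not isinstance(current[key], list):
                current[key] = [current[key]]
            current[key].append(value)
        else:
            current[key] = value
    return records

def nameserver_ips(record: dict) -> list:
    # "nserver: ns2.lijg.ru. 68.4.124.142" -> the glue address, if one is given
    values = record.get("nserver", [])
    if isinstance(values, str):
        values = [values]
    return [v.split()[1] for v in values if len(v.split()) > 1]

def cluster_by_registrant(records: list) -> dict:
    """Map (person, e-mail, phone) -> sorted list of domains registered with it."""
    clusters = defaultdict(set)
    for rec in records:
        key = (rec.get("person", ""), rec.get("e-mail", ""), rec.get("phone", ""))
        clusters[key].add(rec["domain"].lower())
    return {k: sorted(v) for k, v in clusters.items()}

# Sample input: the two records quoted in the post
SAMPLE_WHOIS = """
domain: LIJG.RU
type: CORPORATE
nserver: ns2.lijg.ru. 68.4.124.142
nserver: ns5.lijg.ru. 74.129.255.164
nserver: ns1.lijg.ru. 68.6.180.109
nserver: ns3.lijg.ru. 67.38.2.113
nserver: ns4.lijg.ru. 76.240.151.177
state: REGISTERED, DELEGATED
person: Andrey G Chalkov
phone: +7 495 9385996
e-mail: chalkov@laptopmix.net
registrar: NAUNET-REG-RIPN
created: 2009.01.20
paid-till: 2010.01.20
source: TC-RIPN

domain: DBRGF.RU
type: CORPORATE
nserver: ns5.dbrgf.ru. 74.196.121.117
nserver: ns4.dbrgf.ru. 68.105.25.64
nserver: ns1.dbrgf.ru. 75.156.152.67
nserver: ns2.dbrgf.ru. 68.197.137.239
nserver: ns3.dbrgf.ru. 146.57.249.100
state: REGISTERED, DELEGATED
person: Andrey G Chalkov
phone: +7 495 9385996
e-mail: chalkov@laptopmix.net
registrar: NAUNET-REG-RIPN
created: 2009.01.20
paid-till: 2010.01.20
source: TC-RIPN
"""

if __name__ == "__main__":
    recs = parse_ripn(SAMPLE_WHOIS)
    for rec in recs:
        print(rec["domain"], rec["created"], nameserver_ips(rec))
    for who, domains in cluster_by_registrant(recs).items():
        print(who, "->", domains)
```

Feeding further whois output into `parse_ripn` and re-running `cluster_by_registrant` is a quick way to see whether a newly spotted domain belongs to the same registration as the ones already on the block list; the nameserver glue addresses are handy to keep alongside the domain names, since they are what the attack's DNS actually answers from.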

Tuesday, 20 January 2009

"Soft Fund Ltd" scam

Soft Fund Ltd is a wholly legitimate Ukrainian company. This email claims to be from Soft Fund Ltd, but isn't.

From: support.softfund@gmail.com

Hello Sir/Madam.

I Alex Feigin,
Director of Soft Fund Ltd specializes in innovative IT solutions and complex software projects development.

My company based in Ukraine. We've earned ourselves a reputation of a reliable and trustworthy partner working successfully with a number of West European companies and providing them with reliable software development services in financial and media sectors. Unfortunately we are currently facing some difficulties with receiving payments for our services. It usually takes us 10-30 days to receive a payment and clearing from your country and such delays are harmful to our business. We do not have so much time to accept every wire transfer.

That's why we are currently looking for partners in your country to help us accept and process these payments faster. If you are looking for a chance to make an additional profit you can become our representative in your country. As our representative you will receive 8% of every deal we conduct. Your job will be accepting funds in the form of wire transfers and forwarding them to us. It is not a full-time job, but rather a very convenient and fast way to receive additional income. We also consider opening an office in your country in the nearest future and you will then have certain privileges should you decide to apply for a full-time job. Please if you are interested in transacting business with us we will be very glad.

Please contact me for more information via email: SoftFundjob@gmail.com

and send us the following information about yourself:

1. Your Full Name as it appears on your resume.
2. Education.
3. Your Contact Address.
4. Telephone/Fax number.
5. Your present Occupation and Position currently held.
6. Your Age

Please respond and we will provide you with additional details on how you can become our representative. Joining us and starting business today will cost you nothing and you will be able to earn a bit of extra money fast and easy. Should you have any questions, please feel free to contact us with all your questions.

Thank you,
Director
Alex Feigin ,
Soft Fund Ltd

Alexander Feigin is a director of the REAL Soft Fund Ltd, but this email is completely fake. It is a standard money mule scam, one of many pretending to be from legitimate IT firms in the Ukraine. Soft Fund Ltd have nothing to do with the email, and you should not respond to it.

The originating IP is 209.239.38.111. Two sample subject lines are "Not give a convenient time for you extra income" and "We work closely together! Additional income for you!". Avoid.