Dynamoo's Blog

Tuesday 14 October 2008

"Habitats Property and Service Inc." fake employement offer

Another bogus employment offer, this time from "Habitats Property and Service Inc", but there appears to be no such firm.. although there are plenty of legitimate companies with similar names who are nothing to do with this. It is most likely a money mule scam or package reshipping, or something similar. Avoid.

Subject: Real Estate company is looking for employees. You was selected.

JOB OFFER FROM: Habitats Property and Service Inc.

Big international company is urgently looking for permanent representatives within the whole territory of the United Kingdom. We need people at the age of 21 to 70 for rather easy work on processing of the incoming orders and performancing of simple management duties.

You don’t need to be a specialized professional or to have special training. We also do not require the working experience in this field; all you need for this job are:

* ability to accurately follow the instructions on the solving the required tasks
* be a confident computer user
* ability to work with MS Word
* ability to work with MS Excel
* have permanent Internet access

This job suits students, mothers, pensioners and people who are looking for the part-time job perfectly well. You need only 2-3 spare hours during the day to fulfill your working duties.

All the candidates will be checked and selected on the competitive basis. To submit your application, please, send us your resume/CV to the following address:

cv08.habitats@googlemail.com

Your request will be considered within 24-48 hours.

Originating IP in this case was 217.15.186.77 in Kazakhstan.

Friday 10 October 2008

FTC: Bank Failures, Mergers and Takeovers: A "Phish-erman's Special"

A timely warning from the FTC on the threat of criminals using the worldwide financial crisis to obtain banking details.. although as seen recently the payload could also be a trojan rather than a phishing attempt.

The FTC say:

If the recent changes in the financial marketplace have you confused, you’re not alone. The financial institution where you did business last week may have a new name today, and your checks and statements may come with a new look tomorrow. A new lender may have acquired your mortgage, and you could be mailing your payments to a new servicer. Procedures for the banking you do online also may have changed. According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, the upheaval in the financial marketplace may spur scam artists to phish for your personal information.

They then go on to offer some excellent tips and examples of what to look out for. As I said before, it's worth warning any end-users you support of this risk because it would be relatively trivial to come up with a scam that looks very convincing indeed, and including a reference to the FTC warning might get at least some of them taking the threat seriously.

Thursday 9 October 2008

securityassurance@microsoft.com - "Security Update for OS Microsoft Windows"

A malicious EXE file is doing the rounds, pretending to be an update from Microsoft and including some social engineering such as a fake PGP signature. The payload is an executable called KB960312.exe. Detection rates are poor, but it's clearly some hideous piece of malware that you really don't want anywhere near your PC.

Subject: Security Update for OS Microsoft Windows
From: "Microsoft Official Update Center"

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS
Microsoft Windows. The update applies to the following OS versions: Microsoft
Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows
XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In
order to help protect your computer against security threats and performance
problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website
http://www.microsoft.com would have result in efficient creation of a malicious
software, we made a decision to issue an experimental private version of an update
for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you
have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS
you have an indication to run all the updates at a background routine. In that case,
at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

3L0SDPQYESHKTVB7P898LE266163YL9LZQ6AU3LYK9JFM85HDX4S5FG0PEUY5HXP0
31Q8WAOREI4H0A7OF4UDTOG8HAXPAZMV91DI6B8XJEQ0636ND3XAWTCOOSNLIGHUN
ZSDHKKLZ099I6Y03BO91DGUTQMMFT0CWMCZQ4G0R0EYMNN199IEG0PKA6CE3ZPAB6
EJ4UN52NIIB4VF78224S7BCNFH3NP9V91T66QV0RKA2KOG0RA0EUM5VY17P41G016
I2YU34EL9XJQGS7C5GMDU4FJUIC3M3ZIAU6==
-----END PGP SIGNATURE-----

Update: KB231660.exe has also been spotted with a different PGP signature, although securityassurance@microsoft.com remains the same. Also KB986008.exe, KB415282.exe, KB985274.exe, KB166277.exe .. probably a load more will be sent out over the next few hours.

Update 2: This has now been picked up by the folks at the ISC.

Citigroup/Wachovia "Security Certificates" trojan

These fake "security certificates" have been around for a while, but it has taken a little time for the Bad Guys to leverage the recent worldwide banking crisis. Expect to see a LOT more of these as more banks struggle or are taken over.

WACHOVIA CORPORATION NOTICE.

Citigroup announced a buyout of Wachovia brokered by the FDIC moments ago.
All Wachovia bank locations will be in the Citigroup merger to prevent failure of Wachovia.
The Citigroup/Wachovia would focus on upgrading banks' security certificates.
All Wachovia customers must fill the forms and complete installation of new Citigroup Standard digital signatures during 48 hours.
Please follow the installation steps below:

Read more here>>

Sincerely, Sophie Burkett.
2008 Wachovia Corporation.
All rights reserved.

The link goes to the insanely named domain commercial [dot] wachovia [dot] online [dot] financial [dot] service [dot] onlineupdate.iawyvy9gcv.bankonline.doexte.gbiexsse.com which is hosted on a fast-flux botnet. The target executable is InstallationPackWachovia.exe located in the root directory which triggers just a few heuristic scanners or generic detections according to VirusTotal.

If you work in IT in any kind of organisation, it is worth sending out a warning to end users to ensure that they are aware of these emails, either at work or at home. The current batch are not particularly credible, but the Bad Guys will probably keep working on their social engineering skills.

Fake "VM-Soft" job offer

VM-SOFT (www.vm-soft.com.ua) is a wholly legitimate Ukranian software developer, whose corporate identity is being used by a third party to perpetrate an apparent Money Mule scam, in an approach almost identical to this earlier fake email for another Ukranian company.

The email copies the name of the director, Viktor Marchenko, and even uses a very similar Gmail address (see the genuine contact page for the real one).

Hello Sir/Madam.

I Viktor Marchenko, I introduce VM-Soft specializes in innovative IT solutions and
complex software projects development.

My company based in Ukraine. We've earned ourselves a reputation of a reliable and
trustworthy partner working successfully with a number of West European companies
and providing them with reliable software development services in financial and
media sectors. Unfortunately we are currently facing some difficulties with
receiving payments for our services. It usually takes us 10-30 days to receive a
payment and clearing from your country and such delays are harmful to our business.
We do not have so much time to accept every wire transfer.

That's why we are currently looking for partners in your country to help us accept
and process these payments faster. If you are looking for a chance to make an
additional profit you can become our representative in your country. As our
representative you will receive 8% of every deal we conduct. Your job will be
accepting funds in the form of wire transfers and forwarding them to us. It is not a
full-time job, but rather a very convenient and fast way to receive additional
income. We also consider opening an office in your country in the nearest future and
you will then have certain privileges should you decide to apply for a full-time
job. Please if you are interested in transacting business with us we will be very
glad.

Please contact me for more information via email: offer.job.vmsoft.ua@gmail.com

and send us the following information about yourself:

Your Full Name as it appears on your resume.
Education.
Your Contact Address.
Telephone/Fax number.
Your present Occupation and Position currently held.
Your Age

Please respond and we will provide you with additional details on how you can become
our representative. Joining us and starting business today will cost you nothing and
you will be able to earn a bit of extra money fast and easy. Should you have any
questions, please feel free to contact us with all your questions.

Sincerely,
Viktor Marchenko ,
VM-Soft

If you're not familiar with this type of scam, then basically it amounts to laundering stolen money.

One important tip usually is that legitimate companies tend not to use free email addresses, but in this case the genuine VM-SOFT does, instead of using its own vm-soft.com.ua domain which is not so helpful.

Increasingly, the scammers use names of genuine companies and even genuine directors. They may register domain names that look confusingly similar to the real thing, so sometimes the only concrete thing that you have to go on is common sense: if it looks too good to be true, then it probably isn't true.

Dating scams, onlineflh.com and 79.135.167.*

I have covered this particular group of dating scam sites before, but this time there's a slight shift in the way that it works. In this case, the parenthesis-laded email looks something like:

hey^) how are you?) do you have a girlfriend?)... i have not boyfriend(( I very
want to meet real men...which will know woman's need ...like in a cinema ... you
know))))lets chat!) i am pretty girl)) I have a lot of time for meetings and if you
have any ideas how to spend it with me... just email me back at
CAROLINE@onlineflh.com and i will reply back with some nice ;) photos with me
...and maybe, you will want to write me again))) CAROLINE@onlineflh.com

Perhaps "Caroline" is trying to data a LISP programmer? There's no website for onlineflh.com, but mail is handled by 79.135.167.51 which is the same as before.. although now the only two websites on that server are Ammae.com and Amnocx.com.

In these circumstances, a tool like Robtex can be useful. It turns out that 79.135.167.51 is a infrastructure server for a number of domains. The IP address noted as belonging to a ROKSO listed spammer, most likely some affiliate of the Russian Business Network (RBN).

Supported domains are:

alllam.com
cardrealc.com
ezshl.com
famplayfit.cn
firstlam.com
flasheon.com
gosfordw.com
llcam.com
morerd.com
onlineflh.com
onlineshl.com
planetflh.com
rdplanet.com
towadapointhalf.cn
virtuellmal.com

The whole 79.135.167.* block is a complete sewer of fake antivirus, dating, medication and codec sites. The netblock is registered to "TTNet Autonomous System Turk Telekom A S Aydinlikevler ANKARA 06103 TURKEY", but most likely under the control of the RBN. There's an interesting writeup about this netblock here.

The Spamhaus DROP list goes further and lists the entire 79.135.160.0/19 block (79.135.160.0 - 79.135.191.255) as being rogue. That's probably overkill as there do seem to be some legitimate (mostly Turkish) websites hosted in that range.

These were more fun when they had a picture of a pretty girl attached.

Monday 6 October 2008

Asprox: deryv.ru still active

The Asprox botnet is still active but has been remarkable stable with no new domains in the past week, and 88% of the traffic going to deryv.ru.

ctiry.ru (3%)
deryv.ru (88%)
mentoe.ru (4%)
mheop.ru (3%)
pormce.ru (2%)

Consistently, the malware code is encrypted with eval(function(p,a,c,k,e,d) presumably to avoid detection by anti-virus software. So, if you only check your logs for / block ONE Asprox domain, then deryv.ru seems to be the one to look at.

Monday 29 September 2008

Nokia's first touchscreen phone....?

There are plenty of rumours that Nokia will announce their "first" touchscreen phone sometime this week.. except that it won't be their first touchscreen phone. Here's a look at previous Nokia touchscreen devices which have mostly been forgotten.

Asprox: ctiry.ru, deryv.ru, mentoe.ru, mheop.ru, pormce.ru and xenbv.ru

Another bunch of Asprox domains that have been active over the past few days are listed below. As usual, block these or check your logs for activity.

ctiry.ru
deryv.ru
mentoe.ru
mheop.ru
pormce.ru
xenbv.ru

Thursday 25 September 2008

Asprox: "eval(function(p,a,c,k,e,r)"

There has been a slight shift in tactics by the Asprox gang in their SQL Injection Attacks in that they are now using a packer on their javascript. This doesn't seem to be for obfuscation reasons, as the script is relatively easy to decode. Presumably it's a way to get around virus and link scanners. (Click the image below for an example)

You can decode it easily enough by adding eval=alert; to the start of the script (follow the instructions here), but never mess around with malware scripts on a vulnerable production system because it is very easy to get infected.

mnicbre.ru and vtg43.ru seem to be two active domains, although perhaps check for all the ones on this list to be safe.

Packing tools are an easy way to avoid detection.. at least temporarily. But given the prevalence
of Javascript-based malware and the ever-increasing availability of bandwidth, Javascript packing is becoming an increasingly bad practice. There have been a couple of high-profile cases where a packing tool has effectively been blacklisted by anti-virus products (here and here), so perhaps if you use Javascript extensive and use a packing tool you might want to reconsider how you deploy Javascript on your site.

Wednesday 24 September 2008

Asprox: h3x.info

Briefly popping up on the Asprox SQL Injection radar yesterday was h3x.info, specifically a call to h3x.info/index.php [dangerous site, do not visit].

h3x.info doesn't fit the normal pattern, perhaps it has been rotated in as a test. What's certain is that this is a malware distribution site.. and a pretty scary one at that.

Let's look at the domain details first of all. As you might expect, they're mostly bogus:

Domain ID
D23859712-LRMS
Domain Name
H3X.INFO
Created On
19-Feb-2008 22:04:56 UTC
Last Updated On
27-Aug-2008 12:38:06 UTC
Expiration Date
19-Feb-2009 22:04:56 UTC
Sponsoring Registrar
Registrar Company, INC (R315-LRMS)
Status
OK
Registrant ID
DI_7764637
Registrant Name
Alex
Registrant Organization
Vteam
Registrant Street1
vol. str. 221-122, 12
Registrant Street2

Registrant Street3

Registrant City
Novie
Registrant State/Province
Aveiro
Registrant Postal Code
19923
Registrant Country
PT
Registrant Phone
+12.56231321
Registrant Phone Ext.

Registrant FAX

Registrant FAX Ext.

Registrant Email
cy@bk.ru

[..snip..]

Name Server
ns1.mbhost.ru
Name Server
ns2.mbhost.ru

The domain itself is on 80.90.114.13 which appears to be a general purpose server belonging to Smartlogic Ltd in Moscow. There's no evidence to connect Smartlogic to this site, other than it belongs to a customer.. overall they seem to be a pretty clean outfit.

Visiting the top level of the h3x.info site (or the index.php page) reveals a very impressive bit of obfuscated scripting (a copy is here - h3x-info.zip - ZIP password is virus). There are some recognisable references to Outlook Express, Snapshot (probably MS08-041), Apple QuickTime (take your pick), plus an infected PDF (from hxxp:||h3x.info|cache|doc.pdf) variously identified as Exploit.HTML.Agent.AO [BitDefender] and Mal/JSShell-B [Sophos] (full VirusTotal report here) but otherwise detection rates are very poor.

Looking at the WHOIS history, it's quite possible that the h3x.info domain has been hijacked, so perhaps it will be cleaned up in the future. At the moment it does seem to be an interesting repository of malware if you're a researcher.

It was only active for a short while at about 1000 UTC (1100 BST, 1200 CET) on 23rd September before reverting to the same .ru domains that have been active for a few days.

Tuesday 23 September 2008

T-Mobile G1

It's kind of hard to tell if the T-Mobile G1 is the next big thing or just some sort of damp squib. It may not look as impressive as the iPhone on the top, but underneath the G1's Android operating system looks promising.

Oddly enough, it got me thinking about how I use my own phone.. and I tend to use web access more than anything else, but make only a couple of phone calls on it a week, sometimes I will listed to music or snap a photograph. I think I tried video calling once. So perhaps this G1 thingie is actually more in line with what a lot of sad geeky people like me actually want.

Anyway, this comes out in October in the US, November in the UK and early next year for other T-Mobile customers. Some more pictures are here.

Thursday 18 September 2008

Asprox: mnbenio.ru

mnbenio.ru is a new Asprox SQL injection domain that has been active in the past 24 hours, the following four domains are the most active:

mnbenio.ru
mnicbre.ru
pkseio.ru
vtg43.ru

It does seem that the SQL injection attacks are becoming less widespread, probably partly because SQL servers are being hardened, but some vulnerable SQL servers have remained untouched by the latest round of attacks. Possibly the SQL injection gangs are concentrating on bigger fish? Like the recent attack on BusinessWeek.com perhaps?

Wednesday 17 September 2008

Asprox: mnicbre.ru, pkseio.ru and vtg43.ru

The domains used in the Asprox SQL Injection attacks have been stable for a few days now, but yesterday some new .ru domains appeared: mnicbre.ru, pkseio.ru and vtg43.ru. The domains are registered through NAUNET again with the following registation details:

domain: MNICBRE.RU
type: CORPORATE
nserver: ns2.mnicbre.ru. 75.181.3.122
nserver: ns3.mnicbre.ru. 68.197.137.239
nserver: ns1.mnicbre.ru. 76.240.151.177
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 772 7727091
fax-no: +7 772 7727091
e-mail: retyi1111@yahoo.com
registrar: NAUNET-REG-RIPN
created: 2008.09.16
paid-till: 2009.09.16
source: TC-RIPN

The following domains have been active over the past 24 hours. Block these or check your logs for them (new ones are in bold):

22net.ru
64asp.ru
92prt.ru
acr34.ru
asl39.ru
fst9.ru
mnicbre.ru
pkseio.ru
sel92.ru
vtg43.ru

Saturday 13 September 2008

Doug Stanhope

I first stumbled across US stand-up comic Doug Stanhope [link probably NSFW] some years ago and was in equal parts horrified and amused by his work. By chance, I found out that he was in the UK (at the Leicester Square Theatre) so Mrs Dynamoo and myself booked some tickets to go and see him live.

You have to understand that Stanhope is pretty much the definition of "edgy". He seems to have no taboos and no fear.. as long as he's had some beer. Understand that some of his topics include suicide, gynaecology, death, drug abuse, overpopulation, abortion and Sarah Palin. Sometimes combined (don't click if you are offended by.. well, offensive stuff).

Even people who aren't easily offended are likely to be offended by something he will say. But on the other hand, perhaps some of those observations on the human condition are more profound than you would think.

So, Stanhope was on form and really, really funny. And yes.. there were several times when I thought "no.. he can't be saying that!". I could go into details, but if you like this kind of thing then it would spoil the surprise... I think it's the first time I've ever had to watch a gig like this from between my fingers.

Anyway, Stanhope is in London and Manchester for most of September, and then back in the US doing a tour for October and November (itinerary here). Or you could purvey yourself one of his fine DVDs on Amazon.

Thursday 11 September 2008

Dating scams

Dating scams are usually a variant of the advanced fee fraud - some pretty girl (probably some ugly bloke in reality) sends you some random photos and explains that they want to move to your country and move in with you.. but can they have some money first? The basic operation of these scams is described here. To make it look more credible, sometimes fake dating sites are set up to give the whole thing an air of legitimacy.

This current batch of fake sites is being advertised with an email similar to the following:

i need you

i am Nice Girl good looking girl who is looking to chat with you.
e-mail me back at UcWkS@lam2you.com

i will reply back with some really nice pictures.

The domain lam2you.com has a corresponding web site on 79.135.167.51 calling itself "Online sexiest dating site". As it happens, there are a whole bunch of other domains on the same server, also describing themselves as "Online sexiest dating site", all best avoided.

Amnocx.com
Anandaperumal.com
Bardline.com
Benrd.com
Bestdre.info
Cardrealc.com
Centralrd.com
Cowarddean.com
Direktmal.com
Dracingsite.info
Dracingworld.info
Draic.info
Dreguide.info
Drkin.info
Drmarksite.info
Drmarkworld.info
Drseusssite.info
Equipyard.com
Evram.info
Ezelive.info
Ezrdhome.com
Firstlam.com
Fordhx.com
Frcis.info
Freegbl.info
Freeksite.info
Freeldp.info
Friguide.info
Frutis-basket.info
Gardevin.com
Gbbed.info
Gbizc.info
Gbladx.info
Gblhome.info
Gblwizard.info
Gbowrxx.info
Glocentral.info
Gloplanet.info
Gobobrom.com
Gocarthq.com
Gocartutah.com
Goldpug.info
Gosfordw.com
Greatrom.com
Guyvr.info
Hardjam.com
Hote2youx.info
Hyperlam.com
Imalonline.com
Justgbl.info
Justrd.com
Justvre.info
Ldphome.info
Ldpwizard.info
Lesdv.com
Lesjr.com
Letsgocart.com
Lgbidxx.info
Maldirekt.com
Malkostenlos.com
Malplatz.com
Malprojekt.com
Malwelt.com
Malzentrale.com
Mediagocart.com
Medmallist.com
Meinmal.com
Menziesmalvern.com
Moonboardm.com
Morerd.com
Mygbl.info
Nitgbx.info
Nvromx.info
Officialgbl.info
Officialldp.info
Officialrd.com
Oldpee.info
Onlinegbl.info
Ovrom.info
Pacanimal.com
Phillymedicalmal.com
Qualitaetmal.com
Razales.com
Rd2you.com
Rdnation.com
Rdplanet.com
Saravanaperumal.com
Searchesrom.com
Shemalglobal.com
Supergbl.info
Superldp.info
Superrd.com
Superromics.com
Tomalonline.com
Topeguidex.info
Virtualgbl.info
Virtualglo.info
Virtualldp.info
Virtuellmal.com
Vrehome.info
Warmalonline.com
Wildpin.info
Wirelesamerica.com
Wizardrd.com
Worldpivot.info
Worldplayservices.info
Yourfr.info
Yourgbl.info
Yourldp.info
Capvr.info
Davidre.info
Virtualvre.info
Vreproject.info
Vrewizard.info

One thing of note is that the name servers used here are ns1.droreal.com and ns2.droreal.com which appears to be a domain name used to support other dating scam sites.

Asprox: 22net.ru, 4net9.ru, 64asp.ru, 92prt.ru and fst9.ru

These are the domains active in the Asprox SQL Injection attack in the past 24 hours, new ones are in bold. Block these and/or check your logs for them.

22net.ru
4net9.ru
51com.ru
64asp.ru
92prt.ru
acr34.ru
fst9.ru
sel92.ru

Wednesday 10 September 2008

SpamCop phish

Some people will phish for anything - in this case they are trying to get access to SpamCop accounts. Go figure. Reply to address is 2020sarah@live.com.

Subject: UPDATE YOUR ACCOUNT / SPAMCOP.NET
From: "Admin@spamcop.net"
Date: Wed, September 10, 2008 4:54 pm
Cc: recipient list not shown:;
Priority: Normal

This is a WebNews Email Account Update
Please see the bottom of this mailing on this information.
-----------------------------------------------------------
SPAMCOP.NET WEBMAIL
INTERNET SERVICE WEBSITE WISH TO INFORM YOU THAT WE HAVE
SOME PROBLEMS ABOUT EACH CUSTOMER ACCOUNT EMAIL. DUE TO
ERROR CODE 334409.

WE DISCOVERD THAT IN FEW DAYS FROM NOW EACH CUSTOMER WILL
NOT BE ABLE TO ACCESS HIS OR HER EMAIL ACCOUNT. IN THAT
REGARD,YOU ARE REQUIRED TO SEND YOUR EMAIL ADDRESS AND
PASSWORD FOR A NEW ACCOUNT UPDATE.

YOU ARE ADVISED TO IMMEDIATELY SEND US THE REQUIRED
INFORMATION SO AS TO ENABLE US IMMEDIATELY UPDATE YOUR
ACCOUNT.

Note:You have to understand that the reason why we are not
sending this message from our own private account.This is
due to some technical problem we are having right now.

BELOW THE INFORMATION RQRUIRED FOR ACCOUT UPDATE

1)Full Email Address:
2)password:
3)date of birth:

Thanks for your understanding.

SPAMCOP.NET WEBMAIL INTERNET SERVICE

PestPatrol: SillyDl FFL in wuauclt.exe

It looks like CA PestPatrol might have a false positive, detecting SillyDl FFL in C:\windows\system32\wuauclt.exe. This is a component of Windows Update, and in the case of the false positive it is a 124,184 byte file with an internal version number of 5.8.0.2469.

PestPatrol does not appear to be trying to delete the file, it is merely blocking access to it. Updating your Windows Update components should clear the problem. CA usually fix these false positives in a day or so.

The current signature version is 2008.9.9.15. Note that the PestPatrol engine is used in some other products, not all of which have the CA name on them.

Asprox: net83.ru, acr34.ru, asl39.ru and net83.ru

Another bunch of very fresh Asprox domains being used in the Asprox SQL Injection attack, registered at Naunet to email address retyi111@yahoo.com. Check your logs or block access to these sites.

51com.ru
acr34.ru
asl39.ru
net83.ru