Sponsored by..

Tuesday 21 October 2008

"Data request" trojan

Another EXE-in-ZIP-disguised-as-a-DOC trojan, similar to this one.

Subject: Data request
From: "Billy Roark"


Please find the document attached to this message. The report was issued today.
Requested account details have been altered successfully.

Thank you for contacting us.

Respectfully,
Billy
The attachment in this case is called Statement_January-October.zip and contains an executable named Statement_January-October.doc[44 spaces].exe. The blank spaces are designed to push the .exe part of the filename down so that it is invisible.

It is a different binary from yesterday with better detection rates. But the best cure for this is avoidance, and blocking EXEs-in-ZIPs is the best cure.

Monday 20 October 2008

"Report Jan-Oct." trojan


This fake email contains an EXE in a ZIP designed to look like a Word document (complete with authentic looking icon), in this case "Statement1-10.doc .exe" (there are 75 spaces in the filename that blogger strips out)

Subject: [name] Report Jan-Oct.
From: "Clara Slaughter"

Dear Customer,

As you requested, we are sending you this report with details on your account
transactions made between 1/1/2008 and 10/1/2008.

At your service,
Clara
The attached ZIP file is called Statement1-10.zip. VirusTotal shows detection is poor with what look like generic detections only.

If you mail filter allows it, you should block EXEs in ZIP files. Postini allows this, I guess other filtering services do too.

Thursday 16 October 2008

"LV Electronics Inc." job offer scam

There are plenty of legitimate companies called "LV Electronics", but this job offer is not from one of them. In this case, the originating IP was 91.77.116.141 in Russia.




Subject: Job offer in the United States.

Greetings.

LV Electronics Inc. is searching for hardworking person, that will represent our
branch in local area.

The required country: UNITED STATES ONLY! (all states).

Prior experience is not necessary; entry level admin, customer service and good
people skills are all you need.
Perfect for anyone who wants to work from home and spend more time with their
family, or just make some extra money.
Be debt free fast making an additional $4,000-12,000 A MONTH!

WRITE US AND APPLY NOW: lvelectronicsinc@aol.com


Fake job offer: ias-jobs.org

One of a series of fake job offers that are doing the rounds, this time promoting a company called IAG ("Internet Auction Service"). It's most likely a money mule scam (i.e. money laundering), or package reshipping (handling stolen goods) or something similar. Avoid.



Subject: Current Vacancy at IAG

Internet Auction Service provides business support, retail distribution, franchise
operations,
direct sales, and a variety of auction as well as accounting and billing services.

We are currently recruiting for the positions of Virtual Office Assistants in the
United
Kingdom, part-time and full-time available. The positions focus on providing
administrative
assistance in online sales.

Part-time and full-time positions available:

Part-time: 3 hours per day during either one of these shifts:
9:00am-12:00pm 11:00am-2:00pm 12:00pm-3:00pm 2:00pm-5:00pm

Full Time: 6 hours per day during either one of these shifts:
9:00am-3:00pm 11:00am-5:00pm

Salary:

Part-time: 1,100GBP/month plus commission
Full-time: 2,200GBP/month plus commission

Professional Qualities:
- Customer focused decision maker
- Demonstrates a high level of personal accountability
- Thinks about the team first over personal agendas
- Learning adaptive
- Process driven

Basic Requirements for Virtual Office Assistant:
- Internet Access
- Microsoft Office
- Basic Accounting skills

If you are interested in this position please send us an email to
Jennifer.Edwards@ias-jobs.org
expressing your interest and we will forward you the detailed job description and
the agreement.

Best regards,
IAS Team



Unusually, the domain ias-jobs.org has been registered for these purposes. www.ias-jobs.org is hosted on 89.218.205.90 in Kazakhstan (again). Mail is handled by 12.192.82.225 in the US which is unusual. Nameservers are ns1.eurogolden.net (194.150.120.47) and ns2.eurogolden.net (62.157.74.89) which all tie into this scam. utl-jobs.com and korkdevelopers.com can also be tied into this.

As a general rule, you should always avoid job offers from companies that you cannot verify exist in real life.

Asprox: lang42.ru

Another Asprox SQL injection domain to block / check for is lang42.ru. The following domains have been active in the past 24 hours:
  • 53refer.ru
  • chk06.ru
  • driver95.ru
  • errghr.ru
  • lang42.ru
  • netcfg9.ru
  • sitevgb.ru
  • vrelel.ru
As I've said before, completely blocking access to .ru domains for most businesses would be a huge problem. Most .ru sites are in Russian, and if you don't use Russian in your business they you can probably live without them.

Wednesday 15 October 2008

Asprox: new domains

After being stable for some time, the Asprox SQL injection hacks are now redirecting through a new bunch of .ru domains.
  • 30area.ru
  • 4log-in.ru
  • 53refer.ru
  • chk06.ru
  • driver95.ru
  • errghr.ru
  • netcfg9.ru
  • sitevgb.ru
  • vrelel.ru
WHOIS details are:

domain: ERRGHR.RU
type: CORPORATE
nserver: ns2.errghr.ru. 68.6.180.109
nserver: ns3.errghr.ru. 68.12.194.192
nserver: ns1.errghr.ru. 199.126.149.144
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 772 7727727
fax-no: +7 772 7727727
e-mail: retyi111@yahoo.com
registrar: NAUNET-REG-RIPN
created: 2008.10.09
paid-till: 2009.10.09
source: TC-RIPN

retyi111@yahoo.com has been used before for these domains and various other nasties. As usual, block these domains and/or check your logs for them.

Tuesday 14 October 2008

What the heck is Win32/Puloagem.B?

I've had a few CA-Vet alerts for Win32/Puloagem.B recently, with pretty sparse information on what Puloagem actually is. If you're being plagued with this, then it's worth knowing that this is basically just a variant of Zlob and it's a variety of fake anti-virus software. In our case, the executable was named winrar.exe.

VirusTotal has a good list of aliases, so if you're struggling with it then you can use some of the other names as references.

"Habitats Property and Service Inc." fake employement offer


Another bogus employment offer, this time from "Habitats Property and Service Inc", but there appears to be no such firm.. although there are plenty of legitimate companies with similar names who are nothing to do with this. It is most likely a money mule scam or package reshipping, or something similar. Avoid.

Subject: Real Estate company is looking for employees. You was selected.

JOB OFFER FROM: Habitats Property and Service Inc.

Big international company is urgently looking for permanent representatives within the whole territory of the United Kingdom. We need people at the age of 21 to 70 for rather easy work on processing of the incoming orders and performancing of simple management duties.

You don’t need to be a specialized professional or to have special training. We also do not require the working experience in this field; all you need for this job are:

* ability to accurately follow the instructions on the solving the required tasks
* be a confident computer user
* ability to work with MS Word
* ability to work with MS Excel
* have permanent Internet access

This job suits students, mothers, pensioners and people who are looking for the part-time job perfectly well. You need only 2-3 spare hours during the day to fulfill your working duties.

All the candidates will be checked and selected on the competitive basis. To submit your application, please, send us your resume/CV to the following address:

cv08.habitats@googlemail.com

Your request will be considered within 24-48 hours.

Originating IP in this case was 217.15.186.77 in Kazakhstan.

Friday 10 October 2008

FTC: Bank Failures, Mergers and Takeovers: A "Phish-erman's Special"

A timely warning from the FTC on the threat of criminals using the worldwide financial crisis to obtain banking details.. although as seen recently the payload could also be a trojan rather than a phishing attempt.

The FTC say:
If the recent changes in the financial marketplace have you confused, you’re not alone. The financial institution where you did business last week may have a new name today, and your checks and statements may come with a new look tomorrow. A new lender may have acquired your mortgage, and you could be mailing your payments to a new servicer. Procedures for the banking you do online also may have changed. According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, the upheaval in the financial marketplace may spur scam artists to phish for your personal information.
They then go on to offer some excellent tips and examples of what to look out for. As I said before, it's worth warning any end-users you support of this risk because it would be relatively trivial to come up with a scam that looks very convincing indeed, and including a reference to the FTC warning might get at least some of them taking the threat seriously.

Thursday 9 October 2008

securityassurance@microsoft.com - "Security Update for OS Microsoft Windows"

A malicious EXE file is doing the rounds, pretending to be an update from Microsoft and including some social engineering such as a fake PGP signature. The payload is an executable called KB960312.exe. Detection rates are poor, but it's clearly some hideous piece of malware that you really don't want anywhere near your PC.




Subject: Security Update for OS Microsoft Windows
From: "Microsoft Official Update Center"

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS
Microsoft Windows. The update applies to the following OS versions: Microsoft
Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows
XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In
order to help protect your computer against security threats and performance
problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website
http://www.microsoft.com would have result in efficient creation of a malicious
software, we made a decision to issue an experimental private version of an update
for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you
have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS
you have an indication to run all the updates at a background routine. In that case,
at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.


Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

3L0SDPQYESHKTVB7P898LE266163YL9LZQ6AU3LYK9JFM85HDX4S5FG0PEUY5HXP0
31Q8WAOREI4H0A7OF4UDTOG8HAXPAZMV91DI6B8XJEQ0636ND3XAWTCOOSNLIGHUN
ZSDHKKLZ099I6Y03BO91DGUTQMMFT0CWMCZQ4G0R0EYMNN199IEG0PKA6CE3ZPAB6
EJ4UN52NIIB4VF78224S7BCNFH3NP9V91T66QV0RKA2KOG0RA0EUM5VY17P41G016
I2YU34EL9XJQGS7C5GMDU4FJUIC3M3ZIAU6==
-----END PGP SIGNATURE-----




Update: KB231660.exe has also been spotted with a different PGP signature, although securityassurance@microsoft.com remains the same. Also KB986008.exe, KB415282.exe, KB985274.exe, KB166277.exe .. probably a load more will be sent out over the next few hours.

Update 2: This has now been picked up by the folks at the ISC.

Citigroup/Wachovia "Security Certificates" trojan

These fake "security certificates" have been around for a while, but it has taken a little time for the Bad Guys to leverage the recent worldwide banking crisis. Expect to see a LOT more of these as more banks struggle or are taken over.

WACHOVIA CORPORATION NOTICE.

Citigroup announced a buyout of Wachovia brokered by the FDIC moments ago.
All Wachovia bank locations will be in the Citigroup merger to prevent failure of Wachovia.
The Citigroup/Wachovia would focus on upgrading banks' security certificates.
All Wachovia customers must fill the forms and complete installation of new Citigroup Standard digital signatures during 48 hours.
Please follow the installation steps below:

Read more here>>

Sincerely, Sophie Burkett.
2008 Wachovia Corporation.
All rights reserved.

The link goes to the insanely named domain commercial [dot] wachovia [dot] online [dot] financial [dot] service [dot] onlineupdate.iawyvy9gcv.bankonline.doexte.gbiexsse.com which is hosted on a fast-flux botnet. The target executable is InstallationPackWachovia.exe located in the root directory which triggers just a few heuristic scanners or generic detections according to VirusTotal.


If you work in IT in any kind of organisation, it is worth sending out a warning to end users to ensure that they are aware of these emails, either at work or at home. The current batch are not particularly credible, but the Bad Guys will probably keep working on their social engineering skills.

Fake "VM-Soft" job offer

VM-SOFT (www.vm-soft.com.ua) is a wholly legitimate Ukranian software developer, whose corporate identity is being used by a third party to perpetrate an apparent Money Mule scam, in an approach almost identical to this earlier fake email for another Ukranian company.

The email copies the name of the director, Viktor Marchenko, and even uses a very similar Gmail address (see the genuine contact page for the real one).


Hello Sir/Madam.


I Viktor Marchenko, I introduce VM-Soft specializes in innovative IT solutions and
complex software projects development.

My company based in Ukraine. We've earned ourselves a reputation of a reliable and
trustworthy partner working successfully with a number of West European companies
and providing them with reliable software development services in financial and
media sectors. Unfortunately we are currently facing some difficulties with
receiving payments for our services. It usually takes us 10-30 days to receive a
payment and clearing from your country and such delays are harmful to our business.
We do not have so much time to accept every wire transfer.


That's why we are currently looking for partners in your country to help us accept
and process these payments faster. If you are looking for a chance to make an
additional profit you can become our representative in your country. As our
representative you will receive 8% of every deal we conduct. Your job will be
accepting funds in the form of wire transfers and forwarding them to us. It is not a
full-time job, but rather a very convenient and fast way to receive additional
income. We also consider opening an office in your country in the nearest future and
you will then have certain privileges should you decide to apply for a full-time
job. Please if you are interested in transacting business with us we will be very
glad.


Please contact me for more information via email: offer.job.vmsoft.ua@gmail.com

and send us the following information about yourself:

Your Full Name as it appears on your resume.
Education.
Your Contact Address.
Telephone/Fax number.
Your present Occupation and Position currently held.
Your Age

Please respond and we will provide you with additional details on how you can become
our representative. Joining us and starting business today will cost you nothing and
you will be able to earn a bit of extra money fast and easy. Should you have any
questions, please feel free to contact us with all your questions.

Sincerely,
Viktor Marchenko ,
VM-Soft



If you're not familiar with this type of scam, then basically it amounts to laundering stolen money.

One important tip usually is that legitimate companies tend not to use free email addresses, but in this case the genuine VM-SOFT does, instead of using its own vm-soft.com.ua domain which is not so helpful.

Increasingly, the scammers use names of genuine companies and even genuine directors. They may register domain names that look confusingly similar to the real thing, so sometimes the only concrete thing that you have to go on is common sense: if it looks too good to be true, then it probably isn't true.

Dating scams, onlineflh.com and 79.135.167.*

I have covered this particular group of dating scam sites before, but this time there's a slight shift in the way that it works. In this case, the parenthesis-laded email looks something like:

hey^) how are you?) do you have a girlfriend?)... i have not boyfriend(( I very
want to meet real men...which will know woman's need ...like in a cinema ... you
know))))lets chat!) i am pretty girl)) I have a lot of time for meetings and if you
have any ideas how to spend it with me... just email me back at
CAROLINE@onlineflh.com and i will reply back with some nice ;) photos with me
...and maybe, you will want to write me again))) CAROLINE@onlineflh.com

Perhaps "Caroline" is trying to data a LISP programmer? There's no website for onlineflh.com, but mail is handled by 79.135.167.51 which is the same as before.. although now the only two websites on that server are Ammae.com and Amnocx.com.

In these circumstances, a tool like Robtex can be useful. It turns out that 79.135.167.51 is a infrastructure server for a number of domains. The IP address noted as belonging to a ROKSO listed spammer, most likely some affiliate of the Russian Business Network (RBN).

Supported domains are:
  • alllam.com
  • cardrealc.com
  • ezshl.com
  • famplayfit.cn
  • firstlam.com
  • flasheon.com
  • gosfordw.com
  • llcam.com
  • morerd.com
  • onlineflh.com
  • onlineshl.com
  • planetflh.com
  • rdplanet.com
  • towadapointhalf.cn
  • virtuellmal.com
The whole 79.135.167.* block is a complete sewer of fake antivirus, dating, medication and codec sites. The netblock is registered to "TTNet Autonomous System Turk Telekom A S Aydinlikevler ANKARA 06103 TURKEY", but most likely under the control of the RBN. There's an interesting writeup about this netblock here.

The Spamhaus DROP list goes further and lists the entire 79.135.160.0/19 block (79.135.160.0 - 79.135.191.255) as being rogue. That's probably overkill as there do seem to be some legitimate (mostly Turkish) websites hosted in that range.

These were more fun when they had a picture of a pretty girl attached.

Monday 6 October 2008

Asprox: deryv.ru still active

The Asprox botnet is still active but has been remarkable stable with no new domains in the past week, and 88% of the traffic going to deryv.ru.

  • ctiry.ru (3%)
  • deryv.ru (88%)
  • mentoe.ru (4%)
  • mheop.ru (3%)
  • pormce.ru (2%)

Consistently, the malware code is encrypted with eval(function(p,a,c,k,e,d) presumably to avoid detection by anti-virus software. So, if you only check your logs for / block ONE Asprox domain, then deryv.ru seems to be the one to look at.

Monday 29 September 2008

Nokia's first touchscreen phone....?

There are plenty of rumours that Nokia will announce their "first" touchscreen phone sometime this week.. except that it won't be their first touchscreen phone. Here's a look at previous Nokia touchscreen devices which have mostly been forgotten.

Asprox: ctiry.ru, deryv.ru, mentoe.ru, mheop.ru, pormce.ru and xenbv.ru

Another bunch of Asprox domains that have been active over the past few days are listed below. As usual, block these or check your logs for activity.

  • ctiry.ru
  • deryv.ru
  • mentoe.ru
  • mheop.ru
  • pormce.ru
  • xenbv.ru

Thursday 25 September 2008

Asprox: "eval(function(p,a,c,k,e,r)"

There has been a slight shift in tactics by the Asprox gang in their SQL Injection Attacks in that they are now using a packer on their javascript. This doesn't seem to be for obfuscation reasons, as the script is relatively easy to decode. Presumably it's a way to get around virus and link scanners. (Click the image below for an example)

You can decode it easily enough by adding eval=alert; to the start of the script (follow the instructions here), but never mess around with malware scripts on a vulnerable production system because it is very easy to get infected.

mnicbre.ru and vtg43.ru seem to be two active domains, although perhaps check for all the ones on this list to be safe.

Packing tools are an easy way to avoid detection.. at least temporarily. But given the prevalence
of Javascript-based malware and the ever-increasing availability of bandwidth, Javascript packing is becoming an increasingly bad practice. There have been a couple of high-profile cases where a packing tool has effectively been blacklisted by anti-virus products (here and here), so perhaps if you use Javascript extensive and use a packing tool you might want to reconsider how you deploy Javascript on your site.

Wednesday 24 September 2008

Asprox: h3x.info

Briefly popping up on the Asprox SQL Injection radar yesterday was h3x.info, specifically a call to h3x.info/index.php [dangerous site, do not visit].

h3x.info doesn't fit the normal pattern, perhaps it has been rotated in as a test. What's certain is that this is a malware distribution site.. and a pretty scary one at that.

Let's look at the domain details first of all. As you might expect, they're mostly bogus:

Domain ID
D23859712-LRMS
Domain Name
H3X.INFO
Created On
19-Feb-2008 22:04:56 UTC
Last Updated On
27-Aug-2008 12:38:06 UTC
Expiration Date
19-Feb-2009 22:04:56 UTC
Sponsoring Registrar
Registrar Company, INC (R315-LRMS)
Status
OK
Registrant ID
DI_7764637
Registrant Name
Alex
Registrant Organization
Vteam
Registrant Street1
vol. str. 221-122, 12
Registrant Street2

Registrant Street3

Registrant City
Novie
Registrant State/Province
Aveiro
Registrant Postal Code
19923
Registrant Country
PT
Registrant Phone
+12.56231321
Registrant Phone Ext.

Registrant FAX

Registrant FAX Ext.

Registrant Email
cy@bk.ru

[..snip..]

Name Server
ns1.mbhost.ru
Name Server
ns2.mbhost.ru
The domain itself is on 80.90.114.13 which appears to be a general purpose server belonging to Smartlogic Ltd in Moscow. There's no evidence to connect Smartlogic to this site, other than it belongs to a customer.. overall they seem to be a pretty clean outfit.

Visiting the top level of the h3x.info site (or the index.php page) reveals a very impressive bit of obfuscated scripting (a copy is here - h3x-info.zip - ZIP password is virus). There are some recognisable references to Outlook Express, Snapshot (probably MS08-041), Apple QuickTime (take your pick), plus an infected PDF (from hxxp:||h3x.info|cache|doc.pdf) variously identified as Exploit.HTML.Agent.AO [BitDefender] and Mal/JSShell-B [Sophos] (full VirusTotal report here) but otherwise detection rates are very poor.

Looking at the WHOIS history, it's quite possible that the h3x.info domain has been hijacked, so perhaps it will be cleaned up in the future. At the moment it does seem to be an interesting repository of malware if you're a researcher.

It was only active for a short while at about 1000 UTC (1100 BST, 1200 CET) on 23rd September before reverting to the same .ru domains that have been active for a few days.


Tuesday 23 September 2008

T-Mobile G1

It's kind of hard to tell if the T-Mobile G1 is the next big thing or just some sort of damp squib. It may not look as impressive as the iPhone on the top, but underneath the G1's Android operating system looks promising.

Oddly enough, it got me thinking about how I use my own phone.. and I tend to use web access more than anything else, but make only a couple of phone calls on it a week, sometimes I will listed to music or snap a photograph. I think I tried video calling once. So perhaps this G1 thingie is actually more in line with what a lot of sad geeky people like me actually want.

Anyway, this comes out in October in the US, November in the UK and early next year for other T-Mobile customers. Some more pictures are here.

Thursday 18 September 2008

Asprox: mnbenio.ru

mnbenio.ru is a new Asprox SQL injection domain that has been active in the past 24 hours, the following four domains are the most active:

  • mnbenio.ru
  • mnicbre.ru
  • pkseio.ru
  • vtg43.ru
It does seem that the SQL injection attacks are becoming less widespread, probably partly because SQL servers are being hardened, but some vulnerable SQL servers have remained untouched by the latest round of attacks. Possibly the SQL injection gangs are concentrating on bigger fish? Like the recent attack on BusinessWeek.com perhaps?

Wednesday 17 September 2008

Asprox: mnicbre.ru, pkseio.ru and vtg43.ru

The domains used in the Asprox SQL Injection attacks have been stable for a few days now, but yesterday some new .ru domains appeared: mnicbre.ru, pkseio.ru and vtg43.ru. The domains are registered through NAUNET again with the following registation details:

domain: MNICBRE.RU
type: CORPORATE
nserver: ns2.mnicbre.ru. 75.181.3.122
nserver: ns3.mnicbre.ru. 68.197.137.239
nserver: ns1.mnicbre.ru. 76.240.151.177
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 772 7727091
fax-no: +7 772 7727091
e-mail: retyi1111@yahoo.com
registrar: NAUNET-REG-RIPN
created: 2008.09.16
paid-till: 2009.09.16
source: TC-RIPN
The following domains have been active over the past 24 hours. Block these or check your logs for them (new ones are in bold):
  • 22net.ru
  • 64asp.ru
  • 92prt.ru
  • acr34.ru
  • asl39.ru
  • fst9.ru
  • mnicbre.ru
  • pkseio.ru
  • sel92.ru
  • vtg43.ru

Saturday 13 September 2008

Doug Stanhope

I first stumbled across US stand-up comic Doug Stanhope [link probably NSFW] some years ago and was in equal parts horrified and amused by his work. By chance, I found out that he was in the UK (at the Leicester Square Theatre) so Mrs Dynamoo and myself booked some tickets to go and see him live.

You have to understand that Stanhope is pretty much the definition of "edgy". He seems to have no taboos and no fear.. as long as he's had some beer. Understand that some of his topics include suicide, gynaecology, death, drug abuse, overpopulation, abortion and Sarah Palin. Sometimes combined (don't click if you are offended by.. well, offensive stuff).

Even people who aren't easily offended are likely to be offended by something he will say. But on the other hand, perhaps some of those observations on the human condition are more profound than you would think.

So, Stanhope was on form and really, really funny. And yes.. there were several times when I thought "no.. he can't be saying that!". I could go into details, but if you like this kind of thing then it would spoil the surprise... I think it's the first time I've ever had to watch a gig like this from between my fingers.

Anyway, Stanhope is in London and Manchester for most of September, and then back in the US doing a tour for October and November (itinerary here). Or you could purvey yourself one of his fine DVDs on Amazon.

Thursday 11 September 2008

Dating scams

Dating scams are usually a variant of the advanced fee fraud - some pretty girl (probably some ugly bloke in reality) sends you some random photos and explains that they want to move to your country and move in with you.. but can they have some money first? The basic operation of these scams is described here. To make it look more credible, sometimes fake dating sites are set up to give the whole thing an air of legitimacy.

This current batch of fake sites is being advertised with an email similar to the following:

i need you

i am Nice Girl good looking girl who is looking to chat with you.
e-mail me back at UcWkS@lam2you.com

i will reply back with some really nice pictures.

The domain lam2you.com has a corresponding web site on 79.135.167.51 calling itself "Online sexiest dating site". As it happens, there are a whole bunch of other domains on the same server, also describing themselves as "Online sexiest dating site", all best avoided.

  • Amnocx.com
  • Anandaperumal.com
  • Bardline.com
  • Benrd.com
  • Bestdre.info
  • Cardrealc.com
  • Centralrd.com
  • Cowarddean.com
  • Direktmal.com
  • Dracingsite.info
  • Dracingworld.info
  • Draic.info
  • Dreguide.info
  • Drkin.info
  • Drmarksite.info
  • Drmarkworld.info
  • Drseusssite.info
  • Equipyard.com
  • Evram.info
  • Ezelive.info
  • Ezrdhome.com
  • Firstlam.com
  • Fordhx.com
  • Frcis.info
  • Freegbl.info
  • Freeksite.info
  • Freeldp.info
  • Friguide.info
  • Frutis-basket.info
  • Gardevin.com
  • Gbbed.info
  • Gbizc.info
  • Gbladx.info
  • Gblhome.info
  • Gblwizard.info
  • Gbowrxx.info
  • Glocentral.info
  • Gloplanet.info
  • Gobobrom.com
  • Gocarthq.com
  • Gocartutah.com
  • Goldpug.info
  • Gosfordw.com
  • Greatrom.com
  • Guyvr.info
  • Hardjam.com
  • Hote2youx.info
  • Hyperlam.com
  • Imalonline.com
  • Justgbl.info
  • Justrd.com
  • Justvre.info
  • Ldphome.info
  • Ldpwizard.info
  • Lesdv.com
  • Lesjr.com
  • Letsgocart.com
  • Lgbidxx.info
  • Maldirekt.com
  • Malkostenlos.com
  • Malplatz.com
  • Malprojekt.com
  • Malwelt.com
  • Malzentrale.com
  • Mediagocart.com
  • Medmallist.com
  • Meinmal.com
  • Menziesmalvern.com
  • Moonboardm.com
  • Morerd.com
  • Mygbl.info
  • Nitgbx.info
  • Nvromx.info
  • Officialgbl.info
  • Officialldp.info
  • Officialrd.com
  • Oldpee.info
  • Onlinegbl.info
  • Ovrom.info
  • Pacanimal.com
  • Phillymedicalmal.com
  • Qualitaetmal.com
  • Razales.com
  • Rd2you.com
  • Rdnation.com
  • Rdplanet.com
  • Saravanaperumal.com
  • Searchesrom.com
  • Shemalglobal.com
  • Supergbl.info
  • Superldp.info
  • Superrd.com
  • Superromics.com
  • Tomalonline.com
  • Topeguidex.info
  • Virtualgbl.info
  • Virtualglo.info
  • Virtualldp.info
  • Virtuellmal.com
  • Vrehome.info
  • Warmalonline.com
  • Wildpin.info
  • Wirelesamerica.com
  • Wizardrd.com
  • Worldpivot.info
  • Worldplayservices.info
  • Yourfr.info
  • Yourgbl.info
  • Yourldp.info
  • Capvr.info
  • Davidre.info
  • Virtualvre.info
  • Vreproject.info
  • Vrewizard.info
One thing of note is that the name servers used here are ns1.droreal.com and ns2.droreal.com which appears to be a domain name used to support other dating scam sites.

Asprox: 22net.ru, 4net9.ru, 64asp.ru, 92prt.ru and fst9.ru

These are the domains active in the Asprox SQL Injection attack in the past 24 hours, new ones are in bold. Block these and/or check your logs for them.

  • 22net.ru
  • 4net9.ru
  • 51com.ru
  • 64asp.ru
  • 92prt.ru
  • acr34.ru
  • fst9.ru
  • sel92.ru

Wednesday 10 September 2008

SpamCop phish

Some people will phish for anything - in this case they are trying to get access to SpamCop accounts. Go figure. Reply to address is 2020sarah@live.com.




Subject: UPDATE YOUR ACCOUNT / SPAMCOP.NET
From: "Admin@spamcop.net"
Date: Wed, September 10, 2008 4:54 pm
Cc: recipient list not shown:;
Priority: Normal

This is a WebNews Email Account Update
Please see the bottom of this mailing on this information.
-----------------------------------------------------------
SPAMCOP.NET WEBMAIL
INTERNET SERVICE WEBSITE WISH TO INFORM YOU THAT WE HAVE
SOME PROBLEMS ABOUT EACH CUSTOMER ACCOUNT EMAIL. DUE TO
ERROR CODE 334409.

WE DISCOVERD THAT IN FEW DAYS FROM NOW EACH CUSTOMER WILL
NOT BE ABLE TO ACCESS HIS OR HER EMAIL ACCOUNT. IN THAT
REGARD,YOU ARE REQUIRED TO SEND YOUR EMAIL ADDRESS AND
PASSWORD FOR A NEW ACCOUNT UPDATE.

YOU ARE ADVISED TO IMMEDIATELY SEND US THE REQUIRED
INFORMATION SO AS TO ENABLE US IMMEDIATELY UPDATE YOUR
ACCOUNT.

Note:You have to understand that the reason why we are not
sending this message from our own private account.This is
due to some technical problem we are having right now.

BELOW THE INFORMATION RQRUIRED FOR ACCOUT UPDATE

1)Full Email Address:
2)password:
3)date of birth:

Thanks for your understanding.

SPAMCOP.NET WEBMAIL INTERNET SERVICE


PestPatrol: SillyDl FFL in wuauclt.exe

It looks like CA PestPatrol might have a false positive, detecting SillyDl FFL in C:\windows\system32\wuauclt.exe. This is a component of Windows Update, and in the case of the false positive it is a 124,184 byte file with an internal version number of 5.8.0.2469.

PestPatrol does not appear to be trying to delete the file, it is merely blocking access to it. Updating your Windows Update components should clear the problem. CA usually fix these false positives in a day or so.

The current signature version is 2008.9.9.15. Note that the PestPatrol engine is used in some other products, not all of which have the CA name on them.

Asprox: net83.ru, acr34.ru, asl39.ru and net83.ru

Another bunch of very fresh Asprox domains being used in the Asprox SQL Injection attack, registered at Naunet to email address retyi111@yahoo.com. Check your logs or block access to these sites.

  • 51com.ru
  • acr34.ru
  • asl39.ru
  • net83.ru

Tuesday 9 September 2008

SQL Injection: ave2.cn / %61%76%65%32%2E%63%6E

This SQL Injection attack seems to be aimed at Chinese language sites. The code injected points to http://%61%76%65%32%2E%63%6E which is trivially encoded and is a reference to ave2.cn hosted on 219.129.239.251.

ave2.cn then calls asp-18.cn, asp-12.cn and www.hxg006.cn (all hosted on 219.129.239.251).

Between them, these sites carry a VERY wide variety of exploits, including MS06-014, GLIEDown (for the Baofeng Storm StormPlayer), MS snpvw.Snapshot viewer (Outlook Express), DPClient.Vod (Xunlei Thunder DapPlayer), Flash Player and RealPlayer. There are possibly other exploits mixed in, so I would regard ave2.cn as being VERY dangerous.

Robtex reports the following domains on 219.129.239.251, all of which are probably worth avoiding:

  • hs7yue.cn
  • hxg008.cn
  • jzm015.cn
  • doups.cn
  • hxg008.cn
  • jzm013.cn
  • jzm014.cn
  • jzm015.cn
  • qingfeng01.cn

Monday 8 September 2008

Asprox: 64do.com

Possibly the final Asprox domain on the day in 64do.com - add this to your block or scan list.

Asprox: "aspx" domains

Keep an eye out for these following Asprox domains, all recently registered to the email address druid00091@aol.com. Block them or scan your logs for them.

  • 24aspx.com
  • 2aspx.net
  • 6aspx.com
  • 9aspx.net
  • aspx46.com
These domains follow the same pattern as this one and this one.

Asprox: 19ssl.net

Another "druid00091@aol.com" domain (following on from this one and this one) , this type 19ssl.net, which is being actively used as part of the SQL injection attacks. The top level of this domain also has a copy of the (presumably legitimate) nescodirect.com site (this behavious is noted elsewhere).

Domain name: 19ssl.net

Registrant Contact:
City22 llc
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Administrative Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Technical Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Billing Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

DNS:
ns1.19ssl.net
ns2.19ssl.net
ns3.19ssl.net

Asprox: 24aspx.com

The latest domain name used in the recent Asprox SQL Injection attacks appears to be 24aspx.com. Perhaps the Asprox guys are boasting a little with the domain name? Certainly these SQL injection attacks still seem to serve a useful purpose for them, although the number of vulnerable servers keeps dropping. Anyway, block this one or check your logs for it.

The email addressed used to register this domain is identical to the one used for the "Luksus Jobs" scam email. No big news here, the Asprox botnet is used for a wide variety of things, it's just odd to see druid00091@aol.com come up twice in such a short period.

It's also notable that they've switched back to .com from .ru, but this time registered through Chinese registrar BIZCN.COM.


Domain name: 24aspx.com

Registrant Contact:
City22 llc
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Administrative Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Technical Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Billing Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

DNS:
ns1.24aspx.com
ns2.24aspx.com
ns3.24aspx.com

Created: 2008-09-06
Expires: 2009-09-06

"Job Opportunity at Luksus" / luksus-jobs.org scam

Luksus Media is a wholly legitimate Finnish company, but this attempt to recruit a money mule does not come from Luksus, just from a company trying to trade on its name.

This scam is being run by the same people behind the Asprox SQL injection attacks that have been doing to rounds (more information after the email).




Subject: Job Opportunity at Luksus

We have reviewed your resume and would like to introduce you to our
current vacancy.
Luksus, with headquarters in Helsinki, Finland, serves the luxury
lifestyle and offers unparalleled access to the finest luxury
goods. We offer a unique mix of brands, partnerships, and product
expertise. We are currently hiring, work at home positions, to
provide administrative assistance with sales in North America.
Candidates for the job should possess excellent organizational
skills as well as the ability to efficiently multi-task. Ideal
candidates have a strong focus on day-to-day operational
excellence. The candidate should be motivated, proactive, be able
to learn and adapt quickly.

Other duties include, but are not limited to:

* Incorporating effective priorities for the virtual office function
* Administer day-to-day financial responsibilities for clients
* Reporting online daily
* Preparing brief summary reports, and weekly financial reports

Salary part-time (3 hours per day, Monday-Friday): $1,200/month,
plus commission.

If you are interested in this position please send us an email to
Sandra.Collins@luksus-jobs.org expressing your interest and we will
forward you the detailed job description and the working agreement.

Thank You,
Luksus Team



Normally, WHOIS data is pretty useless, but sometimes the email address can give a clue:

Domain ID: D153950800-LROR
Domain Name: LUKSUS-JOBS.ORG
Created On: 28-Aug-2008 11: 34: 57 UTC
Last Updated On: 28-Aug-2008 14: 23: 25 UTC
Expiration Date: 28-Aug-2009 11: 34: 57 UTC
Sponsoring Registrar: Bizcn.com, Inc. (R1248-LROR)
Status: CLIENT TRANSFER PROHIBITED
Status: TRANSFER PROHIBITED
Registrant ID: orgfm19923291709
Registrant Name: Fero Muia
Registrant Organization: Fero Muia
Registrant Street1: 3213 po box
Registrant Street2:
Registrant Street3:
Registrant City: New York
Registrant State/Province: NY
Registrant Postal Code: 12310
Registrant Country: US
Registrant Phone: +1.9917721121
Registrant Phone Ext.:
Registrant FAX: +1.9917721121
Registrant FAX Ext.:
Registrant Email: druid00091@aol.com
Admin ID: orgfm19923292728
Admin Name: Fero Muia
Admin Organization: Fero Muia
Admin Street1: 3213 po box
Admin Street2:
Admin Street3:
Admin City: New York
Admin State/Province: NY
Admin Postal Code: 12310
Admin Country: US
Admin Phone: +1.9917721121
Admin Phone Ext.:
Admin FAX: +1.9917721121
Admin FAX Ext.:
Admin Email: druid00091@aol.com
Tech ID: orgfm19923293349
Tech Name: Fero Muia
Tech Organization: Fero Muia
Tech Street1: 3213 po box
Tech Street2:
Tech Street3:
Tech City: New York
Tech State/Province: NY
Tech Postal Code: 12310
Tech Country: US
Tech Phone: +1.9917721121
Tech Phone Ext.:
Tech FAX: +1.9917721121
Tech FAX Ext.:
Tech Email: druid00091@aol.com
Name Server: NS1.RELEASEBPB.COM
Name Server: NS2.RELEASEBPB.COM


druid00091@aol.com is an address being used to register today's latest SQL injection domains too, proving that they are linked. releasebpb.com is a set of name servers which are only associated with malware domains, ns1.releasebpb.com is on 194.150.120.47 on ns2.releasebpb.com is on 20.31.85.15.

This type of fraud doesn't use a website to entice people, but it is looking for an email response. In this case, email is delivered to mx.luksus-jobs.org on 12.192.82.225 which is on the AT&T network.

It's hard to tell which of these IPs are part of the Asprox botnet and which ones are rented (usually with fake credit card details). Nonetheless, it gives a glimpse into just how large and efficient these operations can be.

Thursday 4 September 2008

CNOOC (www.cnooc.com.cn) scam

CNOOC (www.cnooc.com.cn) are a legitimate oil exploration and petrochemicals firm in China. The following job offer is a money mule scam, NOT from CNOOC but from someone pretending to be them. Don't be tempted.





CNOOC Oil Base Group Ltd.
Address:6 Dongzhimenwai Xiaojie,
Dongcheng District, Beijing, China 100027
Telephone:010-8452101, 010-8453198
Fax:010-6460250
EMail:cnooccorporation@yahoo.com.hk
Website:www.cnooc.com.cn


Good Day,

JOB OPPORTUNITY


We are exporters base in China , we deal on Oilexploitation, technical
service, chemicals, fertilizar production, refining,natural gas, power
generation,financial services, logistic services and new energies
development. Visit our corporate website: www.cnooc.com.cn


We have costumers in Asia, Europe, America , Australia , Canada and
Africa.

Our company (CNOOC) was established in 1982. We are interested in
employing
company services, to work with us as our payment agent our north America
customers will make payment to you on our behalf for goods and raw
materials we supplied to our customers in North America.

If your company is interested in working with us,we will be
very glad, Subject to your satisfaction, your company reward of
working with us as a Payment Officer is 5% of any Payment
your company receive from our costumers.

Most payment ranges from $300,000.00 to $3.3 Million US Dollars
Please if you are interested forward the following info to us:

1. Your Full Name:
2. Payment should be made to: Company?s Name:
3. Your Full Contact Address:
4. Phone/Fax Number:
5. Occupation:


Thanks for your corporations.


Yours Sincerely,


Mr. Wu Mengfei
Chief Financial Officer.



Asprox: jic2.ru

Another new addition to the list of Asprox domains is jic2.ru, again registered via Naunet, so block this or check your logs for access. Again, searching your logs for ".ru/script.js"will help locate suspect activity.

Wednesday 3 September 2008

"Bangui" malware domains

A whole set of domains distributing malware, currently based on 206.53.51.119 and allegedly registered to someone in Bangui (although most likely it is the RBN again). These domains are being used in blog spam and also what appears to be PHP and ASP injection attacks.

Unlike some injection attacks, the pages carry some scraped text that's relevant to the URL. Combine this with the inbound links created through spam and injection attacks and you have a very black hat SEO campaign. Yahoo! seems to be more prone to this type of SEO than Google.

The pages on these domains use a javascript redirector (menu.js) to end up at a set of fake video and rogue anti-malware sites that install all sorts of nasty things.. again, these endpoints have the hallmark of the RBN.

  • Afwwwf.info
  • Apostit.info
  • Bcuioc.info
  • Bglkhg.org
  • Bihuru.org
  • Biiwhw.info
  • Bikgfjr.info
  • Bioblor.info
  • Bioqw.info
  • Biowfr.info
  • Bkjksl.org
  • Bkssdoue.info
  • Bloiw.org
  • Bocaca.org
  • Cascaa.info
  • Cbasoa.info
  • Cbr1000rrxx.info
  • Csccons.org
  • Cskaa.org
  • Eomnb.info
  • Fasca.info
  • Fasfw555.info
  • Fasw.org
  • Fbkshk.org
  • Fdsaa.org
  • Firstnax.org
  • Fjkjfjoi.info
  • Fjwiojnc.info
  • Flsab.info
  • Foeww.org
  • Foxrat.info
  • Fsaff.org
  • Fsafvn.info
  • Fsancao.info
  • Fsanp.org
  • Fsaqq.info
  • Fsaw.org
  • Fsfa22rr.info
  • Fsfkg.info
  • Fsfworg
  • Fsgkle.org
  • Fsjklhg.info
  • Fskjhgkb.info
  • Fullmediabase.net
  • Fwe75r4fyf65.cn
  • Fwfds.org
  • Fwfisow.org
  • Fwjijc.org
  • Fwoijwh.org
  • Gcoigkm.org
  • Gewop.info
  • Gjgkgjhew.org
  • Golodnijya.org
  • Gucwd.org
  • Hellodolly5k.net
  • Hellodomy5k.net
  • Hhkjj.org
  • Hkljccc.info
  • Hodnejgreat.info
  • Hofhwbc.info
  • Hohotv.org
  • Homosapien5k.net
  • Hrr553.info
  • Hudinarjiii.cn
  • Itgfbn.org
  • Jfldsh.org
  • Jflhg.info
  • Jlbyuo.org
  • Jnbq.info
  • Jowely.org
  • Jplhnh.info
  • Juiok.org
  • Jumpsert.org
  • Jwionw.info
  • Kiwedox.org
  • Kjhiofw.org
  • Kjhlfsh.org
  • Knwponc.org
  • Madnes.info
  • Mazafaker.com
  • Mfpwjmc.org
  • Mkmcsss.org
  • Mpfwmcs.org
  • Mpkcmzz.org
  • Mpmccz.org
  • Mybestz5k.net
  • Nado1000traffa.info
  • Nfeow.org
  • Nfwojw.org
  • Nfwon.org
  • Nhphpkj.info
  • Nifa422.info
  • Njpaw.info
  • Nosdsh.org
  • Pokoder.org
  • Sonvfs.org
  • Werbin.org
  • Wfwcn.org
  • Wn59whgp3w.cn
  • Workfox.info
  • Yzfr1yamahad.info

Tuesday 2 September 2008

Asprox: 2b24.ru

These domains seem to be today's current Asprox SQL Injection domains - check for them in your logs or block them. 2b24.ru seems to be new, the rest have been around for a few days. The exploit is still using a script called script.js to run.

  • 2b24.ru
  • cg33.ru
  • cv2e.ru
  • cv32.ru
  • mc2n.ru
  • mj5f.ru
  • oc32.ru
  • vwsc.ru

Monday 1 September 2008

"WorldWide Offshore Integrated Systems Inc"

Another money mule scam, this time claiming to be from "WorldWide Offshore Integrated Systems Inc" of New York, a company that does not exist according to the New York Division of Corporations. Also, there are no Google matches for that search term... except that there will be since I've posted this. Oh, you can figure out what I mean.

Originating IP is 78.175.218.143 in Turkey. Also, I can't think of many "WorldWide " corporations that have to use Yahoo!'s free email service.




Subject: Looking for a job? Good chance for you!
Date: Mon, September 1, 2008 4:38 pm



Hello.

WorldWide Offshore Integrated Systems Inc. is a custom software development company
located in New York, USA.

We offer full cycle custom software programming services, from product idea,
offshore software development to outsourcing support and enhancement.
WorldWide Offshore Integrated Systems Inc. employs a large pool of software
engineers coming from different backgrounds.
We are able to balance product development efforts and project duration to your
business needs.

WorldWide Offshore Integrated Systems Inc. customer service department is currently
offering employment for residents
in order to provide it's new branch with qualified personnel.
The private client support desk is responsible for following up client enquiries,
helping the clients to understand how WorldWide Offshore Integrated Systems Inc. can
save them money on foreign
currency transactions, and developing new business through referrals.

First of all you need no prior experience, even though we are value
your current knowledge, but we will provide all necessary training when
you will join us.

If you're a customer service fanatic, and enjoy working in a challenging and
rewarding environment,
please see below for our current list of opportunities.

Requirements:

è Proficiency in MS Word, Excel & Internet
è Excellent communication skills both oral and written

- This work does not require any experience!
- This is a work at home

You will be paid USD 2500 per 2 weeks.

Should you have any questions regarding this letter,
our offer of employment or anything else, please write me an e-mail.
We are excited to have you join our organization and look forward to working with you.


If you are interested in our position reply to e-mail worldwide61@yahoo.com


Best regards,
Katrin Olley
Employment Manager


Asprox: cg33.ru, cv2e.ru, cv32.ru, mc2n.ru, oc32.ru and vwsc.ru

Another bunch of Asprox SQL injection domains to block or monitor for, all quite new:

  • cg33.ru
  • cv2e.ru
  • cv32.ru
  • mc2n.ru
  • oc32.ru
  • vwsc.ru
Alternatively, look for .ru/script.js in your logs which should pick up most of them.

Update: here's another one - mj5f.ru

Friday 29 August 2008

Atrivo / Intercage

Atrivo, Inc (also known as Intercage) and their main customer, Esthost (related to Estdomains) might well be a familiar name to people working in IT security. Atrivo is based is California and is run by one Emil Kacperski, so it has always surprised me that such a small operator should be a persistent host of malware.

Well, Atrivo's activities have not gone un-noticed by HostExploit.com who have produced a whitepaper and diagram and a YouTube video explaining how Atrivo's network is involved in a typical PC exploit.

Brian Krebs at the Washington Post has a comprehensive commentary. Note in particular the comments from "Emil K." at the bottom of the article. The RBN blog also has a comment here. Fascinating stuff.

Thursday 28 August 2008

Where a link turns into a lawsuit

I've seen some daft excesses in local politics in my time, but over Sheboygan, Wisconsin, things have taken a new twist... with a lawsuit over a link.

Jennifer Reisinger operates a website called Sheboygan Spirit which appears to be very critical of local officials and also a now defunct web design business called Brat City Web Design. She was also involved in a campaign to recall the elected mayor, which probably didn't endear her to some city officials.

Last year, the city filed a lawsuit against Ms Reisinger. Why? Because one of her sites carried a link to the Sheboygan Police Department (oops). First, the city sent a cease and desist asking her to remove it, and when she refused to do so they initiated a criminal investigation and legal proceedings.

Remember, this is just a link to the local police department. Not a link to illegal or confidential material. Of course, really the city didn't have a leg to stand on and in November 2007 decided not to pursue the case.

But Ms Reisinger wasn't finished, and a few days ago filed a counter-suit alleging loss of business and a violation of first amendment rights. It looks like it could be a significant case.. depending on the outcome.

There's more information in this item at the Milwaukee Journal Sentinel, and also here at the Citizen Media Law Project.

Wednesday 27 August 2008

"Bank of America Installation and Upgrade Warning."

The bad guys are busy today, here's another fake bank "upgrade" leading to malware, following on from this one.


Subject: Bank of America Installation and Upgrade Warning.
From: "Bank Of America Update Service Department"
Date: Wed, August 27, 2008 2:23 pm

Attention All Bank of America Customers.
Security & Fraud Protection Update.

At Bank of America, were committed to keeping your information confidential and
secure, and we take that responsibility very seriously.
Our Fraud detection solution helps to protect your business against the risk of
fraudulent transactions alerting you to potential risks.
We have developed the following protection tools to insure you confidentiality.

You can download the latest security pack from our Customer Service Department>>

Sincerely, Jodie William.
2008 Bank of America Corporation. All rights reserved.
This leads to a very convoluted URL with an executable Setup_BankofAmericaclientno4508832.exe - virus detection for this one is a bit poor. Malware is identified variously as TR/ATRAPS.Gen (AntiVir & WebWasher), DeepScan:Generic.Malware.dld!!.083539B0 (BitDefender) and one or two others come up with a generic detection.

Incidentally, the URLs used in both attacks are incredibly long and convoluted.. and not terribly convicincing.

Avoid these "bank certificates" at all costs.

Tilde.exe in C:\Windows\System32 folder


This isn't really about tilde.exe at all, but a file called C:\Windows\System32\~.exe that has a habit of showing up on laptops that have been playing up with frequent browser crashes.

~.exe is kind of an odd name for a file, and crucially it's an ungoogleable name, because Google uses the tilde mark for its Synonym Search function.

Probing more deeply at the file shows that is is 34,616 bytes in size and is described internally as "Microsoft® Remote Std I/O Shell". The version information gives the following details:

  • Company: Microsoft Corporation
  • File Version: 6.0.6001.16470 (fbl_tools(patst).070215-1229)
  • Internal name: remote.exe
  • Language: Language Neutral
  • Original File name: remote.exe
  • Product Name: Microsoft® Windows® Operating System
  • Product Version: 6.0.6001.16470
The icon is identical to the remote.exe sometimes supplied with various Microsoft debugging or support tools. Indeed, it does seem to be just another version of remote.exe which is a component of Microsoft's SMS server.

The ~.exe file may also be accompanied by a couple of strange-looking .dat files, for example __c0084F92.dat or __c00E460A.dat which on closer examination are actually executables.

It does genuinely seem to be a bit of Microsoft software, but in this case it would appear to be acting as a trojan downloader. The .dat files are lilely to be the second stage of the infection, and this could well be related to all the fake anti-virus products that have been promoted recently.

~.exe is detected variously as Trojan-Downloader.Win32.Agent.abnd, Win32/TrojanDownloader.Agent.ABND or Trojan:Win32/Vundo.gen!V (VirusTotal results here). The .dat file shows up variously as Trojan-Downloader:W32/FakeAlert.AN, TROJ_TIBS.CKN, Tibs.gen222, not-a-virus:AdWare.Win32.Agent.ekj (VirusTotal results here and here).

Removal: delete the ~.exe file and any unusual looking .dat files that match the above pattern. If the trojan is active, then one of the .dat files will be locked. The F-Secure Online Scanner seems to be able to safely remove this trojan, although a reboot will be required.

This is the first time that I have seen a Microsoft SMS component used in this way. Presumably it attempts to connect up to a back-end server that I have not yet been able to identify. It may well be that a corporate firewall would block such behaviour.

Tuesday 26 August 2008

"Colonial Bank Emergency Alert System"

Emergency alert system? Nope, malware download more likely.

Subject: Colonial Bank Emergency Alert System.
From: "Colonial Bank Account Support"
Date: Tue, August 26, 2008 8:35 pm

Dear Colonial Bank Customers. Protect your passwords!

- Never write down your passwords.
- Never share passwords with anyone.
- Change your password every few months.
- Change your password if you think it has been compromised.

For a password to be strong and hard to break, it should be at least nine characters
long, contain characters from each of the following three groups: letters (uppercase
and lowercase), numerals, symbols (all characters not defined as letters or
numerals), not contain your name or user name and not be a common word or name.
Be sure your computer is up-to-date with security patches, anti-virus, and
anti-spyware protection.
Download our latest all-in-one Internet software from our Customer Service
Department to make your online life completely secured.

Press here to Start>>

Sincerely, Parker Wheeler.
2003-2008 Colonial bank Support Team
VirusTotal detections are a mixed bag:

File ColonialDigicertx_509.exe received on 08.26.2008 23:52:05 (CET)
AntivirusVersionLast UpdateResult
AhnLab-V32008.8.21.02008.08.26-
AntiVir7.8.1.232008.08.26HEUR/Crypted
Authentium5.1.0.42008.08.26-
Avast4.8.1195.02008.08.26-
AVG8.0.0.1612008.08.26-
BitDefender7.22008.08.26DeepScan:Generic.
Malware.dld!!.6B08AD0D
CAT-QuickHeal9.502008.08.26(Suspicious) - DNAScan
ClamAV0.93.12008.08.26PUA.Packed.MEW-1
DrWeb4.44.0.091702008.08.26-
eSafe7.0.17.02008.08.26Win32.Stration
eTrust-Vet31.6.60502008.08.26-
Ewido4.02008.08.26-
F-Prot4.4.4.562008.08.26-
F-Secure7.60.13501.02008.08.26Suspicious:W32/Malware!Gemini
Fortinet3.14.0.02008.08.26-
GData192008.08.26-
IkarusT3.1.1.34.02008.08.26Trojan-Proxy.Win32.Small.DT
K7AntiVirus7.10.4282008.08.25-
Kaspersky7.0.0.1252008.08.26-
McAfee53702008.08.26-
Microsoft1.38072008.08.25PWS:Win32/Uloadis.A
NOD32v233902008.08.26-
Norman5.80.022008.08.26W32/Suspicious_M.gen2
Panda9.0.0.42008.08.26-
PCTools4.4.2.02008.08.26Packed/MEW
Prevx1V22008.08.26-
Rising20.59.11.002008.08.26-
Sophos4.32.02008.08.26Mal/EncPk-BA
Sunbelt3.1.1582.12008.08.26VIPRE.Suspicious
Symantec102008.08.26-
TheHacker6.3.0.6.0602008.08.23W32/Behav-Heuristic-066
TrendMicro8.700.0.10042008.08.26Cryp_MEW-11
VBA323.12.8.42008.08.26-
ViRobot2008.8.26.13502008.08.26-
VirusBuster4.5.11.02008.08.26Packed/MEW

Asprox: beyry.ru, iopoe.ru, jetp6.ru, nucop.ru, port04.ru and vj64.ru

There's been a slight shift in the characteristics of the current Asprox attack. The javascript called is now script.js rather than ngg.js or js.js, and this goes to a redirect script currently pointing at /cgi-bin/index.cgi?lle on the local domain.

Active domains in this new attack seem to be as follows, new ones are in bold.
  • beyry.ru
  • cb3f.ru
  • cnld.ru
  • iopc4.ru
  • iopoe.ru
  • jetp6.ru
  • loopk.ru
  • netr2.ru
  • okcd.ru
  • nucop.ru
  • port04.ru
  • ueur3.ru
  • vj64.ru
Check your logs or block these domains. Most business outside of Russia and neighbouring countries could probably block the entire .ru TLD with minimal impact. Look also for the CGI sript (/cgi-bin/index.cgi?lle) to find potentially infected client PCs.

Friday 22 August 2008

Asprox: iopc4.ru, jetp6.ru, loopk.ru, netr2.ru and ueur3.ru

The domains used is the Asprox SQL injection attack have been stable for most of the past week, but over the last 24 hours some ne wdomains have been registed, so check your logs and/or block the following:

  • iopc4.ru
  • jetp6.ru
  • loopk.ru
  • netr2.ru
  • ueur3.ru

It is likely that some more will turn up during the course of the day.

Friday 15 August 2008

Another SQL injection domain: mo98g.cn

I mentioned some days ago that there seems to be a parallel SQL injection attack to Asprox with all the hallmarks of being Chinese. Over the past day or so, mo98g.cn has appeared on some infected sites (often alongside Asprox) making a call to mo98g.cn/q.js which is hosted on 222.122.128.5 in South Korea.

The back end seems not to be working at present, so maybe the server has been cleaned up. In any case, this is another domain to block or check your logs for.

Asprox: ujnc.ru

Just a single new Asprox domain to list this morning: ujnc.ru which is still using the js.js redirector, i.e. www.ujnc.ru/js.js. All the domains from the past two days are still active too.

Thursday 14 August 2008

Asprox: 3njx.ru, cb3f.ru, cnld.ru, nbh3.ru and okcd.ru

Some more Asprox domains to block or look for in your logs:

  • 3njx.ru
  • cb3f.ru
  • cnld.ru
  • nbh3.ru
  • okcd.ru

Renewed Asprox activity: bcus2.ru, jkn3.ru, juc8.ru and locm.ru

After a quiet few days, Asprox seems to have flared up again (at about 1000 CET) with a new set of malware domains, still launching from a SQL injected js.js file on compromised hosts. Keep an eye out for these domains or block them.

These domains are all very recently registered through naunet.ru, there are probably many more on the way soon.

  • bcus2.ru
  • jkn3.ru
  • juc8.ru
  • locm.ru

Tuesday 12 August 2008

All quiet on the Asprox front?

For the moment the Asprox SQL injection attacks seem to have stopped, although infected sites are still infected and need to be secured as soon as possible.

So, does this mean that the bad guys have given up? Well, no.. but there are probably thousands of sites out there which are still infected, so from that point of view they will still be getting "hits" to their malware sites.

Perhaps the answer is this - the people behind the SQL injection attacks are doing something else. Two very newsworthy events happening over the past few days have been the war in Georgia and the Beijing Olympics. Dancho Danchev reports that the RBN have been actively involved in attacking Georgian sites, including using SQL injection attacks. F-Secure report that Chinese sites have been attacked since the run-up to the Olympics started.

It might well be that these Asprox attacks will be quiet for a couple of weeks, but it is likely that general SQL injection attacks will ramp up again soon.

Sunday 10 August 2008

Spammers are still stupid

Another case where a spammer is too stupid to use the spamming tool they have just bought.

Subject: hey
From: "hvgoxscw"
Date: Sun, August 10, 2008 7:59 pm

You have 2 options here,
Option 1 - You can put ANY text you want in here.

Option 2 - We will fill it in with the text only portion of the
html message if you put the macro for you: [url removed]
in here.

NOTE: Some email clients don't disply html data. In that case what you
put here will be seen by the recipient. If the email client does

display html data then this will NOT be seen by the recipient.
Based on this you may wish to put a text version of your add here;
however, you can also put some macros here to make the message
more random.

Or use Option 3 and don't add anything at all. Idiot.

Saturday 9 August 2008

"Hey, take a look!!" / "Yahoo Daily News"

Looks like another variant of the Storm Worm /Zapchast doing the rounds:

Subject: Hey, take a look!!
From: "Yahoo Daily News"

Hello friend !
You have just received a yahoo messenger ultimate version !!


Click Download Now to begin downloading and installing Yahoo Messenger ultimate version 10 ver 10.1



1. Download Now Click Download Now to begin downloading and installing Yahoo! Messenger ultimate version 10.
ver. 10.1
2. When prompted, please click the Run button in each window that appears.

Other versions: XP (9.0 Beta), Vista, Mac, Web, Mobile

Thank you for using our services !!!
Please take this opportunity to let your friends use about this new software by sending them the source.

Copyright © 2008 Yahoo! Inc. All rights reserved. Copyright/IP Policy | Terms of Service |Guide to Online Security

Relevant advertising creates a better web experience. See how

NOTICE: We collect personal information on this site.

To learn more about how we use your information, see our Privacy Policy
In this case the target file to download is msgr8.5us.exe, VirusTotal detection is pretty good.

Expect to see a LOT of these over the next few days, either themed for the Olympics or the war in South Ossetia. Although the subject will always change, a crash course in user education can help to mitigate the risk.

ISC: "More SQL Injections - very active right now"

The Internet Storm Center has published technical details on the Chinese-based SQL injection attack which may be of interest to SQL administrators and programmers and also security specialists. It also flags up another javascript file to look for: csrss/w.js

Keep an eye out for log activity pointing to this file. Blocking the entire .cn TLD will probably do very little harm for most businesses.

Asprox: block 91.203.93.4 and js.js

A shift in behaviour from the Asprox botnet - this time all traffic from infected sites is being redirected through a fixed IP at 91.203.93.4. Blocking 91.203.93.0/24 will probably do no harm.

Also, the name of the javascript file has changed to js.js, so look for this in your logs.

The Silent Noise blog is tracking Asprox domains too, with some interesting developments that we haven't had the chance to dig deeper into.

Tuesday 5 August 2008

Asprox domains: 5/8/08

Current Asprox domains to look for in your blogs or block. These have all been active for 3 or 4 days now, which is an unusually long time for this current SQL injection attack.

  • 8hcs.ru
  • 98hs.ru
  • bgsr.ru
  • bywd.ru
  • ibse.ru
  • ncbw.ru
  • nwj4.ru
  • ojns.ru
  • porv.ru
  • uhwc.ru

Saturday 2 August 2008

Asprox domains: 2/8/07

These are the currently active Asprox domains to check for. They are all very recently registrations.

  • 8hcs.ru
  • 98hs.ru
  • bgsr.ru
  • bywd.ru
  • ibse.ru
  • ncbw.ru
  • nwj4.ru
  • ojns.ru
  • porv.ru
  • uhwc.ru

Friday 1 August 2008

Fake "Correspondence manager" job

Money mule scams are now very common - basically some poor fool ends up laundering money or reshipping goods following the instructions of someone they have never met and is likely to be untraceable.

This particular job offer seems to go a step further. This "correspondence manager" could well be another layer in the scammer's obfuscation. Perhaps the correspondence manager handles communications with the money mules?

One danger here is that this particular role is more credible that the "money for nothing" jobs that scammers usually offer. On the face of it, it doesn't involve handling money, but it does seem to be very easy and the salary looks attractive.

There's an interesting bit of social engineering where the email says "THE SELECTED CANDIDATE MUST PASS A CRIMINAL BACKGROUND CHECK". Of course, it is the employer who needs to pass a background check too. Always verify that your job offers are from a genuine, verifiable business.




Subject: Re: WELL - PAID JOB!
From: ls51@salud.gov.pr
Date: Fri, August 1, 2008 11:52 am

Dear, Job Seeker!

Our firm has an opening vacancy: Correspondence manager.

Please attach your resume in DOC or reach text format and apply right now. This
position is limited.



Company Name
Global Logistic


Job Category
Correspondence


Location
United States


Position Type
Part-Time/Home Based


Salary
$ 35,000 - $ 50,000


Experience
1+


Desired Education Level
High School or Equivalent


Date Posted
March 17, 2008



Job Summary:
You will make some basic tasks from your manager daily; manage personal assets;
making simple correspondence operations. You don't need to have any kind of
education or experience. We will make online training for position offered. You
will have more information in job description document. Apply now.
Requirements: US citizenship or US permanent residency

High school or College in relevant field or 1+ years experience in management;
basic computer, good verbal and grammar skills; must have a cellular phone for
urgent tasks; must be able to work part-time; must provide resume for
qualification process.

ALL RESUMES WILL BE CONFIRMED AND VERIFIED. THE SELECTED CANDIDATE MUST PASS A
CRIMINAL BACKGROUND CHECK
If you're interested send your full name, phone number, age and RESUME
mailto:NannieHolderCE@gmail.com and I'll redirect it to our HR department.


Beware of unsolicited loan offers

Loan scams are a another variant of the advanced fee fraud scam (e.g. fake lotteries, dead dictator's fortunes etc). These seem to be more popular recently due to the "credit crunch". Fundamentally the approach is the same as any other advanced fee fraud: you apply for the loan only to discover that there is a fee payable up front. Of course, no legitimate lender would ask for an up front fee for a loan.

Although the wording for this particular example sounds like it is from Nigeria, the IP address is from the Hathway network in Bangalore. Oddly from "from" address is Hathway too.

Subject: LOAN OFFER
From: ramanks@hathway.com
Date: Thu, July 31, 2008 8:14 pm
Priority: Normal


Dear Customer
We are corporate lenders. we give out loans to
A very honest and reliable personalities. we give
out our loans at low interest rate and moderate
values as cheap as 3% rate. Because of scam
we tender our qualifications if it satisfies, you
can continue with the transaction, but if you are
not satisfied you can go to another lender.
Channel your response to this email.
thomassteve2@gmail.com
Greatest Regards
Marketing Manager
Mr Thomas Steve.
Although this particular one is pretty laughable, it is likely that the scammers will get better at it. Beware of unsolicited loan offers and remember that all fees and interest will come out of your repayments, not from an up front fee.

Wednesday 30 July 2008

PestPatrol: Zuten detected in c:\windows\minidump

This one looks like a false positive.. CA PestPatrol with signature version 2008.7.29.15 seems to be detecting Zuten in the c:\windows\minidump folder.

A close examination of the description indicates that the following files may be being misdetected:

%windows%\minidump\mini072908-01.dmp
%windows%\minidump\mini072908-02.dmp
As you can see, yesterday's date in encoded into the .dmp files. If your computer system has generated a .dmp file in the past day, then PestPatrol may well be mis-detecting it.

Tuesday 29 July 2008

The SQL Injection war

Dancho Danchev had has some very good writeups on the current round of SQL injection attacks. This post on copycat attacks caught my eye, because it shows that there's more than one crew at work here.

If anything, this situation is likely to get worse. The tools needed to carry out a SQL injection attack are now almost available off-the-shelf, the attacks are obviously financially successful because they have been ongoing now for some months, and enumeration of vulnerable servers can be done through Google or Yahoo if you don't want to bother crawling the web.

Identifying and blocking domains helps, but it isn't a real solution. Most of these attacks are thwarted by a fully patch client (and I do mean all the software on the client, the Secunia Software Inspector can help here or some other decent audit tool). Using Firefox + NoScript is a good idea for the technically savvy. But ultimately, the best way of fighting this is to secure or shut down infected SQL servers. Don't be afraid to use the abuse@ email address where a web site is posing a continuing threat.

Asprox domains: 29/7/08

These are this morning's active Asprox domains. New ones are in bold.

  • b4so.ru
  • bce8.ru
  • bjxt.ru
  • bnsr.ru
  • bosf.ru
  • bsko.ru
  • ch35.ru
  • gty5.ru
  • iroe.ru
  • jve4.ru
  • kj5s.ru
  • kjwd.ru
  • kpo3.ru
  • kr92.ru
  • ncb2.ru
  • ncwc.ru
  • nemr.ru
  • njep.ru
  • nmr43.ru
  • oics.ru
  • pfd2.ru
  • po4c.ru

Monday 28 July 2008

Asprox domains: 28/7/08

These seem to be the current Asprox domains to block or check for. New ones are in bold.

  • bs04.ru
  • bce8.ru
  • bjxt.ru
  • bnsr.ru
  • bosf.ru
  • bsko.ru
  • ch35.ru
  • iroe.ru
  • jve4.ru
  • kjwd.ru
  • kodj.ru
  • kpo3.ru
  • kr92.ru
  • ncb2.ru
  • ncwc.ru
  • nemr.ru
  • nmr43.ru
  • oics.ru
  • pfd2.ru
  • po4c.ru
ngg.js still seems to be the name of the javascript file injected into compromised hosts.

Friday 25 July 2008

Asprox domains: 25/7/08

These domains seem to be active today, new ones in bold.

  • bce8.ru
  • ch35.ru
  • iroe.ru
  • jve4.ru
  • kjwd.ru
  • kodj.ru
  • kpo3.ru
  • kr92.ru
  • ncwc.ru
  • nemr.ru
  • nmr43.ru
  • pfd2.ru
  • po4c.ru
One oddity - the URL zvz.cc/forums/8L0/join.upq has been spotted as a redirector for these Javascript exploits. Google list zvz.cc that as a malware infected site, it is hard to tell though if this is just another victim or part of the C&C for the botnet. For the record, these are the WHOIS details.. but they might not mean very much.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: ZVZ.CC

Registrant:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Creation Date: 09-Apr-2008
Expiration Date: 09-Apr-2009

Domain servers in listed order:
ns2.zvz.cc
ns1.zvz.cc

Administrative Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Technical Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Billing Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Status:ACTIVE