Sponsored by..

Monday, 29 December 2008

SQL injection: msngk6.ru, dft6s.kz and mcuve.cn

A new bunch of domains being used in SQL injection attacks at the moment:
  • www.msngk6.ru
  • www.dft6s.kz
These are calling a script called style.js and follow on from these, most likely the work of the Asprox gang. The registration details are probably fake, but for the record are:

domain: MSNGK6.RU
type: CORPORATE
nserver: ns2.msngk6.ru. 75.63.155.106
nserver: ns3.msngk6.ru. 146.57.249.100
nserver: ns1.msngk6.ru. 76.240.151.177
nserver: ns4.msngk6.ru. 24.247.215.75
state: REGISTERED, DELEGATED
person: Aleksandr A Zamaraev
phone: +7 495 7412992
e-mail: zamaraev@namebanana.net
registrar: NAUNET-REG-RIPN
created: 2008.12.17
paid-till: 2009.12.17
source: TC-RIPN
The domain mcuve.cn is different, calling 1.js. This is related to the recent 17gamo.com domain which exploits a number of things including this recent IE7 vulnerability.

Check your proxy logs for .cn/1.js and .ru/style.js plus .kz/style.js to keep on top of these. It is often worth monitoring all traffic to .cn, .ru and .kz domains for manual review.

Monday, 22 December 2008

Asprox SQL injections are back

The Silent Noise blog reports that a fresh round of SQL injection attacks by the Asprox crew are under way. They seem to be using a variety of .ru and .kz domain names, although at the moment they all redirect to 79.135.168.18 in the Lebanon.. the whole 79.135.168.* block is pretty bad and has been covered here before.

inetnum: 79.135.168.0 - 79.135.168.255
netname: LB-NET
descr: Lebanon private dedicated service
country: LB
admin-c: MHB1111-RIPE
tech-c: MHB1111-RIPE
remarks: abuse mailbox: moh.b@lubnannetworks.biz
status: ASSIGNED PA
mnt-by: SISTEM-NET-MNT
source: RIPE # Filtered

person: Mohamed Baga
address: Basha Garden bldg, 5th floor LB
address: Jisr El Bacha Main Road
address: Beirut - Lebanon
e-mail: moh.b@lubnannetworks.biz
remarks: abuse mailbox: moh.b@lubnannetworks.biz
phone: +961 1 512341
nic-hdl: MHB1111-RIPE
source: RIPE # Filtered

route: 79.135.160.0/19
descr: Sistemnet Telecom
origin: AS44097
mnt-by: Sistem-Net-MNT
source: RIPE # Filtered
The endpoint appears to be a PDF exploit running on 79.135.168.18 - it's worth blocking or checking for anyaccess to this server, and also check your logs for accesses to ".kz/style.js" and ".ru/style.js" too.

Currently active domains are:
  • www.bnmd.kz
  • www.nvepe.ru
  • www.mtno.ru
  • www.wmpd.ru
Some notable impacted sites:
  • frontweb.vuse.vanderbilt.edu (Vanderbilt University)
  • maryvillecollege.edu (Maryville College)
  • guildford.ac.uk (Guildford University)
  • many .gov.ar (Argentina) and .gov.cn (China) sites
  • navigationusa.com (Online retailer)
  • worldcricketstore.com (Online retailer)
A Google search and Yahoo search indicate the extent of the problem (obviously, you don't want to visit any of these impacted sites).

Saturday, 20 December 2008

"Classmates Info Center": Currently planning the 2009 Year Reunion

There's a fake "Classmates" email being spammed out, that leads to a fake video that needs a fake "Adoble Media Player" called Adobe_Player10.exe and as you would probably guess, at the end of all this fakery is a nasty trojan.



Subject: Currently planning the 2009 Year Reunion
From: "Classmates Info Center" personalvideo@classmates.com

Your Classmates Events: Reunion January 16th 2009

" With pride and joy we invite you to share a special day in our lives and join us
for the Class Reunion on Friday, January 16th 2009.
Bring the gang from Our High School back together again!
Great party - from start to finish! "

Proceed to view details:

http://video.classmates.logon.user-gandy3ts0.updateyourplayer.com/messages.htm?/identification/INVITATION=vvffx2dckssqnle



Your favorite people are already here, so use ClassmatesTM to bring them together.

With best regards, Josh Jacobson. Customer Service Department.
Copyright 1995-2008 Classmates Online, Inc. All Rights Reserved.




The landing page looks like this:


Detection rates are poor according to VirusTotal. ThreatExpert's report is right here. It installs a rootkit and does all sorts of nasty things. Avoid.

Friday, 19 December 2008

Beijing AUG Networks Technology Co / augnetworks.cn scam

This is certainly spam.. but is it a scam? Most likely..

Subject: Dynamoo Domain name and Internet keyword Registration
From: "tom.xu"

Dec 19, 2008

Dynamoo

Domain name & Internet keyword

Dear Sir/Madam,

We are Beijing AUG Networks Technology Co., Ltd which is the domain name and internet keyword registration service company in China. We received a formal application from a company who is applying to register " dynamoo " as their domain name and Internet keyword on Dec 16, 2008.Since through our investigation we found that this word has been in use by your company, and this may involve your company name or trade mark so we inform you in no time. If you consider the domain name and internet keyword are important to your company and it is necessary to protect them by registering them first, contact us soon.

Kind Regards,

Tom Xu

Registration Comissioner

Tel/fax: +86-10-82797446

Email: tom.xu@augnetworks.cn

Website: www.augnetworks.cn

augnetworks.cn was only registered on 23/11/2008 to "Beijing AUG Networks Co", it is in no way an official registrar and the company probably doesn't even exist. Domain registrars are not actually responsible for checking trademarks, they most likely have had no such approach from a customer and really the whole thing is designed to make you panic into buying something you don't need.

There's more on Chinese domain malpractice here.

Tuesday, 16 December 2008

MS08-078: Out-of-band patch for IE coming

Microsoft are issuing an out-of-band patch tomorrow (17th December) for the well-publicised flaw in Internet Explorer. This is another one of those "patch now" things - see here for more details.

"IE 7 users: stop looking at porn now!"


This zero day vulnerability in Internet Explorer has already been very widely publicised. There are no effective workarounds for the problem until Microsoft patch it.. apart from using a different browser.

The aptly named Zero Day blog has this sage piece of advice: "IE 7 users: stop looking at porn now!" Simply put, randomly surfing for smut, warez, illegal torrents or anything like that* is likely to infect your machine if you are running IE.

In fact, because there's no such thing as a safe site you should consider ditching IE altogether. If you're running Windows then probably one of the safest things you can do is get Firefox, add the NoScript extension and then ensure that your PC is fully up-to-date by using the Secunia Software Inspector. Even security firms such as CA and Trend Micro have had their sites compromised to serve up malware in the past, so you can never be to careful...

* or Myspace.. or Facebook..

Wednesday, 10 December 2008

Vulnerability in WordPad Text Converter Could Allow Remote Code Execution

Most people will rarely use WordPad these days, but it's installed on pretty much every Windows system out there. So when Microsoft announce a vulnerability in WordPad, it could spell trouble.. essentially, a specially-crafted WordPad file could run arbitrary code on your system.

WordPad documents have a .DOC or .WRI extension, and if you have Word installed (or a similar product) then .DOC files will default to loading in Word instead. So, to mitigate against this you could simply block .WRI files at your proxy and/or mail filter. Or you could use Windows XP SP3 or Vista.. but that's not exactly a quick fix. Or you could deassociate .WRI files from WordPad using a policy.

There aren't a lot of WRI files to test with on the web, so here's a harmless file I prepared earlier:

Sunday, 7 December 2008

Spammers try and fail with fake Classmates email

We've seen this particular attack several times before - an email for a bank or other service that requires some sort of software installation to proceed.. in this case, masquerading as an update to Flash for some nonsense to do with Classmates.com.

Subject: Classmates Organisation.Reunion Website Builder
From: "Classmates Messagebox#329" invitation591@classmates.com

Dear Classmates customer.
Classmates Day 2009 soon!

Video Invitation from your Classmates "2009 Classmates Day Announcement!" prepared to view.
Reunite Your High School Classmates and Celebrate This Day!
Your Classmates Are Waiting to Hear From You!

Proceed to view Your invitation now>>

With best regards, Lowell Abernathy.
Copyright 1995-2008 Classmates Online, Inc. All Rights Reserved.

Unfortunately, the stupidity of spammer is such the they have messed up the incredibly long URL, and if the users click on the link they'll get nowhere. The spammer is trying to send visitors to a subdomains of clasmatessup.com but they have forgotten the dot before com and instead are sending visitors to clasmatessupcom.

If you go to the effort of correcting the link, you get redirected to a site on a fast flux botnet which prompts you: Can't see the video? please download the Adobe_Player v10 Converter and this leads to a downloaded called AdobePlayer10.exe which actually doesn't appear to be malware (at the moment) as it identifies itself as "IIS Fortezza Setup Utility" which is a security add-on to Microsoft IIS servers, usually called fortutil.exe.

So, it's all kinda strange. Let's have a look at the WHOIS details for the domain:
Domain name: clasmatessup.com

Registrant Contact:
inc inc
Greff Frelos inc@yahoo.com
4576810811 fax: 4576810811
8883 Sh Road
New York NY 10003
us

[blah blah]

DNS:
ns1.licence-dsl.com
ns2.licence-dsl.com

Created: 2008-12-07
Expires: 2009-12-07
Of course, these are fake. The registrar is BIZCN.COM, who are often a registrar of choice for spammers. Of real interest are the name servers, ns1.licence-dsl.com is 207.150.183.180, ns2.licence-dsl.com is 66.34.177.43. 207.150.183.180 is an IP address connected with the Srizbi botnet and is a name server for a whole buncha domains.

If you run a corporate mail system, it might well be worth blocking email "from" classmates.com in any case, even if this time the spam is hugely unsuccessful, because all the bad guys will do is repackage it up and send it out again.

Saturday, 6 December 2008

Joe Job against GoldPoll.com: welcome to the murky world of HYIP

GoldPoll.com is a web site about HYIPs (High Yield Investment Programs) that is hosted in the British Virgin Islands to an anonymous (possibly Panamanian) registrant, and until recently the registrar was the well-known fraudster's friend EstDomains. Despite this unpromising pedigree, it does appear that GoldPoll.com is legitimate..

..well, as legitimate as anything is in the world of HYIPs. Most HYIPs are generally just a front for Ponzi schemes and offer ridiculous payout rates such as 2% interest per day (about 624% per year) which are clearly unsustainable.

Anyway, as you can imagine there are a LOT of fraudulent HYIP schemes (are there any that are actually legitimate?) GoldPoll.com attempts to flag up schemes that aren't paying up.. which means that they have obviously annoyed some HYIP scammer somewhere who has decided to carry out a Joe Job against GoldPoll.com:

Subject: Gold Poll
From: goldpoll.com.ads@gmail.com
Date: Sat, December 6, 2008 3:57 pm

The most relevant information about the top HYIP programs from the best hyip monitoring. http://www.goldpoll.com


We personally invest in each HYIP and check the reliability of everyday payments. Click on any HYIP name to be redirected to it. Click on Program Details to get further information about a HYIP, find other members' posts and vote yourself.

goldpoll.com

Now GoldPoll.com states: "We never send SPAM and hate SPAMmers. Please don't trust in any e-mail that appeared to be from us and not stated on our Newsletters Archive!" which of course doesn't mean that much.. but a close investigation of the offending email indicates that it came from 211.95.78.71 in China. Now, 211.95.78.71 isn't just any IP address, it happens to be a server where a number of HYIP related domains are hosted:

  • Accuramoney.com
  • Bestinvestfar.com
  • Bestnethosta.com
  • Dalamonda.com
  • Google-analyser.com
  • Google-optimise.com
  • Google-spider.com
  • Healthcarem.com
  • Heroesadvent.com
  • Homegome.com
  • Injektus.com
  • Jampadventures.com
  • Libertyreiserve.com
  • Libertyrescerve.com
  • Luckautomachine.com
  • Luckjewel.com
  • Maxcargotrade.com
  • Ordtechnologies.com
  • Platinumtvonline.com
  • Sekermen.com
  • Toguessgame.com
  • Trancgroup.com
  • Webtradersite.com

It seems that there is a related server to this at 64.63.1.204, at least one of the domains (nasdaq-invest.com) is on GoldPoll.com's blacklist (there may be others).

  • Al-moeed.com
  • Boodjewel.com
  • Deluxeinvestment.org
  • E-investbank.net
  • Fastprofit-2008.com
  • Futureinvest.biz
  • Gpttalkpro.com
  • Higaintrade.com
  • Hyip-profits.com
  • Hyip-world.com
  • Hyipchecking.com
  • Hyipozaurus.biz
  • Katyadumper.com
  • Libertyrieserve.com
  • Mcdump.com
  • Monemoke.com
  • Moneyinvests.biz
  • More-invest-2009.com
  • Nasdaq-invest.com
  • Pensioninsurancefund.com
  • Perfectservers1.us
  • Photos-vn.com
  • Realforex.us
  • Sectrustbonline.com
  • Solid-fund.com
  • Supervirtualcards.com
  • Teekypleaze.com
  • Tieudiemchinh.com
  • Tomerbusiness.com
  • Tophyipsite.com
  • Ukoblos.com
  • Userinvest.com
  • Wertor.info
  • Wmrub.com
If you are an HYIP investor, then take some of these domain names and Google for them, and you'll get the measure of [un]reliable they are. You can pretty much guarantee that they are closely related.

But really my best advice is to avoid HYIP altogether. It's basically just a form of gambling, but with much worse odds in the long run.

Wednesday, 3 December 2008

"Alpha Soft Company" bogus employment offer

Alpha Soft Company is a wholly legitimate Ukrainian software development company, this fake job offer is being sent out by someone pretending to be Alpha Soft, and who is fraudulently using the name of Taras Vergovsky (who is a director) in order to make the offer seem more credible.

There have been a few similar emails targeting companies from the Ukraine recently, for example: Infopulse, JavaRealm Software, VM-Soft, SocMart. They all follow a similar pattern and wording, and all mention the name of a senior person within the company.. and they are all bogus. In short, this is just another money laundering scam that should be avoided at all costs.




Hello Sir/Madam.

I Taras Vergovsky, Director of Alpha Soft Company specializes in innovative IT solutions and complex software projects development.

My company based in Ukraine. We've earned ourselves a reputation of a reliable and trustworthy partner working successfully with a number of West European companies and providing them with reliable software development services in financial and media sectors. Unfortunately we are currently facing some difficulties with receiving payments for our services. It usually takes us 10-30 days to receive a payment and clearing from your country and such delays are harmful to our business. We do not have so much time to accept every wire transfer.

That's why we are currently looking for partners in your country to help us accept and process these payments faster. If you are looking for a chance to make an additional profit you can become our representative in your country. As our representative you will receive 8% of every deal we conduct. Your job will be accepting funds in the form of wire transfers and forwarding them to us. It is not a full-time job, but rather a very convenient and fast way to receive additional income. We also consider opening an office in your country in the nearest future and you will then have certain privileges should you decide to apply for a full-time job. Please if you are interested in transacting business with us we will be very glad.

Please contact me for more information via email: alphasoft.ua.job@gmail.com

and send us the following information about yourself:

1. Your Full Name as it appears on your resume.
2. Education.
3. Your Contact Address.
4. Telephone/Fax number.
5. Your present Occupation and Position currently held.
6. Your Age

Please respond and we will provide you with additional details on how you can become our representative. Joining us and starting business today will cost you nothing and you will be able to earn a bit of extra money fast and easy. Should you have any questions, please feel free to contact us with all your questions.

Thank you,
Taras Vergovsky ,
Alpha Soft Company




Some email addresses to look out for are alphasoft.ua.job@gmail.com, sup.alphasoft@gmail.com, job.alphasoft@gmail.com.. there are probably others. Sending IP is 217.170.2.228.

Tuesday, 2 December 2008

Awesome or what? The Nokia N97.



Announced a couple of hours ago, the Nokia N97 is a pretty awesome looking bit of kit. We've waited a long, long time for Nokia to come up with something like this.. although I don't think that I will be giving up the Nokia E90 just yet, since the rumour is that there will be a touchscreen Communicator next year (probably announced at Mobile World Congress).

It's not cheap: €550 (around £450 or $650) SIM-free before tax. You can get a laptop for that. Very tempting though...

Friday, 28 November 2008

French "Bill Gates" lottery scam

A colourful lottery scam featuring Bill Gates. The pitch is that the Bill Gates Foundation is running a lottery and you have won €400,000 which for some reason will be paid through a bank in the Ivory Coast. It is all written in fairly simple French, and it isn't difficult to see that the pitch is basically the same as in English.



Subject: Toutes Nos "Felicitation !!!!! Vous Venez De Gagnez La Somme De 400.000Euros"

From: lottery_cristal2008

Bonjour Mme / M,

Nous vous contactons par cette presente pour vous informer de votregain à la Bill Gates fondation ISABELLE CHEVALIER

Ceci n'étant donc pas un spam ni un virus, veuillez trouver en fichier joint votre notification de gain.

Cordialement.

Mme ISABELLE CHEVALIER

Directrice des Opérations

INTERNATIONALE BILL GATES

FONDATION.

Contact Agent

NOM ET PRENOMS : Bouah Williams Herve

numéro de téléphone: 0225-02 73 98 90

E-mail:cabinet_bouah_williams_herve@yahoo.fr





Unusually, the scam comes with a PDF attachment that gives more details. On the principle that unsolicited PDF files can often come with nasty surprises, here is a JPG version for you to enjoy (click to enlarge):

A strange mismash of elements that looks unconvincing, but it does seem that people still fall for this type of trick.

Wednesday, 26 November 2008

SINOCHEM bogus job offer

Nice for them to label this as "spam". SINOCHEM is a legitimate and huge Chinese chemicals company, but they did not send this email. Why would SINOCHEM need to use a Yahoo! email account anyway? Liu Deshu really is the president of SINOCHEM though, it's a case of the scammers trying to use a real name to make it more convincing.




Subject: Spam: Free: Collection Officer Needed
From: "Sinochem Company"

China National Chemicals Import & Export Corporation(SINOCHEM)
Tower A2,Fuxingmenai,
Street,Beijing,
People's Republic of China.
PC: 100080.

REF:SC/08/00867546.

Dear Sir/Madam,

We need Representatives from all over the World and as specified.

North America

Collection Officer wanted in this region who will assist in retrieving debts
from our clients in USA & CANADA.

EUROPE, ASIA, SOUTH AMERICA & AUSTRALIAS

Someone needed to assist in setting up a Branch of our Company in his/her
country.

If interested, please supply the following:

1) Name
2) Country

Send your response via email SPECIFICALLY to sinochemcorp221@yahoo.cn

Respectfully Submitted,
Mr. Liu Deshu.
President.
Sinochem Trading Company.


Tuesday, 25 November 2008

bobbear.co.uk "Joe Job" attack

BobBear.co.uk is a comprehensive resource covering money laundering and parcel reshipping scams. Recently it has been under a DDOS attack from the Bad Guys. They have followed this up with a Joe Job,with a series of offensive email messages apparently "from" Bob Harrison who runs BobBear. This has happened before.

The messages have a faked "from" addresses @tiscali.co.uk and @gmail.com account, presumably those belonging to Bob Harrison in an attempt to get his mailboxes shut down.

Sample subjects are:
  • Fukkah
  • Bitched
  • Butthole
  • Penises
  • Mutha Fuker
  • Suck
  • Polack

Sample body text:
  • your son sexy nigger boob knobz knobs
  • your father pusse phuker
  • your mother asholes retard
  • your son cnts cock head bitches knobs
  • our daughter mutha fucker phuc
  • your dad phuck sluts
  • your son cocksucker fuker
There are probably hundreds of hosts sending out this mail, but I have seen 128.130.173.77 and 65.98.57.10 repeatedly.

Don't bother complaining to Tiscali or Gmail about this, BobBear is not sending out the spam. Instead, use a reporting service such as SpamCop to send a complaint back to whoever manages the sending machine.

Monday, 24 November 2008

"Ran-De-Vou Co." proofreading scam

Sometimes it is hard to see what the scam is with some of the job offers, except that undoubtedly it IS a scam. This job offer from the ficticious "Ran-De-Vou Co." offers a proofreading job which is kind of unusual at first glance.



Subject: Successful Positions Available

Dear Job Seeker,

We are glad to inform you about new vacancy opening in the area of proofreading at
Ran-De-Vou Co.


Part time job Description:

We provide you with business messages which require revision and your task is to
make necessary
corrections as an english speaking person, and e-mail them back to us.


Payment:

There is no fixed salary for this vacancy. We offer $5.00 per 1Kb of the text which
you revise (the workload is about 4-5 Kb a day).
The salary is paid once a month, and begins with the date of the first revision you
make.
(Example: by editing 5Kb of texts a day you earn $1000.00 a month)


Requirements:

-Applicant must be a US citizen
-Applicant must be of a legal age: 21+
-Applicant should be skilled in computer usage, and American English


Feel free to submit the application form which follows only to e-mail:
ran.devou.gr@gmail.com
__________
FULL NAME:
HOME ADDRESS:
CITY, STATE, ZIP CODE:
Phone number (home or cell, but SHOULD BE available any day time):
E-MAIL:
AGE:
OCCUPATION:
EDUCATION:
----------

You will receive a response from us in 24 hours.

If you have any questions please reply only at our e-mail: ran.devou.gr@gmail.com

Sincerely, Ran-De-Vou Co. Team



Unlike the usual money mule and parcel reshipping scam jobs, this really does seem to be asking for a proofreader. And given the poor quality of English seen in some of these scams, it is easy to understand why. In fact, there is a whole underground fake career network aimed at recruiting virtual office staff for these bogus outfits. Unfortunately for these "employees", they are usually the people that end up having to deal with the police when the scam gets busted.

Avoid.

Saturday, 22 November 2008

"Louvre Tec Products Ltd" job offer scam

LouvreTec is a wholly legitimate New Zealand company using the domains www.louvretec.co.nz, louvretec.net, louvretec.com and other similar names.

This fraudulent job offer is not from LouvreTec, but it looks like it is.

Subject: Work Online With US
From: "Louvre Tec Products Ltd" Job@louvretec.co.nz

You could make 5,000 pounds online in a week without delaying your present job...


Hit REPLY for more details..

NOTICE: IF YOU ARE SERIOUS TO GET EMPLOYED ONLINE, YOU MUST REGULARLY CHECK YOUR JUNK OR/ BULK OR/ SPAM FOLDERS IN OTHER NOT TO LOSE SOME OF OUR MESSAGES.
Although it appears to be "from" louvretec.co.nz, hitting "reply" comes up with a completely different email address of louvretecproductsltd.n.z@emailaccount.com. The scammers are hoping that no-one will notice this. (In case you are wondering why it is different, it's an annoying feature called the "reply to" address).

£5000 a week sounds good.. after all, that's over a quarter of a million quid a year. Yeah right..

One interesting thing with this spam is the bit at the bottom. The scammers realise that spam filters tend to remove junk like this, so they are asking you to check your junk messages for job offers. Not a good idea.

Originating IP address is 78.159.123.169, which claims to be in the UK and the message was sent to an email address stolen from a UK online retailer.

Wednesday, 19 November 2008

ISC: Large quantity SQL Injection mitigation

The ISC have given some good guidance on SQL injection mitigation, in case your server has been hit by Asprox or something similar. It's complicated stuff, and if you don't understand it, then it is definitely worth hiring a professional to fix your database.

Tuesday, 18 November 2008

Microsoft Morro: free anti-virus software for consumers

This might be a good deal for cash-strapped consumers, but a bad deal for other anti-virus companies.

Anyway, "Microsoft Morro" is the name given to this idea of giving away free anti-virus software to consumers. I will say that Microsoft's malware scanning technology is actually pretty darned good, but having a security monoculture is not a good idea.

I think perhaps McAfee, Symantec and some other AV vendors might be lawyering up on this one..

Friday, 14 November 2008

McColo dead - spam 69% down

If there was any doubt the McColo was behind a vast majority of the world spam, then I think the figures speak for themselves. We're seeing a 69% drop in spam volumes day-on-day (although we still only have one day's worth of post-McCole data). It will be interesting to see how long this takes to recover back to "normal" levels of awfulness.

Thursday, 13 November 2008

Estdomains and McColo sentenced to death


After some hesitation, ICANN have finally decided to terminate Estdomains, who most people in the security industry regarded as a rogue registrar with unhealthy connections to organised crime.

Another piece of good news is that McColo has been knocked offline - it turns out that they were hosting a number of command and control servers for botnets plus a load of other unpleasant stuff. Spam levels have dropped by a massive two-thirds as a result. Nice work.. and a big thanks to all those involved!