Friday, 13 September 2013

citizensbank.com "Issue File I3774 Processed" spam

For some reason I'm seeing a lot of these EXE-in-ZIP attacks recently. Here's another one with a malicious attachment:

Date:      Fri, 13 Sep 2013 11:09:53 -0500 [12:09:53 EDT]
From:      "GISPROD@citizensbank.com" [GISPROD@citizensbank.com]
Subject:      Issue File I3774 Processed

Regarding Issue File 3774 - Total Issue Items # 36 Total Issue Amount $42,171.75 This
will confirm that your issue file has been processed. Please verify the information in
attached report; if you find there are discrepancies in what you believe your totals
should be and what we have reported, please contact the Reconciliation Department at
1-888-333-2909 Option # 3 between the hours of 8:00am and 4:00pm ET not later than 24
hours after you receive this notice. *** Please note, this message was created on the RBS
FileGateway system ***

-----------------------------------------
Use of email is inherently insecure. Confidential information,
including account information, and personally identifiable
information, should not be transmitted via email, or email
attachment. In no event shall Citizens or any of its affiliates
accept any responsibility for the loss, use or misuse of any
information including confidential information, which is sent to
Citizens or its affiliates via email, or email attachment. Citizens
does not guarantee the accuracy of any email or email attachment,
that an email will be received by Citizens or that Citizens will
respond to any email. This email message is confidential and/or privileged. It is to be
used by the intended recipient only. Use of the information
contained in this email by anyone other than the intended recipient
is strictly prohibited. If you have received this message in error,
please notify the sender immediately and promptly destroy any
record of this email.
There is a malicious attachment called issue_report_I3774.zip which in turn contains an executable file issue_report_I6576543219672.exe which has a detection rate of 12/47 at VirusTotal. Automated analysis [1] [2] [3] shows some of the mechanics of the malware, including network communications with wptutes.com on 74.221.210.124 (DME Hosting LLC, US).
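A gateway-side check for exactly this EXE-in-ZIP pattern, added here as an example (it is not code from the original post or from any product): it opens the attachment, flags members by executable extension and by the PE "MZ" magic so a renamed executable is still caught, and separately notes the date-stamped filenames these campaigns tend to use. The archive it inspects is constructed inline, reusing the payload filename from this post; the extension list, the filler bytes and the decision to treat a renamed PE as suspicious are the editor's assumptions.

```python
import io
import re
import zipfile

# File types Windows runs directly from a double-click. The set is the
# editor's choice for this example; extend it to suit your gateway policy.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf",
}

# A run of exactly six or eight digits that is not part of a longer number,
# e.g. 20130912 or 091113 in the filenames quoted in these posts.
DATE_STAMP = re.compile(r"(?<!\d)(\d{8}|\d{6})(?!\d)")


def looks_date_stamped(filename):
    """True if the name carries a six- or eight-digit date-like token."""
    return DATE_STAMP.search(filename) is not None


def inspect_zip_attachment(zip_bytes):
    """Return (member_name, reason) pairs for ZIP members that look like
    executable payloads. The extension and the first two bytes are both
    checked, so renaming payload.exe to report.pdf does not hide it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            dot = name.rfind(".")
            ext = name[dot:].lower() if dot != -1 else ""
            with archive.open(info) as member:
                magic = member.read(2)  # PE files start with "MZ"
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, "executable extension " + ext))
            elif magic == b"MZ":
                label = ext if ext else "missing"
                findings.append((name, "PE header behind a " + label + " extension"))
    return findings


def build_sample_zip():
    """Constructed sample archive (not a real capture): one member named like
    the payload in the post above, one PE renamed to .pdf, one benign text
    file. The "MZ" header is enough for the check; the rest is filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("issue_report_I6576543219672.exe", b"MZ" + b"\x90" * 62)
        archive.writestr("Invoice_20130912.pdf", b"MZ" + b"\x90" * 62)
        archive.writestr("readme.txt", b"nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_zip_attachment(build_sample_zip()):
        stamp = " (date-stamped name)" if looks_date_stamped(name) else ""
        print(f"{name}: {reason}{stamp}")
```

The magic-byte check matters more than the extension list: the extension is whatever the attacker chose, while the first two bytes are what Windows actually loads. Nested archives and password-protected ZIPs are out of scope here and would need a recursive pass and a policy decision respectively.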

Recent experience with this type of attack shows that when one domain on a server is compromised, they all are. If you want to block everything, the following domains appear to be on that server:

2ndry.com
bar-stool.info
electric-wheelchair.info
freeb4u.com
gov-l.net
hot-buys.org
hot-water.org
iconsumers.org
leather-handbags.info
storage-cabinets.info
thesafeconsumer.com
wptutes.com

Thursday, 12 September 2013

QuickBooks spam / Invoice_20130912.zip

This fake QuickBooks spam has a malicious attachment:

Date:      Thu, 12 Sep 2013 20:29:17 +0200 [14:29:17 EDT]
From:      QuickBooks Invoice [auto-invoice@quickbooks.com]
Subject:      Important - Payment Overdue

Please find attached your invoices for the past months. Remit the payment by 09/16/2013 as outlines under our "Payment Terms" agreement.

Thank you for your business,

Sincerely,
Quentin Sprague

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you. 
The attachment is Invoice_20130912.zip which in turn contains a malicious executable Invoice_20130912.exe (note the date is encoded into the filename). The detection rate at VirusTotal is just 3/46.

Automated analysis [1] [2] [3] [4] shows that, amongst other things, the file attempts to communicate with the domain leightongriffiths.com on an apparently compromised server at 64.50.166.122 which has been seen before.

Given that there are now several domains serving malware on the same server [1] [2] it is probably safe to assume that all the domains on that server are malicious and should be blocked.

Recommended blocklist:
64.50.166.122
4-access.com
ashburnes.com
bevan-holdings.com
bevanholdings.com
biffberry.com
camelotdevelopments.com
cardiffpower.com
carterlaurenconstruction.com
celebrategoodtimes.com
churchgatetrading.com
ciderbrokers.com
creativehomeworker.com
dcmsservices.com
deserve.org.uk
dignifiedcelebrations.com
doaus.com
drippingstrawberry.com
eflengineering.com
fruityblue.com
goldhaven.co.uk
gwentpressurewashers.co.uk
gwentpressurewashers.com
gympiper.info
haveyougotone.com
ivelostmymarbles.com
janglesmacrame.com
joannehawkins.com
justnoodles.co.uk
kinggems.com
kingmarbles.com
kwaggle.com
leightongriffiths.com
leisuremaintenanceltd.com
lmpropertyinvestments.com
macaraya.com
manorbrick.com
manorbrickyards.co.uk
marbledelights.com
marbleicious.com
motorhomeparadise.com
mykidbrother.com
mypersonalname.co.uk
mywebsitegroup.com
newportairport.co.uk
pnoa.co.uk
properteye.com
rockthecasbah.eu
rpduk.com
squaremileinsurance.com
steveperrott.com
talonstamed.com
thedrippingstrawberry.com
theitalianjob.mobi
thisisyourwife.co.uk
zestimports.com

Wednesday, 11 September 2013

USPS spam / Label_FOHWXR30ZZ0LNB1.zip

This fake USPS spam has a malicious attachment:

Date:      Wed, 11 Sep 2013 11:19:05 -0500 [12:19:05 EDT]
From:      USPS Express Services [service-notification@usps.com]
Subject:      USPS - Missed package delivery
Priority:      High Priority 1 (High)

Notification

Our company's courier couldn't make the delivery of package.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: Sort Order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: UGLFOHWXR30ZZ0LNB1
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
USPS Global.

*** This is an automatically generated email, please do not reply ***

CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (USPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies.  Thank You

There is an attachment Label_FOHWXR30ZZ0LNB1.zip which in turn contains an executable Label_368_09112013_JDSL.exe which has a very low detection rate at VirusTotal of just 2/47. Automated analysis [1] [2] [3] shows an attempted connection to a hijacked domain drippingstrawberry.com hosted on 64.50.166.122 (LunarPages, US) alongside quite a lot of other hijacked domains. Blocking or monitoring traffic to this IP could stop the infection.

URLquery shows the following domains are distributing malware on that server:
cardiffpower.com
celebrategoodtimes.com
drippingstrawberry.com
thisisyourwife.co.uk

For the record, the following domains appear to be on that server. They all look like legitimate sites, but some of them may be hijacked (and others may not be). Do with this list what you will:
4-access.com
ashburnes.com
bevan-holdings.com
bevanholdings.com
biffberry.com
camelotdevelopments.com
cardiffpower.com
carterlaurenconstruction.com
celebrategoodtimes.com
churchgatetrading.com
ciderbrokers.com
creativehomeworker.com
dcmsservices.com
deserve.org.uk
dignifiedcelebrations.com
doaus.com
drippingstrawberry.com
eflengineering.com
fruityblue.com
goldhaven.co.uk
gwentpressurewashers.co.uk
gwentpressurewashers.com
gympiper.info
haveyougotone.com
ivelostmymarbles.com
janglesmacrame.com
joannehawkins.com
justnoodles.co.uk
kinggems.com
kingmarbles.com
kwaggle.com
leightongriffiths.com
leisuremaintenanceltd.com
lmpropertyinvestments.com
macaraya.com
manorbrick.com
manorbrickyards.co.uk
marbledelights.com
marbleicious.com
motorhomeparadise.com
mykidbrother.com
mypersonalname.co.uk
mywebsitegroup.com
newportairport.co.uk
pnoa.co.uk
properteye.com
rockthecasbah.eu
rpduk.com
squaremileinsurance.com
steveperrott.com
talonstamed.com
thedrippingstrawberry.com
theitalianjob.mobi
thisisyourwife.co.uk
zestimports.com
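The two posts above both end with the same advice: block or at least monitor traffic to the shared server IP and the domains on it. Added here as an example (not from the original posts), this is the monitoring half of that advice as a scanner over Squid native-format access.log lines. The indicators are the server IPs and a few of the domains named in these posts; the log lines are constructed for the example, with documentation-range addresses for the benign hosts, and the hypothetical some-other-site.example line shows why matching on the destination IP catches a domain on the same server that is not yet on the list.

```python
from urllib.parse import urlsplit

# Indicators from the posts above: the shared server IPs and a handful of the
# domains hosted on them. Extend BLOCKED_DOMAINS with the full lists as needed.
BLOCKED_IPS = {"64.50.166.122", "74.221.210.124"}
BLOCKED_DOMAINS = {
    "drippingstrawberry.com",
    "leightongriffiths.com",
    "cardiffpower.com",
    "celebrategoodtimes.com",
    "thisisyourwife.co.uk",
    "wptutes.com",
}


def domain_blocked(host):
    """True if host is a blocked domain or a subdomain of one. The suffix
    match is anchored on a dot, so notwptutes.com is not a false hit."""
    host = host.lower().rstrip(".")
    if host in BLOCKED_DOMAINS:
        return True
    return any(host.endswith("." + d) for d in BLOCKED_DOMAINS)


def parse_squid_line(line):
    """Parse one Squid native access.log line into (client, url_host, dest_ip).
    Fields: time elapsed client action/code size method URL ident hier/from type.
    CONNECT requests carry host:port instead of a full URL, hence the // prefix."""
    parts = line.split()
    if len(parts) < 9:
        return None
    client, url, hier = parts[2], parts[6], parts[8]
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    dest = hier.split("/", 1)[1] if "/" in hier else "-"
    return client, host, dest


def scan_access_log(lines):
    """Return (client, host, dest_ip, reasons) for every line that touches a
    blocked domain, uses a blocked IP as the URL host, or was served from a
    blocked IP. The last case is what catches unlisted domains on the server."""
    hits = []
    for line in lines:
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        client, host, dest = parsed
        reasons = []
        if domain_blocked(host):
            reasons.append("domain " + host)
        if host in BLOCKED_IPS:
            reasons.append("ip-literal " + host)
        if dest in BLOCKED_IPS:
            reasons.append("server " + dest)
        if reasons:
            hits.append((client, host, dest, "; ".join(reasons)))
    return hits


# Constructed sample log (not a real capture). 203.0.113.x and 198.51.100.x
# are documentation ranges standing in for unrelated legitimate servers.
SAMPLE_LOG = [
    "1378923545.123    245 10.0.0.15 TCP_MISS/200 2048 GET http://drippingstrawberry.com/gate.php - DIRECT/64.50.166.122 text/html",
    "1378923550.456     88 10.0.0.15 TCP_MISS/200 512 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html",
    "1378923561.789    301 10.0.0.22 TCP_TUNNEL/200 4096 CONNECT www.wptutes.com:443 - DIRECT/74.221.210.124 -",
    "1378923570.000    120 10.0.0.31 TCP_MISS/200 1024 GET http://some-other-site.example/ - DIRECT/64.50.166.122 text/html",
    "1378923580.000     90 10.0.0.31 TCP_MISS/200 1024 GET http://notwptutes.com/ - DIRECT/198.51.100.7 text/html",
]

if __name__ == "__main__":
    for client, host, dest, reasons in scan_access_log(SAMPLE_LOG):
        print(f"{client} -> {host} ({dest}): {reasons}")
```

The same three checks translate directly into a proxy deny rule or a DNS sinkhole; the scanner is worth running over historical logs first, since the hosts that already connected to 64.50.166.122 are the ones that need an incident response look rather than just a block.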

UPDATE
This is an alternative version with the same payload: 
Date:      Wed, 11 Sep 2013 14:54:14 -0600 [16:54:14 EDT]
From:      Xerox WorkCentre
Subject:      Scanned Image from a Xerox WorkCentre

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: spamcop.net
Number of Images: 5
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: 07PR24RHFD

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

Attachment is Scan_883_00286191_7159.zip which expands to scanned_doc_091113.exe

Tuesday, 10 September 2013

Are top porn sites still riddled with malware?

Back in April I wrote an article about how several top porn sites were having issues with malware. An apparent infection at xvideos.com (link is a little NSFW) led me to look at the Google malware results for the past 90 days again.

I started with a list of sites in the top 1000 sites globally according to data at Alexa.com (a few have dropped out of the top 1000 since I collated the data set) and also used the Alexa data to work out the average number of daily pageviews per user. The next step was to look at Google's data on the number of infected pages and the total number of pages on the site, noting the date of last infection. From that I could work out an "infection likelihood" which is the probability of an average visitor coming into contact with malware during the period the site was infected.

What was surprising was just how clean these sites are looking (well, from a malware perspective). Last time some of the biggest sites had hundreds of pages infected, and now they appear to have virtually none. I've highlighted everything above 1% in red but note that the "riskiest" site (largeporntube.com) has been clean for a couple of months.
 
The results of my analysis are as follows:

| Rank | Domain | Pageviews / user | Total pages | Infected pages | Last infection | Infection rate | Infection likelihood |
|------|--------|------------------|-------------|----------------|----------------|----------------|----------------------|
| 38 | xvideos.com | 11.7 | 89427 | 0 | | 0.00% | 0.00% |
| 51 | xhamster.com | 10 | 11356 | 1 | 2013-07-01 | 0.01% | 0.09% |
| 66 | pornhub.com | 5.6 | 6235 | 0 | | 0.00% | 0.00% |
| 88 | xnxx.com | 9.5 | 26082 | 0 | | 0.00% | 0.00% |
| 95 | redtube.com | 5 | 9189 | 0 | | 0.00% | 0.00% |
| 99 | youporn.com | 5.6 | 1675 | 0 | | 0.00% | 0.00% |
| 103 | livejasmin.com | 2.4 | 502 | 0 | | 0.00% | 0.00% |
| 162 | tube8.com | 3.9 | 12697 | 0 | | 0.00% | 0.00% |
| 169 | youjizz.com | 4.7 | 1385 | 0 | | 0.00% | 0.00% |
| 227 | hardsextube.com | 3.3 | 71817 | 0 | | 0.00% | 0.00% |
| 268 | dmm.co.jp | 9.2 | 1245 | 0 | | 0.00% | 0.00% |
| 275 | beeg.com | 4.9 | 873 | 0 | | 0.00% | 0.00% |
| 326 | motherless.com | 14.8 | 3196 | 4 | 2013-06-24 | 0.13% | 1.84% |
| 393 | drtuber.com | 2.8 | 1420 | 0 | | 0.00% | 0.00% |
| 438 | myfreecams.com | 4 | 148 | 0 | | 0.00% | 0.00% |
| 453 | cam4.com | 6.3 | 889 | 0 | | 0.00% | 0.00% |
| 462 | adultfriendfinder.com | 7.8 | 241 | 0 | | 0.00% | 0.00% |
| 464 | bravotube.net | 2.6 | 1098 | 0 | | 0.00% | 0.00% |
| 502 | ixxx.com | 3.4 | 438 | 5 | 2013-09-05 | 1.14% | 3.83% |
| 528 | chaturbate.com | 14.7 | 2725 | 0 | | 0.00% | 0.00% |
| 578 | nuvid.com | 2.8 | 884 | 0 | | 0.00% | 0.00% |
| 588 | spankwire.com | 3.3 | 1182 | 0 | | 0.00% | 0.00% |
| 591 | porntube.com | 2.9 | 734 | 0 | | 0.00% | 0.00% |
| 595 | pornerbros.com | 1.9 | 946 | 1 | | 0.11% | 0.20% |
| 607 | largeporntube.com | 3.2 | 5750 | 160 | 2013-07-20 | 2.78% | 8.63% |
| 676 | yourlust.com | 2.7 | 1224 | 0 | | 0.00% | 0.00% |
| 697 | 4tube.com | 4.3 | 1337 | 0 | | 0.00% | 0.00% |
| 699 | keezmovies.com | 3 | 669 | 0 | | 0.00% | 0.00% |
| 707 | pornhublive.com | 2.3 | 30 | 0 | | 0.00% | 0.00% |
| 768 | xhamstercams.com | 1.8 | 5 | 0 | | 0.00% | 0.00% |
| 780 | h2porn.com | 1.8 | 2193 | 1 | | 0.05% | 0.08% |
| 800 | 4chan.org | 26.7 | 218 | 0 | | 0.00% | 0.00% |
| 804 | video-one.com | 13.7 | 1143 | 0 | | 0.00% | 0.00% |
| 825 | xtube.com | 12.1 | 805 | 0 | | 0.00% | 0.00% |
| 830 | sunporno.com | 2.7 | 360 | 0 | | 0.00% | 0.00% |
| 848 | porn.com | 4 | 1281 | 0 | | 0.00% | 0.00% |
| 864 | perfectgirls.net | 5.4 | 1958 | 5 | 2013-09-05 | 0.26% | 1.37% |
| 883 | nudevista.com | 8.7 | 2088 | 1 | 2013-08-03 | 0.05% | 0.42% |
| 931 | redtubelive.com | 2.8 | 33 | 0 | | 0.00% | 0.00% |
| 942 | alphaporno.com | 1.9 | 10472 | 32 | 2013-07-21 | 0.31% | 0.58% |
| 1065 | videosexarchive.com | 3.8 | 5183 | 0 | | 0.00% | 0.00% |
| 1238 | hellporno.com | 3 | 331 | 0 | | 0.00% | 0.00% |
| 1382 | watchmygf.com | 1.3 | 11 | 0 | | 0.00% | 0.00% |
| 1806 | ah-me.com | 2.7 | 235 | 0 | | 0.00% | 0.00% |

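The post describes the method in words but not as a formula. Added here as an example (not the author's own code), this recomputes the two right-hand columns from the table's inputs. The infection rate is simply infected pages divided by total pages; the "infection likelihood" reproduces every published row if each of a visitor's pageviews is treated as an independent draw from the site's pages, so the chance of hitting at least one infected page is 1 - (1 - p)^n. That formula is the editor's inference from the numbers, checked against the rows below, not something stated in the post; the rows are copied from the table.

```python
# Recomputes the "Infection rate" and "Infection likelihood" columns.
# The likelihood formula 1 - (1 - p) ** n is inferred from the published
# numbers (it reproduces every row), not taken from the post itself.

def infection_rate(infected, total_pages):
    """Fraction of a site's indexed pages Google flagged as infected."""
    if total_pages <= 0:
        return 0.0
    return infected / total_pages


def infection_likelihood(infected, total_pages, pageviews_per_user):
    """Probability that a visitor with the site's average number of pageviews
    lands on at least one infected page, treating each pageview as an
    independent draw from all of the site's pages."""
    p = infection_rate(infected, total_pages)
    return 1.0 - (1.0 - p) ** pageviews_per_user


def pct(x):
    """Format a fraction the way the table does, e.g. 0.0863 -> '8.63%'."""
    return f"{100 * x:.2f}%"


# Rows copied from the table above (all the sites with at least one
# infected page): (rank, domain, pageviews per user, total pages, infected).
ROWS = [
    (51, "xhamster.com", 10, 11356, 1),
    (326, "motherless.com", 14.8, 3196, 4),
    (502, "ixxx.com", 3.4, 438, 5),
    (595, "pornerbros.com", 1.9, 946, 1),
    (607, "largeporntube.com", 3.2, 5750, 160),
    (780, "h2porn.com", 1.8, 2193, 1),
    (864, "perfectgirls.net", 5.4, 1958, 5),
    (883, "nudevista.com", 8.7, 2088, 1),
    (942, "alphaporno.com", 1.9, 10472, 32),
]


def recompute(rows):
    """Return {domain: (rate_str, likelihood_str)} for each row."""
    out = {}
    for _rank, domain, pageviews, total, infected in rows:
        out[domain] = (
            pct(infection_rate(infected, total)),
            pct(infection_likelihood(infected, total, pageviews)),
        )
    return out


def rank_by_likelihood(rows, threshold=0.01):
    """Domains whose likelihood exceeds the threshold, riskiest first.
    The 1% default is the cut-off the post uses for its red highlighting."""
    scored = [
        (domain, infection_likelihood(infected, total, pageviews))
        for _rank, domain, pageviews, total, infected in rows
    ]
    scored = [(d, l) for d, l in scored if l > threshold]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for domain, (rate, likelihood) in recompute(ROWS).items():
        print(f"{domain:20} rate {rate:>6}  likelihood {likelihood:>6}")
    print("above 1%:", [d for d, _ in rank_by_likelihood(ROWS)])
```

The formula also makes the caveat visible: a site with a tiny per-page rate but many pageviews per visitor (xhamster.com, motherless.com) can carry a higher visitor-level risk than a site with a worse per-page rate and shallow visits, which is why the two columns are ranked differently.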
So, what is going on? Have these sites cleaned up their act? Well, it certainly looks like there has been an improvement (despite the reported infection at xvideos.com above). 

Over 46,000 people looked at my previous blog post on the topic, and it was covered by some major news outlets [1] [2] [3] [4] [5]. Reaction was varied, and many porn site operators flatly denied the problem despite the Google statistics indicating otherwise.

So perhaps shining a light on the problem helped to clean it up. Perhaps the spike in malware was a temporary glitch. Perhaps the malware operators are better at hiding what they are doing. I suspect that it is a combination of all three.


Despite the apparent cleanup of these sites, my advice is that you still need to exercise caution. It is very important to make sure that your system is fully patched (you can use Secunia OSI to check if you have a Windows PC), and a combination of Firefox + NoScript is very good at locking down your browser (note that this isn't really for novices). Logging in as something other than an administrator can also help to reduce the impact of malware, and of course a good and up-to-date anti-virus or security package is essential. In addition, Google's Chrome browser is pretty good at picking up malicious sites, and the most dangerous browser to use tends to be Internet Explorer. And if you have Sun's Java platform installed on your system I would strongly recommend that you remove it, as that is currently the most popular way of getting your machine infected.