Researchers at ESET have reliable intelligence that the Waledac botnet is currently being prepared for a spam campaign around the Independence Day theme. They have registered at least 18 domain names all related to the theme of video, fireworks, and Independence Day. The criminals behind Waledac are preparing to start sending spam with links to supposed videos of Independence Day fireworks which are, in reality, fresh copies of the Waledac malware family.
ESET estimates the size of Waledac’s botnet as tens of thousands of infected computers. More than 20,000 compromised computers will be used to send the malicious emails, in an effort to increase the size of the botnet. This effort will allow the criminals to send out even more spam. Currently, detection of the new variants of Waledac is quite low, with only a handful of antivirus products detecting the newest threat.
The Waledac family has been active since the end of 2008 and has been known to exploit events such as Christmas or Valentine’s day in order to spread in a way very similar to methods used by the infamous Storm Worm. Also, just like the Storm Worm, Waledac uses a peer-to-peer network to receive commands from its controllers. The main objective behind the Waledac operation is to use infected computers to send spam.
Consumers are reminded not to follow links in unsolicited emails, even if they appear to come from someone they know. As dangerous as fireworks can be, when used as directed, they are still safer than unsolicited emails!
Credit: ESET ThreatBlog
Credit: Websense
Miscreants have created a Michael Jackson mass-mailing worm. The malware follows a growing list of other hacking attacks in the wake of the superstar’s death last week and claims to offer secret songs and photos of Jackson in an attached zip file. In reality, the emails (which claim to come from sarah@michaeljackson.com) offer malicious code.
Prospective marks duped into opening the infected attachment on Windows machines get infected while further spreading the worm. The malware is also capable of spreading via USB memory sticks. The mass mailing worm - identified by Symantec as Ackantta-F - spreads in messages that typically bear the subject line “Remembering Michael Jackson.”
Ackantta is far from the only item of malware trying to ride on the coat-tails of Michael Jackson’s death. For example, an executable file posted on counterfeit photo-sharing sites was detected by F-Secure last week. The malware tried to establish a backdoor on compromised Windows PCs.
Separately, a domain loaded with exploit code - supposedly touting Jackson death conspiracy theories - is actually just an outlet for an exploit tool, Sunbelt Software warns. The domain, complete with Matrix-like animation, is running “Unique Pack” exploit package version 2. The malicious domain is being promoted via an enthusiastic spamming campaign.
Credit: The Register
Researchers from Computer Associates and Sophos are reporting on three currently active malware campaigns using fake Microsoft patch themes as a social engineering tactic to spread over email.
The first one is spreading as an “Important Windows XP/Vista Security Update” and is offering a bogus Conficker removal tool, the second is using an “Outlook re-configuration” — also spammed earlier this month — and the third one is using an out-of-band “Update for Microsoft Outlook / Outlook Express (KB910721)” theme, which in reality is nothing else but a trojan.
The fake Conficker removal tool campaign has been active for over a week now, with Symantec pointing out that not only are the authors unable to tell the difference between Troj/Brisv.A and Conficker, but they also misspelled Conficker as ConFlicker while attaching their malware to Symantec’s original removal tool in an attempt to lend the campaign more legitimacy.
A similar fake “Conficker Infection Alert” spam campaign redirecting to scareware took place in April. Cybercriminals continue to stick to the cyclical “Microsoft security update/patch” social engineering theme, but whereas previous campaigns were perfectly timed, this latest one thankfully isn’t.
The second, Outlook re-configuration campaign is serving Outlook_update.exe through several legitimate, presumably compromised, web sites alongside purely malicious ones. Interestingly, the third campaign, promoting the fake Outlook critical update, has attached the executable officexp-KB910721-FullFile-ENU.exe directly to the email, indicating the authors’ lack of experience with such campaigns.
Credit: ZDNet.com Security Blogs
Twitter users over the weekend were the target of a scam that tried to infect them with rogue anti-virus software and other malware, in what is one of the first times the micro-blogging site has been hit by a known for-profit attack, a security researcher said.
The problem started after a flurry of tweets directed users to a website promising “Best Video.” The site appeared to offer content from YouTube, but behind the scenes, the site delivered a PDF document designed to infect those using vulnerable versions of Adobe’s Reader program. Victims then received an urgent warning that their systems were infected and needed to be cleaned using fraudulent security software. The scam promoted a piece of rogue anti-virus software dubbed “System Security.”
“This attack is very significant,” Kaspersky researcher Roel Schouwenberg says. “It would seem that at least one criminal group is now exploring the distribution of for-profit on Twitter. If the trends we’ve seen on other social platforms are any indicator for Twitter then we can only expect an increase in attacks.”
Twitter representatives said Saturday they had contained the problem after temporarily suspending accounts that had been compromised. No confidential information was intercepted, they added.
The high volume of posts on Twitter that encourage readers to follow obscured links to audio, video, and other content has created a click-first-ask-questions-later culture on the micro-blogging site that’s ideal for drive-by attacks. And yet, this weekend’s attack is one of the few to target Twitter users with exploits that install malware.
That’s not to say Twitter hasn’t been targeted in the past. The vast majority of the attacks, though, have been worms that repeat a phrase or link over and over by tricking users to click on links that automatically leave a post. As more posts are generated, more and more Twitter users are bombarded with the malicious links, giving the attacks the ability to spread virally.
Credit: The Register
Fans of Chelsea, Arsenal and Manchester United are being targeted in a new email scam that attempts to trick recipients into sending premium rate text-messages in the hope of winning non-existent Champions League final ticket prizes.
The ruse promises entry in a draw for a chance of a seat at the Stadio Olimpico on 27 May but promises only to empty fans’ pockets, net security firm BitDefender warns. The Champions League and similarly-themed Uefa Cup scams are aimed at mobile subscribers and began circulating earlier this week, before Liverpool and Manchester City were knocked out of the competitions.
“Under the false appearance of a lottery that offers tickets to the final matches, the text-based spam invites recipients to send text messages with the name of their favorite team to a specific number,” BitDefender analyst Razvan Livintz explains. “Most likely, cybercriminals collect a fee for each SMS, but they do not give any ticket to Sükrü Saracoglu Stadium or Stadio Olimpico in return.”
Credit: The Register
A cross-site scripting worm was spreading in Twitter profiles for several hours during April 12. People started reporting that their profile had sent Twitter messages without their knowledge. Messages looked like this:
Later on the messages morphed several times:
Many people followed the links to the promoted website, as they believed the messages to be genuine Tweets from their friends. A cross-site script on the site then caused new users to start to Tweet the same messages.
It is unclear if the spammed site was actually associated with the worm.
According to an explanation on DCortesi blog:
What’s happening here is that it looks like somebody realized they could save url encoded data to the profile URL field that would not be properly escaped when re-displayed. This is particularly nasty because you could get infected simply by viewing somebody’s profile page on Twitter that was already infected. If you visited an infected profile, the JavaScript in the profile would execute and by doing so tweet the mis-leading link, and update your profile with the same malicious JavaScript thereby infecting anybody that then visits your profile on twitter.com.
It looked like Twitter fixed the issue but another round of the worm hit Twitter on Sunday morning. It was effectively the same thing, but attacked a different field. Here is one of the current variants:
Besides the “original” worm that was supposedly written by a teenager, there are some copycats out there. The code had also been run through an obfuscator. The copycat Twitter XSS worms exploit the same vulnerability and actually most of the code remains the same. The new version got obfuscated to make analysis a bit harder.
It looks like the folks from Twitter are still fixing all the vulnerabilities, so it seems that there are going to be quite a few modified Twitter worms for a day or two. Twitter stats blog said that they are currently addressing a new manifestation of the worm attack.
No passwords, phone numbers, or other sensitive information were compromised as part of this renewed attack, according to Twitter.
All these attacks are JavaScript-based, so it is possible to turn JavaScript off if you’re worried, or to use the NoScript Firefox add-on.
F-Secure detects the script file as Worm:JS/Twettir.A.
Credit and screenshots: Mikko, F-Secure Weblog
Credit: DCortesi.com Blog
Credit: SANS Internet Storm Center
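The DCortesi explanation above describes a stored cross-site scripting bug: a URL-encoded value saved in the profile URL field was decoded on re-display and dropped into the page without escaping. The following is an added example, not code from Twitter, F-Secure or DCortesi, that models the defect and its fix in a hypothetical profile renderer. The two render functions, the sample stored values and the triage helper are all constructed for illustration; the sample payload is a generic placeholder, not the worm's script.

```python
"""Stored-XSS model of a profile-URL field that is decoded and re-displayed.

Added example (hypothetical renderer, not Twitter's code). It shows why
decoding a stored value and emitting it unescaped turns data into markup,
and what output-side validation plus HTML escaping does instead.
"""
import html
from urllib.parse import unquote, urlsplit

# Constructed sample stored values (URL-encoded, as a form would submit them).
# PAYLOAD decodes to a URL whose path closes the href attribute and opens a
# script tag; it is a generic placeholder, not the actual worm payload.
PAYLOAD = "http%3A%2F%2Fexample.invalid%2F%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E"
BENIGN = "https%3A%2F%2Fexample.invalid%2Fprofile"

ALLOWED_SCHEMES = {"http", "https"}


def render_vulnerable(stored_value: str) -> str:
    """Reproduces the mistake described above: the stored field is URL-decoded
    on re-display and written into HTML with no escaping, so any '"' or '<'
    in the decoded text becomes part of the page's markup."""
    decoded = unquote(stored_value)
    return f'<a href="{decoded}">{decoded}</a>'


def render_safe(stored_value: str) -> str:
    """Hardened version: only http(s) URLs with a host are rendered, and the
    value is HTML-escaped (quotes included) for both the attribute and the
    link text. Escaping happens at output time regardless of what was stored."""
    decoded = unquote(stored_value)
    parts = urlsplit(decoded)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return '<a href="#">(invalid URL)</a>'
    escaped = html.escape(decoded, quote=True)
    return f'<a href="{escaped}">{escaped}</a>'


def find_suspicious_profiles(profiles: dict[str, str]) -> list[str]:
    """Triage helper for stored data: return users whose saved profile URL
    decodes to markup characters or to a non-http(s) scheme. Useful when
    sweeping already-infected records after the rendering bug is fixed."""
    flagged = []
    for user, stored in profiles.items():
        decoded = unquote(stored)
        scheme = urlsplit(decoded).scheme.lower()
        if "<" in decoded or ">" in decoded or scheme not in ALLOWED_SCHEMES:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("safe:      ", render_safe(PAYLOAD))
    print("flagged:   ", find_suspicious_profiles({"alice": BENIGN, "bob": PAYLOAD}))
```

Note that the triage sweep is a clean-up aid, not the fix: only escaping at output time closes the bug, because a stored value can be changed by any path that writes the field.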
The Foreign and Commonwealth Office (FCO) has warned Brits and others to ignore a phishing scam currently circulating around the internet.
Scam emails attempt to trick users into submitting personal data, in exchange for a chance to benefit from a fictitious “Recession Relief Programme Fund”. The bogus emails purport to come from Foreign Secretary David Miliband and feature subject lines such as “Global economic crisis relief aid”, as explained in an FCO warning here, issued on Monday.
The stimulus package announced by government leaders at the G20 conference last month makes the attempted FCO-themed fraud timely, without making it any more plausible. Most internet savvy users would smell a rat a mile off, but it only takes a tiny fraction to respond to make the ruse worthwhile for cybercrooks. Trend Micro notes the ploy is similar to “Obama Stimulus Check” scam emails spammed out in January.
Phishing scams began as an attempt to trick the gullible into handing over login credentials for online banking or PayPal accounts under the guise of security checks.
Over the years the brands targeted by such attacks have expanded to include a much wider range of e-commerce outlets, and more occasionally, as with the latest example, posing as messages from government departments. Government-themed phishing scams used to offer tax refunds but now we’re seeing examples of supposed grant offers, another sign that fraudsters are adapting to the recession.
Phishing scams in general are more frequently targeted towards consumers, but businesses are not immune to getting taken to the cleaners either.
Credit: The Register
Match.com, an online dating service with reportedly more than 15 million members from 37 countries, is being used by miscreants to infect users with malware. Websense Security Labs has noticed that this new spam campaign aimed at Match.com is being used to spread a trojan called Papras.
On April 7 2009, Websense received thousands of malicious emails in their email Honey Pot system. The emails claim that someone wants to show the user her pictures and videos, and lures the user into visiting the Web site set up by the attacker. When the user starts the video on the Web site, they are asked to install a streaming video player (a malicious file called ADOBE_PlayerInstallation.exe) which is actually a trojan with relatively low AV detection, according to VirusTotal:
BitDefender 7.2 2009.04.08 Trojan.PWS.Papras.V
eSafe 7.0.17.0 2009.04.07 Suspicious File
F-Secure 8.0.14470.0 2009.04.08 Trojan-PSW:W32/Papras.DS
GData 19 2009.04.08 Trojan.PWS.Papras.V
McAfee+Artemis 5577 2009.04.07 Generic!Artemis
Prevx1 V2 2009.04.08 High Risk System Back Door
Sophos 4.40.0 2009.04.08 Mal/EncPk-HJ
Symantec 1.4.4.12 2009.04.08 Infostealer
VBA32 3.12.10.2 2009.04.08 suspected of Malware-Cryptor.Win32.General.3
Easter is around the corner and as expected, attackers have already started to poison search engine queries to redirect users to websites that deliver misleading applications. Various search keywords related to Easter have been poisoned in Internet search results so that links to rogue websites are returned in the search listings. Some of the examples of poisoned keywords are:
Easter verse
Popular Easter Bible verse scriptures
Easter greeting card verses
Easter Bible verses
Easter verses poems
Bible Easter verse
Easter-Bible
Easter Bible quotes
Here is a Google search results example (do not visit those sites):
Attackers are using various tricks, such as referrer checking, in order to evade security researchers. If the bogus domains returned in the search listing are visited directly, we will see a page with many Easter-related keywords and links used to bolster the page’s search ranking. However, if the bogus links are clicked on from the search engine results, users will be redirected to malicious websites delivering misleading applications. In addition, the attackers are using “no-store, no-cache” in their HTTP headers so that these malicious pages are not stored or cached. Below are a couple of snapshots of the poisoned search results:
These bogus domains are hosting malicious scripts that redirect users to websites delivering misleading applications. This script redirects users to a website that displays a fake antivirus “scan” screen and delivers a rogue application.
Many of these bogus domains in question are currently redirecting to wikipedia.org, which most likely means that the attackers will change the redirection to point to malicious domains sometime in the future.
Credit: Security Response Blogs, Symantec
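The cloaking described above (a keyword-stuffed page for direct visitors, a redirect to the rogue "scan" page for visitors arriving from a search engine, and no-store, no-cache headers on the malicious response) can be checked for by fetching the same URL twice, once without and once with a search-engine Referer, and comparing the results. The following is an added example, not Symantec's code: the Response class, the two constructed sample responses and the threshold are assumptions made for illustration, and the actual HTTP fetching is left outside the block so it runs offline.

```python
"""Referrer-cloaking check for SEO-poisoned pages.

Added example (not Symantec's code). Given the response to a direct visit
and the response to a visit that carried a search-engine Referer, it reports
the indicators named in the report: a referrer-dependent final host,
'no-store, no-cache' on the referred response, and page bodies that barely
overlap. The responses below are constructed, not captured traffic.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Referer an analyst would send on the second fetch (constructed value).
SEARCH_REFERER = "https://www.google.com/search?q=easter+bible+verses"
SIMILARITY_THRESHOLD = 0.5  # assumed cut-off for "same page"


@dataclass
class Response:
    """Minimal stand-in for an HTTP response after redirects were followed."""
    final_url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def header(resp: Response, name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def body_similarity(a: str, b: str) -> float:
    """Jaccard similarity over the lower-cased word sets of two bodies."""
    words_a = set(re.findall(r"[a-z0-9]+", a.lower()))
    words_b = set(re.findall(r"[a-z0-9]+", b.lower()))
    if not words_a and not words_b:
        return 1.0
    return len(words_a & words_b) / len(words_a | words_b)


def cloaking_indicators(direct: Response, referred: Response) -> list[str]:
    """Return the cloaking indicators seen between a direct visit and a
    search-referred visit. An empty list means nothing suspicious."""
    found = []
    if urlsplit(direct.final_url).netloc != urlsplit(referred.final_url).netloc:
        found.append("final host differs by referrer")
    cache = header(referred, "Cache-Control").lower()
    if "no-store" in cache and "no-cache" in cache:
        found.append("referred response marked no-store, no-cache")
    similarity = body_similarity(direct.body, referred.body)
    if similarity < SIMILARITY_THRESHOLD:
        found.append(f"body similarity {similarity:.2f} below threshold")
    return found


# Constructed sample responses standing in for two fetches of one poisoned URL.
KEYWORD_PAGE = ("<html><body><h1>Easter Bible verses</h1><p>Easter verse, Easter "
                "greeting card verses, Easter Bible quotes ...</p></body></html>")
SCAREWARE_PAGE = ("<html><body><h1>Warning! Your computer is infected</h1>"
                  "<p>Run a free scan now</p></body></html>")

DIRECT_VISIT = Response("http://bogus-easter.invalid/verses.html", 200,
                        {"Content-Type": "text/html"}, KEYWORD_PAGE)
REFERRED_VISIT = Response("http://fake-av.invalid/scan.php", 200,
                          {"Cache-Control": "no-store, no-cache",
                           "Content-Type": "text/html"}, SCAREWARE_PAGE)


def check_sample() -> list[str]:
    """Indicators for the constructed poisoned pair."""
    return cloaking_indicators(DIRECT_VISIT, REFERRED_VISIT)


def check_control() -> list[str]:
    """Control case: the same response both times yields no indicators."""
    return cloaking_indicators(DIRECT_VISIT, DIRECT_VISIT)


if __name__ == "__main__":
    for line in check_sample():
        print("indicator:", line)
    print("control:", check_control())
```

Because the report notes that many of the domains currently redirect to wikipedia.org, a host mismatch alone is weak evidence; the check is most useful when several indicators co-occur and when the same URL is re-fetched over time.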
The growing trade in rogue security software is being driven by the gaming of search engines to direct surfers to sites peddling scareware.
Scareware affiliate networks are using black-hat search engine optimization techniques to drive traffic volumes. To promote their wares, these well-organized cybercrooks are compromising legitimate websites and injecting links to SEO-targeted pages which include repetitive references to popular search terms.
The tactic means that compromised websites appear at the top of search results. This black-hat SEO targeted technique yielded almost half a million Google searches to compromised sites, according to stats found on a cybercrime server by net security firm Finjan. A total of 1.8m unique users were diverted to sites peddling rogue anti-virus software during 16 consecutive days.
Scareware applications typically try to frighten users into believing their PCs are riddled with malware, even if their computer is clean, as a ploy designed to trick people into purchasing ineffective clean-up tools.
Between 7 and 12 per cent of surfers visiting sites punting scareware packages installed the trial version of the fake software, with 1.79 per cent paying $50 for software of little or no utility.
Members of the scareware affiliate network made 9.6 cents per redirection, raking in a total of $172,800 or $10,800 per day during the duration of the scam, Finjan estimates.
According to a study by the Anti-Phishing Working Group, published last week, the number of rogue anti-malware programs in circulation rose from 2,850 in July to 9,287 in December 2008, more than tripling in the space of only six months.
Campaigns promoting traffic to sites punting scareware packages have been themed around the tragic death of actress Natasha Richardson and the recent confusion around the Norton forum ‘Pifts’ purge, which followed in the wake of an accidental distribution of an unsigned program update by Symantec.
Credit: The Register