November 2009 - Posts

Fly for $1 or Your Money Back!


It is the time of year to get together with family and friends, and that often involves flying. So, how about a promotional airline ticket for just $1?

That sounds like an irresistible idea, though it also sounds too good to be true. As you can imagine, there is something wrong here: instead of flying for a buck, you may end up with several hundred dollars less in your bank account.

This example is the most recent seasonal spam targeting Brazilians. In the image below you can see the pitch.


When you click on the image, which is hosted at hxxp://dhroot.hpg.com.br/images/danosse.jpg, you’ll follow a link that will attempt to download a Trojan from hxxp://www.medcitybuilders.com/plugins/system/[REMOVED]/. This Trojan is a downloader that will copy a password-stealing malware that targets the customers of Brazilian banks. The malware is currently hosted at hxxp://www.radfahrschule.at/html/modules/PagEd/browsepics/[REMOVED].

In Brazil we say “there is no such thing as free dinner.” In the States there’s no free lunch. In this case we can also see that there are no free air tickets. :)

DonBot starts vigorous social networking campaign


This post is made on behalf of my colleague Mat Nisbet, Malware Analyst for Symantec Hosted Services.

As of November 18, we have noticed a huge jump in the number of spam e-mails that contain a link to Twitter. Normally there is a tiny fraction of a percent, but on November 18 it jumped to 4 percent of all spam. This new surge is entirely from the DonBot botnet.


The apparent aim of these e-mails is to get people to fall for “get rich by working at home” schemes, where the victim is encouraged to pay an initial fee for a trial and then sit back and watch the cash come in. Though easily stopped by us, this new run of spam uses a number of techniques to attempt to get past basic filters. First, the body of the e-mail is simply an image (of a fake newspaper article), to try to get past text-based signatures.


Second, the image itself is a link to a Twitter account, an attempt to get past link signatures, as Twitter is a legitimate site that couldn’t be blocked without stopping a huge number of perfectly innocent e-mails as well. The Twitter update that it links to is a short message telling people they could earn a certain amount of money per day, and provides a link to follow. A large number of Twitter accounts are used, and they seem to be a mixture of hijacked accounts (quite old, with genuine-looking updates) and false accounts set up purely for the purpose of spamming (not very old, containing only spam-like links).


There are a few website links at the end of the trail, and all are similar: each contains a story explaining how the victim could make large amounts of money for very little effort, followed by a step-by-step list of things to do in order to start making this money, the first of which is to fill out a form and pay a small “trial” fee. Some of these websites even include a photo of a “happy customer” holding a check for more than $29,000. This tactic attempts to increase the credibility of the scam.


We have also seen this scam being run through hijacked Facebook accounts, where the scammers have used a legitimate Facebook account which does not belong to them to post updates to the account’s ‘friend’ list. These updates contain links to the same Twitter accounts that are used by the e-mails.

Any website or e-mail claiming to have an offer to make easy money that seems too good to be true, almost certainly is. Don’t be fooled!
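As an added illustration (not part of the original post), the following Python script scores a message on the two evasion traits described above: an HTML body that is essentially a single image, and that image wrapped in a link to twitter.com. Both sample messages are constructed here, not captured spam.

```python
# Added example: heuristic scoring for the DonBot "image wrapped in a Twitter link"
# pattern. Constructed samples only; thresholds are assumptions, not Symantec's rules.
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse


class _BodyScan(HTMLParser):
    """Collect link targets, image count and visible text from an HTML part."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.text = [], 0, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def html_body(msg: Message) -> str:
    """Return the first text/html part decoded to str, or '' if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def donbot_score(raw_email: str) -> dict:
    """Extract the two features the post describes and combine them into a verdict."""
    scan = _BodyScan()
    scan.feed(html_body(message_from_string(raw_email)))
    hosts = {urlparse(u).hostname or "" for u in scan.links}
    twitter = any(h == "twitter.com" or h.endswith(".twitter.com") for h in hosts)
    # "Image only": at least one <img> and almost no visible text (assumed cutoff: 40 chars).
    image_only = scan.images >= 1 and len(" ".join(scan.text)) < 40
    return {"twitter_link": twitter, "image_only": image_only,
            "suspicious": twitter and image_only}


# Constructed sample resembling the campaign (fake newspaper image linking to Twitter).
SAMPLE = """From: "Daily Finance" <news@example.invalid>
To: victim@example.invalid
Subject: Local mom earns $5k a month from home
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<a href="http://twitter.com/constructed_account"><img src="cid:article.jpg"></a>
</body></html>
"""

# Constructed benign message with real text and a non-Twitter link, for contrast.
BENIGN = """From: "Colleague" <a@example.invalid>
To: b@example.invalid
Subject: Lunch
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Are we still on for lunch? Here is the menu:
<a href="http://example.invalid/menu">menu</a></p></body></html>
"""
```

A gateway would treat the combined verdict as one signal among others rather than a hard block, since legitimate newsletters also ship image-heavy bodies.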

Nov16
2:21 am (UTC-7)   |   by Jessa De La Torre (Threat Response Engineer)

As Filipinos and Puerto Ricans were busy rooting for their champions in yesterday’s fight, so were cybercriminals who wished to capitalize on the match. Through SEO poisoning, users searching for a live stream of the Pacquiao vs Cotto fight were instead served a FAKEAV variant.


According to Threat Response Engineer Jasper Manuel, search results led to the download of TROJ_FAKEAV.MAN. Clicking the link displays the following image:


Users who are interested in watching Pacquiao’s upcoming fights (i.e., with Mayweather) are advised to stay away from suspicious-looking links. Trend Micro Smart Protection Network™ blocks user access to malicious URLs and detects the said FAKEAV.

********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: November 24, 2009
********************************************************************

Summary
=======

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS08-076 - Important

Bulletin Information:
=====================

* MS08-076 - Important

 - http://www.microsoft.com/technet/security/bulletin/ms08-076.mspx
 - Reason for Revision: V5.0 (November 24, 2009): Added entries to
   the Frequently Asked Questions (FAQ) Related to This Security
   Update section announcing the re-release of this update for
   the Windows XP Embedded operating system. Customers using the
   Windows XP Embedded operating system should install this
   automatically offered security update at the earliest
   opportunity. Customers of all other operating systems who
   have already installed this update do not need to take
   further action.
 - Originally posted: December 9, 2008
 - Updated: November 24, 2009
 - Bulletin Severity Rating: Important
 - Version: 5.0

This Utility Has Zero Business with Your Mailbox


We are monitoring new malicious attacks that look similar to the fake "Microsoft Outlook reconfigure" spam campaign messages we have been observing for the last couple of months. That malicious campaign was followed by attacks on social networking sites, transforming from malicious code attacks into URL-based phishing attacks. These new attacks have similar traits, such as the spoofed “From” headers, which aggressively target and baffle enterprise users, and a subject line that is intended to cause panic (for obvious reasons—have a look at the example image below).


As seen in the message above, the mail attachment is a zipped file named “utility.zip” that extracts an executable detected as Trojan.Dropper by Symantec antivirus. Using HTTP, this threat contacts a known C&C server for Zeus/Zbot in Ukraine. (The Zeus/Zbot family of threats is known to distribute malware using attachments and URLs in spam campaigns.)

These attacks seem to be around in rotation and are intended to confuse users with variations in alert types. Users should not open suspicious attachments because no legitimate site will send an executable to reactivate a mailbox, especially as a zipped file. As observed in the past, these attacks return with URLs instead of attachments in the days following the initial email. Users need to be careful before clicking URLs and/or downloading an application that wrongfully claims to restore/repair/activate their mailbox.

Malicious Java Applet Poses as Carrie Prejean Video


McAfee Labs has observed various spam runs exploiting the recent sensational Carrie Prejean news. The Prejean video is rapidly becoming one of the most searched-for topics ever on the net since the existence of the tape became common knowledge.

Source: Google Trends

Java applets provide everything from interactive features to web applications to advertisements. Since the birth of Java, attackers have exploited its security platform. Attackers are now taking advantage of a feature in Java to social-engineer less tech-savvy Internet users into infecting themselves with malware.

Here’s how an attack works:

  • The bad guys spam a link claiming to be the Carrie Prejean video
  • Then they trick victims into visiting a malicious website, which prompts users into running a Java applet to view the video

The signed applet carries a signature that browsers should verify through a remote, independent certificate-authority server. Once the signature is verified and the user also approves, the signed applet gains more rights, becoming equivalent to an ordinary application. When the applet is injected into a trusted website, users will hardly take the trouble to check whether the certificate is legitimate.

  • At this point, the applet runs in the browser, which in turn downloads a malicious executable that launches itself on the victim’s machine

This approach is very effective for the following reasons:

  • It’s easier to social-engineer users, as many rich multimedia applications use Java
  • Unlike spammed links that contain a cocktail of exploits or a zero-day attack, this approach exploits the applet’s design
  • The attack is independent of browser type and version
  • The attack works on a machine with the latest version of Java, which makes the exploit all the more dangerous

The malicious applet has almost no detection on VirusTotal, but it is detected by McAfee with the current DATs as Exploit-ByteVerify.b. The malicious executable incorporates SMTP functionality that is capable of sending spam and is currently detected as BackDoor-EHP.

We urge users to handle unknown Java applets with caution and make sure any digital signature comes from a trusted authority before executing it.


Nov18
12:48 am (UTC-7)   |   by Erika Mendoza (Threat Response Engineer)

TrendLabs threat analysts found another FAKEAV campaign piggybacking on the Leonid meteor shower and the much-anticipated sequel to the Twilight saga, New Moon. Users searching for news and updates using the keywords “meteor shower tonight november 16 time” and “New Moon premiere live stream” end up with poisoned search results. These results redirect users to fake online scanners, which ultimately lead to the download of a FAKEAV variant detected by Trend Micro as TROJ_FAKEAV.MET.


Upon execution, TROJ_FAKEAV.MET drops malicious files and displays fake warning messages. These messages urge users to buy a bogus antivirus product, Security Tool.


FAKEAV is notorious for capitalizing on hot news and popular searches via SEO poisoning. Hence, users are advised to be wary of suspicious-looking URLs when conducting online searches. Trend Micro protects users from this attack via the Smart Protection Network™ that blocks and detects all related malicious files and URLs.


Nov14
12:30 am (UTC-7)   |   by Nino Penoliar (Anti-spam Research Engineer)

Trend Micro threat analysts received samples of spammed messages purporting to have come from the mobile phone companies Vodafone and Verizon Wireless. The email messages carry the subject “Your credit balance is over its limits” and inform users that their credit balance is due. To review the payments, users are told to use the balance checker tool attached to the email.


When users open the attached .ZIP file, they will not find a balance checker tool but will instead get a malicious file (balancechecker.exe) detected by Trend Micro as TROJ_ZBOT.MYS. TROJ_ZBOT.MYS steals online banking credentials such as usernames and passwords. This stolen information may be used by cybercriminals for other fraudulent activities. It also disables the Windows Firewall and has rootkit capabilities that make detection and removal difficult.

Users are strongly advised not to open any suspicious-looking email, even if it comes from a known source. It is also good practice to verify any email that appears to come from your mobile service provider, to make sure it is legitimate. Trend Micro protects users from this attack via the Trend Micro Smart Protection Network™, which detects and blocks spammed emails and malicious files.
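The “utility.zip” lure in the mailbox-reactivation post and the “balancechecker.exe” lure above share one trait: a ZIP attachment that carries an executable. The following Python example (added here; not Symantec's or Trend Micro's code) builds a constructed message of that shape and shows how a mail gateway could flag it by inspecting ZIP members for an executable extension or an MZ header. The extension list and the fake PE stub are assumptions made for the example.

```python
# Added example: flag ZIP attachments that contain Windows executables.
# The message and the "executable" inside the ZIP are constructed for this demo.
import io
import os
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Assumed list of extensions a mailbox-repair or billing tool would never legitimately use.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}


def executable_members(zip_bytes: bytes) -> list:
    """Return member names that look like executables, by extension or by MZ header."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:
                head = fh.read(2)          # "MZ" marks a DOS/PE executable
            if ext in EXEC_EXT or head == b"MZ":
                found.append(info.filename)
    return found


def scan_message(raw: bytes) -> list:
    """List (attachment name, member) pairs for executables found inside ZIP attachments."""
    msg = message_from_bytes(raw, policy=default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Check the magic bytes too: a renamed ZIP still opens as one on the victim's side.
        if name.lower().endswith(".zip") or data[:2] == b"PK":
            try:
                for member in executable_members(data):
                    hits.append((name, member))
            except zipfile.BadZipFile:
                hits.append((name, "<unreadable zip>"))
    return hits


def build_sample() -> bytes:
    """Construct a lookalike of the 'balance checker' lure: a ZIP holding a fake PE stub.
    The stub is only an MZ header plus padding, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("balancechecker.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"open the checker to review your balance")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Your credit balance is over its limits"
    msg.set_content("Please review the attached balance checker.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="balancechecker.zip")
    return msg.as_bytes()
```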

Nov23
11:24 am (UTC-7)   |   by Menard Osena (Solutions Product Manager)

Trend Micro threat analysts recently unearthed spammed messages that purported to have come from Trend Micro. Impersonating trusted organizations is not an uncommon technique used by cybercriminals when carrying out spam campaigns. In this case, the phishing URL and domain are already inaccessible.

The emails bear the subject, “Malware Blocking Tests put Trend Micro on Top” and inform users about the recent NSS Labs tests. They also describe how NSS Labs conducted the test, which was based on “socially engineered malware.” Ironically, however, the emails were themselves a good example of socially engineered malware.


When the user clicks any of the links within the email, they are redirected to a phishing site, http://l.trndmcro.com/rts/{BLOCKED}.

As mentioned above, the phishing URL and domain are already inaccessible, and Trend Micro Web reputation blocks access to the URL involved. Based on Whois information, the domain was created in September 2009; apart from this, however, no other information on the said domain was available. The attack also employed the so-called “genuine-looking URL” phishing technique, wherein cybercriminals imitate the URL of the target company in order to steal user information.

In such an attack, traditional spam filtering using patterns alone will no longer prove effective. On the other hand, the cloud computing technology used in the Trend Micro Smart Protection Network easily protects users, as it detects and blocks spammed emails and malicious URLs using reputation-based ratings. Readers are advised, as always, to pay close attention to the content of and URLs within emails.
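The “genuine-looking URL” trick above hinges on a domain such as trndmcro.com that is only a couple of characters away from the imitated brand. The Python example below (added here, not Trend Micro's code) applies an edit-distance check between the registrable domain of each URL in a message and an assumed list of protected brand domains; the sample body is constructed and reuses the page's redacted link path as-is.

```python
# Added example: lookalike-domain detection by edit distance against protected brands.
# PROTECTED, the thresholds and the sample body are assumptions for this demo.
import re
from urllib.parse import urlparse

PROTECTED = {"trendmicro.com", "symantec.com", "mcafee.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host. Good enough for .com here; production code
    would consult the Public Suffix List for co.uk-style suffixes."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> str:
    """'legitimate' for the real brand domain, 'lookalike:<brand>' for a near miss
    or a brand name buried in someone else's domain, else 'unrelated'."""
    reg = registrable(host)
    if reg in PROTECTED:
        return "legitimate"
    for brand in PROTECTED:
        brand_label = brand.split(".")[0]
        # Brand used as a subdomain of another domain, e.g. trendmicro.com.example.invalid
        if brand_label in host.lower():
            return f"lookalike:{brand}"
        # Near miss: distance of 1 for short brands, up to len/4 for longer ones (assumed).
        distance = levenshtein(reg.split(".")[0], brand_label)
        if 0 < distance <= max(1, len(brand_label) // 4):
            return f"lookalike:{brand}"
    return "unrelated"


def flag_urls(text: str) -> dict:
    """Map every URL found in the text to its classification."""
    return {u: classify_host(urlparse(u).hostname or "") for u in URL_RE.findall(text)}


# Constructed message body; the first link keeps the page's redacted path verbatim.
SAMPLE_BODY = (
    "Malware Blocking Tests put Trend Micro on Top. Read the NSS Labs report: "
    "http://l.trndmcro.com/rts/{BLOCKED} or visit the real site "
    "http://www.trendmicro.com/ for details."
)
```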

Zero-Day IE Exploit Coming to a Browser Near You


Information regarding another zero-day vulnerability in the Internet Explorer web browser, affecting versions 6 and 7, was published as a proof of concept over the weekend. The vulnerability lies in a missing check when accessing a website’s stylesheet markup information through the “getElementsByTagName” script method. The current PoC exploit uses heap spraying to write the malicious shellcode to memory before triggering the vulnerability. While exploits for this new vulnerability may not yet be in the wild (beyond PoC state), you can be sure that the malware community will be working overtime to ensure reliability and maximum effect. The underground community rapidly turns these proofs of concept into working exploits to add to their Web exploit toolkits, differentiating their product from the competition, especially when there is no patch available from Microsoft to mitigate the risk.

Web exploits continue to be the preferred attack mechanism, with many organisations challenged by managing the number of patches for the browser and associated plug-ins, which makes the browser an effective attack vector for malware authors. We have seen increasingly complex JavaScript mechanisms that attempt to evade detection; please ensure you have appropriate protection against this contemporary attack vector.

Recommendations to disable scripting in your browser may help to protect against this new threat, but doing so simply is not realistic in the Web 2.0 world in which we now browse. McAfee protects its customers against the current PoC exploit, blocking it proactively as “JS/Exploit-BO.gen” in VirusScan and as “BehavesLike.JS.Suspicious.A” at the Web Gateway with McAfee Gateway Anti-Malware.

TITLE:
Internet Explorer Layout Handling Memory Corruption Vulnerability

SECUNIA ADVISORY ID:
SA37448

VERIFY ADVISORY:
http://secunia.com/advisories/37448/

DESCRIPTION:
A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by an error in the layout parsing and can be exploited to corrupt memory by tricking a user into viewing a specially crafted web page.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in IE6 on Windows XP SP2 and IE7 on Windows XP SP3. Other versions may also be affected.

SOLUTION:
Disable support for active scripting for all but trusted websites.

PROVIDED AND/OR DISCOVERED BY:
securitylab.ir

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: November 23, 2009
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (977981)
 - Title: Vulnerability in Internet Explorer Could Allow Remote Code Execution
 - http://www.microsoft.com/technet/security/advisory/977981.mspx
 - Revision Note: Advisory published.


Nov12
9:09 pm (UTC-7)   |   by Jonathan Leopando (Technical Communications)

Third-party security researchers reported that they found a vulnerability in both Windows 7 and Windows Server 2008 Release 2. The said bug exists in the handling of Server Message Block (SMB) packets and can allow malicious users to remotely crash systems if a malformed packet is received by the target system. The crash does not lead to the infamous blue screen of death, however. It merely renders the system unresponsive. Older versions of Windows (e.g., Windows Vista) are not affected by this vulnerability.

Microsoft has not confirmed independent reports. A spokesman said the company was still investigating the issue. Enterprise users are protected by Trend Micro products such as Deep Security and Intrusion Defense Firewall. Trend Micro has issued a security advisory with some more technical details on this vulnerability.

Other users are advised to block the ports used by the SMB protocol and await the official Microsoft response.

Update as of 11:01 P.M. While Microsoft has not confirmed these reports as of this writing, we have verified that Windows 7 is vulnerable.

Update as of November 14, 6:20 A.M. Microsoft has released a security advisory for this vulnerability. Accordingly, the said vulnerability can’t be used to install malicious files and to take control of one’s system. Although the exploit code has been published already, Microsoft said that it hasn’t received any reports of known attacks in the wild. As a workaround, Microsoft advises users to block TCP ports 139 and 445 at the firewall.

Nov23
5:26 am (UTC-7)   |   by Det Caraig (Technical Communications)

Threat researchers have been alerted to the discovery of a new exploit targeting Internet Explorer. Analysts have conducted tests and confirmed that the exploit affects versions 6 and 7 of the browser. Although the exploit is currently unreliable, cybercriminals may be able to create a reliable exploit in the near future. This may allow them to exploit websites and infect visitors. However, an attack may only succeed if hackers lure victims to specially crafted malicious Web pages or compromised websites. The attack also requires JavaScript in order to exploit Internet Explorer.

The exploit targets a vulnerability in how Internet Explorer uses cascading style sheet (CSS) information. Trend Micro detects this exploit as HTML_SHELLCOD.WT and protects users via the Smart Protection Network.

Internet Explorer users are advised to make sure their antivirus definitions are up-to-date. Disabling JavaScript and visiting trusted sites until fixes become available from Microsoft are also suggested.


Zero-Day Internet Explorer Exploit Published


A new exploit targeting Internet Explorer was published to the BugTraq mailing list yesterday. Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7 as well. The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future.  When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors.  For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer.

The exploit targets a vulnerability in the way Internet Explorer uses cascading style sheet (CSS) information. CSS is used in many Web pages to define the presentation of the sites’ content. Symantec currently detects the exploit with the Bloodhound.Exploit.129 antivirus signature and is working on new signatures now. Symantec IPS protection also currently detects this exploit with signatures HTTP Microsoft IE Generic Heap Spray BO and HTTP Malicious Javascript Heap Spray BO. A new IPS signature, HTTP IE Style Heap Spray BO, has also been created for this specific exploit. To minimize the chances of being affected by this issue, Internet Explorer users should ensure their antivirus definitions are up to date, disable JavaScript and only visit Web sites they trust until fixes are available from Microsoft.
