Archive for March 18th, 2008
March 18th, 2008 by Paul Ferguson (Advanced Threats Researcher)

Yes, you read that correctly.
In the ever-changing spam landscape, a Trend Micro customer forwarded this interesting spam to us today [above], a spam informing the recipient that they have been selected (!) to receive funds pursuant to “…payment of the foreign contractor’s debts…” in the form of an ATM payment card.
Apparently spammers are continuing to successfully sucker people into these bogus offers, but this is the first time we’ve seen them use the Google Calendaring system to request a meeting with the recipient.
Obviously, all sorts of Bad Things could result from accepting these offers, adding them to your Google (or other) calendaring system as an appointment, etc., including the possibility of executing malicious code or other malware.
So, as we add these sorts of spams to our blocking databases (as we have done), please be sure to delete any similar ones that you may get in your inbox.
“Fergie”, a.k.a. Paul Ferguson
Network Security Intelligence
Advanced Threats Research
March 18th, 2008 by JM Hipolito (Technical Communications)

Hmmm… Are most cyber criminals named Robert?
Just recently, the “King of Spam” Robert Soloway pleaded guilty to the charges against him, and another Robert, 21-year-old Robert Matthew Bentley of Panama City, Florida, also pleaded guilty to felony charges related to his botnet activities. The US-based hacker, The Register reports, admitted to cashing in thousands of dollars by hacking corporate computers in Europe and turning them into bots.
Robert, who went by the codename LSDigital, worked with other hackers to install customized tools on hundreds of Newell Rubbermaid’s computers. The company reportedly sustained at least $150,000 worth of damage because the malware caused network shares to stop functioning due to too much traffic on the company’s servers.
Bentley’s arrest and prosecution were part of the FBI’s project called Operation Bot Roast, created to crack down on botnet crime. He is among the first eight bot herders identified and later prosecuted through the efforts of the said FBI initiative.
Despite possibly facing a maximum of 20 years in prison and a fine of $500,000 for charges against him, Bentley is said to qualify for “the granting of relief” if he provides assistance in the investigation and prosecution of other individuals related to botnet activities.
This project by the FBI is a considerably large step toward showing cyber criminals that they should be wary of their actions, as the long arm of the law has now extended into the cyberworld.
March 18th, 2008 by JM Hipolito (Technical Communications)

The man who has reportedly raked in $300,000 from spam operations pleaded guilty to charges of fraud and tax evasion last Friday, PC World reports.
Aptly dubbed “King of Spam” by authorities, Robert Soloway was arrested in May 2007 by the US Justice Department. He had previously been found guilty of other spam charges including one where he was fined US$7.8 million in a civil case against Microsoft, which he reportedly refused to pay.
Soloway’s sentence is set for June 20. InformationWeek states that his sentence is likely to come from his mail fraud offense, email fraud, and failure to file a tax return. The three offenses are said to be punishable by up to twenty years, five years, and one year, respectively.
Authorities are presenting this prosecution as a warning to other spammers still continuing with their illegal activities. As Assistant United States Attorney Kathryn Warma puts it, “We’ve only just begun.”
March 18th, 2008 by Jovi Umawing (Technical Communications)

The Associated Press and CNet News reported earlier this week a data intrusion at Hannaford Bros., a supermarket chain based in Portland, Maine, in which 4.2 million accounts had been stolen. The company has already issued a letter of apology to its clients, which is available under the News & Events header on its official Web site.
Although the number of victims is indeed baffling, the company assured that no personal information about its clients was actually stolen or exposed to the public, only the numbers and expiration dates of their credit and debit cards. Ron Hodge, President and CEO of Hannaford, further stated in the letter that “(the) intrusion affected (165) Hannaford stores, (106) Sweetbay stores in Florida and certain independently-owned retail locations in the Northeast that carry Hannaford products.” They are now working closely with the U.S. Secret Service to apprehend the culprit(s).
Initial investigations revealed that the Hannaford data breach was the end result of a 4-month-long continuous intrusion into the company that began early December last year and ended just last March 10. Hannaford only realized unusual credit card activities late last month. As of this writing, investigations are still ongoing.
Hannaford patrons are warned to keep a close eye on their card statements and advised to immediately inform authorities of unusual transactions once found. Fraudsters and identity thieves are known to coax personal information out of victims in the form of phone calls and email messages. The company warned its clients to be wary of such activities as well.
March 18th, 2008 by Loucif Kharouni (Threats Analyst)
Yesterday, while checking the personal spam emails I received today, I got interested in a certain email asking me to watch adult pictures by clicking on the picture:

Once you click on the picture, it is linked to hxxp://rusdiam.com/1.exe, which is a malicious file now detected as TROJ_AGENT.HRC.
Once I had this file, I was curious again to know what was on the main page of this website.
I just typed hxxp://rusdiam.com into my browser and got really infected by a succession of malware loading in memory. The website is no longer available.
I decided to take a closer look at the main page’s source, which contains 2 scripts sending you to 2 different URLs:

I then investigated those 2 URLs as a start.
From the URL hxxp://buytraffic.cn/in.cgi?11 I was able to get a file named count.php containing a script sending you to:
hxxp://193.109.163.179/exp/getexe.php?status=1&ip=81.249.55.218&os=6&browsers=1&country=FR&ref=buytraffic.cn
From this link, you get a file with a random name update04xxxx.exe, where xxxx is a random number. This link is also collecting some other information for statistics purposes; as you can see, there is the IP address I’m using for my testing, and it is also getting the browser in use, the language and the OS in use.
After having worked on this case and some others before, I’m used to playing with the URLs and double-checking if I’m missing something else.
So, as usual, I played with the URL
hxxp://193.109.163.179/exp/getexe.php?status=1&ip=81.249.55.218&os=6&browsers=1&country=FR&ref=buytraffic.cn
My first attempt was the following:
hxxp://193.109.163.179/exp/getexe.php?
In this attempt I was also prompted to download a file named update04xxxx.exe. This finding made me more curious and interested in investigating further.
My second attempt was then to play with it again as follows:
hxxp://193.109.163.179/exp/

As you might be, I was surprised to end up here: in the folder where everything is hosted, such as the malicious pages, the malicious file, the statistics webpage, and a folder full of scripts.
I was also surprised when I tried to look for the malicious file; I found just 1 file named file.exe, and every time you try to download the file via getexe.php, it forces you to download the file “file.exe” but renamed each time.
The most interesting thing here, besides this, is the stats link. Once you click on it, a web console is displayed as follows:
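As an added defender's example (not code from this post or from Trend Micro), the following Python flags proxy-log lines that match the chain the post describes: in.cgi to count.php to getexe.php carrying ip/os/browsers/country/ref parameters, followed by a randomised update04xxxx.exe download. The log layout, the sample lines and the 10.0.0.x clients are constructed assumptions; the hosts and paths are the ones the post reports.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters the getexe.php stage on the page uses to profile the visitor.
PROFILING_PARAMS = {"ip", "os", "browsers", "country", "ref"}
# Download name pattern from the page: "update04" plus a random number, ".exe".
RANDOM_EXE = re.compile(r"^update04\d+\.exe$", re.IGNORECASE)
# Stages of the redirect chain in the order the page describes them.
CHAIN_STAGES = ("in.cgi", "count.php", "getexe.php")

# Assumed log layout (not any real proxy's format): client [time] "METHOD URL" status filename
LOG_LINE = re.compile(r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)" (?P<status>\d{3}) (?P<fname>\S*)$')

# Constructed sample lines; hosts and paths are the ones the post reports, clients are made up.
SAMPLE_LOG = [
    '10.0.0.5 [18/Mar/2008:10:01:02] "GET http://buytraffic.cn/in.cgi?11" 302 -',
    '10.0.0.5 [18/Mar/2008:10:01:03] "GET http://193.109.163.179/exp/count.php" 200 -',
    '10.0.0.5 [18/Mar/2008:10:01:04] "GET http://193.109.163.179/exp/getexe.php'
    '?status=1&ip=10.0.0.5&os=6&browsers=1&country=FR&ref=buytraffic.cn" 200 update041234.exe',
    '10.0.0.9 [18/Mar/2008:10:02:00] "GET http://example.invalid/index.html" 200 -',
]

def classify(line):
    """Return the reasons a single line looks like this chain; [] when it looks clean."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    url = urlsplit(m["url"])
    params = set(parse_qs(url.query, keep_blank_values=True))
    reasons = []
    # An executable-serving script whose query string carries several victim-profiling keys.
    if url.path.endswith("/getexe.php") and len(params & PROFILING_PARAMS) >= 3:
        reasons.append("profiling query on executable-serving script")
    # The served file name follows the randomised update04xxxx.exe pattern.
    if RANDOM_EXE.match(m["fname"]):
        reasons.append("randomised update04xxxx.exe download name")
    return reasons

def chain_by_client(lines):
    """Map each client that hit two or more chain stages to the stages it touched, in order."""
    seen = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue
        path = urlsplit(m["url"]).path
        for stage in CHAIN_STAGES:
            if path.endswith("/" + stage):
                seen.setdefault(m["client"], []).append(stage)
    return {c: s for c, s in seen.items() if len(set(s)) >= 2}
```

Run `chain_by_client(SAMPLE_LOG)` to see which clients walked the whole chain, and `classify` per line to see why a given request was flagged.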

You are now on a NoName Pack administration console. So now the deal is to log in.
I just tried a weak login/password and I got in:


As you can see, you can find the browser, the OS in use and also the country and the referrer, meaning where you came from. I tried a few websites stated there and got fully loaded with malware; here is a small list from 1 website:
2.dllb [PAK_Generic.001]
b138.exe [TROJ_DLOADER.HBK]
BraveSentry\BraveSentry.exe [ADW_BRAVESENTR.N]
BraveSentry\BraveSentry0.dll [ADW_BRAVESENTR.N]
BraveSentry\BraveSentry2.dll [ADW_BRAVESENTR.N]
BraveSentry\BraveSentry3.dll [ADW_BRAVESENTR.N]
BraveSentry\Uninstall.exe [SPYW_BRAVSENT.A]
diperto70a0-3d69.sys [RTKT_NUWAR.UY]
dllgh8jkd1q2.exe [PAK_Generic.001]
JavaCore\JavaCore.exe [ADW_INSIDER]
maxpaynow.game [TROJ_TINY.FB]
maxpaynowti.exe [DIAL_RAS.JS]
maxpaynowti.game [DIAL_RAS.JS]
NoDNS\NoDNS.exe [TROJ_CLICKER.WI]
nvcoi\nvcoi.exe [TROJ_AGENT.SQK]
shift.exe.exe [WORM_NUWAR.AR]
toolbar.exe [TROJ_Generic]
v3xd1.g22me [TROJ_SMALL.BC]
v4xd3.ga2me [PAK_Generic.001]
v4xd6.gam5e [PAK_Generic.005]
v6xdt4.game [WORM_NUCRYPT.GEN]
vedxg3am1et3.exe [WORM_NUCRYPT.GEN]
vedxga4me1.exe [TROJ_SMALL.BC]
vx1dt3.game [WORM_NUCRYPT.GEN]
xpupdate.exe [PAK_Generic.001]
As you may notice, it installs on you a rogue antivirus product named Brave Sentry.