Wednesday, January 26, 2011

Spamvertised "Your password has been stolen!" Malware Campaign Circulating

A currently ongoing spamvertised campaign, attempts to impersonate the most popular social networking site, Facebook.

Using a well proven "Your password has been stolen!" theme, the campaign entices the end user into downloading and executing the malware. Social engineering-driven campaigns targeting Facebook, remain among the popular malware campaign spreading techniques due to the ease of execution.

Subject: Facebook Support. Your password has been stolen! ID50888
Message: Good afternoon.

A Spam is sent from your FaceBook account.

Your password has been changed for safety. Information regarding your account and a new password is attached to the letter.Read this information thoroughly and change the password to complicated one. Please do not reply to this email, it's automatic mail notification! Thank you for your attention. Your Facebook!

Spamvertised filedname: Facebook_details_ID76803.zip (32,458 bytes)

Detecrion rate:
Facebook_details.exe - Trojan-Downloader:W32/Koobface.HV - 12/ 43 (27.9%)
MD5   : f0e7a8c264fe14562ca8ac98abb35840
SHA1  : f68d15e66590c69ac75c46a09ae495be8bbf231f
SHA256: 3ca757bfdecbee20ec10d5af770700041f4bc1b17ee3123f4d85acfd19e1bb74

Upon execution, the sample phones back to:
Phones back to:
interviewbuy.ru /forum/document.doc
interviewbuy.ru /forum/load.php?file=0
interviewbuy.ru /forum/load.php?file=1
interviewbuy.ru /forum/load.php?file=2
interviewbuy.ru /forum/load.php?file=3
interviewbuy.ru /forum/load.php?file=4
interviewbuy.ru /forum/load.php?file=5
interviewbuy.ru /forum/load.php?file=6
interviewbuy.ru /forum/load.php?file=7
interviewbuy.ru /forum/load.php?file=8
interviewbuy.ru /forum/load.php?file=9
interviewbuy.ru /forum/load.php?file=ftpgrabber
interviewbuy.ru /forum/load.php?file=pokergrabber

interviewbuy.ru - 91.204.48.96 (AS24965); 124.217.248.229 (AS45839) Email: servman1976@yandex.ru

ZeuS crimeware activity at AS24965 (SPOINT-AS S.Point LTD) as well as SpyEye malicious activity is also observed.

This post has been reproduced from Dancho Danchev's blog.
- No comments:

Saturday, January 22, 2011

Top Ten Must-Read Posts at ZDNet's Zero Day for 2010


01. Seven myths about zero day vulnerabilities debunked
02. Should a targeted country strike back at the cyber attackers?
03. 5 reasons why the proposed ID scheme for Internet users is a bad idea
04. Hotmail's new security features vs Gmail's old security features
05. Attack of the Opt-In Botnets
06. From Russia with (objective) spam stats
07. The current state of the crimeware threat - Q&A
08. Mac OS X SMS ransomware - hype or real threat?
09. 10 things you didn't know about the Koobface gang
10. Google-China cyber espionage saga - FAQ

This post has been reproduced from Dancho Danchev's blog.
- No comments:

Friday, January 21, 2011

Top Ten Must-Read DDanchev Posts For 2010

01. How the Koobface Gang Monetizes Mac OS X Traffic
02.  AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181
03. The DNS Infrastructure of the Money Mule Recruitment Ecosystem
04. The Avalanche Botnet and the TROYAK-AS Connection
05. Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
06. Sampling Malicious Activity Inside Cybercrime-Friendly Search Engines
07. GazTransitStroy/GazTranZitStroy: From Scareware to Zeus Crimeware and Client-Side Exploits
08. Dissecting Northwestern Bank's Client-Side Exploits Serving Site Compromise
09. U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise
10. TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Malicious Ad

This post has been reproduced from Dancho Danchev's blog.
- No comments:

Saturday, September 11, 2010

Summarizing 3 Years of Research Into Cyber Jihad


From the "been there, actively researched that" department.
  1. Tracking Down Internet Terrorist Propaganda
  2. Arabic Extremist Group Forum Messages' Characteristics
  3. Cyber Terrorism Communications and Propaganda
  4. A Cost-Benefit Analysis of Cyber Terrorism
  5. Current State of Internet Jihad
  6. Analysis of the Technical Mujahid - Issue One
  7. Full List of Hezbollah's Internet Sites
  8. Steganography and Cyber Terrorism Communications
  9. Hezbollah's DNS Service Providers from 1998 to 2006
  10. Mujahideen Secrets Encryption Tool
  11. Analyses of Cyber Jihadist Forums and Blogs
  12. Cyber Traps for Wannabe Jihadists
  13. Inshallahshaheed - Come Out, Come Out Wherever You Are
  14. GIMF Switching Blogs
  15. GIMF Now Permanently Shut Down
  16. GIMF - "We Will Remain"
  17. Wisdom of the Anti Cyber Jihadist Crowd
  18. Cyber Jihadist Blogs Switching Locations Again
  19. Electronic Jihad v3.0 - What Cyber Jihad Isn't
  20. Electronic Jihad's Targets List
  21. Teaching Cyber Jihadists How to Hack
  22. A Botnet of Infected Terrorists?
  23. Infecting Terrorist Suspects with Malware
  24. The Dark Web and Cyber Jihad
  25. Cyber Jihadist Hacking Teams
  26. Two Cyber Jihadist Blogs Now Offline
  27. Characteristics of Islamist Websites
  28. Cyber Traps for Wannabe Jihadists
  29. Mujahideen Secrets Encryption Tool
  30. An Analysis of the Technical Mujahid - Issue Two
  31. Terrorist Groups' Brand Identities
  32. A List of Terrorists' Blogs
  33. Jihadists' Anonymous Internet Surfing Preferences
  34. Sampling Jihadists' IPs
  35. Cyber Jihadists' and TOR
  36. A Cyber Jihadist DoS Tool
  37. GIMF Now Permanently Shut Down
  38. Mujahideen Secrets 2 Encryption Tool Released
  39. Terror on the Internet - Conflict of Interest
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
- No comments:

Wednesday, September 08, 2010

Historical OSINT: Celebrities Death, Fedex Invoices, Office-Themed Malware Campaigns

As promised, this would be a pretty short historical OSINT post -- catching up is in progress -- detailing the structure of several campaigns that took place throughout July-August, 2010, and (as always) try to emphasize on the connection with historical malware campaigns profiled on my personal blog.

Campaigns of notice include: spamvertised "Celebrities death-themed emails", "Fedex shipment status themed invoices", and "Office-themed documents".

Sample subjects:
Angelina Jolie died; Gwen Stefani died; Oprah Winfrey died; Tom Cruise died; Application; Thursday Journal Club; End Of Rotation; Abstracts; Project Declaration; Residency Happy Hour: SOP_POLICIES; Fwd: Updated Journal Club Handout

Sample attachments:
journal club articles.zip; Rotation Input Sheet.zip; ppi and c dif.zip; MSpeck.zip; ResidencyPrep.zip; speck Case presentation draft.zip; journal club template.zip

Detection rates, phone back URLs, and connections with previously profiled campaigns:
- news.exe - Trojan.Bredolab-993 - 40/ 43 (93.0%)
MD5: 44522def7cf2a42aa26f59c2ac4ced58
SHA1: 2f60531b6e33d842eba505f3c3cb81a3ff6e3e6a

- journal club articles.exe - Backdoor/Bredolab.edb - 41/ 43 (95.3%)
MD5: 72e90fd1264e731109d1b6b977b2c744
SHA1: 0a36b882d1b4d8b42cc466ec286e95bbb2e77d49

Upon execution, the samples phone back to:
188.65.74.161 /mrmun_sgjlgdsjrthrtwg.exe - AS42473 - DOWN
194.28.112.3 /outlook.exe - AS48691 - ACTIVE

- outlook.exe - TrojanSpy:Win32/Fitmu.A - 17/ 43 (39.5%)
MD5: 8f4eca49b87e36daae14b8549071dece
SHA1: 1d390e9f8d6e744ead58dd6c424581419f732498

Upon execution, the dropped sample phones back to:
cuscuss.com - 188.65.74.164 - Email: info@blackry.com


Responding to 188.65.74.164 at AS42473 are also:
wiggete.com - Email: info@blackry.com
depenam.com - Email: info@blackry.com
fishum.com - Email: info@blackry.com
blackry.com - Email: info@blackry.com

Two of the domains are know to have been serving client-side exploits, but the redirection is currently returning an error "Connect to 188.40.232.254 on port 80 ... failed".

- depenam .com/count22.php
- blackry .com/count21.php
    - vseohuenno .com/trans/b3/ - 188.40.232.254 - Email: latertrans@gmail.com

Responding to 188.40.232.254, AS24940 are also the following command and control, client-side exploit serving domains:
gurgamer.com - (New IP: 86.155.172.30) Email: latertrans@gmail.com
moneybeerers.com - Email: latertrans@gmail.com
daeshnew.com - (New IP: 86.145.158.90) Email: latertrans@gmail.com
volosatyhren.com - Email: latertrans@gmail.com
vyebyvglaz.com - Email: latertrans@gmail.com
---------------------------------------------------------------------------------

- FedexInvoice_EE776129.exe - Win32/Oficla.LK - 41/ 43 (95.3%)
MD5: d4e2875127f5cbdf797de7f1417f96a7
SHA1: c2df8d8c178142ba7bee48dbf9a9f68c32a14f5e

Upon execution, the sample phones back to:
ilovelasvegas .ru/web/St/bb.php?v=200&id=636608811&b=24augNEW&tm= - 109.196.134.44, AS39150 - Email: vadim.rinatovich@yandex.ru with x5vsm5.ru - Email: vadim.rinatovich@yandex.ru also parked there.

Where do we know the vadim.rinatovich@yandex.ru email from? From two previously profiled campaigns "Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns"; and "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign" having a direct relationship with the Asprox botnet.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
- No comments:

Friday, August 13, 2010

Dissecting a Scareware-Serving Black Hat SEO Campaign Using Compromised .NL/.CH Sites

This summary is not available. Please click here to view the post.
- No comments:
Subscribe to: Comments (Atom)