Friday, September 25, 2009

Bogus MS Update

We have been receiving bogus emails claiming to come from Microsoft:

...public distribution of this Update through the official website » would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all users Microsoft Windows OS.
as the computer set to receive notifications when new updates are available, which you have received this notice.

We have seen emails containing one of the following links:

They seem to be compromised websites being used by the bad guys in order to facilitate this attack.

The page default.html from hxxp:// uses a refresh-type redirect to this URL:

The page microsoftupdate.html from and 0xc0.0xdc.0x6e.0xe4 both execute another refresh-type redirect in order to download Zeus malware with the filename update09.exe.

Interestingly enough, this attack uses 0xc0.0xdc.0x6e.0xe4, an IPv4 address written in dotted-hexadecimal notation, to serve the malware. This IP address translates to, which in turn resolves to, another possibly compromised website used in this attack.
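The refresh-redirect chain and the dotted-hex host described above, as an added example for analysts (not code from the original post): it walks meta-refresh hops through an offline, constructed map of pages and normalizes obfuscated IPv4 literals (dotted hex or legacy octal) so they can be matched against ordinary dotted-decimal blocklists. The compromised.example host and the page bodies are constructed stand-ins; only the 0xc0.0xdc.0x6e.0xe4 address and the default.html / microsoftupdate.html / update09.exe names come from the post.

```python
import re
from urllib.parse import urlsplit

PAGES = {  # constructed stand-ins; "compromised.example" is a placeholder for the elided real site
    "hxxp://compromised.example/default.html":
        '<meta http-equiv="refresh" content="0; url=hxxp://0xc0.0xdc.0x6e.0xe4/microsoftupdate.html">',
    "hxxp://0xc0.0xdc.0x6e.0xe4/microsoftupdate.html":
        "<meta content='2;URL=hxxp://0xc0.0xdc.0x6e.0xe4/update09.exe' http-equiv='Refresh'>",
}

META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
HTTP_EQUIV = re.compile(r"http-equiv\s*=\s*[\"']?\s*refresh", re.I)
CONTENT = re.compile(r"content\s*=\s*[\"']?\s*\d+\s*;\s*url\s*=\s*[\"']?([^\"'>\s]+)", re.I)

def meta_refresh_target(html):
    """URL of the first <meta http-equiv=refresh> tag, or None; attribute order does not matter."""
    for tag in META_TAG.finditer(html):
        m = CONTENT.search(tag.group(0)) if HTTP_EQUIV.search(tag.group(0)) else None
        if m:
            return m.group(1)
    return None

def follow_refresh_chain(start_url, pages, max_hops=5):
    """Walk meta-refresh hops through an offline url->html map; stop on a loop or an unknown page."""
    chain = [start_url]
    for _ in range(max_hops):
        nxt = meta_refresh_target(pages.get(chain[-1], ""))
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain

def normalize_ip(host):
    """Dotted-hex / dotted-octal / decimal IPv4 literal -> dotted decimal; None if not an IPv4 literal."""
    octets = []
    for tok in host.split("."):
        try:  # int(tok, 0) rejects legacy octal such as "0300", so choose the base by hand
            base = 16 if tok.lower().startswith("0x") else 8 if len(tok) > 1 and tok[0] == "0" else 10
            octets.append(int(tok, base))
        except ValueError:
            return None
        if not 0 <= octets[-1] <= 255:
            return None
    return ".".join(map(str, octets)) if len(octets) == 4 else None

def landing_host(chain):
    """Host of the last hop, in dotted decimal when it was an obfuscated IPv4 literal."""
    host = urlsplit(chain[-1]).hostname or ""
    return normalize_ip(host) or host
```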

The presence of the following files/folders may indicate signs of infection:

More here.

Tuesday, September 22, 2009

Another Shameless SEO based on Atlanta Flooding

Users Googling "Atlanta flood pictures" are served yet another SEO attack, this one using a possibly compromised legitimate Australian website for restaurants in the famous Bondi area.

Here's a screenshot of a Google search result:

A Fiddler capture shows us the redirections:

So we go from

An installer named Soft_207.exe, a variant of the Total Security family of fake AVs, is then offered for download.

At the moment, the following domains have been observed in this attack:


These domains resolve to the following IP addresses:

But knowing the trend in scareware, there could be heaps more domains being created as we speak.

Friday, September 18, 2009

Koobface on the Move, Serving Scareware!!

We have been seeing a lot of new movement on the Koobface front lately.


As Koobface-serving domains are taken down as soon as the good guys discover them, the bad guys respond by registering new ones. At the moment, their C&C server is hosted in China with IP address

The bad guys are still using a fake Facebook website, as well as posing as a fake codec, in order to distribute Koobface.


Clicking anywhere on the page presents us with a file named setup.exe. Here are some of the IPs being used to distribute Koobface:


The JavaScript component used by Koobface remains basically the same as before.

And as before, Koobface is still serving up scareware. From time to time, users are presented with a "My Computer" online scan, going through these domains:



In some instances, we also get these warnings:


At the moment, these warnings are serving Internet Antivirus Pro.

Koobface has been going at it, and here's another one that spoofs YouTube and serves Koobface malware as a fake codec: