Friday, January 22, 2010

Social Engineering Tactics Promote "Miracle" Berries

I received an unlikely Yahoo! IM from a long time friend with whom I have not been in contact with for quite a long time.

Af first I thought, wow this would be a good time to catch up.

She buzzed me and asked me if I was busy, then gave me a URL to try out very quickly and tell her what the results tell me.

Well, here's the screenshot:


The link was: hxxp://freakyloverresults.com

At this time I was already suspicious about the whole thing. So I tried out the link in a controlled environment. There were a series of redirections and my browser was redirected to:

hxxp://www.acaipowermax.com


It seems that whoever I was talking to was not my friend (possibly a bot). She might have been a victim of a phishing scam, and her Yahoo! IM account was being used as part of this social engineering tactic in order execute the Acai Berry spam which has been bugging people for ages.

This one was a bit harmless as the whole exercise was just another form of spam. But as always, I would like to remind everyone to be careful of clicking links, even if they come from people you know.
Posted by at 2 comments:
Labels: , , , ,

Monday, December 7, 2009

Fake codec used by porn site

Here's another porn site distributing malware under the guise of video codecs:

hxxp://adultsvideo.cn/

Unsuspecting users wanting to view the adult videos are tricked into downloading and installing the fake codec.

The fake codec can be downloaded from this url:

hxxp://freebigutilites.com/ActiveX-Video-Codec.45092.exe

The server spits out files that have different MD5s each time.

ThreatExpert report here

Update:

Here's another site that purports to host "Free Full Lenght Movie" porn clips and uses fake video codecs in order to lure unsuspecting users into downloading and installing their rogue antivirus software:

hxxp://freeanalsextubemovies.com/video1483/porn/

Clicking anywhere on the video screen area gives us the following link to a file named video.exe:

hxxp://homeamateurclips.com/video/video.exe

Which is a fake antivirus software under the Security Tool family of Fake AVs.
Posted by at No comments:
Labels: , , , , , , , , , , ,

Tuesday, November 3, 2009

MaCatte scareware fools users by masquerading as McAfee

rogue2

MaCatte Antivirus is a rogue av that attempts to impersonate McAfee scanners in order to scam users.

This scareware has been seen to be using a bogus My Computer online scan similar to ones we've seen here, here and here.

rogue6

The online scan can be seen on this url:

hxxp://proscan5.info/25/26-088wLzQzL1EzL==

The downloader being served from this url is time-sensitive and will not work after a period of time. A session ID of some sort is embedded on the binary executable itself. After such time has elapsed, the downloader tells the user to contact MaCatte Antivirus support people. This prevents reverse-engineers from replicating the infection and gathering samples for analysis.

Presence of these files / folders would signal infection from this scareware:
C:\Documents and Settings\All Users\Application Data\msca
C:\Documents and Settings\All Users\Application Data\msca\MaCatte.ico
C:\Documents and Settings\All Users\Application Data\msca\mcull.exe
C:\Documents and Settings\All Users\Application Data\msca\msc.exe
C:\Documents and Settings\All Users\Application Data\msca\Viruses.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Media\WPtect.dll
C:\Documents and Settings\All Users\Desktop\MaCatte.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte\MaCatte.lnk

Unsuspecting users are set back from their hard-earned money by a hefty $99.

Stay away from these rogue apps.
Posted by at 2 comments:
Labels: , , , , , , , , ,

Wednesday, October 21, 2009

Sysinternals Releases Disk2vhd v1.0

Sysinternals has recently released Disk2vhd that "simplifies the migration of physical systems into virtual machines (p2v)."

Disk2vhd is a utility that creates VHD (Virtual Hard Disk - Microsoft’s Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs)


More here.
Posted by at No comments:
Labels: , , , , ,

Thursday, October 15, 2009

Sysguard / Winifighter Clones

Here are some screenshots of the members of this scareware family:

[gickr.com]_6c803672-8a5f-25e4-5109-31b55ebdf362

Beware of these rouge apps.
Posted by at No comments:
Labels: , , , , , , , ,

Tuesday, October 13, 2009

Winifighter Clone: TrustFighter

RogueAntiSpyware.Winifighter_TrustFighter6

Another scareware has been spotted in the wild and it calls itself TrustFighter. This is a recent addition to the Winifighter family of scareware.

Same as other members of this family of scareware, as in a previous post, TrustFighter creates heaps of junk binary files in the %systemroot% and %system% directories.

Sample junk files are the following:

%systemroot%\51c0vzr24975.dll
%systemroot%\51cbthreatz1991.ocx
%systemroot%\524699py69fz.bin
%systemroot%\525z1vi9us4e4.cpl
%systemroot%\5294viz115.exe
%systemroot%\5eddaddwar9167z.dll
%systemroot%\5ezast95l495.dll
%systemroot%\5ezdaddware2359.cpl
%systemroot%\5z09s9yware545.cpl
%systemroot%\5z56th5eat19149.bin
%systemroot%\5z85thief22759.cpl
%systemroot%\5z99addware2835.ocx
%systemroot%\5z9bba5kdoor525.dll
%systemroot%\5z9cth5ef13559.cpl
%systemroot%\5zfdaddware950.bin
%systemroot%\5zfesparse709.exe
%systemroot%\6169th5zf99.ocx
%systemroot%\6210spywa5e192z.ocx
%system%\1905szea51146.cpl
%system%\190979iru57z7.ocx
%system%\190cszywa591879.exe
%system%\19105vizus1c.bin
%system%\19179virusz65.ocx
%system%\1930thief97z5.cpl
%system%\19559spamboz6bb.ocx
%system%\1958stezl2595.cpl
%system%\195b5hreat39894z.exe
%system%\19645worm7zd.exe
%system%\1969spz715.bin
%system%\1977zhacktool54d.cpl
%system%\19792troz5aa.bin
%system%\1987th5z92904.cpl

Here are some domains participating in this campain:

securityannounce(dot)com
securityadjust(dot)com
bestmalwaredetect(dot)com
pcprotectzone(dot)com
trustfighter(dot)com

Unsuspecting users get set back by $49.95 from their hard-earned money.
Posted by at No comments:
Labels: , , , , , , , , , , , ,

Friday, September 25, 2009

Bogus MS Update

We have been receiving bogus emails claiming to be coming from Microsoft:

...public distribution of this Update through the official website »www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all users Microsoft Windows OS.
as the computer set to receive notifications when new updates are available, which you have received this notice.

We have seen emails containing one of the following links:
hxxp://www2.sinel.com/microsoftupdate.html
hxxp://mail1.e-corecorporation.com/default.htm

They seem to be compromized websites being used by the bad guys in order to facilitate this attack.

The page default.html from hxxp://mail1.e-corecorporation.com/default.htm uses a refresh-type redirect to this url:
hxxp://0xc0.0xdc.0x6e.0xe4/microsoftupdate.html

The page microsoftupdate.html from sinel.com and 0xc0.0xdc.0x6e.0xe4 both execute another refresh-type redirect in order to download a Zeus malware with filename update09.exe.

Interestingly enough, this attack uses 0xc0.0xdc.0x6e.0xe4 to serve the malware. This IP-address translates to 192.220.110.228, which in turn resolves to summit102.summitdesign.net, another possibly compromised website used in this attack.

The presence of the following files/folders may indicate signs of infection:
%System%\sdra64.exe
%Temp%\tmp.exe
%System%\lowsec\

More here.
Posted by at No comments:
Labels: , , , , , , , , , , ,
Subscribe to: Comments (Atom)