Archive for the ‘Trojan’ Category

Tertwit? or Twitter Tweet Links Redirect to Koobface

Friday, August 7th, 2009

koob-Face or ter-Twit? The ongoing abuse of Twitter feeds by malware distributors continues to net more social networking victims. As always, be wary of any executable you are prompted to download and run. Currently, malicious tweets reading “My home video :) ” or “cool video! WOW!” link through redirectors to a set of spoofed social network pages. The malicious pages prompt visiting users to install a plugin, “Flash player upgrade required”. An example here:

The malicious Koobface worm that ThreatFire has been preventing on desktops is served from this site under the name “setup.exe”. Interestingly, a number of the IP addresses serving Koobface have also been in use by Waledac distributors.

The ThreatFire community has been reporting Koobface being served from multiple web servers today, with fairly heavy Koobface volume from web servers hosted on these IP addresses:
24.99.76.139
68.190.49.24
76.127.120.44
81.108.192.83
91.121.135.189
199.0.205.28
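Turning the indicators above into a check, as an added example that is not ThreatFire's code: a small Node.js scanner that parses proxy log lines, flags any request to one of the listed addresses and, generalizing the “setup.exe from one of these servers” observation, flags any executable fetched from a bare-IP host. The log format (timestamp, client, method, URL, status, bytes) and the sample lines are constructed for the example; adapt the parser to your proxy's real format.

```javascript
// Added example, not ThreatFire's code: match proxy log lines against the
// Koobface indicators from this post. Log format and sample lines are
// constructed for illustration.

// IP addresses reported in the post as serving Koobface.
const KOOBFACE_IPS = new Set([
  '24.99.76.139', '68.190.49.24', '76.127.120.44',
  '81.108.192.83', '91.121.135.189', '199.0.205.28',
]);

const BARE_IPV4 = /^\d{1,3}(?:\.\d{1,3}){3}$/;

// Constructed format: timestamp client method url status bytes
function parseProxyLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 6) return null;
  const [ts, client, method, url, status, bytes] = f;
  // Skip CONNECT tunnels and anything that is not an absolute http(s) URL.
  if (!/^https?:\/\//i.test(url)) return null;
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  return { ts, client, method, url, status: Number(status), bytes: Number(bytes),
           host: u.hostname, path: u.pathname };
}

// Reasons a request is suspicious; empty array when nothing matched.
function classify(rec) {
  const reasons = [];
  if (KOOBFACE_IPS.has(rec.host)) reasons.push('known Koobface server');
  const file = rec.path.split('/').pop().toLowerCase();
  // Generalization of the setup.exe observation (my heuristic, not the post's):
  // a browser fetching an .exe straight from a bare IP address is rarely
  // legitimate software delivery.
  if (BARE_IPV4.test(rec.host) && file.endsWith('.exe')) {
    reasons.push('executable fetched from bare-IP host');
  }
  return reasons;
}

// Returns one hit per suspicious request, with every reason that applied.
function scan(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    const rec = parseProxyLine(line);
    if (!rec) continue;
    const reasons = classify(rec);
    if (reasons.length) hits.push({ client: rec.client, url: rec.url, reasons });
  }
  return hits;
}

// Constructed sample log, not real traffic. 198.51.100.7 is a documentation address.
const SAMPLE_LOG = `
2009-08-07T10:12:03Z 10.0.0.21 GET http://91.121.135.189/setup.exe 200 143360
2009-08-07T10:12:05Z 10.0.0.21 GET http://www.example.com/index.html 200 5120
2009-08-07T10:13:40Z 10.0.0.33 GET http://198.51.100.7/update/setup.exe 200 131072
2009-08-07T10:14:01Z 10.0.0.33 GET http://24.99.76.139/fb.php 200 2048
2009-08-07T10:15:22Z 10.0.0.40 CONNECT www.example.org:443 200 0
`;

for (const hit of scan(SAMPLE_LOG)) {
  console.log(hit.client, hit.url, hit.reasons.join('; '));
}
```

Against the sample log this reports three requests: the setup.exe download from 91.121.135.189 (both reasons), the setup.exe fetched from the unlisted bare IP (heuristic only), and the fb.php request to 24.99.76.139 (listed address only). Residential-looking addresses in an indicator list change often, so treat the IP match as a point-in-time indicator and the bare-IP executable heuristic as the more durable check.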

Update: Thankfully, as the malware distributors have changed some of their tweet tactics, their web server at kukuruku-290709. com has been pulled out from under them. Here is an example portion of the JavaScript (mods mine) hosted on the redirect pages. It examines the query string of the URL the victim arrived with and, based on a list of extremely popular social networking sites, redirects them to a matching spoofed page:

// KROTEG
var abc1 = 'hxxp://kukuruku-290709. com/go/';
var abc2 = 'hxxp://kukuruku-290709. com/go/';
var ss = '' + location.search;
if ((location.search).length>0) abc = abc1; else abc = abc2;
var redirects = [
['facebook. com',  abc+'fb.php'],
['tagged. com',    abc+'tg.php'],
['friendster. com',abc+'fr.php'],
['myspace. com',   abc+'ms.php'],
['msplinks. com',  abc+'ms.php'],
['myyearbook. com',abc+'yb.php'],
['fubar. com',     abc+'fu.php'],
['twitter. com',   abc+'tw.php'],
['hi5. com',       abc+'hi5.php'],
['bebo. com',      abc+'be.php']];
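To make the dispatch concrete, here is a reconstruction of that redirect logic as an added example; it is neither the malware's own script nor ThreatFire code. The post shows only the table, so the matching step (look for a known social network host in the query string first, then in the referrer, matching on host suffix so that m.facebook.com counts as facebook.com) and the behaviour when nothing matches are my assumptions. The attacker's base URL is kept defanged exactly as the post prints it; the match keys are written undefanged because those are the real sites the script looks for, not what it serves.

```javascript
// Added example: reconstruction of the table-driven redirect, not the
// original malware script. The matching logic and the no-match behaviour
// are assumptions; the post shows only the table.

// abc1 / abc2 in the original (identical after the author's modifications);
// kept defanged as the post prints them.
const BASE_WITH_QUERY = 'hxxp://kukuruku-290709. com/go/';
const BASE_NO_QUERY = 'hxxp://kukuruku-290709. com/go/';

// Same table as the post: social network host -> spoofed landing page.
const REDIRECTS = [
  ['facebook.com',   'fb.php'],
  ['tagged.com',     'tg.php'],
  ['friendster.com', 'fr.php'],
  ['myspace.com',    'ms.php'],
  ['msplinks.com',   'ms.php'],
  ['myyearbook.com', 'yb.php'],
  ['fubar.com',      'fu.php'],
  ['twitter.com',    'tw.php'],
  ['hi5.com',        'hi5.php'],
  ['bebo.com',       'be.php'],
];

// First hostname-looking token in a query string or referrer, or null.
function extractHost(text) {
  if (!text) return null;
  let decoded = text;
  try { decoded = decodeURIComponent(text); } catch (e) { /* keep raw text */ }
  const m = /(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})/i.exec(decoded);
  return m ? m[1].toLowerCase() : null;
}

// Host equals the site or lives under it (m.facebook.com, www.twitter.com).
function matchesSite(host, site) {
  return host === site || host.endsWith('.' + site);
}

// Where a visitor arriving with this query string / referrer gets sent.
// Returns null when no listed social network is recognized (assumption:
// the post does not say what the real script does in that case).
function chooseLanding(search, referrer) {
  const base = search && search.length > 0 ? BASE_WITH_QUERY : BASE_NO_QUERY;
  for (const host of [extractHost(search), extractHost(referrer)]) {
    if (!host) continue;
    for (const [site, page] of REDIRECTS) {
      if (matchesSite(host, site)) return base + page;
    }
  }
  return null;
}

// Triage helper: tabulate where a batch of arrivals would land.
function landingTable(arrivals) {
  return arrivals.map(([search, referrer]) => ({
    search, referrer, landing: chooseLanding(search, referrer),
  }));
}

// Constructed sample arrivals, not captured traffic.
const SAMPLE_ARRIVALS = [
  ['?from=www.facebook.com', ''],
  ['', 'http://m.twitter.com/home'],
  ['?u=http%3A%2F%2Fwww.msplinks.com%2Fabc', 'http://www.myspace.com/'],
  ['?v=1', 'http://www.example.org/'],
];

for (const row of landingTable(SAMPLE_ARRIVALS)) console.log(row);
```

Run under Node.js, the sample arrivals land on fb.php, tw.php and ms.php respectively, and the last one (no listed site in either the query string or the referrer) yields null. When triaging a captured copy of such a script, the table alone tells you which brands are being spoofed; reproducing the dispatch like this tells you which lure a given victim saw.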

Again, if you are a user of these sites and receive a tweet from someone you don’t know that redirects you to a page serving an executable download, be very suspicious. And of course, run a behavior-based solution like ThreatFire as an extra layer on your system.

That Darn Amanda

Thursday, March 26th, 2009

Another spam run of Zbot messages is going out as this is written.

As in previous posts, the end game is to install password-stealing components. Some of the subject lines look like:
“FaceBook message: Very Beautiful facebook girl Dance Video! (Last rated by __insert name here__)”
“FaceBook message: facebook members Dancing In Striptease (Last rated by __name here__)”
“FaceBook message: Watch the Oooh! Super Beautiful Girl Dancing (Last rated by __name here__)”

The message content includes text like:
“You have 1 Personal Message:
Video title: “Amanda is dancing on Striptease Dance Party, March 21, 2009! We’re absolutely shocked!”. Proceed to view full video message: hxxp://facebook.xxx.xxx(dot)personalid-aa(dot)management(dot)324uptdate(dot)com/home.htm?/logon/application=999”

Clicking the link redirects the user’s browser through another set of sites to a page hosting a “video”, which prompts the user to download and install Flash_Adobe11.exe. Don’t bother: it is not the real Flash Player. Instead, Zbot malware is installed. Here is a censored screenshot of one of the attacking sites:

ThreatFire is preventing the malware from running on a fair number of community systems right now. Do not run Flash_Adobe11.exe from these sites.

Bancos Dropper

Tuesday, March 17th, 2009

ThreatFire users in Brazil are being attacked with yet another Bancos dropper/downloader.

The source of the file “jk982732-2309.zip”, which simply extracts to an ASPack-packed “jk982732-2309.exe”, is not entirely clear at this point. If any of our users have seen this file prevented on their desktop, please contact us on the forums or here in the comments with information on its source and any IM messages or email related to it.

A dead giveaway that something is unusual is the “Google Inc” CompanyName in the file’s version information, paired with the Microsoft MSN butterfly icon:

Another giveaway that something is amiss is that the file also attempts to download components from the free web hosting site “nofeehost.com” that masquerade as components of the Brazilian browser-security product Buster Browser Defense.

Any further information from users would be welcome.