Archive for the ‘Trojan’ Category

Bredolab UPS_Invoice Blast

Tuesday, January 12th, 2010

Over the past 16 hours, we’ve seen a sharp spike in the number of UPS_Invoice themed malware being run and prevented on systems. We’ve seen this invoice scheme many times before, but to many computer users the scam is still not familiar. The files are often delivered as .zip attachments containing a malicious Bredolab downloader or Zbot password stealer. Again, this is the extracted file’s appearance after it is unzipped, with file extensions hidden (a Windows folder option). Compare it with the screenshot that follows; unfortunately, the difference is not obvious:

UPS_Invoice_no_extensions


And here is a screenshot with the extensions visible:

UPS_Invoice

Some of the file names being used to fool users include:

UPS_INVOICE_NR81913.ZIP
UPS_INVOICE_NR81913.EXE
UPS_invoice_NR43193.zip
UPS_INVOICE_NR43193.EXE
UPS_invoice_NR12090.zip
UPS_INVOICE_NR12090.EXE
UPS_invoice_NR74225.zip
UPS_INVOICE_NR74225.EXE
UPS_INVOICE_NR10124.ZIP
UPS_INVOICE_NR10124.EXE
UPS_INVOICE_NR85411.ZIP
UPS_INVOICE_NR85411.EXE
UPS_INVOICE_NR76225.ZIP
UPS_INVOICE_NR76225.EXE

Be sure to examine the contents of .zip files prior to attempting to open them. We will update this post as more information is available.
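The advice above, examining an archive before opening it, can be scripted. The following is an added example, not code from the original post or from ThreatFire: it reads only the zip central directory (nothing is extracted) and flags members whose extension Windows would execute on double-click, or whose name follows the UPS_INVOICE_NR<digits> pattern listed above. The extension list, the name pattern and the sample archives are my own constructions.

```python
import io
import re
import zipfile

# Extensions Windows runs on double-click; hand-picked list, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# File-name pattern from this wave (UPS_INVOICE_NR<digits>.<ext>), case-insensitive.
LURE_NAME = re.compile(r"^UPS_INVOICE_NR\d+\.", re.IGNORECASE)


def inspect_zip(data: bytes) -> list:
    """List every archive member with the reasons it looks suspicious.

    Only the central directory is read; nothing is extracted or executed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]          # strip any folder prefix
            ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
            flags = []
            if ext in EXECUTABLE_EXTS:
                flags.append("executable member")
            if LURE_NAME.match(base):
                flags.append("UPS_INVOICE lure naming")
            findings.append({"name": info.filename, "ext": ext,
                             "size": info.file_size, "flags": flags})
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when any member carries at least one flag."""
    return any(f["flags"] for f in inspect_zip(data))


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed test archive; the payload is inert filler, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "lure": build_sample_zip("UPS_INVOICE_NR81913.EXE", b"MZ" + b"\x00" * 64),
        "benign": build_sample_zip("invoice_81913.pdf", b"%PDF-1.4 constructed sample"),
    }
    for label, archive in samples.items():
        print(label, "suspicious" if is_suspicious(archive) else "clean")
        for finding in inspect_zip(archive):
            print("   ", finding)
```

The check is deliberately name-based, because that is exactly what the hidden-extensions folder option takes away from the user: a mail gateway or a desktop helper can see the real extension even when Explorer does not show it.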

Tertwit? or Twitter Tweet Links Redirect to Koobface

Friday, August 7th, 2009

koob-Face or ter-Twit? The ongoing abuse of twitter feeds by malware distributors continues to net more social networking victims. As always, be wary of any executable you are prompted to download and execute. Currently, evil tweets for “My home video :) ” or “cool video! WOW!” redirect to a set of spoofed social network pages. The malicious pages present visiting users with a prompt for a plugin install, “Flash player upgrade required”. An example here:

The malicious Koobface worm that ThreatFire has been preventing on desktops is served up from this site under the name “setup.exe”. Interestingly, a number of the IP addresses serving up Koobface have also been in use by Waledac distributors.

The ThreatFire community has been reporting the Koobface nastiness being served from multiple web servers today, with fairly heavy Koobface volume from web servers hosted on these IP addresses:
24.99.76.139
68.190.49.24
76.127.120.44
81.108.192.83
91.121.135.189
199.0.205.28

Update: Thankfully, as the malware distributors have changed some of their tweet tactics, their web server at kukuruku-290709. com has been pulled out from under them. Here is an example portion of the JavaScript (mods mine) hosted on the redirect pages. It examines the victim’s search URL and, based on a list of extremely popular social networking sites, redirects them to one of a variety of spoofed pages:

// KROTEG
var abc1 = 'hxxp://kukuruku-290709. com/go/';   // redirector base (defanged: hxxp, space before .com)
var abc2 = 'hxxp://kukuruku-290709. com/go/';   // same base in this sample; selected by query string below
var ss = '' + location.search;                   // the victim's query string
var abc;
if ((location.search).length>0) abc = abc1; else abc = abc2;
// [site the victim arrived from, spoofed landing page served for that site]
var redirects = [
['facebook. com',  abc+'fb.php'],
['tagged. com',    abc+'tg.php'],
['friendster. com',abc+'fr.php'],
['myspace. com',   abc+'ms.php'],
['msplinks. com',  abc+'ms.php'],
['myyearbook. com',abc+'yb.php'],
['fubar. com',     abc+'fu.php'],
['twitter. com',   abc+'tw.php'],
['hi5. com',       abc+'hi5.php'],
['bebo. com',      abc+'be.php']];

Again, if you are a user of these sites and receive a tweet from someone you don’t know that redirects you to a page that serves up an executable download, be very suspicious. And of course, run a behavioral-based solution like ThreatFire as a layer on your system.
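When a redirect script like the one above turns up on a compromised page, the useful defender output is the table it carries: the redirector host to block and the full set of spoofed landing pages. The following is an added example, not code from the post or from ThreatFire, that parses the quoted (still defanged) snippet with two regular expressions and emits those indicators. The sample text is the post's own snippet reproduced as constructed parser input; the regexes assume the `var abcN = '...'` and `['site', abc+'page']` layout seen there.

```python
import re

# Constructed parser input: the defanged redirect script quoted in the post above,
# with the post's own modifications kept (hxxp scheme, space before ".com").
SAMPLE_JS = """
// KROTEG
var abc1 = 'hxxp://kukuruku-290709. com/go/';
var abc2 = 'hxxp://kukuruku-290709. com/go/';
var ss = '' + location.search;
if ((location.search).length>0) abc = abc1; else abc = abc2;
var redirects = [
['facebook. com',  abc+'fb.php'],
['tagged. com',    abc+'tg.php'],
['friendster. com',abc+'fr.php'],
['myspace. com',   abc+'ms.php'],
['msplinks. com',  abc+'ms.php'],
['myyearbook. com',abc+'yb.php'],
['fubar. com',     abc+'fu.php'],
['twitter. com',   abc+'tw.php'],
['hi5. com',       abc+'hi5.php'],
['bebo. com',      abc+'be.php']];
"""

BASE_RE = re.compile(r"var\s+(abc\d)\s*=\s*'([^']+)'")                 # var abc1 = '...';
ROW_RE = re.compile(r"\[\s*'([^']+)'\s*,\s*abc\s*\+\s*'([^']+)'\s*\]")  # ['site', abc+'page']


def host_of(url: str) -> str:
    """Hostname part of a (possibly defanged) URL: text between '//' and the next '/'."""
    return url.split("//", 1)[-1].split("/", 1)[0]


def extract_redirects(js: str) -> dict:
    """Pull the redirector bases and the site -> landing-page table out of the script."""
    bases = dict(BASE_RE.findall(js))                 # {'abc1': base, 'abc2': base}
    rows = ROW_RE.findall(js)                         # [(trigger_site, page), ...]
    # 'abc' is one of the bases at runtime, so every base x page pair is a possible landing URL
    landing = sorted({base + page for base in bases.values() for _, page in rows})
    return {
        "bases": bases,
        "trigger_sites": [site for site, _ in rows],
        "landing_urls": landing,
        "hosts": sorted({host_of(b) for b in bases.values()}),
    }


if __name__ == "__main__":
    result = extract_redirects(SAMPLE_JS)
    print("redirector hosts:", result["hosts"])
    print("sites that trigger a redirect:", result["trigger_sites"])
    for url in result["landing_urls"]:
        print("  landing page:", url)
```

The output stays defanged because the input is; feed the hosts to a block list and the landing URLs to whatever you use for tracking phishing pages.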

That Darn Amanda

Thursday, March 26th, 2009

Another spam run of Zbot messages is going out as this is written.

As in previous posts, we find that the end game is to install password stealing components. Some of the subject lines look like:
“FaceBook message: Very Beautiful facebook girl Dance Video! (Last rated by __insert name here__)”
“FaceBook message: facebook members Dancing In Striptease (Last rated by __name here__)”
“FaceBook message: Watch the Oooh! Super Beautiful Girl Dancing (Last rated by __name here__)”

The message content includes text like:
“You have 1 Personal Message:
Video title: “Amanda is dancing on Striptease Dance Party, March 21, 2009! We’re absolutely shocked!”. Proceed to view full video message: hxxp://facebook.xxx.xxx(dot)personalid-aa(dot)management(dot)324uptdate(dot)com/home.htm?/logon/application=999″

Clicking on the link in turn redirects the user’s browser to another set of sites hosting a video, prompting the user to download and install Flash_Adobe11.exe. Don’t bother; it’s still not the real Flash Player. Instead, Zbot malware is installed. Here is a censored screenshot of one of the attacking sites:

ThreatFire is preventing the malware from running on a fair number of community systems right now. Do not run Flash_Adobe11.exe from these sites.
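The lure URL quoted above puts “facebook” in the leftmost label while the domain that actually answers is 324uptdate(dot)com. The following is an added example, not code from the post or from ThreatFire, that refangs a URL in the post's notation and reports the registrable domain alongside any brand name hiding in the subdomain labels. The brand table and the “last two labels” rule are my own simplifications: a real implementation needs a public-suffix list to handle domains such as .co.uk.

```python
import re

# Brand keyword -> the brand's real registrable domain (my small table, not authoritative).
BRANDS = {"facebook": "facebook.com"}

# Constructed sample: the lure URL quoted in the post, still in its defanged form
# (the "xxx.xxx" labels are the post's own censoring and are kept as-is).
SAMPLE_LURE = ("hxxp://facebook.xxx.xxx(dot)personalid-aa(dot)management(dot)"
               "324uptdate(dot)com/home.htm?/logon/application=999")


def refang(url: str) -> str:
    """Undo the post's defanging so the URL can be parsed: '(dot)' -> '.', 'hxxp' -> 'http'."""
    return re.sub(r"^hxxp", "http", url.replace("(dot)", "."))


def analyse_lure_url(url: str) -> dict:
    """Split the host into labels and look for a brand name outside the registrable domain."""
    url = refang(url)
    m = re.match(r"^https?://([^/?#]+)", url)
    if not m:
        raise ValueError("not an http(s) URL: " + url)
    host = m.group(1).lower().split("@")[-1].split(":")[0]   # drop userinfo and port
    labels = host.split(".")
    # Naive registrable domain: the last two labels. Demo assumption; use a
    # public-suffix list in production.
    registrable = ".".join(labels[-2:])
    spoofed = None
    for label in labels[:-2]:                 # only the subdomain labels
        for brand, real in BRANDS.items():
            if brand in label and registrable != real:
                spoofed = brand
    return {
        "host": host,
        "registrable_domain": registrable,
        "spoofed_brand": spoofed,
        "suspicious": spoofed is not None,
    }


if __name__ == "__main__":
    for u in (SAMPLE_LURE, "http://www.facebook.com/home.php"):
        print(analyse_lure_url(u))
```

Run against the quoted lure the function reports 324uptdate.com as the domain that will actually be contacted, with “facebook” flagged as a spoofed brand; the genuine www.facebook.com address passes clean.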