Account Operations Report contains a trojan

Emails with the subject “Account Operations Report” contain the Trojan-Downloader.Win32.Agent.anaq, according to F-Secure's anti-virus.

The message:

Good morning
Icommittal

We got the request for the detailed report on your account operations made in the period from 1/1/08 to 10/30/08

Please print out altered details of your account on page 3 is enclosed in the zip compressed attachment to this message.

Thanks for contacting us.
Lucinda Leslie

The email contains the file Statment_details.zip, which extracts to the file Statment_details.doc     .exe. Subjects and file names can vary as this threat continues to spread.

Virus Total permalink and MD5: 7f57b7a2513622e24094528e02b8eaf4.

Eliminate your debt spam

With the financial crisis there seems to be a rise in financial/debt spam emails worldwide. Some of these spam messages also use the domain spaces.live.com to host their spam message, trying to defeat anti-spam engines that use intent analysis.

Some subjects:

debt consolidation
low interest debt consolidation
credit rating
bad debt consolidation
debt external
… 

Content:

DO NOT cöñsolidate your debt   Elimiñate It!!!

Leegally Remove your credït card and other unsecured dëbt

* WIT|-|OUTT ever makiñg another pãyment to yoour creditoors
* WITHOUT it affecting yoúr credit long-term
* WITHOUT coñfrontatïon

http://8b1cdN.spaces.live.com/

This IS NOT:

* Båñkrufltcy
* Consolidation
* Or refinancing of any kind

Visit here to leârn how.

http://8b1cdN.spaces.live.com/

* Must have a minimum of 10K in còmbined household unsecured debt to apply 
* Must be a US resident.

Notice the use of accented and look-alike characters in the spam to trick Bayesian engines and content filters that match on word combinations such as consolidate, eliminate and debt.
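One way a filter can undo this kind of obfuscation before keyword matching, written here as an added Python example (not MX Lab's code): accented letters are folded to their base letter, a few ASCII-art imitations such as |-| are replaced, and doubled letters are collapsed so that "Leegally" and "legally" compare equal. The sample text and the rule are constructed from the spam quoted above.

```python
import re
import unicodedata

# Constructed sample: a few lines of the obfuscated spam quoted above
SPAM_SAMPLE = """DO NOT cöñsolidate your debt   Elimiñate It!!!
Leegally Remove your credït card and other unsecured dëbt
* WIT|-|OUTT ever makiñg another pãyment to yoour creditoors
* WITHOUT coñfrontatïon"""

# ASCII look-alikes that survive Unicode normalisation (constructed list, extend as needed)
LOOKALIKES = (("|-|", "h"), ("@", "a"), ("$", "s"), ("0", "o"), ("1", "l"))

# A rule fires when at least one word of every group is present (constructed rule)
RULES = {
    "debt-elimination": [["consolidate", "consolidation"], ["eliminate", "remove"], ["debt"]],
}

def normalize(text):
    """Fold obfuscated text to plain lower-case ASCII words before keyword matching."""
    # 1. split accented letters into base letter + combining mark, then drop the marks
    decomposed = unicodedata.normalize("NFKD", text)
    folded = "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()
    # 2. undo ASCII-art imitations such as |-| for h
    for fake, real in LOOKALIKES:
        folded = folded.replace(fake, real)
    # 3. collapse doubled letters so 'leegally' and 'legally' both become 'legaly'
    folded = re.sub(r"([a-z])\1+", r"\1", folded)
    # 4. anything left that is not a letter becomes a word boundary
    return re.sub(r"[^a-z]+", " ", folded).strip()

def match_rules(text):
    """Names of the rules that the (normalised) text triggers."""
    words = set(normalize(text).split())
    # keywords go through the same normalisation so the doubled-letter collapse is symmetric
    return [name for name, groups in RULES.items()
            if all(any(normalize(kw) in words for kw in group) for group in groups)]

if __name__ == "__main__":
    print(normalize(SPAM_SAMPLE))
    print(match_rules(SPAM_SAMPLE))
```

The collapse of doubled letters also merges legitimate words ("letter" and "leter"), so this normalisation is only meant as a pre-processing step for the keyword rule, not as a replacement for the message text.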

When visiting the spaces.live.com site you’ll get the following screen, which links to the web site http://btstfirstcredit.com/.

When visiting and following the link to http://btstfirstcredit.com/ I arrived at the homepage of Google.be. Is this their intention, get me to Google?

The domain itself was registered with the registrar OnlineNIC Inc on 16 October 2008 by Shestakov Yuriy, located in Mirniy, Russia, with the mail address alexey@cocainmail.com.

The domain cocainmail.com itself is registered in Asia with BIZCN.COM, INC by Feis Kiosop from New York.

Statement January – October virus

MX Lab intercepted a new virus variant that is only detected by 5 of the 36 anti-virus engines on Virus Total. The virus is known as PAK_Generic.001 by Trend Micro, as Backdoor.Win32.Haxdoor by Ikarus and as Trojan:Win32/Emold.gen!C by Microsoft.

The emails are distributed with the subjects:

Data request
Attached Statement
Statement January – October
Account data
Account information

xxx.xxx Report 1/1/2008 – 10/1/2008. (where xxx stands for the name that is used in the email address)

This is the content of a sample:

Please take a look at the attached statement on your account. The statement was issued today upon request, and your data has been successfully altered.

Thank you for contacting us.
Sincerely,Gilda

or

Dear Valued Customer:

Your account ID: t.mario.flores

As requested, we are sending you this account report attached this mail between 1/1/2008 and 10/1/2008.

At your service,
Aurelia Schneider

The attachment has the name “tatement_Jan-Oct.zip” and once extracted contains the document “Statement_Jan-Oct.doc             .exe”. Naming can vary as new variants are spread. The spaces before .exe are a common trick to fool people: the file appears to be a .doc file, while the actual file type is further along in the file name.
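A mail gateway can flag this naming trick before the user ever sees the attachment. The following is an added Python example (not MX Lab's code) that serves both the Statment_details.zip archive from the Account Operations Report post above and the archive described here: it opens a zip in memory, and for every member looks for an executable final extension, a run of whitespace hiding that extension, and a decoy document extension earlier in the name. The sample archive is constructed and its contents are inert bytes.

```python
import io
import re
import zipfile

# Extensions that run when double-clicked on Windows (constructed list, not exhaustive)
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
# Extensions the sender wants the victim to believe they are opening
DOCUMENT_EXTENSIONS = {"doc", "xls", "pdf", "txt", "rtf"}

def classify_name(name):
    """Return the reasons a file name looks deceptive (an empty list means nothing found)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]          # zip members may carry a directory prefix
    parts = base.split(".")
    if len(parts) < 2:
        return reasons
    final_ext = parts[-1].strip().lower()
    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension ." + final_ext)
        # two or more spaces right before the real extension, as in 'x.doc     .exe'
        if re.search(r"\s{2,}\.[A-Za-z0-9]+$", base):
            reasons.append("whitespace padding hides the real extension")
        # a document-looking extension somewhere before the real one
        for inner in parts[1:-1]:
            if inner.strip().lower() in DOCUMENT_EXTENSIONS:
                reasons.append("decoy document extension ." + inner.strip().lower())
    return reasons

def scan_zip(data):
    """Scan a zip archive given as bytes; return {member name: reasons} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip():
    """Constructed archive mimicking the one described above; the payload is not an executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Statement_Jan-Oct.doc             .exe", b"inert sample bytes")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()

if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(repr(member), "->", "; ".join(reasons))
```

Only the names are inspected here; the member bytes are never extracted, so the check is cheap enough to run on every archive that passes the gateway.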

Virus Total permalink and MD5: 0d5908b1bc2881c7fb6cd30a48dee64c

MX Lab is “best buy” according to Data News

Data News, an IT/ICT magazine from Roularta Media Group, published in issue nr. 31 of 3 October 2008 a test of hosted mail security services.

The tested email security providers are Belgacom e-Services Email Security, Kaspersky Hosted Security Services, MessageLabs Email Services, SPAMfighter, Symantec Hosted Mail Security and Trend Micro Interscan Messaging Hosted Security.

Data News concludes: “From all the tested services we are impressed by the services from Belgacom, MessageLabs and MX Lab. These three services had almost perfect results during the test and are not too expensive. MX Lab is “best buy” because of the fact that MX Lab had the best price and no false positives during the test.”

Web site: http://www.datanews.be

Security Update for OS Microsoft Windows

MX Lab intercepted emails with the subject “Security Update for OS Microsoft Windows”, a rather long email with instructions to run the attached file named, in this case, KB934178.exe, which is a keylogger program that captures all user keystrokes. It is known by Sophos as Mal/EncPk-CZ and by F-Secure as Trojan-Spy.Win32.Goldun.bce. The message even includes a PGP signature to make it look more realistic.

The author has done some basic homework. Steve Lipner is indeed working for Microsoft as Senior Director of Security Engineering Strategy in Trustworthy Computing (found it on the net – what a title by the way) and has published the book The Security Development Lifecycle. You can also read blog articles from Steve Lipner and other authors at http://blogs.msdn.com/sdl/default.aspx.

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:

1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,
Steve Lipner
Director of Security Assurance
Microsoft Corp.

-----BEGIN PGP SIGNATURE-----

Version: PGP 7.1

794OF0ZAO22DKAJUOQV1SEBNKIAM6AFIC2YR1ZHA6W55L9J2V4890Z7WGV56F
MZ63FIE80ZXC41KFNK6GK6WA2DBBS259GL8SMT8I83MEXOSZVIU3KRQR31J6YA
NFAR62PDBLEJIOW47E55XF1Y4D757C911KXRFK9ANFOBOF0BIEMGPO8CIC6O3IK
7Y487P92KYTZCTBWL5J069T69DT8MDDHAMGQX45BSMTOSYMZ43TNM81R8BPA
WQDN9MP3VX3PR14QTRJXT5G94IR2CDKAVMU56ZV48J69K5FPQ==
-----END PGP SIGNATURE-----

Virus Total permalink and MD5: 1ffcb1ea024c228ade6d8dad681c6ed7.
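The "signature" in that message does not even have the shape of OpenPGP ASCII armor: a genuine armored block ends its radix-64 body with a "=XXXX" line carrying a CRC24 over the decoded payload (RFC 4880, section 6.1), and that line is absent here. The following added Python example (not MX Lab's code) checks only that structure; the block from the message above is embedded as the constant FAKE_ARMOR, and the build_armor helper is a constructed test fixture, not a real signer.

```python
import base64
import binascii
import re

# OpenPGP ASCII-armor CRC24 parameters (RFC 4880, section 6.1)
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# The block quoted in the "Security Update for OS Microsoft Windows" message above
FAKE_ARMOR = """-----BEGIN PGP SIGNATURE-----

Version: PGP 7.1

794OF0ZAO22DKAJUOQV1SEBNKIAM6AFIC2YR1ZHA6W55L9J2V4890Z7WGV56F
MZ63FIE80ZXC41KFNK6GK6WA2DBBS259GL8SMT8I83MEXOSZVIU3KRQR31J6YA
NFAR62PDBLEJIOW47E55XF1Y4D757C911KXRFK9ANFOBOF0BIEMGPO8CIC6O3IK
7Y487P92KYTZCTBWL5J069T69DT8MDDHAMGQX45BSMTOSYMZ43TNM81R8BPA
WQDN9MP3VX3PR14QTRJXT5G94IR2CDKAVMU56ZV48J69K5FPQ==
-----END PGP SIGNATURE-----"""

def crc24(data):
    """CRC24 over the decoded armor payload, as defined by RFC 4880."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor_crc_line(payload):
    """The '=XXXX' checksum line that closes every genuine armor body."""
    return "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()

def check_armor(text):
    """Return (ok, reason). Only the armor structure is checked; a structurally sound
    block still needs real signature verification against the sender's public key."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN PGP ") \
            or not lines[-1].startswith("-----END PGP "):
        return False, "missing armor header or tail line"
    body = lines[1:-1]
    i = 0
    # skip blank lines and optional 'Key: value' armor headers up to the first data line
    while i < len(body) and (not body[i] or re.match(r"^[A-Za-z-]+: ", body[i])):
        i += 1
    data_lines = [l for l in body[i:] if l]
    if not data_lines:
        return False, "empty armor body"
    if not data_lines[-1].startswith("="):
        return False, "missing CRC24 checksum line"
    crc_line = data_lines.pop()
    try:
        payload = base64.b64decode("".join(data_lines), validate=True)
    except (binascii.Error, ValueError):
        return False, "body is not valid radix-64"
    if armor_crc_line(payload) != crc_line:
        return False, "CRC24 mismatch"
    # every OpenPGP packet starts with a tag octet whose top bit is set
    if not payload or not payload[0] & 0x80:
        return False, "payload does not start with an OpenPGP packet tag"
    return True, "armor structure is consistent"

def build_armor(payload, kind="SIGNATURE"):
    """Constructed fixture: wrap bytes in a structurally valid armor block (not a real signature)."""
    b64 = base64.b64encode(payload).decode()
    return "\n".join(["-----BEGIN PGP " + kind + "-----", "Version: example", "",
                      b64, armor_crc_line(payload), "-----END PGP " + kind + "-----"])

if __name__ == "__main__":
    print(check_armor(FAKE_ARMOR))
```

A block that passes this check is merely well-formed; the check is useful the other way round, as a cheap reason to discard a message whose "signature" could never have been produced by a PGP implementation.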

As a general rule, Microsoft distributes patches and security updates only through Windows Update on your computer. Any other way of distribution, such as email, is not recommended at all.

Nice Citibank phishing attempt example

We intercepted a nice Citibank phishing attempt. The email notifies you that 1 message is waiting for you in the mail section, so you will need to log in.

Dear Customer,

You have one new message at .Citibank (South Dakota).

INBOX

From: Customer Service
Date: 10/07/2008
Subject: Official service renewal notification.

In order to read the message  click here <http://www.***********.com/uploads/z/***/citibank/index.html>  to login at
 Citibank (South Dakota) and access your MAIL section. 

This link brings us to the first step in the whole process, the login page. Notice that no secure HTTPS is in use. The whole phishing web site is hosted on a blog server.

After a successful login (with a non-real login and password, of course) we are shown the security notification message.

This message explains that our account is temporarily locked for security reasons after login attempts from foreign IP addresses were detected, so we need to update our account. When clicking Continue we can fill in all our private details, such as our address and, more importantly, our credit card details.

Again, we continue with dummy data and get a response page that the submitted details will be verified.

The green button at the end of the page contains a link to an external web site and leads us to a log out confirmation page. This domain appears to be registered by Citibank and uses a secure HTTPS connection.

As you can see, it’s that easy to steal your information if you don’t pay attention. Phishing attempts can be detected by following some simple rules:

  • never trust the From address of an email
  • banks do not send you an email asking you to re-activate or confirm your account, even if it includes their logo and looks legitimate
  • banks also do not ask you to send private and critical data, such as your credit card details, over the internet
  • always keep an eye on the address in the address bar of your browser
  • don’t send any details over unsecured HTTP; always look for HTTPS and make sure your browser is showing the HTTPS security icon in the status bar

Canadian Pharmacy spam looks like a mailing

Most of the time, spam for Viagra and other pills from Canadian Pharmacy doesn’t look as good as this campaign.

Their latest spam campaign is rather nice looking and uses some tricks to lure the receiver into their trap: an Unsubscribe link, Manage Subscription links and a Privacy policy note.

They also use different domains and change them quite often during the day to avoid detection by intent analysis techniques.

Using one of these links, http://www.voiceold.com/memberservices/remove.php?recipient=info@*****.be&SESSID=51706986E9245C, just leads you to a web site that responds with “Not Found”.

I would recommend not doing this, because they can easily track your actions on their web site with these links. By using those links you only confirm that your email address is valid, and you will receive more spam.
