iOffer phishing email

The iOffer web site, a place to sell, buy and trade, is the subject of a phishing email. MX Lab received several samples with the subject “You’ve received a question about your ioffer item Brand New Nikon D80 Package, 2 Lens,4GB and more..”, the sender address “noreply@ioffer.com” <noreply@ioffer.com>, and the following content:

Dear member,

You have a question from maildirect1 regarding the item Brand New Nikon D80 Package, 2 Lens,4GB and more….!

Click below to see the question and respond:
View the dispute thread to respond hxxp://222.124.199.98/icons/small/login?SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=******

**THIS IS AN AUTOMATED EMAIL – PLEASE DO NOT REPLY**

The use of a bare IP address in a URL is always suspicious and should alert you to possible abuse. When visiting the site we found, as expected, a nicely branded iOffer login page asking for your login and password.
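As an added example (not code from the original post), the following Python script applies the checks described above to a constructed copy of the phishing message: it extracts every URL, flags hosts that are bare IP addresses, and flags links whose host is not under the brand domain the mail claims to come from (assumed here to be ioffer.com).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample based on the phishing message quoted above; the link keeps
# its defanged hxxp form and the tracking parameters are placeholders.
SAMPLE_EMAIL = """Dear member,
View the dispute thread to respond hxxp://222.124.199.98/icons/small/login?SignIn&co_partnerId=2&pageType=PLACEHOLDER
Genuine link for comparison: https://www.ioffer.com/login
"""

URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s<>\"']+", re.IGNORECASE)


def host_is_ip_literal(host: str) -> bool:
    """True when the URL host is a bare IPv4/IPv6 address instead of a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def host_belongs_to(host: str, brand_domain: str) -> bool:
    """True when host is brand_domain itself or a subdomain of it (look-alikes fail)."""
    host = host.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)


def flag_urls(text: str, claimed_brand_domain: str) -> list[dict]:
    """Return every URL in the message that fails a check, with the reasons."""
    findings = []
    for raw in URL_RE.findall(text):
        # Re-arm the defanged scheme only so urlsplit can parse it; never fetch it.
        parsed = urlsplit(re.sub(r"^hxxp", "http", raw, flags=re.IGNORECASE))
        host = parsed.hostname or ""
        reasons = []
        if host_is_ip_literal(host):
            reasons.append("ip-literal host")
        if not host_belongs_to(host, claimed_brand_domain):
            reasons.append(f"host not under {claimed_brand_domain}")
        if "login" in parsed.path.lower() and parsed.scheme != "https":
            reasons.append("credential page served without TLS")
        if reasons:
            findings.append({"url": raw, "host": host, "reasons": reasons})
    return findings
```

Running `flag_urls(SAMPLE_EMAIL, "ioffer.com")` reports only the IP-based link, with all three reasons, while the genuine iOffer URL passes.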

Normally, our Firefox warns us when we enter a phishing site, but this time we got no warning. When filling in a login and password (not recommended) I noticed that the words Username and Password turn green and the text Required_fail appears next to the form fields. Afterwards you are redirected to the genuine iOffer login page.

The latest spam campaigns on the net

Spam about meds and pills still makes up a serious share of all spam messages worldwide. The latest spam messages are some fine examples.

Google Groups spam

The following spam message again uses Google Groups to lure the visitor.

Hi!

Feel Better Now!!

hxxp://groups.google.com/xxxxx/robertomrlg860/web/mariana

We’re always here for you!
the past is immutable: forget it, sheep dismantler

This is the Google Groups page:

Following the URL on the Google Groups page brings us to a site called Pharmacy Express at the domain hxxp://esmnyx.sg/.

CBS News spam

Another example includes a “News Summary” image in the header. That image is actually hosted on the CBS News site.

What is remarkable about this spam is that the message source uses up to 5 different URLs, behind the Help, Advertise, Terms of Service and other links, that all redirect to the same Canadian Pharmacy web site.

Pizza Hut

Another “victim” in the spam campaigns is Pizza Hut. The “Order Now” button and the “Click for more deals” tab are both images hosted on the Pizza Hut site.

The message source even contains a genuine Pizza Hut URL pointing to their special landing page: hxxp://getmore.emailpizzahut.com/****. The other URLs again lead to the Canadian Pharmacy site.

Power Gain spam

Besides viagra and other pills, techniques and products to increase your manhood are also very popular. This example shows you the latest one.

Note that the messages in these campaigns contain footers with unsubscribe links, “email preferences” links and so on. With these techniques spammers try to make their messages look like a legitimate mailing in order to mislead readers.

Conflict in Gaza inspires new CNN campaign from malware authors

Israel’s military campaign in Gaza has inspired malware distributors. The outbreak appears to be sent by CNN Media Centre (cnn@cnn.com), an obviously spoofed sender, with subject lines such as:

israel’s war on hamas: a dozen thoughts
hamas goads israel into war
israel vows war on hamas in gaza
hamas launching rocket war after gaza evacuation

The body of the email contains:

Israel offers short respite from strikes.
Israel will halt its bombardment of Gaza for three hours  every day to allow residents of the Hamas-ruled Palestinian territory to obtain much-needed supplies, a military spokesman says.
The images broadcast here where graphic and striking.
The Al Jazeera English report below captures the extent of the devastation caused by the initial strikes.

Proceed to view details:

hxxp://edition.cnn.2009.completeserv.*****-******.israelgazaconflict.com/israel-gaza.htm?/****

2009 Cable News Network. A Time Warner Company. All Rights Reserved.

The included URL leads visitors to a web site that looks like the CNN site. When you click a link to view the video, download prompts appear asking you to update your Adobe Acrobat or Flash Player software. The only way out of this loop is to close your browser session. If the download is accepted, a Trojan is installed which opens a channel for downloading further malware from a remote location.

Similar campaigns have been run in the past with the CNN Daily Top 10 and the CNN Alerts. Those campaigns caused several new infections because recipients took the messages for legitimate email thanks to the CNN look-and-feel used to mislead them.

The current campaign has no CNN branding at the moment, so it should look suspicious right away to anyone. Be careful.

CNN’s Behind the Scenes blog warns its readers not to download any software pertaining to the Gaza conflict.

Northwest Airlines email contains a trojan

A trojan detected as Trojan-Spy.Win32.Zbot.jzb (Kaspersky), W32/Trojan-Gypikon-based.BA!Maximus (F-Prot) and PWS:Win32/Zbot.gen!R (Microsoft) is spreading. It is spread by an email with the subject E-ticket #4452444681 (the numbers change) sent by Northwest Airlines <tickets@nwa.com>, which is obviously a spoofed sender address.

The email body content:

Hello!

Thank you for using our new service “Buy Northwest Airlines ticket Online” on our website.
Your account has been created:

Your login: ida.camacho@t********.com
Your password: passXNK0

Your credit card has been charged for $471.52.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the Northwest Airlines ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Damian Muller
Northwest Airlines

Attached is a ZIP file named NorthwestAirlines.zip that contains the executable NorthwestAirlines.exe.

Trojan-Spy.Zbot.YETH is a rootkit trojan that steals online banking information and also downloads other malware. Its origin is possibly the Russian Federation.

Local files created:

%System%\twain32\local.ds
%System%\twain32\user.ds
%System%\twain32\user.ds.lll 
%System%\twex.exe 

Several Windows registry changes are made; one of them makes sure that twex.exe is run every time Windows starts. The trojan then connects to the host 91.211.65.33 on port 80 and issues a GET request for ferrari/admin.bin.

So it has all the characteristics of the new UPS variant that I posted about earlier, only with a Northwest Airlines wrapping to get your attention.

Virus Total permalink and MD5: 3060a4679f0163664b14f8aa59255791.

New UPS trojan variant: Delivery problems

A new UPS trojan variant is being detected, called Mal/Zbot-G by Sophos and VirTool:Win32/Obfuscator.CT by Microsoft.

MX Lab was the first to submit the file to Virus Total for analysis. Only 2 of the 36 AV engines at Virus Total detected the trojan at the time of writing, so be aware that this email contains malware and don’t open the attachment.

The sender’s email address is: United Postal Service <tracking@ups.com>.

The subject is: Delivery problems

The content of the body:

Hello!

Sorry, we were not able to deliver postal package you sent on December the 25th in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office.

Your UPS Support Team

The attached file is named UPSInv.zip and the ZIP archive contains UPSInv.exe.

Please note that the sender’s email address, the subject, the body and the attached file names can change.

This is Trojan-Spy.Zbot.YETH, a rootkit trojan that steals online banking information and also downloads other malware. Its origin is possibly the Russian Federation.

Local files created:

%System%\twain32\local.ds
%System%\twain32\user.ds
%System%\twain32\user.ds.lll 
%System%\twex.exe 

Several Windows registry changes are made; one of them makes sure that twex.exe is run every time Windows starts. The trojan then connects to the host 91.211.65.33 on port 80 and issues a GET request for ferrari/admin.bin.

Virus Total permalink and MD5 hash: 61a1617ddb5c5bdb495b29bd1719e965.

IKEA’s New Planning Software is a trojan

If you receive an email with the subject “IKEA’s New Planning Software” containing the attachment ikea.zip, you have most likely received a trojan detected as W32/Trojan3.TX (F-Prot), Trojan.Win32.Buzus.agev (Kaspersky) or Trojan.Generic.1281011 (BitDefender). The extracted file is named “ikea.doc   [lots of spaces]  .scr” and is about 220 kB in size.

The body content contains:

IKEA has a Fantastic new FREE tool for home decorating. Introducing our Home Planner software which allows you to plan your home in a 3D environment.  Simply follow the instructions in the attachment and start planning your dream home today.

The email is also very IKEA branded as you can see from the screenshot below.

It is clear that the trojan author is trying to get the recipient’s computer infected with the help of this nicely IKEA-branded email.

The trojan is a network-aware worm that attempts to replicate across the existing network(s), which represents a security risk for the compromised system and/or its network environment.

It can send out email with a built-in SMTP client engine or communicate with a remote SMTP server when sending mail. It also sends email to addresses harvested from the local computer and downloads other files from the internet.

The following files are created: %Temp%\pmnnmkHY.bat, %System%\ddcBUlLD.dll and %System%\javacpl.exe. The following processes are created: javacpl.exe and ics.exe. Windows registry edits are made and TCP ports 1033, 1056 and 1067 are opened.

A connection to www.hallmark.com is being established and the following files are downloaded:

    * wcsstore/HallmarkStore/images/globalNav/gnav_logo.gif
    * wcsstore/HallmarkStore/images/globalNav/gnav_shop.gif
    * wcsstore/HallmarkStore/images/globalNav/gnav_hmkmag.gif
    * wcsstore/HallmarkStore/images/globalNav/gnav_ecards.gif
    * wcsstore/HallmarkStore/images/globalNav/gnav_gcs.gif

The file khfCTLdD.dll is downloaded from the host hxxp://childhe.com/pas/apstpldr.dll.html?affid=*****. This file in turn performs actions on the infected computer such as Windows registry changes and uses BITS (Background Intelligent Transfer Service) to schedule further downloads.

This trojan then sends out a Hallmark E-Card campaign like the one in the screenshot below.

That email has the sender postcards@hallmark.com and the subject “You’ve received A Hallmark E-Card!”, and contains a ZIP file named postcard.zip.

As always, even if the anti-virus on your computer doesn’t detect a virus or trojan, be suspicious when you get a message like this one with an attachment from a company like this. Companies like IKEA don’t send out mailings this way.
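As an added example, not code from the original posts, the following Python code shows the attachment check a mail gateway could apply to the archives described in the Northwest Airlines, UPS and IKEA posts above: it inspects the member names of a ZIP and flags executables, including the whitespace-padded “ikea.doc ... .scr” double-extension trick. The archives are constructed in memory with harmless text bodies; the member names are taken from the posts, the extension lists are assumptions.

```python
import io
import re
import zipfile

# Extensions Windows runs on double-click (assumed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# A "document" extension, a run of spaces, then the real extension, as in the
# IKEA sample "ikea.doc   [lots of spaces]  .scr"; the padding pushes the real
# extension out of view in narrow file dialogs and mail clients.
PADDED_DOUBLE_EXT = re.compile(r"\.(doc|pdf|xls|txt|jpg)\s{2,}\.\w+$", re.IGNORECASE)


def make_sample_zip(member_names: list[str]) -> bytes:
    """Build a constructed ZIP in memory whose members are harmless text bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, "constructed placeholder body, not malware\n")
    return buf.getvalue()


def suspicious_members(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for every member a mail gateway should block."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]  # ignore any folder part
            # The true extension is whatever follows the last dot, padding aside.
            true_ext = "." + base.rstrip().rsplit(".", 1)[-1].lower() if "." in base else ""
            if PADDED_DOUBLE_EXT.search(base):
                findings.append((name, "padded double extension"))
            elif true_ext in EXECUTABLE_EXTS:
                findings.append((name, f"executable member ({true_ext})"))
    return findings


# Constructed archives mirroring the attachment names quoted in the posts above.
SAMPLES = {
    "NorthwestAirlines.zip": make_sample_zip(["NorthwestAirlines.exe"]),
    "UPSInv.zip": make_sample_zip(["UPSInv.exe"]),
    "ikea.zip": make_sample_zip(["ikea.doc" + " " * 60 + ".scr"]),
    "benign.zip": make_sample_zip(["invoice.pdf", "notes.txt"]),
}


def scan_all(samples: dict[str, bytes]) -> dict[str, list[tuple[str, str]]]:
    """Scan every constructed archive and map its name to the findings."""
    return {archive: suspicious_members(data) for archive, data in samples.items()}
```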

The real IKEA Planning Tool is available on the web site of IKEA as a download.

Virus Total permalink and MD5 hash: 8dff0478664d7ef6efde13c74f81cd22.

Happy new year!

MX Lab wishes everyone a happy new year and a spam-free 2009!