Kelihos botnet taken down by Microsoft


According to an article on the official Microsoft Blog, the Kelihos botnet, also known as Waledac 2.0, was taken down on the 27th of September 2011 by Microsoft in an operation codenamed “Operation b79”.

Read the full story.

FDIC email with attached trojan masked as PDF file


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects like:

Fw: Security update for banking accounts
FW: Banking security update

The email is sent from a spoofed address and has the following body:

Dear clients,
Your Wire and  ACH transactions have been
temporarily suspended. Please open the attached
document(Adobe PDF) for more information.

Best regards,
Online security department
Federal Deposit Insurance Corporation

The attached ZIP file has the name FedDIC_0925_W61312.zip and contains the 47 kB file FDIC_FORM_09252011_Coll.exe.pdf. The numbers in the filename vary from email to email.

When MX Lab investigated the attached file, it appeared on screen as FDIC_FORM_09252011_Collexe.pdf. The trick is done by inserting a Unicode “right to left override” (RLO) character just before the p of pdf. The real filename is in fact FDIC_FORM_09252011_Coll.exe.pdf.
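The RLO trick works because Windows Explorer and mail clients render the name according to Unicode bidirectional rules while the file system and the loader see the raw bytes. The following Python is an added example (not MX Lab's code) that inspects an attachment name the way a mail gateway or quarantine script could: it lists any bidi control characters, simulates the rendered name, and recovers the real extension. The sample filename is constructed the way the trick is usually built (the stored name ends in .exe, the part after the override is stored reversed so that it renders as pdf); the exact byte sequence of the real attachment is not given on the page. The check is generalised to all Unicode bidi controls, not only RLO.

```python
import unicodedata

# Unicode bidirectional control characters that change how a name is rendered
# without changing its bytes. U+202E is the right-to-left override (RLO).
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}

# Extensions Windows will execute directly when the attachment is opened.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Constructed sample modelled on the campaign described above (not the real bytes):
# stored as "...Coll" + RLO + "fdp.exe", rendered as "...Collexe.pdf".
SAMPLE_RLO_NAME = "FDIC_FORM_09252011_Coll\u202efdp.exe"


def find_bidi_controls(name):
    """Return (index, Unicode name) for every bidi control character in the filename."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def strip_bidi(name):
    """The filename as the file system actually stores it, minus the invisible controls."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def displayed_name(name):
    """Approximate what a naive renderer shows: everything after the first RLO
    is drawn right-to-left, i.e. reversed. Full bidi layout is more involved;
    this simplification is enough to expose the extension swap."""
    idx = name.find("\u202e")
    if idx < 0:
        return strip_bidi(name)
    head, tail = name[:idx], name[idx + 1:]
    return strip_bidi(head) + strip_bidi(tail)[::-1]


def true_extension(name):
    """Extension the OS will act on, taken from the stored bytes, lower-cased."""
    clean = strip_bidi(name)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot >= 0 else ""


def assess_attachment(name):
    """Verdict for one attachment name: flags bidi controls, a rendered name that
    differs from the stored one, and a real extension that is executable."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    actual = strip_bidi(name)
    ext = true_extension(name)
    reasons = []
    if controls:
        reasons.append("bidi control character(s): " + ", ".join(n for _, n in controls))
    if shown != actual:
        reasons.append(f"rendered as {shown!r} but stored as {actual!r}")
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"real extension {ext} is executable")
    return {"name": name, "displayed": shown, "extension": ext,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for candidate in (SAMPLE_RLO_NAME, "report.pdf", "Postetikett.exe"):
        print(assess_attachment(candidate))
```

A gateway rule built on this would quarantine any attachment whose name contains a bidi control at all, since there is no legitimate reason for one in a filename, and separately any whose stored extension is executable regardless of what it renders as.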

The trojan is known as Artemis!CE5AEADAD3D5 (McAfee), W32/Yakes.B!tr (Fortinet), Trojan.Packed.666 (Dr Web), BC.Heuristic.Trojan.SusPacked.BF-6.A (ClamAV), Trojan-Downloader.Win32.Injecter.gty (Kaspersky).

The following files will be created:

%AppData%\KB441600.exe
%Temp%\D.tmp
%Temp%\POS3.tmp
%Temp%\POSC.tmp

The following directory is created:

%AppData%\FBDC89D4

Several Windows registry changes will be executed, and the trojan can establish connections to the following IPs 204.160.119.126, 210.125.243.177, 217.24.246.7, 66.208.205.74, 84.53.97.7 on port 80, and to the IP v on port 443.

Data can be obtained from the following URLs:

  • hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  • hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
  • hxxp://nugromilzek.ru/forum/index.php?cmd=getload&login=4117AF14E694E469C&sel=77777&ver=5.1&bits=0&file=2&run=ok
  • hxxp://nugromilzek.ru/forum/index.php?cmd=getload&login=4117AF14E694E469C&sel=77777&ver=5.1&bits=0&file=3
  • hxxp://nugromilzek.ru/forum/index.php?cmd=getload&login=4117AF14E694E469C&sel=77777&ver=5.1&bits=0&file=0&run=ok
  • hxxp://nugromilzek.ru/forum/index.php?cmd=getload&login=4117AF14E694E469C&sel=77777&ver=5.1&bits=0&file=1
  • hxxp://nugromilzek.ru/forum/index.php?cmd=getload&login=4117AF14E694E469C&sel=77777&ver=5.1&bits=0&file=2
  • hxxp://nugromilzek.ru/forum/index.php?cmd=getload&login=4117AF14E694E469C&sel=77777&ver=5.1&bits=0
  • hxxp://nugromilzek.ru/forum/index.php?cmd=getload&login=4117AF14E694E469C&sel=77777&ver=5.1&bits=0&file=0
  • hxxp://www.mijnhemubo.nl/files/light.exe

At the time of writing, only 11 of the 44 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: ce5aeadad3d5d0e693b5008be0a6c980.
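The indicators in this report (the C2 addresses, the repeating index.php?cmd=getload request shape and the sample MD5) can be turned into a proxy-log check. The Python below is an added example, not MX Lab's tooling; the log lines are constructed in a simplified "client method url" format and the two windowsupdate.com URLs are left unflagged on purpose, because authrootstl.cab and authrootseq.txt are Microsoft's trusted-root certificate list endpoints that clean machines also fetch. The getload matcher parses the query string rather than matching the literal URLs, so it catches the same request with parameters in a different order or with a different login value.

```python
import hashlib
from urllib.parse import urlparse, parse_qs

# Indicators taken from the report above.
C2_IPS = {"204.160.119.126", "210.125.243.177", "217.24.246.7", "66.208.205.74", "84.53.97.7"}
SAMPLE_MD5 = "ce5aeadad3d5d0e693b5008be0a6c980"


def is_getload_url(url):
    """True when the URL has the downloader's request shape: a path ending in
    /index.php whose query carries cmd=getload plus the login, sel, ver and
    bits parameters, in any order. The file= and run= parameters vary per
    request, so they are deliberately not required."""
    parsed = urlparse(url)
    if not parsed.path.endswith("/index.php"):
        return False
    query = parse_qs(parsed.query)
    if query.get("cmd") != ["getload"]:
        return False
    return all(key in query for key in ("login", "sel", "ver", "bits"))


def scan_proxy_log(text):
    """Return (client, url, reason) for every line that hits a C2 address or
    the getload download pattern. Lines are 'client method url'."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, url = parts[0], parts[2]
        host = urlparse(url).hostname or ""
        if host in C2_IPS:
            hits.append((client, url, "known C2 address"))
        elif is_getload_url(url):
            hits.append((client, url, "getload download pattern"))
    return hits


def matches_sample_hash(data):
    """Compare file bytes against the MD5 published in the report."""
    return hashlib.md5(data).hexdigest() == SAMPLE_MD5


# Constructed sample log (not a real capture). The first line copies a URL from the
# report with http:// restored; the second is a legitimate Microsoft root-list fetch.
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://nugromilzek.ru/forum/index.php?cmd=getload&login=4117AF14E694E469C&sel=77777&ver=5.1&bits=0&file=2&run=ok
10.0.0.12 GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
10.0.0.33 GET http://84.53.97.7/
10.0.0.45 GET http://example.com/forum/index.php?topic=12
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

The hash check is the weakest of the three indicators: the report already notes that the numbers in the attachment name vary per email, and repacked samples will carry a different MD5, whereas the request shape and the C2 addresses survive across variants.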

Google AdWords phishing campaign


MX Lab, http://www.mxlab.eu, started to intercept a new phishing campaign with the subject “Account has stopped running”, sent from the spoofed email address “Google Adword <adwords-noreply@google.com>”. This campaign targets AdWords users.

The recipient is informed that his AdWords campaigns stopped running as of this morning, Monday, September 26, 2011.

This is the full content:

We stopped running your Google ads this morning (Monday, September 26, 2011).

Dear AdWords Advertiser,

We had encountered a number of issues when reviewing your ads this morning and we stopped running them. We will review them again and make the necessary changes that will allow to run your ads without any problems.

Click here to review your ads and let us know if we made a mistake.

We’ll often stop running your ads until we are able to make the necessary updates. As soon as we made and saved the changes, your ads are automatically resubmitted to us for review.

Please note: If you do not verify the status of your Adwords account and notify us if your ads do not appear online we can not help you and your ads will stay offline for the next few days.

2011 Google is a trademark of Google Inc. All other company and product names may be trademarks of the respective companies with which they are associated. 1600 Amphitheatre Parkway Mountain View, CA 94043

The included URL leads to hxxp://www.google-ars.com/accounts/?ServiceLogin?service=adwords and brings the visitor to the following login webpage.

The login page requests the page login.php and then redirects the visitor to an official Google AdWords page, http://adwords.google.com/support/aw/bin/answer.py?hl=en&answer=142731.

Now, when I was looking at the above page, it made me wonder whether this version of the login page is still up to date. I surfed to the Google AdWords page and got the following:

It seems to me that the authors of this campaign didn’t make the effort to check the design and layout of the phishing login page and adapt it to the changed design that is online at Google. Never mind, it’s even better for us to see the difference between a real site from Google and a phishing attempt.

Deutsche Post email with attached ZIP file Postetikett contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Deutsche Post. Sie mussen eine Postsendung abholen” (German for “Deutsche Post. You must collect a mail item”). This seems to be a variant of the DHL and UPS delivery-problem emails, now presented in German with Deutsche Post as the carrier.

The email is sent from the spoofed address “Deutsche Post <post@deutschepost.de>” and has the following body (translated from the German original):

Dear customer,

Unfortunately our courier was unable to deliver a mail item to your address.
Reason: an error in the delivery address.
You can collect your mail item in person at our postal department.
Enclosed you will find a mailing label.
You must have this mailing label printed in order to receive your mail item at the postal department.

Thank you!
Deutsche Post AG.

The attached ZIP file has the name Postetikett_DE43313.zip and contains the 40 kB file Postetikett.exe.

The trojan is known as W32/Yakes.B!tr (Fortinet) or as a variant of Win32/Kryptik.LJ (NOD32).

At the time of writing, only 2 of the 44 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: df6b8f76fc0b76eaea9b104be1e28a70.

Emails “Sent via Google Maps” redirect to the Canadian Pharmacy


MX Lab, http://www.mxlab.eu, intercepted some spam messages with subjects like:

Sent via Google Maps: Brett Lepper sent you: A Maps link
Sent via Google Maps: Brenna Eber sent you: A Maps link
Sent via Google Maps: Theodora Cavitt sent you: A Maps link

The subjects start with ‘Sent via Google Maps:’ and end with ‘A Maps link’.
The From address is spoofed but always starts with ‘admin@’ followed by a subdomain address.

Message body examples:

This email was sent to you by a user on Google Maps:
Hi

hxxp://gertie8kthv.blogginc.asia/10/8/gertie-bawa.html
This email was sent to you by a user on Google Maps:
Hi

hxxp://elmira4221c.blogsun.asia/11/10/elmira-antoniuk.html

The URLs in the message will redirect the user to the website of the Canadian Pharmacy at hxxp://www.bestrxs.com/.
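The subject template, the admin@ sender on a subdomain and the two-line "sent to you by a user on Google Maps" body are stable enough to score this campaign without a URL blocklist. The Python below is an added example of such a rule (not MX Lab's filter); the two messages are constructed, with a placeholder link domain instead of the spam hosts quoted above, and the rule requires at least two of the three indicators so that a genuine Maps share from a friend is not caught on the subject line alone.

```python
import re
from email import message_from_string

# Subject template from the report: 'Sent via Google Maps: <name> sent you: A Maps link'.
SUBJECT_RE = re.compile(r"^Sent via Google Maps: .+ sent you: A Maps link$")
# Spoofed sender: 'admin@' on a subdomain, i.e. at least two labels before the TLD.
FROM_RE = re.compile(r"<?admin@(?:[a-z0-9-]+\.){2,}[a-z]{2,}>?$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
BODY_MARKER = "This email was sent to you by a user on Google Maps"


def classify(raw_message):
    """Score one raw RFC 822 message. Returns the verdict, the matched
    indicators and any URLs found in the body (for blocklisting or sandboxing)."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    sender = msg.get("From", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    urls = URL_RE.findall(body)
    reasons = []
    if SUBJECT_RE.match(subject):
        reasons.append("subject matches Maps-share template")
    if FROM_RE.search(sender):
        reasons.append("sender is admin@ on a subdomain")
    if BODY_MARKER in body and urls:
        reasons.append("Maps-share boilerplate body with external link")
    return {"spam": len(reasons) >= 2, "reasons": reasons, "urls": urls}


# Constructed sample modelled on the intercepted messages (placeholder link domain).
SAMPLE_MESSAGE = """\
From: admin@mail.example.net
To: victim@example.org
Subject: Sent via Google Maps: Brett Lepper sent you: A Maps link

This email was sent to you by a user on Google Maps:
Hi

http://spam-redirect.example/10/8/page.html
"""

# Constructed benign message for comparison.
BENIGN_MESSAGE = """\
From: alice@example.org
To: bob@example.org
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    print(classify(SAMPLE_MESSAGE))
    print(classify(BENIGN_MESSAGE))
```

The extracted URLs are the useful by-product: the report notes that each link is a redirect to the same pharmacy site, so resolving the redirect chain of a flagged URL in a sandbox and blocking the final destination catches later mailings that rotate the intermediate blog hosts.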

Your email is sending spam messages


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with various subjects like:

We will be impelled to sue you
We are going to sue you
We are suing you
You are sending add messages
A message from our security service

The email is sent from the spoofed address “ICI Investment <spam@ici.org>” and has the following body:

Hello.

Your email is sending spam messages!

If you don’t stop sending spam, we will be impelled to sue you!

We’ve attached a scanned copy of the document assembled by our security service to this letter.

Please carefully read through the document and stop sending spam messages.

This is the final warning!
ICI Investment Company.

The attached ZIP file has the name Attached_Document#02504.zip and contains the 45 kB file Attached_Document.exe.

The trojan is known as Trojan.Downloader.JOPJ (BitDefender, F-Secure, GData), Artemis!9121F25A31F5 (McAfee), Troj/Bredo-KE (Sophos).

Virus Total permalink and MD5: ddf4fb7e16e92219ba78dd4a22508e5a.
