Kelihos botnet taken down by Microsoft

According to an article on the official Microsoft Blog, the botnet Kelihos, also known as Waledac 2.0, was taken down on 27 September 2011 by Microsoft in an operation codenamed “Operation b79”.

Read the full story.

Google Picasa scam

MX Lab, http://www.mxlab.eu, reported earlier on emails that offer an alternative to the official Adobe PDF Reader and on VOIP add-ons for Skype.

It now seems that Google Picasa is the next victim of the same type of scam. We intercepted a few messages with the subject “The iTunes of Photo Organization” coming from the email address Picture Tools <megantivir@aphyet.com>. This is the message:

The message has a download URL in the format hxxp://aphyet.com/re.php?lnk=1203683910&e=****.****@****.be. Following the link takes us to hxxp://officialversion.su/pics/1/index.asp?aff=11677&camp=esp_may09hld_picasa_jun10 with the following web site:

Notice the “Download Picasa” button on the right and the mention of 24/7 support. This looked very familiar and rang a bell at the MX Lab HQ, so we investigated the web site further.

We found a registration and order process very similar to the earlier cases with the Adobe PDF Reader 2011 and the VOIP add-ons for Skype.

The payment transaction appears to be processed over an unencrypted HTTP connection, but a look at the HTML shows that the payment form is embedded in an <iframe> and that the form is processed by hxxps://secure-signupway.com/p06/?siteid=6882. This domain is known for fraudulent payment processing, so your credit card details will end up in the wrong hands.
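The pattern above (a plain HTTP order page framing a card form hosted on an unrelated HTTPS domain) is easy to miss from the address bar alone. The following is an added example, not code from the original post, that pulls every iframe source and form action out of a page and reports whether the target leaves the page's origin; the hostnames in the sample are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class EmbedCollector(HTMLParser):
    """Collect <iframe src> and <form action> targets from an HTML document."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (kind, raw url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.targets.append(("iframe", a["src"]))
        elif tag == "form":
            # A form without an action posts back to the page itself.
            self.targets.append(("form", a.get("action") or ""))


def audit_embedded_targets(page_url, html):
    """Resolve every iframe/form target against the page URL and report whether it
    leaves the page's host and whether the visible page was loaded over plain HTTP."""
    parser = EmbedCollector()
    parser.feed(html)
    page = urlsplit(page_url)
    report = []
    for kind, raw in parser.targets:
        target = urlsplit(urljoin(page_url, raw))
        report.append({
            "kind": kind,
            "target": target.geturl(),
            "offsite": target.hostname != page.hostname,
            "page_over_http": page.scheme == "http",
            "target_over_https": target.scheme == "https",
        })
    return report


# Constructed sample mirroring the post: an HTTP order page that frames a card form
# hosted on a different HTTPS domain, plus a harmless same-page form.
SAMPLE_PAGE_URL = "http://shop.example/pics/1/order.asp"
SAMPLE_HTML = """
<html><body>
<h1>Order now</h1>
<iframe src="https://payments.example.net/p06/?siteid=0000"></iframe>
<form method="post"><input name="newsletter"></form>
</body></html>
"""

if __name__ == "__main__":
    for entry in audit_embedded_targets(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(entry)
```

A framed form that is off-site and HTTPS while the surrounding page is HTTP is exactly the case where the browser shows no padlock for the page the user is actually looking at.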

As expected, the registrant details of the domain are hidden behind a privacy protection service, and the domain was registered only a few days ago.

Domain Name: APHYET.COM 

Registrant:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Creation Date: 06-Jun-2011
Expiration Date: 06-Jun-2012

Domain servers in listed order:
    ns1.reg.ru
    ns2.reg.ru

Administrative Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Technical Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Billing Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Our recommendation is not to fill in any credit card details, as they will likely be abused, and not to download this software. Please note that for the real Picasa you need to go to the Google web site at http://picasa.google.com/. And it’s free.

2 DNS name servers of DNS.BE experienced an unusually high workload

DNS.BE, the Belgian organization that manages all registrations of domain names under the .be TLD, reported that its DNS name servers received an unusually high workload, up to 6 times more queries than average, which left 2 servers hardly available for 4 hours last Sunday. The other 47 name servers were perfectly able to back up the service and surfers to .be sites did not notice any delays.

A botnet responsible for sending out spam made many DNS requests to the name servers of DNS.BE for the MX records of domains. Normally these requests are not sent to DNS.BE but to the name servers of the domain name holders: the top level name servers only hold the delegation to those name servers, so a requester asking them directly for MX records gets back a response that the query fails.

Organisations such as CERT (the Belgian National Computer Emergency Response Team) and the FCCU (Federal Computer Crime Unit) were informed about the “attack”, or rather abuse, of the DNS name servers.

The investigation shows that the botherders did not configure the botnet as they should have and that it was not a direct attack on DNS.BE. Most traffic came from Eastern Europe and South America.
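Since a TLD server holds delegations and never MX records, MX queries arriving there are misdirected by definition, which makes the abuse described above easy to spot in a query log. The following is an added example, not code from DNS.BE or the original post; the BIND-style log format and the client addresses are constructed for illustration.

```python
import re
from collections import Counter

# BIND-style query log line. The format is constructed for this example; adapt the
# pattern to your own server's query log.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse_query_line(line):
    """Return (client_ip, qname, qtype) for a query log line, or None if it does not match."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def mx_queries_by_client(lines):
    """Count MX queries per client. A TLD server cannot answer these, so every one
    of them is a misconfigured or abusive requester."""
    counts = Counter()
    for line in lines:
        parsed = parse_query_line(line)
        if parsed and parsed[2] == "MX":
            counts[parsed[0]] += 1
    return counts


def mx_share(lines):
    """Fraction of parseable queries that ask for MX records (a sudden rise is the
    kind of signal that would explain a 6x query spike)."""
    parsed = [p for p in (parse_query_line(line) for line in lines) if p]
    if not parsed:
        return 0.0
    return sum(1 for p in parsed if p[2] == "MX") / len(parsed)


def flag_misdirected_clients(lines, threshold=3):
    """Clients that sent at least `threshold` MX queries, most active first."""
    return [(ip, n) for ip, n in mx_queries_by_client(lines).most_common() if n >= threshold]


# Constructed sample: one client hammering the TLD server with MX lookups, one client
# doing a couple, and a resolver behaving normally (NS lookups to follow delegation).
SAMPLE_LOG = [
    "client 203.0.113.7#40111: query: alpha.example IN MX -E (198.51.100.1)",
    "client 192.0.2.5#53001: query: alpha.example IN NS -E (198.51.100.1)",
    "client 203.0.113.7#40112: query: bravo.example IN MX -E (198.51.100.1)",
    "client 198.51.100.22#61002: query: charlie.example IN MX -E (198.51.100.1)",
    "client 203.0.113.7#40113: query: charlie.example IN MX -E (198.51.100.1)",
    "client 192.0.2.5#53002: query: delta.example IN NS -E (198.51.100.1)",
    "client 203.0.113.7#40114: query: delta.example IN MX -E (198.51.100.1)",
    "client 198.51.100.22#61003: query: echo.example IN MX -E (198.51.100.1)",
    "not a query line at all",
]

if __name__ == "__main__":
    print("MX share:", mx_share(SAMPLE_LOG))
    print("misdirected clients:", flag_misdirected_clients(SAMPLE_LOG))
```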

More reading:

DNS.BE: http://www.dns.be/en/home.php?n=461
Datanews (in Dutch): read article
De Standaard (in Dutch): read article on Monday
De Standaard (in Dutch): read article on Tuesday

Japan earthquake exploited by scammers

As with all major events worldwide, spammers and scammers exploit these events to get their message delivered into your inbox. With the earthquake, the tsunami and the problems in the nuclear power plants in Japan it is no different.

MX Lab, http://www.mxlab.eu/, has intercepted some emails in which scammers try to exploit people’s generosity. Here we have an example with the subject “JAPANESE EARTHQUAKE VICTIMS!”:

Dear Sir/Madam,

I am Kasumi Umeko resident in Spain. We have other japanese families living as a community here in Spain. Our family members were severely affected by the recent Tsunami earthquake that happened in the pacific ocean that devasted Tokyo and led to the lost over 13,000 lives and properties worth billions of Dollars.

We implore to help the earthquake victims that lack food and shelter. We have established a distribtion channel to these victims. You can send your gifts and aids as cash by western union money transfer system to our division responsible for the distribution of food, shelter and medical assistance using the information stated below:

FIRST NAME: SHIZUKA
LAST NAME:TADASHI
ADDRESS: CALLE VELAZQUEZ 8
28010 MADRID.

After making the payment send the payment details to the Assistance Distribution Section as stated below:

SENDER’S DETAILS:
FIRST NAME:
LAST NAME:
MONEY TRANSFER CONTROL NUMBERS. (MTCN)
COUNTRY:
ADDRESS:
Email: japvictimsesp@yahoo.co.jp

Thanks for your assistance to the need of humanity of the Japanese people. May God richly blessed and also expand your territory in any field of your endevour.

Yours truly,
Susumu Takumi

Now, please, do not fall for such scams. You will only transfer funds to people who have no intention whatsoever of helping the Japanese people. When emails like this one mention “western union money transfer system” you should be very careful, and it is even better to delete the message immediately.

Emails with the URL anoniemberichtje.com are a phishing attempt and lead to an expensive SMS subscription

MX Lab intercepted some emails with the subject “Lees ffkes mn bericht”, which can be translated to “read my message”.

This message is written in Dutch, with some words in dialect, and targets Dutch email users. It notifies the recipient that a private message is waiting to be read.

The message appears to come from a Hotmail.com account and is sent from one of the Hotmail servers with the IP 65.55.111.173. The IP seems to be a valid IP address in use by Hotmail.

IP Address: 65.55.111.173
Host: blu0-omc4-s34.blu0.hotmail.com
Location: US, United States
Organization:  Microsoft Corp

The body of the email:

Ik heb u juist een anoniem berichtje gestuurd, kunde da ffkes lezen?

Klik op onderstaande link om het berichtje te zien.

hxxp://www93.anoniemberichtje.com/?message=3191332f9645ad23fc538e1932cd936d

Wij zijn de enigste die het berichtje kunnen zien.

Stuurt ge wa terug?

Translated to English:

I just sent you an anonymous message, can you read it?

Click on the link below to see the message.

hxxp://www93.anoniemberichtje.com/?message=3191332f9645ad23fc538e1932cd936d

We are the only ones who can see the message.

Will you send something back?

When following the URL you will get the following screen.

Great, you will need to fill in your Windows Live account details on a non-Microsoft web site. This looks to me like a genuine phishing attempt in the first place.

We filled in a dummy email address and password combination and the web page became visible.

It’s all in Dutch but I will give you an idea of what this page is about: “You have received 1 private message” and you will need to fill in your mobile number in the web form. From that point on you will receive an SMS and will need to confirm your mobile number.

After that, the private message for you will be visible and you can also send unlimited private messages.

The web site also states “Are you under 18? Ask permission from your parent or guardian” and, on the right, the black box with 3355, which is a special mobile SMS number, and 28.00 € / week makes it appear that you are subscribing to a sort of SMS service for that amount.

Now, the domain anoniemberichtje.com is registered with the following details.

Domain Name      : anoniemberichtje.com
PunnyCode        : ANONIEMBERICHTJE.COM
Creation Date    : 2010-09-02 13:59:22
Updated Date     : 2010-09-14 09:32:35
Expiration Date  : 2011-09-02 13:59:19

Registrant:
  Organization   : wu ling
  Name           : wuling
  Address        : ShangHai
  City           : Shang Hai
  Province/State : Shanghai
  Country        : cn
  Postal Code    : 200085

Administrative Contact:
  Name           : wuling
  Organization   : wuling
  Address        : ShangHai
  City           : Shang Hai
  Province/State : Shanghai
  Country        : cn
  Postal Code    : 200085
  Phone Number   : 86-755-12345678
  Fax            : 86-755-12345678
  Email          : lixing763@yahoo.cn

Technical Contact:
  Name           : wuling
  Organization   : wuling
  Address        : ShangHai
  City           : Shang Hai
  Province/State : Shanghai
  Country        : cn
  Postal Code    : 200085
  Phone Number   : 86-755-12345678
  Fax            : 86-755-12345678
  Email          : lixing763@yahoo.cn

Billing Contact:
  Name           : wuling
  Organization   : wuling
  Address        : ShangHai
  City           : Shang Hai
  Province/State : Shanghai
  Country        : cn
  Postal Code    : 200085
  Phone Number   : 86-755-12345678
  Fax            : 86-755-12345678
  Email          : lixing763@yahoo.cn

So, the conclusion is that you had better not fill in your mobile number or your Windows Live account details.

Emails offering PDF Reader 2010 lead to an insecure payment site

MX Lab intercepted some emails with the subject “Upgrade New PDF Acrobat Reader/Writer For Windows And Mac” from the email address “Adobe <newsletter@adobe-upgrade-2010.com>”. Notice the use of the Adobe name in the email. In the email, an offer is made to download the new PDF Reader 2010 for Windows and Mac.

This is the body of the email:

PDF Reader 2010 – New Version for Windows and Mac
The latest PDF Reader: Open, Edit Create PDF Files

What’s new in this version :

-Open, edit and view all PDF files.
-Enhanced performance with faster loading and zooming.
-Collect your data and combine it into a high quality document.

hxxp://www.adobe-upgrade-2010.com/

Thank you for choosing us, the worldwide leader in PDF Reader
Solutions.

Best Regards,

Tommy Johnson
PDF Reader 2010

When visiting this web site it all makes perfect sense: it’s a company that offers a PDF Reader/Writer that can do more than the Adobe Reader on its own. But when you go further you will notice some issues with the web site and the offer.

When following the URL in the email, you get redirected to hxxp://2010-pdf-pro.com/.

It seems like you can download the software for free, as there is no pricing information on the web site, so you go forward with the Download button.

The Download button leads to the page hxxp://2010-pdf-pro.com/join.asp but you get redirected again, to the domain hxxp://secure-signup.ru/. Do not get fooled by the domain name secure-signup.ru. The browser session is not secured at all, while most genuine web shops already use a secured https:// session when you sign up for a service or software.

The site asks you to fill in your email address twice for confirmation, your first and last name, and your country.

When continuing to step 2 you get the membership choices and here we have it: the PDF Reader 2010 is not free. You will need to choose between 1, 2 or 3 years of online access and support.

When you have made your choice you can continue the process by validating your credit card. Notice that you haven’t filled in any details regarding invoicing: the web forms did not ask for your address, zip or postcode to create an invoice or proof of purchase.

On the web form to validate your credit card you still have no secure https:// connection. This means that your details are sent over the internet without any encryption at all and can be read by anyone. What’s worse, your credit card details are now in the hands of a person or group with bad intentions.

Update 29 July 2010:

On the 27th we filled in a dummy email address to test the web forms on the web sites above, and today we received a mailing with the following content:

Dear valued customers,

We are pleased to announce the newest version of PDF Reader 2010 which will enable you to view, create, edit and print PDF documents. The PDF format as a global exchange document format is created by Adobe and is the most efficient way to exchange information.

Simply visit the link below and enter your PDF reader code:

PDF Reader Code: 5013
Go here to receive the latest 2010 version

Thank you for choosing us, the worldwide leader in PDF Reader solutions.

Mike Robertson
PDF Reader Support

Copyright PDF Reader 2010 – All rights reserved

You are currently subscribed to sm-pdf as geert@betransport.com
Safely unsubscribe from sm-pdf at any time.

Media Internet Consultants – Edif. Neptuno, Planta Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a, Panama

Behind “Go here to receive the latest 2010 version” is the link hxxp://list.directmediafive.com/t/2549518/64766653/4988/0/ which redirects you to hxxp://new-pdf-reader.com/1/promo/index.asp?aff=11677&camp=pdf_x1.

The web form is now somewhat different and allows you to fill in your PDF Reader code 5013, which gives you a certain discount. When we wanted to leave the page and go back one page, we got a pop-up window with a 50% reduction in the price, offered for a 24 hour period with a countdown counter on the site.

When going further through the process, we did get an https:// connection for sending the credit card details. But based on the facts above and mentioned in this article, I would not recommend anyone doing this. There are too many signs that buying on this site will result in trouble.

The mailing also contains an unsubscribe URL using hxxp://list.directmediafive.com/, which gives you the idea that this is a genuine company. But what is quite interesting is that when visiting the domain http://www.directmediafive.com/ directly, you get the web page of a parked domain.

We have used the unsubscribe URL included in the mailing and will now see what happens during the next few days.

Directory scam: Registration of the World Business Directory 2010/2011

MX Lab reported in 2009 about the misleading marketing trick that the World Business Directory uses. Guess what, they are back!

MX Lab received a new registration form from the World Business Directory and again, we want to point out a few things before you sign their contract.

The email comes from info@companyworld2010.com with the subject “Registration of the World Business Directory 2010/2011” and this is the email content:

Dear Madam/Sir,

In order to have your company registered in the World Business
Directory for 2010/2011, please print, complete and return the
enclosed form (PDF file) to the following address:

World Business Directory
Suite 149 – Rosden House – 372 Old Street
EC1V 9AU / London – United Kingdom
E-mail: office@companyworld2010.com
Fax: +44 207 806 8157

Updating is free of charge!

To unsubscribe, please send an email to
unsubscribe@companyworld2010.com

Attached is a PDF file named world-businessdirectory.pdf.

The 1st point that needs your attention is text block 1:

To update your company profile, please print, complete and return
this form (Updating is free of charge). Only sign if you want to
place an insertion.

As you can read, updating is free of charge, but if you want your company to get listed in this directory you will need to sign and pay.

What is the price of this directory, you may ask? Well, you have to go to text block 2 with the very small letters, which includes:

I WILL HAVE AN INSERTION INTO ITS DATA BASE FOR THREE YEARS. THE PRICE PER YEAR IS GBP 980.

And there you have it: this contract will cost your business a total of GBP 2940 over 3 years. After the 3 year subscription you can stop your contract if you inform them on time:

THE SUBSCRIPTION WILL BE AUTOMATICALLY EXTENDED EVERY YEAR FOR ANOTHER YEAR, UNLESS SPECIFIC WRITTEN NOTICE IS RECEIVED BY THE SERVICE PROVIDER OR THE SUBSCRIBER TWO MONTHS BEFORE THE EXPIRATION OF THE SUBSCRIPTION.

A few arguments from our side that this is a scam:

The sender email address uses the domain companyworld2010.com, and when we checked whether a site is online we got the notification “This account has been suspended”. We might see new emails from the World Business Directory appear with other domains.

When looking up the WHOIS information for the domain we got the following:

Registrant:
 international group c/o Free Private Reg
 P.O. Box 81024
 Burnaby, BC V5H 4K2
 CA

 Domain name: COMPANYWORLD2010.COM

 Administrative Contact:
    boot, cornelis  companyworld2010.com@freeprivateregistration.com
    P.O. Box 81024
    Burnaby, BC V5H 4K2
    CA
    852-3594-1708
 Technical Contact:
    Hostmaster, Domain  hostmaster@doteasy.com
    Suite 210 - 3602 Gilmore Way
    Burnaby, BC V5G 4W9
    CA
    (604) 434-4307    Fax: (604) 608-6832

 Registrar of Record: In2net Network Inc.
 Record last updated on 05-Mar-2010.
 Record expires on 05-Mar-2011.
 Record created on 05-Mar-2010.

 Domain servers in listed order:
    DNS8.DOTEASY.COM   65.61.199.14
    DNS7.DOTEASY.COM   65.61.198.14

 Domain status: clientTransferProhibited
                clientUpdateProhibited

The registrant information is rather vague and points to a PO Box, and the administrative contact has the same address. The domain freeprivateregistration.com in the email address of the administrative contact is just a domain alias of doteasy.com. These details must be fake.

In 2009 the PDF document had to be returned to an address in The Netherlands; in this 2010/2011 edition it has to be returned to an address in London, UK.

When visiting their site at http://www.world-businessdirectory.com/ on the ‘About us’ page we found the following text:

The World Business Directory online is product of EU Business Services Ltd, a corporation organized and existing under the laws of Nevis, West Indies.

We also found the UK address on the ‘Contact us’ page.

Our recommendation is: don’t sign the document and don’t do business with this company.

Follow these guidelines if you are a victim of this directory scam:

  • Do not pay, even if they suggest they will take your case to court.
  • If you have paid a certain amount, stop the next payments. Expect that you won’t get a refund either.
  • Send them a letter informing them you have been misled and telling them to cancel the contract.
  • If possible, report to (local) authorities.

Additional information:

Stop EU Business Services Ltd Trading As World Business Directory
Stop world-businessdirectory.com

On the web site of Richard Corbett you can find some background information about directory scams and what to do when you are a victim of such a scam.

ZBot trojan targets AIM users

MX Lab intercepted a few emails regarding AOL Instant Messenger accounts, but in fact the included URL leads to a web site that hosts malware. The malware is known as Trojan-Spy.Win32.Zbot.gen (Kaspersky), PWS:Win32/Zbot.gen!R (Microsoft) or Trojan.Zbot!gen3 (Symantec).

The email comes from the spoofed address AIM <no_reply_instant_messenger@aol.com> with possible subjects such as:

Your AIM account is flagged as inactive
Your AIM account will be deleted
YourAOL Instant Messenger account will be deleted

Body of the email:

Dear AOL Instant Messenger user,

Your AIM account is flagged as inactive. Within the following 72 hours it’ll be deleted from the system.

If you plan to use this account in the future, you have to download and launch the latest update for the AIM. This update is critical.

In order to install the update use the following link . This link is generated exclusively for your account and is available within a certain period of time. As soon as this link is not available anymore you will get another letter.

Thank you,

AIM Service Team

This e-mail has been sent from an e-mail address that is not monitored. Please do not reply to this message. We are unable to respond to any replies.

The email contains a link to the web site hxxp://update.aol.com.terfkiof.net.pl/products/aimController.php?code=2902***&email=***r@r***.com. Note that the hostname only starts with update.aol.com; the registered domain is actually terfkiof.net.pl. It is possible that other links are being used in this campaign.

This web site prompts you to download the file aimupdate_7.1.6.475.exe (size: 128 kB). When executed it infects your computer with ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screenshots, downloads additional components, and provides the attacker with remote access to the compromised system.

The file %System%\sdra64.exe is created on an infected system, along with a hidden directory %System%\lowsec and the hidden files %System%\lowsec\local.ds, %System%\lowsec\user.ds and %System%\lowsec\user.ds.lll.

The trojan can request data from the following URLs:

* http://nekovo.ru/cbd/nekovo.bri
* http://nekovo.ru/ip.php

VirusTotal permalink and MD5: d267e1ccc1a30134ab965fcaa39d145c. At the time of writing, only 9 of the 41 AV engines detected the trojan. Our recommendation is therefore not to follow the URL and certainly not to download and install this so-called AIM update.

SpamAssassin 2010 bug caused by “old” rule

SpamAssassin, a widely used open-source anti-spam detection system, had an issue on January 1, 2010 with a rule that checks the date of an email message to detect emails from the future, which can be an indicator of spam.

For readers who are not familiar with SpamAssassin, here is a brief explanation of how it works. SpamAssassin checks each incoming message against a set of rules. These rules describe what to search for and define a score that is added when a match is found.

The rule FH_DATE_PAST_20XX checks whether a message is dated in the near future and increases the score by 3.2 points if so. Apparently, the search date was 01-01-2010.

As a result, all messages had their score increased by 3.2 by default. Combined with other rules the score per message can increase further, and eventually the message can be labeled as spam by SpamAssassin, depending on the configuration. This leads to many false positives.

The date for the rule has been changed to 01-01-2020 according to the SpamAssassin Wiki.
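The root cause described above is a "future date" check implemented as a literal year match, so it fires for every message once the calendar reaches that year, and moving the literal to 2020 only postpones the same failure. The following is an added example, not SpamAssassin's own code: it contrasts a year-literal rule (the range is an assumption standing in for the post's description, not the upstream regex) with a check that compares the Date header against the current time.

```python
import email.utils
import re
from datetime import timedelta, timezone

FH_DATE_PAST_SCORE = 3.2

# The failing shape as the post describes it: a literal year match. Once the calendar
# reaches that year every legitimate message matches. (Assumed range for illustration;
# the exact upstream regex is not on the page.)
BROKEN_RULE = re.compile(r"\b20(1[0-9]|[2-9][0-9])\b")


def parse_date_header(value):
    """Parse an RFC 2822 Date header into a timezone-aware datetime, or None if unparsable."""
    try:
        dt = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    if dt is None:  # some Python versions return None instead of raising
        return None
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def broken_rule_score(date_header):
    """Score the way the hard-coded rule did: the year literal alone decides and
    the current date is never consulted."""
    return FH_DATE_PAST_SCORE if BROKEN_RULE.search(date_header) else 0.0


def future_date_score(date_header, now, tolerance=timedelta(hours=24)):
    """Score a message as 'from the future' only if its Date is more than `tolerance`
    ahead of `now`. Unparsable dates get no score here; a real rule set scores them
    with a separate rule."""
    dt = parse_date_header(date_header)
    if dt is None:
        return 0.0
    return FH_DATE_PAST_SCORE if dt - now > tolerance else 0.0


if __name__ == "__main__":
    # Constructed headers around the 1 January 2010 boundary the post describes.
    now = parse_date_header("Fri, 1 Jan 2010 10:00:00 +0000")
    for hdr in ("Thu, 31 Dec 2009 09:00:00 +0000",
                "Fri, 1 Jan 2010 09:00:00 +0000",
                "Sat, 1 Jan 2011 09:00:00 +0000"):
        print(hdr, "literal:", broken_rule_score(hdr), "relative:", future_date_score(hdr, now))
```

The literal rule scores every message dated 2010 or later, while the relative check only scores the one that is genuinely a year ahead of the clock, whatever the current year is.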

More information:

Mike Cardwell Blog
IT Slashdot

I do hope that the SpamAssassin admins change the rule on time to avoid a 2020 bug in their rule set.

In case you’re wondering…. no, MX Lab does not use SpamAssassin so our services were not affected by this issue.

Best wishes for 2010

We would also like to use the opportunity to thank all the readers of the MX Lab blog for their visits and the posted comments. We are committed to contributing further email security related articles, and we will also use Twitter to inform about email based threats and certain aspects of our business.

MX Lab wishes everyone a virus and spam-free 2010.
