Archive for August 5th, 2008

05 Aug

Sponsored Result != Safe

We have been monitoring several malware campaigns lately and are noticing the distribution spreading from spam e-mails alone to social networking sites and search engine sponsored results.

A good example is the CNN Top 10 malspam campaign we exposed yesterday. The e-mail comes off as legit to the average user and leads to infection.

In a malware-related Google search we entered the search term “CNN Top 10 XP Antivirus” and found a sponsored result for a rogue anti-malware product, Antivirus XP 2008.

[Screenshot: Google search results with the malicious sponsored result, whose ad text reads “Free online check! New Generation.”]

If we click the link we are taken to a rogue anti-malware site, hxxp://antivirus-xp-2008.net. *Warning* Live malicious site! Proceed at your own risk* It appears legit, offers a free scan, and even sports badges from PC Magazine, Sun, Microsoft, Intel, ICSA, Checkmark, and VB100 to keep it looking like a credible site.

[Screenshot: the XP Antivirus site]

If we download the files we get a zip file with 2 files. The files are pretty much undetected across the board because they are so new. We have included the JoeBox Sandbox reports for you to look at.

Zip Contents

Antivirus-XP-2008.exe
-> VirusTotal: Result: 6/36 (16.67%) CDFAE03CA18BBAF307A77F9BA2BB7B38
-> JoeBox Sandbox: JoeBox Sandbox Report

Update-July-2008.exe
-> VirusTotal: Result: 3/36 (8.34%) 2E3D63ED9BFF383926FBD34449513928
-> JoeBox Sandbox: JoeBox Sandbox Report

*UPDATED 8:35pm*

Found more sponsored links by simply searching “antivirus software” on Google. Same exact setup on a different domain name hxxp://2008antivirusxp.com.


[Screenshots: more sponsored results on other search engines, each linked to its VirusTotal results]

*UPDATED 8-06-08*

Another sponsored link for rogue antivirus software was found on a different domain, hxxp://xp-2008.com. This was found by searching ‘antivirus’. It has the potential to mislead many people, because searches for ‘norton antivirus’, ‘mcafee antivirus’, ‘panda antivirus’, or any other REAL software are also presented with this advertisement.


05 Aug

Malspam: Carrington Mortgage Services LLC owes you money!

Some malspam messages are being sent to users with an infected attachment. This malware may not be disinfected by your anti-malware product because it is compressed in a password-protected archive; the body of the e-mail provides the user with the password. The malspam contains the following message:

This email is for informational purposes only. Do not reply to the email address above.

A payment to Carrington Mortgage Services LLC in the amount of $8773.85 has been made from your Checking account

For further information about this transaction, please download attached invoice file (Password for ZIP archive: “invoice” )

If you did not authorize this payment to be made, please contact your financial institution or card issuer immediately for further instructions.

FKNC Privacy Statement: The information contained in this electronic mail transmission is intended by Fort Knox National Company for the use of the named individual or entity to which it is originally directed and may contain information that is privileged or otherwise confidential. It is not intended for transmission to, or receipt by anyone other than the named addressee (or a person authorized to deliver it to the named addressee). It should not be copied or forwarded to any unauthorized persons. If you have received this electronic mail transmission in error, please delete it from your system without copying or forwarding it, and notify the sender of the error by reply email or by calling Fort Knox National Company at 866-220-7121. Unauthorized use, dissemination, distribution, or reproduction of this message is strictly prohibited and may be unlawful.

The file enclosed in the archive is IN87129_717a.exe. Below are the results from Virustotal along with the sandbox results.

Virustotal: 15/36
Additional information (JoeBox)

File size: 58368 bytes
MD5…: eead764389f7e2b1939d147b198443a3
SHA1..: 94332eb2ead4bc9464ae1108ea2ab2b3c60d824b
SHA256: 74492a5d2e571ff6eae2f3ed913f372ab9620778c4ad522895d3aa805d1688f7
SHA512: 92ef95984fdd1db26f526c17ce897e2898858ca8410f3c0a39636ebdf0b852c6
35a2122adb4809d23363956008fae04f1071f94d7ad1afcae2834a48615a8262
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40107d
timedatestamp.....: 0x4806e3fb (Thu Apr 17 05:45:31 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x1010   0x1200   2.80   2b47bcb94b4842dbad7d705a4edde293
.data   0x3000   0x22b9b  0xc800   7.60   ded2450cbafedda4dfe1d972a0e701f2
.reloc  0x26000  0x1000   0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
.rsrc   0x27000  0x1000   0x600    4.66   0552eaf398afb9100b608d74807bcad7

( 1 imports )
> gdi32.dll: GetClipBox, GetBitmapBits, CreateDIBSection, SetTextColor, GetPixel, CreateDIBitmap, GetBrushOrgEx, CreateBitmap, CreateFontIndirectA, ExcludeClipRect

( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=eead764389f7e2b1939d147b198443a3
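The trick this malspam relies on is that a password-protected ZIP cannot be scanned at the gateway, so the archive has to be judged by its metadata instead. The script below is an added example (not from the post and not a product's code): it walks the ZIP local file headers, reads the "encrypted" general-purpose flag (bit 0) and the inner filename, and applies a simple hold/quarantine policy. The entry name IN87129_717a.exe is the one from the post; the archive bytes and the verdict labels are constructed here.

```python
import struct

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"   # the 30-byte ZIP local file header
FLAG_ENCRYPTED = 0x0001              # general purpose bit 0: entry is password protected
FLAG_DATA_DESCRIPTOR = 0x0008        # bit 3: sizes follow the data instead of the header
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def build_entry(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Constructed test data: one stored (uncompressed) local entry, no central directory."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 20, flags, 0, 0, 0,
                         0, len(payload), len(payload), len(name), 0)
    return header + name + payload

def list_local_entries(data: bytes) -> list:
    """Walk local headers directly, so a truncated or odd archive still yields names and flags."""
    entries, pos = [], 0
    while (pos := data.find(LOCAL_HEADER_SIG, pos)) >= 0 and pos + 30 <= len(data):
        (_, _, flags, _, _, _, _, csize, _, nlen, xlen) = struct.unpack(
            LOCAL_HEADER_FMT, data[pos:pos + 30])
        name = data[pos + 30:pos + 30 + nlen].decode("cp437", "replace")
        entries.append({
            "name": name,
            "encrypted": bool(flags & FLAG_ENCRYPTED),
            "executable": name.lower().endswith(EXEC_SUFFIXES),
        })
        # Skip the name, extra field and (when its size is known) the payload before searching on.
        pos += 30 + nlen + xlen + (0 if flags & FLAG_DATA_DESCRIPTOR else csize)
    return entries

def triage_attachment(data: bytes) -> str:
    """Gateway policy: an encrypted entry cannot be scanned, so it never gets a clean verdict."""
    entries = list_local_entries(data)
    if any(e["encrypted"] and e["executable"] for e in entries):
        return "quarantine"        # password-protected executable: the pattern in this malspam
    if any(e["encrypted"] for e in entries):
        return "hold-for-review"   # encrypted but not obviously executable
    return "pass"

# Constructed samples: the inner filename is the one named in the post, the bytes are not the malware.
MALSPAM_ZIP = build_entry(b"IN87129_717a.exe", b"MZ-placeholder-bytes", encrypted=True)
BENIGN_ZIP = build_entry(b"invoice.pdf", b"%PDF-placeholder", encrypted=False)

if __name__ == "__main__":
    for label, blob in (("malspam", MALSPAM_ZIP), ("benign", BENIGN_ZIP)):
        print(label, triage_attachment(blob), list_local_entries(blob))
```

On a complete archive the same flag is available as `zipfile.ZipInfo.flag_bits & 0x1`; the manual walk is there so a deliberately damaged central directory does not hide the entry.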

05 Aug

Malspam spreading name.avi.exe through celebrity “pornography”

Lots and lots of malspam these days. Here is a fresh round of malspam we’ve collected in the last few hours. These are attempting to get the user to download name.avi.exe (information below).

Here are some of the intriguing subjects and bodies of this campaign.

Subject
Your order
Your order is executed

Body
Nude Celebrities (Jennifer Lopez)- huge archive of Naked Celebs. Free pics & videos.
Angelina Jolie N@ked – Extremly Video!
All your favorite celebrities caught naked !
BRITNEY NUDE VIDEO. 00:58
T!t$ Photo and Video Angel!na Jolie
JENNIFER LOPEZ EXTREMLY NAKED!!!
Angelina Jolie Videos, Pics, Celebrity $ex Tapes.
Cameron Diaz Nude – Free Video – See Now!!
Free Nude Celebrity – all your favorite celebrities caught naked !!
Nicole Kidman N@ked – Video, Pictures

Virustotal: 12/36
Additional information (JoeBox)

File size: 138752 bytes
MD5…: 88be4cf23bf477d1d32f558e22607ed3
SHA1..: 7e9ffece41fc0e8ae1f866fb763b0983b60e70df
SHA256: c657532cc59ede8d92dc47d185407b5e7e1d72e5216396d8456aeb1f7f9aa34a
SHA512: 2139d6ad9f6950ba66e1a3d7975e992c07dc40bd30a350a94e8d21b73068f5a3
fbaed6dbce03366c8e2a499e460e445cfaa4ece463f2b24d43a715652ac2bb9c
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x402f77
timedatestamp.....: 0x4897342d (Mon Aug 04 16:54:05 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.code   0x1000   0x3388c  0x4a00   3.91   a52a8eadd95c07842ce55336e14b6226
DATA    0x35000  0x1b380  0x1ac00  8.00   92acecf8c3c1dd2466e423fe3eab02ea
.rsrc   0x51000  0x1000   0x400    6.85   e9f67bb8713e98caf74e01bf392003c8

( 0 imports )

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=8185F2D7003567E21EC702A9BAA2DB00E60C9AE5
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=88be4cf23bf477d1d32f558e22607ed3
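Both PE reports on this page (this one for name.avi.exe and the one for IN87129_717a.exe above) carry the signs a triager reads before any sandbox run: a section with entropy near 8.0, a section with no raw data, a virtual size far larger than the raw size, and an empty import table. The script below is an added example (not from the post, VirusTotal or JoeBox) that computes the entropy shown in the ntrpy column and applies those rules to the two section tables; the 7.0 entropy threshold and the 4x size ratio are assumptions.

```python
import math
from collections import Counter

PACKED_ENTROPY = 7.0   # bits/byte; compressed or encrypted data sits near 8.0 (assumed threshold)
UNPACK_RATIO = 4       # virtual/raw size ratio that suggests a section is filled at runtime (assumed)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0: the quantity in the report's ntrpy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_sections(sections, import_count):
    """sections: (name, virtual_size, raw_size, entropy) tuples as read from the PE report."""
    findings = []
    for name, vsize, rsize, ent in sections:
        if ent >= PACKED_ENTROPY:
            findings.append(f"{name}: entropy {ent:.2f}, likely packed or encrypted")
        if rsize == 0 and vsize:
            findings.append(f"{name}: no raw data, {vsize:#x} bytes reserved at runtime")
        elif vsize > UNPACK_RATIO * rsize:
            findings.append(f"{name}: virtual size {vsize:#x} far exceeds raw size {rsize:#x} (unpack target)")
    if import_count == 0:
        findings.append("no import table: APIs are resolved at runtime by an unpacker stub")
    return findings

# Section tables transcribed from the two reports on this page (virsiz, rawdsiz, ntrpy columns).
IN87129_SECTIONS = [(".text", 0x1010, 0x1200, 2.80), (".data", 0x22b9b, 0xc800, 7.60),
                    (".reloc", 0x1000, 0x0, 0.00), (".rsrc", 0x1000, 0x600, 4.66)]
NAME_AVI_SECTIONS = [(".code", 0x3388c, 0x4a00, 3.91), ("DATA", 0x1b380, 0x1ac00, 8.00),
                     (".rsrc", 0x1000, 0x400, 6.85)]

if __name__ == "__main__":
    # Constructed inputs showing the two ends of the entropy scale the column measures.
    print("zeros:", shannon_entropy(b"\x00" * 64), "all bytes:", shannon_entropy(bytes(range(256))))
    for label, table, imports in (("IN87129_717a.exe", IN87129_SECTIONS, 1),
                                  ("name.avi.exe", NAME_AVI_SECTIONS, 0)):
        print(label)
        for finding in triage_sections(table, imports):
            print("  -", finding)
```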
