Zeus Spam Spoofing Career Builder Alerts!

5 11 2010

One of our users got a suspicious email this morning inviting him to apply for a job with a stable income. The email claims to be from Tina Shaffer of AKVA PROGRESSIVE LLC. The spam mimics CareerBuilder job alerts to entice the victim.

At first glance, the spam appears to be looking for a money mule. However, after a closer look at the embedded link (www.akvaprogressive.com), we find that the payload includes the Zeus/Zbot attack.


<Email Sample>
<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>
CareerBuilder Job Application Re:

From:
Tina Shaffer <hanalizabeth@gmail.com>

To:    Joe54@aol1.com

Thank you for uploading your resume on Career Builder.

We looked through your resume and would like to offer you a simple job
with a stable income.  We are looking for candidates for a Service
Manager position. Even if you already have a job you can still apply
for this position because it can be used as a part-time job. You can
visit our web-site:

hxxp://www.akvaprogressive.com <– Embedded link points to IP: 193.104.34.59

Any operational experience is not required. Our company will sign an
agreement with you and you will be trained by us for free. To get
started you’ll need to create an account with any local bank to
process the transactions from our clients and sign the agreement. You
will be able to get your first profit in about 5 business days. We
offer base pay plus commission on top of it.

Please complete the registration on our website:

hxxp://akvaprogressive.com/r.php?i=4 <—— Malware link and payload.

and give me a call or send me an e-mail ( t84white@hotmail.com) after
finishing the process.

Best,

Tina Shaffer
Manager AKVA PROGRESSIVE LLC

t84white@hotmail.com
<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

<Malware Link Analyzed: hxxp://akvaprogressive.com/r.php>

  • IP: 193.104.34.59

<Links>

  • hxxp://akvaprogressive.com/index.php?option=com_comprofiler&task=registers&Itemid=2&adminid=4
  • Opening page hxxp://akvaprogressive.com/index.php?option=com_comprofiler&task=registers&Itemid=2&adminid=4…

<Malicious Files Created, including JavaScript>

  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\overlib_mini[1].js
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPURSX23\template[1].css
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\overlib_hideform_mini[1].js
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\template_css[1].css
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\center-bg-center[1].png
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\index[1].htm

<Malware Variants>

  • Troj/ExpLogHm-A
  • mdl_pdf exploit
  • mdl_zeus/wsnpoem v2 config file

<Malware HTTP Traffic>

  • From site:1039 to 193.104.34.59:80 – [akvaprogressive.com]
  • Request: GET /r.php?i=4
  • Response: 302 “Found”
  • 93.104.34.59:80 – [akvaprogressive.com]
  • Request: GET /templates/stroy/css/template_css.css
  • Response: 200 “OK”
  • From site:1042 to 193.104.34.59:80 – [akvaprogressive.com]
  • Request: GET /sites/all/themes/stroy/fix-ie.css
  • Response: 404 “Not Found”
  • From site:1043 to 193.104.34.59:80 – [akvaprogressive.com]
  • Request: GET /components/com_comprofiler/plugin/templates/default/template.css
  • Response: 200 “OK”
  • From site:1044 to 193.104.34.59:80 – [akvaprogressive.com]
  • Request: GET /components/com_comprofiler/js/overlib_mini.js
  • Response: 200 “OK”
  • From site:1046 to 193.104.34.59:80 – [akvaprogressive.com]
  • Request: GET /components/com_comprofiler/js/overlib_hideform_mini.js
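Sandbox traffic notes in the shape of the list above are easier to turn into blocklist entries and detections once parsed. The following Python is an added example and is not part of the original post or of any sandbox tool: it parses lines in that format into flows, flags the request that answered with a redirect (the spam link /r.php?i=4), lists requests for which no response was recorded, and collects host/IP pairs for a proxy or DNS blocklist. The traffic text is constructed for the example after the notes above; the source port 1041 for the second flow is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the sandbox traffic notes (not a real capture).
SAMPLE_TRAFFIC = """\
From site:1039 to 193.104.34.59:80 - [akvaprogressive.com]
Request: GET /r.php?i=4
Response: 302 "Found"
From site:1041 to 193.104.34.59:80 - [akvaprogressive.com]
Request: GET /templates/stroy/css/template_css.css
Response: 200 "OK"
From site:1042 to 193.104.34.59:80 - [akvaprogressive.com]
Request: GET /sites/all/themes/stroy/fix-ie.css
Response: 404 "Not Found"
From site:1044 to 193.104.34.59:80 - [akvaprogressive.com]
Request: GET /components/com_comprofiler/js/overlib_mini.js
Response: 200 "OK"
From site:1046 to 193.104.34.59:80 - [akvaprogressive.com]
Request: GET /components/com_comprofiler/js/overlib_hideform_mini.js
"""

CONN_RE = re.compile(
    r"From site:(\d+) to (\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*[-–]\s*\[([^\]]+)\]")
REQ_RE = re.compile(r"Request:\s*([A-Z]+)\s+(\S+)")
RESP_RE = re.compile(r"Response:\s*(\d{3})")


@dataclass
class Flow:
    src_port: int
    dst_ip: str
    dst_port: int
    host: str
    method: str = ""
    path: str = ""
    status: Optional[int] = None  # None when the sandbox recorded no response


def parse_traffic(text):
    """Group 'From site / Request / Response' lines into one Flow per connection."""
    flows, current = [], None
    for line in text.splitlines():
        line = line.strip()
        conn = CONN_RE.match(line)
        if conn:
            current = Flow(int(conn.group(1)), conn.group(2),
                           int(conn.group(3)), conn.group(4))
            flows.append(current)
            continue
        if current is None:
            continue  # request/response line without a preceding connection line
        req = REQ_RE.match(line)
        if req:
            current.method, current.path = req.group(1), req.group(2)
        resp = RESP_RE.match(line)
        if resp:
            current.status = int(resp.group(1))
    return flows


def redirect_entry_points(flows):
    """Paths that answered with a 3xx: the spam link itself is the entry point."""
    return [f.path for f in flows if f.status is not None and 300 <= f.status < 400]


def unanswered(flows):
    """Requests the sandbox saw leave but never recorded a response for."""
    return [f.path for f in flows if f.status is None]


def indicators(flows):
    """host -> set of IPs, the pairs worth pushing to a proxy/DNS blocklist."""
    out = {}
    for f in flows:
        out.setdefault(f.host, set()).add(f.dst_ip)
    return out


if __name__ == "__main__":
    flows = parse_traffic(SAMPLE_TRAFFIC)
    print("redirects:", redirect_entry_points(flows))
    print("unanswered:", unanswered(flows))
    print("indicators:", indicators(flows))
```

The status of each flow is kept separately from its request so that a capture with a missing response line (as in the last entry above) still yields a usable record instead of being dropped.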

<Traced Site>

  • estate-management.valor.ua [217.12.206.6] <— Malware
  • junya.goodnet.com.ua [91.203.144.14] <— Fake Antivirus
  • 193.104.34.98 <— Zeus/Zbot
  • 193.104.34.59 <— Zeus/Zbot

<Malware Sites with Trojans, Exploits and Zeus/Zbot>

  • hxxp://hmcompany.info/faw/zasa.bin
  • IP: 193.104.34.98
  • IP: 193.104.34.59
  • prodesgroup.com
  • IP: 109.196.143.27
  • musicjoker.org
  • IP: 91.203.147.60
  • bizelitt.com
  • IP: 193.104.34.98
  • sofort-bank.com
  • IP: 193.104.32.201




Spam with Casino Malware!

27 10 2010

I woke up this morning and found a nice piece of Spam Email in my inbox. The Spam says it offered me a VIP Treatment at “GameRealCasino.Ru”. Very Interesting!

The malware site GameRealCasino.Ru redirects to 194.143.136.137:80 [mygoldscasino.com], another malware site.

<These sites are hosting the following Malware>

  • Zeus botnet C&C
  • Facebook Phishing
  • General Trojans
  • MDAC Exploit / Virus Sality

<Spam Email Sample>
………………………………….
To: John Smith

On Thu, Oct 28, 2010 at 7:57 AM, Royal Palace Cash <takugshlut@annarborspark.org> wrote:

Get the VIP treatment you deserve with an exclusive 555USD bonus. Additional info in here –

hxxp://gamerealcasino.ru <– bad url
………………………………….
<Malware URLs>

  • 91.216.141.130:80 – [gamerealcasino.ru]
  • 194.143.136.137:80 – [mygoldscasino.com]

<Additional Malware Sites>

  • colohost.lv
  • eiye1ur.eu
  • 213.231.13.185.pool.breezein.ne <– Zbot
  • net4ourcasino.com
  • gamez-lux.com
  • SOFT-BUYOEM.COM
  • xredcasino.com

<Suspicious Files Created>

  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\gamerealcasino[1].htm
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\royalpalaceca_08[1].jpg




Spam that offers “Paris and Lindsay” then Malware

22 09 2010

Today our users reported a Spam Email that offers “Paris and Lindsay” together. Very Interesting.

The Spam is a spoof used to trick unsuspecting users into visiting the malware sites, where the malicious URLs download a virus or Trojan. The site is on the CNCGROUP-SH China Unicom Shanghai network and is dishing out Malware.

<Spam Sample>
From: “Janett Kornprobst” <p2c@gmail.com>
To: UserA@Hotmail.com
Subject: She comes so easily now

Paris and Lindsay are together
Embedded Link “h–p://aqoa.crushfade.ru/”
BAD ISP: CNCGROUP-SH China Unicom Shanghai network

<URL Analysis h–p://aqoa.crushfade.ru/>

<Suspicious Files Created>
File Name: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\index_05[1].jpg ]
File Name: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\index_07[1].jpg ]
File Name: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\style[1].css ]
File Name: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\style[2].css ]

Malware Sites Associated with the IP: 220.196.42.166

  • chiefcause.com
  • bookbulk.com
  • fixgate.com
  • mousegreen.com
  • windowfemale.com
  • yearear.com
  • closebreak.com
  • ultimatereplica.ru
  • damagetail.com
  • plantstop.ru

Reference:
MalwareURL.Com





Spam Spoofing Intel and Wall Street

20 09 2010

This morning some of our email users saw a surge in Spam pretending to offer Intel and Wall Street news. The spam includes phishing scams that point to various malware sites.

These cyber criminals are using various popular search titles. The sites include cash scams (“way2cash.biz”), job search scams (“jobsearchnew.biz”) and even Rebecca Hunter pictures to lure their victims!

These sites may host phishing scams and other forms of Malware.

<Spam Sample>
To: AllUsers@ABc.com
From: AllUsers@xyc.om

Subject: Intel Again Seeks To Use Acquisitions To Expand In Wireless – Wall Street Journal

“Intel Again Seeks To Use Acquisitions To Expand In Wireless”
Visit Site!

<Embedded Malicious Links>
h–p://erhasuiwer.org
IP Address:182.50.135.128

<a href="h–p://s2KGTBg04lx.wvo.com/fy">
<img alt="" src="h–p://AKwnV.fTTXpwM.com/4U0EOBB.gif" style="border-width: 0px"></a><br>
<a href="h–p://jXrPmM8KWfZcpZ2S7L58.50Hp.com/XwFPb1EXsQF9Vli6v.asp">
<img alt="" src="h–p://fG85uJldPWRb9EVI/lR7CF9TkSmA6PCA34p.gif"

Unsubscribe

(c) 2010 its Privacy Statement.
All rights reserved.

<Site Associated with this Phish>
http://www.Deposit222.com Cash Wired to your Bank Up To $1500 Cash Loans. Amazingly Fast No Credit Check, No Faxing, Easy Approve. We Guarantee Results. Get it NOW! see more at >> http://www.fastusapayday.com

Malware Sites pointing to 182.50.135.128

  • addurlsite.us
  • rebeccahunterphotographics.com
  • jobsearchnew.biz
  • howtoplaytheguitarforbeginners.net
  • googlepagerankupdate.net
  • fastusapayday.com
  • way2cash.biz
  • xpgoods.com
  • pregnancywithoutpounds.com.au
Reverse look-up:
sg2nlhg70c1003.shr.prod.sin2.secureserver.net

Black List: Uribl.com





Spam Offering Five Million British Pounds

17 09 2010

The Spammers are trying a little Phishing Action by offering the public five million pounds! This is a pretty old phishing scam. The problem is that some users still fall for this crap!

<Spam Sample>

From:
Admin <contact@agent.com>

To:    contact@agent.com
Actually sent from, per the Received header: from mail.khinfo.net ([61.129.81.19]
Khinfo.net is hosted on a server in China.

Attn: Please,
We wish to notify you again that you were listed as an Heir to the total sum of Five Million British Pounds.

A regular mail was dispatched to you but no reply from you. We request you to kindly acknowledge officially to enable us process your inheritance.

Yours truly,
Admin.
London UK.19

The Honeypot project has detected behavior from this IP address consistent with that of a spam harvester!
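The header check above (a From: address that does not match the relay the mail actually came from) and the triage done on the CareerBuilder sample (an embedded registration link plus a reply address on a different domain than the sender) can be scripted. The following Python is an added example and is not part of the original posts or of any tool they mention: it pulls the originating hop out of the Received chain, compares its domain with the From: domain, and extracts and defangs URLs and off-domain reply addresses from the body. The message is constructed for the example from values quoted in the posts (mail.khinfo.net, 61.129.81.19, agent.com, the akvaprogressive.com registration link, t84white@hotmail.com); mail.example-mx.test, mx.victim.test and 192.0.2.10 are placeholders, and the two-label "base domain" rule is a simplification good enough for triage.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed message for this example. mail.khinfo.net, 61.129.81.19, agent.com,
# the akvaprogressive.com link and t84white@hotmail.com are values quoted in the
# posts; mx.victim.test, mail.example-mx.test and 192.0.2.10 are placeholders.
RAW_MAIL = """\
Received: from mail.example-mx.test (mail.example-mx.test [192.0.2.10])
 by mx.victim.test with ESMTP id 7f3a1c; Fri, 17 Sep 2010 08:00:00 +0000
Received: from mail.khinfo.net ([61.129.81.19])
 by mail.example-mx.test with SMTP; Fri, 17 Sep 2010 07:59:30 +0000
From: Admin <contact@agent.com>
To: contact@agent.com
Subject: Attn: Please
Content-Type: text/plain; charset="utf-8"

We wish to notify you again that you were listed as an Heir to the total
sum of Five Million British Pounds. Please complete the registration on
our website: http://www.akvaprogressive.com/r.php?i=4 and send me an
e-mail (t84white@hotmail.com) after finishing the process.
"""

RECEIVED_HOST = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"'()]+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def base_domain(host_or_addr):
    """Crude registrable-domain guess (last two labels); enough for a triage rule."""
    host = host_or_addr.rsplit("@", 1)[-1].strip(".").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def received_hops(msg):
    """(host, ip) per Received header, outermost relay first; the last is the origin."""
    hops = []
    for value in msg.get_all("Received", []):
        host = RECEIVED_HOST.match(str(value))
        ip = RECEIVED_IP.search(str(value))
        hops.append((host.group(1) if host else "", ip.group(1) if ip else ""))
    return hops


def defang(url):
    """http -> hxxp so the indicator cannot be clicked from a ticket or report."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)


def analyze(raw):
    msg = message_from_string(raw, policy=policy.default)
    hops = received_hops(msg)
    origin_host, origin_ip = hops[-1] if hops else ("", "")
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_base = base_domain(from_addr) if "@" in from_addr else ""
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    contacts = sorted(set(EMAIL_RE.findall(body)))
    return {
        "hops": hops,
        "origin_host": origin_host,
        "origin_ip": origin_ip,
        "from_domain": from_base,
        # claimed sender domain does not match the originating relay: spoofed From
        "spoofed_from": bool(origin_host) and base_domain(origin_host) != from_base,
        "urls": [defang(u) for u in URL_RE.findall(body)],
        # reply addresses that do not belong to the claimed sender's domain
        "off_domain_contacts": [a for a in contacts if base_domain(a) != from_base],
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_MAIL).items():
        print(f"{key}: {value}")
```

Received headers are prepended by each relay, so the first one is the last hop before delivery and the bottom one is the best available claim about where the mail entered the mail system; the bottom hop is still only as trustworthy as the relay that wrote it, which is why the result reports the whole chain alongside the origin.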