Archive for January, 2007

Phishers go one step further

January 31, 2007

Today we are going to talk about phishing. We already know that financial institutions are a prime target for phishers. As malware evolves from an amateur hobby into a money-making business, things have changed a lot.

The phishing we are going to talk about doesn't target a financial institution, nor an e-Commerce site. It goes directly after the Spanish Internal Revenue Service, called "Agencia Tributaria". The scam goes like this: you receive an email informing you that some taxes have been wrongly charged and that you are eligible for a refund of 90 €. Here is part of the email. It is written in Spanish. Bad Spanish indeed.

[Imageattachment] 

Of course, to apply for it you have to enter your data in a web form, which is certainly located somewhere unrelated to the real agency. So, as always, be careful, and type the URL of the site you want to visit yourself.

Do not follow links from emails; it is much safer.

Strange scanner

January 25, 2007

Yesterday we came across a sample. It is a dropper for a virus called W32/Rigel.A.
Once you execute it, it displays a window (shown below) that informs users that a scan for a specific Trojan horse is being carried out.

[Imageattachment]

But the truth is quite different. While the unsuspecting user stares at this window, it starts infecting EXE files. We have seen different behaviours:
– Useless files
– Runnable infected files
– A self-copying file that starts processes until the machine hangs.

Spam in PHP forums

January 24, 2007

Today we found that someone was posting spam messages in a PHP forum. It was obvious in this particular case, because it was a Spanish forum and the message was in English. Notice that it uses the "guest" account ("invitado").

[Imageattachment]

It sounded quite suspicious, so we tested the URL and found that it was using web attacker exploits to install Trojan horses (Trj/Abwiz, Trj/Cimuz). Usually these are password stealers, but it could be other types of malware.

They may be using some program to post automatically in unrestricted forums. So once again, be careful before you follow a link from an unknown source.

If you are an administrator, it would be advisable to check the configuration of your PHP application. If you allow anonymous posting, your forums could end up filled with spam.

Thanks to Vicen for the information.

Another Spamta run

January 23, 2007

We have seen that Spamtas are rising quickly. Two days ago we detected a variant that has been quite silent. But a few hours ago the latest one started climbing, with the appearance of a new variant, which is also arriving in great numbers. Both are stopped by TruPrevent™.

Here we can see the evolution in the last hours.

[ImageAttachment]

Trj/Alanchum.NX alert

January 19, 2007

A new Trojan is being spammed and is arriving in our inboxes. You can recognize it by the following subjects:
– "U.S. Secretary of State Condolezza Rice has kicked German Chancellor Angela Merkel"
– "230 dead as storm batters Europe."
– "A killer at 11, he's free at 21 and kill again!"

It carries an attachment such as:
– FullClip.exe
– Read More.exe

Although TruPrevent™ was able to proactively detect it, be careful if you get one of these.
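As an added example (not code from the original post), the following Python filter flags incoming mail that carries the subject lines and attachment names listed above, and also any other executable attachment; the sample messages are constructed here for the demonstration and the sender/recipient addresses are placeholders.

```python
# Added example: mail filter for the Trj/Alanchum.NX lures quoted above.
import email
from email import policy
from email.message import EmailMessage

# Subject lines quoted in the alert above
LURE_SUBJECTS = {
    "U.S. Secretary of State Condolezza Rice has kicked German Chancellor Angela Merkel",
    "230 dead as storm batters Europe.",
    "A killer at 11, he's free at 21 and kill again!",
}
# Attachment names quoted in the alert above
LURE_ATTACHMENTS = {"FullClip.exe", "Read More.exe"}

def attachment_names(msg):
    """Return the filenames of all attachment parts of a parsed message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

def classify(raw):
    """Return the list of reasons a raw RFC 822 message matches the run (empty means clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip()
    if subject in LURE_SUBJECTS:
        reasons.append(f"known lure subject: {subject!r}")
    for name in attachment_names(msg):
        if name in LURE_ATTACHMENTS:
            reasons.append(f"known lure attachment: {name!r}")
        elif name.lower().endswith(".exe"):
            # Not one of the listed names, but still an executable: worth a look
            reasons.append(f"executable attachment: {name!r}")
    return reasons

def build_sample(subject, filename):
    """Construct a small multipart message with one binary attachment (test data, not a real sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"   # placeholder address
    m["To"] = "inbox@example.invalid"      # placeholder address
    m["Subject"] = subject
    m.set_content("See attached.")
    m.add_attachment(b"MZ\x00\x00", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

SAMPLE_LURE = build_sample("230 dead as storm batters Europe.", "Read More.exe")
SAMPLE_CLEAN = build_sample("Weekly report", "report.txt")

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        print(label, classify(raw) or "no indicators")
```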

MSN Messenger Trojan: Trj/MsnZombie.A

January 18, 2007

Today we found a piece of malware that uses so-called "social engineering" to persuade users to infect their own machines. In this case it uses a file which is supposed to be an animation of US President Bush doing something funny.

It all starts with an MSN Messenger message that arrives from one of our friends. These messages encourage you to visit a URL to download this file:
http://animaciones.xxx.xxxxxxpages.com/Bush-gracioso.exe
Notice that the message is being sent by the Trojan, which has some predefined messages to confuse users.

It uses "animaciones" as part of the URL in an attempt to confuse the user. Of course, if I saw any file ***.exe I shouldn't click, but just in case someone didn't know.

This page is hosted here:

IP address:                     64.XXX.XXX.XX
Country (per IP registrar):     US [United States]
City (per outside source):      New York, New York

Once the unsuspecting user clicks on the file, instead of the animation, a popup error informs them that something has gone wrong. In the background the machine gets infected, and this Trojan starts its duties.

First it kills some antivirus processes, and prevents the use of the cmd command line, regedit.exe, and the Task Manager.

Then it copies itself under different names:
c:\WINDOWS\Avconsol.exe        Size: 49.152 bytes
c:\WINDOWS\Zap.exe             Size: 49.152 bytes
c:\WINDOWS\system32\Hide32.exe Size: 49.152 bytes
c:\WINDOWS\system32\Ttt.exe    Size: 49.152 bytes

Then it becomes interesting, as it saves the IP addresses of the infected hosts in an online database in Sweden.

http://xxxxxxxx.xxxxxx.xxx/contadorm/admin321.php
IP address:                     212.xxx.xxx.XXX
Country (per IP registrar):     SE [Sweden]
Country (per outside source):   SE [Sweden]

If you get access to the database, you get a list of online hosts.

[Imageattachment]

We have extracted the geographical distribution of the infection. (Note that this only represents hosts online at this moment.)

Country          Percentage
Argentina        19,05%
Spain            10,71%
France            8,33%
Brazil            7,74%
United States     6,55%
Venezuela         5,95%
United Kingdom    5,36%
Peru              4,76%
Others           31,04%

Spam, spam, spam…

January 16, 2007

Of course, we have all wondered when we will stop receiving spam. It is not an easy question. 2007 has already started and all the figures show that spam is increasing over time.

When I take a look at my inbox, all I see are emails like these:
– Phishing, 419s, lottery, etc.
– Pharma-related, pseudo-medicinal.
– Software with suspicious discounts.
– Online gambling.

Some call this "virtual fraud". It’s amazing, as this fraud is not so virtual, or at least it becomes quite real when later you take a look at your bank account.

Most of it relies on users’ own decisions. Users decide whether the product/service is worth their money or not. I have never bought anything from these providers (honest to God), because I’m not interested in their products. But if the hit ratio, although minimal, is worth all the effort and resources the spammers are putting into this business, it is clear that a lot of users are willing to pay. And this means that these users don't see spam as something to get rid of, but as a kind of advertisement that may be interesting.

Companies are facing pressure from some groups to find a technical solution to this. Filters and new technologies arise, but I think that user education is a must that sometimes is not stressed enough.

Most of this spam relies on the greed of the recipient, and I’m afraid there is no technical solution to this.

New Spamtaload wave…

January 15, 2007

Today we have detected an increase in the number of email incident reports. This is due to a new variant of the infamous Spamtaload. We have called this variant Spamtaload.CS. In the last 12 hours we have seen a peak reached at 10:00, and although the figures show that it is decreasing, it has not ended yet.

[Imageattachment]

We have received approximately 20 different MD5 hashes. All of them link to a site located in New Jersey. The malware is prepared to download some more components from “www6.***********************.com”. Luckily it is not working at the moment.

Stay alert, just in case it gets active…

What do you want to do for a living?

January 11, 2007

Yesterday we found such an interesting job offer that we felt compelled to explain it to you, in case you were interested.

It consists of being paid 60$ every month just for sending 1,000 emails a day. The deal works more or less like this: once you agree, you receive a program that enables you to start sending emails from your computer. Though you must run it every day, it only takes 5 minutes of your time to send all those 1,000 emails. It doesn’t look like a hard job, does it?

It seems the employer’s SMTP server imposes a limit on the number of emails he can send daily, so he needs more people to increase his sending capacity.

[Imageattachment]

Be it a legitimate job offer or not (most probably not), the comments in the “Questions & Answers” section leave little to the imagination:

“As I understand it, you’ve got an application that only lets you send one thousand emails daily, don’t you? Well, we have developed an application to send emails, and you won’t have limits in the daily amount, it is developed in c# .Net we can adjust to your uses and sell it to you, the application only needs a SMTP server (outgoing mail server) to be specified, and a user and a password, and done, you will be able to send all the emails you want daily, you wouldn’t need to pay 60$ monthly, what do you think?”

Mmm… So it seems spamming is a healthy industry. We should not forget that it works because people continue to buy the goods advertised in those junk emails. The spam problem will cease when the revenue to spammers disappears.

Train timetables and Bluetooth

January 10, 2007

Today we came across an interesting piece of news.

Less than two hundred meters from Panda Software's main building, in the hall of a central train station in Bilbao, a hotspot will be installed from which timetables and fares can be downloaded via Bluetooth.

This is a pioneering experience in Europe, and will free users from brochures and calls to information services in order to obtain and access that data.

However, at the risk of being called fearmongers, we could not help a shiver when we read the instructions given in the article: "Activate bluetooth in visible mode, wait a few seconds until you receive an invitation to download the contents, then accept the message".

Since Bluetooth is the most common propagation vector for cellphone worms, and given that user intervention is essential to that propagation, we recommend users of this (or any other) Bluetooth hotspot to make sure that they are downloading and accepting the right file.

Better safe than sorry…