Showing posts with label Spam. Show all posts

Tuesday, 10 November 2015

A quick look at a signed spam campaign


I noticed the following tweet pass by on Twitter:


The mail received is as follows:

[Image: Spam but digitally signed]

As Robert correctly notes, since the mail is digitally signed, it may entice more people to open the attachment and get infected. In case you're wondering, the key id of the certificate is as follows:
FE:22:B7:24:E3:4F:27:D9:05:E0:CC:B8:BD:DE:F4:8D:23:FD:2F:D9 (copy of cert on Pastebin)
Issuer: C=IT, O=DigitPA, OU=Ufficio interoperabilita' e cooperazione, CN=DigitPA CA1

[Image: Signature details. S/MIME message format]

Both the first and second mail come from: 175.156.221.127 - IPvoid - Whois (DomainTools)

IP location: Singapore (VirusTotal)

On to the attachment (the .xml file is harmless):

[Image: "recalculation.zip" attached]

The mail body reads:
Hello
This recalculation of payments for the last month.
I remind you of your debt 3148,48 AUD.
Please pay as soon as possible.


The ZIP file contains 2 files: recalculation_77979.pdf.js & info_9455.txt. The TXT file just contains the name of the first file, which tries to hide as a PDF file but is in fact JavaScript (JS).
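The double-extension trick above (a .js script posing as a PDF) is easy to catch at the mail gateway before a user ever sees it. As an added example that is not part of the original post, the Python below inspects a ZIP attachment constructed in memory: it flags script and executable members, document-imitating double extensions, and members whose content starts with a PE "MZ" header or fails the magic bytes of their claimed type, which also covers the Word/PDF-icon executables in the later posts on this page. All member names and contents are constructed placeholders, not real malware.

```python
import io
import zipfile

# File types that run when double-clicked on Windows; the script types need
# Windows Script Host, which the prevention tips below suggest disabling.
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".cpl", ".dll", ".bat", ".cmd"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf", ".jpg"}
# Bytes a genuine file of that type starts with.
DOC_MAGIC = {".pdf": b"%PDF", ".docx": b"PK", ".xlsx": b"PK", ".jpg": b"\xff\xd8"}


def name_findings(name: str) -> list[str]:
    """Reasons derived from the member name alone (case-insensitive)."""
    base = name.rsplit("/", 1)[-1].lower()
    exts = ["." + part for part in base.split(".")[1:]]
    reasons = []
    if not exts:
        return reasons
    last = exts[-1]
    if last in SCRIPT_EXT:
        reasons.append("script file, runs via Windows Script Host")
    elif last in EXEC_EXT:
        reasons.append("executable")
    # recalculation_77979.pdf.js: a document extension right before a runnable one
    if len(exts) >= 2 and exts[-2] in DOC_EXT and last in SCRIPT_EXT | EXEC_EXT:
        reasons.append(f"double extension imitating {exts[-2]}")
    return reasons


def content_findings(name: str, head: bytes) -> list[str]:
    """Reasons derived from the first bytes of the member."""
    base = name.rsplit("/", 1)[-1].lower()
    ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    reasons = []
    if head.startswith(b"MZ") and ext not in EXEC_EXT:
        reasons.append("PE (MZ) header despite non-executable name")
    expected = DOC_MAGIC.get(ext)
    if expected and not head.startswith(expected):
        reasons.append(f"content does not match {ext} magic")
    return reasons


def inspect_zip(blob: bytes) -> dict[str, list[str]]:
    """Map every archive member to the reasons it looks suspicious (empty = clean)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # enough for the magic checks above
            findings[info.filename] = (name_findings(info.filename)
                                       + content_findings(info.filename, head))
    return findings


def is_suspicious(blob: bytes) -> bool:
    """Gateway decision: quarantine the mail if any member raised a reason."""
    return any(inspect_zip(blob).values())


def build_sample_zip() -> bytes:
    """Constructed archive mirroring the post's recalculation.zip (two members),
    plus a document-named PE like the later posts and two clean members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("recalculation_77979.pdf.js", "var a = 'placeholder, not the real script';")
        zf.writestr("info_9455.txt", "recalculation_77979.pdf.js")
        zf.writestr("NF-eletronica-987812165162.Docx.exe", b"MZ" + b"\0" * 62)
        zf.writestr("statement.pdf", b"MZ" + b"\0" * 62)  # PE hiding behind a .pdf name
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_zip(build_sample_zip()).items():
        print(member, "->", reasons or "clean")
```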

[Image: Part of the JavaScript]

You can find the original JavaScript on Pastebin. You can also find the decoded base64 here and the final obtained JavaScript here. In the final JavaScript, you'll see it downloads a file and renames it to a random filename, then executes it:

[Image: Download]

[Image: Run]

It fetches a file from: 203.255.186.156 - IPvoid - Whois (DomainTools)
IP location: Korea (VirusTotal)

The eventual payload may be Andromeda/Gamarue, which will make your machine part of a botnet. Some information on the dropped DLL file (this is all static analysis):

Meta-data
==================================================================
File:    28236726.dll
Size:    495630 bytes
Type:    PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5:     934df5b173790da14ef3a817ec1fc422
SHA1:    e90b6e45f255350d0fd4cba361a09ad5d8271af1
ssdeep:  12288:GysxmAb/DC7BfWLc9ivHsegWDhNSKDWrV5rJfT:jo768wAAExDoPr9
Date:    0x429CE7C3 [Tue May 31 22:40:03 2005 UTC]
EP:      0x1000bddb .text 0/5
CRC:     Claimed: 0x0, Actual: 0x83498 [SUSPICIOUS]
Packers: Armadillo v1.xx - v2.xx
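The "CRC: Claimed: 0x0, Actual: 0x83498 [SUSPICIOUS]" line above is a comparison of the PE header CheckSum field against a recomputed value. As an added example (not from the original post), this Python implements that check: it locates the CheckSum field through e_lfanew, recomputes the standard PE checksum over the whole file, and compares the two. The DLL header it runs on is constructed in memory (only the TimeDateStamp value is taken from the metadata above); no real sample is involved.

```python
def checksum_field_offset(data: bytes) -> int:
    """Locate IMAGE_OPTIONAL_HEADER.CheckSum (offset 64 in both PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = int.from_bytes(data[0x3C:0x40], "little")  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe + 4 + 20  # skip signature and the 20-byte COFF file header
    if int.from_bytes(data[opt:opt + 2], "little") not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    return opt + 64


def pe_checksum(data: bytes, skip: int) -> int:
    """Standard PE image checksum: 16-bit words summed with end-around carry,
    the 4-byte CheckSum field itself excluded, folded to 16 bits, plus file length."""
    padded = data + b"\0" if len(data) % 2 else data
    total = 0
    for off in range(0, len(padded), 2):
        if skip <= off < skip + 4:
            continue
        total += int.from_bytes(padded[off:off + 2], "little")
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def verify_checksum(data: bytes) -> tuple[int, int, str]:
    """Return (claimed, actual, verdict) like the 'CRC' line in the metadata."""
    skip = checksum_field_offset(data)
    claimed = int.from_bytes(data[skip:skip + 4], "little")
    actual = pe_checksum(data, skip)
    if claimed == 0:
        verdict = "zero"       # never filled in by the build tool chain
    elif claimed == actual:
        verdict = "ok"
    else:
        verdict = "mismatch"   # file altered after linking: packing, infection, tampering
    # Caveat: Windows only enforces the checksum for drivers and boot-time
    # system DLLs, and many legitimate user-mode binaries ship with 0, so
    # "zero" or "mismatch" is a hint to look closer, not proof of malice.
    return claimed, actual, verdict


def patch_checksum(data: bytes) -> bytes:
    """Write the recomputed checksum into the header (what a linker does)."""
    skip = checksum_field_offset(data)
    actual = pe_checksum(data, skip)
    return data[:skip] + actual.to_bytes(4, "little") + data[skip + 4:]


def build_sample_dll() -> bytes:
    """Constructed minimal PE32 DLL header (no sections) with CheckSum left at 0,
    as reported for the post's DLL. Unlisted fields stay zero so the expected
    checksum can be verified by hand (0xEFAE for these 312 bytes)."""
    hdr = bytearray(312)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (64).to_bytes(4, "little")            # e_lfanew
    hdr[64:68] = b"PE\0\0"
    hdr[68:70] = (0x014C).to_bytes(2, "little")            # IMAGE_FILE_MACHINE_I386
    hdr[72:76] = (0x429CE7C3).to_bytes(4, "little")        # TimeDateStamp from the post
    hdr[84:86] = (224).to_bytes(2, "little")               # SizeOfOptionalHeader (PE32)
    hdr[86:88] = (0x2102).to_bytes(2, "little")            # EXECUTABLE | 32BIT | DLL
    hdr[88:90] = (0x10B).to_bytes(2, "little")             # PE32 magic
    return bytes(hdr)


if __name__ == "__main__":
    claimed, actual, verdict = verify_checksum(build_sample_dll())
    print(f"CRC: Claimed: {claimed:#x}, Actual: {actual:#x} [{verdict}]")
```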

[Image: Functions in our DLL file]

You may also find the file on VirusTotal, SHA1 hash: e90b6e45f255350d0fd4cba361a09ad5d8271af1


There's also an analysis available from Reverse.it (Hybrid Analysis) on Windows 7 32-bit and Windows 7 64-bit. Feel free to do additional research on it, and let me know if you find something interesting or work out exactly which kind of malware this is.

Just as a note: while all that is happening in the background, a decoy PDF file gets opened as well, so as not to raise suspicion:

[Image: Decoy PDF document (not malicious)]

Prevention

For administrators:
  • Sender's end: create an SPF record, so as to prevent sender address forgery. More on SPF here.
  • Receiver's end: turn on SPF checking on your mail server.
  • If possible, turn on full support for DMARC. More on DMARC here.
  • Check that only your mail server may reach the WAN (or RED) zone on port 25. Configure this in your firewall.
  • Check that you use strong passwords for your Domain Controller server(s).
  • Check that antivirus is installed, up-to-date and running on all workstations (if applicable).
  • If not needed, you can disable Windows Script Host (WSH), as it's needed for JavaScript to run locally. Read how to do that here.
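To show what SPF checking at the receiver's end actually decides, here is an added example (not from the original post) of a minimal SPF evaluator in Python. It handles only the ip4, ip6 and all mechanisms, so it needs no DNS; the record is constructed, and the sending address tested against it is the spambot IP seen above.

```python
import ipaddress

# SPF qualifier -> result (RFC 7208); a record with no matching term is "neutral".
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record for a hypothetical sender domain: two authorised IPv4
# ranges, one IPv6 range, and a hard fail for everything else.
SAMPLE_RECORD = "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.25 ip6:2001:db8::/32 -all"
SPAMBOT_IP = "175.156.221.127"  # the originating IP reported in the post


def parse_spf(record: str) -> list[tuple[str, str, str]]:
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":", 1)[0]:
            continue  # modifier such as redirect= or exp=; not handled here
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Result of checking the connecting IP against the domain's SPF record."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare IP means /32 or /128
            if ip.version == net.version and ip in net:
                return RESULT[qualifier]
            continue
        if mech in ("a", "mx", "include", "exists", "ptr"):
            raise NotImplementedError(f"{mech} needs DNS lookups")
        raise ValueError(f"unknown mechanism {mech}")
    return "neutral"


def gateway_action(record: str, sender_ip: str) -> str:
    """Policy a receiving mail server might apply to the SPF result."""
    result = evaluate_spf(record, sender_ip)
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-and-flag"
    return "accept"


if __name__ == "__main__":
    for ip in ("198.51.100.7", SPAMBOT_IP):
        print(ip, evaluate_spf(SAMPLE_RECORD, ip), gateway_action(SAMPLE_RECORD, ip))
```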

For end users:
  • Don't open attachments from unknown senders - ever.
  • Install an antivirus and keep it up-to-date and running. Enable the option to scan compressed files.
  • Preferably, see that your antivirus has a firewall as well, to prevent unauthorised access.
  • Consider disabling Windows Script Host. You can use my tool, Rem-VBSworm, with option D for example.
  • Alternatively, you can install AnalogX's Script Defender, which will block these scripts (JS, VBS, ...) as well.

Some time ago, I did a Q&A on ransomware, which also included several general tips on how to prevent (ransomware and other) malware. You can find and read those tips here.




Disinfection

As usual:
  • Look for suspicious Run keys (find locations here) and delete the associated file(s).
    In our case, all files were dropped in the %TEMP% folder. Also, don't forget to look for rundll32.exe processes, as the payload was a DLL file. More information on rundll32 here.
  • Run a full scan with your installed antivirus product.
  • Run a full scan with another antivirus and/or antimalware product.
  • In a company: warn your network administrator immediately!




Conclusion

Now how was that mail sent out? There's no sure way of telling: the company may be compromised (by either malware or an attacker), there may be no SPF record, the certificate may have been stolen (unlikely but not impossible), and so on. Most likely, a machine is infected by a spambot.

Note that with PEC (Posta Elettronica Certificata), a user can send a signed message even when the mail server is not compromised. PEC means the server signs a message to ensure timestamp and sender, not content. More on PEC here (ITA) or here (EN). See also points 2 and 4 in the Prevention tips above.

I've contacted all related parties and hope to get a reply soon, or at the very least that they will perform some analysis and cleaning.

Follow the prevention tips above to stay safe. If you're looking for Indicators of Compromise (IOCs), they can be found as usual on AlienVault's OTX.

Tuesday, 3 September 2013

PayPal spam leads to malware cocktail

Interesting spam mail in one of the traps today. Something wrong with your variables, malware authors? :-)

Subject: With your balance was filmed - 300 $ -Resolution of case #PP-025-851-848-207

Content of email:
ID

Transaction: {figure } {SYMBOL }

With your balance was filmed : - 500 $

                                                           -20 $

                                                           -49 $
---------------------------------------------------------------------

Balance is:                                      625 $

For more information, please see page View all history

Sincerely,

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click the Help link in the upper right corner of any page PayPal.

Copyright © 1999-2013 PayPal. All rights reserved.

PPID PP {DIGIT }


From:  service@int.paypal.com
Source IP: 96.10.192.31 - IPvoid Result
Botnet: Cutwail spambot

Malicious URL (active):
hXXp://dailyreport.cffy88.com/project/index.htm 


WhoIs information:
Domain Name ..................... cffy88.com
Sponsoring Registrar ............ HICHINA ZHICHENG TECHNOLOGY LTD.
Name Server ..................... dns29.hichina.com && dns30.hichina.com
Registrant ID ................... hc590857663-cn
Registrant Name ................. vinson luk
Registrant Organization ......... shenzhenshi caifufengyun keji youxian gongsi
Registrant Address .............. Rm.3-33C Dijingfeng Maoyecheng Dafen Buji, Longgang District
Registrant City ................. shenzhen
Registrant Province/State ....... guangdong
Registrant Postal Code .......... 518000
Registrant Country Code ......... CN
Registrant Phone Number ......... +86.075533572855 
Registrant Fax .................. +86.075584153080 
Registrant Email ................ vinsonluk@hotmail.com

More malware is hosted on cfyy88.com as well, including a ZIP file which is currently empty. (An error by the malware authors? Uploaded too soon, dropper not included yet?)

Related websites:
hXXp://erpii.cn/
hXXp://jiami99.com/
hXXp://verp.cc/
hXXp://greatempire.cn/

Hosted on: 211.154.134.171 - IPvoid Result 


[Image: Interesting login page]

Other screenshots: [images not available]

The link from the spam mail loads a malicious JAR file:
MD5: 6b872d170e878ab3749d717cbba5d0e3
VirusTotal Result
Exploit-Analysis Result

Exploit-Analysis is a new service and looks very promising. Besides the basic stuff (meta-data dump, strings, tcpdump, ...), you can also view the entropy of the malware and choose the browser type and Java/Flash/Adobe version. For JAR files in particular, it can also display the classes included, so it can be used to analyse a malicious JAR file online (you can do this offline with JD-GUI, for example).

From their website:
Sandy developed under Indian Honeynet and is capable of doing both static and dynamic analysis of Malicious Office, Jar,HTML files at the moment.


Continuing with our findings, the following files were downloaded & dropped to the system (file name, MD5):
about.exe                   098e44145840862b9488be395c860110
index.html                  325a20d15d66e5a78878da2ff579a715
readme.exe                  523a813fa43744673bdb537d778d0e3f
w8BDM.exe                   5c840a17dcee119cf40a3636971de65c
able_disturb_planning.jar   6b872d170e878ab3749d717cbba5d0e3
tixy.exe                    82f1d0ed26012f0883cb6017aa8fb671
able_disturb_planning.php   be3db7ef10eca3a21878cbad80eb5f2d
pythias.js                  d60b2df2b5c6c1ef083766cba29b60d2
JpVsf.exe                   f804ad6fe5b2a0ae3078703fdc112e29


Besides the usual infostealers (Zbot, Fareit, etc.), Medfos is saying "hello" as well:
Win32/Medfos is a family of trojans that install malicious extensions for Internet browsers and redirect search engine results. It also allows for click-fraud, generating profit for a website through unethical means.
Source: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Medfos



Conclusion


  • Don't click on links from unknown senders.
  • Don't open any attachment(s) of unknown senders. 
  • In fact, don't even open mail from unknown senders.
  • Don't be fooled by mail spoofing, you can view the real source by right-clicking your mail and choosing "View Source". (This depends on your mailclient though.)
  • Install an antivirus and antimalware product and keep it up-to-date & running.
  • When in doubt, visit the website of §vendor or §product or §service directly.
  • Block the IPs mentioned above in your firewall or hostfile or §solution.
  • I almost forgot: uninstall Java.



Tuesday, 13 August 2013

Scams, scams everywhere


It's scam season. Well, actually, scams are always going around. Facebook is a popular channel for spreading them, for example the Gina Lisa Facebook scam and the scam promising Facebook in a different color.

There's one recently that caught my attention:

[Image: "This is incredible"]

Basically what happened here is that someone on Facebook clicked on the wrong link, and the event got automatically created. Consequently, all of his/her friends were invited to the event as well.

Of the 4 pages that showed up in the search results (there are many more), ~500 people clicked on the bit.ly links, which is not very much considering how many people got the invite. Most of the comments on the events were "What is this?", so most people realised it's fake.

The CNN logo is being (mis)used, probably to make it look more legit. When you click on the link, you get redirected through affiliates but eventually you land on the following page:


[Image: "Dr. Oz Miracle Diet"]

Websites:
hxxp://consumerhealthnews9.org  - URLvoid Report
hxxp://consumerhealthnews6.com   - URLvoid Report

When clicking on any of the links on those sites, you get redirected to:
hxxp://ww90.thorizo.net  - URLvoid Report

More affiliates, more links to click on. The title for this blog post could also have been "affiliates, affiliates everywhere". 



Removal

If it seems that you have created the event, simply go to the event page, click the "wheel" icon and choose "Cancel Event":

[Image: Cancel the event]

Be sure to also check your Apps, it's possible you allowed a malicious app to post & create things on your behalf:

[Image: Check your Apps]

If you were invited to the event, simply ignore the message. You can also report the event as scam or spam by clicking on the Report button on the left of the event:

[Image: Report the event]

Conclusion


To keep it short and simple:
don't fall for these types of spam/scam; most of the time it's pretty obvious it's fake.

If in doubt, ask your friend on Facebook (or whoever sent you the link) via PM whether he or she knows what this is about.

You can also use a linkscanner to verify the integrity of a link on either http://www.urlvoid.com or https://www.virustotal.com/

To get some information on a bit.ly (or other URL shortener services) link, you can use any of the following websites:
- http://www.getlinkinfo.com/
- http://longurl.org/
- http://www.longurlplease.com/ (includes Firefox extension)

To report a malicious bit.ly link use:
http://bitly.com/a/report_spam

Monday, 24 June 2013

Gina Lisa Facebook scam



Yet another Facebook scam, this time luring users with a sextape from Gina Lisa, who is apparently a German model:


[Image: Yet another Facebook scam: "Gina Lisa Sextape"]

When you click on the link you get:
[Image: Verify your age first]

When you click on the video to "verify your age", you are redirected to what appears to be a site for gambling, poker games, etc.:

[Image: Subscribe and get a free bonus. Looks legit]

I suspect you'll probably have to pay up sooner or later to continue playing. Stargames.com is apparently known for spamming blogs & other sites.

hXXp://hot-movie.pw - URLvoid Report
hXXp://stargames.com - URLvoid Report



This scam and/or spam will also post on Facebook on your behalf. Go over your Privacy Settings on Facebook and make sure you delete this "app" if you see it. Remove any posts you have made as well, and report posts similar to this made by your friend(s).



Prevention

Pretty straightforward: do not click on any of these links, however tempting they might be! Ask your friend if he or she knows what it means, and hover over the post until the 'X' becomes visible. You can then mark the post as spam, and it will be removed from your friend's wall.

It might also help to install the WOT extension in your browser (compatible with most modern browsers).
WOT is a community-based tool and is therefore very useful against these kinds of scams, as other users can warn you about a site's validity.
More information and the WOT download: http://www.mywot.com/



Conclusion
To keep it short and simple:
don't fall for these types of spam/scam; most of the time it's pretty obvious it's fake.

Tuesday, 11 June 2013

WellsFargo spam serving infostealing malware


Not that new, but still noteworthy: the spammers seem to be abusing Wells Fargo (an American bank) as a trusted sender. This is simple mail spoofing.


[Image: Mail from "Georgina Franks"]

Some example senders (where it seems to come from):
Evelyn_Piper@wellsfargo.com
Georgina_Franks@wellsfargo.com
Noe_Zavala@wellsfargo.com

As far as I could find, these email addresses do not even exist.

The mail itself is actually coming from the Pushdo botnet. Example IPs:

173.167.205.149 - IPVoid Result
209.181.66.178 - IPVoid Result

All the links in the mail are legitimate, to convince you that the attachment is legitimate as well. When opening the ZIP file (which is named WellsFargo.yourmailprefix), you're presented with what looks like a PDF file but is in fact an EXE file:

MD5: 47e739106c24fbf52ed3b8fd01dc3668
VirusTotal Report
Anubis Report
Malwr Report


This malware is known as Fareit (or Tepfer). According to Microsoft:
 Win32/Fareit is a multiple component malware family that consists of a password stealing component, PWS:Win32/Fareit, that steals sensitive information from the affected user's computer and sends it to a remote attacker, and a Distributed Denial of Service (DDoS) component, DDoS:Win32/Fareit.gen!A, that may be commanded to perform flooding attacks against other servers.

When executed, the file looks for quite a lot of data to steal, and it also phones home to update its configuration files and download additional malware (Zeus). Below you can find an image of the data (information) it tries to steal:

[Image: List of programs it tries to extract username/password from]

So besides all this, it additionally downloads Zeus (the payload), which tries to steal banking credentials, among other things. If you'd think Fareit is enough, guess again! The FBI made a good image of how the Zeus 'scheme' or malware works:

[Image: Cyber Theft Ring details]

The downloaded Zeus files all have a very low detection rate on VirusTotal. Hint:
check out the VirusTotal report of the sample above and click on the tab "Behavioural Information". Note the links are live!



Conclusion
  • Don't open any attachment(s) of unknown senders. In fact, don't even open mail from unknown senders.
  • Don't be fooled by mail spoofing, you can view the real source by right-clicking your mail and choosing "View Source". (This depends on your mailclient though.)
  • Don't be fooled by the fancy icons, they are actually EXE files. You can enable an option in Windows so you're always sure of the filetype being used:
    Enable Viewing of Filename Extensions for Known File Types
  • Install an antivirus and antimalware product and keep it up-to-date & running.
  • If you're in an organisation, you might want to block the following IPs (quite a long list):
Note that these are IPs the malware communicates to. In most cases, they are harmful, but keep in mind some IPs might be legit, as the malware authors want to test for connectivity by connecting to Google for example. So, if you plan to block on IP, be sure to cross-check on IPvoid or DomainTools.

Stay safe.

Tuesday, 2 April 2013

Brazilian banking Trojan tricks


So I encountered what I suspect to be a banker focused on Brazilian banks. (Win32/Bancos)


Part 1 - spam mail:

[Image: Fiscal note]

Mail from: mail.unimedsc.com.br - 187.115.59.244 - IPvoid Result

The mail reads:
Emissão de Nota Fiscal
Prezado cliente,
Segue abaixo o(s) link(s) para acesso à nota fiscal eletrônica.
Notas Fiscais
Nota    Codigo de Verificacao    Visualizar
11932075    DTU8DBSW    NF-eletronica-8457348947..Docx
Atenciosamente,
Equipe de Cobrança:

Roughly translated:

Issue of Invoice
Dear customer,
Below is a (s) link (s) to access electronic invoices.
invoices
Note the Verification Code View
11932075 DTU8DBSW NF-electronic-8457348947 .. Docx
Sincerely,
Team Collection:

Clicking on the link leads to a ZIP file on Dropbox. I've already requested the file/URL to be removed.



Part 2 - executing the file:

The victim needs to unzip the file and run the malware:

[Image: So-called .docx with a mismatching icon]

Seems the malware authors got their file types wrong: a .docx file should have a Word icon, not an MPEG-4 icon. ;-)
Either way, the malware is neither a Word nor an MPEG file; it's actually an executable, as can be seen in the screenshot above.


Some details about the file:
NF-eletronica-987812165162.Docx.exe
MD5: 65ba9ff22e4e9073dda5ecae0fd056a7
Detections: 4/46 
VirusTotal Result
Anubis Result
ThreatExpert Result

The file connects to the following IPs:
54.244.228.88 - IPvoid Result
91.136.8.9 - IPvoid Result
187.45.193.134 - IPvoid Result

This is where it gets a bit more interesting: the file downloads from 54.244.228.88 a .hlp file called:
updados.hlp - VirusTotal Result

Basically, this is a compressed .hlp file (Help-file for Windows) which contains 3 more .hlp files:
help01.hlp
help02.hlp
help03.hlp

The files then get renamed randomly and a folder in %ProgramFiles% gets created with a random filename, for example:
C:\Program Files\2x8H8g

Most malware today gets dropped in %systemroot% or %appdata%. The following entries were added to the registry to ensure persistence:

[Image: Autorun entries with fancy icons]

Part 3 - the consequences:

  • Your (financial) data will be stolen
  • You might get a pop-up next time you log in to your bank asking for credentials
  • You might be diverted to a fake login page
  • You might finance the malware author's next vacation by unwillingly transferring X amount of money
  • Other malware might be downloaded 


Part 4 - gathered files:

Note how the .hlp files have exactly the same file size as the .exe files (they're the same files).

Contact me for a copy.

[Image: Gathered files]

Conclusion
  • Don't click on any link(s) of unknown senders. In fact, don't even open mail from unknown senders.
  • Have you indeed ordered something? Check the status of it directly on the supplier's website.
  • Don't be fooled by the fancy icons, they are actually EXE files. You can enable an option in Windows so you're always sure of the filetype being used:
    Enable Viewing of Filename Extensions for Known File Types
  • Install an antivirus and antimalware product and keep it up-to-date & running.

Monday, 1 April 2013

Stop Twitter's "follow-me" spam in its tracks

This article is about how to stop the annoying email messages that Twitter sends when an acquaintance joins Twitter and decides that they think you should follow them there too.



What happens if a "friend" invites you to follow them on Twitter

A few weeks ago, I got an email message saying that Helen Someone had just signed up to Twitter, and had provided my email address as someone who followed her elsewhere, and who she thought should follow her here too.

But I'm already on Twitter, and my account there is linked to a different email address than the one which Ms Someone "generously" chose to share with Twitter. And frankly, I get enough email from her already, the last thing I want her doing is bugging me on Twitter too.

So what did I do? Like any sensible person, I deleted the email.

But now, every few days, I get an email message like this :

---------------------------- Original Message ----------------------------
Subject: Helen Someone is still waiting for you to join Twitter...
From: "Twitter"
Date: Fri, March 29, 2013 4:26 am
To: me@email.com
--------------------------------------------------------------------------

Helen Someone is still waiting for you to join Twitter...

Twitter helps you stay connected with what's happening right now and with the people and organizations you care about.

Accept invitation     https://twitter.com/i/535c9c20b....5487e4f01449c029

------------------------

This message was sent by Twitter on behalf of Twitter users who entered your email address to invite you to Twitter.
Unsubscribe: https://twitter.com/i/o?t=1&iid=05f4a3...d=68+26+20130328

Need help?
https://support.twitter.com


Or like this, if I look at it in an email client that shows the graphics - notice that the "how to unsubscribe" message is in very small print, at the bottom of the page.




How to stop these messages

At first I just ignored these messages: I figured that Twitter would give up and leave me alone after one or two reminders. But that hasn't happened: they keep reminding me, and I'm getting sick of deleting the same message over and over again.

So today I went looking for how to stop the reminders from happening.   Basically there are two options:

Option 1:  Sign up to Twitter

Accept the invitation, sign up for a new Twitter account, turn off all email notifications for this account - and never use the account again.

Advantage: this stops the annoying messages - and makes sure you won't get them from any other "friends" who give Twitter the same address.

Disadvantage: other friends (who maybe you do want to follow in Twitter) may enter the same email address, and Twitter may connect them to this same Twitter-account that you never use.   You won't get a notification.



Option 2:  Use the un-subscribe link that's provided

If you look at the email contents, there is actually an unsubscribe link near the bottom of the message - if your email client shows the graphic version of the message, it's right down in the ultra-small print at the bottom.

Click the link provided - or copy-and-paste it to a web-browser.

This will turn off the annoying messages from this person - and it will also stop your email address from getting messages if other people join Twitter and suggest you should follow them there.




Is this OK?


Which option would you recommend?

More importantly - do you think it's ok to share other people's addresses with social networking sites that you sign up to, in the way that Ms Someone gave my address to Twitter?



Related Articles:

Put a "follow me on Twitter" link into your blog

Showing an email address in Blogger

Tools for linking your blog to social sharing websites

Tuesday, 12 March 2013

Exploits, exploits everywhere


It's the exploit season (especially for Java).

This time, I'm seeing a lot of mails supposedly from PayPal:

[Image: Apparently you bought an expensive watch. For someone you don't know. Looks legit.]

Originating IP of this mail:
188.33.40.190 - IPvoid Result

Seems to be sent out by the Cutwail botnet.




When clicking on one of the links (they all point to the same hacked webpage):

[Image: Adobe Reader giving a warning]

First, a blank web page opens and a PDF or Java exploit is launched.

Adobe Reader crashes with a warning, which should raise some suspicions.

The latest trick the malware authors perform is to ultimately redirect you to a fake pharmacy:

[Image: 'Pharmacy Express'. Fake pharmacy.]

You eventually end up on this page, probably to make you think 'it was just Viagra spam, that's all'. Wrong! In fact, you're being infected as we speak. A file gets dropped in the %appdata% folder:

xydyswylmylh.exe
Result: 6/45
MD5: 22f3c0fd2a5d9e1799699097836bb5dc
VirusTotal Result
ThreatExpert Result
Anubis Result


There were a lot of HTTP connections, possible password stealer?


Additionally, it connects to the following IPs & ports: 

Malware was downloaded from:
188.93.211.151 - IPvoid Result

Adobe/PDF exploit being used: CVE-2010-0188 - CVE Report
Oracle/Java exploit being used: CVE-2013-0431 - CVE Report (tip from @eromang)


All files gathered, contact me for a copy:
[Image: Gathered files in this attack]

This campaign is still going on; if you'd like to know the source of these exploits (be careful though, they can still be live!), you can see these results from URLquery:


Conclusion


  • Don't click on any link(s) of unknown senders.
    In fact, don't even open mail from unknown senders.
  • Have you paid for an expensive watch for somebody you don't even know? I didn't think so.
  • Install an antivirus and antimalware product and keep it up-to-date & running. 
  • Use for example NoScript in Firefox to counter these attacks.
  • And above all: patch Java, Adobe and any other 3rd party software you may have!





Tuesday, 26 February 2013

FedEx spam loads malware


Received an email from (supposedly) FedEx today, seems my parcel was unable to be delivered:

[Image: Print your receipt!]

Mail details:
Subject: Shipping Information‏


Sender: stoiciu_ro01@uhost.ro


X-Originating-IP: 195.78.124.42
Content: 
FedEx
Tracking ID: 1795-21492944
Date: Monday, 18 February 2013, 10:22 AM
Dear Client,
Your parcel has arrived at February 20.Courier was unable to deliver the parcel to you at 20 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt  
Best Regards, The FedEx Team.
FedEx 1995-2013


The 'Print Receipt' button points to a filesharing website, where a ZIP file gets downloaded. Inside the ZIP is an EXE file with a neat little Word icon. When running the file:


[Image: Postal Receipt information]

You get a Notepad file with some information. Is your name Mark Smith? No? Then you're infected. Is your name Mark Smith? Then you're infected anyway. 

Does this behaviour look familiar? Well noticed, we've seen this in a post from some months ago:

[Image: Gathered files. Contact me for a copy.]

Some more details about the downloaded file:
Postal-Receipt.exe
MD5: d335b890e1bc260a259b994533333d02
VirusTotal Report
Anubis Report
ThreatExpert Report


The following file was dropped in the %appdata% folder:
ujfhmdlk.exe
MD5: d335b890e1bc260a259b994533333d02
VirusTotal Report
Anubis Report
ThreatExpert Report


The malware tries to connect to the following IPs:




It performs the following GET request on port 8080, probably to download more malware (I was, however, unable to reproduce any additional droppers or system modifications):
/509A37A363A4A88C8B6BBD234F063B9CEE4072C470F04B0AB239C05FF89DA4B98D1E54BF77C0CD96CD8BC4004B3459C13194D0F9E0D64CF108A635F7468E817F408A20EF7149233F1356D2B3565F49





Conclusion
  • Don't click on any link(s) of unknown senders. In fact, don't even open mail from unknown senders.
  • Have you indeed ordered something? Check the status of it directly on the supplier's website.
  • Don't be fooled by the Adobe or Word icons, they are actually EXE files. You can enable an option in Windows so you're always sure of the filetype being used:
    Enable Viewing of Filename Extensions for Known File Types
  • Install an antivirus and antimalware product and keep it up-to-date & running. In this case, the payload is at least 4 months old! This should be easily detected by your antivirus product.


Wednesday, 13 February 2013

New exploit kit tricks

In today's post, we'll be reviewing a (potentially) new trick by the exploit kit authors.

As usual, it all starts with.... a great portion of spam:

[Image: Verizon important account information! ;-)]

When clicking on any of the links you get redirected, of course, and some tasty exploits are served. See the Pastebin links further below for more information.

However, this time, when you don't have a vulnerable Java or Adobe version installed, you'll get redirected (after 61000 milliseconds, ~1 minute, to be exact) to another page where you can download the brand new version of Adobe Flash Player:


    Download the new Flash Player... Note it's not the official Adobe website!


    Of course this is not the real Flash Player; in fact, as far as I could find, this version does not exist.

    Something that has always bothered me about the download of Flash is the notification circled in red. Yes, on the real website of Adobe, this notification is also present:
    "You may have to temporarily disable your antivirus software" --> Great thinking, right?


    The bad guys have basically just done a copy/paste of the download page of Flash and changed the version number. When clicking on Download now, you're presented with:

    update_flash_player.exe
    MD5: 1b7d3393018d65e9d37566089b7626d5
    VirusTotal Report
    Anubis Report
    ThreatExpert Report


    The payload seems to be Zeus/Zbot; it also phones home to:
    88.190.210.199

    Infection URLs from the same campaign, hat tip to @MalwareMustDie :
    URLquery search results



    Samples that were gathered, contact me if you'd like a copy:

    Pastebin links for the JavaScript files:
    http://pastebin.com/hhQe6RCP
    http://pastebin.com/nt5JmGp3




    Conclusion

    - Don't click on any link(s) of unknown senders. In fact, don't even open mail from unknown senders
    - Patch your Java & Adobe or uninstall it if you don't need it
    - Install an antivirus and antimalware product and keep it up-to-date & running
    - Use NoScript in Firefox or NotScripts in Chrome


    Thursday, 17 January 2013

    About YouTube top comments


    Have you seen the top comments on YouTube recently? Mostly, they're about the video clip itself, or about other artists that do not live up to the talent of said video clip ;-) .

    Sometimes, however, spam reaches the top comments (whether or not with a lot of upvotes):
    Another user is being addressed, "confirming" the site is real

    I've seen this kind of YouTube spam unfold into 2 scenarios:
    1) The usual survey scams, promising an iPad for example
    2) The download of adware or a PUP (Potentially Unwanted Program) to your machine


    Let's take a look at both scenarios; we will go more in depth on the second one, as it is the more interesting. This post includes prevention methods, a removal process and a conclusion at the bottom, if you want to skip the investigation.



    Investigation


    1) Survey scam

    As seen in the picture above, another user is being addressed. This user did not make any comments on the video at all. I'm guessing they use this little trick to 'confirm' someone asked about it and that they are 'just helping out'. The comment has several upvotes as well, thanks to the use of bots.

    Clicking on the bit.ly link, you are redirected to another website:
    hxxp://alllightsfull.info/prize/prize.html
    2/30 - URLvoid Result
    2/33 - VirusTotal Result
    AllLightsFull.info - Whois Record

    Screenshot:
    Congratulations! You won a... Survey scam!

    After clicking on Start Now!, you'll get redirected to fill in a survey for a chance of winning an iPad... which will redirect you to another survey... to another survey... until you need to fill in personal details such as your email address. In my case, I had to subscribe to about 20 other instances (read: brace yourselves, spam is coming) to win the iPad.

    Obviously, you won't win anything and your email address will end up on several spam lists.


    2) Adware / Potentially Unwanted Program

    In this scenario, you end up on a different website, but with a similar, easy layout:
    Download Youtube videos with "YouTubeSaved"

    Some information about the website:  
    hxxp://www.youtubesaved.com 
    1/30 - URLVoid Result
    0/34 - VirusTotal Result 
    YoutubeSaved.com - Whois Record

    You can download from Download.com/CNET or directly via their website. I'm not sure what's worse: the fact that you can download this beautiful piece of crap via CNET or that it's Norton/VeriSign Secured.

    The following file is downloaded:
    cid_185425_sono.exe
    Result: 3/46
    MD5: a3675a8439b09049a76da7f9c93c4a34
    VirusTotal Report
    Anubis Report
    ThreatExpert Report


    In the following minutes, I got several new screens to install additional software:
    FLV Media Player coming along with WhiteSmoke


    FLV Media Player coming along with PriceGong, Freetwittube,...

    Some readers might remember WhiteSmoke from a few years ago, when it came bundled with a rootkit and was particularly annoying as well as hard to remove.

    While I was eagerly clicking Next on all of the screens, there were a few connections. In fact, in those 5 minutes of installing FLV Media Player (and thus also Yontoo, Relevant Knowledge, Free Ride Games, Moyea, Remote Programs, PriceGong, Conduit and WhiteSmoke), there were about 1140 outbound HTTP requests installing even more adware.

    If you're interested in these connections, I have uploaded a Fiddler log to Pastebin:
    http://pastebin.com/QxcHca1Z


    Interesting to note is that Firefox gave a warning about a particular toolbar:
    https://addons.mozilla.org/en/firefox/blocked/i226
    From that page:
    This add-on is silently side-installed by other software, and doesn't do much more than changing the users' settings, without reverting them on removal.

    Actually it does more than that: it redirects your searches (through ad-sponsored networks), changes your homepage, annoys you with pop-ups, .... This does not solely apply to WhiteSmoke.

    A total of 63 newly created PE files were found on my machine. Seems like they really wanted me to install as many toolbars and as much adware as possible. Sometimes, besides being referred to as a PUP or adware, this kind of software is called foistware.

    You can find a Pastebin here with all VirusTotal results: http://pastebin.com/87HspUgu



    Prevention

    Now, how do we prevent these applications from ever entering our system? Here are a few tips:

    • Carefully consider what you are installing. Is this program known at all? What does it do? Do I really need this installed? A simple Google search reveals a lot of answers.
    • Don't click Next, Next, Next or OK to everything or in any of the screens you get. This is a golden rule in general.
    • Read the EULA. No wait, what? Those EULAs are always way too long! That's right; luckily there's a tool available which can assist us in identifying unwanted behaviour. The tool is called EULAlyzer, by the same developer as SpywareBlaster (which also helps prevent these).

      I did a scan on an EULA from PriceGong which uncovered the following results:
      EULA states advertising, your searches being submitted and more

    • Use the extension WOT (Web of Trust) to get a second opinion about website X or Y.
    • If you encounter a link that is shortened (for example bit.ly, t.co, tinyurl, ....) you can use a website such as GetLinkInfo or Unshorten to acquire more information on that link. Awesome!
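What those unshortening sites do is follow the redirect chain without loading any page content, so you can see where a bit.ly link ends up (and which hosts it bounces through, to look up in WOT) before clicking. The script below is an added example, not code from the post or from those services: a resolver that issues only HEAD requests, follows relative `Location` headers, and stops on loops or after a hop limit. The network is replaced by a constructed redirect map for the demonstration; `live_head` is the real-network variant and is an assumption-free use of `urllib`, but it is not exercised here.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)


def follow_redirects(url, head, max_hops=10):
    """Resolve a short link by following HTTP redirects with HEAD requests only.

    `head(url)` returns (status_code, headers_dict). It is injected so the
    resolver can run against the constructed map below or against live_head.
    Returns (chain, final_url, reason) with reason one of "final", "loop",
    "no Location" or "too many hops". No response body is ever downloaded.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers = head(chain[-1])
        if status not in REDIRECT_CODES:
            return chain, chain[-1], "final"
        location = headers.get("Location") or headers.get("location")
        if not location:
            return chain, chain[-1], "no Location"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, nxt, "loop"
        seen.add(nxt)
    return chain, chain[-1], "too many hops"


def hosts_in_chain(chain):
    """Distinct hostnames touched, in order: the ones to check in WOT or URLVoid."""
    out = []
    for u in chain:
        h = urlparse(u).hostname
        if h and h not in out:
            out.append(h)
    return out


# Constructed redirect map standing in for the network (example only; the
# .example TLD is reserved and never resolves).
FAKE_NET = {
    "http://short.example/abc": (301, {"Location": "http://tracker.example/go?u=1"}),
    "http://tracker.example/go?u=1": (302, {"Location": "/prize/prize.html"}),
    "http://tracker.example/prize/prize.html": (200, {}),
    "http://loop.example/a": (302, {"Location": "http://loop.example/b"}),
    "http://loop.example/b": (302, {"Location": "http://loop.example/a"}),
}


def fake_head(url):
    return FAKE_NET.get(url, (404, {}))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them itself."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(url, timeout=10):
    """HEAD one URL on the real network (needs connectivity; not used by the demo)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers)


if __name__ == "__main__":
    chain, final, reason = follow_redirects("http://short.example/abc", fake_head)
    print(reason, final)
    print("hosts:", hosts_in_chain(chain))
```

Using HEAD and refusing to follow redirects automatically is the whole point: the resolver never fetches the landing page, so a survey-scam or download page in the chain is only named, not rendered.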



    Removal

    Of course, it might be too late for some users. They are already seeing pop-ups everywhere, getting amazing deals or are getting redirected in their search engines. Again, here are some hints:

    • Most of these programs can be easily removed via the Control Panel > Add/Remove Programs. There's also a small guide by Microsoft on how to do that. After uninstallation, these programs will open your browser and offer to reinstall the "product". Just close the browser when that happens.
    • "I removed these programs but am still getting redirected. Why?"
      Probably the Add-On, Extension or Plugin is still installed and active in your browser. Remove or disable this manually by following these steps:
      Removing extensions from Internet Explorer
      Removing extensions from Mozilla Firefox
      Removing extensions from Google Chrome

      Restart your browser afterwards and confirm the changes. It's possible you need to manually reset your homepage as well.

    • "Not everything is gone and I don't see anything in the Add/Remove Programs."
      When this happens, you can use a tool like AdwCleaner. Please keep the following in mind:
      - Close all browsers before executing AdwCleaner
      - Click on Search. A logfile will open. Review this carefully! AdwCleaner is pretty strict in removing adware. Then, you can select delete to delete all the unwanted/malicious entries.
      - More information can be found on the download page of AdwCleaner (see above).
    • After following these steps, use your already installed antivirus and perform a full scan. When that's finished, you can also use Malwarebytes to perform a Quick Scan and ensure everything is gone. Be sure to select in the Settings tab > Scanner Settings that PUPs are shown in the scan results.
    • If you are having difficulties or are not too sure of following these steps all by yourself, you can always make a post on one of the several forums out there specialized in removing malware and other nonsense from a machine. An example forum where you can get help is BleepingComputer.



    Conclusion

    After reading this post, I'm sure you can now see the thin line between goodware and foistware, adware, or Potentially Unwanted Programs. With the tips above, you should be able to arm yourself against this kind of threat.

    Some legit programs like Java or Adobe also offer these "toolbars". Don't be fooled! The same rules above apply here. Untick those boxes and read carefully through the installation wizard! Why are these things still around, you might ask? There's an interesting article here by Ed Bott:
    Why does crapware still exist? Follow the Silicon Valley money trail

    You might wonder why your antivirus didn't ring any bells when installing this software. The easy answer is: it is hard to tell whether this is malicious behaviour, as the user consents to and agrees on the EULA, which is basically an agreement to all these unwanted modifications!
    The hard and longer answer is something to discuss in a future blogpost.

    Conclusion: don't install something when you have no idea what it is or does. Google can be your friend.