Thursday, 18 October 2012

UPS spam downloads malware


Yes, you've read the title right. Not the usual spam/malware attachment, but in fact just a picture of UPS... which of course is clickable.

But wait! Seems like the bad guys forgot a letter in their HTML (facepalm). I received the following mail:

Subject of spam email: UPS #Print your postal label

Since they forgot the "h" in "http", the image is incorrectly displayed. What it should have been:

Your package was not delivered. You are asked to print the label 

The mail is coming from (related to the Asprox botnet):
70.75.216.19 - IPVoid Result

What happens when you click on the "Print a shipping label" (or what it should have been):

Copy_of_UPS_Label.zip

A ZIP file gets saved, but you still need to open it and execute the file to become infected...


Copy_of_UPS_Label.exe

Result: 13/43
MD5: 2e9755cfce544627fbfd3be07af5d7d9
Anubis Report
Malwr Report
ThreatExpert Report 


If the file gets executed, it drops a copy of itself to the %appdata% folder and tries to connect to the following IPs:



Also, when executing the file, an instance of svchost (with the malware injected into it, thanks to SteveK for the heads-up) gets started and opens an empty Notepad file:
Empty Notepad file created by the malware


If anyone has an idea on the why of this, be sure to let me know. Maybe to convince you it's really a UPS label after all? Second fail of the day, they should have at least included some rubbish text in there.

This malware is known as Kuluoz, which can download and install additional malware on your system.


Conclusion


Pretty simple. Never open any emails from unknown senders, do not click on any links and certainly do not open any attachments.

Bells should be ringing already when you have not ordered anything. Always be wary when receiving mails where you need to click on a link or open an attachment to view this or that. Ask yourself: "does this look legit?" If the answer is no, you know what to do.



Friday, 2 September 2011

Increase in malicious spam



Rodel Mendrez from M86 Security labs has made an excellent post on a Massive Rise in Malicious Spam:

http://labs.m86security.com/2011/08/massive-rise-in-malicious-spam/

As he notes in his conclusion, "It seems spammers have returned from a holiday break and are enthusiastically back to work."

So I decided to check out if I had received some spam as well. Jackpot ;-) !

UPS notification

Re: End of July Statement Required

Your credit card has been blocked

ACH Transfer Review

Most of the files display a Word or PDF icon to trick the user into opening the file:

Some examples of attachments, with their respective VirusTotal results:



Invoice_08.17.2011_Collcod.exe

MD5: cf0397bb622e4ed9dfdeb07fcbfa9687

VirusTotal Report



MasterCard_invoce_ID73284783275943.doc.exe

MD5: 0b7eba77dd4bcea3c670c4a664e98778

VirusTotal Report



UPS_Document.exe

MD5: 17f9148b130a94ab1f50030ebbf2415a

VirusTotal Report



form-62091.exe

MD5: e18d8cb2a4264a3c559d7967b3c6ab99

VirusTotal Report



When opening any of these files, you can end up with rogueware.

One example rogueware I got was "System Repair":



System Repair rogueware



The dropped file that is launching the rogueware:



pusk3.exe

MD5: 27077c2058983bb76bd09cdad69f7bde

Result: 36/44 (81.8%)

VirusTotal Report
ThreatExpert Report
Anubis Report


Conclusion

Conclusion is pretty simple: Do not open any attachments from unknown senders.

If you happen to be infected with System Repair, you can for example use the guide on Bleepingcomputer:

http://www.bleepingcomputer.com/virus-removal/remove-system-repair


Wednesday, 9 February 2011

United Parcel Service notification #82929

Today I received an email with the subject "United Parcel Service notification #82929"

Apparently my order was sent to my home address and now they are sending me an email with additional information. How kind of them :) .



You can supposedly find more information in the attachment


The text is mostly the same, here's a small variant:
Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.



There is a file attached called "USPS_Document.zip". Other variants may be: "UPS_Document.zip", "UPS.zip", "UPS-tracking.zip", and so on. In the ZIP archive you will find a file called UPS_Document:


UPS_Document.exe


What stands out here is that the file is not a PDF file, as you might think, but is in fact a malicious executable.
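The disguised-executable pattern seen across these posts (an .exe named like a document, or a double extension such as .doc.exe, inside a ZIP attachment) can be caught before anyone double-clicks. This is an added example, not code from the original post; the sample ZIP and its file names are constructed here and contain no real malware.

```python
import io
import zipfile

# Extensions Windows runs directly; a "document" ending in one of these is the trick
# used by the spam attachments (UPS_Document.exe, MasterCard_invoce_...doc.exe).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def inspect_entry(name, head):
    """Return the reasons a ZIP entry looks like an executable posing as a document."""
    reasons = []
    exts = name.rsplit("/", 1)[-1].lower().split(".")[1:]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"double extension .{exts[-2]}.{exts[-1]} (masquerading as a document)")
    # Every PE file starts with the 'MZ' DOS header, whatever icon the name suggests.
    if head[:2] == b"MZ":
        reasons.append("PE header (MZ) present")
        if exts and exts[-1] in DOCUMENT_EXTS:
            reasons.append(f"content is a PE but name claims .{exts[-1]}")
    return reasons


def inspect_zip(blob):
    """Map each file inside a ZIP attachment (given as bytes) to its suspicious findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            findings[info.filename] = inspect_entry(info.filename, head)
    return findings


def build_sample_zip():
    """Constructed sample mimicking the spam attachments; harmless stub contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_Document.exe", b"MZ" + b"\x00" * 62)           # plain .exe
        zf.writestr("MasterCard_invoce.doc.exe", b"MZ" + b"\x00" * 62)  # double extension
        zf.writestr("UPS_Document.pdf", b"%PDF-1.4\n%%EOF\n")           # genuine-looking PDF
        zf.writestr("readme.pdf", b"MZ" + b"\x00" * 62)                 # PE with a document name
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(reasons) or "nothing suspicious")
```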


UPS_Document.exe
Result: 38/41 (92.7%)
MD5: 047bcd79fa681442b37bdf9b56c2257f


UPS.exe


Result: 17/43 (39.5%)
MD5: a668f20228e37a12bc033f5e2c014007
VirusTotal
ThreatExpert



Other subjects of this email might be:
- United Parcel Service notification #[random number]
- UPS Delivery Problem #[random number]
- UPS notification #[random number]
- United Parcel Service
- Post Express Service. Track your parcel! NR[random number]
- Post Express Information. You need to get a parcel NR [random number]
- UPS ticket #[random number]



Conclusion

You should never trust an email which has:

- only a URL included in the message
- an attachment that you need to open to view 'information'
- crappy spelling and grammar if there is content in the message
- been sent out to everyone in the sender's address book
- been sent from an unknown sender
- promises you can buy something for a very cheap price
- no subject or strange subjects (e.g. "0 enjoy yourself")

Never reply to this kind of email, simply delete it and don't look back ;) .

If you have downloaded a program and you are unsure about its intentions, you can always upload it to VirusTotal or other online virus scanners (VirScan, Jotti). Keep in mind that if a file is not detected by any engine, it is not necessarily clean!

Additionally, if you have executed the file, and believe you are infected, you can follow this guide to remove the malware:
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-malware-tutorial

Feel free to add any comments if you have any problems or questions.

Tuesday, 19 October 2010

USPS Delivery Problem NR5808038

Recently I got an email in my Unwanted Email box from Hotmail.

I do not check this often, so only noticed this now.
There was an email in it which caught my attention:
USPS Delivery Problem NR5808038

In the mail, there was a file called USPSLabel.zip. The content of the mail was the following:



Only the picture and the attachment were in the email, nothing more, nothing less.
The attachment was already removed by Hotmail as "unknown virus".


Conclusion:
USPS or any other Postal Service will not send you an email stating that you need to open an attachment. Certainly do not open the email when you have never used their services before.

If you did order with them and you are in doubt, do not reply to the email but simply navigate to their website (in this case: http://www.usps.com ) and look for contact details.

Additionally, (correct me if I'm wrong) you can easily compare your tracking number with the one in the subject.