Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Friday, 2 October 2009

Cyber Security Awareness Month: Day Two

Posted on 10:24 by Unknown

Fake IRS Email Continues


I know this is becoming the Spam Campaign that Just Won't Die, but today we are still seeing extreme volumes of spam claiming to be from the Internal Revenue Service, with the subject line "Notice of Underreported Income". Here are the host names being used in the spam for October 1st and so far on October 2nd:

October 2, 2009 Domains seen in spam by the UAB Spam Data Mine:

www.irs.gov.ccviilli.com
www.irs.gov.ccviilli.net
www.irs.gov.ccviilll.com
www.irs.gov.ccviilll.net
www.irs.gov.ccvillli.com
www.irs.gov.gerradsz1.be
www.irs.gov.gerradsz1.co.ee
www.irs.gov.gerradsz1.com
www.irs.gov.gerradsz1.eu
www.irs.gov.haqwaz1.co.im
www.irs.gov.haqwaz1.com.im
www.irs.gov.haqwaz1.im
www.irs.gov.haqwaz1.net.im
www.irs.gov.hyyyyf1.cn
www.irs.gov.hyyyyf1.eu
www.irs.gov.hyyyyf2.eu
www.irs.gov.hyyyyf3.cn
www.irs.gov.hyyyyf4.cn
www.irs.gov.hyyyyf5.cn
www.irs.gov.hyyyyf6.cn
www.irs.gov.hyyyyf6.eu
www.irs.gov.hyyyyf7.cn
www.irs.gov.hyyyyf7.eu
www.irs.gov.hyyyyf8.cn
www.irs.gov.hyyyyf8.eu
www.irs.gov.nyuz1a.com
www.irs.gov.nyuz1a.net
www.irs.gov.nyuz2a.com
www.irs.gov.nyuz2a.net
www.irs.gov.nyuz3a.com
www.irs.gov.nyuz3a.net
www.irs.gov.nyuz4a.com
www.irs.gov.nyuz4a.net
www.irs.gov.nyuz5a.com
www.irs.gov.nyuz5a.net
www.irs.gov.vsdftpp.net

October 1, 2009 Domains seen in spam by the UAB Spam Data Mine:

www.irs.gov.ercc1zw.com
www.irs.gov.hyu111a.com
www.irs.gov.msrvtpp101.be
www.irs.gov.msrvtpp101.com
www.irs.gov.msrvtpp101.eu
www.irs.gov.msrvtpp102.be
www.irs.gov.msrvtpp102.com
www.irs.gov.msrvtpp102.eu
www.irs.gov.msrvtpp103.be
www.irs.gov.msrvtpp103.com
www.irs.gov.msrvtpp103.eu
www.irs.gov.vsdftpp.biz
www.irs.gov.vsdftpp.com
www.irs.gov.vsdftpp.in
www.irs.gov.vsdftpp.info
www.irs.gov.vsdftpp.mobi
www.irs.gov.vsdftpp.net
www.irs.gov.vsdftpp.org

Attempting to retrieve the malware from these sites, we were successful only with those on the ".im" country code. Like many cybercriminals, the criminals behind Zeus rely on inexperienced or uncooperative domain name registrars in order to keep their malicious websites live longer. In this case the domains:

haqwaz1.co.im
haqwaz1.com.im
haqwaz1.im
haqwaz1.net.im

as you're no doubt aware (ok, I had to look it up too!) .IM = Isle of Man. These domains would have been registered from "nic.im", who holds the keys to taking those domains off-line. I'm using the "nic.im" "contact us" page to report these fraud domains now.

The current version of the malware, which is still a Zeus Bot or "Zbot" infector, has these characteristics:

File size: 95232 bytes
MD5...: 869dba8c4bd9bb5a9030a24096883c6b

and is currently detected by only 9 of 41 anti-virus products at VirusTotal as you can see in this VirusTotal Report.

Other Malware in the Mail


Another long-running spam campaign claims that there has been a "delivery problem" with either DHL or Western Union.

The spam message says something like:


Hello!

We were not able to deliver the package you have sent on the (date here) in time
because the recipient's address is inexact.
Please print out the invoice copy attached and collect the package at our department.

DHL Customer Service


In this case the "attached package" is a piece of malware:

File size: 62464 bytes
MD5 : a4c926feeb6f906344f583091a02598f

which is well-detected as "BredoLab" as you can see in this VirusTotal Report by 16 of 41 anti-virus products.

Another version of the same spam says the same thing, only uses "UPS Delivery Problem" as the subject line and claims to be sent from "United Parcel Service".

A third version of the spam claims to be from Western Union, using the subject line "Wester Union transfer is available for withdrawl".


Dear customer.

The amount of money transfer: 8566 USD.
Money is available to withdrawl.

You may find the Money Transfer Control Number and receiver's details in document attached to this email.

Western Union.
Customer Service Center.


Whichever of these BredoLab malwares you run, you end up with Fake AV products being installed on your computer.


In the last prominent malware campaign we'll look at today a spam message is sent with the subject line "Thank you for setting the order No.475456". The text of the email reads:


Dear Customer!

Thank you for ordering at our online store.
Your order: Sony VAIO A1133651A, was sent at your address.
The tracking number of your postal parcel is indicated in the document attached to this letter.
Please, print out the postal label for receiving this parcel.

Internet Store.


Several slight variations of the attachment, sometimes called "install" and other times called "open" detect as different malware, with the two main versions being:

File size: 13312 bytes
MD5 : 595dc19dab1fa441304d77971c507d65

which detects as "Bravix" or "FakeAlert" or many other names, as you can see in this VirusTotal Report, which shows that 20 of 41 Anti-virus products detect this as malware.

and

File size: 13824 bytes
MD5 : 19daf4ef68dd4d830d4159e3d0dc7eb0

which also has many different detection names, including "Bravix", as you can see in this VirusTotal Report, which shows 23 of 41 anti-virus products detect this as malware.
Email ThisBlogThis!Share to XShare to Facebook
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Happy New Year! Here's a Virus! (New Year's Postcard malware)
    I've been busy this week looking at the various defacements (see ComputerWorld , and ABC News ) and other cyber attacks (see yesterday...
  • From Russia, With Love . . . new Postcard spam spies on your PC
    Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evenin...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • Tempting Photo Attachments Lead to Fake AV
    One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks. A subject line, fo...
  • What about the Social Security Numbers? (The Utah Data Breach and your SSN)
    The Utah Data Breach This week the continuing saga of the Utah Medicaid Data Breach continued to unfold. If you haven't been following...
  • Stop the Rumors: Quit SMSing about WalMart Gang Initiations
    My daughter and her teenage friend were sitting on the couch watching TV today when they began getting text messages on their phone. Here...
  • Minipost: IPR Center celebrates Cyber Monday
    The National Intellectual Property Rights Center (IPR Center) announced today that in celebration of Cyber Monday, they have Seized 82 Domai...
  • ACH Spammer switches to Shortened URLs
    For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domai...
  • Work at Home . . . for a Criminal?
    How do you tell if a "Work at Home" invitation is a scam? Here's a clue: It comes in your email. In today's Blog, I tho...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ▼  2009 (92)
    • ►  December (12)
    • ►  November (11)
    • ▼  October (16)
      • Facebook Safety & Million Member Facebook Groups
      • FACEBOOK PHISH! Users Beware!
      • Fake FDIC spam campaign spreads Zeus malware
      • FBI and SOCA make a media splash at RSA Europe
      • Phishing For Love: Banking Insiders
      • TowerNet CapitalOne: Avalanche returns after 15 mo...
      • Zipped Malware Attachments in Spam: Here comes Con...
      • Hacked Newspaper loads Google News with malware sites
      • Targeted URLs in spam . . .OWA Settings update
      • IRS Zeus via Geocities
      • A weekend of Old News
      • The FBI's Biggest Domestic Phishing Bust Ever
      • Microsoft "Your e-mail will be blocked" phish
      • A Day in the Life of Spam
      • Cyber Security Awareness Month: Day Two
      • Cyber Security Awareness Month: Day One
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ►  August (22)
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile