Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Wednesday, 3 February 2010

Minipost: Fake Photo Zeus

Posted on 10:49 by Unknown
Back on November 24th, we ran a story about a version of Zeus which pretended to be a friend letting you know that Some Jerk Posted Your Photo. The current spam is almost identical to the original, using the same subject lines of:

Subject: fw
Subject: hey
Subject: hi
Subject: re
Subject: some jerk has posted your photos
Subject: your photos

The text of the message is:
Hey, some jerk has posted your pictures (u understand what kind of pictures are there) and sent a link of them to all ur friends. I have already replied back. Said, that he is an idiot. See the link:

http://photosbank.aedswer.cz/id1073bv/get.php?email=youremail@yourdomain.com

Tamara Orozco



This is what the website looks like:



Although downloading the "PhotoArchive.exe" file is dangerous - its a Zeus Botnet that's currently only detected by 7 of 40 AV products according to this VirusTotal Report, just visiting the website is also dangerous, because it has a drive-by infector that loads from 109.95.115.36 / usasp22 / in.php

Here are some of the websites that we've seen used to host the malware so far today in the UAB Spam Data Mine:

archive.tygersg.cz
archive.uisaxr.bz
archive.zinnko.co.uk
archive.zinnko.com
archives.aedswer.cz
archives.tyerdert.co.nz
archives.tyerdery.co.uk
archives.uisaxr.bz
archives.zinnko.pl

letitbit.aedswek.cz
letitbit.aedswer.cz
letitbit.tyerdery.co.uk
letitbit.tygersk.com
letitbit.tygersm.cz
letitbit.zinnko.co.uk
letitbit.zinnko.pl

photobank.aedswer.cz
photobank.aedswet.cz
photobank.tyerderi.co.uk
photobank.tygersa.cz
photobank.tygersk.com
photobank.zinnko.cz

photosbank.aedswee.cz
photosbank.tyerdere.co.nz
photosbank.tyerderi.co.nz
photosbank.tyerderi.co.uk
photosbank.tyerdery.co.uk
photosbank.tygersg.cz
photosbank.tygersm.cz
photosbank.zinnko.com
photosbank.zinnko.vc

photoshock.tyerdere.co.nz
photoshock.tyerderi.co.uk
photoshock.tyerdero.co.nz
photoshock.uisaxr.me.uk
photoshock.zinnko.be
photoshock.zinnko.com.pl

photostock.aedswee.cz
photostock.aedswek.cz
photostock.aedswer.cz
photostock.aedswew.cz
photostock.tyerdere.co.nz
photostock.tyerderi.co.uk
photostock.uisaxr.me.uk
photostock.zinnko.co.uk
photostock.zinnko.com
photostock.zinnko.com.pl
Email ThisBlogThis!Share to XShare to Facebook
Posted in zbot | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Happy New Year! Here's a Virus! (New Year's Postcard malware)
    I've been busy this week looking at the various defacements (see ComputerWorld , and ABC News ) and other cyber attacks (see yesterday...
  • From Russia, With Love . . . new Postcard spam spies on your PC
    Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evenin...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • Tempting Photo Attachments Lead to Fake AV
    One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks. A subject line, fo...
  • What about the Social Security Numbers? (The Utah Data Breach and your SSN)
    The Utah Data Breach This week the continuing saga of the Utah Medicaid Data Breach continued to unfold. If you haven't been following...
  • Stop the Rumors: Quit SMSing about WalMart Gang Initiations
    My daughter and her teenage friend were sitting on the couch watching TV today when they began getting text messages on their phone. Here...
  • Minipost: IPR Center celebrates Cyber Monday
    The National Intellectual Property Rights Center (IPR Center) announced today that in celebration of Cyber Monday, they have Seized 82 Domai...
  • ACH Spammer switches to Shortened URLs
    For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domai...
  • Work at Home . . . for a Criminal?
    How do you tell if a "Work at Home" invitation is a scam? Here's a clue: It comes in your email. In today's Blog, I tho...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ▼  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ▼  February (4)
      • Phishers target Blogger.com accounts
      • What the Bad Guys Know: We'll Click on ANYTHING!
      • Conficker.B Microsoft Warning spam rehashed
      • Minipost: Fake Photo Zeus
    • ►  January (7)
  • ►  2009 (92)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ►  August (22)
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile