Bogus MS Update

We have been receiving bogus emails claiming to be coming from Microsoft:

...public distribution of this Update through the official website »www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all users Microsoft Windows OS.
as the computer set to receive notifications when new updates are available, which you have received this notice.

We have seen emails containing one of the following links:
hxxp://www2.sinel.com/microsoftupdate.html
hxxp://mail1.e-corecorporation.com/default.htm

They seem to be compromized websites being used by the bad guys in order to facilitate this attack.

The page default.html from hxxp://mail1.e-corecorporation.com/default.htm uses a refresh-type redirect to this url:
hxxp://0xc0.0xdc.0x6e.0xe4/microsoftupdate.html

The page microsoftupdate.html from sinel.com and 0xc0.0xdc.0x6e.0xe4 both execute another refresh-type redirect in order to download a Zeus malware with filename update09.exe.

Interestingly enough, this attack uses 0xc0.0xdc.0x6e.0xe4 to serve the malware. This IP-address translates to 192.220.110.228, which in turn resolves to summit102.summitdesign.net, another possibly compromised website used in this attack.

The presence of the following files/folders may indicate signs of infection:
%System%\sdra64.exe
%Temp%\tmp.exe
%System%\lowsec\

More here.

Another Shameless SEO based on Atlanta Flooding

Users Googling "Atlanta flood pictures" receive a yet another SEO attack, using a possibly compromised legitimate Australian website hosting restaurants in the famous Bondi area.

Here's a screenshot of a google search result:


A Fiddler capture shows us the redirections:


So we go from
hxxp://idrb.com/pdf_files/atlanta-flood-pictures.html
>hxxp://06d.ru/t.php
>>hxxp://read-cnn2.com/?pid=207&sid=de9f8f
>>>hxxp://winfixscanner7.com/scan1/?pid=207&engine=pHTyzjTyMzEyOS44Mi4xOTAmdGltZT0xMjUuNgAMPAVN

An installer named Soft_207.exe will be presented for download, which is a variant of the Total Security family of Fake AVs.

At the moment, the following domains have been observed to have been involved in this attack:

winfixscanner7(dot)com
15scanner(dot)com

These domains resolve to the following IP addresses:
89.47.237.55
89.248.174.61
213.163.89.60

But knowing the trend in scareware, there could be heaps more domains being created as we speak.

Koobface on the Move, Serving Scareware !!

We have been seeing a lot of new movement on the koobface front Lately.



As koobface-serving domains are being taken down as early as the good guys discover them, the bad guys are at it and they respond by registering new ones. At the moment, their, C&C server is hosted in China with IP Address 61.235.117.83.

The bad guys are still using a fake facebook website, as well as posing as a fake codec, in order to distribute koobface.



Clicking anywhere on the page, presents us with a file named setup.exe. Here are some of the IPs being used to distribute koobface:



115.130.27.204
123.202.200.84
151.204.31.67
196.206.65.53
221.126.0.105
24.215.207.229
41.238.76.198
61.93.34.23
67.206.253.52
68.47.48.240
69.18.107.115
69.254.215.173
70.122.242.250
70.212.232.126
71.116.37.213
71.130.216.179
71.194.236.32
71.80.105.40
72.13.138.210
72.190.87.208
75.181.171.110
75.251.94.44
76.119.98.22
76.22.160.28
76.23.203.64
81.192.192.160
98.140.58.163
98.244.224.140
98.26.40.38
99.22.74.229

The javascript component being by used by koobface, remains bascically the same as before

And as before, koobface is still serving up scareware. From time to time, users are presented with a My Computer online scan, going through these domains:



gotrioscan(dot)com
plazec(dot)info

At some instances, we also get these warnings:




At the moment, these warnings are serving Internet Antivirus Pro.

Update:
Koobface has been going at it and here's another one that spoofs youtube and serves koobface malware as a fake codec:

hxxp://71.197.170.226/d=www.marcellaburnard.com/0x3E8/view/console=yes/?go