Not all phishing is about banking

When we think about phishing, we think about e-mails that try to get information about online bank, eBay or PayPal accounts. In most cases this is true, but it must be noted that the aim of the people behind these attacks is the money, so wherever there is money there will be attempts to steal our information. Nowadays another common target is online games, especially MMORPGs (Massively Multiplayer Online Role-Playing Games) such as World of Warcraft or Lineage.

Last week I found this auction on eBay, selling four level-70 characters starting at US$27,000:

[Screenshot: eBay listing for the World of Warcraft characters]

Last year “Andy” Deokyoung Jung from AhnLab gave a very good presentation about online gaming and hackers at AVAR. It is clear that all kinds of accounts are likely to come under attack. For example, on February 22nd I saw a new phishing attack targeting Yahoo Sponsored Search users:

[Screenshot: the phishing e-mail]

Of course, when you click on the link it takes you to a bogus site:

[Screenshot: the bogus site]

This is the real one:

[Screenshot: the real Yahoo site]

As I always say, please be careful and delete any message that tries to get your information. It’s simple but effective.

Posted under Malware Alerts

This post was written by Ted on February 25, 2008


Yet Another Web Attack Toolkit -> Exploit Multipackage 0.2

Last week we received an e-mail message written in German advertising a casino called Lux Imperial Casino. However, this message was not just spam: it also included a malicious link to a toolkit called Exploit Multipackage.

The infection URL, http://58.65.239.98/[removed]/index.php, lets the attacker probe the visiting system for vulnerabilities. If it finds any, a Trojan detected as Nabload.DBD is installed on the computer. This Trojan in turn downloads another one, detected as Banker.KQS, which is designed to steal confidential information related to banking entities.

We could access its control panel, which is hosted in Hong Kong. Although it has not been active for a long time, in the following images we can see the most affected operating systems and browsers. Other interesting data: the control panel is in Russian, and the most affected country is Germany.

This control panel is similar to the Traffic Pro one, so it could be an evolution of that kit. Last year we published a complete report about Traffic Pro, which you can check here.

[Screenshots of the control panel: most affected operating systems, browsers and countries]

This is the list of vulnerabilities it attempts to exploit on the systems it probes. For more information about each one, and how to update the system to close it, see the following bulletins and advisories:

Microsoft Security Bulletin MS03-011 [Flaw in Microsoft VM Could Enable System Compromise (816093)]

Microsoft Security Bulletin MS06-014 [Vulnerability in the Microsoft Data Access Components Function Could Allow Code Execution (911562)]

Microsoft Security Bulletin MS06-044 [Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008)]

Microsoft Security Bulletin MS07-017 [Vulnerabilities in GDI Could Allow Remote Code Execution (925902)]

Microsoft Security Bulletin MS07-055 [Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (923810)]

Yahoo! ActiveX GetFile () [Vulnerability in Yahoo! Messenger (8.1.0.421) CYFT FT60.DLL]

QuickTime ActiveX [QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow]
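The infection chain described above (a hit on the kit's landing page, then a dropped executable) is something a proxy log can show. The following is an added example, not code from the original post: the landing-page indicator (host 58.65.239.98, a redacted directory, index.php) comes from the post, while the Squid-style access.log format and every log line, including the payload name load.exe and the example.com requests, are constructed here for illustration.

```python
"""Flag clients that hit the Exploit Multipackage landing page and then pulled a binary.

Added example (not code from the original PandaLabs post). The landing-page
indicator (host 58.65.239.98, a redacted directory, index.php) comes from the
post; the Squid-style access.log format and every log line below are
constructed here for illustration, including the payload file name load.exe.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

KIT_HOST = "58.65.239.98"        # from the post
KIT_LANDING_FILE = "index.php"   # from the post

# Constructed sample: "<epoch> <ms> <client> <code/status> <bytes> <method> <url> <user> <peer> <type>"
SAMPLE_LOG = """\
1203949300.101 210 10.0.0.5 TCP_MISS/200 1512 GET http://58.65.239.98/xyz/index.php - DIRECT/58.65.239.98 text/html
1203949312.554 905 10.0.0.5 TCP_MISS/200 40960 GET http://58.65.239.98/xyz/load.exe - DIRECT/58.65.239.98 application/octet-stream
1203949400.000 120 10.0.0.7 TCP_MISS/200 30000 GET http://www.example.com/setup.exe - DIRECT/93.184.216.34 application/octet-stream
1203949500.000 110 10.0.0.9 TCP_MISS/200 1500 GET http://58.65.239.98/xyz/index.php - DIRECT/58.65.239.98 text/html
1203950400.000 300 10.0.0.9 TCP_MISS/200 22000 GET http://www.example.com/tool.exe - DIRECT/93.184.216.34 application/octet-stream
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+\s+(?P<ctype>\S+)\s*$"
)


def parse_line(line):
    """Parse one access.log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": float(m["ts"]), "client": m["client"], "url": m["url"], "ctype": m["ctype"]}


def is_kit_landing(url):
    """True for the kit's landing page regardless of the (redacted) directory name."""
    parts = urlsplit(url)
    return parts.hostname == KIT_HOST and parts.path.endswith("/" + KIT_LANDING_FILE)


def is_binary_download(url, ctype):
    """Executable by extension or by the server's declared content type."""
    return urlsplit(url).path.lower().endswith(".exe") or ctype == "application/octet-stream"


def correlate(log_text, window_seconds=300):
    """Return {client: [(kind, ts, url), ...]} with kind 'landing' or 'payload_after_landing'.

    A binary fetched within window_seconds after the same client's most recent
    landing-page hit is treated as the dropped Trojan (Nabload.DBD in the post).
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    last_landing = {}
    findings = defaultdict(list)
    for e in events:
        c = e["client"]
        if is_kit_landing(e["url"]):
            last_landing[c] = e["ts"]
            findings[c].append(("landing", e["ts"], e["url"]))
        elif c in last_landing and is_binary_download(e["url"], e["ctype"]):
            if e["ts"] - last_landing[c] <= window_seconds:
                findings[c].append(("payload_after_landing", e["ts"], e["url"]))
    return dict(findings)


def flagged_clients(log_text, window_seconds=300):
    """Sorted list of clients that show the full landing-page -> payload sequence."""
    return sorted(c for c, f in correlate(log_text, window_seconds).items()
                  if any(k == "payload_after_landing" for k, _, _ in f))


if __name__ == "__main__":
    for client, events in correlate(SAMPLE_LOG).items():
        for kind, ts, url in events:
            print(f"{client}\t{kind}\t{ts:.0f}\t{url}")
    print("infected (landing + payload):", flagged_clients(SAMPLE_LOG))
```

A client that only reached the landing page (10.0.0.9 in the sample) is worth a look but may simply have been unexploited, which is why the two kinds of finding are kept apart; the window is a tunable, and the sample's late download for 10.0.0.9 only counts once the window is widened.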

Thanks to Christian for his collaboration.

Posted under Malware Alerts

This post was written by Ted on February 25, 2008


Sensation.New Video - make haste to look!!!

Since last week we have been noticing a significant increase in certain spam messages, which have several features in common.

The subject of all of them is “Sensation.New Video - make haste to look!!!”, and as a social engineering lure they promise a video about some news story; the latest one we have seen refers to the trailer of a film premiere.

All of them contain a link that starts with a google.com URL (a Google ad-click redirector) so that it goes unnoticed; the real destination is carried in the adurl parameter and points to one of these servers:

Server: http://pousadarecantonatureza.com.br/
IP: 67.15.48.41
City / Country: Houston (Texas) [United States]

Server: http://www.neufeld-media.de/
IP: 81.169.145.72
City / Country: Berlin [Germany]


Links in the first spam message:

http://www.google.com/pagead/iclk?sa=l&ai=fXfafaD&num=67154&adurl=http://pousadarecantonatureza.com.br/<removed>/rdown.php?lddhUCE
http://www.google.com/pagead/iclk?sa=l&ai=sqxtEvL&num=93594&adurl=http://www.neufeld-media.de/<removed>/news/rdown.php?xssqxtE

Link in the second spam message:

http://www.google.com/pagead/iclk?sa=l&ai=DtxxsAu&num=85078&adurl=http://pousadarecantonatureza.com.br/<removed>/rdown.php?mVLuOuc

From these URLs a file called "news_m.exe" is downloaded, detected as Trj/Downloader.SQV. This downloader fetches another file called "vshost.exe", detected as Trj/Spammer.AGF, whose objective is to send more spam messages like these.

In addition, a file called "Loca.exe" is downloaded. It belongs to Trj/KillFiles.BU, which deletes some *.sys files from the system32\drivers directory, leaving the system unstable.

Other subjects used in these spam messages are:

Pamela Anderson divorces in third times!!!
CIA tortures prisoners!!!
Harry Potter was purchased by pentkhaus!!!
Two powerful earthquakes happened in the USA!!!
Michael Jakson glued up a person plaster!!!
Madonna reinvents herself as film director!!!
The extramarital son of John Kennedy appeared in Canada!!!


Posted under Malware Alerts

This post was written by Ted on February 25, 2008
