New tactics from the Storm gang can be seen as they celebrate with Halloween. Below is the look of the latest Storm site:
With an unpatched system, visiting the site will trigger an exploit to automatically download and execute a malicious file. The new filename is halloween.exe. We already detect this as Email-Worm.Win32.Zhelatin.LJ.
This may be a Trick, and a bad Threat from the Storm gang, so be sure to keep your databases updated.
A malicious PDF file called report.pdf, debt.2007.pdf, overdraft.2007.10.26.pdf, or similar, has been massively spammed through e-mail. The PDF is spiced with exploit CVE-2007-5020 that downloads ms32.exe, which in turn downloads more components.
Massive spamming did not eventually lead to major problems, since the secondary download location was swiftly taken down preventing the downloader from functioning.
The subjects for the spam messages include:
Your credit report
Your credit points
Your balance report
Personal Financial Statement
Personal Credit Points
Personal Balance Report
Your Credit File Balance Report
All of them are registered to Chinese addresses and they are criss-crossed to provide DNS for each other.
We've seen Citibank and Myspace phishing sites hosted under these domains before. But this is the first time we've seen a smoke shop hosted there. It's quite likely the whole site is fake and only built to collect credit card numbers.
Most of the day-to-day malware that we currently analyze has a financial motive. Such malware typically doesn't do anything noticeably malicious as it doesn't want to tip-off the victim.
But every now and then, we see something that's just plain nasty. Yesterday, Marko analyzed such a sample that we now detect as Trojan:W32/Agent.DPL.
This particular piece of malware appears to have a political rather than financial motive. A system infected with Agent.DPL displays the following message when Windows starts:
And it attempts to connect to www.kalonzomusyokaforpresident.com.
The website is the official presidential campaign page of Kenyan politician Stephen Kalonzo Musyoka. He launched his presidential campaign on October 14, 2007. Kenyan elections will be held in December. Note that the malware quotes Francis rather than Stephen.
Agent.DPL hacks the registry so that the user is unable to locate key Windows functions. This image shows the missing Control Panel icon as well as a few other things.
If any Control Panel apps are launched from another location, they'll be shut down by the malware.
Our guess is that by making the computer next to useless, Musyoka's detractors hope to shift the blame to him. But then again we don't know that much about the political situation in Kenya…
Our description — Trojan:W32/Agent.DPL — provides additional details, including an unusually easy way to disable it.
Greetings from the RSA Europe conference. This year it's being held in the Excel Conference Center in London.
The conference has many different tracks: authentication, business trends and impact, deployment strategies, developing with security, enterprise defense, hackers and threats, and a few others.
Several leading security experts including Bruce Schneier are participating in the keynote sessions. And to top it all off, the closing keynote session is hosted by Frank W. Abagnale, the world-famous authority on fraud and identity theft. The name rings a bell, doesn't it? Indeed, Frank was the subject of the major motion picture "Catch Me If You Can", directed by Steven Spielberg and starring Leonardo DiCaprio and Tom Hanks.
Here's the given address for the latter half of 2006:
The 555 reminded us of the fake phone numbers used in Hollywood movies so we decided to do a search on the address. There were lots of results. It was when we searched for "555 8th Ave" and e-gold that we discovered an interesting case from the past.
On February 22nd of 2006, the Manhattan District Attorney's office indicted three people for laundering $25 million via their business called Western Express:
Western Express was hosted at Paycard200.com. Here's the page courtesy of the Wayback Machine:
Shortly after the indictment there's a message informing their customers that they have hired attorneys to fight the charges:
And then the case drops off the radar… Being curious, we called the District Attorney's office in New York for a follow-up. The couple running the website pleaded guilty to the charges against them and received 2 to 6 (Vadim) and 1 to 3 (Yelena) years in prison. Their son is apparently still a fugitive.
Recently, Mikko was interviewed by Gary McGraw of the Silver Bullet Security Podcast. Show #19 was posted yesterday.
From McGraw's site: "For the 19th episode of The Silver Bullet Security Podcast, Gary interviews Mikko Hyppönen, Chief Research Officer at F-Secure. During this show, Gary and Mikko discuss Helsinki and Finnish pronunciation, whether mobile viruses are all hype or a legitimate threat, if the iPhone as a closed system is good or bad for security, and Mikko’s prediction for the appearance of the first mobile botnet. They also chat about Finnish hip-hop."
A new Storm site advertises a networking application. That site looks like this:
However, a mere visit to the site using an unpatched system will trigger an exploit to automatically download and execute a malicious file. Patched systems are protected but only if the users do not choose to download the file (with filename krackin.exe) and execute it themselves.
The webpage is detected as Trojan-Downloader.JS.Agent.KD while the file is detected as Email-Worm.Win32.Zhelatin.KE.
This is one network you wouldn't want to join, so make sure to keep your databases updated.
An unknown group has caused quite a hassle by publicly posting information about tens of thousands of user accounts.
A 4.5MB text file (passlist.txt) was uploaded to a Finnish website earlier today. The file contains usernames, e-mail addresses, passwords and uncracked password hashes of almost 79,000 user accounts. These accounts are mostly from different Finnish web forums.
It's quite trivial to find the correct password based on the password hash, assuming the password is "easy" and can be found in a password dictionary. The passlist.txt file claims that the hack was done by two Swedish hackers, but this has already been disputed.
The case exhibits some resemblance to an incident six weeks ago, where Swedish hacker Dan Egerstad published a hundred passwords to different embassies and government organisations. However, in that case the information was stolen by Mr. Egerstad by running rogue TOR exit node servers.
In today's case, the information has been stolen by unknown parties – most likely by hacking the servers of several Finnish web forums: that's pretty much the only way to gain access to the password hashes.
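As an added illustration of the point above (this is example code written for this page, not anything from the leaked file or from the affected forums), the script below shows why an unsalted hash leak is so dangerous: a weak-password dictionary is hashed once, and every one of the leaked hashes is then a single table lookup. It also shows the mitigation the forums evidently lacked, salted and iterated hashing, where the same dictionary has to be recomputed per account. The passlist format, usernames, e-mail addresses, salts, and the short wordlist are all constructed for the demo; the first two MD5 values are the well-known digests of "password" and "123456", and the third is a placeholder for a password not in the dictionary.

```python
import hashlib
import hmac

# Constructed stand-in for a password dictionary (a real wordlist has millions of entries).
WEAK_PASSWORDS = ["password", "123456", "qwerty", "letmein", "salasana", "hockey1"]

# Constructed sample in the spirit of a leaked passlist: username:email:md5hex.
# The first two hashes are MD5("password") and MD5("123456"); the third is a
# placeholder for a password that is not in the dictionary.
LEAKED_PASSLIST = """# username:email:md5hex (constructed sample)
alice:alice@example.invalid:5f4dcc3b5aa765d61d8327deb882cf99
bob:bob@example.invalid:e10adc3949ba59abbe56e057f20f883e
carol:carol@example.invalid:ffffffffffffffffffffffffffffffff
"""


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Hash the dictionary once; the table then serves every leaked hash."""
    return {md5_hex(word): word for word in wordlist}


def parse_passlist(text: str):
    """Parse 'username:email:hash' lines, skipping blanks and '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, email, digest = line.split(":", 2)
        entries.append((user, email, digest.lower()))
    return entries


def audit_unsalted(entries, table):
    """Accounts whose unsalted MD5 is in the precomputed table: one dict lookup each,
    regardless of how many accounts were leaked. These need a forced reset."""
    return {user: table[digest] for user, _, digest in entries if digest in table}


def salted_hash(password: str, salt: bytes, iterations: int = 1000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256): the mitigation side of the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def make_salted_records(iterations: int = 1000):
    """Constructed records as a forum storing salted hashes would keep them
    (per-user salt, stored digest); salts are fixed here so the demo is repeatable."""
    plaintexts = {"alice": (b"salt-for-alice", "password"),
                  "carol": (b"salt-for-carol", "not-in-any-dictionary-7Hq!")}
    return [(user, salt, salted_hash(pw, salt, iterations))
            for user, (salt, pw) in plaintexts.items()]


def audit_salted(records, wordlist, iterations: int = 1000):
    """The same dictionary check against salted records. No precomputed table helps:
    each account costs up to len(wordlist) fresh hash computations.
    Returns (weak_accounts, hashes_computed)."""
    weak, computed = {}, 0
    for user, salt, stored in records:
        for word in wordlist:
            computed += 1
            if hmac.compare_digest(salted_hash(word, salt, iterations), stored):
                weak[user] = word
                break
    return weak, computed


if __name__ == "__main__":
    table = build_lookup_table(WEAK_PASSWORDS)
    entries = parse_passlist(LEAKED_PASSLIST)
    print("unsalted, needs reset:", audit_unsalted(entries, table))
    weak, cost = audit_salted(make_salted_records(), WEAK_PASSWORDS)
    print("salted, needs reset:", weak, "hash computations:", cost)
```

The unsalted audit finds alice and bob without hashing anything beyond the six dictionary words; the salted audit still finds alice's weak password, but only after seven PBKDF2 computations for two accounts, and that cost scales with the number of accounts times the dictionary size rather than being paid once.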
After a few weeks of low activity from the Storm gang, they restarted their activities earlier this week. The e-mails and the website were the same as in September, but yesterday they changed the e-mail messages and also the website:
All the links point to SuperLaugh.exe, which we detect as Email-Worm.Win32.Zhelatin.KI.
Below are the lists of critical and important updates Microsoft has for this month.
These updates cover Kodak Image Viewer, Outlook Express and Windows Mail, Internet Explorer, and a vulnerability in Microsoft Word. All of these could allow remote code execution and elevation of privileges. For more details on these updates, here's the link to Microsoft's Security Bulletin.
Most of the new phishing we see is done with phishing kits, like the Rock Phish kit.
But every now and then we run into "old skool" phishing. Like the site we're looking at today, servicecenter-us-eu.dk. This domain was registered to Mr. "Asger Trier Bing" in Copenhagen three weeks ago. Quite surprisingly, the site is even hosted in Denmark.
When visiting the front page of the site, you get redirected to a standard PayPal phishing site. Once you log in (with any credentials), you get redirected to a page for some "additional security checks".
Now, take a look at the list of questions they're asking.
It's quite astonishing that anybody would be gullible enough to go through the full form and type in all the required information. Like your e-mail password? Your father's day of birth? Your PIN? Then again… somebody will fall for this. Someone always does.
Sorry for the big screenshot. The site has been reported and should be down soon.
Editor's Note: The registrant noted above, Mr. Bing, is the victim of identity theft.
This seems to have been the other vendor's solution: ignore reporters asking questions, fix the problem, then speak with the reporters and deny any knowledge of the issue.
With this approach to security – we wonder just how secure the rest of such spy tool applications are.
Updated to Add: We've received some communication from our readers that while Mobile-Spy's web interface issue has been addressed, the site may still be vulnerable to an SQL injection attack. We have not confirmed this, but if true, this means that all of the customer information is still accessible to anyone using the Demo account.