
Cybercriminals experiment with Android compatible, Python-based SQL injecting releases


Throughout the years, cybercriminals have been perfecting the process of automatically abusing Web application vulnerabilities to achieve their fraudulent and malicious objectives. From the utilization of botnets and search engines to perform active reconnaissance, the general availability of DIY mass SQL injecting tools as well as proprietary malicious script injecting exploitation platforms, the results have been evident ever since in the form of tens of thousands of affected Web sites on a daily basis.

We’ve recently spotted the publicly released, early-stage Python source code for a SQL injection scanner that finds its targets through Bing “dorks” (search queries crafted to surface pages built on known-vulnerable scripts). What’s the potential of this tool to cause widespread damage? Let’s find out.

Sample screenshots of the Python script in action:

Android_Python_Bing_SQL_Injection Android_Python_Bing_SQL_Injection_01 Android_Python_Bing_SQL_Injection_02

In its current form the tool isn’t capable of causing widespread damage: it ships without a pre-defined database of dorks, so the operator has to enter them manually, which greatly limits its reach. However, now that the source code is publicly obtainable, we believe that fellow cybercriminals inspired by the initial idea will add related features to it, either releasing the modified version for everyone to use, or monetizing the new features by pitching it as a private release.

We’ll naturally be monitoring its future development, and will post updates as soon as new developments emerge.

The post Cybercriminals experiment with Android compatible, Python-based SQL injecting releases appeared first on Webroot Threat Blog.


Newly launched E-shop offers access to hundreds of thousands of compromised accounts


In a series of blog posts, we’ve highlighted the ongoing commoditization of hacked/compromised/stolen account data (user names and passwords), the direct result of today’s efficiency-oriented cybercrime ecosystem, the increasing availability of sophisticated commercial/leaked DIY undetectable malware generating tools, malware-infected hosts as a service, log files on demand services, as well as basic data mining concepts applied by the operator of a particular botnet. What are cybercriminals up to these days in terms of monetizing such data? Penetration pricing on their way to achieving stolen asset liquidity, so that compromised accounts and hosts can be sold before their owners become aware of the compromise, at which point their value drops to zero.

A newly launched E-shop is currently offering access to hundreds of thousands of compromised legitimate Mail.ru, Yahoo, Instagram, PayPal, Twitter, Livejournal, Origin, Skype, Steam, Facebook, and WordPress accounts, as well as 98,000 accounts at corporate SMTP servers, potentially setting up the foundation for successful spear-phishing campaigns.

Sample screenshot of the inventory of the service:

EShop_Hacked_Compromised_Accounts_Sale_Sell_Buy_Purchase_Cybercrime

The prices are as follows:

  • 50,000 hacked/compromised accounts go for $10
  • 100,000 hacked/compromised accounts go for $15
  • 500,000 hacked/compromised accounts go for $45
  • 1,000,000 hacked/compromised accounts go for $80

The service is also offering a discount for orders beyond 3,000,000 hacked/compromised accounts, which in this case are offered for $70 for “every other million”. This underground market proposition is a great example of several rather prolific ‘common sense’ monetization tactics applied by a decent percentage of cybercriminals who are attempting to monetize their fraudulently obtained assets:

  • Penetration pricing – a common pricing technique aimed at quickly gaining market share, and in this particular case, at efficiently supplying the stolen assets to potential customers. What’s also worth emphasizing is that on the majority of occasions the cybercriminal will automatically ‘break even’, even if he actually invested hard cash in obtaining the hacked/compromised account data in the first place
  • Timeliness of a stolen asset in terms of achieving asset liquidity – whether it’s due to the (perceived) oversupply of a particular commoditized underground market item, like compromised account data, or the plain simple logic that the theft will sooner or later come to the attention of the owner, cybercriminals are no strangers to the concept of financial asset liquidity, and will do their best to reach out to potential customers as quickly as possible

We expect to continue witnessing the commoditization of hacked/stolen accounting data, with more similar propositions eventually popping up on our radars.


Google-dorks based mass Web site hacking/SQL injecting tool helps facilitate malicious online activity


Among the most common misconceptions regarding the exploitation (hacking) of Web sites is that no one would specifically target *your* Web site, given that there are so many high-profile Web sites to break into. In reality, thanks to the public/commercial availability of tools that exploit remote Web application vulnerabilities, the abundance of insecurely configured Web sites/forums/blogs, and the millions of malware-infected hosts internationally, virtually every Web site that’s online automatically becomes a potential target. These tools also drive the ongoing data mining of account data that is later fed into some of the market-leading malicious iFrame embedding platforms.

Let’s take a look at a DIY (do it yourself) type of mass Web site hacking tool, to showcase just how easy it is to efficiently compromise tens of thousands of Web sites that have been indexed by the World’s most popular search engine.

Sample screenshots of the DIY mass Web site hacking/SQL injecting tool based on the Google Dorks concept:

Google_Dorks_SQL_Injection_Mass_Web_Site_Hacking_Tool Google_Dorks_SQL_Injection_Mass_Web_Site_Hacking_Tool_01 Google_Dorks_SQL_Injection_Mass_Web_Site_Hacking_Tool_02 Google_Dorks_SQL_Injection_Mass_Web_Site_Hacking_Tool_03 Google_Dorks_SQL_Injection_Mass_Web_Site_Hacking_Tool_04

The proxy-supporting tool (the proxies being compromised, malware-infected hosts) has been purposely designed to automate mass Web site reconnaissance for the purpose of launching SQL injection attacks against the sites that turn out to be vulnerable to this common flaw. Once a compromise takes place, the attacker is in a perfect position to inject malicious scripts into the affected sites, potentially exposing their users to client-side exploit serving attacks. Moreover, as we’ve seen, the same approach can be combined with privilege escalation tactics that eventually “convert” the compromised host into part of an anonymous, cybercrime-friendly proxy network, or into a hosting provider for related malicious or fraudulent content such as malware or phishing pages. With the list of opportunities a cybercriminal could capitalize on being proportional to their degree of maliciousness or plain greed, Web site owners are advised to periodically monitor their site’s reputation through managed Web application vulnerability scanning services, or through Google’s Safe Browsing.
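What the dork-driven scanners in this post and the Bing-based one above actually send is a short, recognizable series of probes (an appended quote, a boolean tautology, UNION SELECT column-count guesses) against the same script from one address. The following detection logic is an added example, not code from the original post or from either tool: it parses constructed Apache combined-format log lines (embedded below, not real traffic) and groups probe hits per source IP, which is the check a site owner can run against their own access logs.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format), not taken from
# the original post. Lines two to four mimic what a dork-driven SQL injection
# scanner sends: an appended quote, a boolean tautology and a UNION SELECT
# column-count probe, all from one address within seconds.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2013:10:01:01 +0000] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Nov/2013:10:01:05 +0000] "GET /news.php?id=12%27 HTTP/1.1" 500 312 "-" "Python-urllib/2.7"
203.0.113.9 - - [10/Nov/2013:10:01:06 +0000] "GET /news.php?id=12+and+1%3D1 HTTP/1.1" 200 5120 "-" "Python-urllib/2.7"
203.0.113.9 - - [10/Nov/2013:10:01:07 +0000] "GET /news.php?id=-12+union+select+1,2,3 HTTP/1.1" 200 4098 "-" "Python-urllib/2.7"
198.51.100.4 - - [10/Nov/2013:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Probe signatures typical of automated SQLi reconnaissance, matched against
# the URL-decoded query string. Each rule is (name, compiled pattern).
PROBE_RULES = [
    ("quote_probe", re.compile(r"=\s*[^&]*'(\s|$|&)")),             # id=12'
    ("tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),  # and 1=1
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("comment_tail", re.compile(r"(--|#|/\*)\s*$")),
]


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_url"] = unquote_plus(rec["url"])
    return rec


def classify_request(decoded_url):
    """Return the names of every probe rule that fires on the decoded URL."""
    query = decoded_url.partition("?")[2]
    return [name for name, pat in PROBE_RULES if pat.search(query)]


def find_sqli_scanners(log_text, min_hits=2):
    """Group probe hits by source IP and report IPs with at least min_hits.

    A single odd request can be a typo; several distinct probe types from one
    address in a short window is the fingerprint of an automated scanner.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rules = classify_request(rec["decoded_url"])
        if rules:
            hits.setdefault(rec["ip"], []).append((rec["ts"], rec["decoded_url"], rules))
    return {ip: events for ip, events in hits.items() if len(events) >= min_hits}


if __name__ == "__main__":
    for ip, events in find_sqli_scanners(SAMPLE_LOG).items():
        print(ip)
        for ts, url, rules in events:
            print("  ", ts, url, ",".join(rules))
```

Tune PROBE_RULES to the application; the point is the grouping by source, since one stray quote in a query string is noise, but several distinct probe types from one address within seconds is a scanner. The 500 returned on the quote probe in the sample is also exactly what the scanner keys on: a site that surfaces database errors to the client is advertising itself to the dork-driven tools described above.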

We expect to continue observing such DIY efficiency-oriented underground market releases, with the logical transformation of DIY products into actual managed services launched primarily by novice cybercriminals, either enjoying a lack of market transparency through the biased exclusiveness of their proposition, or pitching to fellow novice cybercriminals who wouldn’t otherwise have access to such tools.


Deceptive ads lead to the SpyAlertApp PUA (Potentially Unwanted Application)


Whenever a user gets socially engineered, they unknowingly undermine the confidentiality and integrity of their system, as well as any proactive protection they have in place, in exchange for quick gratification or whatever it is they are seeking. This is exactly how unethical companies entice unsuspecting victims to download their new “unheard of” applications. They promise users the moon, and only ask in return that users install a basic free application. Case in point, our sensors picked up yet another deceptive ad campaign that entices users into installing privacy violating applications, most commonly known as PUAs or Potentially Unwanted Applications.

Sample screenshots of the landing page:

SpyAlertApp_Search_Donkey_PUA_Potentially_Unwanted_Application

Landing URL: spyalertapp.com

Detection rate for the SpyAlertApp PUA: MD5: 183cf05e8846a18dab9850ce696c3bf3 – detected by 4 out of 47 antivirus scanners as Win32/ExFriendAlert.B; SearchDonkey (fs)

Once executed, it phones back to 66.135.34.182 and 66.135.34.181

The following PUA domains are also known to have responded to the same IPs:
l.cloud-canvas.com
l.getsecureweb.com
l.hitthelightsapp.com
l.infoseekerapp.com
l.moviemodeapp.com
l.provideodownloader.com
l.recordcheckerapp.com
l.searchdonkeyapp.com
l.spyalertapp.com
l.spyguardapp.com
l.spylookoutapp.com
l.tubedimmerapp.com
l.unfriendapp.com
l.webshieldonline.com

The following PUA MD5s are known to have phoned back to these IPs:
MD5: 5a4202e570997e6740169baac0d231cb
MD5: d461ced9efbba91fc9f672b4283ec9ce
MD5: 739974dc2cba93e265b8a4e3015f389d
MD5: a2abbbafbc74c0ee26b2d7cc57050033
MD5: 0c4b84ef70ea55fbadcd20c85e5df888
MD5: 1821d0ff30a9840db1a1be3133cee77f
MD5: 71a8639f45706cc034c37e39443774da
MD5: 9f08e58f38744753921090ee28eb3277
MD5: 8e2a368e139e81ae779e39304d03fb79
MD5: 2a65db19303587722aad675485f33ab4
MD5: 5a7751c7fb62bed7fafebbae36b29d8f
MD5: b1598ddaa466ae8c5ed7727fe8bf9bba
MD5: b960fcc346da8a64d969932fe993ed76
MD5: 32c0863bcb2543a55436ecd5bc1df462
MD5: 0f358896ee2bf4507a07ff971b7bc749
MD5: 82aad768bf3609f700947c689f024d9a
MD5: 2f1101cc2c834b4e404389fb14b43fd2
MD5: 0e76ffda3480511dbc9dda95b18d1c1b
MD5: ed6d97129f713a174d60eb10d5db0992
MD5: 126cf0cfe5f1da0106dfff9ce9cb7041
MD5: 84d31aaf279c57a0d2886639d7468ec5
MD5: 6b4e76e4655592d06828e0a932f260d5
MD5: e86c7ae3bae035e9cdd2a71db1c0fbea

Want to know who’s tracking your online activities? We advise you to give Mozilla’s Lightbeam a try.

Webroot SecureAnywhere users are proactively protected from these PUAs.


Cybercriminals differentiate their ‘access to compromised PCs’ service proposition, emphasize on the prevalence of ‘female bot slaves’


From Bitcoin-accepting services offering access to compromised malware-infected hosts, and vertical integration to occupy a larger market share, to services charging based on malware executions, we’ve seen multiple attempts by novice cybercriminals to introduce unique value propositions (UVP), centered on differentiating their offering in an over-supplied cybercrime-friendly market segment. And that’s just for starters. A newly launched service is offering access to malware-infected hosts, DDoS for hire/on demand, as well as crypting of the malware before a campaign is launched, all in an effort to differentiate its unique value proposition not only by vertically integrating, but also by emphasizing the prevalence of ‘female bot slaves’ with webcams.

Sample screenshot of the cybercriminal’s underground market proposition showcasing some of the “inventory”:

Malware_Botnet_Girl_Female_Bots_Vertical_Integration_Cybercrime_Underground_Market

Here’s a breakdown of the prices. 100 bots that will also be resold to the next prospective buyer are offered for $5, a rather surprising monetization approach, given that once a cybercriminal gets access to a host, the first thing he’d usually do is remove competing malware from it. The novice cybercriminal is also offering 100 bots that will not be resold to anyone but the original buyer for $7. Moreover, 300 bots infected directly through an exploit kit are offered for $35, followed by a separately offered service, namely obfuscating the actual malware for $3 per sample using a public crypter and $5 using a private one. The boutique cybercrime-friendly shop is also offering a DDoS for hire/on demand service, with prices starting from $2 for one hour of attack. What we’ve got here is a very good example of a UVP-aware novice cybercriminal who’s basically having a hard time trying to pitch commoditized underground market assets.

The novice cybercriminal’s attempt to monetize his fraudulently obtained underground market assets is worth discussing in the broader context of today’s mature cybercrime ecosystem, in particular the emergence of propositions pitched by novice cybercriminals who’d monetize virtually anything that can be monetized, including goods and services that sophisticated attackers consider commoditized. This ongoing lowering of the entry barriers into the world of cybercrime inevitably results in the acquisition of capabilities and know-how that were once reserved exclusively for sophisticated attackers.

We expect to continue observing an increase in (international) underground marketplace propositions pitched by novice cybercriminals to fellow novice cybercriminals, largely thanks to the general availability of leaked/cracked/public malware/botnet generating tools and kits.


New vendor of ‘professional DDoS for hire service’ spotted in the wild


In a series of blog posts, we’ve highlighted the emergence of easy to use, publicly obtainable, cracked or leaked, DIY (Do It Yourself) DDoS (Distributed Denial of Service) attack tools. These tools empower novice cybercriminals, enabling them to monetize in the form of ‘vendor’ type propositions for DDoS for hire services. Not surprisingly, we continue to observe the growth of this emerging (international) market segment, with its participants continuing to professionalize while pitching their services to virtually anyone who’s willing to pay for them. However, among the most common differences between the international underground marketplace and, for instance, the Russian/Eastern European one remains the OPSEC (Operational Security) applied, if any, by the market participants, who knowingly or unknowingly realize its potential as a key differentiating factor for their own market propositions.

Case in point, yet another newly launched DDoS for hire service, that despite the fact that it’s pitching itself as anonymity and privacy aware, is failing to differentiate its unique value proposition (UVP) in terms of OPSEC.

Sample screenshot of the landing page:

DDoS_For_Hire_Rent_On_Demand_Cybercrime_Market_Underground

Let’s discuss the (business) interaction that most commonly takes place between a buyer and a seller of such services. On the majority of occasions, because the vendor seeks to efficiently supply what the market demands, basic OPSEC rules, ones sometimes observed among Russian/Eastern European providers, are ignored. For instance, the service discussed in this post not only has a publicly searchable site, it also features a YouTube advertisement. Combined with the fact that it solicits customer inquiries through a Gmail account, with no public PGP key offered, this results in a situation where a potential customer would think twice before contacting the vendor. Moreover, these (international) underground market propositions usually tend to acquire less technically sophisticated customers, who’d often seek assistance in taking down a gaming server or, not surprisingly, launching a denial of service attack against a “friend’s” Internet connection. In comparison, Russian/Eastern European vendors usually prefer to stay beneath the radar, and will vet potential customers based on multiple factors, including the actual target, before launching an attack on their behalf.

Not surprisingly, we’re also aware of several malicious MD5s that are known to have been downloaded from the same IP that’s known to have once responded to the service’s domain:

MD5: a7298ee33c26c21f4f179e4c949c817e
MD5: a315bbe9a50271832112cc3172a9ecbc
MD5: 571950ec60be81e033f8b516c7230dfe

We expect to continue observing an increase in such types of ‘DDoS for hire’ propositions, largely thanks to the ease of obtaining the necessary tools required to convert a botnet into a vendor-oriented type of underground market service, and will continue to monitor this market segment.


Source code for proprietary spam bot offered for sale, acts as force multiplier for cybercrime-friendly activity


In a professional cybercrime ecosystem, largely resembling a legitimate economy, market participants constantly strive to optimize their campaigns, achieve stolen asset liquidity and, most importantly, reach a degree of efficiency that helps them gain market share and thus secure multiple revenue streams. Despite the increased transparency of the Russian/Eastern European underground market, largely thanks to improved social networking courtesy of reputation-aware cybercriminals wanting to establish themselves as serious vendors, certain newly joining vendors continue to be victims of their market-irrelevant ‘biased exclusiveness’ in terms of the unique value proposition (UVP) presented to community members. Moreover, the over-supply of DIY malware/botnet generating tools, next to the release of leaked/cracked source code, puts them in a situation where they can no longer command the high prices for their products/services that they once did. That’s mainly because the competition is so fierce that it inevitably results in the commoditization of these underground market items.

What happens when this commoditization takes place? What are cybercriminals doing with the leaked/cracked source code for sophisticated malware/botnet generating tools? Why would a cybercriminal purposely offer the source code of his malware ‘release’ for sale, especially given that he can continue enjoying its proprietary nature, meaning, a supposedly lower detection rate? Let’s discuss these scenarios through the prism of a recently offered source code of a proprietary spam bot written in Delphi. The bot relies primarily on compromised/automatically registered email accounts as the primary propagation vector for upcoming (malicious) spam campaigns.

Sample screenshots of the administration panel of the spam bot, relying on compromised Web shells as C&Cs:

Spam_Bot_Malware_Malicious_Software_Cybercrime_Source_Code Spam_Bot_Malware_Malicious_Software_Cybercrime_Source_Code_03 Spam_Bot_Malware_Malicious_Software_Cybercrime_Source_Code_02

Spam_Bot_Malware_Malicious_Software_Cybercrime_Source_Code_04 Spam_Bot_Malware_Malicious_Software_Cybercrime_Source_Code_05

According to the seller of this spam bot, the actual binary is around 56kb in size, and the C&C is PHP/MySQL based. The seller also offers his personal advice, which is to consider relying on compromised Web shells for accessing the command and control infrastructure. The price? $300. A logical question emerges: why would a cybercriminal who’s apparently already making money from his custom coded spam bot be selling its source code, rather than continuing to operate beneath the radar? Three possibilities: noise generation, an exit strategy, or underground multitasking in action, since the seller didn’t mention that he’s selling a single copy of the source code exclusively to the first buyer. Noise generation can be best described as a strategy used by cybercriminals to draw attention away from an initial malicious ‘release’. The idea is to avoid the attention of the security industry/law enforcement, who’d now have to pay attention to the copycats that emerge through tweaking and modifying the original source code. Although not necessarily feasible in a greed dominated cybercrime ecosystem, an exit strategy may result in the seller offering unlimited access to the source code to multiple parties, in an attempt to exit the market segment while still securing a revenue stream for himself. The multitasking scenario is a variation of the noise generation strategy, where the seller of the source code continues improving and using it, in between selling access to others so that they can do the same.

Consider going through the following research/posts on the topic of source code and malicious software:

The bottom line? We expect that the Russian/Eastern European underground marketplace will continue to dynamically evolve in terms of Quality Assurance, localization and cybercrime-as-a-service type of managed propositions, and overall, stick to the well proven efficiency-oriented mentality that’s driving everyone’s business models.


Low Quality Assurance (QA) iframe campaign linked to May’s Indian government Web site compromise spotted in the wild


We’ve intercepted a currently trending malicious iframe campaign, affecting hundreds of legitimate Web sites, that’s interestingly part of the very same infrastructure from May, 2013′s analysis of the compromise of an Indian government Web site. The good news? Not only have we got you proactively covered, but also, the iframe domain is currently redirecting to a client-side exploit serving URL that’s offline. Let’s provide some actionable intelligence on the malicious activity that is known to have originated from the same iframe campaign in the past month, indicating that the cybercriminal(s) behind it are actively multi-tasking on multiple fronts.

iframe URL: karenbrowntx.com – 98.124.198.1

Client-side exploits serving redirector: hxxp://ww2.taylorgram.com/main.php?page=3081100e9fdaf127 – known to have responded to 31.171.133.163 and most recently to 184.168.221.20

The same URL is also known to have dropped malware on affected hosts on 2012-06-12, in particular MD5: 923324a0282dd92c383f8043cec96d2d

Known to have responded to the same IP (98.124.198.1) are also the following malicious domains:
00ridgeroad.com
0703fdsf.info
09woman.com
100chaparralbv.com
100chaparralbvmartensville.com
10269ruefrederick-olmsted.com
1066sunrisedrive.com
1069colquittavenue.com
110010thavregina.com
1127alexandria.com
1143gladstone.com
114rmerganser.com
1176andrade.com
1180englishtownrd.com
11910route28.com
120-waterstone.com
120riverbank.com
121stationstreet.com
1266mainst.com
1397goyeau4sale.com

We’re also aware of the following malicious MD5s that have used the same IP as C&C server during October, 2013:
MD5: b26c30b512471590cfd2481bceea1b86
MD5: 6e4d7c9e1d935b18340064cabe60ee59
MD5: d0a76dd2bb62c54791a90453884aaeb4
MD5: 5c4b38b7e7bba69eafca7508dea8a940
MD5: 5b057c5838794fe7314ead6cb8ab7a08
MD5: b17279f38e0c2ab76ed6ef929385bd6b
MD5: d5bd9375e2693f5d6f48653c5d98960c
MD5: d181371ce3456363c0ae9628e0366569
MD5: 1e5eca486655233da67081d495e599d2
MD5: dfe79429195841e8819e845535220ac7
MD5: ad48514853d7a07f61b21a7729f2256d

Known to have responded to the same IP (184.168.221.20) are also the following malicious domains:
100crowns.net
12inchskinz.com
17tidalshore.com
1800truckad.com
1pel.com
2000golfcart.com
2013snipefd.com
2174saturn.com
24498pescadero.com
2951central306.info
2getloan.net
30minutesaweek.us
365ing.com
3psillc.com
400kmmm.com
40hourmonth.com
4159alameda.info
4kpublisher.com
4kx2k.org
6005nkimball402.info

We’re also aware of the following malicious MD5s that have phoned back to the same IP:
MD5: 1776790a93de6cdb273c4d43e751ea60
MD5: f7a6f099db2e38ddfefd33700e413477
MD5: f4a56cc617de5a502c89ad616d90239c
MD5: f0ea6bacdc21c909ae253dc028ac3b81
MD5: ef35106c249da0b44b11e514b7279c0a
MD5: e8dad0602a29670397c4d12ee14c11d0
MD5: e6cfa22910624ed26e1269a88cfa21ea
MD5: e6b79746a444b1ad3d6c006f812c756e
MD5: e4fbe5f7471acdba51f8e78c66e62f06
MD5: e2995b8ce1ec3ac62c72dd5a6a76e992
MD5: dc292733ea7a3e22edd86091a1f25a90
MD5: d3b802d899fe7a6be78f90e1526590a4
MD5: d3c02d615e3996def378956b24363e51
MD5: d2f98464214fca25e0e2892192642171
MD5: d282ef4d97993dae7c131fe654ca5466

Webroot SecureAnywhere users are proactively protected from these threats.



Popular French torrent portal tricks users into installing the BubbleDock/Downware/DownloadWare PUA (Potentially Unwanted Application)


A typical campaign attempting to trick users into installing a Potentially Unwanted Application (PUA) would usually consist of a single social engineering vector, which in the majority of cases would be something along the lines of a catchy “Play Now/Missing Video Plugin” type of advertisement. Not the one we’ll discuss in this blog post. Relying on deceptive “visual social engineering” practices, a popular French torrent portal is knowingly (the actual directory structure explicitly says /fakeplayer) enticing users into installing the BubbleDock/Downware/DownloadWare PUA. What kind of social engineering tactics is the portal relying on? Let’s find out.

Sample screenshot of the fake and localized to French “Missing Plugin” presented on the top of the page:

Torrent_Francais_One_Installer_BubbleDock_Downware_DownloadWare_01

As you can see in the attached screenshot, the portal attempts to convince the user that he/she is missing a plugin required to display the content. Once users attempt to download it by clicking on the link, they’re automatically exposed to the executable hosted within One Install’s affiliate based type of revenue sharing platform.

Sample screenshots of the fake WebPlugin video window:

Torrent_Francais_One_Installer_BubbleDock_Downware_DownloadWare

The second “visual social engineering” vector relies on the “Install the WebPlayer plugin” type of fake Flash content that is ubiquitous in such social engineering campaigns.

PUA located at: download.oneinstaller.com/installer/?iid=270&nsoft=14 (affiliate network participant at the One Install network)

Detection rate for the PUA: MD5: 14de165a402ea6e13282c1195c24290f – detected by 8 out of 47 antivirus scanners as NSIS:Adware-KQ [PUP]; Adware.Downware.1265; Win32/AdWare.DownloadWare.I; BubbleDock (fs)

Once executed, the sample phones back to the following domains, where it not just obtains the legitimate Adobe Flash Player, but also, drops additional PUAs on the hosts of socially engineered users:
stats.oinst.com – 93.189.35.66
cdninst.com – 109.70.132.26
app.updatesafe.net – 46.232.206.17
ads.oneinstaller.com – 93.189.35.51
media.oneinstaller.com – 109.70.132.26
d.delivery49.com – 166.78.35.128
install.xaven.info – 70.186.131.70
wpc.0952.edgecastcdn.net – 68.232.34.163
hxxp://www.808116.com – 50.97.129.8
ajax.googleapis.com – 74.125.136.95
cdn.delivery49.com – 77.67.4.16
counter.d.delivery49.com – 54.243.81.17
media.vitjvitj.com – 93.189.32.145
hxxp://www.uplstatsone.com – 93.189.33.84
hxxp://www.282208.com – 174.36.200.167
stats.srvmystats.com – 176.32.99.220
csc3-2010-crl.verisign.com – 23.36.149.163
get.adobe.com – 192.150.16.58
www.googletagservices.com – 74.125.136.156
partner.googleadservices.com – 74.125.136.156
pubads.g.doubleclick.net – 74.125.136.154
pagead2.googlesyndication.com – 74.125.136.154
crl.verisign.com – 23.36.149.163
www.adobetag.com – 23.66.241.169
dlmping2.adobe.com – 88.221.216.105
stats.adobe.com – 66.117.29.34
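The domains and IPs listed above, and the ones in the iframe-campaign post earlier on this page, are only useful once someone matches them against traffic. The following is an added example, not code from the original post or from Webroot: it loads a subset of those indicators, matches constructed proxy log lines (embedded below, not real traffic) against them, and deliberately allowlists the legitimate shared infrastructure that appears in the callback list above (VeriSign CRL, Google CDN and ad servers, Adobe download and stats hosts), because matching on those would flag every healthy host on the network.

```python
import ipaddress
import re

# Indicators taken from the two posts above (a subset): the iframe redirector,
# the exploit-serving host and the IPs they resolved to, plus the PUA domains.
IOC_DOMAINS = {
    "karenbrowntx.com", "ww2.taylorgram.com", "stats.oinst.com", "cdninst.com",
    "app.updatesafe.net", "ads.oneinstaller.com", "media.oneinstaller.com",
    "d.delivery49.com", "install.xaven.info",
}
IOC_IPS = {"98.124.198.1", "31.171.133.163", "184.168.221.20",
           "93.189.35.66", "109.70.132.26", "46.232.206.17"}

# Hosts in the PUA's callback list that are legitimate shared infrastructure.
# Matching on them would fire on every machine that checks a CRL or fetches
# Flash, so they are allowlisted rather than treated as indicators.
BENIGN_HOSTS = {
    "crl.verisign.com", "csc3-2010-crl.verisign.com", "ajax.googleapis.com",
    "get.adobe.com", "dlmping2.adobe.com", "stats.adobe.com",
    "www.googletagservices.com", "partner.googleadservices.com",
    "pubads.g.doubleclick.net", "pagead2.googlesyndication.com",
}

# Constructed proxy log lines, not from the post:
# timestamp client method dest_host dest_ip status
SAMPLE_PROXY_LOG = """\
2013-11-05T09:12:01Z 10.0.0.21 GET www.example.org 93.184.216.34 200
2013-11-05T09:12:07Z 10.0.0.21 GET karenbrowntx.com 98.124.198.1 200
2013-11-05T09:12:08Z 10.0.0.21 GET ww2.taylorgram.com 184.168.221.20 404
2013-11-05T09:13:40Z 10.0.0.35 GET crl.verisign.com 23.36.149.163 200
2013-11-05T09:14:02Z 10.0.0.35 GET cdninst.com 109.70.132.26 200
2013-11-05T09:15:11Z 10.0.0.40 GET some-other-site.net 184.168.221.20 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) \S+ (?P<host>\S+) (?P<ip>\S+) (?P<status>\d+)$"
)


def domain_matches(host, ioc_domains):
    """True if host equals an IOC domain or is a subdomain of one.

    Walks the label suffixes (a.b.c.com -> b.c.com -> c.com) and stops before
    the bare TLD, so 'com' alone never matches.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in ioc_domains for i in range(len(labels) - 1))


def match_line(line):
    """Return (client, host, ip, reasons) for a hit, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, ip = m["host"].lower(), m["ip"]
    if host in BENIGN_HOSTS:
        return None
    reasons = []
    if domain_matches(host, IOC_DOMAINS):
        reasons.append("domain")
    try:
        if str(ipaddress.ip_address(ip)) in IOC_IPS:
            reasons.append("ip")
    except ValueError:  # not an IP literal (e.g. "-" when resolution failed)
        pass
    return (m["client"], host, ip, reasons) if reasons else None


def scan_proxy_log(text):
    """Return all hits plus the sorted set of clients that touched campaign infrastructure."""
    hits = [h for h in (match_line(l) for l in text.splitlines()) if h]
    return hits, sorted({h[0] for h in hits})


if __name__ == "__main__":
    hits, clients = scan_proxy_log(SAMPLE_PROXY_LOG)
    for client, host, ip, reasons in hits:
        print(client, host, ip, "+".join(reasons))
    print("clients to triage:", clients)
```

An IP-only hit is weak evidence on its own: the lists above show twenty unrelated-looking domains behind 184.168.221.20 and another twenty behind 98.124.198.1, so treat an "ip" match as a pivot to check the requested hostname and URL rather than as a verdict. The domain match, by contrast, covers subdomains deliberately, since both campaigns on this page rotate hostnames under a stable registered domain.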

Sample screenshots of the installation:

Torrent_Francais_One_Installer_BubbleDock_Downware_DownloadWare_02 Torrent_Francais_One_Installer_BubbleDock_Downware_DownloadWare_03

It also downloads and installs the following related Potentially Unwanted Applications (PUAs):
cdninst.com/offers/Mobogenie/Mobogenie.exe – MD5: a99dac9961a6ea4b50009e6485badb19 – detected by 1 out of 46 antivirus scanners as Trojan.Win32.Generic!SB.0
cdninst.com/offers/V9/Qone8.exe – MD5: f06c4455c740b192fd37cee9501327f2 – detected by 19 out of 47 antivirus scanners as Trojan.Win32.StartPage.choy; Elex Installer (fs)
cdninst.com/offers/SoftwareUpdater/SoftwareUpdater.exe – MD5: 80c3202212cef845931452fede347ee1 – detected by 22 out of 46 antivirus scanners as Trojan-Downloader.Win32.Genome.ffcs; PUP.Optional.Onekit.A
cdninst.com/offers/QuickShare/QuickShare.exe – MD5: e6f281b58cf026716a66098189595bc4 – detected by 4 out of 46 antivirus scanners as Adware.Win32.Linkury.83; PUP.Optional.QuickShare.A
cdninst.com/offers/Okitspace/Okitspace.exe – MD5: 2c908d624618f70304574f56c6dd73e6 – detected by 23 out of 47 antivirus scanners as Trojan.Win32.MSIL.BrowserProtectIU.A
cdninst.com/offers/Diamonddata/Xaven.exe – MD5: fedad72d67c0c4cf7dcf1401a1421bf3 – detected by 5 out of 47 antivirus scanners as Win32/BrowseFox.C
app.updatesafe.net/u/v122/TubeSing_1060-2015_v122.exe – MD5: c074d4c0bde7e63d5f2330d7b0c4fd36 – detected by 3 out of 47 antivirus scanners as Trojan.Crossrider.10; PUP.Optional.Tubesing

Webroot SecureAnywhere users are proactively protected from these PUAs.


Web site of Brazilian ‘Prefeitura Municipal de Jaqueira’ compromised, leads to fake Adobe Flash player


Our sensors just picked up an interesting Web site infection that’s primarily targeting Brazilian users. It appears that the Web site of the Brazilian Jaqueira prefecture has been compromised, and is exposing users to a localized (to Portuguese) Web page enticing them into installing a malicious version of Adobe’s Flash player. Not surprisingly, we’ve also managed to identify approximately 63 more Brazilian Web sites that are victims to the same infection.

Sample screenshot of the landing page serving the localized Adobe Flash Player:

Prefecture_Brazil_Malware_Malicious_Software_Fake_Adobe_Flash_Player_Localized

Sample screenshot of the embedded redirector at a sample compromised Web site:

Prefecture_Brazil_Malware_Malicious_Software_Fake_Adobe_Flash_Player_Localized_01

Sample affected Web site: jaqueira.pe.gov.br

Landing malicious URL: 79.96.179.237/br/flashplayer

Detection rates for the served malware:
MD5: cdb0ae783f66d37883f0431c6dd18954 – detected by 18 out of 47 antivirus scanners as TrojanSpy:Win32/Banker.AJP
MD5: 7dad87060db280e866b75970757dd462 – detected by 29 out of 48 antivirus scanners as Trojan-Downloader.VBS.Agent.agm

Webroot SecureAnywhere users are proactively protected from these threats.


Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits


Sharing is caring. In this post, I’ll put the spotlight on a currently circulating, massive (thousands of sites affected) malicious iframe campaign that attempts to drop malicious software on the hosts of unsuspecting Web site visitors through a cocktail of client-side exploits. The campaign, featuring a variety of evasive tactics that make it harder to analyze, continues to efficiently pop up on thousands of legitimate Web sites, ultimately hijacking the legitimate traffic hitting them and successfully undermining the confidentiality and integrity of the affected users’ hosts.

Sample redirection chains:
hxxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php -> hxxp://www.haphuongfoundation.net/vietnam/language/pdf_fonts/www/all2.php -> hxxp://www.profili-benton.si/templates/beez/1.php -> hxxp://www3.omq97dncl0enuzc91.4pu.com -> hxxp://find-and-go.com/?uid=11245&isRedirected=1 -> hxxp://5.199.169.39/piwik/piwik.php?idsite=6

hxxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php -> hxxp://www.haphuongfoundation.net/vietnam/language/pdf_fonts/www/all2.php -> hxxp://www.profili-benton.si/templates/beez/1.php -> hxxp://www3.omq97dncl0enuzc91.4pu.com (95.141.42.88) -> hxxp://www1.vjq1b9261b4d0.4pu.com/i.html (66.199.250.147) -> hxxp://www1.vjq1b9261b4d0.4pu.com/nnnnvdd.html -> hxxp://www1.vjq1b9261b4d0.4pu.com/pdfx.html -> hxxp://www1.vjq1b9261b4d0.4pu.com/qopne.html -> hxxp://www1.vjq1b9261b4d0.4pu.com/fnts.html

hxxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php -> hxxp://www.haphuongfoundation.net/vietnam/language/pdf_fonts/www/all2.php -> hxxp://www.profili-benton.si/templates/beez/1.php -> hxxp://www3.omq97dncl0enuzc91.4pu.com (109.201.135.20) -> hxxp://www1.u7dtn91y8y09.4pu.com/i.html -> hxxp://www1.u7dtn91y8y09.4pu.com/iexp.html -> hxxp://www1.u7dtn91y8y09.4pu.com/jmnyhsr.html

hxxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php -> hxxp://www.haphuongfoundation.net/vietnam/language/pdf_fonts/www/all2.php -> hxxp://profili-benton.si/templates/beez/1.php -> hxxp://www3.e96s0ttcl.4pu.com (109.201.135.20) -> hxxp://www1.thh3ssp6.4pu.com/i.html -> hxxp://www1.thh3ssp6.4pu.com/nnnnvdd.html -> hxxp://www1.thh3ssp6.4pu.com/pdfx.html -> hxxp://www1.thh3ssp6.4pu.com/qopne.html -> hxxp://www1.thh3ssp6.4pu.com/0a8aqgdg7qedig.swf
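The chains above follow one shape: a handful of compromised legitimate sites relay the visitor to throwaway hosts under a dynamic-DNS suffix (4pu.com, and lflink.com further down) that serve the exploit pages. The Python below is an added example, not code from the post; it parses chains written in the post’s defanged “hxxp://a -> hxxp://b (ip)” notation, separates the relay sites from the campaign hosts, and collects the hosts and IPs a defender would block. The first sample chain is copied from the post; the second, benign one is constructed as a negative control.

```python
"""Parse and triage defanged multi-hop redirection chains (added example)."""
import re
from urllib.parse import urlsplit

# Dynamic-DNS apex domains under which the campaign's hop and exploit hosts sat.
CAMPAIGN_DNS_SUFFIXES = ("4pu.com", "lflink.com")

# One hop: a URL, optionally followed by "(a.b.c.d)" as annotated in the post.
_HOP_RE = re.compile(r"^(?P<url>\S+)(?:\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?$")

SAMPLE_CHAINS = [
    # Second chain quoted in the post, verbatim.
    "hxxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php -> "
    "hxxp://www.haphuongfoundation.net/vietnam/language/pdf_fonts/www/all2.php -> "
    "hxxp://www.profili-benton.si/templates/beez/1.php -> "
    "hxxp://www3.omq97dncl0enuzc91.4pu.com (95.141.42.88) -> "
    "hxxp://www1.vjq1b9261b4d0.4pu.com/i.html (66.199.250.147) -> "
    "hxxp://www1.vjq1b9261b4d0.4pu.com/nnnnvdd.html -> "
    "hxxp://www1.vjq1b9261b4d0.4pu.com/pdfx.html -> "
    "hxxp://www1.vjq1b9261b4d0.4pu.com/qopne.html -> "
    "hxxp://www1.vjq1b9261b4d0.4pu.com/fnts.html",
    # Constructed benign two-hop redirect used as a negative control.
    "hxxp://example.org/old-page -> hxxp://www.example.org/new-page",
]


def refang(url):
    """Restore the 'http(s)://' scheme from the 'hxxp(s)://' defanged form."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_chain(chain):
    """Split 'a -> b (ip) -> c' into hop dicts carrying host, path and optional IP."""
    hops = []
    for raw in chain.split("->"):
        m = _HOP_RE.match(raw.strip())
        if not m:
            raise ValueError("unparseable hop: %r" % raw)
        parts = urlsplit(refang(m.group("url")))
        hops.append({"host": parts.hostname or "", "path": parts.path, "ip": m.group("ip")})
    return hops


def is_campaign_host(host):
    """True for hosts under one of the dynamic-DNS suffixes the campaign used."""
    return any(host == s or host.endswith("." + s) for s in CAMPAIGN_DNS_SUFFIXES)


def analyse_chain(chain):
    """Summarise one chain: relays before the first campaign host, campaign
    hosts and IPs, exploit-page paths served from them, and a verdict."""
    hops = parse_chain(chain)
    idx = [i for i, h in enumerate(hops) if is_campaign_host(h["host"])]
    first = idx[0] if idx else len(hops)
    return {
        "hops": len(hops),
        "relays": [h["host"] for h in hops[:first]],
        "campaign_hosts": sorted({hops[i]["host"] for i in idx}),
        "campaign_ips": sorted({hops[i]["ip"] for i in idx if hops[i]["ip"]}),
        "exploit_pages": [hops[i]["path"] for i in idx if hops[i]["path"] not in ("", "/")],
        # A redirect that reaches dynamic-DNS hosts after several relays is the campaign's signature.
        "suspicious": bool(idx) and len(hops) >= 3,
    }


def blocklist_candidates(chains):
    """Campaign hosts and IPs seen across several chains, ready for a proxy or DNS blocklist."""
    hosts, ips = set(), set()
    for chain in chains:
        result = analyse_chain(chain)
        hosts.update(result["campaign_hosts"])
        ips.update(result["campaign_ips"])
    return sorted(hosts), sorted(ips)


if __name__ == "__main__":
    for chain in SAMPLE_CHAINS:
        print(analyse_chain(chain))
    print(blocklist_candidates(SAMPLE_CHAINS))
```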

Sample detection rate for the served client-side exploits:
MD5: 3b141482d57aa716c8686b388fcbc8f3 - detected by 5 out of 47 antivirus scanners as Exploit:Win32/Pdfjsc.AKB
MD5: 4d52aa24c91b2f9b757ab81118f56447 - detected by 5 out of 47 antivirus scanners as Exploit.Win32.CVE-2011-3402.a
MD5: cee8493b53394a2b58228b829f2af25e - detected by 5 out of 47 antivirus scanners as Exploit:Win32/Pdfjsc.AKB
MD5: 1b61c150176f0ab076f8befb46cfc3ce - detected by 4 out of 47 antivirus scanners as Exploit:SWF/Salama.F

Also responding to 66.199.250.147 are the following malicious domains, part of the campaign’s infrastructure:

Also responding to 109.201.135.20 are the following malicious domains, part of the campaign’s infrastructure:

Webroot SecureAnywhere users are proactively protected from these threats.

The post Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits appeared first on Webroot Threat Blog.

Vendor of TDoS products/services releases new multi-threaded SIP-based TDoS tool

Telephony Denial of Service (TDoS) attacks continue to represent a growing market segment within the Russian/Eastern European underground market, with more vendors populating it with propositions for products and services that aim to disrupt the phone communications of prospective victims. From purely malicious in-house infrastructure — dozens of USB hubs with 3G USB modems using fraudulently obtained, non-attributable SIM cards — to the abuse of legitimate infrastructure, such as Skype, ICQ, a mobile carrier’s legitimate service functionality, or the compromised accounts of SIP account owners, the market continues to grow to the point where even Distributed Denial of Service (DDoS) attack providers are starting to ‘vertically integrate’.

A new, commercially available, multi-threaded SIP-based TDoS tool, released by what appears to be an experienced TDoS vendor that also offers managed TDoS services, is likely to empower not just lone attackers, but also potential new vendors who would use the tool as the primary vehicle for the future growth of their business model. Let’s profile the tool, discuss its features, and consider what might have prompted a vendor of managed TDoS services to start selling copies of it instead of using it exclusively in-house.

Sample screenshots of the newly released TDoS tool:

Next to multi-threading and the simultaneous use/abuse of multiple compromised/legitimate accounts at multiple SIP providers, the tool also has cron-like scheduling for a particular attack, allowing campaigns to be queued and multiple orders to be accepted at a time. The price? 10,000 rubles ($304.92), including a hardware-ID-bound license for a single PC. The tool is just the tip of the iceberg of the TDoS products/services offered by the same vendor, and we believe it has been publicly pitched in an attempt by the vendor to generate more revenue while preserving the actual ‘know-how’: the in-house, custom-coded TDoS tools that primarily drive its business model.

Sample screenshot of the actual TDoS equipment operated by the vendor:

We believe that the Russian/Eastern European TDoS market will continue to flourish, with more vendors serving the growing demand for such services. As we’ve already seen in the past, they are known to have been used directly against emergency phone lines, a modern-day alternative to perhaps the first known such case, namely the 911/chode worm (2000).

The post Vendor of TDoS products/services releases new multi-threaded SIP-based TDoS tool appeared first on Webroot Threat Blog.

Cybercriminals spamvertise tens of thousands of fake ‘Sent from my iPhone’ themed emails, expose users to malware

Cybercriminals are currently mass mailing tens of thousands of malicious emails, supposedly including a photo attachment that’s been “Sent from an iPhone”. The social engineering driven spam campaign is, however, the latest attempt by a cybercriminal/group of cybercriminals that we’ve been monitoring for a while to trick gullible users into unknowingly joining the botnet operated by the malicious actor(s) behind the campaign.

Detection rate for the spamvertised attachment: MD5: 46e077f058f5a6eddee3c851f8e56838 – detected by 36 out of 47 antivirus scanners as Trojan.Win32.Neurevt.jl; Trojan:Win32/Neurevt.A.

Once executed, the sample creates the following Registry Keys on the affected hosts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ijiujsnjb.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
HKEY_CURRENT_USER\Software\Classes\CLSID\{1619728A-151F-0C46-98D4-171F5E70A2E0}
HKEY_CURRENT_USER\Software\Win7zip

Once executed, the sample attempts to contact the following C&C servers:

alongside the by-now well-known networksecurityx.hopto.org, a C&C host that we’ve already profiled in several analyses.

Moreover, the following malicious MD5s are also known to have phoned back to these C&C hosts:

Webroot SecureAnywhere users are proactively protected from these threats.

The post Cybercriminals spamvertise tens of thousands of fake ‘Sent from my iPhone’ themed emails, expose users to malware appeared first on Webroot Threat Blog.

Fake ‘Annual Form (STD-261) – Authorization to Use Privately Owned Vehicle on State Business’ themed emails lead to malware

Want to file for mileage reimbursement through an STD-261 form? You may want to skip the tens of thousands of malicious emails currently in circulation, which attempt to trick users into executing the malicious attachment. Once you run it, your PC automatically joins the botnet operated by the cybercriminal(s) behind the campaign, undermining the confidentiality and integrity of the host.

Sample screenshot of the spamvertised email:

Detection rate for the spamvertised attachment: MD5: 3aaa04b0762d8336379b8adedad5846b – detected by 21 out of 47 antivirus scanners as Trojan.Win32.Bublik.bkri; TrojanDownloader:Win32/Upatre.A.

Once executed, the sample starts listening on ports 8412 and 3495.

It also creates the following Mutexes:

Drops the following files on the affected hosts:
MD5: 3659e0dc0323e769aabfeb668a7d1ecb
MD5: 617973f2d58f541913678f4d15e61d60
MD5: 1c23c5bdfd8f8f80ff2654208833ebdf

It then attempts to phone back to the following C&C servers:

Naturally, we’re also aware of related malicious MD5s that are known to have phoned back to the same C&C servers:

Webroot SecureAnywhere users are proactively protected from these threats.

The post Fake ‘Annual Form (STD-261) – Authorization to Use Privately Owned Vehicle on State Business’ themed emails lead to malware appeared first on Webroot Threat Blog.

‘Newly released proxy-supporting Origin brute-forcing tool targets users with weak passwords’

In need of a good reason to immediately improve the strength of your Origin password, in case you don’t want to lose access to your inventory of games, as well as your gaming reputation? We’re about to give you a pretty good one. A newly released proxy-supporting Origin brute-forcing tool not only efficiently verifies an end user’s understanding of basic security practices, but also has a built-in option for parsing an affected user’s inventory of games, as well as related gaming information. Why would a cybercriminal want to gain access to someone’s gaming account in the first place, besides the most logical reason of gaining access to their gaming inventory? Simple. To set up the foundations for a successful business model relying on standardized E-shops for selling access to compromised gaming/accounting data.

Sample screenshot of the actual advertisement:

The software has built-in support for proxy (malware-infected hosts) syndication, as well as the ability to obtain the CD key for a particular game it has detected as part of the affected user’s inventory, allowing the cybercriminal operating it to easily build up inventories of fraudulently obtained gaming assets to be sold on to potential buyers later. The tool is just the tip of the iceberg in the evergreen market segment for brute-forcing tools and services. It’s such tools that empower novice cybercriminals with the necessary capabilities to launch managed email hacking services, or to target a specific set of Web sites running, for instance, WordPress or Joomla, in combination with the option, ubiquitous in 2013, to solve CAPTCHAs in an API-friendly, cost-effective manner.

Gamers are advised to go through EA’s recommended account security settings, as well as to activate Steam Guard.

The post ‘Newly released proxy-supporting Origin brute-forcing tool targets users with weak passwords’ appeared first on Webroot Threat Blog.


Fake WhatsApp ‘Voice Message Notification’ themed emails expose users to malware

We’ve just intercepted a currently circulating malicious spam campaign impersonating WhatsApp — yet again — in an attempt to trick its users into thinking that they’ve received a voice mail. Once socially engineered users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet operated by the cybercriminal(s) behind the campaign.

Sample screenshot of the spamvertised malicious email:

Detection rate for the spamvertised attachment: MD5: 41ca9645233648b3d59cb52e08a4e22a – detected by 10 out of 47 antivirus scanners as TrojanDownloader:Win32/Kuluoz.D.

Once executed, it phones back to:


We’re also aware of the following malicious MD5s that are known to have phoned back to the same C&C servers as well:

Webroot SecureAnywhere users are proactively protected from these threats.

The post Fake WhatsApp ‘Voice Message Notification’ themed emails expose users to malware appeared first on Webroot Threat Blog.

Cybercriminals impersonate HSBC through fake ‘payment e-Advice’ themed emails, expose users to malware

HSBC customers, watch what you execute on your PCs. A circulating malicious spam campaign attempts to socially engineer you into thinking that you’ve received a legitimate ‘payment e-Advice’. In reality, once you execute the attachment, your PC automatically joins the botnet operated by the cybercriminal(s) behind the campaign.

Sample screenshot of the spamvertised email:

Detection rate for the spamvertised attachment: MD5: 2fbf89a24a43e848b581520d8a1fab27 – detected by 24 out of 47 antivirus scanners as Trojan.Win32.Bublik.blgc.

Once executed, the sample starts listening on ports 3670 and 6652.

It creates the following Mutexes on the affected hosts:

Then drops MD5: 5df5b7fe7ee73b55362abdb4fa3b95ba ; MD5: 01c1e2b13d9c177b8891f27ae06ed5c2 and MD5: cb7a5b65aac7de310a396d7458700f37 on the affected hosts.

It then phones back to the following C&C servers:

Webroot SecureAnywhere users are proactively protected from these threats.

The post Cybercriminals impersonate HSBC through fake ‘payment e-Advice’ themed emails, expose users to malware appeared first on Webroot Threat Blog.

ThreatVlog Episode 10: Mobile security tips

In this edition of the Webroot ThreatVlog, Grayson Milbourne talks about ways to keep your mobile device physically secure. As our lives become more and more mobile-focused, with an increasing amount of private information being stored on tablets and phones, it is always smart to remain vigilant against possible security breaches aimed directly at the phone.

The post ThreatVlog Episode 10: Mobile security tips appeared first on Webroot Threat Blog.

Fake ‘MMS Gallery’ notifications impersonate T-Mobile U.K, expose users to malware

Over the last two months, we’ve been closely monitoring — and proactively protecting from — the malicious campaigns launched by cybercriminals who are no strangers to the concept of social engineering topic rotation. Their purpose is to extend a campaign’s life cycle, or generally to increase a botnet’s infected population by spamming out tens of thousands of fake emails exposing users to malicious software. The most recent campaign launched by the same cybercriminal(s) once again impersonates T-Mobile U.K. in an attempt to trick mobile users into thinking that they’ve received a legitimate MMS Gallery notification. In reality, though, once the attachment is executed the victim’s PC automatically joins the botnet operated by the cybercriminal(s) behind the campaign, ultimately undermining the confidentiality and integrity of the host.

Sample screenshot of the spamvertised email:

Detection rate for the spamvertised attachment: MD5: bff8af7432ced6e574e85d9241794f80 – detected by 8 out of 47 antivirus scanners as Trojan.Zbot; W32/Trojan2.OADJ.

Once executed, the sample phones back to networksecurityx.hopto.org. Go through related assessments of campaigns known to have been launched by the same cybercriminal(s), also phoning back to the same C&C server:

Related malicious MD5s that are known to have phoned back to the same C&C server over the last 24 hours:

We’ve also observed two newly introduced C&C servers within these samples, namely, dnshosting1.ws – 185.26.120.124 and 178.32.173.85.

Webroot SecureAnywhere users are proactively protected from these threats.

The post Fake ‘MMS Gallery’ notifications impersonate T-Mobile U.K, expose users to malware appeared first on Webroot Threat Blog.

Rogue antivirus that takes webcam pictures of you

Recently we heard of a rogue fake antivirus that takes screenshots and webcam images in an attempt to further scare you into succumbing to its scam. We gathered a sample and, sure enough, given some time it will indeed use the webcam and take a picture of whatever is in front of the camera at that time. This variant is called “Antivirus Security Pro” and it’s as nasty as you can get.

Antivirus Security Pro

The rogue locks down all of the Advanced Boot Options: Safe Mode, Safe Mode with Networking, Safe Mode with Command Prompt, Directory Services Restore Mode, etc. As soon as one of these is picked, the computer just restarts back into normal mode, where all executables are flagged as malicious. If you don’t purchase the scam within a few minutes, it will take a picture with the webcam and then warn you that [insert name of good process].exe is “malicious” and attempting to send it to unidentified users. This is a really impressive step in social engineering to scare people, and I’m sure it has increased the percentage of people who pay out to the scam.

Webcam Shot

Picture of our office

However, this is false, and there is no trace of the webcam images being sent anywhere. The only network traffic this rogue generates is during the initial drop, to download all of its components.

Removal 

If you have Webroot SecureAnywhere installed then not to worry, this virus should be blocked in real time as soon as it is written to your hard drive; the only notification you’ll receive is a notice that it was quarantined.

However, removing this virus once it has infected you is a little trickier without the comfort of the safe modes. Those of you who try System Restore will notice that this virus disables it. All the file does is disable System Restore; it does not delete any restore points, so you can just turn it back on and restore to a previous point. To turn on System Restore: Click Start > Right-click Computer > select Properties > Click System protection > Select your OS drive (typically C:) > Click Configure > Check “Restore system settings and previous versions of files.” Please note that once you restore to a previous point only the registry entries are going to be removed, so although the virus no longer starts up when your computer does, you will still have to manually delete the files.

 

Location of Files:

%CommonAppData%\"random name"\
%CommonAppData%\"random name"\DD1
%CommonAppData%\"random name"\"random name".exe
%CommonAppData%\"random name"\"random name".exe.manifest
%CommonAppData%\"random name"\"random name".ico
%CommonAppData%\"random name"\"random name"kassgxDq.in
%CommonAppData%\"random name"\"random name"kassgxDq.lg

%CommonAppData% = C:\Documents and Settings\All Users\Application Data\ in Windows XP and C:\ProgramData\ in Vista/7/8
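Because the folder and file names are random, the usable fingerprint is the layout itself: one random stem shared by the .exe, the kassgxDq.in and kassgxDq.lg files (plus the manifest, icon and DD1) inside a folder directly under %CommonAppData%. The Python below is an added example, not Webroot’s code; it scans a base directory for that layout, and assumes only what the listing shows, so it does not require the folder name to equal the file stem. The sample tree it builds for the demo is constructed, not taken from a real infection.

```python
"""Locate the on-disk footprint of the 'Antivirus Security Pro' rogue (added example)."""
import os
import tempfile
from pathlib import Path

MARKER = "kassgxDq.in"
# Files that must share one random stem for a folder to count as a hit.
REQUIRED = (".exe", "kassgxDq.in", "kassgxDq.lg")
# Files the post also lists; their absence is reported but does not clear a folder.
OPTIONAL = (".exe.manifest", ".ico")


def common_appdata():
    """Resolve %CommonAppData% on Windows: ProgramData (Vista and later) or
    the All Users profile (XP); falls back to C:/ProgramData if unset."""
    return Path(os.environ.get("ProgramData")
                or os.environ.get("ALLUSERSPROFILE", "C:/ProgramData"))


def inspect_folder(folder):
    """Return a hit dict if the folder carries the fingerprint, else None."""
    folder = Path(folder)
    try:
        names = {p.name for p in folder.iterdir()}
    except OSError:            # unreadable or vanished folder: not a hit
        return None
    for name in names:
        if not name.endswith(MARKER) or name == MARKER:
            continue
        stem = name[: -len(MARKER)]        # the rogue's random name
        if all(stem + suffix in names for suffix in REQUIRED):
            return {
                "folder": str(folder),
                "stem": stem,
                "missing_optional": [s for s in OPTIONAL if stem + s not in names],
                "dd1_present": "DD1" in names,
            }
    return None


def scan(base):
    """Inspect each immediate subfolder of base (e.g. %CommonAppData%) and return the hits."""
    base = Path(base)
    if not base.is_dir():
        return []
    hits = []
    for sub in sorted(base.iterdir()):
        if sub.is_dir():
            hit = inspect_folder(sub)
            if hit:
                hits.append(hit)
    return hits


def build_sample_tree(root):
    """Constructed sample: one folder laid out like the rogue's, one benign decoy."""
    root = Path(root)
    bad = root / "rzvqlw"                  # constructed random name
    bad.mkdir()
    for fname in ("rzvqlw.exe", "rzvqlw.exe.manifest", "rzvqlw.ico",
                  "rzvqlwkassgxDq.in", "rzvqlwkassgxDq.lg", "DD1"):
        (bad / fname).write_bytes(b"")
    decoy = root / "Microsoft"             # .exe and .ico but no marker files
    decoy.mkdir()
    (decoy / "setup.exe").write_bytes(b"")
    (decoy / "setup.ico").write_bytes(b"")
    return bad


def demo():
    """Run the scan over the constructed tree and return the stems found."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [hit["stem"] for hit in scan(tmp)]


if __name__ == "__main__":
    # On a live Windows host the call would be scan(common_appdata()).
    print(demo())
```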

Webroot support is always more than happy to help with removal and any questions regarding infections.

Webroot SecureAnywhere users are proactively protected from these threats.

The post Rogue antivirus that takes webcam pictures of you appeared first on Webroot Threat Blog.
