We recently have determined that different computers have logged into your HSBC Online Banking account, and multiple password failures were present before the logons.
This message has been sent to you from Abbey Bank because we have noticed invalid login attempts into your account, due to this we are temporarily limiting and restricting your account access until we confirm your identity.
We recently have observed that different computers have logged into your wachovia Online Banking account and multiple password failures were present before the logons.
As part os our security measures to protect your online banking account, Alliance and Leicester has introduced a recent internet banking security upgrade.
As part of our ongoing commitment to offer you the safest possible internet banking service, we are constantly reviewing and enhancing the security we offer our customers.
Due to a several attempt to login your online alliance-leicester Bank by Fraudsters ,We de-activated your online account for security reasons, unexplained funds depletion or the likewise.
We recently upgraded our Online Banking security system with a newly established security server in which guarantee's your maximum protection when accessing your account online.
Websense® Security Labs™ ThreatSeeker™ Network has discovered a spam lure that attempts to capitalize on the recently reported natural disasters in the state of Santa Catarina, in the south of Brazil.
This campaign uses email messages that look like a news alert about the current disaster in Santa Catarina. To appear genuine, the lure includes a legitimate telephone number for donations. The messages also contain a link that appears to provide a video of the recent disasters. This link actually leads to a malicious executable, a Trojan downloader named "Video_SC_Desastre.exe" (SHA1: 6862b862877e5cb9f2180cc53ee4338977bc0efb).
Example of malicious email:
When "Video_SC_Desastre.exe" is run, it connects to several sites. The executable first contacts www.*SNIP*so.com, which reports the new infection to the bot controller. It then connects to a hosting provider account at *SNIP*.bizhostnet.com, from which password-stealing Trojans are downloaded to the compromised machine and registered as BHOs (Browser Helper Objects). These files are hosted with JPG image extensions but are actually malicious executables.
Trojan's network activity snapshot:
Among other malicious activities of the downloaded Trojans, one Trojan, msnmgr.exe, launches a password stealing application spoofing MSN Live Messenger.
MSN Live Messenger spoof:
Websense Messaging and Websense Web Security customers are protected against these threats.
Websense® Security Labs™ ThreatSeeker™ Network has discovered another infectious holiday email making the rounds. Victims are receiving messages promoting a coupon from McDonald's or a holiday promotion from the Coca-Cola company. Both messages include a .zip attachment that contains either coupon.exe or promotion.exe. The malicious files (SHA1 ca973b0e458f0e0cca13636bd88784b80ccae24d) are Trojan Droppers, but have low anti-virus detection at the moment.
The McDonald's email claims to present their latest discount menu, and states that the attached coupon should be printed. The Coca-Cola email states that the attachment has details about their new online game and a chance to win Coca-Cola drinks for life.
Screenshot of spoofed McDonald's email:
Screenshot of spoofed Coca-Cola email:
Websense Messaging customers are protected against these threats.
Websense® Security Labs™ ThreatSeeker™ Network has discovered that malware authors are already using Christmas themes this year as a social engineering tactic, in an effort to gain control over compromised machines. This campaign uses email messages in the form of e-greetings, leading to supposed animated postcards. These actually lead to a Trojan backdoor that has been distributed in previous malicious spam campaigns.
The email messages, spoofed to appear as though they have been sent from postcards.org, display an animated Christmas scene. A URL link within the email leads to a malicious file called postcard.exe hosted on various servers, including those in the .com TLD space.
Once executed, the malware opens a backdoor that gives its author access to and control over the resources of the compromised machine. Control is conducted over IRC, communicating with ircserver.*snip*.la. During the install process an image called xmas.jpg is displayed to the user as a distraction.
Example of malicious email:
Websense Messaging and Websense Web Security customers are protected against these threats.
Websense® Security Labs™ ThreatSeeker™ Network has discovered a new, malicious social-engineering spam campaign that is disguised as an official email sent from Google's Web 2.0 social networking site, Orkut.
This campaign is another attempt by spammers to profit from popular Web 2.0 services. A spoofed personal message, in Portuguese, is sent from a user allegedly on the Orkut network seeking love. This campaign continues a previous attempt to target Orkut. We issued an alert about the previous attempt last week.
Screenshot of the new message:
The message contains several links that appear to lead to the official Orkut Web site. Clicking on a link actually leads to a malicious executable file, which is a Trojan Downloader named "imagem.exe" (SHA1: 6862b862877e5cb9f2180cc53ee4338977bc0efb).
The malicious file opens the legitimate Orkut network login page and, in the background, downloads a password-stealing Trojan named "msn.exe" (SHA1: eee7ea71e6ce023fb9000ed75854a8cfd1fafe63). "msn.exe" is copied to various system locations under different names, such as "plugin.exe" and "kss.exe", and these copies are bound to the system's start-up.
The Trojans in this attack are hosted on a compromised labor union Web site from southern Brazil. This continues the trend of malcode hosted on compromised Web sites.
Screenshot of the Brazilian labor union Web site's main page:
Websense Messaging and Websense Web Security customers are protected against this attack.
Websense® Security Labs™ ThreatSeeker™ Network has discovered a new malicious social-engineering spam campaign masquerading as official emails sent by Google's Web 2.0 social networking site, Orkut. Orkut is one of the most popular social networking sites in Latin America and the second most visited site in India. The email's sender address is spoofed to appear to come from the domain google.com. The fake notification advises the user that their account has been subject to investigation and will be terminated within 72 hours unless they click through the hyperlink and follow the instructions.
The predictions in Websense's 2008 Threat Predictions report have proved accurate. In our previous alerts, we have seen spammers and malware authors switching tactics to sustain their attacks over a longer period, with an increased success rate gained by defeating antivirus vendors and content-learning technologies. This attack is another instance of those tactics, part of an ongoing trend that increasingly targets Web 2.0 sites to carry out a wide range of attacks.
Screenshot of the message:
From the above screenshot, it can be seen that the links in the message actually lead to a malicious executable, a Trojan Downloader named "regulamento_orkut.exe" (SHA1: 8eb1366d580aeab38d00a5c32835006c3648b8f3).
This malicious executable has a very low AV detection.
When run, the malicious executable downloads another malicious file, "fox.exe" (SHA1: 8e1df3d55a778550affea7c5216e58a55beaf979), from the same site. The file copies itself to multiple locations on the infected machine with different names. It also adds itself to startup, and monitors browser activities with the intent to steal user information.
While the malicious code is being downloaded, a browser window also pops up displaying objectionable material.
Websense® Security Labs™ ThreatSeeker™ Network has discovered that the Koobface social networking worm is again spreading on Facebook. Our HoneyJax systems picked up the following email this morning:
The email reveals that infected user accounts are being used to post messages to Facebook friends lists. The content was an enticing message with a link that used a Facebook open redirector. When recipients click the link, they are automatically redirected multiple times, finally reaching a site masquerading as YouTube that serves a malicious Trojan downloader.
The Facebook link directs to a malicious account hosted at Geocities.com.
The malicious Geocities account includes an obfuscated JavaScript link to http://lost[REMOVED]/js/js.js, which goes to http://off3[REMOVED]/go/fb.php
The .php file next redirects to either http://youtube-spyvi[REMOVED]/?schk=&keat= or http://youtube-x[REMOVED]/?ch=&ea=. These sites serve the malicious "flash_update.exe" (SHA1: 62689f89f1c5f6df10f4c7096772468d4c8e458a) file.
Screenshot of the malicious Web site serving the Trojan downloader:
Websense Messaging and Websense Web Security customers are protected against these threats.
Websense® Security Labs™ has received reports of a proof-of-concept (PoC) exploit code circulating in the wild, exploiting a vulnerability in Adobe Reader 8.1.2, and Adobe Acrobat 8.1.2.
The flaw is a stack buffer overflow triggered when parsing specially crafted PDF files (CVE-2008-2992). Successful exploitation gives the attacker the same level of access to the desktop as the user who opened the PDF file.
We urge customers to update to the latest version of Adobe Reader and Adobe Acrobat. We will continue to monitor the development of this threat.
Screenshot of the PoC exploit's shellcode in memory:
Screenshot of malicious JavaScript code used to spray the heap with the shellcode:
Screenshot of a call to the vulnerable function util.printf() to trigger the error:
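The two artifacts shown in the screenshots above, a JavaScript heap spray and a util.printf() call with an oversized format specifier, can be looked for in incoming PDFs before they reach a vulnerable reader. The scanner below is an added example and not Websense's own tooling; the embedded sample PDF is constructed for the example (it is not the circulating PoC), and the regexes and the four-digit width threshold are heuristics assumed here.

```python
import re
import zlib
# Constructed sample (not the circulating PoC): a PDF skeleton whose OpenAction
# runs a FlateDecode-compressed script with the pattern the alert describes.
JS_BODY = (b'var s = unescape("%u9090%u9090");'
           b' while (s.length < 0x40000) s += s;'
           b' util.printf("%45000f", 1.2);')
COMPRESSED = zlib.compress(JS_BODY)
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
              + (b"3 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(COMPRESSED))
              + COMPRESSED + b"\nendstream endobj\n%%EOF\n")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
JS_LITERAL_RE = re.compile(rb"/JS\s*\((.*?)\)\s*>>", re.S)

def extract_scripts(pdf: bytes) -> list:
    """Inline /JS (...) literals plus every stream body, inflated if zlib-compressed."""
    scripts = [m.group(1) for m in JS_LITERAL_RE.finditer(pdf)]
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            scripts.append(zlib.decompress(raw))
        except zlib.error:
            scripts.append(raw)  # not compressed (or a different filter): scan as-is
    return scripts

def indicators(js: bytes) -> set:
    """Heuristic markers of the util.printf overflow plus heap-spray pattern."""
    found = set()
    # util.printf with a format width of four or more digits (threshold is an assumption)
    if re.search(rb"util\.printf\s*\(\s*[\"']%[0-9.]*?\d{4,}", js):
        found.add("util.printf-wide-format")
    elif b"util.printf" in js:
        found.add("util.printf")
    # %u-escaped payload handed to unescape(), typical of heap-spray shellcode strings
    if re.search(rb"unescape\s*\(\s*[\"'](?:%u[0-9a-fA-F]{4})+", js):
        found.add("unescape-%u-payload")
    # a string that keeps doubling itself until it reaches a target length
    if re.search(rb"while\s*\(.*\.length\s*<.*\)\s*(\w+)\s*\+=\s*\1\b", js):
        found.add("string-doubling-spray")
    return found

def scan_pdf(pdf: bytes) -> dict:
    """Flag the file when two or more independent indicators co-occur."""
    hits = set()
    for js in extract_scripts(pdf):
        hits |= indicators(js)
    return {"suspicious": len(hits) >= 2, "indicators": sorted(hits)}
```

A single util.printf call with a normal format string is not flagged on its own; only the co-occurrence of the trigger and the spray pattern raises the verdict.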
Websense® Security Labs™ ThreatSeeker™ Network has discovered another round of malicious Facebook messages. This is another visual social-engineering spam campaign, which tries to trick users into believing that the message is a legitimate "added friend" confirmation. The "From" address in the message is spoofed to make it look as if it was sent from Facebook, and the links look like they lead to Facebook.
The predictions in Websense's 2008 Threat Predictions report have been borne out. In our previous alert, Facebook "add friend" Malicious Spam campaign, we saw spammers including a malicious zip attachment that claimed to contain a picture, to entice the recipient to double-click on it. From a spammer's perspective, the likelihood of success decreases when antivirus software picks up the attachment. If antivirus does not catch it, content-learning technologies filter such messages and their attachments once a certain volume of similar messages has been received.
In order to maintain their attack over a longer time period with increased success rates, spammers have switched their tactics by including links to an external Web site. The use of external links in emails makes antivirus detection tougher, as not all antivirus software has the ability to scan or detect links included in email messages. Also, from a spammer's perspective, using links consisting of compromised ‘legitimate’ domains hosting malware as a lure increases the success rate, as this is more likely to bypass security filters that rely heavily on reputation services.
Websense Security Labs sees these tactics adopted by spammers and malware authors as an ongoing trend, increasingly targeting Web 2.0 sites to carry out a wide range of attacks.
Screenshot of the malicious Facebook message:
From the above screenshot, it can be seen that the links in the message actually lead to a malicious executable named "update.exe" (SHA1: a4dc17d1bcb191af75afedddf60aecbc2af2a37f).
This malicious executable has a very low AV detection. When run, the malicious executable steals data from its victim, establishing a connection with an IRC botnet.
Screenshot showing the packet capture from a machine infected with "update.exe":
Websense Messaging and Websense Web Security customers are protected against these threats.
Websense® Security Labs™ ThreatSeeker™ Network has discovered further activity from malware authors using the news of the U.S. Presidential election outcome as bait to entice users into executing malicious executables. So far we have seen over 25,000 emails through our systems that use the technique described below. Within a very short time of the election result, we have seen both localized and globalized attacks.
The email offers news of Barack Obama's speech, recorded the day after the election results were published. Clicking on the link leads the user to a purposely registered domain which advises the user that they need to install the latest version of Adobe Flash Player before the video can be viewed. The malicious Web site actually links to a file called 'adobe_flash.exe' with MD5 47C86509A78DC1EDB42F2964BEA86306. This is a Trojan Downloader packed with ASPack. Upon execution, a rootkit is installed on the compromised machine, and data is sent to multiple command and control servers.
Screenshot of email lure:
Screenshot of malicious Web site:
Websense Messaging and Websense Web Security customers are protected against these threats.
Websense® Security Labs™ ThreatSeeker™ Network has discovered that malware authors are capitalizing on the recently announced results of the 2008 US Presidential election. Malicious email lures are being sent promising a video showing an interview with the advisors to the recently elected US President.
The email actually contains links to a file called 'BarackObama.exe' hosted on a compromised travel site at hxxp://*snip*.com/web/BarackObama.exe. This file is a Trojan Downloader with MD5 9720d70a5da9ca442ecf41e9269f5a27. Upon execution, files called system.exe and firewall.exe are dropped into the system directory. A phishing kit is unpacked locally, and the dropped files are bound to startup. The hosts file is also modified.
Major anti-virus vendors are not detecting this Trojan Horse.
The malicious email:
The malicious application:
Websense Messaging and Websense Web Security customers are protected against these threats.