Malware Watch: Twitter password reset emails, IRS-themed crimeware, malicious PDFs, and fake YouTube pages
This week's Malware Watch reviews five currently spreading malware/scareware campaigns, including two recent cases of digital devices shipped with malware on their memory cards.
Although the Twitter password reset email is an old theme, cybercriminals continue using it, perhaps due to its success. This currently ongoing campaign, is attempting to trick the user into executing Twitter_security_model_setup.zip which is hosted on Google Groups. The use of legitimate hosting providers is prove to increase over time, due to the clean IP/network reputation of their servers, compared to a purely malicious infrastructure.
How are the malicious attackers monetizing the campaign? Through scareware, also known as rogue security software.
According to researchers from eSoft, over a 100, 000 fake YouTube pages are currently serving scareware. The same hosting provider that's playing a crucial role in maintaining the campaign's infrastructure (AS6851, BKCNET "SIA" IZZI), can be also seen in the recent mass WordPress blogs compromise campaigns.
What's even more special about this Latvia based hosting provider, is the fact that one of Koobface botnet's original command and control servers (urodinam(dot)net) is not just currently parked there, but also, the fact that another domain is currently responding to the same IP, this time serving client-side exploits.
This currently spamvertised campaign, is relying on thousands of automatically generated short URLs, or subdomains at free site hosting services, in an attempt to trick the user into downloading and executing the tax-statement.exe ZeuS crimeware binary.
Just like the Twitter password reset notifications, this campaign once again demonstrate the cybercriminal's interest in (supposedly) increase the average life time of their campaigns, by relying on thousands of URLs generated through legitimate services.
The "Notice of Underreported income"/“IRS Fraud Application Claims” themed campaigns, were an inseparable part of the campaigns launched by the Avalanche botnet, a major customer of now taken offline TROYAK-AS cybercrime friendly ISP.
According to Sophos Labs, another currently spamvertised campaign is using Changelog_07.06.20010.zip attachments, with the samples detected as Mal/BredoZp-B and Mal/Zbot-U.
A recent update on the post indicates that the spamvertised attachments are now using the correct year. From a social engineering perspective, the campaign -- thankfully -- lacks key features that would have made it a mass marketing success.
F-Secure is reporting on another currently spamvertised campaign, relying on malicious PDFs using the /Launch feature. The campaign is using the exact same theme as the one covered in a previous Malware Watch, namely "Please, review my CV, Thank You!".
With Adobe set the release a patch for the recent zero day flaw by June, 29, this is perhaps the perfect moment to switch to an alternative PDF reader in order to decrease the probability of infection posed by the persistent exploitation of Acrobat Reader.
According to Olympus Japan (translated warning), over 1700 units of their Tough 6010 digital compact camera were shipped with malware, relying on the AutoRun functionality. Despite Microsoft's ambition to tackle the problem, according to a recent report by McAfee, AutoRun related infections held the No. 1 position.
Clearly, Q&A is either sacrificed for efficiency/economies of scale, or is relying on a flawed methodology.
Cybercriminals are constantly busy, looking for new ways, or tweaking the old ones, with a single idea in mind - infecting as many hosts, as efficiently as possible. Understanding how they work and what makes the cybercrime ecosystem work, is crucial to protecting yourself against the campaigns scheduled for tomorrow.