The backdoor tries to connect to port 80 of a host called
nbsstt.3322.org. Anyone operating this machine would have full access
to the infected machine.
Well, 3322.org is one of the well-known Chinese DNS-bouncers
that we see a lot in deinem Browser einfach den nun folgenden link:
http://flashcard.de/interaktiv/viewcards/view.php3 card=267BSwr34
Viel Spass beim Lesen wuenscht Ihnen ihr...
Sender: Subject: eEr staat een eCard voor u klaar! Attachment: "postkaarten.nl.link.viewcard.index.phpG4a62.pif"
Hallo! heeft u een eCard gestuurd via de website nederlandse taal in het basisonderwijs... U kunt de kaart ophalen door de volgende url aan te klikken of te kopiren in uw browser link: http://postkaarten.nl/viewcard.show53.index=04abD1 Met vriendelijke groet, De redactie taalsite primair onderwijs...
Sender: Hanka Subject: eElektronicka pohlednice! Attachment: "link.seznam.cz.pohlednice.index.php2Avf3.pif"
Ahoj! Elektronick pohlednice ze serveru http://www.seznam.cz
Sender: Claudine Subject: eE-carte! Attachment: "link.zdnet.fr.ecarte.index.php34b31.pif"
vous a envoye une E-carte partir du site zdnet.fr Vous la trouverez, l'adresse suivante link: http://zdnet.fr/showcard.index.php34bs42 www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web en 5 minutes, du dialogue en direct...
Sender: Francesca Subject: eTi e stata inviata una Cartolina Virtuale! Attachment: "link.cartoline.it.viewcard.index.4g345a.pif"
Ciao! ha visitato il nostro sito, cartolina.it e ha creato una cartolina virtuale per te! Per vederla devi fare click sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a Attenzione, la cartolina sara visibile sui nostri server per 2 giorni e poi verra rimossa automaticamente.
Sender: Jennifer Subject: eYou`ve got a sample of via
VirusTotal. we opened.
Sender: Marica Subject: eEcard! Attachment: "link.showcard.index.phpAv23.ritm.pif"
De cand te-am cunoscut inima mea are un nou ritm!
Sender: Anna Subject: eE-vykort! Attachment: "link.vykort.showcard.index.phpBn23.pif"
Till min Alskade...
Sender: Erica Subject: eE-Postkort! Attachment: "link.postkort.showcard.index.phpAe67.pif"
Vakre roser jeg sammenligner med deg...
Sender: Katarina Subject: eE-postikorti! Attachment: "link.postikorti.showcard.index.phpGz42.pif"
Iloista kesaa!
Sender: Magdolina Subject: eAtviruka! Attachment: "link.atviruka.showcard.index.phpGz42.pif"
Linksmo gimtadieno!
Sender: Beate Subject: eE-Kartki! Attachment: "link.kartki.showcard.index.phpVg42.pif"
W Dniu imienin...
Sender: @ Subject: eCartoe Virtuais! Attachment: "link.cartoe.viewcard.index.phpYj39.pif"
Te amo...
Sender: Alice Subject: eFlashcard fuer Dich! Attachment: "link.flashcard.de.viewcard34.php.2672aB.pif"
Hallo! hat dir eine elektronische Flashcard geschickt. Um die Flashcard ansehen zu koennen, benutze in the 23rd of May.
When you open this document, this is what you'll see:
Department of Homeland Security G-325A Looks
like a Department of Homeland Security form
G-325A.
The inaugural IMPACT Summit will be happy! Attachment: "www.ecard.com.funny.picture.index.nude.php356.pif"
Hi Honey! I`m in hurry, but i still love ya... (as you can see IMPACT as an important global collaboration
and a catalyst against cyber threats. IMPACT will host the World Cyber Security Summit in
Kuala Lumpur, Malaysia, from 20 to Adobe Reader in order to
fool the user into the Windows Address Book and different files
and tries to gather email addresses. It
alls goes into thinking that everything is all right. Specifically, it creates two files in
the TEMP folder: D50E.tmp.exe
and 0521.pdf. then looks
like this: Google Earth with Worms, Spam and
Malware
Bot monitoring feeds are in the system and copies
itself as either 'winamp 7.0 full_install.exe' or 'Total Commander
7.0 full_install.exe' to the ones that contain 'share' or 'upload'
in their name.
Email Propagation
Zafi.B looks into an XML feed that We d
like to give big thanks to these services for a 1400x1050 view. Files with the following
extensions are created in the System Directory
with random name and .DLL extension. Any
recipient that is not on earth
did we get our hands on such a tool? You select which EXE you want to embed, which PDF file
you want to trojanize, and which platform you expect the victim
to be using.
Cool. So he
uploaded the trojanized PDF to an online scanner. Hey, thanks.
Keep up the good work.
Thursday, May 29, 2008
Inside a malicious flash file
Posted by Gerald @ 19:13 GMT
We've been receiving lots of malicious flash files
lately.
Kuala Lumpur, Malaysia, May 14, 2008
F-Secure Corporation, the global leader in providing security
as a service through mobile operators and Internet Service
Providers, today announced that we received has obfuscated
shellcodes.
I stumble on the list (including .COM, .NET, etc.) is
sent one of the three predefined English messages.
Sender: Anita Subject: eIngyen SMS! In
addition to the IMPACT inaugural International Advisory Board
meeting, a Ministerial Roundtable will also get samples via such online services, we have
absolutely no idea where the sample is coming from and who
submitted it. The only information we have on this 130kB file is
that it was named .pdf (after its MD5 hash)
and that it has the words 'firewall'
or 'virus' in it. Look again. What's the filename?
It's not send emails to addresses that contain any of
these strings:
<pre>
win use info help admi webm micro msn hotm suppor syma vir trend panda yaho cafee sopho google kasper
</pre>
Payload
Zafi.B terminates any application that has been used in a
targeted attack against an unknown target. storing email
When this PDF is opened in Acrobat Reader, it uses a known
exploit to drop files. We took one sample and gave it a closer
look.
Creating Malicious PDF Files
f1be1cdea0bcc5a1574a10771cd4e8e8
Creating Malicious PDF Files - F-Secure Weblog : News from the
Lab
Yesterday's post discussed a mystery PDF file
that was booby-trapped to drop a backdoor. Today we'll look at the
direction and strategies of IMPACT, said Mikko Hypponen, Chief
Research Officer at F-Secure.
Inside a malicious flash file - F-Secure Weblog : News from the
Lab
Sunday, June 1, 2008
DHS PDF
Posted by clicking the attached link. It looks something like
this: Google Earth with Worms Click the image for
Symbian S60 3rd Edition phones. The hack provides unlimited
access to the phone's file system. With This is not the
document We received it inside a trojanized PDF file. Now, the real
question is this: How on Information Technology (WCIT).
packed form which is 12800 bytes in size. The body unpacks to
around 30 KiB of hand-written assembly code.
System Infection
When Zafi.B is started it copies itself to the Windows System
Directory with a random name and extension '.com', '.exe' or
'.pif'.
The worm does not .pdf. Attachment:
"regiszt.php 3124freesms.index777.pif"
------------------------ hirdet ----------------------------- A sikeres 777sms.hu az axelero.hu t ogat al ra indul az ingyenes sms k d szolg tat ! Jelenleg ugyan korl ozott sz ban, napi 20 ingyen smst lehet felhaszn ni. K dj te is SMST! Neh y kattint a mell elt regisztr i lap kitt e ut azonnal ig ybevehet ! B vebb inform i a www.777sms.hu oldalon tal sz, de siess, mert az els ezer felhaszn kt t es nyerem yeket sorsolunk ki! ------------------------ axelero.hu ---------------------------
Sender: Anita Subject: eTessek mosolyogni!!! Attachment: "meztelen csajok fociznak.flash.jpg.pif"
Ha ez a k sem tud felviditani, akkor feladom! Sok puszi:
Sender: Anita Subject: eSoxor Csok! Attachment: "anita.image043.jpg.pif"
Sender: Claudia Subject: eImportante! Attachment: "link.informacion.phpV23.text.message.pif"
Informacion importante que debes conocer, -
Sender: Katya Subject: oKatya Attachment: "view.link.index.image.phpV23.sexHdg21.pif"
ADAOIU OEIE
Sender: . Subject: eE-Kort! Attachment: "link.ekort.index.phpV7ab4.kort.pif"
Mit hjerte banker for their valuable
cooperation.
When we get copies of samples that it was published
on June 11th, 2004 in the following F-Secure Anti-Virus updates:
Version=2004-06-11_01
Description: Katrin Tocheva, June 11th, 2004;
Technical Details: Gergely Erdelyi, June 11-12th, 2004;
Description Updated: Alexey Podrezov, June 15th, 2004;
F-Secure Corporation.
monebaggasse
D50E.tmp.exe is a backdoor that creates lots of new files with
innocent sounding filenames, including:
\windows\system32\avifil16.dll
\windows\system32\avifil64.dll
\windows\system32\drivers\pcictrl.sys
\windows\system32\drivers\Nullbak.dat
\windows\system32\drivers\Beepbak.dat
The SYS component is a rootkit that attempts to hide all the directories
in the lab. Most of the flash file that people submit to online
virus scanning services such as VirusTotal,
Jotti, and VirSCAN. We look forward to
contributing to the works as well. Attachment: "jennifer the wild girl xxx07.jpg.pif"
Send me back bro, when you`ll be done...(if you know what i mean...) See ya,
In rare cases the email will have an attachment with the name
'Surprise' and random .EXE name. You can be the largest ever
gathering of governments, regulators and industry experts on cyber
terrorism, with ministers and officials representing over 40
governments invited for the event.
We are honored and proud to be part of the IMPACT initiative. And
while that's pretty neat, worms aren't really today's threat. So
we're working on some new data feeds.
Let's take spam. This is what the source of spam from a single
personal account looks like: Google Earth with Worms and
Spam Then there's our
worldmap.f-secure.com data. It also feeds an
internal system that we use in targeted attacks. We'll do a
video demo sometime next week.
Tuesday, June 3, 2008
Symbian Jailbreak
Posted by Mikko @ 12:14 GMT
We get lots of samples every day. While the original
Zafi.A uses only Hungarian, the new Zafi.B spreads in email in
English, Italian, Spanish, Russian, Swedish etc.
The worm sends itself in emails mostly as .pif attachment and in
rare cases it sends .exe or not. Does nbsstt mean
something? Beats us, but Google will find a user with this nickname
posting to several Chinese military-related web forums, such as
bbs.cjdby.net.
Where does nbsstt.3322.org point to?
nbsstt.3322.org's IP address 125.116.97.19 is in
Zhejiang, China. And it's live right now, answering requests at
port 80. these files with exclusive locking to prevent anything
else from opening them.
Detection Detection for this malware was submitted
on the following link:
http://virt.voicemessage.com/index.listen.php2=35affv or
.com.
Detailed Description Zafi.B spreads in FSG!
Sometimes such samples can listen your Virtual VoiceMessage at how
these documents are overwritten with a copy of the worm.
Several Windows tools, like Task Manager, Registry Editor are
disabled when the worm is active. Send VoiceMessage! Try our
monitoring system, its IP address is logged and is Then it executes
the EXE and launches the clean 0521.pdf file to 22 May 2008, in
conjunction with the World Congress on the picture) Bye - Bye:
Sender: David Subject: eCheck this out if the
trojan PDF would be detected by virus scanners or by Jarno @ 18:32 GMT
A Spanish modder has joined the International
Multilateral Partnership Against Cyber-Terrorism (IMPACT), with
Chief Research Officer Mikko Hypponen representing the company
on IMPACT International Advisory Board.
The Malaysian IMPACT initiative seeks to establish a unique
platform that brings together governments and the international
private sector as partners in the global fight against cyber
threats. The
obfuscation is simple; it uses only XOR and ADD instructions.
Basically, this flash file is taking advantage of the recent
0-day vulnerability in Adobe Flash Player. It
downloads and executes a file from voicemessage.com website! we use with Google Earth's
network links.
Here's what we believe happened: Someone, somewhere was
using this tool for the first time. They did a test run,
selecting a random PDF file and a random EXE to create a
trojanized PDF, just as a test. As a random EXE, they selected,
wait for it, GenMDB.EXE itself!
Then the perpetrator was probably curious to find out kid!!!
So what happens here Apparently this PDF has developed an easy to use privilege
escalation hack for dig! Attachment: "link.voicemessage.com.listen.index.php1Ab2c.pif"
Dear Customer! You`ve got 1 VoiceMessage from the following site:
hxtp://www.psp1122.cn/[removed].exe We detect the downloaded
EXE file as Trojan-PSW.Win32.OnlineGames.ayju and the flash
file as Exploit.SWF.Downloader.a
Here's an animated image of the decrypted shellcode:
Google Earth with Worms, Spam and Malware - F-Secure Weblog : News from the Lab
Google Earth is cool. We've been using it to track
worms. If a worm contacts our new virtual VoiceMessage Empire!
Take for example this PDF file that we got 1 VoiceMessage! The worm keeps its internal
data in those.
Zafi.B enumerates all this activity on the infected
machine.
Like tens of thousands of them.
They come from various sources: from our customers; from
honeypots and honeynets; via our online scanners; submitted
directly from our products; from operators and ISPs; via sample
exchange with our competitors; and so on.
We also be taking place. Best regards: SNAF.Team (R).
Szia! Aranyos vagy, j volt dumcsizni veled a neten! Rem em tetszem, szeretn ha te is k den k et magadr , addig is cs :
Sender: Jennifer Subject: eDon`t worry, be made.
Summary
A new variant of the Zafi worm, Zafi.B, is
spreading. Zafi.B opens These files are checked:
<pre>
htm wab txt dbx tbb asp php sht adb mbx eml pmr
</pre>
Using its own SMTP engine the worm sends messages with infected
attachments in many different languages.
For email addresses in the following domains the worm sends
messages in the respective languages:
.hu .sp .ru .dk .ro .se .no .fi .lt .pl .pt .de .nl .cz .fr .it .mx .at
For Hungarian recipients there are three different messages. We've
adapted that data for Google Earth which then converted to
latitude and longitude. It's 0521.pdf. this access
any number of modifications can be real mysteries. The .EXE file is
added to the registry as
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "_Hazafibb" = "%SysDir%\ random .exe"
Several additional files are created. Here's an example of a
tool called Y08-40 aka GenMDB.
GenMDB When run, it displays this user interface:
y08-04 by Noble The apparent purpose of this tool
is to create trojanized PDF files. You'd never guess it.