Sunday, August 17, 2008

Mailbag

I had some time today, so I thought I'd post this morning's mailbag:

Compromised website (Javascript Compromise):
http://emergency [dot] charlestoncounty [dot] org/index2.asp?p=/ElectedO.htm
PayPal/City Credit Union Phish - with kits:
http://85.45.179.9/icons/small/Secure/home/management/
Kits located at:
http://85.45.179.9/icons/small/www.citycu.org.tar.gz -> (info goes to alvin.thecrazy@gmail.com)
http://85.45.179.9/icons/small/citycu.org.tar.gz -> (info goes to pep.xxl@gmail.com)
http://85.45.179.9/icons/small/paypal.tar.gz -> (info goes to pep.xxl@gmail.com)
Today's "Breaking News" spam:
From: Tinney
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: [REDACTED]
Subject: BREAKING news
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Did Bill Clinton Cross the Line? http://www[dot]sakapfet[dot]com/1.html

Attempts to trick users into downloading a fake AV client called Antivirus XP 2008 from antivirusxp-08.com.
Tries to convince users they need to download and run "install.exe", which of course is a trojan. (VirusTotal Output)

Reported malicious domains:
fbcel.org
www.jewelryboxes.net
sakapfet.net
tvmonitoringservice.com
cheahahs.com (msn_video.html)

Bots/Malware:
http://www [dot] 1rc-chat [dot] net/a.exe
http://members [dot] lycos [dot] co [dot] uk/dbrowny/server.exe


Saturday, September 01, 2007

Peed Goes Static

For the last few days, the Peed servers have stopped rotating their malware. They are sticking with the static MD5 sum of c05893a656b54164fb486028309bd89e.

Most of the major Antivirus vendors are aware of the file:
File setup.exe received on 09.01.2007 17:54:57 (CET)
Antivirus          Version        Last Update  Result
AhnLab-V3          2007.9.1.0     2007.09.01   Win32/Zhelatin.worm.138240.B
AntiVir            7.4.1.66       2007.08.31   Worm/Zhelatin.HJ
Authentium         4.93.8         2007.09.01   W32/Tibs.XB
Avast              4.7.1029.0     2007.09.01   Win32:Tibs-BCY
AVG                7.5.0.484      2007.08.31   Generic6.WTZ
BitDefender        7.2            2007.09.01   Trojan.Peed.PB
CAT-QuickHeal      9.00           2007.09.01   -
ClamAV             0.91.2         2007.09.01   -
DrWeb              4.33           2007.09.01   BackDoor.Groan
eSafe              7.0.15.0       2007.08.29   -
eTrust-Vet         31.1.5100      2007.08.31   Win32/Pecoan
Ewido              4.0            2007.09.01   -
FileAdvisor        1              2007.09.01   -
Fortinet           3.11.0.0       2007.09.01   W32/Tibs@mm
F-Prot             4.3.2.48       2007.08.31   W32/Tibs.XB
F-Secure           6.70.13030.0   2007.08.31   Email-Worm.Win32.Zhelatin.hj
Ikarus             T3.1.1.12      2007.09.01   Backdoor.Win32.Agent.amd
Kaspersky          4.0.2.24       2007.09.01   Email-Worm.Win32.Zhelatin.hj
McAfee             5110           2007.08.31   W32/Nuwar@MM
Microsoft          1.2803         2007.09.01   -
NOD32v2            2495           2007.09.01   -
Norman             5.80.02        2007.08.31   W32/Tibs.dam
Panda              9.0.0.4        2007.09.01   Trj/Alanchum.MV
Prevx1             V2             2007.09.01   -
Rising             19.38.52.00    2007.09.01   Worm.Mail.Win32.Zhelatin.dau
Sophos             4.21.0         2007.09.01   W32/Bagz-I
Sunbelt            2.2.907.0      2007.08.31   Trojan-Downloader.Win32.Tibs.jy
Symantec           10             2007.09.01   Trojan Horse
TheHacker          6.1.9.175      2007.08.31   W32/Zhelatin.hj
VBA32              3.12.2.3       2007.09.01   Email-Worm.Win32.Zhelatin.hj
VirusBuster        4.3.26:9       2007.09.01   I-Worm.Zhelatin.AA
Webwasher-Gateway  6.0.1          2007.08.31   Worm.Zhelatin.HJ

Additional information
File size: 138240 bytes
MD5: c05893a656b54164fb486028309bd89e
SHA1: 8ad506547710d61a6ac0613fdb1d290911f8e600
(Virustotal Results, http://www.virustotal.com)
As you can see, a select few still miss it, so please be careful clicking on those links in email or blog posts!
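Added example (not part of the original post): a small Python script that takes the VirusTotal engine rows quoted above, re-split into whitespace-aligned columns, and reports the detection ratio, which engines returned nothing, and a tally of family names across vendors so the consensus (Zhelatin/Tibs) shows through the vendor-specific labels. The two-or-more-spaces column layout and the list of generic tokens to ignore are assumptions of this example, not a VirusTotal export format; the row data itself is exactly what the post quotes.

```python
import re
from collections import Counter
from typing import NamedTuple

# The VirusTotal rows for setup.exe as quoted in the post
# (engine, engine version, signature date, result; "-" = no detection).
# Columns separated by two or more spaces: an assumption of this example.
VT_REPORT = """
Antivirus          Version        Last Update  Result
AhnLab-V3          2007.9.1.0     2007.09.01   Win32/Zhelatin.worm.138240.B
AntiVir            7.4.1.66       2007.08.31   Worm/Zhelatin.HJ
Authentium         4.93.8         2007.09.01   W32/Tibs.XB
Avast              4.7.1029.0     2007.09.01   Win32:Tibs-BCY
AVG                7.5.0.484      2007.08.31   Generic6.WTZ
BitDefender        7.2            2007.09.01   Trojan.Peed.PB
CAT-QuickHeal      9.00           2007.09.01   -
ClamAV             0.91.2         2007.09.01   -
DrWeb              4.33           2007.09.01   BackDoor.Groan
eSafe              7.0.15.0       2007.08.29   -
eTrust-Vet         31.1.5100      2007.08.31   Win32/Pecoan
Ewido              4.0            2007.09.01   -
FileAdvisor        1              2007.09.01   -
Fortinet           3.11.0.0       2007.09.01   W32/Tibs@mm
F-Prot             4.3.2.48       2007.08.31   W32/Tibs.XB
F-Secure           6.70.13030.0   2007.08.31   Email-Worm.Win32.Zhelatin.hj
Ikarus             T3.1.1.12      2007.09.01   Backdoor.Win32.Agent.amd
Kaspersky          4.0.2.24       2007.09.01   Email-Worm.Win32.Zhelatin.hj
McAfee             5110           2007.08.31   W32/Nuwar@MM
Microsoft          1.2803         2007.09.01   -
NOD32v2            2495           2007.09.01   -
Norman             5.80.02        2007.08.31   W32/Tibs.dam
Panda              9.0.0.4        2007.09.01   Trj/Alanchum.MV
Prevx1             V2             2007.09.01   -
Rising             19.38.52.00    2007.09.01   Worm.Mail.Win32.Zhelatin.dau
Sophos             4.21.0         2007.09.01   W32/Bagz-I
Sunbelt            2.2.907.0      2007.08.31   Trojan-Downloader.Win32.Tibs.jy
Symantec           10             2007.09.01   Trojan Horse
TheHacker          6.1.9.175      2007.08.31   W32/Zhelatin.hj
VBA32              3.12.2.3       2007.09.01   Email-Worm.Win32.Zhelatin.hj
VirusBuster        4.3.26:9       2007.09.01   I-Worm.Zhelatin.AA
Webwasher-Gateway  6.0.1          2007.08.31   Worm.Zhelatin.HJ
"""


class EngineResult(NamedTuple):
    engine: str
    version: str
    updated: str
    result: str  # "-" when the engine reported nothing


DATE_RE = re.compile(r"\d{4}\.\d{2}\.\d{2}")


def parse_vt_table(text: str) -> list[EngineResult]:
    """Split the whitespace-aligned table into rows, skipping the header line."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 4 or not DATE_RE.fullmatch(fields[2]):
            raise ValueError(f"unexpected row: {line!r}")
        rows.append(EngineResult(*fields))
    return rows


def detection_ratio(rows: list[EngineResult]) -> tuple[int, int]:
    """(engines that flagged the file, engines in the report)."""
    hits = sum(1 for r in rows if r.result != "-")
    return hits, len(rows)


def missing_engines(rows: list[EngineResult]) -> list[str]:
    """Engines that returned no detection, in report order."""
    return [r.engine for r in rows if r.result == "-"]


# Tokens naming a category or platform rather than a family; skipped when
# tallying names. Chosen for this example, not a standard list.
GENERIC = {"worm", "trojan", "backdoor", "email", "mail", "generic",
           "downloader", "horse"}


def family_votes(rows: list[EngineResult]) -> Counter:
    """Count family-like tokens (4+ letters, case-insensitive) across vendor names."""
    votes: Counter = Counter()
    for r in rows:
        if r.result == "-":
            continue
        seen = set()
        for tok in re.findall(r"[A-Za-z]+", r.result):
            t = tok.lower()
            if len(t) >= 4 and t not in GENERIC and t not in seen:
                seen.add(t)
                votes[t] += 1
    return votes


ROWS = parse_vt_table(VT_REPORT)

if __name__ == "__main__":
    hits, total = detection_ratio(ROWS)
    print(f"detected by {hits}/{total} engines")
    print("no detection:", ", ".join(missing_engines(ROWS)))
    print("family consensus:", family_votes(ROWS).most_common(3))
```

Run it as-is and it reports 24 of 32 engines detecting the file, the eight that missed it, and Zhelatin (9 votes) ahead of Tibs (6) as the family name; the same parser works on any report pasted in the same column layout.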


UPDATE: A closer look at our binaries over the last few days shows that we're still getting random binaries, but only a couple hundred a day, instead of several thousand. By far the most common binary appears to be c05893a656b54164fb486028309bd89e.
