promed-net[dot]com acting as malware distribution point

The domain promed-net[dot]com, which is currently registered/hosted with Go-Daddy, has been acting as a malware distribution point for at least the past 30 days, serving malware such as Win32.Krap.ah and Trojan:Win32/Hiloti.genA. I've also seen this domain participating in several of the many ongoing Trojan Zeus/Zbot spam campaigns, the latest being fake CDC emails claiming you need to set up an H1N1 profile.

Example

“You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people”

If you happen to click the link, you now have the notorious Trojan Zbot installed on your system, which will then contact promed-net[dot]com to install additional malware. One example can be seen in this ThreatExpert report. More information can be found here.

Fake Verizon Wireless Spam Distributes Trojan.Sasfis

A fake Verizon Wireless email with the subject “Your credit balance is over its limit” is currently making the rounds.

Dear Verizon Wireless customer,

Your credit balance is over its limit. Please use the attached Verizon Wireless Balance Checker Tool to review and analyze your payments.

Yours sincerely,
Verizon Wireless Customer Services

The email contains an attachment called “balancechecker.zip” which is really Trojan Sasfis/Oficla. If executed, Sasfis will run silently in the background and download and install additional malware.

http://www.virustotal.com/analisis/c98767c0a51b0ca83d1708beb89f03296394f11f4fd17fc93f3b6d6fbf1686a9-1258535039

Updated List of Fake AntiVirus Domains

The ongoing fake antivirus campaigns are out of control with no end in sight. This software is distributed in a variety of ways such as spam, drive-by downloads, fake ad banners or social engineering techniques. Some hold the files on your computer hostage by encrypting them while others harvest email addresses and credit card information.

Protecter Plus (fakeAV)
Antivirus 2009 (fakeAV)

While the malware each domain distributes may change, the keyword “anti” is usually static. Follow the links below to view an updated list of fake antivirus domains.

http://malc0de.com/tools/db.php?search=scan
http://malc0de.com/tools/db.php?search=anti
http://malc0de.com/tools/db.php?search=security

Gumblar Botnet Returns

On October 15th ScanSafe wrote about the return of the Gumblar botnet, which can be found here. The botnet was dubbed Gumblar back in May 2009 when it was first discovered, because the site which served the malware after a series of redirects was gumblar.cn. Since then the Gumblar botnet has decentralized its malware distribution by using thousands of compromised legitimate websites. Once installed on the victim's machine, the malware will look for FTP credentials from applications such as FileZilla. The stolen credentials will then be used to download files from the compromised account, which are modified before being uploaded back to it. In the example from the ScanSafe blog, the malware currently being delivered (Trojan.Win32.Delf.phk) has a low detection rate.

More information can be found at the following links:

http://en.wikipedia.org/wiki/Gumblar
blog.scansafe.com
wepawet
anubis

Past 30 Days of SSH Brute Force Activity

During the past 30 days the honeypot I maintain has been attacked 423 times. Interestingly, the United States was the top offender, with China (no surprise) coming in a close second. All the attacking IP addresses can be found here.

Count – Country

94 – UNITED
82 – CHINA
23 – KOREA
19 – BRAZIL
13 – TAIWAN
11 – POLAND
10 – UNITED
10 – RUSSIAN
10 – ITALY
8 – GERMANY
8 – COLOMBIA
8 – ARGENTINA
7 – MEXICO
7 – INDIA
7 – CZECH
7 – CANADA
5 – SPAIN
5 – HUNGARY
5 – HONG
5 – FRANCE
4 – UKRAINE
4 – TURKEY
4 – ROMANIA
4 – PANAMA
4 – JAPAN
4 – CHILE
4 – AUSTRALIA
3 – BULGARIA
2 – VENEZUELA
2 – SOUTH
2 – SAUDI
2 – PHILIPPINES
2 – PERU
2 – PAKISTAN
2 – NETHERLANDS
2 – MOLDOVA
2 – MALAYSIA
2 – IRAN
2 – HONDURAS
2 – FINLAND
2 – EGYPT
2 – BELGIUM
2 – AUSTRIA
1 – VIET
1 – UNITED
1 – SYRIAN
1 – SRI
1 – SLOVAKIA
1 – SINGAPORE
1 – NICARAGUA
1 – LITHUANIA
1 – KAZAKHSTAN
1 – ISRAEL
1 – IRAQ
1 – GUATEMALA
1 – GREECE
1 – GHANA
1 – COSTA
1 – AZERBAIJAN

The root account was the most targeted username across all the attacks. It's always a good idea to disable this account when setting up your SSH server; this slightly decreases the chances of an automated brute force succeeding. Listed below are a few more options you should consider if you wish to protect your server.

- Use host-based tools such as DenyHosts, fail2ban or BlockHosts
- Make sure usernames are not easily guessable
- Use multiple factors of authentication or public keys if possible
- Reduce the number of public-facing servers if possible
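As an added example (not from the original post or the honeypot it describes), the script below parses a handful of constructed sshd log lines, counts failed logins per username and per source address, the same kind of tally the country table above is built from, and lists the sources that cross a failure threshold, which is the simplified form of the rule host-based tools such as DenyHosts or fail2ban apply. The log lines, hostnames and addresses are made up for the example.

```python
import re
from collections import Counter

# Constructed sample sshd auth log lines (not real honeypot data).
SAMPLE_LOG = """\
Nov 18 03:12:01 honeypot sshd[2201]: Failed password for root from 203.0.113.10 port 51234 ssh2
Nov 18 03:12:03 honeypot sshd[2201]: Failed password for root from 203.0.113.10 port 51235 ssh2
Nov 18 03:12:05 honeypot sshd[2203]: Failed password for invalid user admin from 203.0.113.10 port 51236 ssh2
Nov 18 03:12:07 honeypot sshd[2205]: Failed password for root from 203.0.113.10 port 51237 ssh2
Nov 18 03:12:09 honeypot sshd[2207]: Failed password for invalid user oracle from 198.51.100.7 port 40001 ssh2
Nov 18 03:12:11 honeypot sshd[2209]: Failed password for root from 198.51.100.7 port 40002 ssh2
Nov 18 03:13:00 honeypot sshd[2211]: Accepted publickey for alice from 192.0.2.5 port 22222 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as sshd logs them.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text):
    """Yield (username, source_ip) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def summarize(log_text):
    """Return (per-username, per-source) counters of failed attempts."""
    users, sources = Counter(), Counter()
    for user, ip in parse_failures(log_text):
        users[user] += 1
        sources[ip] += 1
    return users, sources


def sources_to_block(log_text, threshold=3):
    """Sources with at least `threshold` failures: a simplified DenyHosts/fail2ban rule."""
    _, sources = summarize(log_text)
    return sorted(ip for ip, n in sources.items() if n >= threshold)


if __name__ == "__main__":
    users, sources = summarize(SAMPLE_LOG)
    print("Most targeted username:", users.most_common(1)[0])
    print("Block candidates:", sources_to_block(SAMPLE_LOG))
```

On a real server the same parse runs over /var/log/auth.log (or the journal), and the threshold should be paired with a ban window rather than a permanent block.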
