01/20/2014

Refrigerators Now Send Spam as Well as Keeping it Cold

Category  
0
Refrigerators now do more than keep spam, that tasty treat,  cold, they also send spam, the electronic email version.

That is the story of a compromised refrigerator that sends cold "spam" to unsuspecting users via it's internet connection.

Viruses makers will try to add anything to their botnets, and the latest attack on "refrigerators" does not surprise me at all. The target of this attack was a refrigerator model running a flavor of Linux that had not been hardened or protected against malware, and was allegedly sending out lots of spam.


A picture named M2

There was no proof from Proofpoint of the actual source refrigerator in the article, making some at Ars Technica question the veracity of the story. Either way it is only a question of time before these Internet connected devices start doing more than laundry. With ipv6, which has 3.4 x 1038 addresses (that is 3,400 trillion  trillion  trillion addresses), which means any item can have an ip address. If there are soon 10 billion people in the world, we could tag more than 100 trillion trillion items each with an ipv6 address, so these won't run out unless we want to start tagging stars in the sky.

Make no mistake about it: The virus makers are targeting any Target (pun intended) that they can, in an attempt to:
  • Steal money
  • Steal your identity
  • Steal your wallet (bitcoin users know this problem very well)
  • Steal your data (credit card numbers, for example)
  • Hold you for Ransom

If these don't work, they will infect your device and use it to send more spam or malware.

The moral of the story is that in an always-connected world every device is contantly being probed for weaknesses to find an entry point to launch an attack.

01/09/2014

Increase in Virus Activity

Category
0
The increase in recent Virus activity has been noticeable, and the sophisticated techniques the virus makers use to evade detection make the job of stopping them that much more challenging. Many times, a new message appears and I ask "Is this some new attempt to get me to infect my machine"? Many of my customers ask me the same question, so I put a live stream of recently caught viruses subjects and attachment names on our website. (Obviously, I did not put the viruses, just their names).  Clicking on the wordle that I created out of the names will bring you to a list of recent viruses blocked.

A picture named M2

Here is a sampling of the viruses recently caught by SpamSentinel Anti-Virus.

01/07/2014

Virus Names translated from Chinese

Category
0
I was interested in what the .XLS attachments were in the SpamSentinel quarantine, so I made a view, extracted the contents (minus the XLS extension) and let Google translate show my what these attachments REALLY say.  Like some spam subjects, many of these sound like zen inspired quotes. Here are a few of my favorites:

To manage or to leadership
Become Devil coach
Management does not manage tired

Here is the results of my search for virus attachment wisdom:

http://lotusnotesspam.blogspot.com/2014/01/virus-names-translated-from-chinese.html

To read the list, you must go to my blogspot blog, The Chinese characters were causing problems with my blog template.

01/02/2014

Notice to Appear in Court

Category
0
Yes, the title of the blog appears scary and that is what the senders of the email want, to scare you into opening the message and reading the body, then launching the phony "notice".


Here is a sample of a phony notice that appears to come from JonesDay.

A picture named M2





Here are the Law firms that were spoofed in these virus outbreaks, and a sampling of the from addresses that were used. To be perfectly clear, these messages are spoofing the law firms, trying to get the recipient to open them, and have no relationship to the actual law firms. The virus senders rotate through a list of reputable law firms in the hope of getting past the virus filters and tempting their target into opening the message.


Spoofed Law firm name: Baker Botts
"Notice to Appear" <manager@bakerbotts.com>
"Notice to Appear" <appear_support.5@bakerbotts.com>
"Notice to Appear" <service.753@bakerbotts.com>
"Notice to Appear" <ticket469@bakerbotts.com>
"Notice to Appear" <no_reply@bakerbotts.com>
"Notice to Appear" <appear_support.7@bakerbotts.com>
"Notice to Appear" <information@bakerbotts.com>
"Notice to Appear" <appear_528@bakerbotts.com>
"Notice to Appear" <manager@bakerbotts.com>


Spoofed Law firm name:
Covington and Burling
"Court Notice WA" <support405@cov.com>
"Court Notice WA" <your_notice@cov.com>
"Court Notice WA" <notice_support.7@cov.com>
"Court Notice WA" <support382@cov.com>
"Court Notice WA" <aa.support369@cov.com>
"Court Notice WA" <information@cov.com>
"Court Notice WA" <service.734@cov.com>
"Court Notice WA" <information@cov.com>
"Court Notice WA" <manager@cov.com>
"Court Notice WA" <your_notice@cov.com>


Spoofed Law firm name:
Jones Day
"Notice to Appear" <ticket_support.7@jonesday.com>

"Notice to Appear" <personal.information@jonesday.com>
"Notice to Appear" <service.615@jonesday.com>
"Notice to Appear" <service.723@jonesday.com>
"Notice to Appear" <ticket_248@jonesday.com>
"Notice to Appear" <help420@jonesday.com>
"Notice to Appear" <ticket_service@jonesday.com>
"Notice to Appear" <your_ticket@jonesday.com>
"Notice to Appear" <service.301@jonesday.com>
"Notice to Appear" <ticket_609@jonesday.com>
"Notice to Appear" <ticket_support.2@jonesday.com>
"Notice to Appear" <ticket_support.2@jonesday.com>
"Notice to Appear" <support.8@jonesday.com>
"Notice to Appear" <ticket020@jonesday.com>
"Notice to Appear" <order.723@jonesday.com>
"Notice to Appear" <ticket_162@jonesday.com>

Spoofed Law firm name: Latham and Watkins
"Notice to Appear" <ticket_support.3@lw.com>

"Notice to Appear" <support838@lw.com>
"Notice to Appear" <service.252@lw.com>
"Notice to Appear" <ticket340@lw.com>
"Notice to Appear" <help432@lw.com>
"Notice to Appear" <ticket_support.4@lw.com>
"Notice to Appear" <ticket_support.7@lw.com>
"Notice to Appear" <service@lw.com>
"Notice to Appear" <service_ticket@lw.com>
"Notice to Appear" <support.5@lw.com>
"Notice to Appear" <service_ticket@lw.com>
"Notice to Appear" <information@lw.com>
"Notice to Appear" <no_reply@lw.com>
"Notice to Appear" <support.9@lw.com>
"Notice to Appear" <ticket_support.5@lw.com>

Spoofed Law firm name: McDermott Will & Emery
"Notice to Appear" <manager@mwe.com>

"Notice to Appear" <ticket_support.5@mwe.com>
"Notice to Appear" <ticket_service@mwe.com>
"Notice to Appear" <ticket_support.6@mwe.com>
"Notice to Appear" <support.6@mwe.com>
"Notice to Appear" <service@mwe.com>
"Notice to Appear" <support.2@mwe.com>
"Notice to Appear" <ticket_support.2@mwe.com>
"Notice to Appear" <support.6@mwe.com>


Spoofed Law firm name: Orrick
"Court Notice Orrick" <support.4@orrick.com>
"Court Notice Orrick" <your_notice@orrick.com>
"Court Notice Orrick" <service_notice@orrick.com>
"Court Notice Orrick" <service.959@orrick.com>
"Court Notice Orrick" <support.6@orrick.com>
"Court Notice Orrick" <support.7@orrick.com>
"Court Notice Orrick" <your_notice@orrick.com>
"Court Notice Orrick" <support.3@orrick.com>
"Court Notice Orrick" <support.3@orrick.com>
"Court Notice Orrick" <support.4@orrick.com>
"Court Notice Orrick" <notice_service@orrick.com>
"Court Notice Orrick" <order.510@orrick.com>
"Court Notice Orrick" <notice_support.5@orrick.com>
"Court Notice Orrick" <information@orrick.com>
"Court Notice Orrick" <notice706@orrick.com>
"Court Notice Orrick" <support.8@orrick.com>



Opening the messages. Don't try this at home (or the office)!


I took one message and loaded my Virus Testing Workstation, which is a virtual machine that I can infect then delete the machine.



A picture named M3


Here is one of the viruses that was caught as a ZIP file.

A picture named M4


Here is the attachment, which is disguised as a Word document, but is actually an executable file:

A picture named M5


As there was no response when I clicked the attachment, I clicked it again, so I infected the machine twice. Notice in the task manager, they use the file name to avoid suspicion and preventing some people from closing it.

A picture named M6


When I did close it, I got this error.


A picture named M7



I didn't try to dig into the mechanism of infection, or wait 24-48 hours and see what damage they did to my virtual machine, but that will be a subject for another post.





Download File

Lotusphere

LinkedIn

View Frank Paolino's profile on LinkedIn

Tags

Frank Paolino