
Wednesday, September 7, 2011

Mediafire DMCA Office2010-kb2289161-fullfile-x64-glb.exe patch email


Saturday, September 3, 2011

So long and thanks for all the phish

I will be away until Sept 17 and will not be posting until at least Sept 25.
My internet connection will be intermittent but I will reply to all messages
as soon as I can. ~ Mila

Sept 3. Liberating Taiwan: one phish at a time. 2010-2011



I will be traveling most of September but I wanted to leave you with something to play with while I am away.
These 175 phishing messages were received over the course of 18 months by one recipient, who also happens to be a former Taiwan government official and an expert on China. The recent exploits used are mostly CVE-2010-3333 and CVE-2011-0611 and CVE-2010-2883 but you will find a good variety, as well as a lot of RAR files with RTLO and exe. The senders and the recipient are in Asia so these document give you a good idea about the phishing landscape there (in many ways it is similar to what you see in USA, for understandable reasons)
There might be a few documents that are not malicious, esp. image files.

The first folder inside the zip contains files named DATERECEIVED_NAME.EXT and the second has the same files named DATERECEIVED_SENDERADDR_SUBJECT_NAME.EXT. Use whichever works better for you. I also posted details about two messages to give you an idea.


Monday, August 29, 2011

Aug 28 Morto / Tsclient - RDP worm with DDoS features

 
According to Microsoft, Morto is a worm that spreads by trying to compromise (lame) administrator passwords for Remote Desktop connections on a network. They also note it can perform Denial of Service attacks against attacker-specified targets.
I can add that it runs what looks like a quick DoS test against one Google IP. In addition, it creates a lot of traffic: RDP scans, downloads, receiving commands, and interesting DNS queries for command and control servers.
Judging by the domain owners of the C&C servers (China) and their location (Hong Kong), I would say it is likely to be cybercrimeware originating in erm,...Asia. I don't know how difficult it is for a foreigner to register domains with Jiangsu Bangning Science & Technology Co. Ltd. in China. One of the domains existed for a few years and changed several Chinese registrars and hosting companies. Like in Russia, DDoS attack crimes are very common in China (I don't have stats for other Asian countries but I am guessing common there too :)

I want to thank jsunpack.jeek.org and malc0de.com for the sample.


Thursday, August 11, 2011

Targeted attacks against personal Gmail accounts Part II - CNAS Report


I am posting this only to highlight the fact that once compromises happen and are covered in the news, they do not disappear and attackers don't give up or stop. They continue their business as usual. Here is a small update to the post dated Feb 17, 2011, Targeted attacks against personal accounts of military, government employees and associates. That post was mentioned a few times in the news thanks to Google mentioning it in their blog post in June 2011.


I received a phishing email sample indicating that the attackers described in the above post continue their efforts with very slight modifications to the original themes, and I must note that this incident is even simpler than the previous one. I don't know if any accounts were compromised this time; I hope the public disclosure of the previous attacks, along with the notifications on forwarding rules and two-factor authentication in Gmail, helped prevent most if not all compromises.

P.S. Google are aware of this, there is not much they can do to prevent these from coming in but I am sure they are trying. If you are concerned about your account safety, please use two-factor authentication and change your passwords often.

Wednesday, August 10, 2011

Microsoft and Adobe Flash patches vs corresponding document and web exploits (non PDF, CVE numbered)




Again, thanks to Malware Tracker keeping an exploit timeline for Microsoft products (MS Office, HTML Help, Windows thumbnail), these are the patches you need to have installed for protection, or should *not* have installed if you want successful sandbox testing of these exploits.

Some of these like Flash were also used as Web exploits. The table below includes only exploits used in documents.

There are too many Flash exploits to list with the links; however, the two lists below allow very easy correlation.



Tuesday, August 9, 2011

Adobe Reader versions vs corresponding exploits (CVE numbered) - Downloads for testing




Building a VM sandbox environment for testing malicious documents? I found that sometimes tracking all the full versions and minor updates of Adobe Reader via Old Apps or Adobe.com, and the corresponding CVE numbers, is more time consuming than the actual testing. Here are all the versions necessary for testing, available from the Contagio download. In some cases you need to install the base version and then apply all the incremental updates to get to the version you need.

Many thanks to Malware tracker for making this easier - see their PDF threats timeline post here Current PDF Threats

Or, Download all together from HERE


Wednesday, July 27, 2011

Jul 25 Mac Olyx backdoor + Gh0st Backdoor in RAR archive related to July 2009 Ürümqi riots in China (Samples included)


The recently discovered backdoor for Mac, Olyx (Criminals gain control over Mac with BackDoor.Olyx), was used for targeted attacks (or what appears to be targeted attacks), which is not surprising. As Microsoft pointed out, in addition to malware the package contains an html page and photos from a Wikipedia page for events dated July 5, 2009; it appears that all photos relate to one event, the July 2009 Ürümqi riots in China.
"Government censors disabled keyword searches for "Urumqi", and blocked access to Facebook and Twitter as well as local alternatives Fanfou and Youku. Chinese news sites mainly fed from Xinhua news service for updates about the rioting in Urumqi, comments features on websites were disabled on some stories to prevent negative posts about the lack of news. Internet connections in Urumqi were reportedly down. Many unauthorized postings on local sites and Google were said to have been "harmonised" by government censors, and emails containing terms related to the riots were blocked or edited to prevent discord."
Perhaps the trojans found in the package (the Gh0stnet backdoor, detected as Backdoor:Win32/Remosh.A, and the new Backdoor:MacOS_X/Olyx.A) were destined for a Chinese human rights activist, as he/she would be likely to be interested in this particular event update. In addition, it is known that many of the Gh0stnet targets were human rights activists.


Monday, July 25, 2011

Jul 12 RTLO rar with trojan Taidoor - former President Lee Teng-hui seriously ill

 
I wanted to release this one as part of a pack (several semi-related posts together) but it seems like it takes too long, so I am just posting it. This one is not much different from what you saw before, just another Taidoor trojan for your collection, sent within an RTLO rar archive. According to the Microsoft Malware Protection Center, Trojan Taidoor / Rubinurd is a bot capable of downloading and uploading files to / from the attackers' server and executing commands on the system. It is prevalent in Taiwan (at least half of all detections are there) and is relatively new, having emerged in September 2010. This is a file sent in Taiwan from a Taiwan server.



Exploit Information

RTLO
More about RTLO is in Jordi Chancel's post Right to Left Override unicode can be used for multiple spoofing cases:
"RTLO is a technique exploiting the RIGHT TO LEFT OVERRIDE unicode, and it will always cause the reading order of the characters following it to be reversed, including the extension-type of the malicious file! This UNICODE, which we will simplify by naming it [RTLO], cannot be seen, owing to the fact that its characters and its place are invisible. Use RTLO to reverse the reading direction of file names, including the extension of the concerned file, while keeping the same types of execution.
Example: Using a syntax like “SexyPictureGirlAl[RTLO]gpj.exe” will be read as “SexyPictureGirlAlexe.jpg”"
TROJAN TAIDOOR / RUBINURD (as payload)

It produces traffic as below:
http://someipordomain/qfgkt.php?id=030696111D308D0E8D
The general form is http://aaaaa/bbbbb.php?id=xxxxxxyyyyyyyyyyyy where
aaaaa is a host or domain
bbbbb is a 5 char string
xxxxxx is a 6 char changing string
yyyyyyyyyyyy is a 12 char more or less constant string, which is the encoded MAC address of the system

Saturday, July 23, 2011

Why contagio will never have ads


Navigating a mine field. I've seen worse.




Thursday, July 14, 2011

Jul 13 CVE-2010-2883 PDF Meeting Agenda with more Poison Ivy www.adv138mail.com | 112.121.171.94


Here is one more for a full collection, with the same malware and sender as in the previous post. This message, targeting experts on the Japan, China, Taiwan / USA relationship, was sent on July 13, 2011. The attached pdf exploits CVE-2010-2883 (2/43 VT, encrypted) with a Poison Ivy (keylogging) payload, connecting to www.adv138mail.com. The domains serving PI listed below were registered by DNS.com.cn, which has a poor reputation. These domains/IP have been CnC for Poison Ivy for a while; consider the posts below.

Other PI domains noted are:
web.adv138mail.com - 2011
dns.adv138mail.com - 2011 (thank you, John)
www.adv138mail.com - 2011 - 112.121.171.94
pu.flower-show.org - 2011 - 112.121.171.94
cecon.flower-show.org - 2010
posere.flower-show.org - 2009
Nov.adv138mail.com, ftp.adv138mail.com and asm.adv138mail.com also point to 112.121.171.94.



Jul 5 CVE-2010-2883 PDF invitation.pdf with Poison Ivy from 112.121.171.94 | pu.flower-show.org

Update Jul 13. Considering that this pdf is very low detection, I decided to post some of the target domains here in case it helps them to prevent or identify infections.
The non-gmail domains included:
usjapancouncil.org, spfusa.org, vanderbilt.edu, comdt.uscg.mil, miis.edu
If you work at one of those places and must know the actual recipient, you can contact me. ~ Mila

The message, targeting experts on Japan, China, Taiwan / USA relationship was sent on July 5. The attached pdf exploits CVE-2010-2883 (2/43 VT, encrypted) with poison ivy (keylogging) payload, connecting to pu.flower-show.org. This domain has been CnC for poison ivy for a while, consider these posts
Contagio | More flowers with some poison ivy - Feb. 10, 2010

F-secure | Watch Out for flower-show.org - Feb.10, 2010
ISC | Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324 - Jan 4, 2010 

Other PI domains noted are:
pu.flower-show.org - 2011
cecon.flower-show.org - 2010
posere.flower-show.org - 2009

Monday, July 11, 2011

New CONTAGIOminiDUMP - mobile malware is moving !!!

Please welcome the new section of Contagio - CONTAGIOminiDUMP.BLOGSPOT.COM
The old mobile malware Mini-dump (aka "Take a sample, leave a sample") grew too large and difficult to use. This section will allow better organization of all the mobile malware. There are not that many samples but the collection is steadily growing.

This is a work in progress, so please send or post your comments regarding the design, hosting, organization and such.

Many thanks to Tim Strazzere for catalyzing the upgrade :)

You will be able to access the new location from contagio - it won't be too hard to find.

 ~ Mila

Friday, July 8, 2011

Take a sample, leave a sample. Mobile malware mini-dump - July 8 Update


This post and all mobile malware moved to contagiominidump.blogspot.com

I frequently get requests for mobile malware already published on Contagio, and also for new files that might be mentioned in the media and blogs. I do not really have a large collection of mobile malware but I welcome submissions.
Here is a folder with the most recent files I have. If you use the upload feature on the blog (see below) and send more mobile malware samples, they will be added to this folder for everyone to come and use.

Download files from the mobile malware mini-dump (new link)
Use infected for the password

Current list (~50+ downloads = around 200 individual files as of June 2011). Hyperlinks lead to VirusTotal.
Download from the dump link above or click on the "download" link if present.
  1. Zitmo Android Edition (Zeus for mobile) ecbbce17053d6eaf9bf9cb7c71d0af8d - Download (thanks to anonymous, July 8, 2011). Read more: Zitmo hits Android, Axelle Apvrille - Fortinet
  2. GoldDream.A BloodvsZombie_com.gamelio.DrawSlasher_1_1.0.1.apk b87f2f3a927bf967736ed43ca2dbfb60 (many thanks for the sample to oren@avg-mobilation, July 6, 2011) - Download. Read more: Security Alert: New Android Malware -- GoldDream -- Found in Alternative App Markets, Xuxian Jiang
  3. GoldDream.B v1.0_com.GoldDream.pg_1_1.0.apk f66ee5b8625192d0c17c0736d208b0b (many thanks for the sample to oren@avg-mobilation, July 6, 2011) - Download. Read more: Security Alert: New Android Malware -- GoldDream -- Found in Alternative App Markets, Xuxian Jiang
  4. DroidKungFu2-A _com.allen.txthej_1_1.0 F438ED38B59F772E03EB2CAB97FC7685 (many thanks for the sample to oren@avg-mobilation, July 3, 2011) - Download. Read more: Security Alert: New DroidKungFu Variants Found in Alternative Chinese Android Markets
  5. DroidKungFu2-B __com.tutusw.onekeyvpn_7_1.1.6_54bc7a8fb184884a26e4cce74697d3a5 (many thanks for the sample to oren@avg-mobilation, July 3, 2011) - Download. Read more: Security Alert: New DroidKungFu Variants Found in Alternative Chinese Android Markets

Thursday, July 7, 2011

Rootkit TDL-4 (TDSS, Alureon.DX, Olmarik, TDL) 32-bit and 64-bit Sample + Analysis links - Update July 7


Old version 3 -  See August 27, 2010  TDL3 dropper (x86 compatible with x64 systems).

General File Information - April 2011

This is an updated version of TDL4, which made a lot of news recently thanks to being named the ‘indestructible’ botnet. This is the last / current version and it is dated April 2011 (the previous version is from January 2011).

All the credits and many thanks for the files and comments go to @EP_X0FF @InsaneKaos @markusg @USForce from KernelMode.info. I am posting the files and their comments here because of the large number of inquiries for the updated version.

KernelMode.info:
Version TDL4 (April 2011 edition)
1) Bypassed Microsoft patch (STATUS_INVALID_IMAGE_HASH error overwritten) to be able again to infect x64 OS
2) Bypassed Microsoft patch to kdcom.dll (this version of TDL4 checks the kdcom resource directory size on the x64 version of it, whether it is == 0x110 || 0xFA)
3) Improved disk miniport filtering hook
Version history:
  1. 0.01 first detected ITW at the end of July 2010
  2. 0.02 August 2010, version with x64 support
  3. 0.03 September 2010, small changes, new C&C library
  4. In April 2011 Microsoft released KB2506014 targeting the 0.03 version, specifically the boot loader and kd dll, and it was able to successfully prevent TDL4 from working. However, the rootkit support struck back within two weeks, releasing their update, which could bypass the MS patch. The rootkit version wasn't changed.
List of samples included

File: TDL4.exe
Size: 146944
MD5:  4A052246C5551E83D2D55F80E72F03EB
http://www.virustotal.com/file-scan/report.html?id=b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5-1305275113

File: dll (2).exe
Size: 140288
MD5:  D69B02C1ACD87B5A5C33B19693E24020
http://www.virustotal.com/file-scan/report.html?id=fe165840b709adb5b7765ea329c317f64d05a402873c8d8cea84873cbe192bf4-1304405700

File: DLL.exe
Size: 140288
MD5:  A1DE5B3607845F5C6597528BE02EBDA5
http://www.virustotal.com/file-scan/report.html?id=1aa5708519389ddcf96fa6206cf274844414c58bff6e3f8338188364449f4509-1304402425



Download TDL4 - April 2011 edition files listed above as a password protected archive (contact me if you need the password)


Wednesday, June 29, 2011

Jun 22 CVE-2011-0611 PDF-SWF "Fruits of economic growth" with revoked COMODO cert and Trojan Taidoor



The message is signed by a certificate "Issued by COMODO Client Authentication and Secure Email CA", and the certificate is revoked.
The sender address is a spoofed Gmail address of SEF News, sef1941@gmail.com, but it was sent from a HINET server in Taiwan, not from Gmail. The exploit used is CVE-2011-0611, with the same malicious SWF as described in the previous post Jun 27 PDF - SWF CVE-2011-0611 Two Views On The South China Sea from compromised Pikes Peak BOCES account w Taidoor.
The payload is the same too, Trojan Taidoor / Rubinurd (see more with Taidoor here), with C&C server 213.42.74.85 (Dubai, UAE).

Update June 29: As screenshots of the certificate show, it was not expired. The Comodo Certificate Revocation List showed that the certificate was revoked less than 12 hours before the message was sent, which means it was stolen and ready to be used while it was still valid. Perhaps it was used while still valid for a while before I got it.
Digitally signed messages are used to gain the trust of the recipient. Contagio has examples of stolen valid and invalid certificates used to sign malicious binaries in order to bypass white-listing applications and other filters. Speaking of CRLs, here are two articles related to web certificates.

Revocation doesn't work (18 Mar 2011) Imperial Violet
Detecting Certificate Authority compromises and web browser collusion (22 Mar 2011) Tor Blog by ioerror


Tuesday, June 28, 2011

Jun 27 PDF - SWF CVE-2011-0611 Two Views On The South China Sea from compromised Pikes Peak BOCES account w Trojan Taidoor


-- This message came from a compromised account of mail.ppboces.org, the mail server for Pikes Peak Board of Cooperative Educational Services in Colorado Springs, CO. It has two attachments exploiting CVE-2011-0611.
-- The payload is Trojan Taidoor / Rubinurd, which is a frequently used trojan for targeted attacks (see more with Taidoor here). For attribution reasons, I would like to know if this is a private custom trojan or something commercial and thus used by more than one group of attackers. If you happen to know, let me know. The PDF and the payload have Chinese language in the file metadata and code.
-- The C&C IP addresses are 62.38.148.117 (ports 443, 80) - Hellas On Line S.A., Greece, Attiki and 64.167.26.66 (port 80) - SBC Internet Services, Costa Mesa, CA

Sunday, June 26, 2011

New blog design. Yay or Nay?


Not sure if it is noticeable but there are a lot of tweaks, including the addition of a mobile template. It is a work in progress; I will tweak it more later.
Update: Changed to fixed width to prevent columns from running over each other.

OLD DESIGN


NEW DESIGN

Friday, June 24, 2011

Jun 17 SCR (RTLO) South China Sea Territorial Disputes Study Update with Taidoor



Exploit Information

More about RTLO is in Jordi Chancel's post Right to Left Override unicode can be used for multiple spoofing cases:

"RTLO is a technique exploiting the RIGHT TO LEFT OVERRIDE unicode, and it will always cause the reading order of the characters following it to be reversed, including the extension-type of the malicious file! This UNICODE, which we will simplify by naming it [RTLO], cannot be seen, owing to the fact that its characters and its place are invisible. Use RTLO to reverse the reading direction of file names, including the extension of the concerned file, while keeping the same types of execution.
Example: Using a syntax like “SexyPictureGirlAl[RTLO]gpj.exe” will be read as “SexyPictureGirlAlexe.jpg”"
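The RTLO trick quoted here and in the Jul 12 Taidoor post above, shown from the defender's side as an added example that is not part of the original posts: it computes how a name containing U+202E is displayed, what extension the OS really uses, and flags archive members where the two disagree and the real extension is executable. The sample listing and the executable-extension set are constructed for illustration.

```python
import unicodedata

# Unicode bidi control characters that can reorder how a file name is displayed.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one abused in the RTLO trick quoted above.
RTLO = "\u202e"
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
)
# Extensions Windows runs when double-clicked (illustrative subset, my choice).
EXECUTABLE_EXTS = frozenset({".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"})


def rendered_name(name):
    """Approximate what a bidi-aware display shows for a name containing U+202E:
    everything after the override is drawn right-to-left, i.e. reversed."""
    head, sep, tail = name.partition(RTLO)
    return head + tail[::-1] if sep else name


def real_extension(name):
    """The extension the OS actually uses: drop the invisible bidi controls and
    take the suffix after the last dot."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    dot = cleaned.rfind(".")
    return cleaned[dot:].lower() if dot != -1 else ""


def inspect_filename(name):
    """Report how a file name displays versus what it really is."""
    controls = [f"U+{ord(ch):04X} {unicodedata.name(ch)}"
                for ch in name if ch in BIDI_CONTROLS]
    shown = rendered_name(name)
    shown_ext = shown[shown.rfind("."):].lower() if "." in shown else ""
    actual_ext = real_extension(name)
    return {
        "name": name,
        "displayed_as": shown,
        "bidi_controls": controls,
        "displayed_extension": shown_ext,
        "actual_extension": actual_ext,
        # Flag when a bidi control is present and the real extension is executable,
        # regardless of how harmless the displayed extension looks.
        "suspicious": bool(controls) and actual_ext in EXECUTABLE_EXTS,
    }


def scan_archive_listing(names):
    """Return the inspection records of every suspicious member name, e.g. from a
    RAR listing read before extraction."""
    return [rec for rec in map(inspect_filename, names) if rec["suspicious"]]


if __name__ == "__main__":
    # Constructed sample listing: an RTLO .scr posing as .doc, the classic gpj.exe
    # example from the quote above, and a plain document.
    sample = [
        "South China Sea Study\u202ecod.scr",
        "SexyPictureGirlAl\u202egpj.exe",
        "agenda.pdf",
    ]
    for rec in scan_archive_listing(sample):
        print(f"{rec['displayed_as']!r} is really {rec['actual_extension']} "
              f"({', '.join(rec['bidi_controls'])})")
```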


Wednesday, June 15, 2011

May-June 2011 Trojan Taidoor "Louisvilleheartsurgery.com" phishing campaign

These posts all contain the same trojan, but they were not created for the sake of samples. They are to show how compromised USA servers are used for a stream of phishing emails. The first was noticed on May 31, 2011 and the last was today, June 13, 2011.


mail.louisvilleheartsurgery.com 66.147.51.202 appears to be a misconfigured mail server allowing relay but only forensic examination of the server can provide more details. If you are a patient and are concerned about your records, please note that the mail server is not the same as a database or a data server and patient records are most likely on a different server and not affected. Also, these attackers are not after the louisvilleheartsurgery.com data, they usually use the mail service to reach their targets elsewhere. The phishing campaign, judging by the targets, topics, and trojans used, is targeting researchers and experts working on Chinese and Taiwan issues.

Tuesday, June 14, 2011

Jun 13 CVE-2009-4324 PDF navy procurement.pdf from compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE) number

CVE-2009-4324 Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.

General File Information

File: navy procurement.pdf
File Size: 222903 bytes
MD5: DF0DE9AD9E5BF00A60F8DE3D37683C5B
Distribution: Email attachment



The trojaned documents were sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of the University of Louisville surgery program, outsourced to / hosted at Nuvox / Windstream Email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing.

Monday, June 13, 2011

Jun 1 CVE-2010-3333 DOC You are my King from compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability"

General File Information

File: You are my king.doc
File Size: 58531 bytes
MD5: 09D68EF693AC6B7D3ACF0DDFF0585543
Distribution: Email attachment




The trojaned documents were sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of the University of Louisville surgery program, outsourced to / hosted at Nuvox / Windstream Email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing. (I have other examples of phish mail sent via that server and I will post them as soon as I can.)

May 31 CVE-2010-3333 DOC President Obama's Speech.doc from compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability"

General File Information

File: President Obama's Speech.doc
File Size: 73891 bytes
MD5: 35C33BBD97D7F5629D64153A1B3E71F1
Distribution: Email attachment

The trojan within a Word document was sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of the University of Louisville surgery program, outsourced to / hosted at Nuvox / Windstream Email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing. (I have other examples of phish mail sent via that server; pretty much everything is the same, but note the additional C2 IP in this post.)





May 31 CVE-2010-3333 DOC Q and A.doc compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability"

General File Information

File: Q and A.doc
File Size: 115755 bytes
MD5: 46863c6078905dab6fd9c2a480e30ad0
Distribution: Email attachment

The trojan within a Word document was sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of the University of Louisville surgery program, outsourced to / hosted at Nuvox / Windstream Email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing. (I have other examples of phish mail sent via that server; pretty much everything is the same, but note the additional C2 IP in this post.)


Jun 1 CVE-2010-3333 DOC 2011 Insider's Guide to Military Benefits from compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability"

General File Information

File: 2011 Insider's Guide to Military Benefits .doc
File Size: 92715 bytes
MD5: f520c8671ddb9965bbf541f20635ef30
Distribution: Email attachment

The trojan within a Word document was sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of the University of Louisville surgery program, outsourced to / hosted at Nuvox / Windstream Email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing. (I have other examples of phish mail sent via that server and I will post them as soon as I can.)

Sunday, June 5, 2011

Six ways sensitive data finds its way to personal email accounts

There has been a lot of speculation recently on how much sensitive data a hacker can find in personal email accounts, considering it is against the rules in most places to use personal accounts for work. Although there are strict rules for classified messages and documents, the intruders are often satisfied with merely sensitive or merely informational messages for building the picture they need. While I don't know how strict the rules are at the White House, the following behavior is common for at least some US Government offices and for many companies. This information is from my own knowledge, as well as accounts of people working for the US Government, the military, Fortune 500 companies, non-government research institutions, and other places.

I am sure you will find none of these scenarios surprising; they are all very common.

SIX WAYS SENSITIVE DATA FINDS ITS WAY TO PERSONAL EMAIL ACCOUNTS
    1.   Google Apps accounts are often created in addition to corporate/work mail to allow easy document sharing between different companies, for one project or as a permanent setup.
    2.   Employees create auto-forwarding of all work emails to their personal accounts for easy reading on personal mobile devices (not everyone has a work-issued mobile device).
    3.   Employees, regardless of their employer, need to communicate with people who work elsewhere. They cannot control whether their recipients use free webmail or what they do with their mail, and their recipients can be targeted.
    4.   Employees often trust personal webmail more than their work accounts for privacy reasons. They know their work mail is heavily monitored, archived and filtered, and they sometimes need to say something to each other "off the record". This may include work-related topics, their supervisors, etc.
    5.   Employees, especially when traveling, often manually forward selected messages from work to personal accounts. This is because it is easier to check personal accounts than to log in with smart cards, RSA keys and VPN just to refer to a few things they may need for work during their travel or work-at-home period.
    6.   Employees may forward mail to personal accounts before leaving their job; some places allow auto-forward and in others you can do it manually. People forward contacts or important messages that they may need after they start a new job.

Related posts : Targeted attacks against personal accounts of military, government employees and associates