CudaMail Solutions

 Friday, August 08, 2008
Friday, August 08, 2008 9:02:11 AM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | Spam | US-CERT )
US-CERT is aware of public reports of malware spreading via spam. It has been reported that malware is spreading in spam messages related to the upcoming Olympics and to fake CNN news reports. If a user clicks the link to one of these fake news reports they are prompted to install a Flash Player update. If users attempt to install the update, malware may be downloaded and installed onto their system.

US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
  • Install anti-virus software, and keep its virus signature files up-to-date.
  • Do not follow unsolicited web links received in email messages.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.


 Thursday, July 31, 2008
Thursday, July 31, 2008 10:46:40 AM (Mountain Daylight Time, UTC-06:00) ( CudaMail | Phishing Scams | Sophos | Spam | Spam Filtering Service | Threats | US-CERT | Airline e-Ticket Scam )

With so many people cutting back on travel because of high fuel prices, the chance of getting a 'free' airline ticket anywhere will surely entice some percentage of people to open this attachment and get infected. If it sounds too good to be true... you know the saying.

CudaMail is currently blocking these as a Trojan.Zbot variation.

- Shaun

US-CERT Current Activity

Airline E-ticket Email Attack

Original release date: July 31, 2008 at 9:15 am | Last revised: July 31, 2008 at 9:15 am

US-CERT is aware of public reports indicating that a new email attack is circulating. This attack uses email messages that appear to be from legitimate airlines and contain information about a bogus e-ticket.
These email messages instruct the user to open the attachment to obtain the e-ticket. If a user opens this attachment, a file may be executed to infect the user's system with malicious code.

Reports, including a posting by Sophos, indicate that these messages have the following characteristics. Please note that these attributes may change at any time.

  • The subject line "E-Ticket#XXXXXXXXXX"
  • An attachment named "eTicket#XXXX.zip"

US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:

  • Install anti-virus software, and keep its virus signature file up to date.
  • Do not open attachments in unsolicited email messages.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
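
One way a mail administrator could check messages for the two characteristics listed above (an added example, not code from US-CERT, Sophos or CudaMail). It assumes each "X" in the advisory's patterns stands for a digit; the function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumption: each "X" in the advisory's patterns stands for a digit.
SUBJECT_RE = re.compile(r"E-Ticket#\d+", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"eTicket#\d+\.zip", re.IGNORECASE)


def eticket_indicators(raw_message):
    """Return which advisory characteristics a raw RFC 5322 message shows."""
    # policy.default decodes RFC 2047 encoded-words, so an encoded Subject
    # is compared in its displayed form, not as raw header bytes.
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        hits.append("subject")
    # walk() visits nested parts too, e.g. an attachment inside a forward.
    for part in msg.walk():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.fullmatch(name.strip()):
            hits.append("attachment")
            break
    return hits


def build_sample(subject, filename=None):
    """Constructed test message; the attachment is an empty ZIP archive."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Please open the attachment to obtain your e-ticket.")
    if filename:
        empty_zip = b"PK\x05\x06" + bytes(18)
        m.add_attachment(empty_zip, maintype="application",
                         subtype="zip", filename=filename)
    return m.as_string()


# Constructed message whose Subject is Q-encoded ("=23" is "#").
ENCODED = "Subject: =?utf-8?q?E-Ticket=230123456789?=\n\nSee attachment.\n"

if __name__ == "__main__":
    print(eticket_indicators(build_sample("E-Ticket#0123456789", "eTicket#1234.zip")))
    print(eticket_indicators(build_sample("Lunch on Friday", "menu.zip")))
    print(eticket_indicators(ENCODED))
```

Because the advisory notes that these attributes may change at any time, a match is a reason to quarantine for review rather than a complete signature for the campaign.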


 Tuesday, July 29, 2008
Tuesday, July 29, 2008 10:13:46 AM (Mountain Daylight Time, UTC-06:00) ( Robert Soloway | Spam | Storm Worm | Threats | US-CERT )
With the 4-year prison term for Robert Soloway and the murder/suicide of Eddie Davidson still fresh in our minds comes the following alert from US-CERT, warning us that the subject of the FBI looking at Facebook is being used to spread a new variation of the Storm Worm. I guess the above two penalties don't faze the authors of the Storm Worm.

Eddie Davidson fugitive Spammer in Murder-Suicide.
Soloway given 47 month prison term.

- Shaun



US-CERT Current Activity

New Storm Worm Activity Spreading

Original release date: July 29, 2008 at 9:41 am | Last revised: July 29, 2008 at 9:41 am

US-CERT is aware of public reports of a new Storm Worm campaign. The latest campaign is centered around messages related to the Federal Bureau of Investigation and Facebook. This Trojan horse virus is spread via an unsolicited email message that contains a link to a malicious website. This website contains a link that, when clicked, may run the executable file "fbi_facebook.exe" to infect the user's system with malicious code.

Reports, including a posting by Sophos, indicate the following email subject lines are being used. Please note that subject lines can change at any time.
  • F.B.I. may strike Facebook
  • F.B.I. watching us
  • The FBI's plan to "profile" Facebook
  • The FBI has a new way of tracking Facebook
  • F.B.I. are spying on your Facebook profiles
  • F.B.I. busts alleged Facebook
  • Get Facebook's F.B.I. Files
  • Facebook's F.B.I. ties
  • F.B.I. watching you
US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
  • Install anti-virus software, and keep its virus signature files up-to-date.
  • Do not follow unsolicited web links received in email messages.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

 Friday, July 25, 2008
Friday, July 25, 2008 2:52:08 PM (Mountain Daylight Time, UTC-06:00) ( Anti-Spam | Spam | Threats | US-CERT )
Here's the latest email spam campaign that you should know about ...



US-CERT Current Activity - U.S. Customs and Border Protection Email Attack

Original release date: July 25, 2008 at 3:09 pm | Last revised: July 25, 2008 at 3:09 pm

US-CERT is aware of public reports of an attack circulating via bogus email messages that claim to be from "US Customs Service." The messages may contain the subject line "Parcel requires declaration" and indicate that a parcel has been received addressed to the recipient of the email. These messages may also encourage users to open an attachment to the message that may contain malicious code.

US-CERT encourages users to do the following to help mitigate the risks:
  • Review the alert posted by the U.S. Customs and Border Protection regarding this issue.

  • Do not open attachments contained in unsolicited email messages.

  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.

  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

  • Install anti-virus software and keep virus signature files up to date.

US-CERT will provide additional information as it becomes available.

Relevant Url(s):
http://www.us-cert.gov/cas/tips/ST04-014.html
http://www.us-cert.gov/reading_room/emailscams_0905.pdf
http://www.customs.gov/xp/cgov/newsroom/alerts/email_virus.xml
====

This entry is available at: http://www.us-cert.gov/current/index.html#u_s_customs_and_border

 Wednesday, July 09, 2008
Wednesday, July 09, 2008 4:43:08 PM (Mountain Daylight Time, UTC-06:00) ( Storm Worm | US-CERT )
Just a heads-up that the Storm Worm is up to the same tricks again, with a war theme this time.
As always, watch out for these kinds of tactics.

- Shaun



US-CERT Current Activity: New Storm Worm Variant Spreading

Original release date: July 9, 2008 at 8:48 am | Last revised: July 9, 2008 at 8:48 am

US-CERT has received reports of new Storm Worm activity. The latest activity uses messages that refer to the conflict in the Middle East.

This Trojan is spread via unsolicited email messages that contain a link to a malicious website. The website is noted as having the following malicious characteristics, which may be used to infect the user's system with malicious code.
  • A video that, when opened, may run the executable file "iran_occupation.exe".
  • A banner ad that, when clicked, may run the executable file "form.exe".
  • A hidden iframe linked to "ind.php".
Reports, including a posting by Sophos, indicate that the following subject lines are being used. Please note that subject lines can change at any time.
  • 20000 US soldiers in Iran
  • Iran USA conflict developed into war
  • More than 10000 Iranians were murdered
  • Negotiations between USA and Iran ended in War
  • Occupation of Iran
  • Plans for Iran attack began
  • The Iran's Leader Mahmoud Ahmadinejad declared Jihad to USA
  • The World War III has already begun
  • The begining of The World War III
  • The military operation in Iran has begun
  • The secret war against Iran
  • Third War in Iran
  • Third World War has begun
  • US Army crossed Iran's borders
  • US Army invaded Iran
  • US army is about 20 kilometers from Tegeran
  • US soldiers occupied Iran
  • USA attacked Iran
  • USA declares war on Iran
  • USA occupeid Iran
  • USA unleashed war on Iran
  • War between USA&Iran
  • War with Iran is the reality now
  • Washington prefers to shoot first
US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
  • Install anti-virus software, and keep its virus signature files up-to-date.
  • Do not follow unsolicited web links received in email messages.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.


Relevant Url(s):
http://www.us-cert.gov/cas/tips/ST04-014.html

http://www.sophos.com/security/blog/2008/07/1569.html

http://www.us-cert.gov/reading_room/emailscams_0905.pdf



This entry is available at:

www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading


About the author

Shaun Sturby, MCSE
Technical Services Manager, and Optrics' point person for email security


© Copyright 2008, Optrics Inc.