http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090704

adoresong.com
alldatanow.com
alldataworld.com
bestlovehelp.com
cantlosedata.com
chatloveonline.com
cherishletter.com
cherishpoems.com
freedoconline.com
losenowfast.com
lovecentralonline.com
lovelifeportal.com
mingwater.com
theworldpool.com
wagerpond.com
whocherish.com
worldlovelife.com
worshiplove.com
yourdatabank.com
yourteamdoc.com

These have been updated and added to the list on the Shadowserver site at:

http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt

Steven

http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt

However, just wanted to reiterate to people that you should block all of these domains:

Registered January 23, 2009:

adorelyric.com
adorepoem.com
adoresongs.com
bestadore.com
bestlovelong.com
funloveonline.com
youradore.com
yourgreatlove.com

Registered January 19, 2009:

bestgoodnews.com
goodnewsdigital.com
goodnewsreview.com
linkworldnews.com
reportradio.com
spacemynews.com
wapcitynews.com
worldnewsdot.com
worldnewseye.com
worldtracknews.com

Registered January 15, 2009:

bestbarack.com
bestbaracksite.com
bestobamadirect.com
expowale.com
greatbarackguide.com
greatobamaguide.com
greatobamaonline.com
jobarack.com
superobamadirect.com
superobamaonline.com
thebaracksite.com
topwale.com
waledirekt.com
waleonline.com
waleprojekt.com

Older:

bestchristmascard.com
bestmirabella.com
bestyearcard.com
blackchristmascard.com
cardnewyear.com
cheapdecember.com
christmaslightsnow.com
decemberchristmas.com
directchristmasgift.com
eternalgreetingcard.com
freechristmassite.com
freechristmasworld.com
freedecember.com
funnychristmasguide.com
greatmirabellasite.com
greetingcardcalendar.com
greetingcardgarb.com
greetingguide.com
greetingsupersite.com
holidayxmas.com
itsfatherchristmas.com
justchristmasgift.com
lifegreetingcard.com
livechristmascard.com
livechristmasgift.com
mirabellaclub.com
mirabellamotors.com
mirabellanews.com
mirabellaonline.com
newlifeyearsite.com
newmediayearguide.com
newyearcardcompany.com
newyearcardfree.com
newyearcardonline.com
newyearcardservice.com
smartcardgreeting.com
superchristmasday.com
superchristmaslights.com
superyearcard.com
themirabelladirect.com
themirabellaguide.com
themirabellahome.com
topgreetingsite.com
whitewhitechristmas.com
worldgreetingcard.com
yourchristmaslights.com
yourdecember.com
yourmirabelladirect.com
yourregards.com
youryearcard.com

Waledac Exploit Domain List:

googol-analisys.com
seocom.name
seocom.mobi
seofon.net

—-

Also, if you are interested in all things Waledac (omghi2u!), check our Jeremy’s Waledac tracker here:

http://sudosecure.net/waledac/

It looks like Google Chrome is a pretty risky proposition right now. Yes, it is beta but some of these items are a bit alarming. I am not one of the people that calls Google evil, but I try not to let them near my data whenever possible. Using this browser definitely won’t further that cause. It is still a bit early with a few early adopters(testers), so we might see a lot of fixes and improvements across the board before its final release. I’ll post my two cents at a later date for anyone that might care.

I did a quick check and I can see that at least two visitors of the blog are trying out Google Chrome. Hopefully I’m not scaring anyone away from testing the browser, that certainly isn’t my intent. However, I just want people to know about the potential risks to privacy and security that presently exist. All browsers have security issues, however, that doesn’t mean we should ignore them. If you have any comments on this issue or the browser, feel free to submit them and I will post them.

In case there’s any interest, the Google Chrome User-Agent looks like this:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13

In 2004 I got a copy of PGP 8.1 for Windows to use on an XP install at home. With this install came the standard PGP system tray icon that would let you control a sleuth of things to include clipboard and current window encryption/decryption as well as give you quick access to the PGP keys interface. This fine little install also had an Outlook (Express for me on that machine) plug-in for easy encryption/decryption of e-mail. It had its kinks and bugs but it worked pretty well. Now jump 4 years ahead to the present and on my Mac and Linux systems I use GnuGP (gpg) but that’s all done on the command line, so it’s kind of a pain. On an XP install with Office 2007 that I have at home — I do not have anything at all (no PGP or GPG).

Today I decided to put and end to that and paid for the upgrade for $29.99 (I was eligible from my old license) to PGP Home Desktop 9.8. Sure I feel like a sucker paying for software for which there are similar free options, but the GUI and a couple of other features are something I wanted to have. The new version also has some full disk encryption options as well as the creation of encrypted drives/storage spaces, which sounds nifty I suppose. Still consider checking out TrueCrypt anyway.

Anyway, the first thing I noticed was that the download of PGP Desktop was 72 MB .zip file, which seemed a little large. To my surprise they decided to pack both the 64-bit and 32-bit versions into the same .zip file. I really don’t see the logic in this. They could save bandwidth usage and time for both parties and I’ll take an absolutely wild stab in the dark that their 64-bit installs aren’t quite as numerous as their 32-bit installs (I could be wrong… it happened once). Great so I managed to install the correct version and am all fired up and good to go. Only I guess I suck at the whole RTFM thing because I didn’t realize there is no longer an Outlook plug-in. They went with the god awful proxy-detect-email-look-for-encryption-keys-we-suck method. All I can say is that I am very disappointed. I believe the plug-in was one of the best features of the old product. Now you’re stuck with some half-assed detection method that will send unencrypted messages if it messes up — super idea! I think I will pass on that.

Anyone else have some thoughts and opinions on the latest versions of PGP? I would love to hear them and I’ll approve/post the comments as long as they’re not overly vulgar (PG-13 at worst please).

Subject: We have hijacked your baby

Body:

Hey We have hijacked your baby but you must pay once to us $50 000. The details we will send later…

We has attached photo of your fume

Funny topic and bad grammar all make for a good virus/spam campaign. However, you might be wondering if I am nervous about receiving such an e-mail? Well, e-mail never really makes me nervous and then again I also don’t have a baby. Although I think I would be concerned if I had a baby and someone “hijacked” it. It seems my message got nibbled on by “MIMEDefang”, which was a bit disappointing since I wanted to see the attachment. I wanted to see if the trojan included a picture of a baby or not. I guess I’ll have to wait in suspense until someone shares a copy with me.

Feel free to drop me a line with a copy of this e-mail if you have it intact - steven [at] securityzone [dot] org

Update: 11:40 PM

Got a copy of the e-mail with the attachment in place. Sorry no picture but there is an attachment called “photo.zip” that has “photo.exe” inside of it. File MD5 for the .exe is 807efe034e50327234e83bc9e6a94b32.

This is a piece of malware which then downloads more malware from the known malicious website reddii.org. Stay away from these e-mails and that domain.

Potential affected OS versions that may have received these updates:

Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 4)

You can grab the OpenSSH blacklist script from the Red Hat website by clicking here. This script can be run by a non-privileged users to check if the OS has any of the listed malicious packages.

You can check your current flash version by clicking here.

You can upgrade to the latest version of flash by clicking here.

Don’t wait - just upgrade right now!

Subject: Tax Notification
From: “Internal Revenue Service” <taxrefund@1×8c.8xdb95d4.irs.gov>
Date: Tue, May 20, 2008 6:36 am

Internal Revenue Service (IRS)
United States Department of the Treasury

Dear Taxpayer,

After the last annual calculations of your fiscal
activity we have determined that you are eligible
to receive a tax refund of $184.80.

Please submit the tax refund request and allow us
6-9 days in order to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying
after the deadline.

To access the form for your tax refund, use the following personalized link:

http://0×7C.0xDB11D1/www.irs.gov/

Regards,
Internal Revenue Service

Document Reference: (0×7C.0xDB11D1).

Notice that the URL is http://0×7C.0xDB11D1/www.irs.gov/ and that they used 0×7C.0xDB11D1 as the “Document Reference” in attempt to make it look more official. Well it turns out that 0×7C.0xDB11D1 really converts to an IP address in Taiwan - 124.219.17.209. Visiting this IP address or the URL abovve ends up redirecting you http://www.comtipps.de/www.irs.gov/index.htm?memberID=0×7C.0xDB.0×11.0xD1.

This then tries to get your social security number, credit card information (including CVV code and ATM PIN), date of birth, full name and address, phone number, and finally e-mail address (wouldn’t one assume they already have this if they e-mailed you? :D). Be on the look out for this slightly different take on an old trick.