
TwistyPuzzles.com Forum


All times are UTC - 5 hours

 Post subject: BE ALERT OF VIRUS
PostPosted: Wed Feb 27, 2013 3:11 am 

Joined: Mon Feb 07, 2005 6:17 pm
Location: California, USA
Hello my friends!
Some of you have received e-mail from me (Aleh Hladzilin), but it's not from me. Please don't open the link, it is a virus (I think).
Thanks.



Last edited by Aleh on Wed Feb 27, 2013 12:06 pm, edited 1 time in total.

 Post subject: Re: BE ALERT OF VIRUS
PostPosted: Wed Feb 27, 2013 11:01 am 

Joined: Wed Jan 21, 2009 12:58 pm
I already told this to Aleh via PM, but I figured maybe other Yahoo! Mail users should be warned.

Read this if you are using Yahoo! Mail.

If you have a suspicion that someone is accessing your Yahoo! Mail account, you could "View your recent sign-in activity" to verify by country or by IP (more info below). Then change your password immediately.

So, it turns out that it wasn't malware that is going around stealing Yahoo! passwords (e.g., a computer virus, keylogger, spyware or any other malicious program that logs all the pressed keys to get a victim's password). These hackers are using a simple (and legal) mobile application that accesses Yahoo! Mail called "Yahoo! Mobile". Normally, you need the account's password, but apparently there is a bug in that application that gives them access without the password, and once in, the application might even give them the actual password (or maybe they modified the app). Then, they send spam to your contacts (and/or anybody in your "Sent" folder).

The main problem is that "Yahoo! Mobile" is active by default for old Yahoo! accounts, which means that this application is authorized to access your account without your permission.

The good news is that this can be fixed to avoid hacks in the future. Here's how to remove "Yahoo! Mobile" from the authorized Apps in your Yahoo! account:
1.- Sign in to Yahoo! making sure it is really mail(dot)yahoo(dot)com and not a phishing website
2.- Hover on "Hi, Your Name" on the top-right corner to get to "Account Info" (this will open a new window/tab and Yahoo! will ask you to verify your password)
3.- In the "Account Information page", select "Manage Apps and Website Connections" (by the way, later you can come back here and select "View your recent sign-in activity", if you are curious).
4.- In the "Manage App and Website Connections" page, click on "Remove" next to "Yahoo! Mobile"
5.- Click on "Back to Account Info" and then "Mail" on the top (or close the new window/tab) to get back to the main Yahoo! Mail page.

By the way, apparently Yahoo! is aware of this because new accounts have that option inactive by default (it says "Currently you have no app or website connections").

Peace,

Skarabajo.

_________________
My collection | My first mod | Making of first mod | Items for sale


 Post subject: Re: BE ALERT OF VIRUS
PostPosted: Wed Feb 27, 2013 12:04 pm 

Joined: Sun Mar 27, 2005 7:37 pm
I received this email and clicked on the link since I know and trust Aleh. As stated, it was spam, so does that mean I am safe? It wasn't a Yahoo account, btw. Naturally I will do a virus scan, though AVG seems quite poor these days.



 Post subject: Re: BE ALERT OF VIRUS
PostPosted: Wed Feb 27, 2013 12:06 pm 

Joined: Wed Jan 21, 2009 12:58 pm
Tony, when I first got one of these spam emails (not from Aleh, it was another Yahoo! Mail user), I opened the link in a safe environment (using a computer that has DeepFreeze) and it turned out to be a broken link, so nothing happened. Please keep us posted about the outcome of this spam link. I am curious about it.

Skarabajo.

_________________
My collection | My first mod | Making of first mod | Items for sale


 Post subject: Re: BE ALERT OF VIRUS
PostPosted: Wed Feb 27, 2013 12:14 pm 

Joined: Thu Dec 31, 2009 8:54 pm
Location: Bay Area, California
Tony Fisher wrote:
I received this email and clicked on the link since I know and trust Aleh. As stated, it was spam, so does that mean I am safe? It wasn't a Yahoo account, btw. Naturally I will do a virus scan, though AVG seems quite poor these days.

You're probably safe Tony. The decay in quality of AV is not just in your imagination and AVG isn't unique in this regard. All AV is struggling.

Yahoo has had numerous account hijack issues for several years now. This is just the latest round of them.

Perhaps somebody could post the full email with headers?

_________________
Prior to using my real name I posted under the account named bmenrigh.


 Post subject: Re: BE ALERT OF VIRUS
PostPosted: Wed Feb 27, 2013 12:47 pm 

Joined: Mon Sep 09, 2002 2:19 pm
Location: Yaroslavl, Russia and Maryland, USA
bmenrigh wrote:
Perhaps somebody could post the full email with headers?

I had to remove the actual email addresses.

Delivered-To: XXXXXXX@gmail.com
Received: by 10.58.211.194 with SMTP id ne2csp139230vec;
Tue, 26 Feb 2013 10:17:21 -0800 (PST)
X-Received: by 10.60.28.228 with SMTP id e4mr2426625oeh.111.1361902641623;
Tue, 26 Feb 2013 10:17:21 -0800 (PST)
Return-Path: <XXXXXXX@yahoo.com>
Received: from nm16-vm3.bullet.mail.ne1.yahoo.com (nm16-vm3.bullet.mail.ne1.yahoo.com. [98.138.91.146])
by mx.google.com with ESMTPS id h4si2176096obn.80.2013.02.26.10.17.21
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Tue, 26 Feb 2013 10:17:21 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of XXXXXXX@yahoo.com designates 98.138.91.146 as permitted sender) client-ip=98.138.91.146;
Authentication-Results: mx.google.com;
spf=pass (google.com: best guess record for domain of XXXXXXX@yahoo.com designates 98.138.91.146 as permitted sender) smtp.mail=XXXXXXX@yahoo.com;
dkim=pass header.i=@yahoo.com
Received: from [98.138.226.178] by nm16.bullet.mail.ne1.yahoo.com with NNFMP; 26 Feb 2013 18:17:20 -0000
Received: from [98.138.89.195] by tm13.bullet.mail.ne1.yahoo.com with NNFMP; 26 Feb 2013 18:17:20 -0000
Received: from [127.0.0.1] by omp1053.mail.ne1.yahoo.com with NNFMP; 26 Feb 2013 18:17:20 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 746233.93795.bm@omp1053.mail.ne1.yahoo.com
Received: (qmail 83929 invoked by uid 60001); 26 Feb 2013 18:17:20 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1361902640; bh=Ht8ufjam3z+X8LIaCYfVEqyqe8DKiURkOZOKe+0YkaY=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=K37dcDUJvVT8NB6nOQXpAmPXUKgC1PROamDjLWkOQ4u0RcdEPsstmS7odweAKzIFI5WKRXlt9LMUlQzMdNZq118el7EkBkrijUhO8dglHFOlAy9/4BP1GKzsl/K0o07VyA5JrZood/HCCrkla0todmW62oUorcYiNx6PTInC99E=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
b=06Z+QoTt7tJqWLspbgbs4daDYnF0dJ1GDZszrEdAaZLgOISmXHjU5dWpr9nLw9U7FH12d2vdpsaRU5dnyfmijoaLqeSPSAnYoHkvSRWmsobgpGcBWLdHQ+lWbHaZwq819ejAAhszt7e8GGX26m3ps09AOeN5V5JlhxWdcpfrSCM=;
Received: from [180.215.45.228] by web124903.mail.ne1.yahoo.com via HTTP; Tue, 26 Feb 2013 10:17:20 PST
X-Rocket-MIMEInfo: 001.001,Jm5ic3A7aHR0cDovL3lhbmR1cGlzbGFuZC5jb20vc2dsa2V5L3FrczF1bW13ND9wNWp5b2lidjB6NTR0NGkwZmkyeGlhJm5ic3A7Jm5ic3A7Jm5ic3A7IAombmJzcDsmbmJzcDsmbmJzcDsgCiZuYnNwO0FsZWggSGxhZHppbGluCgEwAQEBAQ--
X-Mailer: YahooMailWebService/0.8.135.514
Message-ID: <1361902640.82375.YahooMailNeo@web124903.mail.ne1.yahoo.com>
Date: Tue, 26 Feb 2013 10:17:20 -0800 (PST)
From: Aleh Hladzilin <XXXXXXX@yahoo.com>
Reply-To: Aleh Hladzilin <XXXXXXX@yahoo.com>
Subject: Aleh Hladzilin
To: XXXXXXX <XXXXXXX@gmail.com>, XXXXXXX <XXXXXXX@hotmail.com>,
XXXXXXX <XXXXXXX@mms.att.net>, XXXXXXX <XXXXXXX@mefferts.com>,
XXXXXXX <XXXXXXX@gmail.com>, XXXXXXX <XXXXXXX@gmail.com>,
XXXXXXX <XXXXXXX@mefferts.com>, XXXXXXX <XXXXXXX@hotmail.com>,
XXXXXXX <XXXXXXX@gmail.com>,
XXXXXXX <XXXXXXX@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-904242613-41921432-1361902640=:82375"

---904242613-41921432-1361902640=:82375
Content-Type: text/plain; charset=us-ascii

&nbsp;http://yandupisland.com/sglkey/qks1ummw4?p5jyoibv0z54t4i0fi2xia&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;
&nbsp;Aleh Hladzilin

---904242613-41921432-1361902640=:82375
Content-Type: text/html; charset=us-ascii

<html><body><div style="color:#000; background-color:#fff; font-family:tahoma, new york, times, serif;font-size:10pt"><span style="font-size: 18px;">&nbsp;</span><span style="font-size: 16px;"><a href="http://yandupisland.com/sglkey/qks1ummw4?p5jyoibv0z54t4i0fi2xia">http://yandupisland.com/sglkey/qks1ummw4?p5jyoibv0z54t4i0fi2xia</a></span><div><span class="tab">&nbsp;&nbsp;&nbsp; </span><br><span class="tab">&nbsp;&nbsp;&nbsp; </span><br><span class="tab"><span style="font-size: 18px;">&nbsp;Aleh Hladzilin</span><br></span></div></div></body></html>
---904242613-41921432-1361902640=:82375--

_________________
Aleksey


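The header analysis that follows in the thread, as an added example (not code from the thread or from Yahoo): a small Python triage helper that parses headers like the ones posted above, pulls the webmail login client IP out of the "via HTTP" Received line, collects the SPF/DKIM verdicts (both pass here because the mail genuinely left Yahoo's servers from the hijacked account), and lists the URLs in the body. The sample message is a trimmed, constructed copy of the posted headers and body; the XXXXXXX placeholders are kept redacted as in the post.

```python
import email
import re

# Constructed sample: a trimmed copy of the headers and body posted above,
# with recipients left redacted exactly as in the post.
SAMPLE = """\
Received: from nm16-vm3.bullet.mail.ne1.yahoo.com (nm16-vm3.bullet.mail.ne1.yahoo.com. [98.138.91.146])
 by mx.google.com with ESMTPS id h4si2176096obn.80.2013.02.26.10.17.21;
 Tue, 26 Feb 2013 10:17:21 -0800 (PST)
Authentication-Results: mx.google.com;
 spf=pass (google.com: best guess record) smtp.mail=XXXXXXX@yahoo.com;
 dkim=pass header.i=@yahoo.com
Received: from [98.138.226.178] by nm16.bullet.mail.ne1.yahoo.com with NNFMP; 26 Feb 2013 18:17:20 -0000
Received: from [180.215.45.228] by web124903.mail.ne1.yahoo.com via HTTP; Tue, 26 Feb 2013 10:17:20 PST
From: Aleh Hladzilin <XXXXXXX@yahoo.com>
Subject: Aleh Hladzilin
To: XXXXXXX <XXXXXXX@gmail.com>
Content-Type: text/plain; charset=us-ascii

&nbsp;http://yandupisland.com/sglkey/qks1ummw4?p5jyoibv0z54t4i0fi2xia&nbsp;&nbsp;
&nbsp;Aleh Hladzilin
"""

# Webmail sessions appear as "from [client-ip] by <webhost> via HTTP";
# that client IP is the address that actually logged in to the account.
WEBMAIL_RE = re.compile(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\]\s+by\s+(\S+)\s+via\s+HTTP")
AUTH_RE = re.compile(r"\b(spf|dkim)=(\w+)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def triage(raw):
    """Return the originating webmail client, auth verdicts and body URLs."""
    msg = email.message_from_string(raw)
    result = {"webmail_client_ip": None, "webmail_host": None, "auth": {}, "urls": []}
    for received in msg.get_all("Received", []):
        m = WEBMAIL_RE.search(received)
        if m:
            result["webmail_client_ip"], result["webmail_host"] = m.group(1), m.group(2)
            break
    for value in msg.get_all("Authentication-Results", []):
        result["auth"].update(AUTH_RE.findall(value))
    body = msg.get_payload(decode=True).decode("ascii", "replace")
    # Yahoo's composer pads the plain-text body with HTML non-breaking spaces.
    body = body.replace("&nbsp;", " ")
    result["urls"] = URL_RE.findall(body)
    return result

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The point of the SPF/DKIM check is that a pass here is expected, not reassuring: authentication only tells you the message came from Yahoo, so the Received line with the login IP is the artifact worth escalating.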
 Post subject: Re: BE ALERT OF VIRUS
PostPosted: Wed Feb 27, 2013 1:17 pm 

Joined: Thu Dec 31, 2009 8:54 pm
Location: Bay Area, California
Fortunately that email doesn't contain any malware or exploit. The link (hxxp://yandupisland.com/sglkey/qks1ummw ... t4i0fi2xia) is the intended payload. It seems like yandupisland.com is a legitimate site that has been compromised (pretty typical). I don't know what exploit the site is attempting since all of the requests I've tried result in a 302 redirect. I suspect the site is targeting a specific user-agent string or doing other filtering such as looking for a referer coming from Yahoo.

The site has been compromised since at least the 15th since I've seen a request to hxxp://yandupisland.com/fajm/su4yqqj5=v ... t0b4pv2ajl which also does a 302 redirect.

The perpetrator that logged into the Yahoo webmail interface to send the email was 180.215.45.228, which is located in India. That IP has been observed participating in fast flux DNS, for example:
Code:
6b89aece57633daf.flinchquarry.com.   A   180.215.45.228
043e8b9b71c10276.gaeliccomedy.com.   A   180.215.45.228
0a455f313c31d6e5.objectshabby.com.   A   180.215.45.228
e17dd1230fa0eca8.anothercamden.com.   A   180.215.45.228
0aae14ee1ca95553.deaconsmuseum.com.   A   180.215.45.228
0aae14ee1ca95553.favoursissues.com.   A   180.215.45.228
0a455f313c31d6e5.losersroberts.com.   A   180.215.45.228
eada8baea0f17d4c.losersroberts.com.   A   180.215.45.228
e17dd1230fa0eca8.mediumlacking.com.   A   180.215.45.228
0a455f313c31d6e5.recoupgradual.com.   A   180.215.45.228
043e8b9b71c10276.seekervaughan.com.   A   180.215.45.228
6f01e851d20e4e94.slashedposted.com.   A   180.215.45.228
043e8b9b71c10276.warnockartist.com.   A   180.215.45.228
2d30dd0ca92d1207www9.usuallysweater.com.   A   180.215.45.228


So it's most likely just botted.

I can't find any more info on the botnet(s) being used or the exploit they may be delivering to some users.

Keep your OS up-to-date (do Windows update), and make sure you've either removed Java or updated to the latest release.

_________________
Prior to using my real name I posted under the account named bmenrigh.


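The fast-flux observation above, as an added example (not bmenrigh's tooling): a passive-DNS scorer that groups A records by IP and flags an address that fronts many unrelated registrable domains, typically under random hex host labels like the ones listed. The records are an abridged, constructed copy of the list above plus one benign control line; splitting the registrable domain as the last two labels is an assumption a real tool would replace with a Public Suffix List lookup.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the A records quoted above, plus
# one ordinary control record (documentation IP) that should not be flagged.
RECORDS = """\
6b89aece57633daf.flinchquarry.com.   A   180.215.45.228
043e8b9b71c10276.gaeliccomedy.com.   A   180.215.45.228
0a455f313c31d6e5.objectshabby.com.   A   180.215.45.228
e17dd1230fa0eca8.anothercamden.com.   A   180.215.45.228
0aae14ee1ca95553.deaconsmuseum.com.   A   180.215.45.228
0aae14ee1ca95553.favoursissues.com.   A   180.215.45.228
0a455f313c31d6e5.losersroberts.com.   A   180.215.45.228
eada8baea0f17d4c.losersroberts.com.   A   180.215.45.228
2d30dd0ca92d1207www9.usuallysweater.com.   A   180.215.45.228
www.example.org.   A   203.0.113.10
"""

# Every flux hostname in the quoted list starts with 16 hex characters.
HEX_LABEL = re.compile(r"^[0-9a-f]{16}")

def parse_a_records(text):
    """Yield (hostname, ip) from 'name. A ip' lines, skipping anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "A":
            yield parts[0].rstrip(".").lower(), parts[2]

def registrable(host):
    # Assumption: the last two labels are the registrable domain (no PSL lookup).
    return ".".join(host.split(".")[-2:])

def flux_report(text, min_domains=5):
    """Per IP: distinct hosts and domains, hex-label count, and a suspicious flag."""
    by_ip = defaultdict(lambda: {"hosts": set(), "domains": set(), "hex_labels": 0})
    for host, ip in parse_a_records(text):
        entry = by_ip[ip]
        entry["hosts"].add(host)
        entry["domains"].add(registrable(host))
        if HEX_LABEL.match(host):
            entry["hex_labels"] += 1
    return {
        ip: {"hosts": len(e["hosts"]), "domains": len(e["domains"]),
             "hex_labels": e["hex_labels"],
             "suspicious": len(e["domains"]) >= min_domains}
        for ip, e in by_ip.items()
    }

if __name__ == "__main__":
    for ip, info in flux_report(RECORDS).items():
        print(ip, info)
```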