May 12th, 2008 by JM Hipolito (Technical Communications)
This definitely won’t be music to the ears of music aficionados who acquire their MP3s from peer-to-peer (P2P) networks, but it’s definitely not something they haven’t heard of either.
A host of adware disguised as media files on P2P networks has reportedly been racking up victims on the Web. It was initially reported by McAfee in their blog and gained attention after the said security vendor rated it a “medium” threat level.
Investigations made by Trend Micro researchers reveal that some of the adware pose as an MP3 or MPG file in P2P networks under the following fake file names:
- Preview-T-3545425-kylie carried away.mp3
- Preview-T-3545425-patayin sa sindak si barbara.mp3
- Preview-T-3545425-say it tpain.mp3
- Preview-T-3545425-you are what love jenny lewis.mp3
- T-192511-Preview-T-3545425-hank wiiliams sr.mp3
- T-210943-Preview-T-3545425-lolie pop lil wyane.mp3
- T-2559308-Rare Recording.wma
- T-27595-Preview-T-3545425-last king of scotland 2006.mpg
- T-3523960-T-3545425-never back down sound track.mp3
- T-408673-T-3545425-billy ellot.mpg
- T-482753-Preview-T-3545425-ever same bon jovi.mp3
- T-56319-Preview-T-3545425-buddy holly just you know why.mp3
- T-660855-Preview-T-3545425-(Porno) Kim Kardashian & Ray J (full sex tape).mpg
- T-89957-Preview-T-3545425-that chick mariah carey.mp3
Researchers believe that the fake file names are derived from users’ files themselves and are used at random. These files come in adware packages detected as the following:
- ADW_AGENTODK
- ADW_SAHAGENTBJ
- ADW_ZENO
Upon download of the supposed media file, it connects the user to the URL http://www.{BLOCKED}3player.com/affiliates/772465/1/PLAY_MP3.exe and downloads PLAY_MP3.EXE. This file is detected by Trend Micro as ADW_AGENT.FMG.
As notable and “rampant” as this attack is known to be, a malware posing as a media file in a P2P network isn’t exactly breaking news. As Trend Micro Security Researcher Joey Costoya explains, “It should be noted that propagating malware through P2P, even through media files, is not that new. This technique has been seen some years ago. And P2P networks are always loaded with fake stuff that will eventually lead to a malware infection.”
The silver lining: P2P networks have been infamous mostly due to copyright violation issues and their reputation as an unsafe source for media files. With cases such as this to prove the point, users now ought to think twice before resorting to P2P networks for their next MP3 file, or else music will not tame the savage malware beast, but unleash it.
May 10th, 2008 by Dianne Lagrimas (Technical Communications)
There’s no breathing easy when it comes to online security these days. As several thousand Web sites try to recover from being hacked via SQL injection barely two days ago, in comes another massive attack on more than half a million Web sites.
Advanced Threats Research Program Manager Ivan Macalintal found the malicious script JS_SMALL.QT injected into various Web sites believed to be either running poorly implemented phpBB installations or older, exploitable versions of the said program. In the past, some of these compromised sites were found to have been riddled with “phake pharma” and porn comment spam, while others had previously been defaced by underground hackers. Advanced Threats Researcher Alice Decker has seen infections relating to this malicious script as early as February this year.
This compromise is very similar to the mass compromises that we’ve seen earlier — visiting a compromised site leads to a series of redirections, which eventually causes the downloading of malware. In this case, TROJ_ZLOB.CCW is on the tail-end. In true ZLOB fashion, this variant poses as a video codec installer:

Sure, this one is not at all tricky, since we’ve seen our share of ZLOB variants posing as video codecs before. However, consider that this specific variant tries to lure users into installing the codec by presenting itself as being necessary to view porn:

Who wouldn’t want free porn? Unfortunately users expecting explicit videos will instead get a slew of Trojans detected as the following:
These types of Trojans are known for changing an affected system’s local DNS and Internet browser settings, thus making the system vulnerable for even more potential threats.
Trend Micro Web Threat Protection already prevents access to the malicious URLs. And as always, users are advised to display extra caution when browsing Web sites, and ensure their security software is up to date.
Our researchers are continuing to investigate this case. We will be posting updates on this compromise as more information becomes available.
Consolidated findings of the Advanced Threats Research, Escalation, and Threat Response teams at TrendLabs
May 9th, 2008 by Fatima Bancod (Email Security Analyst)
The Trend Micro Content Security Team has encountered a phishing attack similar to what affected the Bank of America and Comerica recently. The scheme, which involves a malicious digital certificate supposedly downloaded from a link found in the spammed email, is now being used to fool Merrill Lynch Business Centre customers.
Below is a screenshot of the spammed email message:

The visible link in the said email is a hypertext string that leads to the phishing URL hxxp://wcma.businesscenter.mlbank.bcprivate9054.wcmaloginea.aspxsystem.meetingid.12469.programs.dvppserv.1291logon.info/WCMALoginEA.htm. The said URL poses as the Business Centre’s home page.
Clicking on the said link connects users to a URL where they are prompted to download a required “digital certificate.” However, the phishing site is already inaccessible as of this writing.
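As an added illustration (not part of the original post), the following Python snippet shows why a hostname like the one above is deceptive: every brand-like label sits in the subdomain, while the registrable domain that actually controls the site is 1291logon.info. The allowlist of genuine domains and the brand tokens are assumed placeholders, and the two-label domain rule is a simplification of the Public Suffix List.

```python
from urllib.parse import urlsplit

# The defanged phishing URL quoted in the post above.
PHISH_URL = ("hxxp://wcma.businesscenter.mlbank.bcprivate9054.wcmaloginea.aspxsystem."
             "meetingid.12469.programs.dvppserv.1291logon.info/WCMALoginEA.htm")

# Assumed placeholders: where the genuine login page would live, and the brand
# words a phisher is likely to stuff into a hostname.
LEGIT_DOMAINS = {"mlbank.example"}
BRAND_TOKENS = ("mlbank", "businesscenter", "wcma", "login")


def refang(url):
    """Turn a defanged scheme (hxxp/hxxps) back into one urlsplit understands."""
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    return url


def registrable_domain(host):
    """Last two labels only; a real deployment would consult the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def analyse(url):
    """Split the hostname into the part the victim reads and the part that matters."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    base = registrable_domain(host)
    subdomain = host[: len(host) - len(base)].rstrip(".")
    hits = [t for t in BRAND_TOKENS if t in subdomain]
    return {
        "host": host,
        "registrable_domain": base,
        "subdomain_labels": subdomain.count(".") + 1 if subdomain else 0,
        "brand_tokens_in_subdomain": hits,
        # Brand words in the subdomain of a domain we do not own is the phishing pattern.
        "lookalike": bool(hits) and base not in LEGIT_DOMAINS,
    }


if __name__ == "__main__":
    for key, value in analyse(PHISH_URL).items():
        print(f"{key}: {value}")
```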
Sunbelt also warns users in their blog that this technique is very likely being used in other schemes as well.
May 9th, 2008 by Paul Oliveria (Technical Communications)
Unsuspecting users who may wish to buy (or simply admire) the new Honda Accord are warned that they may fall victim to a drive-by download leading to the installation of info-stealing malware. TrendLabs discovered today an attack on the official web site of Honda Cars in Thailand.
According to Advanced Threats Researcher Jonell Baltazar, who discovered the compromise, the affected page, hxxp://www.honda.co.th:80/accord, was injected with a malicious script tag (detected by Trend Micro as HTML_IFRAME.QJ), which loads a page within the cleverly named getanewmazda.info domain. This page contains a script that looks for vulnerabilities to download and execute a certain file on the victim’s system. The downloaded file (which is named crypt.exe and saved as c:\winQZfio771.exe) is detected as TSPY_ZBOT.LA.
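An added example, not TrendLabs’ own tooling: a small scanner that flags script and iframe tags whose src points outside a site’s own domain, run over a constructed page modelled on the injection described above. The honda.co.th site domain and the getanewmazda.info attacker domain come from the post; the trusted CDN domain, file names and markup are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page modelled on the injection described above. The attacker
# domain getanewmazda.info and the site domain come from the post; the CDN host,
# file names and markup are made up.
SAMPLE_HTML = """
<html><head><title>Accord</title>
<script src="/js/gallery.js"></script>
<script src="http://cdn.honda-thailand.example/menu.js"></script>
</head><body>
<img src="accord.jpg">
<script src="http://getanewmazda.info/x.js"></script>
<iframe src="http://getanewmazda.info/load.htm" width="0" height="0"></iframe>
</body></html>
"""


class SrcCollector(HTMLParser):
    """Record the src attribute of every script and iframe tag."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def within(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def offsite_loaders(html, site_domain, trusted=()):
    """Return (tag, src) pairs that pull executable content from a domain that is
    neither the site's own nor an explicitly trusted third party."""
    parser = SrcCollector()
    parser.feed(html)
    allowed = [site_domain.lower()] + [t.lower() for t in trusted]
    findings = []
    for tag, src in parser.refs:
        host = urlsplit(src).hostname
        if host is None:  # relative URL: served by the site itself
            continue
        if not any(within(host.lower(), d) for d in allowed):
            findings.append((tag, src))
    return findings
```

Run `offsite_loaders(SAMPLE_HTML, "honda.co.th", trusted=("honda-thailand.example",))` to see only the two getanewmazda.info loaders reported; drop the trusted list and the CDN reference is reported as well.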
This compromise was discovered due to a feedback technology on our customers’ products. This mechanism allows our systems to monitor and block potential malicious URLs. In this case, a client visit to the compromised site automatically registered the HTML_IFRAME.QJ detection, thereby protecting the user from further infection. Trend Micro Web Threat Protection has prevented access to the compromised site, protecting customers from possible infection.
Below is a screenshot of the compromised page within the Honda Cars site. Note that the malicious script also affects both the English and Thai landing pages (main.html) after a user accesses any one of them:

The downloaded TSPY_ZBOT.LA, in turn, accesses yet another domain, from which possibly more malicious files can be downloaded. As of this writing, our researchers found stored user names and passwords in this domain, suggesting that it is used either as a phishing page or as mere storage from which cyber criminals can easily retrieve stolen information.
This is not the first time a Thai site has been compromised. In the past couple of months, we have reported similar incidents affecting the sites of the Royal Thai Air Force and Udiya Tours of Northern Thailand, among others.
Note that this seems to be an isolated incident: so far as the Honda enterprise is concerned, only the Honda Cars Thailand site has been injected with the malicious script. As of this writing, Honda Cars Thailand has promptly taken their site offline in order to address the matter.
Consolidated findings of the Advanced Threats Research, APAC RTL, and Web Threat Protection teams at TrendLabs
May 7th, 2008 by Paul Ferguson (Advanced Threats Researcher)

“The Tragedy of the Commons is a type of social trap, often economic, that involves a conflict over finite resources between individual interests and the common good.”
- Wikipedia
In a perfect world, we all understand that certain situations should not exist which put our critical infrastructure at risk — we all like to be able to have electricity, water, and other common utilities which we normally take for granted.
But we do not live in a perfect world, of course.
I have written about SCADA (Supervisory Control And Data Acquisition) issues before on this blog, but I’d like to renew & enjoin the public interest in certain recent events & issues which may put these resources at risk.
First, let’s look at the issue of “convergence”, or rather, “premature convergence” which seems to be a better definition:
“…premature convergence means that a population for an optimization problem converged too early, resulting in being suboptimal.”
- Wikipedia
This is similar to — what I believe to be — the situation wherein some unknown portion of the SCADA controls & operations community has strategically moved itself into: using the same platforms, operating systems, and software, which are now susceptible to the vulnerabilities that we all know too well. Buffer overflows, remote exploitation, denial of service vulnerabilities, and so forth and so on.
Now, this wouldn’t be a problem if these systems were, in no uncertain terms, not connected to the Internet in any way, shape, or form.
But that is increasingly not the case.
Due to operational “optimization” (meaning: it is cheaper to use publicly available connectivity to manage these systems), the SCADA threat landscape now begins to look a lot like the network security landscape that we all know and respect — one of constant vigilance and constant defensive threat posture.
Within the past couple of days, there have been a couple of SCADA systems management platform vulnerabilities announced which could result in some rather serious exploitation. The SANS ISC reported yesterday a situation in which one software suite “…provides unauthorized access, allows partial confidentiality, integrity, and availability violation, allows unauthorized disclosure of information, allows disruption of service.”
This seems rather serious. And I have been informed that there is at least one more similar vulnerability which has not been publicly disclosed yet.
As utility companies make operational decisions based on economic business savings (using the Internet, or an Internet VPN, to manage their client-control base to save money), the unintended consequences can be severe. When they occur. If they occur.
Throw the dice.
Let’s keep our fingers crossed that the SCADA community quickly comes to grips with the nature of network security.
“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research