Archive for September 20th, 2006


Sep20
by Jasper Pimentel (Advanced Threats Researcher)

The Miss World 2006 beauty pageant will be held in Poland on September 30. Unlike other popular international beauty pageants, the Miss World beauty pageant has an interactive way of selecting the winner. Using SMS, people from around the world can vote for the contestant whom they consider to be the one worthy of the beauty title.


A new threat has taken advantage of the event’s unique way of choosing the winner. In another bout of social engineering, it employs the use of instant messaging applications as a distribution vector for the malware. Instant messenger users who are often online may have received the following message recently:


Let’s vote for Miss Vietnam – Mai Phuong Thuy – for the upcoming Miss World championship…


The message is followed by a URL that the unsuspecting user may expect to lead to a site or web page where he can vote for the candidate. Obviously, this does not happen at all. When the URL is accessed, the user is redirected to another website offering credit card debt consolidation, which has absolutely nothing to do with voting for the next Miss World. Here’s what the user didn’t know: when the link was accessed, it first redirected to another site that downloaded a Trojan onto the system. To cover up the download, it then redirected to the site featuring the credit card scheme. In that way, the user wouldn’t notice anything.


Unless he tried to open the task manager or the registry editor.


Initial analysis shows that this Trojan disables the Task Manager and the Registry Editor. Furthermore, Internet Explorer’s startup page is modified so that, instead of the user’s default web page being loaded when the browser is opened, the site where the malware originates is accessed.


Disabling these system applications is a common technique used by most malware to hide from computer-savvy users. Moreover, it prevents knowledgeable users from verifying whether malware is present on the system. Modifying the startup page in IE ensures that even if the malware is deleted or cleaned from the system, it still has a chance of reinstalling itself, because the browser revisits the site that serves it every time it is opened.
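The following PowerShell audit is an added example, not code from the original post or from Trend Micro. It checks a Windows host for the three behaviours just described (Task Manager disabled, Registry Editor disabled, IE start page pointed at an unapproved site); the registry locations are the standard Windows ones, which the post itself does not name, and the approved start page URL is a placeholder.

```powershell
# Added example, not code from the original post or from Trend Micro.
# Audits a Windows host for: Task Manager disabled, Registry Editor disabled,
# and an IE start page that is not on an approved list.
# Registry paths are the standard Windows locations; the post does not name them.
function Test-StartPageHijackIndicators {
    param(
        # Start pages your organisation approves; the intranet URL is a placeholder.
        [string[]]$ApprovedStartPages = @('about:blank', 'http://intranet.example.invalid/'),
        # Remove the policy values and reset the start page when indicators are found.
        # Writing under HKLM requires an elevated session.
        [switch]$Fix
    )
    $findings = @()
    $policyKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            # A value of 1 is what disables taskmgr.exe / regedit.exe for the user.
            if ($props.PSObject.Properties[$name] -and $props.$name -eq 1) {
                $findings += "$key\$name = 1"
                if ($Fix) { Remove-ItemProperty -Path $key -Name $name }
            }
        }
    }
    $ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    if (Test-Path $ieMain) {
        $start = (Get-ItemProperty -Path $ieMain).'Start Page'
        if ($start -and ($ApprovedStartPages -notcontains $start)) {
            $findings += "$ieMain\Start Page = $start"
            if ($Fix) { Set-ItemProperty -Path $ieMain -Name 'Start Page' -Value 'about:blank' }
        }
    }
    # One line per indicator; an empty result means nothing was found.
    return $findings
}

Test-StartPageHijackIndicators
```

A value of 1 that your own Group Policy sets deliberately is expected, so treat it as a finding only on machines where no such policy applies.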


Fortunately, a solution is currently in the works for this threat. Trend will be detecting this malware as TROJ_AGENT.EVJ. We’ll update you once the detection pattern for this Trojan has been released.


Update (Jasper, Wed, 20 Sep 2006 09:55:05 AM)

The detection pattern for this threat has already been deployed in CPR 3.764.01.


Sep20

We’ve just received reports of several sites using the new IE zero-day exploit in conjunction with a Web Attacker kit. Previously, Web Attacker kits were more commonly used with known browser vulnerabilities, many of which were already patched by Microsoft. However, now that it’s being used with the new IE 0-day, a lot more users may be vulnerable to this sort of attack.


For those who have never heard of the Web Attacker kit: it gained quite a bit of media attention earlier this year. It’s basically a user-friendly, do-it-yourself type of hacking kit. That particular kit was made available to the public via a Russian-based website for a sinfully low price ranging from 15 to 20 US dollars. Any script kiddie could easily purchase the kit off the Internet and infect computers using the code provided with it. After that, all that’s left to do is spam messages containing the link to the compromised website.


This just serves as another heads up. We’re still trying to get more information on this. Hopefully more will be available soon. Stay tuned for updates!



© Copyright 2009 Trend Micro Inc. All rights reserved.