Trend Micro Malware Blog
    Archive for December 20th, 2006




    The security industry was recently abuzz with the discovery of a worm supposedly targeting users of the popular VoIP telephone application Skype.


    According to Websense’s Threat Blog, this worm uses Skype’s chat feature to download and execute a file named sp.exe. That file, in turn, appears to drop a password-stealing Trojan. The entry further notes that this possible worm is packed with NTKrnl Secure Suite, a relatively rare (if not unknown) packer, and that infection reports originated in the APAC region, specifically Korea.


    Two things come to mind in light of this event. One is that, even though this worm’s propagation technique is still… well, common, VoIP as a new malware vector is obviously becoming an attractive prospect for malicious authors to sink their teeth into. Two, well… again it’s obvious: a password-stealing routine, an uncommon packer to avoid easy detection, and a specific country of origin? Sounds like a localized, targeted attack geared, once again, for profit, doesn’t it?


    The (sort of) good news is that no widespread outbreak has been reported yet. That doesn’t mean Skype users should go ahead and click the links they receive while chatting, though.


    Trend Micro currently detects the malware’s password-stealing component as TSPY_SKPE.A. Keep posted for updates.

     
    Posted in Uncategorized



    Free MP3, anyone? Advertisements like this are scattered throughout the Internet, but most of the sites behind them, like the one shown below, give you more than just MP3s. Instead, they give you a bucketload of malware downloaders.


    Here is a snapshot of the website, as promised. I won’t show any of the URLs, for obvious reasons.



    When you view the site and search for MP3s like the ones in the snapshot above, the site says that you need its plug-in (Fastmp3_Setup.exe) in order to download MP3s from it.


    Once Fastmp3_Setup.exe is executed, a “download and execute” cycle begins and continues until the system is infected with a bunch of malware. Fortunately for Trend Micro customers, most of the files used here are already detected, including the one that started it all, Fastmp3_Setup.exe. Below is a list of the malware downloaded and the corresponding detection names.



    • http://[blocked]com.ar/Fastmp3_Setup.exe TROJ_DLOADER.GXW
    • http://[blocked]com.ar/1.exe TROJ_MONDO.AF
    • http://[blocked]com.ar/inst.exe TROJ_SMALL.DTH
    • http://[blocked]com.ar/install.exe TROJ_DLOADER.FYG
    • http://[blocked]com.ar/vig.exe TROJ_HIDEPROC.G
    • http://[blocked]fic.com/loadadv559.exe TROJ_SMALL.DTI
    • http://[blocked]fic.com/vv815.exe TROJ_ADLOAD.RU
    • http://[blocked]fic.com/install.exe TROJ_DLOADER.FYG
    • http://[blocked]s.com/si.exe TROJ_REQLOOK.AE
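One way to catch a chain like this on the network side, written as an added example and not code from the original post: a downloader cascade looks, in a proxy access log, like one client fetching several distinct executables from a small set of hosts within a minute or two, which is unusual for a human and routine for a downloader. The log lines, client addresses and hostnames below are constructed (the post redacts the real hosts); only the executable filenames mirror the post, and the log format (epoch seconds, client, method, URL, status) is an assumption.

```python
"""Added example; this is not code from the original Trend Micro post.

Detects a "download and execute" cascade like the Fastmp3_Setup.exe chain
described above in a proxy access log: one client fetching several distinct
executables within a short window. The log lines, client addresses and
hostnames are constructed; only the executable filenames mirror the post.
The log format (epoch seconds, client, method, URL, status) is an assumption.
"""
from collections import defaultdict
from urllib.parse import urlsplit

ACCESS_LOG = """\
1166400000 10.0.0.7 GET http://mp3-site.example/index.html 200
1166400012 10.0.0.7 GET http://mp3-site.example/Fastmp3_Setup.exe 200
1166400020 10.0.0.7 GET http://mp3-site.example/1.exe 200
1166400021 10.0.0.7 GET http://mp3-site.example/inst.exe 200
1166400023 10.0.0.7 GET http://mp3-site.example/install.exe 200
1166400030 10.0.0.7 GET http://adhost.example/loadadv559.exe 200
1166400031 10.0.0.7 GET http://adhost.example/vv815.exe 200
1166400500 10.0.0.9 GET http://vendor.example/update.exe 200
1166404100 10.0.0.9 GET http://vendor.example/tool.exe 200
"""

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".dll")


def parse_log(text):
    """Return (timestamp, client, url, status) tuples from the constructed log."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, status = line.split()
        events.append((int(ts), client, url, int(status)))
    return events


def find_cascades(events, window=120, min_files=3):
    """Return {client: [urls]} for clients that successfully fetched at least
    min_files distinct executables within any window of `window` seconds."""
    per_client = defaultdict(list)
    for ts, client, url, status in events:
        if status == 200 and urlsplit(url).path.lower().endswith(EXEC_EXT):
            per_client[client].append((ts, url))

    hits = {}
    for client, fetches in per_client.items():
        fetches.sort()
        for i, (t0, _) in enumerate(fetches):
            seen = []
            for t, url in fetches[i:]:
                if t - t0 > window:
                    break
                if url not in seen:
                    seen.append(url)
            if len(seen) >= min_files:
                hits[client] = seen  # first qualifying window, in fetch order
                break
    return hits


def hosts_involved(urls):
    """Distinct hosts in a cascade, in first-seen order, for a block list."""
    hosts = []
    for url in urls:
        host = urlsplit(url).hostname
        if host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for client, urls in find_cascades(parse_log(ACCESS_LOG)).items():
        print(client, len(urls), "executables from", hosts_involved(urls))
```

The thresholds are deliberately loose: the chain in the post pulls nine executables in quick succession, so three within two minutes flags it with room to spare, while the second client, which fetches two installers an hour apart, stays clear. Tune `window` and `min_files` against your own proxy baseline before alerting on it.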

    These files aren’t detected, not yet anyway, but I have already given them to the service team and they will soon be given detection names.



    • http://[blocked]fic.com/inst.exe
    • http://[blocked]com.ar/Fastmp3_Setup1.exe
    • http://[blocked]fic.com/1.exe

    Update (Jhoevine Capicio, Fri, 15 Dec 2006 07:30:35 AM)


    The files below will be detected as:



    • http://[blocked]fic.com/inst.exe TROJ_DLOADER.EXJ
    • http://[blocked]com.ar/Fastmp3_Setup1.exe TROJ_DLOADER.ELU
    • http://[blocked]fic.com/1.exe BKDR_SMALL.EIS

    Checking further into this site, this is slowly becoming another LinkOptim thing…


    More and more Trojans are being downloaded.


    Ultimately, the goal of this site became clear: pretty soon I was seeing spam on the network environment.


    Below is a sample email.



    As I said above, malware authors just love users who are easily fooled by their social engineering tactics. They see them as paychecks waiting to be cashed!


    We’ll update this blog as more information is found.


     
    Posted in Security



    Today we received, via our systems, numerous samples of TROJ_STRAT. These samples are detected by Trend Micro as TROJ_STRAT.IC in the latest OPR, 4.121.00, so users are advised to update their pattern files to the latest release.


    The samples we have come as two files with different MD5 hashes:



    • 4ed79f2f9180235069782067999ab548
    • f8d2c08cf1cf57d5b2fb28099a6cfe14

    Network administrators may want to block e-mails with the following details:





     
    Posted in Uncategorized



    Earlier this week, Trend Micro EMEA received reports of a Trojan being spammed. The e-mail carrying the Trojan is written in German, as below:




    Subject:

    Bestellung # 67321 von EUR 391.00 ist angenommen.

    Body:

    Sony RX-F18 8.0 MP Digital Camera

    Ihre Bestellung # 67321 von EUR 391.00 ist angenommen.

    Ihre Karte wird mit dem faelligen Betrag belastet. Danke fuer Ihren Kauf.

    Als Anlage finden Sie die Rechnung.


    Which roughly translates to…




    Subject:

    Order # 67321 of EUR 391.00 has been accepted.

    Body:

    Sony RX-F18 8.0 MP Digital Camera

    Your order # 67321 of EUR 391.00 has been accepted.

    Your card will be charged the amount due. Thank you for your purchase.

    Attached you will find the invoice.


    The attachment filename is of the form rechnung_?????.exe, where ????? is the order number found in the e-mail subject.


    This particular incident seems to be a seeding attempt whose targets are, of course, users who read and understand German. The malicious attachment is a downloader Trojan detected by Trend Micro as TROJ_DLOADER.FWM, which downloads further Trojans from the site idite-nahiy-abusery.com.


    The downloaded files are variants of TROJ_BZUB and TROJ_AGENT; both Trojans act as proxy servers that wait for commands posted on idite-nahiy-abusery.com.
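The pattern described above, the order number in the subject reappearing in the rechnung_<order>.exe attachment name, is specific enough to cross-check at a mail gateway. Here is that check as an added example, not code from the original post or from Trend Micro. It also applies a generic executable-attachment rule, which is the control that survives once the spammer changes the wording. The sample messages, the sender and recipient addresses and the extension list are constructed here for illustration; only the subject text, order number 67321 and the rechnung_<order>.exe pattern come from the post.

```python
"""Added example; this is not code from the original Trend Micro post.

Flags messages that fit the German "Bestellung" spam run described above:
a subject of the form "Bestellung # NNNNN von EUR ... ist angenommen" and
an attachment named rechnung_NNNNN.exe carrying the same order number.
A generic executable-attachment check is the durable control, because the
campaign strings can change at any time. Sample messages, addresses and
the extension list are constructed; only the subject wording, order
number 67321 and the rechnung_<order>.exe pattern come from the post.
"""
import email
import email.policy
import re
from email.message import EmailMessage
from typing import Optional

SUBJECT_RE = re.compile(
    r"Bestellung\s*#\s*(?P<order>\d+)\s+von\s+EUR\s+[\d.,]+\s+ist\s+angenommen",
    re.IGNORECASE,
)
ATTACHMENT_RE = re.compile(r"^rechnung_(?P<order>\d+)\.exe$", re.IGNORECASE)
# Assumed local gateway policy: never deliver these as attachments.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def attachment_names(msg):
    """Filenames of every MIME part whose disposition is 'attachment'."""
    return [
        part.get_filename() or ""
        for part in msg.walk()
        if part.get_content_disposition() == "attachment"
    ]


def classify(raw: bytes) -> dict:
    """Classify one raw message.

    verdict 'block'      : subject order number == rechnung_<order>.exe order number
            'quarantine' : an executable attachment without the campaign pattern
            'pass'       : neither
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    match = SUBJECT_RE.search(str(msg.get("Subject", "")))
    order = match.group("order") if match else None

    names = attachment_names(msg)
    campaign_hits = []
    for name in names:
        am = ATTACHMENT_RE.match(name)
        if am and am.group("order") == order:
            campaign_hits.append(name)
    executables = [n for n in names if n.lower().endswith(EXEC_EXTENSIONS)]

    if campaign_hits:
        verdict = "block"
    elif executables:
        verdict = "quarantine"
    else:
        verdict = "pass"
    return {"verdict": verdict, "order": order, "attachments": names}


def build_sample(subject: str, body: str, attachment: Optional[str]) -> bytes:
    """Construct a test message; the addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "shop@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        # A few inert bytes stand in for the downloader; TROJ_DLOADER.FWM is not reproduced.
        msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


# Constructed samples: the spam as described, a lookalike whose attachment
# carries a different order number, and a confirmation with a PDF invoice.
BODY = "Als Anlage finden Sie die Rechnung."
SUBJECT = "Bestellung # 67321 von EUR 391.00 ist angenommen."
SPAM = build_sample(SUBJECT, BODY, "rechnung_67321.exe")
MISMATCH = build_sample(SUBJECT, BODY, "rechnung_11111.exe")
CLEAN = build_sample(SUBJECT, BODY, "rechnung_67321.pdf")

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("mismatch", MISMATCH), ("clean", CLEAN)):
        print(label, classify(raw)["verdict"])
```

The subject/attachment cross-check is a campaign signature and will go stale; the executable-extension rule is what keeps the next rechnung_*.exe out of the inbox when the wording moves on.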

     
    Posted in Uncategorized



    New variants of Zlob, TROJ_ZLOB.DSB and TROJ_ZLOB.DSC, have just turned up. Once again, these new variants pose as codec installers that can be downloaded from legitimate-looking websites, mediaobjectguide(dot)com and activexsource(dot)com. In an effort to trick more users into thinking that the websites offer genuine codecs, the sites mention Microsoft by name to add credibility and explain the related ActiveX and OLE 2 technology.




    Don’t let the websites’ professional-looking design and techno-babble fool you. These websites do not contain any codec installers at all. The files they offer for download are nothing more than TROJ_ZLOB variants.

     
    Posted in Uncategorized


     

    © Copyright 2011 Trend Micro Inc. All rights reserved.