
    Archive for December 28th, 2006




    On December 20, Trend Micro detected the 879th TSPY_QQPASS variant in the wild. This variant joins the almost 1,200 members of the ever-growing QQPASS family that includes spyware, worms, backdoors, Trojans, and even scripts. In recent months, QQPASS has consistently been one of the most prevalent Trojan spyware (TSPY) around based on actual customer submissions.


    This information-stealing threat family targets Tencent QQ, an instant messaging application hugely popular in Mainland China and South Africa. It hooks an infected computer’s keyboard and mouse to steal QQ login information.


    Proof of its notoriety is the news-grabbing event it stirred in Japan last October. One of QQPASS’ worm variants was found to be infecting more than 10,000 MP3 players given away by McDonald’s Japan as prizes. The event prompted a public apology and a mass recall operation from the fast-food chain.


    In an article, Miray Lozada, Associate Engineer at Trend Micro, documents QQPASS’s behavior and describes how stolen information can be used by the malware author. The writer further infers that monetary reward is the motive pushing this threat family to stay in the wild for so long and evolve with the changing threat landscape.


    Read the article here: QQ Me… But TC :( .

     
    Posted in Uncategorized | Comments Off



    This Christmas, malware authors still seem to be pretty busy spreading malicious code instead of holiday cheer.


    Trend Micro today discovered a new virus that infects 64-bit Windows operating systems (AMD64). Detected as W64_ABUL.A, this virus infects 64-bit systems by injecting its code into all executable (.EXE) files on drive C and its subfolders.


    To date, W64_ABUL.A is probably the third known file infector to target 64-bit systems, and the second to target the AMD64 platform. The first seen was W64_RUGRAT.A, discovered in May 2004, followed by W64_SHRUGGLE.A, which came out in August 2004. Both of these were considered proof-of-concept viruses, created by an author (who calls himself “roy g biv”) to prove that new systems are open to virus attacks.


    Well, that much is true nowadays, and we all know that the current trend is to attack new and different platforms as much as possible for profit.


    However, with W64_ABUL.A, it seems the authors of this virus are just out to taunt the AV industry, as you can probably notice in the malware code. This file infector creates the following mutex to mark its presence on a system:



    64_absolute by tM & SH,a nice gift for all the AV
    community, Marry X.mas to all the AV


    Since this file infector targets 64-bit systems, it is not able to infect 32-bit files. It also cannot run on 32-bit processors without software that enables these processors to support 64-bit programs. Clearly, there is no intention to make this virus widespread.
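Because the infector can only modify 64-bit files, only AMD64 (PE32+) executables are candidates when scoping a sweep of an affected host. As an added example (not code from the original post or from Trend Micro), the Python below reads each .exe header and returns the AMD64 ones; the function names, the 4 KiB header read and the sample headers are assumptions constructed for illustration.

```python
import os
import struct

MACHINE_I386, MACHINE_AMD64 = 0x014C, 0x8664   # COFF Machine values
MAGIC_PE32, MAGIC_PE32PLUS = 0x10B, 0x20B      # optional-header Magic values


def classify_pe(data: bytes) -> str:
    """Classify raw file bytes as 'amd64', 'i386', 'other-pe' or 'not-pe'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    # Need PE signature (4) + COFF header (20) + optional-header Magic (2).
    if pe_off + 26 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return "not-pe"
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    (magic,) = struct.unpack_from("<H", data, pe_off + 24)
    if machine == MACHINE_AMD64 and magic == MAGIC_PE32PLUS:
        return "amd64"
    if machine == MACHINE_I386 and magic == MAGIC_PE32:
        return "i386"
    return "other-pe"   # other architecture, or Machine and Magic disagree


def amd64_executables(root: str, header_bytes: int = 4096) -> list:
    """Walk root and return sorted paths of .exe files that are AMD64 images."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(header_bytes)
            except OSError:
                continue   # locked or unreadable file: skip, keep sweeping
            if classify_pe(head) == "amd64":
                hits.append(path)
    return sorted(hits)


def sample_header(machine: int, magic: int) -> bytes:
    """Constructed minimal MZ/PE header for the demo; not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x0022)
    return dos + b"PE\0\0" + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    print(classify_pe(sample_header(MACHINE_AMD64, MAGIC_PE32PLUS)))
```

The resulting list is the set of files worth comparing against known-good hashes or rescanning; 32-bit executables drop out of scope for this particular infector.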


    Whether a warning or pure mockery, whatever is behind this “holiday greeting”, it shows that malware authors can and will always try to use all available means to spread their malicious code.

     
    Posted in Uncategorized | Comments Off



    Clearly the holidays are far from over.


    Just days after the 64-bit malware W64_ABUL.A was detected, news came out of a sudden surge of Christmas-themed malware. The prolific STRATION family did not miss out on the celebration: Trend Micro detected TROJ_STRAT.IG on Christmas Day, allegedly being spammed via holiday-themed email messages.


    Users should thus be wary when opening cute, warm-and-fuzzy holiday greetings, especially if they come from unexpected sources. In these times when even a seemingly harmless PowerPoint presentation or Word document could exploit vulnerabilities to drop malicious files into a recipient’s system… well, let’s just say these are the “gifts” we definitely do not want to receive.

     
    Posted in Uncategorized | Comments Off



    Vista receives the first potshot on its supposedly impenetrable armor as Microsoft confirms the existence of proof-of-concept (PoC) code that targets the Client Server Run-Time Subsystem. This PoC affects Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2, and Windows Vista. It reportedly allows local elevation of privilege. Initial analysis, however, shows that in order for the attack to be successful, the attacker must already have authenticated access to the target system.


    As can be expected, Microsoft still maintains that Vista is their most secure platform to date. Que sera, sera. Happy patching in 2007!

     
    Posted in Uncategorized | Comments Off



    News of a threat that supposedly propagates via the popular VoIP application Skype zoomed through the security industry earlier this week. Its supposed spreading capability classified the threat as a worm. However, in its own analysis Trend Micro saw only an information theft routine, which characterizes the Skype threat as Trojan spyware, and detected it as such (TSPY_SKPE.A).


    After working with the Skype security team, Websense, who first raised the alert, confirms that the threat is indeed a Trojan attempting to use the Skype API for its malicious activities.


    Note that, as of this writing, Skype has no known vulnerability and that the Web sites where the Skype code and copies of the Trojan can be downloaded from are all unavailable.

     
    Posted in Uncategorized | Comments Off


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice