Trend Micro Malware Blog (TrendLabs)

    Archive for February, 2007




    While most threats keep their file size small (not only to evade easy detection but also to avoid problems in transmission), one Trojan spyware family has become (in)famous for arriving as very large files. TSPY_DENUTARO’s use of big files is not a programming mistake. On the contrary, it is a deliberate technique: a file as large as a real video is more convincing as one, which aids DENUTARO’s pretense of being a media file.

    To complete the scam, most early variants use the Windows Media Player icon. They can be found in peer-to-peer networks and, with their attractive file names (notably in Japanese), are downloaded by unsuspecting users. DENUTARO is thus one of the growing number of threats that ride on the rising popularity of digital media and file sharing over the Internet, joining TROJ_ZLOB, among others.

    However, TSPY_DENUTARO, like any other persistent threat today, is changing. New variants discovered over the last few days pretend to be screensaver files instead. One of these variants is TSPY_DENUTARO.DM. Notably, the file size is reduced considerably (though it is still much larger than that of most threats), and they now use the WinZip icon.
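    The size trick is easy to measure. A Windows executable maps only the bytes its section table describes, so anything after the last section (the “overlay”) is dead weight from the loader’s point of view and is where padding has to go. The Python below is an added example, not code from the original post or from Trend Micro; it parses the section table and reports how much of a file is overlay. The thresholds in looks_padded and the minimal PE that build_minimal_pe constructs for offline testing are assumptions made for illustration.

```python
"""Added example (not from the original post): find the padding that makes a
DENUTARO-style executable as large as the video it pretends to be."""
import struct

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def pe_overlay(data: bytes) -> tuple:
    """Return (overlay_offset, overlay_size) for a PE image held in memory.

    The overlay is everything past the last byte any section header claims.
    The Windows loader never maps it, but it still counts toward file size,
    which is exactly what a "big file" disguise needs. Raises ValueError if
    the buffer is not a PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    sec_table = coff + COFF_HEADER_SIZE + opt_size
    end = sec_table + num_sections * SECTION_HEADER_SIZE  # headers at least
    for i in range(num_sections):
        hdr = sec_table + i * SECTION_HEADER_SIZE
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    if end > len(data):
        raise ValueError("section table points past end of file")
    return end, len(data) - end


def looks_padded(data: bytes, min_overlay: int = 1 << 20,
                 min_ratio: float = 0.9) -> bool:
    """Triage heuristic for the DENUTARO pattern: an executable whose bulk is
    overlay. Thresholds are assumptions. Authenticode-signed binaries,
    installers and self-extracting archives legitimately carry an overlay
    too, so treat a hit as a reason to look closer, not as a verdict."""
    _, overlay = pe_overlay(data)
    return overlay >= min_overlay and overlay / len(data) >= min_ratio


def build_minimal_pe(overlay: bytes) -> bytes:
    """Construct a structurally valid, non-runnable PE32 with one section so
    the functions above can be exercised offline (test fixture, not malware)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after
    opt_size = 224  # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0",
                          512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(optional) + section)
    return headers.ljust(512, b"\0") + b"\x90" * 512 + overlay


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        offset, size = pe_overlay(blob)
        print(f"{path}: overlay {size} bytes at {offset}, padded={looks_padded(blob)}")
```

    Run it over a download directory and sort by overlay ratio; a video-sized file that is 99% overlay behind a few kilobytes of code is the DENUTARO shape, whereas a signed installer will show a large overlay with a much smaller ratio.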

    Nevertheless, once executed on a system, these new variants perform the original family routine: they take a screenshot of the desktop and upload it, along with the system’s hostname and IP address, to a certain FTP site. Since FTP carries both credentials and data in cleartext, a packet capture from an infected host reveals the drop server and the login the malware uses.

    New variants even continue a family tradition: they delete image, video, and archive files and then, reusing the names of the deleted files, drop screenshots of Japanese anime with subtitles that scold the user for illegal use of P2P networks, no matter how ironic that sounds. Images dropped by older variants said “Are you enjoying committing illegal activities through P2P? If you don’t stop that, I will kill you.” The new variants’ images now say “So, you are still using Winny even after {the creator} lost in his case. I hate you guys.”

    This refers to the recent conviction of the creator of Winny, the most popular P2P application in Japan, for aiding copyright infringement (the case arose from the earlier arrest of two Winny users who allegedly shared copyrighted material). The creator received overwhelming support from the computing community in Japan when he was arrested, with many calling the arrest wrongful.

    Apparently, the authors of TSPY_DENUTARO share the same sentiment. Whether this supports the Winny creator’s plea for innocence or further incriminates him, is not clear.

     



    Trend Micro has received reports of a new worm spreading in the wild. This new worm, detected as WORM_ZHELATIN.CH, propagates via Web-based email messages. Some of the affected email service providers are the following:




    • AOL
    • Bellsouth
    • Care2
    • Comcast
    • EarthLink
    • FastMail
    • Gmail
    • Hotmail
    • Lycos
    • Outblaze
    • Rambler
    • Tiscali
    • Yahoo!



    Users of these email service providers are advised to be wary of email messages from unexpected sources.



    It is interesting to note that one of the affected email service providers is Rambler, one of the biggest Russian search engines and Web portals.



    Trend Micro is conducting an in-depth analysis of this worm. More information will be posted shortly.



    Update (02.23.2007):

    Upon further analysis, the worm connects to a certain URL to retrieve message details (or message templates), which it then sends through the Web-based email services listed above.

    It also drops TROJ_AGENT.JWE, a Trojan that registers itself as a Winsock Layered Service Provider (LSP). An LSP is a DLL inserted into the Winsock provider chain, so every process that uses Winsock loads it and every socket call passes through it. This lets the Trojan intercept and log network traffic and redirect an affected user before the originally requested Web site is reached. It also entrenches the dropped Trojan on the system: deleting the DLL without repairing the catalog leaves every networked application unable to open a socket.

    The Trend Micro URL Filtering Engine already blocks the malicious links related to this malware. However, users are still advised to avoid clicking on suspicious links even when they come from known and trusted sources.
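    An LSP leaves a fingerprint that is easy to audit: the Winsock catalog under HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 names every provider DLL. The Python below is an added example, not code from the original post or from Trend Micro. It parses the PackedCatalogItem values (the provider path is the NUL-terminated string at the start of each blob) and flags DLLs that are not stock Windows providers or that live outside System32. The list of known provider names and the constructed sample entries, including the temp-directory DLL path, are assumptions for illustration and do not describe TROJ_AGENT.JWE’s actual file name.

```python
"""Added example (not from the original post): list Winsock Layered Service
Providers and flag ones that do not belong; a planted LSP such as the one
TROJ_AGENT.JWE registers is the kind of entry this surfaces."""
import ntpath
import sys

CATALOG_KEY = (r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
               r"\Protocol_Catalog9")
# Provider DLLs that ship with Windows XP/2003 (assumed list; extend for newer releases).
KNOWN_PROVIDERS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "nlaapi.dll",
                   "napinsp.dll", "pnrpnsp.dll", "wshbth.dll"}
MAX_PATH = 260


def provider_path(packed_item: bytes) -> str:
    """PackedCatalogItem (REG_BINARY) starts with the provider DLL path as a
    NUL-terminated ANSI string in a MAX_PATH field; a WSAPROTOCOL_INFO
    structure follows it."""
    raw = packed_item[:MAX_PATH].split(b"\0", 1)[0]
    return raw.decode("latin-1")


def audit(entries: dict, system_root: str = r"C:\WINDOWS") -> list:
    """entries maps catalog entry name -> PackedCatalogItem bytes.
    Returns (entry, path, reasons) for each provider worth a second look."""
    system32 = ntpath.normcase(ntpath.join(system_root, "system32"))
    findings = []
    for name, blob in sorted(entries.items()):
        path = provider_path(blob)
        expanded = path.replace("%SystemRoot%", system_root)
        directory, base = ntpath.split(ntpath.normcase(expanded))
        reasons = []
        if base not in KNOWN_PROVIDERS:
            reasons.append("DLL is not a known Windows provider")
        if directory != system32:
            reasons.append("DLL lives outside System32")
        if reasons:
            findings.append((name, path, reasons))
    return findings


def read_catalog() -> dict:
    """Read the live catalog (Windows only). 64-bit Windows keeps the 32-bit
    catalog under Catalog_Entries and the 64-bit one under Catalog_Entries64."""
    import winreg  # only available on Windows
    entries = {}
    for sub in ("Catalog_Entries", "Catalog_Entries64"):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CATALOG_KEY + "\\" + sub)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    entry = winreg.EnumKey(key, index)
                except OSError:
                    break
                index += 1
                with winreg.OpenKey(key, entry) as entry_key:
                    blob, _ = winreg.QueryValueEx(entry_key, "PackedCatalogItem")
                    entries[f"{sub}\\{entry}"] = blob
    return entries


def packed(path: str) -> bytes:
    """Build a PackedCatalogItem-shaped blob for offline testing (constructed)."""
    # 372 = sizeof(WSAPROTOCOL_INFOA), which follows the path field
    return path.encode("latin-1").ljust(MAX_PATH, b"\0") + bytes(372)


# Constructed sample catalog: two stock providers and one planted DLL.
SAMPLE_ENTRIES = {
    "000000000001": packed(r"%SystemRoot%\system32\mswsock.dll"),
    "000000000002": packed(r"%SystemRoot%\system32\rsvpsp.dll"),
    "000000000003": packed(r"C:\Documents and Settings\user\Local Settings\Temp\lsp_sample.dll"),
}

if __name__ == "__main__":
    catalog = read_catalog() if sys.platform == "win32" else SAMPLE_ENTRIES
    for entry, path, reasons in audit(catalog):
        print(f"{entry}: {path} -> {', '.join(reasons)}")
```

    On a live XP system, netsh winsock show catalog lists the same entries. Once a rogue provider has been identified, remove its catalog entry before (or instead of) deleting the DLL; netsh winsock reset (XP SP2 and later) rebuilds the catalog so that the removal does not break networking for every application.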

     


    Feb 20, 12:47 pm (UTC-7)

    Since TROJ_YABE came around, it has targeted German customers of numerous companies/institutions like

    The latest in its growing list of victims is IKEA Home Shopping, a company selling home furniture. The ammunition and social engineering tactics used by this particular malware are the same as those of the other TROJ_YABE samples from Germany: an e-mail is sent to unsuspecting users pretending to be a bill from IKEA.

    Below is a sample of the e-mail used.

    (screenshot: yabe-1.JPG)

    The attachment connects to several URLs but ultimately downloads a file from http:// {block}.uk/11.exe. Each of the other sites

    • http:// {block}xas.com/images/index2.txt
    • http:// {block}sert.org/images/photo_page/index2.txt
    • http:// {block}club.com/Images/index.txt
    • http:// {block}epairs.co.uk/Clocks/index.txt
    • http:// {block}service.com.au/images/index.txt
    • http:// {block}mages/dvd/index.txt
    • http:// {block}fe.com/images/index2.txt

    serves a text file containing an obfuscated form of the download URL of 11.exe, which lets the attackers change the payload location without re-spamming the attachment. The 11.exe that is downloaded can be an updated copy of the Trojan or just another DOWNLOADER/AGENT/YABE variant; that depends entirely on what the people behind this targeted Trojan attack want at the time. As of now, the latest CPR (Controlled Pattern Release) detects the e-mail attachment as TROJ_AGENT.IQN and the downloaded file (11.exe) as TROJ_AGENT.ISP. For customers, downloading the latest CPR takes away all worries about this particular Trojan, and the URLs related to this malware have also already been blocked.

     



    TrendLabs has recently received samples of TROJ_AGENT.IQN being spammed in email messages supposedly coming from IKEA Deutschland. Consistent with the social engineering technique of the “Rechnung” (German for “invoice”) Trojans, the spammed message asks recipients to verify the attached billing statement, which is actually the Trojan disguised as a PDF file. Once the user opens the attachment, TROJ_AGENT.IQN connects to several URLs to download another Trojan, detected as TROJ_AGENT.ISP.

    IKEA, of course, is a well-known furniture superstore in Europe and the United States, so it is no surprise that the Rechnung gang is out shopping for a fresh batch of targets. The move is reminiscent of the HAXDOOR backdoor that targeted Wal-Mart customers: when shopping money is involved, the probability of users clicking on the attachment is high. Here’s another thought: IKEA is based in Sweden. It makes one wonder whether we will see a Nordic version of the spammed message soon…

    Trend Micro recommends that users avoid opening attachments on email messages bearing the following subjects:

    • Ihre IKEA Bestellung
    • Rechnung IKEA 10.2.2007
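    The attachment trick used by this campaign and by the IKEA Home Shopping mails described above is mechanical enough to screen for at the mail gateway. The Python below is an added example, not code from the original posts or from Trend Micro; it parses a message, matches the two subjects listed above, and flags attachments whose name claims a document but whose bytes are a Windows executable, or that hide an executable behind a double extension. The sample message it builds, including the attachment names and the PE-shaped stub, is constructed for illustration and is not the real spam.

```python
"""Added example (not from the original post): triage a "Rechnung"-style
message by subject and by attachment name versus content."""
import email
from email import policy
from email.message import EmailMessage

SUSPECT_SUBJECTS = {"Ihre IKEA Bestellung", "Rechnung IKEA 10.2.2007"}  # from the post
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".xls", ".jpg", ".zip"}


def classify_attachment(filename: str, payload: bytes) -> list:
    """Return the reasons an attachment deserves quarantine (empty = clean)."""
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable attachment")
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("document extension hidden by double extension")
    elif payload[:2] == b"MZ":
        # A PE image named like a document: the disguise the Rechnung Trojans use
        reasons.append("content is a Windows executable but name claims "
                       + (ext or "no extension"))
    elif ext == ".pdf" and not payload.startswith(b"%PDF"):
        reasons.append("PDF name but no %PDF header")
    return reasons


def triage(raw: bytes) -> dict:
    """Parse an RFC 822 message and report subject match plus per-attachment verdicts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        verdicts[name] = classify_attachment(name, payload)
    return {"subject": subject,
            "subject_match": subject in SUSPECT_SUBJECTS,
            "attachments": verdicts,
            "quarantine": subject in SUSPECT_SUBJECTS or any(verdicts.values())}


def constructed_sample() -> bytes:
    """A made-up message shaped like the campaign: one executable wearing a
    .pdf name and one genuine-looking PDF. Names and bytes are constructed."""
    m = EmailMessage()
    m["From"] = "rechnung@example.invalid"
    m["To"] = "kunde@example.invalid"
    m["Subject"] = "Rechnung IKEA 10.2.2007"
    m.set_content("Bitte pruefen Sie die beigefuegte Rechnung.")
    fake_exe = b"MZ" + bytes(62) + b"PE\0\0" + bytes(200)  # PE-shaped stub, not runnable
    m.add_attachment(fake_exe, maintype="application", subtype="pdf",
                     filename="Rechnung_IKEA.pdf")
    m.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
                     filename="AGB.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    report = triage(constructed_sample())
    print(report["subject"], "-> quarantine" if report["quarantine"] else "-> deliver")
    for name, reasons in report["attachments"].items():
        print(f"  {name}: {reasons or 'clean'}")
```

    The content check matters more than the subject list: subjects change with every wave, while an attachment whose first two bytes are MZ is an executable whatever it is called.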

     



    Last week I received a malicious file detected as TROJ_LOWZONES.CO, a component of the Gromozon malware chain.

    After analyzing and executing the file, I noticed that the malware modifies the IE start page (not really surprising) to h_ttp://www.gooogle.bz (.bz being the country code of Belize, in Central America), as below:

    (screenshot: google.JPG)

    The peculiar thing is that it shows a fake copy of the Italian Google home page. The malware also edits Internet Explorer’s zone-map registry keys to put several domains into the Trusted Sites zone, so that IE applies the Trusted zone’s relaxed ActiveX and scripting settings to them instead of the Internet zone’s checks (IE stores the zone as a numeric value under each of these keys; 2 is the Trusted Sites zone):

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\scalalap.com\www
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cywanstorage.biz\www
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\forteforte.com\www
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gooogle.bz\www
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ricercadoppia.com\www
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\playmore.biz\www
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ciritorno.biz\www
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\melagodo.biz\www
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\what-you-want.biz\www
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tuttaqualita.com\www

    (screenshot: IE.JPG)
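    The zone-map change is worth checking for on any machine, since nothing in the IE user interface makes a planted Trusted Sites entry stand out. The Python below is an added example, not code from the original post or from Trend Micro; it walks the ZoneMap\Domains tree (read from the live registry on Windows, or from a constructed dictionary elsewhere) and reports every host whose zone has been lowered to Local intranet or Trusted sites. The value name http and the sample tree built from the ten domains above are assumptions for illustration; the numeric zone identifiers are IE’s own.

```python
"""Added example (not from the original post): report hosts that the IE
ZoneMap has placed in a more permissive security zone, as TROJ_LOWZONES.CO
does for the domains listed in the post."""
import sys

DOMAINS_KEY = (r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
               r"\ZoneMap\Domains")
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
PERMISSIVE_ZONES = {1, 2}  # these relax ActiveX and scripting prompts


def zone_assignments(domains: dict) -> list:
    """Flatten the ZoneMap\\Domains tree into (host, scheme, zone) triples.

    The tree is {domain: {value_name: zone, subdomain: {value_name: zone}}}:
    a value directly under a domain key covers the whole domain, a value
    under a subkey covers only that host; the value name is the scheme
    ("http", "https", "ftp") or "*" for any."""
    out = []
    for domain, content in domains.items():
        for name, value in content.items():
            if isinstance(value, dict):
                for scheme, zone in value.items():
                    out.append((f"{name}.{domain}", scheme, zone))
            else:
                out.append((domain, name, value))
    return out


def lowered_zones(domains: dict) -> list:
    """Hosts that were promoted into a permissive zone, with the zone's name."""
    return [(host, scheme, ZONE_NAMES.get(zone, str(zone)))
            for host, scheme, zone in zone_assignments(domains)
            if zone in PERMISSIVE_ZONES]


def read_zonemap() -> dict:
    """Load HKCU ZoneMap\\Domains from the live registry (Windows only)."""
    import winreg  # only available on Windows

    def walk(key):
        node = {}
        index = 0
        while True:  # DWORD values: scheme -> zone
            try:
                name, data, kind = winreg.EnumValue(key, index)
            except OSError:
                break
            index += 1
            if kind == winreg.REG_DWORD:
                node[name] = data
        index = 0
        while True:  # subkeys: one per host label
            try:
                sub = winreg.EnumKey(key, index)
            except OSError:
                break
            index += 1
            with winreg.OpenKey(key, sub) as subkey:
                node[sub] = walk(subkey)
        return node

    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, DOMAINS_KEY) as root:
        return walk(root)


# Constructed sample: the ten domains from the post, each with its www host
# mapped to zone 2, plus one Restricted entry for contrast.
SAMPLE_DOMAINS = {d: {"www": {"http": 2}} for d in (
    "scalalap.com", "cywanstorage.biz", "forteforte.com", "gooogle.bz",
    "ricercadoppia.com", "playmore.biz", "ciritorno.biz", "melagodo.biz",
    "what-you-want.biz", "tuttaqualita.com")}
SAMPLE_DOMAINS["example.com"] = {"*": 4}

if __name__ == "__main__":
    tree = read_zonemap() if sys.platform == "win32" else SAMPLE_DOMAINS
    for host, scheme, zone in lowered_zones(tree):
        print(f"{host} ({scheme}) -> {zone}")
```

    On a live system, compare the output with Tools > Internet Options > Security > Trusted sites > Sites; anything the user does not recognise is a candidate for deletion (remove the domain key) and a reason to look for the rest of the chain. The sibling ZoneMap\Ranges key maps IP address ranges the same way and deserves the same check.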

    These websites are now blocked by IWSS and PC-cillin. Another thing to point out: once you are connected to w_ww.gooogle.bz, the search engine works exactly like the Italian one, see below:

    (screenshot: search2.JPG)

    So I dug further; here is what I saw in a packet capture taken with Ethereal on the infected system:

    (screenshot: snap.JPG)

    You can see the connection to h_ttp://what-you-want.biz, which is made when the infected file is executed. On line 9 you see the connection to h_ttp://www.gooogle.bz. This website is composed of three files:

    – Index.htm:

    (screenshot: index2.JPG)

    This file calls up.asp.htm and index-1.htm.

    – up.asp (line 19) is called next; here is its content:

    (screenshot: asp1.JPG)

    We can see that gooogle.bz initiates the download of cip.exe. The file cip.exe is now detected as DIAL_PORN.BCB.

    – Index-1.htm:

    (screenshot: google2.JPG)

    In detail, it contains: href=”https://www.google.com/accounts/Login?continue=http://www.google.it/&hl=fr”. After finding this, everything started to fit together: now I knew why the malware connected to google.com and google.it. Another question came up, though: why is it using https? (The answer is mundane: that is Google’s own sign-in link, copied from the real page, and Google serves its account login over https.) On line 20 you see that some queries are made to h_ttp://www.google.it, then on line 26 it starts downloading the file cip.exe. cip.exe is then executed and starts its routine, as shown below:

    (screenshot: snap2.JPG)

    You can see on line 306 that cip.exe connects to crl.thawte.com. Thawte is a certificate authority (like VeriSign), and crl.thawte.com serves its certificate revocation lists. cip.exe downloads ThawtePremiumServerCA.crl and ThawteCodeSigningCA.crl; these are ordinary revocation lists, which Windows fetches when it validates a Thawte-issued code-signing or TLS certificate. Their appearance is consistent with cip.exe being code-signed: a file with a valid signature gets the milder “publisher verified” prompt instead of the “unknown publisher” warning, which helps it run with less resistance from the user, but the CRLs themselves grant it nothing. I had a look at Google and I assume the page uses the Google AJAX Search API (http://code.google.com/apis/ajaxsearch/), for which you need to log in, and that would explain why the search engine really works like the Italian one. A whois search shows that these two (obviously fictitious) contacts are listed for all the websites above:


    Tanzania Import
    sa Silvano Mammola (john@mrcallaghan.com)
    +1.55565659998
    Fax: +1.55565659998
    123 Wilson Rd
    Santaclaus, ST 92115
    CX

    La Lapide Inc.
    Rigor Morto (rigor@acquadirose.com)
    +55.333666225
    Fax: +55.333666225
    235 Gustav Av.
    Buffalu, BU 55220
    EC

    The registrar is eNom, and the websites are hosted at Zipservers, a hosting provider.

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice