
Archive for May, 2007


May 31
by Paul Oliveria (Technical Communications)

Following in the footsteps of TROJ_ARTIEF.A (aka the Better Business Bureau-spoofing Trojan that reportedly “duped” more than a thousand business executives in the US), TrendLabs has recently detected not one but two new malware attempting to employ similar routines and social engineering techniques, plus more. The first copycat, TROJ_ARTIEF.B, also arrives embedded in an RTF document. The document is pointed to by a link included in spammed messages posing as email from a Criminal Investigation department. The message has the following details:

Dear XXXXX, We regret to inform you that your company is currently being investigated by our CI department for criminal tax fraud due to a complaint that was filled by a {supposed complainant} on 02/05/2007 Complaint Case Number: MT529057251 Complaint made by: {supposed complainant} Complaint registered against :{company} Date: 02/05/2007 You are being investigated for submiting false income tax returns with the California Franchise Tax Board. Instructions on how to resolve this issue aswell as a copy of the original complaint can be found on the link bellow. {link here} Complaint Documents Criminal Investigation (CI) serves the American public by investigating potential criminal violations of the Internal Revenue Code and related financial crimes in a manner that fosters confidence in the tax system and compliance with the law. Criminal Investigation department resides at: {CI office address} Please note that you are required to review the complaint and fill out the document from the above link and mail it to the CI address.
When executed, this Trojan downloads another Trojan, detected as TROJ_AGENT.SXR.

The second malware got more of our attention. Detected as TSPY_MAHA.S, this spyware takes a page out of TROJ_ARTIEF.A’s book and employs a similar social engineering technique (i.e., it also poses as a complaint letter/document, only this time it supposedly comes from the Internal Revenue Service, not the BBB; see the image below) in order to trick unsuspecting, and possibly alarmed, users into opening and executing the attached file. Once running on an affected system, this spyware proceeds to steal user account information related to applications such as Yahoo! Messenger and Mozilla Firefox.

TROJ_ARTIEF_B_img3.gif

Trend Micro detects both these new malware with the latest pattern file. However, users are still advised to be wary when opening attachments, especially those that are coming from unknown or unexpected sources. After all, as attacks become more and more sophisticated, user diligence is always the best defense.


May 30
by Jhoevine Capicio (Advanced Threats Researcher)

It seems Italy is fast becoming the hub of malware authors. I still remember the nasty days when the LinkOptim malware, also known as Gromozon, was spreading like wildfire across the net. Now typo-squatters have followed LinkOptim’s lead to again plague Italian surfers. For those unfamiliar with typo-squatting, you can read more about it here. Internet users in Italy are currently under attack by a massive typo-squatting campaign run by malware authors. Some of the URLs used in this attack are listed below.



  • 3bay.it
  • 4repubblica.it
  • aklitalia.it
  • corrieere.it
  • eba6y.it
  • eba7y.it
  • fgazzetta.it
  • fgoogle.it
  • gazzetra.it
  • gazzettaa.it
  • katsaweb.it
  • mnsn.it
  • tyiscali.it
  • tyttogratis.it

For a full list of URLs used in the attack, download the pdf file here. (Courtesy of Sunbelt-Software.) The page shown below is loaded upon visiting these URLs.
2.JPG
Here is a Babelfish translation of the words on the page: “Impossible to find the page demanded. In order to visualize the demanded page the modernization of Internet Explorer (direct link to a malware file) is necessary. In alternative, it finds on Extra Search the tried page.”

  1. Through the Internet Explorer link.
  2. Through the search form provided in the page.
  3. Through the toolbar link.
  4. Through the video.
  5. Through the Extra Search (extraricerca) icon.

All the typo-squatter links listed above lead to the same page. A whois lookup also shows the same results for each of the URLs.

Status: ACTIVE
Created: 2005-08-24 00:00:00
Last Update: 2007-05-08 16:43:56
Expire Date: 2007-08-24

Registrant
Name: PROLAT
ContactID: PROL20-ITNIC
Address: zip: LV-5400
DE
Created: 2007-03-01 10:27:17
Last Update: 2007-03-01 10:27:17

Admin Contact
Name: Bojarovs Aleksejs
ContactID: BA3396-ITNIC
Address: street: Grodnas 42/72
zip: LV-5400
city: Daugavpils
DE
Created: 2005-06-13 00:00:00
Last Update: 2007-03-01 07:48:12

Technical Contacts
Name: Bojarovs Aleksejs
ContactID: BA3396-ITNIC
Address: street: Grodnas 42/72
zip: LV-5400
city: Daugavpils
DE
Created: 2005-06-13 00:00:00
Last Update: 2007-03-01 07:48:12

Registrar
Organization: FROG
Name: PROLAT-MNT

Nameservers
ns1.metallichosting.com
ns2.metallichosting.com


It also shows that the URLs used in the attack have been in existence since August 2005.

Typo-squatting is not new; in fact it has existed for a long time and has been used by other malware in the past. Mostly the targets are big companies or websites frequented by most internet users, like google.com and microsoft.com. Even Trend Micro has been a target of this in the past; I posted a diary entry about it last year. The malware authors ultimately rely on the user’s carelessness in order to be successful.


So, to mitigate, users should be careful how they type. For sites that are frequently used, you should simply bookmark them so that no typing is necessary. Microsoft has also released a tool called Strider URL Tracer, which is made to combat typo-squatting. Lastly, for security admins, especially those in Italy, you can download the whole list of the URLs used in the recent attack from Sunbelt-Software and block them on your network. This way all users, even the careless ones, are protected from this attack. It is no excuse to be careless, though. We should always be vigilant and keep security in mind, especially when critical data is being handled.
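As an added example (not code from the post, Trend Micro or the Strider tool), the following Python flags lookalike names in a DNS query log by edit distance against a watch list of legitimate brands; the watch list and the log lines are assumptions constructed for the demo, while the lookalike names are the ones listed above.

```python
# Added example: flag typo-squats in DNS logs by comparing the second-level label
# with a watch list of brands. Brand list and log lines are constructed.
# Assumed legitimate targets of the listed typo-squats (assumption, not stated by the post).
WATCHED_BRANDS = {"ebay", "repubblica", "alitalia", "corriere", "gazzetta",
                  "google", "kataweb", "msn", "tiscali", "tuttogratis"}

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(domain: str, brands=WATCHED_BRANDS, max_dist: int = 1):
    """Return (brand, distance) for the closest watched brand within max_dist,
    or None when the label is an exact brand (legitimate) or matches nothing."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return None
    label = parts[-2]                      # "www.ebay.it" -> "ebay", "3bay.it" -> "3bay"
    if label in brands:
        return None
    best = None
    for brand in brands:
        dist = damerau_levenshtein(label, brand)
        if dist <= max_dist and (best is None or dist < best[1]):
            best = (brand, dist)
    return best

# Constructed DNS-log-style lines: "<timestamp> <client> <queried name>".
SAMPLE_LOG = """\
2007-05-30T10:01:02 10.0.0.5 www.ebay.it
2007-05-30T10:01:09 10.0.0.7 3bay.it
2007-05-30T10:02:11 10.0.0.9 corrieere.it
2007-05-30T10:02:40 10.0.0.5 www.gazzetta.it
2007-05-30T10:03:15 10.0.0.8 tyttogratis.it
"""

def flag_log(text: str):
    """Return (client, queried name, brand, distance) for each suspected typo-squat."""
    hits = []
    for line in text.splitlines():
        _, client, name = line.split()
        match = classify(name)
        if match:
            hits.append((client, name, match[0], match[1]))
    return hits
```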



May 30
by Sheryll Tiauzon (Advanced Threats Researcher)

I’m pretty sure most, if not all, of us have already heard about the phenomenal pay-to-play MMORPG called “World of Warcraft”. It has over 8 million subscribers worldwide, more than 2 million of them in the United States alone. Seeing these numbers, it is no surprise to learn that malware authors have taken advantage of the game’s popularity to spread some malware cheer of their own.


Just recently, another set of websites has been found to contain variants of TSPY_WOW and TROJ_ANICMOO.AX. TSPY_WOW variants are known to monitor users’ internet browsing activities as well as steal information related to the online game World of Warcraft, such as usernames and passwords.


Users should be wary of the sites they visit, as these sites often look like the official WoW site. Below is a list of domains that were recently verified to host malicious files:



  • http://world0fwarcraft.net
  • http://www.wor1dofwarcraft.com


May 29
by Carolyn Guevarra (Technical Communications)

Early this month, news of the disappearance of 4-year-old Madeleine McCann caught the interest of the public all over the world, as various efforts from different communities were put into action to help find the missing child.
One of these was the setting up of an official Web site, launched to help the search campaign. A fund-raising effort called “Madeleine’s Fund: Leaving No Stone Unturned” was also started to help finance the search for Madeleine, as well as to aid the search for other abducted children.


As usual, scammers are not leaving any stone unturned either when it comes to exploiting events for profit. Banking on the public’s curiosity and emotions, these scammers are using this tragic event to lure victims into giving out their credit card and bank account numbers.
These malicious users have created a series of fake Web sites that pose as the official bringmadeleinehome.com site, asking for donations from unsuspecting donors.


Recently, Belgian IT security professional Didier Stevens discovered that clicking one of the links in the News items of the bringmadeleinehome.com site led to the download of a malicious JavaScript, which is already covered by the generic Trend Micro detection JS_EXCEPTION.GEN. He noted, however, that “the Trojan was not hosted on or linked to from the findmadeleine.com site.”


May 29
by Sheryll Tiauzon (Advanced Threats Researcher)

Over the weekend, we intercepted one particularly typical sample via our honeypots. The file we received was a Rich Text Format (RTF) document. Nothing new, you might think, and upon initial inspection nothing seemed out of the ordinary. However, further analysis of the file revealed that it actually contained a malicious executable file embedded within the document itself.


Trend Micro already detects this as TROJ_ARTIEF.A.


Upon execution of the said file, it drops an HTML component in the Windows TEMP folder. The HTML file is then injected into the process IEXPLORE.EXE so that it is opened in a hidden Internet Explorer window each time the user runs IE.


It also downloads a file from:

http://66.116.{BLOCKED}.202/cp/scripts/scripts/updater.exe

and saves it to the Windows TEMP folder using the filename UPDATE.EXE. As it uses the Adobe PDF icon, it tricks the user into thinking it is a non-malicious file. It even displays the following error message as part of its ploy.

errormsg.JPG

Below is a screenshot of the email containing the said attachment:

screenshot1.JPG
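As an added example of the detection side of the technique described here and in the TROJ_ARTIEF.B post above (not code from the original posts or from Trend Micro), the following Python scanner pulls each \objdata object out of an RTF file and flags native data that carries a PE header; the sample document, its fake executable and the minimal OLE1 “Package” wrapper are constructed for the demo.

```python
# Added example: find OLE objects embedded in RTF (\objdata hex) and flag
# ones whose native data looks like a Windows executable. Sample is constructed.
import re, struct

OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\]+)")
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")
DOS_STUB = b"This program cannot be run in DOS mode"

def extract_objects(rtf: bytes):
    """Return (objclass, decoded native bytes) for each \\object group in the RTF."""
    found = []
    for group in rtf.split(b"\\object")[1:]:      # "\objclass" / "\objdata" do not match this split
        cls = OBJCLASS_RE.search(group)
        data = OBJDATA_RE.search(group)
        if not data:
            continue
        hexdata = re.sub(rb"\s", b"", data.group(1))
        try:
            blob = bytes.fromhex(hexdata.decode("ascii"))
        except ValueError:
            continue                              # odd length or bad hex: skip, do not crash
        found.append((cls.group(1).strip().decode("latin-1") if cls else "", blob))
    return found

def looks_like_pe(blob: bytes) -> bool:
    """The OLE1 wrapper precedes the payload, so search for MZ..PE or the DOS stub string."""
    mz = blob.find(b"MZ")
    return DOS_STUB in blob or (mz >= 0 and b"PE\0\0" in blob[mz:])

def scan_rtf(rtf: bytes):
    """Return [(objclass, native size, suspicious)] for every embedded object."""
    return [(cls, len(blob), looks_like_pe(blob)) for cls, blob in extract_objects(rtf)]

def ole1_package(payload: bytes) -> bytes:
    """Wrap bytes in a minimal OLE1 'Package' header (constructed for the sample only)."""
    return (b"\x01\x05\x00\x00\x02\x00\x00\x00" + struct.pack("<I", 8) + b"Package\0"
            + b"\0" * 8 + struct.pack("<I", len(payload)) + payload)

# Constructed sample: one fake PE wrapped as a Package object, one benign OLE compound object.
FAKE_EXE = b"MZ\x90\x00" + b"\0" * 60 + DOS_STUB + b"\0" * 8 + b"PE\0\0" + b"\0" * 16
SAMPLE_RTF = (b"{\\rtf1\\ansi Complaint document\\par "
              b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
              + ole1_package(FAKE_EXE).hex().encode() + b"}}"
              b"{\\object\\objemb{\\*\\objclass Word.Document.8}{\\*\\objdata "
              + (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 24).hex().encode() + b"}}}")

if __name__ == "__main__":
    for cls, size, bad in scan_rtf(SAMPLE_RTF):
        print(f"{cls or '<no class>'}: {size} bytes, {'EMBEDDED EXECUTABLE' if bad else 'ok'}")
```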



© Copyright 2008 Trend Micro Inc. All rights reserved.