Hard-to-detect PE_VIRUT variants, with their entry point obscuring (EPO) techniques, created quite a buzz last April. Before PE_VIRUT stole the scene, however, there was another file infector that did not make as much noise as PE_VIRUT but has an infection routine that rivals Virut's in complexity. Detected in the wild last February, PE_DARKSNOW employs enough old, new, and borrowed tactics to keep threat analysts on their toes. Read more about this file infector here.
Archive for May, 2007
MS Office alternatives are becoming attractive to many users because of their competitive pricing and because they are not targeted as heavily by attackers looking for application holes.
Microsoft is continually under fire because of vulnerabilities found in its products. However, malware authors can also hound lesser-known Microsoft rivals, as evidenced by recent infections by a Visual Basic script that targets Sun Microsystems' office suite StarOffice (also known as StarSuite in some countries). This VBScript drops a malicious JavaScript, an Internet Relay Chat (IRC) script file, and a worm on affected systems. Trend Micro detects it as VBS_BADBUN.A; it affects Windows, Mac, and Linux systems with StarOffice installed. The name BADBUN comes from an image displayed by one of its dropped files, which shows a person wearing a bunny costume.
The dropped files are detected by Trend Micro as:
- JS_BADBUN.A - dropped JavaScript
- IRC_BADBUN.A - dropped .BAD file that replaces a legitimate mIRC file
- WORM_BADBUN.A - dropped worm
The malicious JavaScript and IRC files ensure the spread of this malware "wagon" over the Internet, while the worm provides spreading capability via other vectors.
Aside from dropping files, the VBScript launches a distributed denial of service (DDoS) attack using the ping method against antimalware-related Web sites, including the Trend Micro site.
It is a very Bad Bunny indeed.
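The ping-based DDoS described above is the kind of behaviour a network-side check can catch, because an infected host has to emit ICMP echo requests at a rate no user generates. The following Python is an added example, not code from the original post or from Trend Micro: it parses a constructed, hypothetical firewall log format (timestamp, proto, ICMP type, src, dst; not any vendor's real format), counts echo requests per source/destination pair in one-second buckets, and flags pairs whose peak count reaches a threshold. The sample hosts, the log format, the bucket size and the threshold are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Hypothetical log line shape, e.g.
#   2007-05-14T10:00:00.025000 proto=ICMP type=8 src=192.0.2.10 dst=198.51.100.5
# The "type=" field is only present for ICMP records.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+)(?: type=(?P<type>\d+))? "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$"
)

EPOCH = datetime(1970, 1, 1)


def make_sample_log():
    """Construct a small synthetic log. The traffic is invented for this example."""
    t0 = datetime(2007, 5, 14, 10, 0, 0)
    lines = []
    # Flooder: 120 echo requests at 25 ms spacing, i.e. 40 per second for 3 s.
    for i in range(120):
        ts = t0 + timedelta(milliseconds=25 * i)
        lines.append(f"{ts.isoformat()} proto=ICMP type=8 src=192.0.2.10 dst=198.51.100.5")
    # Benign host: five pings spread over a minute (a normal diagnostic).
    for i in range(5):
        ts = t0 + timedelta(seconds=12 * i)
        lines.append(f"{ts.isoformat()} proto=ICMP type=8 src=192.0.2.20 dst=198.51.100.7")
    # Busy TCP client and the echo replies coming back to the flooder: both ignored.
    for i in range(200):
        ts = t0 + timedelta(milliseconds=30 * i)
        lines.append(f"{ts.isoformat()} proto=TCP src=192.0.2.30 dst=198.51.100.9")
    for i in range(100):
        ts = t0 + timedelta(milliseconds=50 * i)
        lines.append(f"{ts.isoformat()} proto=ICMP type=0 src=198.51.100.5 dst=192.0.2.10")
    return lines


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["type"] = int(rec["type"]) if rec["type"] is not None else None
    return rec


def find_ping_floods(lines, window_seconds=1, threshold=20):
    """Return {(src, dst): peak_count} for pairs whose ICMP echo-request count
    in any single window_seconds bucket reaches threshold."""
    buckets = Counter()
    for line in lines:
        rec = parse_line(line)
        # Only ICMP echo requests (type 8) count; replies and other protocols do not.
        if rec is None or rec["proto"] != "ICMP" or rec["type"] != 8:
            continue
        seconds = (rec["ts"] - EPOCH).total_seconds()
        bucket = int(seconds) // window_seconds
        buckets[(rec["src"], rec["dst"], bucket)] += 1

    peaks = {}
    for (src, dst, _), n in buckets.items():
        key = (src, dst)
        if n > peaks.get(key, 0):
            peaks[key] = n
    return {k: v for k, v in peaks.items() if v >= threshold}


if __name__ == "__main__":
    for (src, dst), peak in find_ping_floods(make_sample_log()).items():
        print(f"ping flood: {src} -> {dst}, peak {peak} echo requests/second")
```

Running the block flags only the 192.0.2.10 to 198.51.100.5 pair, at 40 requests per second; the benign host never exceeds one per bucket, and the echo replies and TCP records are skipped. The bucket-and-peak approach is deliberately simple so it can run over a log dump; a live deployment would additionally want the list of protected destinations (here, the antimalware vendors' sites) and an alert path.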
Another Symbian Series 60 malware is making the rounds on the World Wide Web, making itself available for download from an unnamed FTP site. SYMBOS_VIVER.A poses as an installer for a photo editor, a video codec, or an Internet tool for mobile phones, ensuring its "downloadability". Once executed and installed on the affected phone, it sends SMS messages to a certain premium number every 15 seconds.
There is nothing new in this Symbian malware, which has the same routine as J2ME_REDBROW.A. However, SYMBOS_VIVER.A takes off where J2ME_REDBROW.A left off: profit via direct execution of its routine. With J2ME_REDBROW.A, users must agree to send a message. In SYMBOS_VIVER.A, automatic sending ensures automatic profit for its creators.
Though this capability is alarming, it is worth noting that Symbian malware has never made a significant impact on users and that propagation via Bluetooth between mobile phones is not a sure way of mass-spreading. However, this malware's author(s) have posted it to the Internet, and downloading can boost its spread.
Pirates of the Caribbean spun a yarn with Admiral Becket always being two steps behind the half-drunk swagger of Captain Jack Sparrow. This reel-life story is actually a good metaphor for real-life software piracy: pirates elude authorities, prompting bigwigs like Microsoft to initiate efforts such as Windows Genuine Advantage (WGA) in Windows XP and Vista. The bad guys are turning the tables, though. A Trojan spyware detected by Trend Micro as TSPY_KARDPHISH.A is using WGA to phish for credit card information.
Once installed on a system, it displays the following prompt to activate Windows:

If the user clicks Yes, it then displays these fields to get the user to reveal credit card information:

It gets nasty if the user does not enter the required information: the spyware shuts down the computer.
This technique is reminiscent of another spyware that hit systems early this month and also used a known Windows feature to steal personal finance-related information. It looks like spyware has found a new window of opportunity in Windows.
Spyware Ahoy!
Cellphones have evolved into the proverbial nerve centers of our social (and even work) lives. The information they hold is a virtual fingerprint of our interactions with other people, sensitive information that can be used against us if a malicious user gets hold of it. This scenario may not be too far off the mark.
Trend Micro detects a spyware produced by Retina-X Studios as SPYW_RETRINAX.A (also known as WINCE_RETRINAX.A). This spyware is designed to run on Windows CE, the Microsoft OS for Pocket PC devices. It monitors calls and SMS/text messages sent and received by the affected user. The information it gathers is then sent to a server, where it can be viewed later. While this spyware is not a malicious application per se, it can be installed on a mobile device by someone with ill intent, without the owner's consent.
This spyware is already included in the latest Trend Micro pattern files.