Archive for June, 2007


Jun26
by Joseph Cepe (Threats Analyst)

TSPY_MAHA.S is a keylogger Trojan spy that uploads captured information to a certain site. I tested one of the URLs accessed by the keylogger to check whether it was still up.

http://in-2-[BLOCKED]eb2.com/img/parse.php

The URL displayed nothing, which was a good sign that it was still up; no error messages were returned. Testing further, by simply removing “parse.php” from the URL, I wanted to see whether I could find more information.

http://in-2-[BLOCKED]eb2.com/img/

maha_1.JPG

To my surprise, directory listing is enabled! From here, you can either download the whole archive (archive_5f4a8.tar.gz) or just browse through the logged keystrokes in the folder “Logs”.

maha_2.JPG

The malware used the format _ of the infected machine/account where logged keystrokes are found.

Browsing further inside, the log files are named in the format DD_MM_YYYY.html, which corresponds to the actual date the log file was posted to the server.

maha_3.JPG

Various types of logged keystrokes (such as bank accounts, Yahoo! and MSN accounts, PayPal accounts, and email conversations) were found inside the folders, which I believe are still active and whose passwords have not been changed.
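The upload path and the log-file naming scheme described above are the kind of traffic pattern a proxy log can be searched for. The following is an added example, not code from the post or from Trend Micro: it runs a small detector over constructed Squid-style proxy log lines (not real data) and flags hosts that POST to the keylogger's upload script or fetch one of the DD_MM_YYYY.html logs. The drop-site hostname is a placeholder standing in for the blocked domain, and the log layout is assumed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines in a Squid-like layout
# (timestamp client method url status bytes). Not real data; the
# drop-site host is a placeholder standing in for the blocked domain.
SAMPLE_LOG = """\
1182800001.123 10.0.0.5 GET http://www.example.com/index.html 200 5120
1182800002.456 10.0.0.7 POST http://in-2-BLOCKED-eb2.invalid/img/parse.php 200 312
1182800003.789 10.0.0.7 POST http://in-2-BLOCKED-eb2.invalid/img/parse.php 200 298
1182800004.000 10.0.0.9 GET http://in-2-BLOCKED-eb2.invalid/img/Logs/26_06_2007.html 200 9876
1182800005.111 10.0.0.5 GET http://www.example.com/images/logo.png 200 2048
"""

LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)
# Upload endpoint the keylogger posts to (the post's /img/parse.php path).
EXFIL_PATH = re.compile(r"/img/parse\.php$")
# Harvested log files are named DD_MM_YYYY.html inside a Logs folder.
LOG_FILE = re.compile(r"/Logs/(?P<dd>\d{2})_(?P<mm>\d{2})_(?P<yyyy>\d{4})\.html$")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Map each client IP to the reasons its traffic matched the drop-site patterns."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["url"]).path
        if rec["method"] == "POST" and EXFIL_PATH.search(path):
            # An infected host pushing captured keystrokes to the drop site.
            hits[rec["client"]].append("POST to keylogger upload path")
        m = LOG_FILE.search(path)
        if m:
            # Someone (the operator, or a curious analyst) reading a harvested log.
            date = f"{m['yyyy']}-{m['mm']}-{m['dd']}"
            hits[rec["client"]].append(f"fetch of harvested log dated {date}")
    return dict(hits)


if __name__ == "__main__":
    for client, reasons in find_suspicious(SAMPLE_LOG).items():
        print(client)
        for reason in reasons:
            print("   ", reason)
```

The POST rule is the one that matters on a corporate network: a workstation posting to parse.php is the infected machine, while a GET of a Logs file shows only that someone browsed the listing.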

 
Posted in Security

Jun25

If you need to download a Shockwave player to view some animation-laden, rich multimedia content on the web, you’d probably download the player from one of the two websites depicted below. Question: from which one are you going to download?


AdobeFakeWeb.jpg


AdobeRealWeb.jpg



We’ve raised this question because of a new report regarding a fake Adobe Shockwave Player download site. Yes, one of the websites depicted above is a fake, supposedly hosting a Trojan that Trend detects as TROJ_DROPPER.HRZ. So instead of installing Shockwave Player, the unsuspecting user would end up installing a Trojan and compromising his system. As for their social engineering tactic, the perpetrators behind this malware take advantage of the ordinary user’s naiveté. The apparent likeness of the fake website to the real one is aimed at capturing the user’s trust and luring him into clicking that download link. Furthermore, it tries to stop the user from viewing the page’s HTML source, although only in a limited way: the fake website contains JavaScript code that denies access to the context (popup) menu by disabling the right mouse click. However, the HTML source can still be viewed by selecting View and then Source from the main menu in Internet Explorer.


DisableCode.jpg


Similar incidents have happened in the past, most recently a fake WinRAR download site. Just in case you’re still wondering which one is the fake website, it’s the one at the top.

 
Posted in Security

Jun25
by Carolyn Guevarra (Technical Communications)

While the recent Italian Job uproar has still yet to settle down, a new attack is trying to cause a stir again in Italy. This time, it is a spam attack. It seems the Web bullies are not about to back down on Italy just yet. The malicious email capitalizes on the much-awaited releases of Harry Potter’s next book and movie installment, which are both scheduled for this July. The email message promotes the next Harry Potter movie, saying that clicking the attachment gives recipients a chance to win two seats to the movie premiere. However, instead of getting movie passes, users who click on the attachment get an HTTP downloader.

Based on initial analysis by Senior AV researcher David Sancho, this malware connects to a malicious Web site to download other malware onto the affected user’s computer. Trend Micro detects this downloader as TROJ_DLOADER.NKY. The promotion is said to be only for Italy, which indicates that the attack is yet again targeted at that region. But regardless of where the attack is targeted, users should be wary of this email message. TrendLabs is currently working on an in-depth analysis of this new threat. Updates to be posted soon.

Update: Here is the snapshot of the email.

Harry_Potter.JPG

 
Posted in Security

Jun22
by Ryan Flores (Advanced Threats Researcher)

Be careful when searching for porn sites: you may get other forms of “malicious” content that are definitely undesirable.

Just a few days after the infamous Italian Job malware, Trend Micro found another one with a similar modus operandi, but instead of hacked Italian web sites, the infection chain starts on certain pornographic sites.


The pornographic sites, which tend to specialize in incestuous content, have obfuscated IFRAME code appended at the end of the HTML code. This IFRAME redirects to another domain that serves a script file to download a copy of TROJ_AGENT.QMN. Right now, we are not sure whether the porn sites were compromised to host the IFRAMEs, were created to do so, or are being paid to host them.

mpack_html.JPG

The detections for web pages containing the obfuscated IFRAME code, as well as for the script file that downloads TROJ_AGENT.QMN, are still being created as of this writing.
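Both the fake Shockwave page (which blocks the right-click menu to hinder viewing the source) and the pages in this post (an obfuscated IFRAME appended after the end of the HTML) leave indicators in the page text that a crawler or mail gateway can look for. The following is an added example, not Trend Micro's detection logic or anything from the posts: a small Python scanner that flags context-menu-disabling script, anything placed after the closing `</html>` tag, and hidden (0x0 or invisible) IFRAMEs, including ones that only appear after undoing JavaScript `unescape()` encoding. The three sample pages are constructed; the hostnames in them are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample pages (not captured from the sites in the posts).
# 1) A lookalike download page whose script blocks the context menu.
FAKE_DOWNLOAD_PAGE = """<html><head><title>Shockwave Player</title>
<script type="text/javascript">
document.oncontextmenu = function () { return false; };
</script></head>
<body><a href="shockwave_setup.exe">Download now</a></body></html>"""

# 2) An otherwise ordinary page with an obfuscated script appended after
#    </html>; the percent-encoded string decodes to a 0x0 <iframe>.
INJECTED_PAGE = """<html><body><p>gallery</p></body></html>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64%2F%22%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E'))</script>
"""

# 3) A benign page with a normal, visible iframe.
CLEAN_PAGE = """<html><body><p>hello</p>
<iframe src="https://example.invalid/widget" width="300" height="200"></iframe>
</body></html>
"""

CONTEXTMENU = re.compile(r"oncontextmenu\s*=|event\.button\s*==\s*2", re.I)
OBFUSCATION = re.compile(
    r"\bunescape\s*\(|String\.fromCharCode\s*\(|\beval\s*\(|(?:%[0-9a-f]{2}){8,}", re.I
)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
# width=0 / height=0 / hidden styling on the tag itself.
HIDDEN_ATTR = re.compile(
    r"\b(?:width|height)\s*=\s*['\"]?0+['\"]?(?=[\s/>])|visibility\s*:\s*hidden|display\s*:\s*none",
    re.I,
)


def decode_layer(text):
    """Undo what JS unescape() would do: %uXXXX and %XX sequences."""
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)


def scan_html(html):
    """Return a list of indicator names found in the page (empty for a clean page)."""
    findings = []

    def add(f):
        if f not in findings:
            findings.append(f)

    if CONTEXTMENU.search(html):
        add("context-menu disabled by script")

    # Anything after the closing </html> tag is out of place; the injected
    # pages described in the post carried their IFRAME there.
    end = re.search(r"</html\s*>", html, re.I)
    trailer = html[end.end():].strip() if end else ""
    if trailer:
        if OBFUSCATION.search(trailer):
            add("obfuscated script after </html>")
        if IFRAME_TAG.search(trailer + "\n" + decode_layer(trailer)):
            add("iframe after </html>")

    # Look for hidden iframes both in the raw page and in its decoded form.
    layers = [html]
    decoded = decode_layer(html)
    if decoded != html:
        layers.append(decoded)
    for layer in layers:
        for tag in IFRAME_TAG.finditer(layer):
            if HIDDEN_ATTR.search(tag.group(0)):
                add("hidden iframe: " + tag.group(0))
    return findings


if __name__ == "__main__":
    for name, page in [("fake download page", FAKE_DOWNLOAD_PAGE),
                       ("injected page", INJECTED_PAGE), ("clean page", CLEAN_PAGE)]:
        print(name, "->", scan_html(page) or "no indicators")
```

The "after `</html>`" check is deliberately crude: it does not matter what the appended script does, only that well-formed pages end at the closing tag, so a non-empty trailer is worth a look even when the decoder cannot unpack it.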

This particular attack uses the toolkit MPack v0.86, the same one used in the Italian Job attack, and, despite only having 197 domains with IFRAMEs (compared to the Italian Job’s 10,000++ domains), it was able to infect twice as many as the Italian Job.

This attack most likely went online sometime last week, around June 17, based on Trend Micro’s World Virus Tracking Center.


Update: The pages containing the obfuscated IFRAME code will now be detected as HTML_IFRAME.CV and the file that downloads TROJ_AGENT.QMN will be detected as JS_DLOADER.NUF. You may now view the reports for these malware in our Virus Encyclopedia.

 
Posted in Uncategorized

Jun20
by Jasper Pimentel (Advanced Threats Researcher)

A pair of proof-of-concept (POC) code files for a cross-site scripting (XSS) exploit involving Yahoo Mail was discovered recently. The POC code comprises two components. The first component is a CGI script directly responsible for the exploit, while the second component acts as a module that generates a URL string which, as we’ll see later on, is critical in the execution of the exploit.

Here’s how the exploit works. The first component (which is written in Perl) is installed on a web server. This code is supposed to execute whenever a user visits a web page hosted on that server. The second component then takes the path of the CGI script on the web server and appends a Yahoo URL string to it, generating an entirely new URL. This URL can be sent to an unsuspecting user through an innocent-looking email or YM message. When the user clicks on the URL, his Yahoo account becomes compromised.

Fortunately this piece of POC code does nothing but display an email from the user’s inbox on a web page outside Yahoo’s domain. Despite its limited functionality, the POC code has made its point: the user’s web mail account can be easily compromised by a simple click on a link. Trend detects the pair of POC exploits as EXPL_YAHOXSS.A.
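What makes a link like the one above work is a page that reflects part of the URL into its own HTML unencoded. As an added example (not the POC, not Yahoo's code, and not from the post), the following Python shows a deliberately vulnerable render function beside its hardened counterpart, using a constructed link to a placeholder webmail host with a parameter name (`msg`) that is assumed, and a small self-check a test suite can run over rendered output.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed link of the kind a victim might receive: the 'msg' parameter
# carries markup instead of text. The host is a placeholder, not Yahoo's.
PAYLOAD = "<script>alert(1)</script>"
SAMPLE_LINK = "https://webmail.example.invalid/view?" + urlencode({"msg": PAYLOAD})

ACTIVE_CONTENT = re.compile(r"<script\b|\bon\w+\s*=|javascript:", re.I)


def reflected_param(url, name):
    """Pull one query parameter out of a URL (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    """Deliberately vulnerable: the parameter is reflected into the page verbatim,
    so any markup in the link becomes part of a page served from the site's own origin,
    where it runs with that origin's cookies and session."""
    return "<p>" + reflected_param(url, "msg") + "</p>"


def render_hardened(url):
    """Fixed version: HTML-encode the value before it lands in the document.
    quote=True also escapes quotes, so the value is safe inside attribute values."""
    return "<p>" + html.escape(reflected_param(url, "msg"), quote=True) + "</p>"


def contains_active_content(rendered):
    """Cheap self-check for script tags, event handlers or javascript: URLs in output."""
    return ACTIVE_CONTENT.search(rendered) is not None


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_LINK))
    print("hardened:  ", render_hardened(SAMPLE_LINK))
```

Encoding has to match the context the value lands in: `html.escape` is right for element text and quoted attributes, but a value placed inside a `<script>` block or a URL needs JavaScript-string or URL encoding instead. A Content-Security-Policy header that disallows inline script is a worthwhile second layer because it limits the damage when one reflection point is missed.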

 
Posted in Uncategorized


© Copyright 2008 Trend Micro Inc. All rights reserved.