
Archive for July, 2007


Jul20
by Jasper Pimentel (Advanced Threats Researcher)

The year is already halfway through, and June was quite a busy month, filled with malware in disguise, compromised websites and a couple of application vulnerabilities. One of the highlights of the month was the attack on legitimate Italian websites through the use of web threat toolkits.





Notable Malware:


TROJ_PROXY.AFV. This Trojan arrives in spammed email whose subject and body are taken from real news headlines, unlike most spam, which relies on bogus events to capture the user's attention. This calls to mind the WORM_NUWAR tactic of parsing news websites to gather keywords for the email it sends out.


TROJ_AGENT.JPO. Last May we saw malware that strengthened its social engineering by posing as a Microsoft Security Console. This June brought a similar case in TROJ_AGENT.JPO, which arrives in spammed email disguised as a Microsoft Security Update.


TROJ_STARTPA.QC and TROJ_DROPPER.HRZ. Both are hosted on websites made to look like the download pages for WinRAR and Adobe Shockwave Player, respectively. The Trojans do not download themselves onto the user's system; the user has to fetch and run them. But the look and feel of a trusted website removes any doubt on the user's part that the download might be malicious, which makes the lure as effective as any technical exploit. Crafting a message or a webpage in the likeness of trusted sources and institutions is fast becoming the norm in malware social engineering.



Web Threats: Compromised Websites


NEFCC Website Compromised. This website belongs to the Nigerian Economic and Financial Crime Commission, a law enforcement agency that investigates terrorism, cybercrime, scams and financial fraud in its region. The site was compromised this June, and visitors had several Trojans installed on their systems simply by viewing the front page. The case is interesting because the compromised site belongs to an organization that investigates cybercrime; it is quite possible that cybercriminals are retaliating against such institutions.


Another Italian Job. More than 3,000 Italian websites were compromised this June, reminiscent of the Linkoptim attack earlier this year. Legitimate websites were hacked and their HTML modified to include an IFRAME tag that loads a malicious website in the background, which in turn downloads Trojans onto the visitor's system. The number of sites hit in such a short time is due primarily to MPACK, a web threat toolkit: the injected IFRAMEs led to servers running the kit, which serves browser exploits to the visitors redirected to it. Several days after the initial attack, more web threat toolkits were uncovered as well.
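As an added example (not code from the original post), here is a small Python check for the kind of injection described above: it parses a page's HTML, picks out IFRAME tags that the visitor cannot see (zero or one-pixel size, or hidden via CSS) and that load content from a host other than the page's own, and returns their sources. The two pages and every hostname in the block are constructed for the example.

```python
# Added example: detect hidden, off-site IFRAMEs of the kind injected into
# compromised pages.  Sample pages and hostnames below are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; bare attributes have value None
        if tag == "iframe":
            self.frames.append({name: (value or "") for name, value in attrs})


def _at_most_one_pixel(dimension):
    """True for width/height values such as "0", "0px" or "1" (a 1x1 frame is as good as hidden)."""
    m = re.match(r"\s*(\d+)", dimension)
    return m is not None and int(m.group(1)) <= 1


def is_hidden(frame):
    """A frame the visitor never sees: CSS-hidden, or at most one pixel in both dimensions."""
    style = frame.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _at_most_one_pixel(frame.get("width", "")) and _at_most_one_pixel(frame.get("height", ""))


def suspicious_iframes(html, page_url):
    """Return the src of each hidden iframe whose content comes from another host."""
    page_host = (urlparse(page_url).hostname or "").lower()
    collector = IframeCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for frame in collector.frames:
        src = frame.get("src", "")
        src_host = (urlparse(src).hostname or "").lower()
        # Relative or same-host sources are left alone; a hidden frame pulling
        # content from a foreign host is what an injected redirector looks like.
        if src_host and src_host != page_host and is_hidden(frame):
            hits.append(src)
    return hits


# Constructed sample: a legitimate page and the same page after injection.
LEGIT_PAGE = """<html><body><h1>Benvenuti</h1>
<iframe src="http://www.example.it/news.html" width="600" height="400"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body><h1>Benvenuti</h1>
<iframe src="http://www.example.it/news.html" width="600" height="400"></iframe>
<iframe src="http://exploit-kit.example.net/in.cgi?id=1" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://counter.example.org/c.php" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(suspicious_iframes(LEGIT_PAGE, "http://www.example.it/"))
    # -> []
    print(suspicious_iframes(INJECTED_PAGE, "http://www.example.it/"))
    # -> ['http://exploit-kit.example.net/in.cgi?id=1', 'http://counter.example.org/c.php']
```

The check is deliberately narrow: a visible frame, or a hidden frame that stays on the site's own host, is not reported, so the output is a short list worth a human look rather than every iframe on the site. Attackers also hide frames by positioning them off-screen or by writing the tag from obfuscated JavaScript; the former needs a CSS check on position and coordinates, the latter a rendering engine, so treat this as a first pass over static HTML.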



Vulnerabilities


Yahoo! Messenger Webcam Vulnerabilities and Exploits. Two vulnerabilities in Yahoo! Messenger's webcam feature were discovered this month. A few days after the disclosure, exploit code was already in the wild, downloading Trojans onto the system once the vulnerability was triggered. Fortunately, Yahoo! released an update for the application that patches the vulnerabilities.


Safari 3 for Windows. Apple released Safari 3, the first version of its browser for Windows, as a beta this June. Within hours of the release, several security researchers reported vulnerabilities that could allow remote code execution and denial of service. Safari 3 is still in beta, and it is likely that Apple will release another build to address the vulnerabilities.






So that's it for the month of June. There are still six months to go in 2007, and chances are the new things we saw this month will turn up again before the year is out.


Jul19
by Jasper Pimentel (Advanced Threats Researcher)

Users who chat on several instant messaging networks may be familiar with Trillian, a multi-protocol IM client that connects to services such as AIM, Yahoo!, and Windows Live Messenger.

Recently, a couple of vulnerabilities were discovered in how this IM client processes certain URIs, the protocol schemes that the client registers with Windows so that browsers and mail clients hand matching links to it. The first vulnerability can be exploited to execute a potentially malicious file on the user's system automatically; the second can be used to cause a buffer overflow. To prevent the attack, it is recommended that URI handlers which are not needed be unregistered.
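To act on that advice you first need to know which URI schemes are registered on the machine and which program each one launches. The following is an added Python example, not code from the original post or from Trillian: it reads a regedit export (for instance one produced with `reg export HKCR hkcr.reg`, which is UTF-16 text) and lists every scheme that carries a "URL Protocol" value together with its shell\open\command, then picks out the handlers that are not on an allow list. The registry text below is constructed; "ExampleIM" and the scheme names are placeholders.

```python
# Added example: list URL protocol handlers from a regedit (.reg) export so that
# unneeded schemes can be unregistered.  The export text below is constructed;
# "ExampleIM" and the scheme names are placeholders, not real products.
import re

# [HKEY_CLASSES_ROOT\<scheme>] or [HKEY_CLASSES_ROOT\<scheme>\shell\open\command].
# Per-user handlers live under HKEY_CURRENT_USER\Software\Classes, which HKCR merges in.
KEY_RE = re.compile(
    r"^\[(?:HKEY_CLASSES_ROOT|HKEY_CURRENT_USER\\Software\\Classes)\\([^\\\]]+)(\\[^\]]*)?\]$",
    re.IGNORECASE,
)
COMMAND_SUBKEY = "\\shell\\open\\command"


def _unquote(value):
    """Strip the quotes of a .reg string value and undo its \\\\ and \\" escapes."""
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    return re.sub(r'\\(["\\])', r"\1", value)


def url_protocol_handlers(reg_text):
    """Return {scheme: command or None} for every key marked with a "URL Protocol" value."""
    handlers = {}
    commands = {}
    scheme = subkey = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            scheme = m.group(1).lower()
            subkey = (m.group(2) or "").lower()
            continue
        if scheme is None:
            continue
        if subkey == "" and line.lower().startswith('"url protocol"='):
            handlers.setdefault(scheme, None)      # this value is what marks the key as a URI scheme
        elif subkey == COMMAND_SUBKEY and line.startswith("@="):
            commands[scheme] = _unquote(line[2:])  # %1 here is the attacker-controlled URI
    for scheme in handlers:
        handlers[scheme] = commands.get(scheme)
    return handlers


def unneeded_handlers(handlers, needed):
    """Schemes to unregister: everything not on the allow list, plus handlers with no command."""
    return sorted(s for s, cmd in handlers.items() if s not in needed or cmd is None)


# Constructed export: a file type (not a URI scheme), two schemes handled by a
# placeholder IM client, and a stale scheme whose handler command is gone.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\aim]
@="URL:AIM Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\aim\shell\open\command]
@="\"C:\\Program Files\\ExampleIM\\im.exe\" \"%1\""

[HKEY_CLASSES_ROOT\ymsgr]
@="URL:Yahoo! Messenger"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\ymsgr\shell\open\command]
@="\"C:\\Program Files\\ExampleIM\\im.exe\" \"%1\""

[HKEY_CLASSES_ROOT\oldchat]
@="URL:Old chat client"
"URL Protocol"=""
'''

if __name__ == "__main__":
    found = url_protocol_handlers(SAMPLE_REG)
    for scheme, command in found.items():
        print(f"{scheme}: {command}")
    print(unneeded_handlers(found, needed={"ymsgr"}))   # -> ['aim', 'oldchat']
```

Every scheme the report lists is a way for a web page or email to hand a string of its choosing to the program in the command line, so anything you do not use is a candidate for `reg delete "HKCR\<scheme>" /f` (export the key first so it can be restored). Because HKCR is a merged view, check for a per-user copy under HKCU\Software\Classes as well, and expect the application to re-register its schemes the next time it runs or is updated.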


Jul19
by Carolyn Guevarra (Technical Communications)

Towards the end of 2006 we saw a dramatic rise in image spam as spammers kept trying to bypass spam-filtering tools. This forced antispam appliances to improve their detection capabilities, which in turn reduced the volume of image-based spam in recent months. That did not stop spammers from refining their own tactics, though.

What came next was PDF-based spam, which proved effective for spammers because the format is expensive to filter and because, traditionally, PDF files were rarely associated with spam or malware, so very few filters examined them at all. Of course, a PDF carries its text as text, and it was not long before spam filters learned to extract and detect it. So spammers thought, "Why not use both PDF and JPEG to send out spam?" Lo and behold, JPEG-embedded-in-PDF spam emerged. This spells double trouble for users, because this kind of spam bypasses most antispam appliances, which usually lack the processing power needed to decode images, much less images wrapped inside a PDF file. Trend Micro, however, addresses this problem through its Spam Prevention Solution, which includes image spam detection technology.

Based on a report received by TrendLabs, the said spam carries forged sender addresses, which most likely indicates that it is distributed by bot machines. The samples carry no malicious payload, but it would not be surprising to see malware authors try a PDF + JPEG + malware combination in the near future. Rest assured, Trend Micro continuously provides cutting-edge approaches to protect users and organizations as these kinds of threats evolve.
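As an added example (not from the original post, and not Trend Micro's detection technology), the Python below shows the shape of a filter-side heuristic for this kind of spam. It walks the objects of a PDF, counts image XObjects (a /DCTDecode filter means an embedded JPEG) and text-showing operators in the content streams, and flags a document that draws pictures but never shows a single character of text. The two PDFs it runs on are constructed inside the block, the image payload is a stub rather than a real JPEG, and the decision rule is illustrative.

```python
# Added example: triage heuristic for JPEG-in-PDF spam.  Both PDFs below are
# constructed minimal documents; the JPEG payload is a stub, not a real image.
import re
import zlib

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Text-showing operators of the PDF content language: Tj, TJ, ' and "
TEXT_OP_RE = re.compile(rb"(?<![A-Za-z0-9])(?:Tj|TJ|'|\")(?![A-Za-z0-9])")


def pdf_objects(data):
    """Yield (dictionary bytes, decoded stream bytes or None) for each indirect object."""
    for m in OBJ_RE.finditer(data):
        body = m.group(1)
        s = STREAM_RE.search(body)
        if not s:
            yield body, None
            continue
        header, stream = body[: s.start()], s.group(1)
        if b"/FlateDecode" in header:
            try:
                stream = zlib.decompress(stream)
            except zlib.error:
                stream = b""          # corrupt stream: treat it as carrying no text
        yield header, stream


def analyze_pdf(data):
    """Count image XObjects, embedded JPEGs and text-showing operators."""
    stats = {"images": 0, "jpegs": 0, "text_ops": 0}
    for header, stream in pdf_objects(data):
        if re.search(rb"/Subtype\s*/Image", header):
            stats["images"] += 1
            if b"/DCTDecode" in header:
                stats["jpegs"] += 1
        elif stream is not None and not re.search(rb"/(?:Type|Subtype)\b", header):
            # In a simple file an untyped stream is a page (or form) content stream.
            stats["text_ops"] += len(TEXT_OP_RE.findall(stream))
    return stats


def looks_like_image_spam(data):
    """Flag a PDF whose pages draw at least one image and never show any text."""
    stats = analyze_pdf(data)
    return stats["images"] > 0 and stats["text_ops"] == 0


# --- constructed test documents ---------------------------------------------
def _stream_obj(dictionary, data, compress=False):
    if compress:
        data = zlib.compress(data)
        dictionary += b" /Filter /FlateDecode"
    return b"<< " + dictionary + b" /Length %d >>\nstream\n" % len(data) + data + b"\nendstream"


def build_pdf(objects):
    """Assemble numbered object bodies into a PDF with a cross-reference table."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for number, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % number + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref_at)
    return bytes(out)


_CATALOG = b"<< /Type /Catalog /Pages 2 0 R >>"
_PAGES = b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"   # SOI ... EOI markers only

# Spam-shaped: one full-page JPEG and no text at all.
IMAGE_SPAM_PDF = build_pdf([
    _CATALOG, _PAGES,
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
    b"/Resources << /XObject << /Im0 5 0 R >> >> /Contents 4 0 R >>",
    _stream_obj(b"", b"q 612 0 0 792 0 0 cm /Im0 Do Q"),
    _stream_obj(b"/Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceRGB "
                b"/BitsPerComponent 8 /Filter /DCTDecode", FAKE_JPEG),
])

# Ordinary document: a line of text in a Flate-compressed content stream, no image.
TEXT_PDF = build_pdf([
    _CATALOG, _PAGES,
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
    b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
    _stream_obj(b"", b"BT /F1 12 Tf 72 720 Td (Quarterly statement attached) Tj ET", compress=True),
    b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
])

if __name__ == "__main__":
    print(analyze_pdf(IMAGE_SPAM_PDF), looks_like_image_spam(IMAGE_SPAM_PDF))   # images 1, text_ops 0, True
    print(analyze_pdf(TEXT_PDF), looks_like_image_spam(TEXT_PDF))               # images 0, text_ops 1, False
```

This is a triage check, not a parser: it does not look inside PDF 1.5 object streams or encrypted files, it treats every untyped stream as page content instead of following the page tree's /Contents, and a spammer can defeat the "no text" rule by adding a single invisible word. Its value is as a cheap pre-filter that decides which attachments deserve the expensive step the post describes, decoding the embedded image and running image-spam detection on it.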


Jul19
by Carolyn Guevarra (Technical Communications)

Part of malware authors' tactics for spreading their creations effectively is a sophisticated social engineering pitch, which usually centers on a recent and, more often than not, tragic event such as Hurricane Katrina or the Kyrill storm. As many attacks are now targeted, the pitch is also written in the local language. Such is the case for a new malware that takes advantage of a recent tragedy in Brazil.

Yesterday, a TAM airliner skidded off a runway at a Sao Paulo airport and crashed into a gas station and a TAM building, killing almost 200 passengers and employees. While the world mourns the loss of lives, cybercriminals are wasting no time in exploiting the tragedy to spread malware, steal information and profit from it. Trend Micro detects this malware as TROJ_BANLOAD.CGL.

According to initial analysis by TrendLabs Threat Analyst Jhoevine Capicio, this malware arrives in spammed email messages that carry news about the Brazilian tragedy and a link to a supposed video. Users who click the link are taken to a Web site, which appears to have been hacked by the malware author to host the Trojan, and are asked to run an EXE file (TROJ_BANLOAD.CGL). That Trojan in turn downloads spyware, which connects to an FTP site and uploads stolen information, mostly email addresses.

This Trojan also downloads the spyware TSPY_BANKER.JHR from another Web site. This Banload variant is reminiscent of last month's TROJ_BANLOAD.CZE, which likewise downloads a BANKER variant. Malware authors are still on the money trail.

Users are advised to be wary of email messages that claim to carry news or video of this tragedy.


Jul19
by Miray Lozada (Technical Communications)

Experts are raining on the parade of the gadget celebutante of the moment, Apple's iPhone. This week at least two reports surfaced claiming vulnerabilities in the iPhone that could open the door to malicious activity.


The Register described the iPhone as a "phisherman's friend" after a security company reported a possible hole in the iPhone's email client that can expose users to phishing Web sites: the client displays only the first few characters of a Web link, so the tail of a long, deceptive URL, where the real destination sits, is easily hidden.

Another possible hole is the way the iPhone ties its browser to its phone functions, which allows scam telephone numbers to be embedded in Web sites that unsuspecting users may be prompted to dial. eWeek.com also reports this vulnerability, citing SPI Labs' warning about letting the Safari browser dial telephone numbers on mobile devices. The security company clarifies that the bug it found is not exclusive to the iPhone and may also apply to Treo or Windows Mobile devices, but it chose to check the iPhone first. Note that on the iPhone a user can dial any phone number displayed on a Web page simply by tapping it. An attack like this can be launched from a malicious site, from a legitimate site through XSS, or as part of a malware payload.
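Both reports come down to the same gap between what a link shows and what it does. As an added example (not code from the original post, The Register or SPI Labs), the Python below checks the anchors of an HTML message or page for the two conditions: a visible link whose text names one host while its href goes to another, and a tel: link whose dialled number differs from the number shown. An optional display width models a client that shows only the first N characters of a link, which is how the truncation hole above turns an honest-looking URL into a deceptive one. The HTML, hostnames and phone numbers in the block are constructed.

```python
# Added example: compare what a link shows with where it really goes.  The
# HTML below is constructed; every hostname and phone number is a placeholder.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# The hostname a reader would pick out of link text, with scheme and "www." dropped.
HOST_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.IGNORECASE)


def digits(number):
    """Reduce a phone number to its digits so "0800 123 456" and "0800123456" compare equal."""
    return re.sub(r"\D", "", number)


def deceptive_links(html, display_width=None):
    """Return (kind, shown text, href) for links whose visible text misrepresents the target.

    display_width models a client that shows only the first N characters of a link,
    as the report above describes for the iPhone's mail client.
    """
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.anchors:
        shown = text if display_width is None else text[:display_width]
        target = urlparse(href)
        if target.scheme.lower() == "tel":
            # A tel: link dials target.path, whatever number the page displays.
            if digits(shown) and digits(shown) != digits(target.path):
                findings.append(("tel mismatch", shown, href))
            continue
        m = HOST_IN_TEXT.search(shown)
        if m and target.hostname:
            named = m.group(1).lower()
            real = target.hostname.lower()
            if real != named and not real.endswith("." + named):
                findings.append(("host mismatch", shown, href))
    return findings


SAMPLE_HTML = """
<p>Your account needs attention. Sign in at
<a href="http://bank-secure.example.net/login">www.bank.example.com</a>
or visit <a href="https://www.bank.example.com/">www.bank.example.com</a>.</p>
<p>Questions? Call <a href="tel:+5511999990000">0800 123 456</a>
or <a href="tel:+551122223333">+55 11 2222-3333</a>.</p>
<p><a href="http://www.bank.example.com.evil.example.net/login">http://www.bank.example.com.evil.example.net/login</a></p>
"""

if __name__ == "__main__":
    for finding in deceptive_links(SAMPLE_HTML):
        print(finding)          # the mislabelled bank link and the mislabelled tel: link
    for finding in deceptive_links(SAMPLE_HTML, display_width=30):
        print(finding)          # a 30-character view also flags the long URL as a host mismatch
```

The last anchor is the interesting one: its text is the honest, complete URL, so a client that shows the whole thing passes it, while a client that shows only thirty characters displays "http://www.bank.example.com.ev" and the check reports that the visible host is not the real one. The same comparison serves as a mail-filter rule, as a pre-render check in a client, or as a quick audit of a page suspected of carrying a dialler lure.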


These reports, however, are just a drizzle that will hardly stop the iPhone's march. The real downpour is yet to come.



© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice