
Archive for August, 2007


Aug22
by Mayee Corpin (Technical Communications)

Stock spam seems to be growing without end. Most recently, stock spam has arrived in such elaborate formats as PDF, XLS, FDF, and even highly obfuscated text meant to make spam filters’ jobs harder. This shows that spammers are putting much effort into packaging their messages to see which ones work best. This time, however, they seem to be going back to basics with new samples of stock spam such as this:

[Image: yahoo_stocks.gif]

The spammed email message contains only a link that points to a Yahoo! Finance page where stock information about a certain mobile solutions company is displayed.

[Image: yahoo_site.gif]

With the Yahoo! name involved, spammers are clearly aiming to lend more credence to the stock. Notably, the said page IS legitimate, according to Maria Estella Manly, a TrendLabs Antispam Research Engineer.

What users need to know, however, is that Yahoo! is not in the habit of sending out stock notices to promote certain companies, which may or may not be willing subjects of spam campaigns. Manly adds that there are no indications that either the link or the site contains malware; rather, this is just part of another pump-and-dump scam.
So unwitting users who have already clicked on the said link and been led to the site are not in actual danger of getting their machines infected, but they may be victimized nonetheless if they put their money into the company in question in the belief that buying its shares will prove profitable. Users need, as always, to exercise caution when dealing with financial matters, especially online. Perhaps they also need to remember that looks can be deceiving: even if stock spam has started looking less cluttered, it still poses a risk that is no less serious.

Posted in Spam

Aug22
by Roderick Ordoñez (Technical Communications)

TrendLabs has received reports of a malware strain that encrypts all files with the following extensions:

  • csv
  • doc
  • docx
  • mdb
  • mpl
  • pps
  • ppt
  • pptx
  • rar
  • rtf
  • txt
  • vsd
  • vst
  • xls
  • xlsx
  • zip

Then it drops a ransom note named README_ASAP.TXT:

Dear User,

Thank you for using our service.
We’ve recently inspected your system and found out many critical security holes.
It’s not a joke, and it bring out clearly that we were able to crypt all of your text files, documents, archives and data files.

For your security we did it before than someone else: hacker, virus or just stupid vandal.
In world, hijackers are hunting for your bank account, credit card information, or something valuable.
Now, even if they’ll hack your computer they steal nothing, because all of your important files are now crypted and secured. There is no technology or scientific method to crack this kind of encrypting in near future Unfortunatelly as like other job, our services cost money. Just only 150$ US dollars. It is worth much less than if you loose all your files.
We accept only Western Union, and we garantee that your’ll receive decrypting program with detailed manual in less than hour after we’d received your payment.
If you need your information back, just send an email to:

XXXXX@XXXXXXXXXXXXXXXX

and we’ll send you further instructions in 5 minutes.

Do not worry, you’ll get all back in hour after we get Western Union Transfer details. ONLY IN ONE HOUR!!!

We are sorry for your inconvenience, but better we and less, than somebody and more.

Q. I didn’t order your service and dont want to pay! I’ll go to police!
A. It’s up to you. If you belive they do it better, then do it.

Q. I am poor studentbankrupthousewife. I dont have money.
A. It’a sad to hear.

Q. I’ve sent an email to you for a discount.
A. Sorry, but we can’t answer to all our correspondents due to high load.

Q. I need my information ASAP!
A. Dont worry! You will get it in one hour after we receive your MTSN. (western union control number)

Q. How i can trust you? Maybe you’ll rip me?
A. We understand if you send money for our work-your info important for you.And we don’t want make your life worse.You’ll certanly get the Decription Program.

Thank you,
Network Security Audit Plus

Users are then left with hundreds of unusable files, with no means of recovery as of yet. TrendLabs has identified the culprits as TROJ_GPCODE.AB and TROJ_GPCODE.AC.
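A defender-side check for the routine described above, added here as an example and not code from the post or from Trend Micro: it walks a directory tree looking for the README_ASAP.TXT note and for files with the targeted extensions whose contents look encrypted (high byte entropy). The entropy threshold, the constructed sample files and the decision to skip already-compressed formats are assumptions of the example.

```python
import math
import os
import tempfile
from collections import Counter

# File extensions targeted by TROJ_GPCODE.AB/.AC, as listed in the post.
TARGETED_EXTS = {"csv", "doc", "docx", "mdb", "mpl", "pps", "ppt", "pptx",
                 "rar", "rtf", "txt", "vsd", "vst", "xls", "xlsx", "zip"}
RANSOM_NOTE = "README_ASAP.TXT"
# Bits-per-byte threshold above which a file is treated as likely encrypted
# (an assumption chosen for this example, not a value from the post).
ENTROPY_THRESHOLD = 7.5
# Compressed formats are high-entropy even when intact, so entropy cannot
# distinguish them from encrypted files; they are left to the note check.
ALREADY_DENSE = {"rar", "zip", "docx", "pptx", "xlsx"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str) -> dict:
    """Return ransom notes and likely-encrypted targeted files under root."""
    notes, suspect = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper() == RANSOM_NOTE:
                notes.append(path)
                continue
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in TARGETED_EXTS and ext not in ALREADY_DENSE:
                with open(path, "rb") as fh:
                    head = fh.read(65536)      # first 64 KiB is enough to judge
                if shannon_entropy(head) > ENTROPY_THRESHOLD:
                    suspect.append(path)
    return {"notes": sorted(notes), "suspect": sorted(suspect)}


def demo() -> dict:
    """Scan a constructed tree: intact text, random bytes as 'encrypted' doc, note."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "budget.txt"), "w") as fh:
        fh.write("quarterly figures\n" * 200)
    with open(os.path.join(root, "report.doc"), "wb") as fh:
        fh.write(os.urandom(8192))
    with open(os.path.join(root, RANSOM_NOTE), "w") as fh:
        fh.write("Dear User,\nThank you for using our service.\n")
    return scan_tree(root)
```

A real run would point scan_tree at user data directories and alert on either finding; the note alone is the faster signal, the entropy check catches renamed or missing notes.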

This routine is similar to the TSPY_KOLLAH.F attack reported last month, where various file formats were held “hostage” by encryption using the RSA-4096 algorithm. Similarly, the earlier attack left a READ_ME.TXT file informing users that a certain piece of software must be purchased to revert the encrypted files to their unencrypted form. Interestingly, however, this attack asks a lower price for its decryption software ($150) than last month’s $300.

Ransomware has been defined as malware used for an extortion crime. Such malicious routines are nothing new, as cases have been reported as early as 2005. However, they have remained low-key until now, and the current cases indicate that ransomware may be on the rise.

In this regard, TrendLabs strongly advocates making back-up copies of your files, in case they get infected, deleted, stolen — or in this case, ransomed.

Posted in Security

Aug22
by Japan Regional TrendLabs

Mahou no iLand, a free home page service, announced that its official Web site was attacked: a malicious program was injected into the site. According to Mahou no iLand, the attack was detected on 5 July 2007, and all of its services were suspended on 17 July 2007.

A similar case happened to a well-known mutual fund information company, where malicious access to its Web site was also detected. These incidents only highlight the increasing number of such attacks.

The first half of 2007 brought a series of attacks that seem to herald what we now see as a recurring problem. Three incidents inevitably stood out from the rest. They arrived quietly, but they immediately sent alarm bells clanging:


  • Super Bowl (January): the Super Bowl Web site was compromised when hackers injected malicious scripts. It was believed that many users may have been affected, as the site was getting more visits because of the Super Bowl.
  • ANI attacks (March), which were widely felt in Asia.
  • Italian Job (June), dubbed by Trend Micro the fastest, most widespread malicious Web attack worldwide.

It cannot get more global than this. As evidenced by these high-profile cases, the US, Europe, and Asia have all been targeted. The attack on Mahou no iLand in Japan only proves that this problem will persist.

Meanwhile, users will just have to continue to be on the lookout for possible attacks. After all, prevention remains a fool-proof plan, and steering clear of suspicious Web sites is a start.

Posted in Uncategorized

Aug21

On August 17, a zero-day exploit for a vulnerability in the Japanese compression/decompression software Lhaz ver 1.33 was discovered. While the exploit only affects users who have installed the said program and has yet to cause a widespread infection, Trend Micro advises users to take every precaution when using the application.

Note that this is not the first time a Japanese compression/decompression program has been exploited: last June, a similar exploit took advantage of a flaw in the +Lhaca archiving software.

The sample Trend Micro obtained has the .TGZ extension (indicating a compressed TAR+GZIP file) and poses as a chronological table of events that happened during World War II. It is assumed that this file was used as a timely social engineering technique to attract an affected user’s interest, because August 15th marks the anniversary of Japan’s surrender during the said war.

Once the sample is decompressed using Lhaz, a compressed .TGZ file with no name is extracted, along with an .RTF document and a .PPT presentation (see image below). These documents contain the aforementioned WWII table. This content seems to be copied from a Web site.

[Image: lhaz1.jpg]

However, during decompression, a dropper Trojan is executed via the (at that time unknown) vulnerability. Once this Trojan executes, it notifies a remote server that it has successfully infected a system. It then proceeds to install a backdoor program in the Windows system folder:

[Image: lhaz2.jpg]

The dropped backdoor uses the name wuausrv.dll, which is also the name of a legitimate Windows file. This allows the backdoor to avoid easy detection and consequent removal. Indeed, even its version information (in File Properties) looks similar to that of the legitimate file, except for certain trademark characters (such as © and ®; see the images below, where the one at the bottom is the legitimate one).

[Image: lhaz3.jpg]

[Image: lhaz4.jpg]

Compression/decompression software comes in two prominent types: one that uses general-purpose compression/decompression .DLL files, and one that uses its own. The previously exploited +Lhaca falls under the former, while Lhaz is of the latter type. This latter type (software that uses its own .DLL files) also seems to be the one preferred by most organizations because it is easier to handle.

Trend Micro already detects the compressed file that exploits the Lhaz vulnerability as TROJ_LZDROPPER.A. The installed backdoor program, sav.exe, on the other hand, is detected as BKDR_PROTUX.AK.

A fix that addresses this vulnerability has recently been released and is included in Lhaz ver 1.34 B2. Users are advised to update to avoid being victimized by this exploit.

Additional information provided by Edgardo A. Diaz Jr. (Escalation Engineer).

Posted in Uncategorized

Aug17
by Jasper Pimentel (Advanced Threats Researcher)

We’ve just received reports that the website of DaHua High School (hxxp://www.thsh.tyc.edu.tw/), a private high school in Taiwan, has been compromised.
It seems that an errant IFRAME tag has made its way into the website’s initial page (default.asp) and eventually loads a malicious web page (hxxp://www.832821.cn/rrr.htm) that is completely unaffiliated with the high school.

[Image: dahua.jpg]

The malicious web page loaded by the IFRAME downloads several files, namely a bitmap file, a couple of JavaScript files, and a pair of HTML files. The bitmap is actually an ANICMOO exploit, which is detected by Trend as EXPL_ANICMOO.GEN. These files in turn download a malicious executable file, SYSDOWN.EXE, which is detected by Trend as TSPY_DELF.GMN. Because of the malicious content being downloaded, even Google has already issued a warning for this website.

[Image: dahuagoogle.jpg]

Credits go to Nick Lee (China Regional TrendLabs) for informing us of the incident.
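An added example, not code from the post or from Trend Micro, of the check a site owner could run against a page like default.asp: parse the HTML and report every IFRAME whose src points to a host outside the site. The sample page and host names are constructed placeholders, and treating subdomains of the site as part of it is an assumption of the example; it goes beyond the single injected IFRAME in the post by checking every iframe on the page.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.srcs.append(dict(attrs).get("src") or "")


def same_site(host: str, site_host: str) -> bool:
    """True for the site host itself or any of its subdomains (assumption)."""
    host, site_host = host.lower(), site_host.lower()
    return host == site_host or host.endswith("." + site_host)


def foreign_iframes(html: str, site_host: str) -> list:
    """Return iframe src values that load content from outside site_host."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    found = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        # Relative src values have no host and stay on the site; absolute and
        # protocol-relative ("//host/...") values are compared against the site.
        if host and not same_site(host, site_host):
            found.append(src)
    return found


# Constructed stand-in for a compromised front page; hosts are placeholders.
SAMPLE_PAGE = """<html><body>
<h1>School News</h1>
<iframe src="/calendar.asp" width="400" height="300"></iframe>
<iframe src="http://images.school.example/banner.htm"></iframe>
<iframe src="http://injected.example/rrr.htm"></iframe>
</body></html>"""


def demo() -> list:
    """Run the check on the constructed page as if it were the school's site."""
    return foreign_iframes(SAMPLE_PAGE, "school.example")
```

Running this periodically against a site's own pages (fetched or read from disk) and diffing the result against a known-good list turns the IFRAME injection described above into an alert rather than a surprise from Google's warning.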

Posted in Security


© Copyright 2008 Trend Micro Inc. All rights reserved.