Archive for October, 2007


Oct23
by Paul Oliveria (Technical Communications)

How do you know if the Web site you’re visiting is legitimate or not?

Given the rise of Web-based (and money-driven) attacks, an average Internet user would probably have a hard time telling. After all, attackers have gone to great lengths to trick as many users as possible: URL redirection, IFRAME injection, phishing, and all that jazz.

Of course, the more cautious Web surfers have noticed these malicious tactics and have found ways to protect themselves from such scams. Perhaps the most popular is the use of third-party "validation" sites, which help verify that the parties to an online transaction, such as products and sellers, are legitimate, and that customer data (and money) do not fall into the wrong hands. But what happens when these safeguards are spoofed as well?

The Register reports on an information-stealing Trojan that captures eBay account details by masquerading, in a sense, as eBay itself. Little wonder it has already cost one eBay user $8,600.

According to the report, the spyware installs a "scaled down" Web server that hosts several spoofed eBay pages, as well as pages imitating "motors" validation sites such as Carfax.com, Autocheck.com, and Escrow.com. Simply put, this spyware (detected by Trend Micro as TSPY_BAYROB.B) does not merely monitor specific pages; it goes a level further and spoofs an entire transaction.

TrendLabs engineers have analyzed the sample we received, and it appears that the spyware does not actually "install" the Web server (or, from the looks of it, servers) but reaches them by connecting to the following sites:

  • {BLOCKED}dealsusa.com
  • {BLOCKED}on.com
  • {BLOCKED}s.com
  • {BLOCKED}c.com

As of this writing, though, these sites are already inaccessible.

What is also notable about this spyware is that it appears to be an updated version of TROJ_BAYROB.A, which first made the rounds last March. Symantec has posted a blog entry on that Trojan, and it seems the authors behind these threats are really into vehicle scams. Indeed, it connects to https://signin.ebay.com/ebaymotors/ws/ebayISAPI.dll and attempts to place a bid.

Below is a diagram depicting how TSPY_BAYROB.B infects:

{BAYROB.B Infection Diagram}

Notice that it even attempts (albeit unsuccessfully) to launch Kodak Viewer Express to mask its malicious routines, so users may see an error message instead:

{BAYROB.B. error message}

Trend Micro continues to provide solutions that protect users from such scary doppelgängers. Of course, safe computing practices are still the key, so users are advised to be wary when performing online transactions; otherwise, becoming roadkill at the hands of these online doppelgängers would be an understatement.

Posted in Malware |

Oct23
by Paul Oliveria (Technical Communications)

A couple of days after proof-of-concept exploit code for a critical flaw in Adobe Reader and Acrobat surfaced (detected by Trend Micro as EXPL_PIDIEF.A), TrendLabs has received reports of Trojan-downloading PDF files making the rounds in email inboxes. And yes, the malicious PDFs use that exploit code. Adobe released a patch for the flaw only about a day ago, so the malware authors are evidently banking on most Reader and Acrobat users not having downloaded and installed the critical update yet.

Based on the initial analysis of Senior Threat Researcher Ivan Macalintal, the PDF files bear "business-sounding" file names such as YOUR_BILL.PDF or INVOICE.PDF. Once a file successfully exploits the Adobe vulnerability, it disables the Windows Firewall, downloads an .EXE file, and steals information from the affected system.

Ivan further notes that the servers and file names used by this malware are the same as those used in the VML exploit attacks of September last year, and are related to the earlier CWS, Snifula, and UrSnif attacks. In addition, the spammed messages carrying the malicious PDFs appear to come from the Russian Business Network (see the related blog entry and the Washington Post article on the RBN). Again.

Trend Micro detects the PDF file as EXPL_PIDIEF.B, and the downloaded .EXE file as TSPY_PAPRAS.CF.

Posted in Malware, Vulnerabilities |

Oct19
by Miray Lozada (Technical Communications)

Spam has gone audible, or at least the spam generated by the Storm network, which is at it again. It has been confirmed that the celebotnet of the moment employs yet another deviously creative gimmick to further its pump-and-dump stock scams. Trend Micro threat analyst David Sancho confirmed that EMEA TrendLabs' Storm system has been catching a lot of spammed email messages with attachments such as the following:

  • babylaugh.mp3
  • bartsimpson.mp3
  • cassidy.mp3
  • chrisbrown.mp3
  • ringtones.mp3

Yup, you heard, er, read it right, folks: spam is now carrying MP3 files. These messages don't even have a Subject or a message body; the MP3 files speak for themselves, literally. Transcribed, the attachments usually deliver the following pitch in a synthesized female voice:

hallo, this is an invest-tone alert
hexitone ring incorporated has announced that it’s ready
to launch its new textforcards dot com Web site,
already a huge success in Canada.
We are expecting amazing results in the USA
go read the news and get on EXTO
that symbol again is EXTO
thank you

File sizes range roughly from 50 to 120 KB. This "invest-tone" alert appears to be touting EXTO, the stock of Exit Only, Inc., an Internet company that buys and sells cars via Text4cars.com. Stock Web sites show that this particular stock, as of 2:12 PM EST, is on a slow rise. Tsk, tsk.

Trend Micro researcher Ivan Macalintal analyzed some of the mail samples and identified the distinctive string "LAME" at the following offset:

0001e8b0h: 55 55 55 4C 41 4D 45 33 2E 39 37 55 55 55 55 55 ; UUULAME3.97UUUUU

This is the version tag written by LAME, an open-source MP3 encoder popular on Unix systems, and indicates that the files were produced with LAME 3.97.
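As an added example (not code from Trend Micro or from this post), the Python script below turns the indicators above into a mail filter: it parses a raw RFC 822 message, checks for the missing Subject and body, and inspects each MP3 attachment for the 50 to 120 KB size window and the LAME version tag. The message it tests is constructed inline and its "audio" is a dummy byte string, not a real Storm sample; the byte bounds for the size window are an assumed reading of the post's rough figure.

```python
"""Flag Storm-style MP3 pump-and-dump spam from the indicators in the post.

Added example, not Trend Micro's code. The size window is an assumed reading
of "50-120KB"; the sample message built by build_sample() is constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage

LAME_TAG = re.compile(rb"LAME\d\.\d{1,3}")   # encoder version tag, e.g. LAME3.97
SIZE_RANGE = (50_000, 120_000)              # assumed byte bounds for "50-120KB"


def _is_mp3(part):
    name = (part.get_filename() or "").lower()
    return name.endswith(".mp3") or part.get_content_type() == "audio/mpeg"


def mp3_spam_indicators(raw):
    """Return the names of the indicators that fire for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if not (msg.get("Subject") or "").strip():
        hits.append("empty-subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("empty-body")
    for part in msg.iter_attachments():
        if not _is_mp3(part):
            continue
        data = part.get_payload(decode=True) or b""
        hits.append("mp3-attachment")
        if SIZE_RANGE[0] <= len(data) <= SIZE_RANGE[1]:
            hits.append("size-in-range")
        tag = LAME_TAG.search(data)
        if tag:
            hits.append("lame-tag:" + tag.group(0).decode("ascii"))
    return hits


def is_storm_mp3_spam(raw):
    """An MP3 attachment with no Subject and no body is the Storm pattern.

    The LAME tag and the size are reported as supporting evidence only: every
    LAME-encoded MP3 carries the tag, so on its own it proves nothing.
    """
    return {"mp3-attachment", "empty-subject", "empty-body"} <= set(mp3_spam_indicators(raw))


def build_sample(filename="ringtones.mp3", subject="", body=""):
    """Constructed message in the shape the post describes (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    if subject:
        msg["Subject"] = subject
    if body:
        msg.set_content(body)
    # Dummy audio: an MPEG frame sync word, 60 KB of padding, then the LAME
    # tag bytes as they appeared in the hexdump above. Not a playable file.
    audio = b"\xff\xfb\x90\x00" + b"\x00" * 60_000 + b"UUULAME3.97UUUUU"
    msg.add_attachment(audio, maintype="audio", subtype="mpeg", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("storm", build_sample()),
                       ("ham", build_sample(subject="Ringtone", body="Here it is."))):
        print(label, is_storm_mp3_spam(raw), mp3_spam_indicators(raw))
```

The verdict rests on the shape of the message, an MP3 with no subject and no body, which legitimate mail almost never has; the encoder tag and size are logged so an analyst can cluster samples, not used to convict.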

There is no abating the Storm network; it has now gone and staged a caterwaul of a musical. Yes, we are certainly "hearing" the menace of Storm, annoyingly loud and cringingly clear.

Posted in Botnet, Spam | 1 TrackBack »

Oct18
by Macky Cruz (Technical Communications)

Imitation, they say, is the sincerest form of flattery, but the makers of this executable surely have more on their minds than fandom. Skype, a hugely popular peer-to-peer VoIP application with 220 million users worldwide, made the news last August for going offline for almost two days. This October it receives another blow, tangential but possibly as damaging, this time from a Trojan spyware.

TSPY_SPEYK.A, Trend Micro's detection for a program that, upon execution, mimics Skype's login window, has been reported to us by users and verified to be malicious. When run by an unsuspecting user, it first displays the following message box:

TSPY_SPEYK.A-1

If the user clicks OK, this spyware then displays the following login window:

TSPY_SPEYK.A-2

Even on closer inspection, the login window looks enough like the original to convince some users to type in their user names and passwords. After the user clicks Sign In, it displays a fake error message claiming that the entered credentials are invalid:

TSPY_SPEYK.A-3

After four login attempts, the fake login window closes by itself, and users may go about their day without thinking much of what just happened. In truth, the spyware has just received ample confirmation that what the user typed is valid (note the four attempts: a user who retypes the same credentials repeatedly is unlikely to have mistyped them). The spyware then sends the gathered data to a certain Web site via HTTP POST. The implications go haywire from there: the malicious user may use the account information to impersonate its real owner or, in the case of paid users, place calls that will be billed to the victim (even at Skype's famously low rates, an unpleasant surprise). Trend Micro already detects this threat, so users who fear they have been duped should keep their AV engines updated and run regular scans. Anyone who may have typed credentials into this window should change their Skype password without waiting for signs of misuse.

Remember, nothing fazes a deranged “fan.”

Posted in Malware |

Oct17
by Edgardo Diaz, Jr. (Threats Analyst)

A new proof-of-concept exploit for a vulnerability in the way PDF files' URIs (uniform resource identifiers, compact strings of characters that identify a resource) are handled was released as a full disclosure [http://security.fedora-hosting.com/0day/pdf/pdf_poc.pdf].

{PoC PDF file: opening this PDF file also opens a New Message window}

{PoC PDF file: the URI of the PDF file shown above}

The vulnerability arises because Adobe Acrobat passes the parameter of the PDF's URI action straight to the ShellExecuteA API, which launches whatever handler Windows associates with the URI's scheme.

It affects the following Adobe products:

  • Adobe Reader 8.1 and earlier versions
  • Adobe Acrobat Standard, Professional and Elements 8.1 and earlier versions
  • Adobe Acrobat 3D

As of this writing, there is still no patch available for the vulnerability. However, exploits like this can be blocked by setting the following registry value, which assigns each URI scheme a permission code: 3 blocks the scheme outright and 2 makes Acrobat prompt before launching it. Note that mailto:, the scheme used by the PoC, is set to 3.

For Acrobat:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\8.0\FeatureLockDown\cDefaultLaunchURLPerms
tSchemePerms (REG_SZ) = version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2

For Reader:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockDown\cDefaultLaunchURLPerms
tSchemePerms (REG_SZ) = version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2

Malicious programs can use this vulnerability to enter a target system by automatically opening a URL or downloading malicious files over the Internet.
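As an added example (not code from Trend Micro, Adobe, or the PoC's author), the Python scanner below triages a PDF the way a mail gateway might have during the window between this PoC and a patch: it extracts every /URI action, including ones written as hex strings or buried in Flate-compressed streams, and labels each with the verdict the tSchemePerms value above would give its scheme. It serves both this post and the EXPL_PIDIEF.B mailers described in the Oct 23 entry. The sample PDF is constructed inline with placeholder targets, not the PoC's URI; the reading of the permission codes (3 = block, 2 = prompt) and the restriction to Flate streams are assumptions.

```python
"""Flag /URI actions in a PDF against Acrobat's tSchemePerms lockdown list.

Added example, not code from Trend Micro, Adobe or the PoC's author. It finds
/URI actions written as literal or hex strings, inflates Flate streams so URIs
inside compressed objects are not missed, and labels each URI with the verdict
the quoted workaround would apply. Assumed: permission code 3 means block and
2 means prompt; only Flate streams are inflated (LZW, ASCIIHex etc. are not).
"""
import re
import zlib

# The tSchemePerms value from the workaround above, verbatim.
TSCHEME_PERMS = ("version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|"
                 "mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|"
                 "acrobat:2|mailto:3|file:2")
BLOCK, PROMPT = 3, 2  # assumed meaning of the per-scheme codes

# /URI (literal) and /URI <hex>; escapes and hex encoding are the usual way
# to keep the scheme out of a naive grep.
LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)
SCHEME_RE = re.compile(rb"^\s*([A-Za-z][A-Za-z0-9+.\-]*):")
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
        b"(": b"(", b")": b")", b"\\": b"\\"}


def parse_scheme_perms(value):
    """'shell:3|mailto:3|file:2' -> {'shell': 3, 'mailto': 3, 'file': 2}."""
    perms = {}
    for item in value.split("|"):
        scheme, _, code = item.rpartition(":")
        if scheme and scheme != "version":
            perms[scheme.lower()] = int(code)
    return perms


def unescape_literal(raw):
    """Resolve PDF literal-string escapes: \\n \\( \\) \\\\ and \\ddd octal."""
    out, i = bytearray(), 0
    while i < len(raw):
        nxt = raw[i + 1:i + 2]
        if raw[i:i + 1] != b"\\":
            out += raw[i:i + 1]
            i += 1
        elif nxt in _ESC:
            out += _ESC[nxt]
            i += 2
        elif nxt and nxt in b"01234567":             # \ddd: up to three octal digits
            j = i + 2
            while j < min(len(raw), i + 4) and raw[j:j + 1] in b"01234567":
                j += 1
            out.append(int(raw[i + 1:j], 8) & 0xFF)
            i = j
        else:                                        # unknown escape: drop the backslash
            out += nxt
            i += 2
    return bytes(out)


def extract_uris(blob):
    """Return the target of every /URI action in blob, in document order."""
    found = [(m.start(), unescape_literal(m.group(1))) for m in LITERAL_RE.finditer(blob)]
    for m in HEX_RE.finditer(blob):
        digits = re.sub(rb"\s+", b"", m.group(1))
        if len(digits) % 2:                          # PDF pads an odd-length hex string with 0
            digits += b"0"
        found.append((m.start(), bytes.fromhex(digits.decode("ascii"))))
    return [uri for _, uri in sorted(found)]


def inflate_streams(pdf):
    """Yield the inflated body of each stream zlib can decode; skip the rest."""
    for m in STREAM_RE.finditer(pdf):
        try:  # decompressobj tolerates the EOL that precedes 'endstream'
            body = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue
        yield body


def scan_pdf(pdf, perms=None):
    """Return (scheme, verdict, uri) for every /URI action, compressed or not."""
    if perms is None:
        perms = parse_scheme_perms(TSCHEME_PERMS)
    findings = []
    for blob in [pdf, *inflate_streams(pdf)]:
        for uri in extract_uris(blob):
            m = SCHEME_RE.match(uri)
            scheme = m.group(1).decode("ascii").lower() if m else None
            verdict = {BLOCK: "block", PROMPT: "prompt"}.get(perms.get(scheme), "unlisted")
            findings.append((scheme, verdict, uri))
    return findings


def _annot(num, uri_token):
    return (b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI " % num
            + uri_token + b" >> >> endobj\n")


# Constructed sample: four link annotations in the clear and one inside a
# Flate stream. Targets are placeholders, not the PoC's actual URI.
_HIDDEN = (b"% padding so zlib emits a compressed block " + b"." * 120 + b"\n"
           + _annot(5, b"(hcp://services)"))
_DEFLATED = zlib.compress(_HIDDEN)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + _annot(1, b"(http://www.adobe.com/)")
    + _annot(2, b"(mailto:victim@example.com?subject=\\(test\\))")
    + _annot(3, b"<" + b"shell:Desktop".hex().encode("ascii") + b">")
    + _annot(4, b"(file:///C:/)")
    + b"6 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_DEFLATED)
    + _DEFLATED + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for scheme, verdict, uri in scan_pdf(SAMPLE_PDF):
        print(f"{verdict:9} {scheme!s:8} {uri!r}")
```

An http: URI comes back as "unlisted" because the lockdown value says nothing about it; Acrobat hands such links to the browser. For production triage use a full PDF parser: this scanner does not walk object streams by object, decode other stream filters, or follow /OpenAction and /Launch, so treat it as a first pass over mail attachments, not a verdict.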

More information is posted on Adobe's security advisories Web site [http://www.adobe.com/support/security/advisories/apsa07-04.html].

Additional information taken from http://www.heise-security.co.uk/news/96982.

Posted in Exploits, Vulnerabilities |


© Copyright 2008 Trend Micro Inc. All rights reserved.