Archive for January 28th, 2008

Spyware Removal Site Delivers Malware

January 28th, 2008 by Roderick Ordoñez (Technical Communications)

Looks can be deceiving, and malware authors are relying on that old adage to lure potential victims into their most recent scheme. The plan? Dress up as a spyware removal tool, use a great-looking site, complete with blogs, news and product lineup, dazzle the user with plausible reviews, and encourage them to click through.

The site hxxp://removal-tool.com manages to do all that:

{site screenshot}

Anyway, who’d suspect that a professional-looking anti-spyware site would give them just the opposite of what they’re looking for, and then some? With most of its pages hosting malicious iframes, here’s a list of what could be lurking on your system after a visit to the site:

The use of legitimate-looking Web sites is a regular (yet undoubtedly still very effective) tactic for disseminating Web threats. It is mainly used to fool users into downloading fake codecs (see here and here), though fake security applications have also been reported in the past. Any Web-savvy developer knows that professional design and robust content attract customers and are most likely to earn their trust for one more click.
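The post notes that most of the site’s pages host malicious iframes. The following is an added example (not code from the original post or from Trend Micro) showing the kind of heuristic a defender can run over a fetched page to surface iframes that are hidden or pull content from another host. The sample HTML, the host names in it and the thresholds are constructed for illustration.

```python
"""Flag <iframe> elements in a page that look hidden or load off-site content."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one ordinary same-site iframe plus two of the
# hidden kind typically abused to load third-party content unnoticed.
SAMPLE_HTML = """
<html><body>
<h1>Removal Tool Reviews</h1>
<iframe src="https://example-site.test/player" width="640" height="360"></iframe>
<iframe src="http://third-party.test/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://another.test/x.php" style="display:none;"></iframe>
</body></html>
"""

HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")


def _dimension_is_tiny(value):
    """True when a width/height attribute is 0 or 1 pixel (a common hiding trick)."""
    if value is None:
        return False
    digits = value.strip().rstrip("px").strip()
    return digits.isdigit() and int(digits) <= 1


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def classify_iframe(attrs, page_host):
    """Return the reasons this iframe looks suspicious (empty list = unremarkable)."""
    reasons = []
    if _dimension_is_tiny(attrs.get("width")) or _dimension_is_tiny(attrs.get("height")):
        reasons.append("tiny dimensions")
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
        reasons.append("hidden via CSS")
    src_host = urlparse(attrs.get("src", "")).hostname
    if src_host and src_host != page_host:
        reasons.append(f"off-site source {src_host}")
    return reasons


def find_suspicious_iframes(html, page_url):
    """Parse html and return [(src, reasons)] for every iframe that trips a heuristic."""
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for attrs in parser.iframes:
        reasons = classify_iframe(attrs, page_host)
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "https://example-site.test/"):
        print(f"{src}: {', '.join(reasons)}")
```

The off-site check on its own will also flag legitimate embeds (video players, ad networks), so in practice it is the combination of an off-site source with a zero-size or CSS-hidden frame that deserves a closer look; the function returns all reasons so the caller can weight them.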

Sadly, even those with malicious intent abide by this rule, and most users can hardly tell a good site from a bad one. Luckily, Trend Micro has the ability to block these possibly malicious URLs, just in case a site’s “beauty” turns out to be only skin deep.

Technical information and screenshot provided by Research Project Manager Ivan Macalintal

Harada Writers Busted for Copyright Violations

January 28th, 2008 by Macky Cruz (Technical Communications)

The long arm of the law in Japan has finally caught up with the makers of the Harada malware. The operation, which ended with the arrest of the three suspects last January 24, was the joint effort of the High-Tech Crime Control Office in the Kyoto Head Police Station and the Gojoh Police Station. Instrumental to the investigation was the Association of Copyright for Computer Software, which cited several instances of copyright infringements committed by the suspects.

One suspect was charged with using an image from the Japanese cartoon Clannad as a social engineering ploy in distributing malware over the Winny network. Winny is a Japanese peer-to-peer (P2P) application notorious for being a haven for copyright violators and, as with other file-sharing apps, for being an attractive propagation vector for malware authors hoping to net more victims.

As more details about their malicious activities are revealed, it appears that these cybercriminals were involved in the use and proliferation of several malware families with the intention of stealing online credentials to perpetrate fraud.

HKTL_DESTROYER.B (more popularly known as P2P-Destroyer Pro) is the detection for the hacking tool used to create variants of the Harada malware family by binding pieces of code into a single file, with customized file names and various file name extensions.

{HKTL_DESTROYER GUI}

The variants created by this hacking tool are generally detected by Trend Micro as variants of the TSPY_HARADONG or TSPY_DENUTARO family. It is also possibly related to TROJ_KILFILE.

In certain instances, the malware created by this hacking tool includes a text file that purports to be written by “that legendary guy,” a certain Mr. Harada:

{text in Japanese found in Harada variants}

which, when translated to English, reads:

Here I am that legendary guy, {BLOCKED} Harada!!
Right now, hey, give me a ring at the number here!
Otherwise, Mr. Harada {BLOCKED} might visit you!
TEL 054-{BLOCKED}-8900 
This file is with Harada Virus, hehe.
You know, your information has been already exposed all over the world, hehe.
So, hey, stop using P2P!
… This file is fabricated.
Right now, stop using P2P!
Otherwise, Mr. Harada {BLOCKED} might visit you.
TEL 077-{BLOCKED}-2809 
This fabricated file is with virus, you know.
You know, your information has been already exposed all over the world.
So, stop using P2P!

Interestingly, this Mr. Harada also comes up in a certain image as displayed by the malware detected as TROJ_VB.WL:

{Mr. Harada turns up in TROJ_VB.WL}

which, when translated from Japanese, says:

Infected! Harada Virus! Daaa!
Launch the nuclear missile!
The remaining time before The Third World War is,
48 hours 12 minutes 53 seconds!!
This malware breaches the host server of Pentagon, United States Department of Defense,
And destroys the nuclear defense system. In other words, it launches the nuclear missile… orz
This is not a threat. Everything is true!
If you think this is not true, you can just stay there!! Later, without knowing anything, you will be burned. But I do not care that! Because it is your fault, if you did not use P2P, you would not be suffered from this!
My life, give me back a half of it! Hey, you guys, crazy!!
This is the end of the world, dear Hokuto no Ken (Fist of the North Star) …. orz

The variants of TSPY_HARADONG and TSPY_DENUTARO steal certain information such as host names, IP addresses, the date of the malware’s first execution on the system, along with other sensitive account-related information such as user IDs. Some variants can also take screenshots of the affected system, and delete system files, multimedia files, document files, HTML files, files archived using .ZIP and .RAR, and files associated with anti-malware applications.

Right now the suspects face charges of copyright violation, currently the most severe charge that can be brought against them, as legislation in Japan regarding the creation and willful propagation of malware is only beginning to advance. In any case, it is clear that there are many out there, in whatever part of the world, who seek unjust gains through the Internet, and it is best to equip one’s system with the latest tools to identify and protect against these threats.

Information in this blog entry was based on the blog post of the Japan BU.
