Archive for January 29th, 2008

Malicious Banner Ads Target Expedia.com and Rhapsody.com

January 29th, 2008 by Bernadette Irinco (Technical Communications)

For some time now, online advertisements have been a constant source not only of nuisance but of malware as well. Earlier this month, we saw malicious banner ads being served on popular Web sites such as Myspace, Excite, and Blick. This time, TrendLabs was alerted to malicious banner ads infiltrating legitimate special-interest Web sites such as Expedia.com and Rhapsody.com.

According to Trend Micro security experts, certain malicious .SWF banners have made their way onto Expedia.com, a popular site for travel enthusiasts worldwide. Trend Micro detects the said malicious Flash banner as SWF_ADHIJACK.A. Based on initial analysis, clicking on this ad leads through several redirections, which eventually result in the installation of a rogue antispyware application detected as TROJ_GIDA.A.

Music lovers are also targeted by mal-banners: Rhapsody.com, a music site owned by RealNetworks, was found to be carrying malicious Flash banners as well. The malicious .SWF URL found on Rhapsody.com is said to be similar to the notorious Skyauction advertisements that were also found to have infiltrated the Blick Web site mentioned earlier.

In any industry, advertising has proven to be an effective way to sell products. Apparently, this holds true in the malware industry as well. It provides another means for malware authors to spread their malicious code effectively and earn profits at the same time. With this in mind, there is no doubt that malware authors will do more malvertising, targeting more and more popular Web sites to “advertise” their malware.

Be a smart buyer and don’t fall for false advertising. Not only might you not get your money’s worth, you might also end up paying more without knowing it.

Digital Photo Frames FrameUp?

January 29th, 2008 by JM Hipolito (Technical Communications)

Better keep an eye on your brand new microwave. It seems like there are no electronic devices that will be spared from off-the-shelf malware infection.

Three digital photo frames, small flat-panel displays for digital images, were discovered to each contain malware, Security Focus reports.

The photo frames were apparently received as presents during the past holidays, and installed malicious code on the systems of the recipients. All three cases involved the same product and chain of stores, suggesting that infection occurred either during shipping or at the factory.

This hitchhiker malware, detected by Trend Micro as WORM_AGENT.TBH, is reported to drop malicious files on the affected system as well as an AUTORUN.INF file to execute the said dropped files.
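A practical check for the infection route just described: before trusting a new device, read any AUTORUN.INF it carries and see which entries would launch a program and whether the referenced file is actually present on the device. This is an added example, not Trend Micro's code; the sample AUTORUN.INF and the RECYCLER path in it are constructed placeholders, not artifacts of WORM_AGENT.TBH.

```python
import configparser
import tempfile
from pathlib import Path

# [autorun] keys that make Windows launch a program on insert or double-click.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample in the style a dropper leaves on a device (placeholder paths).
SAMPLE_AUTORUN = """[AutoRun]
open=RECYCLER\\S-1-5-21-placeholder\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\command=RECYCLER\\S-1-5-21-placeholder\\setup.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-placeholder\\setup.exe
"""

def launch_commands(text: str) -> list:
    """Return (key, command) pairs from an AUTORUN.INF that would execute code."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return []  # malformed file: nothing parseable, but its presence is still a finding
    found = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            # configparser lower-cases keys; shell\<verb>\command entries also launch code
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                found.append((key, value.strip()))
    return found

def audit_device(mount_root: str) -> dict:
    """Look for AUTORUN.INF on a mounted device and resolve what each launch entry points at."""
    root = Path(mount_root)
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return {"autorun_present": False, "commands": []}
    report = []
    for key, cmd in launch_commands(inf.read_text(errors="replace")):
        exe = cmd.split()[0] if cmd else ""
        target = root / exe.replace("\\", "/")  # relative to the device root, as Windows resolves it
        report.append({"key": key, "command": cmd, "target_exists": target.is_file()})
    return {"autorun_present": True, "commands": report}

def demo() -> dict:
    """Build a throwaway 'device' holding the constructed sample plus a stub payload and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
        payload = root / "RECYCLER" / "S-1-5-21-placeholder" / "setup.exe"
        payload.parent.mkdir(parents=True)
        payload.write_bytes(b"MZ")  # stub standing in for the dropped executable
        return audit_device(d)

if __name__ == "__main__":
    print(demo())
```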

Earlier this month, China-made media players were discovered carrying a file infector detected as PE_FUJACKS.FL-O. Such incidents are only the most recent of a string of incidents concerning electronic devices shipped with malware. Other USB media such as iPod videos and McDonald’s Japan MP3 player freebies, shipped in 2006, were found to be infected by malware (more details here and here).

Once again, this shows that new devices aren’t always malware-free.

Trojanized .DOC Files in Targeted Attack

January 29th, 2008 by Jake Soriano (Technical Communications)

A recent targeted attack was discovered to be using Trojanized MS Word files embedded with malicious codes. The said files are sent as attachments to spammed email messages, albeit through a very limited distribution.

What’s interesting here, according to Research Project Manager Ivan Macalintal, is that these Trojanized files are related to movements supporting the Tibetan government in exile. He adds that the file names are lifted from actual press releases and news headlines:

  • Free Tibet Olympics Protest on Mount Everest.doc 
  • CHINA’S OLYMPIC TORCH OUT OF TIBET 1.doc
  • 2007-07 DRAFT Tibetan MP London schedule.doc
  • DIRECTORY OF TIBET SUPPORT GROUPS IN INDIA.doc
  • Disapppeared in Tibet.doc

These files are detected, respectively, as the following:

  • TROJ_MDROPPER.GJ
  • TROJ_MDROPPER.GI
  • TROJ_MDROPPER.GK
  • TROJ_MDROPPER.GG
  • TROJ_MDROPPER.GH
  • TROJ_MDROPPER.TG
  • TROJ_MDROPPER.TG

The following is a sample screenshot of the Trojanized document file:

 [Screenshot: Trojanized document]

This social engineering technique has been seen before. In October, a Trojan detected as TROJ_MDROPPER.WI also rode on the newsworthiness of the monk-led protests in Myanmar, arriving as an attachment to spam that purported to be a message of support from the Dalai Lama to the monks. The technique is also a familiar one from WORM_NUWAR’s book: leveraging headline-grabbing events to facilitate propagation.

(Thanks to Maarten of ISC for the heads-up.)
