Archive for January, 2008
January 29th, 2008 by Jake Soriano (Technical Communications)
A recent targeted attack was discovered to be using Trojanized MS Word files embedded with malicious codes. The said files are sent as attachments to spammed email messages, albeit through a very limited distribution.
What’s interesting here, according to Research Project Manager Ivan Macalintal, is that these Trojanized files are related to movements supporting the Tibetan government in exile. He adds that the file names are lifted from actual press releases and news headlines:
- Free Tibet Olympics Protest on Mount Everest.doc
- CHINA’S OLYMPIC TORCH OUT OF TIBET 1.doc
- 2007-07 DRAFT Tibetan MP London schedule.doc
- DIRECTORY OF TIBET SUPPORT GROUPS IN INDIA.doc
- Disapppeared in Tibet.doc
These files are detected, respectively, as the following:
- TROJ_MDROPPER.GJ
- TROJ_MDROPPER.GI
- TROJ_MDROPPER.GK
- TROJ_MDROPPER.GG
- TROJ_MDROPPER.GH
- TROJ_MDROPPER.TG
- TROJ_MDROPPER.TG
The following is a sample screenshot of the Trojanized document file:

This social engineering technique has been seen before. In October, a Trojan detected as TROJ_MDROPPER.WI also rode on the newsworthiness of the monk-led protests in Myanmar, arriving as an attachment to spam that purported to be a message of support from the Dalai Lama to the monks. The technique is also a familiar page from WORM_NUWAR’s book: leveraging headline-grabbing events to facilitate propagation.
(Thanks to Maarten of ISC for the heads-up.)
January 28th, 2008 by Roderick Ordoñez (Technical Communications)
Looks can be deceiving, and malware authors are relying on that old adage to lure potential victims into their most recent scheme. The plan? Dress up as a spyware removal tool, use a great-looking site, complete with blogs, news and product lineup, dazzle the user with plausible reviews, and encourage them to click through.
The site hxxp://removal-tool.com manages to do all that:

Anyway, who’d suspect that a professional-looking anti-spyware site will give them just the opposite of what they’re looking for — and even more? With most of the pages hosting malicious iFrames, here’s a list of what could be lurking in your system after a visit to their site:
The use of legitimate-looking Web sites is a regular (yet undoubtedly still very effective) tactic in disseminating Web threats, mainly used to fool users into downloading fake codecs (see here and here), though fake security applications have also been reported in the past. Any Web-savvy developer knows that professional design and robust content attract customers, and are the most likely way to earn their trust and win one more click.
Sadly, even those with malicious intent abide by this rule, and most users can hardly tell a good site from a bad one. Luckily, Trend Micro has the ability to block these possibly malicious URLs, just in case a site’s “beauty” turns out to be only skin deep.
Technical information and screenshot provided by Research Project Manager Ivan Macalintal
January 28th, 2008 by Macky Cruz (Technical Communications)
The long arm of the law in Japan has finally caught up with the makers of the Harada malware. The operation, which ended with the arrest of the three suspects last January 24, was the joint effort of the High-Tech Crime Control Office in the Kyoto Head Police Station and the Gojoh Police Station. Instrumental to the investigation was the Association of Copyright for Computer Software, which cited several instances of copyright infringements committed by the suspects.
One suspect was charged with using an image from the Japanese cartoon Clannad as a social engineering ploy in distributing malware over the Winny network. Winny is a Japanese peer-to-peer (P2P) application notorious for being a haven for copyright violators and, as with other file-sharing apps, for being an attractive propagation vector for malware authors hoping to net more victims.
As more details about their malicious activities are revealed, it appears that these cyber criminals were involved in the use and proliferation of several malware families with the intention of stealing online credentials to perpetrate fraud.
HKTL_DESTROYER.B (more popularly known as P2P-Destroyer Pro) is the detection for the hacking tool used to create variants of the Harada malware family by binding pieces of code into a single file, with customized file names and various file name extensions.

The variants created by this hacking tool are generally detected by Trend Micro as variants of the TSPY_HARADONG or TSPY_DENUTARO family. It is also possibly related to TROJ_KILFILE.
In certain instances, the malware codes created by this hacking tool include a certain text file that purports to be written by “that legendary guy,” a certain Mr. Harada:

which, when translated to English, reads:
Here I am that legendary guy, {BLOCKED} Harada!!
Right now, hey, give me a ring at the number here!
Otherwise, Mr. Harada {BLOCKED} might visit you!
TEL 054-{BLOCKED}-8900
This file is with Harada Virus, hehe.
You know, your information has been already exposed all over the world, hehe.
So, hey, stop using P2P!
… This file is fabricated.
Right now, stop using P2P!
Otherwise, Mr. Harada {BLOCKED} might visit you.
TEL 077-{BLOCKED}-2809
This fabricated file is with virus, you know.
You know, your information has been already exposed all over the world.
So, stop using P2P!
Interestingly, this Mr. Harada also comes up in a certain image as displayed by the malware detected as TROJ_VB.WL:

which, when translated from Japanese, says:
Infected! Harada Virus! Daaa!
Launch the nuclear missile!
The remaining time before The Third World War is,
48 hours 12 minutes 53 seconds!!
This malware breaches the host server of Pentagon, United States Department of Defense,
And destroys the nuclear defense system. In other words, it launches the nuclear missile… orz
This is not a threat. Everything is true!
If you think this is not true, you can just stay there!! Later, without knowing anything, you will be burned. But I do not care that! Because it is your fault, if you did not use P2P, you would not be suffered from this!
My life, give me back a half of it! Hey, you guys, crazy!!
This is the end of the world, dear Hokuto no Ken (Fist of the North Star) …. orz
The variants of TSPY_HARADONG and TSPY_DENUTARO steal certain information such as host names, IP addresses, the date of the malware’s first execution on the system, along with other sensitive account-related information such as user IDs. Some variants can also take screenshots of the affected system, and delete system files, multimedia files, document files, HTML files, files archived using .ZIP and .RAR, and files associated with anti-malware applications.
Right now the suspects face charges of copyright violation, which is currently the most severe charge that can be brought against them, as legislation in Japan regarding the creation and willful propagation of malware is only beginning to advance. In any case, it is clear that there are many out there, in whatever part of the world, who seek unjust gains through the Internet, and it is best to equip one’s system with the latest tools to identify and protect against these threats.
Information in this blog entry was based on the blog post of the Japan BU.
January 27th, 2008 by Trend Micro

The very first computer virus did not happen on a Windows machine, or a Mac or an Apple II. The first virus did not travel via the Internet or in an email or in a floppy disk. The first virus was not on a minicomputer, nor was it on a mainframe. That’s because the first computer virus didn’t exist on any computer hardware or software of any kind.
It was in a work of fiction.
By the late 1970s, movies, books and television shows had given the public a very strong impression of hackers, viruses, and other computer threats.
Unfortunately, these dramatic ideas have nothing at all to do with reality.
In the movies, viruses destroy computer hardware, sometimes leaving a trail of smoke and fire. In reality, no virus was ever known to damage any computer hardware. Ever.
In the movies, a virus or worm always has an immediate and dramatic visual effect. There is always an animated screen (HACKERS) or a warning message (SNEAKERS), or you can actually see the data being destroyed before your very eyes (THE NET). In reality, most malware leaves no visible trace of its existence.
On the big screen, malware is used to open bank vault doors, to tip over an oil tanker, to blow up a power plant or even to crash an alien spacecraft. In reality, the most insidious virus ever would locate a spreadsheet and randomly change one number.
Computer geeks (like me) get a real laugh out of movies about hacking and cybercrime. When a “hacker movie” opens you will find theaters in Silicon Valley or other computer tech havens full of people laughing at all the wrong things, and at all the things gotten wrong. To our amusement and dismay, these overblown, crazily overdramatic portrayals of hacking and cybercrime are what set the public’s understanding of all things cyber. People believe in the world described by these movies. It frequently makes them less safe behind the keyboard.
So I was very interested by an ad for a movie called UNTRACEABLE. It portrayed a criminal Web site and the FBI effort to bring it down. I got ready to watch another travesty of technical misrepresentation, and talked my boss into letting me watch the very first screening.
And I was wrong. They got every single technical detail right. When they talk about spoofing, or IP addresses, or keyloggers, they get it exactly right. Now, all of those old school movies did research (one of them sent the screenwriter to talk to me personally, some years ago) and still got it wrong. They couldn’t let go of the idea that in a visual medium, the computers needed to respond with something visual. They couldn’t get over the fact that fighting computer crime is primarily done at a computer keyboard, staring at long columns of numbers.
But not UNTRACEABLE; they got it all right. The Web page was only used for a limited period of time, and was proxied and mirrored and botnetted all over the place, standard operation in cybercrime. The social engineering used to get a backdoor into the FBI agent’s home Wi-Fi network was right out of the real world. None of the computer screens at FBI headquarters had magic graphics to show where the Web site was hosted. All in all, very, very believable — well done to the screenwriters and researchers involved.
Just one little problem. The movie was about horror porn online, and a serial killer with a need to invent ever-escalating and absurdly disgusting ways to kill people, while feeding video to a growing Internet spectator crowd. Now I know there is a long tradition of graphic violence in drama (Oedipus Rex, anyone? Romeo and Juliet?), but the modern craft is so convincing that a Grand Guignol fest like this was too much for me. I covered my eyes, I went for a diet soda, coming back to watch the plot. Diane Lane was actually quite good, as was the rest of the cast, and the procedural/plotting of the mystery and denouement were clever and inventive — but the movie has a LOT of problems, and is too preachy. It got a Rotten Tomatoes score of 14 (out of 100). Notably, Roger Ebert liked it a lot, and pretty much everyone else did not. Several reviewers refused to even see it.
So we have a movie that is finally getting the tech right (thanks again, guys) and pretty much nobody will see it. Not on my recommendation, anyway.
I leave with the hope that more movies get the tech right (help is offered if anyone is interested) and the prayer that nothing like this movie ever happens this side of the projector.
This post was authored by David Perry, Trend Micro’s Director of Global Education.
January 24th, 2008 by Dianne Lagrimas (Technical Communications)
Cyber criminals who took advantage of Hollywood actor Heath Ledger’s death are at it again, this time attempting to lure unsuspecting Super Bowl fans. When users search for “Superbowl,” Google search results turn up the following:

Is the Super Bowl on cyber criminals’ social engineering lists? It does seem somewhat passé (even if the event is two weeks away). But what’s interesting in this case is that the malicious URLs are once again found on the servers of the Czech hosting provider believed to have been hacked.
Our analysts have been in contact with CERT CZ and the Czech hosting provider but the malicious codes are still present as of this writing.
Trend Micro customers are protected from the harmful outcomes of these malicious URLs with the Web Threat Protection’s Web Filtering technology, effectively blocking the first-level malicious URL.
Information and screenshot provided by Research Project Manager Ivan Macalintal