
Archive for January, 2008


Jan24
by Dianne Lagrimas (Technical Communications)

A new piece of Symbian malware, detected by Trend Micro as SYMBOS_BESELO.A, spreads via Bluetooth and Multimedia Messaging Service (MMS) messages while posing as enticing content. Disguised as a picture or a multimedia file, it uses any of the following file names to spread to other mobile phones:

  • beauty.jpg
  • love.rm
  • sex.mp3

Notice the file extensions? Do not be deceived: in reality these are .SIS files, the installer package format used on Symbian phones. Aside from the enticing names, the misleading extensions help the malware get installed. The recipient thinks they are opening a picture or a song, but the phone recognizes the file by its contents as an installer and launches it.
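As an added illustration (not code from the original post), the following Python check shows why a filter keyed on the file extension alone would let these lures through: it compares the first bytes of an attachment with the signature its extension claims, and separately flags Symbian installers by their leading UIDs. The JPEG, RealMedia and MP3 signatures are standard; the two SIS UID constants are quoted from memory of the Symbian SIS file format and should be treated as assumptions; all sample bytes are constructed.

```python
# Added example, not part of the TrendLabs post: classify an incoming attachment
# by content rather than by the name the sender gave it.
import struct
from typing import Optional

# Leading-byte signatures for the media types the lure names claim (partial list).
MAGIC = {
    "jpg": [b"\xff\xd8\xff"],                               # JPEG SOI + first segment marker
    "rm":  [b".RMF"],                                       # RealMedia file header
    "mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],  # ID3v2 tag or common MPEG frame syncs
}

# Assumed values (from memory of the Symbian SIS format; verify before relying on them):
LEGACY_SIS_UID3 = 0x10000419    # UID3 of pre-Symbian-9 (S60 2nd edition) .SIS files
SYMBIAN9_SIS_UID1 = 0x10201A7A  # UID1 of Symbian 9 / S60 3rd edition .SIS files


def looks_like_sis(data: bytes) -> bool:
    """True if the first 12 bytes carry the UIDs a Symbian installer starts with."""
    if len(data) < 12:
        return False
    uid1, _uid2, uid3 = struct.unpack("<III", data[:12])  # three little-endian 32-bit UIDs
    return uid3 == LEGACY_SIS_UID3 or uid1 == SYMBIAN9_SIS_UID1


def claimed_type(filename: str) -> Optional[str]:
    """The media type the extension claims, or None if we have no signature for it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext if ext in MAGIC else None


def check_attachment(filename: str, data: bytes) -> str:
    """Return 'installer', 'ok', 'mismatch' or 'unknown' for an attachment."""
    if looks_like_sis(data):
        return "installer"          # a .SIS regardless of what the name says
    ext = claimed_type(filename)
    if ext is None:
        return "unknown"
    if any(data.startswith(sig) for sig in MAGIC[ext]):
        return "ok"
    return "mismatch"               # extension lies about the content


# Constructed samples: a genuine JPEG prefix, and a 2nd-edition-style installer
# whose application UID (first field) is made up for this example.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLE_LURE = struct.pack("<III", 0x0AAAAAAA, 0x00000000, LEGACY_SIS_UID3) + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("beauty.jpg", SAMPLE_JPEG), ("beauty.jpg", SAMPLE_LURE),
                       ("love.rm", SAMPLE_LURE), ("sex.mp3", b"ID3\x04\x00")):
        print(f"{name}: {check_attachment(name, blob)}")
```

The point of the three-way split is that a renamed installer is caught by its own header before the extension is even consulted, so the `installer` verdict does not depend on which media extension the lure happens to use.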

Once the user unwittingly installs the malicious .SIS file, the malware drops several files and creates others. It then uses the infected phone as a launch pad for further propagation, sending MMS messages that carry any of the innocent-looking file names above, and the cycle continues. This is a disturbing prospect: mobile messaging has become so routine that users sometimes no longer give a second thought to opening messages from unknown senders.

SYMBOS_BESELO.A affects mobile phones running the Symbian/S60 2nd edition operating system, which is commonly found in the following Nokia models:

  • 6600
  • 6630
  • 7610
  • N70
  • N72

It does not affect newer Nokia models such as the Nokia E-series, N71, N73, N75, N76, N80, N91, N92, N93, N93i, N95 and others, as those phones run Symbian 9.1/S60 3rd edition, which does not run 2nd edition binaries. In any case, users are advised not to accept unexpected files sent via Bluetooth, and to be careful when opening MMS messages. Mobile users with Trend Micro Mobile Security 3.0 or 5.0 for Symbian/S60 installed are automatically protected from this malware.

Additional information provided by Todd Thiemann and Rolf Rennemo

 
Posted in Malware

Jan23
by Dianne Lagrimas (Technical Communications)

A new worm detected as WORM_IRCBOT.SN is currently making the rounds via MSN Messenger. In some instances it drops the names of the popular social networking sites MySpace and Facebook as it spreads. It sends any of the following messages together with a link where the picture referred to can supposedly be “viewed” by the recipient:

  • can i throw this picture of you and me on myspace?
  • Wanna see my pictures before i send em to facebook?
  • can I throw this picture of us on my facebook.. please?
  • I think this picture is terrible. but my friends on myspace want to see it. please dont show noone.
  • do I look dumb in this picture? I want to put it on myspace.
  • do you think I look ugly in this pic? its one of my new ones too :(
  • hey i found your picture on hotornot.com! I swear its you!
  • OMG, i found ur pic on cuteornot.com! im not kidding either!!!
  • jesus this person really looks like you!
  • This picture isnt you… right? lol

This is only a partial list; the worm carries many more lines, mostly about photos. Another interesting detail, observed by our senior analysts, is that the messages change according to the language of the affected operating system. Based on the ploys used (the MySpace and Facebook names, and references to country codes in its registry entries) as well as the varying languages of this localizing MSN worm, its authors are trying to reach as wide an audience as possible.

 
Posted in Malware

Jan23
by Bernadette Irinco (Technical Communications)

No sooner had the world learned of the untimely death of Heath Ledger (Brokeback Mountain) than malware authors started using the late actor’s name as a social engineering ploy. Within hours of the first reports, Research Project Manager Ivan Macalintal found a couple of malicious URLs that turn up when users search for the terms “heath” and “ledger”:

[Screenshot: Google search results for “heath ledger”]

This is very similar to the poisoned Google searches reported last Christmas. If a user clicks on any of the links, he is led to the following SEO (search engine optimization) keyword-riddled page:

[Screenshot: the SEO keyword-riddled landing page]

However, the user never actually sees this page, because it automatically redirects to another site, which in turn tells the user to download a “new version of ActiveX Object.” As expected, this is just the beginning of a series of redirections that ends in the download of various malicious files (TROJ_RENOS.LZ in one infection chain, WORM_NUCRP.GEN in another).

[Screenshot]

There seems to be a bigger story behind this particular attack. On deeper analysis, our researchers have reason to believe that these malicious URLs are among those resulting from the suspected compromise of Web servers at a Czech hosting provider. Hacked sites on these servers carry malicious JavaScript (detected by Trend Micro as JS_DLOADER.DAT) which, when accessed, follows the same redirection chain as the Heath Ledger links above.

Piggybacking on newsworthy events is not new: a month ago, malware authors also jumped on the assassination of former Pakistani Prime Minister Benazir Bhutto. In this case, malware authors simply used news of Ledger’s death to kick off massive redirections, knowing that many people would search for this hot news item.

Trend Micro’s Web Threat Protection provides defenses at several points in the infection chain: our Web Filtering technology blocks access to the malicious sites, and our scan engine detects both the JavaScript that launches the attack and the files the malware eventually attempts to download onto the affected system.

Our analysts have already contacted Czech CERT so that the affected parties in this large-scale compromise can be properly informed.

Information and screenshots provided by Ivan Macalintal and Threat Response Engineer Maersk Menrige
Write-up updated by Ma. Christina Cruz

 

Jan22
by Paul Ferguson (Advanced Threats Researcher)

This is something we have blogged about several times recently here on the TrendLabs blog, but sometimes an issue needs to be highlighted and emphasized to make the underlying trend clear.

How bad is the problem of compromised Web sites and Web servers on the Internet? Epic.

Brian Krebs wrote earlier today about how alarming this issue has really become — and we are seeing the same alarming level of escalation.

Why? Insecure Web site implementations, and/or no ongoing effort by Web site administrators to ensure that the platforms these sites are built on are properly maintained, diligently patched, and regularly examined for security deficiencies.

Cyber criminals are actively and successfully preying on the unfortunately large number of Web sites out there that are not implemented or maintained properly, using them to surreptitiously embed exploits aimed at unwitting Web surfers.

Why? Mainly to obtain user credentials — logins, passwords, credit card information, etc.

This is perhaps the most dangerous, and least appreciated threat to casual Internet users today. There is a wholesale effort underway by cyber criminals to subvert and compromise Web services around the globe to use for their own criminal purposes.

And it gets worse, unfortunately.

The real threat no longer lives where “scanning for viruses” on the local PC will find it, although local scanning is a useful tool that will probably always play a role in overall threat protection.

The threat “game” has now moved onto the Web, and in a big way. Cyber criminals began focusing on Web threats last year, exploiting the fact that most Web sites and Web pages are not actively maintained by professionals: they are built and put into service by people with no training in secure Web implementation, or who simply walk away and never update the software as vulnerabilities in it are discovered.

I’ve said this many times, and I’ll repeat it here: The days of simply putting a Web page up on The Internet and forgetting about it are long gone.

Ongoing due diligence must be the focus; otherwise criminals will exploit the opportunity to seed their malicious content and victimize unwitting Internet users.

Criminals are targeting Web sites with a high probability of large user counts: sites with big audiences, e-commerce sites where a compromise could be high-value, and entire server farms at third-party hosting facilities.

And some Web sites are used simply as a means to an end, pit-stops on the criminal highway: legitimate sites compromised to harbor redirects to criminal content (malicious redirects via iframes or JavaScript, phishing pages, malware, etc.).
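As an added example (not Trend Micro code), the following Python scan looks for exactly the pit-stop tricks named here and in the Heath Ledger post above: a compromised page carrying a hidden iframe, a meta refresh, an off-site script include, or script that rewrites `location`, all pointing away from the site the page belongs to. It inspects fetched HTML statically, so nothing in it is executed; the sample page and every hostname in it are constructed for this illustration (the `.example` domain is reserved and resolves to nothing).

```python
# Added example, not part of the TrendLabs post: static scan of a page for
# injected redirection to third-party hosts.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches "location = '...'", "window.location.href = '...'" and similar assignments.
JS_LOCATION = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)


class RedirectFinder(HTMLParser):
    """Collect (kind, url) findings for off-site redirects embedded in a page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._in_script = False

    def _offsite(self, url):
        host = urlparse(url).hostname
        return bool(host) and host != self.page_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                      # HTMLParser lowercases attribute names
        if tag == "iframe":
            src = a.get("src", "")
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden and self._offsite(src):
                self.findings.append(("hidden-iframe", src))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(a.get("content") or "")
            if m and self._offsite(m.group(1)):
                self.findings.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True
            src = a.get("src", "")
            if self._offsite(src):
                self.findings.append(("offsite-script", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies arrive here; look for location rewrites to other hosts.
        if self._in_script:
            for m in JS_LOCATION.finditer(data):
                if self._offsite(m.group(1)):
                    self.findings.append(("js-redirect", m.group(1)))


def scan_page(html, page_host):
    """Return the list of off-site redirect findings in document order."""
    p = RedirectFinder(page_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a keyword-stuffed page on www.example.org that has been
# seeded with four different ways of sending the visitor elsewhere.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://redirector.example/go.php">
<script src="http://js-host.example/x.js"></script>
</head><body>
<h1>heath ledger heath ledger heath ledger</h1>
<iframe src="http://dropper.example/in.cgi?3" width="1" height="1"></iframe>
<iframe src="http://www.example.org/ads" width="300" height="250"></iframe>
<script>if (document.referrer.indexOf("google") != -1) {
  window.location = "http://landing.example/activex.html"; }</script>
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan_page(SAMPLE, "www.example.org"):
        print(f"{kind:15} {url}")
```

Each hop this finds would then be fetched and scanned the same way (with a plain HTTP client, never a browser) until the chain ends in a file, which is how the multi-stage redirections in the Heath Ledger case are mapped without executing any of the attacker's script. The regexes only cover direct `location` assignments; obfuscated JavaScript needs a sandboxed interpreter, which is out of scope here.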

Not only are they targeting “high-profile” Web sites, they are also targeting any Web site which they can use to host criminal activity.

The latest example of this trend: yesterday we were alerted that a Web site hosting content for the Thai Royal Air Force is being used to harbor a phishing redirect for a major banking fraud (see screenshot below).

We alerted the ThaiCERT folks about this incident yesterday, but it has not been removed at the time of this posting.

Not to pick on any particular organization — we are all at risk here. Don’t kid yourself.

We’ve recently seen literally thousands of compromised Web sites and Web pages where, if an unsuspecting user happens upon the content (and has some unpatched vulnerability), they are victimized.

I cannot stress how important this issue has become, and how this will fundamentally change the way we use The Internet if we do not take dramatic steps to correct these basic deficiencies.

The lifeblood of the Internet depends on it.

When Vint Cerf spoke at the World Economic Forum in Davos, Switzerland, last year, he pretty much nailed it: “Criminals may indeed overwhelm the web” while we (collectively) sit idly by.

Take action. Now.

“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research

 

Jan21

Skype yesterday released a security bulletin for a cross-zone scripting vulnerability. Security Bulletin SKYPE-SB/2008-001 addresses the vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on an affected system.

Skype’s “add video to mood” and “add video to chat” functions were identified as areas attackers could use to run malicious code on target systems. Because Skype uses the Internet Explorer web control to render HTML content, browsing Skype’s video gallery and watching videos that carry attacker-supplied script triggers the vulnerability; watching videos in a chat or in a mood message, however, does not. What makes a cross-zone bug dangerous is that remote, attacker-controlled HTML ends up running with the privileges of a more trusted IE security zone than the Internet zone it came from, so script that would be harmless in a normal browser tab can do far more.

For the moment, Skype has disabled adding videos from the Dailymotion video-hosting gallery until an official fix is available.

Trend Micro advises users of this software to install the patches as soon as Skype makes them available.

 
Posted in Security


© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice