Archive for February 5th, 2008

How to Get Cash… and Malware

February 5th, 2008 by Loucif Kharouni (Threats Analyst)

While checking the personal spam I received today, my attention was drawn to an email claiming that users can get $2400 by downloading a casino application:

Once you click on the link hxxp://bearte.net.cn, you are sent to this Web page:

This Web page asks you to download a file named InstallCasinoV2.exe. The file is already under analysis; more updates will follow.

But this is not what I really want to talk about here. The casino story made me think about pay-per-install programs, so I looked for them with a simple search, as follows:

As you can see, I couldn’t have made it any simpler.

Here is the result displayed:

The second result is interesting: “Get Paid to Read Email”. I thought, why not, so I clicked on it, and this is where it led:

The page looked perfectly normal, so I started browsing the links on the left and clicked on “MyPaidEmails”. That proved to be the beginning of a long infection chain.

Once the following page loads, you effectively lose the use of your computer, which is kept busy loading iframes, scripts and malware:

The screenshot of the machine’s Task Manager above shows the number of malicious processes loaded in memory, and this is only the beginning of the infection. All the files gathered are under analysis, and the URLs involved have been added for Web Threat Protection (WTP) blocking. The malicious files are detected as follows:

  • TROJ_DLOADER.BG
  • TROJ_DLOADER.CO
  • TROJ_NUWAR.KE
  • TROJ_PROXY.KN
  • TROJ_DLOADER.DJA
  • TROJ_DLOADER.DJH
  • TROJ_PAKES.XH
  • TSPY_LDPINCH.AJW
  • TSPY_LDPINCH.AOL
  • HTML_AGENT.HDF
  • HTML_AGENT.HFA
  • HTML_AGENT.HDU
  • HTML_AGENT.HEC
  • HTML_AGENT.HEL
  • HTML_AGENT.HFB
  • HTML_AGENT.HFC

Targeted Attack Against Chinese Gamers in New Zero-Day Exploit

February 5th, 2008 by Macky Cruz (Technical Communications)

It seems that cyber criminals are hoping to take advantage of the Chinese New Year.

A few hours ago, Trend Micro researchers were alerted to malicious URLs reportedly exploiting a Chinese gaming application. Research Project Manager Ivan Macalintal later confirmed that these URLs indeed carried code attempting to exploit the popular Chinese gaming platform Lianzong.

Trend Micro Web Threat Protection proactively detects this as EXPL_EXECOD.A, so Trend Micro users were already protected against this threat from the outset.

The exploit is a line of code that references a vulnerable DLL. When triggered, it downloads a Trojan downloader (TROJ_DLOADER.DUY) from one URL; the downloader in turn fetches a configuration file from a second URL, and that file lists several malicious executables hosted on other domains known to house malware. These executables are mostly MMORPG password stealers, such as the following:

  • TSPY_ONLINEG.LPE
  • TSPY_ONLINEG.MGU
  • TSPY_ONLINEG.OCN
  • TSPY_ONLINEG.OMQ
  • TSPY_ONLINEG.OMR
  • TSPY_ONLINEG.OMS
  • TSPY_ONLINEG.OMT
  • TSPY_ONLINEG.OMU
  • TSPY_ONLINEG.OMV
  • TSPY_ONLINEG.OMW
  • TSPY_ONLINEG.OMX
  • TSPY_ONLINEG.OMY
  • TSPY_ONLINEG.ONB
  • TSPY_ONLINEG.ONC
  • TSPY_ONLINEG.OND
  • TSPY_ONLINEG.ONE
  • TSPY_ONLINEG.ONF
  • TSPY_ONLINEG.ONG
  • TSPY_ONLINEG.WN

This attack is further evidence of cyber criminals’ growing interest in targeting specific user groups by exploiting vulnerabilities in applications that are regional but widely used.

As of this writing, the vendor has not released a patch. In the meantime, users, especially those in China, should practice safe browsing and install the patch as soon as it is made available on the vendor’s Web site.

More information about this attack here.

SkypeFind Still Flawed!

February 5th, 2008 by JM Hipolito (Technical Communications)

A recently released Skype patch addressing a flaw in its SkypeFind feature is insufficient, according to the security researcher who found the flaw.

Aviv Raff, who also discovered the earlier cross-zone scripting vulnerabilities in Skype, warned that SkypeFind is still not secure. SkypeFind is the feature of the Skype VoIP client that lets users recommend businesses and post reviews. The attack involves injecting malicious script into the “full name” field of the attacker’s Skype account: when a user views, in the SkypeFind dialog, any business that account has reviewed, the script executes on the user’s system.

Although Skype’s security notice played down the flaw, Raff disagrees. In a report from The Register, he warns that there are probably other ways to inject malicious script into the SkypeFind dialog, and he advises users to disable the feature until a proper fix is provided.

