Archive for February 11th, 2008

IRS Tax Refund Ruse Turns Aussie

February 11th, 2008 by Macky Cruz (Technical Communications)

Income tax filing season in Australia is months away (ITRs are due in October each year), but some users are already receiving email notices purportedly from the Australian Taxation Office enticing them to file their taxes early to obtain a refund. If this sounds familiar, it is because it is the same tax refund ruse our Content Security team was seeing last year, only this time, instead of appearing to come from the Internal Revenue Service, the spammed messages use the Australian Taxation Office as the “sender.”

Bad news for early birds, indeed.

The email message contains essentially the same text as the past IRS spam runs (here and here):

The “click here” link leads to the following phishing page, which prompts the user to key in credit card information such as the name appearing on the card, credit card number, expiration date and CVV code:

It also asks the user for other personal information like the user’s birthday, address, and mother’s maiden name. The phishing site looks exactly like the official Web site of the Australian Taxation Office complete with the search box at the upper right section and the page links at the left sidebar.

Needless to say, Trend Micro Antispam technology captures spam and phishing-related email messages before they have the chance to fool users into giving up sensitive information. However, users are advised to be wary of email messages coming from unknown sources even if (or in this case especially if) they appear to be helpful or enticing.

Information and images for this blog entry were provided by Verna Sagum of the Content Security Team

Storm Sure Loves Everybody

February 11th, 2008 by David Sancho (Threats Analyst)

As we forecast last month, Storm is already sending out its Valentine greetings this week. The owners of this powerful botnet are doing as much as possible to keep its size up. This includes spamming people with plain-text messages and enticing them to click on malicious links. They may arrive looking like these two email messages:

This time around, the messages are of love.

The spammed messages contain a link that leads to malicious Web sites displaying one of eight cute Valentine images shown below.

As usual, if you run the executable named VALENTINE.EXE, your system will inevitably join the Storm botnet to start spamming other Internet users…not very loving of them, right? In any case, have a happy (and Storm-free) Valentine’s Day!

Update by Lordian Mosuela, Escalation Engineer:

Here are a couple of samples of how the images above appear inside the Web sites referred to by the spammed email messages:

Below is the source code of the Web page linked from the spammed email message in the first image. Unlike other NUWAR Web pages that use defanged HTML scripts, this new variant is rather straightforward: users can see quite plainly that the image links to a file named VALENTINE.EXE.

Upon clicking the image in the Web page, the user is prompted to download the mentioned file.

There were no changes in this new NUWAR variant’s main P2P routine. The only difference is that the malware author created a new executable module that loads a kernel service driver; the driver uses an anti-emulation technique based on dummy API (Application Programming Interface) calls in order to bypass antivirus detection.

The executable is detected by Trend Micro as WORM_NUWAR.AR.

Additional images provided by Lalaine Gregorio of the Content Security Team

Storm for Rent

February 11th, 2008 by Roderick Ordoñez (Technical Communications)

Malware authors appear to be using the name of the Brazilian telecom carrier TIM in their latest scam to deliver malware. Trend Micro researchers have come across the following site, supposedly from the telecom company:

  • http://{BLOCKED}rfilho.sites.uol.com.br/___http://www.tim.com.br/downloads/MMS/VideoMensagens/VideoMensagem.html

The site invites the user to view a video clip supposedly sent to him/her through the video message service offered by TIM. However, the site tries to download an ActiveX component that most probably contains malicious code. The source of the downloaded file is deeply buried within obfuscated code.

After further analysis, it has been discovered that the malware connects to an FTP server where it downloads files having a .MOD extension. The downloaded files are then modified and installed on the infected system.

What’s even more surprising is that an HTML file included in the download contains an iFrame connecting to http://{BLOCKED}rrychristmasdude.com/ind.php — one of the URLs previously associated with the infamous Storm botnet. Surprise, surprise!
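Two indicators described in these posts (the NUWAR Valentine page whose clickable image links straight to VALENTINE.EXE, and the HTML file whose iframe points at a Storm-associated host) can be checked for with a simple HTML scan. The following is an added example, not code from Trend Micro or from either post; the sample page and the hosts in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the pages described above: a clickable image
# whose link is an executable, plus an injected iframe to a foreign host.
# Both host names are placeholders, not the real sites from the posts.
SAMPLE_HTML = """<html><body>
<a href="valentine.exe"><img src="valentine1.jpg"></a>
<iframe src="http://example.invalid/ind.php" width="0" height="0"></iframe>
</body></html>"""

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")


class SuspiciousLinkFinder(HTMLParser):
    """Flag <img> wrapped in a link to an executable, and iframes that are
    hidden or point at a host other than the page's own."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.current_href = None   # href of the <a> we are currently inside
        self.findings = []         # (kind, url) tuples

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.current_href = a.get("href")
        elif tag == "img" and self.current_href:
            path = urlparse(self.current_href).path.lower()
            if path.endswith(EXEC_EXTS):
                self.findings.append(("image_links_to_executable", self.current_href))
        elif tag == "iframe":
            src = a.get("src") or ""
            host = urlparse(src).netloc.lower()
            hidden = a.get("width") == "0" or a.get("height") == "0"
            if (host and host != self.page_host) or hidden:
                self.findings.append(("suspicious_iframe", src))

    def handle_endtag(self, tag):
        if tag == "a":
            self.current_href = None


def scan_html(html, page_host):
    """Return the list of findings for one page fetched from page_host."""
    finder = SuspiciousLinkFinder(page_host)
    finder.feed(html)
    return finder.findings
```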

One may argue that the Storm botnet has been rented out to a Brazilian Trojan Bancos group. Christmas-themed URLs may be way out of season, but their spirit lives on — especially for malware creators — in any part of the world, at any time of the year, ready to serve and deliver malicious content. And the guise of an innocent-looking, legitimate telecom site may simply be a way to reach more unsuspecting victims.

DavidSancho.es Compromised

February 11th, 2008 by David Sancho (Threats Analyst)

No, that’s not me…
I am a Senior Antivirus Researcher, while the David Sancho in the above screencap is a young Spanish actor with the same name. He has this cute promo page that has a gallery of his pictures and performances.

Amazingly, the page was first compromised and iFramed as early as November 2007.
I contacted my namesake and he seemed to clean up the page after a few weeks. Shortly after that, the page was infected again and since then it has been sporting a number of different iFrames and obfuscated JavaScript code. I contacted the abuse team of the site provider and hopefully it will be solved once and for all, and soon. I hate having my name associated with malware, even if I had nothing whatsoever to do with the page.

If people got around to thinking I was the David Sancho owning this compromised site, then it would have been truly ironic.

Mega-Dik spam botnet vs Storm

February 11th, 2008 by Jake Soriano (Technical Communications)

Storm certainly served as inspiration to yet another growing botnet dubbed Mega-Dik.

Speculation is afloat that this botnet could be behind the recent spamming campaign that floods user inboxes with ads for male enhancements and replica watches. These spammed messages contain links to Mega-Dik.com. Trend Micro Senior Threat Analyst Jamz Yaneza believes that the product MegaDik is a scam.

Researchers are divided in their views regarding this botnet. Marshal reports that Mega-Dik was responsible for more than a third of spammed messages in the past three months.

That information would be a testament to the apparent decline of Storm, which probably resulted from its immense popularity: being popular means everyone is after Storm. Yet it remains unclear whether Mega-Dik is independent of the infamous Storm, or if the people behind the latter are also behind it.

Yaneza adds that the Mega-Dik Trojan/botnet could in fact be old and much of it is being detected generically.

If this apparently rising botnet does pose a threat to Internet security — and a grave one at that — the mayhem caused by Storm could serve as a precedent for whatever routines it goes on to demonstrate.
