Archive for March 11th, 2008

FARC Leader Killing Leads to Farce Email Messages

March 11th, 2008 by Carolyn Guevarra (Technical Communications)

Early this month, news of the death of the Revolutionary Armed Forces of Colombia’s (FARC) second-in-command, Raul Reyes, circulated widely. Reyes and 16 other members of the rebel group were killed during a predawn air strike by the Colombian Army against his camp near the border with Ecuador. Bloomberg further writes:

His death is likely to intensify a struggle for power within the half-century-old peasant movement to overthrow the government, said former Colombian President Ernesto Samper.

Certainly, this is another sensational news item ripe for exploitation as a social engineering lure by cyber criminals. TrendLabs received samples of spam email messages that claim to be from the popular Colombian news site Eltiempo.com. The spam email tries to lure recipients into clicking links that promise videos and photos taken from the computer of Raul Reyes himself.

Of course, the links lead to a malicious Web site and result in the download of malware files, which Trend Micro detects as TROJ_AGENT.LAM. The related malicious URLs are already blocked by Trend Micro Web Reputation Services.

Just recently, malware authors banked on the “apparent death” of Cuban dictator Fidel Castro to spread their malicious programs. Surely, malware authors have their noses up and are constantly sniffing for the next big news story to use in their next social engineering ploy.

Malware Enter The Hives

March 11th, 2008 by Mayee Corpin (Technical Communications)

TrendLabs has gotten word that the official Web site of Swedish rock band The Hives, hxxp://thehivesbroadcastingservice.com, got hacked. This attack coincides with the US leg of the band’s ongoing tour before they move on to the UK next month. The compromised site, incidentally, is where the tour dates are published.

An iframe was found inserted into the page, pointing to another page that redirects to hxxp://coripastares.com/in.php?adv=321&val=b81267. This URL hosts a malicious JavaScript detected as JS_PSYME.FE, which in turn tries to install TROJ_DROPPER.ALS.

TrendLabs anti-malware engineers have downloaded the HTML file into which the malicious iframe was inserted. This HTML file containing the malicious iframe is now detected as HTML_IFRAME.JF.
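Site owners can look for this kind of injection themselves. The following is an added defender-side example, not TrendLabs code: it parses a captured HTML page and flags iframes whose src points off-site or that are hidden (zero size, display:none), the two traits an injected redirector frame typically shows. The sample page and the redirector host "redirector.example" are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))  # attr names are lowercased


def _hidden(attrs):
    """True if the frame is sized away or hidden via inline style."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = any((attrs.get(k) or "").strip() in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def audit_iframes(html, site_host):
    """Return [(src, [reasons])] for every iframe that looks injected."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""  # empty for a relative src
        reasons = []
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append("cross-origin src")
        if _hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate player frame, one injected redirector.
SAMPLE_PAGE = """<html><body><h1>Tour dates</h1>
<iframe src="/player/tour.html" width="600" height="400"></iframe>
<iframe src="http://redirector.example/in.php?adv=321" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in audit_iframes(SAMPLE_PAGE, "thehivesbroadcastingservice.com"):
        print(f"SUSPICIOUS iframe {src}: {', '.join(why)}")
```

Run it against a page fetched with the site's own hostname as the second argument; a legitimate same-site frame of normal size produces no finding.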

Trend Micro also now detects the file downloaded from the URL hxxp://coripastares.com/adw_files/100/da41bcd6/install.exe as TROJ_SMALL.AYR, which installs a host of other malware detected as TROJ_RENOS.LA, TROJ_AGENT.AEUM, and TROJ_WANTVI.E.

As if those malicious scripts and Trojans were not enough, this malware also downloads adware detected as ADW_REANIMATOR from the following site:

  • hxxp://www.winreanimator.com/inst/1017/74c321f6c3d70a510c6436c9b79f8090/9/Installer2.exe

By virtue of their popularity, music bands are almost a given as effective tools for social engineering. As was seen last November, pianist and singer Alicia Keys’ MySpace Web page was compromised; a background image was injected into it that redirected to malicious sites supposedly located in China. Users were then prompted to download a fake video codec, actually a ZLOB Trojan.

Trend Micro strongly encourages you to update your pattern files regularly. Doing so will protect you from the latest as well as older malware threats.

Image courtesy of im-glowing.blogspot.com

Note from Paul Ferguson, Advanced Threats Research: We love The Hives. We just hate malware & cyber criminals.