Archive for March 23rd, 2008
March 23rd, 2008 by Aileen Clemente (Technical Communications)
If you have ever bought or sold anything on eBay, you pretty much know how important the seller ratings are. The general rating system is based on a one- to five-star scale and is determined by the people you have done transactions with. As is customary, five stars is the highest and one star is the lowest. Because business is conducted anonymously, the buyer can only depend on these ratings to take that leap of faith of sending his hard-earned money to a total stranger probably sitting halfway across the globe.
Though eBay sites offer practical and legitimate tips on how to boost one’s seller ratings, it is not surprising that scheming sellers still want to find an easy, albeit unfair, way of taking advantage of this rating system. After all, more stars virtually spell more sales.
The Register recently reported a scripting trick employed by malicious sellers at eBay.co.uk, purportedly to boost their own seller ratings. An auction for a 2007 Range Rover Sport HSE, a four-wheel drive car usually valued at around 40,000 pounds, offered the vehicle for a curiously low 12,000 pounds. Apparently, the seller indicated on the main page (an online jewelry seller) has “PowerSeller” status — meaning he/she has met certain standards set by eBay, including average sales requirements and, of course, the all-important honesty and timeliness.
The listing plays on the natural interest of people, eBay customers in particular, in anything that appears to be a bargain: clicking on the auction brings the user to what appears to be a regular item page. The first sign that something is fishy? A suspicious pop-up coming from a page hosted in Russia.
Further analysis later showed that this apparently regular eBay page contains an embedded tag pointing to a Shockwave file, which in turn redirects the user to an .ASPX page in Russia. Further down in the same location are two other .ASPX pages linking to already completed vehicle auctions. So just when buyers think they are dealing with a reputable seller, they are actually blindly doing business with sellers they can’t even identify.
Currently, we can only guess whether this curious script serves purposes other than boosting those seller ratings. Trend Micro is of course conducting its own investigation of the dubious files. Updates will be posted on this blog as soon as more information is available.
March 23rd, 2008 by Roderick Ordoñez (Technical Communications)

Spam continues to come to a cellphone near you, Trend Micro analysts confirm. Unlike spam received in the email inbox on a computer, “text message” spam is actually more costly to the user, as users are charged for any spam they receive. “For some people, if it’s in your plan — unlimited — you’re free. If it’s pay as you go, that’s going to be pretty expensive,” explains Threat Research Analyst Jamz Yaneza, who has been monitoring this latest development in spam delivery.
Spam has been pestering users constantly since email was invented, and has usually been confined to email systems running on a PC. Recent advances in anti-spam technology may have prompted spammers to look into other means of delivering their message, and with mobile capabilities becoming more PC-like, spamming through cell phones is set to increase, particularly in North America.
Already, users receive billions of unsolicited text messages. NBC11 cites 1 billion text messages spammed in the past year. The Register has also pointed out that users in China and Southeast Asia suffer the most, “partly due to low costs in sending and receiving text messages.” Mobile spam has been a fact of mobile phone usage in Asia for years now.
The implications of this kind of spam are far graver, but there are steps users can take when it occurs. For one, users may inform their carrier. Text message spam is illegal, and most carriers will credit the affected account if a refund is requested.
Users may also install software (such as Trend Micro Mobile Security) to address these concerns. Note, however, that spam is likely to evolve as technology advances, so keeping one’s software up to date is important to ensure protection.
Watch Jamz give his take on the issue in this NBC news clip.
March 23rd, 2008 by Fatima Bancod (Email Security Analyst)
The Better Business Bureau (BBB) is the target of a new phishing scam, in which a user is asked to download a rogue ActiveX installer upon visiting the Web site www.national-bbb.com/complaints/ViewReport.php?case=509134429&biz=&bbb=1186. This installer is actually a Trojan downloader file named Acrobat.exe.
The domain www.national-bbb.com/* is already blocked by the Content Security Team.
The BBB has a history of being targeted by malware authors and spammers as well as phishers. It was previously used as the subject of spam that carried malware detected as TROJ_ARTIEF.A.
March 23rd, 2008 by Edward Sun (Software Engineer)
The combination of MBR rootkits with Web threats is becoming more and more popular these days, as detailed in this previous post.
Security vendors and independent anti-rootkit authors have also started updating their solutions to detect this new rootkit threat. Once those detection tools were released to the public, anti-rootkit makers might have thought the case was closed. However, the war never stops. Over the last weekend, a new MBR rootkit variant was released in the wild with a new technique for evading detection.
In the previous version, the MBR rootkit hooks the dispatch routine of the storage driver (such as disk.sys) to hide the real content of the MBR. Anti-rootkits detect this by bypassing the hook. Because the original dispatch routine of the storage driver is an unexported routine of Classpnp.sys called “ClassPnpReadWrite”, anti-rootkits can bypass the hook by calling “ClassPnpReadWrite” directly.
To call “ClassPnpReadWrite” directly, anti-rootkit tools like “Gmer” first locate the address of “ClassPnpReadWrite” in the in-memory image of Classpnp.sys. The algorithm they use searches the disassembly of “ClassInitialize”. Since “ClassInitialize” is exported and references “ClassPnpReadWrite” internally during initialization, anti-rootkits can easily walk the disassembly of this routine to find the assembly code corresponding to the following C statements:
DriverObject->MajorFunction[IRP_MJ_READ] = ClassReadWrite;
DriverObject->MajorFunction[IRP_MJ_WRITE] = ClassReadWrite;
They then read the address of “ClassReadWrite” out of the raw assembly code.
However, the MBR rootkit author has discovered this and built a clever and effective countermeasure against anti-rootkits into the new variant. They did not strengthen the hook or go deeper; instead, they replaced specific bytes in the assembly code of “ClassInitialize” so that anti-rootkits find the wrong “ClassPnpReadWrite”:

From the above screenshot, we can see that the rootkit altered the operand of the MOV instruction to its own address, 0x8176742A, which lies outside Classpnp’s driver range and is obviously a rootkit routine. With this method, the rootkit successfully evades detection by current anti-rootkits.
Trend Micro advises users to scan their systems using the latest pattern file versions to block the rootkit. The content security feature of our products can also block all related domains.
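As an added illustration (not Gmer’s or Trend Micro’s code), the C below scans a constructed stand-in for the bytes of “ClassInitialize” for the mov [eax+44h], imm32 store that installs the IRP_MJ_READ handler, the way the post describes, and then applies the sanity check the patched variant defeats: the recovered address must lie inside Classpnp’s own image. The image range, the 0x44 displacement (32-bit DRIVER_OBJECT layout, MajorFunction at 0x38) and the byte sequences are assumptions constructed for the example; 0x8176742A is the out-of-range value from the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed (constructed) load range of the Classpnp.sys image. */
#define CLASSPNP_BASE 0xF8A00000u
#define CLASSPNP_SIZE 0x00010000u
/* disp8 of MajorFunction[IRP_MJ_READ] in a 32-bit DRIVER_OBJECT (0x38 + 3*4). */
#define MJ_READ_DISP8 0x44

static uint32_t le32(const uint8_t *p)            /* little-endian imm32 */
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Scan for "mov dword ptr [eax+disp8], imm32" (C7 40 disp8 imm32) that stores
 * the IRP_MJ_READ handler; return the imm32, or 0 if the pattern is absent. */
static uint32_t find_read_handler(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i + 7 <= len; i++)
        if (code[i] == 0xC7 && code[i + 1] == 0x40 && code[i + 2] == MJ_READ_DISP8)
            return le32(code + i + 3);
    return 0;
}

/* The check the post implies: a handler that ClassInitialize installs must lie
 * inside Classpnp's own image; anything outside that range signals tampering. */
static int handler_is_trusted(uint32_t addr)
{
    return addr >= CLASSPNP_BASE && addr < CLASSPNP_BASE + CLASSPNP_SIZE;
}

/* Constructed stand-ins for the relevant bytes of ClassInitialize. */
static const uint8_t clean_init[] = {
    0x8B, 0x45, 0x08,                         /* mov eax, [ebp+8] */
    0xC7, 0x40, 0x44, 0x10, 0x32, 0xA0, 0xF8, /* mov [eax+44h], 0F8A03210h */
    0xC7, 0x40, 0x48, 0x10, 0x32, 0xA0, 0xF8, /* mov [eax+48h], 0F8A03210h */
};
static const uint8_t patched_init[] = {       /* same code, imm32 overwritten */
    0x8B, 0x45, 0x08,
    0xC7, 0x40, 0x44, 0x2A, 0x74, 0x76, 0x81, /* 8176742Ah: outside the image */
    0xC7, 0x40, 0x48, 0x2A, 0x74, 0x76, 0x81,
};
int main(void)
{
    uint32_t a = find_read_handler(clean_init, sizeof clean_init);
    uint32_t b = find_read_handler(patched_init, sizeof patched_init);
    printf("clean   -> %08X trusted=%d\n", (unsigned)a, handler_is_trusted(a));
    printf("patched -> %08X trusted=%d\n", (unsigned)b, handler_is_trusted(b));
    return 0;
}
```

A real tool would also need to handle other register/displacement encodings of the same store; the point here is the range check, which a located address must pass before it is called.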