Archive for March 26th, 2008

Phishing-Malware Bait: Brazilian Income Tax Return

March 26th, 2008 by Aivee Cortez (Anti-spam Engineer)

The Web site of the Ministry of Finance in Brazil, Ministerio da Fazenda, has become the new target of the bad guys. The Trend Micro Content Security Team found a phishing email that purports to be a legitimate email from that financial institution.

It asks recipients to confirm their income tax return that has not been delivered. The confirmation method is to click the hyperlinked message, which leads to the URL hxxp://www.c3.hu/~vadkert//tagok/formulario.php. However, instead of displaying an ordinary phishing Web site, it downloads a malicious executable file.

The file is already detected by Trend Micro as POSSIBLE_BANLD-1, while the malicious URL has already been added to the database and will be blocked by WCS.
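One way a proxy or mail gateway could flag the behaviour described above, where a link that looks like a form page returns an executable, written as an added Python example rather than Trend Micro's own detection logic. The function names, the portal.example host and the sample response bodies are constructed for illustration.

```python
import struct
from urllib.parse import urlparse

# Extensions that normally return a rendered page, not a binary download.
PAGE_EXTENSIONS = {".php", ".html", ".htm", ".asp", ".aspx", ".jsp"}


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


def is_pe(body: bytes) -> bool:
    """True if the bytes start with a DOS MZ header that points at a PE signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", body, 0x3C)  # e_lfanew field
    return body[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def page_url_serving_executable(url: str, body: bytes) -> bool:
    """Flag a response whose URL looks like a web page but whose body is a PE file."""
    path = urlparse(refang(url)).path.lower()
    looks_like_page = any(path.endswith(ext) for ext in PAGE_EXTENSIONS)
    return looks_like_page and is_pe(body)


def make_pe_stub() -> bytes:
    """Constructed sample: minimal MZ header with e_lfanew = 0x40 and a PE signature."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed proxy records: (requested URL, first bytes of the response body).
SAMPLE_RESPONSES = [
    ("hxxp://portal.example/formulario.php", make_pe_stub()),
    ("hxxp://portal.example/index.php", b"<html><body>ok</body></html>"),
    ("hxxp://portal.example/setup.exe", make_pe_stub()),
]

if __name__ == "__main__":
    for url, body in SAMPLE_RESPONSES:
        print(url, "->", "ALERT" if page_url_serving_executable(url, body) else "ok")
```

The check inspects the body, not the Content-Type header, because the server controls that header and can set it to anything.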

- Update: March 27, 2008 -

TrendLabs engineers further analyzed the malicious site and found various malware hosted on it, such as the following:

  • w.exe - detected as TSPY_AGENT.ALKZ
    (Note: The original file downloaded from the link is already detected as PE_PARITE.A)
  • formulario.exe - detected as TROJ_BANLOAD.CRZ
  • onnas.exe - detected as TSPY_BANCOS.AUE

The file usersonline.txt, on the other hand, is a non-malicious file that contains IP addresses and ports, which, based on analysis, are currently not available. Jose Lopez Tello, Trend Micro Virus Coordinator in Latin America, notes that it is not certain whether the IP addresses contained in the text file are from online users or are just a fake list, but what is interesting is that all of the IPs are located in Brazil.

Scareware software makes its second round on Mac O/S

March 26th, 2008 by George Moore (Threats Analyst)

As the Mac user base grows, it becomes a larger target for malware than ever before. Earlier this year we saw a threat known as MacSweeper, the very first scareware application to target Mac users.

Today in our labs, we have discovered iMunizator, a new variation of the MacSweeper threat. Changing the name and download location of the application gives the author a chance to temporarily shed some of their already spreading bad reputation on the Web. However, this new version is strikingly similar, down to the Web page layout they chose to use. Just look at the screenshots below:

MacSweeper.com: Discovered winter of 2007/2008

iMunizator.com: Discovered March 2008

Previously, a Trojan known as Zlob/MediaCodec crossed over onto the Mac platform while simultaneously still targeting Windows users. We have also seen similar scareware applications, commonly known as rogue security applications, on Windows. These malicious business models have proven to make money for their owners on Windows, and it's no wonder they want to cash in on the rest of the users on the Web. It looks like the coming year will most likely get a little turbulent for Mac users.

