
Archive for March, 2008


Mar27
by JM Hipolito (Technical Communications)

Investigations are currently being conducted as reports of targeted attacks exploiting an unpatched security flaw in Microsoft’s Jet Database Engine have surfaced.

This vulnerability is exploited through a specially crafted Microsoft Word document detected by Trend Micro as TROJ_EMBED.AA. Once the document is opened, the Word file launches a Microsoft Database (MDB) file, detected as TROJ_MSJET.C, which serves as its mail-merge data source. At this point the vulnerability is triggered, allowing the Word document to drop a malicious .EXE file on the affected system.
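One practical triage check for an attachment like the one described above is to look for a Jet database where none belongs: a binary Word file is an OLE compound document, while a Jet .mdb file carries the string "Standard Jet DB" at offset 4 of its header and its engine version in byte 0x14. The Python script below is an added example, not code from the original post or from Trend Micro. It assumes the MDB reaches the victim as raw bytes, either embedded in the Word document or as its own attachment; the sample byte strings are constructed here and are not the malware described. A signature hit is a reason to quarantine and inspect, not proof of exploitation.

```python
import re
from typing import Dict, List

# Well-known file signatures (not taken from the original post):
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound document header used by binary Word .doc files
JET_SIG = b"Standard Jet DB"                      # Jet 3.x/4.x .mdb: this string sits at offset 4 of the file
ACE_SIG = b"Standard ACE DB"                      # Access 2007+ .accdb uses the same layout with this string
# Byte 0x14 of a Jet/ACE file identifies the engine version.
JET_VERSIONS = {0x00: "Jet 3.x", 0x01: "Jet 4.x", 0x02: "ACE 12 (Access 2007)"}
DB_EXTENSIONS = (".mdb", ".mde", ".accdb", ".accde")


def find_jet_databases(blob: bytes) -> List[Dict]:
    """Return every Jet/ACE database header found in blob, at any offset."""
    hits = []
    for sig in (JET_SIG, ACE_SIG):
        for match in re.finditer(re.escape(sig), blob):
            start = match.start() - 4        # the database file begins 4 bytes before the string
            if start < 0:
                continue
            version = blob[start + 0x14] if start + 0x14 < len(blob) else None
            hits.append({
                "offset": start,
                "signature": sig.decode("ascii"),
                "jet_version": JET_VERSIONS.get(version, "unknown"),
            })
    return sorted(hits, key=lambda h: h["offset"])


def triage_attachment(filename: str, blob: bytes) -> Dict:
    """Classify a mail attachment by what it really contains, ignoring its extension."""
    is_ole = blob.startswith(OLE2_MAGIC)
    jet = find_jet_databases(blob)
    if jet and jet[0]["offset"] == 0:
        # A bare Jet database; note when the extension hides that fact.
        verdict = "jet_database" if filename.lower().endswith(DB_EXTENSIONS) else "jet_database_disguised"
    elif is_ole and jet:
        # A Word/OLE container carrying a Jet database inside it: the shape the post describes.
        verdict = "ole_with_embedded_jet"
    elif jet:
        verdict = "jet_signature_in_non_ole_file"
    else:
        verdict = "no_jet_signature"
    return {"filename": filename, "is_ole": is_ole, "jet": jet, "verdict": verdict}


# Constructed samples (not real malware): a minimal Jet 4 header chunk and a fake Word container
# that embeds it. Real documents carry a full OLE structure; the signature check does not need it.
MDB_CHUNK = b"\x00\x01\x00\x00" + JET_SIG + b"\x00" + b"\x01" + b"\x00" * 100  # byte 0x14 == 0x01 -> Jet 4.x
SAMPLE_DOC = OLE2_MAGIC + b"\x00" * 600 + MDB_CHUNK   # OLE header, filler, embedded .mdb at offset 608
SAMPLE_MDB = MDB_CHUNK
SAMPLE_CLEAN = OLE2_MAGIC + b"\x00" * 512


if __name__ == "__main__":
    samples = (("invoice.doc", SAMPLE_DOC), ("merge.mdb", SAMPLE_MDB),
               ("data.txt", SAMPLE_MDB), ("memo.doc", SAMPLE_CLEAN))
    for name, data in samples:
        print(triage_attachment(name, data))
```

The check is deliberately format-agnostic: it does not parse the OLE directory, so it also catches an .mdb that has been renamed or appended to some other container, at the cost of a false positive on any file that legitimately carries an Access database.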

The mentioned Word file also drops files that Trend Micro detects as the following:

  • TROJ_AGENT.TBS
  • TROJ_SMALL.EGV
  • BKDR_DARKMOON.AC
  • TSPY_KEYLOG.CF
The following versions of Microsoft Word are vulnerable to this attack when running on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1:

  • Microsoft Word 2000 Service Pack 3
  • Microsoft Word 2002 Service Pack 3
  • Microsoft Word 2003 Service Pack 2
  • Microsoft Word 2003 Service Pack 3
  • Microsoft Word 2007
  • Microsoft Word 2007 Service Pack 1

On the other hand, systems running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not affected by this vulnerability, as they include a version of the Microsoft Jet Database Engine that is no longer vulnerable to this issue.

    More information regarding this vulnerability can be found on this advisory from Microsoft:

  • Microsoft Security Advisory (950627)

    The Microsoft Jet (Joint Engine Technology) Database Engine is the underlying building block of Microsoft’s databases (collections of information structured in a certain way), allowing the manipulation of relational databases via a single interface.

    Users are advised to keep their scan engines, applications and operating systems updated and to avoid opening attachments in unsolicited email messages.

     

    Mar27
    by Christopher Talampas (Fraud Analyst)

    Trend Micro’s Content Security Web Blocking Team has recently encountered attempts to phish the account information of users who subscribe to Google’s advertising platform, Google AdWords. The phishing email message appears to come from Google AdWords and tells the user to log on to AdWords and update their billing information, as shown in the image below:

    [Image: Google AdWords phishing email]

    It instructs the user to click a link which appears to be a legitimate Google AdWords link but actually leads to a malicious Web site. Account information entered by the unknowing user on the malicious Web site is then sent to an unauthorized party.

    This technique can trick most users into thinking that the URL shown in the message will connect them to the legitimate Web site. Furthermore, Google is generally known for its sparse, clean email and Web site interfaces, so this simple-looking email message can be quite convincing. Users who receive a message similar to the one above are advised to report it here.

     
    Posted in Phishing

    Mar26
    by Aivee Cortez (Fraud Analyst)

    The Web site of the Ministry of Finance in Brazil, Ministerio da Fazenda, has become the new target of the bad guys. The Trend Micro Content Security Team found a phishing email that purports to be a legitimate email from the said ministry.

    It asks recipients to confirm an income tax return that has supposedly not been delivered. Confirmation is done by clicking the hyperlink in the message, which leads to the URL hxxp://www.c3.hu/~vadkert//tagok/formulario.php. However, instead of displaying an ordinary phishing Web site, the link downloads a malicious executable file.

    The said file is already detected by Trend Micro as POSSIBLE_BANLD-1, while the malicious URL has already been added to the database and will be blocked by WCS.

    - Update: March 27, 2008 -

    TrendLabs engineers further analyzed the malicious site and found various malware being hosted on it, such as the following:

    • w.exe - detected as TSPY_AGENT.ALKZ
      (Note: The original file downloaded from the link is already detected as PE_PARITE.A)
    • formulario.exe - detected as TROJ_BANLOAD.CRZ
    • onnas.exe - detected as TSPY_BANCOS.AUE

    The file usersonline.txt, on the other hand, is a non-malicious file that contains IP addresses and ports which, based on analysis, are currently not available. Jose Lopez Tello, Trend Micro Virus Coordinator in Latin America, notes that it is not certain whether the IP addresses contained in the text file belong to online users or are just a fake list, but what is interesting is that all of the IPs are located in Brazil.

     

    Mar26
    by George Moore (Threats Analyst)

    Today, as the Mac user base grows larger, it becomes a larger target for malware than ever before. Earlier this year we saw a threat known as MacSweeper, the very first scareware application to target Mac users.

    Today in our labs we discovered iMunizator, a new variant of the MacSweeper threat. Changing the name and download location of the application gives the authors a chance to temporarily shed some of the bad reputation they have already earned on the Web. However, this new version is strikingly similar, down to the Web page layout they chose to use. Just look at the screenshots below:

    MacSweeper.com: Discovered winter of 2007/2008

    iMunizator.com: Discovered March 2008

    Previously, a Trojan known as Zlob/MediaCodec crossed over to the Mac platform while still targeting Windows users. We have also seen similar scareware applications, commonly known as rogue security applications, on Windows. These malicious business models have proven to make money for their owners on Windows, and it is no wonder they want to cash in on the rest of the users on the Web. It looks like the coming year will most likely get a little turbulent for Mac users.

     

    Mar23
    by Aileen Clemente (Technical Communications)

    [Image: eBay seller ratings]

    If you have ever bought or sold anything on eBay, you pretty much know how important seller ratings are. The general rating system is based on a one- to five-star scale and is determined by the people you have done transactions with. As is customary, five stars is the highest and one star the lowest. Since business is conducted anonymously, the buyer can only depend on these ratings to take the leap of faith of sending hard-earned money to a total stranger who is probably sitting halfway across the globe.

    Though eBay sites offer practical and legitimate tips on how to boost one’s seller ratings, it is not surprising that scheming sellers still look for an easy, albeit unfair, way of taking advantage of this rating system. After all, more stars virtually spell more sales.

    The Register recently reported a scripting trick employed by malicious sellers at eBay.co.uk, purportedly to boost their own seller ratings. An auction for a 2007 Range Rover Sport HSE, a four-wheel drive car usually valued at around 40,000 pounds, offers the vehicle at a curiously low 12,000 pounds. Apparently, the seller indicated on the main page (an online jewelry seller) has “PowerSeller” status, meaning he or she has met certain eBay standards including average sales requirements and, of course, the all-important honesty and timeliness.

    Playing on the natural interest of people, eBay customers in particular, in anything that looks like a bargain, the listing lures users into clicking on the auction, which brings them to what appears to be a regular item page. The first sign that something is fishy? A suspicious pop-up coming from a page in Russia.

    Further analysis showed that this apparently regular eBay page contains an embedded tag pointing to a Shockwave file, which in turn redirects the user to an .ASPX page in Russia. Further down in its root are two other .ASPX pages linking to already completed vehicle auctions. So just when buyers think they are dealing with a reputable seller, they are actually blindly doing business with sellers they cannot even identify.

    Currently, we can only guess whether this curious script serves purposes other than boosting those seller ratings. Trend Micro is of course conducting its own investigation of the dubious files. Updates will be posted on this blog as soon as more information is available.
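The deception in this post and the one in the Google AdWords phishing post above share a shape that a single HTML triage pass can catch: an anchor whose visible text names a legitimate site while its href goes elsewhere, and a page that embeds off-site active content such as a Shockwave file. The Python script below is an added example, not code from the original posts or from Trend Micro. The HTML samples are constructed, every host in them is a placeholder rather than an address from the posts, and the "same site" rule (same host or a subdomain of it, ignoring www.) is a simplification that ignores public suffixes.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Tags whose URL attribute loads executable or framed content into the page.
ACTIVE_TAGS = {"embed": "src", "object": "data", "iframe": "src", "script": "src"}
# Visible anchor text a reader would take for an address: "adwords.google.com", "https://.../Login".
URL_LIKE = re.compile(r"^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def _host(url: str) -> str:
    """Hostname of a URL; bare hostnames without a scheme are accepted too."""
    url = url.strip()
    parsed = urlparse(url)
    if not parsed.netloc:
        parsed = urlparse("http://" + url)
    return (parsed.hostname or "").lower()


def _strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def same_site(host: str, site: str) -> bool:
    """True when host is site itself or a subdomain of it (www. is ignored on both sides)."""
    host, site = _strip_www(host), _strip_www(site)
    return bool(host) and bool(site) and (host == site or host.endswith("." + site))


class _Collector(HTMLParser):
    """Gathers (href, visible text) for anchors and (tag, url) for active content."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[tuple] = []
        self.active: List[tuple] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag in ACTIVE_TAGS and a.get(ACTIVE_TAGS[tag]):
            self.active.append((tag, a[ACTIVE_TAGS[tag]]))
        elif tag == "param" and a.get("name", "").lower() == "movie" and a.get("value"):
            self.active.append(("param:movie", a["value"]))  # Flash movie declared inside <object>

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _parse(html: str) -> _Collector:
    collector = _Collector()
    collector.feed(html)
    collector.close()
    return collector


def find_deceptive_links(html: str) -> List[Dict]:
    """Anchors whose visible text names one site while the href goes to another."""
    findings = []
    for href, text in _parse(html).anchors:
        if not URL_LIKE.match(text):
            continue  # plain labels such as "Help Center" cannot be compared to the href
        shown, real = _host(text), _host(href)
        if real and not (same_site(real, shown) or same_site(shown, real)):
            findings.append({"shown_host": shown, "real_host": real, "href": href})
    return findings


def find_offsite_active_content(html: str, page_host: str) -> List[Dict]:
    """Embeds, objects, frames and scripts loaded from a site other than the page's own."""
    return [
        {"tag": tag, "url": url, "host": _host(url)}
        for tag, url in _parse(html).active
        if _host(url) and not same_site(_host(url), page_host)
    ]


# Constructed samples; every host below is a placeholder, not an address from the original posts.
SAMPLE_PHISH_MAIL = """
<p>Please log in at <a href="http://billing-update.example.net/adwords/">https://adwords.google.com/select/Login</a>
to update your billing information.</p>
<p>Questions? <a href="https://adwords.google.com/support">Help Center</a></p>
"""
SAMPLE_LISTING = """
<div class="item"><h1>2007 Range Rover Sport HSE</h1>
<img src="http://pics.ebay.co.uk/photo.jpg">
<embed src="http://media.example.org/promo.swf" type="application/x-shockwave-flash"></embed>
</div>
"""

if __name__ == "__main__":
    print(find_deceptive_links(SAMPLE_PHISH_MAIL))
    print(find_offsite_active_content(SAMPLE_LISTING, "ebay.co.uk"))
```

Run against a mail body, the first function flags the AdWords-style link because the text reads adwords.google.com while the href resolves to another host; run against a listing with the marketplace's own host as page_host, the second flags the embedded .swf as off-site while leaving on-site images and links alone.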

     
    Posted in Security


    © Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice