
Archive for April 2nd, 2008


Apr2
by Jake Soriano (Technical Communications)

Voice phishing is making some noise of late.

This technique — more popularly (and creatively) known as “vishing” — uses the all-too-familiar spammed email message as its initial bait. Trend Micro antispam researchers discovered the following messages, which once again use the IRS as a lure to get users to hand over sensitive information:

This time, however, the striking difference from past phishing emails is that instead of a malicious URL, the message contains a number that users are encouraged to call for information on possible “tax refunds.” An automated voice recording answers queries and asks callers for sensitive information: credit card and social security numbers, for instance.

The timing of this attack is no accident, as the deadline for filing taxes is nearing. Users may have learned not to trust unknown links; Trend Micro now advises users to be just as careful about disclosing information to unverified “customer service” numbers.

Posted in Phishing

Apr2
by Jasper Pimentel (Advanced Threats Researcher)

For those of you who have read last month’s malware roundup, Fidel Castro is still alive. Thanks to some malware authors, a spammed email message spread in the early weeks of March, claiming that the old Cuban leader had already passed away. As expected, the link present in the spammed email led to a malicious Web site and resulted in the download of TROJ_AGENT.LAM.

A lot of Web sites also got compromised last March, most of them belonging to educational institutions. We also saw the usual handful of reported malware, some of which had a significant impact, such as the samples behind the mass Web site compromises.

Notable Malware

JS_DLOADER.TZE, TROJ_AGENT.KAQ, TROJ_AGENT.TM
These three were responsible for a mass compromise of certain Web sites. On or around March 12, malicious scripts were inserted into a number of legitimate Web sites. The inserted script downloaded JS_DLOADER.TZE, which in turn downloaded TROJ_AGENT.KAQ and TROJ_AGENT.TM. The attack took advantage of a vulnerability in RealPlayer. The purpose of the attack was to obtain online gaming information, since several variants of notorious online game information stealers were found at the end of the download chain.

WINCE_INFOJACK.A
Early last March, a malware targeting Windows Mobile PocketPC devices was reported. Detected as WINCE_INFOJACK.A, this worm runs specifically in the Windows Mobile environment, leaves the phone open to other malware, and installs unsigned applications without the user’s consent. It also steals information such as the device IMEI or serial number, OS version, model, platform, and host name, among others, and sends it back to the malware author(s). In addition, WINCE_INFOJACK.A changes the security settings of the phone.

Exploits and Vulnerabilities

TROJ_EMBED.AA
Towards the end of March, targeted attacks were reported that involved an unpatched security flaw in Microsoft’s Jet Database Engine. The vulnerability is exploited through a specially crafted Microsoft Word document, detected by Trend Micro as TROJ_EMBED.AA. When the document is opened, the Word file launches a Microsoft Database (MDB) file, detected as TROJ_MSJET.C, which serves as a mail-merge data source. At this point the vulnerability is exploited, allowing the Word document to drop a malicious .EXE file on the affected system.

Trojanized Excel Files
Early last March, there were reports of Trojanized MS-Excel files being sent as email attachments. This was an attempt to compromise computers affected by a still-unpatched Microsoft Excel vulnerability, reported under CVE-2008-0081. The Trojanized Excel files are known to be capable of dropping and executing Windows binary executables on target machines.

CA Software Vulnerability
A zero-day exploit has been discovered — this time targeting an unpatched ActiveX vulnerability in the CA BrightStor ARCserve Backup product. Reportedly, this exploit code can be used to launch code execution attacks on notebook and desktop computers in businesses. The author has posted the exploit code for this vulnerability online. This discovery goes to show that even security products can be compromised, and that all users need to stay vigilant.

Web Incidents

For March, more than 10 Web threat incidents were reported. Almost all of the reported incidents involved legitimate Web sites that had been compromised to distribute malware. By Web site category, 28% of the reported incidents involved education Web sites.

That’s all for today. Yesterday we received some spammed email messages regarding April Fool’s Day. A simple prank or something sinister? More on this in next month’s malware roundup.

Posted in Security

Apr2
by JM Hipolito (Technical Communications)

A new kind of Web attack has emerged: JavaScript inserted into the Epilepsy Foundation Web site was used to display seizure-inducing images.

Wired.com has reported that the attack began on 22 March 2008, when attackers used a script to post hundreds of messages with flashing animated .GIFs on the nonprofit organization’s forum. Seemingly unsatisfied with this method, the perpetrators then changed tactics, creating a script that redirected users to a page containing more seizure-inducing images. This script was inserted into posts on the Web site and executed whenever a visitor clicked on those posts.

The images shown on affected pages were said to display a pattern of squares rapidly flashing in different colors. Images of this nature are known to trigger epileptic seizures and are banned from being shown publicly. A recent example is Gnarls Barkley’s music video, which was banned because of its potentially hazardous effects.

Evidence regarding the incident points to the online troublemakers collectively known as Anonymous, who previously waged war against the Church of Scientology. The group’s clash with the Church is said to have originated from the latter’s efforts to impose censorship on the Web.

Fortunately, users who visited the site while it was affected reported that the images did not cause them to have convulsions. They did, however, report unpleasant effects such as migraines. Few people have reported being affected by the attack, but the Epilepsy Foundation believes there may be more unreported cases.

With an attack that inflicted damage on a physical level to its victims, we can only conceive this sick ploy as its executors’ way to establish themselves as the troublemakers they really are.

Endangering the lives of innocent people reaching out to other people with a similar condition just to send a message — it is easily an all-time low for hackers.

Posted in News, Security

Apr2
by Ralph Hernandez (Fraud Analyst)

Trend Micro uncovered another phishing Web site that attempts to steal confidential credit card information.

Below is a screenshot of the Web site:

Phishing Web site screenshot

By manipulating the domain string, the site spoofs the official Web site of the Royal Bank of Canada. Note that the URL uses a variation on the real domain name (“banking” vs. “bank”) to trick users into believing it is the bank’s official Web site.

The spoofed URL masks the actual phishing URL by loading it as a frame source. That frame source URL is the page that gathers account-related information, such as credit card numbers and account passwords, from the affected users.

What is interesting about this phishing attack is that when the first frame source URL is blocked, a second frame source is used: the next time the phishing Web site is visited, it already points to another frame source URL. This is clearly a deliberate approach to circumventing URL blocking of phishing sites.
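The masking described above, as an added defender-side example (not code from the original post): it extracts every frame and iframe source from a fetched page, flags sources served from a different domain than the page itself, and flags the page host when it reuses the brand name without being the official domain. Because the frame source rotates once blocked, the look-alike outer domain is the stable indicator; the bank domain, brand token and sample HTML are constructed placeholders, not values from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholders (not from the original post): the genuine bank
# domain and the brand word a look-alike registration would reuse.
OFFICIAL_DOMAIN = "royalbank.example"
BRAND_TOKEN = "royalbank"

class FrameSourceExtractor(HTMLParser):
    """Collect the src attribute of every <frame> and <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def registrable_domain(host):
    """Crude last-two-labels approximation; adequate for the placeholder names here."""
    return ".".join(host.lower().split(".")[-2:])

def is_lookalike(host):
    """True when the host reuses the brand name but is not the official domain."""
    reg = registrable_domain(host)
    return BRAND_TOKEN in reg.replace("-", "") and reg != OFFICIAL_DOMAIN

def analyze_page(page_url, html):
    """Return (lookalike_flag, list of frame sources served from another domain)."""
    page_host = urlparse(page_url).hostname or ""
    parser = FrameSourceExtractor()
    parser.feed(html)
    external = []
    for src in parser.sources:
        host = urlparse(src).hostname or page_host  # relative src stays on the page host
        if registrable_domain(host) != registrable_domain(page_host):
            external.append(src)
    return is_lookalike(page_host), external

# Constructed sample: a "banking" look-alike whose single frame pulls the real
# credential form from a throwaway host, mirroring the rotation in the post.
SAMPLE_URL = "http://www.royalbanking.example/signin/"
SAMPLE_HTML = """<html><frameset rows="100%">
<frame src="http://203.0.113.7/rbc/login.php" name="main">
</frameset></html>"""

if __name__ == "__main__":
    print(analyze_page(SAMPLE_URL, SAMPLE_HTML))
```

Swapping the frame source for a fresh host, as the site did after blocking, changes only the second element of the result; the look-alike flag on the outer domain stays set.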

Furthermore, it was determined that the domain used by this phishing Web site was registered for just one year. Dubious indeed, considering that a supposedly legitimate bank Web site would hardly plan to operate for such a short time.

As of this writing, Trend Micro customers are protected from this phishing attack, with the said frame sources already blocked by our products, preventing them from redirecting unknowing users to other phishing Web sites.

Posted in Phishing

Apr2
by Jovi Umawing (Technical Communications)

Trend Micro has been documenting a number of threats employing old-school methodologies since September 2007, and the trend clearly suggests that malware authors are revisiting old tricks and old, still-unpatched flaws that they can exploit to their advantage.

Take for example the exploit for the Zenturi ProgramChecker vulnerability. Dating back to May 2007, as reported by Exploit Prevention Labs’ Roger Thompson in his blog, the vulnerability is a buffer overflow that can be exploited through a specially crafted HTML document, enabling a remote attacker to execute arbitrary code on vulnerable systems. Although the flaw was discovered almost a year ago, no patch has been released. More information and a workaround can be found in this advisory from US-CERT.

Trend Micro Security Researcher Joey Costoya reports that the exploit is available on the Web through an updated version of the exploit toolkit Neosploit. It is currently being sold for $1,500 by its author, who goes by the alias grabarz, as seen in this post in an underground forum:

[Screenshot: underground forum post advertising Neosploit]

“Neosploit is the exploit toolkit. Think of it as a delivery platform: the downloaded files are the payload, the delivered goods. The downloaded files are therefore decided by whoever sets up the exploit toolkit,” Costoya explains.

Investigations have revealed that the following sites in China are hosting the exploit:

  • http://{BLOCKED}tal.cn/top/count.php?o=13
  • http://{BLOCKED}rai.info/upd/1.exe
  • http://{BLOCKED}tal.cn/top/getexe.exe?o=13&t=1206046640&i=1173887221&e=1

Trend Micro detects the files downloaded from these sites as the following:

  • count.php-1 (13,242 Bytes) - JS_AGENT.IGF
  • 1.exe-1 (28,672 Bytes) - TROJ_BUZUS.BD
  • getexe.exe-2 (48,640 Bytes) - TROJ_AGENT.MUZ
  • get.exe-1 (48,653 Bytes) - copy of getexe.exe-2 with code errors

The aforementioned Web sites are now blocked by Trend Micro’s URL Filtering Service.

While users’ negligence in updating their systems is usually blamed in situations like this, it is also important to point out the developers’ responsibility to make patches available in a timely manner. Many attacks in the past have been made possible by old, known vulnerabilities that were left unpatched.

Posted in Security


© Copyright 2008 Trend Micro Inc. All rights reserved.