
Archive for April 8th, 2008


Apr8
by Paul Oliveria (Technical Communications)

Looks like the Storm gang (or at least the Russian/Ukrainian criminals behind it) is expanding its business.

Is it because of the “arrival” of Kraken, which, following the footsteps of MayDay and Mega-D, is challenging the said gang for the “Biggest Zombie Network” title? Whatever the case, only days after re-professing its love to unsuspecting users via blog pages, the Storm malware is at it again, this time posing as a video codec.

TrendLabs researchers discovered several sites that offer what looks like a YouTube look-alike streaming video. The infection vector and messaging are actually still the same, that is, users are most likely to reach this site via links on specially crafted, love-themed blogs. What is interesting this time is that on the said site, users are required to download the so-called Storm Codec in order to view the said video. Yes, you read that right: the codec is called Storm Codec. Below is a screenshot:

[Screenshot: Storm Codec]

Is that blatant enough?

Of course, the said “codec” is actually a NUWAR/Storm variant, which Trend Micro has detected as WORM_NUWAR.JQ since April 2.

If the social engineering tactic of using video codecs is familiar, it’s because it is — ZLOB Trojans became infamous because of it, after all (see some detailed analysis here). Thus, the Storm gang’s attempt to venture into the said codec “business” has our researchers speculating whether they are now in cahoots with the ZLOB authors, or whether they are trying to take over ZLOB’s niche, much like they did with STRATION when the two first started battling it out in late 2006. Or maybe the gang is just trying to reaffirm to their competition that they’re still the one to beat.

In the end, though, it’s still the unsuspecting users who become collateral damage in all this brouhaha. Users are thus advised to be wary when visiting Web sites or blogs, especially those that require the installation or execution of files. Videos posted online almost never require a separate codec download anymore; a site that did would lose the much coveted traffic to other sites (YouTube, anyone?). Come to think of it, if someone really loves a person that much, he or she won’t make that person go through all the trouble of finding the appropriate codec, right?


Apr8
by Paul Ferguson (Advanced Threats Researcher)

As readers of this blog may recall, I’ve written about SCADA issues in the past, but one issue that I’ve consistently tried to emphasize is that critical control systems should never, ever interact nor interconnect with Internet systems in any way, shape, or form.

There’s a good reason for this, and it’s always been referred to as the “Air Gap” Principle.

But as I also noted previously, companies make business decisions that favor cost savings over systems security on a regular basis.

Recent news reports from Australia indicate that Energy Australia will be deploying “smart” metering devices which use Wi-Fi communications to collect consumer energy consumption statistics.

Now, this is not to single out this particular company, but the opportunity presents itself for commentary. There are energy companies in the United States and elsewhere which are making similar business decisions regarding their service infrastructure, and it is somewhat troubling.

According to an article in itWorldCanada, “…The system will transmit power usage and maintenance data from two million digital smart meters across the states of New South Wales and Queensland to a central database over a Wi-Fi and fiber-optic network.”

Notwithstanding the business issues involved, or second-guessing Energy Australia’s assessment of the cost-benefit analysis of this decision, it nonetheless raises some serious security questions with regard to the possibility of denial-of-service attacks, or complete compromise of an associated system (it does happen, and has been documented on several occasions).

The “Air Gap” principle exists for a reason — real security segmentation. Without proper segmentation, you basically add risk enormously: your exposure to unauthorized access or other cyber shenanigans grows with every interconnection. I cannot stress this issue enough.

When you cut corners in the name of cost savings, you will inevitably be victimized by the fickle finger of fate, as the saying goes.

I’m a little unnerved to realize that the systems which deliver my electricity, gas, water, and other basic services are making some very risky decisions when it comes to their infrastructure.

You should probably be worried too. Maybe a little bit. Maybe a lot.

“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research


Posted in Security

Apr8
by Paul Ferguson (Advanced Threats Researcher)

As expected, cyber criminals have renewed their illicit campaigns to bilk consumers of their money, and also to infect them with malware intended to perpetrate identity theft. This sort of effort to fraudulently victimize consumers during the rush up to the filing deadline (April 15th) of the U.S. tax season shows up every year at this time, but the social engineering and sophistication continually evolve to ensnare as many victims as possible.

This year is no exception.

Earlier today, Trend Micro researchers began to receive reports of a new spam campaign specifically targeted at high-profile companies — some of them Fortune 500 companies and U.S. Defense contractors — which would indicate that financial fraud is not the only intended goal of these criminals. Given their targets, they are possibly also looking to infiltrate high-profile companies for other, perhaps more insidious, reasons.

The malicious spam messages all look similar to the image above, and all have subject lines that are identical in format, yet crafted for each individual company:

“Re:tax contract for [company name], Inc.”

The MS Word attachment harbors a Trojan (which Trend Micro will detect as TROJ_DELF.HAV), and if opened, tells the user that “…Microsoft Word has encountered an error and needs to close. Please double click the icon to reload…” — which launches the Trojan.

Internet users are reminded that they should NEVER open unsolicited e-mail attachments, especially involving tax issues, and especially during tax season. These types of ploys are always malicious, and can only lead to some very bad experiences.

“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research


Posted in Security

Apr8
by Jake Soriano (Technical Communications)

What is that old cliché about publicity now? The essence seems to be that all publicity, whether positive or negative, is good — good for celebrities but a different thing altogether for Web users, as gossip could lead them to malware.

TrendLabs reported two months ago on a malware operation that took advantage of Yahoo!’s redirection services and pointed users to malicious Web sites. The social engineering lure was the center of gossip at the time: Britney Spears.

The tactic has not waned: even now, celebrities are still being used to lure users to malicious sites, where malware is downloaded onto their systems. The following is a screenshot of a spammed email message with a malicious link that would look irresistible to those interested in celebrity gossip:

Britney Spears has this time been replaced with another media hound: Nicole Richie. The subject of the spammed mail promises users a pornographic video supposedly featuring Richie. The observant would notice, however, that the details in the email mention another celebrity: Penelope Cruz. While Cruz is not really in the same league as Britney and Nicole, the supposed graphic content of the “video” in the email would still make her effective bait for those who might want to “see and find out.”

Users who click the link are redirected to this Web page:

A video would seem to be downloading here, but this screen in fact just delays the user’s discovery of the malware infection. Trend Micro is still analyzing the malware involved in this spamming activity. Users are again advised not to let curiosity get the best of them.


Posted in Spam

Apr8
by Aileen Clemente (Technical Communications)

Who doesn’t love getting freebies when purchasing a brand-new electronic device? However, it’s another story altogether if the freebie is pre-installed malware.

HP Australia has recently warned the public about an undisclosed number of 256 MB and 1 GB USB keys, shipped with some of its ProLiant line of servers, that come infected with the Fakerecy and SillyFDC malware, which could be transmitted onto the system once the keys are plugged in. These USB keys are meant to be used by those who want to install optional floppy-disk drives in their servers. The malware bears file names that could be mistaken for legitimate system files (such as WinUpdter and ctfmon). They are detected by Trend Micro as WORM_AUTORUN.AZB and WORM_VB.BDN.

Although HP and even the Australian Computer Emergency Response Team (AusCERT) assure the public that this is a low-level threat, given the purpose of the USB keys and the capabilities of the malware, this incident once more highlights the growing use of USB devices as carriers of undesirable applications. Earlier in the year, a batch of China-made media players called Victory LT-200 was shipped with a file infector.

To be safe, it is best to check even brand-new USB devices for potential infections by scanning them with up-to-date antimalware software before accessing any of their contents. As Forrest Gump was known to have said, “Life is like a box of chocolates, you never know what you’re gonna get.” I guess these days, that goes for USB drives, too.


Posted in Malware, News


© Copyright 2008 Trend Micro Inc. All rights reserved.