
Archive for April 21st, 2008


Apr21
by Jovi Umawing (Technical Communications)

Late last week, Trend Micro Senior Threat Researcher Paul Ferguson reported a Web site compromised by a malicious JavaScript that links users to a known Graphical Device Interface (GDI) exploit.

You may recall that this critical exploit gives a remote attacker complete control over a vulnerable system once a specially crafted .EMF or .WMF image file is rendered. The compromised site is the official Web site of the Tibetan government in exile.

Visitors to that site would unwittingly download an embedded malicious JavaScript:

    http://www.tibet.com/{BLOCKED}/tibet.js

A closer look at the script reveals that it refers to the following sites, which contain iframe tags pointing to malware files and the GDI exploit:

  • http://ad.{BLOCKED}.googlepages.com/ad02.jpg - the GDI/WMF exploit file, which Trend Micro detects as HTML_EXP.AZ
  • http://ad.{BLOCKED}.googlepages.com/rm03.html - the obfuscated JS file, which is detected as HTML_EXP.AA
  • http://ad.{BLOCKED}.googlepages.com/142.htm - the obfuscated Visual Basic (VB) script, which is detected as VBS_VBSWGBASE.BH

Trend Micro detects the JS file, tibet.js, as HTML_IFRAME.OB.
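As an added defender-side check (not code from the post or from Trend Micro), the script below scans a page's served or rendered HTML for script and iframe sources that load from a host other than the site's own, and for 0x0 iframes, the pattern used above to pull in the GDI exploit; the hostnames in the embedded sample are constructed placeholders.

```python
"""Flag script/iframe references a site owner would not expect in their own HTML.
Added example, not code from the post or Trend Micro; sample hostnames are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []  # (tag, attrs) for every script and iframe start tag

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.tags.append((tag, dict(attrs)))


def _is_hidden(attrs):
    """True for a frame given zero width or height, a common way to hide it."""
    return any(str(attrs.get(k, "")).strip() in ("0", "0px") for k in ("width", "height"))


def suspicious_refs(page_url, html):
    """Return (tag, absolute_src, reason) triples worth reviewing on your own site."""
    site_host = urlsplit(page_url).hostname
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, attrs in collector.tags:
        src = attrs.get("src")
        if not src:
            continue  # inline script or src-less frame: nothing to resolve
        absolute = urljoin(page_url, src)  # relative paths resolve to the site itself
        reasons = []
        if urlsplit(absolute).hostname != site_host:
            reasons.append("off-origin")
        if tag == "iframe" and _is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append((tag, absolute, ", ".join(reasons)))
    return findings


# Constructed sample: legitimate same-host assets beside two injected 0x0 iframes
# that pull content from an unrelated host, as in the compromise above.
SAMPLE_HTML = """<html><body>
<script src="/js/menu.js"></script>
<iframe src="http://ad.example-attacker.invalid/rm03.html" width="0" height="0"></iframe>
<iframe src="http://ad.example-attacker.invalid/ad02.jpg" width=0 height=0></iframe>
<iframe src="/news/frame.html"></iframe>
</body></html>"""
```

A same-host injected script (as tibet.js was on the compromised site) is not caught by the origin check alone, so pair this with an integrity comparison of your own static files.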

Obviously, cyber criminals still find issues concerning Tibet, China, and the Olympics to be hot topics. TrendLabs has documented a couple of such occurrences here and here.

One may take this as just another case of one party going head-to-head with an opposing party using malware. It is easy to point to hacktivists with political agendas, as news surfaced during the weekend of Chinese hackers supposedly launching a distributed denial-of-service attack. The attack was in protest against CNN coverage deemed “pro-Tibet,” but the said attack never transpired. Anti-CNN.com, a Chinese Web site created solely to expose the Western news company’s “biases,” urged street protests in European countries.

Though no proof was established of a connection between the anti-CNN movement and the supposed hacking incident, a team that had been investigating Chinese hackers believed that the online attacks were meant to go hand-in-hand with the street protests. Think of it as a synchronized protest in the real and digital worlds. CNN has already released a statement regarding its Tibet coverage.

Chinese hackers did, however, manage to disrupt the SportsNetwork Web site, as reported here on TechCrunch.

Keep patches up to date to protect your systems from being exploited. At the same time, Trend Micro implores users to regularly update pattern files for improved system protection. Note that all related malicious Web sites are already blocked by the Content Security Team.


Apr21
by Alice Decker (Advanced Threats Researcher)

Do you know the story where a human and a monkey lived in two rooms separated by a single door?

The first part of the story says that after a while in that room, the human started to get curious and decided to find out what was happening behind the door. As the human peeked through the keyhole, what he saw was another eye, which apparently was the monkey’s.

Cyber criminals can use the simplest of methods for maximum yield simply by exploiting human curiosity. How?

The first step is to send a spam email message, which is supposedly sent through well-known botnet infrastructure.

The message above was sent in German but could be sent in any language. In English, it reads: “With our completely free service, you can find out whoever blocked you in MSN or deleted.”

The link opens a Web site that invites the user to use the free service to check the validity of his MSN account.

All the user has to do here is “peek through the keyhole” by typing the MSN account name and the correct password to find out whether the account is “indeed blacklisted.” Of course, no answer comes back. What happens then?

If the data entered in these fields is valid, the user could be considered an accomplice in the next criminal actions carried out by the users of the engellembul@gmail.com mailbox, the mailbox where the data is sent.

This gives cyber criminals free rein to use their unlawfully acquired data in any of their illicit activities. The hijacked MSN account can be used to send out spam and to distribute malware both through email and through the instant messaging application, MSN Messenger. Apart from this, the unauthorized user will have access to the mailbox and can gather personal data about the affected user.


Apr21
by Eduardo Godinho (Threats Analyst)

This week, we received some reports related to a new malware attack that exploits a tragedy that happened early this month: a five-year-old child was thrown out of a window. The police are investigating the tragedy, and the latest reports say that all the evidence points to the parents as the ones responsible.

Hackers sent the spammed email message below, in which they promise a video with new and exclusive information regarding the case, including findings about who the suspects are.

Figure 1: Email message promising to reveal the responsible parties of the murder

The link in the mail has an obscured address (hxxp://83.x.x.136/terranoticias/index.html) that leads to a fake page imitating a large, legitimate ISP in Brazil (Terra Networks):

Figure 2: Fake page from a Legitimate Brazilian ISP

After the user clicks the link promising the video, the browser instead tries to download the file verdade.com.

Figure 3: Download dialog box

This file is detected by Trend Micro as TROJ_BANLOAD.EOZ. Users who have Trend Micro protection have been safe from this threat from the beginning, as Web Reputation Services (WRS) proactively recognizes the fake Web site.



© Copyright 2008 Trend Micro Inc. All rights reserved.