
Archive for June, 2008


Jun25
by Jovi Umawing (Technical Communications)

Photobucket, one of cyberspace’s more popular image-sharing Web sites, was attacked by the Turkish hacker group NetDevilz, as reported in forums, discussion boards, and security blog posts. The Register also reported on the attack.

Hackers were said to have used a Domain Name System (DNS) hijack that redirects anyone who accesses photobucket.com not to the legitimate page but to a greeting page from the attackers. A screenshot of that page can no longer be reproduced at this time, but one of the forum posters saved the text (originally in Turkish), as follows:

# NeTDevilz #
… and NeTDevilz is back on stage
Is there anyone who remembers us? We thought we had been forgotten and decided to
remind you again!
( Turkish hackers group )
ZeberuS - GeCeCi - MiLaNo - The_BeKiR - h4ckinger - SerSaK - KinSize
we are came back !
©2008 NetDevilz Co.
We’re not first,But We’re the BEST!

FierceCIO.com, an executive IT management briefing for CIOs and CTOs, gave this approximate translation of the core message:

“Is there anyone who remembers us? We thought you forgot us and we decided to remind you again.”

Although Photobucket.com is already back to normal, those concerned about this issue are still waiting for an update from its owners. As of this writing, there is no confirmation as to whether the image hosting site’s servers had indeed been hacked, and neither is there word as to the scope of damage. Users are left to content themselves with this response, which Photobucket posted in its own forum:

As to the motive, it seems that the Turkish hacker group was only out this time to carry out some good ol’ cyber vandalism (note that the attack seems to have been conducted against Photobucket’s servers, and not against users’ PCs, as some may think). The fact that the hacker group successfully infiltrated the image-sharing site’s servers is a neon warning sign that they can do more damage to the site, or to any site for that matter, than just place a plain old sign declaring their existence.

Perhaps it is a wise move to take this “threat-greeting” seriously. No one knows if these same perpetrators would be the group responsible for cooking up the next hottest security threat that can cripple a bigger chunk of cyberspace.

Almost two weeks ago, independent security researcher Dancho Danchev reported in his blog about an attack against ImageShack, a site similar in nature to Photobucket. Only this time, this second image-sharing site was attacked using typo squatting and users were redirected to sites that serve malware. More details from ZDNet here.

Below are some of the most notable DNS attacks on sites to date:


Jun25
by Roderick Ordoñez (Technical Communications)

We have been seeing a slew of spam bearing mismatched or unrelated subjects and message bodies similar to these:

Other subjects seen so far:

  • Hiliary admits past failures
  • Star Trek star dies at age 79
  • Find out about Harry Potter’s last novel
  • Turner Empire poised for bankruptcy file
  • Obama suffers setback in polls due to sex secrets
  • Nokia unveils revolutionary new phone design
  • Ford unveils latest 2 door design hatch
  • Italy knocked out of Euro 2008
  • Britney found hanged in locker room

Message bodies seen so far:

  • Lindsay Lohan converts to Islam, causes uproar
  • Heir to Prada empire found strangled
  • Don’t belittle the effects of power enlargement
  • Fantastic upgrade to your manhood available now
  • Try out the latest herbal solution that will make you a new superhero
  • Lindsay Lohan converts to Islam
  • Italy showed France the difference in length

The body text is followed by clickable URLs, similarly made up of irrelevant-sounding domain names, all ending in R.HTML. All R.HTML files lead to the download of the same malware, VIDEO.EXE (detected as TROJ_AGENT.ISU; the same file name was last seen in this spam run), via redirects, iframes and codec-style installation code found in r.html. Other recipients, however, are first redirected to hxxp:// 61.{BLOCKED}.{BLOCKED}.12/index.php and see a fake 404 page:

This path also ends in the download of TROJ_AGENT.ISU, though from hxxp:// 61.{BLOCKED}.{BLOCKED}.12 instead. In this case, the INDEX.PHP-generated pages use random variable names on each generated page, and the resulting Trojan installed on the system also has a random file name. TROJ_AGENT variants are small files that aid a main malware one way or another (by downloading the main malware file from the Internet, hiding it, or helping with its autostart technique).
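As an added illustration (not code from the original post), the delivery pattern described above can be matched in a mail gateway or log triage script: URLs whose landing page is named r.html, and index.php pages served straight from a bare IP address. The sample bodies and hosts below are constructed; the 192.0.2.12 address is a documentation placeholder, not the blocked address from the run.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample message bodies modelled on the spam run described above.
# Hosts are invented placeholders, not the actual domains or IP from the run.
SAMPLE_BODIES = [
    "Lindsay Lohan converts to Islam, causes uproar\nhttp://quietharborlanding.example/r.html",
    "Heir to Prada empire found strangled\nhttp://greenmillpaper.example/news/R.HTML",
    "Quarterly meeting moved to Thursday, agenda at http://intranet.example/agenda.html",
    "Video here: hxxp://192.0.2.12/index.php",
]

# Accepts defanged (hxxp) URLs as well, since triage notes are often written that way.
URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s<>\"']+", re.IGNORECASE)


def is_ipv4_host(host: str) -> bool:
    """True when the URL host is a bare IPv4 literal rather than a name."""
    try:
        return ip_address(host).version == 4
    except ValueError:
        return False


def suspicious_urls(body: str) -> list:
    """Return the URLs in `body` that match this run's delivery pattern, with reasons."""
    findings = []
    for raw in URL_RE.findall(body):
        url = re.sub(r"^hxxp", "http", raw, flags=re.IGNORECASE)  # undo defanging
        parts = urlsplit(url)
        path = parts.path.lower()
        reasons = []
        if path.endswith("/r.html"):
            reasons.append("landing page named r.html")
        if is_ipv4_host(parts.hostname or "") and path.endswith("/index.php"):
            reasons.append("index.php served from bare IP")
        if reasons:
            findings.append({"url": raw, "reasons": reasons})
    return findings


def triage(bodies):
    """Run the heuristic over a batch of message bodies; yields (index, finding) pairs."""
    return [(i, f) for i, body in enumerate(bodies) for f in suspicious_urls(body)]


if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_BODIES):
        print(idx, finding["url"], "->", "; ".join(finding["reasons"]))
```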

The spam-malware tandem is a common tactic, and most spam does lead to malware. Thus, the tried and tested method of not clicking on links sent through spam is highly effective in protecting your system, as is keeping one’s spam filter and antivirus up to date. Remember: links received in spam lead to malware and, ultimately, to disaster.

Malware writers never tire of using VIDEO.EXE as a file name for malware. Here are some posts of malware hiding under the said overused disguise:

Posted in Malware, Spam |

Jun25
by Jake Soriano (Technical Communications)

This new backdoor reminds everyone that, indeed, the myth that Mac is safe is, well, a myth.

Exploiting a vulnerability in a component of Apple Remote Desktop, this malware, detected by Trend Micro as BKDR_HOVDY.A, runs hidden on an affected operating system and allows a remote malicious user to escalate privileges to root. This backdoor can also perform the following functions, giving remote users complete control of an affected system:

  • Add a hidden admin user
  • Collect user account information on the affected system and send it to a remote user
  • Open ports in the firewall and turn off system logging
  • Enable personal Web sharing and open Web sharing ports in the firewall
  • Install and execute LogKext for its keylogging routine
  • Disable update-checking for the current user
  • Take pictures with the built-in Apple iSight camera and take screenshots

According to a Washington Post blog entry, this malware was developed by a group of hackers who named the code the AppleScript Trojan horse template. The malware writers discussed the code in a user forum on the Web site Macshadows.com, where talk of distributing the malware through peer-to-peer applications was also seen, as SecureMac reports. All content from that user forum has since been removed.

Upon installation, the backdoor attempts to exploit two vulnerabilities in Mac OS X in order to install itself without the user’s consent. Interestingly, one of the two vulnerabilities is a recently reported bug that has not yet been patched, while the other is quite old and has been patched by Apple since 2006. This suggests that malware authors are counting on both new and old bugs to get their malicious programs onto user systems.

The same Washington Post report also carried comments from someone reported to be one of the backdoor’s authors. He told the Washington Post that despite Apple’s declaration of OS X’s security, they fail to confirm their own statement themselves; thus users like him are left to find out for themselves whether it is true.

Users are advised to install critical patches upon release by Apple. And again, caution in downloading files always keeps malware away from systems.

Posted in Exploits, Malware |

Jun25
by Edgardo Diaz, Jr. (Threats Analyst)

We have discovered a new Adobe Reader/Acrobat exploit (detected since 24 June 2008 as TROJ_PIDIEF.AC) hosted on the following URL:

http://{BLOCKED}e-actions.com/secure.cgi?…

The vulnerability targeted by this Trojan causes Adobe Acrobat to execute arbitrary malicious code that downloads and executes a file found in:

http://{BLOCKED}e-actions.com/secure.cgi?…

The downloaded file is saved inside a temporary folder as Eyal.exe. Trend Micro detects this file as TROJ_DLOAD.BO. This Trojan modifies the current wallpaper of the infected user to:

Figure 4. Wallpaper modified by TROJ_DLOAD.BO.

Furthermore, TROJ_DLOAD.BO downloads screensavers that disable the Screensaver tab in the Display Properties of the compromised PC:

Figure 5. TROJ_DLOAD.BO disables the Screensaver tab normally found among the tabs under Display Properties.

TROJ_DLOAD.BO then displays random screensavers, some of which are shown below:

Figure 6. Sample screensaver 1

Figure 7. Sample screensaver 2

Figure 8. Sample screensaver 3

Figure 9. Sample screensaver 4

According to the Adobe Security Bulletin on this issue, the vulnerability exists in Adobe Reader 7.0.9 and earlier versions and 8.0 to 8.1.2, and in Adobe Acrobat 7.0.9 and earlier versions and 8.0 to 8.1.2. From our analysis, the exploit works on the lower versions but only causes 8.1.2 to crash.

We believe that this was not the first time this specific vulnerability was exploited. So far, we have two other reports of malicious PDFs that behave in somewhat the same manner as the exploit discussed here. They are TROJ_PIDIEF.NN (detected since 07 June 2008) and TROJ_PIDIEF.AE (detected since 24 June 2008).

As of the most recent testing, TROJ_PIDIEF.AC is observed to download an info-stealer (mostly monitoring and gathering information about running processes, installed programs and system information) and a spammer that connects the compromised PC to a botnet. The common danger faced by users who encounter downloaders is that you never really know what you are going to get. Since malware writers have continuous access to the URL, they can update the downloaded file with different or more damaging payloads. It thus becomes all the more important to employ a protection suite that cuts off infection at various points of the attack.

In this case, Trend Micro Smart Protection Network already blocks the malicious URLs and detects the file taking advantage of the critical vulnerability. Users are highly encouraged to update their scan engines and to immediately update their software once patches are available from the vendor.


Jun25
by Jake Soriano (Technical Communications)

Spammers were doing it before so it was also only a matter of time before phishers learned the trick and started doing it too. “Personalized” phishing emails, even with all the available social engineering techniques out there, are old, right? Now phishing emails in Yahoo! Groups, that’s new.

TrendLabs’ Content Security Team got hold of the following phishing email message:

Phishers appear to have sent this email through Yahoo! Groups via one of the standard posting methods: the Post Message feature on the Yahoo! Groups site, or an email to the group’s @yahoogroups.com address. Thus, users who receive this email from a Yahoo! Group (of which they are members) are likely to believe that it is legitimate.

The success of this phishing attempt further depends on how the group mailing list is actually moderated (there are settings that allow the moderator to approve all messages before they are sent out to members; see Yahoo! Groups spam abuse prevention features), and on the veracity of past emails sent to the same distribution list. All these efforts and clues are laid to waste, however, should the email come from a legitimate member whose PC is infected or bot-controlled, as is typical in spamming operations.

However, we detect this as a phishing attack because the link shown to the recipient is different from where the browser actually connects. Even more to the point, the URL leads to a page that steals user identities by gathering personal and sensitive information, such as phone numbers, PINs, passwords, account numbers and debit card numbers. This information is sent to the phishers, who may then use it themselves or sell it in underground forums to cybercriminals. A screenshot of the phishing page is found below.

Note that the legitimate URL of The Royal Bank of Scotland (rbs.co.uk) is different from the domain of the URL which opens to the above page (rtsrv.co.uk).
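The detection criterion used above (the link text shows one domain while the href points elsewhere) can be checked automatically in a mail filter. The following is an added example, not code from the original post: it parses anchor tags from a constructed message body, compares the registrable domain of the displayed text with that of the actual href, and flags the rbs.co.uk / rtsrv.co.uk mismatch. The small suffix set stands in for the public suffix list, which a production filter would use instead.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing-style body modelled on the case above. rbs.co.uk is the bank's
# genuine domain and rtsrv.co.uk the phishing domain, both named in the post.
SAMPLE_HTML = """
<p>Dear customer, please confirm your details at
<a href="http://rtsrv.co.uk/secure/login.php">https://www.rbs.co.uk/login</a></p>
<p>Or visit <a href="https://www.rbs.co.uk/help">www.rbs.co.uk/help</a></p>
<p><a href="http://rtsrv.co.uk/x">click here</a></p>
"""

# Stand-in for the public suffix list (assumption: enough for this example).
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """rbs.co.uk for www.rbs.co.uk; example.com for mail.example.com."""
    labels = host.lower().split(".")
    n = 3 if ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def host_of(text):
    """Host of a URL or bare 'host/path' string, or None if the text is not URL-like."""
    if not text or any(c.isspace() for c in text):
        return None
    host = urlsplit(text if "://" in text else "http://" + text).hostname
    return host if host and "." in host else None


def mismatched_links(html):
    """Anchors whose displayed domain differs from the domain the browser would open."""
    parser = LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and registrable_domain(shown) != registrable_domain(real):
            out.append({"shown": shown, "actual": real, "href": href})
    return out
```

Anchors whose visible text is not URL-like ("click here") are not judged by this check, since there is no displayed domain to compare; a filter would need a different rule for those.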

Trend Micro Smart Protection Network uses an integrated approach that protects users against online threats before users ever see them. It ensures that this phishing attempt does not reach Trend Micro users’ email inboxes, while blocking the malicious domain in case this phishing attempt slips through.

Moderators of Yahoo! Groups (but not only!) should take time to read about their options related to keeping their members safe from spam and phishing attempts (or even just off-topic emails) at the Yahoo! Groups FAQ on spam abuse prevention, and list management in general.

Thanks to Grace Ermitanyo, Anti-phishing Engineer, for the detailed analysis about this attack.

Posted in Phishing |


© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice