
Archive for July 24th, 2008


Jul 24
by JM Hipolito (Technical Communications)

Trend Micro recently discovered malware posing as the Trend Micro iClean tool being sent through email by Chinese hackers. This is a screenshot of the email message:


Figure 1. Spam email in Chinese looking very much like it came from Trend Micro.

The message was fashioned to look like one sent by Trend Micro and carries the file attachment iClean20.EXE.

But be warned: iClean20.EXE is detected by Trend Micro as TROJ_FAKECLEAN.A. TROJ_FAKECLEAN.A drops two files: one detected as BKDR_POISON.GO, the other the real iClean tool. Dropping the legitimate tool alongside the malware was most likely done to convince users that the message really was from Trend Micro and that the tool was the only file placed on their systems.

BKDR_POISON.GO opens a random port and allows a remote user to execute commands on the affected system.

The Trend Micro iClean tool is an application that combines Rootkit Buster and SICTool. Its main functions include:

  • Removal of common viruses and rootkit programs
  • IE cache folder clean-up
  • Temp folder clean-up
  • Collection of Trend Micro antivirus software virus logs
  • Collection of diagnostic information related to malicious code

The real Trend Micro iClean tool is available for download at the Trend Micro Taiwan site:


Figure 2. The real Trend Micro iClean tool at the Trend Micro Taiwan site.

Trend Micro will NEVER send tools or applications through email. Trend Micro advises users to be wary of opening and downloading attachments from unknown senders and to download tools or applications from trusted sites only.
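A mail-gateway check that enforces the rule above (vendors do not ship tools as email attachments), written as an added example for this post rather than Trend Micro's own code. The sample message, the extension list and the vendor domain list are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed: extensions a security vendor would never distribute by mail
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
EXECUTABLE_TYPES = ("application/x-msdownload", "application/x-dosexec")


def executable_attachments(msg: EmailMessage) -> list:
    """File names of attachments that look like Windows executables,
    judged by the declared name or by the declared MIME type."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(EXECUTABLE_EXTENSIONS) or part.get_content_type() in EXECUTABLE_TYPES:
            found.append(part.get_filename() or "<unnamed>")
    return found


def quarantine_reasons(raw: bytes, vendor_domains=("trendmicro.com",)) -> list:
    """Reasons to hold a message: any executable attachment, and additionally
    a sender address that claims a vendor domain while carrying one."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    exes = executable_attachments(msg)
    reasons = [f"executable attachment: {name}" for name in exes]
    if exes and any(domain == d or domain.endswith("." + d) for d in vendor_domains):
        reasons.append(f"sender claims vendor domain {domain} but vendors do not mail tools")
    return reasons


def build_sample(attach_exe: bool = True) -> bytes:
    """Constructed sample resembling the lure in the post (not the real mail)."""
    msg = EmailMessage()
    msg["From"] = "Trend Micro Support <support@trendmicro.com>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Trend Micro iClean tool"
    msg.set_content("Please run the attached cleaning tool.")
    if attach_exe:
        # Fake MZ header bytes; constructed, not malware
        msg.add_attachment(b"MZ\x90\x00constructed", maintype="application",
                           subtype="octet-stream", filename="iClean20.EXE")
    return msg.as_bytes()
```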

Posted in Spam

Jul 24
by Carolyn Guevarra (Technical Communications)

For the longest time now, Brazilian banking Web sites have been among the favorite targets of malware criminals out to steal sensitive banking information from users. These spyware Trojans usually arrive with spam emails that use various, and quite clever, social engineering techniques to trick users into divulging such data. From the latest headlines to sly imitations of legitimate Web sites, these BANKER authors never seem to run out of sneaky tactics for duping the Internet user.

One of the latest variants we’ve seen uses spam emails that supposedly come from one of Brazil’s Public Ministry offices. The email is a fake notice of hearing, summoning the recipient to appear at the office of the attorney general for an investigation.

The attached file is a RAR archive which, when opened, leads to the download of the files OUT.JPG and WDFMGR.JPG. Judging by their extensions these appear to be image files, but they are actually malicious executables, which Trend Micro detects as TSPY_BANKER.GRX. This spyware steals sensitive information when a user accesses PayPal and other online banking Web sites: it recreates the legitimate site with a spoofed login page whenever the user visits a banking site whose title bar contains any of the following strings:

  • BancoBrasil
  • Nossa Caixa
  • Pay - Microsoft Internet Explorer

Based on analysis, the spoofed login page is drawn over the login area of the legitimate Web site, at a fixed position, tricking the user into thinking it is part of the IE window. It steals information by logging the keystrokes the user enters in the user name and password fields of the spoofed page, and the gathered data is then sent to the malware author via email.

TSPY_BANKER.GRX is also able to send out spam. Instead of an email like the one above, however, it sends a fake e-card containing a link that downloads other banker spyware, such as TROJ_BANLOAD.EKG. These spam emails may carry any of the following subject lines:

  • Lembrei de Você
  • É só um simples cartão
  • Queria muito que você desse uma Olhadinha.
  • Eu mesmo que preparei.

Here’s a sample e-card that it sends out:

To date, data theft has reached an all-time high of 342 on the breach meter, growing to 69% in Q2 2008, according to the Identity Theft Resource Center (ITRC). Of that number, 80.7% were electronic data breaches such as this one. Unless people learn to be more alert and attentive to information theft attacks and to properly use security software to safeguard their systems, this number will continue to rise through the rest of 2008.

Posted in Malware, Spam

Jul 24
by Aljerro Gabon (Anti-spam Research Engineer)

Spammers have never balked at using Web forms as a way of sending out spam messages, anything to expose their wares. Basically, they look for a public Web server that lets visitors send feedback or information to a certain company. These Web forms require them to fill in fields such as names, phone numbers, email addresses, and, wait for it, even the message itself, which is where the spam goes. Even worse, spammers can also send image spam and/or infected files if the Web form has a field that allows file attachments. Once they fill in the form and submit it to the Web server, the designated recipients of the Web form output receive the spam.

Strictly speaking, what the recipients get is not spam email; it is another type of threat or annoyance delivered through a legitimate mechanism. Here is a sample Web form:


Figure 1. Web form allowing all sorts of input from site visitors

Here are two sample Web form feedback emails that carry spam content:


Figure 2. Sample email with spam content sent by the Web form feedback mechanism. Notice the active hyperlinks to spam sites and domains.


Figure 3. Another sample email with spam content

The likely victims here are employees of the target company, specifically the designated recipients of the Web form feedback. This looks like an automated attack by a bot that scours the Web for possible points of entry. Since the actual sender of such email is legitimate (the Web form’s feedback mechanism), some anti-spam filters may let it through.

Again, this is a reminder for Web admins to enforce some kind of input sanitization, at the very least disallowing scripts and HTML tags in Web form fields, or to use one of the many secure form-to-email scripts available online. Some of these require users to solve a CAPTCHA before the filled-in form can be submitted. Such proactive measures save admins both the time and the resources needed to sift through this kind of unsolicited and useless content.
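The sanitization step the paragraph recommends, shown as an added example of a form-to-email handler (not code from the post or from any named script): it strips script blocks and HTML tags, escapes the remainder so it can never render as markup in the recipient's mail client, and rejects submissions that carry hyperlinks or executable attachments. The policy constants and the sample submissions are constructed assumptions.

```python
import html
import re
from dataclasses import dataclass, field

# Assumed policy: a contact form has no legitimate reason to carry links or executables
MAX_LINKS = 0
BLOCKED_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)  # whole script blocks
TAG_RE = re.compile(r"<[^>]*>")                                    # any remaining tag
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)               # active hyperlinks


@dataclass
class FormVerdict:
    clean_fields: dict
    rejected: list = field(default_factory=list)
    accepted: bool = True


def sanitize_field(value: str) -> str:
    """Remove script blocks, then every HTML tag, then escape what is left."""
    without_scripts = SCRIPT_RE.sub("", value)
    without_tags = TAG_RE.sub("", without_scripts)
    return html.escape(without_tags, quote=True).strip()


def check_submission(fields: dict, attachment_names: list) -> FormVerdict:
    """Sanitize every field and decide whether the form may be relayed by mail."""
    verdict = FormVerdict(clean_fields={})
    for name, raw in fields.items():
        cleaned = sanitize_field(raw)
        verdict.clean_fields[name] = cleaned
        if len(URL_RE.findall(cleaned)) > MAX_LINKS:
            verdict.rejected.append(f"{name}: contains hyperlinks")
    for filename in attachment_names:
        if filename.lower().endswith(BLOCKED_EXTENSIONS):
            verdict.rejected.append(f"attachment {filename}: executable content not accepted")
    verdict.accepted = not verdict.rejected
    return verdict


# Constructed sample submissions, not taken from the post's screenshots
SAMPLE_SPAM = {
    "name": "Best Pills",
    "email": "promo@example.net",
    "message": '<script>alert(1)</script>Buy now at <a href="http://cheap.example/">http://cheap.example/</a>',
}
SAMPLE_LEGIT = {"name": "Ana", "email": "ana@example.org", "message": "Your product page shows a 404 for me."}
```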

Posted in Spam


© Copyright 2008 Trend Micro Inc. All rights reserved.