
    Archive for 2009




    We have received a lot of positive feedback for our three-part paper on KOOBFACE (I, II, III) from all parts of the IT industry, but now the malware authors themselves have chimed in.

    The KOOBFACE gang (who are attempting to make people believe that they are a legitimate company) have left a Christmas message on each of their infected hosts. Part of this message includes personal messages for several members of the security industry—ourselves included:

    Trend Micro (http://trendmicro.com), especially personal thanks to Jonell Baltazar, Joey Costoya, and Ryan Flores, who had released a very cool document (with three parts!) describing all our mistakes we’ve ever made

    This is not the first time cybercriminals have left messages for the security industry. In fact, we posted another blog entry on this last year.

    Nice to see we are causing these groups some annoyance, something we definitely plan to continue in 2010.

    Happy new year everyone!

     



    Trend Micro threat analysts were alerted to the discovery of several compromised websites into which a JavaScript had been inserted. The script is detected by Trend Micro as JS_AGENT.AOEQ. When executed, JS_AGENT.AOEQ uses a defer attribute, which delays the execution of its routine: redirecting the user to several malicious websites. The delay is intended to keep users from suspecting that they are already being infected. In addition, this malicious JS is hosted on PHP servers. When a user visits an infected website, it displays a white screen; viewing the page source, however, yields the following obfuscated code:

    [Figure: the obfuscated JavaScript as it appears in the source of a compromised page]

    Upon analysis, it was observed that the code (found on most infected sites) begins with “/*GNUGPL*/try{window.onload=function(){var” or “/*CODE1*/ try{window.onload = function(){va”.

    According to the Unmask Parasites blog, the cybercriminals behind this attack incorporated the names of certain legitimate sites such as Google, Bing, and WordPress, among others, into their code so that their URLs appear legitimate.
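    An added example (not Trend Micro's code) of how a site administrator could scan a page's own source for the injection described above. It flags inline scripts that open with the /*GNUGPL*/ or /*CODE1*/ marker and the try{window.onload=function() prologue, or that carry a defer attribute, which has no effect on an inline script and is therefore a tell-tale. The sample page is constructed.

```python
import re

# Patterns taken from the post: the injected block opens with one of these marker
# comments and a try{window.onload=function(){ prologue that defers the redirect.
MARKERS = ("/*GNUGPL*/", "/*CODE1*/")
PROLOGUE = re.compile(r"try\s*\{\s*window\.onload\s*=\s*function\s*\(\)")
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
DEFER_RE = re.compile(r"(?<![\w-])defer(?![\w-])", re.IGNORECASE)


def find_injected_scripts(html):
    """Return one reason string per inline script that matches the injection pattern."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        body = body.strip()
        if not body:                 # external (src=...) scripts are not inspected here
            continue
        reasons = []
        if body.startswith(MARKERS):
            reasons.append("opens with an injection marker comment")
        if PROLOGUE.search(body[:200]):
            reasons.append("try{window.onload=function() prologue")
        if DEFER_RE.search(attrs):   # defer does nothing on an inline script, so it is a tell-tale
            reasons.append("defer attribute on an inline script")
        if reasons:
            findings.append("; ".join(reasons))
    return findings


# Constructed sample page: one clean inline script and one injected block.
SAMPLE_PAGE = """<html><body><p>hello</p>
<script>function greet(){document.title='Hi';}</script>
<script defer>/*GNUGPL*/try{window.onload=function(){var u='...';}}catch(e){}</script>
</body></html>"""

if __name__ == "__main__":
    for reason in find_injected_scripts(SAMPLE_PAGE):
        print("suspicious inline script:", reason)
```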

    Trend Micro Smart Protection Network secures users from this attack by blocking all related malicious domains to prevent user access and, consequently, malware infection. It is, however, advisable for users to keep their systems up-to-date and for Web administrators to change their FTP credentials.

    Erratum: The compromised websites are running on PHP servers.

    Update as of January 5, 2010, 1:00 PM PST

    According to security specialist Noriaki Hayashi, since the redirections are controlled by the owners of the malicious Web servers, the final payload of the whole infection routine is that users are infected with either a FAKEAV variant (detected by Trend Micro as TROJ_FAKEAV.SMF) or a BREDOLAB variant (detected as TROJ_BREDLAB.SME).

     



    Spammers are clearly putting the holidays to good use, as they have made Christmas just another reason to spread malware.

    Trend Micro threat analysts recently received a spammed message purporting to come from 123greetings.com, a legitimate site that users can access to send e-cards to family and friends. The email message even sported the site’s logo (see Figure 1).

    [Figure 1: the spammed message bearing the 123greetings.com logo; Figure 2: the legitimate 123greetings.com site]

    However, upon further investigation of the spammed message’s header, we noticed that the sender’s IP address (see Figure 3) did not match that of the legitimate 123greetings.com site (see Figure 2).

    [Figure 3: the spammed message's header showing the sender's IP address]

    The spammed message urges the user to download and open the .ZIP file attachment (see Figure 4), which is actually an .EXE file detected by Trend Micro as WORM_PROLACO.Z (see Figure 5), in order to view the greeting card.

    In addition, according to 123greetings.com, the e-cards sent from the site are stored on 123greetings.com servers and so should not be attached to emails. In other words, to view e-cards sent from the site, users do not need to download anything.
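    An added example (not Trend Micro's tooling) of the two checks described above, applied to a raw message: the originating IP from the Received: hop nearest the sender is compared against the addresses the claimed sender domain is known to send from, and any .ZIP/.EXE attachment is flagged because genuine e-cards are viewed on the site. The message, host names and IPs are constructed, and the known-sender table is a placeholder (in practice it would come from the domain's published mail servers or SPF record).

```python
import re
from email import policy
from email.parser import BytesParser

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def originating_ip(msg):
    """IP of the hop closest to the sender, i.e. the last-listed Received: header."""
    for hop in reversed(msg.get_all("Received", [])):
        found = IP_RE.search(hop)
        if found:
            return found.group(1)
    return None

def check_ecard_mail(raw, known_senders):
    """Return findings for a raw message; an empty list means nothing anomalous."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    domain = msg["From"].addresses[0].addr_spec.rpartition("@")[2].lower()
    ip = originating_ip(msg)
    if ip and ip not in known_senders.get(domain, set()):
        findings.append(f"origin {ip} is not a known mail source for {domain}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".zip", ".exe")):
            findings.append(f"attachment {name}: genuine e-cards are viewed on the site, never attached")
    return findings

# Constructed sample: the Received: hop nearest the sender shows 203.0.113.77, made up here.
SAMPLE_MAIL = b"""Received: from mx.example.net ([192.0.2.10]) by inbox.example.org
Received: from spoofed-host ([203.0.113.77]) by mx.example.net
From: "123greetings" <ecards@123greetings.com>
Subject: You have received a greeting card
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Open the attached card to view your greeting.
--b1
Content-Type: application/zip; name="card.zip"
Content-Disposition: attachment; filename="card.zip"

(zip contents omitted in this constructed sample)
--b1--
"""
KNOWN_SENDERS = {"123greetings.com": {"198.51.100.5"}}  # placeholder, not the site's real IPs
```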

    To keep your system malware-free this festive season, do not open unsolicited email messages. Be smart: use an effective security suite.

    Smart Protection Network protects Trend Micro product users by blocking the spammed messages and related malicious files (WORM_PROLACO.Z).

     



    While scouting the Web for the latest threats, Trend Micro threat analysts stumbled upon FAKEAV variants riding on the impending eruption of the Mayon Volcano. Renowned for its “perfect cone” shape, the Mayon Volcano became one of the candidates for inclusion in the New 7 Wonders of Nature list. It is not surprising, therefore, that news of its impending eruption, during the Christmas holidays no less, will attract the attention of both curious onlookers and concerned individuals alike.

    Close on the heels of users seeking out news on the event, of course, are cybercriminals with their usual blackhat SEO tactics. Searching for news on the topic on Google using the string “Mayon Volcano eruption” may lead users to the malicious URL http://{BLOCKED}acsi.com/fgq.php?in=mayon%20volcano%20eruption. Clicking the link redirects users to the CNN homepage unless their browser has google.com as referrer, in which case, they are redirected to another malicious URL, http://{RANDOM}.xorg.pl. Afterward, they will again be redirected to any of the following URLs where FAKEAV variants are downloaded onto their systems:

    • http://{BLOCKED}can.com, which redirects to http://{BLOCKED}m.cn, where they will be prompted to download install14300.exe (detected by Trend Micro as TROJ_FAKEAV.MVE)
    • http://{BLOCKED}puter22.com, which redirects to http://{BLOCKED}omputer.com, where they will be prompted to download setup_build6_195.exe (detected as TROJ_FAKEAV.PTO)
    • http://{BLOCKED}antispywaresolutions.com where they will be prompted to download install.exe (detected as TROJ_FAKEAV.XMS)
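    An added example (not Trend Micro's tooling) of checking a suspected landing page for the referrer cloaking described above: the URL is followed hop by hop once without a referrer and once with a Google search referrer, and the two final destinations are compared. The HTTP client is stubbed with a constructed table that replays the redirect chain from this post, keeping the post's own {BLOCKED}/{RANDOM} placeholders; a real checker would wrap an HTTP client with automatic redirects disabled.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def follow_chain(url, referer, fetch):
    """Follow Location hops one at a time (no automatic redirects) and return every URL visited."""
    chain = [url]
    for _ in range(MAX_HOPS):
        status, location = fetch(chain[-1], referer)
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(location)
    return chain


def cloaking_report(url, fetch, search_referer="https://www.google.com/search?q=mayon+volcano+eruption"):
    """Compare where a direct visitor ends up with where a visitor arriving from Google ends up."""
    direct = follow_chain(url, None, fetch)
    via_search = follow_chain(url, search_referer, fetch)
    cloaked = urlsplit(direct[-1]).netloc != urlsplit(via_search[-1]).netloc
    return {"direct": direct, "via_search": via_search, "cloaked": cloaked}


# Constructed stub replaying the behaviour described in the post. Key: (url, came_from_google).
LANDING = "http://{BLOCKED}acsi.com/fgq.php?in=mayon%20volcano%20eruption"
CHAIN = {
    (LANDING, False): (302, "http://www.cnn.com/"),
    (LANDING, True): (302, "http://{RANDOM}.xorg.pl/"),
    ("http://{RANDOM}.xorg.pl/", True): (302, "http://{BLOCKED}can.com/"),
    ("http://{BLOCKED}can.com/", True): (302, "http://{BLOCKED}m.cn/install14300.exe"),
}


def stub_fetch(url, referer):
    """Stand-in for an HTTP client with redirects disabled; returns (status, Location header)."""
    host = urlsplit(referer).netloc if referer else ""
    from_google = host == "www.google.com" or host.endswith(".google.com")
    return CHAIN.get((url, from_google), (200, None))


if __name__ == "__main__":
    report = cloaking_report(LANDING, stub_fetch)
    print("direct visitor    :", " -> ".join(report["direct"]))
    print("from Google search:", " -> ".join(report["via_search"]))
    print("referrer cloaking :", report["cloaked"])
```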

    Smart Protection Network protects Trend Micro product users by preventing user access to the said malicious sites and by detecting and blocking the download of all related malicious files. As an added precaution, however, users are advised to rely only on trusted news sites for updates on the event.

     



    Cybercriminals have been found riding on Brittany Murphy’s sudden death to scare people into buying FAKEAV. Searching for keywords like “brittany murphy’s death” on Google resulted in at least two suspicious URLs:

    • http://{BLOCKED}erracing.net/vwb.php?sell=brittany%20murphy%20death
    • http://{BLOCKED}x.net/icd.php?go=brittany%20murphy%20death

    The spike in searches on Murphy’s death has become the theme for the latest blackhat search engine optimization (SEO) attack, which pushed malicious sites to redirect users to scareware portals. These portals have been injected with a malicious script detected by Trend Micro as HTML_FAKEAV.WAF.

    Users who click poisoned search results will be alerted to supposed malware infections via a fake message prompt, followed by bogus scanning results and another message prompting them to download a FAKEAV to rid their system of the infection.


    HTML_FAKEAV.WAF also accesses URLs (detected by Trend Micro as JS_RENOS.WCF) to download more malware and TROJ_KRAP.DAM (a damaged FAKEAV installer).

    Users are thus advised to rely only on trusted news sites for reports on Murphy’s death to prevent system infection. By now, they should have learned that cybercriminals often use celebrity deaths to further their malicious causes as shown in earlier blog posts:

    Trend Micro product users are protected from this threat by the Smart Protection Network, which blocks user access to related malicious sites and prevents the download of the malicious scripts.

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice