    Trend Micro Malware Blog

    Archive for January, 2009




    The purpose of embassies as a diplomatic channel is continuously being tainted by cybercriminals. Initially reported by researcher Dancho Danchev in his blog, the Indian Embassy in Spain was found serving malware through an injected malicious iFrame.

    The said malicious injected iFrame leads to a file detected by Trend Micro as BKDR_TDSS.CG. Trend Micro researchers are currently analyzing the file to identify its routines.

    Investigations by Trend Micro researchers also reveal that, aside from the malicious iFrame, a separate and much larger block of code was inserted into the embassy’s website. Numerous <div> tags were found in the site, with headers containing links to various websites. These headers are hidden from unsuspecting visitors, though, since the code sets the header size too small to be visible.


    Figure 1. Screenshot of code found inserted into the Indian Embassy website
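The hidden-header injection described above can be spotted from the HTML alone: a container styled so it cannot be seen, yet full of outbound links. The script below is an added example written for this page (not code from the original post or from Trend Micro) that flags anchors sitting inside elements whose inline style hides them. The sample page and the hostnames in it are constructed for the example; the set of hiding styles checked is an assumed, deliberately small list.

```python
"""Flag links that sit inside elements hidden by inline style (link-spam injection)."""
import re
from html.parser import HTMLParser

# Inline-style fragments that make an element effectively invisible to a visitor.
# Assumed minimal list for this example; real scanners also evaluate stylesheets.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*(?:0|1px)\s*(?:;|$)"
    r"|(?:height|width)\s*:\s*[01]px\b",
    re.I,
)

# Elements whose style we inspect: block containers and the headers named in the post.
CONTAINER_TAGS = {"div", "span", "p", "h1", "h2", "h3", "h4", "h5", "h6"}


class HiddenLinkFinder(HTMLParser):
    """Track open elements; record every href reached while inside a hidden one."""

    def __init__(self):
        super().__init__()
        self.stack = []        # (tag, hidden) for each open element
        self.hidden_depth = 0  # > 0 while at least one enclosing element is hidden
        self.findings = []     # hrefs found inside hidden containers, in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = tag in CONTAINER_TAGS and bool(HIDING_STYLE.search(a.get("style") or ""))
        if hidden:
            self.hidden_depth += 1
        self.stack.append((tag, hidden))
        if tag == "a" and self.hidden_depth > 0 and a.get("href"):
            self.findings.append(a["href"])

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed void elements.
        if not any(t == tag for t, _ in self.stack):
            return
        while self.stack:
            t, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if t == tag:
                break


def find_hidden_links(html):
    """Return the hrefs of all links placed inside hidden containers."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    return parser.findings


# Constructed sample page: one visible menu plus two injected, invisible link blocks.
SAMPLE_PAGE = """
<html><body>
<h1>Embassy of India</h1>
<p>Welcome. <a href="/visa">Visa services</a></p>
<div style="height:1px;overflow:hidden">
  <h2 style="font-size:0">cheap pills</h2>
  <a href="http://pharma.example/">buy now</a>
  <a href="http://watches.example/">replica</a>
</div>
<div style="display:none"><a href="http://casino.example/">casino</a></div>
<div><a href="/contact">Contact</a></div>
</body></html>
"""

if __name__ == "__main__":
    for href in find_hidden_links(SAMPLE_PAGE):
        print("hidden link:", href)
```

Run it over a saved copy of a page; anything it prints deserves a look, since legitimate pages rarely need invisible outbound links.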

    Further analysis also suggests that the Indian Embassy website isn’t the only one injected with the code, pointing to the possibility of a massive and global code injection attack. The set of injected code was also reported to change from time to time.

    Trend Micro Advanced Threats Analyst Ryan Flores also revealed that there is inserted code in the compromised websites that injects pages that look like blog entries into the compromised sites’ domain. The inserted pages contain various pharmaceutical-related content. Flores then states that this is possibly an SEO poisoning scheme, or a plot to use the legitimate domains of the compromised websites to evade spam filters.


    Figure 2. Inserted pharma blog entries in one of the compromised websites

    Though no trace of malware was found in the other links, Trend Micro Antivirus Engineer Edgardo Diaz, Jr. suggests that this is possibly an advertisement scam or a massive malware attack in its early stage. This would also explain why parts of this threat do not appear to be fully functional. He warns, though, that since the website is already compromised, it’s just a matter of modifying the tags to turn the seemingly “non-malicious” injection of code into a full-blown malware attack.

    Updated 5:49 PM: BKDR_TDSS.CG drops a rootkit that is then injected into SVCHOST.EXE. While injected, the rootkit attempts to connect to several websites to send and receive information.

    Updated February 1, 2009: At this time, BKDR_TDSS.CG is also downloading an encrypted configuration file. Once decrypted, this file appears to contain commands to download other DLL files and an updated copy of TDSSserv.sys, load certain modules from the DLL files, upload log files (which contain error logs, process lists, and OS details), display popup ads, prevent security software from running, and set command delays. While the content of the files at the download URLs is not the same every time, this backdoor keeps cycling through the list of URLs even after completing its routine, so it may eventually reach all the URLs (except, of course, the currently inaccessible ones) it needs to achieve all of the functionalities mentioned.




    Parts 1 and 2 happened in succession in November two years ago: the open redirection services of Google and AOL were used by spammers to trick unknowing email recipients into clicking links which led them to different websites. This sequel’s celebrity is Yahoo!:



    Figures 1 & 2. Sample spam.

    The sample spammed messages above contain links with the string search.yahoo.com, which may convince users that the site is legitimate or trusted. They are led to sites (an example is shown below) which, true enough, sell replica watches and other cheap products.


    Figure 3. This website offers cheap replica watches.

    These sites have been created just this month, and they share a single IP address. Similar to the old Google and AOL incidents, spammers took advantage of open redirection functionality, which search engines use to redirect users to target websites automatically. Users need only enter a URL or a string that is predictably related, even if not exactly, to the site they are looking for, and they are immediately led to it without having to see a results page.

    The links given in the email messages in this attack look as though Yahoo! itself yielded the results, but spammers were able to fiddle with search results and obfuscate the URLs to add credibility to the sites they are advertising.

    Given the two-year time difference between the earlier two spamming operations and this current one, it seems clear that this technique still works for spammers. Other than adding site credibility, spammed messages are also able to evade filters because the links inside them appear legitimate. This kind of search engine exploitation is considered to be blackhat SEO (Search Engine Optimization) practice.
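A mail filter can undo this trick by looking past the visible host: a redirector link carries its real destination inside the URL, so the filter parses each link, extracts any absolute URL smuggled in its query string or path, and compares that host's site with the link's own. The script below is an added example for this page (not code from the original post or from Trend Micro). The sample message and hostnames are constructed, and the `u=` parameter is an assumed redirector format, not Yahoo!'s actual one; the registrable-domain helper is a crude stand-in for a public suffix list.

```python
"""Find links in a message whose query string redirects to a different site."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registrable_domain(host):
    """Crude eTLD+1: last two labels, or last three for two-letter ccTLDs with a
    short second-level label (co.uk, gov.ml). Use a public suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-2]) <= 3 and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def embedded_targets(url):
    """Return hosts of absolute URLs carried inside *url* that belong to a
    different site than the link itself (the open-redirect signature)."""
    parts = urlsplit(url)
    link_domain = registrable_domain(parts.hostname or "")
    # Decoded query values, plus any URL written straight into the path.
    candidates = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    candidates += URL_RE.findall(unquote(parts.path))
    targets = []
    for value in candidates:
        inner = urlsplit(value)
        if inner.scheme in ("http", "https") and inner.hostname:
            if registrable_domain(inner.hostname) != link_domain:
                targets.append(inner.hostname)
    return targets


def suspicious_links(message):
    """Map each link in *message* to the off-site hosts it would redirect to."""
    report = {}
    for url in URL_RE.findall(message):
        hosts = embedded_targets(url)
        if hosts:
            report[url] = hosts
    return report


# Constructed sample: one redirector link to an off-site shop, one harmless relative
# "next" parameter, and one redirector whose target stays on the same site.
SAMPLE_MAIL = """Subject: Luxury watches for Valentine's Day
Shop now at http://search.yahoo.com/search?p=watches&u=http%3A%2F%2Fwatches.example%2Fshop
Read our policy at https://www.example.org/policy?next=/account
Still on site: https://search.yahoo.com/search?p=gifts&u=https%3A%2F%2Fwww.yahoo.com%2F
"""

if __name__ == "__main__":
    for link, hosts in suspicious_links(SAMPLE_MAIL).items():
        print(f"{link}\n  -> really leads to {', '.join(hosts)}")
```

Only the first link is reported: its visible host is a search engine but the decoded `u` value points at watches.example. The reputation check should then be run against the embedded host, not the redirector.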

    The timing of this run may also be related to the upcoming Valentine’s Day as more users are expected to purchase presents online. The malware family WALEDAC was first to take advantage of this said event, sending fake ecards that led to malware.

    The Trend Micro Smart Protection Network already blocks these spammed messages.

    Posted in Spam



    Using holidays and popular annual events as a social engineering lure in spam is a signature Storm technique. The following spammed email message should then cement WALEDAC’s association with the said bot giant.


    Figure 1. Spammed Valentine’s greetings.

    These messages flood inboxes weeks before Valentine’s Day, also typical of previous Storm spam runs. Clicking on the link redirects the user to a site with heart images. When this page is clicked, the user is prompted to download a file, malicious of course, detected by Trend Micro as WORM_WALEDAC.AR.


    Figures 2 & 3. The link in the email leads to malware.

    WORM_WALEDAC.AR propagates by spamming email messages with malicious links where copies of the same worm are downloaded. Like other WALEDAC variants, it compromises the security of infected systems by opening random ports to listen for commands from a remote user.

    Earlier threats from this same malware family exhibit routines and characteristics very similar to Storm. Besides the social engineering techniques used in email, the following are the similar methods applied by this worm family:

    • Fast-flux networks and several different name servers used per domain
    • File names ecard.exe and postcard.exe
    • In some instances, the installation of rogue antispyware

    The Trend Micro Smart Protection Network blocks the email messages spammed by this worm, and detects the worm itself so that it can no longer run on affected systems. Users should be careful in clicking links in spammed messages and in downloading files from unknown websites.

    Posted in Security



    Trend Micro researchers last week discovered yet another government web compromise — this time using a domain owned by the Republic of Mali government.

    The attack strategy here is not even that notable, given that we continue to see websites of all kinds being victimized by cyber criminals for all sorts of malicious means.

    The legitimate website, which uses the domain essor.gov.ml, normally looks like this:


    Figure 1. Legitimate website.

    Cyber criminals were able to compromise the Mali website and, by creating an additional HTML page on a subdomain, insert the following PayPal phishing page:


    Figure 2. Phishing website.

    The motivation for cybercriminals in this operation does not appear to be directly targeting Mali users and luring them into keying in their credentials on the phishing page. The advantage for the phishers is the free domain — free for them, at least, since the Mali government owns it and pays for it.

    The bigger and more important implication this threat highlights is the continuing security problem of government-owned pages. The threat described above shows the relative ease with which criminals are able to compromise these sites for their own gains.

    Online security may not be a priority for governments when they set up these pages, but incidents like this, and possible future losses (think medical records and social security records) should be a warning to take Web site security seriously.

    Users are warned to be careful of bogus and malicious pages, and to make sure that what’s in the address bar is the right domain name of the site they are accessing. The URL of the Mali website meanwhile is being blocked by Trend Micro Smart Protection Network until it is cleaned.
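The advice to check the address bar fails when the check is done by substring: a PayPal page hosted on a hijacked government subdomain, or a look-alike host such as www.paypal.com.account-verify.example, both contain "paypal.com". The script below is an added example for this page (not code from the original post or from Trend Micro) that contrasts that mistake with a host check requiring the hostname to equal, or be a subdomain of, one of the brand's known domains. The brand domain list and the sample URLs are constructed for the example; essor.gov.ml is the domain named in the post.

```python
"""Decide whether a URL's host really belongs to the brand it claims to be."""
from urllib.parse import urlsplit

# Legitimate domains per brand. Assumed list for this example; a real deployment
# would maintain it from the brand's published information.
KNOWN_DOMAINS = {"paypal": ("paypal.com",)}


def host_belongs_to(host, domains):
    """True only when host == d or host ends with '.' + d for some known domain d.
    This rejects both 'paypal.com.evil.example' and 'notpaypal.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def naive_check(url, brand):
    """The mistake: a substring test passes whenever 'paypal.com' appears anywhere."""
    return any(d in url for d in KNOWN_DOMAINS[brand])


def strict_check(url, brand):
    """Parse the URL and test the host itself; also require HTTPS, since a
    genuine login page is never served over plain HTTP."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return host_belongs_to(parts.hostname, KNOWN_DOMAINS[brand])


def classify(url, brand="paypal"):
    """Return 'legitimate' or 'phishing' according to the strict host check."""
    return "legitimate" if strict_check(url, brand) else "phishing"


# Constructed samples: a genuine-looking sign-in URL, a page on a hijacked
# government subdomain, and a look-alike registered domain.
SAMPLES = [
    "https://www.paypal.com/signin",
    "http://secure.essor.gov.ml/paypal.com/login.html",
    "https://www.paypal.com.account-verify.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url}\n  naive: {naive_check(url, 'paypal')}  strict: {classify(url)}")
```

The naive test accepts all three samples; the strict one accepts only the first, which is the behaviour the address-bar advice is meant to produce.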

    Posted in Mobile



    In this economic crisis, people tend to trust the government for possible employment opportunities. Unfortunately, cyber criminals know this and use these circumstances by attacking job-related government sites.

    The Ministerio do Trabalho e Emprego, or the Ministry of Labor and Employment in Brazil, is being mimicked by cybercriminals to distribute malicious files:


    Figure 1. Fake Ministry of Labor and Employment in Brazil website

    The link to the download is displayed at the bottom left of the site:


    Figure 2. Ministry of Labor and Employment in Brazil website

    The downloaded file, despacho_artigo987221.scr, is detected by the Trend Micro Smart Protection Network as TROJ_BANLOAD.JMO. TROJ_BANLOAD.JMO gathers email addresses from the affected machine by looking through files with the following extensions:

    • .dbx
    • .eml
    • .mai
    • .mbox
    • .mbx
    • .tbb
    • .wab

    The collected email addresses are saved in a text file on the affected system and then sent to a remote “drop box” through FTP. This scheme is possibly an email-harvesting technique, wherein the collected email addresses will be used for future spam runs.
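On an endpoint, the behaviour just described has a recognisable shape: one process reads several mail-store files of the listed types and then opens an outbound FTP connection. The script below is an added example for this page (not code from the original post or from Trend Micro) that correlates those two signals per process over endpoint telemetry. The event records and their field names are constructed for the example and do not follow any particular EDR product's schema; the destination addresses are documentation-range placeholders.

```python
"""Correlate mail-store file reads with a following FTP connection, per process."""
from collections import defaultdict

# Extensions listed in the post as the trojan's harvesting targets.
MAIL_STORE_EXTS = {".dbx", ".eml", ".mai", ".mbox", ".mbx", ".tbb", ".wab"}
FTP_PORTS = {21}
MIN_MAIL_FILES = 3  # distinct mail stores a process must read before an FTP connect matters


def detect_harvest_and_exfil(events):
    """Return one alert per process that read >= MIN_MAIL_FILES distinct mail-store
    files and afterwards connected to an FTP port. Events are dicts in time order:
    op == "file_read" carries "path"; op == "net_connect" carries "dst" and "dport"."""
    mail_reads = defaultdict(set)
    alerts = []
    for ev in events:
        pid = ev["pid"]
        if ev["op"] == "file_read":
            name, _, ext = ev["path"].lower().rpartition(".")
            if name and "." + ext in MAIL_STORE_EXTS:
                mail_reads[pid].add(ev["path"].lower())
        elif ev["op"] == "net_connect" and ev["dport"] in FTP_PORTS:
            if len(mail_reads[pid]) >= MIN_MAIL_FILES:
                alerts.append({
                    "pid": pid,
                    "image": ev["image"],
                    "files": sorted(mail_reads[pid]),
                    "dst": ev["dst"],
                })
    return alerts


# Constructed telemetry: the .scr reads two Outlook Express stores and an address
# book, writes its list, then uploads by FTP; a mail client and a plain ftp.exe
# session each show only one half of the pattern and must not alert.
SCR = "despacho_artigo987221.scr"
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 4120, "image": SCR, "op": "file_read",
     "path": r"C:\Documents and Settings\ana\Identities\Outlook Express\Inbox.dbx"},
    {"ts": 2, "pid": 1200, "image": "outlook.exe", "op": "file_read",
     "path": r"C:\Documents and Settings\ana\mail\archive.pst"},
    {"ts": 3, "pid": 4120, "image": SCR, "op": "file_read",
     "path": r"C:\Documents and Settings\ana\Identities\Outlook Express\Sent Items.dbx"},
    {"ts": 4, "pid": 4120, "image": SCR, "op": "file_read",
     "path": r"C:\Documents and Settings\ana\Application Data\Address Book\ana.wab"},
    {"ts": 5, "pid": 4120, "image": SCR, "op": "file_write",
     "path": r"C:\WINDOWS\Temp\emails.txt"},
    {"ts": 6, "pid": 3300, "image": "ftp.exe", "op": "net_connect",
     "dst": "198.51.100.7", "dport": 21},
    {"ts": 7, "pid": 4120, "image": SCR, "op": "net_connect",
     "dst": "203.0.113.5", "dport": 21},
]

if __name__ == "__main__":
    for alert in detect_harvest_and_exfil(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} ({alert['image']}) read {len(alert['files'])} "
              f"mail stores then connected to {alert['dst']}:21")
```

Only pid 4120 alerts: outlook.exe reads mail but never talks FTP, and ftp.exe talks FTP without touching mail stores. The threshold and port set are the knobs to tune against a site's normal activity.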

    TROJ_BANLOAD.JMO also connects to certain URLs to download malicious files detected as TSPY_BANKER.MOA and TSPY_BANKER.MOB. TSPY_BANKER variants are notorious info-stealers of banking-related information from affected systems.

    This attack places Brazilian job hunters at risk of getting their banking information stolen, which would only worsen the affected users’ current situation.

    The fake website and the malicious files are now blocked and detected, respectively, by the Trend Micro Smart Protection Network.

    Posted in Security


    © Copyright 2011 Trend Micro Inc. All rights reserved.