Another swine flu-related spam run was recently reported, this time targeting Japanese users. Aside from using the swine flu as its social engineering method, which has already been used in earlier spam runs, this spam run also uses a technique where the sender of the message appears to use the .yahoo.co.jp domain. This serves not only as a means to evade spam filters, but also to further fool the users that the message is legitimate, thus convincing them to open an attached malicious file.

Spammed messages with the subject Warning of Swine Flu claiming to be from the National Institute of Infectious Diseases, encourages users to open an attached .ZIP file, to “learn” more about the pandemic (detection available as TROJ_PIDIEF.UA and TROJ_PIDIEF.TY). Our engineers have verified that TROJ_PIDIEF.TY drops and executes BKDR_KUPS.G.

The real National Institute of Infectious Diseases issued a warning of the fake spam messages on their website to alert users who may get the deceiving message.

Here is a translation of the text contained in the spam message:
________________________________________________

From: National Institute of Infectious Diseases address@yahoo.co.jp
Subject: Warning of Swine Flu!
Attached file name: Information on the swine flu

National Institute of Infectious Diseases

________________________________________________

Users are strongly advised not to judge the legitimacy of an email simply by its content.

If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!

Websites related to pornography that appear to be compromised were found by Trend Micro engineers loading malicious JavaScript which redirects users onto malicious domains that ultimately lead to the download of an MBR rootkit (TROJ_SNOWAL.A)onto the affected system.

The malicious JavaScripts are now detected as the following:

• JS_IFRAME.APQ
• JS_IFRAME.ABG
• JS_IFRAME.QD
• JS_PSYME.CRT
• JS_IFRAME.APU
• JS_IFRAME.APW

The abovementioned malicious scripts all follow a similar routine: upon execution, it checks for the date on the target system then generates a URL based on the date obtained. It then creates an IFrame, which would redirect the user to the generated URL. The URL then leads to the download of a malicious file, which in turn downloads an MBR rootkit.

Steps on how to identify and fix files infected by TROJ_SNOWAL.A can be found in the Virus Encyclopedia.
On the other hand, the Smart Protection Network protects users by detecting the malicious JavaScript which leads to the download of the rootkit, therefore preventing the rootkit from being downloaded onto users’ systems in the first place.

Early this week, we’ve encountered a new Koobface spam campaign which involved links that eventually led users to this Youtube copycat web page.

The scheme uses the old flash player trick (see Figure 1) where the user is told that they need to download the latest version of Adobe Flash Player to view a certain video. In this case, the Flash Player in the page is an actual Flash .SWF file, which will redirect users to a file named setup.exe detected by Trend Micro as TROJ_KOOBFACE.DU through the Smart Protection Network.

A short while after running setup.exe, Koobface fetches a picture file from a remote server which is actually a CAPTCHA image. The user is then presented with the Windows prompt as shown in Figure 2.

The panic-inducing screen displays the time before the system will shutdown as shown in Figure 3, while the image (blurred) in the middle is the downloaded CAPTCHA image. The above prompt is essentially telling the user that the system will shutdown in 2 minutes and 29 seconds unless they enter the CAPTCHA correctly!

After the user correctly solved the CAPTCHA image, Koobface promptly reports the solved CAPTCHA code to a remote server. This Koobface strategy creates a low-cost, distributed CAPTCHA breaking service. This time though, instead of using cheap labor, Koobface is now using the infected users themselves to break CAPTCHAs.