
    Archive for May, 2009




    We recently captured a spam email that appeared to be from Orkut. It is written in Portuguese and translates to the following (via Google Translate):

    Problems with your account.

    Dear User,

    We received some complaints against your profile saying you are “using copyrighted material,” and before Orkut disables your account unfairly, asks for you to contact us stating the problem.

    Some information from the complaint:

    Your Profile: {malicious link to phishing page}
    Report: {directly download malware}

    * Please do not reply to this email, follow the instructions in the report of the complaint.

    Warning: Your period for justification is 48h.

    Regards,
    {name}
    Administration Orkut.com

    Note: *We are taking measures in accordance with the laws in your country. (Brazil)
    * Please meet the requirements of the report within the stipulated period.

    Figure 1 shows the Portuguese Orkut spam. Users who click the first link in the email are led to a phishing page (see Figure 2), where they may be prompted to enter their credentials at the fake site, compromising access to their Orkut accounts. When the browser opens the phishing page, it also automatically starts downloading a file; should the user accept the download, save the file and run it, it installs a BANKER variant (TROJ_BANKER.GAT) on the system.

    [Figure 1: the Portuguese Orkut spam email. Figure 2: the Orkut phishing page.]

    BANKER variants and their components are notorious malware that sit silently on victims’ PCs, waiting until users browse online banking sites. They then either redirect the user from the real online banking site to a fake one or directly steal keyed-in information such as user names and passwords.

    Users are always advised to access sites that require logins through their own clean bookmarks or by typing the correct URL into the browser address bar. Also, ignore email (and the links therein) from doubtful or unknown sources. The Smart Protection Network protects Trend Micro users from this attack by identifying the phishing mail as malicious, blocking access to the phishing page, preventing the download of the malicious file, and detecting the downloaded file (and related malware) as malicious.




    Cybercriminals have long used videos as a lure to get unknowing users to download and install malware onto their systems. Recently, however, a new variant came up that differs just a little from the usual modus operandi.

    TROJ_SMALL.UY, at first glance, appears to be a fairly standard malware that’s installed by claiming it’s needed for a video. There’s one difference, though: TROJ_SMALL.UY, which poses as an installer for Adobe Flash Player, does appear to actually install Adobe Flash Player.

    In fact, TROJ_SMALL.UY goes to a fair amount of trouble to look like a legitimate program. Consider, first of all, the page where it can be downloaded from:

    [Figure: the download page imitating the Adobe site.]

    Whoever was behind this Trojan went to a lot of effort to replicate the look and feel of the real Adobe site, and even used a domain name very close to the word Adobe.

    The same is true for the installer:

    Similarly, some effort has been made here to replicate a legitimate Windows installer. It wouldn’t be too hard to conclude that this was a legitimate installer for Adobe Flash Player. It even adds an uninstaller in the Control Panel, after all!

    While TROJ_SMALL.UY may indeed install Adobe Flash Player, something extra comes along for the ride: it also drops a DLL file detected as TROJ_DLOADER.ZEK. Since this is a Trojan downloader, in practice the field is wide open to any malware threat.

    While the website hosting this modified Flash Player is already blocked through the Smart Protection Network, it’s doubtful this is the last we’ll see of this particular threat.




    Gumblar.{BLOCKED}, the domain to which visitors of reported compromised websites were redirected, was taken down, only to be replaced by a new one: Martuz.{BLOCKED}.

    In an attack which quickly garnered much attention in the security industry, visitors to compromised websites were found to be redirected to Martuz.{BLOCKED}, which leads to a file being downloaded onto users’ systems. It then uses Adobe PDF and Flash Player vulnerabilities to gain system access. Once installed, the malware is able to steal stored passwords, which it delivers back to its creators via FTP. These stolen passwords may ultimately lead to unauthorized tampering with the user’s web server files, wherein obfuscated JavaScript is inserted into several files. The vandalized pages containing the JavaScript then become the malware author’s newest redirectors, continuing the vicious cycle of information stealing. Additionally, the malicious file poisons the results of Google searches conducted by the user of the affected system, leading them to more malicious domains.

    Our engineers are still in the process of analyzing the said malicious file. In the meantime, Trend Micro detects the redirecting scripts as HTML_JSREDIR.AE and HTML_REDIR.AC. Injected scripts vary for each infected page, and the exact epicenter of the attack has yet to be determined.

    Using a browser other than Internet Explorer may help minimize the risk of getting infected, and updating software to address vulnerabilities is a must. Site owners should do an immediate cleanup if an infection is detected, and passwords should be changed as soon as possible.
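    Because the injected scripts vary from page to page, a site owner doing the cleanup described above needs a heuristic rather than a fixed signature. The following is an added example (not Trend Micro's detection logic) that scores each `<script>` block in a page on the traits of such redirectors: a source pulled from a foreign host, and packed-loader constructs like `eval(unescape(...))` and `String.fromCharCode`. The sample page and the host name `shop.example` are constructed for illustration.

```python
import re

# Matches each <script> element, capturing its attributes and inline body.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

# Constructs typical of packed or obfuscated loaders; each hit adds to the score.
OBFUSCATION_MARKERS = [
    (re.compile(r"\beval\s*\("), "eval("),
    (re.compile(r"\bunescape\s*\("), "unescape("),
    (re.compile(r"String\.fromCharCode"), "String.fromCharCode"),
    (re.compile(r"(?:%[0-9a-fA-F]{2}){8,}"), "long %XX escape run"),
    (re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), "long \\xNN escape run"),
]

def score_script(attrs, body, site_host):
    """Return (score, reasons) for one <script> element of a page on site_host."""
    score, reasons = 0, []
    src = SRC_RE.search(attrs)
    host = re.match(r"https?://([^/]+)", src.group(1), re.IGNORECASE) if src else None
    if host and host.group(1).lower() != site_host.lower():
        score += 2  # script loaded from a host other than the site's own
        reasons.append("external src " + host.group(1))
    for pattern, label in OBFUSCATION_MARKERS:
        if pattern.search(body):
            score += 1
            reasons.append(label)
    return score, reasons

def scan_html(html, site_host, threshold=2):
    """Return [(score, reasons, snippet)] for script blocks scoring >= threshold."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        score, reasons = score_script(m.group(1), m.group(2), site_host)
        if score >= threshold:
            findings.append((score, reasons, m.group(0)[:80]))
    return findings

# Constructed sample page: one legitimate local script, one injected loader
# (the encoded payload is a placeholder, not a real redirector).
SAMPLE_HTML = """<html><body><h1>Shop</h1>
<script src="/js/site.js"></script>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28'
+ String.fromCharCode(60,105,102,114,97,109,101) + '...'))</script>
</body></html>"""
```

    Run scan_html over every HTML and PHP file under the web root (for example with pathlib.Path.rglob) and review the flagged files first; a clean, known-good copy of the site is still the only reliable way to confirm what was injected.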




    This is the final part of our report on Pushdo. Read the first, second, third, and fourth part of this report for more information.

    Over the course of our blog series on Pushdo we have covered some of the key aspects of the threat – how it spams, its stealth components, its sniffer, and some background on its underground links to Russia. But out of all of these articles, the part that got the most feedback was when we declared traditional AV incapable of dealing with this threat. So what can we do–or is it time to invest in lots of tinned food to best prepare for the coming apocalypse?

    Perhaps we should clarify our point by saying that traditional antivirus cannot deal with Pushdo on its own–it must be deployed in conjunction with other lines of defense. To defeat Pushdo we need to fight it on the Web, over email AND on the endpoint itself. The fact is that this is exactly what the Trend Micro Smart Protection Network is set up to do, by blocking malicious web threats and emails before they even reach the end user. SPN is described as an in-the-cloud technology, but what does this mean? After all, the software is installed on one of your machines sitting in your office. What’s so in-the-cloud about that?

    The fact is that the really cool stuff behind the Smart Protection Network actually takes place in the cloud. The end user may simply see (or not, as the case may be) a spam email being blocked–but in the background this can kick off a whole series of processes, such as automatically blocking the malicious URLs in the mail, spidering the malicious site to download all hosted malware, and automatically analysing and detecting this malware (and, of course, all the spam and malicious URLs associated with it). This whole process helps constantly improve users’ protection without any need for action on their part.

    So the next time someone tells you that they are safe from malware because they have antivirus installed, tell them to think again–it really does matter what additional levels of protection they have in place.

    For those of you who have found these articles interesting, congratulations on getting this far! If you want to look at Pushdo in even more detail (and find out about the technical aspects we did not have time to discuss), check out our white paper:

    Paper: A Study of Pushdo / Cutwail

    Previous Pushdo/Cutwail posts from this series can be read at the following links:
    Pushdo/Cutwail – The Art of Spamming (Part 1 of 5)
    Pushdo/Cutwail – From Russia with Love (Part 2 of 5)
    Pushdo/Cutwail – Can’t Touch This (Part 3 of 5)
    Pushdo/Cutwail – Sniffing for the Win (Part 4 of 5)




    German users have recently been receiving emails announcing that a company called IT-Electronics is looking for professionals in search of extra income.

    [Figures: screenshots of the IT-Electronics job-offer email.]

    Here is a rough translation of the email message:


    Dear recipient,

    IT Electronics, the leading Asian firm in the field of information technology, announces again its intention to employ workers in Germany. We give you another chance to work with us and to have extra income.

    We are looking for honest, responsible and industrious people aged 21 to 67 years old for the representation of our company at your region. To optimize our company’s work in Germany and for the improvement of our business development, we need people who can afford 2-3 hours per day. This is an opportunity to work from home and to earn 300-500 € (Euro) per week.

    We invite you to the visit IT-Electronics web site to overview our job vacancy.

    There are no fees and expenses required, we offer a real and honest opportunity to work from home for an extra income.

    The link in the email connects to what seems to be the IT-Electronics website, where the careers tab contains a job offer written in German (the rest of the web page is in English). While this is so far nothing new or unexpected, it turns out that the job description is something very similar to the infamous Nigerian Scam:

    [Figure: the German job offer on the careers tab of the IT-Electronics website.]

    The job description translates to the following:


    Process:
    1. Our client (which might be located in your region) informs us about his desire to enter a supply contract.
    2. We give our customers your contact data and he transfers funds directly to your bank account. You must tell us when the funds are received.
    3. In the same or in the next day, we proceed with the shipment of our production to the customer.
    4. You’ll get instructions, how these funds may be transferred to our bank account.

    We pay you a percentage of each transaction. Typical amount is 5-7% of the funds received in your bank account. You will receive this commission immediately, after the customer’s payment is received by us. We will also cover all cost associated with the money transfer.

    The job applicant only needs a phone and a bank account: the phone to arrange money transfers with potential customers of IT-Electronics, and the bank account to pass the money on to IT-Electronics.

    Analysis reveals that the emails were sent from accounts located in Colombia, Mexico, the US and Germany – most probably by botnet zombies. The IT-Electronics website is hosted in China, which is quite infamous for hosting rogue sites.

    Well in case you’re interested in taking the job, here is one important fact that they didn’t put in the job description: money laundering is illegal.




    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice