Archive for July, 2009


Jul30
by JM Hipolito (Technical Communications)

Hotmail users need to be wary of a malicious spam run that specifically targets users of that webmail service.

Senior Security Analyst Rik Ferguson reports that the spam messages arrive with text indicating that they carry JPEG image attachments. In truth, however, the attachment file names are links to shortened URLs, which in turn lead to malicious URLs.

Following the links, which are now blocked, leads to the download of the file fotos.com, now detected as TROJ_DLOADR.AQJ. Note that despite the photo-themed name, .com is a Windows executable extension, not an image format. This downloader in turn fetches a wide variety of information-stealing malware. The malicious URLs and files are all blocked through the Trend Micro Smart Protection Network.

Noteworthy is that the links were crafted to look, at first glance, very similar to how file attachments are displayed in most email clients. An envelope-shaped icon even appears beside each link, as is typical for file attachments.

There are, however, noticeable differences between this spam and a legitimate email message, which users should watch for whenever they receive a suspicious message.


Here are a few of the noticeable differences between the spam email and a legitimate one:

  • In a legitimate message, the attachment details appear above the message area, alongside the other header fields, not inside the message body.
  • The number of attached files is stated directly under the email address in the To: field.
  • The size of each attached file is displayed beside its file name.
  • Attached images are always displayed at the bottom of the message.

Hotmail users are advised not to click any link in a message that claims to carry attachments but does not display the details listed above.
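The tell described above, a link whose visible text looks like an image file name but whose target is a URL shortener or another outside host, can be checked mechanically before a message reaches a user. The Python below is an added example, not code from the original post or from Trend Micro; the HTML message is constructed, and short.example is an assumed placeholder shortener host (doiop.com is taken from the Twitter post further down this page).

```python
"""Flag links that impersonate image attachments in an HTML message body.

Added example, not code from the original post or from Trend Micro. It
mechanises the tell described in the post: a real attachment is shown by
the mail client outside the message body, so an <a> inside the body whose
visible text is an image file name, but whose href goes to a URL shortener
or any other outside host, is a disguised link. The message below is
constructed and short.example is an assumed shortener host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

IMAGE_SUFFIXES = (".jpg", ".jpeg", ".gif", ".png", ".bmp")
# Shortener hosts to call out by name; doiop.com is the one the Twitter post
# on this page names, short.example is a placeholder.
KNOWN_SHORTENERS = {"doiop.com", "short.example"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def fake_attachment_links(html):
    """Return (text, href, reason) for links dressed up as image attachments."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        if not text.lower().endswith(IMAGE_SUFFIXES):
            continue  # visible text does not look like an image file name
        parts = urlparse(href)
        if parts.scheme not in ("http", "https"):
            continue  # cid:/relative references are how real inline images are addressed
        host = (parts.hostname or "").lower()
        reason = "shortener" if host in KNOWN_SHORTENERS else "external host"
        findings.append((text, href, reason))
    return findings


# Constructed message mimicking the spam run: image-named links with an
# envelope icon beside each, sitting inside the body rather than the header.
SAMPLE_MAIL = """
<p>Hola, te mando las fotos de la fiesta:</p>
<p><img src="cid:envelope"> <a href="http://short.example/abc123">fotos1.jpg</a></p>
<p><img src="cid:envelope"> <a href="http://203.0.113.9/get?id=7">fotos2.jpg</a></p>
<p><a href="http://www.example.com/about">About us</a></p>
<p><a href="cid:inline01">inline01.jpg</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in fake_attachment_links(SAMPLE_MAIL):
        print(f"{text!r} -> {href} ({reason})")
```

The check deliberately ignores cid: and relative references, since those are how genuinely embedded images are addressed; only an absolute http(s) link with an image-looking label is reported, and the shortener hit is called out separately because it is the stronger signal.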


Jul29
by Feike Hacquebord (Advanced Threats Analyst)

Today Trend Micro researchers discovered a spoofed (fake) version of the popular Russian social networking site vkontakte.ru. Visitors of the spoofed site risk exposing their personal login credentials to a third party. Vkontakte.ru is roughly the Russian equivalent of Facebook and is very popular in Russian-speaking countries. According to the site itself it has more than 35 million users. Alexa ranks the site as the second most visited site in Russia.

The infamous UkrTelegroup rogue DNS servers have resolved the domain name www.vkontakte.ru to a foreign IP address since today. These rogue DNS servers belong to the most prevalent DNS Changer Trojans (such as TROJ_DNSCHANG), which modify victims' DNS settings to point at foreign IP addresses. DNS Trojan victims are at great risk, because the controllers of the rogue DNS servers can send them to any site at any time, exposing the victims to information theft, fraudulent traffic, and malicious URLs.

Apparently the number of Russian-speaking DNS Changer victims has reached critical mass, so that it has become profitable to spoof Russian sites as well. Earlier we saw only about 60 Russian porn sites getting rogue resolution from the UkrTelegroup gang in a click fraud scheme, but now they are taking an interest in spoofing high-traffic Russian sites like this social networking website.

Apart from the risk of personal information leakage, Internet users who visit the spoofed version of www.vkontakte.ru will see a “pop-under” box that advertises a different social networking site, youdo.ru, through an intermediary site named youdoitnow.ru. Alexa does not yet have statistics on youdo.ru.

Special thanks to Senior Threat Researcher Max Goncharov for additional information in this post.
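A DNS Changer never touches the target site itself; it rewrites the victim's resolver settings so that every lookup goes through attacker-run servers, which can then answer www.vkontakte.ru with any address they like. Two checks follow directly from that: are the configured resolvers inside a range you have flagged as rogue, and does the configured resolver's answer for a high-value name disagree with a trusted reference resolver. The Python below is an added example, not code from the original post or from Trend Micro; all inputs are constructed, and the "rogue" prefix is the RFC 5737 documentation range 192.0.2.0/24, a placeholder standing in for real threat intelligence rather than the UkrTelegroup addresses.

```python
"""Check a host for the DNS Changer pattern described in the post above.

Added example, not code from the original post or from Trend Micro. All
inputs are constructed; ROGUE_RESOLVER_RANGES uses an RFC 5737 documentation
prefix as a placeholder for the rogue resolver ranges you actually track.
"""
import ipaddress

# Placeholder blocklist; replace with the rogue resolver prefixes you track.
ROGUE_RESOLVER_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def rogue_resolvers(servers):
    """Return the configured resolvers that fall inside a flagged range."""
    hits = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue  # not a literal address; nothing to match against
        if any(addr in net for net in ROGUE_RESOLVER_RANGES):
            hits.append(server)
    return hits


def hijacked_names(local_answers, reference_answers):
    """Return names whose local answer shares no address with the reference.

    Both arguments map hostname -> set of A-record addresses. CDNs and
    geo-DNS can legitimately differ between resolvers, so treat a hit as a
    lead to verify against the site's published addresses, not as proof.
    """
    return sorted(
        name
        for name, addrs in local_answers.items()
        if name in reference_answers and not (addrs & reference_answers[name])
    )


# Constructed resolver configuration as a DNS Changer might leave it.
INFECTED_RESOLV_CONF = """# Generated by NetworkManager
nameserver 192.0.2.53
nameserver 192.0.2.54
"""
CLEAN_RESOLV_CONF = "nameserver 10.0.0.1\n"

# Constructed answers: the rogue resolver diverts www.vkontakte.ru to an
# attacker host (203.0.113.7) while leaving an uninteresting name alone.
LOCAL_ANSWERS = {
    "www.vkontakte.ru": {"203.0.113.7"},
    "www.example.com": {"198.51.100.80"},
}
REFERENCE_ANSWERS = {
    "www.vkontakte.ru": {"203.0.113.200"},
    "www.example.com": {"198.51.100.80"},
}

if __name__ == "__main__":
    servers = parse_resolv_conf(INFECTED_RESOLV_CONF)
    print("configured resolvers:", servers)
    print("rogue resolvers:", rogue_resolvers(servers))
    print("possibly hijacked:", hijacked_names(LOCAL_ANSWERS, REFERENCE_ANSWERS))
```

On Windows, which is where these Trojans actually run, the equivalent input is the DNS server list shown by `ipconfig /all` rather than a resolv.conf; feed those addresses to rogue_resolvers. The answer comparison is the check that still works when the rogue servers sit in a range you have not yet seen, at the cost of occasional false positives from geo-distributed sites.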


Jul29
by Det Caraig (Technical Communications)


Trend Micro recently relaunched TrendWatch, its dedicated threat center, to keep users better informed and abreast of the latest threats. As with the site's original launch last year, this year's relaunch aims to make information about all kinds of threats as accessible and intuitive as possible for all our site visitors.

The site will continue to answer the same questions you may have had in the past but will also offer you so much more. The new and improved TrendWatch site promises to be faster, simpler to use, and more intuitive than before.

To get a glimpse of the new and improved TrendWatch, you may visit this URL: http://us.trendmicro.com/us/trendwatch/.

So what can you look forward to seeing in this site?

  • Focus Report Series is a Trend Micro first. The featured report each month will give you more in-depth insight into some of the most prevalent types of malware attacks.
  • Threat Meter presents a graphical view of the latest threats (i.e., Web, spam, and malware) affecting users in real time.
  • Recent Security Advisories will keep Microsoft application users informed of the latest critical updates to protect their systems from vulnerability exploits.
  • Latest Videos and Podcasts provides user education and training support conducted by our tech gurus.
  • Recent Threat News provides links to our latest blog entries that will keep you informed of the latest threats you should protect yourselves from.

These and links to our rich and timely security resources are sure to make your TrendWatch experience better than before.

Visit TrendWatch, a threat center designed just for you! Powered by data from TrendLabs, Trend Micro’s global network of research, service, and support centers, TrendWatch is a central resource providing the latest information about threats plus updates on new technologies and access to security tools.

Experience Trend Micro, visit TrendWatch today!


Jul29
by Jonathan Leopando (Technical Communications)

It’s not the second Tuesday of the month, but Microsoft has rushed out several patches for Internet Explorer. These are related to the zero-day exploit that was revealed earlier in the month; the earlier fix apparently did not address the underlying flaw, which independent security researchers have since found and are ready to present at this week’s Black Hat security conference in Las Vegas. Microsoft is pre-empting exploitation of the issue by taking the highly unusual step of releasing an out-of-cycle patch.

More information, as well as download links for the said patches, may be found below:


Jul27
by JM Hipolito (Technical Communications)

A recent report by Rik Ferguson found that malicious Twitter posts are becoming dangerously more customized, increasing the chance that users get hooked into malicious schemes.

A Twitter spambot is said to have been used to launch this recent attack. The spambot creates Twitter accounts and dresses them up to look legitimate by posting seemingly harmless tweets, such as what music the account listens to or which websites it visits. The spambot accounts then post tweets directed at unsuspecting users, sharing a link to a PC repair tool they claim to have come across and used.

As Rik Ferguson notes, the spambot directing tweets at specific users is a noteworthy social engineering technique that was clearly not seen as suspicious by Twitter admins. The spambot accounts were apparently created prior to a spam cleanup recently conducted by Twitter.

Additionally, the spambot uses the URL shortener Doiop.com to mask the real destination of the link in its posts. The shortened URL points to a page that triggers a couple of redirections, which ultimately lead to the download of the file RegistryEasy.exe, detected as TROJ_FAKEAV.DAP. TROJ_FAKEAV.DAP poses as an application that repairs registry problems; in true FAKEAV style, however, it merely displays false results to convince the user to purchase the product.


Also interesting is that at the root of one of the URLs the user is redirected through, an advertisement for an application dubbed Bot Lite is posted. Bot Lite is, as the post describes it, a lightweight Twitter bot that virtually anyone can use.


Rik confirmed that Bot Lite does function as a spambot for Twitter. Its file name is bot_lite_100.exe and its detection name is HKTL_FAKEBOT. HKTL_ is the detection prefix Trend Micro uses for hacking tools, which are considered grayware. Grayware refers to applications that have annoying, undesirable, or undisclosed behavior but do not fall into any of the major threat categories (i.e., virus or Trojan horse).
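The shortener-plus-redirects pattern in this post (and in the Hotmail spam run described earlier on this page) can be resolved by an analyst or a gateway without ever running the payload: walk the redirects one hop at a time and look at what the final hop serves. The Python below is an added example, not code from the original post or from Trend Micro. The URLs and HTTP responses are constructed placeholders under .example domains (nothing at short.example, landing.example or loop.example exists), and `live_fetch` is an optional, network-using substitute for the constructed table.

```python
"""Walk a shortened link's redirect chain and classify where it ends.

Added example, not code from the original post or from Trend Micro. The
constructed response table models the chain the post describes: a
shortener, a couple of redirects, then an .exe download. Every URL here is
a placeholder under a .example domain.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif")

# Constructed responses: url -> (status, headers). Header names are assumed
# to be canonically capitalized, as http.client delivers them.
FAKE_RESPONSES = {
    "http://short.example/r1": (301, {"Location": "http://landing.example/go.php?id=1"}),
    "http://landing.example/go.php?id=1": (302, {"Location": "/dl/RegistryEasy.exe"}),
    "http://landing.example/dl/RegistryEasy.exe": (
        200, {"Content-Type": "application/x-msdownload",
              "Content-Disposition": "attachment; filename=RegistryEasy.exe"}),
    "http://short.example/r2": (301, {"Location": "http://loop.example/a"}),
    "http://loop.example/a": (302, {"Location": "http://loop.example/b"}),
    "http://loop.example/b": (302, {"Location": "http://loop.example/a"}),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP HEAD request."""
    return FAKE_RESPONSES.get(url, (404, {}))


def live_fetch(url, timeout=10):
    """HEAD a URL without following redirects (uses the network)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface 3xx as HTTPError instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as r:
            return r.status, dict(r.headers)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers)
    except urllib.error.URLError:
        return 0, {}


def looks_executable(url, headers):
    """True if the response or the final path indicates a Windows executable."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    disposition = headers.get("Content-Disposition", "").strip().lower()
    path = urlparse(url).path.lower()
    return (ctype in EXECUTABLE_TYPES
            or path.endswith(EXECUTABLE_SUFFIXES)
            or disposition.endswith(EXECUTABLE_SUFFIXES))


def follow_chain(url, fetch=fake_fetch, max_hops=MAX_HOPS):
    """Return (hops, verdict): every URL visited in order, and one of
    'executable', 'page', 'loop', 'too_many_hops' or 'unreachable'."""
    hops, seen = [url], {url}
    for _ in range(max_hops):
        status, headers = fetch(hops[-1])
        if status in REDIRECT_CODES and "Location" in headers:
            nxt = urljoin(hops[-1], headers["Location"])  # Location may be relative
            if nxt in seen:
                return hops, "loop"
            hops.append(nxt)
            seen.add(nxt)
        elif status == 200:
            return hops, "executable" if looks_executable(hops[-1], headers) else "page"
        else:
            return hops, "unreachable"
    return hops, "too_many_hops"


if __name__ == "__main__":
    for start in ("http://short.example/r1", "http://short.example/r2"):
        hops, verdict = follow_chain(start)
        print(verdict, " -> ".join(hops))
```

Using HEAD and refusing to auto-follow keeps every intermediate URL visible for blocking, which a plain GET that follows redirects would hide; the loop and hop-count guards matter because redirect chains built by spammers are not obliged to terminate. When run against live infrastructure, expect shorteners and landing pages to answer differently to a HEAD, a non-browser User-Agent or a repeat visit, so a "page" verdict is not a clean bill of health.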


© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice