Archive for August, 2009


Aug30
by Bernadette Irinco (Technical Communications)

TrendLabs researchers were alerted to a newly released Proof-of-Concept (PoC) that listens to and records voice calls made via Skype. Trend Micro detects this as TROJ_SPAYKE.C. Skype is a popular application used for making voice over IP (VoIP) calls.

Upon execution, the DLL component (also detected as TROJ_SPAYKE.C) intercepts Skype traffic by hooking the send and recv APIs that Skype uses. Because the hook sits inside the Skype process, it sees the call data before Skype applies the encryption it uses when sending to other users; transport encryption offers no protection once the endpoint itself is running the attacker's code. The Trojan saves the captured audio as files, which could then be sent to a malicious user. Here’s a screenshot of the captured information:


Figure 1. Sample of intercepted traffic

The PoC poses little threat at the moment: it records calls to local audio files but contains no routine to send the captured information to a remote user. However, future variants that do engage in information theft cannot be ruled out.

Users are advised not to give away sensitive information when conversing online, to limit the damage from this kind of eavesdropping. Trend Micro protects users from this attack through the Trend Micro Smart Protection Network.


 

Aug28
by Bernadette Irinco (Technical Communications)

Many users believe that mobile phones are more secure than PCs, according to the latest Trend Micro survey, and a number of them do not practice safe browsing on their phones.

The survey shows that 44% of over 1,000 respondents are lax about browsing safely on their mobile phones. Respondents are more concerned about losing data such as contact numbers through physical loss of the phone than about information loss from Web threats, phishing, or spam. In fact, only 23% use the security software already installed on their phones. Some even believe such software serves no purpose, because mobile phones are not as prone to security risks.

Unfortunately, the assumption that mobile phones are spared by cybercriminals is incorrect; mobile threats have been around for the past four years. Trend Micro researchers regularly see Symbian malware such as SYMBOS_BESELO.A, SYMBOS_VIVER.A, SYMBOS_FEAKS.A, and SYMBOS_YXES.B infect Symbian-based phones. Other notable mobile malware includes WINCE_INFOJACK.A and WINCE_CRYPTIC.A, which target Windows Mobile phones. This so-called traditional mobile malware is still very much active today, as seen in the chart below.


As mobile phones become more Web-based and users rely on them more heavily for day-to-day business, the risks from phishing and other Web threats will grow as well. Users are advised to browse with care, since careless browsing can lead to malware infection and information loss, and are strongly urged to use security software to stay protected.

Trend Micro protects mobile users with Trend Micro Mobile Security. It also offers Trend Micro Smart Surfing for iPhone to iPhone and iPod Touch users. Both block access to malicious sites, allowing users to browse with less worry.

 

Aug28
by Det Caraig (Technical Communications)

Trend Micro threat analysts were alerted to the discovery of spyware (detected as TSPY_EBOD.A) purporting to be an Adobe Flash Player update. Upon execution, the spyware installs a Firefox add-on called “Adobe Flash Player 0.2.” The add-on’s installer uses JavaScript (detected as JS_EBOD.A), and the fake update appears to spread via forum posts.


The add-on injects ads into the user’s Google search results pages. More disturbing, however, is its capability to monitor the user’s browsing activity, in particular the Google search queries made in Firefox. It then sends the information it gathers to http://{BLOCKED}jupdate.com.

We have seen a lot of malware target Internet Explorer in the past, which is probably one reason a huge number of users have switched to alternative browsers such as Firefox, Chrome, Safari, and Opera. Switching browsers used to be considered a safe computing practice; it no longer is, now that malware increasingly targets the most popular alternative browser, Firefox.

Users should be wary, as always, of downloading updates from unknown sources. In this case there is a simple tell: Adobe Flash Player is a browser plugin delivered by Adobe’s own installer, not a Firefox extension, so an extension carrying that name should be treated as suspect. Users should also note that no browser is immune to attack, as cybercriminals will do just about anything to get their code onto users’ machines.

The Trend Micro Smart Protection Network already detects the malicious code and blocks it from running, and blocks the malicious add-on from being downloaded, so Trend Micro product users are protected.

 

Aug28
by Jonathan Leopando (Technical Communications)

Recently we’ve encountered a cross-site scripting attack that targeted the Chinese social networking site Renren. Fortunately for users, it was quite harmless as far as these kinds of threats go—but it could have been much, much worse.

Renren users received messages from their friends with a link to what appeared to be a video of the Pink Floyd song Wish You Were Here. The Flash file behind the link is detected as SWF_EXECJS.A. When the user clicks the link, the file does play the legitimate video of the song, as seen below:

Figure 1. Legitimate video played by XSS attack

However, while the video plays, SWF_EXECJS.A connects to a URL to execute a script detected as JS_DLOADR.ATJ. JS_DLOADR.ATJ searches for cookies related to Renren and then sends messages with a link to the same video to everyone on the user’s friends list. All of this happens automatically, without any input or consent from the user.

The attack was fairly limited, but it could have been much worse. It could have taken a page from KOOBFACE malware and sent out links to malicious sites, for example, which would have put a truly ironic twist on the video used in this attack. As it is, all it did was annoy some people and embarrass Renren.

Similar low-impact attacks have hit social networking sites before, most notably Orkut, which is owned by Google.

Both components of this attack are detected by the Smart Protection Network.

 

Aug28
by Det Caraig (Technical Communications)

Trend Micro threat analysts were alerted to another mass compromise attack affecting around 55,000 consumer-oriented sites spread throughout Canada, China, the United Kingdom, and India as of the first report.

This incident is a painful reminder of the persistent risk of unprotected Web surfing. In this particular case, the malicious scripts injected into the legitimate sites lead to other sites that eventually resolve to the download of the following backdoor programs and components:

The backdoors drop other components and connect to other IP addresses to download further malware, which increases the risk to users.

Trend Micro Web Threat Protection-enabled products already block the infection chain, from the domains and URLs referenced by the injected scripts down to the URLs hosting the malicious binaries.

As of this writing, searching for the offending script yields 99,000 results.

 


© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice