Trend Micro Malware Blog

    Archive for August, 2009




    Ahead of the August 28 official release of Apple’s OS X Snow Leopard, cybercriminals are already riding on the launch to push malware. Earlier today, Advanced Threat Researcher Feike Hacquebord discovered several fake sites that supposedly give Mac users free copies of Snow Leopard, the newest version of Mac OS X. Visiting these malicious sites instead delivers a DNS changer Trojan, detected by Trend Micro as OSX_JAHLAV.K.

    Once executed, OSX_JAHLAV.K decrypts embedded code, including a script that downloads further malicious scripts. The downloaded script then alters the system’s DNS configuration, adding two attacker-controlled IP addresses as DNS servers. With name resolution under the attacker’s control, users can be silently redirected to phishing and other fraudulent sites. Some of these bogus sites are reportedly hosting FAKEAV (rogue antivirus) variants and components.

    As of this writing, all malicious URLs are already blocked by Trend Micro. Users are strongly advised to obtain Snow Leopard only directly from Apple, and to consider using Trend Micro Smart Surfing for Macs.

     



    Tartu, Estonia is home to an Internet company that, from the outside, looks just like any other legitimate Internet service provider (ISP). On its website (see Figure 1), the company lists services such as hosting and advertising. According to publicly available information, it posted more than US$5 million in revenue and had more than 50 employees in 2007.

    In reality, however, the company has served as the operational headquarters of a large cybercrime network since 2005. From its office in Tartu, employees administer sites that host codec Trojans, as well as command-and-control (C&C) servers that steer armies of infected computers. The criminal outfit operates through many daughter companies in Europe and the United States. These daughter companies quickly draw heat once they become implicated in Internet abuse and other cybercrimes; they disappear after getting bad publicity or when upstream providers terminate their contracts.

    Some of the larger daughter companies survived for up to five years but were dismantled after they lost Internet connectivity in a San Francisco data center when Web hosting company Intercage went dark in September 2008, and after ICANN decided to revoke the company’s domain name registrar accreditation.

    This was a major blow to the criminal operation. However, it quickly recovered and immediately began spreading its assets across many different Web hosting companies. Today we count about 20 different Web hosting providers where the Estonian outfit has a presence. In addition, the company owns two networks in the United States.

    We gathered detailed data on the cybercrime ring from Tartu and found that it controls every step of the chain, from driving traffic to sites that host Trojans to exploiting the infected computers. Even the billing system for the fake antivirus software the company pushes is controlled from Tartu. An astonishing 1,800,000 Internet users were exposed to bogus “you are infected” messages in July 2009 when they tried to access high-traffic pornography sites.

    For a detailed analysis, please read our white paper, A Cybercrime Hub, available at TrendWatch.

     



    We at Trend Micro Research recently produced a short blog series on the Pushdo botnet, a botnet that excelled at staying under the radar for a considerable amount of time. Pushdo is not alone in this regard, however: enter Ilomo.

    Ilomo has also been active for several years now and, like Pushdo, has done so without attracting much unwanted attention from the security industry. Like Pushdo, Ilomo is quite modular in nature, which makes it difficult to see the actions of the overall threat. Added to this is the fact that it uses a commercial virtual-machine obfuscator, significantly adding to the effort involved in reverse engineering the malware binaries.

    Ilomo has two key components to its business plan. The first is good old-fashioned information stealing. Ilomo injects its code into the browser and monitors the Internet connection, waiting for the user to connect to one of over 4,000 banking, financial, or webmail sites. Not content with simply stealing the user’s credentials, Ilomo can also “piggyback” on the user’s authenticated session, transferring funds from the infected user’s account and making a mockery of the bank’s secure login system. Ilomo also harvests every other login credential it can find on the machine, such as those for FTP, Web servers, and local administrator accounts. These are then used to spread across the network and to take control of Web servers online, which it uses to host new versions of the malware.

    Figure: Ilomo C&C server distribution.

    Ilomo’s second source of revenue is selling “anonymity as a service.” Every infected Ilomo machine acts as a proxy, so that criminals can route their illegal activities through different networks and countries. In addition to hiding the criminals’ identities, this proxy network is very useful for defeating another defense built into many banking sites, namely that they can only be accessed from certain countries. If a criminal needs to access a Brazilian bank, they simply use an infected Ilomo machine in Brazil to route the connection.

    We have only touched on some of the high-level details of Ilomo in this article. If you want to look at Ilomo in even more detail (and find out about the technical aspects we did not have time to discuss), check out our white paper:

    Analysis of Ilomo/Clampi

     




    A new threat targeting Borland Delphi compilers is fast becoming a global concern, as we have been receiving reports of increasing infection incidents. The file infector, detected by Trend Micro as PE_INDUC.A, tampers with Borland Delphi compilers installed on targeted systems, causing all files compiled using the compromised compiler to be infected. Borland Delphi is the compiler behind a number of popular enterprise database and desktop applications.

    Upon execution, the malware checks whether a Borland Delphi compiler is installed on the system by looking for a certain registry entry. Once it confirms that the compiler is present, it modifies the file SysConst.pas by appending code. It then compiles a new copy of SysConst.dcu from this modified source; the resulting file is detected by Trend Micro as TROJ_INDUC.AA. Finally, it renames the original SysConst.dcu to SysConst.bak and deletes the modified SysConst.pas.

    From then on, every program compiled with the affected Delphi compiler is also infected, because the compromised SysConst unit is part of the runtime library linked into each Delphi executable. This puts other users at risk: if they run a Delphi program that was compiled with a tampered compiler, and they have a Delphi compiler of their own installed, it will be tampered with as well.

    As of this writing, there is no known payload for this malware beyond infecting compiled files.

    Trend Micro Japan threat analysts have written an entry on this threat here. We will update this entry as more information comes in.
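The infection routine described above leaves a simple on-disk trace: a renamed SysConst.bak next to a freshly compiled SysConst.dcu in the compiler's library directory. The following is an added example (not code from the original post or from Trend Micro) of a check a practitioner could run across Delphi installations to look for that trace. The directory layout it builds for its self-test, the install names Delphi6 and Delphi7, and the idea of comparing timestamps between the two files are constructed assumptions for the demonstration; only the SysConst.bak rename comes from the post.

```python
"""Scan Delphi library directories for the artifacts PE_INDUC.A leaves behind:
the original SysConst.dcu renamed to SysConst.bak beside a recompiled SysConst.dcu.

Added example, not Trend Micro's code. The fixture built in self_test() is a
constructed layout, not data from the original post."""
from __future__ import annotations

import os
import sys
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path


@dataclass
class InducFinding:
    lib_dir: Path
    bak_present: bool         # SysConst.bak exists: the renamed original unit
    dcu_newer_than_bak: bool  # current SysConst.dcu postdates the renamed original
    pas_left_behind: bool     # a SysConst.pas copy still sits in the Lib directory

    @property
    def suspicious(self) -> bool:
        # The rename to SysConst.bak is the artifact the post describes as unconditional;
        # the timestamp and leftover-source checks are supporting evidence only.
        return self.bak_present


def inspect_lib_dir(lib_dir: Path) -> InducFinding | None:
    """Inspect one directory holding SysConst.dcu; None if the unit is not there."""
    dcu = lib_dir / "SysConst.dcu"
    if not dcu.is_file():
        return None
    bak = lib_dir / "SysConst.bak"
    bak_present = bak.is_file()
    newer = bak_present and dcu.stat().st_mtime > bak.stat().st_mtime
    return InducFinding(lib_dir, bak_present, newer, (lib_dir / "SysConst.pas").is_file())


def scan(roots: list[Path]) -> list[InducFinding]:
    """Walk each root (e.g. C:\\Program Files\\Borland) and inspect every SysConst.dcu found."""
    findings: list[InducFinding] = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            # Windows file systems are case-insensitive, so compare names lower-cased.
            if any(name.lower() == "sysconst.dcu" for name in filenames):
                finding = inspect_lib_dir(Path(dirpath))
                if finding is not None:
                    findings.append(finding)
    return findings


def _build_fixture(base: Path) -> None:
    """Constructed layout: Delphi7/Lib is clean, Delphi6/Lib shows the Induc artifacts."""
    clean = base / "Delphi7" / "Lib"
    infected = base / "Delphi6" / "Lib"
    clean.mkdir(parents=True)
    infected.mkdir(parents=True)
    (clean / "SysConst.dcu").write_bytes(b"clean unit")
    (infected / "SysConst.bak").write_bytes(b"original unit")
    hour_ago = time.time() - 3600
    os.utime(infected / "SysConst.bak", (hour_ago, hour_ago))
    (infected / "SysConst.dcu").write_bytes(b"recompiled unit with appended code")


def self_test() -> dict[str, tuple[bool, bool]]:
    """Scan the fixture; maps install name -> (suspicious, dcu newer than bak)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        _build_fixture(base)
        return {f.lib_dir.parent.name: (f.suspicious, f.dcu_newer_than_bak)
                for f in scan([base])}


if __name__ == "__main__":
    # With no arguments, run against the constructed fixture; otherwise scan the given roots.
    roots = [Path(p) for p in sys.argv[1:]]
    if not roots:
        print(self_test())
    else:
        for f in scan(roots):
            print(f"{'SUSPICIOUS' if f.suspicious else 'clean'}: {f.lib_dir}")
```

A hit only tells you the rename happened; confirming an infection means submitting the current SysConst.dcu (and any recently built executables) for scanning, since the post notes TROJ_INDUC.AA is the detection for the recompiled unit.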

     



    While still low-intensity compared to the PC platform, malware attacks against Macs are definitely becoming more prevalent. Trend Micro researcher Ivan Macalintal has found another new variant of the JAHLAV family hosted on known malicious domains. The new variant is detected as OSX_JAHLAV.I and, like other JAHLAV variants, poses as a pirated version of a legitimate application and modifies the system’s DNS settings, leaving users open to phishing attacks or surreptitiously redirecting them to sites that may host malicious exploits.

    Unlike the earlier variants, which only posed as versions of QuickTime, this one also poses as pirated versions of Foxit Reader and several antivirus applications. In addition, like the June variant of JAHLAV, OSX_JAHLAV.B, at least one website hosting OSX_JAHLAV.I could also deliver malware onto Windows systems, although that file is no longer available from the website.

    Both Mac and Windows users are protected by the Smart Protection Network against this threat, as the websites involved are already blocked and the malicious files are detected as noted above.
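Both JAHLAV posts in this archive (OSX_JAHLAV.K above and OSX_JAHLAV.I here) describe the same end state: extra DNS server addresses that the local network did not hand out. The following is an added example (not code from the original posts or from Trend Micro) of a check for that state on a Mac. It reads the effective resolver configuration from `scutil --dns`, which is what the system actually uses regardless of how the malware wrote the entries (the posts do not say which configuration mechanism the variants modify). The sample `scutil --dns` output, the 192.0.2.x addresses and the allowlist are constructed for the demonstration and are not the addresses the malware used.

```python
"""Flag DNS resolvers on a Mac that fall outside an allowlist of expected networks,
the artifact the JAHLAV DNS changers leave behind.

Added example, not Trend Micro's code. SAMPLE_SCUTIL_DNS is a constructed sample of
`scutil --dns` output; the 192.0.2.x addresses are documentation addresses, not
the malware's real servers."""
from __future__ import annotations

import ipaddress
import re
import subprocess

# Constructed sample. Resolver #1 carries two addresses a DNS changer inserted
# ahead of the router address that DHCP supplied (192.168.1.1).
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 192.0.2.10
  nameserver[1] : 192.0.2.11
  nameserver[2] : 192.168.1.1
  if_index : 4 (en0)
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  order    : 300000
"""

_NAMESERVER = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)


def parse_nameservers(scutil_output: str) -> list[str]:
    """All nameserver addresses in `scutil --dns` output, in order, without duplicates."""
    servers: list[str] = []
    for addr in _NAMESERVER.findall(scutil_output):
        if addr not in servers:
            servers.append(addr)
    return servers


def rogue_resolvers(servers: list[str], allowed_networks: list[str]) -> list[str]:
    """Resolvers outside every allowed network (LAN router, corporate or ISP resolvers)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    rogue: list[str] = []
    for server in servers:
        try:
            # Strip an IPv6 scope id such as fe80::1%en0 before parsing.
            ip = ipaddress.ip_address(server.split("%")[0])
        except ValueError:
            rogue.append(server)  # not an address at all: still worth a look
            continue
        if not any(ip in net for net in nets):
            rogue.append(server)
    return rogue


def check_live(allowed_networks: list[str]) -> list[str]:
    """Run the check on the local machine (macOS only; scutil is not available elsewhere)."""
    out = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True).stdout
    return rogue_resolvers(parse_nameservers(out), allowed_networks)


if __name__ == "__main__":
    # Against the constructed sample, the two inserted addresses are reported.
    print(rogue_resolvers(parse_nameservers(SAMPLE_SCUTIL_DNS), ["192.168.0.0/16"]))
```

The allowlist has to reflect what the network really hands out: a legitimately configured public resolver will be reported too unless it is added, which is the intended behaviour for a host that should only be using the LAN's resolvers.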

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice