Archive for September, 2009


Sep29
by Jessa De La Torre (Threat Response Engineer)

Cybercriminals have leveraged Tropical Storm Ondoy (international name: Ketsana), which hit the Philippines and killed around 140 people. Senior Threat Analyst Joseph Pacamarra found several malicious sites that appeared each time users searched for strings such as “manila flood,” “Ondoy Typhoon,” and “Philippines Flood.” The said sites emerged among the top search results.

Once users click the URL, they are redirected through several landing pages where they are asked to download an EXE file, soft_207.exe, which Trend Micro detects as TROJ_FAKEAV.BND. This attack performs GeoIP checks, which means it targets only specific regions or locations (one of the landing sites is hxxp://{BLOCKED}uterbestscan11.com/scan1/geoip.php).


Figure 1. Screenshot of the malicious search result

Figure 2. The EXE file that users need to download

“Cybercriminals heartlessly exploited the calamity that unfolded in the Philippines. They rigged multiple URLs related to this news to point unknowing users to FAKEAV. Such SEO poisoning campaigns attract users all over the Web, especially those who are trying to get information about their loved ones and fellow countrymen in the Philippines,” Pacamarra said.

Although riding on tragic events is not exactly new, what is notable is that this attack once again employed blackhat SEO to lead users to FAKEAV, as we have previously discussed here.

Users are advised to be wary of clicking any URLs. Trend Micro protects users from this attack via the Trend Micro Smart Protection Network, which blocks all related URLs and detects the said FAKEAV.


Sep28
by Bernadette Irinco (Technical Communications)

Trend Micro researchers discovered another wave of mass website compromises, this time involving the sites of several Thai government agencies. One of the compromised sites, the Thai Police site, was injected with malicious code that redirects users to several malicious sites. One of the landing pages, http://{BLOCKED}t.ru/ip/bchqu1.exe, served a downloader detected by Trend Micro as TROJ_DLOADER.DNG. This Trojan downloader is responsible for downloading several other malware (detected as TROJ_FAKEREAN.BW, TROJ_CUTWAIL.GQ, and TSPY_ZBOT.ACH).


Figure 1. Screenshot of compromised police site


Figure 2. Screenshot of fake Antivirus Pro 2010

Figure 3. Screenshot of compromised site

According to Senior Threat Analyst Joseph Pacamarra, who found the mass compromise, cybercriminals are now entertaining the idea of using compromised legitimate sites as an avenue to proliferate FAKEAV.

As of this writing, Trend Micro has contacted and informed all entities concerned to clean up the said websites. They have also been informed of the user risks brought about by such attacks. We have also notified ThaiCERT regarding the compromised sites. Users of Trend Micro Smart Protection Network are protected from this attack.


Sep28
by Joey Costoya (Advanced Threats Researcher)

Trend Micro threat analysts recently snagged an email pushing a bogus Windows Live Messenger hosted at http://{BLOCKED}s-live-msn.serveftp.com/Windows_Live_9.0_beta.exe (detected as WORM_VB.PAB). The .EXE file is, of course, not the “real” Windows Live Messenger but a bot that reports to an IRC-based C&C, connecting with the following details:

Server: {BLOCKED}s.rvsanmiguel.com
Server IP: {BLOCKED}.{BLOCKED}.110.141
Port: 6767
Serverkey: m4s3rvp4ssz
Channel: #s3k4nt
Chankey: m4n0sp4z


Figure 1. Sample spam email

The said bot’s primary function seems to be MSN spamming. As of this writing, the C&C channel is idle and has not yet issued any commands. Apart from MSN spamming, the bot is also designed to spread via USB autorun and P2P networks such as Kazaa and Limewire.

Windows Live Messenger users should thus refrain from clicking the malicious URL spreading via email. Trend Micro Smart Protection Network already blocks the malicious URL and detects the fake Windows Live Messenger as WORM_VB.PAB.


Sep24
by Erika Mendoza (Threat Response Engineer)

Apart from SEO poisoning, cybercriminals have found another avenue to proliferate FAKEAV malware: bogus sponsored links (sitios patrocinados in Spanish). Just recently, Trend Micro researchers were alerted to malicious search engine ads that appeared in Microsoft’s Bing and AltaVista, among others, when a user searched for the string “malwarebytes.” (Malwarebytes is a legitimate free antivirus product, not a FAKEAV.) Clicking the malicious URL points the user to an executable file named MalwareRemovalBot.exe-1 (detected by Trend Micro as TROJ_FAKEAV.DMZ).

Figure 1. Malicious banner ad on Bing


Figure 2. Malicious banner ad on AltaVista

Upon execution, the rogue antivirus displays false information that the system is infected with files that do not even exist.


Figure 3. Fake scan results

In the past, cybercriminals employed the same tactic when they hitchhiked on the Trend Micro brand: some Google searches then showed banner ads that led to a fraudulent Trend Micro website.

Though the ads may not appear in all regions, all users are still strongly advised to be extra careful when clicking links in search engines. Users connected to the Trend Micro Smart Protection Network are protected from this attack as it detects and blocks all malicious URLs.


Sep22
by Christian Potencia (Threat Response Engineer)

Removable drives are one of the most common infection vectors for malware today. Worms propagate via these vectors to proliferate their payload and ultimately, infect more users.

Users need to take some countermeasures to secure their systems. One way of doing this is to protect removable drives against worms that abuse the Autorun feature.

One popular way of protecting removable drives is to create a folder or file in the root of the drive and name it AUTORUN.INF. A worm’s own AUTORUN.INF file is what lets the malware run automatically when the drive is inserted, even without the user executing it. By creating this file beforehand, ideally, worms would not be able to run in this way.

However, this method is not perfect. Worms can delete the existing AUTORUN.INF file or folder, and then replace it with a malicious version. This would negate any protection placed by the user on the said file. However, by using file permissions to restrict changes, the AUTORUN.INF file can be protected more effectively.

Note: Make sure that your external drive is formatted using NTFS, as this procedure uses a specific feature of NTFS. If your removable drive is formatted using either FAT or FAT32, back up any data on the said drive first and reformat using NTFS. This may require Windows Vista or Windows 7.

  1. Create a new folder in the root directory of the removable disk and rename it as “AUTORUN.INF.”
  2. Create four more folders in the same location and name them “recycle,” “recycler,” “recycled,” and “setup,” respectively.

    Note: The folders recycle, recycler, recycled, and setup are optional, but users are recommended to create them as malware often uses these names.

  3. Open a command prompt (cmd.exe) and go to the root directory of your removable drive.
  4. Set the folder attributes using the following DOS command:
    attrib autorun.inf /s /d -a +s +r

    Figure 1. Setting the folder attributes

  5. Set the privilege level of the folder using the following DOS command:
    cacls autorun.inf /c /d administrators

    Figure 2. Setting the privilege level of the folder

  6. Type ‘Y’ and press Enter when the message “Are you sure (Y/N)?” appears.
  7. To test it, try to delete, modify, rename, copy, or open the created folder. If you cannot perform any of these functions, then the procedure is successful.


Figure 3. When the user deletes the created folder, the system displays this message prompt.
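The seven steps above combined into one batch script, added here as an example and not the post’s own script: it creates the decoy folders, applies the same attrib and cacls settings, answers the confirmation prompt, and then performs the deletion test from step 7 so the result is checked rather than eyeballed. It assumes the drive letter is passed as the first argument (for example E:), that the drive is NTFS, and that it runs from an elevated command prompt; the fsutil-based NTFS check is an addition of this example and is not part of the original steps.

```batch
@echo off
REM Added example, not the post's own script: applies the AUTORUN.INF
REM hardening steps to one removable drive and then runs the step-7
REM deletion test so the outcome is verified.
REM Assumptions: the drive letter is the first argument (e.g. E:), the
REM drive is NTFS, and this runs from an elevated command prompt so
REM that fsutil works and CACLS may rewrite the folder's ACL.
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 E:
    exit /b 1
)
set "DRIVE=%~1"
if not exist "%DRIVE%\" (
    echo Drive %DRIVE% is not available.
    exit /b 1
)

REM The protection relies on NTFS ACLs; FAT/FAT32 volumes cannot hold them.
REM This check is an addition of the example; the post only asks you to
REM make sure the drive is NTFS.
fsutil fsinfo volumeinfo "%DRIVE%\" | findstr /i "NTFS" >nul
if errorlevel 1 (
    echo %DRIVE% does not appear to be NTFS; back up and reformat it first.
    exit /b 1
)

REM Steps 1-2: decoy folders. AUTORUN.INF occupies the name a worm's
REM autorun file would use; the other four are names worms commonly reuse.
for %%D in (AUTORUN.INF recycle recycler recycled setup) do (
    if not exist "%DRIVE%\%%D" mkdir "%DRIVE%\%%D"
)

REM Step 4: clear the archive bit and mark the folder system + read-only.
REM /d makes attrib process folders (not only files); /s mirrors the post.
attrib -a +s +r "%DRIVE%\AUTORUN.INF" /s /d

REM Steps 5-6: deny the Administrators group access to the folder. Without
REM /e, CACLS replaces the ACL, so only this deny entry remains. The
REM "Are you sure (Y/N)?" prompt is answered by piping Y into it.
echo Y| cacls "%DRIVE%\AUTORUN.INF" /c /d administrators

REM Step 7: the folder must survive a forced delete attempt.
rd /s /q "%DRIVE%\AUTORUN.INF" 2>nul
if exist "%DRIVE%\AUTORUN.INF" (
    echo OK: %DRIVE%\AUTORUN.INF is protected and could not be removed.
    exit /b 0
)
echo FAIL: the decoy folder was deleted; check the file system and ACL.
exit /b 1
```

Save it as, for example, protect_autorun.cmd and run `protect_autorun.cmd E:` from an elevated command prompt. Because cacls is used without /e, the folder’s ACL is replaced rather than edited, which is why even the script’s own deletion attempt fails; that is the behaviour the post’s step 7 relies on.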

In addition to the above procedure, users may also choose to use hardware means of protection. Certain removable drives have an external switch that prevents the device from being written to. This would prevent malware from making any modifications to the drive, including the AUTORUN.INF file. However, as this may prove to be somewhat inconvenient, it is still a good idea to use the procedure shown above.

In the past, Trend Micro has blogged about prominent threats that propagated via removable drives:

Further propagation of such threats could have been prevented simply by protecting your removable drive.



© Copyright 2010 Trend Micro Inc. All rights reserved. Legal Notice