    Archive for September 28th, 2009
    Trend Micro researchers discovered another wave of mass website compromises, this time involving the sites of several Thai government agencies. One of the compromised sites, the Thai Police site, was injected with malicious code that redirects visitors to several malicious sites. One of the landing pages, http://{BLOCKED}t.ru/ip/bchqu1.exe, served a downloader detected by Trend Micro as TROJ_DLOADER.DNG. This Trojan downloader is responsible for retrieving several other pieces of malware (detected as TROJ_FAKEREAN.BW, TROJ_CUTWAIL.GQ, and TSPY_ZBOT.ACH).


    Figure 1. Screenshot of compromised police site


    Figure 2. Screenshot of fake Antivirus Pro 2010


    Figure 3. Screenshot of compromised site

    According to Senior Threat Analyst Joseph Pacamara, who discovered the mass compromise, cybercriminals are now exploring the use of compromised legitimate sites as a vector for distributing FAKEAV.

    As of this writing, Trend Micro has contacted and informed all entities concerned so that they can clean up the affected websites. They have also been informed of the risks such attacks pose to their users. We have also notified ThaiCERT regarding the compromised sites. Users of the Trend Micro Smart Protection Network are protected from this attack.

    Trend Micro threat analysts recently caught an email pushing a bogus Windows Live Messenger hosted at http://{BLOCKED}s-live-msn.serveftp.com/Windows_Live_9.0_beta.exe (detected as WORM_VB.PAB). The .EXE file is, of course, not the real Windows Live Messenger but a bot that connects to an IRC-based C&C using the following details:

    Server: {BLOCKED}s.rvsanmiguel.com
    Server IP: {BLOCKED}.{BLOCKED}.110.141
    Port: 6767
    Serverkey: m4s3rvp4ssz
    Channel: #s3k4nt
    Chankey: m4n0sp4z


    Figure 1. Sample spam email

    The bot’s primary function appears to be MSN spamming. As of this writing, the C&C channel is idle and has not yet issued any commands. Apart from MSN spamming, the bot is also designed to spread via USB autorun and through P2P networks such as Kazaa and Limewire.

    Windows Live Messenger users should therefore not click the malicious URL being distributed via email. The Trend Micro Smart Protection Network already blocks the malicious URL and detects the fake Windows Live Messenger as WORM_VB.PAB.

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice