    Archive for December 15th, 2009

    Just recently, the China Internet Network Information Center (CNNIC) announced that parties applying for .CN domain names will now be required to submit hard copies of documents, in addition to their online application, to prove the legitimacy of their request. These documents (the original application form with business seal, plus photocopies of both the company business license and the registrant's ID) have to be submitted within 5 days of the online application, and must meet certain requirements before being approved. If the applicant refuses to submit the necessary documents or fails to meet the set requirements, the domain applied for will be removed. The new policy is intended to improve the domain name registration process and to enhance the accuracy of the information associated with registered domains.

    We at Trend Micro are certainly pleased with this move by CNNIC, as it is clearly a step in the right direction for monitoring .CN domains. Domains associated with China have been notorious for serving malicious files and for acting as landing pages for compromised sites that push exploits. However, based on our experience in closely monitoring modern threats, the five-day delay will still give cybercriminals a big enough window of opportunity to continue their criminal business.

    Malicious URLs can infect as many users as are led to them in as little as a few minutes. Cybercriminals thus already profit even if a URL stays up for only a few hours. Giving them a full 120 hours before a domain is withdrawn will do very little to stop their crimes.

    The new policy is indeed a good start; it is unfortunate, however, that it is not enough to stop modern threats.

    It looks like spammers have found a new service on which to host their sites. For several days, Trend Micro threat researchers have been seeing spammed messages advertising various prescription medications.

    As expected, clicking any of the links in the email leads to the spammers’ website. Unusually, however, the links point to blogs hosted by Yahoo!

    The presence of Yahoo!’s logo on these sites may well be interpreted by some users either as an endorsement or as a sign that the site is legitimate.

    Trend Micro product users need not worry, however, as the spammed messages are blocked by the Smart Protection Network, along with user access to the spam sites.

     



    ZBOT has been spotted in another spam run, once again targeting Facebook users.


    By clicking the link embedded in the email, users will land on a Facebook phishing page.


    This time, however, the phishing page contains an iframe that points to a Web exploit toolkit. The toolkit can deliver a variety of exploits, depending on the user’s browser and OS.


    For Firefox users, the toolkit pushes a .PDF file (detected by Trend Micro as TROJ_PIDIEF.PAL) that exploits a known vulnerability in Collab.getIcon. If the exploit toolkit fails to infect the user, ZBOT still has the social-engineering path: after the user enters credentials into the phishing page, he or she is led to a download page for updatetool.exe, which is the ZBOT binary (detected as TSPY_ZBOT.CCB).
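As an added example (not Trend Micro's code or tooling), the following Python triage helpers cover the two stages of the chain described above: they flag off-domain or invisible iframes in a captured phishing page, and inflate a PDF's FlateDecode streams to look for JavaScript that calls Collab.getIcon. The hostnames, the sample page and the sample PDF are all constructed for the example.

```python
"""Triage helpers for the phishing-page + exploit-kit chain above (added example, not Trend Micro code)."""
import re
import zlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))

def suspicious_iframes(html, page_host):
    """Iframes loading from another host or styled to be invisible: the kit-redirect pattern."""
    p = _IframeCollector()
    p.feed(html)
    hits = []
    for a in p.iframes:
        src = a.get("src") or ""
        host = urlparse(src).hostname or page_host          # relative src stays on-page
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        if host != page_host or hidden:
            hits.append({"src": src, "off_domain": host != page_host, "hidden": hidden})
    return hits

def pdf_javascript_indicators(pdf_bytes):
    """Inflate FlateDecode streams, then flag /JavaScript and the Collab.getIcon call the PDF abused."""
    text = pdf_bytes
    for stream in re.findall(rb"stream\r?\n(.*?)endstream", pdf_bytes, re.S):
        try:
            text += zlib.decompressobj().decompress(stream)  # tolerates the trailing newline
        except zlib.error:
            pass                                            # uncompressed stream, already in pdf_bytes
    return {"has_javascript": b"/JavaScript" in text, "collab_geticon": b"Collab.getIcon" in text}

# Constructed samples: a look-alike login form with a zero-size off-domain iframe, and a PDF
# whose OpenAction runs a compressed Collab.getIcon call (no exploit content, just the API name).
SAMPLE_HTML = ('<html><body><form action="login.php"><input name="email">'
               '<input name="pass" type="password"></form>'
               '<iframe src="http://kit.example/index.php" width="0" height="0"></iframe>'
               '</body></html>')

def build_sample_pdf():
    js = zlib.compress(b"Collab.getIcon(app.doc.path);")
    return (b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript /JS 2 0 R >> >> endobj\n"
            b"2 0 obj << /Filter /FlateDecode >>\nstream\n" + js + b"\nendstream\nendobj\n%%EOF\n")
```

Run `suspicious_iframes(SAMPLE_HTML, "login-facebook.example")` and `pdf_javascript_indicators(build_sample_pdf())` against the constructed samples; on real captures, a hit on either check is a reason to detonate the page or file in a sandbox rather than trust the Yahoo!- or Facebook-styled branding.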


    Trend Micro Smart Protection Network blocks all related spammed messages and ZBOT domains and prevents the download of all related files.

    BREDOLAB has set out on a spam rerun just in time for the holidays. This run is similar to the laptop delivery-note spam run we reported in August. This time, however, the spammed message appears to come from the well-known courier DHL.

    The spammed message is made to look like a notification from DHL alerting the user to an error in shipping a package, and it prompts the user to open an attached file.


    The attached file DHL_package_label_cfb35.exe is detected as TROJ_BREDOLAB.CB.

    The dynamics of this spam run, although relatively old and simple, could still pack a punch, especially now that we are well into the part of the holiday season when most people do their gift shopping. People who have purchased a laptop online and are expecting it to arrive by mail are particularly prone to falling for this attack.

    Last month, we published Trend Micro research that revealed connections between BREDOLAB, FAKEAV, and ZBOT. BREDOLAB has been used numerous times to deploy FAKEAV and ZBOT variants. This behavior is similar to that of PUSHDO, which also led to the conclusion that PUSHDO and BREDOLAB were developed by the same cybercriminals. Our full report on BREDOLAB can be found here.

    Trend Micro product users are protected from this threat through the Smart Protection Network.

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice