Archive for January, 2010


Jan27
by Mary Bagtas (Anti-spam Research Engineer)

As rescue efforts continue in Haiti, the world waits with bated breath for more good news about survivors. Unfortunately, while most people are thinking of ways to help victims, cybercriminals are using the tragedy to further their own malicious causes. Blackhat search engine optimization (SEO) poisoning attacks related to this tragedy have already led to FAKEAV infections.

However, the most recent FAKEAV run appears to be only the start of more Haiti-related malware attacks. We recently received Portuguese spam samples purporting to come from the BBC. Translated into English, the spammed message describes the situation in Haiti and urges recipients to click a link to an embedded video, which supposedly contains photos taken by an amateur photographer who witnessed the earthquake.


Clicking the link, however, redirects users to a site where they are asked to save a .EXE file, detected by Trend Micro as TROJ_BANLOAD.JAE. This Trojan connects to websites to download another malicious file, detected as TSPY_BANKER.LMG, a stealer of online banking information.


This is a good reminder that spammers will do anything to make their messages look legitimate. The defense is to check whether the details of a message are consistent with one another: if the link really led to video or photographs of the aftermath, there would be no reason to download or execute a .EXE file. Users should therefore exercise caution when opening messages, particularly unsolicited ones that claim to come from well-known organizations.

Trend Micro™ Smart Protection Network™ already protects users from this attack by detecting and blocking the spammed messages, preventing user access to malicious sites, and blocking the download of the malicious files.


 

Jan27
by Carolyn Guevarra (Technical Communications)

Even before the first iPad has been sold, cybercriminals are already profiting from the popularity of Apple's latest product.

Trend Micro threat engineers today found some malicious search results while looking for information related to the announcement of the Apple Tablet.

These poisoned search results turned out to be part of the never-ending blackhat search engine optimization (SEO) FAKEAV campaigns. When clicked, they lead to the download of a rogue antivirus program, which Trend Micro detects as TROJ_FAKEAV.EAM.

Since Apple announced when the iPad will be made available to consumers, it has been one of the hottest topics on the Web, and cybercriminals were never going to let that pass. Given the anticipation for the product, many users are likely to be victimized by this latest FAKEAV attack. Users are thus advised to be wary of search results and links from unfamiliar sites and to go to reputable news sites for the latest information about the iPad.

Trend Micro is continuously working to protect users from this threat and to provide more information about this latest FAKEAV SEO attack.

Update (January 27, 2010, 11:50 p.m. GMT+8):

When executed, TROJ_FAKEAV.EAM displays a professional-looking graphical user interface (GUI) that supposedly installs the software, then shows fake infection alerts. Should the user choose to clean the system of the supposed infections, the Trojan displays a purchase page, which can lead to a phishing page should the user opt to buy the FAKEAV.

 

Jan27
by Danielle Veluz (Technical Communications)

News of celebrity deaths (real or hoax) has a habit of spreading across the Internet like wildfire, with each retelling sensationalizing bits of information to entice readers. It is easy to see why pranksters and cybercriminals exploit the fact that people love gossip.

So when rumors of Johnny Depp’s supposed death due to a car crash broke out, it did not take long before cybercriminals took advantage of the supposed reports to spread malware via their usual blackhat search engine optimization (SEO) tactics.


While most hoaxes come in the form of spammed messages, this scam relied on several malicious sites to which rigged search results led; curious readers ended up with infected systems rather than with more information on Depp's alleged death.


Taken at face value, the fake blog pages may pass for a reputable source. Once users click the embedded links, however, they are redirected to a video entertainment site that claims to host footage of Depp's accident.


Upon playing the supposed video, users will be prompted to download a codec in order to watch it, which is actually a malicious file detected by Trend Micro as TROJ_DLOADER.GRM.

When executed, TROJ_DLOADER.GRM connects to a remote site to download a malicious file. It then displays a professional-looking graphical user interface (GUI) promoting a bogus product called DriveCleaner 2006 before opening a window that shows the installation progress of that software, which is itself an executable file.
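Both the Haiti mail described earlier and this "codec" lure rely on the same inconsistency: a link that promises media (photos, a video, a codec to play a video) but delivers a Windows executable. The following is an added example, not code from the original posts or from Trend Micro, showing the check a practitioner can run on a downloaded file before trusting it: compare the file's magic bytes (with a stricter PE header walk for the executable case) against what the lure promised, and flag executable and double extensions. The sample payloads, file names and the promised-content labels are constructed for illustration.

```python
import struct

# Byte signatures worth checking before trusting a "video" or "codec" download.
# (offset, signature, label)
MAGIC = [
    (0, b"MZ", "pe-executable"),                            # Windows EXE/DLL/SCR
    (0, b"FLV\x01", "flash-video"),
    (4, b"ftyp", "mp4-video"),
    (0, b"\x1a\x45\xdf\xa3", "matroska-video"),
    (0, b"\x30\x26\xb2\x75\x8e\x66\xcf\x11\xa6\xd9", "wmv-video"),
    (0, b"RIFF", "riff-container"),                         # AVI is RIFF + 'AVI ' at offset 8
    (0, b"\xff\xd8\xff", "jpeg-image"),
    (0, b"\x89PNG\r\n\x1a\n", "png-image"),
]
MEDIA_LABELS = {"flash-video", "mp4-video", "matroska-video", "wmv-video",
                "riff-container", "jpeg-image", "png-image"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}
MEDIA_EXT = {".avi", ".wmv", ".mpg", ".mp4", ".flv", ".jpg", ".png"}


def identify(data: bytes) -> str:
    """Return the label of the first matching signature, or 'unknown'."""
    for offset, sig, label in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return label
    return "unknown"


def looks_like_pe(data: bytes) -> bool:
    """Stricter PE check: 'MZ' at 0 and e_lfanew (offset 0x3C) pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def assess(promised: str, filename: str, data: bytes) -> list:
    """Compare what the lure promised ('video', 'photos' or 'codec') with what the
    link actually delivered. Returns a list of findings; an empty list means the
    name and content are consistent with the promise."""
    findings = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXT:
        findings.append(f"{filename}: executable extension {ext} offered for '{promised}'")
    if len(parts) > 2 and "." + parts[-2] in MEDIA_EXT:
        findings.append(f"{filename}: double extension hides an executable behind a media name")
    if looks_like_pe(data):
        findings.append(f"{filename}: content is a Windows PE executable, not media")
    elif promised in {"video", "photos"} and identify(data) not in MEDIA_LABELS:
        findings.append(f"{filename}: content type '{identify(data)}' does not match promised {promised}")
    if promised == "codec":
        findings.append("a site that needs you to install its own 'codec' to play a video is itself suspect")
    return findings


def fake_pe() -> bytes:
    """Constructed minimal PE-like header (not a runnable program) for the samples below."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed samples modelled on the two lures: photos that are really an EXE,
# a "codec" that is really an EXE, and a genuine FLV clip for comparison.
HAITI_SAMPLE = ("photos", "haiti_fotos.exe", fake_pe())
CODEC_SAMPLE = ("codec", "codec_setup.exe", fake_pe())
REAL_VIDEO = ("video", "clip.flv", b"FLV\x01\x05" + b"\x00" * 16)

if __name__ == "__main__":
    for promised, name, payload in (HAITI_SAMPLE, CODEC_SAMPLE, REAL_VIDEO):
        print(name, assess(promised, name, payload) or ["consistent"])
```

The extension checks catch the obvious cases, but the magic-byte and PE-header checks are what matter: a renamed executable keeps its "MZ" and "PE" headers whatever its file name says.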


If there is one thing all users should take from this, it is never to underestimate the speed at which an Internet hoax spreads. Seasoned Web surfer or first-timer, it is always advisable to keep your guard up. Cybercriminals want profit, and the more successful an attack, the more money they make.

Trend Micro™ Smart Protection Network™ protects users from this threat by blocking access to malicious sites and detecting and preventing the download of harmful codecs and malicious files.

 

Jan26
by Ria Rivera (Technical Communications)


It has been a year since WORM_DOWNAD.AD (aka "Conficker") began a trail of system infections around the world. Since then, Trend Micro has detected new variants, including WORM_DOWNAD.KK, an upgraded version that increased the number of domains the worm generates from 250 to 50,000 per day, making the rendezvous points for its updates far harder to block.

In recent months, things have been relatively quiet on the DOWNAD/Conficker front. This does not mean, however, that the world is safe from another round of mass infections like the one it experienced previously. Data released by the Conficker Working Group, of which Trend Micro is a member, shows that the worm remains active: in the first week of 2010 alone, an average of more than 100 million unique IP addresses connected to the group's tracking systems. The graph below shows the number of unique IP addresses connecting to the tracking systems over the span of one year.

These figures are consistent with Akamai's State of the Internet report for Q3 2009, which shows continued significant activity on port 445, the SMB port DOWNAD/Conficker uses to spread across networks. The report also notes a change in trend: most of this attack traffic now originates from Russia and Brazil, which have replaced China and the United States as the top two sources.
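Port 445 fan-out from a single internal host is the observable side of DOWNAD/Conficker's SMB spreading, and it is the pattern a defender can hunt for in firewall logs. The following is an added example, not code from Trend Micro, the Conficker Working Group or the Akamai report: it flags sources that contact many distinct hosts on tcp/445 within a short window, while leaving the normal many-clients-to-one-file-server pattern alone. The log format, addresses and thresholds are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed firewall log excerpt (not real data): one host fanning out to twelve
# internal neighbours on tcp/445 within seconds, beside ordinary file-server traffic.
SAMPLE_LOG = "\n".join(
    [f"2010-01-26T09:00:{i:02d} ALLOW src=10.0.5.17 dst=10.0.5.{20 + i} proto=tcp dport=445"
     for i in range(12)]
    + [
        "2010-01-26T09:00:03 ALLOW src=10.0.5.44 dst=10.0.5.20 proto=tcp dport=445",
        "2010-01-26T09:00:09 ALLOW src=10.0.5.45 dst=10.0.5.20 proto=tcp dport=445",
        "2010-01-26T09:00:10 ALLOW src=10.0.5.44 dst=10.0.5.20 proto=tcp dport=445",
        "2010-01-26T09:00:11 ALLOW src=10.0.5.44 dst=10.0.5.9 proto=tcp dport=80",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_log(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def find_fanout(events, port=445, min_targets=10, window_seconds=60) -> dict:
    """Return {src: peak distinct destinations} for every source that reached at
    least `min_targets` distinct hosts on tcp/`port` inside any `window_seconds`
    span. Fan-out (one source, many destinations) is the scanning signature;
    many sources talking to one file server on 445 is normal and is not flagged."""
    by_src = {}
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == port:
            by_src.setdefault(e["src"], []).append((e["ts"], e["dst"]))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        in_window = Counter()   # distinct destinations currently inside the window
        peak, left = 0, 0
        for ts, dst in hits:
            in_window[dst] += 1
            # slide the left edge forward until the window is at most window_seconds wide
            while (ts - hits[left][0]).total_seconds() > window_seconds:
                old = hits[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in find_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {n} distinct hosts on tcp/445 within 60s; check for DOWNAD/Conficker")
```

The threshold and window are site-specific: a domain controller or backup server legitimately opens many SMB sessions, so a real deployment would whitelist such hosts rather than lower the threshold for everyone.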

Users should therefore patch their systems and applications as soon as fixes become available; the worm's network spread still depends on the Windows vulnerability fixed by MS08-067. It is also advisable to keep Autorun disabled, since the worm also copies itself to removable drives together with an autorun.inf file, so disabling Autorun reduces the risk of propagation and reinfection.

Trend Micro™ Smart Protection Network™ protects users from all known variants of DOWNAD/Conficker in real time by blocking access to identified malicious sites and domains, and by detecting and preventing the download of malicious files.
The firewall modules available in the desktop products can stop DOWNAD/Conficker from spreading across the network. Moreover, applying the Trend Micro Deep Security solution provides protection on servers and clients against this and other network attacks.

 

Jan26
by Fatima Bancod (Fraud Analyst)

Trend Micro fraud analysts were recently alerted to the discovery of a new phishing campaign that specifically targets AOL Instant Messenger (AIM) users.

The spammed message purports to be from AIM and urges recipients to download and execute the latest AIM version to reactivate their currently inactive accounts.


This becomes a problem if the recipients actually have AIM accounts, as they may be tricked into clicking the link, http://{BLOCKED}update.aol.com.yhff13.com.pl/products/aimController.php?code=826954935720939660939448039218184173&email=angelan@bc4.so-net.ne.jp. Note how the host name is constructed: update.aol.com appears only as a subdomain of yhff13.com.pl, the domain the attacker actually controls, and the recipient's own address is embedded in the query string so the phisher can tell who clicked. Instead of an application update, the link leads to a spoofed AIM website, and the end result may be the loss of personal information or, worse, identity theft.
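The host name in that link is the key tell, and the check can be done mechanically rather than by eye. The following is an added example, not code from the original post or from Trend Micro: it extracts the registrable domain of a link (the public suffix plus one label) and compares it with the brand the message claims to come from. It uses a tiny stand-in for the Public Suffix List and a constructed copy of the phishing URL with the {BLOCKED} prefix dropped, a shortened code value and a placeholder recipient address.

```python
from urllib.parse import parse_qs, urlparse

# Trimmed stand-in for the Public Suffix List (publicsuffix.org). A real check
# loads the full list; these entries only cover the constructed samples below.
PUBLIC_SUFFIXES = {"com", "net", "org", "pl", "com.pl", "jp", "ne.jp", "uk", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the domain someone actually registered: the longest public suffix
    plus one more label. 'update.aol.com.yhff13.com.pl' -> 'yhff13.com.pl'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return suffix if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])   # no known suffix: fall back to the last two labels


def assess_link(url: str, brand_domain: str) -> dict:
    """Check a link from a message that claims to come from `brand_domain`."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reg = registrable_domain(host) if host else ""
    params = parse_qs(p.query)
    return {
        "host": host,
        "registrable_domain": reg,
        "matches_brand": reg == brand_domain,
        # the brand's name planted in a subdomain of someone else's domain
        "lookalike": brand_domain in host and reg != brand_domain,
        # a recipient address in the link tells the phisher exactly who clicked
        "recipient_in_query": params.get("email", [None])[0],
    }


# Constructed URLs: the phishing link modelled on the one in the post (blocked
# prefix dropped, code shortened, recipient replaced) and a legitimate-looking one.
PHISH_URL = ("http://update.aol.com.yhff13.com.pl/products/aimController.php"
             "?code=1234567890&email=victim@example.com")
LEGIT_URL = "https://update.aol.com/products/aim"

if __name__ == "__main__":
    for url in (PHISH_URL, LEGIT_URL):
        r = assess_link(url, "aol.com")
        verdict = "OK" if r["matches_brand"] else "SUSPECT"
        print(f"{verdict}: {r['host']} is really {r['registrable_domain']}; "
              f"recipient tracked: {r['recipient_in_query']}")
```

The naive "last two labels" rule would report com.pl here and miss the point, which is why the suffix list matters: the question is never whether the brand name appears in the host, but who owns the domain the host ultimately belongs to.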


Users who land on the phishing page are prompted to download the file aimupdate_7.1.6.475.exe, detected by Trend Micro as TSPY_ZBOT.JF, which injects code into certain legitimate processes. Like earlier ZBOT variants, it contacts a website to update its list of target banks and other financial institutions, and sends the credentials it steals from those sites to a remote server.


Trend Micro™ Smart Protection Network™ protects users from this attack by blocking the spammed messages, preventing user access to malicious sites, and detecting and blocking the download of malicious files.

 


© Copyright 2010 Trend Micro Inc. All rights reserved. Legal Notice