
    Archive for January 26th, 2010





It has been a year since WORM_DOWNAD.AD (aka Conficker) began its trail of system infections around the world. Since then, Trend Micro has detected new variants, including WORM_DOWNAD.KK, an upgraded version that raised the number of domains the worm generates each day from 250 to 50,000.

In recent months, things have been relatively quiet on the DOWNAD/Conficker front. This does not mean, however, that the world is safe from a repeat of the massive wave of infections it previously experienced. Data released by the Conficker Working Group, of which Trend Micro is a member, shows that the worm remains active: an average of more than 100 million unique IP addresses connected to the group’s tracking systems in the first week of 2010 alone. The graph below shows the number of unique IP addresses connecting to the tracking systems over the span of one year.

These figures are further supported by Akamai’s State of the Internet report for Q3 2009, which shows that significant port 445 activity continues. Updates on the worm also show a change in the trend: most attacks now originate from Russia and Brazil, which have replaced China and the United States as the top two sources of traffic.

Users should therefore patch their systems and programs as soon as fixes are made available; for DOWNAD/Conficker that means the MS08-067 update, which closes the Windows Server service hole the worm exploits over port 445. It is also advisable to keep AutoRun disabled, which removes the removable-drive route the worm uses to propagate and to reinfect cleaned machines.
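The port 445 activity that the Akamai numbers reflect is also the easiest thing to watch for locally: an infected host contacts many distinct SMB endpoints in a short time as it probes for vulnerable machines. The following script, added here as an illustration rather than code from the original post or from Trend Micro, flags that fan-out in flow records. The log format and the sample flows are constructed for the example, and the threshold of ten distinct targets per minute is an assumed starting point to tune against your own network.

```python
"""Flag hosts that fan out across many TCP/445 destinations, the scanning
pattern a DOWNAD/Conficker infection produces while hunting for MS08-067
targets. Added example, not Trend Micro code. The flow-log shape below is
constructed for the demo and is not any product's real format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port proto".
# 10.0.0.15 sweeps twelve hosts on 445 in six seconds (worm-like);
# 10.0.0.20 talks to a couple of file servers (normal); 10.0.0.21 is web only.
SAMPLE_FLOWS = """\
2010-01-26T08:00:01 10.0.0.15 10.0.1.1 445 tcp
2010-01-26T08:00:01 10.0.0.15 10.0.1.2 445 tcp
2010-01-26T08:00:02 10.0.0.15 10.0.1.3 445 tcp
2010-01-26T08:00:02 10.0.0.15 10.0.1.4 445 tcp
2010-01-26T08:00:03 10.0.0.15 10.0.1.5 445 tcp
2010-01-26T08:00:03 10.0.0.15 10.0.1.6 445 tcp
2010-01-26T08:00:04 10.0.0.15 10.0.1.7 445 tcp
2010-01-26T08:00:04 10.0.0.15 10.0.1.8 445 tcp
2010-01-26T08:00:05 10.0.0.15 10.0.1.9 445 tcp
2010-01-26T08:00:05 10.0.0.15 10.0.1.10 445 tcp
2010-01-26T08:00:06 10.0.0.15 10.0.1.11 445 tcp
2010-01-26T08:00:06 10.0.0.15 10.0.1.12 445 tcp
2010-01-26T08:00:10 10.0.0.20 10.0.5.5 445 tcp
2010-01-26T08:00:11 10.0.0.20 10.0.5.5 445 tcp
2010-01-26T08:00:12 10.0.0.20 10.0.5.6 445 tcp
2010-01-26T08:00:12 10.0.0.21 10.0.1.2 80 tcp
2010-01-26T08:00:13 10.0.0.21 10.0.1.3 80 tcp
2010-01-26T09:30:00 10.0.0.15 10.0.1.50 445 tcp
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, port, proto) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, proto = parts
        try:
            yield datetime.fromisoformat(ts), src, dst, int(port), proto
        except ValueError:
            continue


def find_smb_scanners(flows, threshold=10, window=timedelta(minutes=1)):
    """Return {src: max distinct TCP/445 destinations seen within any `window`}
    for sources reaching `threshold`. Fan-out is measured per *source*, so a
    busy file server (many clients -> one server) is not flagged; only a host
    that itself reaches out to many SMB endpoints is."""
    per_src = defaultdict(list)  # src -> [(ts, dst)] for 445/tcp only
    for ts, src, dst, port, proto in flows:
        if port == 445 and proto == "tcp":
            per_src[src].append((ts, dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        seen = defaultdict(int)  # dst -> occurrences inside the sliding window
        start, best = 0, 0
        for ts, dst in events:
            seen[dst] += 1
            # Slide the window forward, dropping events older than `window`.
            while ts - events[start][0] > window:
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            best = max(best, len(seen))
        if best >= threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, fanout in find_smb_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {fanout} distinct TCP/445 targets within one minute")
```

Run against real flow exports, the only tuning that matters is the threshold: domain controllers and backup hosts legitimately open many SMB sessions, so exclude them by address rather than raising the threshold for everyone.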

Trend Micro™ Smart Protection Network™ protects users from all known variants of DOWNAD/Conficker in real time by blocking access to identified malicious sites and domains and by detecting and preventing the download of malicious files.

The firewall modules in Trend Micro’s desktop products stop DOWNAD/Conficker from spreading across networks. In addition, Trend Micro Deep Security protects servers and clients against this and other network attacks.

     


January 26, 2010, 8:16 am (UTC-7)

    Trend Micro fraud analysts were recently alerted to the discovery of a new phishing campaign that specifically targets AOL Instant Messenger (AIM) users.

The spammed message purports to come from AIM and urges recipients to download and run the latest AIM version to reactivate their supposedly inactive accounts.


Recipients who actually have AIM accounts may be tricked into clicking the link, http://{BLOCKED}update.aol.com.yhff13.com.pl/products/aimController.php?code=826954935720939660939448039218184173&email=angelan@bc4.so-net.ne.jp. Note how the host name is built: it starts with the labels of the genuine update.aol.com but ends in yhff13.com.pl, which is the domain actually being visited, and the email parameter carries the recipient’s own address, presumably so the senders can tell who clicked. Instead of an application update, the link leads to a spoofed AIM website. The end result may be the loss of personal information or, worse, identity theft.
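The tell in that link is the host name: it begins with the brand’s own labels but ends in a domain the brand does not own, and the query string carries the recipient’s address. The following check, added here as an illustration and not code from the post or from Trend Micro, extracts the registrable domain from a URL and compares it with the brands the host appears to name. The public-suffix table is a small hand-written subset assumed for the demo (use the full Public Suffix List in practice), and the sample URLs are constructed, modelled on the post’s link with its redacted leading label dropped and its tracking values replaced.

```python
"""Decide whether a link's registrable domain matches the brand it claims.
Added example, not Trend Micro code. PUBLIC_SUFFIXES is a tiny hand-written
subset for the demo; the sample URLs are constructed, modelled on the
phishing link in the post with the redacted label dropped and the
code/email tracking values replaced."""
from urllib.parse import parse_qs, urlsplit

# Constructed subset of public suffixes; real deployments load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "pl", "com.pl", "jp", "ne.jp", "co.uk"}

# Domains that legitimately serve the brands named in the phishing mail.
TRUSTED_DOMAINS = {"aol.com", "aim.com"}

# Constructed samples (assumed values, not the post's real tracking IDs).
PHISH = ("http://update.aol.com.yhff13.com.pl/products/aimController.php"
         "?code=0000&email=victim@example.com")
LEGIT = "https://update.aol.com/products/aim.php"


def registrable_domain(host):
    """Return public suffix plus one label ('yhff13.com.pl'), or None when
    the host is itself just a suffix or matches nothing in the table."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so 'com.pl' wins over 'pl'.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # bare suffix such as 'com.pl'
            return ".".join(labels[i - 1:])
    return None


def assess_link(url):
    """Compare the brand labels embedded in the host with the domain that will
    really receive the request, and surface any e-mail address carried in
    the query string (a common per-recipient tracking token)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    # Substring check: any trusted brand that appears in the host text but
    # is not the registrable domain is being impersonated.
    impersonated = sorted(b for b in TRUSTED_DOMAINS if b in host and reg != b)
    return {
        "host": host,
        "registrable_domain": reg,
        "trusted": reg in TRUSTED_DOMAINS,
        "impersonates": impersonated,
        "email_in_query": parse_qs(parts.query).get("email", []),
    }


if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        print(assess_link(sample))
```

The point of walking suffixes from longest to shortest is exactly the trick this campaign relies on: under "pl" alone, "com.pl" would look like a registrant's own label and "aol.com.yhff13.com.pl" would be split in the wrong place.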


Users who land on the phishing page are prompted to download the malicious file aimupdate_7.1.6.475.exe, which Trend Micro detects as TSPY_ZBOT.JF. It injects threads into certain legitimate processes and, like its ZBOT predecessors, contacts a website to update its list of targeted banks and other financial institutions, then sends the information it steals to a remote site.


    Trend Micro™ Smart Protection Network™ protects users from this attack by blocking the spammed messages, preventing user access to malicious sites, and detecting and blocking the download of malicious files.

     



    Trend Micro threat analysts from EMEA have found a blackhat search engine optimization (SEO) attack that uses strings with the phrase “free printable” to hijack search traffic by directing it to a rogue search engine.

Our researchers found that search engine queries using the string “free printable” yield results that include compromised websites (see Figure 1). The compromised sites are rigged with malicious JavaScript detected as JS_REDIRECT.SMF and JS_REDIRCT.MAC, which triggers a chain of redirections whenever users visit them. The redirections ultimately lead to a rogue search engine, which by default places the original search string in its own search box.

For now, the cybercriminals’ goal appears to be hijacking search traffic from legitimate search engines and redirecting it to their own in order to earn money. Whether it stays that way is not known, and users need to be wary: it would be trivial for the operators to change the final landing site of the redirection chain to a malware-hosting site.

    A diagram illustrating how hijacking searches work is shown below.


It is very possible that this blackhat SEO attack takes advantage of the relatively high interest in free printable items, especially in South Africa and the United States.

    We are strongly advising users not to use search strings that include the words “free printable,” as the results may lead to malicious websites.

    We are currently monitoring this attack and will update this entry for developments.

Update as of January 27, 2010, 5:30 p.m. (GMT +8:00):

    Below are screenshots of a page (and its source code) found inside a hijacked website that comes up when using the search string “free printable (some item).”


The compromised sites were made to host these keyword-riddled pages so that search engines rank them for the phrase and bring users to the malicious JavaScript that runs on them.
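Pages like the one in those screenshots combine two things a crawler or a web team can check for: visible text stuffed with the target phrase, and an inline script whose only job is to send the visitor elsewhere. The following triage function, added here as an illustration and not code from the post, from Trend Micro, or from the JS_REDIRECT.SMF/JS_REDIRCT.MAC malware itself (which the post does not reproduce), scores a page on both signals. The sample pages are constructed; the referrer check in the doorway sample is a common cloaking pattern assumed for the demo, not something the post describes, and the 0.2 keyword-density threshold is likewise an assumed tuning value.

```python
"""Heuristic triage of a suspected SEO doorway page: keyword stuffing in the
visible text plus an inline script or meta tag that redirects visitors.
Added example, not Trend Micro code and not the JS_REDIRECT malware itself.
Both sample pages are constructed; the referrer gate in DOORWAY is an
assumed (common) cloaking pattern, not taken from the post."""
import re
from html.parser import HTMLParser

REDIRECT_PATTERNS = [
    r"document\.location", r"window\.location", r"location\.(replace|href)",
    r"<meta[^>]*http-equiv=[\"']?refresh",
]
OBFUSCATION_PATTERNS = [r"\beval\s*\(", r"\bunescape\s*\(", r"fromCharCode"]

# Constructed doorway page: title/body stuffed with the phrase, plus a script
# that bounces search-engine visitors to a rogue search site.
DOORWAY = """<html><head><title>free printable coupons</title>
<meta name="keywords" content="free printable coupons">
<script>
if (document.referrer.indexOf("google") != -1) {
  document.location = "http://search.example.invalid/?q=" + escape(document.title);
}
</script>
</head>
<body>free printable coupons free printable cards free printable calendars free printable labels</body>
</html>"""

# Constructed benign page that merely mentions the phrase once.
CLEAN = """<html><head><title>Printable calendar templates</title>
<script>var year = new Date().getFullYear();</script>
</head><body>Download a free printable calendar for this year. Each template prints on one page.</body></html>"""


class PageExtractor(HTMLParser):
    """Split a page into visible text, inline script bodies and meta tags."""

    def __init__(self):
        super().__init__()
        self.text, self.scripts, self.meta = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag == "meta":
            self.meta.append("<meta " + " ".join(f'{k}="{v}"' for k, v in attrs if v) + ">")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)


def triage_page(html, phrase, density_threshold=0.2):
    """Return findings for one page. Density is the share of visible words
    that belong to occurrences of `phrase`; a real page rarely exceeds a
    few percent, a doorway page is mostly the phrase."""
    p = PageExtractor()
    p.feed(html)
    visible = " ".join(p.text).lower()
    words = re.findall(r"\w+", visible)
    hits = visible.count(phrase.lower())
    density = (hits * len(phrase.split()) / len(words)) if words else 0.0

    code = "\n".join(p.scripts) + "\n" + "\n".join(p.meta)
    redirects = any(re.search(pat, code, re.I) for pat in REDIRECT_PATTERNS)
    obfuscated = any(re.search(pat, code, re.I) for pat in OBFUSCATION_PATTERNS)
    return {
        "keyword_density": round(density, 2),
        "stuffed": density >= density_threshold,
        "redirects": redirects,
        "obfuscated_script": obfuscated,
        "referrer_gated": "document.referrer" in code,
        "suspicious": density >= density_threshold and redirects,
    }


if __name__ == "__main__":
    print("doorway:", triage_page(DOORWAY, "free printable"))
    print("clean:  ", triage_page(CLEAN, "free printable"))
```

When a page is referrer-gated, fetching it directly with a crawler shows nothing unusual; to reproduce what a search-engine visitor sees, request it with a Referer header pointing at the search engine, or simply run the page’s script through the check above rather than relying on what the browser shows.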

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice