    Archive for January, 2010




    Trend Micro fraud analysts recently came across spammed messages targeting customers of the Fifth Third Bank. The messages urged recipients to log in to a temporary link, http://www.53.com.{BLOCKED}.com.pl/wpserver/cmportal/cblogin.php?session=667882698791972326077742654898739&email=p2t2all@tacobell.com, in order to download and install a digital certificate that would supposedly reinforce the bank’s security. Clicking the link, however, led users to a phishing page that prompted them to key in their user names and passwords. This, as you all probably know by now, is a typical tactic to trick users into giving out their personal credentials, which can then be used for further malicious activities or sold in underground forums.


    After signing in, users see a prompt to download the said digital certificate, certificate.exe, which is actually a malicious file Trend Micro detects as TSPY_ZBOT.SMAP. This malware is capable of stealing personal credentials via keylogging. The stolen data, mostly banking-related information, are then sent to a couple of URLs via HTTP POST. It also has the capability to stop firewall-related processes to mask its malicious activities.


    Trend Micro™ Smart Protection Network™ already protects users from this attack by detecting and blocking the spammed messages, access to the malicious sites, and the download of the malicious file.

    As additional precaution, however, users are advised to be wary of clicking links in suspicious-looking messages, particularly those that come from unknown senders.
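    The phishing URL quoted above places the bank's real domain, 53.com, at the front of a hostname whose registrable domain belongs to someone else. The following Python is an added example, not code from the original post or from Trend Micro, showing one way a mail filter or a browser plug-in could flag that pattern; the small public-suffix set and the `blocked-example` label standing in for the {BLOCKED} part are assumptions.

```python
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Assumed, deliberately small stand-in for the public-suffix list (the real one is far larger).
MULTI_LABEL_SUFFIXES = {"com.pl", "co.uk", "com.au", "co.jp", "com.br"}

# Constructed from the URL quoted in the post; 'blocked-example' stands in for the {BLOCKED} label.
SAMPLE_URL = ("http://www.53.com.blocked-example.com.pl/wpserver/cmportal/cblogin.php"
              "?session=667882698791972326077742654898739&email=p2t2all@tacobell.com")


def registrable_domain(host: str) -> str:
    """Domain the site operator actually registered: one label plus the public suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _contains_labels(host_labels: List[str], brand_labels: List[str]) -> bool:
    """True if brand_labels occur as a contiguous run inside host_labels."""
    n = len(brand_labels)
    return any(host_labels[i:i + n] == brand_labels for i in range(len(host_labels) - n + 1))


def spoofed_brand(url: str, brand_domains: Iterable[str]) -> Optional[str]:
    """Return the brand domain a URL impersonates, or None.

    A hit means the brand's domain appears as labels inside the hostname while the
    registrable domain (the part the owner actually paid for) belongs to someone else."""
    host = urlsplit(url).hostname or ""   # hostname excludes userinfo, port and the query string
    if not host:
        return None
    host_labels = host.split(".")
    actual = registrable_domain(host)
    for brand in brand_domains:
        brand = brand.lower()
        if actual == brand:
            continue          # genuinely served from the brand's own domain
        if _contains_labels(host_labels, brand.split(".")):
            return brand
    return None


if __name__ == "__main__":
    print(spoofed_brand(SAMPLE_URL, ["53.com"]))   # 53.com
```

    Note that the `@` in the query string is not an authority separator, so `urlsplit` still returns the attacker's host; a checker that eyeballs the string for `@` instead of parsing it would be fooled either way.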




    Trend Micro was alerted to the discovery of a new attack that exploits a vulnerability in certain Adobe Reader and Acrobat versions. The said vulnerability allows remote attackers to execute arbitrary code via a crafted .PDF file using ZLib compressed streams on Microsoft OS-based systems.

    Cybercriminals targeted contractors of the U.S. Department of Defense with spammed messages carrying a .PDF attachment (detected by Trend Micro as TROJ_PIDIEFX.F) posing as a memorandum regarding a conference to be held in Las Vegas sometime this March. Though the featured conference is real, the memo is not.

    Upon execution, TROJ_PIDIEFX.F drops and executes another malicious file detected as TROJ_DLOADR.AUE. This attempts to connect to the remote site http://{BLOCKED}6.202.49 though as of this writing, the URL remains inaccessible.
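    The exploit above arrives in a crafted .PDF that uses ZLib (FlateDecode) compressed streams, so a keyword scan of the raw file sees only compressed bytes. The following Python triage script is an added example, not code from the original post or from Trend Micro: it inflates every FlateDecode stream that declares a direct /Length, counts action-related keywords in the decoded data, and reports streams that fail to inflate; the keyword list and the sample PDF are constructed for this example.

```python
import re
import zlib
from typing import Dict, Iterator, Tuple

# Assumed keyword list for this example: action-related names that warrant a closer look.
SUSPICIOUS_KEYWORDS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA")

# Minimal stream locator, not a full PDF parser: a dictionary (one level of nesting allowed)
# followed by the 'stream' keyword. Indirect lengths such as '/Length 3 0 R' are skipped.
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def iter_streams(pdf: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (stream dictionary, raw stream bytes) using the declared direct /Length."""
    for m in STREAM_RE.finditer(pdf):
        dictionary = m.group(1)
        length = LENGTH_RE.search(dictionary)
        if length is None:
            continue
        start = m.end()
        yield dictionary, pdf[start:start + int(length.group(1))]


def scan_pdf(pdf: bytes) -> Dict[str, object]:
    """Inflate FlateDecode streams and count keywords in the decoded data; undecodable streams are counted, not skipped."""
    hits = {k: 0 for k in SUSPICIOUS_KEYWORDS}
    streams = undecodable = 0
    for dictionary, raw in iter_streams(pdf):
        streams += 1
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                undecodable += 1
                continue
        else:
            data = raw
        for k in SUSPICIOUS_KEYWORDS:
            hits[k] += data.count(k)
    return {"streams": streams, "undecodable": undecodable,
            "keywords": {k.decode(): n for k, n in hits.items() if n}}


def build_sample_pdf() -> bytes:
    """Constructed fixture: a plain stream, a FlateDecode stream whose inflated content is a
    /JavaScript action dictionary (a harmless alert), and a stream that is not valid zlib data."""
    packed = zlib.compress(b"<< /Type /Action /S /JavaScript /JS (app.alert('hi')) >>")
    return (b"%PDF-1.4\n1 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n"
            b"2 0 obj\n<< /Length " + str(len(packed)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + packed + b"\nendstream\nendobj\n"
            b"3 0 obj\n<< /Length 7 /Filter /FlateDecode >>\nstream\nnotzlib\nendstream\nendobj\n")
```

    On the sample, `scan_pdf(build_sample_pdf())` reports three streams, one undecodable, and one occurrence each of `/JavaScript` and `/JS`, none of which appear in the raw bytes of the file.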

    Users are also advised to apply the latest patch, which Adobe released last Tuesday. For more information on the said vulnerability, visit this Threat Encyclopedia page.

    Trend Micro™ Smart Protection Network™ protects users by blocking the spammed messages and detecting and deleting the related malware. OfficeScan users with Intrusion Defense Firewall (IDF) plug-ins are also protected from this attack if their systems are updated with the IDF1003879 filter.





    Recent cyber attacks on Google and other organizations have been widely covered by the media, owing much to the size and notability of the companies affected. What this incident really does, however, is bring to light the true complexity and sophistication of computer threats and the fact that any user or organization—large or small—can potentially be at risk.

    Although these attacks were orchestrated to target certain groups or organizations, any computer can actually fall prey to them. Trend Micro strongly suggests that users keep their systems updated with the latest patches and apply the necessary workaround fixes for the said Internet Explorer (IE) vulnerability, which can be found in this Microsoft Security Advisory page.

    The string of attacks, which uses several vectors, appears to arrive primarily via malicious websites. Users with unprotected systems may unknowingly download a JavaScript malware detected by Trend Micro as JS_DLOADER.FIS. This specially crafted malware exploits a vulnerability in the way IE handles objects in memory: the browser can be made to access an invalid pointer reference after the object it points to has already been deleted, which allows remote code execution on affected versions (IE 5.01 is not affected). To address this issue, Microsoft advises its clients to run IE 7 in “Protected Mode” on Windows Vista and to enable Data Execution Prevention (DEP).

    However, in cases wherein the attack is not preempted, the JavaScript connects to a URL and downloads an encrypted malware detected as TROJ_HYDRAQ.SMA, also known as “Aurora.” Once decrypted and executed on the system, this Trojan executes backdoor routines. It is capable of executing other files, terminating services and processes, and more importantly, stealing information from the affected systems. The pertinent data collected are then sent to a remote user for possible use in other malicious activities.

    Although there have been some reports that the IE exploit was also found to take advantage of vulnerabilities in Adobe Reader and Acrobat, Adobe states that there has been no evidence that its products were being used as vectors for the said attack. It was, however, one of the organizations that suffered an attack similar to the one on Google. These Adobe vulnerabilities were found to be exploited by TROJ_PIDIEF.SHK, which, in turn, downloads TROJ_DLOAD.COB onto the affected systems.

    Trend Micro™ Smart Protection Network™ protects users from these kinds of attack by preventing the download of all the detected malicious files and by blocking user access to malicious sites.

    Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with IDF1003879 and IDF1003909 filters.

    Additional text by Oscar Abendan, Carolyn Guevarra, and Elizabeth Bookman




    DarkMarket closed shop recently. If you have not heard of them, do not worry too much. This website, which operated from different places worldwide, managed to bring together all sorts of credit card crooks and provided different levels of seller verification, escrow services, and malware consulting.

    It finally went offline and its owners were taken into custody, thanks to the efforts of different law enforcement units throughout the world. It is in moments like these that the combined efforts of the IT security industry and law enforcement can really be appreciated.

    For cybercriminals, it is, of course, just a drop in the ocean, and I am sure the underground will recover (in fact, it has probably already done so), but this is definitely a step in the right direction, and that feels reassuring.

    The arrest of these two individuals, one in London and the other in Turkey, sends a message to all cybercrooks out there—that no matter where you are, you are not above the law. More information about this story can be found in the Guardian.




    I, like many others, am a big fan of Twitter, although I am fairly ruthless about pruning those I follow. Most of the people I follow are either other security professionals or close friends, and they normally Tweet content that I am genuinely interested in. The first hint of someone going to the dark side is Tweets like:

    In McDonalds—should I get a cheeseburger or a big mac?
    4 minutes ago from iPhone by InaneTwit

    So confused—must decide soon—1 person in front of me in Q!
    3 minutes ago from iPhone by InaneTwit

    I got the cheeseburger!
    2 minutes ago from iPhone by InaneTwit

    And I will ruthlessly remove them. There is one exception to this, however: one of my younger siblings, who, for some reason, I let get away with this kind of thing. So I was not too surprised to see the following Tweet earlier today:

    This site is AWESOME!!!—http://TwitterBuilding.com
    about 2 hours ago from API

    Following the link, I came to the following page:

    Suddenly, my spider senses are tingling—call me paranoid but that does not look particularly official. A quick search of the Web shows thousands of identical Tweets from thousands of people who have gladly handed over their passwords to this website (which is most likely the same password they use for everything, including the Holy Grail, their email account—something I wrote about way back in February 2009).

    What is the message here? Simple—“Think before you click!”

    Would you give your Twitter password to a random person on the street? Of course not, so why would you give it to a random site on the Web? If nothing else, it will save you time when, like my younger sibling, you have to now change your password on every site you use.


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice