    Archive for February, 2010




    News of another plane crash shook Americans on Thursday morning. Reportedly, a disgruntled pilot, furious with the Internal Revenue Service (IRS), intentionally crashed a small plane into the building that housed the agency’s office in Austin, Texas. Although the incident was tagged “an isolated event” and not an act of terrorism, cybercriminals launched their own “terror” campaign, using another FAKEAV variant to scare unsuspecting users into paying.

    Using the blackhat search engine optimization (SEO) techniques that FAKEAV peddlers typically employ, the attackers pushed pages serving this variant to the top of the search results returned when users looked for news updates about the incident. Clicking the malicious link leads to the download of TROJ_FAKEAV.LGJ.


    The same tactic has also been seen taking advantage of other recent news and events, including Super Bowl 44, Bill Cosby’s alleged death, the Winter Olympics, and even the February Microsoft patch release.

    Apart from being scammed into buying a useless application, users who are tricked into clicking the malicious link and filling out the order form can also fall prey to data theft or, worse, identity theft, should the perpetrators decide to sell their credentials (i.e., credit card numbers and other personal information) to the highest bidders in underground markets.

    Trend Micro™ Smart Protection Network™ protects product customers from this and similar threats by blocking user access to all related malicious sites via the Web reputation service and by detecting and preventing the download of malicious files like packupdate_build6_195.exe, aka TROJ_FAKEAV.LGJ, via the file reputation service.

    Non-Trend Micro product users, on the other hand, can also stay protected from such threats via free tools like Web Protection Add-On, which is designed to block access attempts to potentially malicious websites in real time.




    Trend Micro security experts have not seen pump-and-dump spam campaigns in a fairly long time. In fact, the most recent attacks of this kind were seen last year:

    In a pump-and-dump attack, spammers inflate the stock prices of companies they own shares in by sending spammed messages carrying misleading or outright untrue positive news about those companies. Once the companies’ real stock prices have risen sufficiently, the spammers sell, or dump, their own shares for a profit.

    TrendLabs engineers, however, recently saw this tactic make a comeback on the popular VoIP application Skype. Spammers used the application’s instant-messaging (IM) feature to send the pump-and-dump messages shown below.

    [Screenshots: the pump-and-dump messages sent via Skype IM]

    Spammers tried to promote two companies—EcoBlu Products, Inc. and Terra Energy & Resource. As in other spam runs that use IM applications, Skype users received these messages from users who were not in their contact lists.

    As usual, we urge users not to click any link in messages sent via email or IM applications that come from people they do not know.

    Trend Micro™ Smart Protection Network™ protects product users from this threat by preventing the spammed messages from reaching their inboxes via the email reputation service and by blocking access to malicious sites via the Web reputation service.

    Non-Trend Micro product users, on the other hand, can also keep their systems safe by using free tools like eMail ID, a browser plug-in that helps identify legitimate email messages in their inboxes.




    Since the beginning of the year, Adobe and Microsoft have been in a bad light, since most of the recent notable attacks exploited vulnerabilities in the two companies’ software. Adobe Reader and Acrobat, in particular, are currently cybercriminals’ favorite targets. When news broke that Adobe would be releasing an out-of-band security update to close an exploitable hole in certain versions of Reader and Acrobat, some raised their eyebrows in question while others rolled their eyes and declared that this was the last straw.

    According to Adobe’s latest security bulletin, which is based on reports from Microsoft and Michael Yong Park, the critical vulnerability could affect Adobe Reader 9.3 for Macintosh, Windows, and Unix; Adobe Acrobat 9.3 for Macintosh and Windows; and Adobe Reader and Acrobat 8.2 for Macintosh and Windows. If cybercriminals exploited the vulnerability, they could make unauthorized cross-domain requests or, worse, take control of affected systems, similar to the effects of a flaw in Adobe Flash and Adobe AIR that Park also spotted days earlier.

    According to ZDNet, Adobe insisted that there were no active exploits in the wild targeting the vulnerability. TrendLabs engineers, on the other hand, have documented a number of noteworthy incidents in which cybercriminals exploited Adobe Acrobat and Reader vulnerabilities, specifically in the way the software handled JavaScript:

    Users of affected versions of Adobe Reader and Acrobat are strongly advised to download the updates in this security bulletin.

    Trend Micro™ Smart Protection Network™ protects users from these kinds of attacks by blocking user access to malicious sites and domains via the Web reputation service, by preventing spammed messages containing links to malicious sites from reaching their inboxes via the email reputation service, and by detecting and deleting malicious exploit files from their systems via the file reputation service.

    Smart Protection Network™ also protects Trend Micro product users via Trend Micro Smart Surfing for Mac and Trend Micro Security for Mac.





    A recent Windows security update appears to have been the cause of a series of blue screen crashes on systems where users installed it. The patch in question, MS10-015, is said to be linked to this malfunction, which leaves affected systems with blue-screen-of-death (BSoD) errors.

    According to an entry in the official Microsoft Blog, distribution of the update has since been suspended. However, the company also issued a statement that the cause of the BSoD error may be malware related.

    Trend Micro engineers found that TROJ_TDSS.AJD patches atapi.sys, turning the .SYS file into a rootkit component detected as TROJ_TDSS.SME. Infected systems then crash right after the security update is installed.

    TDSS variants are known for their ability to operate stealthily: the malware’s final payload depends on its remaining unseen on the system. The discovery of new TROJ_TDSS.AJD samples even prompted Microsoft to release two important updates on the issue, “Update: Restart Issues After Installing MS10-015 and the Alureon Rootkit” and “Restart Issues on an Alureon-Infected Machine After MS10-015 Is Applied,” to prevent further BSoD crashes.

    Trend Micro product users should not worry, however, as Smart Protection Network™ protects them from similar occurrences.

    Update as of February 22, 2010, 1:17 a.m. (GMT +8:00):

    Please note that TROJ_TDSS.AJD has recently been renamed to TROJ_TDSS.SMG.

    Update as of February 23, 2010, 3:23 a.m. (GMT +8:00):

    Please note that TROJ_TDSS.SME has recently been renamed to PE_TDSS.MTR, which is now detected by this tool.




    Cybercriminals again exploited one of the most-awaited global sports events—the “2010 Vancouver Winter Olympics”—to propagate at least two of their malicious wares. They piggybacked on Olympic fever to promote malware-ridden sites.

    In an attempt to affect as many users as possible, cybercriminals poisoned Google search results for the upcoming event. As usual, clicking the malicious links to get the latest news leads to sites that host either a bogus Windows Media Player update (see Figure 1) or FAKEAV.

    [Figure 1: site hosting the bogus Windows Media Player update]

    Trend Micro advanced threats researcher Norman Ingal found that the sites pushing the bogus Windows Media Player update, which urged users to download player_update.exe-1, actually served a malicious .EXE file detected by Trend Micro as BKDR_INJECT.ANI (see Figure 2).

    [Figure 2: download of player_update.exe-1, detected as BKDR_INJECT.ANI]

    BKDR_INJECT.ANI drops an encrypted system file (config\qkqitqie.sav) onto affected systems and then connects to the site http://{BLOCKED}ock.info/install/setup.php? to possibly download more malware.

    The sites that lead to at least three FAKEAV variants (see Figure 3), on the other hand, download TROJ_FAKEVIME.AB, a FAKEAV component that connects to either of these two sites to download TROJ_FAKEAL.SMDP (aka Security Antivirus):

    • http://{BLOCKED}system.in/index.php?controller=microinstaller&abbr=SAV&setupType=xp&ttl=21105299546&pid=
    • http://{BLOCKED}dsystem.in/index.php?controller=microinstaller&abbr=SAV&setupType=xp&ttl=21105189b9a&pid=

    [Figure 3: sites leading to the FAKEAV variants]
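    The two download URLs above share a recognizable query-string shape (controller=microinstaller, abbr=SAV, setupType, ttl, and an empty pid), and the BKDR_INJECT.ANI callback has a fixed path (/install/setup.php). The script below, an added example that is not part of the original post or of any Trend Micro product, turns those two patterns into a proxy-log check: it parses each requested URL, matches the query parameters and path rather than the (blocked) hostnames, and reports which client triggered which indicator. The log lines, the log format (timestamp, client, method, URL, status) and the hostnames in them are constructed for the example.

```python
"""Flag proxy-log requests that match the FAKEAV and BKDR_INJECT URL patterns
quoted in the post. Added example; hosts and log lines below are constructed."""
from urllib.parse import urlsplit, parse_qs

# Query-string shape of the TROJ_FAKEVIME.AB download URLs quoted in the post:
# index.php?controller=microinstaller&abbr=SAV&setupType=...&ttl=...&pid=
FAKEAV_FIXED_PARAMS = {"controller": "microinstaller", "abbr": "SAV"}
FAKEAV_ALL_KEYS = {"controller", "abbr", "setupType", "ttl", "pid"}

# Path of the BKDR_INJECT.ANI callback URL quoted in the post.
INJECT_CALLBACK_PATH = "/install/setup.php"


def classify_url(url):
    """Return an indicator name if the URL matches one of the post's patterns, else None."""
    parts = urlsplit(url)
    # keep_blank_values keeps the trailing empty "pid=" parameter visible
    params = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.endswith("/index.php"):
        fixed_ok = all(params.get(key, [None])[0] == value
                       for key, value in FAKEAV_FIXED_PARAMS.items())
        if fixed_ok and FAKEAV_ALL_KEYS <= set(params):
            return "TROJ_FAKEVIME.AB downloader URL pattern"
    if parts.path == INJECT_CALLBACK_PATH:
        return "BKDR_INJECT.ANI callback URL pattern"
    return None


def scan_proxy_log(lines):
    """Parse whitespace-separated proxy log lines (time client method url status)
    and return a (client, url, indicator) tuple for every matching request."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines instead of crashing on them
        client, url = fields[1], fields[3]
        indicator = classify_url(url)
        if indicator:
            hits.append((client, url, indicator))
    return hits


# Constructed sample log; the hosts are placeholders, not the blocked ones from the post.
SAMPLE_LOG = [
    "2010-02-16T10:01:02 10.0.0.5 GET http://www.example.com/news/olympics 200",
    "2010-02-16T10:01:09 10.0.0.5 GET http://fakeav-host.invalid/index.php?controller=microinstaller&abbr=SAV&setupType=xp&ttl=0000000000&pid= 200",
    "2010-02-16T10:02:11 10.0.0.7 GET http://shop.example.com/index.php?controller=login&abbr=SAV 200",
    "2010-02-16T10:03:30 10.0.0.9 GET http://inject-host.invalid/install/setup.php? 200",
    "garbage line",
]

if __name__ == "__main__":
    for client, url, indicator in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {indicator}: {url}")
```

    Matching on the query-string shape rather than on hostnames is deliberate: the post shows the same installer URL on two different domains, so a host-based block list would have to be updated for every new domain, while the parameter pattern survives domain rotation. The near-miss line (an index.php with controller=login) is there to show the check does not fire on an ordinary web-shop URL.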

    TROJ_FAKEAL.SMDP, like previously featured FAKEAV variants, also uses scareware tactics to convince users of infected systems to download and ultimately purchase a rogue antivirus application (see Figures 4–10).

    [Figures 4–10: TROJ_FAKEAL.SMDP (Security Antivirus) scareware screens]

    Fortunately, Trend Micro™ Smart Protection Network™ protects product users from these kinds of attacks by blocking access to known malicious sites and domains via the Web reputation service and by detecting and deleting the identified malware (i.e., BKDR_INJECT.ANI, TROJ_FAKEVIME.AB, and TROJ_FAKEAL.SMDP) from systems via the file reputation service.

    Non-Trend Micro product users can stay protected as well with Web Protection Add-On, a free tool designed to block access attempts to potentially malicious websites in real time.



     

    © Copyright 2011 Trend Micro Inc. All rights reserved.