Trend Micro Malware Blog

    Archive for March 1st, 2010




    Just when you think old-school network bots are dead, a group of cybercriminals revives them from the grave in the name of Chuck Norris. Dubbed the “Chuck Norris botnet” after the Italian comment in its source code, in nome di Chuck Norris (translation: “in the name of Chuck Norris”), this botnet infects vulnerable DSL modems and routers with a worm Trend Micro detects as WORM_IRCBOT.ABJ.

    The worm tries to gain access to a target router by brute-forcing the router’s configuration password. It may also spread across shared networks by exploiting a known Microsoft vulnerability, MS03-039 (Buffer Overrun in RPCSS Service). These routines put every user connected to the same network or router at risk of infection.

    The worm also has backdoor capabilities that let attackers execute remote commands on affected systems, including downloading and executing other malware and launching denial-of-service (DoS) attacks against other systems. Its ultimate goal is still profit: stealing personally identifiable information (PII) and credentials for certain websites, particularly online banking sites, from unknowing users.

    Infecting routers is unusual for bots of this kind, which usually infect computers. It is not, however, the first time bots have used modems and routers as a propagation platform: Trend Micro has reported such attacks in the past in relation to other threat families such as ZLOB, RBOT, and QHOST.

    For more information on how old-school network bots work, you may read Trend Micro’s white paper, “SDBOT IRC Botnet Continues to Make Waves.”

    Users are strongly advised to keep their systems updated with the latest patches and to use strong router and modem passwords to avoid infection. Computers that may already have been compromised should be immediately isolated from the network and cleaned of the bot. Since the bot targets the modem or router itself, that device needs attention too: change its configuration password and do not leave its management interface reachable from the Internet.
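    The password-guessing routine described above leaves a recognizable trail on the router: a burst of failed logins from one source, sometimes followed by a success once the password has been found. The following is an added example (not code from the Trend Micro post or from the worm) of spotting that pattern in a router’s authentication log. The dropbear/syslog-style lines are constructed for the example; a real device’s format and the threshold values are assumptions to adjust.

```python
"""Flag sources hammering a router or modem admin login with failed password attempts.

Added example, not part of the original post. The log format below is a constructed
dropbear/syslog-style line; adapt LINE_RE to the device you actually run.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source guessing the admin password at machine speed and
# eventually getting in, and one legitimate admin who mistypes once and then logs in.
SAMPLE_LOG = """\
Mar  1 08:00:01 dsl-router dropbear[412]: Bad password attempt for 'admin' from 192.0.2.77:51022
Mar  1 08:00:02 dsl-router dropbear[413]: Bad password attempt for 'admin' from 192.0.2.77:51023
Mar  1 08:00:02 dsl-router dropbear[414]: Bad password attempt for 'admin' from 192.0.2.77:51024
Mar  1 08:00:03 dsl-router dropbear[415]: Bad password attempt for 'root' from 192.0.2.77:51025
Mar  1 08:00:04 dsl-router dropbear[416]: Bad password attempt for 'admin' from 192.0.2.77:51026
Mar  1 08:00:05 dsl-router dropbear[417]: Password auth succeeded for 'admin' from 192.0.2.77:51027
Mar  1 08:15:40 dsl-router dropbear[520]: Bad password attempt for 'admin' from 198.51.100.9:40011
Mar  1 08:15:49 dsl-router dropbear[521]: Password auth succeeded for 'admin' from 198.51.100.9:40012
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: "
    r"(?P<outcome>Bad password attempt|Password auth succeeded) for '(?P<user>[^']+)' "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+):\d+$"
)


def parse_line(line, year=2010):
    """Parse one log line into a dict, or return None for lines we do not understand.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return {source_ip: verdict} for sources with >= threshold failures inside `window`.

    verdict is "bruteforce" while only failures were seen, and
    "bruteforce-then-success" if a login succeeded after the burst, which means the
    password was most likely guessed and the device should be treated as compromised."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    verdicts = {}
    for e in events:
        recent = failures[e["ip"]]
        if e["outcome"] == "Bad password attempt":
            recent.append(e["ts"])
            while recent and e["ts"] - recent[0] > window:   # slide the window forward
                recent.popleft()
            if len(recent) >= threshold:
                verdicts.setdefault(e["ip"], "bruteforce")
        elif e["ip"] in verdicts:
            verdicts[e["ip"]] = "bruteforce-then-success"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

    A single mistyped password from a known admin address never crosses the threshold, while the guessing source is flagged on its fourth failure and escalated when the later success shows the guess worked. On devices that do not log successful logins, drop the escalation and alert on the burst alone.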

    Trend Micro™ Smart Protection Network™ already protects product users from this threat by detecting and preventing the file’s execution on affected systems via the file reputation service.

    Non-Trend Micro product users, on the other hand, can use free tools like RUBotted, which monitors computers for suspicious activities and regularly checks with an online service to identify behaviors associated with bots. Upon discovering potential infections, it prompts users to scan and clean their computers.

     



    Trend Micro recently came across a .PDF file sample that exploits a vulnerability first disclosed in mid-2009. The specially crafted .PDF file, detected as TROJ_PIDIEF.SML, contains malicious JavaScript that calls the getAnnots() method to corrupt an affected system’s memory.

    Interestingly, its final payload is the download of a malicious binary that happens to be a ZBOT/ZeuS variant detected as TROJ_ZBOT.BYZ. The sample thus combines the two most prevalent threats today, ZBOT and PDF exploits. From phishing emails to social-networking sites, the widespread ZeuS Trojan is now making its rounds across various attack vectors to get onto users’ systems.

    ZeuS has been around since 2007, and even though most antivirus companies have caught on to its stealth and polymorphic routines, this malware still shows no signs of slowing down.
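    A file like the one described above is easy to triage before it ever reaches a reader: the JavaScript has to sit in the PDF as a /JavaScript or /JS action, usually hooked to /OpenAction so it runs on open, and often inside a FlateDecode-compressed stream. The following is an added example (not code from the Trend Micro post and not the TROJ_PIDIEF.SML sample) of a scanner that inflates the streams and looks for the getAnnots() call and generic heap-spray helpers. The sample PDF it builds is constructed for the example; the indicator list is an assumption to extend.

```python
"""Triage a PDF for embedded JavaScript and a getAnnots() call.

Added example, not part of the original post. build_sample_pdf() fabricates a minimal
test file (its xref table is omitted, which readers tolerate badly but a keyword scan
does not care about); it is not a real malicious sample.
"""
import re
import zlib


def build_sample_pdf(js_code: bytes) -> bytes:
    """Constructed test input: a tiny PDF whose /OpenAction runs FlateDecode-compressed JavaScript."""
    stream = zlib.compress(js_code)
    return b"".join([
        b"%PDF-1.5\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        b"3 0 obj\n<< /S /JavaScript /JS 4 0 R >>\nendobj\n",
        b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream),
        stream, b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


# Innermost dictionary immediately before a stream, plus the raw stream body.
STREAM_RE = re.compile(rb"(<<(?:(?!<<).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Indicator names -> byte patterns searched in the decoded script text (assumed list).
SUSPICIOUS = {
    "getAnnots": rb"getAnnots",        # the method abused by the sample discussed in the post
    "unescape": rb"unescape\s*\(",     # classic way of materialising shellcode/heap-spray strings
    "eval": rb"\beval\s*\(",           # staged or obfuscated code being unpacked at run time
}


def decode_stream(dict_bytes: bytes, raw: bytes) -> bytes:
    """Inflate FlateDecode streams; other filters and corrupt data are scanned as-is."""
    if b"/FlateDecode" in dict_bytes:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw
    return raw


def scan_pdf(data: bytes) -> dict:
    """Return what the file declares (JavaScript present, auto-launch hook) and which
    indicators appear in the raw body or any inflated stream."""
    findings = {"has_javascript": False, "auto_launch": False, "indicators": []}
    if re.search(rb"/JavaScript|/JS\b", data):
        findings["has_javascript"] = True
    if re.search(rb"/OpenAction|/AA\b", data):       # runs on open / on a page or form event
        findings["auto_launch"] = True
    bodies = [data] + [decode_stream(d, s) for d, s in STREAM_RE.findall(data)]
    for name, pattern in SUSPICIOUS.items():
        if any(re.search(pattern, body) for body in bodies):
            findings["indicators"].append(name)
    return findings


if __name__ == "__main__":
    sample = build_sample_pdf(b"var a = this.getAnnots(); var s = unescape('%u0c0c%u0c0c');")
    print(scan_pdf(sample))
```

    The check is deliberately shallow: it flags what is declared and what is visible after inflation, which is enough for the sample’s plain getAnnots() call. Authors who split the method name across string concatenations or encode it with escapes defeat keyword matching, so treat a clean result on a file that still declares /OpenAction plus /JavaScript as worth a closer look, not as a pass.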

    Learn more about the various tactics ZBOT/ZeuS uses in the following blog entries:

    Trend Micro protects users from this attack via the Smart Protection Network™, which blocks user access to all malicious URLs via the Web reputation service and detects all related malware via the file reputation service. Not a Trend Micro user? We also offer free system checks with HouseCall, which identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems. You may also use RUBotted to find out if your machine is already part of a botnet.

     



    Spammers are clearly becoming more and more creative in trying new ways to bypass our anti-spam filters. Just recently, we received a spammed message disguised as a spam quarantine notification from a competitor.

    To the untrained eye, the email looks quite convincing. Closer inspection of the message headers, however, reveals that while the email purports to come from a certain security company, the sender’s domain name is indosatm2.com.

    According to the spoofed mail, an email sent to the user was blocked by the administrator. The user is instructed to ignore the notice if the blocked mail was indeed spam, or to click the embedded link to view the message.

    The spammers are most likely leveraging people’s natural curiosity: a user who wants to know what the quarantined mail contained is likely to click the link. At the time of writing, the link redirects to a website that is already unavailable. Users are nonetheless advised to exercise caution when opening email messages and clicking links, even when these appear legitimate. It never hurts to be extra careful.

    Trend Micro™ Smart Protection Network™ protects product users from this attack by preventing the spammed messages from reaching users’ inboxes via the email reputation service and by blocking access to malicious sites and domains via the Web reputation service.

    Non-Trend Micro product users can also stay protected from similar bogus email messages by using eMail ID, which uses a two-step verification process to help users quickly find legitimate messages.

     



    A new wave of spammed messages posing as mail service notifications targeted antivirus companies, including Trend Micro. The messages ask recipients to update their mailbox settings by opening and executing the attachment.

    The two samples TrendLabs obtained were sent to domains belonging to Trend Micro. The attachment does not contain any mailbox settings but a malicious file detected as TROJ_FAKEAV.EAO.

    This spam run is similar to one TrendLabs reported earlier, in which Trend Micro advanced threats researcher Joey Costoya noted that the subdomains may have been tailor-made according to the recipients’ email addresses. That earlier run was part of a phishing attempt targeting employees of various companies, including Trend Micro.

    The Trend Micro™ Smart Protection Network™ protects product users from this attack by preventing the spammed messages from reaching users’ inboxes via the email reputation service and by detecting and removing the malicious file via the file reputation service.

    Non-Trend Micro product users can also stay protected by using eMail ID, which prevents fake messages from reaching their inboxes. It also helps users quickly find legitimate messages.
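    Both of the spoofed-notification runs above, the fake quarantine notice whose sending domain did not match the company it claimed to be from and the fake mailbox-settings notice carrying an executable attachment, fall to the same kind of header and attachment inspection. The following is an added example (not code from the Trend Micro posts) that does that inspection with Python’s standard email parser. The message it checks is constructed for the example with example.com/example.net domains and a truncated PE header; the attachment is not TROJ_FAKEAV.EAO.

```python
"""Check a suspicious notification email for sender spoofing and disguised executables.

Added example, not part of the original posts. SAMPLE_MSG is a constructed message:
the display name and From domain claim a security vendor, while the envelope sender
and Message-ID come from an unrelated relay, and the "settings" attachment is a
Windows executable with a double extension. The attachment bytes are a truncated PE
header, not real malware.
"""
import re
from email import message_from_bytes, policy

SAMPLE_MSG = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
\tby mx.example.org with ESMTP id 1A2B3C; Mon, 1 Mar 2010 09:12:44 +0000
Message-ID: <20100301091244.12345@mail-relay.example.net>
From: "Security Vendor Spam Quarantine" <quarantine@securityvendor.example.com>
To: user@example.org
Subject: Message blocked by administrator
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

A message sent to you was blocked. Open the attachment to update your mailbox settings.
--XYZ
Content-Type: application/octet-stream; name="mailbox_settings.doc.exe"
Content-Disposition: attachment; filename="mailbox_settings.doc.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def addr_domain(value):
    """Lower-cased domain of the first address in a header value, or None if there is none."""
    m = re.search(r"@([\w.-]+)", str(value or ""))
    return m.group(1).lower() if m else None


def check_message(raw: bytes) -> dict:
    """Compare the claimed From domain with the envelope sender and Message-ID domain,
    and inspect attachments for executables hiding behind a document-looking name."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = addr_domain(msg["From"])
    findings = {"from_domain": from_domain, "sender_mismatch": False, "dangerous_attachments": []}

    # A genuine quarantine notice is generated by the system that sends it, so the
    # envelope sender and Message-ID should sit in the From domain or a subdomain of it.
    for other in (addr_domain(msg["Return-Path"]), addr_domain(msg["Message-ID"])):
        if other and from_domain and other != from_domain and not other.endswith("." + from_domain):
            findings["sender_mismatch"] = True

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("executable extension")
        if re.search(r"\.\w{2,4}\.\w{2,4}$", name):          # settings.doc.exe style
            reasons.append("double extension")
        if payload[:2] == b"MZ":                              # DOS/PE header regardless of name
            reasons.append("PE header (MZ)")
        if reasons:
            findings["dangerous_attachments"].append((name, reasons))
    return findings


if __name__ == "__main__":
    print(check_message(SAMPLE_MSG))
```

    The magic-byte check matters more than the extension checks: renaming the file to mailbox_settings.zip or stripping the extension entirely would pass the name tests but the bytes still begin with MZ. The domain comparison is a heuristic, not an authentication; a mailing service that legitimately sends on a company’s behalf will also show a different envelope domain, so treat a mismatch as a reason to look closer rather than a verdict on its own.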

     



    Where news leads, cybercriminals follow. Over the weekend, a massive earthquake hit Chile and killed hundreds of people. This was soon followed by a blackhat SEO attack that placed multiple malicious links leading to FAKEAV malware at the top of the search results for “chile earthquake 2010 wiki.”

    According to senior threat analyst Joseph Pacamarra, clicking the malicious links leads to the download of several files detected as TROJ_FAKEAV.JSA and TROJ_FAKEAV.STL. First, a fake online scan window is displayed.

    After the online scan window, the fake antivirus program, called Security Tool, loads and presents the user with fake scan results.

    Finally, the user is asked to activate the product, which is where the victim is asked to pay.

    These FAKEAV tactics are already well-tested and have been discussed before both here in the Malware Blog and elsewhere.

    Trend Micro™ Smart Protection Network™ protects customers from this and similar threats by blocking user access to all related malicious sites via the Web reputation service. It also detects and prevents the download of malicious files such as TROJ_FAKEAV.JSA and TROJ_FAKEAV.STL via the file reputation service.

    Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which prevents user access to potential malicious websites.

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved.