
    Archive for March, 2010




    TrendLabs received sample spammed messages claiming to be lawsuit notices. The messages informed recipients of a copyright infringement lawsuit that has been filed against them. The email supposedly came from legitimate law firms such as Marcus Law Center and Crosby & Higgins and even included a copy of the said “lawsuit.”


    The first sample contains an embedded link to a copy of the “lawsuit” while the second has a .DOC file attachment that contains details of the said “lawsuit.” Clicking the link and opening the file attachment, however, led to the download of malicious files detected by Trend Micro as TROJ_DLOADR.AUI and TROJ_AGENT.STM, respectively, instead of more details on the supposed lawsuit.

    Trend Micro™ Smart Protection Network™ protects product users from this attack by preventing the spammed messages from even reaching users’ inboxes via the email reputation service and by blocking access to malicious sites and domains that host malware-ridden files via the Web reputation service.

    Non-Trend Micro product users can also stay protected from similar attacks by using eMail ID, a free tool that uses a two-step verification process to help users quickly find legitimate messages in their inboxes.




    Yesterday, a 6.0-magnitude earthquake shook the Philippine capital, causing a bit of concern among its inhabitants and their relatives from the rest of the country and abroad. As such, many tuned in to the Web for the latest news and updates on this incident. As expected, cybercriminals were one of the first in line to provide information about the earthquake rigged with rogue antivirus applications.

    Trend Micro advanced threats researcher Norman Ingal discovered that some FAKEAV variants already took advantage of this incident as a social-engineering technique. He said this malware also used blackhat search engine optimization (blackhat SEO) tactics to make malicious links the top-ranking search results whenever users used the string, “earthquake manila philippines.”


    These links led to the download of FAKEAV variants, particularly TROJ_FAKEAV.ENZ, which also used the recent wardrobe malfunction incident of a Philippine TV personality as a social-engineering lure.

    Clicking the links also led to the download of JS_REDIR.SMB, which displays a warning dialog box that tells users that their computers have been infected.


    Clicking OK opens the following message boxes and windows and downloads the malicious file onto users’ computers.


    Earthquakes are natural occurrences, and we never really know when or where they will hit next. One thing is certain, though: cybercriminals will ride on the news of every earthquake or natural calamity that hits the press next, just as they did during the Haiti and Chile earthquakes.

    Trend Micro product users are protected from this threat by the Smart Protection Network™, which blocks user access to the related malicious sites and prevents the malicious files from being downloaded onto users’ systems.

    Non-Trend Micro product users can likewise stay protected by using free tools like Web Protection Add-On, a lightweight add-on solution designed to proactively protect computers against Web threats.




    TrendLabs senior advanced threats researcher Ivan Macalintal found spammed messages claiming to come from the Internal Revenue Service (IRS). The email message warns recipients of either underreporting or not reporting their incomes in line with the tax season (April). It asks users to click the embedded link to correct the supposed errors.


    Once clicked, the URL leads users to download a ZBOT variant detected as TROJ_KRAP.SMDA. Like the previously detected ZBOT variants featured in the following entries, this malware also steals information from users’ systems and sends the stolen data to a remote user:

    TROJ_KRAP.SMDA also terminates security-related processes and disables Windows Firewall. For more information on the ZBOT malware and the infamous ZeuS botnet, please refer to Trend Micro’s recently published research paper, “Zeus: A Persistent Criminal Enterprise.”

    Trend Micro™ Smart Protection Network™ protects product users from this threat by preventing the spammed messages from even reaching users’ inboxes via the email reputation service. It also blocks access to the malicious sites via the Web reputation service and stops the download and execution of the malicious files via the file reputation service.




    Trend Micro senior advanced threats researcher Paul Ferguson received a spam sample claiming to be from the Bureau of the Shanghai World Expo, which is coordinating Expo 2010, from a technology news group journalist who actually received it.


    The spammed message contains a malicious attachment detected by Trend Micro as TROJ_PIDIEF.ACV. This malicious .PDF file exploits a known flaw in Adobe Acrobat and Reader, which was fixed in an out-of-cycle patch in the middle of February. Attacks using this vulnerability were also seen earlier this month.

    However, the method that was used to exploit this vulnerability differed from that used earlier this year. According to Trend Micro researcher Rajiv Motwani, these .PDF files have an embedded malicious .TIFF file. TIFF, short for Tag Image File Format, is a popular image format used to store high-quality images.

    This embedded .TIFF file, when processed by vulnerable Adobe products, triggers the vulnerability and the execution of arbitrary code. In this particular case, a backdoor detected by Trend Micro as BKDR_RIPINIP.I is dropped onto and executed on the affected system.
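    As an added defensive example (not Trend Micro's tooling, and not taken from the sample itself), the Python triage script below flags PDF files whose content streams contain a TIFF header, which is the combination described above. The PDF parsing is a heuristic rather than a full parser, only FlateDecode streams are inflated (an assumption for brevity), and the sample PDF it builds is constructed for the demonstration.

```python
"""Triage heuristic (added example, not Trend Micro tooling): flag PDFs whose
streams carry a TIFF image. Only FlateDecode streams are inflated (assumption)."""
import re
import zlib

TIFF_MAGIC = (b"II*\x00", b"MM\x00*")   # byte-order mark + magic number 42
# "N G obj << dict >> stream\n": the tempered dot keeps the dict inside one object.
STREAM_RE = re.compile(rb"obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.S)
# Direct /Length only; an indirect "/Length 5 0 R" is deliberately skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")

def iter_streams(pdf_bytes):
    """Yield (stream_dict, raw_body) for every stream object in the file."""
    for m in STREAM_RE.finditer(pdf_bytes):
        start = m.end()
        n = LENGTH_RE.search(m.group(1))
        # No direct /Length: fall back to scanning for the endstream keyword.
        end = start + int(n.group(1)) if n else pdf_bytes.find(b"endstream", start)
        if end >= start:
            yield m.group(1), pdf_bytes[start:end]

def decode_stream(stream_dict, body):
    """Inflate FlateDecode data, keeping partial output from truncated or
    deliberately malformed zlib streams; non-zlib bodies are scanned raw."""
    if b"/FlateDecode" not in stream_dict:
        return body
    try:
        return zlib.decompressobj().decompress(body)
    except zlib.error:
        return body

def find_embedded_tiff(pdf_bytes):
    """Return [(stream_index, offset, magic)] for streams holding a TIFF header."""
    hits = []
    for idx, (sdict, body) in enumerate(iter_streams(pdf_bytes)):
        data = decode_stream(sdict, body)
        for magic in TIFF_MAGIC:
            off = data.find(magic)
            if off != -1:
                hits.append((idx, off, magic))
    return hits

def build_sample_pdf(payload):
    """Constructed demo PDF (not a real sample) wrapping payload in a FlateDecode stream."""
    comp = zlib.compress(payload)
    head = b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp)
    return b"%PDF-1.4\n1 0 obj\n" + head + comp + b"\nendstream\nendobj\n%%EOF\n"

# Constructed little-endian TIFF header (IFD offset 8) followed by padding.
FAKE_TIFF = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 16
```

A hit only means a TIFF image is present, which legitimate documents can also contain; treat it as a reason to inspect the file, not as a verdict.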

    Further analysis of this threat is ongoing, so updates to this post are likely. In the meantime, users should exercise increased vigilance when opening email messages and attachments from unexpected sources.

    Trend Micro™ Smart Protection Network™ protects users from these kinds of attack by blocking the spammed messages via the email reputation service. In addition, both the malicious .PDF file and the backdoor payload are detected by the file reputation service.

    Update as of March 26, 2010, 3:25 a.m. (GMT +8:00):

    Further analysis of BKDR_RIPINIP.I indicates that it gathers system information such as the name, CPU information, OS version, and IP address of the affected computer. It then connects to a remote server to which it sends the stolen information. It waits for a reply from the server, possibly for remote malicious commands to execute on the affected system. As of this writing, however, our threat engineers have not received any reply from the remote server during analysis.

    Update as of March 26, 2010, 5:40 a.m. (GMT +8:00):

    Web reputation technology now blocks the associated domain server to which the backdoor connects and sends stolen information. Trend Micro Deep Security™ can also help shield users from the vulnerability related to this attack. Trend Micro OfficeScan™ users with the Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with the IDF10-014 release.

    Update as of March 30, 2010, 4:40 p.m. (GMT +8:00):

    Trend Micro advanced threats researcher Paul Ferguson has been quoted by media sources regarding this threat. His thoughts can be found in these ComputerWorld and Network World articles.




    Cybercriminals—spammers, to be specific—typically hide their malicious intent behind well-known company names. Just recently, TrendLabs engineers encountered a spammed message claiming to be from the Apple Store.


    The email message encouraged users to view their latest status updates and to make changes to their online Apple Store orders. This new spam run is probably related to the imminent arrival of the iPad, which is slated to start hitting the U.S. market on April 3.

    The spam samples directed users to websites that are not even related to the Apple Store, making these emails highly suspicious. Further investigation showed that the URLs in the messages were connected to a recently created domain involved in selling male enhancers such as Viagra and Cialis.

    The following are just some of the previous blog entries related to Apple and its products:

    As always, Trend Micro advises users to be extra careful when opening email messages they receive because cybercriminals will always attempt to lure possible victims through legitimate-looking spam.

    Trend Micro™ Smart Protection Network™ protects product users from this attack by preventing the spammed messages from reaching users’ inboxes via the email reputation service and by blocking access to malicious sites and domains via the Web reputation service.

    Non-Trend Micro product users can also stay protected from similar bogus email messages by using eMail ID, which uses a two-step verification process to help users quickly find legitimate messages.


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice