Trend Micro Malware Blog (TrendLabs)

    Archive for April, 2010




TrendLabs security researchers recently noted an increase in the volume of spammed messages posing as newsletters from Amazon. The messages even carry a supposed Amazon sender address, {BLOCKED}ers@amazon.com, to make them look more credible; a From: address is trivially forged, so it says nothing about where the mail really came from.

[Screenshot: spammed message posing as an Amazon newsletter]

The messages also feature various product endorsements to make them look legitimate. Clicking any of the images or embedded links, however, leads to the same possibly malicious site. Though the site is currently inaccessible, it is in no way associated with the real Amazon site.

Some users had already grown wary of the messages from the supposed Amazon email subscription, as discussed in the site’s forum. The spam is nonetheless an effective social engineering ploy: the message passes easily for a legitimate newsletter, and recipients are likely to click through.

    We can expect to see more threats like this online, especially since it is summer in some parts of the world. Internet users typically troop online in the summer to search for and book vacations, shop, or look for that perfect summer job. Cybercriminals will of course take advantage of this wave of online browsers, the Amazon spam being just one of the many possible ways users are lured into becoming victims of cybercrime.

    Trend Micro product users are protected by the Smart Protection Network™ as it detects the above spam and blocks access to the malicious URL.




Beware, Twitter enthusiasts! Spam posing as Twitter email notifications is currently proliferating in the wild. It comes in two types: the first attempts to steal personal information or login credentials, while the second attempts to infect systems with malware.

    A legitimate Twitter notification email looks like this:

[Screenshot: a legitimate Twitter notification email]

It usually begins with “Hi, *name of user*” and contains the words “You have a direct message:”, followed by the message itself.

    The two Twitter spam samples, on the other hand, look like these:

[Screenshots: the two Twitter spam samples, left and right]

The sample on the left uses a generic greeting, and the email body says only, “You have 1 unreaded message from Twitter,” followed by a URL. This directs recipients to a site where they are asked to give out personal information. The sample on the right also uses a generic greeting, along with the message “You have 3 information message(s),” followed by a URL. Instead of asking recipients for personal information when they click the link, it downloads malware onto their systems. The malicious URLs were already inaccessible as of this writing.

    Spammers and cybercriminals have had a long history with Twitter and its users, as featured in these previous entries:

To protect yourself against similar attacks, pay attention to the details of the emails you receive. The tells are all visible here: a generic greeting where the real service uses your name, grammatical errors such as “unreaded,” and a link whose actual destination is not the service’s own domain. When in doubt, do not click the link; open the site by typing its address into the browser and check your messages there.
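The two tells the Amazon and Twitter posts above rely on, a generic greeting and links that lead away from the domain the sender claims, can be checked mechanically. The script below is an added example, not Trend Micro's tooling or anything from the original posts: it parses a raw message with Python's email module, looks at the first line of the body, and compares the registered domain of every link against the registered domain of the From: address. The two messages at the bottom are constructed for the example (the spam's link uses a reserved .example domain), and the "last two labels" notion of a registered domain is a simplifying assumption that a production check should replace with the Public Suffix List.

```python
"""Triage a notification-style email for two tells: a greeting that names
nobody, and links whose real destination lies outside the domain the
From: address claims."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# A salutation with no name after it: "Dear user,", "Hello,", "Hi there".
GREETING_RE = re.compile(
    r"^(?:dear|hi|hello)(?:\s+(?:user|customer|member|there|twitter user))?\s*[,!.:]?\s*$",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def registered_domain(host):
    """Naive eTLD+1 (last two labels). Fine for example.com-style hosts; a
    production check should consult the Public Suffix List (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def message_body(msg):
    """Concatenate every text/* part, undoing transfer encodings."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def greeting_is_generic(body):
    for line in body.splitlines():
        line = line.strip()
        if line:
            return bool(GREETING_RE.match(line))
    return True  # no greeting at all counts as generic


def assess(raw_message):
    """Return a list of findings; an empty list means no tell was found."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = registered_domain(sender.rsplit("@", 1)[1]) if "@" in sender else ""
    body = message_body(msg)
    findings = []
    if greeting_is_generic(body):
        findings.append("generic-greeting")
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if registered_domain(host) != sender_domain:   # the href, not the link text, is what matters
            findings.append("link-offdomain:" + host)
    return findings


# Constructed messages, not the samples from the post. The spam's From: is
# forged to match the real notification, which is why the header alone proves nothing.
LEGIT = """From: Twitter <notify@twitter.com>
Subject: Direct message from bob
Content-Type: text/plain; charset=utf-8

Hi, alice

You have a direct message:

bob: see you at the meetup
http://twitter.com/direct_messages
"""

SPAM = """From: Twitter <notify@twitter.com>
Subject: You have 1 unread message
Content-Type: text/plain; charset=utf-8

Dear Twitter user,

You have 1 unreaded message from Twitter
http://twitter.com.login-check.example/inbox/1
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spam", SPAM)):
        print(label, assess(raw) or "no findings")
```

Note that a lookalike host such as twitter.com.login-check.example is caught because only its last two labels count as the registered domain; a spam message that links to the genuine twitter.com would not be flagged by the link check, which is why the greeting check is kept as a second, independent signal.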




.PDF files, and the features built into the format, have been used by cybercriminals in some of the most noteworthy attacks we have encountered. Malformed files of this type have been especially notorious these past few months, since they compromise user systems by first exploiting vulnerabilities in Adobe Reader and Acrobat. TrendLabs has documented a number of these attacks:

A newly spotted malformed .PDF also attacks flaws in the aforementioned Adobe products; what sets it apart is that it carries an embedded object encoded with FlateDecode and ASCII85Decode. These are two standard PDF stream filters (zlib compression and a 7-bit text encoding, respectively) that are normally used to encode stream data such as images; here they are chained to keep the payload from showing up in a cursory look at the file. Once decoded, the object turns out to be an Extensible Markup Language (XML) file carrying a malicious Tagged Image File Format (TIFF) image.

    Trend Micro detects the .PDF file as TROJ_PIDIEF.AAL. It can exploit the following vulnerabilities:

    Once these vulnerabilities are exploited, this Trojan connects to several URLs to download files, which were also found to be malicious. Trend Micro detects these downloaded files as TROJ_DNSCHANG.XT and TROJ_FRAUDPAC.QL.
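Seeing through a filter chain like the one described above is a matter of reading each stream's dictionary, applying the named filters in the order the /Filter entry lists them, and then looking at what comes out. The scanner below is an added example, not Trend Micro's analysis tooling or anything from the original post: it pulls every stream out of a PDF, decodes ASCII85Decode and FlateDecode, and flags decoded payloads that are XML and that carry a TIFF header, either raw or base64-encoded inside an XML element. The sample PDF is built in-line so the script runs offline; its XML and the TIFF header are constructed for the example and are not the malicious file. The <xdp and <xfa markers it looks for are an assumption about how form XML in a PDF is typically tagged, and the parser deliberately handles only well-formed files with direct /Length values.

```python
"""Walk a PDF's stream objects, undo the filter chain each stream dictionary
declares (e.g. /ASCII85Decode followed by /FlateDecode), then look at the
decoded payload for XML carrying TIFF data."""
import base64
import re
import zlib

TIFF_MAGIC = (b"II*\x00", b"MM\x00*")                         # little-/big-endian TIFF headers
STREAM_START = re.compile(rb"(?<!end)stream\r?\n")            # skip the "stream" inside "endstream"
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\d|\s+\d+\s+R)")  # direct /Length only, not "n 0 R"
B64_TEXT_RE = re.compile(rb">([A-Za-z0-9+/=\s]{16,})<")       # base64 text between XML tags


def ascii85_decode(buf):
    """PDF flavour of ASCII85: optional '<~' prefix, data ends at '~>'."""
    buf = buf.strip()
    if buf.startswith(b"<~"):
        buf = buf[2:]
    end = buf.find(b"~>")
    if end != -1:
        buf = buf[:end]
    return base64.a85decode(buf)


DECODERS = {b"ASCII85Decode": ascii85_decode, b"FlateDecode": zlib.decompress}


def decode_stream(filters, raw):
    """Apply the filters in the order the /Filter entry lists them."""
    for name in filters:
        decoder = DECODERS.get(name)
        if decoder is None:
            raise ValueError("unsupported filter %r" % name)
        raw = decoder(raw)
    return raw


def find_streams(pdf):
    """Yield (filters, raw_bytes) for each stream, reading the dictionary of
    the enclosing object. Well-formed files only: object streams, indirect
    /Length values and broken xref tables are out of scope for this example."""
    for m in STREAM_START.finditer(pdf):
        head = pdf[pdf.rfind(b" obj", 0, m.start()):m.start()]
        fm = FILTER_RE.search(head)
        filters = re.findall(rb"/(\w+)", fm.group(1)) if fm else []
        lm = LENGTH_RE.search(head)
        if lm:
            raw = pdf[m.end():m.end() + int(lm.group(1))]
        else:                                          # fall back to the endstream keyword
            raw = pdf[m.end():pdf.find(b"endstream", m.end())]
            if raw.endswith(b"\r\n"):
                raw = raw[:-2]
            elif raw.endswith(b"\n"):
                raw = raw[:-1]
        yield filters, raw


def classify(decoded):
    """Findings for one decoded payload."""
    findings = []
    if decoded.lstrip().startswith(b"<?xml") or b"<xdp" in decoded or b"<xfa" in decoded:
        findings.append("xml-payload")
    if any(magic in decoded for magic in TIFF_MAGIC):
        findings.append("tiff-raw")
    for blob in B64_TEXT_RE.findall(decoded):          # TIFF hidden as base64 inside the XML
        try:
            inner = base64.b64decode(blob)
        except ValueError:
            continue
        if inner.startswith(TIFF_MAGIC):
            findings.append("tiff-in-base64")
    return findings


def scan_pdf(pdf):
    report = []
    for index, (filters, raw) in enumerate(find_streams(pdf)):
        entry = {"stream": index, "filters": [f.decode() for f in filters]}
        try:
            entry["findings"] = classify(decode_stream(filters, raw))
        except Exception as exc:       # a stream that will not decode is itself worth a look
            entry["error"] = str(exc)
        report.append(entry)
    return report


def stream_object(num, filters, data):
    head = "%d 0 obj\n<< /Length %d /Filter %s >>\nstream\n" % (num, len(data), filters)
    return head.encode() + data + b"\nendstream\nendobj\n"


def build_sample_pdf():
    """Constructed two-stream PDF: an ordinary Flate content stream, and an
    XML payload wrapping a base64 TIFF header behind ASCII85 + Flate. The
    TIFF is a bare header, not an image and not the malicious sample."""
    content = zlib.compress(b"BT /F1 12 Tf (Hello) Tj ET")
    tiff = TIFF_MAGIC[0] + b"\x08\x00\x00\x00" + b"\x00" * 16
    xml = (b'<?xml version="1.0"?><xdp><image contentType="image/tiff">'
           + base64.b64encode(tiff) + b"</image></xdp>")
    hidden = base64.a85encode(zlib.compress(xml), adobe=True)
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            + stream_object(2, "/FlateDecode", content)
            + stream_object(3, "[/ASCII85Decode /FlateDecode]", hidden)
            + b"%%EOF\n")


if __name__ == "__main__":
    for entry in scan_pdf(build_sample_pdf()):
        print(entry)
```

The filter order matters: the /Filter array lists filters in decoding order, so ASCII85 is undone before Flate. Real malicious PDFs routinely break the assumptions this parser makes (indirect /Length, object streams, damaged xref), which is exactly why a stream that refuses to decode is reported rather than skipped.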

    Trend Micro protects users via the Smart Protection Network™, which blocks access to all malicious URLs via the Web reputation service and detects all related malware via the file reputation service.





ZeuS/ZBOT is best known for its information-stealing routines, driven by configuration files downloaded from its home sites. ZBOT binaries are created with toolkits that let the operator control the malware remotely. Getting them onto target systems is the tricky part, and cybercriminals have tried drive-by downloads, spammed messages, worm propagation, and many other methods. This time, they are trying file infection.

The malware Trend Micro detects as PE_ZBOT.A injects its code into target executables and modifies each host file’s entry point so that it points at the injected code; the malware therefore runs whenever the infected file is executed. It then attempts to connect to remote sites from which it downloads and executes malicious files that steal information from the affected system. The downloaded files are detected as TROJ_KRAP.SMDA and TSPY_ZBOT.SMAP. Once its routine completes, it hands control back to the host file.
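The redirected entry point described above leaves marks in the PE headers that can be checked without running the file: the entry point no longer falls in the first code section, often lands in an appended last section, and that section tends to be both writable and executable. The script below is an added example, not Trend Micro's detection logic: it parses the COFF header, optional header and section table with struct, finds the section containing AddressOfEntryPoint, and reports those marks. The two images it examines are header-only PE32 files built in-line for the example (no real code, and the ".patch" section name is arbitrary), so it runs offline.

```python
"""Locate the section that holds AddressOfEntryPoint and flag the marks of an
entry point redirected into injected code."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_point_rva, sections) from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections, size_opt = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20                                            # optional header follows the COFF header
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (PE32 and PE32+)
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + size_opt + 40 * i)
        name, vsize, vaddr, rawsize, _rawptr, _, _, _, _, chars = fields
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "chars": chars})
    return entry_point, sections


def section_containing(rva, sections):
    for i, s in enumerate(sections):
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return i
    return None


def assess_entry_point(data):
    """Triage findings; an empty list means the entry point looks ordinary."""
    entry_point, sections = parse_pe(data)
    idx = section_containing(entry_point, sections)
    if idx is None:
        return ["entry-point-outside-sections"]
    sec = sections[idx]
    first_code = next((i for i, s in enumerate(sections)
                       if s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)), None)
    findings = []
    if not sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry-section-not-executable")
    if sec["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry-section-writable")
    if first_code is not None and idx != first_code:
        findings.append("entry-not-in-first-code-section")
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append("entry-in-last-section")
    return findings


def build_pe(sections, entry_point):
    """Header-only PE32 image (constructed): DOS header, COFF header, a zeroed
    optional header carrying the entry point, and the section table."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", optional, 16, entry_point)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, rawptr, 0, 0, 0, 0, chars)
                     for name, vaddr, vsize, rawptr, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(optional) + table


# (name, virtual address, virtual size, raw pointer, characteristics); all constructed.
TEXT = (b".text", 0x1000, 0x2000, 0x400,
        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA = (b".data", 0x3000, 0x1000, 0x2400,
        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
# Appended, writable+executable section with the entry point moved into it:
# the shape a file infector leaves behind (the section name is arbitrary).
PATCH = (b".patch", 0x4000, 0x800, 0x3400,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)

CLEAN = build_pe([TEXT, DATA], entry_point=0x1250)
INFECTED = build_pe([TEXT, DATA, PATCH], entry_point=0x4010)

if __name__ == "__main__":
    print("clean:", assess_entry_point(CLEAN) or "nothing suspicious")
    print("infected:", assess_entry_point(INFECTED))
```

Treat the output as triage rather than a verdict: runtime packers also move the entry point into a later section and are perfectly common in legitimate software, so a hit should be confirmed against a known-good copy of the file, its hash, or its Authenticode signature.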

This only shows that cybercriminals keep finding new ways to stay in business. The best defense is to be aware of the techniques they use and to keep security solutions and other pertinent applications patched and up to date.




TrendLabs received reports of a suspicious email claiming to be an IT notification. It informs users that their mailbox settings have been changed and carries a .PDF attachment that supposedly contains instructions the users need to read before updating their settings.

This attack is similar to many we have seen previously: it purports to come from a real sender and looks like a semilegitimate company notification. Through this design, cybercriminals hope to make the malicious email more believable for recipients and entice them to open the .PDF attachment. Here is a screenshot of one of the emails we received:

[Screenshot: the spammed IT notification email]

A few simple safe computing practices apply whenever you open emails and their attachments:

    • Always check who the email sender is.
    • Look for errors in messages.
    • Do not click embedded links.
    • Check attachments’ real extension names and never click executable files.

The .PDF attachment is actually a malicious file Trend Micro detects as TROJ_PIDIEF.ZAC. When opened, the .PDF runs the embedded script batscript.vbs, which drops and executes a worm component named game.exe. The worm also carries the rootkit component bp.sys, possibly to hide its routines and keep the user from discovering it.

    These components are detected as follows:

    Ultimately, this threat tries to access an FTP server to possibly download other malicious files onto the affected system.

    TrendLabs engineers are currently working to provide a more detailed analysis of this threat. Updates will be provided shortly.

Our in-the-cloud correlation engines quickly identified the multiple components of this attack to ensure the protection of Trend Micro customers. Trend Micro protects users from this attack via the Smart Protection Network™, which blocks user access to malicious URLs and blocks spammed messages through the Web and email reputation services. It also detects all malware related to this attack via the file reputation service.

    If you think your system may have already been infected, scan and clean your system with HouseCall, Trend Micro’s free online malware scanner.

Update as of April 28, 2010, 5:30 p.m. (GMT +8:00):
Other spam messages using similar social engineering techniques have been spotted. They carry a malicious attachment detected as TROJ_KATUSHA.F.

Update as of April 30, 2010, 9:19 a.m. (GMT +8:00):
Further analysis of WORM_EMOTI.A no longer shows any indication that the URL http://{BLOCKED}ason.com/lde/ld.php is an FTP site that resolves to HTTP. The worm may, however, still access two additional URLs: http://{BLOCKED}isa.com/lde/ld.php and http://{BLOCKED}nss.com/lde/ld.php.




    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice