Trend Micro Malware Blog

Archive for August, 2010

    Timing is everything, especially if you’re trying to spread malware. Last week, the developers of the popular Twitter application TweetDeck notified users that due to changes in the authentication protocols Twitter supports, users of older versions will have to upgrade.

    Naturally, cybercriminals latched onto this bit of news and sent out their own Tweets saying the same thing. However, their malicious Tweets contained a URL-shortened link to what was supposedly a TweetDeck installer named tweetdeck-08302010-update.exe.


    This particular file is not a legitimate installer but a TDSS variant detected by Trend Micro as TROJ_TDSS.FAT. The TDSS malware family functions as rootkits that can take complete control of affected systems. In addition, their complexity and sophistication makes them difficult to remove.

TweetDeck has officially warned users not to fall prey to this attack. In addition to detecting the malicious “installer,” Trend Micro has also blocked the website hosting the malicious file.

    Trend Micro advanced threats researcher Paul Ferguson was earlier interviewed about this threat by PC World. His comments may be found here.

     
Posted in News, Security



    An independent group of security researchers has announced that they will be releasing zero-day vulnerabilities, Web application vulnerabilities, and proof-of-concept (POC) exploits for patched vulnerabilities throughout the month of September. Many high-profile vendors such as Adobe, Apple, Microsoft, and Mozilla are among those whose products will apparently have vulnerabilities revealed during the month.

    According to Trend Micro researcher Rajiv Motwani, the vulnerabilities that will be announced refer to a collection of old and new ones primarily targeting Microsoft. The new vulnerabilities can be considered zero-day flaws and will leave users vulnerable until a vendor patch is offered and applied. However, this process may take some time. Until then, users should use any suggested workarounds.

    It is also believed that detailed information for recently released advisories will be published. It is possible that the information released includes POC code, making exploits more likely. Exploit packs on malicious and compromised websites will probably include these new exploits as well.

    Any new information released during this period will likely be quickly exploited, putting more users at risk. High-profile applications like Internet Explorer (one of the programs that the researchers have indicated they will release a vulnerability for) can have exploit code released within hours of the POC code’s announcement. Portions of the many exploits already in the wild can be reused in any new exploit attack, further hastening the process.

    Enterprise users should note that server applications will be part of the list of vulnerable applications exposed in September. These applications may take longer to patch. In addition, the potential for damage if one server is affected is greater than if one user system is affected.

    Vendors will certainly rush out patches to fix any announced vulnerability but hopefully the accelerated development will not cause complications. There have been cases in the past when vendors released patches that did not fix the vulnerabilities completely, resulting in reissued patches.

For users, protecting themselves will prove difficult. No centralized update notification mechanism exists for third-party software, which means that ordinary users may not be aware that certain applications need to be updated. Many applications now integrate some form of auto-update feature, but this still imposes an unnecessary burden on users who just want their systems to work.

    Users should be on guard for any popular application that has vulnerabilities, as exploits for these are likely to spread even faster than usual. Applying patches and/or workarounds for identified vulnerable software is highly recommended.

While patching systems remains essential, Trend Micro also offers several free tools that can help prevent computer compromise; you may download them here.

     



    Despite the consistent media exposure that FAKEAV malware has been receiving, it continues to be business as usual for FAKEAV proponents. To find out why the notorious malware family persists, Trend Micro researchers looked into three important aspects—social engineering techniques, the FAKEAV technology, and the FAKEAV business itself.

    Social Engineering

    Social engineering is a technique used in furthering malicious activities both online and offline. Online, however, FAKEAV is a good example of a social engineering “success story.” By leveraging human weakness, FAKEAV effectively utilizes social engineering techniques such as blackhat search engine optimization (SEO) to trick users.

    The Technology Behind FAKEAV

Behind the professional-looking GUIs, annoying pop-ups, and other scareware tactics FAKEAV uses lies a simple technology. It can thus be said that the FAKEAV technology is more tricky than complex. Despite the relative simplicity of the FAKEAV technology, however, it continues to play a critical role in the success of FAKEAV’s social engineering tactics.

    The FAKEAV Business

    Of course, a malicious campaign is meaningless if it does not benefit its proponents. When it comes to the FAKEAV business, the stakes are high. Apart from taking away about US$40–100 from a user’s account as payment for rogue software, the more pressing concern with regard to FAKEAV is information theft.

    Learn more about the persistent FAKEAV malware and its three fundamental aspects in the Security Spotlight article, “Why FAKEAV Persist.”

     
Posted in Malware, Security



    Over the weekend, Microsoft issued a new security advisory which covered a vulnerability in how Windows handles DLL files. The attack scenario would go this way: a vulnerable application would be used to open a file.

The opened file can be a perfectly legitimate file; however, the malicious DLL must be located in the same directory as the opened file and given the same file name as a legitimate DLL. When the vulnerable application loads that DLL, the malicious file is loaded instead of the legitimate one.

    This is because of errors in how Windows selects which DLL files to load, giving preference to libraries located in the same directory as the opened file instead of those in the correct system directories. Any code in the malicious file would be executed, causing a full-fledged problem for users.

These kinds of attacks, known as binary planting or DLL preloading, have been known for years. However, they were not much of a threat because the malicious file had to already be on the user’s system. Recently, however, independent researchers found a way to exploit this attack remotely via network shares, which led Microsoft to issue the said advisory.

Popular applications like Firefox and PowerPoint are among those initially reported as affected by the vulnerability. Since then, exploits for many other applications have been found, and reports of attacks actively exploiting the bug have been posted.

The existence of malware attacks actively leveraging the said vulnerability may drive Microsoft to take more drastic action. Until a clear solution is given, users are strongly advised to be careful about files opened from network shares.

    Enterprise users with certain Trend Micro products such as Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in may download the latest rules to help protect themselves against this threat; these rules prevent DLLs from being loaded from remote shares.
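The following is an added example, not Trend Micro's code and not part of the original post. It models the Windows DLL search order with SafeDllSearchMode enabled (application directory, system directory, Windows directory, then the current directory, then PATH) to show why opening a document from a network share is the risky case: the share becomes the process's current directory, so any DLL the application asks for that is absent from the application and system directories is resolved from the share. The same model shows the effect of the documented mitigations, calling SetDllDirectory("") in the application or setting the CWDIllegalInDllSearch registry value shipped with Microsoft's hotfix, both of which drop the current directory from the search. All directory names, DLL names and share paths are constructed; the model ignores KnownDLLs, manifests and the 16-bit system directory.

```python
"""Model of the Windows DLL search order (SafeDllSearchMode on), used to
illustrate DLL preloading from network shares.

Added example, not Trend Micro's code. Directory names, DLL names and
share paths below are constructed for the demonstration."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed paths for the scenario.
APP_DIR = r"C:\Program Files\Viewer"
SYSTEM_DIR = r"C:\Windows\System32"
WINDOWS_DIR = r"C:\Windows"
SHARE = r"\\fileserver\docs"          # network share holding the opened document


def is_remote(directory: str) -> bool:
    """UNC paths (two leading backslashes) are the remote case the advisory concerns."""
    return directory.startswith("\\\\")


@dataclass
class LoaderModel:
    """Simplified loader: ignores KnownDLLs, manifests and the 16-bit system directory."""
    app_dir: str
    system_dir: str
    windows_dir: str
    cwd: str                      # becomes the document's directory when a file is opened
    path: list[str]
    files: dict[str, set[str]]    # directory -> names present in it
    cwd_in_search: bool = True    # False models SetDllDirectory("") / CWDIllegalInDllSearch

    def search_order(self) -> list[str]:
        order = [self.app_dir, self.system_dir, self.windows_dir]
        if self.cwd_in_search:
            order.append(self.cwd)
        return order + self.path

    def resolve(self, dll: str) -> str | None:
        """Return the first directory in search order that contains dll, or None."""
        wanted = dll.lower()
        for directory in self.search_order():
            if any(name.lower() == wanted for name in self.files.get(directory, ())):
                return directory
        return None


def build_model(cwd_in_search: bool = True) -> LoaderModel:
    """Constructed file system: a viewer application and a share holding a document."""
    files = {
        APP_DIR: {"viewer.exe", "core.dll"},
        SYSTEM_DIR: {"kernel32.dll", "shared.dll"},
        WINDOWS_DIR: set(),
        # The share holds the document plus two DLL names the viewer asks for:
        # one that also exists in System32, one that exists nowhere locally.
        SHARE: {"report.doc", "shared.dll", "optional.dll"},
    }
    return LoaderModel(APP_DIR, SYSTEM_DIR, WINDOWS_DIR, SHARE,
                       [r"C:\Tools"], files, cwd_in_search)


def audit(model: LoaderModel, dlls: list[str]) -> dict[str, tuple[str | None, bool]]:
    """Map each requested DLL to (directory it resolves from, loaded-from-remote flag)."""
    result = {}
    for dll in dlls:
        where = model.resolve(dll)
        result[dll] = (where, where is not None and is_remote(where))
    return result


REQUESTED = ["core.dll", "shared.dll", "optional.dll"]

if __name__ == "__main__":
    for label, model in (("default search order", build_model()),
                         ("current directory removed", build_model(False))):
        print(f"== {label} ==")
        for dll, (where, remote) in audit(model, REQUESTED).items():
            print(f"{dll:12} -> {str(where):28} {'REMOTE LOAD' if remote else ''}")
```

Running it shows that shared.dll is still taken from System32 even though a copy sits on the share, because the system directory precedes the current directory; only optional.dll, which exists nowhere locally, resolves from the share. With the current directory removed from the search that load simply fails, which is the safe outcome the mitigations aim for.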

     
Posted in Exploits, News, Security, Vulnerabilities



A spammed message supposedly from Newegg, a popular online computer hardware/software seller, has been found in the wild. It informs users that their online purchase has been charged to their Visa card. It also contains two clickable links that point to the same malicious page, an example of which is http://{BLOCKED}nthenet.net/1.html. Clicking the link leads to a series of redirections that ultimately land users on a FAKEAV-hosting site where TROJ_FAKEAV.FNZ may be downloaded.

Because the binary on the landing page constantly changes, users may also end up with TROJ_HILOTI.FNZ and ADWARE_ZANGO infections in addition to the FAKEAV download.


    Upon further investigation, we discovered that the email is not the only malware vector the cybercriminals behind the attack are employing. They also leveraged compromised Blogspot pages to host the same spam. We believe that the cybercriminals are using Blogspot’s email feature. The secret email addresses set up by the blog owners may have somehow been harvested to send out spam, in effect auto-posting these in Blogspot pages. The followers of compromised Blogspot pages can thus be potentially infected, too, since the malicious spam is hosted on a known source.


Threats analyst Edgardo Diaz adds that one of the download binary connections leads to {BLOCKED}.{BLOCKED}.117.21, which has its own status page. Further analysis of the IP address and the compromised Blogspot pages revealed that some of the compromised pages’ URLs point to domains hosted on the same IP address.

Users are advised to be wary of clicking any link, even if it is posted on a trusted source. Furthermore, blog owners whose secret Mail2Blogger email address has been used in a spam run should change it, as the attacker can otherwise easily reuse the address to instigate another spam run.

Trend Micro product users need not worry, however, as they are already protected from this attack via the Smart Protection Network™, which prevents the spammed messages from even reaching users’ inboxes, blocks access to all malicious URLs, and detects all related malware.

    Additional analysis and screenshots provided by threats analysts Patrick Estavillo and Edgardo Diaz.

    Update as of August 25, 2010, 10:30 p.m. (UTC)

After further investigation, we found that other kinds of spam were also posted in affected Blogspot pages. Spam related to UPS, Amazon, and LinkedIn, as well as run-of-the-mill resume and eCard spam messages, were found posted in the said blogs. Affected Blogspot users are advised to change their Mail2Blogger email address as soon as possible.

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice