
    Archive for April, 2011




    In our previous FAKEAV white paper, we presented how Trend Micro researchers tracked down the evolution of FAKEAV and followed its development, behavior-wise, from one generation to the next. One of the earlier generations (the fourth, to be exact) described in the paper comprises DLL-based FAKEAV—fake antivirus programs that use a .DLL file to perform all of their malicious routines, primarily to avoid easy termination. A few months ago, however, we saw this particular generation again making its rounds in the wild in the form of TROJ_FAKEAV.BTV.


    In terms of appearance, fourth-generation FAKEAV variants are not particularly different from earlier generations. In the background, however, fourth-generation FAKEAV variants are characterized by the considerably large file size of their DLL components (TROJ_FAKEAV.BTV samples are around 1.50MB in size). This is because the fake pop-up warnings, GUIs, and other scareware modules are all found in the DLL.




    Earlier the other day, I was browsing through the Yahoo! PH site and the Yahoo! Purple Hunt 2.0 ad caught my attention.

    Curious, I clicked the ad and found my browser downloading a suspicious file named com.com.

    Apparently, this ad redirected me to a randomly generated URL similar to the following, which unfortunately led to the malicious download:

    • hxxp://want6.{BLOCKED}.com/se/3da19bea8f9c03e96c9b1acad9cce5a88a2244f0a34d69c09b8d3198b2797726789be0228c0df3c762ed088a2327b07f4a183fa6fa753b0acfd7f0afc2d2b13b801ba978269fcda413f53e/960b0a2a/com.com
    • hxxp://nose8.{BLOCKED}.com/se/3da19bea8f9c03e96c9b1acad9cce5a88a2244f0a34d69c09b8d3198b2797726789be0228c0df3c762ed088a2327b07f4a183fa6fa753b0acfd7f0afc2d2b13b801ba978269fcda413f53e/960b0a2a/com.com
    • hxxp://letter6.{BLOCKED}.com/se/3da19bea8f9c03e96c9b1acad9cce5a88a2244f0a34d69c09b8d3198b2797726789be0228c0f3c762ed088a2327b07f4a183fa6fa753b0acfd7f0afc2d2b13b801ba978269fcda413f53e/785c08d8/com.com

    Below is a screenshot of the file download dialog box.




    We were recently made aware of attacks leveraging the recent data breach that involved Epsilon.

    According to reports, the attack involves a Web page that looks very similar to the press release issued by Epsilon concerning the breach. The page also instructs the recipients to click a link at the bottom of the post in order to download and run a tool that will supposedly help them determine if their personal information was among those disclosed during the attack.

    We were able to analyze the details of the attack and found that the link downloads an .EXE file now detected as TROJ_MSPOSER.ASM. Running TROJ_MSPOSER.ASM displays the following GUI, which seems to suggest that the system is being checked.

    Of course, the graphic is really just there in an attempt to convince the victims that what they downloaded was really a tool that will help them determine if their information is still secure. In the background, however, another malicious file is being installed into the system.




    SLAAC is a mnemonic for IPv6 StateLess Address AutoConfiguration. Under SLAAC, an interface first establishes an IPv6 address for the local link and only then attempts to obtain router information. IPv6 does not use Ethernet broadcasting, which limits how many devices a local link can support. Instead, IPv6 multicasting divides devices into 16.7 million isolated Solicited-Node groups based on the last 3 bytes of their IPv6 address. Multicasting represents a significant departure from the way networks previously worked using the blunt method of broadcasting.

    IPv4 and MAC Address Relationship with Network Interface Unverified

    Under IPv4, ARP [RFC826] resolves the MAC address associated with a specific IPv4 address by sending a request to the broadcast (all ones) destination MAC address, which switches and interfaces recognize and replicate or flood across all switch ports. ARP can also announce an address by setting both the source and destination IPv4 addresses to the same value, or probe for one by setting the source to a null IP address.

    The inverse of ARP was BootP, described in [RFC951] back in 1985. BootP requests an IP address for a MAC address by using a broadcast (all ones) destination IP address. BootP was superseded by DHCP. Those new to IPv6 are often surprised to find how multicasting rather than broadcasting changed the way networks, switches, and routers operate.

    Router Advertisements Define the Local Network with IPv6

    Customer premises equipment (CPE) shipped by Free, a subsidiary of Iliad and the second largest Internet service provider in France, provides DNS configuration in its router advertisements, which eliminates the need for DHCP in most environments. This feature comes from [RFC5006], a 2007 extension that added DNS configuration to router advertisements, which was replaced by [RFC6106] in 2010. Having this feature removed the need to use DHCP, which was important because neither Windows XP nor Mac OS X included a DHCP client able to talk over IPv6.
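The addressing chain the post describes, as an added example that is not part of the original post: it derives a link-local address from a MAC (modified EUI-64), finds the solicited-node group selected by the low 24 bits of that address, and maps the group to the Ethernet multicast MAC a NIC filters on. The MAC 00:1a:2b:3c:4d:5e and the unicast addresses are constructed values.

```python
import ipaddress

# Solicited-node groups (RFC 4291) live under ff02::1:ff00:0/104; the low
# 24 bits of the unicast address fill the rest, hence 2**24 (16.7 million)
# possible groups. IPv6 multicast maps to Ethernet as 33:33 + low 32 bits
# of the group address (RFC 2464).
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Derive the modified-EUI-64 link-local address for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02  # flip the universal/local bit
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + bytes(eui64))


def solicited_node_group(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node group a unicast address listens on for neighbor solicitations."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def multicast_mac(group: ipaddress.IPv6Address) -> str:
    """Ethernet destination MAC a NIC programs for an IPv6 multicast group."""
    if not group.is_multicast:
        raise ValueError("not an IPv6 multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in group.packed[-4:])


def shared_group(a: str, b: str) -> bool:
    """True when two addresses share a solicited-node group: only then does
    one host's NIC pass the other's neighbor solicitations up the stack."""
    return solicited_node_group(a) == solicited_node_group(b)


def group_count() -> int:
    """Number of distinct solicited-node groups (the post's 16.7 million)."""
    return 1 << 24


if __name__ == "__main__":
    ll = link_local_from_mac("00:1a:2b:3c:4d:5e")  # constructed MAC
    grp = solicited_node_group(str(ll))
    print(ll, grp, multicast_mac(grp), group_count())
```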




    Facebook has expanded its range of service offerings, making the site so much more than a place where users can interact with one another. It has been said several times that Facebook is bound to replace email as a means of communication, as it provides a more convenient way for users to send messages.

    This convenience, however, was also leveraged by cybercriminals in a recent spam run wherein users were urged to download an application called Facebook Messenger. This would supposedly make it easier for them to access messages sent to their Facebook accounts.

    The attack starts with spammed messages that look like a Facebook notification. The email message alerts users about a message that has been sent to their Facebook accounts and tells them to click a link to view it. Clicking the link, however, displays a download page for an application called Facebook Messenger.


    The downloaded file, named FacebookMessengerSetup.exe, is malicious and detected as BKDR_QUEJOB.EVL. BKDR_QUEJOB.EVL opens TCP port 1098 to listen for commands sent by a malicious attacker. These commands may include updating the malicious file, downloading and executing other malicious files, and starting certain processes. It also queries the system for information such as installed antivirus products and OS version, then sends the data it gathers to a certain SMTP server.


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice