Trend Micro senior developer TT Tsai discovered a sequel to the fake Trend Micro iClean tool. Our Web Threat Protection (WTP) add-on is being used as bait to download malware.
An email message with content seemingly copy-pasted from the WTP page of the Trend Micro Taiwan site advertises a link (Figure 1) where a supposed free download of the WTP add-on is located.
Note that the real WTP add-on is actually a trial version of Trend Micro’s Web Threat Protection technology so it can really be downloaded for free.

The link redirects to an uncanny imitation of our real WTP download page with the URL hxxp:// {BLOCKED}.update-windows-microsoft.com/products/enterprise/wtp2.htm. This attack takes advantage of a vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access that allows remote code execution to download and execute a malicious file detected by Trend Micro as BKDR_AGENT.AVAJ.

Figure 2. Screenshot of the supposed download site
Trend Micro is not the only victim of the domain hxxp:// {BLOCKED}.update-windows-microsoft.com/. Our initial investigation found spoofed login pages of Taiwan’s Yahoo! mail (Figure 3), Gmail (Figure 4), and Hotmail (Figure 5) hosted in the same domain.
These pages are probably part of the usual phishing scheme, crafted and deployed to gather email addresses for spam distribution and to steal confidential information from the users’ mail accounts.
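The common thread in this report is a single lookalike domain that borrows Microsoft and Windows branding while hosting pages that impersonate Trend Micro, Yahoo!, Gmail, and Hotmail. As an added example (not code from the original post or from Trend Micro), the Python script below runs the defensive check that suggests: it pulls the hostname out of each proxy log request, reduces it to its registrable domain, and flags hosts that name a brand without belonging to that brand. The log format, the brand-to-domain table, and the `ex` label standing in for the blocked part of the hostname are all constructed for this demonstration.

```python
from urllib.parse import urlsplit

# Brands that lookalike hostnames tend to embed, mapped to the registrable
# domains that legitimately serve them. Illustrative table, not exhaustive.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "windowsupdate.com", "live.com"},
    "windows": {"microsoft.com", "windowsupdate.com"},
    "trendmicro": {"trendmicro.com"},
    "yahoo": {"yahoo.com", "yahoo.com.tw"},
    "gmail": {"google.com", "gmail.com"},
    "hotmail": {"hotmail.com", "live.com"},
}

# Two-level public suffixes this demo recognises; anything else is treated as
# a one-label suffix ("com", "net", ...). A real deployment would use the
# Public Suffix List instead of this hand-picked set.
TWO_LEVEL_SUFFIXES = {"com.tw", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain of a hostname, e.g.
    'ex.update-windows-microsoft.com' -> 'update-windows-microsoft.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_brands(host: str) -> list[str]:
    """Brands named anywhere in the hostname whose registrable domain is not
    one of that brand's own domains. Empty list means nothing suspicious."""
    reg = registrable_domain(host)
    lowered = host.lower()
    return [brand for brand, legit in BRAND_DOMAINS.items()
            if brand in lowered and reg not in legit]


# Constructed proxy log lines (timestamp, client, method, URL, status); not
# real telemetry. The hostname in lines 2 and 4 follows the one in the post,
# with the blocked label replaced by the constructed label "ex"/"mail".
SAMPLE_LOG = """\
2008-07-28T10:02:11 10.0.0.12 GET http://www.trendmicro.com/products/enterprise/wtp.htm 200
2008-07-28T10:03:45 10.0.0.12 GET http://ex.update-windows-microsoft.com/products/enterprise/wtp2.htm 200
2008-07-28T10:04:02 10.0.0.27 GET http://login.yahoo.com.tw/config/login 200
2008-07-28T10:05:30 10.0.0.27 GET http://mail.update-windows-microsoft.com/yahoo/login.htm 200
2008-07-28T10:06:10 10.0.0.31 GET http://mail.google.com/mail/ 200
"""


def flag_lookalike_requests(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, hostname, impersonated brands) for every request
    whose hostname looks like a brand but is not served from that brand's
    registrable domain."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed or truncated lines
        client, url = parts[1], parts[3]
        host = urlsplit(url).hostname
        if not host:
            continue  # no hostname to judge (e.g. relative or garbled URL)
        brands = lookalike_brands(host)
        if brands:
            flagged.append((client, host, brands))
    return flagged


if __name__ == "__main__":
    for client, host, brands in flag_lookalike_requests(SAMPLE_LOG):
        print(f"{client} -> {host}  (impersonates: {', '.join(brands)})")
```

Running the script prints the two requests to the lookalike domain and leaves the genuine Trend Micro, Yahoo! Taiwan, and Gmail hosts alone. The check is deliberately strict about the registrable domain rather than the full hostname, because a phishing kit can put any brand it likes in a subdomain; only the part the attacker actually registered is evidence.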

Figure 3. Fake Yahoo! email login page

Figure 4. Fake Gmail email login page

Figure 5. Fake Hotmail email login page
The malicious site mentioned above is already blocked in the Trend Micro Smart Protection Network.
We are still investigating the various malware samples we found stored in these URLs. Please stand by for updates.
Note also that Trend Micro will NEVER send tools or applications through email.
Trend Micro cautions users to never open or download attachments from people unknown to them, and to download tools or applications from trusted sites only.
Update as of 30 July 2008
Our researchers have found that the spoofed login pages of Taiwan’s Yahoo! mail, Gmail, and Hotmail take advantage of a vulnerability in Microsoft Data Access Components (MDAC) that allows remote code execution. The exploit is used to run the routine behind the spoofed login pages, which is to steal user information. More information on this vulnerability can be found here.