Microsoft has not confirmed independent reports. A spokesman said the company was still investigating the issue. Enterprise users are protected by Trend Micro products such as Deep Security and Intrusion Defense Firewall. Trend Micro has issued a security advisory with some more technical details on this vulnerability.

Other users are advised to block the ports used by the SMB protocol and await the official Microsoft response.

Update as of 11:01 P.M. While Microsoft has not confirmed these reports as of this writing, we have verified that Windows 7 is vulnerable.

Update as of November 14, 6:20 A.M. Microsoft has released a security advisory for this vulnerability. Accordingly, the said vulnerability can’t be used to install malicious files and to take control of one’s system. Although the exploit code has been published already, Microsoft said that it hasn’t received any reports of known attacks in the wild. As a workaround, Microsoft advises users to block TCP ports 139 and 445 at the firewall.

Post from: TrendLabs | Malware Blog - by Trend Micro

New SMB Zero-Day Exploit?

A few days after its appearance, reports suggested that the threat had spread. More than 500,000 unique hosts spread across networks in the United States, China, India, the Middle East, Europe, and Latin America fell prey to the threat. Several residential broadband service providers also reported having an even larger number of infected customers.

New Year, New Variant

In January of this year, a few security websites and media outlets reported a wave of detections of another DOWNAD variant.

This variant first sent exploit packets for a Microsoft Server Service Vulnerability to every machine on the network and to several randomly selected targets over the Internet. It then dropped a copy of itself in the Recycler folder of all available removable and network drives and created an obfuscated autorun.inf file on these drives so it can execute every time a user browsed a network folder or removable drive without actually clicking on the file. It then enumerated the available servers on the network and, using this information, gathered a list of user accounts on the machines.

Afterward, it ran a dictionary attack against these accounts using a predefined password list. If it succeeds, it dropped a copy of itself on the systems and used a scheduled task to execute the worm.

Improved Domain Generation Functionality

In March, the most hyped DOWNAD variant reared its ugly head. WORM_DOWNAD.KK’s additional features included an increased number of generated domains, from the 250 generated by earlier variants to 50,000.

While it only attempted to connect to around 500 randomly selected domains at a time, this modification was seen as an effort to increase the botnet’s chances of survival until it was set to unleash its enigmatic payload on April Fools’ Day.

DOWNAD Uses P2P

April 1 came and went. No signs of the DOWNAD worm were seen until a week after. Threat researchers keeping an eye out for new DOWNAD-related activities saw a new file—the newest worm variant—in infected systems’ Windows Temp folder created exactly on April 7, 2009 at 07:41:21. What was odd about this was that no HTTP download took place around that time though a huge encrypted TCP response from a known DOWNAD/Conficker peer-to-peer (P2P) IP node, which was hosted somewhere in Korea, was found.

This variant was set to stop running on May 3, 2009; ran using random file and service names; deleted dropped components afterward; propagated via an exploit to external IP addresses if the system had Internet access or to local IP addresses if it did not; opened port 5114 and served as an HTTP server by broadcasting via an SSDP request; and connected to sites such as MySpace, MSN, and eBay.

Infection Peaks

In a span of just four months (November 2008–February 2009), the DOWNAD infection count peaked, from initially infecting around 500,000 PCs to 9 million PCs. It certainly wreaked a lot of damage, taking advantage of exploits to spread malicious code as a social engineering ploy. DOWNAD was used to create a botnet that can be utilized for the usual range of threats that lurk in the Web—spamming, distributed denial of service (DDoS) attacks, and spreading FAKEAV. According to Trend Micro Advanced Threats Researcher Ryan Flores, “DOWNAD/Conficker opened the IT security industry’s eyes by exposing several truths and areas that IT professionals commonly overlook.”

Updated Patches Still Key

It has been a year since DOWNAD/Conficker first infected PCs. If we have learned anything from this experience, it should be that most worms spread by exploiting network-based vulnerabilities. That is why it is very important to secure connected devices, and keep them up-to-date with the latest patches.

Of course, this would be hard to do if you use pirated software. So using legitimate software copies is also key to keeping data and even your identity secure, especially in today’s worsening threat landscape.

Post from: TrendLabs | Malware Blog - by Trend Micro

DOWNAD/Conficker Turns 1yr

• Weather Report for Halloween: High Chances of a Storm
• “Halloween Costumes” Bring More Fright Than Expected

But just how scary is the Web 2.0 environment nowadays? Let us run down a list of the scariest threats thus far:

• 2009 saw the emergence or resurfacing of three of the most notorious botnets in relation to information, financial, and identity theft—Koobface, ZeuS, and Ilomo. Botnets control more compromised machines than previously believed. Only a handful of cybercriminals have more than 100 million computers under their control. This means they have more computing power at their disposal than the entire world’s supercomputers combined. It’s no wonder then that more than 90% of all email worldwide is now spam.

Koobface is most known for preying on social networking and micro-blogging site users. It has transcended from its original design of taking over accounts to spread malicious links using the affected users’ credentials to spreading a FAKEAV or its variant to users who just happen to visit a compromised site or to click anywhere on a malicious page where a copy of the malware is hosted.ZeuS/ZBOT

The ZeuS botnet, on the other hand, is best known for ebanking attacks targeting small businesses that do not have full-time IT staff and only 1–2 payroll personnel. It was first introduced by Rock Phishers this April, paving the way for the rise of easy-to-use kits that yielded professional-looking phishing pages. Its latest components, also known as “ZBOT variants,” now come compressed in more and more complex packers.

Ilomo, the third most dangerous botnet, Ilomo, also known as “CLAMPI” or “LOMOL,” is known for injecting code into an affected user’s browser to wait for him/her to connect to one of over 4,000 banking, financial, or Web mail sites so it can steal his/her credentials. It can, however, also “piggyback” on the user’s session to transfer funds from his/her account to a remote one while making a mockery of the bank’s secure login system. The botnet also sells “anonymity as a service” as every infected machine can act as a proxy, allowing cybercriminals to route their illegal activities through different networks and countries, thereby evading detection.

• Tricking users into downloading FAKEAV has been an age-old cybercriminal tactic that apparently has not stopped working. Hence the continuous rise in the number of FAKEAV pushed to unwitting scam victims up to this day. Trend Micro estimates that more than 100,000 users receive messages saying they have been infected by malware while visiting malicious sites and that there are more than 48,000 FAKEAV offerings per month.Apart from its ability to rake in a lot of dough, it is also hard to detect due to its numerous domains and redirectors, giving security experts a hard time tracking all related activities down. FAKEAV will thus continue to plague users for a long time because its ploy works.

• In June 2009, Microsoft broke its December 2008 record of releasing patches for 28 vulnerabilities with the release of 10 security advisories to address 31 vulnerabilities in its OSs and other software.
  Unpatched vulnerabilities can allow cybercriminals to exploit users’ systems. For instance, unpatched vulnerabilities in a system’s browser can allow cybercriminals to run arbitrary code if the user happens to browse through a malicious website, leaving him/her at the mercy of online predators.Microsoft was not alone in this predicament though. Adobe and Firefox have had their share of exploited vulnerabilities as well.

Why do more and more people join the cybercriminal bandwagon? The answer is plain and simple, because there is a lot of money to be made in infecting users. FAKEAV, for instance, sell for an average price of US$50 each. Just imagine how much money cybercriminals can make even if they just sell to a fraction of their target user base!  Our threat research papers provide detailed information of such cybercrime activity, if you’re interested, you can read them here.

And if that isn’t scary enough, Trend Micro’s threat researchers found that the going rates for stolen data (credit card information and user credentials) and for infecting users’ systems continue to rise each year. Cybercriminals never seem to run out of tricks to spread threats to users throughout the Web. No wonder U.S. President Obama officially announced October as the “National Cyber Security Awareness Month!”

Post from: TrendLabs | Malware Blog - by Trend Micro

Trick or Threat?

Based on our findings, the shellcode (that was heap sprayed) jumps to another shellcode inside the .PDF file. The said shellcode then extracts and executes a malicious file detected by Trend Micro as BKDR_PROTUX.BD. The said backdoor is also embedded in the .PDF file and not the usual file downloaded from the Web. Protux variants are known for their ability to provide unrestricted user-level access to a malicious user. Earlier variants of the Protux backdoor were seen to have been used as payload in previous attacks exploiting vulnerabilities in Microsoft Office files.

As of this writing, Adobe has indicated that it will include this vulnerability in its upcoming security update release. Meanwhile, users are recommended to disable JavaScript in Adobe Acrobat/Reader to mitigate the said attack. To do this, they should follow these steps:

1. Run Acrobat or Adobe Reader.
2. Go to Edit > Preferences.
3. Select JavaScript under the Categories tab.
4. Uncheck the “Enable Acrobat JavaScript” option.
5. Click OK.

Users are also advised to patch their systems as soon as Adobe releases the security patch. Trend Micro protects users with the Smart Protection Network by detecting the said exploit.

Post from: TrendLabs | Malware Blog - by Trend Micro

New Adobe Zero-Day Exploit

Trend Micro researchers recently came across samples that exploited a new zero-day vulnerability in Adobe Reader 9.1.2 and Adobe Flash Player 9 and 10.

The exploit arrives as a PDF file embedded with Flash objects and malicious binary files. The Flash object contains a shellcode that allocates heaps of blocks in a system’s memory.

The exploits uses a technique known as heap spraying. Once a user opens a specially crafted PDF file, two binary executables are dropped and executed on his/her system. The .PDF file is detected by Trend Micro as TROJ_PIDIEF.ANQ or TROJ_PIDIEF.ANP, while the dropped files are detected as BKDR_HAYDEN.K, BKDR_HAYDEN.L, TROJ_AGENT.AXWS, and TROJ_AGENT.IAAK.

Since Adobe has not yet provided patches for the said vulnerabilities, users are advised to take extreme caution when viewing .PDF files. A workaround has been offered, but it also disables all Flash objects embedded in PDF files – which may or may not be acceptable, depending on one’s usage patterns. Patches from Adobe are not expected until the end of the month.

July has been an exceptionally busy for zero-day exploits. Early in the month, an exploit involving ActiveX controls was used to spread FAKEAV malware; just days ago this was joined by an exploit affecting Mozilla Firefox.

Trend Micro Smart Protection Network users are already protected from these threats.

Post from: TrendLabs | Malware Blog - by Trend Micro

Another Day, a New Zero-Day Exploit for Adobe

• JS_DIREKTSHO.B exploits a vulnerability in Microsoft Video Streaming ActiveX control to download other possibly malicious files.
• JS_FOXFIR.A accesses a website to download JS_SHELLCODE.BV. In turn JS_SHELLCODE.BV exploits a vulnerability in Firefox 3.5 to download WORM_KILLAV.AKN.
• JS_SHELLCODE.BU exploits a vulnerability in Microsoft OWC to download JS_SHELLCODE.BV.

Initial analysis done by Threat Analyst Jessa De La Torre shows that the scripts above may be unknowingly downloaded through either Firefox or Internet Explorer.

According to Mozilla, a Firefox user reported suffering from a crash that developers determined could result in an exploitable memory corruption problem. In certain cases after a return from a native function, the just-in-time (JIT) compiler could get into a corrupt state. This could then be exploited by an attacker to run arbitrary code. However, this vulnerability does not affect earlier versions of Firefox, which do not support the JIT feature.

Firefox 3.5 users can avoid this vulnerability by disabling the JIT compiler as described in the Mozilla Security Blog. This workaround is, however, unnecessary for Firefox 3.5.1 users.

On the other hand, the vulnerability in Microsoft Video ActiveX Control allows remote code execution if a user views a specially crafted web page with Internet Explorer, executing the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Microsoft is aware of attacks attempting to exploit the said vulnerabilities and advises its customers to prevent the OWC from running either manually or automatically using the solution found in Microsoft Knowledge Base Article 973472.

Trend Micro advises users to refer to the following pages to download updates/patches for the vulnerabilities the aforementioned script files exploit:

• Firefox: Mozilla Foundation Security Advisory 2009-41
• OWC: Microsoft Security Advisory (973472)
• DirectShow: Microsoft Security Bulletin MS09-032

Trend Micro advises users to download the latest scan engine to protect themselves against the above-mentioned exploits.

Post from: TrendLabs | Malware Blog - by Trend Micro

More Zero-Day Exploits for Firefox and IE Flaws

• http://lsg.kerala.gov.in
• http://www.lsg.kerala.gov.in
• http://www.bangaloremirror.com
• http://www.mumbaimirror.com
• http://www.kolkatamirror.com
• http://www.mumbaipluses.com
• http://education.indiatimes.com
• http://www.kolhapurbusiness.com
• http://www.bizxchange.in
• http://timesascent.in
• http://www.studio3india.com
• http://www.timesascent.co.in
• http://www.mumbaibusinessdirectory.in
• http://www.tourindianow.org
• http://www.bizxchange.in
• http://www.maharashtradirectory.com

Based on Trend Micro threat analyst Joseph Pacamarra’s initial findings, the Trojan detected as TROJ_AGENT.HOZZ has only been seen so far in two domains, jatrja.com and js.tongji.linezing.com. Figure 1 below shows how users can get infected.

Trend Micro product users need not fret though as Smart Protection Network already protects users from these threats but should still be wary of the sites they visit as the final malware payload seems to be a new type of information stealer.

Update as of 17 July 2009, 16:00

Trend Micro threat analyst Joseph Pacamarra confirms that the number of websites compromised in this attack is 6,810 and rising.

Post from: TrendLabs | Malware Blog - by Trend Micro

Massive SQL Injection Ensues

The Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution was used in a zero-day attack last week that involved around 967 compromised Chinese websites. A script that triggered the exploit was inserted in the said websites, which when successfully executed drops WORM_KILLAV.AI into the affected system. The security advisory MS09-032 already addresses the vulnerability used in this attack.

Here is the full list of security advisories issued for this month:

• (MS09-028) Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
• (MS09-029) Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)
• (MS09-030) Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (969516)
• (MS09-031) Vulnerabilities in Microsoft ISA Server 2006 Could Cause Elevation of Privilege (970953)
• (MS09-032) Cumulative Security Update of ActiveX Kill Bits (973346)
• (MS09-033) Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (969856)

The Office Web Components ActiveX vulnerability is the other vulnerability used in a malware attack this month. Similar to the zero-day attack, a script that triggers the exploit was inserted in compromised websites. This placed any visitor of the compromised websites who hasn’t updated their system at risk of being affected by TROJ_DLOADR.DOF, which drops a rootkit component detected as TROJ_ROOTKIT.DOF, and downloads TROJ_DLOADR.UIG and TROJ_INJECT.AKI. A patch for the said vulnerability hasn’t been issued, but Microsoft provided a workaround, to protect users while an update is being developed.

Meanwhile, users are advised to update their systems as soon as possible.

Post from: TrendLabs | Malware Blog - by Trend Micro

July 2009 Microsoft Security Updates

Last week saw another wave of compromised websites that had one thing in common—they were all running ColdFusion on their servers. ColdFusion is a popular platform for developing Internet applications. It is currently owned by Adobe. Users blamed the effectivity of this attack on older versions of certain ColdFusion applications that sported security vulnerabilities and allowed malicious users to upload code to run on already-compromised servers. Cybercriminals then modified the compromised sites to include iframe links to malicious websites.

As with previous attacks, these compromised websites download a malicious file Trend Micro detects as TROJ_DROPPER.PXQ onto the affected system. This file then drops and runs another file detected as TROJ_DLOADR.XNI, which in turn, downloads and executes files detected as TROJ_WIMPIXO.BG and TROJ_SOMEX.C.

Just like the other attacks, the end goal of this particular wave is to steal user information. However, the files in question are already detected by Smart Protection Network.

Post from: TrendLabs | Malware Blog - by Trend Micro

ColdFusion Spurs Another Mass Compromise

The shellcode of the exploit is XOR encrypted. Below is the screenshot of the decrypted shellcode:

Microsoft already released a security advisory regarding this vulnerability. More information can be found in the following page:

• Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution

Upon successful exploitation, the script downloads another malware detected as WORM_KILLAV.AI. This malware disables and terminates antivirus software processes, and drops other malware on the affected system.

As of this writing, all domains are blocked already by Smart Protection Network. Furthermore, OfficeScan users with Intrusion Defense Firewall plugin installed are protected from this threat if they have updated to the latest filters (IDF09021).

Post from: TrendLabs | Malware Blog - by Trend Micro

Zero-day MPEG2TuneRequest Exploit Leads to KILLAV

Exactly three months ago, the whole IT sector was waiting with bated breath for April 1. The latest DOWNAD/Conficker variant–WORM_DOWNAD.KK–was poised to strike. We know that on that day, it would attempt to access 500 of 50,000 websites and download new malicious files. This led to fears–somewhat misplaced–that new, possibly damaging payloads could cause severe problems, not just for systems already affected by DOWNAD but the Internet as a whole. Many sectors assumed the worst.

April 1 came and went, and… nothing happened. Several days later, another variant appeared, but without the Internet ending (as some of the worst reporting would have led readers believe) most people believed that DOWNAD, as a major threat, was gone.

While it may no longer be as in the news at it was at its height, DOWNAD didn’t suddenly go away. Recent estimates from the Conficker Working Group place the number of unique IP addresses affected by the top 3 DOWNAD variants at well over 5 million. Even considering the group’s disclaimer of putting the number of actually infected systems at only 25-75% of that number, a minimum of 1.25 million infected systems is nothing to laugh at.

The Trend Micro World Virus Tracking Center (WTC) numbers bear this out as well. Almost 790,000 systems were found to be infected with DOWNAD variants in the first three months of the year. In the three succeeding months, that number was almost 1.9 million. Clearly, DOWNAD did not decide to quietly go away.

In addition, out of the public eye, DOWNAD went off and did something with all those infected systems: it went off and formed its own botnet. This was documented in mid-April by Advanced Threat Researchers Paul Ferguson and Ivan Macalintal. The short version, however, is simpler: DOWNAD was used to create a botnet. These can be used for the usual range of threats: spam, Denial of Service attacks, spreading FAKEAV malware, and so on.

Like it or not, malware threats are part of what users have to deal with day in, day out. Like anything people deal with regularly, people become used to malware threats. What was once noteworthy and unusual becomes dull and ordinary. However, this in fact does not make the threat any less dangerous. If anything, it can be argued that it makes the threat more dangerous, as users are more likely to be caught unaware of a threat that may not be something they’re looking out for.

In a very real way, threats like DOWNAD become part of the background noise that is a part of life on the Internet. While it may be unrealistic to expect individual users to keep in mind all threats, but good computing practices will help immensely. The most important one may be: keep your software up to date. This is particularly true for your operating system–a properly patched system would have been proof against most DOWNAD variants. Trend Micro users would have been protected via the Smart Protection Network, of course, but closing the underlying vulnerability would still have been essential.

The price of using your computer freely in today’s Internet may well be constant and unceasing vigilance.

Post from: TrendLabs | Malware Blog - by Trend Micro

Three Months Later: Where’s DOWNAD?

As reported by Ivan Macalintal, Trend Micro Threat Research Manager, the infection starts when a user accesses a compromised site that automatically redirects him/her to several sites. These sites were actually a trio of malicious domains (specific .KZ and .TW sites) constantly used by attackers in their scheme of redirecting users to a malicious IP address registered somewhere in the Ukraine.

The chain ends when the user’s browser lands on a page that contains exploits for vulnerabilities in various software including Adobe Acrobat and Shockwave. Advanced Threat Researcher Joey Costoya also pointed out that a previously reported PoC in Office OCX Word Viewer is also among the exploits used in this attack.

Compromised websites were injected with blocks of obfuscated script, detected as JS_DLOADR.ALP (see Figure 1):

• hdOruVsHnKBXZuvtsRmw
• eMCeGjolMPJFNuucZWLk
• vIkytowORShQVZqTBFox

The number of blocks can be as many as seven to eight, which can be seen in the snapshot below of a compromised site of a Web hosting provider in Hong Kong. Hosting provider? Yikes!

The user will then be redirected to a series of websites that use referrers to avoid detection and subsequent removal. The infection chain ends when the user is finally redirected to an exploit-laden landing page.

The final pages in the infection chain, Costoya also reported, are part of a Web exploit toolkit called Yes Exploit System, which includes .PDF and .SWF exploits, detected as TROJ_PDFEX.J and TROJ_SWFLDR.AB, respectively.

Both .PDF and .SWF files lead to binary payload that look similar to a new kind of information stealer detected as TSPY_SILENTBAN.U. TSPY_SILENTBAN.U installs itself as a Browser Helper Object (BHO) on the affected system and monitors Internet activity. Gathered information are then sent to a remote user using HTTP POST.

Note that as of this writing, the binary payload retrieved from the attack uses this spyware. It is more likely that in future attacks, other payloads can be used.

Fortunately, Trend Micro Smart Protection Network blocks all malicious sites and detects all related malware. Thus, users need not worry about being infected.

Information on the vulnerabilities exploited in this attack can be found on the following pages:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927
• http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5659
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2496

Users are also strongly advised to update their software in order to avoid being affected by this attack.

Post from: TrendLabs | Malware Blog - by Trend Micro

Another Messy Mass Compromise Emerges

The spammed emails suggest that there are images in the attached PowerPoint presentation related to both the China-made jumbo jets and the Air France Flight 447, in order to lure the user into opening the specially crafted file.

The reported circulation of photographs showing the cabin of the Air France Flight 447 has been confirmed as being a hoax, while the China-made C919 Jumbo Jets haven’t been completed yet, announced rolling off the production lines in eight years.

The specially crafted .PPT file is detected by Trend Micro as TROJ_APPTOM.C. It exploits a vulnerability in Microsoft PowerPoint that allows remote code execution. Upon successful exploitation, it drops TROJ_INJECT.AIO which in turn opens a hidden Internet Explorer window and connects to a certain URL, to download additional malicious files.

Users are strongly advised to apply the patch provided by Microsoft to avoid being victimized by this threat. The Smart Protection Network provides protection from this threat by blocking the spam messages and detecting malicious files.

Post from: TrendLabs | Malware Blog - by Trend Micro

Air France Flight 447 Spam Arrives with PowerPoint Exploit

Once decoded, it tries to connect to URLs to download exploits for several vulnerabilites in order to gain access of the affected user’s system. The obfuscated malicious JavaScript is detected as JS_DROPPER.LOK while the URLs that trigger the download of the exploits are detected as TROJ_SHELLCOD.HT. Upon successful exploitation, other malicious files are then downloaded, which Trend Micro detects as TROJ_MEDPINCH.B, and TROJ_MEDPINCH.A.

TROJ_MEDPINCH.B connects to other URLs to download info-stealers SPYW_IEWATCHER and TSPY_LDPINCH.CBS. On the other hand, TROJ_MEDPINCH.A drops yet another info-stealer: TSPY_LDPINCH.ASG. TSPY_LDPINCH.ASG steals user names, passwords, and other account and installation information of the following applications:

• INETCOMM Server
• Microsoft Outlook
• Mirabilis ICQ
• Opera Software
• The Bat!
• Total Commander
• Trillian

Though this compromise occurs within close proximity days after Gumblar’s last attack, no mention of the Gumblar.{BLOCKED} domain appears in the code. This attack may indeed be a separate one from Gumblar, or possibly be inspired by it. Related URLs are already blocked by the Smart Protection Network, but it is highly advised that user’s patch their system to minimize the chances of exploit through the following updates:

• Vulnerability in Windows Explorer Could Allow Remote Execution
• Buffer overflow in Apple QuickTime 7.1.3
• Buffer overflow in the WZFILEVIEW.FileViewCtrl.61 ActiveX control
• Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution
• Microsoft Internet Explorer 7 Memory Corruption Exploit

Post from: TrendLabs | Malware Blog - by Trend Micro

Another Wave of Mass Compromises Serve Info-Stealers

In an attack which quickly garnered much attention in the security industry, visiting compromised websites were found to redirect the user to Martuz.{BLOCKED}, which leads to a download of a file in users’ systems. It then uses Adobe PDF and Flash player vulnerabilities to gain system access. Once installed, the malware is able to steal stored passwords, which it delivers back to its creators via FTP. These stolen passwords may ultimately lead to the unauthorized tampering of the user’s web server files, wherein obfuscated JavaScript is inserted into several files. The vandalized pages containing the JavaScript now become the malware author’s newest redirectors, continuing the vicious cycle of information stealing. Additionally, the malicious file poisons the results of Google searches conducted by the user of the affected system, thus leading them to more malicious domains.

Our engineers are still in the process of analyzing the said malicious file. In the meantime, Trend Micro detects the redirecting scripts as HTML_JSREDIR.AE and HTML_REDIR.AC. Injected scripts vary for each infected page, and the exact epicenter of the attack is still yet to be determined.

Using a browser other than Internet Explorer may help minimize the risk of getting infected, and updating software to address vulnerabilities is a must. Site owners should do an immediate cleanup if an infection is detected, and passwords should be changed as soon as possible.

Post from: TrendLabs | Malware Blog - by Trend Micro

Gumblar Finds Successor, Continues Info Stealing Spree