Spear phishing has been used by cybercriminals before in attacks that involved specific targets. In the previous post, “So Is It Twitter or Facebook?,” for instance, cybercriminals exploited Twitter’s direct message function to inform users that their pictures were seen on another website, the link to which is embedded in the same message. The link led to a bogus Facebook page from which user credentials are then stolen.

In this attack, the cybercriminals went as far as spoofing the From field to imply that the sender is from the same company the target is employed in. The URL embedded in the email is also customizable, depending on who its intended recipient is. Clicking the link points the user to a bogus Gmail Taiwan login page where the target’s user name has already been entered.

According to TT Tsai, this phishing attack seems to be targeting the Taiwan government as some of the phishing domains we have encountered are hosted in Taiwan, not to mention that the page uses the Chinese language.

Here’s a list of malicious domains users should be wary of:

• http://google.com.microsoft-server.tw/google/accounts/ServiceLogin.asp?uid=vq4hasv2o1xn&name=victim
• http://google.com.microsoft-server.tw/google/accounts/ServiceLogin.asp?uid=vq4hasv2o1xn&name=victim

TT Tsai, however, added that the cybercriminals are rapidly changing domains and taking down previously used ones to avoid detection and blocking.

As of this writing, all spam and phishing URLs related to this attack are already being blocked by the Trend Micro Smart Protection Network™. Non-users of Trend Micro products can stay protected from this and other similar attacks by using free tools such as eMail ID.

Post from: TrendLabs | Malware Blog - by Trend Micro

Taiwan: Spear Phishers Target Gmail Users

The Trojan takes advantage of critical vulnerabilities in Adobe Reader 9.1.3 and Acrobat 9.1.3; Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh, and UNIX; and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities can cause the application to crash and can potentially allow an attacker to take control of an affected system. Adobe has thus advised users to patch their systems and download the necessary updates.

The Trojan belongs to an old but notable malware family known as “ASProx,” which plagued the Web last year. It was so notable that it made its way to Trend Micro’s Top 8 in 2008 list.

Most ASProx variants, including this most recent one, exhibited the same payload. They first compromised several websites. Visiting the said sites then triggerred redirections to various malicious URLs that ultimately led to the download of more malicious files.

The recent reemergence of the ASProx code or the cybercriminals behind it may not have brought anything new to the table but it is noteworthy in that this attack seemingly brought the botnet back from the dead after almost a year of inactivity.

Users, as usual, are thus warned to refrain from opening suspicious-looking files. They are also strongly advised to patch their systems regularly to avoid becoming prey to vulnerability exploits.

Trend Micro Smart Protection Network™ protects users from this threat by blocking access to malicious URLs and preventing the download of malicious files. Mac users are also protected through Trend Micro Security for Mac and Smart Surfing for Mac.

Non-Trend Micro product users, on the other hand, can also stay protected with Housecall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.

Important correction, posted October 16, 2009: TROJ_PIDIEF.ASP exploits vulnerabilities cited in CVE-2009-0927 and CVE-2007-5659, not the previously posted vulnerability discussed in the second paragraph above. We apologize for any confusion caused by this oversight. Adobe users should enable the auto-update feature in their product to receive patches that address these vulnerabilities.

Post from: TrendLabs | Malware Blog - by Trend Micro

ASProx Resurfaces with a Mass Compromise in Tow

1. KOOBFACE knows: KOOBFACE has the capability to steal whatever information is available in your Facebook, MySpace, or Twitter profile. Profile pages of these social networking sites may contain information about one’s contact details (address, email, phone), interests (hobbies, favorite things), affiliations (organizations, universities), and employment (employer, position, salary). So beware, KOOBFACE knows a lot! 
2. KOOBFACE doesn’t just know you through your profile information, they also know what you look like!: Not only does the botnet steal profile information, it also makes sure to put a face to the name by getting one’s profile picture as well.
3. URLs leading to KOOBFACE malware are either in compromised or free Web hosting sites: Yep, call them cheap but the guys behind KOOBFACE are making good use of compromised and free Web hosting sites in spamming KOOBFACE-related URLs. These URLs are spammed in social networking sites with catch phrases like “funny video,” which lead to a fake YouTube or Facebook site, which then leads to KOOBFACE malware. 
4. KOOBFACE zombies are made into Web servers on top of being social networking site spammers: KOOBFACE installs a Web server component into infected machines, which effectively makes the infected machine part of the malware’s distribution network. Infected machines serve fake YouTube or Facebook pages, which then lead to the KOOBFACE malware. 
5. KOOBFACE zombies are able to distribute repackaged versions of the malware: KOOBFACE Web servers are able to use UPX, a popular executable packer program, to pack (compress) the KOOBFACE binaries they serve.
6. Half of KOOBFACE infections occur in the United States: This is not surprising since majority of the social networking site users reside in the United States.  
7. KOOBFACE is able to block IP addresses: Probably in an effort to protect itself against takedown or snooping by curious researchers, KOOBFACE implemented a blockIP routine where traffic coming from a particular IP range is blocked. 
8. KOOBFACE is able to defeat Facebook’s spam filtering: Facebook, MySpace, and Twitter have recently implemented a spam-filtering mechanism where known spam URLs are blocked. KOOBFACE tries to circumvent this by first testing if a KOOBFACE spam URL is blocked by Facebook or not.

So there, some things you may not know about KOOBFACE. If this whets your appetite for more information, you may read our research paper The Heart of KOOBFACE: C&C and Social Network Propagation, fresh off the grill from the White Papers section of TrendWatch.

Post from: TrendLabs | Malware Blog - by Trend Micro

8 Things You Probably Didn’t Know About KOOBFACE

 
According to Senior Threat Analyst Joseph Pacamara who found out about the mass compromise, cybercriminals are now entertaining the idea of employing compromised legitimate sites as an avenue to proliferate FAKEAVs.

As of this writing, Trend Micro has contacted and informed all entities concerned to clean up the said websites. They have also been informed of the user risks brought about by such attacks. We have also notified ThaiCERT regarding the compromised sites. Users of Trend Micro Smart Protection Network are protected from this attack.

Post from: TrendLabs | Malware Blog - by Trend Micro

Several Compromised Thai Sites Serve Malware

Renren users received messages from their friends with a link that pointed to a video of the Pink Floyd song Wish You Were Here which is detected as SWF_EXECJS.A. When the user clicks the said link it executes SWF_EXECJS.A, which does show legitimate video of the song, as seen below:

Figure 1. Legitimate video played by XSS attack

However as the video is shown, SWF_EXECJS.A connects to a URL to execute a script detected as JS_DLOADR.ATJ. JS_DLOADR.ATJ searches for cookies related to Renren and then sends out messages with a link to the same video to everyone on the user’s list of friends. These routine are all done automatically, without any input or consent from the user.

As it is, the attack was fairly limited, but it could have been much worse. It could have taken a page from KOOBFACE malware and sent out links to malicious sites, for example. Such attacks would be enough to put a truly ironic twist on the video used for this attack. As it is, all it did was annoy some people and embarrass Renren.

Similar attacks that do little have hit social networking sites before, most notably Orkut, which is owned by Google.

Both components of this attack are detected by the Smart Protection Network.

Post from: TrendLabs | Malware Blog - by Trend Micro

XSS Attack Targets Chinese Social Networking Site

The site was compromised with a script that sent users to a domain identified by Trend Micro researchers as a known disease vector, as shown in this NoScript window captured by Senior Security Analyst Rik Ferguson:

The compromised pages themselves were detected as HTML_YBLOD.A, but the payload onto the affected system was a varied lot, including the following malware: BKDR_RUSTOCK.GM, BKDR_RUSTOCK.ER, TROJ_PATCHED.P, TROJ_PATCHER.AM, and TROJ_TEDROO.E. Any one of these would have been enough to give users problems, but having this much malware arrive through just one vector just illustrates how serious a threat having a compromised website can be–both for users and website owners.

Ultimately, the burden falls primarily on webmasters to properly secure their websites: best practices such as updating software packages and using strong passwords are a must today. Users must also take care when browsing–being on a known legitimate site is no guarantee of safety.

Trend Micro Smart Protection Network protects users from similar attacks by detecting the website harboring the script as HTML_YBLOD.A (as long as the script is still in the pages’ source codes), and blocking access to malicious URLs.

Post from: TrendLabs | Malware Blog - by Trend Micro

Compromised Websites: It Can Happen To Anyone

• http://lsg.kerala.gov.in
• http://www.lsg.kerala.gov.in
• http://www.bangaloremirror.com
• http://www.mumbaimirror.com
• http://www.kolkatamirror.com
• http://www.mumbaipluses.com
• http://education.indiatimes.com
• http://www.kolhapurbusiness.com
• http://www.bizxchange.in
• http://timesascent.in
• http://www.studio3india.com
• http://www.timesascent.co.in
• http://www.mumbaibusinessdirectory.in
• http://www.tourindianow.org
• http://www.bizxchange.in
• http://www.maharashtradirectory.com

Based on Trend Micro threat analyst Joseph Pacamarra’s initial findings, the Trojan detected as TROJ_AGENT.HOZZ has only been seen so far in two domains, jatrja.com and js.tongji.linezing.com. Figure 1 below shows how users can get infected.

Trend Micro product users need not fret though as Smart Protection Network already protects users from these threats but should still be wary of the sites they visit as the final malware payload seems to be a new type of information stealer.

Update as of 17 July 2009, 16:00

Trend Micro threat analyst Joseph Pacamarra confirms that the number of websites compromised in this attack is 6,810 and rising.

Post from: TrendLabs | Malware Blog - by Trend Micro

Massive SQL Injection Ensues

Click fraud has become a rapidly growing problem for legitimate companies and advertising networks as it inflates online advertising costs. In the past few years, cybercriminals have been using malicious software to perpetrate click fraud. They hijack search results displayed by engines whenever a user tries to find something online. Unfortunately, these scams can be unwieldy, as victims often quickly figure out that something is wrong when their searches are redirected to unfamiliar portals.

Click fraud Trojans are as old as Internet advertising itself. These usually come in one of the following two types:

• Browser hijackers that change a user’s start page and searches to redirect to a third-party search engine
• Trojans that silently pull down a list of advertising URLs and generate fake clicks on the ads in a hidden Internet Explorer window

The new Trojan, however, differed, as every click on an advertisement is user generated. The user does not even notice any change in his or her Web-browsing activities.

This Trojan may also be unknowingly downloaded by a user while visiting malicious websites. It executes and attaches an NTFS Alternate Data Stream (ADS) to a legitimate system file. It then deletes the .EXE file after execution to prevent detection and consequent removal, leaving the ADS in place. Afterward, it connects to a remote URL to download its configuration file. Once done, it monitors the user’s Web-browsing activities and redirects searches in Google to the website found in the downloaded configuration file.

Trend Micro product users need not fret though as Smart Protection Network already protects their systems from this threat.

Post from: TrendLabs | Malware Blog - by Trend Micro

Click Fraud Takes a Step Forward with TROJ_FFSEARCH

The new component uses a victim’s Twitter account to post tweets using Internet-browsing cookies to log in to the target user’s account. Tweets can more successfully be posted when the victim is currently logged on to his/her Twitter account as the ‘evil’ Koobface binary runs in the background.

Figure 1. Twitter account of an infected PC

The supossed tweets are retrieved from a Koobface C&C domain and use Tinyurl.com to shorten and kind of obfuscate the URL included in the message.

Figure 2. Network stream of an affected PC

Visiting the posted URL leads to a Koobface redirector page that opens the same old ‘fake’ YouTube page that hosts the Koobface loader posing as an Adobe Flash Player update also known as the infamous setup.exe.

Figure 3. Fake YouTube page that installs setup.exe

As with earlier Koobface-related attacks, however, Trend Micro product users need not worry about being infected as Smart Protection Network already blocks malicious sites and files from running on their systems. They should, however, still keep in mind that an ounce of prevention is always better than a pound of cure.

Related posts on Koobface:

• Koobface Worm Alive and Wriggling
• Koobface Tries Captcha-Breaking
• Bogus Facebook Malware and a Dancing Girl

Twitter, likewise, was never that safe from attacks:

• Another Sex Tape, Another Malware Attack
• Wholsesale Redirects to Malware Averted For Now
• Iran Street Protests Paralleled by DDoS Attacks

Update on June 28:

Setup.exe is now detected as WORM_KOOBFACE.DC. It has the ability to fetch information from the affected PC and to send said info to URLs via HTTP POST.

Moreover, Koobface writers immediately updated their mal-tweets, cleverly using current events related to Michael Jackson’s death. Luckily, the URL included in the message did not change and is still being blocked by Smart Protection Network.

Along with the updated tweets is an update of a Koobface binary (TROJ_KOOBFACE.AJ) targeting Facebook. This binary is already being processed. More details will be provided as analysis progresses.

Post from: TrendLabs | Malware Blog - by Trend Micro

Koobface Tweets

As reported by Ivan Macalintal, Trend Micro Threat Research Manager, the infection starts when a user accesses a compromised site that automatically redirects him/her to several sites. These sites were actually a trio of malicious domains (specific .KZ and .TW sites) constantly used by attackers in their scheme of redirecting users to a malicious IP address registered somewhere in the Ukraine.

The chain ends when the user’s browser lands on a page that contains exploits for vulnerabilities in various software including Adobe Acrobat and Shockwave. Advanced Threat Researcher Joey Costoya also pointed out that a previously reported PoC in Office OCX Word Viewer is also among the exploits used in this attack.

Compromised websites were injected with blocks of obfuscated script, detected as JS_DLOADR.ALP (see Figure 1):

• hdOruVsHnKBXZuvtsRmw
• eMCeGjolMPJFNuucZWLk
• vIkytowORShQVZqTBFox

The number of blocks can be as many as seven to eight, which can be seen in the snapshot below of a compromised site of a Web hosting provider in Hong Kong. Hosting provider? Yikes!

The user will then be redirected to a series of websites that use referrers to avoid detection and subsequent removal. The infection chain ends when the user is finally redirected to an exploit-laden landing page.

The final pages in the infection chain, Costoya also reported, are part of a Web exploit toolkit called Yes Exploit System, which includes .PDF and .SWF exploits, detected as TROJ_PDFEX.J and TROJ_SWFLDR.AB, respectively.

Both .PDF and .SWF files lead to binary payload that look similar to a new kind of information stealer detected as TSPY_SILENTBAN.U. TSPY_SILENTBAN.U installs itself as a Browser Helper Object (BHO) on the affected system and monitors Internet activity. Gathered information are then sent to a remote user using HTTP POST.

Note that as of this writing, the binary payload retrieved from the attack uses this spyware. It is more likely that in future attacks, other payloads can be used.

Fortunately, Trend Micro Smart Protection Network blocks all malicious sites and detects all related malware. Thus, users need not worry about being infected.

Information on the vulnerabilities exploited in this attack can be found on the following pages:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927
• http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5659
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2496

Users are also strongly advised to update their software in order to avoid being affected by this attack.

Post from: TrendLabs | Malware Blog - by Trend Micro

Another Messy Mass Compromise Emerges

Unfortunately, cybercriminals have used such services as part of various schemes before. Earlier this week, in fact, it’s safe to say the Internet dodged a big bullet.

The database of Cligs, the #4 URL redirection service used on Twitter, was compromised sometime on Sunday night/Monday morning. According to the official Cligs blog, approximately 2.2 million redirects were edited to go to a post talking about Twitter hash tags at a blog maintained by the Orange County Register. It’s unclear who did it and why, although it might well be a case of it being done because it could be done.

While the attack caused little long-term damage, it could have been indescribably worse. Had it happen to a bigger redirection service like Bitly or TinyURL, the numbers of affected users would have been far greater. In addition, the links didn’t go anywhere malicious. It would have been just as easy for the links to go to malware – and it wouldn’t have been very hard to do so in a way that would be invisible to most users.

This could have been a far bigger problem, but thankfully it wasn’t. What it is, however, is a warning about the dangers of URL redirection. There’s not much consumers can do on their own, but providers should double-check their own security measures.

Post from: TrendLabs | Malware Blog - by Trend Micro

Wholesale Redirects to Malware Averted, For Now

Although it hasn’t been confirmed if the DDoS attacks were indeed successful, several Iranian government websites have been reported inaccessible. Noah Shachtman from Wired expressed his concerns about Iran’s network infrastructure being centralized, which causes Internet connection across the country to normally be unstable as it is. Unnecessary, overwhelming traffic caused by the attacks may affect Internet access not only for those actually targeted by the DDoS, but pretty much every one else in Iran.

The centralization of Iran’s network also enabled the blockage of certain websites, which left people using social networking sites such as Facebook and Twitter, in order send out information to outside Iran. Twitter, most especially, was used as the main channel for people to post information, and was even forced to reschedule a planned maintenance just to keep the channel open to the people who are rallying information to and from Iran.

Calling for attacks for the sake of getting their messages across is an action far from actually causing any positive development in the situation. The only thing these hacktivists are succeeding in is making things worse. So please, do not participate in any of these activities.

The Web has been a convenient avenue for activists to express their beliefs, all of which affecting not only those targeted by the attacks, but other users as well.

Other posts on hacktivism:

Post from: TrendLabs | Malware Blog - by Trend Micro

Iran: Street Protests Paralleled by DDoS Attacks

Once decoded, it tries to connect to URLs to download exploits for several vulnerabilites in order to gain access of the affected user’s system. The obfuscated malicious JavaScript is detected as JS_DROPPER.LOK while the URLs that trigger the download of the exploits are detected as TROJ_SHELLCOD.HT. Upon successful exploitation, other malicious files are then downloaded, which Trend Micro detects as TROJ_MEDPINCH.B, and TROJ_MEDPINCH.A.

TROJ_MEDPINCH.B connects to other URLs to download info-stealers SPYW_IEWATCHER and TSPY_LDPINCH.CBS. On the other hand, TROJ_MEDPINCH.A drops yet another info-stealer: TSPY_LDPINCH.ASG. TSPY_LDPINCH.ASG steals user names, passwords, and other account and installation information of the following applications:

• INETCOMM Server
• Microsoft Outlook
• Mirabilis ICQ
• Opera Software
• The Bat!
• Total Commander
• Trillian

Though this compromise occurs within close proximity days after Gumblar’s last attack, no mention of the Gumblar.{BLOCKED} domain appears in the code. This attack may indeed be a separate one from Gumblar, or possibly be inspired by it. Related URLs are already blocked by the Smart Protection Network, but it is highly advised that user’s patch their system to minimize the chances of exploit through the following updates:

• Vulnerability in Windows Explorer Could Allow Remote Execution
• Buffer overflow in Apple QuickTime 7.1.3
• Buffer overflow in the WZFILEVIEW.FileViewCtrl.61 ActiveX control
• Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution
• Microsoft Internet Explorer 7 Memory Corruption Exploit

Post from: TrendLabs | Malware Blog - by Trend Micro

Another Wave of Mass Compromises Serve Info-Stealers

Invariably, summer (at least for people in most parts of the world) is when people troop to online shops, book flights to go on much-awaited vacations, and schedule recreational activities or hobby-type classes. Trend Micro identifies some of the biggest threats that take advantage of summer, an “important season for the social agenda of individuals.”

1. Shopping invoices for ghost transactions: Users, even those who don’t really purchase anything online might, out of curiosity, open fake receipts sent via email or click malicious receipt links, become immediately vulnerable to identity theft.
2. Ecommerce phishing: Shoppers on eBay, one of the most popular online retailers, should be vigilant not to fall prey to phishing attacks and other illicit schemes as the site is also one of cybercriminals’ favorite places to launch the largest number of phishing attacks
3. Compromised high-traffic websites: High-traffic websites, especially during the summer when shoppers flood to online stores and auction and other ecommerce sites, are likely to attract cybercriminals like bees to honey.
4. Poisoned shopping search results: Query results for summer-related strings can be manipulated to yield links to websites rigged with malware.
5. Malicious advertisements or malvertisements: Users fond of getting good bargains online can fall prey to malware-carrying ads, particularly those strategically placed on high-traffic websites.

Apart from online-shopping-related scams that proliferate during the summer season, companies also usually release new products this time of year. For instance, the official launch of Windows 7 RC was soon followed by its release in warez and torrent sites that, unfortunately, came with malware surprises.

Besides being famous for the release of new products, summer is also the time when big movie producers release their blockbuster bets. In fact, almost every week, a highly anticipated film or sequel is shown in theaters worldwide, much to the delight of moviegoers and, of course, cybercriminals. In the past, potential viewers were lured with raffle entries for either free tickets or movie merchandise. Some use codecs embedded in exclusive trailers or downloadable uncut versions. Still others compromise high-traffic fan sites, blogs, or even the movies’ official sites themselves then spread malware to unknowing users’ computers.

Users should therefore be wary when searching for the next big thing as hackers never rest and never stop developing the next big security threat as well.

Post from: TrendLabs | Malware Blog - by Trend Micro

Social Engineering Watch: Summer

While the site is now clean, Threat Analyst Joseph Pacamarra found another attack capitalizing on the same sex video scandal, this time using the Ask George website, the state-wide information portal of Washington DC in the US. Accessing the said page, which had been injected with a script containing the words “katrina+halili+sexy+pic,” redirects to a site under a certain hot-unlikely-tube(dot)com domain.

Clicking on the black screen, the user is informed that s/he needs to download a codec to be able to watch the video. But instead of a codec, the user downloads malware: TROJ_DLOAD.TID and its payload, TROJ_COGNAC.J.

TROJ_COGNAC.J is saved as b.exe. It modifies the system registry to make sure it runs at every startup. It assists TROJ_DLOAD.TID in downloading files named qwerce.gif and a.exe from different URLs. As of this writing, the .gif file is non-malicious, and the URL that downloads a.exe is not accessible. While this means little danger for current victims of these attacks, the actual contents of the URLs may actually change any time to exhibit more dangerous side-effects.

The affected pages from the said site appear to have been modified last May 30, early morning US time. (Updated June 2, 22:40 PM PST: We have verified that the affected site is now clean as of this writing. Website administrators are advised to conduct penetration testing for their sites especially for high-traffic and high-interactivity ones.)

Post from: TrendLabs | Malware Blog - by Trend Micro

Government Sites Tainted with Sexy Star Video Lures