In recent years, we have seen client-side software heavily targeted by hackers in search of vulnerabilities. 2011 saw these threats become more complex and sophisticated. We saw attackers increasingly use zero-day vulnerabilities, some of which have been particularly critical. Examples of these include the vulnerability Duqu exploited (CVE-2011-3402); a Java vulnerability (CVE-2011-3544); or Adobe zero-day vulnerabilities, which were exploited in the wild.

The exploit attacks we saw this year were targeted, original, sophisticated, and well controlled.

Among the applications most targeted in the wild were Adobe Acrobat, Reader, and Flash Player; Java Runtime Environment (JRE)/Java Development KIT (JDK); and Internet Explorer. Exploit kits like Black Hole and Phoenix were really prompt to pick exploits for these applications and go after users with high success rates. We also saw browser vendors release patches several times within the year to patch critical vulnerabilities.

Attacks were successful because a high percentage of users still used unpatched versions of vulnerable software. According to a CSIS study, 37% of users still browse the web with unsecured Java versions. A Zscaler survey also reported that 56% of enterprise users utilize vulnerable versions of Adobe products, putting the onus on security administrators to deploy virtual patching products such as Trend Micro Deep Security or the OfficeScan IDF plug-in.

Server Vulnerabilities

Having said that, there’s an ugly side to server/OS vulnerabilities as well. Things largely remained the same in this space, as shown by the number of vulnerabilities in Windows Server 2008 and Red Hat.

Credit to CVE Details as source of the above data

Cybercriminals also exploited vulnerabilities in web applications. SQL injection attacks were used to compromise millions of web pages. In two separate mass SQL injection attacks, malicious scripts were inserted into legitimate websites. The first one in July hit 8 million websites. A second wave in October affected 1 million websites. Apart from SQL injection attacks, attacks exploiting cross-site scripting (XSS), cross-site request forgery, Directory Traversal, and other vulnerabilities in web applications (e.g., PHP, WordPress, Joomla, etc.) also occurred in large numbers and will continue to do so next year.

Some of the 2011 vulnerabilities worth mentioning are:

What Can Users Do?

To protect against attacks exploiting the above-mentioned and similar vulnerabilities, a good patch management strategy is required. To mitigate any damage during the patch cycle, a virtual patching solution should be deployed as well.

The trends that we saw in 2011 are going to continue in 2012. We will see attacks become more complicated. The defenses against these threats will have to evolve and adjust to keep users protected in 2012.

Post from: TrendLabs | Malware Blog - by Trend Micro

2011 in Review: Exploits and Vulnerabilities

The website was said to have an iframe that redirected users to another compromised site in Brazil. The site executed a malicious Java applet detected as JAVA_DLOAD.ZZC. JAVA_DLOAD.ZZC leverages a vulnerability in Java CVE-2011-3544 to install TROJ_PPOINTER.SM, which in turn drops BKDR_PPOINTER.SM. BKDR_PPOINTER.SM connects to a certain URL to send and receive commands from the attacker. It is also capable of gathering certain information about the affected system.

Based on our investigation, it seems that the initially reported affected organization is just one of the targets in this attack and that the attack itself is fashioned specifically for the targets. We studied the related files and URLs, and found that the string related to the human rights organization was used as the name for both the inserted folder and file in the compromised Brazilian website:

• hxxp://{BLOCKED}.com.br/cgi-bin/ai/ai.html
• hxxp://{BLOCKED}.com.br/cgi-bin/ai/ai.jar

Furthermore, the code of the file retrieved from the URLs above indicate that it was a payload specifically intended for the said human rights organization, as it has related strings mentioned in its code:

Trend Micro Researcher Nart Villenueve checked on this, and found other folder and file combinations hosted on the same compromised website, but with different strings. This strongly suggests the existence of other targets.

• hxxp://{BLOCKED}.com.br/cgi-bin/hk/hk.html
• hxxp://{BLOCKED}.com.br/cgi-bin/hk/hk.jar
• hxxp://{BLOCKED}.com.br/cgi-bin/so/so.html
• hxxp://{BLOCKED}.com.br/cgi-bin/so/so.jar
• hxxp://{BLOCKED}.com.br/cgi-bin/OM/om.html
• hxxp://{BLOCKED}.com.br/cgi-bin/OM/om.jar

The files retrieved from these URLs also had the same strings in their code, similar to the AI case we’ve explained before. The said malicious files are now also detected as JAVA_DLOAD.ZZC and BKDR_PPOINTER.SM.

Trend Micro products provide protection against this type of attack through the Trend Micro™ Smart Protection Network™ infastructure. Also, Deep Security and OfficeScan™ with Intrusion Defense Firewall (IDF) plug-in protects users through the rule Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability. Meanwhile, Threat Discovery Appliance (TDA) detects the traffic related to the forwarding of the information obtained by BKDR_PPOINTER.SM as HTTP_REQUEST_PPOINTER.

The home page of the affected human rights organization has been a target at least a couple of times within the past several months, showing how determined cybercriminals are to target the frequent visitors of this site. As of this writing, the site is clean of the malicious code. Site owners of special interest sites catering to particular demographics, organizations or groups of like-minded individuals should be just as cautious about these kinds of attacks as corporations and businesses.

Post from: TrendLabs | Malware Blog - by Trend Micro

NGOs Targeted with Backdoors

Targeted Campaigns

Targeted malware attacks are rarely isolated events. It is more useful to think of them as campaigns – a series of failed and successful attempts to compromise targets over a period of time. An attacker’s prior knowledge of the victim, possibly from a previously successful attack, affects the level of specificity associated with a single attack in a malware campaign. In this case, the attackers used messages with an IT security theme that appeared rather generic but were customized for various targets. The download link in the email messages was made to appear as if it were pointing to the target’s own website. Often, this less-specific level of targeting focuses on communities of interest and is aimed at acquiring information to be used in a future, more precise attack.

Moreover, there is generally a diversity of targets. In this case, the Nitro attackers targeted a concentration of chemical companies but also targeted human rights NGOs, motor companies and defense contractors.

Human Interaction

The backdoor used in the Nitro campaign is known as Poison Ivy. It is a freely available Trojan that provides an attacker with full, “real-time” access to a compromised computer. One often overlooked component of targeted malware attacks is the reliance on real time human interaction. This distinguishes them from automated botnets. When the Poison Ivy backdoor connects to the attackers command and control infrastructure there is a human at the other end that can begin exploring the compromised computer and the network to which it belongs. This attacker can steal information, install additional malware and compromise other machines on the same network. Most importantly, the human on the other end of the Poison Ivy Trojan can react to defensive measures taken by the victim.

Segmented Infrastructure

Attackers need to deploy command and control (C&C) infrastructure in order to maintain connectivity to the computers they compromise. The attackers sometimes maintain distinct sets of C&C infrastructure making it difficult to uncover the full extent of their operations. Using the initial malware samples, domains and IP addresses provided by Symantec, we were able to map out three distinct sets of command and control infrastructure.

The first set of command and control infrastructure contains three domains provided by dynamic DNS services. Attackers often use dynamic DNS services in conjunction with RATs, such as Poison Ivy. These services make it easy for the attackers to update their C&C domains to new IP addresses thus maintaining consistent connectivity with the compromised computers.

The second set of C&C infrastructure centers around three domains which all resolved to the same IP address. The C&C domain, domain.rm6.org was also used in an attack. on the UK government in August 2011.

The third set centers on the domain antivirus-groups.com and the IP address 204.74.215.58 which Symantec has associated with a specific actor which they’ve codenamed “Covert Grove”.

This segmented infrastructure allows the same set of attackers to target different potential victims without having all the attacks linked together. Without additional information, it can be difficult to link together the full scope of targeted malware campaigns. This illustrates how important threat intelligence is to defensive strategies.

Here are some examples of MD5s connecting to the Nitro infrastructure:

• 37f70717f549f1938e5785527e56978d
• 5d075e9536c5494745135c1176981c96
• 64a4ad90a55e7b6c30c46135435f50a2
• 6e99585c3fbd4f3a55bd8f604cb35f38
• 70fcb3446fce23b18d9a12b2ed911e52
• 76000c77ea9a214f5b2ae8cc387809db
• 87aeec7f7c4ec1b6dc5e6c39b28d8273
• 8d36fd85d9c7d1f4bb170a28cc23498a
• a98d2c90b9494fc885c7cd35d43666ea
• c128c40bd8acb282288e8138352ce4e1
• 841ec2dec944964fc54786a1167713ff
• 22f77c113cc6d43d8c12ed3c9fb39825
• 6f6d6a848f87fbf26f71549d73da61f4
• b2b9702164512a92733939343275245b
• 2173b43a66070aadf052ab66dd6933ce
• f18c7639dbb8644c4bca179243ee2a99
• 9ff1e8e227e1be3dbfc55f17d2e97df8
• 31346e5b39ddb095d76071ac86da4c2e
• 20baa1cbacdab191c717f4ef5626de93
• ffa73b9f9e650f50b8568a647a9a35cf
• 070d1e5c9299afa47df25e63572a3ae8
• d558e1069a0f3f61fedcf58a0c1995fe
• 27103c6c9a80b6cf23789e2f51a846eb
• 2ffe59a6a047b2333a1f3eb58753f3bc
• 0f54a9757f1a2fef2b04b776714a7546
• c2864aff6360feb36f2ff6a6c634ddb4
• cca3af36dff79b27de093a71396afb8d
• 4a35488762f70170dc0d3f46f94a7bcb
• 3037049411db0453c91e60393a248be2
• dd5715cb3b0cdddbe131f03cc08f0f57
• 4fd6453a606e17e5efb166ad80eba5e0
• 091457444b7e7899c242c5125ddc0571
• 6e99585c3fbd4f3a55bd8f604cb35f38
• 07e266f7fb3c36a1f3a5c5d2d229a478
• 17e7022496d8092d3ca76ae9524a7260
• 2f37912e7cb6e5c478e6dc3d0e381a24
• 5d075e9536c5494745135c1176981c96
• 76000c77ea9a214f5b2ae8cc387809db
• a98d2c90b9494fc885c7cd35d43666ea
• c128c40bd8acb282288e8138352ce4e1
• cab66da82594ff5266ac8dd89e3d1539
• 70fcb3446fce23b18d9a12b2ed911e52
• c53c93a445d751387eb167e5a2b901da
• dd5715cb3b0cdddbe131f03cc08f0f57
• 0f54a9757f1a2fef2b04b776714a7546
• 37f70717f549f1938e5785527e56978d
• 31346e5b39ddb095d76071ac86da4c2e
• 330ddac1f605ff8abf60880c584ed797
• 457a2a8d0784e9fc8e49f6ef60f7f29e
• 87aeec7f7c4ec1b6dc5e6c39b28d8273
• 8d36fd85d9c7d1f4bb170a28cc23498a
• de7e293aa9c4d849dc080f3e87573b24
• 64a4ad90a55e7b6c30c46135435f50a2

Defensive strategies can be dramatically improved by understanding how targeted attacks work as well as trends in the tools, tactics and procedures of the perpetrators. Since such attacks focus on the acquisition of sensitive data, strategies that focus on protecting the data itself, wherever it resides, are extremely important components of defense. By effectively using threat intelligence derived from external and internal sources combined with context-aware data protection and security tools that empower and inform human analysts, organizations are better positioned to detect and mitigate targeted attacks.

Post from: TrendLabs | Malware Blog - by Trend Micro

The Significance of the “Nitro” Attacks

The screenshot above shows that the seller appears to have a shell console window with root access to these servers. The price for each access starts at US$3,000 with the exchange of money/access being provided by the well-known garant/escrow system for which a trusted third party verifies both sides of a transaction.

In our previous underground research, we also saw sourcec0de sell stolen PayPal account credentials and discussing the management of botnet command-and-control (C&C) servers.

We contacted MySQL.com about this issue last week. We are making this public to stress the fact that hackers do not only profit from selling stolen data or by inserting bad links into spam or phishing email, websites, and other possible infection vectors.

This case, regardless of whether sourcec0de’s claim is true or not, shows just how brazen cybercriminals are, selling administrative access to specific systems, which can be negatively impacted by their break-ins.

Post from: TrendLabs | Malware Blog - by Trend Micro

Underground Radar: Possible Compromise of MySQL.com and Its Subdomains

Within the same week, we also found a malware that may be related to the particular incident. The said backdoor, which we detect as BKDR_SOGU.A (with the SHA1 hash 1733217aa852957269cd201f6cf53ef314e86897), connects to {BLOCKED}n.duamlive.com, its C&C server. The C&C server communicates with the remote infected system via HTTP POST in order to send and receive commands from a remote malicious user.  As of this writing, this URL is already inaccessible.

One notable routine of this backdoor is its capability to access a specific database in infected systems in order to fetch and collect data from the said database. This routine was done using several ODBC APIs such as SQLAllocHandle, SQLDriverConnect, SQLNumResultCols, SQLFetch, and SQLExecDirect. The figures below show the code disassembly of how the malware uses the said APIs.

The database the backdoor accesses and the types of information it gathers are defined based on the parameters the remote server provides. Other backdoor routines (e.g., enumerating registry values or listing files in a specified directory) may be able to provide such data as well.

So far, nothing in the code suggests that it was solely and specifically created for certain attacks. In fact, it may be used and reused as long as the malware is not detected by the network’s security software. As we stated before, attacks against large corporations do not always require highly sophisticated malware technologies but a combination of ingenious use of other techniques (e.g., exploiting known vulnerabilities, social engineering, etc.) that can lead to a successful targeted attack.

The Trend Micro™ Smart Protection Network™ infrastructure detects the backdoor and blocks access to the malicious URLs related to this attack.

We are still conducting further investigation on this incident. We will update this blog entry as soon as possible for any relevant development.

Analysis assistance provided by Paul Kimayong and Kathleen Notario

Update: We posted a follow-up entry on August 10, 10:47 AM entitled, Updates on the SK Comms Data Breach. Also, read the initial blog post Large Data Breach in South Korea, Data of 35M Users Stolen.

Post from: TrendLabs | Malware Blog - by Trend Micro

Analysis of BKDR_SOGU.A, Database-Accessing Malware

The affected websites were found using osCommerce, an open source e-commerce solution that allows users to easily manage their online shops.

Based on our analysis, more than 90,000 pages were compromised. The attackers inserted an iframe that leads to certain URLs in each of these sites, triggering several redirections. The redirections finally lead to an exploit kit that abuses the following vulnerabilities in an attempt to download a malicious file onto systems:

• CVE-2010-0840
• CVE-2010-0188
• CVE-2010-0886
• CVE-2006-0003
• CVE-2010-1885

Successful exploitation of the above-mentioned vulnerabilities triggers a connection to another URL in order to download a final payload that we now detect as TROJ_JORIK.BRU. This malware searches for Internet caches, cookies, and histories in order to steal login credentials and other data used for specific websites, usually banks and other financial institutions. TROJ_JORIK.BRU then forwards the stolen information to specific websites.

Customers as the Biggest Target

This attack greatly affects not only the site owners whose businesses get disrupted by a compromise. Even worse, it attacks their potential customers who get their credit card information stolen just for visiting a supposedly trusted site. As Trend Micro threat response engineer Karl Dominguez observes, “This attack is quite efficient. It specifically targets users who visit e-commerce sites since they are the ones most likely have gone shopping online before and are more likely to have their credit card information stored in their systems.”

The attacker also seemed to use the “get it and go” approach, as he immediately deleted the malicious file after execution. “This is not like ZeuS attacks wherein the malware hides in the system for continuous monitoring. The malware just executes, takes the information that it wants to steal, then deletes itself. This may be done to prevent detection by the victims,” Dominguez explains.

Website Owners Need to Be More Vigilant

This is not first mass compromise involving osCommerce users. Multiple websites were also reported to have been compromised earlier this month while another compromise from late last year revealed osCommerce websites being used as FAKEAV redirectors.

This use of osCommerce as a platform for attacks should definitely call the attention of osCommerce website owners, as well as their developers.

According to Trend Micro senior threat researcher Hayashi Noriaki, osCommerce has a famous directory traversal vulnerability as well as an XSS vulnerability for version 2.2-MS2. Considering this, owners of osCommerce sites are strongly advised to update all of their software to the latest versions and most importantly, to check their sites for any code injection.

Trend Micro customers are already protected from this threat. The malicious URLs related to the redirections and the malicious files are already being blocked and detected by the Trend Micro™ Smart Protection Network™. In addition, Trend Micro Browser Guard prevents the above-mentioned exploits from executing, thus preventing the download of the malicious file.

Update as of July 31, 2011, 8:58 PM, PST
The above mentioned exploit kit is already detected as JS_EXPLOIT.BRU.

Post from: TrendLabs | Malware Blog - by Trend Micro

osCommerce Mass Compromise Leads to Information Theft

Based on Google searches, there is no common denominator in terms of the industry to which the compromised sites belong. We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics, and others.

More URLs Involved

Investigations revealed that five URLs were used for the attack and were inserted into the compromised sites through SQL injection. The said URLs all resolve to a single IP server—a known malicious IP Trend Micro researchers are monitoring. Thus, the related URLs have been proactively blocked by Trend Micro as early as March 25, 2011:

• {BLOCKED}of-books.com/ur.php
• {BLOCKED}ane.com/ur.php
• {BLOCKED}carter.com/ur.php
• {BLOCKED}on.com/ur.php
• {BLOCKED}6.info/ur.php

New developments are currently being observed. We’re seeing compromised websites that were previously inserted with a script leading to {BLOCKED}on.com/ur.php already modified to connect to {BLOCKED}s.com/ur.php. The said URL also resolves to the same IP server as the four previously mentioned URLs. It is possible that the cybercriminal behind this attack is updating the compromised sites with new URLs to connect to since the previous ones are already being blocked.

Infection Chain Leads to FAKEAV and WORID

So far, the infection chain has been typical. Visiting a compromised website with the malicious script leads to any of the above-mentioned URLs, which then triggers a series of redirections, finally leading to the download of malicious files. The redirections are visible to the user, as the displayed pages show a fake antivirus scan. The scan is, of course, fake, and is the first part of the whole FAKEAV scam, followed by a prompt to download a malicious file disguised as an installer.

Retrieved samples from active instances are now detected as TROJ_FAKEAV.BBK and TROJ_WORID.A.

Web compromises such as this one are not uncommon but do pose a great threat, especially if a particular website with high incoming traffic is among those compromised. Trend Micro, through the Smart Protection Network™ protects users from being affected by this compromise, as the related malicious URLs are already blocked and the malicious files detected.

Website owners who suspect that their websites have been compromised are advised to clean up their sites as soon as possible.

Update as of April 6, 2011 2:00 AM Pacific Time

Further analysis reveals that ASPX and ASP web app sites are being exploited by a GET request containing parameters with SQL statements and the encoded script tag and URL shown below:

This resolves to the following:

We also found that attackers were using a certain IP ({BLOCKED}.{BLOCKED}.29.190) to try to inject sites with lizamoon(dot)com/ur.php and other URLs pointing to the same IP location as lizamoon. We saw the said IP address trying to compromise a web server located in the APAC region using the following technique.

Trend Micro customers using Threat Discovery Appliance (TDA) as well as Deep Security are already protected from having their sites compromised using the mentioned technique.

Clean up efforts as well as development of fixes have reportedly started to mitigate the effects of the massive attack. However, we’re also still seeing new URLs being injected into websites, connecting to an IP server different from the one previously used. We’ve already blocked access to the said URLs.

Considering such developments, website owners of both infected and non-infected sites are strongly advised to take action. Owners of infected sites should clean up their sites and apply security updates to all software, and those not affected should make sure that their sites are not vulnerable to similar attacks, such as making sure that all inputs to the website are well-validated.

Post from: TrendLabs | Malware Blog - by Trend Micro

LizaMoon, Etc. SQL Injection Attack Still Ongoing

Fake system diagnostic tools such as this variant named System Defragmenter were first discovered in October 2010. These tools very frequently change their names. At present, we are aware of at least 30 different names/aliases that these tools use. Cybercriminals may believe that changing their products’ names makes detecting and removing these much more difficult.

None of this should be taken to mean that conventional fake antivirus attacks have gone away, however. Last week, a very high-profile attack involving a rogue antivirus detected by Trend Micro as TROJ_FAKEAV.SMTV hit Twitter. Many users fell prey to this when they clicked links that used the goo.gl URL shortener to lead to this FAKEAV variant’s download.

Attacks involving fake diagnostic tools are similar to traditional FAKEAV attacks. A fake tool appears to function like a real system diagnosis tool though its supposed diagnostic functions never work. Once users’ PCs are infected by such a tool, these repeatedly displayed fake warnings saying that the system is suffering from hard disk problems.

Inexperienced users may worry and panic over these problems. They may end up paying for additional “tools” and giving cybercriminals their personal information such as email addresses and credit card numbers. Like FAKEAV, these fake diagnosis tools will cause many problems for users.

Infection Vectors

Fake diagnostic tools may arrive via several different infection vectors:

• Users visit malicious sites and manually download and install malicious files.
• Users visit malicious sites that are riddled with exploits, which silently install malicious files in the background.

The tactics cybercriminals use to distribute fake diagnostic tools are broadly similar to those used for FAKEAV malware. Cybercriminals may lead users to their own sites by using Black Hat Search Engine Optimization (SEO) poisoning or to compromised legitimate sites. Cases where these fake tools are installed without the users’ knowledge may lead them to think the fake tools are actually legitimate programs, allowing the attacks to succeed.

System Defragmenter is detected as TROJ_FAKEAL.GG. While the sites that distribute it are now inaccessible, similar attacks did not stop from being launched, albeit using constantly changing names and sites. Understanding how these attacks are conducted will help users avoid becoming their victims.

Its installer uses the same icon as Windows Update.

Fourteen minutes after the tool is installed, it displays a fake alert in the user’s notification area.

The following gallery shows the various fake images that this malware displays:

Here are some of the other names the fake diagnostic tools use:

• Check Disk
• Defragmenter
• Disk Doctor
• Disk Optimizer
• Disk Repair
• DiskOK
• EasyScan
• FastDisk
• GoodMemory
• Hard Drive Diagnostic
• HDDControl
• HDDDefragmenter
• HDDDiagnostic
• HDDFix
• HDDHelp
• HDDPlus
• HDDLow
• HDDRecovery
• HDDRepair
• HDDRescue
• HDDTools
• MemoryFixer
• MyDisk
• QuickDefrag
• Scan Disk
• Scanner
• Smart HDD
• Support Tool 2011
• System Degragmenter
• Ultra Defragger
• Win Defrag
• Win Defragmenter
• Win Scanner

Solutions and Workarounds

Trend Micro free tools can clean systems that have been affected by System Defragmenter. However, users have to first go around one of this malware’s behaviors—monitoring the execution of applications—so that some security tools like HijackThis as well as files in the C:\Windows and C:\Program Files folder will not run and instead display the following:

Users will have to terminate the malware process first. The procedure starts by determining the file name that malware used. To do this, follow these steps:

1. Right-click the shortcut (System Defragmenter) on the desktop and select Properties.
2. Check and note the file name, which is usually made up of random characters. In the following screenshot, the file name used was 1181500.exe.

After taking note of the file name, open Task Manager by pressing Ctrl+Alt+Delete and use it to terminate the fake tool’s process.

Using HijackThis, take note of any or all of the registry entries that the malware added. HijackThis can then remove these entries to stop the malware from running whenever the system starts. (The suspicious entries have been enclosed in a red box.)

Our online scanner HouseCall can then be used to scan and remove the malware from the system.

Post from: TrendLabs | Malware Blog - by Trend Micro

Fake System Tools Spread to Japan

The compromised page (shown in Figure 2) was injected with a search engine optimization (SEO) kit leveraging certain topics. In addition, we also found spamdexed content that was specifically prepared for the upcoming Black Friday holiday event in the United States.

Figure 3 below shows the search keywords used in the compromised page.

Visiting the compromised site leads users to redirection chains similar to previous attacks. We detect the malicious files as TROJ_FAKEAV.SMVK. In addition, the websites that are part of the redirection chain have been blocked. Trend Micro proactively sources and detects these new threats every day, helping protect our product users.

Post from: TrendLabs | Malware Blog - by Trend Micro

Website of an Amsterdam-Based Record Label Compromised

However, these particular incidents are not actually isolated attacks. Rather, these only form the tip of the iceberg of several attacks involving compromised and malicious sites. Cybercriminals are increasingly making browser and OS detection part of their standard attacks.

The malicious sites, payloads, and redirection chains change on a daily basis. Let’s look at one of the malicious sites we recently saw:

The code itself is reasonably simple—it sends users to various malicious sites that vary, depending on what browsers and OSs they run. In this particular attack, Internet Explorer and Firefox users received FAKEAV variants similar to those seen in earlier attacks, as documented in “FAKEAV Update: Java Vulnerabilities and Improved Fake Alerts.”

Mac and Linux users were sent to the RSS feed of a site scraper. This site appears to periodically capture high-ranking keywords from Google Trends and use one of these keywords as the subject of a new blog post. The “post” contains, among others, high-ranking items from a Google Images search using the captured keywords. It’s possible that the site in question has been “parked” while malware is not being delivered.

Users who didn’t fall into any of these categories proceed along “standard” FAKEAV redirection chains.

While this particular attack involved only FAKEAV, the particular sites used change on a daily basis. Thus, other malware may be served just as easily to other users. This same technique was used to spread KOOBFACE to Mac users last week. We have also seen it used to deliver other malware families such as:

• BREDOLAB
• CUTWAIL
• TDSS
• ZBOT

While the vast majority of attacks delivered this way still use FAKEAV, the fact that malware families that are part of the traditional botnet business model have picked up these “customized” malware attacks is troubling and points to widespread exploitation down the road.

Users have to be cautious, as these “customized” attacks mean that malicious sites are likely to resemble legitimate ones more easily. Distinguishing legitimate pages from malicious ones by eye will be a challenge. Web blocking will become more important for protecting users, as customized malware attacks allows for even more malicious files to be used in these attacks. This emerging trend in Web threats is one that we will be on the lookout for to help protect users against this latest development.

Post from: TrendLabs | Malware Blog - by Trend Micro

Customized Malware Attacks Become Widespread