TrendLabs | Malware Blog - by Trend Micro » Malicious Sites

Meteor Shower and New Moon Lead to FAKEAV

Erika Mendoza (Threat Response Engineer) — Wed, 18 Nov 2009 07:48:12 +0000

TrendLabs threat analysts found another FAKEAV campaign piggybacking on the Leonid meteor shower and the much-anticipated sequel to the Twilight saga, New Moon. Users searching for news and updates using the keywords “meteor shower tonight november 16 time” and “New Moon premiere live stream” end up with poisoned search results. These results redirect users to fake online scanners, which ultimately lead to the download of a FAKEAV variant detected by Trend Micro as TROJ_FAKEAV.MET.

Upon execution, TROJ_FAKEAV.MET drops malicious files and displays fake warning messages. These messages urge users to avail of a bogus antivirus product, Security Tool.

FAKEAV is notorious for capitalizing on hot news and popular searches via SEO poisoning. Hence, users are advised to be wary of suspicious-looking URLs when conducting online searches. Trend Micro protects users from this attack via the Smart Protection Network™ that blocks and detects all related malicious files and URLs.

Post from: TrendLabs | Malware Blog - by Trend Micro

Meteor Shower and New Moon Lead to FAKEAV

Beware: Never Share Your Capita with Phishers

Abigail Villarin (Fraud Analyst) — Thu, 12 Nov 2009 11:00:09 +0000

Trend Micro threat analysts recently discovered a phishing attack targeting the website of the Capita Group. The said site is dedicated for the company shareholders’ use. It aims to reduce the need for paperwork and provides 24 hour access for greater convenience.

The fake Web portal asks users to enter their surname, shareholder reference number, postal code, telephone number, date of birth, and employer. After entering the said information, the page will redirect them to another login page that requires them to enter their account information—first name, middle name, last name, address, city, country, mother’s maiden name, and email address. Only after filling in the information will the users be redirected to a legitimate page of the Capita website.

Phishers will indeed do whatever it takes just to prey on unwitting victims. For this reason alone, users must be careful in giving out their credentials online. The phishing website used in this attack is already being blocked by the Trend Micro Smart Protection Network™.

Post from: TrendLabs | Malware Blog - by Trend Micro

Beware: Never Share Your Capita with Phishers

This Halloween, Enjoy the Treats but Be Wary of Online Tricks

Trend Micro — Fri, 30 Oct 2009 10:06:27 +0000

We often associate Halloween with pumpkins and costumes but for cybercriminals it’s merely another avenue to exploit, steal, and trick users into giving away their personal identities. Treats are fun but we all need to be on the lookout for the sneaky and tricky ways cybercriminals slither into our computers. Below are the TrendLabs, top 7 scariest threats that might be knocking on your door:

Tailor-made ZBOT spam makes its way to employees’ mailboxes

The Zeus botnet is well-known for e-banking attacks that target small businesses without a dedicated IT staff and only 1–2 payroll personnel; the most notorious ZBOT attack to date sent out tailor-made spam to the employees of several of these types of small companies. The spammed messages were made to look legitimate and non-malicious when, in fact, they contained Trojan spyware designed to steal information and identities.
Vulnerabilities hit critical mass: Patch me if you can
Microsoft set a record in December 2008 of 28 patches for its OS vulnerabilities. In June 2009, the company broke that record with the release of 10 security advisories for 31 OS and other software vulnerabilities. What does this mean for users? It means that unpatched vulnerabilities can allow cybercriminals to exploit their systems. For instance, unpatched vulnerabilities in a system’s browser can allow cybercriminals to run arbitrary code if the user happens to browse through a malicious website, leaving him/her at the mercy of online predators.
FAKEAV: Surrender hard-earned money for fake security
We’ve seen several strains of FAKEAV abound on the Web. Most employ “scareware” tactics, displaying a blue screen or bogus graphical user interfaces (GUIs) to warn users of infection. Some of the most dangerous variants, however, employ “ransomware” tactics. Users who fall victim to FAKEAV scams end up buying useless applications or may even be robbed of critical information apart from their hard-earned money. Sold at an average US$50 apiece, it is clear that big money can be made from pushing FAKEAV to users. This is why we can expect the debut of more FAKEAV in the future.
Expand your circle of friends but beware of KOOBFACE malware
This year, we saw the emergence of the KOOBFACE botnet that specifically targeted social networking and micro-blogging site users. Facebook and Twitter, two of the top-ranking social networking/micro-blogging sites today have millions of users worldwide, making them favorite cybercriminal targets. The popularity of these sites may be unprecedented but so is the rise in number of malware targeting them. Victims of KOOBFACE variants can end up with FAKEAV infections, wrangled into being a part of the widespread KOOBFACE botnet, or owners of compromised profiles, take your pick.
More sophisticated attacks = More victims
Cybercriminals continue to up the stakes as they come up with more sophisticated attacks to lure more victims into their traps. A new variant of the BEBLOH family of information stealers went well beyond logging keystrokes and sending it to a server to exploit. It stole user information and used it right away while effectively avoiding detection. The latest BEBLOH variant produces static pages that show remaining account balances and previous transactions to cover its tracks. Victims will not know they have been robbed unless they accessed the online banking site from an uninfected machine or used separate facilities such as ATMs.
No system is immune from security attacks, certainly not Macs
The days when Mac users felt safe from today’s threat landscape are over. The recent proliferation of Mac attacks reiterates what security researchers have been saying all along—that no system is immune from security attacks, certainly not Macs. The number of Mac users continues to increase, unfortunately so does the number of cybercriminals targeting the Mac OS. Cybercriminal attacks on the growing Mac user base are becoming more and more complex, preying on the earlier belief that the OS X is malware-free.
Blackhat SEO attacks climb the charts
Just as cybercriminals strive to make their malware-ridden pages climb to the top of search results, so has the number of documented blackhat SEO attacks. As if the usual blackhat SEO techniques were not crafty enough, cybercriminals just learned to use new nifty gadgets—Google Trends and GeoIP tracking—to increase the chances that users will click on links that direct them to specifically crafted malware-ridden pages. This kind of attack can affect anyone searching for information on the Web. All it takes to get infected is click a top-ranking search result.

If you are concerned that your computer may have been affected by a cyber attack, try our free prevention and clean up tools, available here.

Post from: TrendLabs | Malware Blog - by Trend Micro

This Halloween, Enjoy the Treats but Be Wary of Online Tricks

Social Engineering Watch: Spam Leads to Canadian Pharmacy Sites

Aljerro Gabon (Anti-spam Research Engineer) — Thu, 29 Oct 2009 10:05:17 +0000

Trend Micro researchers found over 200 email samples that spamvertised male sexual enhancement pills. These bore subjects like “Re: Go wild in bedroom,” “Re: Let your lever straight up,” and “Re: Be her concrete-rod satisfier” and contains a URL that points to all-too-familiar Canadian pharmacy websites.

While spammed messages that lead to Canadian pharma sites are not new, there are notable things in this particular spam run. For one, it employed random messages in the email content to avoid spam filters. The spammers also put “Re:” in the subject to make it appear as though it was a reply of sorts. In addition, the FROM and TO fields bear the same email address. It particularly used dictionary form of spam attack where spammers randomly send spammed messages to a generated list of email addresses. Upon further analysis, the domains used were just recently registered.

As usual, users are advised not to open emails that spamvertise sexual enhancement pills. Trend Micro users are secure from this spam attack with the Smart Protection Network. Non-Trend Micro products users can stay protected from this by using free tools like eMail ID.

Post from: TrendLabs | Malware Blog - by Trend Micro

Social Engineering Watch: Spam Leads to Canadian Pharmacy Sites

Taiwan: Spear Phishers Target Gmail Users

Sarah Calaunan (Fraud Analyst) — Thu, 29 Oct 2009 09:44:20 +0000

Trend Micro threat analysts found several phishing sites registered in China that target specific people or companies. The said email can customize phishing URLs using the names of intended recipients via a technique called “spear phishing.”

Spear phishing has been used by cybercriminals before in attacks that involved specific targets. In the previous post, “So Is It Twitter or Facebook?,” for instance, cybercriminals exploited Twitter’s direct message function to inform users that their pictures were seen on another website, the link to which is embedded in the same message. The link led to a bogus Facebook page from which user credentials are then stolen.

In this attack, the cybercriminals went as far as spoofing the From field to imply that the sender is from the same company the target is employed in. The URL embedded in the email is also customizable, depending on who its intended recipient is. Clicking the link points the user to a bogus Gmail Taiwan login page where the target’s user name has already been entered.

According to TT Tsai, this phishing attack seems to be targeting the Taiwan government as some of the phishing domains we have encountered are hosted in Taiwan, not to mention that the page uses the Chinese language.

Here’s a list of malicious domains users should be wary of:

http://google.com.microsoft-server.tw/google/accounts/ServiceLogin.asp?uid=vq4hasv2o1xn&name=victim
http://google.com.microsoft-server.tw/google/accounts/ServiceLogin.asp?uid=vq4hasv2o1xn&name=victim

TT Tsai, however, added that the cybercriminals are rapidly changing domains and taking down previously used ones to avoid detection and blocking.

As of this writing, all spam and phishing URLs related to this attack are already being blocked by the Trend Micro Smart Protection Network™. Non-users of Trend Micro products can stay protected from this and other similar attacks by using free tools such as eMail ID.

Post from: TrendLabs | Malware Blog - by Trend Micro

Taiwan: Spear Phishers Target Gmail Users

ZBOT and a CapitalOne Phish

Joey Costoya (Advanced Threats Researcher) — Thu, 22 Oct 2009 13:09:38 +0000

In this most recent spam campaign, our spam traps caught an uncanny combination of a CapitalOne phish and a ZBOT variant. Below is a screenshot of an email sample making the rounds:

The spam campaign would have you believe that you would need to install a Digital Certificate in order to use CapitalOne’s website. Clicking on the email link brings you to the following site: This is the phishing part. After filling in the required login information, the website now conveniently gives you a download link to the supposedly digital certificate: The download link will lead you not to a digital certificate, but to a ZBOT variant. Running the so-called ‘digital certificate’ will only install the notorious ZBOT malware into your system, and will proceed to log your keystrokes, steal personally-identifiable information, and most especially, steal your personal financial information. Trend Micro now detects the said ZBOT malware as TROJ_ZBOT.CKA. The above website does not only host a CapitalOne phish, but also a Bank of America phish. Earlier this week, the same group also had a spam campaign, but was pushing a BoA phish: The phishing website in that campaign asks a lot of questions–three pages full of these. It basically asks all of your personal information pertinent to your banking account:

The websites for both the CapitalOne and Bank of America phishing attacks are all hosted on fast flux domains, and uses wildcarded subdomains. Here’s a list of some of the domains actually used:

11qioz.co.uk
11qwod.co.uk
easder1q.co.uk
f1iiitl.com
iiizad1z.co.uk
ij1tli.com
ltiil1.com
nekz1mqv.co.uk
nezz1cza.co.uk
racder1c.net
racder1x.com
raeder1f.net
rarder1g.com
raxsder1.com
t1fliil.tc
tj1fiil.co.nz
uunuyr.com
yyy1yyrd.co.uk
yyy1yyre.co.uk
yyy1yyrf.co.uk
yyy1yyrg.co.uk
yyy1yyrj.co.uk
yyy1yyrk.co.uk
yyy1yyrl.co.uk
yyy1yyrm.co.uk
yyy1yyro.co.uk
yyy1yyrq.co.uk
yyy1yyrr.co.uk
yyy1yyru.co.uk
yyy1yyrv.co.uk
yyy1yyrx.co.uk

The IP addresses these fast flux domains point to are comprised of residential broadband IP addresses, suggesting that the machines serving the websites’ contents are hosted on compromised residential PCs. The current spam campaigns (digital certificate lure) and its corresponding websites (fast flux, wildcarded subdomains) share the same characteristics like last year’s SSL Certificate spam campaign. A screenshot of last year’s spam campaign is shown below.

It looks like as though the same group has reemerged using the same tactic they’ve used last year. Maybe last year’s campaign has been successful enough that they’re hoping to duplicate the winning formula in the recent spam wave.

Trend Micro users are now protected from this attack through the Smart Protection Network. Non-users of Trend Micro producs, on the other hand, can opt to stay protected by using the eMail ID and Web Protection Add-On.

Post from: TrendLabs | Malware Blog - by Trend Micro

ZBOT and a CapitalOne Phish

Halloween Job Spam Spooks Users

Gaye Ofilas (Anti-spam Research Engineer) — Thu, 22 Oct 2009 09:54:37 +0000

Holidays are spammers’ favorite times of the year. After all, these give them additional opportunities to lure more victims to their specially crafted scams apart from a theme to focus on. As one of the most celebrated holidays across the globe, it is not surprising that Halloween, which is barely a week away, has been creating a buzz.

Trend Micro threat analysts got wind of Halloween-related spam samples (see the sample on the right). These offered readers promising opportunities to earn while working from home.

Clicking the link redirects the user to a site that is now inactive. However, based on Whois.Net’s domain name records, the URLs were only created in August of this year, most probably just for spamming purposes. It is, after all, not uncommon for spammers to register domains for the minimum time period allowable to further their malicious profiteering activities.

Users are thus warned not to click links to unknown sites no matter how tempting the offer they put on the table may be. If you’re really interested in getting a legitimate job or a means to earn more, go to a trusted job-search site. Do not trust everything you read on email, especially if you do not know who the email came from.

Trend Micro Smart Protection Network™ protects users from spamming attacks by blocking unwanted email and preventing user access to malicious sites. Mac users can enjoy the same benefits by using Trend Micro Smart Surfing for Mac.

Non-users of Trend Micro products can also stay protected from such attacks with free antivirus tools such as eMail ID and Web Protection Add-On.

Post from: TrendLabs | Malware Blog - by Trend Micro

Halloween Job Spam Spooks Users

Fake Agents for Russian Websites Spreading

Maxim Goncharov (Advanced Threats Researcher) — Tue, 20 Oct 2009 12:16:20 +0000

In the past few weeks, Trend Micro researchers have become aware that the Russian cybercriminal underground has been overflowing with offers for a new kind of information-stealing malware. These new malware variants pose as agent programs used by Russian social networking sites, such as Odnoklasniki and Vkontakte. (Agent programs are programs used by some websites to allow users to log into their services without having to start their browser.)

A group of cybercriminals interested in stealing the login credentials of the users of these target sites would provide the authors of these new fake agent programs an email address or an ICQ number where the stolen credentials would be placed. These “authors” would then be responsible for distributing their malware to users.

Users who did download and run these fake agents would be presented with an interface similar or identical to legitimate agent programs.

Upon users would attempt to enter their login credentials by using these fake agents, they would receive a message that the connection to the server has failed. In reality, the credentials have been captured and sent to the cybercriminals via the supplied email address or ICQ number. This threat is detected and removed by Trend Micro as TSPY_FKANTAKTE.A.

Post from: TrendLabs | Malware Blog - by Trend Micro

Fake Agents for Russian Websites Spreading

ASProx Resurfaces with a Mass Compromise in Tow

Det Caraig (Technical Communications) — Thu, 15 Oct 2009 12:44:50 +0000

A specially crafted .PDF file, detected by Trend Micro as TROJ_PIDIEF.ASP, was recently found to be hosted by several Indian, Thai, and New Zealand websites.

The Trojan takes advantage of critical vulnerabilities in Adobe Reader 9.1.3 and Acrobat 9.1.3; Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh, and UNIX; and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities can cause the application to crash and can potentially allow an attacker to take control of an affected system. Adobe has thus advised users to patch their systems and download the necessary updates.

The Trojan belongs to an old but notable malware family known as “ASProx,” which plagued the Web last year. It was so notable that it made its way to Trend Micro’s Top 8 in 2008 list.

Most ASProx variants, including this most recent one, exhibited the same payload. They first compromised several websites. Visiting the said sites then triggerred redirections to various malicious URLs that ultimately led to the download of more malicious files.

The recent reemergence of the ASProx code or the cybercriminals behind it may not have brought anything new to the table but it is noteworthy in that this attack seemingly brought the botnet back from the dead after almost a year of inactivity.

Users, as usual, are thus warned to refrain from opening suspicious-looking files. They are also strongly advised to patch their systems regularly to avoid becoming prey to vulnerability exploits.

Trend Micro Smart Protection Network™ protects users from this threat by blocking access to malicious URLs and preventing the download of malicious files. Mac users are also protected through Trend Micro Security for Mac and Smart Surfing for Mac.

Non-Trend Micro product users, on the other hand, can also stay protected with Housecall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.

Important correction, posted October 16, 2009: TROJ_PIDIEF.ASP exploits vulnerabilities cited in CVE-2009-0927 and CVE-2007-5659, not the previously posted vulnerability discussed in the second paragraph above. We apologize for any confusion caused by this oversight. Adobe users should enable the auto-update feature in their product to receive patches that address these vulnerabilities.

Post from: TrendLabs | Malware Blog - by Trend Micro

ASProx Resurfaces with a Mass Compromise in Tow

8 Things You Probably Didn’t Know About KOOBFACE

Ryan Flores (Advanced Threats Researcher) — Thu, 08 Oct 2009 04:31:58 +0000

You’ve probably read or heard about KOOBFACE malware propagating through social networking sites such as Facebook, MySpace, and Twitter. A lot of analysis is available online through blogs or malware descriptions. But I bet most of you probably still do not know some or all of these things about KOOBFACE.

KOOBFACE knows: KOOBFACE has the capability to steal whatever information is available in your Facebook, MySpace, or Twitter profile. Profile pages of these social networking sites may contain information about one’s contact details (address, email, phone), interests (hobbies, favorite things), affiliations (organizations, universities), and employment (employer, position, salary). So beware, KOOBFACE knows a lot!
KOOBFACE doesn’t just know you through your profile information, they also know what you look like!: Not only does the botnet steal profile information, it also makes sure to put a face to the name by getting one’s profile picture as well.
URLs leading to KOOBFACE malware are either in compromised or free Web hosting sites: Yep, call them cheap but the guys behind KOOBFACE are making good use of compromised and free Web hosting sites in spamming KOOBFACE-related URLs. These URLs are spammed in social networking sites with catch phrases like “funny video,” which lead to a fake YouTube or Facebook site, which then leads to KOOBFACE malware.
KOOBFACE zombies are made into Web servers on top of being social networking site spammers: KOOBFACE installs a Web server component into infected machines, which effectively makes the infected machine part of the malware’s distribution network. Infected machines serve fake YouTube or Facebook pages, which then lead to the KOOBFACE malware.
KOOBFACE zombies are able to distribute repackaged versions of the malware: KOOBFACE Web servers are able to use UPX, a popular executable packer program, to pack (compress) the KOOBFACE binaries they serve.
Half of KOOBFACE infections occur in the United States: This is not surprising since majority of the social networking site users reside in the United States.
KOOBFACE is able to block IP addresses: Probably in an effort to protect itself against takedown or snooping by curious researchers, KOOBFACE implemented a blockIP routine where traffic coming from a particular IP range is blocked.
KOOBFACE is able to defeat Facebook’s spam filtering: Facebook, MySpace, and Twitter have recently implemented a spam-filtering mechanism where known spam URLs are blocked. KOOBFACE tries to circumvent this by first testing if a KOOBFACE spam URL is blocked by Facebook or not.

So there, some things you may not know about KOOBFACE. If this whets your appetite for more information, you may read our research paper The Heart of KOOBFACE: C&C and Social Network Propagation, fresh off the grill from the White Papers section of TrendWatch.

Post from: TrendLabs | Malware Blog - by Trend Micro

8 Things You Probably Didn’t Know About KOOBFACE

Tropical Storm Leads to FAKEAV

Jessa De La Torre (Threat Response Engineer) — Tue, 29 Sep 2009 14:43:31 +0000

Cybercriminals leveraged on the tropical storm, Ondoy (International name: Ketsana) that hit the Philippines and killed around 140 people. Senior Threat Analyst Joseph Pacamarra found several malicious sites that appeared each time the users search the strings, “manila flood,” “Ondoy Typhoon,” and “Philippines Flood,” among others. The said sites emerged as one of the top search results.

Once the user clicks the URL, they will be redirected to several landing pages where they are asked to download an EXE file, soft_207.exe. Trend Micro detects it as TROJ_FAKEAV.BND. This attack does GeoIP checks, which mean it only targets specific regions or location (one of the landing sites is hxxp://{BLOCKED}uterbestscan11.com/scan1/geoip.php).

Figure 1. Screenshot of the malicious search result

Figure 2. The EXE file that users need to download

“Cybercriminals heartlessly exploited the calamity that unfolded in the Philippines. They rigged multiple URLs related to this news to point unknowing users to FAKEAV. Such SEO poisoning campaigns attract users all over the Web especially those who are trying to get information about their loved ones and fellow countrymen in the Philippines,” Pacamarra said.

Although riding on tragic events is not exactly new, what is notable is it employed once again blackhat SEO to lead users to a FAKEAV as we had previously discussed here.

Users are advised to be wary in clicking any URLs. Trend Micro protects users from this attack via its Trend Micro Smart Protection Network as it blocks all URLs and detects the said FAKEAV.

Post from: TrendLabs | Malware Blog - by Trend Micro

Tropical Storm Leads to FAKEAV

Several Compromised Thai Sites Serve Malware

Bernadette Irinco (Technical Communications) — Mon, 28 Sep 2009 13:01:32 +0000

Trend Micro researchers discovered another wave of mass compromised websites involving several Thai government agencies’ sites. One of the compromised sites, the Thai Police site, was injected with malicious codes to redirect users to several malicious sites. One of the landing pages, http://{BLOCKED}t.ru/ip/bchqu1.exe served a downloader detected by Trend Micro as TROJ_DLOADER.DNG. This Trojan downloader is responsible for downloading several malware (detected as TROJ_FAKEREAN.BW, TROJ_CUTWAIL.GQ, and TSPY_ZBOT.ACH).

Figure 1. Screenshot of compromised police site

Figure 2. Screenshot of fake Antivirus Pro 2010

Figure 3. Screenshot of compromised site

According to Senior Threat Analyst Joseph Pacamara who found out about the mass compromise, cybercriminals are now entertaining the idea of employing compromised legitimate sites as an avenue to proliferate FAKEAVs.

As of this writing, Trend Micro has contacted and informed all entities concerned to clean up the said websites. They have also been informed of the user risks brought about by such attacks. We have also notified ThaiCERT regarding the compromised sites. Users of Trend Micro Smart Protection Network are protected from this attack.

Post from: TrendLabs | Malware Blog - by Trend Micro

Several Compromised Thai Sites Serve Malware

Bogus Sponsored Link Leads to FAKEAV

Erika Mendoza (Threat Response Engineer) — Thu, 24 Sep 2009 10:30:19 +0000

Apart from SEO poisoning, cybercriminals have found another avenue to proliferate FAKEAV malware—bogus sponsored links (sitio patrocinados in Spanish). Just recently, Trend Micro researchers were alerted to malicious search engine ads that appeared in Microsoft’s Bing and AltaVista, among others, when a user searches the string “malwarebytes.” (Malwarebytes is a free antivirus product, but of course, not a FakeAV.) Clicking the malicious URL points the user to an executable file named MalwareRemovalBot.exe-1 (detected by Trend Micro as TROJ_FAKEAV.DMZ).

Figure 1. Malicious banner ad on Bing

Figure 2. Malicious banner ad on AltaVista

Upon execution, the rogue antivirus displays false information that the system is infected with files that do not even exist.

Figure 3. Fake scan results

In the past, cybercriminals employed the same tactic when it hitchhiked on Trend Micro. Some Google searches then showed banner ads that led to a fraudulent Trend Micro website.

Though the ads may not appear in all regions, all users are still strongly advised to be extra careful when clicking links in search engines. Users connected to the Trend Micro Smart Protection Network are protected from this attack as it detects and blocks all malicious URLs.

Post from: TrendLabs | Malware Blog - by Trend Micro

Bogus Sponsored Link Leads to FAKEAV

Bogus Profile in LinkedIn Leads to FAKEAV

Macky Cruz (Technical Communications) — Mon, 14 Sep 2009 18:19:31 +0000

Research Manager Ivan Macalintal found a bogus profile in LinkedIn that appears as one of the search results when the keyword “obama” is used.

Cybercriminals riddled the profile page with links. The .cn links lead to a URL under the y0utybe domain (notice similarity with the legitimate video-sharing site), which in turn leads to a URL (under the .com domain localtubeonline). Finally, the links land the user on familiar malicious territory–an .EXE download (file name flash-plugin_update.40069.exe).

The said landing page is actually one of the landing pages used in the blackhat SEO attack leveraging 9/11 memorials.

Trend Micro detects the binary as TROJ_RENOS.BGI. The Trojan’s primary payload is to connect to other URLs to download other components for the attack’s completion. At the time of analysis, the URLs in the malware’s code are unavailable.

Users are advised to refrain from clicking on links coming from untrusted sources. Social networking sites–even a business/corporated-oriented one such as LinkedIn–can easily be used by cybercriminals to get into people’s circle of trust. We have seen this in the following attacks:

The best protection is to make sure security applications are updated with the latest patterns to avoid the effects of these latest threats.

Post from: TrendLabs | Malware Blog - by Trend Micro

Bogus Profile in LinkedIn Leads to FAKEAV

FakeAV for 9/11

Jessa De La Torre (Threat Response Engineer) — Fri, 11 Sep 2009 02:18:59 +0000

As the anniversary of the horrible September 11 attacks in The United States approaches, Trend Micro researchers donned their research coats and waited for the people behind FAKEAV to make their move. Predictably, they did not disappoint.

Through SEO poisoning, users searching for any reports related to September 11 may find themselves stacked with Google search results that lead to a rogue AV malware detected by Trend Micro as TROJ_FAKEAV.BOH.

Figure 1. Poisoned Google search results

As shown in the image above, TROJ_FAKEAV.BOH may arrive on the system as Scanner-7c545a_2031.exe from several malicious Web sites that can all be found in the poisoned Google search results.

Trend Micro users are already protected from this threat, as the malicious file(s) are already detected and the download links are already identified and blocked by the Web Reputation Service.

The people behind FAKEAV still show no sign of slowing down. With the holiday season coming up, users are also advised to refrain from visiting unknown sites returned in Search Engine results and rely on reputable news agencies instead.

Post from: TrendLabs | Malware Blog - by Trend Micro

FakeAV for 9/11