Posts filed under 'Malicious Websites'
April 29th, 2008 by Jake Soriano (Technical Communications)
Senators Hillary Clinton and Barack Obama battle it out on all fronts, literally. The tight contest, in which no clear frontrunner has emerged so far, isn’t likely to be decided by the debates alone, so we see extra-political battles in other arenas. The Web would seem one likely sphere where the hopeful nominee who dominates gains a lot.
The most recent Internet-related clash between these two involved redirection: one candidate’s Web site leads users to the site of the other. Users viewing Obama’s site were redirected to Clinton’s through an attack called cross-site scripting (XSS). Researchers were successful in reversing the attack, too, exploiting vulnerabilities and revealing these glitches to the site owners.
Internet-related incidents are not new in the coming U.S. presidential elections. TrendLabs, as early as November last year, reported on spamming activities that were seen as campaign materials for Ron Paul. Clinton herself was featured in a spam run that spewed malware into systems, turning them into bots to further spread spam.
This time, however, the cross-site scripting attacks are seen as benign, as no malware was involved. With the increasing attention paid to spamming and other malicious activities, this might be a move driven by caution. Those who do it may have realized that malicious activities, once exposed, will inevitably taint individuals and their image in the media, or with everyone in general.
Researchers are still investigating how this type of attack could be used in more malicious criminal activity.
March 31st, 2008 by Jake Soriano (Technical Communications)
Massive iFrame attacks on top Web sites still threaten online searches. The threat is not just continuing but, according to independent Internet security researcher Dancho Danchev, is getting bigger as well.
Trend Micro has recently reported two high-traffic sites that were iFramed earlier this month. The said attack relied on popular search terms that were not validated in search engines. Interestingly, this previous attack came less than a week after search results of popular Web sites ZDNet Asia and TorrentReactor were also found to have been iFramed.
Danchev says that the current poisoning also leads users to several redirection posts. He again lists what he believes are poisoned sites. These include the following:
- USAToday.com
- ABCNews.com
- News.com
- Target.com
- Packard Bell.com
- Walmart.com
- Rediff.com
- MiamiHerald.com
- Bloomingdales.com
- PatentStorm.us
- WebShots.com
- Sears.com
- Forbes.com
Trend Micro Threat Response engineers analyzed the said pages and found no traces of an ongoing compromise. The sites may have been already fixed by the time of our engineers’ verification. However, the threat in general continues to persist, as it would be very possible to encounter iFrame injections in some future time. Security researchers have yet to close in on a foolproof way to lock down a site from being compromised.
March 27th, 2008 by Carolyn Guevarra (Technical Communications)
Virus Coordinator for Trend Micro Latin America Jose Lopez Tello recently discovered a very interesting malware attack that seems to be (at first blush) related to the previous Banamex phishing e-mails reported last January and earlier this month.
Similar to the past attacks, this malware aims to steal money by targeting customers of Banamex, the largest e-Bank in Mexico.
However, instead of using the DNS poisoning method of the past attacks, this malware uses a script to change the user’s DNS settings, and also installs a botnet client that connects to an IRC server hosted at a U.S. hosting provider.
Based on Tello’s analysis, the infection chain is usually initiated by a fake greeting eCard that a user receives via email. This eCard contains a link, which when clicked downloads the malicious file Gusanito.exe.
Trend Micro detects this file as BKDR_VBBOT.AE. The difference between this new attack and the previous attacks is that, this time around, the malicious downloaded executable does not poison the user’s HOSTS file or the local router’s DNS table. Instead, it changes the DNS from the affected user’s computer using the following simple script:
dns name= source=static addr=[IP address] register=PRIMARY
Thus, when the user attempts to access www.banamex.com, he is redirected to a phishing Web site (which is actually located at the same fake DNS server).
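Two defender-side checks for this DNS-hijack technique, written as an added example (not code from the original post): one audits the resolvers reported by `netsh interface ip show dns` against an allowlist, the other flags a logged command line that sets a static resolver the way the malware’s `dns … source=static addr=…` line does. The sample netsh output, the allowlist and the 192.0.2.66 address are all constructed.

```python
"""Defender-side checks for the DNS hijack described above (added example,
not code from the original post). It parses `netsh interface ip show dns`
output (constructed sample below) and flags statically configured resolvers
outside an allowlist, and flags a logged command line that sets a static
resolver the way the malware's `... dns ... source=static addr=...` line does."""
import re

# Constructed sample output; 192.0.2.66 (a documentation address) stands in
# for the attacker's resolver.
SAMPLE_NETSH_OUTPUT = """\
Configuration for interface "Ethernet"
    DNS servers configured through DHCP:  10.0.0.53
                                          10.0.0.54
    Register with which suffix:           Primary only

Configuration for interface "Wi-Fi"
    Statically Configured DNS Servers:    192.0.2.66
    Register with which suffix:           Primary only
"""
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}  # assumed corporate resolvers
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SERVER_LINE = re.compile(rf"\s*(Statically|DNS servers configured through DHCP).*?:\s*({IPV4})")
CONTINUATION = re.compile(rf"\s+({IPV4})\s*$")
SET_DNS = re.compile(rf"\bdns\b.*\bsource=static\b.*\baddr=({IPV4})", re.I)

def parse_dns_config(text):
    """Return {interface: (source, [servers])}, source in 'static'/'dhcp'/'none'."""
    result, current = {}, None
    for line in text.splitlines():
        if m := re.match(r'Configuration for interface "(.+)"', line):
            current = m.group(1)
            result[current] = ("none", [])
        elif current and (m := SERVER_LINE.match(line)):
            source = "static" if m.group(1) == "Statically" else "dhcp"
            result[current] = (source, [m.group(2)])
        elif current and (m := CONTINUATION.match(line)):
            result[current][1].append(m.group(1))  # extra server on its own line
    return result

def find_rogue_resolvers(text, expected=EXPECTED_RESOLVERS):
    """(interface, server) pairs that are statically set and not in `expected`."""
    return [(iface, s)
            for iface, (source, servers) in parse_dns_config(text).items()
            if source == "static" for s in servers if s not in expected]

def is_rogue_set_dns(cmdline, expected=EXPECTED_RESOLVERS):
    """True if a logged command line sets a static resolver outside the allowlist."""
    m = SET_DNS.search(cmdline)
    return bool(m) and m.group(1) not in expected
```

On a real host, feed the output of `netsh interface ip show dns` to `find_rogue_resolvers` and process-creation command lines to `is_rogue_set_dns`; a hit on either is the change this malware makes.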
The botnet client code (BKDR_VBBOT.AE) also opens an IRC connection to yet another, different US-based host and channel to wait for commands from its botmaster; the commands are actually intended to make the bot send out more of the same original, bogus eCard greeting emails.
As of this writing, there are over ~650 bots already connected to this botnet C&C (Command & Control) server, and they are most probably sending out tons of fake greeting eCards at this very moment. “In fact, you can see all the list of emails that will be targeted,” says Tello.
The malicious link has already been submitted to Trend Micro Content Security team for processing and blocking. The appropriate law enforcement and content providers have also been alerted to this.
(Thanks to Paul Ferguson for additional technical background.)
-Update: March 29, 2008-
BKDR_VBBOT.AE was renamed to WORM_KELVIR.EI.
March 27th, 2008 by Daver Cavalcanti (Threats Analyst)
Just recently, Trend Micro discovered an FTP server in Uruguay that hosts a phishing Web site targeting customers of Telecom Italia Mobile (TIM), one of the largest mobile phone companies in Brazil.
The server’s IP address indicates that it may be affiliated with Russian or Ukrainian cyber criminals who have previously been affiliated with RBN, or the Russian Business Network. RBN was made notorious for its “bullet-proof” hosting facilities, which have been linked to illegal activities such as child pornography, phishing, spam, and malware distribution.
Using an INDEX.HTML file, this phishing site presents an ActiveX control that invites the user to view a video message purportedly from TIM Brazil. When accessed, it attempts to insert malicious code on the client system and then send phishing messages to the affected user. This file changes daily and points to a new false URL that is sent via email to all those who fell victim to the fraudulent Web site.
Phishing is a technique used to trick users into divulging personal information (such as social security numbers, ATM PIN, and credit card numbers) through email or dubious Web sites. Perpetrators trick gullible users to send them private or personal information. To do this, they forge the Web site or an email of a legitimate company. These Web sites or email messages usually ask for information about the recipient. Alterations on the code of these bogus Web pages or email messages result in the information being redirected to the cyber criminals. When the user is tricked into divulging information, we say that (s)he has become a victim of a “phishing attack.”
The ActiveX control is already detected by Trend Micro as POSSIBLE_MLWR- 1. The malicious URL hides the source of the downloadable file behind an obfuscated script and resolves to a Banker Trojan downloader, win.exe, served from a host located in Brazil; that host is already blocked by our URL filtering services.
March 26th, 2008 by Aivee Cortez (Anti-spam Engineer)
The Web site of the Ministry of Finance in Brazil, Ministerio da Fazenda, has become the new target of the bad guys. The Trend Micro Content Security Team found a phishing email that purports to be a legitimate email coming from the said financial institution.
It asks recipients to confirm an income tax return that has supposedly not been delivered. The confirmation is done by clicking a hyperlink in the message, which leads to the URL hxxp://www.c3.hu/~vadkert//tagok/formulario.php. However, instead of displaying an ordinary phishing Web site, it downloads a malicious executable file.
The said file is already detected by Trend Micro as POSSIBLE_BANLD- 1, while the malicious URL has already been added to the database and will be blocked by WCS.
- Update: March 27, 2008 -
TrendLabs engineers further analyzed the malicious site and found various malware hosted on it, including the following:
- w.exe - detected as TSPY_AGENT.ALKZ
(Note: The original file downloaded from the link is already detected as PE_PARITE.A)
- formulario.exe - detected as TROJ_BANLOAD.CRZ
- onnas.exe - detected as TSPY_BANCOS.AUE
The file usersonline.txt, on the other hand, is a non-malicious file that contains IP addresses and ports which, based on analysis, are currently not reachable. Jose Lopez Tello, Trend Micro Virus Coordinator in Latin America, notes that it is not certain whether the IP addresses in the text file belong to online users or are just a fake list, but what is interesting is that all of the IPs are located in Brazil.