If a user visits the blogs in question by merely entering their URLs, they will see the harmless images. If they came from search engines such as Google, however, they will instead download a new FAKEAV variant, which is detected as TROJ_FAKEAV.FFGZ.

The JavaScript file that is used by the fake blogs is detected as JS_FRAUDLOAD.AP.  The domains or actual FAKEAV drop sites involved in this attack are already blocked by Trend Micro Smart Protection Network.

Post from: TrendLabs | Malware Blog - by Trend Micro

Fake Blogs Lead to FAKEAV

The spammed message even gave users two options—to either ignore the email if the payment request has been made or to download the attached .ZIP file and install the inspector module to decline the said payment request. If the user does not make any transaction, he/she still needs to download the attachment just to cancel the payment request. The attached .ZIP file is, of course, not an inspector module but an .EXE file (module.exe) detected by Trend Micro as TROJ_AGENTT.WTRA.

Users are advised to be wary before opening any attached files even if they come from known sources. It is also best to verify emails you receive from any company first just to be sure it is legitimate. Trend Micro secures users from this attack via the Trend Micro Smart Protection Network™, which detects and blocks the spammed emails and prevents the download of the malicious file.

Post from: TrendLabs | Malware Blog - by Trend Micro

Payment Request Spam Contains Malware

Upon execution, TROJ_FAKEAV.MET drops malicious files and displays fake warning messages. These messages urge users to avail of a bogus antivirus product, Security Tool.

FAKEAV is notorious for capitalizing on hot news and popular searches via SEO poisoning. Hence, users are advised to be wary of suspicious-looking URLs when conducting online searches. Trend Micro protects users from this attack via the Smart Protection Network™ that blocks and detects all related malicious files and URLs.

Post from: TrendLabs | Malware Blog - by Trend Micro

Meteor Shower and New Moon Lead to FAKEAV

When users open the attached .ZIP file, they will not find a balance checker tool but will instead get a malicious file (balancechecker.exe) detected by Trend Micro as TROJ_ZBOT.MYS. TROJ_ZBOT.MYS steals online banking credentials such as usernames and passwords. This stolen information may be used by cybercriminals for other fraudulent activities. It also disables the Windows Firewall and has rootkit capabilities that make detection and removal difficult.

Users are strongly advised not to open any suspicious-looking email even it comes from a known source. It is also good to verify any email coming from your mobile service provider just to be sure if it is legitimate or not. Trend Micro protects users from this attack via the Trend Micro Smart Protection Network™ that detects and blocks spammed emails and malicious files.

Post from: TrendLabs | Malware Blog - by Trend Micro

Bogus “Balance Checker” Tool Carries Malware

• Registering a Facebook account
• Confirming an email address in Gmail to activate the registered Facebook account
• Joining random Facebook groups
• Adding Facebook friends
• Posting messages to Facebook friends’ walls

Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human. The details provided about the account are complete such as a photo, birth date, favorite music, and favorite books, among others. In addition, every account registered is unique in such a way that the details vary for every account registered.

Koobface accomplishes these malicious activities by automating Internet Explorer to perform the task of creating and registering an account. However, it does not proceed and will terminate the process if the affected user is using Internet Explorer 6. Moreover, it employs a check if it has already reached the maximum friend requests set by Facebook or not. Hence, it keeps itself under the radar and does not cause any alarm to Facebook administrators.

This component fetches details from one of the botnet’s available proxy domains.

The messages posted through Facebook’s wall contain a link that leads to the usual fake Facebook or YouTube page hosting the Koobface loader component.

Facebook users are advised to be careful and security conscious. It is probable that the Koobface botnet owns a particular Facebook account. It is a good thing that the Trend Micro Smart Protection Network continues to block malicious URLs spammed by Koobface.

For more tips on using Facebook, users may opt to visit Facebook’s safety and security pages:

• http://www.facebook.com/safety
• http://www.facebook.com/security

Post from: TrendLabs | Malware Blog - by Trend Micro

New Koobface Component Imitates Facebook User

The Koobface gang used controlled Google Reader accounts to host URLs containing an image that resembles a flash movie. These URLs are spammed through the said social networks. When the user clicks the image or the title of the shared content, it leads to the all-too-familiar fake YouTube page that hosts the Koobface downloader component.

Google Reader is a free service offered by Google that allows users to monitor websites for new content. It also allows the users to share content from the websites. Any user online can view these pages as they are shared with the public. Sharing any Google Reader page publicly is easy as anyone can click on the share icon in his or her Reader page and the content will appear on his or her public page. 

This ability to share content with the public was abused by cybercriminals to use the Google Reader domain to spam malicious links.

We have already contacted Google about this matter to remove the malicious content. As of now we’ve found 1,300 Google Reader accounts used for this attack. The spam URLs hosted through these accounts are now blocked.

Post from: TrendLabs | Malware Blog - by Trend Micro

Koobface Abuses Google Reader Pages

The game, created by Zach Gage, somewhat resembles the format of the popular game Space Invaders, wherein the player is represented by a spacecraft and the goal is to kill the aliens placed all over the screen. Gage’s game, however, has a different twist, which has been causing quite a stir.

The new twist in Lose/Lose is that the aliens in the game—the ones that the player must kill to stay in the game—represent random files in the user’s system. Whenever the user kills an alien, the file the alien represents is deleted. Should the user refuse to kill the aliens, he/she will lose and the game itself will be deleted.

This interesting consequence of the game is clearly stated in Gage’s website where the game can be downloaded.

Gage describes his creation as a means to answer the question: “Why do we assume that because we are given a weapon and awarded for using it, that doing so is right?” Curious intentions or not, however, the game presents high risks and may be very easily abused. A user who may have acquired the file without knowing its effects may end up with a large number of deleted critical files.

The file has thus been classified as a malware and is now detected as OSX_LOSEGAM.A. The game tests the users’ killer instinct: the user is placed in a situation where he/she is handed a weapon and told that his/her survival depends on his/her ability to kill his/her prey. This usage of natural human reactions to trigger certain actions may be a form of research to some but what we see it as is this: a social engineering technique.

Mac users can get protection from this and other threats by using the Trend Micro Smart Surfing for Mac.

Post from: TrendLabs | Malware Blog - by Trend Micro

Lose/Lose: Kill an Alien, Delete a File

Apart from dropping malicious files on infected machines, Elite Loader also allows malicious users to upload additional software to targeted systems to steal passwords or deploy spam or distributed denial of service (DDoS) modules that other cybercriminals can use.

The bot’s size is only 8kb, making the dropping process relatively hidden. The bot works perfectly well on the Microsoft XP Service Packs 1, 2, and 3 and Vista OSs and supports multiple job instances.

The malware distribution business seems to have gone public. Elite Loader, for instance, was published by well-known Lonely Wolf—one of the moderators of the underground forum, DaMaGeLaB—with detailed instructions in the archive and even dedicated thread posts. This will make it easy even for script kiddies to create their own malicious code.

Trend Micro detects the variants of the Elite Loader dropper as part of the DLOADER family of Trojans so product users need not worry about being infected. Trend Micro Smart Protection Network™ blocks the download of all malicious files and access to malicious URLs related to this bot.

Non-Trend Micro product users who think their systems may have already been infected can clean their PCs using RUBotted.

Post from: TrendLabs | Malware Blog - by Trend Micro

Elite Loader Goes Public

Our analysis then observed BREDOLAB’s connections to two notorious malware families, FAKEAV and ZBOT/ZeuS. The samples always include the aforementioned malware in its download repertoire. Adding BREDOLAB to their long lists of carriers, these malware families mostly focused on information and financial theft.

BREDOLAB also exhibited certain similarities with another well-known botnet, PUSHDO in terms of downloading routine. This led our threat researchers to believe that the cybercriminals behind PUSHDO and BREDOLAB are the same.

Trend Micro’s Senior Threat Researcher David Sancho has written an in-depth analysis on this new threat. Read it here: You Scratch My Back…BREDOLAB’s Sudden Rise in Prominence.

Post from: TrendLabs | Malware Blog - by Trend Micro

BREDOLAB Revealed!

Upon execution, TROJ_CUTWAIL.GT creates registry entries to automatically execute at every system startup. It also drops a Trojan dropper detected as TROJ_DROPR.ST. Cutwail is known as the “spam engine” of the notorious botnet, PUSHDO, which spammed around 7.7 billion messages a day in the second quarter.

In the past few days or so, Trend Micro has reported various spam that used malicious attachments (ZIP or RAR) to hide malware. This suggests that old tactics never die and continue to be an effective way of infecting users. We blogged about this in the following posts:

• Spoofed Contract Carries Malware
• Fake Facebook Password Notification Leads to Malware
• FAKEAV Uses Conficker Worm as Bait

Users are advised to be wary when opening any attached file even if it comes from a person with authority or one’s “boss.” Trend Micro users are protected via the Trend Micro Smart Protection Network, which detects TROJ_CUTWAIL.GT and blocks the spammed email message. Non-Trend Micro products users can use free tools like HouseCall to stay secure from this attack.

Post from: TrendLabs | Malware Blog - by Trend Micro

Malware Conceals Itself as Boss’s Letter

• Weather Report for Halloween: High Chances of a Storm
• “Halloween Costumes” Bring More Fright Than Expected

But just how scary is the Web 2.0 environment nowadays? Let us run down a list of the scariest threats thus far:

• 2009 saw the emergence or resurfacing of three of the most notorious botnets in relation to information, financial, and identity theft—Koobface, ZeuS, and Ilomo. Botnets control more compromised machines than previously believed. Only a handful of cybercriminals have more than 100 million computers under their control. This means they have more computing power at their disposal than the entire world’s supercomputers combined. It’s no wonder then that more than 90% of all email worldwide is now spam.

Koobface is most known for preying on social networking and micro-blogging site users. It has transcended from its original design of taking over accounts to spread malicious links using the affected users’ credentials to spreading a FAKEAV or its variant to users who just happen to visit a compromised site or to click anywhere on a malicious page where a copy of the malware is hosted.ZeuS/ZBOT

The ZeuS botnet, on the other hand, is best known for ebanking attacks targeting small businesses that do not have full-time IT staff and only 1–2 payroll personnel. It was first introduced by Rock Phishers this April, paving the way for the rise of easy-to-use kits that yielded professional-looking phishing pages. Its latest components, also known as “ZBOT variants,” now come compressed in more and more complex packers.

Ilomo, the third most dangerous botnet, Ilomo, also known as “CLAMPI” or “LOMOL,” is known for injecting code into an affected user’s browser to wait for him/her to connect to one of over 4,000 banking, financial, or Web mail sites so it can steal his/her credentials. It can, however, also “piggyback” on the user’s session to transfer funds from his/her account to a remote one while making a mockery of the bank’s secure login system. The botnet also sells “anonymity as a service” as every infected machine can act as a proxy, allowing cybercriminals to route their illegal activities through different networks and countries, thereby evading detection.

• Tricking users into downloading FAKEAV has been an age-old cybercriminal tactic that apparently has not stopped working. Hence the continuous rise in the number of FAKEAV pushed to unwitting scam victims up to this day. Trend Micro estimates that more than 100,000 users receive messages saying they have been infected by malware while visiting malicious sites and that there are more than 48,000 FAKEAV offerings per month.Apart from its ability to rake in a lot of dough, it is also hard to detect due to its numerous domains and redirectors, giving security experts a hard time tracking all related activities down. FAKEAV will thus continue to plague users for a long time because its ploy works.

• In June 2009, Microsoft broke its December 2008 record of releasing patches for 28 vulnerabilities with the release of 10 security advisories to address 31 vulnerabilities in its OSs and other software.
  Unpatched vulnerabilities can allow cybercriminals to exploit users’ systems. For instance, unpatched vulnerabilities in a system’s browser can allow cybercriminals to run arbitrary code if the user happens to browse through a malicious website, leaving him/her at the mercy of online predators.Microsoft was not alone in this predicament though. Adobe and Firefox have had their share of exploited vulnerabilities as well.

Why do more and more people join the cybercriminal bandwagon? The answer is plain and simple, because there is a lot of money to be made in infecting users. FAKEAV, for instance, sell for an average price of US$50 each. Just imagine how much money cybercriminals can make even if they just sell to a fraction of their target user base!  Our threat research papers provide detailed information of such cybercrime activity, if you’re interested, you can read them here.

And if that isn’t scary enough, Trend Micro’s threat researchers found that the going rates for stolen data (credit card information and user credentials) and for infecting users’ systems continue to rise each year. Cybercriminals never seem to run out of tricks to spread threats to users throughout the Web. No wonder U.S. President Obama officially announced October as the “National Cyber Security Awareness Month!”

Post from: TrendLabs | Malware Blog - by Trend Micro

Trick or Threat?

1. Tailor-made ZBOT spam makes its way to employees’ mailboxes
   
   The Zeus botnet is well-known for e-banking attacks that target small businesses without a dedicated IT staff and only 1–2 payroll personnel; the most notorious ZBOT attack to date sent out tailor-made spam to the employees of several of these types of small companies. The spammed messages were made to look legitimate and non-malicious when, in fact, they contained Trojan spyware designed to steal information and identities.
2. Vulnerabilities hit critical mass: Patch me if you can 

   Microsoft set a record in December 2008 of 28 patches for its OS vulnerabilities. In June 2009, the company broke that record with the release of 10 security advisories for 31 OS and other software vulnerabilities. What does this mean for users? It means that unpatched vulnerabilities can allow cybercriminals to exploit their systems. For instance, unpatched vulnerabilities in a system’s browser can allow cybercriminals to run arbitrary code if the user happens to browse through a malicious website, leaving him/her at the mercy of online predators.

3. FAKEAV: Surrender hard-earned money for fake security 

   We’ve seen several strains of FAKEAV abound on the Web. Most employ “scareware” tactics, displaying a blue screen or bogus graphical user interfaces (GUIs) to warn users of infection. Some of the most dangerous variants, however, employ “ransomware” tactics. Users who fall victim to FAKEAV scams end up buying useless applications or may even be robbed of critical information apart from their hard-earned money. Sold at an average US$50 apiece, it is clear that big money can be made from pushing FAKEAV to users. This is why we can expect the debut of more FAKEAV in the future.

4. Expand your circle of friends but beware of KOOBFACE malware 

   This year, we saw the emergence of the KOOBFACE botnet that specifically targeted social networking and micro-blogging site users. Facebook and Twitter, two of the top-ranking social networking/micro-blogging sites today have millions of users worldwide, making them favorite cybercriminal targets. The popularity of these sites may be unprecedented but so is the rise in number of malware targeting them. Victims of KOOBFACE variants can end up with FAKEAV infections, wrangled into being a part of the widespread KOOBFACE botnet, or owners of compromised profiles, take your pick.

5. More sophisticated attacks = More victims 

   Cybercriminals continue to up the stakes as they come up with more sophisticated attacks to lure more victims into their traps. A new variant of the BEBLOH family of information stealers went well beyond logging keystrokes and sending it to a server to exploit. It stole user information and used it right away while effectively avoiding detection. The latest BEBLOH variant produces static pages that show remaining account balances and previous transactions to cover its tracks. Victims will not know they have been robbed unless they accessed the online banking site from an uninfected machine or used separate facilities such as ATMs.

6. No system is immune from security attacks, certainly not Macs 

   The days when Mac users felt safe from today’s threat landscape are over. The recent proliferation of Mac attacks reiterates what security researchers have been saying all along—that no system is immune from security attacks, certainly not Macs. The number of Mac users continues to increase, unfortunately so does the number of cybercriminals targeting the Mac OS. Cybercriminal attacks on the growing Mac user base are becoming more and more complex, preying on the earlier belief that the OS X is malware-free.

7. Blackhat SEO attacks climb the charts 

   Just as cybercriminals strive to make their malware-ridden pages climb to the top of search results, so has the number of documented blackhat SEO attacks. As if the usual blackhat SEO techniques were not crafty enough, cybercriminals just learned to use new nifty gadgets—Google Trends and GeoIP tracking—to increase the chances that users will click on links that direct them to specifically crafted malware-ridden pages. This kind of attack can affect anyone searching for information on the Web. All it takes to get infected is click a top-ranking search result.

If you are concerned that your computer may have been affected by a cyber attack, try our free prevention and clean up tools, available here.

Post from: TrendLabs | Malware Blog - by Trend Micro

This Halloween, Enjoy the Treats but Be Wary of Online Tricks

Spear phishing has been used by cybercriminals before in attacks that involved specific targets. In the previous post, “So Is It Twitter or Facebook?,” for instance, cybercriminals exploited Twitter’s direct message function to inform users that their pictures were seen on another website, the link to which is embedded in the same message. The link led to a bogus Facebook page from which user credentials are then stolen.

In this attack, the cybercriminals went as far as spoofing the From field to imply that the sender is from the same company the target is employed in. The URL embedded in the email is also customizable, depending on who its intended recipient is. Clicking the link points the user to a bogus Gmail Taiwan login page where the target’s user name has already been entered.

According to TT Tsai, this phishing attack seems to be targeting the Taiwan government as some of the phishing domains we have encountered are hosted in Taiwan, not to mention that the page uses the Chinese language.

Here’s a list of malicious domains users should be wary of:

• http://google.com.microsoft-server.tw/google/accounts/ServiceLogin.asp?uid=vq4hasv2o1xn&name=victim
• http://google.com.microsoft-server.tw/google/accounts/ServiceLogin.asp?uid=vq4hasv2o1xn&name=victim

TT Tsai, however, added that the cybercriminals are rapidly changing domains and taking down previously used ones to avoid detection and blocking.

As of this writing, all spam and phishing URLs related to this attack are already being blocked by the Trend Micro Smart Protection Network™. Non-users of Trend Micro products can stay protected from this and other similar attacks by using free tools such as eMail ID.

Post from: TrendLabs | Malware Blog - by Trend Micro

Taiwan: Spear Phishers Target Gmail Users

Upon execution, TROJ_BREDLAB.SMF connects to a malicious website and downloads a FAKEAV variant detected as TROJ_FAKEAV.BLV.

Users are advised to be wary of bogus notifications even if comes from a known source. Trend Micro product users are protected from this attack via the Smart Protection Network, which detects and blocks this kind of spam. Non-Trend Micro product users can use HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.

Post from: TrendLabs | Malware Blog - by Trend Micro

Fake Facebook Password Notification Leads to Malware

However, clicking the URL leads users to a fake FDIC website where they are ask to download a document file, which in actual fact is an .EXE file detected by Trend Micro as TSPY_ZBOT.AZH.

TSPY_ZBOT.AZH initially downloads a configuration file that contains a list of URLs that it will monitor, which mostly comprises social networking and banking-related websites. Once the user accesses any of the listed websites, it starts logging keystrokes to steal information such as account credentials. This, in effect, compromises the user’s account, making it available for cybercriminals’ future use.

Here’s a list of domains used in this spam wave:

• h1erfae.eu
• h1erfai.eu
• h1erfaj.eu
• h1erfaq.eu
• h1erfar.eu
• h1erfat.eu
• h1erfau.eu
• h1erfaw.eu
• h1erfay.eu
• milki1a.co
• milki1a.me
• milki1e.me
• milki1g.me
• milki1i.co
• milki1l.co
• milki1y.me
• nyuh1awa.eu
• nyuh1awb.eu
• nyuh1awc.eu
• nyuh1awd.eu
• nyuh1awf.eu
• nyuh1awg.eu
• nyuh1awh.eu
• nyuh1awm.eu
• nyuh1aws.eu
• nyuh1awt.eu
• nyuh1awv.eu
• nyuh1awx.eu
• tt1qwa1.eu
• tt1qwa1.me
• tt1qwae.eu
• tt1qwae.me
• tt1qwaq.co.uk
• tt1qwaq.eu
• tt1qwaq.me.uk
• tt1qwar.co.uk
• tt1qwar.eu
• tt1qwar.me.uk
• tt1qwat.co.uk
• tt1qwat.eu
• tt1qwat.me.uk
• yh1qab.eu
• yh1qab.me.uk
• yh1qak.co.uk
• yh1qak.eu
• yh1qak.me.uk
• yh1qal.eu
• yh1qao.eu
• yh1qao.me.uk
• yh1qaz.me.uk

According to Advanced Threats Researcher Joey Costoya, the brains behind this spam attack are the same cybercriminals responsible for other spam campaigns like the CapitalOne phishing attack and the Outlook update spam.

He explicated that the characteristics of the domains (fast-flux and character patterns), URLs (wildcarded subdomains, long URLs), and binaries (Zeus) used in FDIC spam are somewhat similar to the above-mentioned spam waves.

As we always say, please do not open unsolicited and suspicious-looking emails such as those shown above. Trend Micro customers need not worry about being bothered by this though, as they are protected by the Smart Protection Network. Non-product users, on the other hand, can use HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.

Post from: TrendLabs | Malware Blog - by Trend Micro

FDIC Spam Points to Info Stealer