If a user visits the blogs in question by merely entering their URLs, they will see the harmless images. If they came from search engines such as Google, however, they will instead download a new FAKEAV variant, which is detected as TROJ_FAKEAV.FFGZ.

The JavaScript file that is used by the fake blogs is detected as JS_FRAUDLOAD.AP.  The domains or actual FAKEAV drop sites involved in this attack are already blocked by Trend Micro Smart Protection Network.

Post from: TrendLabs | Malware Blog - by Trend Micro

Fake Blogs Lead to FAKEAV

1. Tailor-made ZBOT spam makes its way to employees’ mailboxes
   
   The Zeus botnet is well-known for e-banking attacks that target small businesses without a dedicated IT staff and only 1–2 payroll personnel; the most notorious ZBOT attack to date sent out tailor-made spam to the employees of several of these types of small companies. The spammed messages were made to look legitimate and non-malicious when, in fact, they contained Trojan spyware designed to steal information and identities.
2. Vulnerabilities hit critical mass: Patch me if you can 

   Microsoft set a record in December 2008 of 28 patches for its OS vulnerabilities. In June 2009, the company broke that record with the release of 10 security advisories for 31 OS and other software vulnerabilities. What does this mean for users? It means that unpatched vulnerabilities can allow cybercriminals to exploit their systems. For instance, unpatched vulnerabilities in a system’s browser can allow cybercriminals to run arbitrary code if the user happens to browse through a malicious website, leaving him/her at the mercy of online predators.

3. FAKEAV: Surrender hard-earned money for fake security 

   We’ve seen several strains of FAKEAV abound on the Web. Most employ “scareware” tactics, displaying a blue screen or bogus graphical user interfaces (GUIs) to warn users of infection. Some of the most dangerous variants, however, employ “ransomware” tactics. Users who fall victim to FAKEAV scams end up buying useless applications or may even be robbed of critical information apart from their hard-earned money. Sold at an average US$50 apiece, it is clear that big money can be made from pushing FAKEAV to users. This is why we can expect the debut of more FAKEAV in the future.

4. Expand your circle of friends but beware of KOOBFACE malware 

   This year, we saw the emergence of the KOOBFACE botnet that specifically targeted social networking and micro-blogging site users. Facebook and Twitter, two of the top-ranking social networking/micro-blogging sites today have millions of users worldwide, making them favorite cybercriminal targets. The popularity of these sites may be unprecedented but so is the rise in number of malware targeting them. Victims of KOOBFACE variants can end up with FAKEAV infections, wrangled into being a part of the widespread KOOBFACE botnet, or owners of compromised profiles, take your pick.

5. More sophisticated attacks = More victims 

   Cybercriminals continue to up the stakes as they come up with more sophisticated attacks to lure more victims into their traps. A new variant of the BEBLOH family of information stealers went well beyond logging keystrokes and sending it to a server to exploit. It stole user information and used it right away while effectively avoiding detection. The latest BEBLOH variant produces static pages that show remaining account balances and previous transactions to cover its tracks. Victims will not know they have been robbed unless they accessed the online banking site from an uninfected machine or used separate facilities such as ATMs.

6. No system is immune from security attacks, certainly not Macs 

   The days when Mac users felt safe from today’s threat landscape are over. The recent proliferation of Mac attacks reiterates what security researchers have been saying all along—that no system is immune from security attacks, certainly not Macs. The number of Mac users continues to increase, unfortunately so does the number of cybercriminals targeting the Mac OS. Cybercriminal attacks on the growing Mac user base are becoming more and more complex, preying on the earlier belief that the OS X is malware-free.

7. Blackhat SEO attacks climb the charts 

   Just as cybercriminals strive to make their malware-ridden pages climb to the top of search results, so has the number of documented blackhat SEO attacks. As if the usual blackhat SEO techniques were not crafty enough, cybercriminals just learned to use new nifty gadgets—Google Trends and GeoIP tracking—to increase the chances that users will click on links that direct them to specifically crafted malware-ridden pages. This kind of attack can affect anyone searching for information on the Web. All it takes to get infected is click a top-ranking search result.

If you are concerned that your computer may have been affected by a cyber attack, try our free prevention and clean up tools, available here.

Post from: TrendLabs | Malware Blog - by Trend Micro

This Halloween, Enjoy the Treats but Be Wary of Online Tricks

Trend Micro Senior Threat Researcher David Sancho had this to say about the new OS:

Microsoft has been improving the security of its OS that is why there are fewer network vulnerabilities every time. Having said that though, security cannot be taken for granted and there’s always room for improvement. The Web is today the biggest infection vector therefore hardening the OS needs to be complemented with strengthening the browser and applications used to visualize Web pages (such as Adobe Acrobat, Flash, etc.).

Now, users may wonder if their Trend Micro products will work with Windows 7. The answer is yes. Programs such as Trend Micro Internet Security will work just as well in Windows 7 as in previous versions like XP and Vista. Whether users upgrade or stick with their current OS, they can continue to rely on their existing Trend Micro software. Even HouseCall, our free online scanner, will run under Windows 7.

Post from: TrendLabs | Malware Blog - by Trend Micro

Windows 7? No Problem for Trend Micro Users

Microsoft has confirmed that the list is authentic. They have also said that their databases were not actually breached; if this is correct this means the list was gathered using conventional phishing attacks. Users who believe their accounts have been compromised may fill out this online Microsoft form to recover their account.

Windows Live Hotmail users are strongly advised to change their passwords immediately, as the scale of the overall problem is unknown. As a preventive measure, users should be very careful about entering user credentials in untrusted websites. The Microsoft page above also contains other security recommendations that users should consider.

Phishing sites like the ones that were apparently involved in collecting these credentials are blocked by the Trend Micro Smart Protection Network.

Update as of 6 October 2009, 12:00 PM:

It turns out that this attack is bigger than previously thought, as new lists of compromised email accounts were found posted on the same site where the thousands of Hotmail credentials were initially posted. However the newly posted information were not only consisted of Hotmail accounts, but Gmail, Yahoo!, Comcast, and Earthlink accounts as well. The said information are said to have been acquired in the same way as the previous attack.

The email account credentials were posted at pastebin.com, a website designed as a platform for developers to share code. The website was taken down temporarily by its owner to remove the information. The website is online again as of this writing, but not without a note for its likely very concerned users: Concerned about Hotmail? If you’ve come here after reading about the hotmail leak, see this blog post.

Post from: TrendLabs | Malware Blog - by Trend Micro

Windows Live Hotmail User Information Leaked

Citizen Journalism

In the Philippines, residents with camera phones began taking pictures and videos of events as they happened. Videos were uploaded to YouTube, and were then linked to Facebook. In addition, pictures uploaded in Flickr or Facebook were linked as well.

These photos and videos provide almost real-time information, faster than established news outlets and proved to be critical in mapping out traffic jams, flood water levels, and areas in need of immediate rescue.

Social Networks as a Sounding Board for Public Announcements

Contact numbers of government institutions and NGOs were posted in Facebook for people who might need them. It’s important to note the Please repost plea at the end of the message were added to make sure it gets to other social groups, thus making the message “viral.”

SOS on Facebook!

Other people also employed Facebook to spread SOS messages from other people who were in critical/near-critical condition. The messages were spread in the hope that a person connected to a government agency, NGO, or rescue team will receive the message. In most cases, these pleas for help were responded to.

Mapping out SOS calls with Google Maps

A group of volunteers set up a Google map to help rescue teams pin point the exact location of SOS calls received from radio, TV, social networks, and email. We can also see the concentration of distress calls by viewing the said map, which may help in the deployment and allocation of resources of rescue teams.

Google Maps Used in the Study of Flood Levels

A group of university professors surveyed the affected residents about the flood level in their area. This data is expected to be used in the research of water flow, flood management, and city planning.

Some Caveats

As usual, these types of events can be leveraged by cybercriminals in order to propagate malware. In fact, Trend Micro discovered several malicious websites using blackhat SEO with keywords related to Ketsana in order to install FAKEAV.

Scammers may also cash in on the situation so make sure all donations and relief items are channeled through reputable organizations.

Indeed, Web 2.0 can save lives, but we also need to keep in mind that cybercriminals are always waiting to exploit the situation, our vigilance must also extend to matters pertaining to security.

Conclusions

This particular experience is yet another proof of the reach and importance of social networks and social media. Established institutions and governments may fail, but the population as a whole will find a way to organize and help, aided greatly by social networks.

With that in mind, I can’t help but think of how these can be exploited by people with ill intentions. Fake donation accounts may be set-up and spread on social networks while malware may use the situation as a social engineering trick. Right now, everything is just based on trust, but it won’t be long before we see scam messages leveraging the tragedy. Users should be vigilant with such scams. Good thing, Trend Micro saves users from these security threats with its Trend Micro Smart Protection Network.

Post from: TrendLabs | Malware Blog - by Trend Micro

How Web 2.0 Can Save Lives

As reported in detail by Trend Micro researcher Rik Ferguson in the Counter Measures blog, the New York Times issued warnings through both Twitter and its website’s front page about malvertisements that trigger the display of a malicious pop-up window. The said pop-up window displays the typical fake antivirus warning indicating malware infection. This forces the affected user to purchase a full version of a rogue antivirus software. Of course, the reported infections are in reality nonexistent. The alarming messages are mere distractions to convince the user into giving away important information.

Not only is good money wasted on purchasing a useless software. Important information such as credit card details are also compromised and made available to cybercriminals.

However, this attack turns out to be short-handed when placed against the Smart Protection Network. Not only are the fake antivirus software used so far already detected as TROJ_FAKEALE.SMF and TROJ_FRAUDPAC.LH; the URL to which the malvertisement redirects to is also blocked. These prevent the whole infection process from even starting.

Other users are advised to ignore such pop-up messages.

Post from: TrendLabs | Malware Blog - by Trend Micro

Malvertisements in NYTimes.com Lead to FAKEAV

This is the scenario painted by cybercriminals in their latest spam run. The spammed message informs recipients that the President of Peru, Alan Gabriel Ludwig García Pérez, and other attendees of the delegation of UNASUR (Union of South American Nations) summit have confirmed cases of Swine flu. Furthermore, it states that the presidents of Brazil and Bolivia were also both infected but are now recovering.

Figure 1. Sample spam

Written in Spanish, the spam attempts to stir recipients’ curiosity by saying that the incident is being kept from the public. It also urges them to click on the malicious link, which purports to contain the audio news pertaining to this incident. Instead of news, however, all victims get is an executable file (Alan.Gripe.Porcina.mp3.exe) detected by Trend Micro as TSPY_BANCOS.AEM. BANCOS variants are known for its info-stealing capabilities.

Figure 2. Screenshot of the executable file

In the past, Trend Micro has written about malware attacks that hitchhiked on swine flu in the following blog posts:

• Scammers Ride on H1N1 Global Pandemic
• Yet More Swine Flu Attacks
• Waledac Turns to Cash and Vaccines
• Swine Flu Spam Attempt to Infect Japanese Users
• Swine Flu Outbreak Hits The Web Through Spam

Trend Micro already blocks and detects the malicious URL and file via its Trend Micro Smart Protection Network. Users are advised to be wary in clicking on URLs in messages from unknown senders.

Post from: TrendLabs | Malware Blog - by Trend Micro

Fake Presidential Swine Flu Stories Lead to Malware

The California bush fires that destroyed 50 homes and 10 commercial buildings and claimed the lives of two firefighters have become the focus of cybercriminals’ latest social engineering ploy.

Users looking for information about the fires in Auburn on the Web with search terms like “auburn fire map” are met by results that point to malware-ridden sites hosting rogue antivirus products such as:

• http://california-fire-map.{BLOCKED}angocafe.com/
• http://california-fires-map.{BLOCKED}angocafe.com/
• http://california-fires-map.{BLOCKED}lifepromotion.com/
• http://auburn-ca-fire-map.{BLOCKED}lifepromotion.com/

As if that is not alarming enough, Trend Micro Research Project Manager Ivan Macalintal also noted that there are other cybercriminal campaigns in different malicious domains delivering various malware such as one targeting Macs detected as OSX_JAHLAV.M.

This scam is the latest example of a profit-motivated attack that takes advantage of tragedies and natural disasters to distribute malware, reminiscent of Hurricane Katrina-inspired attacks.

As usual, users are advised to only rely on well-known news outlets for updates on the incident, as cybercriminals are never slow to leap on such an opportunity. And as this targets Mac users yet again, we cannot reiterate the fact that no OS is safe.

The Trend Micro Security for Macintosh and Smart Surfing for Mac already detect and consequently block the malicious sites from being accessed and the application from being downloaded so users need not worry.

Post from: TrendLabs | Malware Blog - by Trend Micro

California Bush Fires Spark Blackhat SEO Campaigns

In reality, however, this company has been serving as the operational headquarters of a large cybercrime network since 2005. From its office in Tartu, employees administer sites that host codec Trojans and command and control (C&C) servers that steer armies of infected computers. The criminal outfit uses a lot of daughter companies that operate in Europe and in the United States. These daughter companies’ names quickly get the heat when they become involved in Internet abuse and other cybercrimes. They disappear after getting bad publicity or when upstream providers terminate their contracts.

Some of the larger daughter companies survived up to 5 years, but got dismantled after they lost internet connectivity in a data center in San Francisco, when webhosting company Intercage went dark in September 2008, and when ICANN decided to revoke the company’s domain name registrar accreditation.

This caused a major blow to the criminal operation. However, it quickly recovered and moreover immediately started to spread its assets over many different webhosting companies. Today we count about 20 different webhosting providers where the criminal Estonian outfit has its presence. Besides this, the company own two networks in the United States.

We gathered detailed data on the cyber crime ring from Tartu and found that they control every step between driving traffic to sites with Trojans and exploiting infected computers. Even the billing system for fake antivirus software that is being pushed by the company is controlled from Tartu. An astonishing number of 1,800,000 Internet users were exposed to a bogus “you are infected” messages in July 2009 when they tried to access high traffic pornography sites.

For a detailed analysis, please read our whitepaper: A Cybercrime Hub available at TrendWatch.

Post from: TrendLabs | Malware Blog - by Trend Micro

Investigations on a Cybercrime Hub in Estonia

Today’s Patch Tuesday from Microsoft comes with 9 security advisories, 5 of which are tagged as critical, 4 as important. Collectively, 19 flaws are addressed in these advisories, 15 of which are critical. This set of advisories also includes the bulletin that addresses the previously exploited Microsoft Office Web Components bug.

The critical advisories include patches for vulnerabilities in Microsoft Office Web Components (MS09-043), Remote Desktop Connection (MS09-044), Internet Name Service (MS09-039), Windows Media File Processing (MS09-038), and Active Template library (MS09-037).

The other advisories are for vulnerabilities in ASP.NET (MS09-036), Message Queuing (MS09-040), Workstation Service (MS09-041) and Telnet (MS09-042).

Details about these vulnerabilities can be found at our Security Advisory for the August 2009 Patch Tuesday at the Threat Encyclopedia. The Microsoft blog says that five of the six critical patches are rated “1″ in their Exploitability Index. They are thus expecting there to be some in-the-wild exploits targeting these within 30 days from now.

Again, this is a reminder to make sure that all your applications and operating systems are up to date with the latest patches. Software vendors issue these patches to prevent cybercriminals from exploiting these vulnerabilities. Update now.

Trend Micro OfficeScan users with Intrusion Defense Firewall plugin installed should apply today’s update for the latest filters (IDF09024). This version contains protection from attacks exploiting the above and other vulnerabilities.

Post from: TrendLabs | Malware Blog - by Trend Micro

August 2009 Patch Tuesday Addresses MS Vulnerabilities

The DefCon attendees believe that cybercriminals will likely be doing more of the same in the near future. Some techniques highlighted were:

• That Internet browsers will continue to be the easiest platform to exploit, regardless of which browser a user uses. Cross-site scripting (XSS) and cross-site request forgery (CSRF) will continue to makes hackers’ lives easier. In the same context, I got an insight into anonymous browsing tunneled over XSS (XAB) wherein one or many Web browsers can be used for traceless data transfer. In the future, encryption and possible computer chaining were predicted for XAB.
• The use of Metasploit as a software as a service (SaaS) was dubbed a good practice. We are, in fact, seeing a trend (with Zeus and Ilomo) that malware can be updated via the Internet. I found it amazing that a lawyer talked about hackerspaces and their legal bases. It seems that hackers are already one step ahead in protecting themselves even before laws against hacking are instituted by governments.
• Last but not least, I found that defeating Secure Sockets Layer (SSL) technology and stealing certificates seemed a very easy task for hackers, in fact, it is already an automated task in stealing credit card numbers and identities.

Attacking datacenters was suggested as a new topic for next year’s DefCon. Datacenters can be attacked or exploited either physically (through lock picking) or digitally (hacking Hadoop, one of the most used database systems). I did not hear anything about distributed denial of service (DDOS) attacks on datacenters as this would only probably make sense in cases of blackmailing their customers.

The fact that there was no secure OS was again reiterated. This was proven by the presentation on “Runtime Kernel Patching on Mac OS X,” from which I gathered:

Runtime kernel patching has been around for almost 10 years and is a technique frequently used by various rootkits to subvert the kernels used in many modern OSs.

This technique does not require any type of kernel modules or extensions and will allow you to hide various things like processes, files, folders, and network connections by modifying the kernel’s memory directly. It will also allow you to place various backdoors in the kernel for privilege escalation.

DefCon originated in 1993. It was a meant to be a party for the members of “Platinum Net,” a Fido protocol-based hacking network out of Canada. At present, it has become one of the oldest-running and largest hacker conventions around. This year’s DefCon was held at the Riviera Hotel and Casino in Las Vegas from 30 July–02 August.

Post from: TrendLabs | Malware Blog - by Trend Micro

DefCon Las Vegas 2009

Cybercriminals use popular and high interest events to further their cause—in this case, spreading fake antivirus software detected by Trend Micro as TROJ_FAKEALRT.FK.

Trend Micro threat analyst Joseph Pacamarra found that searching for details on the former president’s death with the words “corazon aquino’s death” led users to the following malicious sites:

• http://{BLOCKED}-gonzales.redxhost.com/corazon-aquino-death.html
• http://{BLOCKED}sa.20x.cc/corazon-aquino-death.html
• http://{BLOCKED}rank.0adz/corazon-aquino-death.html
• http://{BLOCKED}-1.0adz.com/corazon-aquino-died.html

The cybercriminals used the same .php page (1.php) to redirect users who click the links above. However, this page was hosted on different domains, possibly to avoid detection. The redirections from the above links eventually led to the download of a fake antivirus from the following sites:

• http://{BLOCKED}-pro-antivirus-scan.com/download.php?id=2022
• http://{BLOCKED}-pro-antivirus-scan.com/download/Install-6a1e7ce_2022.exe
• http://{BLOCKED}-pro-antivirus-scan.com/download/Install-74f10_2022.exe
• http://{BLOCKED}-pro-antivirus-scan.com/download/Install-6a75f_2022.exe

This is not the first time that news was used to launch blackhat SEO attacks:

• Blackhat SEO Quick to Abuse Farrah Fawcett Death
• Scammers Ride on H1N1 Global Pandemic
• “Solar Eclipse 2009 in America Leads to FAKEAV

Users are advised to rely on legitimate and reputable news sites to avoid being infected. Trend Micro product users are advised to update to the latest CPR version 6.338.03 to stay protected.

After further analysis, the file corazon-aquino-died.html1, which may be downloaded from the sites mentioned earlier, is now detected as HTML_REDIR.ECT. This is consequently blocked by Trend Micro’s Smart Protection Network.

After a recent reanalysis of TROJ_FAKEALRT.FK, Trend Micro threat analyst Kathleen Notario discovered that the sample (”Personal Antivirus”) does not exhibit FAKEAV behaviors. It does not, for instance, display a FAKEAV graphical user interface (GUI) nor causes system modifications. It has been found to be missing a main installer component.

However, the Trojan may access the following domains to download possibly malicious files or install other FAKEAVs:

• http://{BLOCKED}ne-sachs.com
• http://{BLOCKED}erbaseupdatesv2.com
• http://{BLOCKED}twareupdatev2.com
• http://{BLOCKED}ben.cn
• http://{BLOCKED}-updatesv5.com

Post from: TrendLabs | Malware Blog - by Trend Micro

Cory Aquino’s Death Used to Spread Another FAKEAV

Trend Micro recently relaunched TrendWatch, its dedicated threat center, to keep users better informed and abreast of the latest threats! As with the website’s earlier launch last year, this year’s relaunch aims to continue to make more intuitive information about all threats as accessible as possible to all our site visitors.

The site will continue to answer the same questions you may have had in the past but will also offer you so much more. The new and improved TrendWatch site promises to be faster, simpler to use, and more intuitive than before.

To get a glimpse of the new and improved TrendWatch, you may visit this URL: http://us.trendmicro.com/us/trendwatch/.

So what can you look forward to seeing in this site?

• Focus Report Series is a Trend Micro first. The featured report each month will give you a more in-depth insight on some of the most prevalent types of malware attacks.
• Threat Meter presents a graphical view of the latest threats (i.e., Web, spam, and malware) affecting users in real time.
• Recent Security Advisories will keep Microsoft application users informed of the latest critical updates to protect their systems from vulnerability exploits.
• Latest Videos and Podcasts provides user education and training support conducted by our tech gurus.
• Recent Threat News provides links to our latest blog entries that will keep you informed of the latest threats you should protect yourselves from.

These and links to our rich and timely security resources are sure to make your TrendWatch experience better than before.

Visit TrendWatch, a threat center designed just for you! Powered by data from TrendLabs, Trend Micro’s global network of research, service, and support centers, TrendWatch is a central resource providing the latest information about threats plus updates on new technologies and access to security tools.

Experience Trend Micro, visit TrendWatch today!

Post from: TrendLabs | Malware Blog - by Trend Micro

TrendWatch Relaunch

Detected as WORM_MYDOOM.EA by Trend Micro, it is suspected to have arrived in victims’ inboxes as an attachment to email messages. Upon execution, it registers itself as a system service (like as WMI Performance Configuration or WmiConfig) to ensure execution upon startup. It then drops component files distributed on several infected machines with lists of targets for DDoS.

The worm then gathers email addresses from all files located in the affected system’s Temporary Internet Files folder. It also gathers domain names, and uses them to add more email addresses by prepending the user names such as andrew, brenda, david, and george to the gathered domain names (detailed list can be read here). Additionally, the threat attempts to obtain email server addresses by prepending certain strings to the obtained domain names. Emails with a copy of itself as attachment are sent to the composed addresses through its own SMTP engine. It should be noted, however, that though the code suggests that WORM_MYDOOM.EA propagates through email, we have yet to receive a sample that successfully propagates via email.

Our threat researchers are still analyzing some aspects of this malware, and its components, so we will update this post as necessary as more information becomes available.

Files related to network analysis tools are also deleted in order to prevent the affected user from noticing the heightened network activity caused by the DDoS attack (see Figure 1 for the threat diagram).

The DDoS attack left a number of its target websites inaccessible, which included several of South Korea’s government websites. South Korea is one of the top countries in Asia in terms of Internet usage, with an estimated 36.8 million users.

Users are strongly advised to ignore unsolicited emails to avoid unwillingly partaking in this massive attack.

Updates as of 12 July 2009:

Further analysis by our engineers reveal that WORM_MYDOOM.EA drops a specially crafted .JPG file detected as TROJ_JPEGDRPR.B. Embedded in TROJ_JPEGDRPR.B is an executable detected as WORM_MYDOOM.EB.

WORM_MYDOOM.EB overwrites the Master Boot Record of all drives in the affected system with the string Memory of the Independence Day. It then searches for files with certain file extensions, creates an archive of all found files, then deletes the original files. Found files which are 0-byte (file size is zero) are automatically deleted. The created archive is protected by a random 8-digit password.

Post from: TrendLabs | Malware Blog - by Trend Micro

MYDOOM Code Re-Used in DDoS on U.S. and South Korean Sites

See sample message below:

These messages contain links to a site which appears to be from Youtube:

Figure 2: The website with the supposed video

The video supposedly shows a fabulous fireworks show, but in reality attempting to play the video results in downloading a copy of WORM_WALEDAC.DU. This particular technique has been used many, many times before, but it’s still quite effective.

Fortunately, however, the malicious file is already detected by the Trend Micro Smart Protection Network, so users don’t need to worry about this threat.

Post from: TrendLabs | Malware Blog - by Trend Micro

WALEDAC Celebrates Independence Day, Too