When users click the link, they will land in the sender’s Twitter page where another URL is posted in a tweet along with a message that encourages them to work online. The said URL points to a bogus site about working online and some success stories. This spam attack used Twitter as a technique to lure users into clicking the link. Since Twitter is a trusted source, users may think the email they received is legitimate.

Users are advised to be wary of opening any suspicious-looking emails. Trend Micro protects users via the Trend Micro Smart Protection Network, which detects and blocks this kind of spam. Non-Trend Micro product users can use free tools like eMail ID to stay secure.

Post from: TrendLabs | Malware Blog - by Trend Micro

Job Spam Uses Twitter

If a user visits the blogs in question by merely entering their URLs, they will see the harmless images. If they came from search engines such as Google, however, they will instead download a new FAKEAV variant, which is detected as TROJ_FAKEAV.FFGZ.

The JavaScript file that is used by the fake blogs is detected as JS_FRAUDLOAD.AP.  The domains or actual FAKEAV drop sites involved in this attack are already blocked by Trend Micro Smart Protection Network.

Post from: TrendLabs | Malware Blog - by Trend Micro

Fake Blogs Lead to FAKEAV

Upon execution, TROJ_FAKEAV.MET drops malicious files and displays fake warning messages. These messages urge users to avail of a bogus antivirus product, Security Tool.

FAKEAV is notorious for capitalizing on hot news and popular searches via SEO poisoning. Hence, users are advised to be wary of suspicious-looking URLs when conducting online searches. Trend Micro protects users from this attack via the Smart Protection Network™ that blocks and detects all related malicious files and URLs.

Post from: TrendLabs | Malware Blog - by Trend Micro

Meteor Shower and New Moon Lead to FAKEAV

According to Threat Response Engineer Jasper Manuel, search results led to the download of TROJ_FAKEAV.MAN. Clicking the link displays the following image:

Users who are interested in watching Pacquaio’s upcoming fights (i.e., with Mayweather) are advised to stay away from suspicious-looking links. Trend Micro Smart Protection Network™ blocks user access to malicious URLs and detects the said FAKEAV.

Post from: TrendLabs | Malware Blog - by Trend Micro

Pacquiao vs Cotto Fight Live Stream Leads to FAKEAV

When users open the attached .ZIP file, they will not find a balance checker tool but will instead get a malicious file (balancechecker.exe) detected by Trend Micro as TROJ_ZBOT.MYS. TROJ_ZBOT.MYS steals online banking credentials such as usernames and passwords. This stolen information may be used by cybercriminals for other fraudulent activities. It also disables the Windows Firewall and has rootkit capabilities that make detection and removal difficult.

Users are strongly advised not to open any suspicious-looking email even it comes from a known source. It is also good to verify any email coming from your mobile service provider just to be sure if it is legitimate or not. Trend Micro protects users from this attack via the Trend Micro Smart Protection Network™ that detects and blocks spammed emails and malicious files.

Post from: TrendLabs | Malware Blog - by Trend Micro

Bogus “Balance Checker” Tool Carries Malware

Microsoft has not confirmed independent reports. A spokesman said the company was still investigating the issue. Enterprise users are protected by Trend Micro products such as Deep Security and Intrusion Defense Firewall. Trend Micro has issued a security advisory with some more technical details on this vulnerability.

Other users are advised to block the ports used by the SMB protocol and await the official Microsoft response.

Update as of 11:01 P.M. While Microsoft has not confirmed these reports as of this writing, we have verified that Windows 7 is vulnerable.

Update as of November 14, 6:20 A.M. Microsoft has released a security advisory for this vulnerability. Accordingly, the said vulnerability can’t be used to install malicious files and to take control of one’s system. Although the exploit code has been published already, Microsoft said that it hasn’t received any reports of known attacks in the wild. As a workaround, Microsoft advises users to block TCP ports 139 and 445 at the firewall.

Post from: TrendLabs | Malware Blog - by Trend Micro

New SMB Zero-Day Exploit?

The attack starts with compromised Twitter accounts. The accounts are used to send out Direct Messages to the followers of the users who own the compromised accounts.

The Direct Message—which is basically the Twitter counterpart of a private message—contains a link to what looks like an IQ test website:

An IQ test may seem harmless but the last thing asked for in the test is no longer an answer but the respondent’s mobile number. Though the real motive for this scheme is unclear, we believe that this was set up to gather mobile numbers from unknowing users to become potential targets for SMS spam or other mobile-related attack.

Users are strongly advised to refrain from clicking the links contained in similar Direct Messages that they may encounter even if the person who sent the DM is a known user. On the other hand, those users who think that their accounts may be one of those compromised should change their passwords as soon as possible.

The Trend Micro Smart Protection Network™ protects users from this by blocking all related URLs.

Update as of 08:49 P.M. “Users who do give out their mobile phone numbers may end up being billed at least US$10 a month for text messages,” says KOMO News. Though not every online IQ test will charge you, most are just there to scam unwitting users. Keep in mind that if a test asks for your mobile phone number, it is looking for a way to bill your mobile phone account. If the quiz looks like it came from someone in your Twitter account then a hacker must have hijacked other people’s accounts to make you think you are getting a message from someone you know.

Update as of November 13, 10:52 A.M. This attack do not simply harvest the affected users’ numbers but signed up their mobile for an auto-renewing subscription as described in the terms and conditions.

Post from: TrendLabs | Malware Blog - by Trend Micro

Twitter DM Spam Collects Mobile Numbers

The fake Web portal asks users to enter their surname, shareholder reference number, postal code, telephone number, date of birth, and employer. After entering the said information, the page will redirect them to another login page that requires them to enter their account information—first name, middle name, last name, address, city, country, mother’s maiden name, and email address. Only after filling in the information will the users be redirected to a legitimate page of the Capita website.

Phishers will indeed do whatever it takes just to prey on unwitting victims. For this reason alone, users must be careful in giving out their credentials online. The phishing website used in this attack is already being blocked by the Trend Micro Smart Protection Network™.

Post from: TrendLabs | Malware Blog - by Trend Micro

Beware: Never Share Your Capita with Phishers

MS09-067 deals with eight security holes plaguing Microsoft Excel that when successfully exploited can allow remote code execution when users open a specially crafted .XLS file. Users are thus strongly advised to update their systems as soon as possible, as these vulnerabilities (especially those rated “critical”) can be used by cybercriminals to execute worms and drive-by download malware attacks on their systems.

Apart from Microsoft, Adobe also addressed a vulnerability found in Adobe Photoshop Elements 8.0 and 7.0. The said vulnerability can allow cybercriminals to execute commands on the affected system. Though no solution has yet been provided, Adobe issued a workaround that users must apply to avoid infection.

Apple also joined the patch bandwagon as it released its own set of patches to address 58 vulnerabilities affecting Mac OS X. When exploited, some of these security holes can give a malicious user full access to a system. The fixes deal with issues in opening downloaded files and problems with administrator authentication.

Everyone is vulnerable to threats lurking in the Web today. With that in mind, users are encouraged to apply these patches immediately.

Post from: TrendLabs | Malware Blog - by Trend Micro

November Patch Tuesday Addresses 15 Vulnerabilities

• Registering a Facebook account
• Confirming an email address in Gmail to activate the registered Facebook account
• Joining random Facebook groups
• Adding Facebook friends
• Posting messages to Facebook friends’ walls

Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human. The details provided about the account are complete such as a photo, birth date, favorite music, and favorite books, among others. In addition, every account registered is unique in such a way that the details vary for every account registered.

Koobface accomplishes these malicious activities by automating Internet Explorer to perform the task of creating and registering an account. However, it does not proceed and will terminate the process if the affected user is using Internet Explorer 6. Moreover, it employs a check if it has already reached the maximum friend requests set by Facebook or not. Hence, it keeps itself under the radar and does not cause any alarm to Facebook administrators.

This component fetches details from one of the botnet’s available proxy domains.

The messages posted through Facebook’s wall contain a link that leads to the usual fake Facebook or YouTube page hosting the Koobface loader component.

Facebook users are advised to be careful and security conscious. It is probable that the Koobface botnet owns a particular Facebook account. It is a good thing that the Trend Micro Smart Protection Network continues to block malicious URLs spammed by Koobface.

For more tips on using Facebook, users may opt to visit Facebook’s safety and security pages:

• http://www.facebook.com/safety
• http://www.facebook.com/security

Post from: TrendLabs | Malware Blog - by Trend Micro

New Koobface Component Imitates Facebook User

 
Once the users hit the “Login” button, it will redirect them to another fraudulent page where a link to download a suspicious update tool file is provided. Trend Micro detects this as TROJ_ZBOT.CDX.

As of this writing, the phishing URL as well as the malicious file has been blocked and detected already via the Trend Micro Smart Protection Network.

This is a great example showing just how cunning cybercriminals can be just to steal precious information. They even claimed to offer recipients security, which is really ironic. Not everyone though may be as hard to fool as, say, security experts. So how can you tell if your personal information is being phished? Here are some useful tips:

• Check the email’s content. Misspellings and grammatical mistakes are very common in spammed messages.
• Do not click embedded links. If you need to update your login credentials, go to the site’s homepage and log in from there.
• Check the URL in the message body. A legitimate Facebook link will not continue beyond .com as in the two bogus email messages.
• Check the time stamps. Facebook has millions of users worldwide so it really is very unlikely that the site’s administrator will send out email messages to all users within the same day.
• Check the sender’s email address. A legitimate Facebook email sender will have a facebook.com and not a facebookmail.com address.

Don’t be just another victim. Keep in mind that cybercriminals will do just about anything to fool those who let their guards down.

Additional text by Det Caraig

Post from: TrendLabs | Malware Blog - by Trend Micro

Are You Being (Facebook) Phished?

The game, created by Zach Gage, somewhat resembles the format of the popular game Space Invaders, wherein the player is represented by a spacecraft and the goal is to kill the aliens placed all over the screen. Gage’s game, however, has a different twist, which has been causing quite a stir.

The new twist in Lose/Lose is that the aliens in the game—the ones that the player must kill to stay in the game—represent random files in the user’s system. Whenever the user kills an alien, the file the alien represents is deleted. Should the user refuse to kill the aliens, he/she will lose and the game itself will be deleted.

This interesting consequence of the game is clearly stated in Gage’s website where the game can be downloaded.

Gage describes his creation as a means to answer the question: “Why do we assume that because we are given a weapon and awarded for using it, that doing so is right?” Curious intentions or not, however, the game presents high risks and may be very easily abused. A user who may have acquired the file without knowing its effects may end up with a large number of deleted critical files.

The file has thus been classified as a malware and is now detected as OSX_LOSEGAM.A. The game tests the users’ killer instinct: the user is placed in a situation where he/she is handed a weapon and told that his/her survival depends on his/her ability to kill his/her prey. This usage of natural human reactions to trigger certain actions may be a form of research to some but what we see it as is this: a social engineering technique.

Mac users can get protection from this and other threats by using the Trend Micro Smart Surfing for Mac.

Post from: TrendLabs | Malware Blog - by Trend Micro

Lose/Lose: Kill an Alien, Delete a File

A few days after its appearance, reports suggested that the threat had spread. More than 500,000 unique hosts spread across networks in the United States, China, India, the Middle East, Europe, and Latin America fell prey to the threat. Several residential broadband service providers also reported having an even larger number of infected customers.

New Year, New Variant

In January of this year, a few security websites and media outlets reported a wave of detections of another DOWNAD variant.

This variant first sent exploit packets for a Microsoft Server Service Vulnerability to every machine on the network and to several randomly selected targets over the Internet. It then dropped a copy of itself in the Recycler folder of all available removable and network drives and created an obfuscated autorun.inf file on these drives so it can execute every time a user browsed a network folder or removable drive without actually clicking on the file. It then enumerated the available servers on the network and, using this information, gathered a list of user accounts on the machines.

Afterward, it ran a dictionary attack against these accounts using a predefined password list. If it succeeds, it dropped a copy of itself on the systems and used a scheduled task to execute the worm.

Improved Domain Generation Functionality

In March, the most hyped DOWNAD variant reared its ugly head. WORM_DOWNAD.KK’s additional features included an increased number of generated domains, from the 250 generated by earlier variants to 50,000.

While it only attempted to connect to around 500 randomly selected domains at a time, this modification was seen as an effort to increase the botnet’s chances of survival until it was set to unleash its enigmatic payload on April Fools’ Day.

DOWNAD Uses P2P

April 1 came and went. No signs of the DOWNAD worm were seen until a week after. Threat researchers keeping an eye out for new DOWNAD-related activities saw a new file—the newest worm variant—in infected systems’ Windows Temp folder created exactly on April 7, 2009 at 07:41:21. What was odd about this was that no HTTP download took place around that time though a huge encrypted TCP response from a known DOWNAD/Conficker peer-to-peer (P2P) IP node, which was hosted somewhere in Korea, was found.

This variant was set to stop running on May 3, 2009; ran using random file and service names; deleted dropped components afterward; propagated via an exploit to external IP addresses if the system had Internet access or to local IP addresses if it did not; opened port 5114 and served as an HTTP server by broadcasting via an SSDP request; and connected to sites such as MySpace, MSN, and eBay.

Infection Peaks

In a span of just four months (November 2008–February 2009), the DOWNAD infection count peaked, from initially infecting around 500,000 PCs to 9 million PCs. It certainly wreaked a lot of damage, taking advantage of exploits to spread malicious code as a social engineering ploy. DOWNAD was used to create a botnet that can be utilized for the usual range of threats that lurk in the Web—spamming, distributed denial of service (DDoS) attacks, and spreading FAKEAV. According to Trend Micro Advanced Threats Researcher Ryan Flores, “DOWNAD/Conficker opened the IT security industry’s eyes by exposing several truths and areas that IT professionals commonly overlook.”

Updated Patches Still Key

It has been a year since DOWNAD/Conficker first infected PCs. If we have learned anything from this experience, it should be that most worms spread by exploiting network-based vulnerabilities. That is why it is very important to secure connected devices, and keep them up-to-date with the latest patches.

Of course, this would be hard to do if you use pirated software. So using legitimate software copies is also key to keeping data and even your identity secure, especially in today’s worsening threat landscape.

Post from: TrendLabs | Malware Blog - by Trend Micro

DOWNAD/Conficker Turns 1yr

Apart from dropping malicious files on infected machines, Elite Loader also allows malicious users to upload additional software to targeted systems to steal passwords or deploy spam or distributed denial of service (DDoS) modules that other cybercriminals can use.

The bot’s size is only 8kb, making the dropping process relatively hidden. The bot works perfectly well on the Microsoft XP Service Packs 1, 2, and 3 and Vista OSs and supports multiple job instances.

The malware distribution business seems to have gone public. Elite Loader, for instance, was published by well-known Lonely Wolf—one of the moderators of the underground forum, DaMaGeLaB—with detailed instructions in the archive and even dedicated thread posts. This will make it easy even for script kiddies to create their own malicious code.

Trend Micro detects the variants of the Elite Loader dropper as part of the DLOADER family of Trojans so product users need not worry about being infected. Trend Micro Smart Protection Network™ blocks the download of all malicious files and access to malicious URLs related to this bot.

Non-Trend Micro product users who think their systems may have already been infected can clean their PCs using RUBotted.

Post from: TrendLabs | Malware Blog - by Trend Micro

Elite Loader Goes Public

Our analysis then observed BREDOLAB’s connections to two notorious malware families, FAKEAV and ZBOT/ZeuS. The samples always include the aforementioned malware in its download repertoire. Adding BREDOLAB to their long lists of carriers, these malware families mostly focused on information and financial theft.

BREDOLAB also exhibited certain similarities with another well-known botnet, PUSHDO in terms of downloading routine. This led our threat researchers to believe that the cybercriminals behind PUSHDO and BREDOLAB are the same.

Trend Micro’s Senior Threat Researcher David Sancho has written an in-depth analysis on this new threat. Read it here: You Scratch My Back…BREDOLAB’s Sudden Rise in Prominence.

Post from: TrendLabs | Malware Blog - by Trend Micro

BREDOLAB Revealed!