At first glance, the ads may seem like the typical Web browser nuisance. However, random ads were proven to be vectors for downloading malware onto users’ systems. In one instance, an ad pointed to a URL containing exploits that download and execute several files on affected systems. The downloaded files include a malicious Java file (detected by Trend Micro as JS_BYTEVER.BG) and .PDF files (detected as TROJ_PIDIEF.GBA and TROJ_PIDIEF.GBB), among others.

According to advanced threats researcher Jonell Baltazar, these .PDF files exploit known vulnerabilities found in Adobe Reader (Collab.collectEmailInfo, Collab.getIcon, and util.printf) to download a file if the user’s application remains unpatched. Furthermore, Baltazar explains, the malicious .PDF files use getPageNumWords() and getPageNthWords() Adobe JavaScript application programming interfaces (APIs). The files also used the app.info.Author field of the .PDF document to store the encoded payload URL, which enables them to defeat automated PDF and JavaScript analysis tools.

As discussed in the 2010 Threat Predictions by Trend Micro CTO Raimund Genes, drive-by infections are the norm and one Web visit is enough to get infected. Users are thus advised to disable JavaScript on their Web browsers and to practice vigilance, verify URLs, and update browsers to avoid being redirected to malicious URLs.

Trend Micro™ Smart Protection Network™ protects product users from this threat by detecting and preventing the execution of the malicious files via the file reputation service. It also protects customers by blocking user access to malicious websites.

Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which prevents user access to potential malicious websites.

Update as of March 17, 2010, 4:23 P.M. (GMT +8):

Senior threat response engineer Vincent Cabuag adds that this relatively new encryption technique renders standard analysis tools useless in detecting the malicious script inside the .PDF file. The malicious script is obfuscated in a way that it requires the usage of certain APIs to be decrypted. Thus, it would require manual analysis to be able to emulate the embedded script.

Update as of March 18, 2010,7:54 P.M. (GMT +8):

According to further research by Baltazar, the attack used the “Liberty Exploit Kit”, which exploits known vulnerabilities found in IE (like MS06-014 (MDAC) and MS DirectShow). The exploit kit also includes exploits targeting Flash 9 (this is the most probable vector for malicious ads) and the mentioned PDF exploits.

Thus, no user-click is needed for the attack to be successful. Users must keep their Flash, Adobe Reader, and IE browser updated with latest available security patches in order to be protected from this attack.

Post from: TrendLabs | Malware Blog - by Trend Micro

Malicious Ads Lead to PDF Exploits

The text before the links are in French and tells users to click the link that follows. Some of these links made users believe that they were viewing a photo related to an accident that supposedly killed U.S. President Barack Obama. Others used domain names similar to legitimate sites like Facebook and YouTube.

In reality, however, the links lead to malicious BUZUS variants detected by Trend Micro as TROJ_BUZUS.BTA and TROJ_BUZUS.BTB.

Malware attacks using Barack Obama as social-engineering bait date back to his 2008 campaign for the U.S. presidency. Previous attacks were seen both around his election (both for pharmaceutical spam and spreading malware) as well as around his inauguration.

Trend Micro™ Smart Protection Network™ protects customers from this threat by blocking user access to the malicious websites that host the malicious files. It also detects and prevents the download of TROJ_BUZUS.BTA and TROJ_BUZUS.BTB via the file reputation service.

Post from: TrendLabs | Malware Blog - by Trend Micro

“Obama Accident” Instant Messages Used to Spread Malware

Clicking these links led to another FAKEAV variant detected as TROJ_FAKEAV.PAQ.

Users should always be wary of clicking unknown links in search results. This is particularly true if they are searching for items of dubious legality, as is the case here.

Trend Micro™ Smart Protection Network™ protects customers from this threat by blocking user access to the malicious websites that host the malicious FAKEAV files. It also detects and prevents the download of TROJ_FAKEAV.PAQ via the file reputation service.

Post from: TrendLabs | Malware Blog - by Trend Micro

Pacquiao-Clottey Live Streams Lead to FAKEAV

Using blackhat search engine optimization (SEO) techniques, a simple Google search for news on Corey Haim’s funeral gives out malicious links in the top search results, which redirect users to sites that eventually lead to the download of a FAKEAV.

A fake scan page convinces users that their computers were affected by several harmful files and that they should download and install the fake antivirus application.

Trend Micro detects the downloaded file as TROJ_FAKEAV.DBB. After installation, the program loads a scan page with fake scan results and offers to remove the harmful files from the users’ machines.

There is, of course, a slight catch since the product requires activation. We advise users to be wary of such tactics since they may unwillingly divulge sensitive information. In this case, the attackers ask for credit card information.

Trend Micro™ Smart Protection Network™ protects customers from this threat by blocking user access to the malicious websites that host the malicious FAKEAV file. It also detects and prevents the download of TROJ_FAKEAV.DBB via the file reputation service.

Post from: TrendLabs | Malware Blog - by Trend Micro

Search for News on Corey Haim’s Death Leads to FAKEAV

As part of its regular Patch Tuesday schedule, Microsoft released two security fixes to address vulnerabilities found in certain versions of Windows Movie Maker and Office Excel. This is the first time in almost two years that Microsoft did not include any critical patch in its release.

Both vulnerabilities allow remote code execution when a user opens a specially crafted Movie Maker or Microsoft Producer project file and a specially crafted Excel file. More information on the security advisories can be found in this Trend Micro Security Advisory page.

While this may be good news, this was somewhat balanced out by the discovery of a new zero-day exploit found in Internet Explorer (IE). This exploit is the second found in the last 60 days. The previous one was discovered in January. This exploit takes advantage of an invalid pointer reference vulnerability to execute arbitrary code. Only IE 6 and 7 are vulnerable. Users of IE 8 are safe from this threat.

The exploit code is now available publicly and some related attacks are being tracked.

But Microsoft is not alone in being hit by vulnerabilities this week.

Alternate browser, Opera, was also found to have a flaw in the way it handles the Content-Length HTTP header. At the very least, this can cause the browser to crash.

Server applications also came under fire. The popular spam blocker, SpamAssassin, was also found to have a security flaw. This flaw can allow code contained in a specially crafted email that was processed by the application to be executed with administrative privileges on an email server. However, as the specially crafted email would have an invalid recipient, it is unclear if properly configured servers are also vulnerable.

Patching vulnerable applications sounds like a solution but that may not be ideal, particularly for enterprise users. Restarting servers is often not as simple for them as it is for home users. In addition, some individuals who discover vulnerabilities believe, wrongly or not, that software vendors take a long time to issue patches as well as downplay the severity of any known flaw. Because of this, some prefer to reveal the flaws publicly to force vendors to release patches as soon as possible.

Trend Micro advises users to keep their security programs up to date and to immediately apply patches once they are released by their vendors. Users can download this month’s Microsoft patches from the official Microsoft Security Bulletin page or run Windows Update to automatically download and apply the patches.

For business users, Trend Micro Deep Security™ and Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in can be shielded from vulnerabilities, often even before vendor patches are available.

Post from: TrendLabs | Malware Blog - by Trend Micro

Multiple Vendors Affected by New Vulnerabilities

The Energizer DUO is a charger for two AA or AAA batteries that can be plugged into USB ports. While no software is needed to use the charger, Energizer did provide an application that would display the charge level of the batteries inserted into the charger.

However, the said application goes far beyond that. It also includes a backdoor detected by Trend Micro as BKDR_ARUGIZER.A. This particular backdoor opens port 7777 to incoming connections, allowing it to receive various commands from remote users. Among the possible commands are to:

• Download and execute files
• Delete files on affected systems
• Upload files from affected systems to a server

While this backdoor does have routines that could cause significant problems, it is not yet clear if these were actually used. Energizer already released an official statement on the issue, announcing the discontinued sale of the charger in question. It is likewise currently working with the US-CERT and U.S. government officials to understand how the code was inserted into the software.

Trend Micro™ Smart Protection Network™ already protects product users from these threats by detecting and preventing the file’s execution on affected systems via the file reputation service.

Non-Trend Micro product users, on the other hand, can use free tools like Housecall, which identifies and removes various viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems.

Post from: TrendLabs | Malware Blog - by Trend Micro

USB Battery Chargers with Malware?

ZeuS: A Persistent Criminal Enterprise

ZeuS has been entrenched in the cybercriminal business for a long time now and has continuously evolved and improved. Given the vast number of toolkit versions readily available in the underground, the features ZeuS possesses to thwart both antivirus and other security solutions, as well as efforts by the security industry, ZeuS will continue to be used by cybercriminals to steal personal information and even people’s identities.

The paper provides an extensive view of the ZeuS botnet. From a thorough discussion of its usual routine up to the possible criminal organizations involved, the research is a must read for users who want to get the rundown on this persistent online threat.

For more information on the above-mentioned subject and other previously released white/research papers, you may download the reports from this page.

Post from: TrendLabs | Malware Blog - by Trend Micro

What’s the Juice on ZeuS?

A newly discovered vulnerability in Internet Explorer (IE) leverages the ability of a Visual Basic script to invoke a .HLP (Windows Help file format) file, which could give a remote attacker the ability to run arbitrary code on an affected system.

Visual Basic uses the following syntax to call the MsgBox function, which is used to display message boxes:

MsgBox(prompt[,buttons][,title][,helpfile,context])

However, if a specially crafted .HLP file passes as a variable, remote users would be able to run arbitrary code on an affected system. To trigger the vulnerability, some user interaction is needed, as he/she has to be directed to the page hosting the exploit and to press F1 when the message box appears.

The exploit does not affect all versions of Windows. Systems running Windows 2000, Windows XP, and Windows Server 2003 are vulnerable. Those that run Vista, Server 2008, Server 2008 R2, and Windows 7 are not.

Microsoft is already aware of the issue and has issued the following statement:

Our teams are working to address the issue and once we complete our investigation, we will take appropriate action to protect customers. This may include releasing an update out of band. We will provide further updates as they become available.

In addition, it also released a security advisory that details several workarounds for the said vulnerability. For users, the most important advice is simple—do not press the F1 key when prompted by a website.

Until the official patch is released, however, Trend Micro Deep Security™ can help shield users from this vulnerability and Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with the IDF10-009 release and rule number IDF1004019.

Post from: TrendLabs | Malware Blog - by Trend Micro

Calling Windows Help May Lead to Vulnerability

It is interesting to note that its final payload is the download of a malicious binary file that happens to be a ZBOT/ZeuS variant detected as TROJ_ZBOT.BYZ. This acts as a combination of the two most
prevalent threats today— ZBOT and PDF exploits. From phishing emails to social-networking sites, the widespread ZeuS Trojan has now been making its rounds across various attack vectors to get into users’ systems.

ZeuS has been around since 2007 and even if most antivirus companies have caught on with its stealth and polymorphic routines, this malware still shows no signs of slowing down.

Learn more about ZBOT/ZeuS by reading more about the various tactics it uses in the following blog entries:

• Keeping an Eye on EYEBOT and a Possible Bot War
• New ZBOT/Zeus Binary Comes with a Hidden Message
• ZBOT Variant Spoofs the NIC to Spam Other Government Agencies
• Phishing in the Guise of Enhancing Security
• ZBOT Targets Facebook Again

Trend Micro protects users from this attack via the Smart Protection Network™, which blocks user access to all malicious URLs via the Web reputation service and detects all related malware via the file reputation service. Not a Trend Micro user? We also offer free system checks with HouseCall, which identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems. You may also use RUBotted to find out if your machine is already part of a botnet.

Post from: TrendLabs | Malware Blog - by Trend Micro

ZeuS and PDF Exploits: Two Baddies Team Up

The two samples above TrendLabs obtained were sent to domains that belonged to Trend Micro. The file attachment does not contain any mailbox settings but instead a malicious file detected as TROJ_FAKEAV.EAO.

This spam run is similar to a run that TrendLabs earlier reported wherein Trend Micro Advanced Threats Researcher, Joey Costoya, said the subdomains may have been tailor-made, depending on the recipients’ email addresses. That spam run was actually part of a phishing attempt that targeted employees of various companies, including Trend Micro.

The Trend Micro™ Smart Protection Network™ protects product users from this attack by preventing the spammed messages from reaching users’ inboxes via the Web reputation service and by detecting and removing the malicious file via the file reputation service.

Non-Trend Micro product users can also stay protected by using eMail ID, which prevents fake messages from reaching their inboxes. It also helps users quickly find legitimate messages.

Post from: TrendLabs | Malware Blog - by Trend Micro

Spammers Target Antivirus Companies

According to Senior Threat Analyst, Joseph Pacamarra, visiting the malicious links leads to the download of several files detected as TROJ_FAKEAV.JSA and TROJ_FAKEAV.STL. First, an online scan window is displayed.

After the online scan window, the fake antivirus program called Security Tool loads and presents the user with fake scan results.

Finally, the user is asked to activate the product, which actually costs him/her money.

These FAKEAV tactics are already well-tested and have been discussed before both here in the Malware Blog and elsewhere.

Trend Micro™ Smart Protection Network™ protects customers from this and similar threats by blocking user access to all related malicious sites via the Web reputation service. It also detects and prevents the download of malicious files such as TROJ_FAKEAV.JSA and TROJ_FAKEAV.STL via the file reputation service.

Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which prevents user access to potential malicious websites.

Post from: TrendLabs | Malware Blog - by Trend Micro

Chile Earthquake Used for Blackhat SEO and FAKEAV

The threat arrives as a Facebook private message that does not bear a subject but contains a supposed link to a YouTube video. Taking a closer look at the link, however, indicates that it is not an authentic YouTube link as in previous attacks.

Users who are tricked into clicking the link are redirected to other pages until they finally end up at a spoofed YouTube site called YuoTube.

Similar to previously featured KOOBFACE-related attacks, users were asked to install a rouge software to play the said video, an Adobe Flash Player file, which in reality, is a worm detected by Trend Micro as WORM_KOOBFACE.IT.

WORM_KOOBFACE.IT is notable for several reasons:

• It connects to specific malicious sites to receive commands and executes these on affected systems.
• It connects to malicioius sites and downloads other malware, namely, TROJ_AGENTT.EA and WORM_KOOBFCE.SMM.
• It searches for social-networking-related cookies and connects to these using saved login sessions. It then navigates through users’ pages to search for their friends. Once found, it sends an HTTP POST request to a remote server, which then replies with data containing the actual message that the worm will then spread.

Users are advised to think twice before clicking embedded links in messages. Double-checking the legitimacy of URLs also help. For more information on how to stay safe in social-networking sites, please refer to Trend Micro’s Security Guide to Social Networks.

Trend Micro™ Smart Protection Network™ protects product users by blocking access to malicious sites via the Web reputation service. It also detects and deletes malicious files such as WORM_KOOBFACE.IT, TROJ_AGENTT.EA, and WORM_KOOBFACE.SMM via the file reputation service.

Non-Trend Micro product users can also stay safe from similar threats by using free tools such as Web Protection Add-On, which blocks access attempts to potentially malicious websites in real-time.

Post from: TrendLabs | Malware Blog - by Trend Micro

KOOBFACE Makes a Comeback

Cybercriminals are now using a new tool known as “Super Phisher” (detected by Trend Micro as HKTL_SUPERPHISER) has been released, which creates a phishing page from a legitimate website.

The tool creates all the files necessary for the phishing page such as an .HTML file that contains the actual page, and a .PHP file, which steals information and saves the stolen data to a .TXT file. In the screenshot below, note how the HTML page’s code refers to the local .PHP file and not the legitimate site (in this case, Yahoo!).

A would-be phisher then takes all the files and uploads these to a website under his/her control. This site could be a malicious, compromised, or even a free Web host that the phisher is abusing. It is then up to the phisher to lure users to the site he/she created.

While this tool allows cybercriminals to create phishing pages with greater ease and less time, thus producing more timely attacks, as needed, users can still take steps to protect themselves.

While the pages created by this phishing tool look identical to the legitimate site, it does not contain any code that obfuscates or manipulates the URL as seen in the user’s browser. While the phishing pages appear to be completely legitimate, the URLs they are hosted in do not.

To guard against threats like these, users must always be careful about the sites they enter personal information into. They must check that the site not only look legitimate but is also located in a legitimate URL. While cybercriminals may attempt to register domains with similar appearances, careful users should still be able between authentic and possibly malicious sites.

Trend Micro™ Smart Protection Network™ detects malware such as HKTL_SUPERPHISER using the file reputation service and protects users from accessing malicious sites via the Web reputation service.

Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which is designed to block access to possible malicious websites in real-time.

Post from: TrendLabs | Malware Blog - by Trend Micro

Phishing Made “Super”

The flaw was found in Adobe Download Manager (DLM), an application Adobe uses to deliver common applications (e.g., Flash and Reader) to users’ systems. Normally, it cannot be used to download non-Adobe files onto users’ systems. However, according to Raff, a vulnerability in DLM that allows third parties to download and install files onto users’ systems, in effect, making it vulnerable for use as a malware downloader.

Raff has not released specific details about this vulnerability and has indicated that he would not do so until the problem has been resolved by Adobe. On Tuesday, Adobe released a new security bulletin indicating that they have resolved this issue. Users who used Adobe DLM to download either Flash or Acrobat from February 23, 2010 onwards are safe; everyone else is advised to removed the Adobe Download Manager entry in the Add/Remove Programs applet in the Windows Control Panel.

This is not the first time DLM has proven vulnerable to malicious attacks. In fact, in January of this year, a remote code execution vulnerability in the application was among those Adobe patched.

This was on top of a bug that Raff also discovered earlier, which allowed DLM to be triggered to download Adobe or Adobe-approved applications by going to a specific URL on the company’s site. In a situation where an unpatched vulnerability in an Adobe product was thus present, this bug could allow cybercriminals to install vulnerable applications onto users’ systems, which they could then exploit to execute malware.

Security Has a Price—Problems with Security Updates

Trend Micro researcher, Rajiv Motwani, notes that the combined impact of fixing these and other similar holes in a relatively short period of time are becoming problematic for users, particularly enterprises. In theory, Adobe is supposed to release quarterly security updates for its products but regular discoveries of new flaws have significantly been undermining its plan.

Though unscheduled patches pose problems for home users and small businesses, large enterprises face greater risks. System administrators traditionally loath to use automatic updates on enterprise systems, as this may cause disruptions to important business operations.

The burden of updating systems will then fall either on users or administrators—neither of whom think this is an appealing proposition. It is also likely that systems will not be updated, leaving them wide open to exploits. A Trusteer study found that this was exactly the case for Adobe products, revealing that only 7 percent of the total number of product users had updated versions of Acrobat applications while only 19 percent had updated Flash versions.

These concerns are always present for applications. However, for Adobe products like Flash and Acrobat, the risks are greater due to the vendor’s success. The same Trusteer study found that more than 90 percent of the total number of users run some version of Flash while 99 percent run Acrobat or Reader applications.

As Motwani notes, these two factors—Adobe’s high market penetration and users’ failure to regularly patch their systems—not only raises the number of systems that can potentially be affected. It also means that organizations face the added burden of testing each patch for stability and/or performance issues and of rolling it out in a phased manner.

Solutions and Best Practices

Consumers and small businesses will benefit most by applying any Adobe patch as soon as it is released. Both Flash and Acrobat products now include standard auto-update features that can be scheduled to check for updates on a regular basis.

OfficeScan enterprise users with the Intrusion Detection Firewall (IDF) plug-in helps protect against threats of this nature, thus providing protection until system administrators deem it acceptable to roll out relevant patches.

Post from: TrendLabs | Malware Blog - by Trend Micro

New Adobe Download Manager Bug

After a second or two, users will again be redirected to the following malicious adult site.

At present, TrendLabs engineers have identified 29 unique domains related to this phishing attack. Note, however, that the cybercriminals behind this attack used more than 1,000 URLs and spammed messages.

The Bank of Nevada, in its home page, has also stated its knowledge of this phishing attack (see Figure 5) and has issued its own statement on its site to protect its online banking customers (see Figure 6).

Trend Micro™ Smart Protection Network™ protects product users from this attack by preventing the spammed messages from reaching users’ inboxes via the email reputation service and by blocking access to malicious sites and domains via the Web reputation service.

Non-Trend Micro product users can also stay protected by using eMail ID by avoiding fake messages from reaching their inboxes. It also helps users quickly find legitimate messages quickly.

Post from: TrendLabs | Malware Blog - by Trend Micro

Phishers Hit the Bank of Nevada