In order to infect users, email disguised as a shipment notification from Fedex were mass-mailed to target victims.

This email contains a downloader Trojan which installs TSPY_SPCESEND.A.” This downloader also installs other malicious executables on affected systems including FAKEAV variants from the BestAV affiliate network and FakeHDD variants from the Yamba network. These were observed to be downloaded from compromised, legitimate websites.

Furthermore, this downloader Trojan also shares the same C&C with the TSPY_SPCESEND.A. This strongly suggests that the document-stealing sendspace Trojan is pushed by cybercriminals who are also involved in the Pay-Per-Sell (PPS) underground business.

Command and Control Server

After the malware uploads a .ZIP archive containing the victim’s documents to sendspace, it sends the sendspace download link along with a unique ID, the password for the .ZIP archive and the victim’s IP address to the command and control (C&C) server.

As of this writing, we have seen at least three C&C servers used by the malware: {BLOCKED}28889.ru, {BLOCKED}8483825.ru, and {BLOCKED}372721.ru . These three domains point to the IP addresses 31.184.237.143 and 31.184.237.142. These IPs, along with a number of IPs in the same range, have records of hosting malicious files since July 2011. These malicious files included variants of bots such as BFBot (Palevo), NgrBot, and IRCBot.

Digging deeper into the directory structure of the C&C server shows an “open directory” that contains a log file that records this information.

There are two logs files that contain the same data: log.txt and serialse.txt. The only difference is that serialse.txt is formatted for automated, programmatic parsing (it appears to be in JSON format). The contents of the log file contain the following information about the victims and the uploaded data:

We processed the log file and found that there have been 18,644 unique victims (based on a victim ID assigned by the malware) with 21,929 unique IP addresses (spanning over 150 countries) and 19,695 unique sendspace URLs generated.

Some of the victims have been identified by looking up the IP addresses in the WhoIs databases of the Regional Internet Registries. While the majority consists of IP addresses in the ranges of ISPs (i.e. the subscribers of residential and commercial ISP services) we were able to identify several government, academic and corporate networks.

Trend Micro and Sendspace Efforts

We contacted sendspace upon discovering the attack. We assisted them by sharing our findings in order for them to deploy proper mitigation measures.

At the time the attack was reported, sendspace discovered and removed more than 75,000 uploaded malicious archives from their server. Based on the upload logs, the first archive was uploaded on December 25, 2011, which may indicate the start of the malicious campaign.

As a result of our collaboration with sendspace, they are currently monitoring their servers through an automated job that blocks archives uploaded by the sendspace Trojan every few minutes. This effectively removes innocent users’ stolen documents from their server, therefore preventing the perpetrators behind this attack from retrieving stolen data.

Trend Micro is pleased to assist sendspace in mitigating this abuse to their service. Nevertheless, this is probably not the last time similar attacks will take place. As always, Trend Micro is willing to assist in any effort that will make the Internet a safer place for everyone.

Hat tip to Senior Threat Researcher Nart Villeneuve for additional research. 

Post from: TrendLabs | Malware Blog - by Trend Micro

Trojan Abuses Sendspace: A Closer Look

Sendspace was recently used for dropping stolen data but wasn’t done automatically by malware. As reported late last year, hackers used Sendspace for rounding up and uploading stolen data.

However, this is the first time we’re seeing malware being used to upload stolen data to the file hosting and transfer site.

In this attack, the infection starts off with a malicious file, Fedex_Invoice.exe, detected as TROJ_DOFOIL.GE. The file name used for this particular malware suggests that it is being used for a spam campaign, specifically one that uses messages disguised as a FedEx shipment notification. We are currently trying to find a sample of the mentioned spammed message.

Once executed, TROJ_DOFOIL.GE downloads and executes  TSPY_SPCESEND.A.

TSPY_SPCESEND.A is a “grab and go” Trojan that searches the local drive of an affected system for MS Word and Excel files. The collected documents are then archived and password-protected using a random-generated password in the user’s temporary folder. Here’s an example of an archive of collected documents:

Malware utilizing free online services are definitely not unheard of. Utilizing a public file hosting site is yet another clever way for cybercriminals to store stolen data as they do not need to set up a server that will store large amount of data.

Trend Micro Solutions Evangelist Ivan Macalintal shared that this technique of posting stolen/exfiltrated data to ‘extended networks’ or external file storage infrastructures can fast become a trend with the criminals. “We’ve seen dropsites/dropzones for stolen/exfiltrated data that are hosted also within domains owned by the cybercriminals. Now, we’re seeing legitimate ‘clouds’ being used by criminals where they can drop and pickup their loot,” he explained.

In addition, this highlights a serious concern for the security industry and users alike. Document theft and exfiltration are now not only seen in targeted attacks, but in mass campaigns as well.

Trend Micro Smart Protection Network™  protects users from this threat by blocking the malicious files, and the C&C URL. We will update this entry once we’ve gained more information about the related spammed messages.

Post from: TrendLabs | Malware Blog - by Trend Micro

Malware Uses Sendspace to Store Stolen Documents

We’ve recently spotted samples of spammed messages posing as a notice from Fidelity Investments, a well-known American financial institution.

The email, which is in a newsletter-format, contains the subject “Your statement is ready for your review“. It informs recipients that his/her tax statement is attached and ready for review.

Users should watch out for such spam campaigns, specially with the tax season already ongoing. We saw attacks similar this one during the tax season last year, so it’s almost a given we’ll see more of it again this time around.

Spam emails such as those shown above are already blocked through the Trend Micro Smart Protection Network.

Post from: TrendLabs | Malware Blog - by Trend Micro

Tax Season Opens, Tax Spam Follows

As we prepare for the year ahead, let us take a look at some of the Trend Micro 2011 predictions that came true and how we contributed to the security industry’s wins against the continuing war against cybercrime.

 

Though we didn’t foresee hacktivism coming to the fore in 2011, we witnessed a slew of mass compromises result from AntiSec and LulzSec attacks against various entities. Armed with politically charged agendas and disgruntled with varying issues, hacktivist groups continued to fling attacks at users.

2011, however, wasn’t all bad, as we also garnered some wins in our never-ending battle against cybercrime. In close collaboration with our industry partners and law enforcement authorities, Trend Micro was at the forefront in what has been dubbed the “Biggest Cybercriminal Ring Takedown”—Operation Ghost Click—to date. As individuals and organizations alike embark on the cloud journey, we at Trend Micro, along with our fellow cybercrimefighters in law enforcement and the security industry, will continue to serve our customers by providing data protection from, in, and for the cloud.

For more details on what 2011 was like, take a look at the 2011 security roundup report, A Look Back at 2011: Information Is Currency.

Post from: TrendLabs | Malware Blog - by Trend Micro

2011: The Year of Data Breaches

Unfortunately, closer inspection of the shortened link reveals a URL that doesn’t seem to have anything to do with McDonald’s gift certificates.

Instead, the link leads to the following site:

Clicking the “Join Now” button leads to some redirections that finally lands the page to an adult dating site.

We consider the URLs used in this attack as malicious because of the deceitful nature by which they are used. The lure “#mcdonald’s gift card” would have definitely led several users to believe that some gift certificates or vouchers are being given away or discounted.

A couple of weeks ago of weeks ago in the US, attention was drawn to a Mystery Santa who donated $500 worth of gift cards from McDonald’s to a nearby homeless shelter. Whether or not cybercriminals got a social engineering idea from this cannot be confirmed, but in all cases users are advised against clicking on links without first inspecting them. In this case, hovering on the link would have given users a clue about how to proceed. Another context clue in the illegitimacy of this spam is how users may find themselves being mentioned in the same tweet with unfamiliar users or users that they do not normally follow. This is due to how the spam bot mentions Twitter accounts that have been victimized in the same spammed tweet.

This is also not the first time that McDonald’s was used as a social engineering lure. Here are just some of the incidents we’ve seen in the past:

• Getting a Taste of McDonald’s Phish Fillet
• Bogus McDonald’s, Coca-Cola Promos Used as Worm Carriers
• No Such Thing as Free Lunch, and Free Supper Will Cost You

Trend Micro™ Smart Protection Network™ protects against Twitter spam by preventing you from accessing malicious sites. Read the Web Attack Entry “Spam, Scams and Other Social Media Threats” for more tips on staying safe online.

Post from: TrendLabs | Malware Blog - by Trend Micro

McDonald’s Gift Card Spam on Twitter

Once users click the Like button, the page redirects them to a URL which allows victims to download and install a malicious plugin named Free Cheesecake Factory Coupons.

What the plugin does is that it floods affected users’ walls with the catchy status, Get Christmas Theme for FB on – – >>0< < – – free Christmas Theme for all FB users!!. Just Install this amazing new fb Christmas new look and change your profile looks show it to your friends…… [Name of tagged friends]

Users need to be extra vigilant this holiday season, since cybercriminals are surely to continue launching attacks that use the holiday season as a lure. For more information on how to keep themselves protected, we recommend users to check the following reports:

• Season’s Warnings: iPhone 4S Scam and Other Holiday Threats
• Beware of Holiday-Themed Multi-component Online Threats
• Season’s Warnings

As for the attack explained above, users are already protected through file detection and URL blocking done by the Trend Micro Smart Protection Network.

Post from: TrendLabs | Malware Blog - by Trend Micro

Christmas Theme for Facebook Profile Leads to Malspam

The attack involves domains that display replicated eBay posts for iPhone 4S units. The screenshots below show a sample of the fake page, and the original eBay post from which the content was copied.

There are some differences between the two pages. For example, the real post uses US dollar as its currency, while the fake post uses Euro. The price in the fake one is also dramatically cheaper. You’ll also notice that the post the cybercriminals chose to replicate is one by a seller with a good reputation, to gain the trust of potential victims.

The fake eBay pages are hosted on domains that are followed by /www.ebay.ie/ in order to trick users into thinking that it is the real eBay domain. All the links in the fake page will lead to the legitimate one, except for the “Buy It Now“. Clicking “Buy It Now” leads to a fake login page that asks users to enter personal information.

After filling out the form, users are directed to a page that says they must contact the seller via email in order to proceed with the transaction.

We’re pretty sure that this is not how transactions go when buying something over eBay. This is most likely a scam that aims to steal money and personal information from its victims. The iPhone 4S is one of the top smartphones in this year’s holiday sales, and clearly the cybercriminals taking advantage of its demand.

This iPhone 4S scam is just one of the many attacks that people might encounter this season. Cybercriminals often leverage holiday activities—such as sending holiday greetings, shopping online, and looking for deals and promos—to launch attacks targeting unsuspecting users.

Well-wishers might wish to send out holiday cheer and love through e-cards or social networking sites. However, some e-cards instead send out malware. Worse still, these email greetings may be used to steal information. Social networking sites, on the other hand, are home to survey scams that wind up charging victims for premium services.

Online shopping is a big convenience for shoppers who want to avoid the crowds. However, cybercriminals often leverage in-demand items, such as the iPhone 4S, to create scams like this one. And since it is the season for shopping, people are also most likely to take advantage of promotions and deals. Cybercriminals respond by churning out fake promos and deals, all to steal information and to spread malware.

For more information on these holiday-related threats, and on ways to how to keep yourself safe, please check our e-book, Season’s Warnings, and our entry Beware of Holiday-Themed Multi-component Online Threats. For more information on online shopping, please read our entry, Online Shopping Made Easy.

Additional text by Abigail Pichel

Post from: TrendLabs | Malware Blog - by Trend Micro

Season’s Warnings: iPhone 4S Scam and Other Holiday Threats

Cybercriminals, on the other hand, only had one reaction to the incident—to take advantage of it.

Our researchers found spammed messages with email subjects mentioning the death of Kim Jong Il. The messages arrive with a .PDF attachment that has the file name brief_introduction_of_kim-jong-il.pdf.pdf. The said file is of course malicious and is detected as TROJ_PIDIEF.EGQ.

As part of its routines, TROJ_PIDIEF.EGQ opens a non-malicious PDF file to trick the user into thinking that it is a normal file. The .PDF contains a picture of Kim Jong Il.

Aside from this particular spam attack, we’ve also encountered malicious documents which bear file names mentioning the late Korean leader. One of the files we saw has the file name Kim_Jong_il___s_death_affects_N._Korea___s_nuclear_programs.doc and is now detected as TROJ_ARTIEF.AEB. This file, when opened, drops another file into the system, one detected as BKDR_PCCLIEN.BQD. BKDR_PCCLIEN.BQD connects to its C&C server through port 8000.

Here at TrendLabs, the death of a globally known person has become an automatic trigger for us to look for attacks trying to taking advantage of it. Hence, we are always on the lookout to protect our customers who are trying to look for more information. Such events generate global interest in a very short amount of time, so they make very good social engineering lures.

Under such circumstances, everyone is advised to stick with trusted sources when trying to get more information about noteworthy events. Trend Micro users are already protected from the abovementioned attacks through the Trend Micro™ Smart Protection Network™, as both the spammed messages and the malicious files are already blocked and detected respectively.

Other political figures whose deaths were also used by cybercriminals as lure include:

• Osama bin Laden
• Moammar Gadhafi
• Benazir Bhutto

Update as of December 20, 2011, 11:04 PM:

Further analysis by Threat Response Engineer Erika Mendoza revealed that TROJ_PIDIEF.EGQ drops a malicious file detected as BKDR_FYNLOS.A. The said backdoor connects to its C&C server to receive and execute commands such as downloading,uploading, and executing of files, terminating processes, and performing shell commands.

TROJ_PIDIEF.EGQ also exploits the following vulnerabilities affecting Adobe Reader and Acrobat:

• CVE-2010-2883
• CVE 2011-0611

Users are advised to patch their systems accordingly to prevent being victimized by the mentioned attacks.

Post from: TrendLabs | Malware Blog - by Trend Micro

Kim Jong Il Malicious Spam Found

Mobile computing is also starting to play a bigger role in terms of online shopping, as 43% of all Web-enabled smartphone owners said they use their mobile devices to help them shop. This percentage will likely increase in the coming years, or even as soon as the next couple of months considering the upcoming holiday season.

As online shopping becomes widely preferred as a primary method for purchasing items, online shoppers will also become preferred cybercriminal attack targets. Cybercriminals are continuously launching attacks, any or all of the following shopper information: credit card credentials, online banking personal identification numbers, and other personal data. The attack types seen include:

• blackhat SEO attacks – search results for hot items such as gadgets and others can be poisoned to lead users to malicious sites
• scams – coming off as online promos, scams trick users into becoming victims of their malicious schemes that can lead to information and financial theft. A good example of this is a spam run we recently saw leveraging Black Friday.
• session hijacking – users who do their shopping while connected to unsecure networks put themselves at risk of this attack, which involves sniffing through networks for certain kinds of information such as account credentials, and using the said information to impersonate the users and execute actions

Shoppers need not be helpless against these attacks, however, as they can implement security measures and can use solutions that help them avoid being victimized. In our guide, “Online Shopping Safety Made Easy,” and infographic, “Online Shopping Tips,” we discuss things online shoppers need to know in order to protect themselves from online shopping-related attacks.

 

As we get closer to Christmas, instances of the above-mentioned threats increase in number, thus users need to keep themselves protected. For more information on threats leveraging the holidays, and for ways to prevent being victimized, check our reports, and our ebook:

• Season’s Warnings: iPhone 4S Scam and Other Holiday Threats
• Beware of Holiday-Themed Multi-component Online Threats
• Season’s Warnings

Post from: TrendLabs | Malware Blog - by Trend Micro

Online Shopping Safety Made Easy

There are few modifications in the body text in the spammed message. Also, it was sent by do_not_reply@itunes.com via smtp.com, which means that Gmail detected that the email might have been sent using a third-party email service. Even more curious, I clicked the link in the email that supposedly signs in to your Apple ID. I found that it pointed to a site that tries to mirror the legitimate Apple site; only the glaring difference was that this one had advertisements at the bottom of the page.

I sought help from one of our engineers and as it turns out, the “Apple” site was indeed a phishing page hosted on a free hosting site. It tells users to input their Apple IDs and passwords while the information is later on sent to the phishers. This simple spammed message shows how easy it is to stage attacks nowadays- with minimum investment and considerable returns, phishers now have access to users’ App store info which includes users’ credit card information, home addresses, and phone numbers. You don’t even have to pay to host your server.

Phishing attacks like this don’t need a lot of storage as it only stores the Apple credentials and is limited only to Apple users. It may only be as simple as a spammed message, but the outcome isn’t any different from your typical infostealing malware today that need to install themselves into systems. Furthermore, with the Apple’s market steadily growing, cybercriminals may now be more interested in these Apple accounts and the stolen credentials may be sold underground to other crooks for a good price.

Always be wary of the littlest details in your email that may strike you as suspicious. Check and double check embedded URLs, delete spammed messages, and never underestimate the endless possibilities of cybercrime.

Big thanks to Roland Dela Paz for helping out with the analysis and additional insights.

Post from: TrendLabs | Malware Blog - by Trend Micro

There’s Something Phish-y About this Email from Apple