Dec 11, 7:46 am (UTC-7) | by Jasper Pimentel (Advanced Threats Researcher)
Most of the threats that emerged in November involved compromised Web sites. These ranged from simple spoofed sites (which offered malware downloads in the guise of media players) to trusted and reputable ones (such as Monster.com, a popular employment and recruitment site for jobseekers). It’s amazing what an errant iFRAME tag can do once your browser is redirected to where it’s not supposed to go. Because of the breadth of these emerging threats, even an ordinary Google search isn’t considered safe anymore. Read on and find out why.
Notable Malware
- TROJ_ZLOB.GAF
ZLOB Trojans, which proliferated in 2006, are known for using fake codec downloads as their social engineering technique to entice users into installing the malicious software on their systems. Initially, they were also known to affect Windows-based platforms only. Today, this Trojan family seems to be crossing over to Mac-based products, as Macworld released a warning about a ZLOB Trojan that affects Mac OS X. According to the report, this malware purports to be a video program that, when opened, displays a message that a codec is needed to run the program properly, while in the background it downloads and launches an installer that asks the user to enter the administrator password. This behavior is quite similar to that of other ZLOB variants. Trend Micro detects the said malware as TROJ_ZLOB.GAF.
- HKTL_DAHIJ.A
Real-world terrorists are once again threatening to take their jihad (holy war) to cyberspace, this time in the form of a hacking tool for attacking Web sites. This hacking tool, HKTL_DAHIJ.A, is supposed to be capable of distributed denial-of-service (DDoS) attacks. It is also configurable and flexible, which makes it easy for cyber-terrorists to be more effective in the said attacks. The tool connects to a URL for verification purposes. After successfully establishing a connection, it downloads a list from several URLs. The said list, which contains another set of URLs, is used by the affected system to launch denial-of-service (DoS) attacks for the so-called e-jihad, which did not take place on the appointed date (November 11, 2007).
- Seagate HDD Malware
Last November, Taiwan reported that newly manufactured Seagate Maxtor Basic HDDs (hard disk drives) contained malware. An article in a Taiwan newspaper points to China as the culprit behind this fiasco, as the malware found in the infected drives uploads information from affected systems to Web sites with a .cn domain. A mix of backdoors and Trojans was found in the affected HDDs. Taiwanese authorities have instructed Seagate’s Taiwan distributor to remove the affected products from store shelves immediately.
Web Threats
- Web sites again compromised through iFRAME
SANS reported that on November 6, hundreds of Web sites across the Internet were believed to have been compromised by an as yet unknown hacker. A script that loads http://{BLOCKED}8.net/0.js was injected into the said sites, leading to a page riddled with invisible iFRAMEs, which in turn link to pages that automatically download several files. These files, consisting mostly of Trojans, are already detected by Trend Micro.
- Alicia Keys MySpace Web page compromised
Last November, ExploitLabs found a background image injected into the Alicia Keys page on MySpace.com. The inserted image was said to be prominent enough that a misplaced click could redirect the user to malicious sites supposedly located in China. From that point on, users are prompted to download a fake video codec (again), which is actually a Trojan. Sound familiar? It is another variant of the DNS-changing ZLOB Trojan.
- Yahoo550
The domain Yahoo550.com was recently found to serve malicious files. It is not affiliated with Yahoo!; the domain was obviously created to trick users into thinking that it is a valid domain in the fashion of Yahoo! 360°, Yahoo!’s version of a social networking site. The malware file that can be downloaded from this site is detected by Trend Micro as TROJ_FARFLI.EY.
- YouTube spoof site
The most popular name in online video sharing, YouTube, was again used by phishers. This time it was made to lead to malware downloads via a spoofed page informing users that they needed to download a new Flash player before they could view a certain video. Users were then redirected to a particular URL where the file install_flash_player.exe was offered for download. Trend Micro detects the said file as TROJ_DROPPER.KAP.
- Gameige and World of Warcraft sites compromised
Two gaming sites were compromised last November. One of them was a page on a World of Warcraft Web site, where an iFRAME redirected the user to a separate page that downloaded a password stealer onto the user’s system. The other, Gameige, is a support site for MMORPG players. Again, malicious iFRAMEs were included in the Web site, leading to the download of multiple Trojans and backdoors.
- Monster.com compromised yet again
Monster.com was attacked for the second time. A particular page was said to contain iFrame code that redirected users to servers hosting Neosploit, a Web attack toolkit as destructive as IcePack and MPack. The attack sabotaged searches for well-known companies such as Toyota, Eddie Bauer, and Best Buy, which made the exploit effective, as many people were probably seeking jobs at companies as large as the said three. This latest attack was a sequel to the first, in which user names were stolen by hackers for phishing and spamming purposes.
- LaoAirlines Web site compromised
Sophos Australia (via iTnews) reported that visiting the LaoAirlines Web site (laoairlines.com) for online bookings or any other activity could lead to malware being downloaded onto systems. Further analysis revealed that the compromised site automatically redirected unsuspecting users to a malicious site, cs.{BLOCKED}ick.cn, that is known to host malicious JavaScript code and some Trojans. Now that the holiday season has officially kicked off in most countries, this incident should serve as a reminder that malware authors are targeting not only online shoppers and online bankers but travelers as well.
- Xmas Web threats through Google search result poisoning
Malware authors have taken advantage of the Christmas season to distribute their “goodies.” Tried searching for Christmas gift ideas on Google recently? Chances are, one of the many search results would lead you to a malware download page. Yes, one innocent search turns into a Web threat nightmare. Clicking on a poisoned link brings you to a Web page where malicious JavaScript code eventually triggers a malware download on your system. Most of the malware downloaded comprises Trojans, adware, dialers, and some malicious scripts.
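The iFRAME compromises in this section share a footprint a site owner can scan their own pages for: a script tag pulling from an unfamiliar host, and iframes hidden by zero size or by a display:none parent. The scanner below is an added example, not Trend Micro’s code or anything recovered from the incidents above; the sample page, the hosts example-attacker.invalid and 203.0.113.7, and the trusted-host list are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: ordinary content plus the injection patterns described above:
# an external script tag, a zero-size iframe and an iframe inside a display:none element.
SAMPLE_HTML = """<html><head><title>Shop</title><script src="/js/site.js"></script>
<script src="http://example-attacker.invalid/0.js"></script></head><body><h1>Welcome</h1>
<iframe src="http://example-attacker.invalid/in.php" width="0" height="0"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<div style="display:none"><iframe src="http://203.0.113.7/x.html"></iframe></div>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "param", "source", "track", "wbr"}

def _is_tiny(value):
    """True for a width/height of 0 or 1 pixel, the usual way to hide an iframe."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1

class InjectionScanner(HTMLParser):
    """Flags hidden iframes and scripts loaded from hosts outside the trusted set."""
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = set(trusted_hosts)
        self.hidden_stack = []   # one bool per open element: styled hidden or not
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag not in VOID_TAGS:   # void elements never get an end tag
            self.hidden_stack.append(bool(HIDDEN_STYLE.search(a.get("style") or "")))
        src = a.get("src") or ""
        host = urlparse(src).hostname   # None for relative (same-site) URLs
        if tag == "script" and host and host not in self.trusted:
            self.findings.append(("external-script", src))
        elif tag == "iframe" and (any(self.hidden_stack)
                                  or _is_tiny(a.get("width")) or _is_tiny(a.get("height"))):
            self.findings.append(("hidden-iframe", src))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.hidden_stack:
            self.hidden_stack.pop()

def scan_html(html, trusted_hosts=()):
    scanner = InjectionScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Run against a freshly fetched copy of each page and diff the findings over time; a new external-script or hidden-iframe entry is the signal these incidents would have produced.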
Vulnerabilities
- QuickTime Player RTSP exploit
Three new exploits posted on the Web take advantage of a vulnerability in QuickTime Player v7.3 in the way it handles responses from a video/audio streaming server via the Real Time Streaming Protocol (RTSP). RTSP controls the delivery of audio and video data with real-time properties. The exploits were designed to send a malformed RTSP response header that results in remote code execution on computers that use QuickTime Player.
- WinRAR exploit
SANS Internet Storm Center reported last November that exploit code taking advantage of a buffer overflow vulnerability in the WinRAR archiving software was making the rounds in the wild. The said exploit code affected WinRAR versions 3.50 and earlier. In-depth analysis revealed that the said exploit (detected as TROJ_RDROPPER.A) arrives as a malicious .RAR file. Once the said file successfully exploits the WinRAR flaw, it drops the file WINRAR.EXE, which is detected by Trend Micro as BKDR_DARKMOON.AH. The dropped backdoor, in turn, opens a random port and allows remote code execution by a malicious user.
Looking back at past malware roundups, there is a clear upward trend in Web threats, and most of the compromised sites are related to services or social networking, or are government-based. Since Christmas is just around the corner, expect to see a bunch of compromised Web sites related to shopping and travel.