Aug15
by Ryan Flores (Advanced Threats Researcher)

Seems like the bad guys pushing fake antivirus software are not done yet.

We received several reports from the North American region earlier today about users being victimized by rogue antispyware software. Users download this rogue program after they have somehow been convinced to click on malicious links. These links point to malware that causes overt signs (such as popup balloons and modified wallpapers) to appear on the PC, suggesting that the system has indeed been infected. This is not goodwill, though — downloading the “trial version” only scans the system. To remove the infection, the user will have to purchase the full antispyware product with real money. Users may be infected via spammed email messages, spammed instant messages, or even via ads served on social networking sites.

Soon enough, we discovered not one but two fake antivirus programs. This time the attack is made possible through mass SEO (search engine optimization) poisoning involving several compromised Web sites. This development has certainly upped the chances of the rogue antispyware gaining mileage.

How does this work?

A simple Google/Yahoo! search can lead users to a malware-serving site. Search strings such as “changes on the river amazon” or “changes made for mount Pinatubo” will lead them to a malicious Web site. Users who happen to use these strings will find themselves going down a long road of nasty redirections.

Figure 1. Poisoned string leads users to a malware-serving site.

Figure 2. Poisoned string leads users to a malware-serving site.

The two Web sites hosting the malicious pages are normal by themselves, but the exact URLs that the search results point to will automatically redirect to hxxp:// windows-scanner2009. com.

Figure 3. The PC is redirected several times, during which the user begins to see signs that the PC is infected.

Figure 4. Message boxes suggest that the user might want to get rid of viruses in his/her PC by installing a certain software named Antivirus 2009.

Figure 5. Clicking OK in Figure 4 means the user has agreed to a “free scan.” The message even ends with what should be a comforting note saying that the file is certified free of malware. But don’t be fooled.

Figure 6. A convincing GUI for Antivirus 2009 performing the system scan might still convince users that they are using legitimate software.

After all the fake notifications, the user will be asked to download the file AV2009Install_880488.exe, which is detected by Trend Micro as TROJ_FAKEAV.DM.

The other fake antivirus will lead users to hxxp://scan. free-antispyware-scanner. com instead of the earlier example.

Figure 7. Variation on the rogue antispyware scam.

This will ask the user to download setup_100722_3.exe (detected as TROJ_FRAUDLOA.WM) instead of AV2009Install_880488.exe. (Note that the end goal of both of these, and of most rogue antispyware scams, is extortion. Users who fall for this scam pay a certain amount of money to the malware writers to purchase the full version of the fake antispyware.)

According to our investigation, several dozen currently compromised domains are involved. The hackers were able to upload PHP scripts that contain various text strings designed for SEO poisoning (manipulating or influencing the natural page rankings of search results in order to get more hits than a page really deserves).

This is not the first time Trend Micro has seen this incident — a previous SEO poisoning of this scale was also discovered back in December 2007, with SEO poisoning pages hosted on Blogspot. This time around, compromised Web sites were used instead.

Digging a little bit deeper, we also found that the hackers have almost 1 million search phrases at their disposal for SEO poisoning. These search phrases range from “free downloads, lyrics, travel, politics” to anything in between.

Malicious sites have “CLICK HERE! ALL INFORMATION!” and “CLICK HERE! WANT TO KNOW MORE ABOUT” as their page titles, so it is best to avoid clicking through Google/Yahoo! results that carry those site titles.

 


Aug14
by Jasper Pimentel (Advanced Threats Researcher)

Notable Malware

WORM_NUWAR.VQ, TROJ_DROPPER.OAC
These malware families took advantage of the Fourth of July celebrations in the United States to increase their chances of distribution. A malicious URL was included in eCards that were spammed during this time. The URL pointed to locations from which these malware could be downloaded.

TROJ_PIDIEF.JT
Sometime in mid-July, an email was being spammed, foretelling the supposed death of the Internet in 2010. The email had a PDF attachment, which contained “more details” of the news. Users who were tricked into opening the PDF attachment would soon find themselves with an unexpected guest on their systems, in the form of TROJ_PIDIEF.JT.

BKDR_POISON.GO, TROJ_FAKECLEAN.A
POISON and FAKECLEAN are two malware families that pose as virus cleaning tools. Towards the end of July, these malware were being sent out through email by Chinese hackers. The email claimed that these “applications” were Trend Micro Virus Clean Tools. There is actually a Trend Micro Virus Clean tool, but what makes this incident suspicious is that Trend never sends applications as attachments through email.

Exploits and Vulnerabilities

Internet Explorer Vulnerability
As July began, a vulnerability was discovered in Internet Explorer. According to reports regarding the vulnerability, access to an HTML document’s frames was not restricted, implying that the frame contents could be replaced, presumably with malicious content. This opens the door to further browser-based attacks against the user.

TROJ_MDROPPER.ZY, TROJ_PPDROP.M, TROJ_MDROPPER.ZT
Even the 2008 Summer Olympics were not spared as a lure for malware distribution. In the early weeks of July, .DOC files with malicious content were spreading around. Users were tricked into opening them since the documents seemed to have some info or news on the Olympic games. These .DOC files were actually exploits that took advantage of a vulnerability in Microsoft Word 2002 Service Pack 3. When exploited, the unspecified remote code-execution vulnerability could allow remote attackers to take complete control of an affected system, or cause the application to crash.

Web Incidents

TROJ_AGENT.AYZO
TROJ_AGENT.AYZO is the malware behind the recent wave of compromised Web sites. In July, quite a number of legitimate Web sites were compromised. Additional Web pages were added under the compromised sites’ domains, usually with names ending in START.HTML, BEGIN.HTML or R.HTML. Once accessed, these malicious Web pages redirect the browser to a location where TROJ_AGENT.AYZO can be downloaded.
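A site owner reading this summary and the Aug 15 SEO-poisoning post above has two concrete indicators to check a Web root against: the added page names listed here (START.HTML, BEGIN.HTML, R.HTML) and the two page titles the SEO-poisoning pages carry. The script below is an added example, not Trend Micro’s code; it assumes the site’s document root is available on disk, and the sample tree it scans is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Page titles reported on the SEO-poisoning pages (strings taken from the post).
POISON_TITLE_PREFIXES = ("CLICK HERE! ALL INFORMATION!",
                         "CLICK HERE! WANT TO KNOW MORE ABOUT")
# Page names reported as added to compromised sites (case-insensitive match).
DROPPED_PAGE_NAMES = {"start.html", "begin.html", "r.html"}
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def scan_webroot(root):
    """Walk a document root; return sorted (relative_path, reason) for hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() in DROPPED_PAGE_NAMES:
                findings.append((rel, "filename matches pages added to compromised sites"))
                continue
            if not name.lower().endswith((".html", ".htm", ".php")):
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    head = fh.read(65536)  # the <title> sits near the top
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            m = TITLE_RE.search(head)
            if m:
                title = " ".join(m.group(1).split()).upper()
                if title.startswith(POISON_TITLE_PREFIXES):
                    findings.append((rel, "SEO-poisoning page title"))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree (not real site content) so the scan runs offline."""
    root = tempfile.mkdtemp(prefix="seo_scan_")
    os.makedirs(os.path.join(root, "blog", "images"))
    samples = {
        "index.html": "<html><head><title>Welcome to our site</title></head></html>",
        "blog/news.php": "<html><head><title>Click here! Want to know more "
                         "about mount Pinatubo</title></head></html>",
        "blog/images/r.html": "<html><body>redirect</body></html>",
        "about.htm": "<title>About us</title>",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reason in scan_webroot(build_sample_webroot()):
        print(f"{rel}: {reason}")
```

Only the first 64 KiB of each page is read, which is enough to find the title; a hit is a lead for manual review, not proof of compromise.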

 


Aug14
by Paul Oliveria (Technical Communications)

Our researchers at TrendLabs have discovered a new set of rogue antivirus software circulating in the wild. Based on initial analysis, these threats arrive mainly via spammed email messages that contain a link to a bogus celebrity video scandal. We have also received reports that the said link is circulating in instant messaging applications and private messages in social networking Web sites, too.

Once the said URL link is clicked, the Web threat infection chain begins and ultimately leads to the download of a Trojan detected by Trend Micro as TROJ_FAKEAV.CX. This Trojan is a rogue antivirus that displays very convincing (and for some, alarming) messages, such as the following:

Note that since users are only using the “trial version,” TROJ_FAKEAV.CX even convinces users to get the full version so that they are always supposedly protected:

TROJ_FAKEAV.CX also drops another malware, detected as TROJ_RENOS.ACG. RENOS Trojans are known to have very visual payloads that may further alarm users — for example, they modify the system’s wallpaper and screensaver settings to display BSOD (Blue Screen of Death/Doom). Thus, users may be more convinced that something’s wrong with their system, not knowing that their new software is the one causing it.

Rogue antispyware isn’t entirely new, although our researchers have been seeing an increase in activity for the past couple of months (the Anjelina spam being one of the more recent examples).

Perhaps it’s because this is also the time of the year when the more legitimate security suites are releasing their latest software updates, and cyber criminals are riding on this season to ramp up their profits. Bad news for the infected users, though, as their latest versions of “antivirus software” are actually adding more threats to their system.

Trend Micro is still investigating this spam run. Updates will be posted when more information becomes available.

 


Aug14
by Jonathan Leopando (Technical Communications)

Just when you think you’ve seen everything, malware criminals manage to come up with something that hasn’t been seen before.

Trend Micro Advanced Threats Analyst Joey Costoya reports this latest find:


Figure 1. Spammed email boasting breaking news.

If you were to click on any links here, however, you’d be quite surprised - because instead of ending up at MSNBC, you’d end up at CNN. This is what it looks like:


Figure 2. Fake CNN site


Figure 3. Download prompt wants user to Run or Save adobe_flash.exe.

So what’s going on here? The truth is, of course, you’re at neither site. This video page asks you to download adobe_flash.exe - which has nothing to do with Adobe, and is instead detected as TROJ_AGENT.KBE. Have we seen this before? You bet. Twice, in fact.

How did we get this unusual phishing/spamming scam with a split identity? “(The spammers) forgot to update their HTML template,” Joey Costoya says. Somewhere in the world, there are probably some malicious hackers saying, “Oops.”

While the Smart Protection Network will protect Trend Micro users, everyone should still be careful about both unsolicited email and links in those messages. That’s especially true for sites that, even at first glance, aren’t what they say they are. Like this one.

Additional information provided by Fraud Analyst Mary Ermitaño.

 


Aug12
by Jovi Umawing (Technical Communications)

Clever. Hardly detectable. Very timely.

Such terms were not used to glorify phishers, but to demystify the (old) way we see phishing and to help us begin acknowledging where phishing schemes are inevitably going.

Peter Cohen of MacWorld reports a new phishing scam targeting users of MobileMe, Apple’s latest subscription-based Internet suite that replaces the .Mac (pronounced “Dot Mac”) service. The phishing email purporting to come from Apple looks clean and sleek, the text courteous and professional — hardly the kind that instantly gives away an email as a fake or scam. Below is a screenshot of the said email:

A number of links in the email body direct the victim to legitimate Apple pages, and only one link (the “clicking here” link) leads to the phishing site. Once users click on the link, they are directed to http://www.{BLOCKED}tevideos.net/store.apple.com/us, a site that is not associated with Apple. It displays a Web page fashioned to look like one from the Apple Web site, and asks the user to update their billing information. Below is a screenshot of the phishing site:

Cohen further reveals that the link is registered to a personal Gmail account in Romania, which one can surmise to have been spoofed.

Justin Berka of Ars Technica wrote that this newfound phishing scam could not be more timely, since MobileMe had been experiencing billing problems since late last month, and being privy to this could make any Apple user fall prey to the phisher’s scheme.

Trend Micro has documented a number of reports concerning Apple and the company’s products and services. Below are just some of them:

Trend Micro clients, especially Apple service users, are implored to be wary about clicking on links from emails that appear to be legitimate.

Updated: 13 August 2008, 1:30 AM PST; Additional data provided by Trend Micro Fraud Analyst Abigail Villarin

 


© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice