Oct 20, 4:22 am (UTC-7) | by Jessa De La Torre (Threat Response Engineer)

Brazilian banks are once again in the hot seat as a banking Trojan emerges with a new technique. This time, the cybercriminals targeting these banks are using GMER, a popular anti-rootkit application. Trend Micro detects this banking Trojan as TROJ_DLOAD.BB. Upon execution, the Trojan downloads a legitimate copy of GMER and a malicious rootkit component detected as TROJ_DAMMI.AB.

TROJ_DLOAD.BB creates a batch file that terminates the processes related to G-Buster Browser Defense, a security program many Brazilian banks use to protect customers from information theft and to protect their privacy during online transactions. Without this application, the information relayed in these transactions may be exposed to malicious users and later used for fraud.

Using GMER’s -killfile option, the batch file created by TROJ_DLOAD.BB terminates GBPlugin and its components. TROJ_DAMMI.AB is then installed as a rootkit and a service to ensure that any new instance of GBPlugin is also terminated.
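A defender-side check for the technique just described, added here as an example and not code from the original post: it scans constructed process-creation records and flags an anti-rootkit tool's -killfile invocation when it is launched from a batch file or aimed at a GBPlugin component. The record schema, the command-line shape gmer.exe -killfile <path>, and the sample file names are assumptions.

```python
import re

# GMER's -killfile option followed by a quoted or bare file path (assumed shape).
KILLFILE_RE = re.compile(r'-killfile\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Path fragments identifying the security product this campaign targets
# (GBPlugin / G-Buster Browser Defense); extend with your own products.
PROTECTED_MARKERS = ("gbplugin", "g-buster")

def killfile_target(cmdline):
    """Return the path handed to -killfile, or None if the option is absent."""
    m = KILLFILE_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def analyze_events(events):
    """Flag -killfile use that looks automated or aimed at a security product.
    Each event is a dict with 'image', 'cmdline' and 'parent_cmdline'
    (a constructed schema, not any particular product's log format)."""
    alerts = []
    for ev in events:
        target = killfile_target(ev["cmdline"])
        if target is None:
            continue
        reasons = []
        if any(mark in target.lower() for mark in PROTECTED_MARKERS):
            reasons.append("targets security product component")
        if re.search(r"\.bat\b", ev.get("parent_cmdline", ""), re.IGNORECASE):
            reasons.append("launched from a batch file")
        if reasons:
            alerts.append({"image": ev["image"], "target": target, "reasons": reasons})
    return alerts

# Constructed sample records: the first mirrors the post's batch-driven kill,
# the second is an analyst running GMER interactively against an unrelated driver,
# the third is a plain GMER launch. File names are placeholders, not real ones.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\victim\AppData\Local\Temp\gmer.exe",
     "cmdline": r'gmer.exe -killfile "C:\Program Files\GbPlugin\gbp_component.exe"',
     "parent_cmdline": r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\kill.bat"},
    {"image": r"C:\Tools\gmer.exe",
     "cmdline": r"gmer.exe -killfile C:\Windows\System32\drivers\unknown.sys",
     "parent_cmdline": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Tools\gmer.exe", "cmdline": "gmer.exe",
     "parent_cmdline": r"C:\Windows\explorer.exe"},
]
```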

Trend Micro protects users via its Trend Micro Smart Protection Network that already blocks the download URLs and detects the related malicious files. Non-Trend Micro users can use HouseCall, Trend Micro’s free scanner for identifying and removing malware.

Update as of 20 October 2009, 17:00

Aviv Raff, one of our partners from RSA, confirmed that cybercriminals use this kind of approach in their malicious routines. He stated that GMER is not the only malware removal tool being abused by cybercriminals: another tool, The Avenger, has also been used to terminate GBPlugin. The Avenger is the work of a security researcher who uses the alias Swandog46. As his website states, The Avenger is a powerful program, which makes it easy to imagine the tool being misused, and true enough, the cybercriminals did.



Oct 19, 6:39 pm (UTC-7) | by Det Caraig (Technical Communications)

A day before Michael Jackson’s new song, “This Is It,” was slated to premiere on michaeljackson.com on October 12, a spam run promoting a 45-second preview on YouTube was already making the rounds.

The email below, purporting to be from CNN.com, was spammed to users in an effort to trick them into clicking the link to watch the supposed preview.

Trend Micro threat experts analyzed the URL embedded in the email (http://www.{BLOCKED}hine.com/Support/index.html) and found it to be malicious. It redirected users to the following sites:

  • http://{BLOCKED}aking-news.alerts.applest.com/audio/index.html
  • http://{BLOCKED}aking-news.alerts.applest.com/audio/Michael_Jackson-The_brand_new_song.hta

The said sites have been injected with a malicious VBScript detected by Trend Micro as VBS_PSYME.DLV. It then leads users to a remote site to download the file http://www.{BLOCKED}c.com/best/AutoCfg.exe, detected by Trend Micro as BKDR_RUNRUB.A.

BKDR_RUNRUB.A is a Ruby-compiled malware that waits for an active Internet connection to send information from the infected user’s machine such as the local computer name, local username, and IP address to a malicious client. Information such as this may be used by cybercriminals to further their profiteering schemes or sold to other malicious users.

We urge users not to open suspicious-looking emails or click links that come from people they do not know. Cybercriminals will strive to make their malicious schemes seem legitimate, using the names of reputable news companies, such as CNN in this case, as bait.

Trend Micro Smart Protection Network™ protects both Windows and Mac users from this threat by blocking access to malicious URLs and preventing the download of malicious files.

 


Oct 17, 8:39 pm (UTC-7) | by JM Hipolito (Technical Communications)

Major events, especially tragic ones, are usually followed by people asking, “Why did this happen?” Such events affect a lot of people in different ways, and it is hard for us to accept that there was no valid reason for them to occur.

The September 11 terrorist attack on the United States is a clear example of this situation: even today, more than 8 years after the event, people are still searching for a clear, justifiable explanation. Attempts to provide one have only brought more confusion than clarity, as the numerous theories presented to the public raised more questions than they answered.

It seems that this is what the cybercriminals had in mind when they launched an attack that plays specifically on people’s desire to know what led to 9/11. Senior Threats Researcher Paul Ferguson found a spammed email message that claims to contain data on 9/11 U.S. Pentagon conspiracy theories.

The message is fashioned to appear to be from CNN.

Clicking the link on the message leads to the file hunt_the_boeing.hta, which is detected by Trend Micro as VBS_PSYME.DMB. VBS_PSYME.DMB connects to a certain URL to download possibly malicious files.

Though the final payload of this attack is yet to be determined, users are strongly advised to go against their natural curiosity and not click on the link should they receive the said email. Trend Micro protects users from this spam run with its Trend Micro Smart Protection Network, which blocks and detects the malicious file.

 


Oct 16, 1:07 am (UTC-7) | by Aljerro Gabon (Anti-spam Research Engineer)

A slightly modified Zbot spam campaign currently making the rounds pretends to come from the IT support of various companies. It informs users that a security update to the mailing service has changed their mailbox settings and instructs them to open the ZIP attachment and run the .EXE file inside, INSTALL.EXE, to supposedly apply the changes. Trend Micro detects this file as TROJ_FAKEREAN.CF.

When executed, this Trojan accesses http://{BLOCKED}nerkadosa.com/xIw1yPD0q5Gb8t0br4×6k5sk to download another malicious file detected as TROJ_FAKEREAN.BI.

Spammers usually use random email addresses in the FROM and TO header fields, but in this case the actual company domain is used for the addresses in both fields. This makes the email message more credible, as it convincingly appears to come from inside the company, luring unknowing users into executing the malware.

This attack is a follow-up to the phishing email we blogged about earlier this week. That email purported to be a notification from the company’s “system administrator” asking the user to update their system because of a server upgrade. Accordingly, the subdomains were tailor-made to make the message look more legitimate.

Users are encouraged not to open suspicious-looking emails even when they supposedly come from a trusted source. It is also advisable for users to first contact their IT or tech support on receiving such emails to verify whether a security update has indeed occurred. Trend Micro protects users from this attack with its Trend Micro Smart Protection Network, which blocks and detects the said malicious file.
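A triage routine for the sender-spoofing trick this post describes, added here as an example and not part of the original post: it parses a constructed copy of the lure, flags a message whose From and To both use the organisation's own domain while the earliest Received hop is an outside host, and lists executables inside a ZIP attachment. The domain example.com, the relay names and the sample headers are assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
INTERNAL_DOMAIN = "example.com"  # assumed organisation domain (constructed)
RISKY_EXT = (".exe", ".scr", ".com", ".pif")

def domain_of(header_value):
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def entered_from_outside(msg):
    """True when the earliest Received hop (the last header) is not an internal host."""
    hops = msg.get_all("Received") or []
    if not hops:
        return True  # no delivery trace at all: treat as untrusted
    m = re.search(r"from\s+(\S+)", str(hops[-1]))
    host = (m.group(1) if m else "").lower().strip("[]")
    return not host.endswith("." + INTERNAL_DOMAIN)

def executables_in_zip(data):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(RISKY_EXT)]

def assess(raw):
    """Return the reasons a 'mailbox settings' message looks like this lure."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if domain_of(msg["From"]) == domain_of(msg["To"]) == INTERNAL_DOMAIN and entered_from_outside(msg):
        reasons.append("internal From/To domain but delivered from an external host")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".zip"):
            found = executables_in_zip(part.get_payload(decode=True))
            if found:
                reasons.append("zip attachment carries executable: " + ", ".join(found))
    return reasons

def build_sample():
    """Constructed lure modelled on the post (not a real captured message)."""
    msg = EmailMessage()
    msg["Received"] = "from 203.0.113.5 (unknown) by mx1.example.com"
    msg["From"] = "IT Support <it-support@example.com>"
    msg["To"] = "user@example.com"
    msg.set_content("Open the attached ZIP and run INSTALL.EXE to apply the new mailbox settings.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("INSTALL.EXE", b"placeholder bytes, not an executable")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="update.zip")
    return msg.as_bytes()
```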

 


Oct 15, 5:44 am (UTC-7) | by Det Caraig (Technical Communications)

A specially crafted .PDF file, detected by Trend Micro as TROJ_PIDIEF.ASP, was recently found to be hosted by several Indian, Thai, and New Zealand websites.

The Trojan takes advantage of critical vulnerabilities in Adobe Reader 9.1.3 and Acrobat 9.1.3; Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh, and UNIX; and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities can cause the application to crash and can potentially allow an attacker to take control of an affected system. Adobe has thus advised users to patch their systems and download the necessary updates.

The Trojan belongs to an old but notable malware family known as “ASProx,” which plagued the Web last year. It was so notable that it made its way to Trend Micro’s Top 8 in 2008 list.

Most ASProx variants, including this most recent one, exhibited the same payload. They first compromised several websites. Visiting the said sites then triggered redirections to various malicious URLs that ultimately led to the download of more malicious files.

The recent reemergence of the ASProx code, or of the cybercriminals behind it, may not have brought anything new to the table, but it is noteworthy in that this attack seemingly brought the botnet back from the dead after almost a year of inactivity.

Users, as usual, are thus warned to refrain from opening suspicious-looking files. They are also strongly advised to patch their systems regularly to avoid becoming prey to vulnerability exploits.

Trend Micro Smart Protection Network™ protects users from this threat by blocking access to malicious URLs and preventing the download of malicious files. Mac users are also protected through Trend Micro Security for Mac and Smart Surfing for Mac.

Non-Trend Micro product users, on the other hand, can also stay protected with HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.

Important correction, posted October 16, 2009: TROJ_PIDIEF.ASP exploits vulnerabilities cited in CVE-2009-0927 and CVE-2007-5659, not the previously posted vulnerability discussed in the second paragraph above. We apologize for any confusion caused by this oversight. Adobe users should enable the auto-update feature in their product to receive patches that address these vulnerabilities.
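An added example (not Trend Micro's code) of how a defender could triage PDFs for the kind of exploit the correction names: it inflates FlateDecode streams and looks for JavaScript actions and for the Acrobat JavaScript API calls those two CVEs concern, Collab.collectEmailInfo for CVE-2007-5659 and Collab.getIcon for CVE-2009-0927; that mapping comes from the public advisories, not from this post. The sample PDF is constructed and carries only the method name, not an exploit.

```python
import re
import zlib

# Acrobat JavaScript API calls tied to the two CVEs the correction cites
# (mapping taken from the public advisories, not from this post).
SUSPICIOUS_CALLS = {
    b"Collab.collectEmailInfo": "CVE-2007-5659",
    b"Collab.getIcon": "CVE-2009-0927",
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)

def decoded_streams(pdf_bytes):
    """Yield every stream body, inflating it when it is FlateDecode-compressed."""
    for m in STREAM_RE.finditer(pdf_bytes):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body  # not zlib data; scan the raw bytes instead

def scan_pdf(pdf_bytes):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    if re.search(rb"/(JavaScript|JS)\b", pdf_bytes):
        findings.append("embedded JavaScript action")
    if b"/OpenAction" in pdf_bytes:
        findings.append("runs on open (/OpenAction)")
    for data in decoded_streams(pdf_bytes):
        for call, cve in SUSPICIOUS_CALLS.items():
            if call in data:
                findings.append(f"{call.decode()} ({cve})")
    return findings

def build_sample_pdf():
    """Constructed minimal PDF: an OpenAction running a compressed JS stream that
    merely names the API (no exploit payload). Used only to exercise scan_pdf."""
    js = zlib.compress(b"// constructed marker\nCollab.collectEmailInfo;")
    return (b"%PDF-1.4\n"
            b"1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
            b"2 0 obj<</S/JavaScript/JS 3 0 R>>endobj\n"
            b"3 0 obj<</Length " + str(len(js)).encode() + b"/Filter/FlateDecode>>\n"
            b"stream\n" + js + b"\nendstream\nendobj\n%%EOF\n")
```

Obfuscated JavaScript (string splitting, eval of decoded blobs) defeats a plain substring match, so treat a hit as a strong signal and a miss as no verdict.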

 


© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice