Oct 22
2:54 am (UTC-7)   |    by Gaye Ofilas (Anti-spam Research Engineer)

[Figure: Halloween-themed work-from-home spam sample]

Holidays are spammers’ favorite times of the year. After all, these give them additional opportunities to lure more victims to their specially crafted scams apart from a theme to focus on. As one of the most celebrated holidays across the globe, it is not surprising that Halloween, which is barely a week away, has been creating a buzz.

Trend Micro threat analysts got wind of Halloween-related spam samples (see the sample above). These offered readers supposedly promising opportunities to earn money while working from home.

Clicking the link redirects the user to a site that is now inactive. However, based on Whois.Net's domain name records, the URLs were only created in August of this year, most probably just for spamming purposes. It is, after all, not uncommon for spammers to register domains for the minimum allowable period to further their malicious profiteering activities.

Users are thus warned not to click links to unknown sites, no matter how tempting the offer on the table may be. If you are really interested in getting a legitimate job or another means to earn more, go to a trusted job-search site. Do not trust everything you read in email, especially if you do not know who the email came from.

Trend Micro Smart Protection Network™ protects users from spamming attacks by blocking unwanted email and preventing user access to malicious sites. Mac users can enjoy the same benefits by using Trend Micro Smart Surfing for Mac.

Non-users of Trend Micro products can also stay protected from such attacks with free antivirus tools such as eMail ID and Web Protection Add-On.

Oct 21
3:20 pm (UTC-7)   |    by Robby Dapiosen (Anti-spam Research Engineer)

Very recently, cybercriminals have found another avenue to lure victims into their trap by using Microsoft as bait.

A screenshot of one such campaign is shown in Figure 1 below. The email asks the recipient to download and install the attached .zip file (shown in Figure 2), which is actually a malicious file that purports to scan their computer for a possible Conficker worm infection.

These spam mails are notable for their forged headers: the From field is the same as the address of the recipient (Figure 3).
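The forged-header characteristic described above, together with the .zip attachment carrying an executable, lends itself to a simple mail-gateway check. The following Python script is an added example, not code from Trend Micro or from the original post: the sample messages it builds are constructed, and the finding names and the list of executable suffixes are the example's own assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
from typing import List, Optional

# Assumed list of suffixes treated as executable content inside an archive.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".pif")


def build_sample(sender: str, recipient: str,
                 zip_members: Optional[List[str]] = None) -> bytes:
    """Construct a sample message (constructed test data, not a real capture).

    When zip_members is given, a .zip attachment containing those file names
    is added, mimicking the spam described in the post.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Conficker scan tool"
    msg.set_content("Please run the attached scanner.")
    if zip_members:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name in zip_members:
                # Placeholder bytes only; this is not a real executable.
                zf.writestr(name, b"MZ-placeholder")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="scanner.zip")
    return msg.as_bytes()


def analyse(raw: bytes) -> List[str]:
    """Return a list of findings for a raw RFC 5322 message.

    Checks applied (finding names are this example's own convention):
      - from-equals-recipient: the From address also appears in To/Cc,
        the forged-header pattern the post describes
      - zip-attachment:<name>: a .zip attachment is present
      - executable-in-zip:<member>: the archive carries an executable
      - corrupt-zip-attachment: the .zip could not be opened
    """
    msg = message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient_headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    recipients = {addr.lower() for _, addr in getaddresses(recipient_headers)}
    if sender and sender in recipients:
        findings.append("from-equals-recipient")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        findings.append(f"zip-attachment:{name}")
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_SUFFIXES):
                        findings.append(f"executable-in-zip:{member}")
        except zipfile.BadZipFile:
            findings.append("corrupt-zip-attachment")
    return findings


if __name__ == "__main__":
    spam = build_sample("jdoe@example.com", "jdoe@example.com", ["scanner.exe"])
    legit = build_sample("helpdesk@example.org", "jdoe@example.com")
    print("spam :", analyse(spam))
    print("legit:", analyse(legit))
```

The From-equals-recipient check alone produces false positives (people do mail themselves reminders), so in practice it is a scoring signal rather than a blocking rule; combined with an archive that contains an executable it is a much stronger indicator.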

[Figures 1–3: the spam email, the attached .zip file, and the forged From header]

The executable file contained in the attached .zip file is a FAKEAV variant detected as TROJ_FAKEAV.BL. Upon execution, TROJ_FAKEAV.BL displays a splash screen for the fake antivirus Power-Antivirus-2009, as shown in Figure 4. It then displays a fake scanning window to trick users into thinking that the executed file is a legitimate antivirus application (Figure 5), followed by fake alerts that warn users of infection, as shown in Figure 6.

[Figures 4–6: the Power-Antivirus-2009 splash screen, fake scanning window, and fake infection alerts]

With the spam message blocked and malicious file detected, Trend Micro users are fully protected from this attack. Non-Trend Micro product users on the other hand are advised to use HouseCall, Trend Micro’s scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.

Oct 20
5:16 am (UTC-7)   |    by Maxim Goncharov (Advanced Threats Researcher)

In the past few weeks, Trend Micro researchers have become aware that the Russian cybercriminal underground has been overflowing with offers for a new kind of information-stealing malware. These new malware variants pose as agent programs used by Russian social networking sites, such as Odnoklasniki and Vkontakte. (Agent programs are programs used by some websites to allow users to log into their services without having to start their browser.)

[Figures: underground forum offers for the fake agent programs]

A group of cybercriminals interested in stealing the login credentials of the users of these target sites would provide the authors of these new fake agent programs with an email address or an ICQ number to which the stolen credentials would be sent. These "authors" would then be responsible for distributing their malware to users.

Users who did download and run these fake agents would be presented with an interface similar or identical to legitimate agent programs.

[Figures: the fake agent interface compared with the legitimate agent program]

When users attempt to enter their login credentials using these fake agents, they receive a message that the connection to the server has failed. In reality, the credentials have been captured and sent to the cybercriminals via the supplied email address or ICQ number. This threat is detected and removed by Trend Micro as TSPY_FKANTAKTE.A.

Oct 20
4:22 am (UTC-7)   |    by Jessa De La Torre (Threat Response Engineer)

Brazilian banks are once again in the hot seat as a banking Trojan emerges with a new technique. This time, the cybercriminals targeting these banks are abusing GMER, a popular anti-rootkit application. Trend Micro detects this banking Trojan as TROJ_DLOAD.BB. Upon execution, this Trojan downloads a legitimate copy of GMER and a malicious rootkit component detected as TROJ_DAMMI.AB.

TROJ_DLOAD.BB creates a batch file that terminates the processes related to G-Buster Browser Defense (GBPlugin), a security program used by many Brazilian banks to protect against information theft and to protect customers' privacy during online transactions. Without this application, the information relayed in these transactions may be exposed to malicious users and used for fraudulent activities later on.

[Figure: the batch file created by TROJ_DLOAD.BB]

Using GMER's -killfile option, the batch file created by TROJ_DLOAD.BB terminates GBPlugin and its components. TROJ_DAMMI.AB is then installed as a rootkit and service to make sure that any instance of GBPlugin stays terminated.

Trend Micro protects users via the Trend Micro Smart Protection Network, which already blocks the download URLs and detects the related malicious files. Non-Trend Micro users can use HouseCall, Trend Micro's free scanner for identifying and removing malware.

Update as of 20 October 2009, 17:00

Aviv Raff, one of our partners from RSA, confirmed that cybercriminals use this kind of approach in their malicious routines. He stated that GMER is not the only malware removal tool utilized by cybercriminals. Another tool, called The Avenger, has been used to terminate GBPlugin. The Avenger is the work of a security researcher who uses the alias Swandog46. As his website states, The Avenger is a powerful program, which makes it easy to imagine the tool being misused. And true enough, the cybercriminals did.

Oct 19
6:39 pm (UTC-7)   |    by Det Caraig (Technical Communications)

A day before Michael Jackson's new song, "This Is It," was slated to premiere on michaeljackson.com on October 12, a spam run promoting a 45-second preview on YouTube was already making the rounds.

The email below, purporting to be from CNN.com, was spammed to users in an effort to trick them into clicking the link to watch the supposed preview.

[Figure: the spam email purporting to be from CNN.com]

Trend Micro threat experts analyzed the URL embedded in the email (http://www.{BLOCKED}hine.com/Support/index.html) and found it to be malicious. It redirected users to the following sites:

  • http://{BLOCKED}aking-news.alerts.applest.com/audio/index.html
  • http://{BLOCKED}aking-news.alerts.applest.com/audio/Michael_Jackson-The_brand_new_song.hta

These sites had been injected with a malicious VBScript detected by Trend Micro as VBS_PSYME.DLV. It then led users to a remote site to download the file http://www.{BLOCKED}c.com/best/AutoCfg.exe, detected by Trend Micro as BKDR_RUNRUB.A.

BKDR_RUNRUB.A is a Ruby-compiled malware that waits for an active Internet connection and then sends information from the infected user's machine, such as the local computer name, local username, and IP address, to a malicious client. Information such as this may be used by cybercriminals to further their profiteering schemes or sold to other malicious users.

We urge users not to open suspicious-looking emails or click links that come from people they do not know. Cybercriminals will strive to make their malicious schemes seem legitimate, using the names of reputable news companies, such as CNN in this case, as bait.

Trend Micro Smart Protection Network™ protects both Windows and Mac users from this threat by blocking access to malicious URLs and preventing the download of malicious files.

© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice