Major events, especially tragic ones, are usually followed with people asking the question, “Why did this happen?” Such events affect a lot of people in different ways, and that it is hard for us to dismiss that there is no valid reason as to why they occurred.

The September 11 terrorist attack on the United States is a clear example of this situation, as up until today — more than 8 years after the event has occurred — people are still searching for clear, justifiable explanation. Attempts to provide one only brought more confusion than clarity, as the numerous theories presented to the public only raised more questions that give answers.

And it seems that this is what the cybercriminals had in mind when they launched an attack that specifically plays on people’s desire to know what led to 9/11.  Senior Threats Researcher Paul Ferguson found a spammed email message that claims to contain data on the 9/11 U.S. Pentagon conspiracies theories.

The message is fashioned to appear to be from CNN:

Clicking the link on the message leads to the file hunt_the_boeing.hta, which is detected by Trend Micro as VBS_PSYME.DMB. VBS_PSYME.DMB connects to a certain URL to download possibly malicious files.

Though the final payload of this attack is yet to be determined, users are strongly advised to go against their natural tendency to be curious and not click on the link must they receive the said email. Trend Micro protects users from this spam run with its Trend Micro Smart Protection Network that blocks and detects the malicious file.

If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!

A slightly modified Zbot spam campaign currently making rounds pretend to come from the IT support of various companies. It informs users that a security update in the mailing service caused changes in their mailbox settings. They are instructed to open the ZIP attachment and run the .EXE file, INSTALL.EXE to supposedly apply the changes. Trend Micro detects this as TROJ_FAKEREAN.CF.

When executed, this Trojan accesses http://{BLOCKED}nerkadosa.com/xIw1yPD0q5Gb8t0br4×6k5sk to download another malicious file detected as TROJ_FAKEREAN.BI.

Spammers usually employed random email address in the FROM and TO field headers but in this case, the actual company domain is used as email addresses in both fields. This is done to make the email message more credible, and convincingly coming internally from the company, thus luring unknowing users into executing the malware.

This attack is a follow-up on the phishing email we blogged earlier this week. The said email purports as a notification from the company’s “system administrator” to update the user’s system because of a server upgrade. Accordingly, the subdomains are tailor-made to make it more legitimate.

Users are encouraged not to open suspicious-looking emails even though it supposedly came from a trusted source. It is also advisable that users contact first their IT or tech support in case they received such emails to verify if indeed a security update had occured. Trend Micro protects users from this attack with its Trend Micro Smart Protection Network that blocks and detects the said malicious file.

A specially crafted .PDF file, detected by Trend Micro as TROJ_PIDIEF.ASP, was recently found to be hosted by several Indian, Thai, and New Zealand websites.

The Trojan takes advantage of critical vulnerabilities in Adobe Reader 9.1.3 and Acrobat 9.1.3; Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh, and UNIX; and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities can cause the application to crash and can potentially allow an attacker to take control of an affected system. Adobe has thus advised users to patch their systems and download the necessary updates.

The Trojan belongs to an old but notable malware family known as “ASProx,” which plagued the Web last year. It was so notable that it made its way to Trend Micro’s Top 8 in 2008 list.

Most ASProx variants, including this most recent one, exhibited the same payload. They first compromised several websites. Visiting the said sites then triggerred redirections to various malicious URLs that ultimately led to the download of more malicious files.

The recent reemergence of the ASProx code or the cybercriminals behind it may not have brought anything new to the table but it is noteworthy in that this attack seemingly brought the botnet back from the dead after almost a year of inactivity.

Users, as usual, are thus warned to refrain from opening suspicious-looking files. They are also strongly advised to patch their systems regularly to avoid becoming prey to vulnerability exploits.

Trend Micro Smart Protection Network™ protects users from this threat by blocking access to malicious URLs and preventing the download of malicious files. Mac users are also protected through Trend Micro Security for Mac and Smart Surfing for Mac.

Non-Trend Micro product users, on the other hand, can also stay protected with Housecall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.

Important correction, posted October 16, 2009: TROJ_PIDIEF.ASP exploits vulnerabilities cited in CVE-2009-0927 and CVE-2007-5659, not the previously posted vulnerability discussed in the second paragraph above. We apologize for any confusion caused by this oversight. Adobe users should enable the auto-update feature in their product to receive patches that address these vulnerabilities.

The solution for the vulnerability that was left unpatched during last month’s patch cycle was included in the recently released security advisory, along with a dozen other vulnerability reports.

Of the 13 security vulnerabilities fixed today, 8 vulnerabilities were marked “critical” while the other 5 were marked “important.” This month’s release covered a wide range of vulnerabilities, each of which affects long lists of software. Listed among the software affected in several of the released security update is the very much coveted Windows 7, which is slated to be released next week.

The update also included a security update for a vulnerability that was partly addressed in a previous patch release. More information on the security advisories can be found in this Trend Micro Security Advisory page.

Considering that many of the newly patched vulnerabilities enable remote code execution, it is all but necessary that users patch their systems as soon as possible.

Trend Micro OfficeScan users with Intrusion Defense Firewall plugin installed should apply today’s update for the latest filters (IDF9030). This version contains protection from attacks exploiting the above and other vulnerabilities.

Trend Micro threat analysts were recently alerted to a phishing attempt targeting random employees of several companies. The email posed as a notification from the company’s “system administrator,” reminding the employee to update his/her system’s software due to a recent server software upgrade. The spammed email contained a URL using several subdomains that resolved to the same IP address.

Trend Micro Advanced Threats Researcher Joey Costoya believes the subdomains are tailor-made, depending on the recipent’s email address. This makes the email seem legitimate, even if it is not, tricking unknowing users into clicking the URL.

As of this writing, the URLs are already inaccessible. Trend Micro analyzed the domains and subdomains used in this attack and found that they are already blacklisted. The domain was registered for only one year.

Trend Micro Smart Protection Network™ already detects the malicious files as TROJ_ZBOT.CYX and blocks the spammed emails. Non-Trend Micro product users are, on the other hand, advised to use HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.