    TrendLabs Security Intelligence Blog

    Archive for February, 2012




    When there are celebrity stories such as the death of Whitney Houston in the press, we expect to see BlackHat SEO attacks and other cybercriminal campaigns using these themes to distribute malware. However, a recent targeted attack caught our attention. The lure in this case was the story of Jeremy Lin, the NBA star whose outstanding play for the New York Knicks has drawn international attention. He recently made the front cover of Time magazine with the simple headline “Linsanity”.

    A malicious document named “The incredible story of Jeremy Lin the NBA new superstar.doc”, detected by Trend Micro as TROJ_ARTIEF.LN, was sent on February 16th 2012. It exploits a vulnerability in Microsoft Office (CVE-2010-3333) in order to drop malware on the target’s system. The dropped malware is detected by Trend Micro as BKDR_MECIV.LN. After successful exploitation, a clean document is opened so that the target doesn’t suspect that anything malicious occurred.

    This attack is actually part of the LURID campaign (often known as Enfal) that we documented last year. The victims of that campaign were primarily in Eastern Europe and Central Asia. This “Linsanity” attack continues that trend.




    The Internet has played a significant role in the current conflict in Syria. The opposition has made increasing use of platforms such as Facebook to organize and spread their message. In response, supporters of the regime like the “Syrian Electronic Army” have sought to disrupt these activities by defacing websites and spamming Facebook pages. Recently, this conflict took on a new dimension with reports that suggested targeted malware attacks were being used against supporters of the Syrian opposition movement.

    Dark Comet RAT Used as “Syrian Spyware”

    The malware used in the attacks reportedly spreads through Skype chats. Once users execute the malware, it connects to a C&C (command and control) server in Syria at {BLOCKED}.{BLOCKED}.0.28, which belongs to an IP range assigned to the Syrian Telecommunications Establishment. While the malware has been described as “complex” and “invisible”, it turns out that it is the widely available Remote Access Trojan (RAT) known as Dark Comet.

    In our analysis, which confirms an earlier investigation by Telecomix, we found that the samples connecting to {BLOCKED}.{BLOCKED}.0.28 are instances of the DarkComet RAT versions 3.3 and 5. However, some samples are “downloaders” that connect to this same IP address via HTTP and download an encrypted “Update.bin” file, which is then decrypted and executed. The payload is the actual DarkComet RAT.
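    As an added example (not code from the original post), the following Python sketch shows one defensive heuristic for the downloader behaviour described above: flag a successful HTTP GET of a .bin file from a bare IP-literal host whose response body is high-entropy, i.e. encrypted or packed rather than a recognisable file. The proxy-log format, the address 203.0.113.28 (a documentation-range stand-in for the blocked C&C IP) and the response bodies are all constructed for this example.

```python
import math
import re
from collections import Counter

# Constructed proxy-log layout: "<ts> <client> <method> <url> <status> <bytes>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")
# URL whose host is a bare IPv4 literal rather than a hostname
IP_HOST_RE = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/")
ENTROPY_THRESHOLD = 7.5  # bits/byte; encrypted or compressed data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flag_downloads(log_lines, bodies):
    """Return URLs of successful GETs of a .bin file from an IP-literal host.
    `bodies` maps URL -> captured response body; a low-entropy body (e.g. a plain
    firmware blob) clears the fetch, a missing body leaves it flagged."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        url = m["url"]
        if not IP_HOST_RE.match(url) or not url.lower().endswith(".bin"):
            continue
        body = bodies.get(url)
        if body is not None and shannon_entropy(body) < ENTROPY_THRESHOLD:
            continue
        flagged.append(url)
    return flagged

# Constructed samples: 203.0.113.28 (documentation range) stands in for the
# blocked C&C address; the bodies are synthetic, not captured traffic.
SAMPLE_LOGS = [
    "1329400000.101 10.0.0.5 GET http://203.0.113.28/Update.bin 200 40960",
    "1329400001.204 10.0.0.5 GET http://updates.example.com/patch.bin 200 2048",
    "1329400002.317 10.0.0.7 GET http://203.0.113.28/firmware.bin 200 4096",
    "1329400003.420 10.0.0.7 GET http://203.0.113.28/index.html 200 512",
]
SAMPLE_BODIES = {
    # every byte value equally often -> exactly 8.0 bits/byte, like ciphertext
    "http://203.0.113.28/Update.bin": bytes(range(256)) * 160,
    "http://203.0.113.28/firmware.bin": b"FW01" + b"\x00" * 4092,  # low entropy
}
```

    Running `flag_downloads(SAMPLE_LOGS, SAMPLE_BODIES)` flags only the Update.bin fetch: the hostname-based patch.bin, the low-entropy firmware blob and the HTML page all pass.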

    DarkComet is a full-featured RAT that can take pictures via a webcam, listen in on conversations via a microphone attached to the PC, and gain full control of the infected machine. The features that attract most users of this RAT, however, are keylogging and file transfer, which let an attacker load any file onto the infected machine or steal documents from it.

    DarkComet is still being developed, and version 5 was released last January 15. It was created by a coder using the handle DarkCoderSc and was first written in 2008. Since the reports of its use in connection with events in Syria, the author of DarkComet has expressed regret; while he will continue developing the RAT, he plans to make a DarkComet detector/remover available to the Syrian people.



    During the past few days, we’ve been monitoring Laduree.fr, the website of a well-known confectionery company based in France. A seemingly unlikely target for cybercrime, Ladurée’s website was compromised in order to infect users’ systems with ransomware. The ransomware, detected as TROJ_RANSOM.BOV, pretends to be a notification from the National Gendarmerie (French: Gendarmerie nationale), commonly known as the French Police Force. It displays a window that covers the entire desktop and demands payment, i.e., it holds the system ransom.

    Apart from infecting French users who visited the Ladurée site, there were also several infections seen in Japan. As it turns out, Ladurée pastries are popular among the Japanese; in fact, the Ladurée site is only available in French, English and Japanese.

    Using a confectionery company’s site showcases cybercriminals’ ability to adapt and go to where they think they’ll find potential victims.

    Related Attacks

    In this case, the attack makes use of the Blackhole exploit kit in order to drop malware onto systems. It is the same malware family that has been used in the past to impersonate other law enforcement agencies such as the Bundespolizei in Germany. In addition to its ransomware component, the malware also steals credentials for a long list of programs and sites, including local email accounts, browser passwords, social networks, poker sites, FTP passwords and Remote Desktop software.

    We noticed that the domain name of the URL used to host the exploit kit has been suspended. Based on the logs, it was created on February 9, 2012 and last updated on February 14. The domain’s registrant shows a .ru email address which might help in identifying a possible suspect, but this might just be a compromised email account, so the information might not be reliable. For example, the WHOIS information states that the domain owner is based in Moscow, but the email account tied to it says the owner is based in a city about 4 hours from Moscow.

    We also observed that the domains related to this campaign are all hosted on a common range of IP addresses. The related sites belong to the same gang but were not used in this particular attack. This gang has also impersonated police notifications from Italy, Spain, Germany and Belgium, among others. Each of these domains uses a different email address for registration, mostly ending in .ru, but it is highly likely that these are simply compromised accounts.

    Ransomware as a Profitable Business Model

    By making threats more effective and harder to mitigate, cybercriminals stand a greater chance of obtaining more substantial profits. This ransomware attack, however, proves that sometimes even the simplest and most straightforward threats still work. The required ransom may be a relatively small price to pay for individuals who value their data. However, when that amount multiplies into thousands, you are then faced with a hefty sum that can be used to fund more complex and possibly more destructive endeavors.

    Posted in Exploits, Malware



    We’re seeing more and more scams on the Android Market. Last week, we wrote about a developer that uses popular app names to trick users into downloading fake ones. Before that, we saw a fake Temple Run app making the rounds on the Android Market. This time, we saw 37 more apps that share similar behavior with the previously reported ones. These are “fan apps,” which means that they aren’t the real game created by the original developer.

    I noticed something odd just by looking at the fan apps’ web page. The developer’s website leads to dead links such as a .com site and a misspelled Google domain (it was spelled googel.com).

    Another thing I noticed was that all the listed apps have the same screenshot. Once installed, the app forces the user to share it on Facebook (if installed) and give it a rating on the Android Market. It also aggressively displays ads as notifications and creates shortcuts on the infected device’s home screen.

    The bigger problem, however, lies in the fact that the apps send sensitive information to particular remote servers. The information that gets sent out includes the device’s OS version, International Mobile Equipment Identity (IMEI), and phone number, to name a few. Once any of these apps is run, the aforementioned information is immediately sent to the servers.


    There is an option to stop the advertisements. However, users are likely to miss and ignore it since it’s hidden in the app’s description page on the site.

    Never Shun the Opt-out Option

    We took the initiative and reported these apps to Google a few days ago. They responded positively and took them off the Android Market.

    However, the apps being taken off the Android Market does not eliminate this threat entirely. Cybercriminals can still choose to upload them to other sites such as third-party app stores, forums, and others. Nonetheless, regardless of where cybercriminals upload them, Trend Micro will still detect them as ANDROIDOS_FAKEAPP.SM.

    Quite obviously, this trend of apps being equipped with aggressive advertising methods — especially those related to search monetization — will be seen for quite a while. Thus, users are advised to be extra careful when installing apps. To read more about this, users may refer to our previous blog entry Search Monetization as a New Threat to the Mobile Platform.

    Trend Micro already protects against this threat. However, user education is still valuable in protecting your mobile devices from such attacks. Users may read more about mobile threats and tips on how to protect their mobile devices through our Mobile Threat Information Hub.




    Microsoft spreads love to all IT administrators this month by addressing 23 vulnerabilities on the 14th of February. The software giant released nine bulletins and fixed critical flaws in Internet Explorer, an error in a runtime library which can be targeted through Windows Media Player, and flaws in the Windows kernel. Four out of the nine bulletins were tagged as Critical by Microsoft.

    One critical update was MS12-010, a cumulative security update for Internet Explorer which resolves four privately reported vulnerabilities in versions 6 through 9 of Internet Explorer. These vulnerabilities could be used to run malicious code on a user’s system if they visited a malicious web site with Internet Explorer. A similar code execution vulnerability, MS12-013, could be exploited using flaws in the msvcrt.dll runtime library to run malicious code if the user opened a specially crafted video. The two remaining Critical bulletins (MS12-008 and MS12-016) resolve vulnerabilities in the Windows kernel, the .NET Framework, and Silverlight that could similarly be used to run malicious code.

    Among the remaining five Important bulletins are MS12-012 and MS12-014, which fix DLL preloading issues in the Color Control Panel and the Indeo codec, respectively. MS12-011 fixed a privilege escalation flaw in SharePoint.

    Microsoft urged users to immediately install the patches associated with the above bulletins; users can find full technical details from the February summary page. You can view our page on Threat Encyclopedia for respective Trend Micro solutions.

    Users of Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plug-in can also find updates to their products that will protect them from threats exploiting the vulnerabilities made public today, in advance of IT administrators being able to roll out these patches. The coverage for this month includes all of the vulnerabilities specifically mentioned above.

    Posted in Bad Sites


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice