    Archive for March 15th, 2012

    The Android Market was just recently renamed to Google Play and yet there are already cybercriminals taking advantage of this. We’ve spotted newly created domains that imitate the Google Play site and contain malicious apps.

    The malicious URL http://{BLOCKED} displays a fake Russian Google Play site. When translated to English, the text reads: “Download Google Play for Android. Google Play is formerly known as the Android Market but now a vast and influential old Android Market combined with a store of books Google eBookstore, multi-format films and world music Google Music.”

    Upon trying to select the clickable images on the site, I was led to another malicious Russian domain that offers suspicious Android apps. I tried to download the Google Play application, google-play.apk, from the URL http://{BLOCKED}, but it just points to a malicious file detected as ANDROIDOS_SMSBOXER.AB. This leads to another malicious URL, http://{BLOCKED}.

    ANDROIDOS_SMSBOXER.AB is a premium abuser type of mobile malware. Such malware subscribes affected devices to premium services without the permission of the user, thus leading to unwanted charges.

    This particular malware is very similar to ANDROIDOS_OPFAKE.SME, an Android malware that made news last month for its supposed ability to polymorph. However, just like ANDROIDOS_OPFAKE.SME, the server that hosts ANDROIDOS_SMSBOXER.AB simply inserts unnecessary files into the APK in order to evade detection. According to Threats Analyst Kervin Alintanahin, this routine technically cannot be considered polymorphic behavior, especially since no significant change is made to the APK’s source code. Because of this, security software can still easily detect the malicious files.

    Aside from detecting the malicious .APK files, all of the related malicious URLs are already blocked through the Trend Micro Smart Protection Network. Trend Micro customers need not worry as ANDROIDOS_SMSBOXER.AB is currently detected by Trend Micro Mobile App Reputation.

    If anything, this attack shows just how quickly cybercriminals can adapt to the fast-changing mobile landscape. Users are strongly advised to practice extreme caution when dealing with apps and app stores in general. For more information on mobile threats, please check our Mobile Threat Information Hub.


    We’ve gotten a number of questions from customers who are concerned about the Remote Desktop Protocol (RDP) vulnerability addressed by Microsoft on Tuesday with their security bulletin MS12-020. We wanted to take a moment to update you on this.

    This bulletin addresses a critical remote code execution vulnerability affecting Microsoft Windows systems that have RDP enabled. While RDP is not enabled by default on Windows systems, it provides remote access functionality that many environments rely on, thus potentially putting them at risk. This vulnerability is highly critical because it can be exploited even by unauthenticated users. Another fact that makes this vulnerability special is that it affects all versions of Windows. Hence, it’s important to take mitigating steps.

    Trend Micro customers who run Deep Security or the Intrusion Defense Firewall (IDF) and who have applied the latest updates have protection against attempts to exploit this vulnerability; specifically, Deep Security update DSRU12-006 with the rule 1004949 – Remote Desktop Protocol Vulnerability (CVE-2012-0002), and IDF update 12007. These updates were released on Tuesday, March 13 and Wednesday, March 14, respectively. Trend Micro Deep Security and IDF customers can also conveniently turn off remote desktop sharing on systems where it’s not required by applying the rule 1002508 – Application Control For RDP.

    As a member of the Microsoft Active Protections Program (MAPP), Trend Micro received information from Microsoft as part of their regular security update release process to provide these protections to Trend Micro customers.

    As part of their regular security update process, Trend Micro customers should regularly update these products to get the latest protections against exploits for these vulnerabilities.

    In accordance with Microsoft’s guidance, Trend Micro customers are encouraged to test and deploy the Microsoft security updates as soon as possible. More detailed information about the vulnerabilities addressed in this security update is available from Microsoft at their Security Research and Defense blog.

    Update as of March 16, 2012, 11:58 p.m. (PST)

    We wanted to update to make customers aware of reports that there is now Proof-of-Concept code available for MS12-020. Once again we urge customers to test and deploy this update as soon as possible.

    We also wanted customers to know that Trend Micro Threat Management Services helps provide protection against attempts to exploit this vulnerability using the following TDA patterns:

    • Network Content Inspection Pattern (NCIP) 1.11595
    • Network Content Correlation Pattern (NCCP) 1.11579

    Finally, as an additional protection, customers may want to evaluate blocking access to RDP (TCP port 3389) or watching for traffic scans and abnormalities on that port.
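    As an added illustration of the monitoring suggested above (not part of the original post or any Trend Micro product), the script below parses constructed netfilter-style firewall log lines and flags two things on TCP port 3389: sources probing many distinct hosts, and accepted RDP connections from outside an assumed allow-list of internal networks. The log format, addresses and allow-list are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in iptables/netfilter syslog style (not real traffic).
SAMPLE_LOG = """\
Mar 16 23:10:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar 16 23:10:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP DPT=3389
Mar 16 23:10:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.12 PROTO=TCP DPT=3389
Mar 16 23:10:03 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=3389
Mar 16 23:10:04 fw1 kernel: ACCEPT IN=eth0 SRC=10.0.0.8 DST=192.0.2.20 PROTO=TCP DPT=3389
Mar 16 23:10:05 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=192.0.2.30 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Extract action, source, destination and destination port; None if not a TCP line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"action": m["action"], "src": m["src"], "dst": m["dst"], "dpt": int(m["dpt"])}

def rdp_events(log_text):
    """Only the events aimed at TCP 3389."""
    return [e for e in map(parse_line, log_text.splitlines()) if e and e["dpt"] == 3389]

def find_scanners(log_text, min_targets=3):
    """Sources that touched port 3389 on at least min_targets distinct hosts (scan-like)."""
    targets = defaultdict(set)
    for e in rdp_events(log_text):
        targets[e["src"]].add(e["dst"])
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}

def unexpected_rdp_accepts(log_text, allowed_nets=("10.0.0.0/8",)):
    """Accepted RDP connections whose source is outside the assumed internal allow-list."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return [e["src"] for e in rdp_events(log_text)
            if e["action"] == "ACCEPT"
            and not any(ipaddress.ip_address(e["src"]) in n for n in nets)]
```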

    Update as of March 21, 2012 12:56 AM (PST)

    Trend Micro customers may refer to the Threat Encyclopedia for further details on the corresponding solution.


    We have recently analyzed a series of emails sent to specific users that leverage a certain prominent socio-political issue. One of these messages is about a supposed statement from the German Chancellor regarding the protests in Lhasa, Tibet. The From field indicates that it came from a key officer of the ATC, or Australian Tibet Council. But of course, the email is faked, and the email address was simply created and used to impersonate the said ATC officer. It also includes a .DOC file that supposedly contains the relevant parts of the statement. Once downloaded, the file, detected as TROJ_ARTIEF.AE, exploits a vulnerability in Microsoft Word (CVE-2010-3333) to drop other files. The dropped file is detected as TSPY_MARADE.AA, which was found to gather network and system information once specific shell commands are executed. The stolen data are then uploaded to malicious sites.

    We received another sample with more details in its message. It purportedly comes from the Tibetan Women’s Association Central and contains the recent speech given by TWA during the 56th Session of the Commission on the Status of Women at the United Nations. Like the first sample, it comes with a .DOC file of the complete speech. This attachment is detected as TROJ_ARTIEF.CP and drops the malware TROJ_REDOSDR.AH.

    Based on our analysis, we have reason to believe that these messages are part of a targeted attack. Both samples use specific political issues as social engineering bait. We also noticed that the people behind these attacks have a certain level of knowledge about the important figures and organizations in the Tibet Movement. The messages spoofed the organizations TWA Central and Australian Tibet Council to appear credible to the intended recipients. This is a common technique used by spammers and those behind targeted attack campaigns, and it does not necessarily mean that these groups were compromised. Adding to our suspicion that this is a targeted attack, the TWA sample email was directed specifically to the email address of a prominent Tibetan figure.

    Below is a list of emails we intercepted with malicious attachments related to this incident. This list, however, is not definitive, as there may be other variants yet to be seen.

    | Email Subject | Attachment File Name | Attachment Type | Attachment Detection Name | Dropped File Detection Name |
    |---|---|---|---|---|
    | Germany Chancellor Again Comments on Lhasa protests | Germany Chancellor Again Comments on Lhasa Protests.doc | .DOC | TROJ_ARTIEF.AE | TSPY_MARADE.AA |
    | TWA’s speech in the meeting of the United Nations Commission for Human Rights | TheSpeech.doc | .DOC | TROJ_ARTIEF.CP | TROJ_REDOSDR.AH |
    | Fowarding of TWA message | English_Final_Statement.doc, English_Final_Statement_1.doc | .DOC | TROJ_ARTIEF.DA, TROJ_ARTIEF.DB | TROJ_SWISYN.GT |
    | Open Letter To President Hu | Letter.doc | .DOC | TROJ_ARTIEF.DD | TSPY_ROFU.NSS |
    | Tibetan environmental situations for the past 10 years | Tibetan environmental statistics.xls | .XLS | TROJ_MDROPPR.BJ | BKDR_MECIV.AC |
    | An Urgent Appeal Co-signed by Three Tibetans | Appeal to Tibetans To Cease Self-Immolation.doc | .DOC | TROJ_ARTIEF.CX | TROJ_SASFIS.UL |
    | About TYC Centrex Notice and New email id of TYC Centrex | Centrex_Contact.doc | .DOC | TROJ_ARTIEF.CZ | TROJ_SHWOM.A |
    | [Tanc] JOINS US: March 10, Saturday: 53rd Commemoration of the 1959 Tibetan National Uprising Day. | march10.doc | .DOC | TROJ_ARTIEF.DF | TROJ_SHWOM.A |
    | 10th march speech | 10th March final.doc, 10th March final.pdf | .DOC, .PDF | TROJ_ARTIEF.CU | BKDR_MECIV.AA, BKDR_MECIV.AD |
    | FW: Call for End to Burnings | Support List.xls | .XLS | TROJ_MDROPPR.BK | BKDR_PROTUX.BK, BKDR_PROTUX.BJ |
    | Public Talk by the Dalai Lama _ Conference du Dala_ Lama Ottawa, Saturday, 28th April 2012 | Public Talk by the Dalai Lama.doc | .DOC | TROJ_ARTIEF.DG | TROJ_SWISYN.GT |
    | Bonafide Certificate of Miss Tenzin Tselha | (contains tentselha.jpg, tentselha.jpg.lnk, tentselha1.jpg) | ZIP (containing LNK, EXE, JPG) | TROJ_REDOSDR.AH | TROJ_REDOSDR.AH |
    | TWA mourns the self immolation deaths of two female protesters this past weekend | TWA mourns the self immolation deaths of two female protesters.doc | .DOC | TROJ_ARTIEF.SM3 | TSPY_MARADE.AA, TSPY_ZBOT.BPG |
    | Self-Immolations: New heightened form of Non Violent protests in Tibet | TWA looks back at the aftermath and the undercurrents of the 52 years of Chinese rule in Tibet.doc | .DOC | TROJ_ARTIEF.DH | BKDR_AGENT.ZZZZ |
    | Arrest and protests mar ‘Losar’ week in Tibet.eml | an appealing letter to the United Nations.doc | .DOC | TROJ_ARTIEF.CW | TROJ_SWISYN.HV |
    | UN Human Rights Council publishes written statement on discrimination in Tibet.eml | G1210456.doc | .DOC | TROJ_ARTIEF.CT | TROJ_SWISYN.HV |
    | Students For A Free Tibet !.eml | Action Plan for March 10th.doc | .DOC | TROJ_ARTIEF.JD | BKDR_DUOJEEN.A |

    The infection chain shown by the two samples above is noticeably similar to a previous attack that used NBA star Jeremy Lin as a social engineering hook. If you check out some of our blog postings on targeted attacks from way back in 2008 such as the ones we wrote about here and here, you will find similarities from past targeted attack campaigns of the same nature. Each scenario involves a malicious .DOC file that exploits a Microsoft Word vulnerability to drop infostealing malware.

    If you see any of these messages in your inbox, please delete them immediately. If you’ve already opened or downloaded the attached files, please coordinate with the Trend Micro support team. As a rule, always be cautious when opening email, especially when opening and downloading attachments. Even mail coming from supposedly trusted sources must be taken with a grain of salt, as cybercriminals are adept at spoofing email addresses to make messages appear legitimate.
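    The following is an added example (not code from the original post) of how a mail administrator could turn the subject and attachment-name indicators from the table above into a simple triage check. It takes four rows from the table as its indicator list and normalizes the quirks visible there: forwarding prefixes such as “FW:” and the “.eml” suffix some captured subjects carry. The message values passed to triage() are constructed.

```python
import re

# Indicators taken from four rows of the table in the post: (email subject, attachment file name).
INDICATORS = [
    ("Germany Chancellor Again Comments on Lhasa protests",
     "Germany Chancellor Again Comments on Lhasa Protests.doc"),
    ("Open Letter To President Hu", "Letter.doc"),
    ("FW: Call for End to Burnings", "Support List.xls"),
    ("Students For A Free Tibet !.eml", "Action Plan for March 10th.doc"),
]

# One or more reply/forward prefixes at the start of a subject, e.g. "Fwd: FW: ...".
PREFIX_RE = re.compile(r"^(?:(?:fw|fwd|re|aw)\s*:\s*)+", re.I)

def norm_subject(subject):
    """Canonical form of a subject: drop a trailing .eml, forward/reply prefixes, case, spacing."""
    s = subject.strip()
    if s.lower().endswith(".eml"):   # some captured subjects in the table carry the file extension
        s = s[:-4]
    s = PREFIX_RE.sub("", s)
    return " ".join(s.split()).casefold()

def norm_name(name):
    """Canonical form of an attachment file name (case and whitespace insensitive)."""
    return " ".join(name.strip().split()).casefold()

KNOWN_SUBJECTS = {norm_subject(s) for s, _ in INDICATORS}
KNOWN_ATTACHMENTS = {norm_name(a) for _, a in INDICATORS}

def triage(subject, attachments):
    """Return the indicator hits for one message; an empty list means no match."""
    hits = []
    if norm_subject(subject) in KNOWN_SUBJECTS:
        hits.append("subject")
    for a in attachments:
        if norm_name(a) in KNOWN_ATTACHMENTS:
            hits.append("attachment:" + a)
    return hits
```

A hit on either field is a reason to quarantine the message for analyst review rather than deliver it, since the lure subject and the document name were both reused across samples.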

    We will continue to monitor this campaign and update this blog post with our analysis.

    With additional text by Nart Villeneuve



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice