TrendLabs Malware Blog (Trend Micro)
    Archive for April 30th, 2012

    Over the past month we’ve been investigating several high-volume spam runs that sent users to websites compromised to serve the Black Hole exploit kit. Some of the spam runs that were part of this investigation used the names of Facebook and US Airways; others involved LinkedIn and USPS. The most recent campaign we’ve seen in this wave of attacks used the name of CareerBuilder:

    We’ll look at the campaign that used Facebook specifically, but our conclusions about each of these attacks are broadly similar:

    • Phishing messages using the names of various organizations were spread via email to targets predominantly in the United States. The content of these phishing e-mails was practically indistinguishable from legitimate messages.
    • Links in these messages led to multiple compromised websites that redirected the user to various malicious sites. Collectively, these compromised sites numbered in the thousands.
    • Users were eventually directed to sites containing the Black Hole exploit kit.

    Now, let’s discuss the spam attack that used Facebook as the lure. This particular spam run consists of a fake friend request sent to the victim, as can be seen below:

    The link goes to various compromised web sites. We have identified more than 2,000 distinct URLs used in this attack, distributed over 374 domains. On average, each compromised domain hosted 5 separate malicious landing pages.

    As we mentioned earlier, this particular campaign was not the only spam run we investigated. We found clear evidence that all these attacks were linked: in many cases, the same sets of compromised URLs were used by multiple spam runs. This suggests that at least some of the parties responsible for these attacks overlapped, if the runs were not the work of the same group altogether.
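The analysis above rests on two measurements: how many distinct landing pages each compromised domain hosts, and which URLs recur across spam runs. The following is an added example, not code from the TrendLabs post, showing how both can be computed from per-campaign URL lists; the URLs in `SPAM_RUNS` are constructed placeholders, not indicators from the investigation, and the run names are likewise assumed.

```python
"""Added example (not from the TrendLabs post): cluster compromised landing-page
URLs from several spam runs by domain, and measure URL overlap between runs.
Every URL below is a constructed placeholder, not an indicator from the post."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data: spam run name -> landing-page URLs seen in that run.
SPAM_RUNS = {
    "facebook": [
        "http://example-a.test/wp-content/fb.html",
        "http://example-a.test/images/friend.html",
        "http://example-b.test/cgi/index.html",
        "http://example-c.test/fb/request.html",
    ],
    "usairways": [
        "http://example-a.test/wp-content/fb.html",   # shared with the facebook run
        "http://example-b.test/cgi/index.html",       # shared with the facebook run
        "http://example-d.test/ticket.html",
    ],
    "linkedin": [
        "http://example-e.test/invite.html",
    ],
}


def domain_of(url):
    """Return the host part of a URL, lower-cased and without the port."""
    return urlsplit(url).hostname or ""


def pages_per_domain(urls):
    """Map each compromised domain to the set of distinct landing pages on it."""
    by_domain = defaultdict(set)
    for u in urls:
        by_domain[domain_of(u)].add(u)
    return by_domain


def campaign_summary(urls):
    """Distinct URL count, domain count and mean pages per domain: the three
    figures the post reports for the Facebook run."""
    by_domain = pages_per_domain(urls)
    distinct = set(urls)
    n_dom = len(by_domain)
    return {
        "urls": len(distinct),
        "domains": n_dom,
        "avg_pages_per_domain": len(distinct) / n_dom if n_dom else 0.0,
    }


def shared_urls(runs):
    """For every pair of runs, the URLs seen in both. A non-empty set is the
    shared-infrastructure evidence that links two campaigns."""
    names = sorted(runs)
    out = {}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            common = set(runs[a]) & set(runs[b])
            if common:
                out[(a, b)] = common
    return out


def linked_runs(runs):
    """Group runs into clusters connected by at least one shared URL
    (union-find over the pairwise overlaps)."""
    parent = {n: n for n in runs}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in shared_urls(runs):
        parent[find(a)] = find(b)
    clusters = defaultdict(set)
    for n in runs:
        clusters[find(n)].add(n)
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    for name, urls in SPAM_RUNS.items():
        print(name, campaign_summary(urls))
    print(shared_urls(SPAM_RUNS))
    print(linked_runs(SPAM_RUNS))
```

On real data the URL lists come from the spam corpus (the links in the messages) and from the redirect chains those links produce; the clustering is deliberately conservative, since a single shared URL between two runs already implies access to the same compromised host.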


    Posted in Bad Sites, Malware, Spam (post: Persistent Black Hole Spam Runs Underway)

    Mobile security researchers reported the emergence of an Android malware called Tigerbot. The said malware is actually an app called Spyera, which we detect as ANDROIDOS_TIGERBOT.EVL. The said app was found in third party Chinese app stores.

    We tried to analyze this app to check if it is indeed malicious. Below are our findings:

    When installed, ANDROIDOS_TIGERBOT.EVL shows a different icon, usually that of a legitimate application. Some malware use the same routine to trick users into thinking that it is a harmless file. The fact that Tigerbot uses the same installation routine raises questions about the intention of this application.


    Tigerbot is controlled via either SMS or phone calls. It is capable of recording phone calls, tracking the device via GPS, or rebooting a device. Digging deeper into its routines, we found several commands that are of dubious nature:

    • DEBUG – initially checks running processes and the configuration of the Spyera app, then connects to a URL to check network status
    • CHANGE_IAP – changes the phone’s APN (Access Point Name)
    • PROCESS_LIST_ADD – adds a phone process name to a list (the list is used to kill processes)
    • PROCESS_LIST_DELETE – deletes a phone process name that is in the list
    • ACTIVE – activates the copy of Tigerbot
    • DEACTIVE – deactivates the copy of Tigerbot

    The above-listed capabilities can be used maliciously to exfiltrate private information to an attacker. These are among the reasons why we are detecting the application as malware.

    The following details the 4 different command sets used by Tigerbot:

    Command Set A
    The following commands may be used by an attacker to gather information from the device:

    SMS Command   Name    Description
    * *           DEBUG   Returns currently running process names and the current
                          configuration, and attempts to verify the Internet connection.


    Upon receiving the DEBUG command, Tigerbot will:

    1. Immediately return the currently running process names. This gives the sender a way to identify the victim.
    2. After 12 seconds, return Tigerbot’s configuration, but only if the copy is not yet activated.
    3. After 20 seconds, check the network status by connecting to a URL and return the result to the SMS sender.
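To make the command handling above (the six SMS commands listed earlier and the staged DEBUG response) easier to reason about, here is an added model of that behaviour. It is not the malware’s own code and not from the post; the “<COMMAND> [argument]” message syntax, the reply strings and the placeholder process, configuration and APN values are all assumptions, since the post shows only the command names and the timing of the DEBUG steps.

```python
"""Added example (not the malware's code and not from the post): a model of the
SMS command handling described for ANDROIDOS_TIGERBOT.EVL. Message syntax
"<COMMAND> [argument]", reply strings and all state values are assumptions."""
from dataclasses import dataclass, field


@dataclass
class TigerbotModel:
    active: bool = False
    apn: str = "internet"                       # assumed default APN
    kill_list: set = field(default_factory=set)  # PROCESS_LIST_ADD/DELETE target
    # Constructed placeholder state, not values recovered from the sample.
    running_processes: tuple = ("com.android.phone", "com.example.bank")
    config: dict = field(default_factory=lambda: {"version": "x", "number": "+1000"})
    network_ok: bool = True

    def handle_sms(self, body):
        """Dispatch one incoming SMS. Returns the scheduled replies as a list of
        (delay_seconds, reply_text); DEBUG is the only multi-stage command."""
        parts = body.strip().split(None, 1)
        if not parts:
            return []
        cmd = parts[0].upper()
        arg = parts[1].strip() if len(parts) > 1 else ""
        handler = getattr(self, "_cmd_" + cmd.lower(), None)
        if handler is None:
            return []               # ordinary text is ignored, never echoed
        return handler(arg)

    def _cmd_active(self, _):
        self.active = True
        return [(0, "ACTIVE OK")]

    def _cmd_deactive(self, _):
        self.active = False
        return [(0, "DEACTIVE OK")]

    def _cmd_change_iap(self, apn):
        if not apn:
            return [(0, "CHANGE_IAP ERR")]
        self.apn = apn
        return [(0, "APN=" + apn)]

    def _cmd_process_list_add(self, name):
        if name:
            self.kill_list.add(name)
        return [(0, "KILL_LIST=" + ",".join(sorted(self.kill_list)))]

    def _cmd_process_list_delete(self, name):
        self.kill_list.discard(name)
        return [(0, "KILL_LIST=" + ",".join(sorted(self.kill_list)))]

    def _cmd_debug(self, _):
        # Step 1: process list at once. Step 2: configuration after 12 s, but
        # only while the copy is not yet activated. Step 3: network check after 20 s.
        replies = [(0, "PROCS=" + ",".join(self.running_processes))]
        if not self.active:
            cfg = ";".join(f"{k}={v}" for k, v in self.config.items())
            replies.append((12, "CONFIG=" + cfg))
        replies.append((20, "NET=" + ("OK" if self.network_ok else "FAIL")))
        return replies

    def processes_to_kill(self):
        """Running processes that match the kill list, i.e. what the list is for."""
        return [p for p in self.running_processes if p in self.kill_list]


if __name__ == "__main__":
    bot = TigerbotModel()
    for sms in ("DEBUG", "PROCESS_LIST_ADD com.example.bank", "ACTIVE", "DEBUG"):
        print(sms, "->", bot.handle_sms(sms))
    print("would kill:", bot.processes_to_kill())
```

The point of the model is the activation gate: before ACTIVE, a single DEBUG message yields the process list, the configuration and a connectivity check, so an SMS log showing one inbound message followed by replies at roughly 0, 12 and 20 seconds to the same number is a usable behavioural indicator even without the sample in hand.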


    Posted in Malware, Mobile (post: A Closer Look at ANDROIDOS_TIGERBOT.EVL)


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice