Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    May 2012
    S M T W T F S
    « Apr   Jun »
  • Email Subscription

  • About Us

    Archive for May, 2012

    A few weeks ago, we have been alerted by our colleagues from Korea to a specially crafted Hangul Word Processor document (.hwp) that exploits an application vulnerability in the Hancom Office word processing software. The file extension .HWP is a popular Korean word processor file format – just the right format for targeting Korean prospective victims, which might be the case here.

    Detected as TROJ_MDROP.ZD, this specially crafted document arrived as an attachment of an email, which used a recent murder case in Korea as social engineering ploy. The email was sent to numerous employees of a prominent Korean company.

    Upon opening the malicious attachment, TROJ_MDROP.ZD exploits a still unidentified vulnerability in order to drop and execute the backdoor BKDR_VISEL.FO in the background. This backdoor gives remote access to a potential attacker, who may perform malicious routines on the infected machine. Based on our analysis, BKDR_VISEL.FO also terminates processes related to specific antivirus programs, making its detection and removal difficult. The backdoor also downloads and executes other malicious files, leaving the compromised system susceptible to further infection and data theft.

    After execution, TROJ_MDROP.ZD replaces itself with a non-malicious .HWP document in order to prevent the user from suspecting any malicious activity. This decoy document contains the following Korean text:

    A Recon for Future Attacks

    Judging from the profile of the target company, a successful infection may lead to mass pilfering of personal data of their customers. Add the fact that .HWP is the Korean government’s de facto standard wordprocessor format, what we may be seeing now is a reconnaissance phase of a future, larger, regional attack.

    With this incident, we may be seeing attackers gradually taking advantage of vulnerabilities in local-based applications. Hancom Office is also not the first of its kind to be exploited by attackers. We previously reported a case wherein malicious users abused vulnerabilities found in the Japanese-language word processor Ichitaro. Successfully exploiting these lead to the installation of a backdoor. Both incidents prove that using regional software does not guarantee absence of malware attacks. In this case the Word Processor vendor, who adopted a specific third-party module that may have contained the vulnerability, needs to pay attention to industry’s CVE information too and get ready to update.

    This highlights the importance of security, specially for organizations whose services include storing customer information. A successful compromise to an organization not only puts their customers at risk, but also easily tarnishes their reputation. Fortunately in this case, proper mitigation steps were executed immediately. However, we must stay vigilant, as this is not the last time we’ll be seeing threats of this kind.

    Trend Micro protects users from this threat via Trend Micro™ Smart Protection Network™ that detects and deletes the related malware. It also blocks the related message and prevents it from even reaching users’ inboxes.

    We will update this blog entry once we get more details about the said vulnerability.

    With additional insights from Thomas Park

    Update as of May 25, 2012 3:23 AM PST

    Based on our analysis, TROJ_MDROP.ZD triggers a buffer overflow that stems from the plug-in file HNCTextArt.hplg, which HWP.EXE uses to process .HWP files. HNCTextArt.hplg contains a code that copies a wide character string, including the null termination character, from the source to the destination. The source string must contain a null terminated character. In the case of this malicious .HWP file, the wide character string being copied does not contain the said null terminated character, resulting in an infinite loop.

    Because of this, HNCTestArt.hplg copies the data repeatedly until an exception occurs. This triggers the malicious shell code inside the malicious .HWP file. The said code decrypts, drops, and executes the PE file and the non-malicious HWP file, which serves as the decoy.

    With additional analysis from Jason Pantig

    Posted in Exploits, Malware, Targeted Attacks, Vulnerabilities | Comments Off on Specially Crafted .HWP File Used for Korean Targeted Campaign

    During my investigation of mobile threats in the wild, I discovered a spytool, which is currently available on Google Play, that is actively being discussed on certain hacker forums. This tool’s beta version is available on the site since March 11. An estimated 500 – 1000 users have already downloaded the said spytool, which Trend Micro detects as ANDROIDOS_SMSSPY.DT.

    Based on our analysis, this spytool gathers SMS messages from an infected mobile device and sends these to a remote FTP server at regular times set during the app’s installation. Below is the particular code embedded in the malicious app that executes the FTP Upload task that sends the stolen messages to defined FTP servers.

    Affected users are at risk of having their personal and sensitive information stolen by potential attackers, who may use these for malicious purposes.

    As the app is still in its beta testing, spying on a mobile device using this tool poses certain challenges. First, it should be installed onto the target device without the victim knowing about it. Second, potential attackers would need to setup their own FTP servers, which may be difficult for those with less advanced IT knowledge. However, the developers behind this tool are likely to release an updated version that may include features and improvements to make it easier to use.

    Trend Micro users need not worry as their mobile devices are protected from this threat via Mobile Security Personal Edition. Users are advised to activate the lock function of their mobile devices for added security. When installing an app, users should always double-check the required permissions of the app, specially if it requests for permissions beyond its supposed function.

    To know more on how to better protect yourself from threats related to your mobile devices, you may read our comprehensive e-guides below:

    With additional input from Noriaki Hayashi


    The continuing increase in visitors to the Pinterest site may be a primary reason why it’s becoming a hit for cybercriminals’ scams and schemes. In March, we spotted scammers using popular brands to lure users into “pinning” fake posts that led to surveys scams. This new wave of survey scams I found came from my search using “pinterest” as keyword.

    Users who re-pin the posts from the sample above will most likely spread the post.

    In addition, I also spotted posts using URL shorteners such as and When clicked, the shortened URLs/the fake posts lead to any of the following URLs:

    • http://pinterest.{BLOCKED}
    • http://pinterestgift.{BLOCKED}
    • http://pinterests.{BLOCKED}

    Upon clicking the link, users are redirected to a Pinterest-like webpage offering prizes, vouchers, gift cards and others:

    Made to resemble like a typical Pinterest webpage, the fake site features a search field, add+, an about. However, these are mere images and are not clickable. The clickable links are those that redirect to survey scams such as Body Age Quiz.

    After a user fills out the fields required in the scam page, users are also required to enter their mobile numbers. Users who do provide their numbers will receive a code on their mobile phones and will continue to receive unwanted messages, charges and other scams via text message.

    And Via Email, Too

    Another thing I’ve noticed is that the fake site requires an email address:

    Users entering their email addresses are brought to complete several steps to get the supposed offer. Users receive an email claiming to be from Pinterest. The email urges the user to click on the link found in the message body to confirm the subscription. Clicking on the link redirects the user to a Pinterest-like scam page. Again, all the clickable links lead to the same scam pages.

    Upon closer investigation of these attacks, I noticed that before users are redirected to the fake Pinterest sites, the connection passes through ad-tracking sites. This way, the number of visitors are tracked, determining the supposed earnings of the scammers. Based on our data, the fake Pinterest URLs are being visited since May 2. Fake Pinterest posts hosting scams are likely to spread within Pinterest via users who re-pin the posts. The “offers” in these fake Pinterest posts look enticing after all. Plus, some users would want to ask the rest of the Pinterest community to verify such offers, like this user.

    Pinterest has since removed some of the fake Pinterest posts. Trend Micro users are also protected from these scams by the web reputation technology in our Smart Protection Network™.

    Posted in Social | Comments Off on Bogus Pinterest Pins Lead to Survey Scams

    Recently, Trend Micro researchers encountered a potential vulnerability that affected users of Yahoo! Mail. We discovered several emails used in targeted attacks that contained JavaScript in the “From” field that attempted to launch a Document Object Model (DOM)-based cross-site scripting attack against the recipients of the email. However, we were not able to replicate the attack successfully. We have been in touch with Yahoo! about this problem.They, too, were unable to replicate this attack successfully at that time. However, to protect users against any such problems Yahoo! has strengthened their filters that sanitize user emails in order to protect against these kinds of attacks.

    This is not the first time that vulnerabilities have been found in popular webmail providers. We discussed almost a year ago that some of the major webmail providers – Gmail, Hotmail, and Yahoo! Mail – were all found to have some sort of vulnerability that compromised either the user’s email account or their system. It shouldn’t be a surprise that they’ve become targets as well: just about everyone uses these free services, and users don’t expect these services to have security problems of their own.

    As we’ve highlighted before, vulnerabilities like these are used in targeted attacks. Whether it’s vulnerabilities in user software or cloud-based services like free webmail, vulnerabilities allow attackers to compromise systems without the target being aware that anything has happened. This is extremely useful to attackers as the content compromised email accounts can be stolen by attackers and the account can be used to launch further attacks against the victim’s contacts.


    We recently received reports about private messages found on Facebook and distributing a link, which is a shortened URL pointing to an archive file “”. This archive contains a malicious file named “” and uses the extension “.COM”.

    Once executed, this malware (detected as WORM_STEKCT.EVL) terminates services and processes related to antivirus (AV) software, effectively disabling AV software from detection or removal of the worm. WORM_STEKCT.EVL also connects to specific websites to send and receive information.

    Another noteworthy routine is that this worm downloads and executes another worm, one detected as WORM_EBOOM.AC. Based on our analysis, WORM_EBOOM.AC is capable of monitoring an affected user’s browsing activity such as message posting, deleted posted messages and private messages sent on the websites such as Facebook, Myspace, Twitter, WordPress, and Meebo. It is also capable of spreading through the mentioned sites by posting messages containing a link to a copy of itself.

    Facebook and IM applications are tools to share and connect. Cybercriminals’ use of these tools is nothing new, but there are users who fall prey to these schemes. We recommend users to be conscious with their online behavior, in particular on social media sites. To know more on how you can prevent these threats targeting Facebook and other social media sites, you may read our comprehensive e-guide A Guide to Threats on Social Media.

    Furthermore, with our recent partnership with Facebook, Trend Micro™ protects users via Smart Protection Network™, which blocks access to the related malicious link. The file reputation technology in Smart Protection Network™ detects and deletes both WORM_STEKCT.EVL and WORM_EBOOM.AC.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice