    Archive for June 12th, 2012

    As we mentioned last week, this month’s Patch Tuesday includes the release of what Microsoft calls an updater feature for Windows Vista and 7. This updater automatically checks for and flags untrusted certificates from time to time. The checking relies on a list of untrusted certificates that Microsoft updates. Trend Micro Deep Security users, on the other hand, must apply rule 1005040 – Detected Unauthorized Digital Certificate to protect against components of the FLAME malware, which were known to use Microsoft certificates.

    Of the seven bulletins released this month, three are rated Critical while the rest are rated Important. The Critical-rated bulletins are updates for Remote Desktop Protocol, versions 6 to 9 of Internet Explorer, and several versions of Microsoft .NET Framework. The vulnerabilities in these Microsoft products and components allow remote code execution when successfully exploited. Users should apply the patches for these vulnerabilities immediately, whenever possible.

    As guidance for Trend Micro Deep Security users, a complete list of rules and information on the bulletins can be found in this Threat Encyclopedia page.

    Posted in Malware, Vulnerabilities | Comments Off on June 2012 Patch Tuesday Includes Flagging for Untrusted Certificates

    As a continuation of our efforts to protect customers as outlined in our previous post, this post is an update on the current Black Hole Exploit Kit spam run activity. We’ve been identifying Black Hole Exploit Kit spam runs for a while and so far, activity remains high. These spam runs remain a concern for organizations spoofed by spammers, owners of compromised websites, and the users receiving these phishing emails. The solutions we’ve released for these spam runs, built on unique insight from big data analysis and the power of Trend Micro Smart Protection Network, are still effectively detecting and addressing email sent by spammers.

    Changes in Black Hole Exploit Kit Spam Runs

    We’ve noticed recently that while the same strategy is still being used, the spammers have now added new legitimate organizations to spoof. Specifically, they mimic legitimate emails from these entities in spam to lure users into clicking the URL in the message. The attack starts with spam containing a link to a compromised website which redirects users to the website where malware is hosted. As mentioned, the difference is that the organizations that are spoofed in the attack have diversified.

    Recent Activity with Diversified Organizations

    The following table includes the dates of recent activity, which also includes some of the new organizations being spoofed by Black Hole Exploit Kit spammers:

    Date       Organizations
    May 29     Bank of America
    May 30     PayPal
    May 31     Monster
    June 1     Century Link
               Detroit Basketball
               The HoneyBaked Ham Company
    June 3     The Federal Reserve System
    June 4     Verizon
    June 5     Amazon
    June 6     AT&T
    June 7     LinkedIn

    Sample Infection Chain

    Below is the infection chain for the Black Hole Exploit Kit spam run that spoofed Amazon, AT&T, and PayPal, which is just one example of the massive spam runs our experts track and release solutions for as the attacks occur:

    As this activity continues, we will keep tracking these runs to ensure that our solutions remain effective, and we will release updated solutions as necessary. Also, in our previous post we mentioned a better way to handle the Black Hole Exploit Kit than focusing on the infection point. Since the email is the initial entry point, detecting these phishing mails is an effective way to combat this threat. We will talk more about the effectiveness of our solution in an upcoming blog post.
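To illustrate detection at the email entry point, the following added example (not Trend Micro's detection logic or code from the original post) flags a message that claims a spoofed brand in its From or Subject header but links to a host outside that brand's domains. The brand-to-domain map, the function names, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: brand keyword -> domains the brand really links to (illustrative).
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
}
URL_RE = re.compile(r"https?://[^\s\"'<>\[\]]+", re.IGNORECASE)

def _on_brand(host, domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def _body_text(msg):
    # Concatenate every text/* part so links in HTML alternatives are seen too.
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def check_message(raw_message):
    """Return findings: brands claimed in From/Subject whose sender or links are off-brand."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    claimed_text = f"{display} {msg.get('Subject', '')}".lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in claimed_text:
            continue
        # The From header is forgeable, so a matching sender proves nothing by itself.
        if not _on_brand(addr.rpartition("@")[2], domains):
            findings.append((brand, "sender-domain-mismatch", addr))
        for url in URL_RE.findall(_body_text(msg)):
            if not _on_brand(urlsplit(url).hostname, domains):
                findings.append((brand, "off-brand-link", url))
    return findings

# Constructed sample messages (not real spam from the runs described above).
SPOOFED = ("From: PayPal <service@paypal.com>\nSubject: Your PayPal receipt\n"
           "Content-Type: text/html\n\n"
           '<a href="http://compromised-site.example/wp/index.html">View details</a>\n')
GENUINE = ("From: PayPal <service@paypal.com>\nSubject: Your PayPal receipt\n\n"
           "See https://www.paypal.com/activity for details.\n")
```

The spoofed sample passes the sender check because its From header is forged, and is caught only by the link pointing at an unrelated site, which is the redirect step of the chain described above.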

    Posted in Bad Sites, Malware, Spam | Comments Off on Same Operation, Diversification of Targets Being Spoofed: Current Black Hole Exploit Kit Spam Runs

