    Archive for July, 2012

    The long-awaited London Olympics 2012 has officially opened. Apart from the fraudulent website that claims to sell tickets and another website that sells illegal cards to Japanese users, we also spotted several fake live streaming sites leveraging this sporting event. Some of these are the following:
    When users searched for the keywords “watch london olympics opening ceremony live,” “watch london olympics online,” and “watch london olympics 2012 live,” the above-mentioned websites appeared among the top search results, a placement obtained through blackhat search engine optimization (BHSEO).

    Upon analysis, some of these sites redirected to fake live broadcasts of London Olympics 2012 and contained a link for buying cheap but bogus tickets. The said URL has been previously discussed in this blog entry.

    Other fake live streaming sites redirect to another site that requires an email address. This lets cybercriminals harvest email addresses, which may then be used in their spamming activities.

    We were also alerted to reports of malicious websites disguised as the Google Play store. The webpage content is written in Russian and has a search box. When users search for a London Olympics-related application, a rogue application named London2012-Official game appears. The said site also contains a QR code and a download button. Once unsuspecting users click the download button, they are redirected to a web hosting site that serves a variant of the ANDROIDOS_SMSBOXER malware family. This malware is notorious for sending messages to premium-rate numbers without the user’s consent.


    In the same bogus Google Play store, we also saw another rogue application (called The Dark Knight Rises mobile game) leveraging the movie, The Dark Knight Rises.

    Users are strongly advised to download apps related to the London Olympics only from the official Google Play store and to watch live streams only on legitimate sites.

    Trend Micro™ Smart Protection Network™ protects users from these threats by blocking all the related URLs and detecting the malicious file.

    For more information on threats leveraging sporting events like Olympics, visit Race to Security.

    Additional text provided by Fraud Analyst Paul Pajares.

    Hat tip to Jovi Umawing for first writing about the malicious Olympics-related app in Google Play store.


    We know that threat actors take time to study the network environments of their prey. As employees go more and more mobile, the emergence of mobile malware in targeted attacks seems to be a logical progression. For the past few months, however, this notion has been all speculation—and we wondered, not if, but when it would happen.

    Today, we can say for sure: it has.

    At DEFCON, we presented for the first time that file-infecting viruses could be written for Android, and we are now seeing the first tangible evidence that threat actors are expanding their target base to mobile platforms. Specifically, while monitoring a Luckycat C&C server, we discovered two APKs that are in the early stages of development. You will recall the Luckycat report as one of the more comprehensive write-ups about a targeted attack operating inside enterprise networks.

    The Android apps we found had RAT-like functionality. They can explore a device to seek out sensitive information. They can upload this information to remote servers. They can also download files to acquire a newer version of the malware.

    A remote shell is also available as one of the commands in the apps but the current APKs appear incomplete in this regard. In fact, overall, the apps look like they are still in the early stages of development.

    What do these findings mean?

    For the BYOD phenomenon, the existence of these apps demonstrates even more vividly the risks of allowing smartphones and tablets to connect to the corporate network in an insecure manner. Mobile devices may be small, handy, and convenient, but they expose users to the same threats that used to be the sole domain of the desktop.

    When it comes to targeted attacks, this development suggests that threat actors are actively adapting to the network environment trends of their targets, in this case the influx of mobile devices into corporate networks. In the paper, we also touch on SABPUB, a Mac malware used in the Luckycat campaign; Mac OS X has long been considered an “alternative” OS that cybercriminals overlook in favor of Windows.

    Read about this important finding in Adding Android and Mac OS X Malware to the APT Toolbox authored by our researchers Nart Villeneuve, Ben April, and Xingqi Ding. Click the icon below to download the paper.

    APT Toolbox Android Mac OS X Malware Paper

    Posted in Bad Sites, CTO Insights, Mobile, Targeted Attacks | Comments Off on DEFCON 2012: Android Malware in Luckycat Servers

    Cybercriminals are fond of capitalizing on big sporting events, and it doesn’t get any bigger than the Olympics. With a worldwide audience, this prestigious event is more than just a prime target for cybercriminals, it’s a huge money-making opportunity.

    You can be sure, then, that these thieving digital miscreants are all racing to make you their latest victim. Not only that, they’re already out of the gate even before the opening ceremonies, each one eager to be the first to hand you a baton of threats.

    The first pass was made a few days ago when we detected a fraud website advertising itself on Facebook, claiming to sell tickets to the event. Upon further analysis, it was revealed to be a phishing website, created to collect personal information from unsuspecting victims.

    The second one was spotted to be targeting Japanese users. A website was found selling illegal cards that would allow users to view the Olympics for free. The website itself processes user payments in an unsafe manner, which could present certain risks to users’ financial information.

    Cybercriminals have not been slacking on the email front, either, as more than 50 spammed mails have been discovered, all of them scams related to the 2012 London Olympics. One of them claims to be a notification for an Olympic Email Lottery winner, with the user supposedly winning a large sum of cash.

    We’re sure that this is only a preview of things in terms of the relay race cybercriminals are running to take advantage of the Olympics. Do you have what it takes to make sure they don’t come in first? To help prepare yourself, check out our infographic:

    Posted in Social | Comments Off on Relay Race To Ruin: Cybercrime in the Olympics

    We’ve encountered new malware for Mac OS X systems, which we detect as OSX_MORCUT.A. We found this just as a new Mac OS X version, Mountain Lion (10.8), was being released via the Mac App Store.

    OSX_MORCUT.A acts as a backdoor, giving attackers remote access to infected systems. From there, its capabilities are broadly similar to those of backdoors on Windows systems: search for files, check for network connections, download and upload files, execute commands on the affected machine, and even uninstall itself. It also has a rootkit component, which it uses to hide its files and processes.

    What is somewhat unusual is this malware’s ability to record audio. Because almost all Macs sold today have some sort of built-in microphone, it means that an infected Mac could, in effect, serve as a surveillance device. Together with its other observed behaviors, this suggests that OSX_MORCUT.A was meant as a sophisticated information theft tool, perhaps used in targeted attacks. The number of self-described decision makers and power users who do run Macs makes one wonder if this was the goal in the first place.

    Our investigation also revealed that it runs on previous Mac OS X versions (Leopard, Snow Leopard, and Lion), but not on Mountain Lion. One wonders why this malware suddenly appeared on the same day as a new OS X version was released, with no ability to operate on the latest OS version. However, concluding that OSX_MORCUT.A cannot run on Mountain Lion may be premature, as we know malware creators are capable of “updating” and spawning variants within hours. With Mountain Lion’s release, it is likely that we will soon see newer samples, or even a new threat, that will attempt to target Mountain Lion.

    Macs, like Windows or any other operating system, are not immune to malware. The presence of a rootkit component in this threat also highlights the increasing sophistication of Mac threats. Coupled with the habit of deferring updates to a later time, this might cause serious problems for Mac consumers and enterprises supporting Macs alike.

    Posted in Bad Sites | Comments Off on Crisis/MORCUT Malware on OS X: Why Should Users Care?

    We found a spam mail written in Japanese leveraging the Olympics to sell illegal products. We fully expected this event to be used by cybercriminals to profit. It appears that among the first to strike are sellers of B-CAS cards for TVs, which are supposed to allow the users to watch the Olympics without paying.

    These spammed messages, which have the subject line オリンピック全日程が見放題 (“Free access to all Olympic games” in English), contain a link leading to websites selling the illegal B-CAS card. The message itself says that normally you have to pay more than 400,000 Japanese yen (more than 5,000 US dollars) per year to watch premium channels, whereas the (illegal) B-CAS cards allow you to watch these channels for free.

    The website of these illegal cards describes these cards as “miracle cards” in Japanese:

    The order form, which asks the user for their name, email address, number of cards to be bought, shipping address, and contact information, does not use HTTPS, which all reputable vendors use to protect the transaction from interception. Not only is the site selling illegal goods, it is also set up in a manner that would be insecure for any online commerce site.

    We have identified the server as being located in Hong Kong because of its IP address. Other landing pages for sites also selling B-CAS cards are located on this server as well.

    Here are some of the malicious URLs that we found on the server:
    Note that the above URLs are all hosted on a single IP. The following diagram shows the relationship between the various sites and this single IP address, as well as the overall infection chain:

    The Trend Micro™ Smart Protection Network™ protects users from this threat by preventing the spammed messages from even reaching users’ inboxes via the Email Reputation Service. It also blocks access to malicious sites via the Web Reputation Service. We have blocked more than 2,500 attempts by Japanese users to access these sites in the last 30 days.

    We advise users to not purchase anything from these sites, as they could face criminal prosecution for merely buying these devices. Recently, the Kyoto Prefectural Police announced they had arrested both buyers and sellers of illegal B-CAS cards.

    With the Olympics only days away from starting, we expect other threats related to this event soon. Here are some blog entries and Web Attack entries that discuss similar threats:
    For complete information on the latest Olympic-themed threats, including quizzes and safety guides, visit Race to Security, the Trend Micro security guide to major sporting events such as the Olympics, by clicking the banner below:
    Posted in Bad Sites | Comments Off on Illegal TV Cards Allowing Free Olympic Viewing Sold Online
    © Copyright 2013 Trend Micro Inc. All rights reserved.