Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2012
    S M T W T F S
    « Jul   Sep »
  • Email Subscription

  • About Us

    Archive for August 14th, 2012

    During the last weeks of July, we received reports from customers that their services.exe files were being patched by an unknown malware. The patched services.exe, detected by Trend Micro as PTCH_ZACCESS (for 32-bit version) and PTCH64_ZACCESS (for 64-bit version), was verified to be a component of the SIREFEF/ZACCESS malware family. ZACCESS (also known as ZEROACCESS) used this patched system file to run its other malicious components upon reboot. This proved to be a new variant of SIREFEF/ZACCESS, which now uses user-mode technique to stealthily load its malicious code, instead of using regular rootkit techniques.

    Investigating these cases further using the Trend Micro™ Smart Protection Network™, we were able to locate the main malware (BKDR_ZACCESS.SMQQ) responsible for patching services.exe. We also identified all of the components related to its infection routine. We found that the infection started with the execution of K-Lite Codec Pack.exe (downloaded by the user) and resulted to the patching and executing of the patched services.exe.

    ZACCESS Social Engineering Technique

    This malware propagates by bundling the main malware in crack/keygen applications or game installers. It can also disguise itself as a required codec that needs to be installed to play a downloaded movie via peer-to-peer (P2P) applications, which can be found on sites dedicated to keygen apps or in P2P services. Below are some of the names used. Note that these file names contain popular movies:

    Downloaded binary via P2P:

    • %P2P DL folder%The_Hunger_Games_2012_DVDRip_XviD_AMVK-Lite Codec Pack 9.0.exe
    • %P2P DL folder%Alien_1979_DVDRip_XviD_FKGK-Lite Codec Pack 9.0.exe
    • %P2P DL folder%The_Amazing_Spider-Man_2012_DVDRip_XviD_YKGK-Lite Codec Pack 9.0.exe
    • %P2P DL folder%John_Carter_2012_DVDRip_XviD_IINK-Lite Codec Pack 9.0.exe
    • %P2P DL folder%The_Dark_Knight_Rises_2012_DVDRip_XviD_QEVK-Lite Codec Pack 9.0.exe

    %P2P DL folder% refers to the P2P folder where the file is being saved after downloading it.
    Downloaded binary via direct download:

    • Diablo_III_crack.exe
    • Microsoft_Office_Professional.crack.exe
    • Youtube_Grabber_Keygen.exe

    Read the rest of this entry »


    With the 2012 Olympics officially closed, it’s worth looking back at the types of online scams we saw that tried to exploit the good name of the Olympics for illegal profit.

    We saw two primary lures for Olympic scams: fake streaming sites, and tickets for sale. These two scams accounted for approximately two-thirds of Olympic-related malicious sites that were encountered in the months of July and August. Other scams encountered included fake mobile apps, illegal TV cards, fraudulent goods, and typosquatting sites.

    Fake streaming sites

    • The primary purpose of these fake live streaming sites was, supposedly, to offer discounts for satellite TV for PC scams. In general, the sites let users click on fake video players, but clicking on these links instead redirects them to the said scam via legitimate (but abused) URL shorteners like The scammers use this to generate web analytics for their sites. To promote these, events on Facebook are created that link to these scam sites.
    • The events most targeted by streaming scams were: tennis, basketball, and athletics. The men’s and women’s tennis gold medal matches were particularly singled out for attention.
    • Around two-thirds of the sites created for this purpose used generic keywords like London 2012 Olympics. 17% of the sites were tied in to one match/event, while 8.6% tied to the opening or closing ceremonies. The total number of fake streaming sites was over 300.
    • Some of the most used keywords for fake live streaming sites were:
      Key Word Percentage
      2012 79%
      Olympics 67%
      live 63%
      London 46%
      stream 43%
      watch 23%

    Read the rest of this entry »

    Posted in Bad Sites | Comments Off on Fake Streaming Sites: Most Used Olympics-Related Scam


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice