A wave of WORM_VOBFUS variants has recently emerged with some variants even spreading through Facebook. But based on initial analysis, this crop of WORM_VOBFUS presents no new routines. For good measure, users are encouraged to observe best practices such as disabling Autorun feature and updating their antivirus program with the latest pattern, just to name a few.

What You Need to Know About WORM_VOBFUS

WORM_VOBFUS takes advantage of Windows Autorun feature to drop copies onto removable and mapped network drives. They also arrive as downloaded or dropped files of other malware family. Users may unknowingly download WORM_VOBFUS variants when visiting malicious sites.

These variants were also reported to be spreading on Facebook, usually using (but not limited to) sexually-suggestive file names to pique users’ interest.

The VOBFUS malware drops copies of itself in removable drives using the file names of the user’s folders and files with the following extensions:

• .avi
• .bmp
• .doc
• .gif
• .jpe
• .jpg
• .mp3
• .mp4
• .mpg
• .pdf
• .png
• .tif
• .txt
• .wav
• .wma
• .wmv
• .xls

This worm hides these files mentioned above as original files and folders. Thus, users may think that they are clicking normal files or folders, while in fact these are WORM_VOBFUS variants in disguise. Like your typical worm, it drops an AUTORUN.INF to automatically execute the file when the drive is accessed.

To know if system is infected, users must check for the following files:

• {drive letter}:\Passwords.exe
• {drive letter}:\Porn.exe
• {drive letter}:\Secret.exe
• {drive letter}:\Sexy.exe

This worm connects to a remote site where it downloads and executes other malware. Specifically, it connects to the following sites:

• http://{random number}.ddns1.eu/{random characters}?{random character}
• http://{random number}.ddns1.eu/{random characters}/?{random character}

Once the file is downloaded it is saved as %User Profile%\google.com (detected as TSPY_BANCOS.JFB). However, some sites where this malware connects to are already inaccessible.

Read the rest of this entry »

Because of its promise of improved feature and security, Windows 8 is naturally making waves in the tech industry and among ardent Windows users. Unfortunately, we are all too aware of the pitfalls of popularity when it comes to online security. It’s just a matter of time before cybercriminals will take advantage of Windows 8′s popularity.

We got hold of two samples that are packaged as key generator apps for Windows 8, which are available on http://{BLOCKED}en2eqqh2.cloudfront.net. Key generators are used to generate serial numbers and are typically used for bootleg copies of a paid software. Based on our analysis, the apps we’ve found are malicious. Trend Micro detects these as ADW_SOLIMBA and JOKE_ARCHSMS respectively.

When executed, ADW_SOLIMBA displays a fake message informing users to click ‘OK’ to download Windows 8 via the web browser. On the other hand, JOKE_ARCHSMS purports as a Windows 8 activator. Similar to ADW_SOLIMBA, JOKE_ARCHSMS also displays images to trick users into thinking that they can activate Windows once they have sent an SMS to a certain number. In addition, it also connects to the following URLs for click fraud:

• http://{BLOCKED}rchant.net/api/open.php?aid=2102499&v
• http://{BLOCKED}rchant.net/50qjpr21e2bd/2102499/

Read the rest of this entry »

Thinking of updating your web browsers? Just make sure that you download from legitimate sources, instead of downloading malware disguised as browser updates onto your system.

Just recently, we were alerted to a report of several websites offering updates for Internet browsers like Firefox, Chrome, and Internet Explorer just to name some. Users may encounter these pages by clicking malicious ads.

The bad guys behind this threat made an effort to make this ruse appear legitimate. These pages, as seen below, were made to look like the browsers’ official sites. To further convince users to download the fake update, the sites even offers an integrated antivirus protection:

Instead of an update, users download a malware detected as JS_DLOADR.AET, which was found capable of changing the downloaded binary to have a different payload.

The malicious JavaScript, in turn, downloads TROJ_STARTPA.AET and saved it as {Browser Download Path}\install.exe. Based on our initial analysis, the Trojan modifies the user’s Internet Explorer home page to http://{BLOCKED}rtpage.com, a site that may host other malicious files that can further infect a user’s system.

Read the rest of this entry »

This is the second in a series of blog posts describing the mobile threat landscape in Japan. The first one may be found here. 

Smartphone users in Japan are able to download a wide variety of apps, many of which are either inexpensive or free. Not all of these actually meet what users expect in terms of features, and some even introduce risks that users may not fully understand. In this blog entry, I will report the privacy risks caused by certain apps that we have looked into.

The Ad Delivery Cycle for “Free” Apps

As mentioned in the first entry, we define those apps that demonstrate the following routines without user consent as high-risk apps (referred as “ego apps” in Japan):

• Displaying pop-up ads
• Getting the user’s private information

One reason these apps are significantly increasing lately is the way that ads are sold in Japan.

As you can see in this graph, these ad agents/networks provide software development kits (SDKs) for app developers. By inserting the SDK-provided code into their apps, app developers can have ads appear inside their apps. They would then earn money from how many ads are viewed and/or clicked. This revenue allows the developer to charge little or no money for his app.
Read the rest of this entry »

This part of the year is a popular time for people to buy their electronic gadgets, including smartphones. With this in mind, three major smartphone platforms – iOS, Android, and Windows Phone – have all been updated with new versions for this year’s shopping season.

To give users an overview of this development, this month’s Monthly Mobile Review focuses on the new security features in each of these updates – namely, iOS 6, Android 4.2 (Jelly Bean), and Windows Phone 8.

Apple’s iOS 6 primarily focuses on improvements to the user’s personal data, with settings that control which apps have access to your information, and can even control what kind of information each app has access to. Similarly, Jelly Bean’s security improvements include an integrated scanner for malicious apps, as well as improvements in how Android displays the permissions an app is asking for. Not to be outdone, Windows 8 for mobile offers a multi-layer protection and boasts three key security features.

In addition to looking at the mobile platforms, we also examined the security of using near-field communication (NFC) and discussed tips that consumers can follow to use NFC securely.