TrendLabs Security Intelligence Blog

    Archive for December 7th, 2012
During the first half of the year, we saw targeted attacks leveraging the Syrian conflict and observed how the DarkComet backdoor RAT was used in them, which we documented in the following blog posts:

After the report that the Anonymous collective, via its OpSyria or Operation Syria campaign (which targeted the Syrian government), recently leaked documents from the Syrian Ministry of Foreign Affairs (MoFA), our friends at Kaspersky discovered that the same Syrian government institution had been the subject of a targeted attack via an email with a malicious .PDF attachment. That email message was sent to them on December 5, 2011.

We decided to investigate this further and found that the targeted email attacks continued until March 2012 (or possibly even beyond that), as seen in the snapshots below. One was sent to {BLOCKED}n@mofa.gov.sy and the other to {BLOCKED}k@mofa.gov.sy, both from the sender {BLOCKED}bi@mofa.gov.sy. This is also the sender email address cited in the Kaspersky (KAV) report.

    The messages translate to the text below:

    Colleagues in the office of codes
Please inform us about the receipt of the telegram No. 23
    With thanks
    Embassy / Abu Dhabi

    Please open or download attachments.
    Best wishes!

Malware writers have devised many social engineering tactics to lure users into their schemes. This time around, we saw a Trojan passing itself off as a Trend Micro component as a way to trick users into downloading and executing it.

We recently encountered a file with the following properties (see below). To the untrained eye, this file can be mistaken for a Trend Micro product or component. During our analysis, however, we verified that the file is a Trojan in disguise. We believe that by spoofing Trend Micro file properties, the people behind this threat hope to trick unwitting users into executing it. This malware is already detected by Trend Micro as TROJ_RIMECUD.AJL.

When a user executes TROJ_RIMECUD.AJL, it creates an svchost.exe process and injects its malicious code into it. Once that is done, the malware downloads a component package (refer to Figure 2).

In two recent blog posts (The Risks of the Out of Office Notification and Other Risks from Automatic Replies) we discussed the possible threats from automatic email replies. From out-of-office notifications to read notifications to non-delivery receipts, they all allow information to be leaked, and that information can then be exploited. So what can administrators and users do to deal with this threat and help secure their environment?

While we have always stressed the importance of user education, in this particular case it should be reinforced with strong server settings. There is no reason to rely only on user settings, which can be (and frequently are) set improperly.

Enterprise email servers have fairly granular control over whether out-of-office notifications are sent or not. A good practice is to limit out-of-office notifications to recipients within the organization only. If external parties need to receive these notifications, they can be whitelisted as necessary. The default, however, should be that external parties are not sent out-of-office notifications.
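As an added illustration (not part of the original post), here is how that default-deny-with-whitelist policy looks on one such server, assuming Microsoft Exchange and its Exchange Management Shell; the partner domain name is a constructed placeholder:

```powershell
# Added example (not from the original post): restrict automatic replies to
# external recipients on an assumed Exchange Server using remote-domain
# settings. The partner domain below is a constructed placeholder.

# Show what the built-in "Default" remote domain (DomainName "*", i.e. every
# external domain not matched by a more specific entry) currently permits.
Get-RemoteDomain -Identity Default |
    Format-List Name, DomainName, AutoReplyEnabled, AllowedOOFType, NDREnabled, DeliveryReportEnabled

# Weak but common state: out-of-office replies, NDRs and delivery reports all
# leave the organization for any external domain.
# Set-RemoteDomain -Identity Default -AutoReplyEnabled $true -AllowedOOFType External

# Hardened default: no automatic replies, non-delivery reports or delivery
# reports to any external domain. Internal recipients are unaffected, since
# remote-domain settings only govern mail leaving the organization.
Set-RemoteDomain -Identity Default `
    -AutoReplyEnabled $false `
    -AllowedOOFType None `
    -NDREnabled $false `
    -DeliveryReportEnabled $false

# Whitelist one external partner that genuinely needs out-of-office notices.
# A remote domain with a specific DomainName takes precedence over "*".
New-RemoteDomain -Name "Partner OOF" -DomainName "partner.example.invalid"
Set-RemoteDomain -Identity "Partner OOF" -AutoReplyEnabled $true -AllowedOOFType External

# Verify the resulting policy across every configured remote domain.
Get-RemoteDomain |
    Format-Table Name, DomainName, AutoReplyEnabled, AllowedOOFType, NDREnabled, DeliveryReportEnabled -AutoSize
```

Disabling external NDRs also suppresses legitimate bounce notices to outside senders, so weigh that against the address-harvesting risk the post describes before applying it organization-wide.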
