Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    March 2013
    S M T W T F S
    « Feb   Apr »
  • Email Subscription

  • About Us

    Archive for March, 2013

    We’ve spotted an uptick in a particular type of threat hitting Twitter uses in Japan. We call this threat the “browser crasher” after what it does: it causes the browser to “hang/crash”. To do this, the user has to be lured to visit a particular site with the JavaScript code. So long as the browser tries to open that site, the user will be unable to browse websites normally.

    How is this attack conducted? In this particular case, users were lured to the site using various Twitter messages. The messages of the tweets varied: some said the site was interesting, while others explicitly warned users not to click on it.

    Twitter posts leading to “browser crasher” page

    Whatever the case, once users ended up on the site they would get the following popup on any JavaScript-enabled browser (which is to say, just about any browser on any operating system), like this iPhone:

    Pop-up on iPhone

    The message in Japanese tells users that they will not be able to get off the page, no matter what they do. Clicking the OK button will not be enough to get rid of the pop-up, as a new one will appear with exactly the same message. This pop-up will keep bothering the user and stop them from using the browser until they are able to get off the offending page.

    What the JavaScript does is actually quite simple. The JavaScript within the site contains the code to create a pop-up, as seen above. However, this code is placed inside an infinite loop – as soon as the user closes one alert, the code triggers again and opens another pop-up in a never-ending cycle that continues as long as the site is open.

    Read the rest of this entry »

    Posted in Social | 1 TrackBack »

    Downloading from third-party app sites can be tempting for users – they offer ‘free’ versions of apps you would normally have to pay for. They may also  feature other apps that you may not be able their first-party counterparts.

    But is it really worth putting yourself and your mobile device at risk, considering all the possible dangers?

    In 2012, we uncovered an increase in the number of malicious domain accounts related to Android apps. From approximately 3,000 domains in January 2012, the number jumped to almost 8,000 by the end of the year. These malicious domains host suspicious .APK files or files containing data needed in Android app installation. Just an example of these malicious apps is the recent fake versions of the popular Candy Crush app with features that can be abused by cybercriminals. By using these features, they can get hold of your important data and aggressively push ads onto your device.

    The number of malicious domains, along with the 350,000 high-risk and malicious Android app found in 2012, portrays an alarming mobile threat landscape.

    As the mobile threat landscape unfolds, being informed is still your best defense. In our Mobile Review The Dangers of Third-Party Apps Sites, we reveal the hidden dangers that lurk in third-party app sites. It talks about how cybercriminals have begun to shift from simply tricking mobile users into installing malware-ridden apps to forcing them to visit or connect to malicious URLs.

    Read the rest of this entry »

    Posted in Mobile | Comments Off on The Hidden Dangers in Third-Party App Sites

    We have continued to look into the MBR-wiping attacks that hit Korea earlier. We believe we now have a good picture of how the attack was conducted by looking into two different scenarios, why it caused so much damage, and how we were able to protect users using Trend Micro Deep Discovery and other solutions.

    Spoofed Bank Notification Leads to Downloader

    On March 19, we saw the first indications of this attack, where South Korean organizations received a spam message that contained a malicious attachment, including a supposed monthly credit billing information. The message posed as coming from a bank. The attachment is actually a downloader, which downloaded 9 files from several different URLs. To hide the malicious routines, a fake website is shown.

    It was at this stage that Deep Discovery was able to protect our customers by heuristically detecting the malicious attachment via ATSE (Advanced Threats Scan Engine). Deep Discovery executed the attachment in a sandbox, which was used to generate a list of URLs that was used to block these attacks right away. The URLs found at this stage were then blocked. The combination of information provided by Deep Discovery and decisive actions by IT administrators was able to ensure our customers were protected in a timely manner.

    The screenshot below shows the appearance of the alerts:


    Read the rest of this entry »

    Posted in Malware, Targeted Attacks | Comments Off on How Deep Discovery Protected Against The Korean Cyber Attack

    On March 20, several attacks hit various South Korean government agencies and corporations, resulting in major disruptions to their operations. The incident started when several of their computer screens went black, while others were showing images of a skull and a “warning”.

    However, Trend Micro was able to protect our enterprise users in Korea against this threat. We have determined two separate scenarios that are related to this event and how our solutions averted and can help customers prevent the said threat.

    Two of our threat discovery solutions – Deep Discovery Inspector and Deep Discovery Advisor – heuristically detected and reported malicious traffic and messages sent to two Trend Micro customers, which we later determined to be related to this attack. Because our solutions were able to detect this attack, this gave customers actionable intelligence (information such as malware’s dropped files, malicious URL, to name a few) that enabled them to take appropriate actions and mitigate the risk of the attack. Our threat discovery solutions detected this threat as HEUR_NAMETRICK.B in ATSE 9.740.1012.

    In a different scenario, we have acquired several samples (detected as TROJ_KILLMBR.SM), which we believe were responsible for the reported blank computer screens that occured in certain South Korean entities. This malware overwrites the Master Boot Record (MBR), with a series of the words HASTATI. and PRINCPES. In normal usage, the MBR contains information necessary for any operating system to boot correctly. It then automatically restarts the system. When the system restarts, due to the damaged MBR, the system is unable to boot.

    Read the rest of this entry »


    With the amount of media coverage surrounding this year’s papal conclave and inauguration, it’s hardly a surprise that cybercriminals have taken advantage of this event to victimize users. We recently spotted spam that use newly-elected Pope Francis as the subject.

    These email messages use the new pope and controversies surrounding the Catholic Church to pique the recipients’ curiosity. To convince users of the legitimacy of the emails, these cite CNN as the alleged source. A screenshot of an email can be seen below:

    Figure 1. Sample spam entry

    It should be noted that while the topic is supposedly about Pope Francis, the email below calls the new pope Benedict, which is actually the name used by his predecessor.

    Figure 2. Spam entry with wrong headline

    The embedded links lead users to sites which have been compromised by Blackhole Exploit Kits (BHEK). Blackhole Exploit Kits have been used to deliver a wide variety of malware incuding:

    • Infostealers
    • Backdoors
    • Remote Access Trojans (RATs)
    • Rootkits

    We detect and block all related spammed messages and all associated URLs.

    As for the related malware, we found out that the final payload (detected as TROJ_PIDIEF.SMXY) exploits CVE-2009-0927, a dated vulnerability in Adobe Reader and Acrobat, to perform its routines. Thus, users must ensure that their systems are up-to-date with the latest software update.

    Read the rest of this entry »

    Posted in Bad Sites, Exploits, Malware, Spam | Comments Off on Spammers Bless New Pope with Spam


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice