    Archive for May 2nd, 2013

    While users are trooping to the cinemas to watch Iron Man 3, some may scour the Internet for bootleg copies or free movie streaming. Unfortunately, this gives the bad guys an opportunity to serve users with their dubious schemes.

    We conducted a simple Google query and found more than a hundred websites claiming that they provide movie streaming of Iron Man 3. (The movie has already opened in some countries but not the United States, making these claims more credible at first glance.) These supposed streaming sites use popular blog providers, with half of these sites using Tumblr.

    Figure 1. Half of the fake Iron Man 3 sites we found use Tumblr

    Once visited, these sites would ask users to download a video installer file. Based on our analysis, we found that this file was what it said it was – a legitimate video player. This particular video player has been known to display aggressive ads in the past, although we did not see that behavior this time. In addition, the player could be used to download and view pornographic materials.

    However, it’s still possible that these legitimate files would be replaced with malware at a later time. Thus, it won’t be a complete surprise if we find a malware-hosting webpage disguised as an Iron Man 3 streaming or downloading page anytime soon.

    Unsurprisingly, some bad guys have also used Facebook to spread links advertised as providers of free Iron Man 3 movie streaming. Users may encounter these as posts in their Facebook feed, together with a link to the said site. But once users click the link, they are redirected through several web pages until they land on yet another survey scam, and the same post is spammed to their Facebook contacts. Other similar ruses we documented in the past include the “Facebook Profile Viewer” and the survey scam under the veil of the much talked-about Google Glass competition.


    Figure 2. Screenshot of page leading to survey scam

    Needless to say, these sites do not lead to the actual Iron Man 3 movie. Some of these sites, however, may ask users to register and ask for their credit card number, which is highly suspicious.

    High-profile summer flicks like Iron Man 3 are typical cybercrime baits because they have been effective in tricking users into visiting shady websites, including those that host malware and dabble in survey scams. Because of the clever use of social engineering tactics, users may end up falling into the bad guys’ traps. Thus, it is important to be aware of how social engineering works and to be conscious of what you click and share on your Facebook and other social media accounts. Trend Micro blocks the sites and domains related to this threat.


    With insights from fraud analyst Paul Pajares.

    Posted in Social | Comments Off on Fake Iron Man 3 Streaming Sites Sprout on Social Media

    A few weeks ago, we noted that we believed it was likely that Bitcoin miners using GPUs might become part of the threat landscape. It appears that that has happened, in a somewhat roundabout way.

    The e-sports league ESEA was recently forced to admit that an employee had, without authorization, pushed a Bitcoin miner to users and forced the client machines to mine coins – for his own gain. They claim that the code to do so was born out of internal tests to see if this could be added as a feature to their software clients. ESEA themselves described the affair as a “fiasco”.

    By itself, this would be interesting enough. A legitimate software service was used to push unauthorized software to the machines of end users, much like what happened in Korea recently. However, the payload itself was unusual too: it was a Bitcoin miner, specifically one that was capable of harnessing the GPUs of users.

    This incident may well have been the first that did use GPUs, but we doubt it will be the last. The losses to users may not have been that large, but they were real nonetheless: increased energy usage and wear and tear on their computers. In addition, affected users will also see increased bandwidth usage as effective miners use a noticeable stream of bandwidth.

    Gamers may want to pay particular attention to signs of heavy GPU load on their system in the absence of any gaming activity. These can include excessive levels of heat or noise from their system, as well as poor performance in games. The control panels provided by AMD and nVidia can also be used to check the load on GPUs – under normal, non-gaming circumstances, GPUs should not be heavily loaded.
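The check described above can be scripted rather than eyeballed in a vendor control panel. The following is an added example, not code from the post or from ESEA, AMD or NVIDIA: it takes a series of GPU utilisation samples, looks for load that is sustained rather than a momentary spike, and then asks whether any program that is expected to use the GPU is running. The sample logs are constructed, the `KNOWN_GPU_HEAVY` allow-list is hypothetical, and the `nvidia-smi` query used by `collect_samples` is the one assumption about a real tool (it only runs if you call it explicitly).

```python
"""Added example (not code from the Trend Micro post): flag sustained GPU load
on a machine where nothing that should be using the GPU is running.

Assumptions, none of which come from the post:
  - utilisation samples come from
      nvidia-smi --query-gpu=utilization.gpu,temperature.gpu --format=csv,noheader,nounits
    which prints one "util, temp" line per call (a single GPU is assumed);
    the logs below are constructed, not captured.
  - the process list is whatever `tasklist` / `ps` reports; here it is a list
    of names supplied by the caller.
  - KNOWN_GPU_HEAVY is a hypothetical allow-list the user fills in.
"""
import subprocess
import time
from dataclasses import dataclass
from typing import List, Sequence

UTIL_THRESHOLD = 60   # percent busy that counts as "loaded"
MIN_SUSTAINED = 5     # consecutive loaded samples before we care
KNOWN_GPU_HEAVY = {"game.exe", "blender.exe", "obs64.exe"}  # hypothetical allow-list


@dataclass
class Sample:
    util: int   # GPU utilisation, percent
    temp: int   # GPU temperature, degrees C


def parse_nvidia_smi(output: str) -> List[Sample]:
    """Parse 'util, temp' lines as emitted by the nvidia-smi query above."""
    samples = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        util, temp = (int(part.strip()) for part in line.split(","))
        samples.append(Sample(util, temp))
    return samples


def sustained_load(samples: Sequence[Sample],
                   threshold: int = UTIL_THRESHOLD,
                   min_run: int = MIN_SUSTAINED) -> bool:
    """True if utilisation stays at or above threshold for min_run samples in a row."""
    run = 0
    for s in samples:
        run = run + 1 if s.util >= threshold else 0
        if run >= min_run:
            return True
    return False


def assess(smi_output: str, processes: Sequence[str]) -> str:
    """Return 'idle', 'expected' (load explained by a known program) or 'suspicious'."""
    if not sustained_load(parse_nvidia_smi(smi_output)):
        return "idle"
    if any(p.lower() in KNOWN_GPU_HEAVY for p in processes):
        return "expected"
    return "suspicious"


def collect_samples(count: int = MIN_SUSTAINED, interval_s: float = 2.0) -> str:
    """Poll the real nvidia-smi (assumed installed); returns the concatenated output."""
    lines = []
    for _ in range(count):
        out = subprocess.run(
            ["nvidia-smi", "--query-gpu=utilization.gpu,temperature.gpu",
             "--format=csv,noheader,nounits"],
            capture_output=True, text=True, check=True).stdout
        lines.append(out.strip())
        time.sleep(interval_s)
    return "\n".join(lines)


# Constructed logs: a desktop sitting idle, and one with something pegging the GPU.
CONSTRUCTED_IDLE = "3, 41\n2, 41\n5, 42\n1, 41\n4, 42\n2, 41\n"
CONSTRUCTED_BUSY = "3, 41\n95, 78\n97, 81\n96, 83\n98, 84\n97, 85\n96, 85\n"

if __name__ == "__main__":
    print(assess(CONSTRUCTED_BUSY, ["explorer.exe", "svchost.exe"]))  # suspicious
```

The threshold and run length are deliberately conservative: a browser decoding video or a driver update can spike the GPU for a sample or two, so only a run of loaded samples with no known GPU-heavy process present is reported.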



    A new attack is spreading via Facebook and several instant messaging applications. Its chief payload is a backdoor – BKDR_LIFTOH.DLF – which allows its attackers to take control of the infected systems. It spreads by using two worms, one of which is a new variant of the rather notorious DORKBOT family.

    DORKBOT, known for spreading via social media and instant messaging applications (e.g., Skype and mIRC), has now been found propagating in multi-protocol instant messaging (IM) apps like Quiet Internet Pager and Digsby.

    These apps enable users to communicate via various IM apps. Digsby supports AIM, MSN, Yahoo, ICQ, Google Talk, Jabber, and Facebook Chat accounts while Quiet Internet Pager supports at least four different IM services. Thus, this malware may potentially affect more users because of its wider launchpad for propagation.

    Detected as WORM_DORKBOT.SME, this worm sends out shortened URLs to the contacts found in the IM client of the infected system. These URLs point to a file, which is actually an updated copy of DORKBOT uploaded to the file-hosting site Mediafire. This is probably a maneuver to evade detection and easy removal from the system.
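The propagation pattern just described, one account pushing the same shortened URL to every contact in quick succession, is something a defender can look for in IM logs. The following is an added example, not code from the post or from Trend Micro: it parses a simple chat log, keeps only messages carrying a URL from a shortener host, and flags any sender whose shortened-URL messages reached several distinct contacts within a short window. The log format, the chat log itself and the shortener list are constructed for this example; a real deployment would parse its own client's history format.

```python
"""Added example, not from the Trend Micro post: spot worm-like link spam in an
IM log by looking for one account sending shortened URLs to many contacts in a
short window. Log format, log contents and shortener list are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Tuple

SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co"}  # constructed list
# constructed line format: "YYYY-MM-DD HH:MM:SS sender -> recipient: body"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) -> (\S+): (.*)$")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

Event = Tuple[datetime, str, str, str]  # (timestamp, sender, recipient, body)


def parse_log(text: str) -> Iterator[Event]:
    """Yield one event per well-formed chat line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, sender, recipient, body = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sender, recipient, body


def has_short_url(body: str) -> bool:
    """True if the message carries a link whose host is a known URL shortener."""
    return any(host.lower() in SHORTENER_HOSTS for host in HOST_RE.findall(body))


def flag_fanout(events: Iterable[Event],
                window: timedelta = timedelta(minutes=1),
                min_recipients: int = 3) -> Dict[str, int]:
    """Map each sender whose shortened-URL messages reached at least
    min_recipients distinct contacts inside any `window` to that peak count."""
    per_sender: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, sender, recipient, body in events:
        if has_short_url(body):
            per_sender[sender].append((ts, recipient))
    flagged: Dict[str, int] = {}
    for sender, sends in per_sender.items():
        sends.sort()
        best = 0
        for i, (start, _) in enumerate(sends):
            # distinct recipients reached within `window` of this send
            reached = {r for ts, r in sends[i:] if ts - start <= window}
            best = max(best, len(reached))
        if best >= min_recipients:
            flagged[sender] = best
    return flagged


# Constructed chat log: "alice" blasts one link to four contacts in three seconds;
# "carol" sends a single shortened link, which is normal behaviour.
CONSTRUCTED_LOG = """\
2013-05-02 10:00:01 alice -> bob: lol look at this http://bit.ly/abc123
2013-05-02 10:00:02 alice -> carol: lol look at this http://bit.ly/abc123
2013-05-02 10:00:02 alice -> dave: lol look at this http://bit.ly/abc123
2013-05-02 10:00:03 alice -> erin: lol look at this http://bit.ly/abc123
2013-05-02 10:05:00 bob -> alice: what is this?
2013-05-02 11:00:00 carol -> dave: meeting notes at http://intranet.example/notes
2013-05-02 11:30:00 carol -> erin: http://bit.ly/xyz789
"""

if __name__ == "__main__":
    print(flag_fanout(parse_log(CONSTRUCTED_LOG)))  # {'alice': 4}
```

Keying on fan-out rather than on the link itself is deliberate: the post notes the payload is re-uploaded to file-hosting sites to dodge detection, so the URL changes while the one-message-to-everyone behaviour does not.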

    Aside from its propagation routines, DORKBOT is also known for its capability to steal login credentials by hooking APIs of certain web browsers.

    WORM_DORKBOT.SME is downloaded by the main payload, BKDR_LIFTOH.DLF. One of the commands that this backdoor receives from its C&C server is to download and execute other malware. The command also includes the URL from which the file is to be downloaded; this time, the file is hosted on Hotfile.

    Moreover, this backdoor also has the capability to edit its configuration from its C&C server.

    Figure 1. BKDR_LIFTOH.DLF Configuration



    Posted in Bad Sites | Comments Off on Backdoor Leads to Facebook and Multi-Protocol Instant Messaging Worm


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice