TrendLabs Malware Blog - Trend Micro

    Archive for January 27th, 2014

    Fake Adobe Flash Update Aimed At Turkish Users

    Fake Flash Player scams have been around for a long time, but remarkably they still haven’t gone away. Now they’re targeting users in Turkey.

    A recent attack that we found starts with a video link sent to users (in Turkish) via Facebook’s messaging system. The “video” prompts users to install a Flash Player update; what is actually installed is a browser extension that blocks access to various antivirus sites. The extension also sends the link to the “video” to the victim’s Facebook friends through the same messaging system, restarting the cycle.

    This targeting appears to have worked: based on feedback from the Smart Protection Network, 93% of those who accessed pages related to this attack were from Turkey.

    The browser extension pushed to users was in the format used by Chromium-based browsers like Google Chrome; it would not load in other browsers such as Internet Explorer and Mozilla Firefox. It also prevents the user from reaching the browser’s extension settings page, so the user cannot easily disable or remove it.

    As we noted earlier, this threat is cyclical. The fake update (detected as TROJ_BLOCKER.J) installs the extension (detected as JS_BLOCKER.J) that blocks the antivirus websites. JS_BLOCKER.J then downloads a malicious script, detected as HTML_BLOCKER.K, which sends the Facebook messages carrying the link to the “video”.
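    The two behaviours described above, cancelling requests to security-vendor sites and guarding the extension settings page, can be triaged statically from an unpacked extension. The following is an added example and not code from the original post or from the JS_BLOCKER.J sample: a small Python script that loads a Chromium manifest and background script, flags the permission pair an extension needs to cancel arbitrary requests, looks for a request-cancelling listener that names security-vendor domains, and looks for code that closes or redirects tabs opened on chrome://extensions. The manifest, the background script and the vendor watch-list are constructed for illustration only.

```python
"""Static triage of a Chromium extension for the behaviour described above.

Added example, not the original post's code. The manifest and background
script below are constructed stand-ins, not the real JS_BLOCKER.J sample.
"""
import json
import re

# Constructed sample of what a "fake Flash update" extension might ship.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Flash Player Update",
    "version": "1.0",
    "permissions": ["webRequest", "webRequestBlocking", "tabs", "<all_urls>"],
    "background": {"scripts": ["bg.js"]},
})

SAMPLE_BACKGROUND = r"""
var blocked = ["trendmicro.com", "avast.com", "kaspersky.com"];
chrome.webRequest.onBeforeRequest.addListener(function (details) {
  for (var i = 0; i < blocked.length; i++) {
    if (details.url.indexOf(blocked[i]) !== -1) { return {cancel: true}; }
  }
}, {urls: ["<all_urls>"]}, ["blocking"]);
chrome.tabs.onUpdated.addListener(function (tabId, info, tab) {
  if (tab.url && tab.url.indexOf("chrome://extensions") === 0) { chrome.tabs.remove(tabId); }
});
"""

# Illustrative watch-list (assumption); a deployment would maintain its own.
SECURITY_VENDOR_DOMAINS = ("trendmicro.com", "avast.com", "avg.com", "eset.com",
                           "kaspersky.com", "mcafee.com", "symantec.com")


def triage_extension(manifest_json, scripts):
    """Return indicator flags for a manifest string and a list of JS sources."""
    manifest = json.loads(manifest_json)
    perms = set(manifest.get("permissions", []))
    code = "\n".join(scripts)
    # Host permissions broad enough to intercept traffic to any site.
    broad_hosts = "<all_urls>" in perms or any(
        p.startswith(("*://", "http://", "https://")) for p in perms)
    result = {
        # Permission pair needed to cancel requests (manifest v2 blocking webRequest).
        "can_block_requests": "webRequestBlocking" in perms and broad_hosts,
        # A webRequest listener that answers {cancel: true}.
        "cancels_requests": bool(re.search(r"webRequest\.onBeforeRequest", code)
                                 and re.search(r"cancel\s*:\s*true", code)),
        # Security vendors named anywhere in the code.
        "vendor_domains": sorted(d for d in SECURITY_VENDOR_DOMAINS if d in code),
        # Watches for the settings page and closes or redirects the tab.
        "guards_settings_page": bool(re.search(r"chrome://extensions", code)
                                     and re.search(r"tabs\.(remove|update)\s*\(", code)),
    }
    result["suspicious"] = ((result["cancels_requests"] and bool(result["vendor_domains"]))
                            or result["guards_settings_page"])
    return result


if __name__ == "__main__":
    print(json.dumps(triage_extension(SAMPLE_MANIFEST, [SAMPLE_BACKGROUND]), indent=2))
```

    The regexes are deliberately loose: a real sample may obfuscate identifiers, so the permission check on the manifest is the more reliable signal, and the vendor-domain hit list is what turns a generic ad-blocker-like pattern into something worth pulling for manual analysis.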

    In addition to Facebook messages, Twitter accounts “promoting” this page were also spotted.

    Turkey is one of the world’s most active Facebook-using countries, with 19 million daily active users and 33 million monthly active users, which gives a threat that spreads through Facebook messages a large pool of potential victims. Note that the attack’s main behavior, blocking antivirus sites, does not by itself damage the victim’s system; it does, however, leave the victim less able to defend against whatever is delivered next.

    Facebook is working diligently to prevent users from encountering these types of attacks. We protect users by detecting and blocking the files and sites related to this attack. Users can also protect themselves further through these simple tips:

    • Don’t click or access any strange and unfamiliar URLs that pop up on your wall, profile, or from a private message.
    • If you’re asked to update any software, go to the software vendor’s site directly, and not through any other supplied link.
    • Get a security solution that automatically blocks malicious downloads and fraudulent websites.

    With analysis from Anthony Melgarejo and Paul Tiu

    Posted in Bad Sites, Malware, Social, Spam | Comments Off on Fake Adobe Flash Update Aimed At Turkish Users

    Last month, we published a blog post describing how Control Panel malware was being distributed via malicious attachments to Brazilian users. We have continued to look into these threats, and we have now released a research paper titled CPL Malware: Malicious Control Panel Items covering the structural aspects of CPL files and how criminals are using them to spread malware, mainly in Brazil.

    Currently, this particular threat is commonly used to spread banking malware in Brazil. Typically, users are sent financial-themed mails that contain a link to a malicious compressed file. When the archive is uncompressed, the user sees one or more malicious .CPL files.

    Figure 1. Typical CPL Malware Behavior

    In terms of analysis, a CPL file is essentially identical to a DLL file: it is a DLL that exports a CPlApplet entry point for the Control Panel to call. Unlike an ordinary DLL, however, a CPL file is executed automatically when double-clicked, because the Windows shell hands .CPL files to the Control Panel launcher, which loads the DLL and calls its entry point. This makes it behave like an EXE file, but users who do not recognize the .CPL extension may be more willing to open one than an unknown .EXE. Most CPL malware from Brazil was written in Delphi, which is a popular programming language in the country.
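    Both the delivery chain (an archive attachment containing .CPL files) and the file structure (a CPL is a DLL) lend themselves to a mail-gateway check. The following is an added example, not code from the Trend Micro paper: a Python script that walks a zip attachment, picks out members ending in .cpl (including double extensions such as name.pdf.cpl, whose final extension Explorer hides by default for registered types), and verifies from the PE file header that each is flagged as a DLL, with a cheap string check for the CPlApplet export name. The sample archive, its member names and its header-only PE stubs are constructed inline for illustration.

```python
"""Triage a zip attachment for Control Panel (.cpl) items.

Added example, not the paper's code. A .cpl file is a DLL (IMAGE_FILE_DLL set
in the PE file header) that the Windows shell executes on double-click, so
the check here is: .cpl extension present, PE image, DLL flag set.
The archive and its PE stubs are constructed; they are not real samples.
"""
import io
import struct
import zipfile

IMAGE_FILE_DLL = 0x2000          # IMAGE_FILE_HEADER.Characteristics bit for DLLs
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100


def build_minimal_pe(characteristics):
    """Construct a header-only PE image (not loadable) for the sample archive."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header follows DOS header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header


def pe_characteristics(data):
    """Return IMAGE_FILE_HEADER.Characteristics for a PE image, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Characteristics sits 18 bytes into the 20-byte file header, after the signature.
    return struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]


def triage_archive(zip_bytes):
    """Report every .cpl member of the archive with what its PE header says about it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().endswith(".cpl"):
                continue
            data = zf.read(name)
            chars = pe_characteristics(data)
            findings.append({
                "name": name,
                # e.g. "Boleto.pdf.cpl": Explorer hides the final extension by default.
                "double_extension": name.lower().count(".") > 1,
                "is_pe": chars is not None,
                "is_dll": chars is not None and bool(chars & IMAGE_FILE_DLL),
                # Heuristic: a real CPL carries the export name "CPlApplet" in its name table.
                "mentions_cplapplet": b"CPlApplet" in data,
            })
    return findings


def build_sample_archive():
    """Constructed attachment: one convincing CPL lure, one mis-flagged EXE, one text file."""
    dll_flags = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL
    exe_flags = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Boleto_Bancario.pdf.cpl", build_minimal_pe(dll_flags) + b"\0CPlApplet\0")
        zf.writestr("comprovante.cpl", build_minimal_pe(exe_flags))   # .cpl name, EXE flags
        zf.writestr("leia-me.txt", b"segue o boleto em anexo")        # ignored: not .cpl
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(finding)
```

    For a gateway rule the extension alone is enough to quarantine, since there is no legitimate reason for a mail attachment to carry a Control Panel item; the header checks are there so the analyst can tell a genuine CPL (DLL flag plus CPlApplet) from a renamed EXE or a corrupt file before spending time on it.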

    In Brazil, CPL files are used for banking malware almost as frequently as EXE files, with the two file types together accounting for almost 90% of the banking malware seen in Brazil from March to November 2013. Over the past two years (2012 and 2013), we have detected approximately a quarter of a million CPL malware samples in the country. It is currently a significant problem for Brazilian users and organizations.

    Posted in Malware, Spam | Comments Off on A Look Into CPL Malware


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice