Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    May 2014
    S M T W T F S
    « Apr   Jun »
  • Email Subscription

  • About Us

    Archive for May 14th, 2014

    VOBFUS malware is known for its polymorphic abilities, which allow for easy generation of new variants. We recently came across one variant that replaces these abilities for one never seen in VOBFUS malware before—the ability to “speak” several languages.

    Infection in Different Languages

    Just like other VOBFUS variants, this new variant, detected as WORM_VOBFUS.JDN, propagates by dropping copies of itself in removable drives. Previously, variants used these eye-catching file names in order to convince users to click on the dropped file:

    • passwords.exe
    • porn.exe
    • secret.exe
    • sexy.exe

    WORM_VOBFUS.JDN, on the other hand, takes it one step further by dropping files with files name that depend on the infected computer’s OS language and location. For example, a computer with English as the OS language may receive any of the following files:

    • I love you.exe
    • Naked.exe
    • Password.exe
    • Sexy.exe
    • Webcam.exe

    Whereas a computer that uses Bahasa Indonesia may receive the following files:

    • Aku mencintaimu.exe
    • kata sandi.exe
    • seksi. exe
    • Telanjang.exe

    This variant also uses file names written in these languages:

    • Arabic
    • Bosnian
    • Chinese
    • Croatian
    • Czech
    • French
    • German
    • Hungarian
    • Italian
    • Korean
    • Persian
    • Polish
    • Portuguese
    • Romanian
    • Slovak
    • Spanish
    • Thai
    • Turkish
    • Vietnamese

    While the languages may differ, they all translate to I love you, Naked, Password, and Webcam.

    Malware Going Local

    Infection by way of “localized” threats could be seen as one way for cybercriminals to transform unsuspecting users into victims. Seeing a file or a notification written in their language might pique users’ interest more than seeing one written in English. Users may also find a false sense of security in these “localized” files and notifications as they might view these as less suspicious than other files.

    Police ransomware is one threat that uses this particular technique. These malware pose as the local law enforcement agency of the victim’s country to urge users to pay the fee for their locked computers. For example, a French victim will receive a notification from Gendarmerie Nationale, while a US-based one will likely receive a message from the FBI. There have even been instances wherein the ransomware will use an audio clip in the victim’s language.  Posing as local law enforcement agencies adds a sense of legitimacy to the claim and may further convince victims to pay the fee.

    We have also seen file-encrypting ransomware use this approach. These malware locks computers and encrypts files until the victim pays a fee. We came across two incidents that targeted Turkish and Hungarian users. The spam containing the malware and the notification were written in their language.

    Cybercriminals will do anything or use any technique possible to gain new victims. We advise users to avoid clicking links or files unless these can be verified. For ransomware incidents, since the files cannot be decrypted (aside from perhaps paying the fee), it’s also good practice to constantly back up files in case of instances such as this one. Trend Micro blocks all threats mentioned in this entry.

    Posted in Malware | Comments Off on VOBFUS Evolves, Adds Multiple Languages

    Patch-Tuesday_grayThis month’s Patch Tuesday features eight bulletins, the most number of bulletins released for the year so far. Out of the eight bulletins, two are rated as ‘critical’ and the remaining, ‘important.’ While Microsoft may have released an out-of-band update for Windows XP to address a (then) zero-day vulnerability, updates for that OS are noticeably absent for this rollout.

    Aside from the eight bulletins, this Patch Tuesday also includes the out-of-band security patch that was released two weeks ago addressing an Internet Explorer zero-day vulnerability. But that isn’t the only update concerning Internet Explorer. One of the two ‘critical’ updates, MS14-029, addresses two privately reported vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

    The second ‘critical’ update (MS14-022) addresses multiple vulnerabilities in Microsoft Office server and productivity software. According to Microsoft, “[t]he most severe of these vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a target SharePoint server.”

    Two updates address vulnerabilities concerning Microsoft Office. MS14-023 resolves vulnerabilities that could allow for remote code execution if a user opens an Office file in the same network directory as a specially crafted library file. MS14-024, meanwhile, resolves a vulnerability that could security feature bypass if a user “views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer.” The remaining updates address vulnerabilities that could allow elevation of privilege and denial of service if exploited.

    Users are advised to apply these security updates as soon as possible, as well as visit the Trend Micro Threat Encyclopedia page for further information. Two rules for Trend Micro Deep Security and Trend Micro Intrusion Defense Firewall plugin for OfficeScan have also been created and are available for use by system administrators:

    • 1006034 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0310)
    • 1006056 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1815)

    Update as of 7:26 PM, June 12, 2014

    Adobe has also released security updates to address vulnerabilities affecting Adobe Flash Player. Once these vulnerabilities are successfully exploited, remote attackers can potentially control the system. We highly advised users to update their Adobe Flash Player to version

    Trend Micro Deep Security and Office Scan with Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities via the following DPI rules:

    • 1006062 – Adobe Acrobat And Reader Use-after-free Vulnerability (CVE-2014-0527)
    • 1006070 – Adobe Flash Player Buffer Overflow Vulnerability (CVE-2014-0515) – 1
    • 1006066 – Adobe Reader Unspecified Security Bypass Vulnerability (CVE-2014-0512)
    Posted in Vulnerabilities | Comments Off on May 2014 Patch Tuesday Rolls Out 8 Bulletins


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice