TrendLabs Malware Blog - Trend Micro

    Trend Micro senior developer TT Tsai discovered a sequel to the fake Trend Micro iClean tool. Our Web Threat Protection (WTP) add-on is being used as bait to download malware.

    An email message with content seemingly copy-pasted from the WTP page of the Trend Micro Taiwan site advertises a link (Figure 1) where a supposed free download of the WTP add-on is located.

    Note that the real WTP add-on is a trial version of Trend Micro’s Web Threat Protection technology, so it really can be downloaded for free; the lure is credible precisely because a legitimate free download exists.

    Figure 1. Screenshot of email message

    The link redirects to an uncanny imitation of our real WTP download page at the URL hxxp:// {BLOCKED}.update-windows-microsoft.com/products/enterprise/wtp2.htm. This attack exploits a vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access that allows remote code execution, using it to download and execute a malicious file detected by Trend Micro as BKDR_AGENT.AVAJ.

    Figure 2. Screenshot of the supposed download site

    Trend Micro is not the only brand abused on the domain hxxp:// {BLOCKED}.update-windows-microsoft.com/. Our initial investigation found spoofed login pages for Taiwan’s Yahoo! Mail (Figure 3), Gmail (Figure 4), and Hotmail (Figure 5) hosted on the same domain.

    These pages may be part of the usual phishing scheme: crafted and deployed to harvest email addresses for spam distribution and to steal confidential information from the users’ mail accounts.

    Figure 3. Fake Yahoo! email login page

    Figure 4. Fake Gmail email login page

    Figure 5. Fake Hotmail email login page

    The malicious site mentioned above is already blocked in the Trend Micro Smart Protection Network.

    We are still investigating the various malware samples we found stored in these URLs. Please stand by for updates.

    Note also that Trend Micro will NEVER send tools or applications through email.

    Trend Micro cautions users to never open or download attachments from people unknown to them, and to download tools or applications from trusted sites only.
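As an added illustration of that advice (example code written for this page, not Trend Micro's own tooling), the check below refangs the report-style URL quoted above and flags links whose domain merely embeds a vendor's name, the way update-windows-microsoft.com does; the allowlist, the brand tokens and the crude stand-in for a public-suffix list are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Allowlist of the brands the lure imitates (assumed; a real filter would use the org's own list).
TRUSTED = {"trendmicro.com", "trendmicro.com.tw", "microsoft.com", "windows.com",
           "yahoo.com", "google.com", "live.com"}
BRAND_TOKENS = ("trendmicro", "microsoft", "windows", "yahoo", "gmail", "hotmail")
SECOND_LEVEL = {"com", "co", "net", "org"}  # crude stand-in for a public-suffix list
URL_RE = re.compile(r"h(?:tt|xx)ps?://\s?\S+", re.IGNORECASE)
# Defanging conventions used in threat reports, undone only so the URL can be parsed.
DEFANG = [(r"^hxxp", "http"), (r"\[\.\]", "."), (r"\{BLOCKED\}", "blocked"), (r"\s+", "")]

def refang(url):
    """Turn 'hxxp:// {BLOCKED}.example.com/x' into a parseable http URL."""
    for pattern, repl in DEFANG:
        url = re.sub(pattern, repl, url, flags=re.IGNORECASE)
    return url

def registrable_domain(host):
    """Last two labels, or three when the second-to-last is a generic label like 'com'."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])

def classify_link(url):
    """'trusted' if the registrable domain is allowlisted; 'lookalike' if an
    unlisted domain merely embeds a brand name (update-windows-microsoft.com);
    'unknown' otherwise."""
    host = urlsplit(refang(url)).hostname or ""
    if registrable_domain(host) in TRUSTED:
        return "trusted"
    if any(token in host.replace("-", "") for token in BRAND_TOKENS):
        return "lookalike"
    return "unknown"

def scan_links(text):
    """Return (url, verdict) for every link found in a message body."""
    return [(m.group(0), classify_link(m.group(0))) for m in URL_RE.finditer(text)]

# Constructed message body modelled on the lure; the second URL's path is made up.
SAMPLE_MAIL = """Download the free Web Threat Protection add-on here:
hxxp:// {BLOCKED}.update-windows-microsoft.com/products/enterprise/wtp2.htm
Official product page: http://www.trendmicro.com.tw/products/enterprise/wtp/
"""

if __name__ == "__main__":
    for url, verdict in scan_links(SAMPLE_MAIL):
        print(f"{verdict:9} {url}")
```

Such a token check only catches lookalikes that spell out a brand; it is a cheap first filter ahead of reputation lookups like the Smart Protection Network block mentioned above, not a replacement for them.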

    Update as of 30 July 2008

    Our researchers have found that the spoofed login pages of Taiwan’s Yahoo! Mail, Gmail, and Hotmail take advantage of a vulnerability in a Microsoft Data Access (MDAC) function that allows remote code execution. The exploit is used to carry out the routine of the spoofed login pages, which is to steal user information. More information on this vulnerability can be found here.
