Last month started with an April Fool's message being spammed around. The spammed email contained a link from which a variant of the Storm malware could be downloaded. Aside from that, we had our usual fill of Trojans and malicious scripts plaguing compromised Web sites for April.
This Trojan poses as a browser plugin that must be installed before the recipient can view documents supposedly hosted on a fake US federal judiciary Web site. Reported last April 15, the link to the fake site arrives in spammed email messages claiming to be legitimate court subpoenas. To add credibility, the sender uses a uscourts.com email address, which may look authentic to unsuspecting recipients; the judiciary's real domain is uscourts.gov, and a court does not ask defendants to install browser software to read a subpoena.
TROJ_SPAMBOT.AF is the Trend Micro detection for the malware behind Kraken, which is an emerging botnet rivaling the Storm botnet. Some researchers who have analyzed Kraken have stated that this may be a variant of the Bobax malware family.
Reported last April 5, this Trojan uses an old technique to trick users into compromising their own systems. Users receive a spammed email, dressed up as a Microsoft security bulletin, urging them to download a patch from a link in the message. Of course, the "patch" is the malware itself, which Trend Micro detects as TROJ_AGENT.AZZZ. Microsoft does not deliver security updates as email links; genuine updates come through Windows Update or Microsoft Update, which is the check to give anyone who receives such a message.
TrendLabs researchers discovered a Web site that offers what looks like a YouTube-style streaming video service. The infection vector and messaging are still the same: users most likely reach the site via links planted on specially crafted blogs. What is interesting this time is that the site requires users to download a so-called "Storm Codec" to view the video. Yes, you read that right: the codec is called Storm Codec. Of course, the "codec" is actually a NUWAR variant, which Trend Micro has detected as WORM_NUWAR.JQ since April 2.
Exploits and Vulnerabilities
BKDR_POISONIV.QI and EXPL_NEVAR.B
A backdoor exploiting a recently patched vulnerability in Microsoft's GDI image processing (the bulletin released on Patch Tuesday, April 8, MS08-021) was discovered right after the patch went out. The exploit arrives as a file named TOP.JPG, now detected as EXPL_NEVAR.B. Once the GDI flaw is triggered, the attacker has code execution with the privileges of the user who opened the file, which is all an attacker needs to do pretty much anything. The specific routine here connects to a URL and downloads a file named WORD.GIF which, despite the image extension, is an executable backdoor detected as BKDR_POISONIV.QI.
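Both files in this chain carry image extensions that do not describe their content. A cheap check that catches the WORD.GIF half of the chain (a PE executable renamed to look like an image) is to compare a file's leading bytes against the format its extension claims. The following is an added example, not Trend Micro's code; the file names and byte strings are constructed for illustration, and the helper names are ours.

```python
import os

# Leading bytes that the claimed image format must start with.
IMAGE_MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
}
PE_MAGIC = b"MZ"  # DOS/PE executable header


def classify(name, data):
    """Compare a file's extension with its header bytes.

    Returns (verdict, reason) where verdict is one of
    "ok", "suspicious" or "unknown-extension".
    """
    ext = os.path.splitext(name)[1].lower()
    if ext not in IMAGE_MAGIC:
        return ("unknown-extension", ext)
    if any(data.startswith(m) for m in IMAGE_MAGIC[ext]):
        return ("ok", "header matches " + ext)
    if data.startswith(PE_MAGIC):
        return ("suspicious", "PE executable disguised as " + ext)
    return ("suspicious", "header does not match " + ext)


def flagged(samples):
    """Return the (name, reason) pairs from an iterable of (name, bytes)
    that classify() marks suspicious."""
    out = []
    for name, data in samples:
        verdict, reason = classify(name, data)
        if verdict == "suspicious":
            out.append((name, reason))
    return out


# Constructed samples: the first three mimic the files discussed above,
# the last is a legitimate JPEG header for comparison.
SAMPLES = [
    ("WORD.GIF", b"MZ\x90\x00\x03\x00\x00\x00"),          # renamed executable
    ("TOP.JPG", b"\x01\x00\x00\x00\x6c\x00\x00\x00"),       # not a JPEG header
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),     # real JPEG
]

if __name__ == "__main__":
    for name, reason in flagged(SAMPLES):
        print(name, "->", reason)
```

A header mismatch catches disguised executables and other oddities, but it cannot tell a benign image from a crafted one with a valid header that still triggers a rendering bug; for that class of file the only real defence is applying the vendor patch.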
JS_DLOADER.TVP and JS_IFRAME.US
Early in the month, several Web sites were compromised and used in search engine optimization (SEO) poisoning attacks. Among them were the Washington State University site and several news sites such as the Sun Gazette and the Tribune-Chronicle. For the past few months, education Web sites (*.edu) have been the usual targets for such attacks, at a rate of about three per month. In this incident, JS_IFRAME.US is the iframe component inserted into the HTML of the compromised pages. When the browser renders this hidden iframe it is silently redirected to a site that serves the malicious script JS_DLOADER.TVP, which in turn fetches the actual payload.
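Site owners cleaning up after an injection like this need a way to spot the inserted frame in their own pages. The script below is an added example, not code from Trend Micro or from any of the affected sites: it parses an HTML page and reports iframes that point off-site, are sized to zero, or are hidden by CSS, which is the usual profile of an injected frame. The sample page and the attacker.invalid host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeFinder(HTMLParser):
    """Collect <iframe> tags that look injected: off-site src, zero size,
    or hidden via inline style."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # A relative src resolves to the site itself.
        host = (urlparse(src).hostname or self.site_host).lower()
        reasons = []
        if host != self.site_host:
            reasons.append("external src " + host)
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("zero-size frame")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def find_injected_iframes(html, site_host):
    """Return a list of {"src", "reasons"} dicts for suspicious iframes."""
    parser = IframeFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: one legitimate, visible, same-site frame and one
# hidden frame of the kind inserted into compromised pages.
SAMPLE_PAGE = """<html><body>
<h1>Campus News</h1>
<iframe src="https://example.edu/calendar" width="300" height="200"></iframe>
<p>Story text.</p>
<iframe src="http://attacker.invalid/in.php" width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_injected_iframes(SAMPLE_PAGE, "example.edu"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Run it over the files on a Web server and grep the output for hosts you do not recognise. It only sees iframes written in plain HTML; frames that are assembled by obfuscated JavaScript, the other common form of this injection, need the script itself to be inspected.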
That's it for today. As of this writing, it seems that another Italian Job is underway, with roughly 100 compromised Web sites so far. We shall take a closer look at it in next month's malware roundup.