    Author Archive - Abigail Pichel (Technical Communications)

    Spam may be seen by the public as a minor nuisance now, but this couldn’t be further from the truth. We recently encountered spam that triggers an infection chain with ZBOT malware as the end result.

    The spammed message claims to come from Allergan Limited, the UK arm of the global health care company Allergan, Inc. It tells the recipient that the attachment contains their medical information. The attachment is actually malicious and is detected as TROJ_ARTIEF.PI. This malware takes advantage of the MSCOMCTL.OCX RCE vulnerability (CVE-2012-0158), which affects several versions of Microsoft Office (specifically 2003, 2007, and 2010). The same vulnerability was targeted in other threats we have documented, including the spoofed APEC 2013 email and the EvilGrab malware found in the Asia-Pacific region.

    Figure 1. Fake email from Allergan Limited

    This malware drops and executes BKDR_LIFTOH.AD, a backdoor that often downloads ZBOT. In this instance, the backdoor leads to the download of TSPY_ZBOT.VHP. ZBOT malware is known for stealing user login credentials, account information, and the like, and particularly targets online banking users.

    One interesting detail in this particular attack is the use of BKDR_LIFTOH malware. Variants often propagate via social networking sites and multi-protocol instant messaging (IM) programs. Propagation through spam is quite rare.

    This isn’t the only spam that employs the same attack. We spotted other spam with the same malware attachment, but with different content. Content from these emails suggests that these messages target British users.

    Figures 2 and 3. Other similar spammed messages

    Users should always take extra precaution when dealing with e-mail attachments; in general these should not be opened unless  Email from unknown senders should be ignored or immediately deleted. Trend Micro protects users from this threat by blocking the spam messages and detecting the malware cited in this entry.
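The post turns on a document attachment whose file type (a legacy Office file) carries the exploit. As an added example, not Trend Micro's code, the script below shows the triage step a mail gateway or analyst could apply to any incoming message: it parses a raw RFC 822 message, hashes every attachment, sniffs the real container type from magic bytes rather than trusting the filename, and routes the document types the post associates with exploit-laden spam (legacy Office, RTF, PDF, and anything that is really a PE file) for detonation. The sample message, its sender and recipient addresses, and the attachment bytes are all constructed; the OLE2 attachment is only a magic header, not a real document.

```python
"""Triage attachments in a raw e-mail message (added example, not Trend Micro code)."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Magic-byte signatures for the container formats the post discusses.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy Office (.doc/.xls/.ppt)
    b"{\\rtf": "rtf",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",                         # also OOXML (.docx etc.)
    b"MZ": "pe",                                  # Windows executable
}
RISKY_TYPES = {"ole2", "rtf", "pdf", "pe"}
# What we expect a file with this extension to really be.
EXPECTED_BY_EXT = {
    "doc": "ole2", "xls": "ole2", "ppt": "ole2", "rtf": "rtf",
    "pdf": "pdf", "docx": "zip", "xlsx": "zip", "exe": "pe", "dll": "pe",
}


def sniff(data: bytes) -> str:
    """Identify the container type from its leading bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage(raw: bytes) -> list:
    """Return one finding per attachment with a 'detonate' or 'allow' verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = sniff(data)
        # Extension says one thing, bytes say another: classic disguise.
        mismatch = ext in EXPECTED_BY_EXT and EXPECTED_BY_EXT[ext] != kind
        verdict = "detonate" if (kind in RISKY_TYPES or mismatch) else "allow"
        findings.append({
            "name": name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "kind": kind,
            "mismatch": mismatch,
            "verdict": verdict,
        })
    return findings


def build_sample() -> bytes:
    """Construct a lure message like the one described, with three attachments."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"      # constructed, not a real sender
    msg["To"] = "patient@example.invalid"
    msg["Subject"] = "Your medical information"
    msg.set_content("Please see the attached report.")
    # Constructed OLE2 header only; not a real (or malicious) document.
    doc = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
    msg.add_attachment(doc, maintype="application", subtype="msword",
                       filename="Medical_Report.doc")
    # A PE stub disguised as an image: extension and bytes disagree.
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="image", subtype="jpeg",
                       filename="scan.jpg")
    msg.add_attachment("plain notes", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

The verdict here only decides where an attachment goes next (sandbox versus delivery); the hash is what you would later match against detections such as the TROJ_ARTIEF.PI sample named in the post.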

    With additional insights from Eruel Ramos and Alvin Bacani

    Posted in Malware, Spam | Comments Off on British Users Targeted By Health-Related ZBOT Spam

    Online banking is one of the many tasks that have been made more convenient by mobile technology. Now, users can purchase products and/or services, pay their bills, and manage their finances from anywhere, at any time. However, threats against mobile banking exist, and these need to be addressed and secured against.

    Some of these threats include:

    • Mobile phishing – malicious mobile websites that pass themselves off as login websites of legitimate organizations, such as banks and social networks. These are designed to trick users into entering their login information. So far, in this quarter, nearly half of all mobile phishing websites spoof financial services websites.
    • Malicious apps – Apps that contain malicious routines, such as stealing information from the device they’ve been installed on. These are usually found either in third-party app stores or malicious websites, and frequently passed off as legitimate apps.
    • Trojanized apps – Legitimate apps that have been turned into malicious apps. These are more dangerous because to the end user, they are completely indistinguishable from the real app. Because of this, the malicious app – and its routines – could be running for a long time, long before the user even suspects anything.


    Figure 1. Distribution of types of mobile phishing pages in Q3 2013 to date

    While banks are taking steps to reduce losses due to mobile banking, in the end users – both individuals and businesses – must take steps to protect themselves. Users should be familiar with their bank’s mobile banking procedures, in order to more easily spot things that are “off” and could indicate an attack. In general, too, good computing habits will help keep users secure.

    Businesses need to understand and educate their staff about the risks related to online banking, so that the bottom line is not at risk from these threats. This may include guidelines on whether employees can/should use mobile banking from personal devices. In addition, businesses should work together with their bank to look into possible procedures and steps to reduce known risks.

    For more information about mobile banking and how to secure it, we have recently released the latest edition of our Monthly Mobile Report, titled Security in Mobile Banking, as well as an e-guide. These discuss the basics of mobile banking and how it should be secured.

    Posted in Mobile | Comments Off on The Ghost in the (Portable) Machine: Securing Mobile Banking

    The discovery (and subsequent media coverage) of the mobile malware OBAD shows that mobile threats continue to be a serious concern for users. Just like Windows malware, mobile malware is becoming more sophisticated, both in technique and in deployment. This confirms one of our 2013 security predictions.

    OBAD exploits an Android vulnerability to avoid detection and uninstallation. OBAD’s propagation method is notable because of its use of Bluetooth, a routine previously seen in Symbian malware.

    FAKEAV mobile malware routines now include pop-up windows and messages about “infected” apps. Rather than show persistent notifications, mobile ads now lead users to web threats.

    These refinements take advantage of characteristics of the current mobile landscape. Android vulnerabilities are exploited because Android fragmentation makes it difficult to address vulnerabilities. Worry about Android’s update problems may also feed the growing concern about mobile malware, which makes it easier for users to fall victim to mobile FAKEAV.

    Our latest monthly mobile report discusses these emerging threats, issues affecting or influencing these threats, and what you can do to help secure your devices better.

    Posted in Mobile | Comments Off on How PC Threats Go Mobile

    Who says you can’t teach old malware new tricks? Recently, we reported on how ZBOT had made a comeback of sorts in 2013; this was followed by media reports that it was now spreading via Facebook. Now, we have spotted a new ZBOT variant that can spread on its own.

    This particular ZBOT variant arrives through a malicious PDF file disguised as a sales invoice document. If the user opens this file using Adobe Reader, it triggers an exploit which causes the following pop-up window to appear:

    Figure 1. The error message upon execution of the malicious PDF file

    While this is going on, the malicious ZBOT variant – WORM_ZBOT.GJ – is dropped onto the system and run. It is here that several differences start to appear.

    First of all, WORM_ZBOT.GJ has an auto-update routine: it can download and run an updated copy of itself. Secondly, it can spread onto other systems via removable drives, like USB thumb drives.

    It does this by searching for removable drives and then creating a hidden folder on each one with a copy of itself inside, plus a shortcut pointing to the hidden ZBOT copy.

    Figure 2. WORM_ZBOT.GJ Infection Chain

    Figure 3. Portion of WORM_ZBOT.GJ code creating copy of itself
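The propagation routine described above leaves a recognisable footprint on the drive: a hidden folder holding an executable, and a shortcut at the drive root whose target points into that folder. As an added example, not Trend Micro's code, the script below scans a drive root for that pairing. Shortcut resolution is a heuristic: it extracts printable ASCII runs from the .lnk bytes (the way the `strings` tool does) and looks for the hidden folder's path, rather than implementing a full Shell Link parser. The hidden-attribute check uses the Windows file attribute where available and falls back to a leading-dot name convention elsewhere so the demo runs on any platform; the drive layout, the folder name and the stub .lnk and .exe files in `build_demo` are all constructed.

```python
"""Flag the hidden-folder-plus-root-shortcut lure on a removable drive.

Added example, not Trend Micro's code. The .lnk handling is a string-scan
heuristic; the demo drive layout is constructed in a temporary directory.
"""
import os
import stat
import string
import tempfile

# Printable ASCII minus line/format controls, for a `strings`-style scan.
PRINTABLE = set(string.printable.encode()) - set(b"\r\n\t\x0b\x0c")
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}


def is_hidden(path: str) -> bool:
    """Windows: FILE_ATTRIBUTE_HIDDEN; elsewhere (demo only): leading dot."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def ascii_strings(data: bytes, min_len: int = 4):
    """Yield runs of printable ASCII of at least min_len bytes."""
    run = bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run = bytearray()
    if len(run) >= min_len:
        yield run.decode("ascii")


def scan_drive_root(root: str) -> list:
    """Return shortcuts at the root that point at executables in hidden folders."""
    hidden_dirs = {}  # folder name -> executables found inside it
    for entry in os.scandir(root):
        if entry.is_dir() and is_hidden(entry.path):
            exes = [f for f in os.listdir(entry.path)
                    if os.path.splitext(f)[1].lower() in EXEC_EXT]
            if exes:
                hidden_dirs[entry.name] = exes
    findings = []
    for entry in os.scandir(root):
        if not (entry.is_file() and entry.name.lower().endswith(".lnk")):
            continue
        with open(entry.path, "rb") as fh:
            strings = [s.lower() for s in ascii_strings(fh.read())]
        for dname, exes in hidden_dirs.items():
            for exe in exes:
                needle = f"{dname}\\{exe}"          # e.g. '.Recycler\\update.exe'
                if any(needle.lower() in s for s in strings):
                    findings.append({"shortcut": entry.name, "target": needle})
    return findings


def build_demo() -> str:
    """Construct a fake drive root showing the lure layout; returns its path."""
    root = tempfile.mkdtemp(prefix="usb_")
    hidden = os.path.join(root, ".Recycler")     # constructed folder name
    os.mkdir(hidden)
    if os.name == "nt":                          # set the real attribute on Windows
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(hidden, stat.FILE_ATTRIBUTE_HIDDEN)
    with open(os.path.join(hidden, "update.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 14)           # stub bytes, not a real program
    # Stub .lnk: Shell Link header-size field, then an ASCII target path.
    target = b"E:\\.Recycler\\update.exe\x00"   # 'E:' is a placeholder drive letter
    with open(os.path.join(root, "Documents.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00" + b"\x00" * 72 + target)
    # A benign shortcut that points somewhere visible: must not be flagged.
    with open(os.path.join(root, "Photos.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00" + b"\x00" * 72 + b"E:\\Photos\\index.html\x00")
    return root


if __name__ == "__main__":
    for f in scan_drive_root(build_demo()):
        print(f)
```

On a real drive you would point `scan_drive_root` at the mount point; a hit does not prove infection by itself, but it is exactly the layout worth quarantining and hashing for a detection lookup.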

    This kind of propagation by ZBOT is unusual, to say the least. ZBOT malware is usually distributed by exploit kits and/or malicious attachments. This kind of behavior from ZBOT is not something we’d usually expect to see; it could mean an increase in ZBOT infections moving forward. This unusual behavior, however, is in line with our 2013 predictions, which noted that we believed that older threats would continue to be seen in 2013, although they would have refinements to make them more effective. In the past, some ZBOT variants have used unusual means – like file infectors – to spread as well.

    These threats are some of the newest changes to the crimeware landscape; we earlier documented this particular threat in the paper The Crimeware Evolution. Neither propagating via removable drives nor auto-updating is particularly novel; many malware threats have used these behaviors in the past. Most notably, the Conficker/DOWNAD threat used both of them quite effectively, and to this day it remains a significant threat: it was still in the top 10 malware in the Americas and the Caribbean in 2012, despite being several years old.

    We protect Trend Micro users by detecting WORM_ZBOT.GJ, as well as by blocking websites related to this threat. We will provide additional information if necessary to protect our users.

    With analysis from Threat Response Engineers Joie Salvio and Alvin Bacani

    Posted in Malware | 1 TrackBack »

    When it comes to cybercriminal targets, it truly is a popularity contest. Multiple sites were found compromised, including those popular with Japanese users. There were 40 compromised domains identified using feedback provided by Trend Micro Deep Discovery; since yesterday almost 60,000 hits have been recorded on these sites.

    One of the compromised sites contains an obfuscated JavaScript (detected as JS_BLACOLE.SMTT) designed to load a hidden iframe that loads behind the user’s browser.

    Figure 1. Encrypted JavaScript inserted onto compromised site

    Figure 2. Decrypted JavaScript that could lead users to malicious sites

    Figure 1 shows the obfuscated JavaScript, or JS_BLACOLE.SMTT, that’s on the compromised site. Figure 2 shows the decrypted JavaScript, which leads users to more malicious sites.

    The hidden iframe loads a .PHP file (detected as JS_BLACOLE.MT) that checks which software is installed on the user’s computer and then loads the appropriate exploits. These lead to the download of malicious PDF files, which exploit an old vulnerability (CVE-2010-0188) in Adobe Reader and Acrobat. Other software targeted for exploits includes Java and Flash. This behavior indicates that the attacker used the Blackhole Exploit Kit in these attacks.
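The two artifacts the post shows on the compromised pages, an obfuscated inline script and an iframe hidden from the visitor, are what a site owner or crawler can look for without ever following the redirect. The scanner below is an added example, not Trend Micro's detection logic: it walks a page with Python's `html.parser`, flags iframes that are zero-sized or styled invisible, and scores inline scripts on the decode-and-execute idioms (`eval`, `unescape`, `String.fromCharCode`, `document.write`) that decoded injections like the one in Figure 2 typically rely on. The sample page, its domains and the thresholds are constructed for illustration.

```python
"""Detect hidden iframes and obfuscated inline scripts in HTML.

Added example, not Trend Micro's detection logic; sample page is constructed.
"""
import re
from html.parser import HTMLParser

# Inline style patterns that hide an element from the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"position\s*:\s*absolute[^;]*;[^;]*(left|top)\s*:\s*-\d{3,}",
    re.I,
)
# Decode-then-execute idioms common in injected, obfuscated scripts.
OBFUSCATION = re.compile(
    r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|document\.write\s*\(", re.I
)


def _tiny(value) -> bool:
    """True for width/height attributes that collapse the frame (0, 0px, 1px)."""
    digits = re.match(r"\s*(\d+)", value or "")
    return bool(digits) and int(digits.group(1)) <= 1


class InjectScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                      or bool(HIDDEN_STYLE.search(a.get("style") or "")))
            if hidden:
                self.findings.append({"type": "hidden_iframe", "src": a.get("src")})
        elif tag == "script":
            self._in_script, self._script = True, []

    def handle_data(self, data):
        # html.parser delivers <script> bodies through handle_data (CDATA mode).
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script)
            hits = OBFUSCATION.findall(body)
            # One idiom can be legitimate; two in one inline block is a strong signal.
            if len(hits) >= 2:
                self.findings.append({"type": "obfuscated_script",
                                      "idioms": len(hits), "length": len(body)})


def scan(html: str) -> list:
    """Return findings in document order."""
    parser = InjectScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: one clean script and iframe, then an injected pair.
SAMPLE_PAGE = """<html><body>
<h1>Campus news</h1>
<script>document.getElementById("d").textContent = "ok";</script>
<iframe src="https://trusted.example/widget" width="300" height="200"></iframe>
<script>var _0x="%3C%69%66%72%61%6D%65%20%73%72%63%3D";eval(unescape(_0x));</script>
<iframe src="http://bad.example/index.php" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_PAGE):
        print(finding)
```

Run over a crawl of your own site, the `src` of every flagged iframe is the list of hosts to block and investigate, and the flagged script blocks are what to diff against your clean source tree to find the injection point.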

    Users should remember that cybercriminals are catching up with the digital landscape. They will take advantage of any online activity—no matter how mundane—to gain more victims. They are also not selective; one of  the (compromised) sites caters to both students and businesses.

    End users should ensure that their installed software is patched, as this can prevent attacks that use old exploits – like this one – from succeeding. Site owners should exercise similar precautions with their installed server software – particularly content management systems – and ensure that their own passwords are sufficiently random and difficult to guess by attackers. Inputs should be sanitized as well, to prevent SQL injection attacks.

    Trend Micro provides protection by blocking related malicious sites and detecting the malware.

    With additional inputs from Threat Researcher Rhena Inocencio and Threats Analyst Yoshikawa Takashi.

    Update as of June 5, 2:15 AM PDT

    The malicious PDF files noted earlier in this post are detected as TROJ_PIDIEF.MT. The files downloaded by this malware are saved with legitimate-looking filenames; however, despite their .EXE extension, they are non-executable and non-malicious. The files could easily be replaced by malware, so it is possible that this attack was still being tested when it was released into the wild.

    Posted in Exploits, Malware | Comments Off on Compromised Japanese Sites Lead to Malware


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice